SIEM (Security Information Event Management)
Topic: SECURITY and RISK
Presenter: Ron Hruby
Topics
Threat landscape
Breaches and hacks
Leadership and accountability
Evolution of security technology
What is SIEM?
SIEM overview and use cases
Pitfalls of SIEM implementations
Is SIEM a nice to have or a need?
Background
Director of Commercial Cybersecurity for Vertek, based out of Colchester, VT
20 years of IT solutioning, telecom and security experience
I've been both a buyer and a supplier of telecom and security related services
Co-founder of the MSSP (Managed Security Service Provider) division at Vertek
Vertek provides BPO, BI, Order Management, Network Migration Services, eNOC, MSSP/SOC and Consulting services to CPs, MSPs, SMBs and Large Enterprise
The MSSP division provides managed SOC services, including 24x7 network monitoring, security intelligence and breach detection
Can your IT Department detect a breach today?
DDoS Attack (Distributed denial-of-service attack)
Attacker machine running client program
Command and control (C2): infect and control clients
Compromised hosts (botnet clients): millions of devices
Target of attack
Multiple compromised hosts are used by an attacker to send traffic that floods the target, causing a denial of service (DoS).
Defcon.pro website also lists the following features: 24/7 Support, Private Methods, Skype Resolver, 99% uptime, Dedicated Servers, PayPal/Bitcoin, Stop Button, IP Geolocation, Cloudfare resolver, Domain Resolver, Amazing Power, Easy to use Interface
Pastebin is a text storage site where users can store plain text. It is most commonly used to share short source code snippets for code review via Internet Relay Chat (IRC).
Special shout out to #39 on this list
Pwned?
Verizon DBIR 2017
Many organizations don’t have the basics covered
Shodan.io
VNC (Virtual Network Computing)
VNC is a graphical desktop sharing program that allows someone to remotely control another computer.
Diagram: workstation running VNC Server, workstation running VNC Viewer
Supply Chain Attacks: "Foot-in-the-door" through a vendor
Hackers Hid Backdoor In CCleaner Security App With 2 Billion Downloads Million Infected
"CCleaner download server was hosting the backdoored app as far back as September 11. Talos warned in a blog Monday that the affected version was released on August 15, but on September 12 an untainted version 5.34 was released. For weeks then, the malware was spreading inside supposedly-legitimate security software."
Among other things, our obligation is to protect CPNI, SPI, PII, PCI, PHI, non-public data, etc.
Simple principles:
Where is it on your network?
Who has access to it?
How is it secured?
Who is monitoring it?
Who is periodically reviewing it?
Leveraging Frameworks (Cybersecurity Framework)
Sample requirements:
Assess and classify assets and information according to risk
Continuously scan and assess unpatched software and system vulnerabilities
Identify malicious entities probing systems and the network
Continuously monitor network traffic and system events for potentially insecure behaviors
Respond to identified malicious events to remediate them
Audit and report effectiveness
As suppliers we see this language in contracts. We also require it.
Evolution of security technology
SIEM (Security Information Event Management)
Without a SIEM: disparate security log and event sources; manual correlation of events
With a SIEM: single pane of glass for security logs and events; cross-correlation of events; log retention
Diagram: router, switch, firewall, server, IDS, scans and threat feeds all feeding the SIEM
SIEM components: Sensor - Logger - Server
Security Information Event Management
The need for early targeted attack detection and response is driving the expansion of new and existing SIEM deployments.
Traditional SIEM: log management, asset discovery, event correlation, forensic analysis, ticketing, reporting, threat feeds
Vendor features: network vulnerability scanning, network IDS, host IDS / FIM, NetFlow, packet capture, OTX / feed / IoC integration, policy violations
Sample SIEM Dashboard
Assets and Groups
Plugin Normalized Data
A raw log that a plugin maps to a taxonomy subtype is a log the SIEM can read.
IDS: Critical SIEM Log Source
An Intrusion Detection System (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations.
Diagram: Internet, firewall, IDS (Snort / Sourcefire) with signatures, VLAN 10 and VLAN 20 with server and workstation
Signature vs. anomaly based
Vulnerability Scanning: Critical SIEM Log Source
Diagram: Internet, firewall, vulnerability scanner, VLAN 10 and VLAN 20 with server and workstation
OpenVAS - Network Vulnerability Tests (NVTs): definitions/signatures
Open Threat Exchange (OTX): Key SIEM IoC source
Many technologies support OTX.
Correlation
Suspicious inbound connections
Suspicious outbound connections
Critical vulnerabilities
Policy violations
Attacks
Brute force
DDoS
Malware
Network scanning
User contributed
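The plugin normalization and correlation slides above describe the pipeline in words; the following Python is an added example (not from the presentation or any SIEM product) that runs it over a few constructed log lines: a regex "plugin" maps each raw line to a taxonomy subtype, a constructed IoC set stands in for an OTX feed, and a brute-force directive alarms when one source produces three authentication failures inside a sliding window. All hosts, users and the IoC value are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
RAW_LOGS = [
    "2024-05-01T10:00:01 sshd[811]: Failed password for root from 203.0.113.5 port 5112 ssh2",
    "2024-05-01T10:00:03 sshd[811]: Failed password for root from 203.0.113.5 port 5113 ssh2",
    "2024-05-01T10:00:04 sshd[811]: Failed password for admin from 203.0.113.5 port 5114 ssh2",
    "2024-05-01T10:00:09 sshd[811]: Accepted password for alice from 192.0.2.10 port 4000 ssh2",
    "2024-05-01T10:00:12 fw: DENY TCP 198.51.100.7:44444 -> 192.0.2.20:445",
]
# Constructed IoC set standing in for an OTX pulse (hypothetical value).
IOC_IPS = {"198.51.100.7"}
# "Plugins": a regex per log format plus the taxonomy subtype it maps to.
PLUGINS = [
    (re.compile(r"^(\S+) sshd\[\d+\]: Failed password for (\S+) from (\S+)"),
     "authentication.failure", ("ts", "user", "src_ip")),
    (re.compile(r"^(\S+) sshd\[\d+\]: Accepted password for (\S+) from (\S+)"),
     "authentication.success", ("ts", "user", "src_ip")),
    (re.compile(r"^(\S+) fw: DENY \w+ ([\d.]+):\d+ -> ([\d.]+):(\d+)"),
     "firewall.deny", ("ts", "src_ip", "dst_ip", "dst_port")),
]

def normalize(line):
    """Map a raw line to a normalized event dict; None if no plugin matches."""
    for pattern, subtype, fields in PLUGINS:
        m = pattern.match(line)
        if m:
            ev = dict(zip(fields, m.groups()))
            ev["subtype"] = subtype
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["ioc_match"] = ev["src_ip"] in IOC_IPS  # threat-feed enrichment
            return ev
    return None

def correlate_bruteforce(events, threshold=3, window=timedelta(seconds=60)):
    """Alarm on a source with >= threshold auth failures inside the sliding window."""
    failures, alarms = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["subtype"] != "authentication.failure":
            continue
        hist = failures[ev["src_ip"]]
        hist.append(ev["ts"])
        hist[:] = [t for t in hist if ev["ts"] - t <= window]  # drop old failures
        if len(hist) >= threshold and ev["src_ip"] not in alarms:
            alarms.append(ev["src_ip"])
    return alarms
def run(lines=RAW_LOGS):
    events = [e for e in map(normalize, lines) if e]  # lines no plugin reads are dropped
    return events, correlate_bruteforce(events)
```

Lines no plugin understands never reach correlation, which is the practical reason the "Plugin Normalized Data" step matters: a directive cannot fire on a log the SIEM cannot read.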
Informationisbeautiful.net
Alarm and Forensics
IR | BPM Ticket and Triage
SIEM Lifecycle
Security incidents / events
Vulnerabilities
Policy items
Performance trends
Tuning
Change
Action items
Reporting
Pitfalls of SIEM Implementations
01 Scope
02 Planning
03 Policy
04 Alert fatigue / lack of context
05 Inadequate staffing
Striking the balance: Is a SIEM nice to have or a need?
Technologies like firewalls, IDS/IPS, content filtering and vulnerability scanning ARE NOT a replacement for a SIEM.
Firewalls provide a way to allow traffic in and out of your network...
IDS provides a way to monitor traffic in and out of your network...
IPS sits inline to prevent traffic based on IDS events. Under-tuned, it can block legitimate traffic; over-suppressed, it has the potential to miss events.
URL filtering provides a way to monitor and control web traffic...
Vulnerability scanning provides a way to scan for and detect vulnerabilities...
Manual tasks are required to correlate events across these tools.
Checks and balances within security roles (engineering, administration, analyst)
Responsibilities (assigned, concerned, responsible)
Among other things, our obligation is to protect CPNI, SPI, PII, PCI, PHI, non-public data, etc.
Simple principles:
Where is it on your network?
Who has access to it?
How is it secured?
Who is monitoring it?
Who is periodically reviewing it?
Checks and balances: 3rd party testing, a combination of red team and blue team tactics
1 + 1 should be > 2: Technology (SIEM) + People (Sr. Security Analyst)
A SIEM does not implement itself. It knows nothing about your environment, your assets or your risks.
Business requirements should drive directives and tuning.
Turn industry advisories into actionable Indicators of Compromise (IoCs) and/or action items to discuss during security reviews.
Signatures, directives and threat feeds are extremely important to detect new and emerging threats.
Ultimately, the team managing the SIEM and reviewing the reports will make or break its success.
Don't bet on luck. Be well prepared.
rhruby@vertek.com
ManagedThreatIntelligence.com