
Topic: SECURITY and RISK


1 Topic: SECURITY and RISK
SIEM (Security Information Event Management)
Presenter: Ron Hruby

2 Topics
Threat landscape
Breaches and hacks
Leadership and accountability
Evolution of security technology
What is SIEM?
SIEM overview and use cases
Pitfalls of SIEM implementations
Is SIEM a nice to have or need?

3 Background
Director of Commercial Cybersecurity for Vertek, based out of Colchester VT
20 years of IT solutioning, telecom and security experience
I’ve been both a buyer and a supplier of telecom and security related services
Co-Founder of the MSSP (Managed Security Service Provider) Division at Vertek
Vertek provides BPO, BI, Order Management, Network Migration Services, eNOC, MSSP/SOC and Consulting services to CP, MSPs, SMB, and Large Enterprise
MSSP Division provides managed SOC services, including 24x7 network monitoring, security intelligence and breach detection

4 Can your IT Department detect a breach today?

5 DDoS Attack: Distributed denial-of-service attack
Diagram: attacker machine running client program -> command and control (C2) infects and controls clients -> compromised hosts (botnet clients, millions of devices) -> target of attack
Multiple compromised hosts are used by an attacker to send incoming traffic, flooding their target and causing a Denial of Service (DoS) attack

6 Defcon.pro website also lists the following features: 24/7 Support, Private Methods, Skype Resolver, 99% uptime, Dedicated Servers, PayPal/Bitcoin, Stop Button, IP Geolocation, Cloudfare resolver, Domain Resolver, Amazing Power, Easy to use Interface

7 Pastebin
Pastebin is a txt storage site where users can store plain text. Most commonly used to share short source code snippets for code review via Internet Relay Chat (IRC)
Special shout out to #39 on this list

8 Pwned?

9 Verizon DBIR 2017

10 Many organizations don’t have the basics covered
Shodan.io

11 VNC Virtual Network Computing
VNC is a graphical desktop sharing program that allows someone to remotely control another computer VNC Workstation running VNC Server Workstation running VNC Viewer Virtual Network Computing

12

13 Supply Chain Attacks: “Foot-in-the-door” through a vendor
Headline: Hackers Hid Backdoor In CCleaner Security App With 2 Billion Downloads, Million Infected
“CCleaner download server was hosting the backdoored app as far back as September 11. Talos warned in a blog Monday that the affected version was released on August 15, but on September 12 an untainted version 5.34 was released. For weeks then, the malware was spreading inside supposedly-legitimate security software.”

14

15 Among other things, our obligation is to protect
CPNI, SPI, PII, PCI, PHI, Non-Public, etc.
Simple Principles:
Where is it on your network
Who has access to it
How is it secured
Who is monitoring it
Who is periodically reviewing it

16 Leveraging Frameworks (Cybersecurity Framework)
Sample Requirements:
Assess and classify assets and information according to risk
Continuously scan and assess unpatched software and system vulnerabilities
Identify malicious entities probing systems and network
Continuously monitor network traffic and system events for potential unsecure behaviors
Respond to identified malicious events to remediate them
Audit and report effectiveness
As suppliers we see this language on contracts. We also require it.

17 Evolution of security technology

18 SIEM: Security Information Event Management
Disparate security log and event sources
Manual correlation of events
Single pane of glass for security logs and events
Cross correlation of events
Log retention
Diagram: log sources (router, switch, firewall, IDS, server, vulnerability scans, threat feeds) feeding into the SIEM
SIEM Components: Sensor - Logger - Server

19 Security Information Event Management
The need for early targeted attack detection and response is driving the expansion of new and existing SIEM deployments
TRADITIONAL SIEM: log management, asset discovery, event correlation, forensic analysis, ticketing, reporting, threat feeds
VENDOR FEATURES: network vulnerability scanning, network IDS, host IDS / FIM, NetFlow, packet capture, OTX / feed / IoC integration, policy violations

20 Sample SIEM Dash

21 Assets and Groups

22 Plugin Normalized Data
Raw log mapped to a taxonomy subtype = SIEM can read it.

23 IDS: Critical SIEM Log Source
An Intrusion Detection System (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations.
Diagram: Internet -> Firewall -> IDS (Snort / Sourcefire signatures) -> VLAN 10 and VLAN 20 -> Server and Workstation
Signature vs. Anomaly Based

24 Vulnerability Scanning: Critical SIEM Log Source
Diagram: Internet -> Firewall -> Vulnerability Scanner (OpenVAS, Network Vulnerability Testing (NVT) definitions/signatures) -> VLAN 10 and VLAN 20 -> Server and Workstation

25 Open Threat Exchange Key SIEM IoC source
Many technologies support OTX Open Threat Exchange Key SIEM IoC source

26 Correlation
Suspicious Inbound Connections
Suspicious Outbound Connections
Critical Vulnerabilities
Policy Violations
Attacks
Brute Force
DDoS
Malware
Network Scanning
User Contributed
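The two ideas behind slides 22 and 26 (a plugin that normalizes raw logs into a taxonomy the SIEM can read, and a correlation directive that turns several low-value events into one alarm) are easy to see in a few lines of code. The following Python is an added illustration written for this transcript, not code from the presentation or from any SIEM product. The log lines, the sshd/firewall formats, the taxonomy field names and the brute-force threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not from the presentation): two sources, two raw formats.
RAW_LOGS = [
    "2017-10-02T10:00:01 sshd[411]: Failed password for root from 203.0.113.7 port 5522 ssh2",
    "2017-10-02T10:00:03 sshd[412]: Failed password for root from 203.0.113.7 port 5523 ssh2",
    "2017-10-02T10:00:05 sshd[413]: Failed password for admin from 198.51.100.4 port 6001 ssh2",
    "2017-10-02T10:00:05 sshd[414]: Failed password for admin from 203.0.113.7 port 5524 ssh2",
    "2017-10-02T10:00:07 sshd[415]: Failed password for admin from 203.0.113.7 port 5525 ssh2",
    "2017-10-02T10:00:09 sshd[416]: Failed password for admin from 203.0.113.7 port 5526 ssh2",
    "2017-10-02T10:00:12 firewall: DENY TCP 203.0.113.7:5530 -> 192.0.2.10:23",
    "2017-10-02T10:00:15 app: heartbeat ok",
    "2017-10-02T10:00:20 sshd[418]: Accepted password for admin from 203.0.113.7 port 5540 ssh2",
]

# Plugin patterns: one per log source (assumed formats, not a vendor plugin).
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) firewall: (?P<action>DENY|ALLOW) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def normalize(line):
    """Map one raw line onto a (category, subtype) taxonomy; None if no plugin matches."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "sshd",
                "category": "authentication",
                "subtype": "login_failure" if m["outcome"] == "Failed" else "login_success",
                "src_ip": m["src"], "user": m["user"]}
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "firewall",
                "category": "firewall",
                "subtype": "deny" if m["action"] == "DENY" else "allow",
                "src_ip": m["src"], "dst_ip": m["dst"], "dst_port": int(m["dport"])}
    return None


def normalize_all(lines):
    """Return (normalized events, raw lines no plugin could read)."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        (events if ev else unparsed).append(ev if ev else line)
    return events, unparsed


def correlate_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Directive: `threshold` login failures from one source inside `window` raises a
    medium alarm; a later success from the same source raises a high alarm."""
    failures = defaultdict(list)   # src_ip -> timestamps of recent failures
    alarms = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] != "authentication":
            continue
        src = ev["src_ip"]
        if ev["subtype"] == "login_failure":
            failures[src].append(ev["ts"])
            failures[src] = [t for t in failures[src] if ev["ts"] - t <= window]
            if len(failures[src]) == threshold:   # fire once, not on every extra failure
                alarms.append({"name": "Brute force attempt", "severity": "medium",
                               "src_ip": src, "count": threshold, "ts": ev["ts"]})
        elif ev["subtype"] == "login_success" and len(failures[src]) >= threshold:
            alarms.append({"name": "Login success after brute force", "severity": "high",
                           "src_ip": src, "user": ev["user"], "ts": ev["ts"]})
            failures[src] = []
    return alarms


if __name__ == "__main__":
    evs, bad = normalize_all(RAW_LOGS)
    print(f"{len(evs)} events normalized, {len(bad)} unparsed: {bad}")
    for alarm in correlate_brute_force(evs):
        print(alarm)
```

The unparsed list is the point of slide 22: a line with no plugin is invisible to correlation, so counting what the SIEM could not read is a tuning task in itself. The directive only fires at exactly the threshold and clears its counter after the success alarm, which is the kind of context that keeps a single source from producing the alert fatigue slide 31 warns about.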

27 Informationisbeautiful.net

28 Alarm and Forensics

29 IR | BPM Ticket and Triage

30 SIEM Lifecycle
Security Incidents / Events
Vulnerabilities
Policy Items
Performance Trends
Tuning
Change
Action Items
Reporting

31 Pitfalls of SIEM Implementations
01 Scope
02 Planning
03 Policy
04 Alert Fatigue / Lack of Context
05 Inadequate staffing

32 Striking the balance: Is a SIEM nice to have or need?
Technologies like Firewalls, IDS/IPS, Content Filtering, and Vulnerability Scanning ARE NOT a replacement for SIEM
Firewalls provide a way to allow traffic in and out of your network…
IDS provide a way to monitor traffic in and out of your network…
IPS sits inline to prevent traffic based on IDS events. Under-tuned it can block legitimate traffic. Over-suppressed it has the potential to miss events.
URL filtering provides a way to monitor and control web traffic…
Vulnerability scanning provides a way to scan and detect vulnerabilities…
Manual tasks required to correlate events
Checks and balance within security roles (engineering, administration, analyst)
Responsibilities (assigned, concerned, responsible)

33 Among other things, our obligation is to protect
CPNI, SPI, PII, PCI, PHI, Non-Public, etc.
Simple Principles:
Where is it on your network
Who has access to it
How is it secured
Who is monitoring it
Who is periodically reviewing it
3rd party testing
Combination of red team / blue team tactics
Checks and balance

34 1+1 should be >2
SIEM does not implement itself. It knows nothing about your environment, your assets or your risks
Business requirements should drive directives and tuning
Turn industry advisories into actionable Indicators of Compromise (IoCs) and/or action items to discuss during security reviews
Signatures, directives and threat feeds are extremely important to detect new and emerging threats
Ultimately the team managing the SIEM and reviewing the reports will make or break its success
Technology (SIEM) + People (Sr. Security Analyst)

35 rhruby@vertek.com ManagedThreatIntelligence.com
Don’t bet on luck Be well prepared ManagedThreatIntelligence.com

