
SIEMs - Decoding The Mayhem


Presentation Transcript


  1. SIEMs - Decoding The Mayhem Bill Dean Director of Computer Forensics Sword & Shield Enterprise Security Inc.

  2. Outline • Today’s Threat Landscape • Why Do I Need a SIEM? • Choosing and Deploying a SIEM • This Will Not Be Boring

  3. Computer Security Landscape • You Are Being Blamed • Your Money Isn’t Safe • Your Information Isn’t Safe • Your Reputation Is at Stake • More Threats, Fewer People

  4. You Are Being Blamed • BotNets • Pivoting

  5. Stealing Your $$

  6. Stealing Your Information • Computers Are No Longer for “Productivity” • You Have Valuable Information • You ARE A Target • You Aren’t Dealing With “Amateurs”

  7. Hacktivists – Exposing Your Secrets

  8. Hacktivists – Exposing Your Secrets

  9. Hacktivists – Business Disruption

  10. Your Challenge

  11. SIEMS

  12. You Need An “Oracle” • Know The Past • Knows The Present • Knows The Future • Knows How to CYA

  13. SIEM Basics • Provides “Instant Replay” • 24 X 7 Security Guard • SIEMs v. Firewall v. IDS v. IPS • SIEM v. SEIM v. SIM • Typically Compliance Driven

  14. Compliance • HIPAA • PII • Data Breach Notification Laws

  15. Why Do I Need A SIEM? • Infrastructure Monitoring • Reporting • Threat Correlation • Instant Replay • Incident Response

  16. What Is Monitored? • Account Activity • Availability • IDS/Context Correlation • Data Exfiltration • Client Side Attacks • Brute Force Attacks

  17. Windows Accounts • Accounts Created, By Whom, and When • New Accounts That Aren’t Standard • New Accounts Created At Odd Times • New Workstation Account Created • Key Group Membership Change • Account Logon Hours

  18. Availability • System Uptime Statistics • Availability Reporting • Uptime is “Relative”

  19. IDS Context/Correlation • Place Value On Assets • Context Is Essential • Maintain Current Vulnerability DBs • Create Priority Rules
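One way to put the four bullets above into practice, as an added Python example (not code from the talk): the same IDS signature is scored differently depending on the value of the target asset and on whether the vulnerability database says the target is actually exposed to what the signature exploits. The asset inventory, the alerts and the "VULN-000n" vulnerability identifiers are constructed placeholders for the demo, not real CVEs or real hosts.

```python
"""Priority scoring for IDS alerts using asset value and vulnerability context.

Added example, not the speaker's code. Asset values, the vulnerability
database and the alerts are constructed; "VULN-000n" are placeholder
identifiers, not real CVEs.
"""

# Assumption: asset value 1 (disposable lab box) to 5 (crown jewels), plus the
# vulnerability IDs the last scan found on each asset.
ASSETS = {
    "10.0.1.5":  {"name": "DC01",  "value": 5, "vulns": {"VULN-0001"}},
    "10.0.2.17": {"name": "WEB01", "value": 4, "vulns": set()},   # patched
    "10.0.9.42": {"name": "LAB07", "value": 1, "vulns": {"VULN-0001", "VULN-0002"}},
}
UNKNOWN_ASSET_VALUE = 3   # assumption: hosts missing from inventory get a middle value

# Constructed alerts: the same exploit signature against three different targets.
ALERTS = [
    {"sig": "SMB exploit attempt", "severity": 4, "dst": "10.0.1.5",   "exploits": "VULN-0001"},
    {"sig": "SMB exploit attempt", "severity": 4, "dst": "10.0.2.17",  "exploits": "VULN-0001"},
    {"sig": "SMB exploit attempt", "severity": 4, "dst": "10.0.9.42",  "exploits": "VULN-0001"},
    {"sig": "Port scan",           "severity": 2, "dst": "10.0.1.5",   "exploits": None},
    {"sig": "Web app attack",      "severity": 3, "dst": "10.0.7.200", "exploits": "VULN-0003"},
]


def score(alert, assets=ASSETS):
    """Priority = IDS severity x asset value, scaled by whether the target is really vulnerable."""
    asset = assets.get(alert["dst"])
    if asset is None:
        # No context at all: keep it visible and get the host inventoried.
        return alert["severity"] * UNKNOWN_ASSET_VALUE, "unknown asset: inventory it"
    base = alert["severity"] * asset["value"]
    vuln = alert["exploits"]
    if vuln is None:
        return base, f"{asset['name']}: no specific vulnerability involved"
    if vuln in asset["vulns"]:
        return base * 2, f"{asset['name']}: target IS vulnerable to {vuln}"
    return base / 4, f"{asset['name']}: target not vulnerable to {vuln} (likely noise)"


def prioritize(alerts, assets=ASSETS):
    """Return (score, reason, alert) triples, highest priority first."""
    ranked = [(*score(a, assets), a) for a in alerts]
    return sorted(ranked, key=lambda r: r[0], reverse=True)


if __name__ == "__main__":
    for s, why, a in prioritize(ALERTS):
        print(f"{s:>5}  {a['sig']:<20} -> {a['dst']:<12} {why}")
```

With this context the exploit attempt against the vulnerable domain controller scores 40 while the identical signature against the patched web server scores 4, which is the difference between a page-out and a line in tomorrow's report; the vulnerability database has to be current for that downgrade to be safe.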

  20. Data Exfiltration • You Must Know What Is “Normal” • Deviations From The Norm Warrant An Alert • Some Events Are “Non-Negotiable” • “You” Typically Initiate Data Transfers
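The two kinds of rule on this slide, a statistical "deviation from normal" and a hard "non-negotiable" rule, as an added Python example that is not part of the talk. The per-host outbound history, today's totals, the host roles, the flow records and every threshold are constructed assumptions; the peer addresses come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.

```python
"""Data-exfiltration rules: per-host outbound baseline plus non-negotiable flows.

Added example, not the speaker's code. History, today's totals, flows, host
roles and thresholds are constructed assumptions.
"""
import statistics

# Constructed 14-day history of outbound megabytes per host.
HISTORY = {
    "WS-0231":   [210, 180, 195, 240, 160, 205, 220, 190, 175, 230, 200, 185, 215, 198],
    "FILESRV01": [3000, 2800, 3200, 2900, 3100, 3050, 2950, 3000, 3150, 2850, 3000, 2900, 3100, 3000],
}
TODAY_MB = {"WS-0231": 4900, "FILESRV01": 3100}
ROLE = {"WS-0231": "workstation", "FILESRV01": "server", "WEB01": "server"}  # assumption

SIGMA = 3.0            # assumption: alert beyond three standard deviations...
MIN_RATIO = 2.0        # assumption: ...and only if at least double the mean (quiet hosts are noisy in sigma terms)
MIN_HISTORY = 7        # assumption: fewer days than this and "normal" is not known yet
SERVE_LIMIT_MB = 100   # assumption: a workstation never serves 100 MB to an outside-initiated connection


def baseline_deviations(history, today, sigma=SIGMA, min_ratio=MIN_RATIO):
    """Hosts whose outbound volume today deviates from their own baseline."""
    alerts = []
    for host, mb in today.items():
        samples = history.get(host, [])
        if len(samples) < MIN_HISTORY:
            alerts.append((host, "no baseline yet"))   # cannot judge deviation without knowing normal
            continue
        mean, sd = statistics.mean(samples), statistics.stdev(samples)
        if mb > mean + sigma * sd and mb > min_ratio * mean:
            alerts.append((host, f"{mb} MB out vs baseline {mean:.0f} +/- {sd:.0f} MB"))
    return alerts


# Constructed flow records: who initiated the connection and how much the host sent.
FLOWS = [
    {"host": "WS-0231", "peer": "203.0.113.9",   "initiated_by": "host", "mb_out": 4600},
    {"host": "WS-0231", "peer": "198.51.100.4",  "initiated_by": "peer", "mb_out": 310},
    {"host": "WEB01",   "peer": "198.51.100.77", "initiated_by": "peer", "mb_out": 900},
]


def non_negotiable(flows, roles=ROLE, limit_mb=SERVE_LIMIT_MB):
    """Flows that are wrong regardless of any baseline: an outside party pulling data off a workstation.

    Servers answer connections from outside by design; a workstation doing so at volume is an alert.
    """
    return [f for f in flows
            if roles.get(f["host"]) == "workstation"
            and f["initiated_by"] == "peer"
            and f["mb_out"] >= limit_mb]


if __name__ == "__main__":
    for host, why in baseline_deviations(HISTORY, TODAY_MB):
        print("baseline:", host, why)
    for f in non_negotiable(FLOWS):
        print("non-negotiable:", f)
```

The workstation's 4.9 GB day trips the baseline rule while the file server's 3.1 GB does not, even though the server moved more data: "normal" is per host, not a global number. The second flow on WS-0231 is small enough to pass the baseline but is caught by the hard rule because the outside host opened the connection.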

  21. Client Side Attacks • Windows Event Log Information • Process Status Changes • New Services Created • Scheduled Task Creation • Changes to Audit Policies
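The account indicators of slide 17 and the client-side indicators of this slide both come down to rules over Windows event-log records, so one added Python example (not code from the talk) serves both. The event IDs are the standard Windows ones: 4720 user account created, 4741 computer account created, 4728/4732 member added to a global/local security group, 4624 successful logon, 7045 service installed (System log), 4698 scheduled task created, 4719 audit policy changed. The business-hours window, the account naming standard, the privileged-group list, the "suspicious path" pattern and the sample events themselves are assumptions constructed for the demo.

```python
"""Rules over Windows event-log records for account activity and client-side compromise.

Added example, not the speaker's code. Business hours, the naming standard,
the privileged groups, the suspicious-path pattern and the events are
constructed assumptions.
"""
import re
from datetime import datetime, time

BUSINESS_HOURS = (time(8, 0), time(18, 0))                                      # assumption
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}    # assumption
NAMING_STANDARD = re.compile(r"^[a-z]{2,8}\d{0,2}$")     # assumption: e.g. jsmith, bsmith2
# Assumption: binaries run as services or scheduled tasks should not live in user-writable paths.
SUSPICIOUS_PATH = re.compile(r"\\(users|temp|appdata|programdata)\\", re.IGNORECASE)

# Constructed sample events (not from any real system). Fields mirror the
# Windows event data a SIEM collector would parse: who did it, when, where.
EVENTS = [
    {"id": 4720, "time": "2012-03-05T10:12:00", "host": "DC01", "subject": "admin.jane", "target": "bsmith"},
    {"id": 4720, "time": "2012-03-06T02:41:00", "host": "DC01", "subject": "svc_backup", "target": "helpdesk.tmp"},
    {"id": 4741, "time": "2012-03-06T02:42:00", "host": "DC01", "subject": "svc_backup", "target": "WS-RECON$"},
    {"id": 4728, "time": "2012-03-06T02:43:00", "host": "DC01", "subject": "svc_backup", "target": "helpdesk.tmp",
     "group": "Domain Admins"},
    {"id": 4624, "time": "2012-03-06T03:05:00", "host": "FILESRV01", "subject": "helpdesk.tmp"},
    {"id": 4624, "time": "2012-03-06T09:30:00", "host": "WS-0231", "subject": "bsmith"},
    {"id": 7045, "time": "2012-03-06T03:07:00", "host": "FILESRV01", "subject": "helpdesk.tmp",
     "name": "WinDefendSvc", "path": r"C:\Users\Public\svch0st.exe"},
    {"id": 7045, "time": "2012-03-06T11:00:00", "host": "WS-0231", "subject": "SYSTEM",
     "name": "Backup Agent", "path": r"C:\Program Files\Backup\agent.exe"},
    {"id": 4698, "time": "2012-03-06T03:09:00", "host": "FILESRV01", "subject": "helpdesk.tmp",
     "name": r"\Updater", "path": r"C:\ProgramData\upd.exe"},
    {"id": 4719, "time": "2012-03-06T03:10:00", "host": "FILESRV01", "subject": "helpdesk.tmp",
     "change": "Audit Logon: Success and Failure -> No Auditing"},
]


def outside_hours(ts):
    """True when the timestamp falls outside the assumed business-hours window."""
    t = datetime.fromisoformat(ts).time()
    return not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1])


def evaluate(events):
    """Return (rule, severity, event) triples; the event keeps who, when and where."""
    hits = []

    def hit(rule, severity, e):
        hits.append((rule, severity, e))

    for e in events:
        eid = e["id"]
        if eid == 4720:
            hit("account_created", "info", e)          # always reported: by whom, and when
            if not NAMING_STANDARD.match(e["target"]):
                hit("account_name_nonstandard", "high", e)
            if outside_hours(e["time"]):
                hit("account_created_off_hours", "high", e)
        elif eid == 4741:
            hit("computer_account_created", "medium", e)
        elif eid in (4728, 4732) and e["group"] in PRIVILEGED_GROUPS:
            hit("privileged_group_change", "high", e)
        elif eid == 4624 and outside_hours(e["time"]):
            hit("logon_off_hours", "medium", e)
        elif eid in (7045, 4698):
            rule = "service_installed" if eid == 7045 else "scheduled_task_created"
            severity = "high" if SUSPICIOUS_PATH.search(e["path"]) else "info"
            hit(rule, severity, e)
        elif eid == 4719:
            hit("audit_policy_changed", "high", e)      # attackers turn logging off first
    return hits


def high_severity(hits):
    """The rows an analyst sees first: rule, host, actor, time."""
    return [(rule, e["host"], e["subject"], e["time"]) for rule, sev, e in hits if sev == "high"]


if __name__ == "__main__":
    for row in high_severity(evaluate(EVENTS)):
        print(*row)
```

Read in order, the high-severity rows tell the story the slides describe: an off-hours account with a non-standard name, added to Domain Admins, logging on to a file server, installing a service from a user-writable path, scheduling a task and then switching logon auditing off. Each rule alone is a line in a report; correlated by actor and time they are an incident.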

  22. Brute-force Attacks • Detailed Reports of Failed Logins • Source Of Failed Login Attempts • Locked Accounts Report
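The three reports on this slide need a time window rather than a single-event rule, so here is an added Python example (not code from the talk) that counts Windows 4625 "logon failed" events per source inside a sliding window and lists 4740 "account locked out" events with the caller that triggered them. The window, the threshold, the addresses and the events are constructed assumptions.

```python
"""Brute-force detection: failed logons per source in a sliding window, plus lockouts.

Added example, not the speaker's code. 4625 is the Windows "logon failed"
event and 4740 "account locked out"; window, threshold and events are
constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumption
THRESHOLD = 10                  # assumption: 10 failures from one source inside the window


def make_failures(src, account, start, count, step_seconds):
    """Construct `count` 4625 events from `src` against `account`, `step_seconds` apart."""
    t0 = datetime.fromisoformat(start)
    return [{"id": 4625, "time": (t0 + timedelta(seconds=i * step_seconds)).isoformat(),
             "src": src, "account": account} for i in range(count)]


# Constructed sample: one external source hammering 'administrator' every 15 s,
# one internal user mistyping a password three times over an hour, one lockout.
EVENTS = (
    make_failures("203.0.113.50", "administrator", "2012-03-06T02:10:00", 12, 15)
    + make_failures("10.0.3.8", "bsmith", "2012-03-06T08:00:00", 3, 1200)
    + [{"id": 4740, "time": "2012-03-06T02:13:30", "account": "administrator",
        "caller": "203.0.113.50"}]
)


def detect_bruteforce(events, window=WINDOW, threshold=THRESHOLD):
    """One alert per source, raised the first time it reaches `threshold` failures inside `window`."""
    recent = defaultdict(deque)   # src -> (time, account) pairs still inside the window
    fired, alerts = set(), []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] != 4625:
            continue
        t, src = datetime.fromisoformat(e["time"]), e["src"]
        q = recent[src]
        q.append((t, e["account"]))
        while t - q[0][0] > window:       # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold and src not in fired:
            fired.add(src)
            alerts.append({"src": src, "failures": len(q),
                           "accounts": sorted({a for _, a in q}),   # one account or a spray
                           "first": q[0][0].isoformat(), "last": t.isoformat()})
    return alerts


def lockout_report(events):
    """Locked-out accounts with the caller that triggered the lockout and when."""
    return [(e["account"], e["caller"], e["time"]) for e in events if e["id"] == 4740]


if __name__ == "__main__":
    for a in detect_bruteforce(EVENTS):
        print("brute force:", a)
    for row in lockout_report(EVENTS):
        print("lockout:", row)
```

The `accounts` field is what separates a password guess against one account from a spray across many; the same window logic catches both, and the lockout report is the cross-check that tells you whether the attempts were also costing legitimate users their access.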

  23. Incident Response

  24. Incident Response Scenario #1 • Law Firm With Dealings In China • Law Firm Was “Owned” More Than A Year • Access To Every Machine On Network • Thousands of “Responsive” Emails Obtained • “Privilege” Was Not Observed

  25. Incident Response Scenario #2 • VP of Finance Promoted to CFO • Attack on the “Weakest” Link

  26. AV Will Save Us!!

  27. Incident Response Scenario #3

  28. How SIEMs Would Have Helped • Accounts Enabled • Services Created • Firewall Changes • Data Exfiltration • Network Communications • Incident Response Costs

  29. Choosing A SIEM • Not a Replacement for Security Engineers • Must Support Disparate Devices (Agentless) • Don’t Plan To Monitor? DON’T BOTHER

  30. Deploying a SIEM • Architecture Options • Tuning Out The “Noise”

  31. SIEM Option$ • Outsourced Options • SecureWorks • High-Cost • ArcSight, Q1 Labs QRadar, RSA, Tripwire • Lower-Cost • Q1 Labs FE, TriGeo, Splunk • No-Cost • OSSIM • OSSEC

  32. Summary • You Must Anticipate Today’s Threats • SIEMs Are Extremely Valuable • SIEMs Are Not A Silver Bullet

  33. Questions? Bill Dean Director of Computer Forensics Sword & Shield Enterprise Security Inc. bdean@swordshield.com http://www.twitter.com/BillDeanCCE
