SIEM Evolution: A day in the life of a Security Architect
Stijn Vande Casteele
28 September 2009
Who are we / Key Brands
www.arcsight.com © 2009 ArcSight Confidential 2
International presence: Leading ICT integrator in Western Europe
• Leading ICT integrator in Belgium, France & Luxembourg
• 32 affiliates in Western Europe
• Global reach through strategic partners
What do I do?
• My team provides solutions to underpin the on-site and managed SIEM services, with a focus on the what and the how!
• Engineer a grid/cloud/infrastructure to deliver these services to customers (enterprises) with a focus on security operations.
• Steer the service catalogue with fresh use cases (add value).
• Integrate technologies with our architecture to build automations and enhance the richness of our SIEM clouds:
  • Data sources configuration documents
  • Automatic ticket creation
  • Portal visualizations
  • Self monitoring
• 2nd line support for security management related infrastructure (application/systems) and forensic security investigations.
• Advice in general on a diverse range of pre-sales and service questions within this domain.
• Objective: centre of excellence (SIEM think-tank for the Belgacom group)
Agenda
• Security Monitoring
• SIEM architectures
• Use Cases
Firewall Security Monitoring
• Inbound Top Drops: active list with confirmed scanners from the Internet
• Outbound Top Drops: can spot infected internal systems or configuration errors (e.g. wrong DNS or NTP client configuration)
• Outbound: if the firewall accepts from IP addresses in the active list, increase event priority
(Diagram: firewall logs feed the SIEM)
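The three rules on this slide, written out as an added example that is not part of the deck and not ArcSight content: inbound drops feed an active list of confirmed scanners, outbound drops are counted per internal host, and an accepted flow involving a listed scanner gets its priority raised. The key=value log format, the threshold and the priority values are assumptions made for the example.

```python
from collections import Counter

# Thresholds are constructed for this example, not ArcSight defaults.
SCAN_THRESHOLD = 3       # inbound drops before a source becomes a confirmed scanner
BASE_PRIORITY = 3        # priority of an ordinary accepted connection
ESCALATED_PRIORITY = 8   # priority when a listed scanner IP is involved

# Constructed firewall log lines in a simplified key=value format.
# 203.0.113.5 is a (documentation-range) Internet host probing three ports.
SAMPLE_LOGS = """\
action=drop dir=inbound src=203.0.113.5 dst=198.51.100.10 dport=22
action=drop dir=inbound src=203.0.113.5 dst=198.51.100.11 dport=23
action=drop dir=inbound src=203.0.113.5 dst=198.51.100.12 dport=3389
action=accept dir=outbound src=10.0.0.9 dst=203.0.113.5 dport=443
action=accept dir=inbound src=198.51.100.77 dst=198.51.100.20 dport=443
action=drop dir=outbound src=10.0.0.9 dst=192.0.2.53 dport=53
"""

def parse(line):
    """Split 'k=v k=v ...' into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())

def correlate(log_text):
    """Replay events in arrival order and return
    (active_list, accepts, outbound_drops):
      active_list    - source IPs that crossed SCAN_THRESHOLD inbound drops
      accepts        - (dir, src, dst, dport, priority) per accepted event
      outbound_drops - per-source count, the raw material for 'Outbound Top Drops'
    """
    inbound_drops = Counter()
    outbound_drops = Counter()
    active_list = set()
    accepts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["action"] == "drop" and ev["dir"] == "inbound":
            inbound_drops[ev["src"]] += 1
            if inbound_drops[ev["src"]] >= SCAN_THRESHOLD:
                active_list.add(ev["src"])          # confirmed scanner
        elif ev["action"] == "drop" and ev["dir"] == "outbound":
            outbound_drops[ev["src"]] += 1          # infected host or misconfig candidate
        elif ev["action"] == "accept":
            # Any accepted flow touching a listed scanner is escalated; the
            # outbound case flags an internal host talking back to the scanner.
            listed = ev["src"] in active_list or ev["dst"] in active_list
            prio = ESCALATED_PRIORITY if listed else BASE_PRIORITY
            accepts.append((ev["dir"], ev["src"], ev["dst"], ev["dport"], prio))
    return active_list, accepts, outbound_drops
```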
Security Analysis
• Unlike firewalls, IDS/IPS provide information up to OSI layer 7 via signature-based detection methods
• Typical attacks detected by IDS/IPS: worms, exploits, brute-force attacks, backdoors, covert channels.
• IDS/IPS are best placed where "threat x asset value" is high (e.g. DMZ, server farm)
• IDS/IPS provide input for SIEM tools to correlate with Vulnerability and Asset (VA) data
Monitoring WiFi GUEST traffic
(Diagram: End-user → Cisco WLC → Cisco ASA → Internet)
• Cisco WLC logs: End-User MAC Address, End-User IP Address, End-User Account Name
• Cisco ASA logs: End-User IP Address, Web Target Address, Web Target Port
• Correlated in the SIEM: End-User MAC Address, End-User IP Address, End-User Account Name, Web Target Address, Web Target Port
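The join this slide describes, as an added example that is not part of the deck: WLC events establish which MAC address and guest account hold an IP, and each ASA web event is enriched with that identity by matching on the end-user IP. Events are replayed in time order so that a reassigned guest IP is attributed to the account that held it at the time; the field names, timestamps and addresses are constructed for the example.

```python
# Constructed WLC session events: which MAC / guest account currently holds an IP.
# The third event shows 10.10.5.21 being reassigned to a new guest later on.
WLC_EVENTS = [
    {"t": 100, "mac": "00:11:22:33:44:55", "ip": "10.10.5.21", "user": "guest0142"},
    {"t": 105, "mac": "66:77:88:99:aa:bb", "ip": "10.10.5.22", "user": "guest0143"},
    {"t": 300, "mac": "cc:dd:ee:ff:00:11", "ip": "10.10.5.21", "user": "guest0150"},
]

# Constructed ASA events: guest source IP -> web target address / port.
ASA_EVENTS = [
    {"t": 120, "src_ip": "10.10.5.21", "dst": "192.0.2.40", "dport": 443},
    {"t": 130, "src_ip": "10.10.5.99", "dst": "192.0.2.42", "dport": 443},  # no WLC session seen
    {"t": 310, "src_ip": "10.10.5.21", "dst": "192.0.2.41", "dport": 80},
]

def correlate(wlc_events, asa_events):
    """Merge both feeds by timestamp. WLC events update the IP -> (MAC, account)
    session table; each ASA event is enriched with the identity that held its
    source IP at that moment. Unmatched IPs get None so the gap stays visible."""
    stream = sorted(
        [("wlc", e) for e in wlc_events] + [("asa", e) for e in asa_events],
        key=lambda item: item[1]["t"],
    )
    sessions = {}
    enriched = []
    for kind, ev in stream:
        if kind == "wlc":
            sessions[ev["ip"]] = (ev["mac"], ev["user"])
        else:
            mac, user = sessions.get(ev["src_ip"], (None, None))
            enriched.append({**ev, "mac": mac, "user": user})
    return enriched
```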
Monitoring business risks (business impact)
• Confidentiality: protecting sensitive information from unauthorised disclosure or malicious interception.
• Integrity: safeguarding the accuracy and completeness of information.
• Availability: ensuring that vital IT services and information are available when required.
Agenda
• Security Monitoring
• SIEM architectures
• Use Cases
Some history…
ArcSight 2.1 (Sept 2003)
ArcSight 2.2 (POC)
ArcSight 2.5 (Production Jan 2004)
ArcSight 3.0 (Production Oct 2004)
ArcSight 3.5 (Production Mar 2006)
ArcSight 4.0 (Production Sept 2007)
Telindus hardware tests
Two different hardware platforms were tested from an ArcSight manager performance perspective:
• As the biggest factor in database performance is the available RAM and the SAN read/write speed, the OS/architecture is not so influential.

Model           | Architecture | CPU                      | RAM   | OS
Sun SPARC T2000 | SPARC T1     | 1 x 8 core (1.2 GHz)     | 32 GB | Solaris 10
Sun Fire X2100  | AMD X_64     | 1 x dual core (1.8 GHz)  | 4 GB  | Red Hat 4.5

• It seems to Telindus that the ArcSight 4.0 JRE is not optimized to make use of the multi-thread (CMT) possibilities of the SUN T1 processor. The AMD X_64 / Red Hat platform significantly outperformed the SPARC T1 / Solaris platform.
ArcSight test graph (Y-axis = EPS in thousands, X-axis = number of CPU cores)
Security Event Lifecycle
Log Sources
(Diagram: bubble chart of log sources; diameter is proportional to the event amounts, position reflects relevance with respect to security information and correlation capabilities, i.e. security information value)
• Categories: security events and information; network and application events / information
• Sources shown: NIPS (Network Intrusion Prevention Systems), VA data, HIPS, AV, FW (firewalls), routers & switches, web servers, OS logs, proxy, DB logs, monitoring logs, AIM, reverse proxy, web content screening, email / smartphone gateways, NBA
Standardized data collection?
We need a uniform way in which computer events are described, logged, and exchanged.
Agenda
• Security Monitoring
• SIEM architectures
• Use Cases
Use Case Library
• Perimeter defence
• Regulatory compliance
• Insider threat
SIEM audit report
Security Operations
Event Management
Conclusions
• Carefully plan your SIEM migrations with business and operations!
• Make checklists, cheat sheets and technical notes to educate your security analysts on new evolutions.
• Keep a change log for SIEM content adaptations.
• Think out-of-the-box, SIEM has a lot of potential but KISS towards the outside.
• Request (simple) KPIs on how your application/service is evolving.
• Use intake templates to facilitate the scoping exercise towards your client.
• Centralize your efforts, look for partners and create a centre of excellence in your organization around security monitoring.
Questions?
http://www.linkedin.com/in/ictsecurity
http://www.twitter.com/securityworld