Page 1

SIEM: The Tangible and Intangible ROI

Trey Ackerman, Director Systems Engineering, NA

trey@alienvault.com

Page 2

What is a SIEM?

Page 3

Standard SIEM Deployment

(diagram) Assessment, Discovery, Detection and Monitoring tools send Events to the SIEM; the SIEM raises an Alert, which goes to Incident Response.

Page 4

Security Automation

(diagram) Assessment, Discovery, Detection, Monitoring: two-way flow of information between the tools and the SIEM.

Page 5

Security Automation: Dynamic Event Validation

(flow) Vulnerability discovered / Attack observed → Was the attack successful? → Any connections from the target machine to the attacker? → Alert
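The validation chain on this slide, written out as an added example (this is not AlienVault's code): an IDS event is checked against the target's scanner-reported vulnerabilities and against later flows from the target back to the attacker, and the alert priority rises with the evidence. Host addresses, the vulnerability id and the priority rules are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass
class AttackEvent:
    ts: float     # event time in seconds (constructed sample values in the test)
    src: str      # attacker address as seen by the IDS
    dst: str      # target address
    vuln_id: str  # vulnerability the IDS signature targets (placeholder ids here)

@dataclass
class Flow:
    ts: float
    src: str
    dst: str
    dport: int

# Constructed vulnerability inventory, as a scanner feeding the SIEM would supply it.
VULN_INVENTORY: Dict[str, Set[str]] = {
    "10.0.0.5": {"VULN-PLACEHOLDER-1"},
    "10.0.0.6": set(),
}

def validate_event(event: AttackEvent, flows: List[Flow],
                   inventory: Dict[str, Set[str]], window: float = 300.0) -> dict:
    """Answer the slide's two questions and set an alert priority.

    1. Was the attack likely successful?  Approximated by whether the target is
       known to carry the vulnerability the signature targets.
    2. Did the target connect to the attacker afterwards?  Any flow from target
       to attacker within `window` seconds of the event counts as a callback.
    The priority rules below are an assumption of this example.
    """
    vulnerable = event.vuln_id in inventory.get(event.dst, set())
    callbacks = [f for f in flows
                 if f.src == event.dst and f.dst == event.src
                 and event.ts <= f.ts <= event.ts + window]
    if vulnerable and callbacks:
        priority, reason = "high", "target vulnerable and connected back to attacker"
    elif callbacks:
        priority, reason = "medium", "target connected back to attacker"
    elif vulnerable:
        priority, reason = "medium", "target vulnerable; no callback observed"
    else:
        priority, reason = "low", "target not vulnerable; no callback observed"
    return {"attacker": event.src, "target": event.dst, "vulnerable": vulnerable,
            "callbacks": len(callbacks), "priority": priority, "reason": reason}
```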

Page 6

Security Automation: IR Workflow Automation

(diagram) Network Flow Analysis; Shellcode Analysis; Vulnerability Assessment; Full Packet Analysis; Service Monitoring

Incident Response workflow automation starts with a click of a menu and provides …

Page 7

Security Research

Page 8

Start with a Robust and Powerful SIEM Platform

SIEM

Analysis, Incident Management & Reporting
• Event Normalization
• Real-time Analysis & Correlation
• Unified Management

Compliance Logging
• Forensically secured
• Highly scalable (SAN/NAS)
• Rich query interface

Basic Security Events
• Network
• Endpoint

Page 9

Extend the Monitoring and Contextual Input

SIEM

Basic Security Events
• Network
• Endpoint
• Wireless

Assessment Tools
• Threats
• Vulnerability

Detection Tools
• IDS / IPS
• Host IDS
• FIM

Discovery Tools
• Identity
• Assets

Monitoring Tools
• Users/Data
• Apps/Services

Page 10

Problem! Generating that data requires expensive, sophisticated tools

(diagram) Standard SIEM fed by Assessment Tools, Discovery Tools, Detection Tools, Monitoring Tools and Basic Security Events

Page 11

Solution: Unified Security Management

(diagram) AlienVault SIEM: SIEM; IDS/IPS; WIDS; HIDS / File Integrity; User & Data; Application & Services; Vulnerability Assessment; Threat Assessment; Identity; Asset Inventory; Basic Security Events

Detection: Signature and anomaly based intrusion protection (Host, Network, Wireless)

Assessment: Vulnerability and threat assessment

Discovery: An inventory of all security relevant assets under management

Monitoring: Insight into availability of services, activities of users, and flow of data

Page 12

Integration reduces time to visibility

1. Automatically inventories assets
2. Assesses assets for vulnerabilities
3. Analyzes behavior to detect intrusions
4. Monitors systems for disruptions
5. Correlates for targeted alerts

• Full Visibility out of the box
• Assets
• Network Activity
• Vulnerabilities

What do I need to RIGHT NOW?

Page 13

There is No Security Without Visibility

What is happening?

Where is it happening?

What does that mean to my business? (Am I going to get fired?)

“You cannot fight what you cannot see.”

Page 14

Technology is no longer the impediment …

• Licensing cost

• Staff to manage the deployment

• Time to make the products work together

Page 15

ROI for the IT Team

Page 16

For example, just PCI Compliance …

1.1.2 Network map
1.1.5 Asset Inventory
10.7 Log management
11.1 Wireless IDS
11.2 Vulnerability Assessment
11.4 Intrusion Detection System (IDS)
11.5 File Integrity Monitoring
12.5.2 SIEM

The SIEM pulls it all together, but SIEM alone is not enough

Page 17

And it costs you more than just money …

Product | License Cost | Hours to implement
Network Map | $40,000 | 80
Asset Inventory | $120,000 | 320
Log Management | $120,000 | 640
Wireless IDS | $80,000 | 80
Vulnerability Assessment | $80,000 | 160
IDS | $300,000 | 320
File Integrity Monitoring | $120,000 | 320
SIEM | $200,000 | 640
TOTAL | $1,060,000 | 2,520 hours (15 Months)

Estimated price based on consulting engagement for 200 node data center

Page 18

If you already have all of those security controls …

Product | License Cost | Hours to integrate
Network Map | 0 | 40
Asset Inventory | 0 | 160
Log Management | 0 | 320
Wireless IDS | 0 | 40
Vulnerability Assessment | 0 | 80
IDS | 0 | 160
File Integrity Monitoring | 0 | 160
TOTAL | $0 | 960 hours (6 Months)

Estimated price based on consulting engagement for 200 node data center

How long to make them SIEM Aware?

Page 19

Built-in security tools save money and time …

Product | License Cost | Hours
Network Map | Included | Automated
Asset Inventory | Included | Automated
Log Management | Included | Automated
Wireless IDS | Included | Automated
Vulnerability Assessment | Included | Automated
IDS | Included | Automated
File Integrity Monitoring | Included | Automated
SIEM | $200,000 | 320
TOTAL | $200,000 | 2 Months

Page 20

ROI for the Executive Team

Page 21

ROI for the Executive Team

Basis of Model / Summary of Costs

Breach Type | Cost with Visibility | Cost without Visibility | Savings | Distribution of Breaches
Basic Breach (Data Theft, Unauthorized Access) | $18,900 | $126,000 | $107,100 | $42,840.00
Breach Causing Damage to IT Assets (No law enforcement) | $56,700 | $378,000 | $321,300 | $96,390.00
Non-Public Breach (Law enforcement investigation) | $1,125,130 | $4,002,432 | $2,877,302 | $834,417.70
Public Breach (Law enforcement investigation) | $1,767,730 | $7,152,432 | $5,384,702 | $53,847.02
Total Savings | | | | $1,027,494.72

(The last column is each row's Savings weighted by that breach type's share of the breach distribution; the four weighted figures sum to the Total Savings shown.)

Page 22

Calculated Costs

Incident | Forensic Consulting for Clean up | Legal Fees | Internal Costs (IT Systems & Staff) | Legal Exposure | Public Relation Cost
Few systems compromised | $25,000 | $0 | $0 | $0 | $0
System performance degradation | $75,000 | $0 | $0 | $0 | $0
Non-Public Breach (Law enforcement investigation) | $100,000 | $25,000 | $0 | $649,133 | $20,000
Public Breach (Law enforcement investigation) | $500,000 | $150,000 | $0 | $649,133 | $120,000

Page 23

Calculated Costs

Factor | Cost | Note
Forensic for major incident | $100,000.00 | Work w/ forensic consulting organization
Forensic for minor incident | $25,000.00 | Work w/ forensic consulting organization
Reduction of forensic cost by visibility | 0.5 |
Months of Public Relation for non-public breach | 1 |
Months of PR for public breach | 6 |
Months of legal for non-public breach | 1 |
Months of legal for public breach | 6 |
Cost per public record | $214.00 | Ponemon Institute 2011
Cost per corporate record | $71.33 | Derivative of public record cost
Cost per business partner record | $107.00 | Derivative of public record cost

Page 24

AlienVault - Creators of Open Source SIM

A Little About Us

Page 25

Page 26

Our roots …

• MSSP & Consultants

• Leverage open-source to provide best value

• Limited by time & resources

• Founded OSSIM

• Started building in best of breed open-source tools

• Provided unified management capabilities

• Focus on building-in open source security tools

• Focused on unified management for a small team

• Integrated controls & SIEM to reduce time to secure

• Priced for protection

Page 27

AlienVault Unified Security Management Platform

Over 30 essential security management tools built-in

(diagram) USM: Assessment; Asset Discovery

Open source in the box with ability to integrate best of breed commercial solutions as needed

Page 28

Recent Headlines

“A pernicious virus that infects the middleware of smart card readers is attacking users of U.S. Department of Defense (DoD) and Windows smart cards… The trojan, first identified by Alienvault Labs, appears targeted at a particular type of application”

AlienVault Nabs Seven Senior HP Security Execs

Page 29

Security Research: Additional Resources

Page 30

Sample Forensics Report Output

Forensic reports should include:

1. Incident Summary
2. Investigation Commenced
3. Investigative Steps
   • Forensic/Network Analysis
   • Document Review
   • Interviews
4. Summary of Principal Findings
5. Forensic Analysis
   • Applicable Policies
   • Factual Chronology
   • Dates of Events
6. Findings & Conclusions

Page 31

Analysis and Research Resources

Malware Analysis Resources including:
• PDF Analysis Tools
• Sandbox Tools for Malware Analysis
• Adobe Flash/Shockwave Analysis Tools
• Online Scanner and Malware Analysis tools
• http://t.co/i1p6zFRc

Nice egress testing tool: "Egress Buster"
• https://www.secmaniac.com/blog/2012/02/29/new-tool-release-egress-buster-find-outbound-ports/

10 SQL Injection Tools For Database Pwnage
• http://t.co/3kFXzLrG

Page 32

Thank you