SIEM: The Tangible and Intangible ROI
Trey Ackerman, Director Systems Engineering, NA
What is a SIEM?
Standard SIEM Deployment (diagram): Assessment, Discovery, Detection and Monitoring tools send Events one way into the SIEM, which raises an Alert for Incident Response.
Security Automation (diagram): the same Assessment, Discovery, Detection and Monitoring tools and the SIEM, with a two-way flow of information between them.
Security Automation: Dynamic Event Validation (diagram)
Vulnerability discovered -> Attack observed -> Was the attack successful? -> Any connections from the target machine to the attacker? -> Alert
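The validation chain on this slide, as an added worked example (this is illustration code written for this transcript, not AlienVault or OSSIM code): an IDS alert is held until the target's last vulnerability scan says whether the attacked flaw is present and the flow records say whether the target connected back to the attacker, and only then becomes an alert with a priority. Every host address, the signature id 2001, the scanner finding id `web-rce-001` and all flows are constructed for the example.

```python
"""Dynamic event validation over constructed data.

Added example for this transcript; not AlienVault or OSSIM code.
An IDS alert is answered from context before it is raised:
  1. Was the attack successful?  From the target's last vulnerability scan.
  2. Did the target connect back to the attacker?  From network flows.
Every host, port, signature id, finding id and flow below is made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class IdsAlert:
    ts: datetime
    attacker: str
    target: str
    dport: int               # service port the attack was sent to
    sid: int                 # IDS signature id (constructed)
    vuln_id: Optional[str]   # scanner finding the signature maps to, if any (constructed)
    msg: str


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    bytes_out: int


@dataclass(frozen=True)
class Verdict:
    priority: str               # critical / high / medium / low / info
    successful: Optional[bool]  # None: the scan data cannot answer
    callbacks: int              # connections from target to attacker after the alert
    reasons: tuple


def callbacks_for(alert: IdsAlert, flows: List[Flow], window: timedelta) -> List[Flow]:
    """Connections the target opened to the attacker after the attack.
    Flow exporters emit both halves of a session, so the reverse half of the
    attacker's own connection (source port == attacked port) is skipped;
    otherwise every blocked attack would look like a callback."""
    return [
        f for f in flows
        if f.src == alert.target and f.dst == alert.attacker
        and alert.ts <= f.ts <= alert.ts + window
        and f.sport != alert.dport
    ]


def validate(alert: IdsAlert, scans: Dict[str, Set[str]], flows: List[Flow],
             window: timedelta = timedelta(minutes=15)) -> Verdict:
    """scans maps host -> finding ids from its last scan. A scanned host with
    no findings maps to an empty set; a host never scanned is absent. Only a
    host that was actually scanned can be called 'not vulnerable'."""
    reasons = []
    if alert.target not in scans:
        successful = None
        reasons.append("target has no scan result; vulnerability state unknown")
    elif alert.vuln_id is None:
        successful = None
        reasons.append(f"signature {alert.sid} is not tied to a scanner finding")
    else:
        successful = alert.vuln_id in scans[alert.target]
        reasons.append(f"scan shows target {'is' if successful else 'is not'} "
                       f"vulnerable to {alert.vuln_id}")

    cb = callbacks_for(alert, flows, window)
    if cb:
        reasons.append(f"{len(cb)} new connection(s) from target to attacker within {window}")

    if successful and cb:
        priority = "critical"   # exploitable target and a callback: assume compromise
    elif cb:
        priority = "high"       # callback without proof of exploitability: investigate
    elif successful:
        priority = "medium"     # exploitable target, no callback seen yet
    elif successful is None:
        priority = "low"        # cannot validate; schedule a scan of the target
    else:
        priority = "info"       # attack against a non-vulnerable host; keep for statistics
    return Verdict(priority, successful, len(cb), tuple(reasons))


# --- constructed sample data ---------------------------------------------
T0 = datetime(2012, 3, 1, 10, 0, 0)
ATTACKER = "203.0.113.7"
SCANS: Dict[str, Set[str]] = {
    "10.0.0.5": {"web-rce-001"},   # scanned, vulnerable to the attacked flaw
    "10.0.0.6": set(),             # scanned, no findings
}                                  # 10.0.0.7 was never scanned
FLOWS: List[Flow] = [
    Flow(T0 + timedelta(seconds=1), "10.0.0.5", 80, ATTACKER, 51000, 1200),    # reverse half of the attack session
    Flow(T0 + timedelta(minutes=2), "10.0.0.5", 49152, ATTACKER, 4444, 8000),  # callback from the target
    Flow(T0 + timedelta(minutes=3), "10.0.0.5", 49153, "10.0.0.9", 53, 90),    # unrelated DNS lookup
    Flow(T0 + timedelta(minutes=5), "10.0.0.6", 49200, ATTACKER, 443, 3000),   # callback from a host the scan calls clean
]


def alert_for(target: str) -> IdsAlert:
    return IdsAlert(T0, ATTACKER, target, 80, 2001, "web-rce-001",
                    "WEB exploit attempt (constructed signature)")


def run() -> Dict[str, Verdict]:
    """Validate the same attack against each of the three sample targets."""
    return {t: validate(alert_for(t), SCANS, FLOWS) for t in ("10.0.0.5", "10.0.0.6", "10.0.0.7")}


if __name__ == "__main__":
    for host, v in run().items():
        print(f"{host}: {v.priority:8s} successful={v.successful} "
              f"callbacks={v.callbacks}; " + "; ".join(v.reasons))
```

Two choices carry the weight here. A missing scan result is treated as "unknown" rather than "not vulnerable", so an unscanned host cannot silently downgrade an alert; and the callback check excludes the reverse half of the attacker's own session, which unidirectional flow export would otherwise present as traffic from the target to the attacker.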
Security Automation: IR Workflow Automation
Network Flow Analysis
Shellcode Analysis
Vulnerability Assessment
Full Packet Analysis
Incident Response workflow automation starts with a click of a menu and provides …
Service Monitoring
Security Research
Start with a Robust and Powerful SIEM Platform
Analysis, Incident Management & Reporting
• Event Normalization
• Real-time Analysis & Correlation
• Unified Management
Compliance Logging
• Forensically secured
• Highly scalable (SAN/NAS)
• Rich query interface
SIEM
Basic Security Events
• Network
• Endpoint
Extend the Monitoring and Contextual Input
Basic Security Events
• Network
• Endpoint
• Wireless
Assessment Tools
• Threats
• Vulnerability
Detection Tools
• IDS / IPS
• Host IDS
• FIM
Discovery Tools
• Identity
• Assets
SIEM
Monitoring Tools
• Users/Data
• Apps/Services
Problem! Generating that data requires expensive, sophisticated tools.
Standard SIEM (diagram): Assessment Tools, Discovery Tools, Detection Tools, Monitoring Tools and Basic Security Events all feed the SIEM.
Monitoring: insight into availability of services, activities of users, and flow of data.
AlienVault SIEM (diagram): the SIEM with IDS/IPS, WIDS, HIDS / File Integrity, User & Data, Application & Services, Vulnerability Assessment, Threat Assessment, Identity, Asset Inventory and Basic Security Events built in.
Solution: Unified Security Management
Detection: signature- and anomaly-based intrusion protection (Host, Network, Wireless)
Assessment: vulnerability and threat assessment
Discovery: an inventory of all security-relevant assets under management
Integration reduces time to visibility
1. Automatically inventories assets
2. Assesses assets for vulnerabilities
3. Analyzes behavior to detect intrusions
4. Monitors systems for disruptions
5. Correlates for targeted alerts
• Full visibility out of the box
• Assets
• Network Activity
• Vulnerabilities
What do I need to know RIGHT NOW?
There is No Security Without Visibility
What is happening?
Where is it happening?
What does that mean to my business? (Am I going to get fired?)
“You cannot fight what you cannot see.”
Technology is no longer the impediment …
• Licensing cost
• Staff to manage the deployment
• Time to make the products work together
ROI for the IT Team
For example, just PCI Compliance …
1.1.2 Network map
1.1.5 Asset Inventory
10.7 Log management
11.1 Wireless IDS
11.2 Vulnerability Assessment
11.4 Intrusion Detection System (IDS)
11.5 File Integrity Monitoring
12.5.2 SIEM
The SIEM pulls it all together, but SIEM alone is not enough
And it costs you more than just money …
Product | License Cost | Hours to implement
Network Map | $40,000 | 80
Asset Inventory | $120,000 | 320
Log Management | $120,000 | 640
Wireless IDS | $80,000 | 80
Vulnerability Assessment | $80,000 | 160
IDS | $300,000 | 320
File Integrity Monitoring | $120,000 | 320
SIEM | $200,000 | 640
TOTAL | $1,060,000 | 2,560 hours (about 15 months)
Estimated price based on a consulting engagement for a 200-node data center
If you already have all of those security controls …
Product | License Cost | Hours to integrate
Network Map | $0 | 40
Asset Inventory | $0 | 160
Log Management | $0 | 320
Wireless IDS | $0 | 40
Vulnerability Assessment | $0 | 80
IDS | $0 | 160
File Integrity Monitoring | $0 | 160
TOTAL | $0 | 960 hours (6 months)
Estimated price based on a consulting engagement for a 200-node data center
How long to make them SIEM Aware?
Built-in security tools save money and time …
Product | License Cost | Hours
Network Map | Included | Automated
Asset Inventory | Included | Automated
Log Management | Included | Automated
Wireless IDS | Included | Automated
Vulnerability Assessment | Included | Automated
IDS | Included | Automated
File Integrity Monitoring | Included | Automated
SIEM | $200,000 | 320
TOTAL | $200,000 | 320 hours (2 months)
ROI for the Executive Team
Basis of Model: Summary of Costs
Breach Type | Cost with Visibility | Cost without Visibility | Savings | Savings weighted by Distribution of Breaches
Basic Breach (Data Theft, Unauthorized Access) | $18,900 | $126,000 | $107,100 | $42,840.00
Breach Causing Damage to IT Assets (No law enforcement) | $56,700 | $378,000 | $321,300 | $96,390.00
Non-Public Breach (Law enforcement investigation) | $1,125,130 | $4,002,432 | $2,877,302 | $834,417.70
Public Breach (Law enforcement investigation) | $1,767,730 | $7,152,432 | $5,384,702 | $53,847.02
Total Savings | $1,027,494.72
Calculated Costs
Breach Type | Forensic | Consulting for Clean up | Legal Fees | Internal Costs (IT Systems & Staff) | Legal Exposure | Public Relation Cost
Few systems compromised | $25,000 | $0 | $0 | $0 | $0
System performance degradation | $75,000 | $0 | $0 | $0 | $0
Non-Public Breach (Law enforcement investigation) | $100,000 | $25,000 | $0 | $649,133 | $20,000
Public Breach (Law enforcement investigation) | $500,000 | $150,000 | $0 | $649,133 | $120,000
(The transcript carries five figures per row against six cost headings. The Forensic, Consulting for Clean up, Legal Exposure and Public Relation figures line up with the factors below; the $0 column is one of Legal Fees or Internal Costs.)
Calculated Costs: Factors
Factor | Value | Source / Note
Forensic for major incident | $100,000.00 | Work w/ forensic consulting organization
Forensic for minor incident | $25,000.00 | Work w/ forensic consulting organization
Reduction of forensic cost by visibility | 0.5 |
Months of Public Relation for non-public breach | 1 |
Months of PR for public breach | 6 |
Months of legal for non-public breach | 1 |
Months of legal for public breach | 6 |
Cost per public record | $214.00 | Ponemon Institute 2011
Cost per corporate record | $71.33 | Derivative of public record cost
Cost per business partner record | $107.00 | Derivative of public record cost
AlienVault - Creators of Open Source SIM
A Little About Us
Our roots …
• MSSP & Consultants
• Leverage open source to provide best value
• Limited by time & resources
• Founded OSSIM
• Started building in best-of-breed open-source tools
• Provided unified management capabilities
• Focus on building in open-source security tools
• Focused on unified management for a small team
• Integrated controls & SIEM to reduce time to secure
• Priced for protection
AlienVault Unified Security Management Platform
Over 30 essential security management tools built in
USM (diagram labels): Assessment, Asset Discovery
Open source in the box, with the ability to integrate best-of-breed commercial solutions as needed
Recent Headlines
“A pernicious virus that infects the middleware of smart card readers is attacking users of U.S. Department of Defense (DoD) and Windows smart cards… The trojan, first identified by Alienvault Labs, appears targeted at a particular type of application”
AlienVault Nabs Seven Senior HP Security Execs
Security Research
Additional Resources
Sample Forensics Report Output
Forensic reports should include:
1. Incident Summary
2. Investigation Commenced
3. Investigative Steps
• Forensic/Network Analysis
• Document Review
• Interviews
4. Summary of Principal Findings
5. Forensic Analysis
• Applicable Policies
• Factual Chronology
• Dates of Events
6. Findings & Conclusions
Analysis and Research Resources
Malware Analysis Resources including:
• PDF Analysis Tools
• Sandbox Tools for Malware Analysis
• Adobe Flash/Shockwave Analysis Tools
• Online Scanner and Malware Analysis tools
• http://t.co/i1p6zFRc
Nice egress testing tool: "Egress Buster"
• https://www.secmaniac.com/blog/2012/02/29/new-tool-release-egress-buster-find-outbound-ports/
10 SQL Injection Tools For Database Pwnage
• http://t.co/3kFXzLrG
Thank you