SIEMs - Decoding The Mayhem

Post on 24-Feb-2016


Slide 1

SIEMs - Decoding The Mayhem
Bill Dean
Director of Computer Forensics
Sword & Shield Enterprise Security Inc.

Outline
Today's Threat Landscape
Why Do I Need a SIEM?
Choosing and Deploying a SIEM
This Will Not Be Boring

Computer Security Landscape
You Are Being Blamed
Your Money Isn't Safe
Your Information Isn't Safe
Your Reputation Is at Stake
More Threats, Fewer People

You Are Being Blamed
BotNets
Pivoting


Stealing Your $$

Stealing Your Information
Computers Are No Longer for Productivity
You Have Valuable Information
You ARE A Target
You Aren't Dealing With Amateurs

Hacktivists
Exposing Your Secrets


Hacktivists
Business Disruption


Your Challenge


You Need An Oracle
Knows The Past
Knows The Present
Knows The Future
Knows How to CYA


SIEM Basics
Provides Instant Replay
24 x 7 Security Guard
SIEM vs. Firewall vs. IDS vs. IPS
SIEM vs. SEIM vs. SIM
Typically Compliance Driven

Compliance
HIPAA
PII
Data Breach Notification Laws


Why Do I Need A SIEM?
Infrastructure Monitoring
Reporting
Threat Correlation
Instant Replay
Incident Response

What Is Monitored?
Account Activity
Availability
IDS Context/Correlation
Data Exfiltration
Client Side Attacks
Brute Force Attacks

Windows Accounts
Accounts Created, By Whom, and When
New Accounts That Aren't Standard
New Accounts Created At Odd Times
New Workstation Account Created
Key Group Membership Changes
Account Logon Hours


Availability
System Uptime Statistics
Availability Reporting
Uptime is Relative

IDS Context/Correlation
Place Value On Assets
Context Is Essential
Maintain Current Vulnerability DBs
Create Priority Rules

Data Exfiltration
You Must Know What Is Normal
Deviations From The Norm Warrant An Alert
Some Events Are Non-Negotiable
You Typically Initiate Data Transfers

Client Side Attacks
Windows Event Log Information
Process Status Changes
New Services Created
Scheduled Task Creation
Changes to Audit Policies

Brute-Force Attacks
Detailed Reports of Failed Logins
Source Of Failed Login Attempts
Locked Accounts Report
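As an added illustration of the account, client-side and brute-force checks listed in the slides above (example code, not from the presentation), the routine below correlates a handful of constructed Windows event records into SIEM-style alerts. The event IDs are the standard Windows ones (4720 account created, 7045 service installed, 4719 audit policy changed, 4698 scheduled task created, 4625 failed logon); the business-hours window and the failed-logon threshold are assumed tuning values.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (not real logs); the fields mimic what a SIEM
# normalises out of the Windows Security and System event logs.
EVENTS = [
    {"ts": "2016-02-20 03:12:44", "id": 4720, "src": "10.0.0.5", "user": "svc_backup2", "actor": "jdoe"},
    {"ts": "2016-02-20 09:30:01", "id": 4720, "src": "10.0.0.5", "user": "asmith", "actor": "helpdesk"},
    {"ts": "2016-02-20 03:14:02", "id": 7045, "src": "10.0.0.5", "svc": "WinUpdateHelper"},
    {"ts": "2016-02-20 03:15:30", "id": 4719, "src": "10.0.0.5", "actor": "svc_backup2"},
    {"ts": "2016-02-20 03:16:10", "id": 4698, "src": "10.0.0.5", "task": "\\Sync", "actor": "svc_backup2"},
] + [
    # twelve failed logons for one account from one external address
    {"ts": f"2016-02-20 02:00:{i:02d}", "id": 4625, "src": "203.0.113.9", "user": "administrator"}
    for i in range(12)
]

BUSINESS_HOURS = range(7, 19)  # assumed: 07:00-18:59 is "normal"; anything else is an odd time
BRUTE_FORCE_THRESHOLD = 10     # assumed: failed logons from one source before alerting


def is_odd_time(ts):
    """True when the timestamp falls outside the assumed business-hours window."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour not in BUSINESS_HOURS


def correlate(events):
    """Return (rule, subject, detail) alerts in the order the rules fire."""
    alerts = []
    failed = Counter()
    for e in events:
        if e["id"] == 4720 and is_odd_time(e["ts"]):
            alerts.append(("account_created_odd_time", e["user"], e["actor"]))
        elif e["id"] == 7045:
            alerts.append(("new_service", e["svc"], e["src"]))
        elif e["id"] == 4719:
            alerts.append(("audit_policy_changed", e["actor"], e["src"]))
        elif e["id"] == 4698:
            alerts.append(("scheduled_task_created", e["task"], e["actor"]))
        elif e["id"] == 4625:
            failed[(e["src"], e["user"])] += 1
    # Brute-force is a count over time, so it is evaluated after the pass.
    for (src, user), n in failed.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            alerts.append(("brute_force", user, f"{src} ({n} failures)"))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in correlate(EVENTS):
        print(f"{rule:26} {subject:16} {detail}")
```

On the sample data the daytime help-desk account creation stays silent, while the 03:00 account creation, the new service, the audit-policy change and the scheduled task from the same host line up as one chain, which is the kind of context the slides call essential.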


Incident Response

Incident Response Scenario #1
Law Firm With Dealings In China
Law Firm Was Owned More Than A Year
Access To Every Machine On Network
Thousands of Responsive Emails Obtained
Privilege Was Not Observed


Incident Response Scenario #2
VP of Finance Promoted to CFO
Attack on the Weakest Link




AV Will Save Us!!

Incident Response Scenario #3

How SIEMs Would Have Helped
Accounts Enabled
Services Created
Firewall Changes
Data Exfiltration
Network Communications
Incident Response Costs


Choosing A SIEM
Not a Replacement for Security Engineers
Must Support Disparate Devices (Agentless)
Don't Plan To Monitor? DON'T BOTHER


Deploying a SIEM
Architecture Options
Tuning Out The Noise

SIEM Option$
Outsourced Options: SecureWorks
High-Cost: ArcSight, Q1 Labs QRadar, RSA, Tripwire
Lower-Cost: Q1 Labs FE, TriGeo, Splunk
No-Cost: OSSIM, OSSEC

Summary
You Must Anticipate Today's Threats
SIEMs Are Extremely Valuable
SIEMs Are Not A Silver Bullet


Bill Dean
Director of Computer Forensics
Sword & Shield Enterprise Security Inc.
bdean@swordshield.com