SIEMs - Decoding The Mayhem
Post on 24-Feb-2016
SIEMs - Decoding The Mayhem
Bill Dean
Director of Computer Forensics
Sword & Shield Enterprise Security Inc.
Outline
  Today's Threat Landscape
  Why Do I Need a SIEM?
  Choosing and Deploying a SIEM
  This Will Not Be Boring
Computer Security Landscape
  You Are Being Blamed
  Your Money Isn't Safe
  Your Information Isn't Safe
  Your Reputation Is at Stake
  More Threats, Less People
You Are Being Blamed
  BotNets
  Pivoting
Stealing Your $$
Stealing Your Information
  Computers Are No Longer for Productivity
  You Have Valuable Information
  You ARE A Target
  You Aren't Dealing With Amateurs
Hacktivists Exposing Your Secrets
Hacktivists Business Disruption
Your Challenge
SIEMs
You Need An Oracle
  Knows The Past
  Knows The Present
  Knows The Future
  Knows How to CYA
SIEM Basics
  Provides Instant Replay
  24 X 7 Security Guard
  SIEMs v. Firewall v. IDS v. IPS
  SIEM v. SEIM v. SIM
  Typically Compliance Driven
Compliance
  HIPAA
  PII
  Data Breach Notification Laws
Why Do I Need A SIEM?
  Infrastructure Monitoring
  Reporting
  Threat Correlation
  Instant Replay
  Incident Response
What Is Monitored?
  Account Activity
  Availability
  IDS/Context Correlation
  Data Exfiltration
  Client Side Attacks
  Brute Force Attacks
Windows Accounts
  Accounts Created, By Whom, and When
  New Accounts That Aren't Standard
  New Accounts Created At Odd Time
  New Workstation Account Created
  Key Group Membership Change
  Accounts Logon Hours
Availability
  System Uptime Statistics
  Availability Reporting
  Uptime is Relative
IDS Context/Correlation
  Place Value On Assets
  Context Is Essential
  Maintain Current Vulnerability DBs
  Create Priority Rules
Data Exfiltration
  You Must Know What Is Normal
  Deviations From The Norm Warrant An Alert
  Some Events Are Non-Negotiable
  You Typically Initiate Data Transfers
Client Side Attacks
  Windows Event Logs Information
  Process Status Changes
  New Services Created
  Scheduled Tasks Creations
  Changes to Audit Policies
Brute-force Attacks
  Detailed Reports of Failed Logins
  Source Of Failed Login Attempts
  Locked Accounts Report
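As an added illustration (not part of the slides), the account, client-side and brute-force checks listed above run over a handful of constructed Windows event records; the event IDs are the standard Windows Security/System log IDs for these actions, while the business-hours window, the failed-login threshold and the key group names are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events, not real logs: (timestamp, event_id, source host or
# address, subject account, target account/group/service/task).
EVENTS = [
    ("2016-02-22 02:13:00", 4720, "DC01", "svc_backup", "tmp_admin"),     # user account created
    ("2016-02-22 09:05:00", 4720, "DC01", "hr.jsmith", "jdoe"),            # user account created
    ("2016-02-22 02:15:00", 4728, "DC01", "svc_backup", "Domain Admins"),  # member added to global group
    ("2016-02-22 02:20:00", 7045, "WS042", "SYSTEM", "UpdaterSvc"),        # new service installed
    ("2016-02-22 02:21:00", 4698, "WS042", "tmp_admin", "Sync"),           # scheduled task created
    ("2016-02-22 02:22:00", 4719, "WS042", "tmp_admin", "Audit Policy"),   # audit policy changed
] + [("2016-02-22 11:%02d:00" % i, 4625, "10.0.0.55", "-", "cfo") for i in range(12)] \
  + [("2016-02-22 11:13:00", 4740, "DC01", "WS017", "cfo")]                # account locked out

BUSINESS_HOURS = range(7, 19)   # assumption: 07:00-18:59 is a normal time to create accounts
FAIL_THRESHOLD = 10             # assumption: failed logins per source/account before alerting
KEY_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}   # assumption
CHANGE_IDS = {7045: "new service", 4698: "scheduled task created", 4719: "audit policy changed"}

def hour_of(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour

def account_alerts(events):
    """Account created at an odd time, or membership change on a key group."""
    alerts = []
    for ts, eid, _src, subject, target in events:
        if eid == 4720 and hour_of(ts) not in BUSINESS_HOURS:
            alerts.append(("odd-hour account creation", target, subject, ts))
        elif eid in (4728, 4732) and target in KEY_GROUPS:
            alerts.append(("key group change", target, subject, ts))
    return alerts

def client_side_alerts(events):
    """Host-level changes the slides call out: services, scheduled tasks, audit policy."""
    return [(CHANGE_IDS[eid], src, target, ts)
            for ts, eid, src, _subject, target in events if eid in CHANGE_IDS]

def brute_force_report(events, threshold=FAIL_THRESHOLD):
    """Failed logins grouped by (source, account) above the threshold, plus locked accounts."""
    fails = Counter((src, target) for _ts, eid, src, _s, target in events if eid == 4625)
    locked = sorted({target for _ts, eid, _src, _s, target in events if eid == 4740})
    return {"bursts": {k: n for k, n in fails.items() if n >= threshold}, "locked": locked}

if __name__ == "__main__":
    for alert in account_alerts(EVENTS) + client_side_alerts(EVENTS):
        print(alert)
    print(brute_force_report(EVENTS))
```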
Incident Response
Incident Response Scenario #1
  Law Firm With Dealings In China
  Law Firm Was Owned More Than A Year
  Access To Every Machine On Network
  Thousands of Responsive Emails Obtained
  Privilege Was Not Observed
Incident Response Scenario #2
  VP of Finance Promoted to CFO
  Attack on the Weakest Link
AV Will Save Us!!
Incident Response Scenario #3
http://mail.hfmforum.com/microsoftupdate/getupdate/default.aspx
How SIEMs Would Have Helped
  Accounts Enabled
  Services Created
  Firewall Changes
  Data Exfiltration
  Network Communications
  Incident Response Costs
Choosing A SIEM
  Not a Replacement for Security Engineers
  Must Support Disparate Devices (Agentless)
  Don't Plan To Monitor? DON'T BOTHER
Deploying a SIEM
  Architecture Options
  Tuning Out The Noise
SIEM Option$
  Outsourced Options: SecureWorks
  High-Cost: ArcSight, Q1 Labs Radar, RSA, Tripwire
  Lower-Cost: Q1 Labs FE, TriGEO, Splunk
  No-Cost: OSSIM, OSSEC
Summary
  You Must Anticipate Today's Threats
  SIEMs Are Extremely Valuable
  SIEMs Are Not A Silver Bullet
Questions?
Bill Dean
Director of Computer Forensics
Sword & Shield Enterprise Security Inc.
bdean@swordshield.com
http://www.twitter.com/BillDeanCCE