The Real Deal With SIM/SEM: The Promise of Security Information / Event Management
Scott Sidel, Sr. Security Manager, Computer Sciences Corp.

Welcome to SIM City

What is a SIM?

Separating signal from noise

“What is going on?”
Gather data
Normalize data
Correlate events
Eliminate duplicates
Check for patterns
Respond appropriately
Learn
Lather, rinse, repeat

Most tools are designed to solve a specific problem:
IDS interface
Firewall interface
Anti-virus interface
Router, load balancer, mail server
Your technical staff uses the tools they have to solve specific problems.
So what’s wrong with the tools I already have?

Here’s what happens when a security event occurs
Uncoordinated points of defense
Data overload
False positives
Undetected threats
Time-consuming reporting
Ad-hoc incident response

Technical solutions to business problems
Are you being driven by your technology, or are you results driven?
Fewer hacks
More incidents handled by less-skilled staffers
Shorter reaction time during events

Here’s what I need
The ability to review security events generated from disparate devices across the enterprise
Correlate those events with an asset management system (business criticality ratings) and an external threat alert / intelligent analysis service
Bubbling up information into a SIM dashboard that will provide real-time prioritization for (CIRT and operations) incident management and (executive and audit) risk reporting
Policy and regulatory compliance (log review, reduced incident response times)
Improved management of security resources through efficient prioritization of remedial efforts for business-critical systems

Here’s what the SIM vendors are promising
Collect 100% of security alarms or alerts from any device for storage in a consolidated, normalized database
Centralized console display of all security events occurring in any and all security devices
Cross-device correlation to eliminate false positives and identify true threats
Complete reporting for ad-hoc and periodic reports targeted to security professionals, as well as line managers

Here’s what the SIM vendors are promising (continued)
Integration with trouble-ticket and network management systems
Support for multiple operating systems, hardware platforms and databases
Add new devices without breaking the existing infrastructure
Retain knowledge for use in training new security staff

Stage four of SEM
Reexamine the IDS that was “detuned” due to information overload.
Add in access control and wireless data.
Add in employee login data, looking for unusual data.
Add in financial applications.

Stage five of SEM
Device parameters can be unified from a central location to support an evolving security policy.

SIM architecture
Data collection (agents)
Data storage (data warehouse)
Analysis and cross-correlation engine (data reduction, data normalization)
Display interface
Incident management workflow modules
Reporting modules

Data collection: Agents
Log parsing
SNMP
Native capability on appliances
Number of devices supported
Two-way information and command to devices
Secure transmission
Number of events per second
Customizability
Data reduction prior to transmission
Bandwidth required

Data storage
Multiple collectors
Storage requirements
Distributed vs. centralized
Storage format (BLOB, XML, proprietary)

Analysis and cross-correlation engine
Data warehouse engine
Normalization
Data reduction
Correlation
Pattern analysis (detection of multi-source / multi-target attacks)
Filtering out false alarms
Replaying events
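The gather / normalize / eliminate-duplicates / correlate loop from the “What is going on?” slide, the asset-criticality prioritization from “Here’s what I need”, and the engine stages on this slide, worked through in miniature. This is an added example, not code from the presentation or from any SIM vendor; the device log formats, the asset criticality table and the sample events are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines from a firewall, an IDS and an SSH daemon (not from the slides).
RAW_EVENTS = [
    "fw1: DENY src=203.0.113.7 dst=10.0.0.5 dpt=22",
    "fw1: DENY src=203.0.113.7 dst=10.0.0.5 dpt=22",  # exact duplicate from a chatty device
    "ids: ALERT sig=SSH-BRUTE src=203.0.113.7 dst=10.0.0.5",
    "sshd[10.0.0.5]: Accepted password for admin from 203.0.113.7",
    "fw1: DENY src=198.51.100.9 dst=10.0.0.99 dpt=445",
]

# Stand-in for the asset management system: business criticality 1 (low) to 5 (high).
ASSET_CRITICALITY = {"10.0.0.5": 5, "10.0.0.99": 1}

PARSERS = [  # one parser per device format; all map onto the same field names
    (re.compile(r"^fw\d+: (?P<act>DENY|ALLOW) src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=\d+"), "firewall"),
    (re.compile(r"^ids: ALERT sig=(?P<sig>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)"), "ids"),
    (re.compile(r"^sshd\[(?P<dst>[\d.]+)\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"), "auth"),
]

def normalize(raw):
    """Normalization: map a device-specific line onto the common schema, or None if unparsed."""
    for pattern, source in PARSERS:
        m = pattern.match(raw)
        if m:
            d = m.groupdict()
            return {"source": source, "src": d["src"], "dst": d["dst"],
                    "detail": d.get("sig") or d.get("act") or "login:" + d["user"]}
    return None

def reduce_events(events):
    """Data reduction: collapse exact duplicates, keeping a count so no information is lost."""
    counts = Counter(tuple(sorted(e.items())) for e in events)
    return [{**dict(k), "count": c} for k, c in counts.items()]

def correlate(events):
    """Cross-device correlation: (src, dst) pairs seen by 2+ device types, scored by asset criticality."""
    seen_by = defaultdict(set)
    for e in events:
        seen_by[(e["src"], e["dst"])].add(e["source"])
    incidents = []
    for (src, dst), sources in seen_by.items():
        if len(sources) >= 2:  # a single-device alert alone is treated as noise here
            incidents.append({"src": src, "dst": dst, "sources": sorted(sources),
                              "priority": len(sources) * ASSET_CRITICALITY.get(dst, 1)})
    return sorted(incidents, key=lambda i: -i["priority"])

def run_pipeline(raw_lines):
    """Gather -> normalize -> reduce -> correlate, returning the prioritized incident list."""
    return correlate(reduce_events([e for e in map(normalize, raw_lines) if e]))
```

Running `run_pipeline(RAW_EVENTS)` yields a single incident: the host rated criticality 5 was denied, alerted on and then successfully logged into from the same source, while the lone firewall deny against the low-value host is filtered out as an uncorroborated alarm.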

Display interface
Events
Alerts
Visual pattern development
Multiple devices reduced to a common interface
Specialized interface for specialists and NOC staffers
Ability to drill down

Incident management workflow modules
Multiple methods of alerting staff
Investigation flow
Identify vulnerable assets
Resolution actions
Patch management
Script or application launch in response to events
Access to industry knowledge bases
Access to corporate policies
Institutional knowledge capture

Reporting modules
Technical
Managerial
Policy compliance
Regulatory compliance
Preconfigured
Customizable

Thank you. Questions, comments?