Centralized Security Event Management

Presentation on theme: "Centralized Security Event Management"— Presentation transcript:

1 Centralized Security Event Management
Chris Workman, CISSP, Associate Director, UGA Office of Information Security
Alex Merck, Security Analyst, UGA Office of Information Security

2 Problems we face
Attacks > defense
80,000 devices on our network
~50,000 users
SOC staff of 4.5
UGA IT is decentralized: ~160 departments
Departmental IT contacts have different skill levels

3 Weighing Risks
Risk = Threat x Vulnerability x Impact
Threat levels: Severe / High / Elevated / Supportive
Vulnerability levels: Critical / High-Priority / Medium / Low
Impact (data classification): Sensitive, Restricted / Internal / Public / None

4 Response
SIEM (Security Information and Event Manager)
Centralized Services: AntiVirus, Vulnerability Scanner, DLP, Firewall
Given our decentralization, we have multi-tenant configs for each service.

5 Intelligence is needed to weigh risks
Threats: AntiVirus, IDP, FireEye, Firewall, SNORT, Bro, DNS, Departmental devices
Vulnerabilities: NeXpose, Departmental Nessus
Impact: ASSETs, DLP, SSNCap, Manual reporting
(Speaker note: explain ASSETs; open source items)

6 Incident Actions
True Positive -> Notification
Unknown -> Alarm
False Positive -> Ignore

7 Overview of SIEM: it correlates logs, and we can create directives that take any action once a risk level is hit.

8 Logs from multiple sources; multi tenancy leads to better network visibility; automated alerts – to departmental IT for incidents, to SOC for critical incidents; SIEM is open source

9 Vulnerability data in SIEM for correlation. SQLi example

10 Notification
Sample notification (timestamps and host addresses as captured in the transcript):
:58: x OfficeScan Virus: Failed to Clean or Quarantine Mal_Hifrm
:18: x snort: "ET DROP Known Bot C&C Server Traffic TCP (group 243)"
:48: x Malicious Domain Lookup img717.imageshack.us malicious domain aggressive
:05: x snort: "SPECIFIC-THREATS Microsoft IE malformed iframe buffer overflow attempt"
Speaker notes: explain looking at these events in context; we ask recipients to call us immediately if sensitive information is involved, and otherwise to format the machine; 3 strikes for repeat offenders, students get 1; a link at the end of the notices.

11 Alarms Departments can see alarms for their ranges and do the same (thereby giving us more intelligence to make decisions with).

12 They can drill down to see data collected from any device to help mark false-positives (which we then whitelist after some research on our part)

13 Correlation Directive

14 Multi-tenancy How we create departments, roles, users

15 Resulting Actions
Notice of incident sent to department or student
Repeat offenders blocked
SOC Incident Response Team handles critical incidents: Containment, Remediation, Resolution, Closure
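As an added example (not code from the talk, UGA, or its SIEM product), the following Python sketches the pipeline slides 3 and 6 through 15 describe: directives match raw events, risk is weighted as threat x vulnerability x impact using scanner findings and asset classification, the tenant is resolved from its address range, reviewed false positives are whitelisted, and the result is routed as a departmental notice, a SOC alarm, or a block once the strike limit is exceeded (3 for departments, 1 for students). Every host, range, event, scan finding and directive below is constructed, and the 1-4 weights and the two thresholds are assumptions of this example, not values from the talk.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Rating scales from the "Weighing Risks" slide; the numeric weights are assumed here.
THREAT = {"Severe": 4, "High": 3, "Elevated": 2, "Supportive": 1}
VULNERABILITY = {"Critical": 4, "High-Priority": 3, "Medium": 2, "Low": 1}
IMPACT = {"Sensitive": 4, "Restricted": 4, "Internal": 3, "Public": 2, "None": 1}
ALARM_AT, NOTIFY_AT = 24, 4          # assumed risk thresholds; maximum score is 4*4*4 = 64


@dataclass(frozen=True)
class Tenant:
    name: str
    network: str
    strikes_allowed: int             # 3 for departments, 1 for students (from the talk)


# Constructed multi-tenant config: one department range and the student network.
TENANTS = [Tenant("Chemistry", "10.10.0.0/16", 3), Tenant("ResNet", "10.200.0.0/16", 1)]

# Constructed asset inventory (data classification) and vulnerability-scanner findings.
ASSETS = {"10.10.5.20": "Sensitive", "10.10.7.33": "Internal", "10.200.3.9": "Public"}
VULN_SCAN = {"10.10.5.20": {"sql injection": "Critical"}}

# Directives: (name, log source, substring to match, threat level, related scan finding).
DIRECTIVES = [
    ("SQL injection attempt", "snort", "SQL Injection", "High", "sql injection"),
    ("Known bot C&C traffic", "snort", "Known Bot C&C", "Severe", None),
    ("IE iframe overflow attempt", "snort", "malformed iframe", "High", None),
    ("AV failed to clean", "OfficeScan", "Failed to Clean", "High", None),
    ("Malicious domain lookup", "dns", "malicious domain", "Elevated", None),
]

# False positives a department marked and we reviewed, keyed by (source, host).
WHITELIST = {("dns", "10.10.7.33")}

# Constructed events, modelled on the notification sample in the talk.
EVENTS = [
    {"source": "snort", "host": "10.10.5.20", "msg": "ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT"},
    {"source": "snort", "host": "10.10.7.33", "msg": "ET DROP Known Bot C&C Server Traffic TCP"},
    {"source": "dns", "host": "10.10.7.33", "msg": "Malicious Domain Lookup cdn.example.net"},
    {"source": "dns", "host": "10.10.5.20", "msg": "Malicious Domain Lookup bad.example.net"},
    {"source": "OfficeScan", "host": "10.200.3.9", "msg": "Virus: Failed to Clean or Quarantine Mal_Hifrm"},
    {"source": "snort", "host": "10.200.3.9", "msg": "SPECIFIC-THREATS Microsoft IE malformed iframe buffer overflow attempt"},
    {"source": "snort", "host": "10.10.7.33", "msg": "ET POLICY Dropbox Client Broadcasting"},
]


def tenant_for(host):
    """Map a host address to the tenant whose range contains it (None if unmanaged)."""
    addr = ip_address(host)
    return next((t for t in TENANTS if addr in ip_network(t.network)), None)


def score(event):
    """Return (directive name, risk) for the first directive that fires, else None."""
    for name, source, needle, threat, vuln_key in DIRECTIVES:
        if event["source"] == source and needle.lower() in event["msg"].lower():
            findings = VULN_SCAN.get(event["host"], {})
            # Scanner data raises the weight only when the host really has the matching finding.
            vuln = VULNERABILITY[findings[vuln_key]] if vuln_key in findings else 1
            impact = IMPACT[ASSETS.get(event["host"], "Public")]   # unclassified asset: assume Public
            return name, THREAT[threat] * vuln * impact
    return None


def correlate(events):
    """Run the directives over events and emit routed actions, enforcing per-host strikes."""
    strikes, actions = Counter(), []
    for ev in events:
        if (ev["source"], ev["host"]) in WHITELIST:
            continue                                   # reviewed false positive
        hit = score(ev)
        if hit is None:
            continue                                   # no directive fires: ignore
        name, risk = hit
        tenant = tenant_for(ev["host"])
        if risk >= ALARM_AT:
            kind = "alarm_soc"                         # critical: SOC incident response team
        elif risk >= NOTIFY_AT:
            strikes[ev["host"]] += 1                   # notice to department or student counts a strike
            over = tenant is not None and strikes[ev["host"]] > tenant.strikes_allowed
            kind = "block" if over else "notify"
        else:
            continue
        actions.append({"action": kind, "tenant": tenant.name if tenant else None,
                        "host": ev["host"], "directive": name, "risk": risk})
    return actions


if __name__ == "__main__":
    for action in correlate(EVENTS):
        print(action)
```

Run as-is, the SQL injection alert against the web server that NeXpose-style scan data flags as vulnerable and that holds sensitive data scores 48 and goes to the SOC, the C&C callback from an internal desktop scores 12 and goes to the department, the whitelisted DNS lookup and the unmatched policy alert are dropped, and the student laptop is notified once and blocked on its second notice. The order of DIRECTIVES matters because only the first match fires, so put the more specific directives before the generic ones.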

16 Measuring Success
Incidents identified up from ~150/month 24 months ago to ~350/month
Critical incidents still between one and two per month, but turnaround time reduced from 5 days to 1.5, due to data availability and forensics capability
Departmental IT staff now helping by logging and by processing alarms; increased visibility from departments

17 Sharing Directives
Business logic based on incidents
Question/answer pair -> incident
Vendor-agnostic SIEM log correlation and resulting action

18 How do we get there? Selecting a SIEM
Look at vendors: off-the-shelf features, ability for customization
Use cases: automated alerts to departments, elevated alerts to SOC, multi-tenancy
Functionality: designate log sources (AV, SNORT, DLP)
Do proof-of-concepts!

19 Questions?

20 Contact Info
Chris Workman, CISSP, Associate Director, UGA Office of Information Security
Alex Merck, Security Analyst, UGA Office of Information Security
