SIEMs - Decoding The Mayhem Bill Dean Director of Computer Forensics Sword & Shield Enterprise Security Inc.
1 SIEMs - Decoding The Mayhem Bill Dean Director of Computer Forensics Sword & Shield Enterprise Security Inc.

2 Outline
- Today's Threat Landscape
- Why Do I Need a SIEM?
- Choosing and Deploying a SIEM
- This Will Not Be Boring

3 Computer Security Landscape
- You Are Being Blamed
- Your Money Isn't Safe
- Your Information Isn't Safe
- Your Reputation Is at Stake
- More Threats, Less People

4 You Are Being Blamed
- Botnets
- Pivoting

5 Stealing Your $$

6 Stealing Your Information
- Computers Are No Longer for "Productivity"
- You Have Valuable Information
- You ARE A Target
- You Aren't Dealing With "Amateurs"

7 Hacktivists - Exposing Your Secrets

9 Hacktivists - Business Disruption

10 Your Challenge

11 SIEMS

12 You Need An "Oracle"
- Knows The Past
- Knows The Present
- Knows The Future
- Knows How to CYA

14 SIEM Basics
- Provides "Instant Replay"
- 24 x 7 Security Guard
- SIEM vs. Firewall vs. IDS vs. IPS
- SIEM vs. SEIM vs. SIM
- Typically Compliance Driven

15 Compliance
- HIPAA
- PII
- Data Breach Notification Laws

17 Why Do I Need A SIEM?
- Infrastructure Monitoring
- Reporting
- Threat Correlation
- Instant Replay
- Incident Response

18 What Is Monitored?
- Account Activity
- Availability
- IDS/Context Correlation
- Data Exfiltration
- Client Side Attacks
- Brute Force Attacks

19 Windows Accounts
- Accounts Created, By Whom, and When
- New Accounts That Aren't Standard
- New Accounts Created At Odd Times
- New Workstation Account Created
- Key Group Membership Changes
- Account Logon Hours

20 Availability
- System Uptime Statistics
- Availability Reporting
- Uptime is "Relative"

21 IDS Context/Correlation
- Place Value On Assets
- Context Is Essential
- Maintain Current Vulnerability DBs
- Create Priority Rules

22 Data Exfiltration
- You Must Know What Is "Normal"
- Deviations From The Norm Warrant An Alert
- Some Events Are "Non-Negotiable"
- "You" Typically Initiate Data Transfers

23 Client Side Attacks
- Windows Event Log Information
- Process Status Changes
- New Services Created
- Scheduled Task Creations
- Changes to Audit Policies

24 Brute-force Attacks
- Detailed Reports of Failed Logins
- Source Of Failed Login Attempts
- Locked Accounts Report
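As an added example, not from the slides, of what SIEM correlation rules for the Windows account, client-side and brute-force items above look like in practice: a small Python rule set run over constructed Windows Security events. The event IDs (4720, 4728/4732, 4625, 4740) are the standard Windows ones; the business-hours window, the privileged group list and the failed-logon threshold are assumptions to be tuned per site.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (not real log data). Each carries the handful of fields a SIEM
# normalises out of a Windows Security log entry: event ID, time, actor, target, source.
# 4720 = account created, 4728/4732 = member added to a group, 4625 = failed logon,
# 4740 = account locked out.
def ev(eid, time, actor, target, src, group=None):
    return {"id": eid, "time": time, "actor": actor, "target": target, "src": src, "group": group}

EVENTS = [
    ev(4720, "2012-03-10 09:30:00", "helpdesk", "mlee", "WS-03"),       # normal: business hours
    ev(4720, "2012-03-10 02:14:00", "jsmith", "svc_backup2", "WS-17"),  # account created at 02:14
    ev(4728, "2012-03-10 02:15:00", "jsmith", "svc_backup2", "WS-17", "Domain Admins"),
    ev(4625, "2012-03-10 03:01:00", "-", "administrator", "WS-03"),     # one typo, not an attack
    ev(4740, "2012-03-10 03:05:00", "-", "administrator", "10.0.0.5"),  # lockout after the burst
] + [ev(4625, f"2012-03-10 03:0{i}:00", "-", "administrator", "10.0.0.5") for i in range(6)]

BUSINESS_HOURS = range(7, 19)   # assumed 07:00-18:59 local; this is the site's "normal"
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumed list
FAILED_LOGON_THRESHOLD = 5      # assumed: failed logons from one source before alerting

def hour_of(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S").hour

def find_alerts(events, threshold=FAILED_LOGON_THRESHOLD):
    """Return (rule, subject, detail) tuples; one brute-force alert per offending source."""
    alerts = []
    failed_by_src = Counter()
    for e in events:
        if e["id"] == 4720 and hour_of(e) not in BUSINESS_HOURS:
            alerts.append(("account_created_off_hours", e["target"], e["actor"]))
        elif e["id"] in (4728, 4732) and e["group"] in PRIVILEGED_GROUPS:
            alerts.append(("privileged_group_change", e["target"], e["group"]))
        elif e["id"] == 4625:
            failed_by_src[e["src"]] += 1        # counted here, reported per source below
        elif e["id"] == 4740:
            alerts.append(("account_locked", e["target"], e["src"]))
    for src, count in failed_by_src.items():
        if count >= threshold:
            alerts.append(("brute_force_source", src, count))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(alert)
```

The single failed logon from WS-03 stays below the threshold and produces nothing, which is the point of counting per source rather than alerting on every 4625.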

25 Incident Response

26 Incident Response Scenario #1
- Law Firm With Dealings In China
- Law Firm Was "Owned" More Than A Year
- Access To Every Machine On Network
- Thousands of "Responsive" Emails Obtained
- "Privilege" Was Not Observed

27 Incident Response Scenario #2
- VP of Finance Promoted to CFO
- Attack on the "Weakest" Link

31 AV Will Save Us!!

32 Incident Response Scenario #3
- http://mail.hfmforum.com/microsoftupdate/getupdate/default.aspx

33 How SIEMs Would Have Helped
- Accounts Enabled
- Services Created
- Firewall Changes
- Data Exfiltration
- Network Communications
- Incident Response Costs

34 Choosing A SIEM
- Not a Replacement for Security Engineers
- Must Support Disparate Devices (Agentless)
- Don't Plan To Monitor? DON'T BOTHER

35 Deploying a SIEM
- Architecture Options
- Tuning Out The "Noise"

36 SIEM Option$
- Outsourced Options: SecureWorks
- High-Cost: ArcSight, Q1 Labs QRadar, RSA, Tripwire
- Lower-Cost: Q1 Labs FE, TriGeo, Splunk
- No-Cost: OSSIM, OSSEC

37 Summary
- You Must Anticipate Today's Threats
- SIEMs Are Extremely Valuable
- SIEMs Are Not A Silver Bullet

38 Questions?
Bill Dean, Director of Computer Forensics, Sword & Shield Enterprise Security Inc.
bdean@swordshield.com
http://www.twitter.com/BillDeanCCE
