Published by James Lester. Modified over 8 years ago.
The Real Deal With SIM/SEM: The Promise of Security Information / Event Management
Scott Sidel, Sr. Security Manager, Computer Sciences Corp.
Welcome to SIM City
What is a SIM?
Separating signal from noise
"What is going on?"
- Gather data
- Normalize data
- Correlate events
- Eliminate duplicates
- Check for patterns
- Respond appropriately
- Learn
- Lather, rinse, repeat
So what's wrong with the tools I already have?
Most tools are designed to solve a specific problem:
- IDS interface
- Firewall interface
- Anti-virus interface
- Router, load balancer, mail server
Your technical staff uses the tools they have to solve specific problems.
Here's what happens when a security event occurs
- Uncoordinated points of defense
- Data overload
- False positives
- Undetected threats
- Time-consuming reporting
- Ad-hoc incident response
Technical solutions to business problems
Are you being driven by your technology, or are you results driven?
- Fewer hacks
- More incidents handled by less-skilled staffers
- Shorter reaction time during events
Here's what I need
- The ability to review security events generated from disparate devices across the enterprise
- Correlate those events with an asset management system (business criticality ratings) and an external threat alert / intelligence analysis service
- Bubble that information up into a SIM dashboard that provides real-time prioritization for incident management (CIRT and operations) and risk reporting (executive and audit)
- Policy and regulatory compliance (log review, reduced incident response times)
- Improved management of security resources through efficient prioritization of remedial efforts for business-critical systems
Here's what the SIM vendors are promising
- Collect 100% of security alarms or alerts from any device for storage in a consolidated, normalized database
- Centralized console display of all security events occurring in any and all security devices
- Cross-device correlation to eliminate false positives and identify true threats
- Complete reporting for ad-hoc and periodic reports targeted to security professionals, as well as line managers
Here's what the SIM vendors are promising (continued)
- Integration with trouble-ticket and network management systems
- Support for multiple operating systems, hardware platforms and databases
- Add new devices without breaking the existing infrastructure
- Retain knowledge for use in training new security staff
Stage four of SEM
- Reexamine the IDS that was "detuned" (signatures disabled or thresholds raised) due to information overload.
- Add in access control and wireless data.
- Add in employee login data, looking for unusual patterns.
- Add in financial applications.
Stage five of SEM
- Device parameters can be unified from a central location to support an evolving security policy.
SIM architecture
- Data collection (agents)
- Data storage (data warehouse)
- Analysis and cross-correlation engine (data reduction, data normalization)
- Display interface
- Incident management workflow modules
- Reporting modules
Data collection: Agents
- Log parsing
- SNMP
- Native capability on appliances
- Number of devices supported
- Two-way information and command to devices
- Secure transmission
- Number of events per second
- Customizability
- Data reduction prior to transmission
- Bandwidth required
Data storage
- Multiple collectors
- Storage requirements
- Distributed vs. centralized
- Storage format: BLOB, XML, proprietary
Analysis and cross-correlation engine
- Data warehouse engine
- Normalization
- Data reduction
- Correlation
- Pattern analysis (detection of multi-source / multi-target attacks)
- Filtering out false alarms
- Replaying events
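The loop on the "What is going on?" slide (gather, normalize, eliminate duplicates, correlate, check for patterns) and the asset-criticality weighting asked for on the "Here's what I need" slide, carried through as one small working pipeline. This is an added example, not code from Scott Sidel's deck or from any SIM product: the device names, log formats, the asset-management table and the correlation rules are all constructed assumptions, and the sample log lines are made up for the example.

```python
"""Toy SIM pipeline: normalize disparate device logs, de-duplicate, correlate
across devices, then prioritize by business criticality of the target asset."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample feed (not real logs): a firewall, a network IDS and a
# Linux auth log, each in its own native format. Hostnames, addresses and
# formats are assumptions made for this example.
RAW_EVENTS = [
    "fw01 2024-05-01T10:00:01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "fw01 2024-05-01T10:00:01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",  # exact duplicate
    "fw01 2024-05-01T10:00:02 DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "ids01 2024-05-01T10:00:03 ALERT sig=ssh-bruteforce src=203.0.113.7 dst=10.0.0.5",
    "auth 2024-05-01T10:00:04 10.0.0.5 Failed password for root from 203.0.113.7 port 51022 ssh2",
    "auth 2024-05-01T10:00:05 10.0.0.5 Accepted password for root from 203.0.113.7 port 51023 ssh2",
    "fw01 2024-05-01T10:01:00 DENY src=198.51.100.9 dst=10.0.0.20 dport=445",
    "garbage line the parser does not understand",
]

# Assumed asset-management feed: host -> (name, business criticality 1..5).
ASSETS = {"10.0.0.5": ("db-primary", 5), "10.0.0.20": ("print-server", 1)}


@dataclass(frozen=True)
class Event:
    """Common schema every device is normalized onto. Frozen so it is hashable
    and exact duplicates collapse in a set."""
    ts: str
    device: str
    kind: str      # normalized verb: deny, ids_alert, auth_fail, auth_ok
    src: str
    dst: str
    detail: str


FW_RE = re.compile(r"^(?P<dev>fw\S+) (?P<ts>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)$")
IDS_RE = re.compile(r"^(?P<dev>ids\S+) (?P<ts>\S+) ALERT sig=(?P<sig>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")
AUTH_RE = re.compile(r"^auth (?P<ts>\S+) (?P<host>\S+) (?P<outcome>Failed|Accepted) password for "
                     r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$")


def normalize(line: str):
    """Map one native log line onto the common Event schema; None if unparseable."""
    if m := FW_RE.match(line):
        return Event(m["ts"], m["dev"], "deny", m["src"], m["dst"], "dport=" + m["port"])
    if m := IDS_RE.match(line):
        return Event(m["ts"], m["dev"], "ids_alert", m["src"], m["dst"], m["sig"])
    if m := AUTH_RE.match(line):
        kind = "auth_fail" if m["outcome"] == "Failed" else "auth_ok"
        return Event(m["ts"], "auth", kind, m["src"], m["host"], "user=" + m["user"])
    return None  # unknown format: count it as a parser gap, never as an event


def ingest(lines):
    """Normalize and drop exact duplicates (data reduction), keeping first-seen order."""
    seen, out = set(), []
    for line in lines:
        ev = normalize(line)
        if ev is not None and ev not in seen:
            seen.add(ev)
            out.append(ev)
    return out


@dataclass
class Incident:
    src: str
    dst: str
    pattern: str
    severity: int    # from the correlation rule alone
    priority: int    # severity weighted by the target's business criticality
    events: list = field(default_factory=list)


def correlate(events):
    """Group by (src, dst), apply cross-device rules, weight by asset criticality."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev.src, ev.dst)].append(ev)
    incidents = []
    for (src, dst), evs in by_pair.items():
        kinds = {ev.kind for ev in evs}
        devices = {ev.device for ev in evs}
        # Most specific rule first. A failure followed by a success on the same
        # pair is exactly the signal no single device console shows on its own.
        if {"auth_fail", "auth_ok"} <= kinds:
            pattern, severity = "successful brute force", 5
        elif "ids_alert" in kinds and "auth_fail" in kinds:
            pattern, severity = "brute force attempt", 3
        elif len(devices) > 1:
            pattern, severity = "multi-device activity", 2
        else:
            pattern, severity = "single-source noise", 1
        criticality = ASSETS.get(dst, ("unknown", 1))[1]
        incidents.append(Incident(src, dst, pattern, severity, severity * criticality, evs))
    incidents.sort(key=lambda i: i.priority, reverse=True)
    return incidents


def run(lines=RAW_EVENTS):
    return correlate(ingest(lines))


if __name__ == "__main__":
    for inc in run():
        print(f"P{inc.priority:2d} {inc.pattern:24s} {inc.src} -> {inc.dst} ({len(inc.events)} events)")
```

Two things worth noticing when you run it. The single firewall deny against the print server lands at the bottom with priority 1, which is the "separating signal from noise" point: on the firewall console alone it looks identical to the denies that preceded the successful root login on the database host. And the rule order matters: a correlation engine that only counted events per source would rank the two cases by volume, not by outcome.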
Display interface
- Events
- Alerts
- Visual pattern development
- Multiple devices reduced to a common interface
- Specialized interfaces for specialists and NOC staffers
- Ability to drill down
Incident management workflow modules
- Multiple methods of alerting staff
- Investigation flow
- Identify vulnerable assets
- Resolution actions
- Patch management
- Script or application launch in response to events
- Access to industry knowledge bases
- Access to corporate policies
- Institutional knowledge capture
Reporting modules
- Technical
- Managerial
- Policy compliance
- Regulatory compliance
- Preconfigured
- Customizable
Thank you. Questions, comments?