SIEM AND THE ART OF LOG MANAGEMENT

© 2015 Trustwave Holdings, Inc.
PRESENTERS
Ron Pettit
• Director, Security Information Services, SpiderLabs Research
• 11 years on SIS
• Intellitactics: 2004-2010
• Trustwave: 2010-current
Jeff Pold
• Sr. Security Specialist, Security Information Services, SpiderLabs Research
• 5 years on SIS
• Trustwave: 2010-current
SUMMARY
1. What is SIEM?
• SIEM overview
• The SIS Team
2. How to use SIEM effectively
3. SIEM management considerations
• Self-managed SIEM
• MSSP-managed SIEM
WHAT IS SIEM?
SIEM OVERVIEW
Security information and event management
• Collect, parse and normalize logs from various security devices
• Provide content to analyze parsed information
• Backup and long-term retention of logs
• Ensure compliance goals are met
WHERE DOES SIS COME IN?
Security Information Services
• Parsing/Normalization
– Extract pertinent information
– Normalize extracted values
– Categorize/taxonomize events
• Content
– Reports
– Charts
– Event searches
– Alerts/notifications
– Categorized lists
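The parsing/normalization and categorization steps above, as an added example (not code from the deck or from Trustwave's SIEM): three constructed syslog lines are parsed, their pertinent fields extracted into one common schema, the BSD timestamp normalized to ISO 8601 (the year is assumed, since BSD syslog omits it), and each event assigned a taxonomy category that the "categorized list" view then groups on. The regexes, field names and category strings are this example's own choices, not a vendor taxonomy.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not from the original deck): two sshd auth
# messages and one netfilter firewall message, all in BSD syslog format.
SAMPLE_LOGS = [
    "Mar  3 10:15:22 bastion sshd[2211]: Failed password for invalid user admin "
    "from 203.0.113.7 port 51022 ssh2",
    "Mar  3 10:15:30 bastion sshd[2211]: Accepted password for alice "
    "from 198.51.100.4 port 51030 ssh2",
    "Mar  3 10:16:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 "
    "PROTO=TCP SPT=44012 DPT=22",
]

# Classic BSD syslog prefix: timestamp, host, program[pid]: message.
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# OpenSSH authentication result lines.
SSHD_AUTH = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<sport>\d+)"
)
KV_PAIR = re.compile(r"(\w+)=(\S+)")


def normalize(line, assumed_year=2015):
    """Extract fields from one raw line, normalize them into a common schema
    and assign a taxonomy category. assumed_year is needed because BSD syslog
    timestamps carry no year (an assumption made for this example)."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return {"category": "unknown", "raw": line}
    ts = datetime.strptime(f"{assumed_year} {m['ts']}", "%Y %b %d %H:%M:%S")
    event = {
        "timestamp": ts.replace(tzinfo=timezone.utc).isoformat(),
        "device": m["host"],
        "product": m["prog"],
        "category": "unclassified",
        "raw": line,
    }
    msg = m["msg"]
    if m["prog"] == "sshd":
        a = SSHD_AUTH.match(msg)
        if a:
            outcome = "success" if a["result"] == "Accepted" else "failure"
            event.update(user=a["user"], src_ip=a["src"], src_port=int(a["sport"]),
                         auth_method=a["method"], outcome=outcome,
                         category=f"auth.login.{outcome}")
    elif m["prog"] == "kernel":
        verdict, _, rest = msg.partition(" ")
        if verdict in ("ACCEPT", "DROP", "REJECT"):
            kv = dict(KV_PAIR.findall(rest))
            outcome = "allow" if verdict == "ACCEPT" else "deny"
            event.update(src_ip=kv.get("SRC"), dst_ip=kv.get("DST"),
                         dst_port=int(kv["DPT"]) if "DPT" in kv else None,
                         protocol=kv.get("PROTO"), outcome=outcome,
                         category=f"network.traffic.{outcome}")
    return event


def events_by_category(lines):
    """The 'categorized list' view: normalized events grouped by taxonomy category."""
    groups = {}
    for line in lines:
        event = normalize(line)
        groups.setdefault(event["category"], []).append(event)
    return groups


if __name__ == "__main__":
    for category, events in events_by_category(SAMPLE_LOGS).items():
        print(category, [e.get("src_ip") for e in events])
```

The point of the common schema is that downstream content (a failed-login report, a "top talkers denied at the firewall" chart, an alert on a source IP) is written once against `src_ip` and `category` rather than once per vendor format; a line the parser does not recognize is kept with its raw text and flagged `unknown` rather than dropped, so parser gaps show up as a countable category.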
TRUSTWAVE SIEM
What do we support?
• SIEM products
– SIEM log management appliances
– SIEM Enterprise
– MSS Managed SIEM
[Bar chart: count of supported sources per device category (HIDS/NIDS/IPS, Firewall, AAA, OS Logs, Antivirus, Proxy, Switch, Database, Vulnerability Assessment, Router, Web Server, Other (Email/Packet/etc.)); the bar values in the extracted text (175, 43, 42, 37, 27, 20, 15, 15, 13, 13, 10, 9) cannot be matched to categories reliably]
TRUSTWAVE SIEM
New Event Classification
[Bar chart: new event classifications added per year, 2011 to 2015; the values shown are 132,083, 47,463, 29,837 and 28,177, but which year each belongs to is not recoverable from the extracted text]
USING SIEM EFFECTIVELY
GET THE MOST FROM YOUR SIEM
Powerful tool when fully utilized
• Have a security plan
– Zone your network
– Decide what and where to monitor
– Incident response plan
• Monitoring vs. investigation
– Trending via reports
– Alerting on incidents
– Investigating events
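The three uses listed above (trending via reports, alerting on incidents, investigating events) over the same normalized events, as an added example that is not part of the deck: a sliding-window rule that raises a medium alert when one source accumulates five login failures inside five minutes and a high alert if that source then logs in successfully, an hourly count per category that would feed a trend report, and an investigation query that pulls one source's full history. The events, thresholds, rule names and severities are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_event(ts, category, src_ip, user=None):
    """A normalized auth event as a SIEM would emit it after parsing."""
    return {"timestamp": datetime.fromisoformat(ts), "category": category,
            "src_ip": src_ip, "user": user}


# Constructed sample (not from the deck): a password-guessing burst from one
# source that ends in a successful login, plus one innocent typo from another.
EVENTS = [
    make_event("2015-03-03T10:15:01", "auth.login.failure", "203.0.113.7", "root"),
    make_event("2015-03-03T10:15:05", "auth.login.failure", "203.0.113.7", "admin"),
    make_event("2015-03-03T10:15:09", "auth.login.failure", "203.0.113.7", "oracle"),
    make_event("2015-03-03T10:15:12", "auth.login.failure", "203.0.113.7", "alice"),
    make_event("2015-03-03T10:15:20", "auth.login.failure", "203.0.113.7", "alice"),
    make_event("2015-03-03T10:15:30", "auth.login.success", "203.0.113.7", "alice"),
    make_event("2015-03-03T10:20:00", "auth.login.failure", "198.51.100.4", "bob"),
    make_event("2015-03-03T11:02:00", "auth.login.success", "198.51.100.4", "bob"),
]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alerting: raise a medium alert when one source reaches `threshold`
    login failures inside a sliding `window`, and a high alert if that
    source then logs in successfully while the burst is still in the window."""
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda ev: ev["timestamp"]):
        q = failures[e["src_ip"]]
        while q and e["timestamp"] - q[0] > window:   # expire old failures
            q.popleft()
        if e["category"] == "auth.login.failure":
            q.append(e["timestamp"])
            if len(q) == threshold:                   # fire once per burst
                alerts.append({"rule": "auth-bruteforce", "severity": "medium",
                               "src_ip": e["src_ip"], "failures": len(q),
                               "at": e["timestamp"]})
        elif e["category"] == "auth.login.success" and len(q) >= threshold:
            alerts.append({"rule": "auth-bruteforce-success", "severity": "high",
                           "src_ip": e["src_ip"], "user": e["user"],
                           "at": e["timestamp"]})
            q.clear()
    return alerts


def hourly_trend(events):
    """Trending: event counts per (hour, category), the input for a report or chart."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["timestamp"].strftime("%Y-%m-%d %H:00"), e["category"])] += 1
    return dict(counts)


def investigate(events, src_ip):
    """Investigation: every event from one source, in time order, for an analyst."""
    return sorted((e for e in events if e["src_ip"] == src_ip),
                  key=lambda ev: ev["timestamp"])


if __name__ == "__main__":
    for a in detect_bruteforce(EVENTS):
        print(a["severity"], a["rule"], a["src_ip"], a["at"])
    for key, n in sorted(hourly_trend(EVENTS).items()):
        print(key, n)
    print(len(investigate(EVENTS, "203.0.113.7")), "events from 203.0.113.7")
```

Two design points worth noting: the rule fires once when the threshold is crossed rather than on every subsequent failure, which keeps a noisy scanner from generating hundreds of duplicate alerts, and the success-after-failures escalation is what turns a routine "someone is guessing passwords" notification into an incident that needs a response plan.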
YOUR NETWORK ISN’T STATIC
And your SIEM shouldn’t be either
• Infrastructure Changes
– Hardware replacements
– Software updates
– New services offered
• Personnel Factors
– New employees
– Elevated permissions
• External Factors
– Malware threats
– Unforeseen attacks
SPEC YOUR HARDWARE
Requirements may change over time
• Storage
– Average events per day
– Retention policy
• Processing Power
– Events per second
– Alerting timeliness
• High Availability
– Failover
– Data Backup
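The sizing inputs on this slide worked through, as an added example that is not from the deck: average events per day and retention policy drive storage, events per second drive processing (sized for peak, not average), and failover and backup multiply the copies you must hold. All figures (2,000 EPS average, 4x peaks, 500-byte events, 90 days online and 365 days total retention, 8:1 archive compression, 30% index overhead, the candidate appliance spec) are assumptions to be replaced with measured values; the function and field names are this example's own.

```python
SECONDS_PER_DAY = 86_400


def estimate_siem_capacity(avg_eps, peak_to_avg_ratio, avg_event_bytes,
                           online_retention_days, total_retention_days,
                           compression_ratio, index_overhead=0.30,
                           replica_copies=2):
    """Turn the numbers on the slide into concrete storage and throughput
    requirements. Every input is a site-specific assumption to be replaced
    with measured values. Results are in decimal gigabytes."""
    events_per_day = avg_eps * SECONDS_PER_DAY
    raw_gb_per_day = events_per_day * avg_event_bytes / 1e9
    # Online (searchable) data carries index overhead and, for failover,
    # is held in replica_copies copies.
    online_gb_per_day = raw_gb_per_day * (1 + index_overhead) * replica_copies
    # Archived data is compressed; two copies are assumed (local plus
    # off-site backup).
    archive_gb_per_day = raw_gb_per_day / compression_ratio * 2
    return {
        "events_per_day": events_per_day,
        # Size processing for bursts (scans, outages, log storms), not the average.
        "peak_eps_required": avg_eps * peak_to_avg_ratio,
        "online_storage_gb": online_gb_per_day * online_retention_days,
        "archive_storage_gb": archive_gb_per_day * total_retention_days,
    }


def check_against_hardware(estimate, hardware, headroom=1.25):
    """Return the requirements a proposed platform fails to meet, with 25%
    headroom so that growth does not immediately exhaust the box."""
    shortfalls = []
    for key, hw_key in (("peak_eps_required", "rated_eps"),
                        ("online_storage_gb", "online_storage_gb"),
                        ("archive_storage_gb", "archive_storage_gb")):
        needed = estimate[key] * headroom
        if hardware[hw_key] < needed:
            shortfalls.append(
                f"{hw_key}: have {hardware[hw_key]:,.0f}, need {needed:,.0f}")
    return shortfalls


if __name__ == "__main__":
    # Assumed figures: 2,000 EPS average, 4x peaks, 500-byte events, three
    # months online and one year total retention (the pattern PCI DSS
    # requirement 10.7 asks for), 8:1 archive compression.
    est = estimate_siem_capacity(2000, 4, 500, 90, 365, 8)
    for k, v in est.items():
        print(f"{k:>20}: {v:,.1f}")
    # Assumed candidate appliance spec.
    candidate = {"rated_eps": 5000, "online_storage_gb": 30000,
                 "archive_storage_gb": 12000}
    print(check_against_hardware(est, candidate))
```

With these inputs the candidate box has enough disk but not enough throughput: 2,000 average EPS looks comfortable against a 5,000 EPS rating until a 4x burst pushes the requirement to 8,000, and a SIEM that drops or queues events during exactly the storm you want to alert on is the failure mode the "alerting timeliness" bullet is about.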
SELF-MANAGED SIEM
SELF-MANAGED SIEM
Monitor your own network
[Diagram: network security devices send their logs to a SIEM that sits inside your own network]
CHALLENGES OF SELF-MANAGED SIEM
• Building a team
– Finding and retaining knowledgeable people
• Hardware cost
– Initial build and ongoing maintenance
• Ramp-up time
– Time from inception to production
• Using the SIEM
– Configuration and monitoring
BENEFITS OF SELF-MANAGED SIEM
• You are in control
– Only limited by your own resources
• Data doesn’t leave your site
– You maintain ownership of your data
• Retain knowledge of your network
– Learn your weak-points
• React quicker
– Shorter communication times between onsite resources
MSSP-MANAGED SIEM
MSSP-MANAGED SIEM
Third-party monitoring
[Diagram: network security devices in your network feed a collector, which forwards the logs to the SIEM at the MSSP]
CHALLENGES OF MSSP-MANAGED SIEM
• Externalizing your data
– Must trust the MSSP with your logs
– Geographic restrictions
• Reliance on outside intelligence
– Potentially less involvement with your environment
• Time to alerts
– More communication channels
• More generalized support
– Potentially fewer customization options
BENEFITS OF MSSP-MANAGED SIEM
• Monitored by knowledgeable professionals
– Recruiting and training not required
– Observe and respond to global security trends
• Off-site backup of data
– Your logs are protected off-site
• Latest SIEM technology
– MSSPs tend to use the newest technologies
• Time to production
– Standardized configuration procedures
THANK YOU