
The Real Deal With SIM/SEM






Presentation Transcript


  1. The Real Deal With SIM/SEM
     The Promise of Security Information / Event Management
     Scott Sidel, Sr. Security Manager, Computer Sciences Corp.

  2. Welcome to SIM City

  3. What is a SIM?

  4. Separating signal from noise

  5. “What is going on?”
     • Gather data
     • Normalize data
     • Correlate events
     • Eliminate duplicates
     • Check for patterns
     • Respond appropriately
     • Learn
     • Lather, rinse, repeat

  6. So what’s wrong with the tools I already have?
     • Most tools are designed to solve a specific problem.
       • IDS interface
       • Firewall interface
       • Anti-virus interface
       • Router, load balancer, mail server
     • Your technical staff uses the tools they have to solve specific problems.

  7. Here’s what happens when a security event occurs
     • Uncoordinated points of defense
     • Data overload
     • False positives
     • Undetected threats
     • Time-consuming reporting
     • Ad-hoc incident response

  8. Technical solutions to business problems
     • Are you being driven by your technology, or are you results driven?
     • Fewer hacks
     • More incidents handled by less-skilled staffers
     • Shorter reaction time during events

  9. Here’s what I need
     • The ability to review security events generated from disparate devices across the enterprise
     • Correlate those events with an asset management system (business criticality ratings) and an external threat alert / intelligent analysis service
     • Bubbling up information into a SIM dashboard that will provide real-time prioritization for (CIRT and operations) incident management and (executive and audit) risk reporting
     • Policy and regulatory compliance (log review, reduced incident response times)
     • Improved management of security resources through efficient prioritization of remedial efforts for business critical systems

  10. Here’s what the SIM vendors are promising
     • Collect 100% of security alarms or alerts from any device for storage in a consolidated, normalized database
     • Centralized console display of all security events occurring in any and all security devices
     • Cross-device correlation to eliminate false positives and identify true threats
     • Complete reporting for ad-hoc and periodic reports targeted to security professionals, as well as line managers

  11. Here’s what the SIM vendors are promising (continued)
     • Integration with trouble-ticket and network management systems
     • Support for multiple operating systems, hardware platforms and databases
     • Add new devices without breaking the existing infrastructure
     • Retain knowledge for use in training new security staff

  12. Stage four of SEM
     • Reexamine the IDS that was “detuned” due to information overload.
     • Add in access control and wireless data.
     • Add in employee login data, looking for unusual data.
     • Add in financial applications.

  13. Stage five of SEM
     • Device parameters are able to be unified to support an evolving security policy from a central location.

  14. SIM architecture
     • Data collection (agents)
     • Data storage (data warehouse)
     • Analysis and cross-correlation engine (data reduction, data normalization)
     • Display interface
     • Incident management workflow modules
     • Reporting modules

  15. Data collection: Agents
     • Log parsing
     • SNMP
     • Native capability on appliances
     • Number of devices supported
     • Two-way information and command to devices
     • Secure transmission
     • Number of events per second
     • Customizability
     • Data reduction prior to transmission
     • Bandwidth required

  16. Data storage
     • Multiple collectors
     • Storage requirements
     • Distributed vs. centralized
     • Storage format
       • BLOB, XML, proprietary

  17. Analysis and cross-correlation engine
     • Data warehouse engine
     • Normalization
     • Data reduction
     • Correlation
     • Pattern analysis (detection of multi-source / multi-target attacks)
     • Filtering out false alarms
     • Replaying events
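The pipeline of slide 5 (gather, normalize, eliminate duplicates, correlate, check for patterns) and the engine of slides 15 to 17, shown end to end as an added example that is not part of the presentation. The log lines, device formats and the asset criticality table are constructed for illustration; the asset feed stands in for the asset management system slide 9 asks to correlate against.

```python
import re
from collections import Counter, defaultdict
# Constructed sample lines from three device types (not from the slides), plus an
# assumed asset-management feed giving business criticality per host.
RAW_LOGS = [
    "fw: DENY src=203.0.113.5 dst=10.0.0.10 dport=22",
    "fw: DENY src=203.0.113.5 dst=10.0.0.10 dport=22",  # exact duplicate
    "ids: ALERT sig=SSH-BRUTE src=203.0.113.5 dst=10.0.0.10",
    "auth: FAIL user=admin from=203.0.113.5 host=10.0.0.10",
    "auth: FAIL user=admin from=203.0.113.5 host=10.0.0.10",
    "auth: OK user=admin from=203.0.113.5 host=10.0.0.10",
    "ids: ALERT sig=PORTSCAN src=198.51.100.7 dst=10.0.0.20",
]
ASSET_CRITICALITY = {"10.0.0.10": 5, "10.0.0.20": 1}

# One parser per device type, each yielding the same named groups (the normalize step).
PARSERS = {
    "fw": re.compile(r"fw: (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)"),
    "ids": re.compile(r"ids: ALERT sig=(?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)"),
    "auth": re.compile(r"auth: (?P<action>\w+) user=\S+ from=(?P<src>\S+) host=(?P<dst>\S+)"),
}

def normalize(line):  # one raw line -> (device, action, src, dst), or None if unparseable
    device = line.split(":", 1)[0]
    m = PARSERS.get(device) and PARSERS[device].match(line)
    return (device, m["action"], m["src"], m["dst"]) if m else None

def dedupe(events):  # collapse exact duplicates but keep the count so thresholds still work
    return Counter(events)

def correlate(counts):
    """Cross-device correlation per (src, dst) pair, prioritised by target criticality."""
    by_pair = defaultdict(list)
    for (device, action, src, dst), n in counts.items():
        by_pair[(src, dst)].append((device, action, n))
    incidents = []
    for (src, dst), obs in by_pair.items():
        devices = {d for d, _, _ in obs}
        failed = sum(n for d, a, n in obs if d == "auth" and a == "FAIL")
        success = any(d == "auth" and a == "OK" for d, a, _ in obs)
        if not (failed and success) and len(devices) < 2:
            continue  # seen by one device only and no login pattern: treated as noise here
        pattern = "brute-force then successful login" if failed and success else "multi-device activity"
        priority = len(devices) * ASSET_CRITICALITY.get(dst, 1)
        incidents.append({"src": src, "dst": dst, "pattern": pattern, "priority": priority})
    return sorted(incidents, key=lambda i: -i["priority"])

def triage(lines):  # gather -> normalize -> eliminate duplicates -> correlate (slide 5)
    return correlate(dedupe([e for e in map(normalize, lines) if e]))
```

The lone port-scan alert against the low-value host is dropped as single-device noise, while the firewall, IDS and login events against the critical host collapse into one prioritised incident; the duplicate counts survive de-duplication so the failed-login total is still two.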

  18. Display interface
     • Events
     • Alerts
     • Visual pattern development
     • Multiple devices reduced to a common interface
     • Specialized interface for specialists and NOC staffers
     • Ability to drill down

  19. Incident management workflow modules
     • Multiple methods of alerting staff
     • Investigation flow
     • Identify vulnerable assets
     • Resolution actions
     • Patch management
     • Script or application launch in response to events
     • Access to industry knowledge bases
     • Access to corporate policies
     • Institutional knowledge capture

  20. Reporting modules
     • Technical
     • Managerial
     • Policy compliance
     • Regulatory compliance
     • Preconfigured
     • Customizable

  21. Thank you. Questions, comments?
