Infopercept SIEM Implementation Approach
Page 1
Security Information & Event Management (SIEM)
Technical Approach
CONTENTS
1. Introduction (page 3)
2. Infopercept Vision on Security Operation Center (page 6)
3. Need for SIEM Deployment (page 8)
4. How Infopercept Builds SOC (page 11)
5. Infopercept Delivery Model (page 14)
6. Features and Value Proposition (page 16)
7. High Level Implementation Approach (page 26)
1. Introduction
It is an unsafe cyber world: threats go global in minutes through cyberspace, and human systems can no longer react in time.
FACT: 99.9% secure = 100% vulnerable!
[Figure: IT Apps and Services are evolving. Timeline: 2006 Physical IT Service; 2010 Virtualized IT Service; 2016 Hybrid/Cloud Service. Annotations: Complexity; Change volume, velocity; Managed but not owned.]
2. Infopercept Vision for Security Operation Center
Vision for Security Operation Center
To provide business responsiveness, quality and cost advantages to global customers' IT Security operations, through proven best practices and globally accepted management solutions.
3. Need for SIEM Deployment
Why SIEM?
• Ability to systematically store and retrieve the logs for compliance requirements.
• Drive collaboration between operations teams (NOC, SOC, Systems etc.) by providing meaningful and actionable information.
• Catch malicious activities delivered by exploits through zero-day attacks.
• Cyber forensic investigations.
SIEM Services: 1. Consult, 2. Integrate, 3. Develop, 4. Support
• Health check assessment
• SIEM design and consulting
• SIEM solution selection and proof of concept
• Data source configuration and collection architecture
• SIEM implementation
• SIEM upgrade
• Solution integration
• Use-case development
• Content development
• Connector development
4. How Infopercept Builds a SOC
How we build a SOC
Infopercept builds a Security Operation Center as a scalable and configurable suite of services to help you monitor all your IT elements more efficiently and cost-effectively.
Elements of IT Environment
Hardware & Network
• Server
• Storage
• Desktops
• Network
• Printer
Software & Application
• Operating Systems
• Database
• Applications
• Patch Management
• Migration Services
• Deployment
Value Added Services
• Managed Security
• Help Desk
• Asset Management
• Risk Assessment
• Business Continuity
• L1, L2, L3 Support
5. Infopercept Delivery Model
[Figure: Infopercept Delivery Model. Customer IT Landscape (DMZ, Branch, Internet, Firewall, LAN Users, Servers) with IPS Sensors monitoring traffic in each segment. The IPS Sensors forward all sensitive logs to Motadata; log collection and analysis is performed on the Motadata Server. The Infopercept remote monitoring team monitors the Motadata Server as part of Infopercept SOC Services.]
6. SIEM Features and Value Proposition
Features of SIEM Implementation
Anomaly Detection
• DoS
• Recon
• Malware
• Suspicious activity
• User Access & Authentication
• Exploit
• Network
• Application
• Logins & Locations
• Administrative Accounts
• Infected Hosts detected on subnets
Suspicious Activity
• Traffic to known vulnerable host
• Logs deletion from Source
• Source Stopped Logging
• Various Protocol Traffic from unauthorized host
Unauthorized Activity
• User Access to confidential Data
• Subnet Access to Confidential Data
• Users on Network
• Devices on Network
• Server connection to Internet
SOC Model
01 Infopercept Monitoring
› L1 Security Analyst
› L2 Security Analyst
› SOC Tech Leads
› SOC Managers
› Manage Security Solutions
02 SURICATA – Detection Engine
› Open source, mature, fast and robust network threat detection engine
› Real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing
› Signature detection and Anomaly Detection
03 Motadata
› Unified IT Infra Monitoring & Log Management
› Monitoring
› Network Flow
› Log management
Need for IT Security: Protect Enterprise Data
Pillars: Threat Monitoring & Intelligence; SIEM; Behavioral Monitoring; Vulnerability Assessment
• IDS/IPS
• Monitoring – Apps, DB, Antivirus, Firewall/VPN, DLPs, Antispam, Web proxy etc.
• File Integrity monitoring
• Centralized Log collection – applications/devices
• Event correlation
• Incident response
• Netflow Analysis (6.5)
• Service Availability monitoring
• Continuous monitoring
• Active scanning
SIEM systems require comparatively big investments, so an organization's management usually asks the information security team to get value out of the tool. SIEM use cases are scenarios to detect a range of threats and deliver the visibility you need to deal with them.
Use case development flow:
1. Understand Business Objective
2. Document Problem Statement
3. Define Use Cases
4. Generate Requirement Statements
5. Prioritize Objective
6. Identify Data Sources
7. Create Content
8. Build Real Time Event based Data Monitors
9. Rules for Advance Correlation
10. Build Variables and Event Stream Analysis
11. Use Case Deployment
USE Case – 1 (Malware Detection)
Details: The solution has detected traffic from <source IP / hostname> to <destination IPs> over <ports>. Information gathered would indicate the asset is infected with malware. Traffic activity is being reported by Suricata.
Impact: Malware is performing a remote call back, possibly leaking data or expanding its presence in the network.
Description: <Detailed observations of the pattern and activity>.
Recommendation: Find the source IP asset. Contain the device. If no signs of malware are found, determine the cause of the detected event and remediate. If signs of malware are found, perform the required antivirus updates and/or forensics on the machine. Remediate or clean the system prior to connecting it back to the network.
USE Case – 2 (Brute Force Attack Detection)
Details: The solution has detected failed login attempts from a source to multiple destinations over multiple ports. Information gathered would indicate the asset is infected with malware or an insider is conducting malicious activities. Activities are being reported by the Intrusion Prevention System (Suricata).
Impact: Malware or an insider is trying to gain access to resources by using a brute force attack.
Description: <Detailed observations of the pattern and activity>.
Recommendation: Find the source IP asset. Contain the device. If no signs of malware are found, determine the cause of the detected event and remediate. If signs of malware are found, perform the required antivirus updates and/or forensics on the machine. Remediate or clean the system prior to connecting it back to the network.
USE Case – 3 (Privilege Escalation)
Details: A user is added to a privileged access group at non-working hours.
Impact: An insider has added a new user to a privileged access group to access resources which are not intended for them.
Description: <Detailed observations of the pattern and activity>.
Recommendation: Check with the Identity Management team to verify the authenticity of the user addition to the privileged access group. If it is unauthorized, take the remediation actions.
USE Case – 4 (Network Scan Detection)
Details: The Intrusion Prevention System (Suricata) has detected probes from a source on various destinations which host business critical applications.
Impact: It might be possible that an intentional intruder is trying to perform a network scan on random hosts for recon.
Description: <Detailed observations of the pattern and activity>.
Recommendation: Report to the network management team to verify the incident and take remediation action.
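To make the use-case definitions above concrete, here is an added Python example (not Infopercept's or Motadata's code) that runs simplified correlation rules for use cases 2, 3 and 4 over a constructed set of normalized events. The event field names, the working-hours window, the privileged group names and the fan-out thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

EVENTS = [  # constructed sample events in a normalized form (not real customer logs)
    # use case 2: one source failing logins against several host/port pairs
    {"ts": "2024-03-10T02:10:00", "type": "auth_fail", "src": "10.0.0.5", "dst": "10.0.1.10", "port": 22},
    {"ts": "2024-03-10T02:10:05", "type": "auth_fail", "src": "10.0.0.5", "dst": "10.0.1.11", "port": 3389},
    {"ts": "2024-03-10T02:10:09", "type": "auth_fail", "src": "10.0.0.5", "dst": "10.0.1.12", "port": 445},
    {"ts": "2024-03-10T10:00:00", "type": "auth_fail", "src": "10.0.0.7", "dst": "10.0.1.10", "port": 22},
    # use case 3: privileged group change at 02:15 versus an in-hours one at 11:00
    {"ts": "2024-03-10T02:15:00", "type": "group_add", "actor": "svc_backup", "user": "tmp01", "group": "Domain Admins"},
    {"ts": "2024-03-10T11:00:00", "type": "group_add", "actor": "it_admin", "user": "jdoe", "group": "Domain Admins"},
    # use case 4: IPS probe alerts from one source against several hosts
    {"ts": "2024-03-10T03:00:00", "type": "ips_probe", "src": "10.0.0.9", "dst": "10.0.2.20"},
    {"ts": "2024-03-10T03:00:01", "type": "ips_probe", "src": "10.0.0.9", "dst": "10.0.2.21"},
    {"ts": "2024-03-10T03:00:02", "type": "ips_probe", "src": "10.0.0.9", "dst": "10.0.2.22"},
]
WORK_START, WORK_END = time(9, 0), time(18, 0)    # assumed working hours
PRIV_GROUPS = {"Domain Admins", "Administrators"}  # assumed privileged groups

def fan_out(events, etype, key, min_targets):
    """Sources of `etype` events that touched at least `min_targets` distinct targets."""
    targets = defaultdict(set)
    for e in events:
        if e["type"] == etype:
            targets[e["src"]].add(key(e))
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)

def brute_force(events, min_targets=3):
    """Use case 2: failed logins from one source to multiple destinations/ports."""
    return fan_out(events, "auth_fail", lambda e: (e["dst"], e["port"]), min_targets)

def network_scan(events, min_hosts=3):
    """Use case 4: probes from one source against many destination hosts."""
    return fan_out(events, "ips_probe", lambda e: e["dst"], min_hosts)

def privilege_escalation(events):
    """Use case 3: user added to a privileged group outside working hours."""
    hits = []
    for e in events:
        if e["type"] == "group_add" and e["group"] in PRIV_GROUPS:
            t = datetime.fromisoformat(e["ts"]).time()
            if not WORK_START <= t < WORK_END:
                hits.append((e["actor"], e["user"], e["group"]))
    return hits

def run_rules(events):
    """Evaluate the three rules and return findings keyed by use case."""
    return {"brute_force": brute_force(events), "network_scan": network_scan(events),
            "privilege_escalation": privilege_escalation(events)}
```

Each finding maps to the Details field of the matching use case; the Impact and Recommendation text would be attached by the alerting layer.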
TEAM @ Infopercept: Best of Breed – Best of Exposure
Service Tools
Operating System
• Windows
• Solaris
• HP-UX
• AIX
• Linux
Database
• MS SQL
• MySQL
• Oracle
• Sybase
• MariaDB
Messaging
• MS Exchange
• Lotus Domino
• Zimbra
Web / App. Servers
• IIS
• Tomcat
• Apache
• WebLogic
• WebSphere
Certifications
Network Certification
• CCNA
• CCNP
• CCIE
System Certification
• RHCE
• SCSA
• SCNA
• MCSE
• MCSD
Database Certification
• OCP
• OCA
• MCDBA
Security Certification
• CISSP
• CISA
• BS7799 Auditors
Process Certification
• ITIL
• Six Sigma
7. High Level Plan - SIEM
Let Us Evaluate
• Exploration meeting
• Demo
• Solution capability & business benefits
• Assessment/Requirement gathering
  • Business need/Use Cases
  • Features required
  • Customization needs
• Deployment – 15-day trial
• POC deliverables
  • Unauthorized installation/access
  • Unauthorized web application
  • User account management
  • Brute force attack
  • Vulnerable devices
System Requirements and Deployment
Deployment Options (Lower TCO – No Multiple Licenses Required)
• On-premise
• Cloud
• Delivered as a Service (coming up)
System Requirements
• 4 Core – 64 bit processor
• Minimum 4GB
• Minimum 50GB
• Bare Metal – ISO, VMware – OVA, Hyper-V – VHD
Thank You!
Infopercept Consulting Pvt. Ltd.
Corporate Office : H - 1209, Titanium City Center, Satellite Road, Ahmedabad – 380 015.
www.infopercept.com