SIEM 101
Keith Stover, Solutions Delivery Manager
#HPProtect

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.


What is SIEM? Why is it important?

SIEM = SIM + SEM
– SIM is the collection of log data into a central repository for trend analysis. Today it is commonly referred to as Log Management.
– SEM is the ability to analyze the collected logs to highlight behaviors of interest from various sources, including network and security devices and applications.

Why is SIEM important?
• Complex threat landscape
• Deployment and support simplicity
• Incident investigation
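To make the SIM/SEM split concrete, here is an added example in Python; it is not code from the deck or from any HP product. The SIM half normalises constructed log lines from three hypothetical sources (a firewall, an SSH gateway and a web server) into one central store and counts events per source for trend analysis; the SEM half runs a correlation rule over that store to flag a behaviour of interest, repeated authentication failures from one address followed by a success. All hostnames, addresses, log lines, thresholds and function names are assumptions made for the illustration.

```python
"""Added illustration of SIM (central log collection) + SEM (analysis of the
collected logs). Hostnames, IPs, log lines and thresholds are constructed
for this example; nothing here is code from the deck or from HP."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed raw feeds: (source device, syslog-style line). In a real
# deployment these arrive via connectors/agents from many devices.
RAW_FEEDS = [
    ("fw-edge-1", "2014-09-08T09:00:01Z kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 DPT=22"),
    ("vpn-gw", "2014-09-08T09:01:10Z sshd[812]: Failed password for alice from 198.51.100.7 port 40210 ssh2"),
    ("vpn-gw", "2014-09-08T09:01:15Z sshd[812]: Failed password for alice from 198.51.100.7 port 40211 ssh2"),
    ("vpn-gw", "2014-09-08T09:01:20Z sshd[812]: Failed password for alice from 198.51.100.7 port 40212 ssh2"),
    ("vpn-gw", "2014-09-08T09:01:45Z sshd[813]: Accepted password for alice from 198.51.100.7 port 40213 ssh2"),
    ("app-web-2", '2014-09-08T09:02:00Z nginx: 192.0.2.55 "GET /login HTTP/1.1" 200'),
    ("fw-edge-1", "2014-09-08T09:02:30Z kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 DPT=3389"),
]

# One parser per log format; each maps a raw line onto common field names.
PARSERS = (
    ("auth", re.compile(r"(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")),
    ("firewall", re.compile(r"(?P<ts>\S+) kernel: (?P<action>DROP|ACCEPT) .*SRC=(?P<ip>\S+) .*DPT=(?P<port>\d+)")),
    ("web", re.compile(r'(?P<ts>\S+) nginx: (?P<ip>\S+) "(?P<request>[^"]+)" (?P<status>\d+)')),
)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def normalize(source, line):
    """SIM step 1: turn one raw line into a common event record.
    Returns None when no parser matches (a real store would keep the raw line)."""
    for category, regex in PARSERS:
        match = regex.match(line)
        if match:
            fields = match.groupdict()
            event = {
                "ts": datetime.strptime(fields.pop("ts"), TS_FORMAT),
                "source": source,
                "category": category,
                "raw": line,
            }
            event.update(fields)
            return event
    return None


def collect(feeds):
    """SIM step 2: the central repository, here a time-ordered list of events."""
    events = []
    for source, line in feeds:
        event = normalize(source, line)
        if event is not None:
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def trend_by_source(events):
    """SIM trend analysis: how many events each device contributed."""
    return Counter(e["source"] for e in events)


def failed_then_accepted(events, threshold=3, window=timedelta(minutes=5)):
    """SEM correlation rule: at least `threshold` failed logins from one IP,
    followed by an accepted login from the same IP within `window`
    (illustrative values)."""
    recent_failures = defaultdict(list)
    alerts = []
    for e in events:
        if e["category"] != "auth":
            continue
        ip = e["ip"]
        if e["result"] == "Failed":
            recent_failures[ip].append(e["ts"])
        elif e["result"] == "Accepted":
            hits = [t for t in recent_failures[ip] if e["ts"] - t <= window]
            if len(hits) >= threshold:
                alerts.append({"ip": ip, "user": e["user"], "failures": len(hits), "success_at": e["ts"]})
            recent_failures[ip].clear()
    return alerts


if __name__ == "__main__":
    store = collect(RAW_FEEDS)
    print("events per source:", dict(trend_by_source(store)))
    for alert in failed_then_accepted(store):
        print("ALERT:", alert)
```

The point of the split is visible in the code: `collect` and `trend_by_source` only need every source to land in one normalised store (the Log Management half), while `failed_then_accepted` is worthless without that store but is what turns three noisy lines and one quiet one into a single alert an analyst can act on.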


Three reasons for any project

1. Save the business $$$
• Labor-intensive process to manually aggregate and report on event data
• Aversion to penalties (PCI, SOC, FTC, etc.)
• Brand protection

2. Make the business $$$
• MSSP
• Service offerings

3. Compliance
• PCI, SOX, NIST, etc.


Tips for implementing

4 major areas of focus for a SIEM deployment
• Use cases
• People
• Process and procedures
• Architecture


Use cases
It’s all about the use cases!


Water to wine: The art of use cases

Defining use cases
• Defining your use cases defines the event feeds
• Should be measurable (measuring = success)
• Align to business objectives
– Protect the perimeter, insider threat, user monitoring, compliance (Solution Packs)
– Associate to Risk Management (Enterprise View)
– Run use case workshops


People
They make the magic happen!


Make the world go round

People are the greatest resource
• Executive sponsorship – bottom-up vs. top-down adoption
• Project management
• Resource constraints
– During planning through implementation
– Ongoing staffing
• Training
• Monitoring


Process and procedures
Critical to provide direction once an alert has occurred!


It isn’t sexy, but just as important

Give meaning to all that is done
• Well-defined
• Measured
– Reports
– Metrics
• Monitored for adherence
• Repeatable
• Closed loop


Architecture
This can make or break a solution!


If you build it…

Measure twice, cut once!
• Future-proofing – align with hardware refresh cycles
• Storage
• Sizing
• Event retention
• Physical locations
• How will you use the data?


How do I show value?
Ensuring executive buy-in after the purchase


Breaking down barriers

Return on Security Investment (ROSI)
• SIEM seen as cost avoidance
• People and tools currently used to handle/investigate security incidents can be simplified
• Staff currently involved in the capture, transfer, and storage of compliance-related information are decreased

How to show that value?
• Security
• Operations
• Compliance


Security
Defense in layers


SIEM is the last line of defense

How can I show value within Security?
• Decrease in helpdesk ticketing
• Reduction in fraud or theft of IP
• Without a SIEM, what would go undetected?
• Delegate responsibility throughout the organization

"Organizations need the latest in security research to effectively prevent, detect and combat the growing number of sophisticated threats." – Art Gilliland, Senior Vice President and General Manager, Enterprise Security Products, HP

"Information security is one of the most significant corporate missions and continual challenges at this high-growth company." – Charles Kallenbach, General Counsel and Chief Legal Officer at Heartland Payment Systems


Operations
“Git-R-Done!”


Doing more with less

How to measure operations
• Efficiency gains
– Time to resolution
– Alerts per day per analyst
– Alerts per shift
– Funnel reports
• Savings on reporting efforts
– Licensing
– People time
• Onboarding time for new event sources

[Chart: per-analyst daily counts, Monday through Friday, series Analyst 1, Analyst 2 and Analyst 3; vertical axis 0 to 5]
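As an added example (not from the deck), the operations metrics listed above computed in Python over a constructed alert queue: time to resolution, alerts per day per analyst (the series behind a chart like the one on this slide), alerts per shift, and a simple events-to-alerts-to-incidents funnel. The record layout, shift boundaries, event volume and function names are assumptions made for the illustration, not the export format of any particular SIEM.

```python
"""Added example: operations metrics over a constructed SIEM alert queue.
Record layout, shift boundaries and event volumes are assumptions for this
illustration, not an export format of any particular product."""
from collections import Counter
from datetime import datetime
from statistics import mean, median

TS_FORMAT = "%Y-%m-%d %H:%M"

# Constructed alert records: when an analyst opened and closed each alert,
# and whether triage closed it or escalated it to incident response.
ALERTS = [
    {"id": 1, "analyst": "Analyst 1", "opened": "2014-09-08 08:05", "closed": "2014-09-08 08:35", "status": "closed"},
    {"id": 2, "analyst": "Analyst 1", "opened": "2014-09-08 09:10", "closed": "2014-09-08 10:40", "status": "escalated"},
    {"id": 3, "analyst": "Analyst 2", "opened": "2014-09-08 13:00", "closed": "2014-09-08 13:20", "status": "closed"},
    {"id": 4, "analyst": "Analyst 3", "opened": "2014-09-08 22:30", "closed": "2014-09-09 00:30", "status": "closed"},
    {"id": 5, "analyst": "Analyst 2", "opened": "2014-09-09 14:00", "closed": "2014-09-09 14:45", "status": "closed"},
    {"id": 6, "analyst": "Analyst 1", "opened": "2014-09-09 07:50", "closed": "2014-09-09 09:20", "status": "escalated"},
]
EVENTS_INGESTED = 1_250_000  # constructed raw event volume over the same two days

# Hypothetical shift boundaries (start hour inclusive, end hour exclusive);
# any other hour counts as the "night" shift.
SHIFTS = (("day", 6, 14), ("evening", 14, 22))


def _parse(ts):
    return datetime.strptime(ts, TS_FORMAT)


def shift_for(ts):
    """Name the shift during which an alert was opened."""
    hour = _parse(ts).hour
    for name, start, end in SHIFTS:
        if start <= hour < end:
            return name
    return "night"


def resolution_minutes(alerts):
    """Minutes from open to close for each alert (crosses midnight correctly)."""
    return [(_parse(a["closed"]) - _parse(a["opened"])).total_seconds() / 60 for a in alerts]


def time_to_resolution(alerts):
    """Mean, median and worst-case time to resolution in minutes."""
    mins = resolution_minutes(alerts)
    return {"mean_min": round(mean(mins), 1), "median_min": round(median(mins), 1), "max_min": max(mins)}


def alerts_per_day_per_analyst(alerts):
    """Counts keyed by (analyst, date): the series behind a per-analyst daily chart."""
    return dict(Counter((a["analyst"], a["opened"][:10]) for a in alerts))


def alerts_per_shift(alerts):
    """How the alert load falls across shifts, which informs staffing."""
    return dict(Counter(shift_for(a["opened"]) for a in alerts))


def funnel(events_ingested, alerts):
    """Funnel report: raw events -> alerts raised -> incidents escalated."""
    incidents = sum(1 for a in alerts if a["status"] == "escalated")
    return {
        "events": events_ingested,
        "alerts": len(alerts),
        "incidents": incidents,
        "alerts_per_million_events": round(len(alerts) / events_ingested * 1_000_000, 2),
        "incident_rate": round(incidents / len(alerts), 3) if alerts else 0.0,
    }


if __name__ == "__main__":
    print("time to resolution:", time_to_resolution(ALERTS))
    print("alerts per day per analyst:", alerts_per_day_per_analyst(ALERTS))
    print("alerts per shift:", alerts_per_shift(ALERTS))
    print("funnel:", funnel(EVENTS_INGESTED, ALERTS))
```

Reporting the median alongside the mean matters in practice: one alert that sits open overnight (id 4 above) pulls the mean up without saying anything about how quickly the queue is normally worked, and the funnel ratios are what show whether tuning is reducing noise or simply hiding incidents.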


Compliance
SIEM alone does not make you compliant!


Filling in those check boxes

SIEM’s value toward compliance
• Helps secure resources with the most risk
– Assets
– Applications
• Reduces reporting effort
– Decrease LOE
– Simplify and standardize
• Remember that compliance is the baseline and not what security should strive towards


Common mistakes
Been there, someone else has done that!
It always comes down to people, process, technology


People

People are the single greatest investment for an organization
• Training
• Care and feeding of a SIEM
• Fulfilling 10 use cases in an afternoon scenarios
• Who’s doing what?
– SOC Operations
– Engineering
– Content authoring
• Real Total Cost of Ownership

"To get something out of a tool you have to invest time, money and effort into people." – Bill Bradd, OTSIS, U.S. Census Bureau

"It's an investment in technology, but also people knowledgeable in maintaining and monitoring the system." – Bill Bradd, OTSIS, U.S. Census Bureau


Process
Back to those darn use cases!

Process is key!
• Recent data breaches show that technology isn’t effective if there isn’t a process in place
• Processes need to be closed loop
• Processes need to be measured and monitored

Failure to define your use cases should not be an option
• Failing to define them leads to the previous slide
• No definable success criteria
• No way to show value back to the organization
• Conduct value assessments on existing use cases

Document everything!


Technology

Right idea, wrong application
• SIEM layers
– Connector, agent, receiver, etc.
– Log management
– Real-time correlation

I’m giving her all she’s got!
• Storage
• Scaling – going vertical or horizontal

"Nobody has the perfect solution; these are complex problems and complex challenges." – Chris Petersen, CTO, LogRhythm

“Troubleshooting SIEM tools is generally no picnic, either.” – Eugene Schultz, Info Sec author


Parting thoughts
Baby steps! Use cases


Tonight’s party @ Newseum
Enjoy food, drinks, company, and a private concert by Counting Crows
Time: 7:00 – 10:00 pm
Shuttles run between the hotel’s Porte Cochere (Terrace Level, by registration) and the Newseum from 6:30 – 10:00 pm
Questions? Please visit the Info Desk by registration


Please give me your feedback
Session TB3258, Speaker Keith Stover

Please fill out a survey. Hand it to the door monitor on your way out.

Thank you for providing your feedback, which helps us enhance content for future events.


Thank you
