The Real Deal With SIM/SEM - PowerPoint PPT Presentation

Provided by: searchsecu
Transcript and Presenter's Notes

Title: The Real Deal With SIM/SEM


1
The Real Deal With SIM/SEM
  • The Promise of Security Information / Event
    Management
  • Scott Sidel
  • Sr. Security Manager
  • Computer Sciences Corp.

2
Welcome to SIM City
3
What is a SIM?
4
Separating signal from noise
5
What is going on?
  • Gather data
  • Normalize data
  • Correlate events
  • Eliminate duplicates
  • Check for patterns
  • Respond appropriately
  • Learn
  • Lather, rinse, repeat
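The loop on this slide, worked through in code as an added example that is not part of the presentation. It gathers raw lines from three constructed sources (a firewall, an IDS and a host auth log; the line formats are made up for the example, not any vendor's), normalizes them into one event schema, eliminates an exact duplicate that two collectors both forwarded, and then checks for a cross-source pattern: an IDS alert for a source address, followed by repeated failed logins and then a successful login from that same address.

```python
import re

# Constructed sample input: (collector name, raw line) pairs from three source
# types. The log formats are made up for this example, not any vendor's.
RAW_LINES = [
    ("fw1", "2024-05-01 10:00:01 DENY src=203.0.113.5 dst=10.0.0.8 dport=22"),
    # The same firewall line again, as seen by a second collector (a duplicate).
    ("fw1", "2024-05-01 10:00:01 DENY src=203.0.113.5 dst=10.0.0.8 dport=22"),
    ("ids1", '2024-05-01T10:00:02Z ALERT sig="SSH brute force" 203.0.113.5 -> 10.0.0.8'),
    ("auth-10.0.0.8", "May  1 10:00:03 host sshd[1]: Failed password for admin from 203.0.113.5 port 5000 ssh2"),
    ("auth-10.0.0.8", "May  1 10:00:04 host sshd[1]: Failed password for admin from 203.0.113.5 port 5001 ssh2"),
    ("auth-10.0.0.8", "May  1 10:00:05 host sshd[1]: Accepted password for admin from 203.0.113.5 port 5002 ssh2"),
]

FW_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)$")
IDS_RE = re.compile(r'^(?P<ts>\S+) ALERT sig="(?P<sig>[^"]+)" (?P<src>\S+) -> (?P<dst>\S+)$')
AUTH_RE = re.compile(r"^(?P<ts>\w+ +\d+ [\d:]+) .*sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port")


def normalize(collector, line):
    """Map one raw line into the common event schema; None if it does not parse."""
    if collector.startswith("fw"):
        m = FW_RE.match(line)
        if m:
            return {"ts": m["ts"], "kind": "firewall", "action": m["action"].lower(),
                    "src": m["src"], "dst": m["dst"], "detail": "dport=" + m["port"]}
    elif collector.startswith("ids"):
        m = IDS_RE.match(line)
        if m:
            return {"ts": m["ts"], "kind": "ids", "action": "alert",
                    "src": m["src"], "dst": m["dst"], "detail": m["sig"]}
    elif collector.startswith("auth-"):
        m = AUTH_RE.match(line)
        if m:
            action = "login_ok" if m["result"] == "Accepted" else "login_fail"
            # The host log carries no destination address; take it from the collector name.
            return {"ts": m["ts"], "kind": "auth", "action": action,
                    "src": m["src"], "dst": collector[len("auth-"):], "detail": "user=" + m["user"]}
    return None


def eliminate_duplicates(events):
    """Drop events identical in every normalized field, keeping first-seen order."""
    seen, unique = set(), []
    for e in events:
        key = tuple(sorted(e.items()))
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique


def correlate(events, fail_threshold=2):
    """Pattern check across sources: an IDS alert for a source address, then at
    least fail_threshold failed logins, then a successful login from that address."""
    state, findings = {}, []
    for e in events:
        s = state.setdefault(e["src"], {"ids_alert": False, "fails": 0})
        if e["kind"] == "ids":
            s["ids_alert"] = True
        elif e["action"] == "login_fail":
            s["fails"] += 1
        elif e["action"] == "login_ok" and s["ids_alert"] and s["fails"] >= fail_threshold:
            findings.append({"src": e["src"], "dst": e["dst"], "fails": s["fails"],
                             "summary": "brute force followed by successful login"})
    return findings


def run_pipeline(raw_lines):
    """Gather -> normalize -> eliminate duplicates -> correlate. Returns (events, findings)."""
    events = []
    for collector, line in raw_lines:
        e = normalize(collector, line)
        if e is not None:
            events.append(e)
    unique = eliminate_duplicates(events)
    return unique, correlate(unique)


if __name__ == "__main__":
    unique, findings = run_pipeline(RAW_LINES)
    print(f"{len(RAW_LINES)} raw lines -> {len(unique)} unique events -> {len(findings)} finding(s)")
    for f in findings:
        print(f)
```

The point of the normalization step is visible in `correlate`: once every source speaks the same schema, the rule needs no knowledge of which product produced the line. The "Learn" step on the slide corresponds to tuning `fail_threshold` and the pattern itself as the environment's normal behaviour becomes clearer.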

6
So what's wrong with the tools I already have?
  • Most tools are designed to solve a specific
    problem.
  • IDS interface
  • Firewall interface
  • Anti-virus interface
  • Router, load balancer, mail server
  • Your technical staff uses the tools they have to
    solve specific problems.

7
Here's what happens when a security event occurs
  • Uncoordinated points of defense
  • Data overload
  • False positives
  • Undetected threats
  • Time-consuming reporting
  • Ad-hoc incident response

8
Technical solutions to business problems
  • Are you being driven by your technology, or are
    you results driven?
  • Fewer hacks
  • More incidents handled by less-skilled staffers
  • Shorter reaction time during events

9
Here's what I need
  • The ability to review security events generated
    from disparate devices across the enterprise
  • Correlate those events with an asset management
    system (business criticality ratings) and
    external threat alert / intelligent analysis
    service
  • Bubbling up information into a SIM dashboard that
    will provide real-time prioritization for (CIRT
    and operations) incident management and
    (executive and audit) risk reporting
  • Policy and regulatory compliance (log review,
    reduced incident response times)
  • Improved management of security resources through
    efficient prioritization of remedial efforts for
    business critical systems
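The second and third bullets, correlating events with an asset management system and an external threat feed and bubbling the result up to a prioritized dashboard, as an added example that is not from the presentation. The asset register, threat feed, severity scale and the 1000-point CIRT cut-off are all constructed for illustration; the scoring formula is one reasonable choice, not a standard.

```python
# Constructed asset register (business criticality 1 = low .. 5 = critical).
ASSETS = {
    "10.0.0.8":  {"name": "payroll-db", "criticality": 5, "owner": "finance"},
    "10.0.0.20": {"name": "dev-test-vm", "criticality": 1, "owner": "it"},
}
# Constructed external threat feed: source address -> confidence 0..100 that it is hostile.
THREAT_FEED = {"203.0.113.5": 90}

# Base severity per normalized event type (constructed scale).
SEVERITY = {"ids_alert": 3, "login_ok_after_fail": 4, "firewall_deny": 1}

# Constructed normalized events, as an analysis engine might hand them to the dashboard.
EVENTS = [
    {"id": "e1", "type": "ids_alert", "src": "203.0.113.5", "dst": "10.0.0.8", "summary": "SSH brute force"},
    {"id": "e2", "type": "ids_alert", "src": "198.51.100.7", "dst": "10.0.0.20", "summary": "web scanner"},
    {"id": "e3", "type": "firewall_deny", "src": "198.51.100.7", "dst": "10.0.0.8", "summary": "blocked tcp/3306"},
    {"id": "e4", "type": "login_ok_after_fail", "src": "203.0.113.5", "dst": "10.0.0.20", "summary": "admin login after failures"},
]

CIRT_THRESHOLD = 1000  # constructed cut-off: at or above this the row goes to the CIRT queue
UNKNOWN_ASSET = {"name": "unknown", "criticality": 2, "owner": "unassigned"}


def score_event(event, assets=ASSETS, feed=THREAT_FEED):
    """severity x asset criticality x (100 + threat-feed confidence).
    Integer arithmetic on purpose, so scores compare and sum exactly."""
    base = SEVERITY.get(event["type"], 1)
    asset = assets.get(event["dst"], UNKNOWN_ASSET)  # unlisted hosts get a middling rating
    confidence = feed.get(event["src"], 0)
    return base * asset["criticality"] * (100 + confidence)


def prioritize(events, assets=ASSETS, feed=THREAT_FEED):
    """Dashboard rows ordered by score, each tagged with the queue that should act on it."""
    rows = []
    for e in events:
        asset = assets.get(e["dst"], UNKNOWN_ASSET)
        score = score_event(e, assets, feed)
        rows.append({"id": e["id"], "score": score, "asset": asset["name"], "owner": asset["owner"],
                     "queue": "CIRT" if score >= CIRT_THRESHOLD else "operations",
                     "summary": e["summary"]})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def risk_by_owner(rows):
    """Executive / audit view: total outstanding risk score per business owner."""
    totals = {}
    for r in rows:
        totals[r["owner"]] = totals.get(r["owner"], 0) + r["score"]
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    rows = prioritize(EVENTS)
    for r in rows:
        print(f"{r['score']:>5} {r['queue']:<10} {r['asset']:<12} {r['summary']}")
    print("risk by owner:", risk_by_owner(rows))
```

Note what the ordering does: the scanner hit against the low-value test VM (e2) drops to the bottom even though its raw IDS severity equals that of the brute-force alert against the payroll database (e1), which is the only row that reaches the CIRT queue. That is the "efficient prioritization of remedial efforts for business critical systems" bullet, made concrete.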

10
Here's what the SIM vendors are promising
  • Collect 100% of security alarms or alerts from
    any device for storage in a consolidated,
    normalized database
  • Centralized console display of all security
    events occurring in any and all security devices
  • Cross-device correlation to eliminate false
    positives and identify true threats
  • Complete reporting for ad-hoc and periodic
    reports targeted to security professionals, as
    well as line managers

11
Here's what the SIM vendors are promising
(continued)
  • Integration with trouble-ticket and network
    management systems
  • Support for multiple operating systems, hardware
    platforms and databases
  • Add new devices without breaking the existing
    infrastructure
  • Retain knowledge for use in training new security
    staff

12
Stage four of SEM
  • Reexamine the IDS that was detuned due to
    information overload.
  • Add in access control and wireless data.
  • Add in employee login data, looking for unusual
    data.
  • Add in financial applications.

13
Stage five of SEM
  • Device parameters can be unified from a central
    location to support an evolving security
    policy.

14
SIM architecture
  • Data collection (agents)
  • Data storage (data warehouse)
  • Analysis and cross-correlation engine (data
    reduction, data normalization)
  • Display interface
  • Incident management workflow modules
  • Reporting modules

15
Data collection Agents
  • Log Parsing
  • SNMP
  • Native capability on appliances
  • Number of devices supported
  • Two-way information and command to devices
  • Secure transmission
  • Number of events per second
  • Customizability
  • Data reduction prior to transmission
  • Bandwidth required
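"Data reduction prior to transmission", "Number of events per second" and "Bandwidth required" are related: an agent that aggregates before it sends lowers both. The following added example (not from the presentation) shows one such agent-side reduction over a constructed one-second burst of firewall denies from a port sweep. Lines that share a second, action, source and destination collapse into one summary record carrying a count and a port range; everything else passes through unchanged. The line format is made up for the example.

```python
import re
from collections import defaultdict

# Constructed firewall line format (not any vendor's).
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)$")


def make_sample_lines():
    """Constructed input: 50 denies from one source in one second (a port sweep),
    plus two unrelated lines that must reach the SIM untouched."""
    lines = [f"2024-05-01 10:00:00 DENY src=203.0.113.5 dst=10.0.0.8 dport={1000 + i}" for i in range(50)]
    lines.append("2024-05-01 10:00:00 ALLOW src=10.0.0.9 dst=10.0.0.8 dport=443")
    lines.append("2024-05-01 10:00:01 DENY src=203.0.113.5 dst=10.0.0.8 dport=1050")
    return lines


def reduce_events(lines):
    """Collapse lines sharing (second, action, src, dst) into one summary record.
    The summary keeps a count and the min-max port range, which is lossy: if the
    exact port list matters for investigation, ship the list instead of the range."""
    buckets = defaultdict(list)  # key -> destination ports seen; dict keeps insertion order
    for index, line in enumerate(lines):
        m = LINE_RE.match(line)
        if not m:
            buckets[("raw", index, line)] = []  # unparsed: forward as-is, never dropped
            continue
        buckets[(m["ts"], m["action"], m["src"], m["dst"])].append(int(m["port"]))

    out = []
    for key, ports in buckets.items():
        if key[0] == "raw":
            out.append(key[2])
        elif len(ports) == 1:
            out.append(f"{key[0]} {key[1]} src={key[2]} dst={key[3]} dport={ports[0]}")
        else:
            out.append(f"{key[0]} {key[1]} src={key[2]} dst={key[3]} "
                       f"count={len(ports)} dports={min(ports)}-{max(ports)}")
    return out


def transmission_stats(before, after):
    """Events and bytes (one newline per line) before and after reduction."""
    bytes_in = sum(len(line) + 1 for line in before)
    bytes_out = sum(len(line) + 1 for line in after)
    return {"events_in": len(before), "events_out": len(after),
            "bytes_in": bytes_in, "bytes_out": bytes_out,
            "reduction_pct": round(100 * (1 - bytes_out / bytes_in))}


if __name__ == "__main__":
    raw = make_sample_lines()
    reduced = reduce_events(raw)
    for line in reduced:
        print(line)
    print(transmission_stats(raw, reduced))
```

The trade-off the checklist hints at is visible here: the fewer events per second the agent forwards, the less bandwidth and storage the SIM needs, but every field folded into a summary is a field the analyst can no longer drill into later.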

16
Data storage
  • Multiple collectors
  • Storage requirements
  • Distributed vs. centralized
  • Storage format
  • BLOB, XML, proprietary

17
Analysis and cross-correlation engine
  • Data warehouse engine
  • Normalization
  • Data reduction
  • Correlation
  • Pattern analysis (detection of multi-source /
    multi-target attacks)
  • Filtering out false alarms
  • Replaying events
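Two of these engine functions, pattern analysis for multi-source / multi-target attacks and filtering out false alarms, as an added example that is not from the presentation. It takes already-normalized IDS events (constructed), first suppresses alerts whose signature cannot apply to the target (an IIS signature fired against a Linux host, judged from a constructed asset inventory and signature catalogue), then counts distinct targets per source and distinct sources per target against a threshold.

```python
from collections import defaultdict

# Constructed asset inventory: operating system per host.
ASSET_OS = {"10.0.0.8": "linux", "10.0.0.9": "windows", "10.0.0.10": "linux", "10.0.0.11": "linux"}
# Constructed signature catalogue: which platform each signature can actually affect.
SIG_PLATFORM = {"IIS WebDAV overflow": "windows", "SSH brute force": "any", "Apache mod_x overflow": "linux"}

# Constructed normalized IDS events (already through collection and normalization).
EVENTS = [
    {"src": "203.0.113.5", "dst": "10.0.0.8", "sig": "SSH brute force"},
    {"src": "203.0.113.5", "dst": "10.0.0.9", "sig": "SSH brute force"},
    {"src": "203.0.113.5", "dst": "10.0.0.10", "sig": "SSH brute force"},
    {"src": "203.0.113.5", "dst": "10.0.0.11", "sig": "SSH brute force"},
    {"src": "198.51.100.1", "dst": "10.0.0.8", "sig": "IIS WebDAV overflow"},   # Windows signature, Linux host
    {"src": "198.51.100.2", "dst": "10.0.0.9", "sig": "IIS WebDAV overflow"},
    {"src": "198.51.100.3", "dst": "10.0.0.9", "sig": "IIS WebDAV overflow"},
    {"src": "198.51.100.4", "dst": "10.0.0.9", "sig": "IIS WebDAV overflow"},
]


def filter_false_alarms(events, asset_os=ASSET_OS, sig_platform=SIG_PLATFORM):
    """Suppress alerts whose signature targets a platform the destination does not run.
    Unknown hosts and unknown signatures are kept: suppress only on positive evidence."""
    kept, dropped = [], []
    for e in events:
        platform = sig_platform.get(e["sig"], "any")
        host_os = asset_os.get(e["dst"], "unknown")
        if platform != "any" and host_os != "unknown" and platform != host_os:
            dropped.append(e)
        else:
            kept.append(e)
    return kept, dropped


def find_patterns(events, threshold=3):
    """Fan-out (one source, many targets) and fan-in (many sources, one target)."""
    targets_by_src = defaultdict(set)
    sources_by_dst = defaultdict(set)
    for e in events:
        targets_by_src[e["src"]].add(e["dst"])
        sources_by_dst[e["dst"]].add(e["src"])

    patterns = []
    for src, dsts in targets_by_src.items():
        if len(dsts) >= threshold:
            patterns.append({"pattern": "multi-target", "source": src, "targets": len(dsts)})
    for dst, srcs in sources_by_dst.items():
        if len(srcs) >= threshold:
            patterns.append({"pattern": "multi-source", "target": dst, "sources": len(srcs)})
    return patterns


def analyze(events, threshold=3):
    """Filter first, then look for patterns, so suppressed alarms do not inflate the counts."""
    kept, dropped = filter_false_alarms(events)
    return {"kept": len(kept), "dropped": len(dropped), "patterns": find_patterns(kept, threshold)}


if __name__ == "__main__":
    result = analyze(EVENTS)
    print(f"kept {result['kept']}, dropped {result['dropped']} as false alarms")
    for p in result["patterns"]:
        print(p)
```

Order matters: filtering runs before pattern analysis so that a suppressed alarm never counts toward a multi-source finding, and the filter only drops an alert when both the host's platform and the signature's platform are positively known and disagree. Replaying stored events through `analyze` with a different `threshold` is the "Replaying events" bullet in practice.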

18
Display interface
  • Events
  • Alerts
  • Visual pattern development
  • Multiple devices reduced to a common interface
  • Specialized interface for specialists and NOC
    staffers
  • Ability to drill down

19
Incident management workflow modules
  • Multiple methods of alerting staff
  • Investigation flow
  • Identify vulnerable assets
  • Resolution actions
  • Patch management
  • Script or application launch in response to
    events
  • Access to industry knowledge bases
  • Access to corporate policies
  • Institutional knowledge capture

20
Reporting modules
  • Technical
  • Managerial
  • Policy compliance
  • Regulatory compliance
  • Preconfigured
  • Customizable

21
Thank you. Questions, comments?