SIEM 101 - Hewlett Packard Enterprise


© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

SIEM 101 Keith Stover, Solutions Delivery Manager #HPProtect


What is SIEM? Why is it important?

SIEM = SIM + SEM
– SIM is the collection of log data into a central repository for trend analysis. Today it is commonly referred to as Log Management.
– SEM is the ability to analyze the collected logs to highlight behaviors of interest from various sources, including network and security devices and applications.

Why is SIEM important? • Complex threat landscape • Deployment and support simplicity • Incident investigation
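The SIM/SEM split above is easiest to see in code. The following is an added example, not material from the deck or from HP ArcSight: the SIM step normalizes raw syslog text into structured events, and the SEM step runs a correlation rule over them (a successful SSH login preceded by a burst of failures from the same source). The log lines, the rule name, the threshold and the window are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed (not from the original deck): an SSH password-guessing
# burst that ends in a successful login, plus one unrelated failure/success pair.
SAMPLE_LOGS = """\
2014-09-08T10:00:01Z host1 sshd[2001]: Failed password for root from 203.0.113.7 port 50122 ssh2
2014-09-08T10:00:03Z host1 sshd[2001]: Failed password for root from 203.0.113.7 port 50123 ssh2
2014-09-08T10:00:05Z host1 sshd[2001]: Failed password for admin from 203.0.113.7 port 50124 ssh2
2014-09-08T10:00:06Z host1 sshd[2001]: Failed password for admin from 203.0.113.7 port 50125 ssh2
2014-09-08T10:00:09Z host1 sshd[2001]: Failed password for admin from 203.0.113.7 port 50126 ssh2
2014-09-08T10:00:12Z host1 sshd[2001]: Accepted password for admin from 203.0.113.7 port 50127 ssh2
2014-09-08T10:01:00Z host2 sshd[3100]: Failed password for bob from 198.51.100.4 port 41000 ssh2
2014-09-08T10:02:30Z host2 sshd[3100]: Accepted publickey for bob from 198.51.100.4 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(lines):
    """SIM step: turn raw log text into normalised event records."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines are worth counting as a feed-quality metric
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"],
            "outcome": m["outcome"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def correlate(events, threshold=5, window=timedelta(minutes=2)):
    """SEM step: alert when a successful login is preceded by at least
    `threshold` failures from the same source inside a sliding `window`."""
    failures = defaultdict(list)  # src -> timestamps of recent failed logins
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        # age out failures that fell outside the window
        failures[src] = [t for t in failures[src] if ev["ts"] - t <= window]
        if ev["outcome"] == "Failed":
            failures[src].append(ev["ts"])
        elif len(failures[src]) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success",  # assumed rule name
                "src": src,
                "user": ev["user"],
                "host": ev["host"],
                "failures_in_window": len(failures[src]),
                "ts": ev["ts"],
            })
            failures[src].clear()  # one alert per burst, not one per later success
    return alerts


def run(lines=SAMPLE_LOGS):
    """Collect, then analyse: the two halves of SIEM in one call."""
    return correlate(parse(lines))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The rule also shows why "use cases define the event feeds": this detection needs nothing more than sshd authentication logs, so onboarding that one feed is the measurable prerequisite for it.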


Three reasons for any project

1. Save the business $$$ • Labor-intensive process to manually aggregate and report on event data • Avoidance of penalties (PCI, SOC, FTC, etc.) • Brand protection

2. Make the business $$$ • MSSP • Service Offerings

3. Compliance • PCI, SOX, NIST, etc….


Tips to implementing

4 major areas of focus for a SIEM deployment • Use cases • People • Process and procedures • Architecture


Use cases It’s all about the use cases!


Water to wine: The art of use cases

Defining use cases
• Defining your use cases defines the event feeds
• Should be measurable (measuring = success)
• Align to business objectives
– Protect the perimeter, insider threat, user monitoring, compliance (Solution Packs)
– Associate to Risk Management (Enterprise View)
– Run use case workshops


People They make the magic happen!


Make the world go round

People are the greatest resource
• Executive sponsorship – bottom-up vs. top-down adoption
• Project management
• Resource constraints
– During planning through implementation
– Ongoing staffing
• Training
• Monitoring


Process and procedures Critical to provide direction once an alert has occurred!


It isn’t sexy, but just as important

Give meaning to all that is done
• Well-defined
• Measured
– Reports
– Metrics
• Monitored for adherence
• Repeatable
• Closed loop


Architecture This can make or break a solution!


If you build it…

Measure twice, cut once!
• Future-proofing – align with hardware refresh cycles
• Storage
• Sizing
• Event retention
• Physical locations
• How will you use the data?
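Storage, sizing, retention and future-proofing are one calculation once the event-source inventory is known. The following sizing model is an added example, not a formula from the deck or from any vendor's sizing guide: the per-feed EPS and event sizes, the compression ratios, the index overhead, the replica count, the peak factor and the growth rate are all assumed figures to be replaced with measured ones.

```python
SECONDS_PER_DAY = 86_400
GIB = 1024 ** 3

# Constructed event-source inventory (assumed figures, not from the deck):
# sustained events per second and average raw event size in bytes per feed.
SOURCES = {
    "firewall":  {"eps": 2000, "avg_bytes": 300},
    "windows":   {"eps": 800,  "avg_bytes": 900},
    "web_proxy": {"eps": 1200, "avg_bytes": 450},
    "ids":       {"eps": 150,  "avg_bytes": 1200},
}


def total_eps(sources):
    """Aggregate sustained EPS, the number most licensing is priced on."""
    return sum(s["eps"] for s in sources.values())


def daily_raw_bytes(sources, peak_factor=1.5):
    """Raw bytes ingested per day across all feeds. peak_factor sizes for
    sustained bursts (outage storms, scanning) rather than the quiet average."""
    per_second = sum(s["eps"] * s["avg_bytes"] for s in sources.values())
    return per_second * peak_factor * SECONDS_PER_DAY


def storage_gib(sources, hot_days=90, total_days=365, hot_ratio=0.5,
                cold_ratio=0.1, index_overhead=0.25, replicas=2,
                headroom=1.3, peak_factor=1.5):
    """Usable-storage estimate in GiB for a two-tier retention design:
    - hot tier: indexed, searchable, replicated, keeps `hot_days`
    - cold tier: compressed archive for the rest of `total_days`
    hot_ratio/cold_ratio are assumed stored/raw compression factors."""
    if not 0 <= hot_days <= total_days:
        raise ValueError("hot_days must lie within the total retention period")
    raw_day = daily_raw_bytes(sources, peak_factor)
    hot = raw_day * hot_days * hot_ratio * (1 + index_overhead) * replicas
    cold = raw_day * (total_days - hot_days) * cold_ratio
    total = (hot + cold) * headroom  # headroom: never run the hot tier full
    return {
        "raw_per_day_gib": raw_day / GIB,
        "hot_gib": hot / GIB,
        "cold_gib": cold / GIB,
        "total_gib": total / GIB,
    }


def project(sources, years, growth=0.20, **kwargs):
    """Size for the end of a hardware refresh cycle by compounding an assumed
    annual EPS growth rate; event sizes are held constant."""
    grown = {
        name: {"eps": s["eps"] * (1 + growth) ** years, "avg_bytes": s["avg_bytes"]}
        for name, s in sources.items()
    }
    return storage_gib(grown, **kwargs)


if __name__ == "__main__":
    for label, est in (("today", storage_gib(SOURCES)), ("year 3", project(SOURCES, years=3))):
        print(f"{label}: raw/day {est['raw_per_day_gib']:.0f} GiB, "
              f"hot {est['hot_gib']:.0f} GiB, cold {est['cold_gib']:.0f} GiB, "
              f"total {est['total_gib']:.0f} GiB")
```

The point of separating the tiers is that the expensive, replicated, indexed hot tier is driven by how long analysts actually search interactively, while the compliance retention period mostly lands in cheap cold storage; sizing both for the end of the refresh cycle rather than for day one is the "future-proofing" bullet made concrete.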


How do I show value? Ensuring executive buy-in after the purchase


Breaking down barriers

Return on Security Investment (ROSI)
• SIEM seen as cost avoidance
• People and tools currently used to handle and investigate security incidents can be simplified
• Staff currently involved in the capture, transfer, and storage of compliance-related information is decreased

How to show that value?
• Security
• Operations
• Compliance


Security Defense in layers


SIEM is the last line of defense

How can I show value within Security?
• Decrease in helpdesk ticketing
• Reduction in fraud or theft of IP
• Without a SIEM, what would go undetected?
• Delegate responsibility throughout the organization

"Organizations need the latest in security research to effectively prevent, detect and combat the growing number of sophisticated threats." – Art Gilliland, Senior Vice President and General Manager, Enterprise Security Products, HP

"Information security is one of the most significant corporate missions and continual challenges at this high-growth company." – Charles Kallenbach, General Counsel and Chief Legal Officer, Heartland Payment Systems


Operations “Git-R-Done!”


Doing more with less

How to measure operations
• Efficiency gains
– Time to resolution
– Alerts per day per analyst
– Alerts per shift
– Funnel reports
• Savings on reporting efforts
– Licensing
– People time
• Onboarding time for new event sources

[Bar chart: alerts per analyst per day, Monday through Friday, for Analyst 1, Analyst 2 and Analyst 3; y-axis 0 to 5]
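The operations metrics listed above (time to resolution, alerts per day per analyst, funnel reports) can be produced from nothing more than an export of the alert queue. The script below is an added example, not a report from the deck or from any SIEM product: the alert records, the analyst names, the dispositions and the daily raw-event counts are constructed data, and the field layout is an assumption about what a queue export would contain.

```python
from collections import Counter, defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed alert-queue export (assumed fields, not data from the deck):
# alert id, assigned analyst, opened, closed (None = still open), disposition.
ALERTS = [
    ("A-001", "analyst1", "2014-09-08 09:05", "2014-09-08 09:35", "false_positive"),
    ("A-002", "analyst1", "2014-09-08 10:10", "2014-09-08 10:25", "benign"),
    ("A-003", "analyst2", "2014-09-08 11:00", "2014-09-08 13:00", "escalated"),
    ("A-004", "analyst2", "2014-09-09 08:30", "2014-09-09 08:50", "false_positive"),
    ("A-005", "analyst3", "2014-09-09 09:00", "2014-09-09 12:00", "incident"),
    ("A-006", "analyst1", "2014-09-09 14:00", "2014-09-09 14:10", "false_positive"),
    ("A-007", "analyst3", "2014-09-10 09:00", None,               "open"),
    ("A-008", "analyst2", "2014-09-10 10:00", "2014-09-10 10:40", "escalated"),
]

# Constructed raw event counts per day from the log-management tier.
RAW_EVENTS = {"2014-09-08": 180_000_000, "2014-09-09": 172_000_000, "2014-09-10": 191_000_000}


def _minutes(opened, closed):
    return (datetime.strptime(closed, FMT) - datetime.strptime(opened, FMT)).total_seconds() / 60


def time_to_resolution(alerts=ALERTS):
    """Mean minutes from alert creation to closure, per analyst and overall.
    Open alerts are excluded because they have no resolution time yet."""
    per_analyst = defaultdict(list)
    for _, analyst, opened, closed, _ in alerts:
        if closed is not None:
            per_analyst[analyst].append(_minutes(opened, closed))
    result = {a: sum(v) / len(v) for a, v in per_analyst.items()}
    all_values = [m for v in per_analyst.values() for m in v]
    result["overall"] = sum(all_values) / len(all_values) if all_values else 0.0
    return result


def alerts_per_analyst_per_day(alerts=ALERTS):
    """Counts keyed by (analyst, day): the per-analyst workload the slide charts."""
    return Counter((analyst, opened[:10]) for _, analyst, opened, _, _ in alerts)


def funnel(alerts=ALERTS, raw_events=RAW_EVENTS):
    """Funnel report: how much of what came in survived each stage, plus the
    two numbers management asks about, backlog and false-positive rate."""
    closed = [a for a in alerts if a[3] is not None]
    escalated = [a for a in closed if a[4] in ("escalated", "incident")]
    incidents = [a for a in closed if a[4] == "incident"]
    false_positives = [a for a in closed if a[4] == "false_positive"]
    stages = {
        "raw_events": sum(raw_events.values()),
        "alerts": len(alerts),
        "triaged": len(closed),
        "escalated": len(escalated),
        "confirmed_incidents": len(incidents),
    }
    stages["open_backlog"] = stages["alerts"] - stages["triaged"]
    stages["false_positive_rate"] = len(false_positives) / len(closed) if closed else 0.0
    return stages


if __name__ == "__main__":
    print(time_to_resolution())
    print(dict(alerts_per_analyst_per_day()))
    print(funnel())
```

Tracking the false-positive rate alongside time to resolution matters: a falling resolution time is not an efficiency gain if it comes from closing alerts without looking at them, and the funnel makes that visible.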


Compliance SIEM alone does not make you compliant!


Filling in those check boxes

SIEM’s value toward compliance
• Helps secure the resources with the most risk
– Assets
– Applications
• Reduces reporting effort
– Decrease level of effort (LOE)
– Simplify and standardize
• Remember that compliance is the baseline, not what security should strive towards


Common mistakes Been there, someone else has done that! Always comes down to people, process, technology


People

People are the single greatest investment for an organization
• Training
• Care and feeding of a SIEM
• "Fulfilling 10 use cases in an afternoon" scenarios
• Who’s doing what?
– SOC Operations
– Engineering
– Content authoring
• Real Total Cost of Ownership

"To get something out of a tool you have to invest time, money and effort into people." – Bill Bradd, OTSIS, U.S. Census Bureau

"It's an investment in technology, but also people knowledgeable in maintaining and monitoring the system." – Bill Bradd, OTSIS, U.S. Census Bureau


Back to those darn use cases!

Process

Process is key!
• Recent data breaches show that technology isn’t effective if there isn’t a process in place
• Processes need to be closed loop
• Processes need to be measured and monitored

Failure to define your use cases should not be an option
• Failing to define them leads to the previous slide
• No definable success criteria
• No way to show value back to the organization
• Conduct value assessments on existing use cases

Document everything!


Technology

Right idea, wrong application
• SIEM layers
– Connector, agent, receiver, etc.
– Log management
– Real-time correlation

I’m giving her all she’s got!
• Storage
• Scaling – going vertical or horizontal

"Nobody has the perfect solution; these are complex problems and complex challenges." – Chris Petersen, CTO, LogRhythm

"Troubleshooting SIEM tools is generally no picnic, either." – Eugene Schultz, information security author


Parting thoughts: Baby steps! Use cases


Tonight’s party @ Newseum
Time: 7:00 – 10:00 pm
Shuttles run between the hotel’s Porte Cochere (Terrace Level, by registration) and the Newseum from 6:30 – 10:00 pm
Enjoy food, drinks, company, and a private concert by Counting Crows
Questions? Please visit the Info Desk by registration


Please fill out a survey. Hand it to the door monitor on your way out.

Thank you for providing your feedback, which helps us enhance content for future events.

Session TB3258 Speaker Keith Stover

Please give me your feedback


Thank you
