
Page 1: SIEM enabled risk management , SOC and GRC v1.0

SIEM Enabled Risk Management, SOC and GRC


Page 2: SIEM: A Single View of Your IT Security

• SIEM is about looking at what’s happening on your network through a larger lens than any one security control or information source can provide.

• Your Intrusion Detection only understands packets, protocols and IP addresses

• Your Endpoint Security sees files, usernames and hosts

• Your Service Logs show user logins, service activity and configuration changes

• Your Asset Management system sees apps, business processes and owners

• None of these, by itself, can tell you what is happening to *your business* in terms of securing the continuity of your business processes – but together, they can.

• SIEM is essentially nothing more than a management layer above your existing systems and security controls.

• It connects and unifies the information contained in your existing systems, allowing it to be analyzed and cross-referenced from a single interface

SAP Cloud Security

Page 3: SIEM based Risk Management

• SIEM is a foundation of security management in the 21st century, but by itself it delivers mostly post-exploit value: it tells you what has already happened

• A Risk Manager built on the SIEM gives a detailed assessment of network security risk using broad risk indicators such as:

• WHAT HAS HAPPENED? (from network activity data and behavior analysis)

• WHAT CAN HAPPEN? (from topology and configuration)

• WHAT HAS BEEN ATTEMPTED? (from events and content data)

• WHAT IS VULNERABLE AND AT RISK? (from scanners)


• Automated, real-time «Security Intelligence» is what GRC needs:

• Risk Assessment & Management

• IT Security Governance & Management

• Control of activities and environment

• Performance measurement and improvement

• Benefits from better alignment with business (costs saving, efficiency etc.)

Page 4: SIEM – 8 Critical Things – At a glance

Page 5: Logs, flows, maze

• What logs –

• Audit logs

• Transaction logs

• Intrusion logs

• Connection logs

• System performance records

• User activity logs

• Business systems alerts and different other systems messages

• From where –

• Firewalls / Intrusion prevention

• Routers / Switches

• Intrusion detection

• Servers, desktops, mainframes

• Business applications

• Databases

• Antivirus software

• VPNs

Page 6: SIEM based Risk Management

• Assessing the risks =

• Log management +

• Event management +

• Network activity monitoring +

• Configuration +

• Most successful attacks are the result of poor configuration

• Configuration audits are expensive, labor intensive and time consuming

• Config files are inconsistent across vendors and product / technology types

• Compliance is mandatory in many industries

• Vulnerability Assessment +

• VA scanners don’t prioritize based on network context

• Vulnerability prioritization is historically complex
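The way the four indicators from page 3 (what is vulnerable, what can happen, what has been attempted, what has happened) combine to rank scanner findings by network context, as an added example that is not part of the original deck and is not any vendor's product logic. All findings, CVSS values, firewall rules, assets and IDS events are constructed sample data; the exposure factors, the probe addresses and the scoring formula are assumptions chosen for illustration.

```python
"""Vulnerability prioritization with network context (added example).

A scanner alone would rank the CVSS 9.8 finding first. Adding topology
(which ports the firewall actually exposes), observed attack attempts
and asset criticality moves an internet-facing, actively probed
CVSS 7.5 finding on a critical system ahead of it.
"""
import ipaddress

# Constructed scanner findings (CVSS values are illustrative, not real CVEs).
FINDINGS = [
    {"host": "10.0.1.10", "port": 443, "title": "RCE in web front end", "cvss": 7.5},
    {"host": "10.0.3.40", "port": 22, "title": "RCE in SSH service", "cvss": 9.8},
    {"host": "10.0.1.10", "port": 8080, "title": "Info disclosure in admin console", "cvss": 5.3},
]
# Constructed firewall policy: ordered, first match wins, implicit deny.
RULES = [
    {"src": "any", "dst": "10.0.1.10", "port": 443, "action": "allow"},
    {"src": "10.0.0.0/8", "dst": "10.0.3.40", "port": 22, "action": "allow"},
    {"src": "any", "dst": "any", "port": "any", "action": "deny"},
]
# Constructed asset inventory: business application and criticality (1-3).
ASSETS = {
    "10.0.1.10": {"app": "Customer portal", "criticality": 3},
    "10.0.3.40": {"app": "Build server", "criticality": 2},
}
# Constructed IDS events: what has been attempted against each service.
IDS_EVENTS = [
    {"dst": "10.0.1.10", "port": 443, "sig": "Web application exploit attempt"},
    {"dst": "10.0.1.10", "port": 443, "sig": "Web application exploit attempt"},
]
INTERNET_PROBE = "198.51.100.7"  # assumed external source (RFC 5737 range)
INTERNAL_PROBE = "10.0.9.9"      # assumed internal source
EXPOSURE_FACTOR = {"internet": 1.0, "internal": 0.4, "blocked": 0.1}  # assumption


def rule_matches(rule, src_ip, dst_ip, port):
    """Match one rule against a (src, dst, port) tuple; 'any' wildcards."""
    if rule["src"] != "any" and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["src"]):
        return False
    if rule["dst"] != "any" and rule["dst"] != dst_ip:
        return False
    if rule["port"] != "any" and rule["port"] != port:
        return False
    return True


def allowed(rules, src_ip, dst_ip, port):
    """First-match policy evaluation with an implicit default deny."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip, port):
            return rule["action"] == "allow"
    return False


def exposure(rules, dst_ip, port):
    """WHAT CAN HAPPEN: is the vulnerable service reachable, and from where?"""
    if allowed(rules, INTERNET_PROBE, dst_ip, port):
        return "internet"
    if allowed(rules, INTERNAL_PROBE, dst_ip, port):
        return "internal"
    return "blocked"


def score(finding, rules, assets, ids_events):
    """Combine scanner severity, reachability, criticality and attempts."""
    exp = exposure(rules, finding["host"], finding["port"])
    crit = assets.get(finding["host"], {}).get("criticality", 1)
    attempts = sum(1 for e in ids_events
                   if e["dst"] == finding["host"] and e["port"] == finding["port"])
    # Assumed formula: each observed attempt (capped at 4) adds 25% to the risk.
    value = finding["cvss"] * EXPOSURE_FACTOR[exp] * crit * (1 + 0.25 * min(attempts, 4))
    return {**finding, "exposure": exp, "attempts": attempts, "risk": round(value, 2)}


def rank(findings=FINDINGS, rules=RULES, assets=ASSETS, ids_events=IDS_EVENTS):
    """Return findings ordered by contextual risk, highest first."""
    return sorted((score(f, rules, assets, ids_events) for f in findings),
                  key=lambda s: s["risk"], reverse=True)


if __name__ == "__main__":
    for entry in rank():
        print(f'{entry["risk"]:>6}  {entry["exposure"]:<8} attempts={entry["attempts"]}  '
              f'CVSS {entry["cvss"]}  {entry["title"]} ({entry["host"]}:{entry["port"]})')
```

The blocked admin-console finding drops to the bottom even though a scanner on the inside network still reports it; the SSH finding keeps a high raw CVSS but only internal reachability and no observed attempts, so it ranks below the exposed, probed portal.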

Page 7: Legal

Compliance and Laws

• EU Data Protection /WP29

• US Data Protection

• COPPA, HIPAA, SOX, Safe Harbor

• Usage and Purpose of Collection

• Conflicts

• EU-US Data transfer

• Encryption or not

• Trade Compliance

• Business need vs. Personal need

• Information Asymmetry

• Privacy Policies

• Secondary Data Collection

• Opt-in and Opt-out

• Defaults

• Necessity

• Tracking

• Browser Cookies

• Data transfers

• Data retention

Page 8: What is SOC – Security Operations Center

• Providing Security Intelligence by

• Detection of IT threats

• Containment of IT threats

• Remediation of IT threats

• Monitors applications to identify possible cyber attacks (events)

• Real time Monitoring

• Log Collection, Analysis

• Reporting/Custom Views

• Post Incident Analysis

• Forensics

• Investigation

• Automatic Remediation

• Central location to collect information on

• External threats

• Internal Threats

• User activity

• Loss of Personal or sensitive data

• Provide evidence in investigations

Page 9: Isn't a firewall, IDS or AV enough?

• Firewall is active and known by attackers

• Protects systems, not users

• Anti-Virus

• Lag time to catch new threats

• Matches files, but not patterns

• IDS alerts but does not provide context

• System Logs

• Proxy Logs

• DNS Logs

• Information from other sources
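The cross-referencing described on page 2 (intrusion detection, endpoint security, service logs and asset management seen through one lens) and the context an IDS alert lacks on this slide (system, proxy and DNS logs), as an added example that is not part of the original deck: a bare IDS alert on an IP address is joined to DNS, proxy and endpoint records within a time window and then mapped through the asset inventory to a host, a user, a business process and an owner. All log lines, the key=value log format, the addresses and the asset table are constructed for the example.

```python
"""Cross-source correlation of an IDS alert (added example).

Each source is normalized onto a common schema (timestamp, src_ip,
dst_ip, host, user), joined to the alert by IP, host and time window,
and enriched with business context from the asset inventory.
"""
import re
from datetime import datetime, timedelta

# Constructed sample logs in a simple key=value format; the public
# address is from the RFC 5737 documentation range.
IDS_LOG = [
    'ts=2024-03-01T10:00:05Z src=10.0.2.15 dst=203.0.113.45 '
    'sig="Outbound connection to known C2 address"',
]
DNS_LOG = [
    'ts=2024-03-01T10:00:01Z client=10.0.2.15 qname=update-check.example answer=203.0.113.45',
    'ts=2024-03-01T09:10:00Z client=10.0.2.20 qname=intranet.example answer=10.0.1.5',
]
PROXY_LOG = [
    'ts=2024-03-01T10:00:03Z src=10.0.2.15 user=jdoe url="http://update-check.example/x" status=200',
]
ENDPOINT_LOG = [
    'ts=2024-03-01T09:59:58Z host=fin-ws-07 user=jdoe process=powershell.exe parent=winword.exe',
]
# Constructed asset inventory: IP -> host, business application, owner, criticality.
ASSETS = {
    "10.0.2.15": {"host": "fin-ws-07", "app": "Payroll", "owner": "Finance", "criticality": "high"},
    "10.0.2.20": {"host": "it-ws-02", "app": "Helpdesk", "owner": "IT", "criticality": "low"},
}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Parse 'k=v k2="v with spaces"' into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def normalize(source, line):
    """Map each source's own field names onto one common schema."""
    d = parse_kv(line)
    ev = {"source": source, "ts": parse_ts(d["ts"]), "raw": d}
    if source == "ids":
        ev.update(src_ip=d["src"], dst_ip=d["dst"])
    elif source == "dns":
        ev.update(src_ip=d["client"], dst_ip=d["answer"])
    elif source == "proxy":
        ev.update(src_ip=d["src"], user=d["user"])
    elif source == "endpoint":
        ev.update(host=d["host"], user=d["user"])
    return ev


def correlate(alert, events, assets, window=timedelta(seconds=60)):
    """Join an IDS alert to other sources by IP, host and time, then
    attach the business context the IDS itself cannot see."""
    asset = assets.get(alert["src_ip"], {})
    host = asset.get("host")
    related = []
    for ev in events:
        if ev is alert or abs(ev["ts"] - alert["ts"]) > window:
            continue
        same_ip = ev.get("src_ip") == alert["src_ip"] or ev.get("dst_ip") == alert["dst_ip"]
        same_host = host is not None and ev.get("host") == host
        if same_ip or same_host:
            related.append(ev)
    return {
        "alert": alert["raw"]["sig"],
        "host": host,
        "users": sorted({ev["user"] for ev in related if ev.get("user")}),
        "business_process": asset.get("app"),
        "owner": asset.get("owner"),
        "criticality": asset.get("criticality"),
        "related_sources": sorted({ev["source"] for ev in related}),
        "evidence": [ev["raw"] for ev in related],
    }


def build_incident():
    """Normalize all constructed sources and correlate the single IDS alert."""
    events = ([normalize("ids", line) for line in IDS_LOG]
              + [normalize("dns", line) for line in DNS_LOG]
              + [normalize("proxy", line) for line in PROXY_LOG]
              + [normalize("endpoint", line) for line in ENDPOINT_LOG])
    alert = next(ev for ev in events if ev["source"] == "ids")
    return correlate(alert, events, ASSETS)


if __name__ == "__main__":
    import json
    print(json.dumps(build_incident(), indent=2))
```

The IDS only knows that 10.0.2.15 talked to 203.0.113.45; after the join the analyst sees that the Payroll workstation fin-ws-07, owned by Finance, resolved the destination by name, fetched a URL from it as user jdoe, and had started PowerShell from a Word process seconds earlier. The second DNS record is outside the window and for a different client, so it is correctly left out.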

Page 10: IBM QRadar Solution Portfolio and vision

Page 11: SIEM based Risk Management

Page 12: Sample Security Governance Model

Page 13: Q & A