Supercharging SIEM with Change & Configuration Data

DESCRIPTION

Most organizations capture log data that could indicate a breach occurred. Yet not a single breach investigated in the Verizon 2011 Data Breach Investigations Report was detected through log analysis or review. Learn how adding Tripwire Enterprise change and configuration data makes all the difference in detecting critical events.

Page 1: Supercharging SIEM with Change & Configuration Data

Supercharging SIEM with Change & Configuration Data

Page 2

Supercharging SIEM with Change & Configuration Data

Jason Iler, Ed Rarick

Page 3

IT SECURITY & COMPLIANCE AUTOMATION

More Data. Fewer Results.

Existing approaches are falling short. 0%: Log analysis/review discovered no breaches (2011).

Page 4

More Data. Fewer Results. Change is Needed!

Limited Value: existing technology isn’t providing expected ROI, is too expensive and complex, and only delivers data.

Page 5

Problem: Data Deluge

Data sources: Vulnerability Assessment, Switches & Routers, Firewalls, IDS & IPS, Databases, Applications.

Too much data! All of one type!

Page 6

Result: It Takes Too Long To Find Trouble

Page 7

Result: Time-to-Find Means Trouble for Everyone!

COMPLIANCE: Project Delays, Labor Intensive, Failed Audits

SECURITY: Branding, $$$$, Compromise

Page 8

Result: Trouble for Everyone, Including Ops!

COMPLIANCE: Project Delays, Labor Intensive, Failed Audits

SECURITY: Branding, $$$$, Compromise

OPERATIONS: Budget Pressure, Unplanned Work, Longer MTTR

Page 9

0%: Log analysis/review discovered no breaches

Capturing Data… Is Not The Same As Knowing When Something Bad Just Happened!

Page 10

Log Analysis & SIEM Alerts Lack “Context of Change”

• Login successful
• 10 failed logins
• FTP Enabled
• Host not generating events
• Windows event log cleared

Were undesired changes made? Who made them? Was compliance level lowered? Did changes enable SIEM events? Or enable other events?

Page 11

Log Analysis & SIEM Alerts Lack “Context of Change”

• Login successful
• 10 failed logins
• FTP Enabled
• Logging turned off
• Host not generating events
• Windows event log cleared
• Policy test fails

Page 12

Simple Change Detection Is Not Adequate

Raw Log Data → Detect Change, Good & Bad → Report Change, Good & Bad

No Intelligence. No Context. No Security. Just Data!

Page 13

Change Intelligence Provides Essential “Context”

Raw Log Data → Detect Change, Good & Bad → Dynamic Analysis → Changes of Interest → Report & Alert

Configuration Policy Failures + Change Policy Failures + Change Authorization Failures = Changes of Interest!

Page 14

Change + SIEM Provides Much Needed Clarity

• 10 failed logins
• Logging turned off
• Host not generating events
• Windows event log cleared
• Login successful
• Policy test fails
• FTP Enabled

Changes of Interest correlated with Log Events of Interest turn Raw Data into timely, actionable Information.

Page 15

Event Integration Framework process (diagram)

Page 16

What Does This Give Us?

• Enriches Change Audit data by sending User Audit data to TLC. Example: File ‘Sales_Forecast_2011.xls’ was changed on node ‘PROD_FINANCE’ by Ed Rarick.
• Offers summarized changes by severity to provide greater manageability of data by operational teams. Example: There were 15 Medium Severity Changes on node ‘PROD_DC1’.
• Can send compliance test result data to TLC. Example: Node ‘PROD_DC1’ had an additional 2 tests fail from policy ‘PCI 2.1’ after the last scan. 15 tests passed and 30 failed.
• Can send compliance scoring data to TLC. Example: Node ‘PROD_DC1’ decreased its score by 2.53 on policy ‘PCI 2.1’ after the last scan.
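The deck states the idea in three pieces: page 13 defines a change of interest as a configuration policy failure, a change policy failure or a change authorization failure; page 14 says those changes become actionable when correlated with log events of interest on the same host; page 16 lists the enriched messages (file, node, user; counts by severity; test and score deltas between scans). The following Python is an added illustration of that pipeline written for this page, not Tripwire Enterprise or TLC code. The change records, log events, the 08:00-18:00 change window used as the change policy, and the ±10-minute correlation window are all constructed assumptions; node names echo the deck's examples and the scan numbers are chosen to reproduce page 16's figures.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data: change-audit records already joined with the user
# who made the change, plus SIEM log events from the same nodes.
CHANGES = [
    {"ts": "2011-06-01T02:10:00", "node": "PROD_DC1", "user": "svc_backup", "severity": "High",
     "path": "C:\\Windows\\System32\\inetsrv\\config\\applicationHost.config",
     "config_policy_fail": True, "authorized": False},
    {"ts": "2011-06-01T02:12:00", "node": "PROD_DC1", "user": "svc_backup", "severity": "High",
     "path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security",
     "config_policy_fail": True, "authorized": False},
    {"ts": "2011-06-01T09:00:00", "node": "PROD_FINANCE", "user": "Ed Rarick", "severity": "Medium",
     "path": "Sales_Forecast_2011.xls", "config_policy_fail": False, "authorized": True},
    {"ts": "2011-06-01T10:00:00", "node": "PROD_DC1", "user": "ops_admin", "severity": "Low",
     "path": "C:\\Windows\\System32\\drivers\\etc\\hosts", "config_policy_fail": False, "authorized": True},
]
LOG_EVENTS = [
    {"ts": "2011-06-01T02:05:00", "node": "PROD_DC1", "event": "10 failed logins"},
    {"ts": "2011-06-01T02:08:00", "node": "PROD_DC1", "event": "Login successful"},
    {"ts": "2011-06-01T02:11:00", "node": "PROD_DC1", "event": "FTP Enabled"},
    {"ts": "2011-06-01T02:13:00", "node": "PROD_DC1", "event": "Windows event log cleared"},
    {"ts": "2011-06-01T09:30:00", "node": "PROD_FINANCE", "event": "Login successful"},
]
# Assumed change policy: changes are only expected inside the 08:00-18:00 window.
CHANGE_WINDOW_HOURS = (8, 18)


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def fails_change_policy(change):
    hour = parse_ts(change["ts"]).hour
    return not (CHANGE_WINDOW_HOURS[0] <= hour < CHANGE_WINDOW_HOURS[1])


def changes_of_interest(changes):
    """Page 13's rule. Returns (change, reasons) pairs; authorized, in-window,
    policy-clean changes are dropped so they never reach the SIEM as noise."""
    result = []
    for c in changes:
        reasons = []
        if c["config_policy_fail"]:
            reasons.append("configuration policy failure")
        if fails_change_policy(c):
            reasons.append("change policy failure")
        if not c["authorized"]:
            reasons.append("change authorization failure")
        if reasons:
            result.append((c, reasons))
    return result


def correlate(changes, events, window=timedelta(minutes=10)):
    """Page 14: attach the log events seen on the same node within +/- window
    to each change of interest, with the page 16 style file/node/user text."""
    alerts = []
    for change, reasons in changes_of_interest(changes):
        t = parse_ts(change["ts"])
        related = [e["event"] for e in events
                   if e["node"] == change["node"] and abs(parse_ts(e["ts"]) - t) <= window]
        alerts.append({"node": change["node"], "user": change["user"], "path": change["path"],
                       "reasons": reasons, "events": related,
                       "message": (f"File '{change['path']}' was changed on node "
                                   f"'{change['node']}' by {change['user']}")})
    return alerts


def summarize_by_severity(changes):
    """Page 16: per-node change counts by severity for the operations view."""
    counts = Counter((c["node"], c["severity"]) for c in changes)
    return [f"There were {n} {sev} Severity Changes on node '{node}'"
            for (node, sev), n in sorted(counts.items())]


def compliance_delta(node, policy, previous, current):
    """Page 16: compare two scans ({'passed', 'failed', 'score'}) of one policy
    and report newly failing tests and any score drop."""
    messages = []
    extra = current["failed"] - previous["failed"]
    if extra > 0:
        messages.append(f"Node '{node}' had an additional {extra} tests fail from policy "
                        f"'{policy}' after the last scan. {current['passed']} tests passed "
                        f"and {current['failed']} failed.")
    drop = previous["score"] - current["score"]
    if drop > 0:
        messages.append(f"Node '{node}' decreased its score by {drop:.2f} "
                        f"on policy '{policy}' after the last scan.")
    return messages


if __name__ == "__main__":
    for a in correlate(CHANGES, LOG_EVENTS):
        print(a["message"], "|", ", ".join(a["reasons"]), "|", a["events"])
    print(*summarize_by_severity(CHANGES), sep="\n")
    print(*compliance_delta("PROD_DC1", "PCI 2.1", {"passed": 17, "failed": 28, "score": 80.0},
                            {"passed": 15, "failed": 30, "score": 77.47}), sep="\n")
```

Run as a script, the two night-time PROD_DC1 changes come out with all three reasons and the surrounding failed logins, FTP enablement and event-log clearing attached, while the authorized daytime edits on PROD_FINANCE and PROD_DC1 produce no alert at all; that filtering, not the volume of data, is the deck's point.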

Page 17

Enforce IT Process. Increase Security. Maintain Compliance.

Assess & Achieve, then Maintain:
• Non-stop monitoring & collection
• Dynamic analysis to find suspicious activities
• Alert on impact to policy
• Remediate options to speed remedy

Chart: Desired State over Time

Page 18

Answers For Your Questions