Transcript of Accel Ops Csobc Sans Webcast 090210.Ppt
© 2010 AccelOps, Inc. September 2, 2010
SANS “ASK THE EXPERT”
Process, Metrics and Technologies
Sponsors: AccelOps, Inc.
CSO Breakfast Club
Putting the Top 10 SIEM Best Practices To Work
Also visit: WWW.ACCELOPS.NET/SIEMtop10.php
Roundtable Participants
Bill Sieglein, President, CSO Breakfast Club
Dr. Anton Chuvakin, Author/Blog @ Security Warrior
Tim Mather, CISSP, CISM I4, former Chief Security Strategist at RSA, former CSO Symantec
Randolph Barr, CISSP, CSO Qualys, former CSO at WebEx Comm.
Jamie Sanbower, CISSP, Cyber Security Director @ Force3
Scott Gordon, CISSP, Vice President, AccelOps
(c) 2010 AccelOps- Putting the Top 10 SIEM Best Practices To Work 09.02.10 2
What is a SIEM? (rhetorical)
A solution that aggregates, normalizes, filters, correlates and manages security and other operational event / log data to monitor, alert, report, analyze and manage security and compliance-relevant information.
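The definition above lists the stages a SIEM runs every event through. The following is an added example, not code from the webcast or from AccelOps, that walks constructed log lines through those stages in miniature: aggregation of two sources into one stream, normalization onto a common schema, a filter that drops routine traffic, a correlation rule (repeated failed logins followed by a success from the same source), and a report of the result. The sshd lines follow the standard OpenSSH syslog format; the pipe-delimited firewall export and the schema field names (ts, src_ip, user, action, outcome) are assumptions.

```python
"""Toy SIEM pipeline: aggregate -> normalize -> filter -> correlate -> report.

Added example, not code from the AccelOps webcast. The log lines are
constructed samples in two formats (Linux sshd syslog and an assumed
pipe-delimited firewall export); the common schema field names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Aggregation: events from two sources land in one stream (constructed data).
RAW_EVENTS = [
    ("sshd", "Sep  2 09:00:01 host1 sshd[2011]: Failed password for root from 203.0.113.7 port 51022 ssh2"),
    ("fw", "2010-09-02T09:00:02|ALLOW|203.0.113.7|10.0.0.5|22"),
    ("sshd", "Sep  2 09:00:05 host1 sshd[2011]: Failed password for root from 203.0.113.7 port 51023 ssh2"),
    ("sshd", "Sep  2 09:00:09 host1 sshd[2011]: Failed password for admin from 203.0.113.7 port 51024 ssh2"),
    ("sshd", "Sep  2 09:00:15 host1 sshd[2012]: Accepted password for admin from 203.0.113.7 port 51025 ssh2"),
    ("sshd", "Sep  2 09:30:00 host1 sshd[2099]: Failed password for bob from 198.51.100.9 port 40000 ssh2"),
    ("fw", "2010-09-02T09:30:01|DENY|198.51.100.9|10.0.0.5|23"),
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)"
)


def normalize(source, line, year=2010):
    """Map one raw line onto the common schema; return None if it cannot be parsed."""
    if source == "sshd":
        m = SSHD_RE.match(line)
        if not m:
            return None
        # syslog lines carry no year, so the collector has to supply it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "src_ip": m["src"], "user": m["user"], "action": "login",
                "outcome": "success" if m["outcome"] == "Accepted" else "failure",
                "source": source}
    if source == "fw":
        ts, verdict, src, dst, port = line.split("|")
        return {"ts": datetime.fromisoformat(ts), "src_ip": src, "user": None,
                "action": f"connect:{dst}:{port}",
                "outcome": "success" if verdict == "ALLOW" else "failure",
                "source": source}
    return None


def keep(event):
    """Filter: retain authentication events and denied connections, drop routine allows."""
    return event["action"] == "login" or event["outcome"] == "failure"


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: at least `threshold` failed logins from one source, then a success inside `window`."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "login":
            by_src[e["src_ip"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = []
        for e in evs:
            # forget failures that fell out of the window relative to this event
            failures = [f for f in failures if e["ts"] - f["ts"] <= window]
            if e["outcome"] == "failure":
                failures.append(e)
            elif len(failures) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "src_ip": src,
                               "user": e["user"], "failures": len(failures), "ts": e["ts"]})
                failures = []
    return alerts


def run_pipeline(raw=RAW_EVENTS):
    """Run the stages end to end and return counts plus alerts for reporting."""
    normalized = [n for n in (normalize(s, l) for s, l in raw) if n]
    retained = [e for e in normalized if keep(e)]
    alerts = correlate(retained)
    return {"normalized": len(normalized), "retained": len(retained), "alerts": alerts}


if __name__ == "__main__":
    result = run_pipeline()
    print(f"normalized={result['normalized']} retained={result['retained']}")
    for a in result["alerts"]:
        print(f"ALERT {a['rule']} src={a['src_ip']} user={a['user']} "
              f"failures={a['failures']} at {a['ts']}")
```

On the constructed data the pipeline normalizes all seven lines, retains six after filtering (the allowed firewall connection is dropped), and raises one alert for 203.0.113.7, where three failures precede a successful login as admin within fourteen seconds; the single failure from 198.51.100.9 stays below the threshold. The point the definition makes is visible here: the correlation rule only works because normalization first gave both sources the same field names and the same timestamp type.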
Ask the Experts:
Send us your questions… Chat: to moderators; Tweet: Top10SIEMbpract; Email: [email protected]
Monitoring and Reporting Requirements
Establish key monitoring and reporting requirements prior to deployment, including objective, targets, compliance controls, implementation and workflow.
Ask the Experts:
Infrastructure audit activations
Determine the scope of implementation, infrastructure audit targets, necessary credentials and verbosity, activation phases and activation.
Ask the Experts:
Audit data requirements
Identify and assure adherence to audit data requirements including accessibility, integrity, retention, evidentiary requisites, disposal and storage considerations.
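Two of the requirements named above, integrity and retention, can be checked mechanically rather than by policy alone. The following is an added example, not code from the webcast or from AccelOps, of a tamper-evident audit store: each stored entry carries a SHA-256 hash over the previous entry's hash and its own record, so editing, inserting or deleting a record in the middle of the log breaks verification at that point, and a retention check separates records still inside the policy window from those eligible for disposal. The records and the schema (ts, user, action, target) are constructed assumptions.

```python
"""Tamper-evident audit log with a retention check.

Added example, not code from the AccelOps webcast. Each stored entry is
chained to its predecessor with SHA-256 so that a modified, inserted or
deleted record breaks verification; retention is an age test against a
policy expressed in days. All records below are constructed samples and the
record schema is an assumption.
"""
import hashlib
import json
from datetime import datetime, timedelta

GENESIS = "0" * 64  # previous-hash value used for the first entry

# Constructed audit records; the first predates a one-year retention window.
SAMPLE_RECORDS = [
    {"ts": "2009-06-01T08:00:00", "user": "alice", "action": "read", "target": "/finance/q1.xls"},
    {"ts": "2010-08-30T17:45:10", "user": "bob", "action": "modify", "target": "/etc/sudoers"},
    {"ts": "2010-09-01T12:00:00", "user": "carol", "action": "login", "target": "vpn-gw1"},
]


def _canonical(record):
    """Stable byte encoding so the hash does not depend on dict key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _link_hash(prev_hash, record):
    return hashlib.sha256(prev_hash.encode() + _canonical(record)).hexdigest()


def append_record(chain, record):
    """Append a record, linking it to the hash of the previous entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": dict(record), "prev": prev, "hash": _link_hash(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Return (True, None) if every link is intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _link_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, None


def retention_status(chain, now_iso, retain_days):
    """Split entries into those inside the retention window and those eligible for disposal."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retain_days)
    keep, dispose = [], []
    for entry in chain:
        ts = datetime.fromisoformat(entry["record"]["ts"])
        (dispose if ts < cutoff else keep).append(entry)
    return keep, dispose


def build_sample_chain():
    """Build a fresh chain from the constructed records."""
    chain = []
    for rec in SAMPLE_RECORDS:
        append_record(chain, rec)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    chain[1]["record"]["user"] = "mallory"  # simulate after-the-fact editing of a record
    print("after tamper:", verify_chain(chain))
    keep, dispose = retention_status(build_sample_chain(), "2010-09-02T00:00:00", 365)
    print(f"retained={len(keep)} disposable={len(dispose)}")
```

One caveat worth knowing before relying on this: the chain detects changes and deletions in the middle, but removing entries from the tail leaves a shorter chain that still verifies. For the evidentiary use the slide mentions, the head hash (or the entry count) must therefore be anchored somewhere the log writer cannot alter, such as a periodically signed checkpoint or a copy on a separate system.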
Ask the Experts:
Access Controls
Monitor, respond to and report on key status, violations and anomalous access to critical resources.
Ask the Experts:
Perimeter Defenses
Monitor, respond to and report on key status, configuration changes, violations/attacks and anomalous activity associated with perimeter defenses.
Ask the Experts:
Network and host defenses
Monitor, respond to and report on key status, configuration changes, violations/attacks and anomalous activity associated with internal network and host defenses.
Ask the Experts:
Network and system resource integrity
Monitor, respond to and report on key status, configuration changes, patches, vulnerabilities, threats and anomalous activity affecting network and system resources.
Ask the Experts:
Malware Control
Monitor, respond to and report on key status, threats, issues, violations and activity supporting malware controls.
Ask the Experts:
Access management and acceptable use
Monitor, respond to and report on key status, configuration changes, violations and anomalous activity affecting access management, user management and acceptable use of resources.
Ask the Experts:
Application defenses
Monitor, respond to and report on key status, configuration changes, violations and anomalous activity with regard to web, database and other application defenses.
Ask the Experts:
Webcast Sponsor:
Single pane of glass – Intelligence at your fingertips
End-to-end visibility – service, performance, availability, security, change and compliance management
SOC/NOC convergence – extensive operational visibility
Efficiency – proactive monitoring, expedited root-cause analysis, flexible search/reporting
Value – easy to use, implement and scale with rich feature set
Virtual Appliance or SaaS – out of the box use and readily scale
Challenges Integrated Data Center Monitoring
Complex Threats and Environment
Monitoring, Search & Reporting Scope
Implementation and Scale Difficulty
Timely & Extensive Device Support
IT Service Awareness & Priority
Budget for Isolated Security Tools
In Conclusion
Map your requirements: output, audience, functional
Scope implementation: size, deployment, activation
Determine operating norms: what will you do with the information, incident workflow, escalation…
One size does not fit all: dovetail your infosec policy with the best practices that work best for your organization
For more detailed and on-going contribution to SIEM best practices visit: www.accelops.net/SIEMtop10.php
Ask the Experts:
For a more extensive, on-going set of Top 10 SIEM Best Practices visit: WWW.ACCELOPS.NET/SIEMtop10.php
Released under a Creative Commons 3.0 Attribution license: http://creativecommons.org/licenses/by/3.0/
Thanks to content contribution from:
Scott Gordon, CISSP
Dr. Anton Chuvakin
Tim Mather, CISSP, CISM
SANS.org in reference to… Top Cyber Security Risks, 20 Critical Security Controls
April Russo (number graphics)
Randolph Barr, CISSP
Jamie Sanbower, CISSP
Bill Sieglein, CISSP