Accel Ops Csobc Sans Webcast 090210.Ppt

SANS webcast on SIEM Best Practices

Page 1

© 2010 AccelOps, Inc. September 2, 2010

SANS “ASK THE EXPERT”

Process, Metrics and Technologies

Sponsors: AccelOps, Inc.

CSO Breakfast Club

Putting the Top 10 SIEM Best Practices To Work

Also visit: WWW.ACCELOPS.NET/SIEMtop10.php

Page 2

Roundtable Participants

Bill Sieglein - President, CSO Breakfast Club
Dr. Anton Chuvakin - Author/Blog @ Security Warrior
Tim Mather CISSP, CISM - I4, former Chief Security Strategist at RSA, former CSO Symantec
Randolph Barr, CISSP - CSO Qualys, former CSO at WebEx Comm.
Jamie Sanbower, CISSP - Cyber Security Director @ Force3
Scott Gordon CISSP - Vice President, AccelOps

(c) 2010 AccelOps- Putting the Top 10 SIEM Best Practices To Work 09.02.10 2

Page 3

What is a SIEM? (rhetorical)

A solution that aggregates, normalizes, filters, correlates and manages security and other operational event / log data to monitor, alert, report, analyze and manage security and compliance-relevant information.
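The aggregate / normalize / filter / correlate chain in that definition, and the "anomalous access to critical resources" alerting called for on the Access Controls slide, in one small worked example. This is added illustration code, not AccelOps code: the log lines, host names, field schema and thresholds are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events from two sources (not real logs).
SYSLOG = [
    "2010-09-02T09:00:01 db01 sshd[411]: Failed password for admin from 10.0.0.7 port 51000 ssh2",
    "2010-09-02T09:00:04 db01 sshd[411]: Failed password for admin from 10.0.0.7 port 51001 ssh2",
    "2010-09-02T09:00:09 db01 sshd[412]: Accepted password for admin from 10.0.0.7 port 51002 ssh2",
    "2010-09-02T09:05:00 web02 sshd[77]: Failed password for bob from 10.0.0.9 port 4000 ssh2",
]
WINLOG = [  # constructed CSV export: ts,host,event_id,user,src
    "2010-09-02T09:01:00,fs01,4625,alice,10.0.0.8",   # 4625 = failed logon
    "2010-09-02T09:01:30,fs01,4624,alice,10.0.0.8",   # 4624 = successful logon
]
CRITICAL = {"db01", "fs01"}  # assumed list of critical resources

SSH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")

def normalize(line, source):
    """Normalize: map a raw line to the common schema {ts, host, user, src, outcome}.
    Returns None for lines that do not parse (they are filtered out)."""
    if source == "syslog":
        m = SSH_RE.match(line)
        if not m:
            return None
        ts, host, res, user, src = m.groups()
        outcome = "success" if res == "Accepted" else "failure"
    else:
        ts, host, eid, user, src = line.split(",")
        outcome = {"4624": "success", "4625": "failure"}.get(eid)
        if outcome is None:
            return None
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "src": src, "outcome": outcome}

def correlate(events, threshold=2, window_s=300):
    """Correlate: alert when a success on a critical host follows >= threshold
    failures for the same (host, user) inside window_s seconds."""
    failures, alerts = defaultdict(list), []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["host"], e["user"])
        if e["outcome"] == "failure":
            failures[key].append(e["ts"])
        elif e["host"] in CRITICAL:
            recent = [t for t in failures[key] if (e["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                alerts.append(f"{e['host']}: {e['user']} from {e['src']} succeeded after {len(recent)} failures")
            failures[key].clear()
    return alerts

def run():
    """Aggregate both sources, drop unparseable lines, run the correlation."""
    events = [normalize(l, "syslog") for l in SYSLOG] + [normalize(l, "winlog") for l in WINLOG]
    return correlate([e for e in events if e])
```

With the constructed input only the db01/admin sequence trips the rule; alice's single failure on fs01 stays below the threshold, which is the kind of tuning decision the "operating norms" slide asks you to settle before go-live.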

Ask the Experts:

Send us your questions: chat to the moderators, tweet Top10SIEMbpract, or email [email protected]

Page 4

Monitoring and Reporting Requirements

Establish key monitoring and reporting requirements prior to deployment, including objective, targets, compliance controls, implementation and workflow.

Page 5

Infrastructure audit activations

Determine the scope of implementation, infrastructure audit targets, necessary credentials and verbosity, activation phases and activation.

Page 6

Audit data requirements

Identify and assure adherence to audit data requirements including accessibility, integrity, retention, evidentiary requisites, disposal and storage considerations.

Page 7

Access Controls

Monitor, respond to and report on key status, violations and anomalous access to critical resources.

Page 8

Perimeter Defenses

Monitor, respond to and report on key status, configuration changes, violations/attacks and anomalous activity associated with perimeter defenses.

Page 9

Network and host defenses

Monitor, respond to and report on key status, configuration changes, violations/attacks and anomalous activity associated with internal network and host defenses.

Page 10

Network and system resource integrity

Monitor, respond to and report on key status, configuration changes, patches, vulnerabilities, threats and anomalous activity affecting network and system resources.

Page 11

Malware Control

Monitor, respond to and report on key status, threats, issues, violations and activity supporting malware controls.

Page 12

Access management and acceptable use

Monitor, respond to and report on key status, configuration changes, violations and anomalous activity affecting access management, user management and acceptable use of resources.

Page 13

Application defenses

Monitor, respond to and report on key status, configuration changes, violations and anomalous activity with regard to web, database and other application defenses.

Page 14

Webcast Sponsor:

Integrated Data Center Monitoring

Single pane of glass – intelligence at your fingertips
End-to-end visibility – service, performance, availability, security, change and compliance management
SOC/NOC convergence – extensive operational visibility
Efficiency – proactive monitoring, expedited root-cause analysis, flexible search/reporting
Value – easy to use, implement and scale with rich feature set
Virtual Appliance or SaaS – out of the box use and readily scale

Challenges

Complex Threats and Environment
Monitoring, Search & Reporting Scope
Implementation and Scale Difficulty
Timely & Extensive Device Support
IT Service Awareness & Priority
Budget for Isolated Security Tools

Page 15

In Conclusion

Map your requirements: output, audience, functional
Scope implementation: size, deployment, activation
Determine operating norms: what will you do with the information, incident workflow, escalation…
One size does not fit all; dovetail your infosec policy with the best practices that work best for your organization
For more detailed and on-going contribution to SIEM best practices visit: www.accelops.net/SIEMtop10.php

Page 16

For a more extensive, on-going set of Top 10 SIEM Best Practices visit: WWW.ACCELOPS.NET/SIEMtop10.php

Released under a Creative Commons 3.0 Attribution license: http://creativecommons.org/licenses/by/3.0/

Thanks to content contribution from:
Scott Gordon CISSP
Dr. Anton Chuvakin
Tim Mather CISSP, CISM
Randolph Barr, CISSP
Jamie Sanbower, CISSP
Bill Sieglein CISSP
SANS.org, in reference to the Top Cyber Security Risks and the 20 Critical Security Controls
April Russo (number graphics)