JumpStart Guide for SIEM in AWS
Transcript of JumpStart Guide for SIEM in AWS
©2019 SANS™ Institute | www.sans.org Sponsored by:
JumpStart Guide for SIEM in AWS
Monthly Webinar Series
in conjunction with
Jumpstart Guide for Security Information and Event Management (SIEM) in AWS
Today’s Speakers
• J. Michael Butler, SANS Analyst and Information Security Consultant
• Jay Austad, VP, Orchestration and Automation Solutions, Optiv
• David Aiken, Solutions Architect Manager, AWS Marketplace
Today’s Agenda
• Integrating Security Information and Event Management (SIEM) to the cloud
• Benefits and Options
• On premises vs. cloud
• Growing adoption of Security Orchestration and Automated Response (SOAR)
• Goals of Integration
• AWS tools and options
Integrating SIEM to the Cloud
• SIEM systems continue to mature and add functionality.
• Adding SOAR capabilities increases value (exponentially?).
• NIST: “Present [event] data as actionable information via a single interface” has cloud implications.
• There are advantages to pushing events to SIEM in the cloud.
Benefits of SIEM in the cloud
• Enhancements are regularly added to the cloud.
• Hardware, OS and software maintenance responsibilities belong to the provider.
• Elastic resources can be adjusted quickly in response to incident-related events.
• Security can be designed to ensure forensically sound log and data storage.
Business Considerations
• Governance, policies, and standards
• Reporting and metrics
• Budget, funding, and support
• Risk classifications
Technical and Operations Considerations
• Requirements for compliance with policies and standards
• Capacity and speed: ingestion, analytics, and storage
• Agent-based vs. agentless
• Secure data in transit and at rest
• Operational and monitoring responsibility
• Development of processes and procedures
On-Premises vs. Cloud
On-Premises
• Limited scale
• Unknown and hidden costs
• Resources assigned
• Infrastructure in place
• Familiarity and internal documentation
• Long term storage
Cloud
• Unlimited scale
• Predictable costs
• Documentation
• Training
• Infrastructure available as needed
• Support
• Available storage tiers
Incident Response Automation
• Security Orchestration and Automated Response
• Growing Integration and Adoption into SIEM (Gartner)
• Analyze Events for Known Incident Patterns
• Incorporate Logic for Appropriate Response
• Test, Review, Refine, Reduce False Positives
• Use Threat and Vulnerability Data for Continuous Enhancement
Goals of Integration
• Combine log data from on-prem and off-prem systems.
• Provide the best speed possible for ingestion and analysis.
• Close gaps that may exist in current infrastructure.
• Add automated incident response where possible.
• Abbreviate reaction and dwell time to incidents.
• Add ability to grow log collection and analysis to scale.
• Better resource management with predictable budgeting.
Questions and Decisions
• Move logging, analysis, alerting, and/or mitigation to the cloud?
• What current on-prem tools will continue to add value?
• Are there sufficient resources for training and management of “new” tools?
• How much is the budget for ongoing support?
AWS Considerations
• Resource Constraints
• Cloud Context
• Efficiency
• Ease of use
• Integration requirements
• Availability of built-in tools
• Time to alert and reaction
Summary
• Have a plan
• Get C-level buy-in
• Build a team and get their buy-in
• Consider partners
• Conduct Proof of Concept testing and evaluation
• Plan for growth and for the long term
• Implement and integrate
KEY BENEFITS OF ADDING SOAR TO YOUR SIEM SOLUTION
Jay Austad, VP, Orchestration and Automation Solutions, Optiv
CASE STUDY
Global Entertainment Company – SIEM Deployment
CHALLENGES
• Current licensing for legacy SIEM solution up for renewal in less than 90 days
• Client required a predictable TCO, costed out over 3 years
• Insufficient internal resources to deploy a new platform in the required timeframe
• Any on-prem deployment would require a significant acquisition of new hardware to support the solution
SOLUTION
• Splunk in AWS
• Ingestion from multiple international datacenter locations, office locations, as well as AWS
• Optiv services to deploy, integrate, and tune
OUTCOMES
• Solution fully deployed and in production within 6 weeks from project start
• No additional hardware acquisition or deployment was required, reducing the overall time to value
• No ongoing maintenance on server/OS platforms required, reducing ongoing cost of ownership
• TCO was known up front without having to take into account facility costs, power, labor for maintenance, etc.
• The ability to scale quickly when required
• Deployment of Splunk in AWS saved the customer 75% on initial deployment costs
SIEM/SOAR SYMBIOSIS
• The more effective a SIEM solution is, the greater the workload on the SOC, because of the increased volume of quality alerts
• SIEM solutions:
  • Lack robust 3rd party API integration capabilities
  • Require significant development for automation capabilities
  • Are good at generating actionable alerts, but cannot do advanced analysis of those alerts based on enrichment data, context, etc.
  • Lack a Case Management system that is robust or flexible enough for most customer needs
• SOAR leverages SIEM as the primary source of actionable alerts
• SOAR fills in the gaps where SIEM falls short
• SOAR is the communication bus for all of your disparate security (or non-security) tools
The 7 Benefits of adding SOAR to your SIEM solution
1. Automation
2. Integration
3. Process Enforcement
4. Metrics and KPIs
5. Unified Collaboration/Case Mgmt
6. Human Intelligence Amplification
7. Brokered Access

1. Automation
“My analysts spend 90% of their time performing tedious and repetitive tasks.”
• Automation of tedious and repetitive tasks
• Improvement in job satisfaction, less turnover
• Recovery of hours and reduction in labor costs
• Lessens or removes the burden of off-hour shifts
2. Integration
“I bought all this stuff, how do I make it work together?”
• Built-in integrations for most common security tools
• Ability to easily write integrations for non-supported tools
• No reliance on vendors to build support for other vendors’ products
• Multiply the value of your existing tools and use them more effectively
3. Process Enforcement
“I rely on people to accurately follow a written process, and that doesn’t always happen.”
• Elimination of human error
• Guardrails to ensure a process is followed to spec every time
• Audit trails to ensure all steps were followed
• Ability to automatically pivot the process based on the context of the alert (on-prem or cloud)
4. Metrics and KPIs
“I have trouble showing the true value of our solutions, and the effectiveness of our security team.”
• Automatic collection of complex metrics
• ROI/Hours saved calculations
• Improved visibility of the overall operation of the SOC
5. Unified Collaboration/Case Mgmt
“My people utilize several different platforms for incident management, there is no one single source of truth.”
• Reduction in systems/platforms that analysts must touch directly
• Purpose built case management for incident response
• Increased analyst efficiency and ability to pivot
• Single source of truth for security incidents
6. Human Intelligence Amplification
“My people do not have the information or the time to effectively make accurate determinations on every alert.”
• Ability to make an automated analysis based on 3rd party threat intel, contextual information, or other enrichment data
• Ability to use rules, algorithms, and machine learning to improve the analysis of incidents
• Ability to use the analysis to kick off automated remediation tasks
7. Brokered Access
“I have to escalate certain tasks to higher tiers or other teams for remediation, which adds a significant delay to the resolution and puts my organization at risk.”
• Give analysts access to specific tasks without the requirement of full administrative access to systems.
• Lessens the need to escalate to higher tiers or other teams for data collection or remediation.
• Dramatic reduction in Time to Resolution
CASE STUDY - HIA
Global 50 Organization with over 100,000 employees
CHALLENGES
• No SOC and limited security tools that would provide visibility and remediation capabilities
• No good way to estimate alert volume in the new SOC
• Much greater volume of alerts than anticipated on go-live date
SOLUTION
• Implementation of Splunk Phantom in AWS for rapid deployment and ease of integration to Sumo Logic in AWS, as well as on-prem platforms
• A Human Intelligence Amplification playbook to do all of the initial true/false positive identification to lessen analyst workload
Human Intelligence Amplification functions:
• Severity Adjustment based on:
  • Alert content
  • Host Context
  • User context
• True positive identification based on a scoring mechanism that uses rules and algorithms to assign a confidence score.
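The severity adjustment and confidence scoring the playbook above describes, as an added Python example that is not Splunk Phantom's, Sumo Logic's or Optiv's code; the host and user context tables, rule weights and the 60-point threshold are constructed assumptions.

```python
# Added example, not Splunk Phantom's or Optiv's code: a minimal triage step of
# the kind the "Human Intelligence Amplification" playbook above describes. It
# adjusts severity from alert content, host context and user context, and scores
# confidence with rules to decide whether an alert is a likely true positive.
# Weights, thresholds and the context tables are constructed assumptions.
from dataclasses import dataclass

SEVERITY_ORDER = ["low", "medium", "high", "critical"]
HOST_CONTEXT = {"dc01": {"role": "domain_controller", "criticality": 3},
                "ws-1043": {"role": "workstation", "criticality": 1}}
USER_CONTEXT = {"svc_backup": {"privileged": True, "service_account": True},
                "jdoe": {"privileged": False, "service_account": False}}

@dataclass
class Alert:
    name: str
    host: str
    user: str
    severity: str            # severity as assigned by the SIEM
    intel_hits: int = 0      # number of matching threat-intel indicators
    interactive_logon: bool = False

@dataclass
class Triage:
    severity: str            # adjusted severity
    confidence: int          # 0-100
    true_positive: bool
    reasons: list

def shift_severity(sev: str, steps: int) -> str:
    # Move severity up or down the scale, clamped at both ends.
    i = SEVERITY_ORDER.index(sev) + steps
    return SEVERITY_ORDER[max(0, min(len(SEVERITY_ORDER) - 1, i))]

def triage(alert: Alert, threshold: int = 60) -> Triage:
    host = HOST_CONTEXT.get(alert.host, {"role": "unknown", "criticality": 2})
    user = USER_CONTEXT.get(alert.user, {"privileged": False, "service_account": False})
    score, steps, reasons = 0, 0, []
    # Alert content: threat-intel matches weigh heavily (capped).
    if alert.intel_hits:
        score += min(40, 20 * alert.intel_hits)
        reasons.append("threat-intel match")
    # Host context: a critical asset raises both severity and confidence.
    if host["criticality"] >= 3:
        score, steps = score + 25, steps + 1
        reasons.append(f"critical host ({host['role']})")
    # User context: privileged users raise severity; a service account
    # logging on interactively is anomalous on its own.
    if user["privileged"]:
        score, steps = score + 15, steps + 1
        reasons.append("privileged user")
    if user["service_account"] and alert.interactive_logon:
        score += 30
        reasons.append("interactive logon by service account")
    # No corroboration on a low-value host: treat as probable noise.
    if host["criticality"] <= 1 and not alert.intel_hits and not user["privileged"]:
        score, steps = score - 20, steps - 1
        reasons.append("low-value host, no corroboration")
    score = max(0, min(100, score))
    return Triage(shift_severity(alert.severity, steps), score, score >= threshold, reasons)
```

The `reasons` list is what an analyst would see in the case record, so every adjustment stays auditable rather than being a bare score.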
OUTCOMES
• Reduction in ATD and signal-to-noise ratio
• Increased analyst efficiency
• Higher true positive rate
• Enriched data sets -> improved analysis capability and visualization (i.e. clustering)
[Chart: Average Time to Detect (Critical Alerts) in Minutes - Weekly, weeks 1 to 8; series: ATD Actual, ATD Target SLA (Critical Alerts), Volume of Alerts (x10)]
SIEM/SOAR IN AWS OUTCOMES
• Predictable costs
• Rapid deployment
• Dramatic reduction in deployment LOE
• Elimination of capital expenditures related to hardware and facilities
• Ease of scale
• Disaster Recovery and High Availability options
• Ability to leverage AWS security features such as GuardDuty when traditional on-prem security platforms do not provide the required visibility or functionality in the cloud
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Discovering SIEM and SOAR solutions available in AWS Marketplace
What SIEM and SOAR solutions are available in AWS Marketplace?
SIEM and SOAR Portfolio
• Splunk Cloud, Splunk Enterprise, and Splunk Phantom offer comprehensive SIEM and SOAR coverage.
• Demisto Enterprise AMI: SOAR solution that can accelerate incident response and security operations.
• Machine Data Analytics Service: Manage operation and security of applications with machine learning based analytics.
• Alert Logic SIEMless Threat Management: Security monitoring and threat analysis from a certified security team.
Blackstone increases security efficiency using Splunk Phantom SOAR technology
Benefits:
• Reduced processing time of malware alerts to 40 seconds from 30+ minutes
• Ensured a repeatable, auditable process for investigating alerts
• Increased accuracy and consistency of response process
Pokemon protects customer’s privacy with cloud-native Machine Data Analytics Service
Benefits:
• Saved hundreds of hours across security team through automation
• Increased visibility aided cross-departmental alignment and problem solving
• Reduced time spent on compliance efforts
Why AWS Marketplace?
• Flexible consumption and contract models
• Quick and easy deployment
• Trusted Consulting Partners
How can you get started?
Complete the survey to learn more on the solutions mentioned
Cloud Security Architecture Assessment for AWS
Q&A
Please use GoToWebinar’s Questions tool to submit questions to our panel.
Send to “Organizers” and tell us if it’s for a specific panelist.
Acknowledgments
Thanks to our sponsor:
To our special guests: David Aiken and Jay Austad
And to our attendees, thank you for joining us today!