7. The Bottom Line
IT Trends exposing orgs to more risk
Strong incentives for hackers
Unsustainable and explosive situation
Security orgs are underfunded
Hard for business leaders to understand the expenses
Focus is on compliance, but compliance only protects your organization against fines
In order to do your job, you must fight for mandate and budget like never before
8. Start with a Few Assumptions
No endpoint is secure
Employees will get duped into doing bad things
Not all employees have the best intentions
You will be breached, the question is just how badly
Business leaders must justify investments to a higher authority
Criminals are lazy
9. No Endpoint is Secure
• Too many threat vectors to guard against them all
– Social networking
– 0-day vulnerabilities
– Malware
– SQL injection
• Your employees will get duped
• Your employees could even be getting paid
10. You Are Breached
• Research suggests that a large portion of botnets comes from corporate networks
– Can you guarantee every endpoint on your network is completely malware free?
• Start from the perspective that every endpoint on your network is already breached
• Trust must be earned before being granted
• Authentication only guarantees access
• Inspect every tr
11. “IT administrators were responsible for more data compromises than any other insider role. [However,] many will note the rather small difference between breaches caused by other employees and IT administrators. These findings are a reminder that high levels of access are not necessary in order to compromise data.”
– Verizon Business, 2008 Data Breach Investigations Report
12. Security Today
• Keep “bad guys” away from the network
• Build a gigantic wall around the enterprise
• Deploy point technologies to guard against specific threat vectors at the edge
13. Today's Reality
• Data and workloads moving off-premise
• Threats from insiders and outsiders...
• Targeted attacks increasing
14. Targeted Attacks Pose a Problem
• Blurs the lines between an insider and outsider
• Hackers are incredibly good at covering their tracks
– Heartland Data Systems: Takes nine weeks of intense scrutiny to discover something was wrong
• The evidence is there, but buried under a mountain of data!
The central challenge of security is filtering the noise and finding inconsistencies in the data.
15. “Evidence of events leading up to 82
percent of data breaches was available
to the organization prior to actual
compromise. Regardless of the
particular type of event monitoring in
use, the result was the same:
information regarding the attack was
neither noticed nor acted upon.”
– Verizon Business, 2008 Data Breach Investigations Report
17. The Next Generation Security Program
(Layered diagram, bottom to top:)
– Basic blocking and tackling: Firewall, Anti-virus, Access Controls
– Security Intelligence: IDS/IPS, Vuln Scan, Log Management
– User Activity Monitoring: SIEM + IAM
18. What is Log Management, anyway?
• A tool for collecting and storing large amounts of security logs, with the ability to search and report
• Typically deployed as a response to some sort of regulatory mandate
– PCI
– Sarbanes Oxley
– HIPAA
• Often takes the place of a home grown log aggregation system
19. Silos of Data, Manual Processes and Little Insight
(Diagram: logs from every silo must be translated from disparate data into a standard regulatory language. Not practical with manual processes. What's happening?)
• Security requires: Collect, Consolidate, Understand; Analyze, Notify, Report
• Network infrastructure logs: Routers, Switches, VPN Concentrators
• Security device logs: Firewalls, IDSs, IPSs, A/V
• Workstation and server logs: Windows, Unix, Netware
• Database logs (sys tables): Oracle, SQLServer, DB2
• Application logs: SAP, Oracle, Home Grown
• Mainframe logs: RACF, ACF2, TopSecret
20. Basic Log Management Functions
• Collecting logs from various network devices, security applications, and business applications
• Storing these logs for some defined retention period – ideally at the lowest possible cost
• Searching through the stored logs on an ad-hoc basis for forensics, to find anomalies, etc.
• Sending reports to analysts, managers, etc. at periodic intervals to fulfill operational or regulatory requirements
21. What's In a Log?
• Certain activities that take place on a system generate an event or log file
– Successful and failed login
– Ports open/close
– Privilege escalation
• Syslog is a standard for taking these log files and streaming them to a central location
– Wikipedia - “Syslog ... allows separation of the software that generates messages from the system that stores them and the software that reports and analyzes them. It also provides devices, which would otherwise be unable to communicate, a means to notify administrators of problems or performance.”
• If syslog is just a stream of information – how to make it useful?
– Not much provided by default
– Can save syslog to a file, grep through it – a completely manual effort
22. Events Explained
• Source + Priority + Message = Syslog Event
• ftp + warning + failed login
• lpr + notice + low on ink
• auth + warning + privilege escalation failed
Can I search through these events? How do I know if something is wrong?
Can I create a report to see all the failed logins last week?
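As an added example (not from the original deck), the following Python routine turns the raw syslog stream described on this slide into Source + Priority + Message events and answers the questions posed here: searching events by facility or severity, reporting failed logins per user, and, going one step beyond the slide, spotting a newly created account. The log lines and host names are constructed for the example.

```python
import re
from collections import Counter

# Constructed RFC 3164-style syslog lines for this example (not real data).
# <PRI> encodes facility*8 + severity, e.g. 84 = authpriv(10).warning(4).
SAMPLE_LOGS = """\
<84>Mar 10 09:14:02 web01 sshd[2210]: Failed password for alice from 10.0.0.7 port 51022 ssh2
<84>Mar 10 09:14:05 web01 sshd[2210]: Failed password for alice from 10.0.0.7 port 51022 ssh2
<86>Mar 10 09:15:40 web01 sshd[2231]: Accepted password for bob from 10.0.0.9 port 51100 ssh2
<53>Mar 10 09:20:11 print01 lpd[410]: low on ink
<84>Mar 10 09:21:03 db01 sudo: carol : user NOT in sudoers ; TTY=pts/0 ; COMMAND=/bin/bash
<86>Mar 10 09:30:00 db01 useradd[5001]: new user: name=svc_backup, UID=1042, GID=1042
<84>Mar 10 09:31:15 web01 sshd[2300]: Failed password for root from 203.0.113.5 port 40022 ssh2
"""

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + \
             [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>timestamp host tag[pid]: message
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) "
                     r"([^:\[\s]+)(?:\[(\d+)\])?: (.*)$")

def parse_event(line):
    """Split one syslog line into source + priority + message fields, or None if malformed."""
    m = LINE_RE.match(line)
    if not m or int(m.group(1)) >> 3 >= len(FACILITIES):
        return None  # malformed or out-of-range PRI: skip rather than guess
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "time": m.group(2), "host": m.group(3), "source": m.group(4),
            "pid": m.group(5), "message": m.group(6)}

def parse_stream(text):
    return [e for e in map(parse_event, text.splitlines()) if e]

def search(events, facility=None, severity=None, text=None):
    """Ad-hoc search: filter by facility, severity and/or a substring of the message."""
    return [e for e in events if (facility is None or e["facility"] == facility)
            and (severity is None or e["severity"] == severity)
            and (text is None or text in e["message"])]

def failed_login_report(events):
    """Count failed password attempts per target user (the 'failed logins' report)."""
    hits = (re.match(r"Failed password for (?:invalid user )?(\S+)", e["message"]) for e in events)
    return dict(Counter(m.group(1) for m in hits if m))

def new_users(events):
    """Accounts created on any host; an unexpected entry here is worth a look."""
    return [m.group(1) for e in events if (m := re.search(r"new user: name=(\w+)", e["message"]))]
```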
23. Using Log Management for Prevention
• Log management provides the transparency required to discover potential threats and vulnerabilities
– Requires a certain amount of diligence
• Use log management to discover
– If devices or software are misconfigured
– Who is accessing data or files
– Who is changing configurations
– Who has access to sensitive data and systems (and then go and limit those with access where possible)
– Whether administrators are sharing passwords or abusing privileged access
24. Using Log Management for Detection
• Log management can help determine whether a breach event has occurred
– Knowing that you've been breached is often extremely difficult
• Diligent log management tells you
– If a new user was unexpectedly created
– Who has elevated permissions
– If the volume of attacks increases
– If a vulnerable system was targeted with an exploit
– Whether a configuration was tampered with
25. Using Log Management for Investigation
• Event logs are the most critical footprints within the enterprise to reconstruct an actual breach
– Log Management provides visibility across all your IT infrastructure
– Allows root cause analysis
• Use log management to determine what happened and how it happened to remediate or mitigate:
– Which systems and applications were compromised
– The attack vector that was used
– Which security systems failed
– If the attack was detected but not acted on
– If the attack was external or due to an insider (malicious or otherwise)
27. Building User Activity Monitoring
UAM is the weapon against trustless computing
Inject context into security events
– Identities
– Asset information
Examine transactions with all available information
– Determine what happened, who did it, and whether I should care
Mine the data for inconsistencies
Where to start?
28. The Maturity Model
(Diagram: three stages, left to right, owned by the CISO: Log Management (“Compliance is the Driver”) → Security Monitoring and Remediation → User Activity Monitoring. Capabilities shown across the stages:)
• Collection, Storage, Analysis
• Audit / Compliance Reporting
• Enterprise View
• Real-time Monitoring
• Historical Analysis
• Automated Remediation
• Manage User Access Risk
• Monitor Identity Fraud
• Advanced Analytics
29. Security Management Capabilities
• Security Monitoring and Remediation
– Detect and report on security anomalies to reduce risk
– Automate remediation to improve security
• Log Management
– Collect, archive, and report on log data
– Forward data for further analysis
30. The Hacker
• Manually checking system logs is prone to error
(Diagram: Intruder → Payment-processing System)
– The intruder hacks into the payment-processing system.
– The payment-processing system logs the malicious activity.
– With so many logs to monitor, administrators overlook the activity.
– The intruder steals customers’ credit and debit card numbers.
31. Real-time Monitoring and Remediation
• Real-time monitoring and remediation stops malicious activity when it occurs
(Diagram: Intruder → Payment-processing System → IT Security Team)
– The intruder hacks into the payment-processing system.
– The payment-processing system logs the malicious activity.
– Recognizing the activity as out of policy, the IT security system takes immediate action…
– …like alerting the security team and locking down the payment-processing system.
32. Apply
Quantify the risks to the business
Show cost and likelihood, estimate how security investments reduce each
Survey the technology in place today
Tie each investment to the risk it is reducing, or the agility it is enabling
Build out metrics to capture the value of each piece
Establish a baseline
Compare to industry norms
Show how specific investments will impact metrics
Establish weekly or monthly cadence with cross-functional security team