1.2 The Principal Functions, Limitations and Challenges of a SIEM Solution
Let's imagine we started a new company called Acme, and we want to start adding some cyber security elements to its network infrastructure.
Acme is a small company with just a couple of desktop users and a laptop user. The first layer of security is already in place: a network firewall.
This firewall gives Acme a layer of separation between its corporate devices and the Internet, assuming it isn't yet using the cloud (more on that later).
Some firewalls also have intrusion prevention capabilities and can protect Acme from intrusions by preventing access to the corporate network from outside, or by preventing corporate users from accessing things the company doesn't want them to reach.
Some firewalls also protect against other kinds of threats.
They're used as choke points, that is, a single point of access from and to the corporate network, which allows the firewall to inspect the traffic and look for suspicious events that could constitute a threat.
Usually in such an environment, everything behind the firewall is trusted. The firewall has a trusted port for things inside the network and an untrusted port for things outside the network.
For a second layer of protection, we make sure that each user has an antivirus program installed, is keeping its definitions up to date, and scans regularly.
Great. Now we're starting to protect the users and the endpoints. The antivirus software will protect each individual from the following:
viruses, Trojans, worms, adware and spyware.
Antivirus software has evolved from a utility used for scanning and removing viruses from your computer into a set of endpoint protection solutions.
Antivirus programs include both automatic and manual scanning capabilities.
Very exciting times are coming.
Acme expands and adds a technician who travels to customer sites.
But because our technician is mobile and outside of the office, they can't benefit from the protection of the office firewall.
Criminals are scouring the web looking for victims with specific vulnerabilities, and the technician's laptop gets hit with intrusion attempts.
The attackers will attempt to compromise the unprotected host and use it as a slingshot to access corporate network resources. Or they could be looking to intercept interesting data like passwords or credit card information.
The host becomes compromised outside of the central protection of the office.
Next time the technician returns to the office, the infection spreads to other users because of the lack of segregation within the network behind the firewall.
The same can happen if the user connects over a VPN.
Many organizations will try to get around the problem we described by installing a VPN to ensure that everyone is behind the corporate firewall. But remember,
even though their traffic may be going through the same choke point, they're still not physically located behind that firewall, so their devices are still exposed to the same risks.
Using perimeter-based defenses is no longer viable in a world where devices are mobile and data is accessed through the cloud.
So let's now envision that all remote users are following the company's cyber safety rules.
We have a firewall and antivirus, and we're feeling pretty good. Our antivirus is very good at detecting the things it already knows about. Those are the known knowns.
But what about attacks that are new, that nobody knows about yet?
What about the unknown unknowns?
Antivirus detection is signature based. These signatures, which are like fingerprints or known patterns of behavior, are usually delivered to your antivirus product by means of regular updates,
but they're created only after someone has already been harmed by the threat, after the antivirus company knows about it and has determined how to remediate it.
The responsibility then falls on the users to update their definitions and run regular scans.
Criminals don't always use malware.
Just like burglars who choose the easiest way into your home or business, maybe through the open front door or maybe by smashing a window,
online criminals find the path of least resistance into your network, and antivirus is usually only good at detecting known malware.
Now it seems unfortunate,
but Acme has been compromised.
The criminal had free rein over the network once they could get onto a trusted system, which allowed them to bypass critical controls on the firewall.
Antivirus didn't detect the attack because there was no malware used. The criminal got in by exploiting a vulnerability in the roaming laptop, and then, when that user came back into the office, the criminal was able to move laterally to other systems within the trusted zone.
Now the company realizes that it needs to take the next step to improve its cyber security.
They decide to install a security information and event management solution, also called a SIEM, which is going to be the subject of our first module.
Hey, and welcome to the first module: Understanding Security Information and Event Management's Role in Security.
In this module we'll be discussing why a company would implement a SIEM solution, the principal functions of a SIEM and how it works.
After that we'll also dive into some of its limitations and the challenges it faces.
Acme, our example company, decides to install a SIEM.
A SIEM works as a focal point where all devices send their information and events; once there, the traffic is analyzed to determine if something is suspicious.
SIEMs can be deployed in two ways:
on premises or cloud based.
In our example, Acme chooses cloud based because it's the most scalable solution.
Now they have to collect telemetry data from all across their network and endpoints.
They need to install and configure agents and set up rules within their SIEM.
Usually, companies implement a SIEM solution for one or more of the following reasons.
To protect the company by monitoring activity over the network in real time. Processing speed is crucial in cyber security: the quicker you process events, the sooner the review process starts and the sooner you can find risks or threats.
To ensure audit success by demonstrating compliance with data security standards. A SIEM solution is a common requirement for several data security standards.
To understand incidents by performing forensic analysis. This way, you can dissect an event and understand what happened.
To have access to threat intelligence feeds for supporting the security awareness function. Threat intelligence feeds are repositories where cyber security information is stored and consumed.
To make sure security incidents are being addressed by supporting the incident response process. This will allow the company to respond to threats and breaches in a more effective way.
And to perform security analytics in order to support a threat hunting process. Determining which traffic is suspicious is essential to the threat hunting process and to incident response.
When the average time to detect a breach reaches 191 days, time is critical. Real-time monitoring lets you see alerts on defined filters for the events and logs at high speed, so that you can react to them in a timely manner.
The weight of an agent and its capacity for transmitting telemetry data to the SIEM are essential to the monitoring process. A good agent gets information into the SIEM at a faster rate and with more relevant data.
Also, a quicker processing time for the information can lead to a faster response to threats.
Many different types of SIEM implementations lead to an increase in alerts.
This causes what has come to be called alert fatigue.
It's where there are so many events that you either cannot humanly deal with them, or you see them so often that you begin to ignore them.
Some vendors recommend that customers tune the SIEM and ignore information they consider irrelevant. But in reality, ignoring this information could lead to important information getting lost. A safer compromise is to tune what gets alerted on while still retaining the underlying events for later search.
What may currently be irrelevant may become relevant in the future.
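As an added example that is not part of the course, here is a small Python sketch of the pieces just described: a collector that normalises two constructed log formats (a firewall deny line and an SSH authentication line, both hypothetical formats, not a real vendor's) into one event schema, two stateful correlation rules that watch the stream as it arrives, and a suppressor that collapses repeated alerts for the same source within a window so the console isn't flooded, while the events themselves are still counted rather than dropped. All log lines, host names, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta, timezone

# Common schema every source is mapped onto. source: "firewall" | "auth";
# action: "allow" | "deny" | "login_failed" | "login_ok". Trailing fields optional.
Event = namedtuple("Event", "ts host source action src_ip dst_port user",
                   defaults=(None, None))
Alert = namedtuple("Alert", "rule key ts detail")   # key = what the rule grouped on

# Hypothetical line formats of the two constructed sources, not a real vendor's.
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
                   r"src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)")
AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) "
                     r"password for (?P<user>\S+) from (?P<src>\S+)")

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalise(line):
    """Map one raw line onto Event; None means the collector has no parser for it."""
    if m := FW_RE.match(line):
        return Event(parse_ts(m["ts"]), m["host"], "firewall", m["action"].lower(),
                     m["src"], dst_port=int(m["dport"]))
    if m := AUTH_RE.match(line):
        action = "login_failed" if m["result"] == "Failed" else "login_ok"
        return Event(parse_ts(m["ts"]), m["host"], "auth", action, m["src"], user=m["user"])
    return None

class PortScanRule:
    """One source denied on >= threshold distinct ports within the window."""
    def __init__(self, threshold=3, window=timedelta(minutes=1)):
        self.threshold, self.window, self.seen = threshold, window, defaultdict(dict)
    def feed(self, ev):
        if ev.source != "firewall" or ev.action != "deny":
            return None
        ports = self.seen[ev.src_ip]              # dst_port -> time last seen
        ports[ev.dst_port] = ev.ts
        for p in [p for p, t in ports.items() if ev.ts - t > self.window]:
            del ports[p]                          # expire ports outside the window
        if len(ports) < self.threshold:
            return None
        hit = sorted(ports)
        ports.clear()                             # reset: one sweep, one alert
        return Alert("port_scan", ev.src_ip, ev.ts, f"denied on ports {hit}")

class BruteForceRule:
    """A successful login preceded by >= threshold failures from the same source."""
    def __init__(self, threshold=2, window=timedelta(minutes=5)):
        self.threshold, self.window, self.failures = threshold, window, defaultdict(deque)
    def feed(self, ev):
        if ev.source != "auth":
            return None
        q = self.failures[ev.src_ip]              # failure timestamps, oldest first
        while q and ev.ts - q[0] > self.window:
            q.popleft()
        if ev.action == "login_failed":
            q.append(ev.ts)
            return None
        if len(q) < self.threshold:               # success without enough failures
            return None
        n = len(q)
        q.clear()
        return Alert("brute_force_success", ev.src_ip, ev.ts,
                     f"{n} failures then success as {ev.user} on {ev.host}")

class Suppressor:
    """Pass the first alert per (rule, key); repeats inside the window are counted."""
    def __init__(self, window=timedelta(minutes=10)):
        self.window, self.first_seen = window, {}
    def admit(self, alert):
        first = self.first_seen.get((alert.rule, alert.key))
        if first is not None and alert.ts - first <= self.window:
            return False
        self.first_seen[(alert.rule, alert.key)] = alert.ts
        return True

def run_pipeline(lines):
    rules, suppressor = [PortScanRule(), BruteForceRule()], Suppressor()
    summary = {"events": 0, "unparsed": 0, "alerts": [], "suppressed": 0}
    for line in lines:
        ev = normalise(line)
        if ev is None:
            summary["unparsed"] += 1              # count it, never drop it silently
            continue
        summary["events"] += 1
        for alert in filter(None, (rule.feed(ev) for rule in rules)):
            if suppressor.admit(alert):
                summary["alerts"].append(alert)
            else:
                summary["suppressed"] += 1
    return summary

# Constructed telemetry: a port sweep, a guessing run ending in a successful
# login, the same run again three minutes later, and one line of unknown format.
SAMPLE_LOGS = [
    "2024-03-04T09:00:00Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-03-04T09:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=445",
    "2024-03-04T09:00:02Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389",
    "2024-03-04T09:00:10Z laptop07 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-04T09:00:12Z laptop07 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-04T09:00:16Z laptop07 sshd: Accepted password for alice from 203.0.113.7",
    "2024-03-04T09:03:00Z laptop07 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-04T09:03:02Z laptop07 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-04T09:03:06Z laptop07 sshd: Accepted password for alice from 203.0.113.7",
    "this line is in a format the collector has no parser for",
]
```

Calling run_pipeline(SAMPLE_LOGS) yields nine normalised events, one unparsed line, two delivered alerts (the port sweep and the first successful brute force) and one suppressed repeat. The suppressor drops only the duplicate alert, never the events behind it, which is the distinction the tuning advice above turns on: the noise leaves the console, the evidence stays in the store.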
Some data security standards, such as SOX, PCI DSS, HIPAA and FISMA, among others, require log collection, review and audit trails for privacy and security, which in practice means a SIEM tool.
For some businesses, not complying with specific standards can mean that they lose customers (in B2B)
or can't take credit card payments (in B2C), for instance.
By not being in compliance, companies could expose themselves to unnecessary attacks and risk, and lose trust in the marketplace.
Several SIEM solutions already have built-in compliance reporting in place,
but it's not always a given.
Some SIEMs require a little more customization and tweaking based on the company's needs and priorities, so it's important to be aware of this when picking the right tool for your needs.
A SIEM tool supports the forensics function by providing a single repository for logs, alerts and events. This is the foundation of a SIEM solution.
When incidents happen, the forensic function serves as an information gathering tool to determine what events (source, destination, activity, ports, protocols, et cetera) were involved in the incident.
Based on the information gathered, you can begin the investigation process to determine what happened and what caused it.
A SIEM solution needs advanced threat intelligence in order to correlate events and raise the alarm.
Better threat intelligence means better resources to determine if a certain event may constitute a risk or a threat to the environment.
SIEM solutions help you to perform threat hunting and analytical duties.
Some solutions need lots of tuning and customization. Others, such as Cyber Easy, provide more focused types of monitoring and automation, which require less tuning.
Another key element of a SIEM solution is its capacity to support incident response activities.
The ideal SIEM is capable of detecting anomalies and creating alerts in near real time.
It also provides the ability to track and follow up on those incidents. By doing so, the incident response process is traced, tracked and documented.
There are several different SIEM solutions for different sized businesses. Many require full 24/7 capable teams to manage. Some, like Cyber Easy, are focused more toward ease of use, and others are fully managed by the vendor.
And finally, the last main function of a SIEM: security analytics.
Security analytics includes quantitative methods such as descriptive and predictive statistical methods, machine learning and data mining, in order to model behaviors and establish patterns. Those patterns and behaviors help security analysts to determine if a series of events constitutes a threat or not.
Module two of this course will explain the processes involved in security analytics.
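As an added illustration that is not from the course, the following Python sketch shows the simplest form of the descriptive statistics mentioned above: build a per-user baseline (mean and standard deviation of daily upload volume) from constructed history, then score new observations by z-score. It handles two cases a naive version gets wrong: an entity with no history at all, and a zero-variance baseline such as a service account that uploads exactly the same amount every day, which would otherwise divide by zero or flag any change as anomalous. The data, user names and thresholds are all assumptions made for the example.

```python
from statistics import mean, pstdev

# Constructed history: kilobytes uploaded per user per working day over two weeks.
HISTORY = {
    "alice": [120, 135, 110, 150, 128, 140, 115, 132, 125, 138],
    "bob": [40, 42, 38, 45, 41, 39, 44, 40, 43, 41],
    "svc_backup": [5000] * 10,   # perfectly regular service account: zero variance
}

def build_baseline(history):
    """Descriptive statistics per entity: (mean, population standard deviation)."""
    return {user: (mean(v), pstdev(v)) for user, v in history.items()}

def score(baseline, user, value, z_threshold=3.0, floor_ratio=0.05):
    """Score one observation against the entity's baseline.
    Returns (z_score or None, verdict); verdict is "normal", "anomalous" or
    "new_entity"."""
    if user not in baseline:
        return None, "new_entity"          # no history: review it, don't fake a score
    mu, sigma = baseline[user]
    # Floor sigma at a fraction of the mean; otherwise a zero-variance baseline
    # divides by zero and a one-kilobyte change on svc_backup looks anomalous.
    sigma = max(sigma, floor_ratio * mu)
    if sigma == 0:                         # mean and variance are both zero
        return None, "anomalous" if value != mu else "normal"
    z = (value - mu) / sigma
    return round(z, 2), "anomalous" if abs(z) >= z_threshold else "normal"

def evaluate(baseline, observations):
    """Run score() over (user, value) pairs; return only what needs an analyst."""
    findings = []
    for user, value in observations:
        z, verdict = score(baseline, user, value)
        if verdict != "normal":
            findings.append((user, value, z, verdict))
    return findings

# Constructed observations for today: one ordinary day per user, one large
# exfiltration-sized upload, a one-unit wobble on the service account, a huge
# jump on it, and a user nobody has seen before.
TODAY = [("alice", 131), ("alice", 900), ("bob", 39), ("svc_backup", 5001),
         ("svc_backup", 20000), ("mallory", 10)]

if __name__ == "__main__":
    for finding in evaluate(build_baseline(HISTORY), TODAY):
        print(finding)
```

Run as a script, it reports alice's 900 KB day and svc_backup's 20000 KB day as anomalous and mallory as a new entity, while the small variations stay quiet. A z-score over a per-entity baseline is the "descriptive" end of the spectrum the module mentions; the predictive and machine learning methods build on the same idea of a modelled normal.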
So now it's time for some questions.
Is the current SIEM out-of-the-box approach enough to protect a company?
How does a SIEM help with the security process for companies?
This first module covered the six main functions of a SIEM and how they can help to solve specific security issues for your company. To recap, the six functions are real-time monitoring of activity,
compliance with data security standards, forensic analysis,
threat intelligence feeds, supporting the incident response process and security analytics.
Thanks very much for your attention,
and I'll see you in the next module, where we discuss the process of security analytics.