McAfee SIEM solution


Jonathan Knohl – CEO
Shaliza Fayyaz – CFO
Hashnee Subbusundaram – COO
Juan Pardo – CIO
Fahad Mohammad – CPO

Integration
• SIEM can be integrated with various platforms/software to ensure that those specific platforms are well secured from outside threats.
• Platform/software specific: each has its own set of SIEM integration capabilities and its own SIEM Integration page.
• Transfer all information to the SIEM Integration Server.
• Select the data transport protocol: UDP or TCP (both are transport-layer protocols).
  o User Datagram Protocol (UDP): faster, but connectionless; a datagram dropped on the way to the receiver is lost without any notice, so there is no delivery guarantee.
  o Transmission Control Protocol (TCP): connection-oriented and reliable; because it carries a byte stream, each log message has to be framed (for example RFC 6587 octet counting) so the receiver can find message boundaries.
  o Neither protocol encrypts or authenticates the log stream by itself; that requires TLS on top of TCP.
• Has various correlation techniques used to integrate with specific platforms/software.
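To make the UDP/TCP choice above concrete, here is an added example (not McAfee code, and not the page's own) of a minimal syslog forwarder that builds RFC 5424 lines and ships them either as UDP datagrams or over TCP with RFC 6587 octet-counting framing. The receiver side is a plain loopback listener standing in for the SIEM receiver; the facility, application name, host names and the two sample messages are constructed for the demo.

```python
import socket
import threading
from datetime import datetime, timezone
from typing import List

# Added example, not McAfee code. Assumptions: the "SIEM receiver" is a plain
# syslog listener on 127.0.0.1 with a port chosen at runtime; facility/app
# names and the sample messages are constructed for the demo.

def format_syslog(facility: int, severity: int, hostname: str, app: str,
                  msg: str, ts: datetime = None) -> str:
    """Build one RFC 5424 syslog line; PRI = facility * 8 + severity."""
    ts = ts or datetime.now(timezone.utc)
    pri = facility * 8 + severity
    # <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    return f"<{pri}>1 {ts.isoformat()} {hostname} {app} - - - {msg}"

SAMPLE_TS = datetime(2016, 9, 25, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    format_syslog(4, 6, "fw01", "firewall",
                  "allow src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=443", SAMPLE_TS),
    format_syslog(4, 4, "fw01", "firewall",
                  "deny src=10.0.0.9 dst=198.51.100.7 proto=udp dport=53", SAMPLE_TS),
]

def send_udp(lines: List[str], host: str, port: int) -> None:
    """One datagram per message. Fire-and-forget: a dropped datagram is simply gone."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode("utf-8"), (host, port))

def frame_tcp(line: str) -> bytes:
    """RFC 6587 octet counting: 'MSG-LEN SP MSG'. TCP is a byte stream, so
    without framing the receiver cannot tell where one log line ends."""
    data = line.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data

def parse_tcp_stream(buf: bytes) -> List[str]:
    """Inverse of frame_tcp: split an octet-counted stream back into messages."""
    out = []
    while buf:
        length, _, rest = buf.partition(b" ")
        n = int(length)
        out.append(rest[:n].decode("utf-8"))
        buf = rest[n:]
    return out

def send_tcp(lines: List[str], host: str, port: int) -> None:
    """Reliable, ordered delivery; the connection is closed after the batch."""
    with socket.create_connection((host, port)) as s:
        s.sendall(b"".join(frame_tcp(line) for line in lines))

def roundtrip_udp(lines: List[str]) -> List[str]:
    """Loopback demo: what a UDP syslog receiver sees (one recvfrom per datagram)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        send_udp(lines, "127.0.0.1", rx.getsockname()[1])
        return [rx.recvfrom(65535)[0].decode("utf-8") for _ in lines]

def roundtrip_tcp(lines: List[str]) -> List[str]:
    """Loopback demo: the receiver reads the whole stream and re-frames it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        sender = threading.Thread(target=send_tcp, args=(lines, "127.0.0.1", port))
        sender.start()
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
        sender.join()
        return parse_tcp_stream(buf)

if __name__ == "__main__":
    print(roundtrip_udp(SAMPLE_LINES))
    print(roundtrip_tcp(SAMPLE_LINES))
```

The UDP path has no acknowledgement at all, which is why it is faster and why a busy receiver silently loses events; the TCP path pays for reliability with the explicit length prefix, and a real deployment would wrap that TCP connection in TLS, since neither transport protects the log content on the wire.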

Escalation
• Over time SIEM has evolved to be adaptable to various devices/technologies:
  o Applications, operating systems, firewalls, healthcare auditing, proxies
• Once a threat is detected, the device/software escalates its security levels to stay on top of potential new threats.
• McAfee releases periodic updates for SIEM.
  o Code updates are made available as a single compressed TAR file (simple 7-step process).
• SIEM add-ons include:
  o McAfee Advanced Correlation Engine
  o McAfee Application Data Monitor
  o McAfee Enterprise Log Manager
  o McAfee Global Threat Intelligence for Enterprise Security Manager

Use Cases

Scenario

What SIEM delivers?

Informational Interview

1. Which are the benefits of SIEM?

To extract context from common security events. Using categorization and normalization, we can better understand what is normal behavior and what should be investigated. I have sent you a few scenarios around that. For example, a normal environment would have 1000 lines of firewall logs, but which of those are related to a known malicious IP? Which users, through which protocol, interacted with this IP? Was it a critical machine? Can it be infected by malware? Etc.

2. How is the investment related to the solution/acquisition?

I wouldn't know anything related to the price of it, and that would also depend on the use case and sizing. For example, we have massive deployments where you have more than 30 appliances, and environments that would use only a single combo box appliance.

3. How do you deal with storage when it comes to the volume of log data, correlation, etc.?

This is also related to sizing and use case. Some organizations might have different requirements for log retention because of some specific compliance regulation.

4. What is the best strategy for storing that huge amount of data?

The best strategy is to have a powerful database that is capable of retrieving the data easily and serving the administrators. Also, to establish a structure for long-term storage, that is, the raw log. When we talk about SIEM, correlation, aggregation, we are talking about events that have been parsed and treated. The raw log is the raw log only, and should be primary for compliance. The company implementing that technology must have a clear use case in mind, which will directly impact how much storage and which appliances they will need.

5. Is it easy to integrate SIEM with other technologies? Any restrictions? Is it secure?

We have a list of supported devices. For those unsupported, it is relatively easy to integrate by building a custom parser. We just need a log sample and a method of retrieval.
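The interview's two technical points, categorization/normalization so that the interesting lines stand out among a thousand firewall events (question 1) and building a custom parser for an unsupported device from a log sample (question 5), can be shown together. The following is an added example in Python, not McAfee's parser or correlation engine and not part of the interview. Both firewall log formats (a key=value format and a CSV format), the threat-intel list of known bad IPs and the list of critical hosts are constructed for the example; the common schema and category names are assumptions, not McAfee's.

```python
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Added example, not McAfee's parser or correlation engine. Everything below is
# constructed for the demo: two hypothetical firewall log formats (key=value
# and CSV), a threat-intel IP list, and an asset list of critical hosts.
KV_LOGS = [
    "2016-09-25T10:01:02Z fw01 action=allow src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=443 user=alice",
    "2016-09-25T10:01:05Z fw01 action=deny src=10.0.0.9 dst=198.51.100.7 proto=udp dport=53 user=bob",
    "2016-09-25T10:01:09Z fw01 action=allow src=10.0.0.5 dst=192.0.2.44 proto=tcp dport=80 user=alice",
]
CSV_LOGS = [
    "2016-09-25T10:02:00Z,fw02,ACCEPT,10.0.0.20,203.0.113.10,tcp,22,svc-backup",
    "2016-09-25T10:02:30Z,fw02,DROP,10.0.0.21,203.0.113.10,icmp,0,-",
    "2016-09-25T10:03:00Z,fw02,garbage",   # truncated line: must not crash the pipeline
]
KNOWN_BAD_IPS = {"203.0.113.10"}
CRITICAL_HOSTS = {"10.0.0.20"}

# Common schema every source is normalized into (an assumption for the demo).
SCHEMA = ("ts", "device", "action", "src", "dst", "proto", "dport", "user")
Event = Dict[str, str]

def parse_kv(line: str) -> Event:
    """Custom parser for the key=value format."""
    ts, device, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ev = {"ts": ts, "device": device}
    ev.update({k: fields.get(k, "-") for k in SCHEMA[2:]})
    return ev

def parse_csv(line: str) -> Event:
    """Custom parser for the CSV format; maps the vendor's verbs onto the schema's."""
    parts = line.split(",")
    if len(parts) != len(SCHEMA):
        raise ValueError(f"expected {len(SCHEMA)} fields, got {len(parts)}")
    ev = dict(zip(SCHEMA, parts))
    ev["action"] = {"ACCEPT": "allow", "DROP": "deny"}.get(ev["action"], ev["action"].lower())
    return ev

def normalize(lines: List[str], parser: Callable[[str], Event]) -> List[Event]:
    """Parse and categorize. Unparsable lines become parse.error events instead
    of being dropped, so a broken parser shows up as a visible coverage gap."""
    events = []
    for line in lines:
        try:
            ev = parser(line)
            ev["category"] = f"network.connection.{ev['action']}"
            events.append(ev)
        except (ValueError, KeyError) as exc:
            events.append({"category": "parse.error", "raw": line, "error": str(exc)})
    return events

def correlate(events: List[Event], bad_ips: set, critical_hosts: set) -> Dict[str, dict]:
    """For each known-bad IP: which users, which proto/port, which critical hosts,
    and how much of the traffic the firewall actually let through."""
    hits = defaultdict(lambda: {"users": set(), "protocols": set(),
                                "critical_hosts": set(), "allowed": 0, "denied": 0})
    for ev in events:
        if ev["category"] == "parse.error":
            continue
        if ev["dst"] in bad_ips:
            peer = ev["dst"]
        elif ev["src"] in bad_ips:
            peer = ev["src"]
        else:
            continue
        h = hits[peer]
        if ev["user"] != "-":
            h["users"].add(ev["user"])
        h["protocols"].add(f"{ev['proto']}/{ev['dport']}")
        if ev["src"] in critical_hosts:
            h["critical_hosts"].add(ev["src"])
        h["allowed" if ev["action"] == "allow" else "denied"] += 1
    return dict(hits)

def run() -> Tuple[Dict[str, dict], List[Event]]:
    events = normalize(KV_LOGS, parse_kv) + normalize(CSV_LOGS, parse_csv)
    errors = [e for e in events if e["category"] == "parse.error"]
    return correlate(events, KNOWN_BAD_IPS, CRITICAL_HOSTS), errors

if __name__ == "__main__":
    hits, errors = run()
    for ip, h in hits.items():
        print(ip, h)
    print(f"{len(errors)} line(s) failed to parse")
```

Of the five well-formed lines, three touch the bad IP; the correlation answers the interview's questions directly (alice and svc-backup talked to it, over tcp/443, tcp/22 and icmp, one of them from a critical host, and two of the three connections were allowed). The parse.error bucket is the check a practitioner wants: a custom parser that silently drops lines makes the environment look cleaner than it is.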

6. What is the current analytical technique that is used?

I couldn’t answer that.

7. What are some challenges associated with this tool?

The challenges are the business-related rules and configurations. Once it is implemented, the administrators must be capable of extracting all the information available and making sense of it.

8. Is SIEM cloud friendly? How does it deal with data correlation and processing in this environment?

We support deployment of a component of the solution in the cloud (Amazon), namely the Receiver.

9. What are some additional functions that you think could make this tool even more effective, or which areas are being worked on so they can be included?

Data sources are key to achieve a specific use case. The more information available, the more you can extract context from it and investigate further the environments.

10. Was there a specific company or event that inspired the creation of SIEM?

I wouldn’t know.

11. What people (skills, roles, etc) should be involved in running and using a SIEM? Does it require training of personnel before deployment?

Security administrators, SOC operators, compliance reviewers, etc. It is recommended that the administrators take the McAfee-offered training for the solution.

12. What is needed to make a SIEM implementation successful?

We recommend that the customer work with a Professional Services Consultant during the implementation and that they have a clear notion of what use case they are looking for. From there, as the deployment matures, they might grow to other levels and implement further business rules.

References
• "Advanced Threat Defense for SIEM." Solution Briefs (n.d.): n. pag. McAfee, Inc. Web. 25 Sept. 2016. http://www.mcafee.com/us/resources/solution-briefs/sb-atd-for-siem.pdf
• "Security Information and Event Management." Unique McAfee Data Management Techniques (n.d.): n. pag. McAfee, Inc. Web. 25 Sept. 2016. http://bluekarmasecurity.net/wp-content/uploads/2014/01/McAfee-WhitePaper-SIEM.pdf
• "Data Sheet." SIEM Solutions from McAfee (n.d.): n. pag. McAfee, Inc. Web. 25 Sept. 2016. http://www.mcafee.com/us/resources/data-sheets/ds-siem-solutions-from-mcafee.pdf
• "Data Exfiltration Study: Actors, Tactics, and Detection." Grand Theft Data (n.d.): n. pag. McAfee, Inc. Web. 25 Sept. 2016. http://www.mcafee.com/us/resources/reports/rp-data-exfiltration.pdf
• "Verizon's 2016 Data Breach Investigations Report." Verizon, n.d. Web. 25 Sept. 2016. http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
• http://www.isaca.org/Knowledge-Center/Research/Documents/SIEM-Business-Benefits-and-Security-Governance-and-Assurance-Perspectives_whp_Eng_1210.pdf?regnum=
• Eduardo de Sá Xavier, Professional Services Consultant – LAR Brazil (eduardo.xavier@intel.com)
