
Building a SOC

Maximizing the Value of a SIEM


Matt Shelton, Principal Engineer, Managed Security Solutions

Jim Pasquale, Director, Managed Security Solutions
Month 00, 2009

© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09

Verizon Business Security Solutions
• One of the largest global providers of managed information security services
• More than 3,400 customers worldwide
• We serve the majority of the Fortune 100 and the top 100 companies in Forbes’ Global 2000
• A leading PCI compliance program
• A leading portfolio of identity management
• A leading forensics practice
• First information security certification program
• ICSA Labs—recognized provider of information security product testing and certification
© 2009 ArcSight Confidential 3
Market Analyst View
[Figure: Gartner Magic Quadrant for MSSPs (North America)]
• The Magic Quadrant—copyrighted 2009 by Gartner Inc. and is reused with permission
• Graphical representation of a marketplace at and for a specific time period—depicts Gartner’s analysis of how certain vendors measure against criteria for that
• Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant
• The Magic Quadrant is intended solely as a research tool and is not meant to be a specific guide to action; Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose
• The Magic Quadrant graphic was published by Gartner, Inc., as part of a larger research note and should be evaluated in the context of the entire report.
• The Gartner report is available upon request from Verizon Business
Verizon Business SIEM Expertise
• 10 years of experience in the SIEM market
• Presented at the 2007, 2008, and 2009 ArcSight User Conferences
• Participant in the Washington DC ArcSight User Group
• Provide professional services for ArcSight
• Manage and monitor SIEM environments using ArcSight

Goal 1—Determine Logging Requirements


• Security Policy

Choose Data Feeds Wisely!
• More data does not always lead to better security!
• Be careful logging the
Remember: ArcSight Logger is optimized for data storage and retention and ArcSight ESM shines at event management—know the strengths of each product!
Goal 2—Develop an Event Analysis Strategy

The 4 CIAP principles can serve as the basis of an event analysis strategy:
• Confidentiality: The limiting of data to certain places or people
• Integrity: Trusting the validity of the data
• Availability: Accessing the data when, where, and how it is expected
• Policy: Specific organization-defined rules

Example CIAP Use Cases
• Confidentiality: SQL injection, Zeus trojan
• Integrity: Password brute force attacks, cross-site scripting
• Availability: Denial of service, Microsoft service worm
• Policy: Peer-to-peer traffic, unauthorized VoIP traffic

Use Case Sources
– SANS top 20 security vulnerabilities
– SANS top 25 programming errors
– SANS 20 most critical security controls

SANS Top 20 | Primary Use Case | Secondary Use Case
Operating Systems
W1. Internet Explorer | Browser Jacking, NetIntel Hit | Backdoor Traffic, IRC Activity
W2. Windows Libraries | Microsoft Advisory | Microsoft Service Worm
W3. Microsoft Office | Application Vuln, Microsoft Advisory | MessageLabs Verizon SMTP Service!
W4. Windows Services | Microsoft Advisory | Microsoft Service Worm
W5. Windows Configuration Weaknesses | Policy Violation AUP, Brute Force |
M1. Mac OS X | Browser Jacking |
U1. UNIX Configuration Weaknesses | Brute Force, Attack Responses | SSH Sweeps, Etc Passwd Attacks

Goal 3—Measuring the Value
Two types of reports
1. Executive reports
» Graphics
» High level
» Events processed vs. incidents
» Event distribution by
location/region/business unit
» Events and incidents per month
2. Operational reports
» SANS top 5 essential log reports
» Attempts to gain access through
existing accounts
» Failed file or resource access attempts
» Unauthorized changes to users,
groups, and services
» Systems most vulnerable to attack
» Suspicious or unauthorized network
traffic patterns
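An added example (not code from the deck or from ArcSight) tying Goal 2's "password brute force" use case (CIAP: Integrity) to Goal 3's "events processed vs. incidents" metric: a small correlation rule run over constructed sshd log lines. The threshold, window, field names and the year supplied to the timestamps are assumptions.

```python
# Added example, not from the Verizon/ArcSight deck: a minimal SIEM-style
# correlation rule for the "password brute force" use case (CIAP: Integrity)
# over constructed sshd events, plus the events-vs-incidents count of Goal 3.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): 203.0.113.7 fails 5 times in 6 s.
SAMPLE_LOG = """\
Mar  1 10:00:01 web01 sshd[2001]: Failed password for admin from 203.0.113.7 port 50211 ssh2
Mar  1 10:00:03 web01 sshd[2002]: Failed password for admin from 203.0.113.7 port 50212 ssh2
Mar  1 10:00:04 web01 sshd[2003]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar  1 10:00:06 web01 sshd[2004]: Failed password for admin from 203.0.113.7 port 50214 ssh2
Mar  1 10:00:07 web01 sshd[2005]: Failed password for oracle from 203.0.113.7 port 50215 ssh2
Mar  1 10:00:09 web01 sshd[2006]: Failed password for jsmith from 198.51.100.9 port 40001 ssh2
Mar  1 10:00:30 web01 sshd[2007]: Accepted password for jsmith from 198.51.100.9 port 40002 ssh2
Mar  1 10:09:00 web01 sshd[2008]: Failed password for admin from 203.0.113.7 port 50216 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")

def parse_events(text, year=2009):
    """Normalise raw syslog lines into event dicts (the SIEM connector's job)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied (assumed 2009)
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "outcome": m["outcome"], "user": m["user"], "src": m["src"]})
    return events

def brute_force_rule(events, threshold=5, window=timedelta(minutes=1)):
    """Fire once per source IP when >= threshold failed logins fall inside a sliding window."""
    recent, fired, incidents = defaultdict(deque), set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # age out failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in fired:
            fired.add(ev["src"])  # one incident per source, not one per extra failure
            incidents.append({"ciap": "Integrity", "use_case": "Password brute force",
                              "src": ev["src"], "failures": len(q), "last_seen": ev["ts"]})
    return incidents

def executive_summary(events, incidents):  # "events processed vs. incidents" for Goal 3
    return {"events_processed": len(events), "incidents": len(incidents)}
```

The lone failure at 10:09:00 shows the window aging out earlier failures, so it does not re-fire the rule.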
Goal 4—Developing a Security Incident Workflow
How will security analysts respond to incidents?

ArcSight provides multiple methods
– Active channels
– Reports
Workflow—Active Channels
• Primary workflow method for Verizon
• Allows easy access to the security events
• Event annotations for
• Supports distributed SOCs

Workflow—Notifications
• Email based
• Triggered by a rule
• Can use ArcSight web for
– This allows non-security staff who may not use ArcSight regularly to respond to notifications.
• Multiple escalation levels

Workflow—Reports
• Good for weekly, monthly, or bulk investigations
• Policy violations and acceptable use monitoring are great examples

Goal 5—Integrating Incident Management into External Tools
• What do you do once a security incident has been identified in ArcSight?
• Many organizations choose to integrate ArcSight into their own ticketing systems
• Possible ticketing choices
– ArcSight case system
– BMC Remedy
– Internal system

When building a SOC and deploying a SIEM tool, remember the 5 goals:

1. Determine the logging requirements
2. Develop an event analysis strategy
3. Measuring the value
4. Developing a security incident workflow
5. Integrating incident management into external tools

Questions?