
Building a SOC

Maximizing the Value of a SIEM Implementation

Matt Shelton, Principal Engineer, Managed Security Solutions
Jim Pasquale, Director, Managed Security Solutions
Month 00, 2009

© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09


Verizon Business Security Solutions
• One of the largest global providers of managed
information security services
• More than 3,400 customers worldwide
• We serve the majority of the Fortune 100 and the
top 100 companies in Forbes’ Global 2000
• A leading PCI compliance program
• A leading portfolio of identity management
• A leading forensics practice
• First information security certification program
(1997)
• ICSA Labs—recognized provider of information
security product testing and certification
www.arcsight.com © 2009 ArcSight Confidential 3
Market Analyst View
• The Magic Quadrant is copyrighted 2009 by Gartner Inc. and is reused with permission
(Figure: Gartner Magic Quadrant for MSSPs, North America)
• Graphical representation of a marketplace at and for a specific time period—depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace
•Gartner does not endorse any vendor, product or service
depicted in the Magic Quadrant and does not advise
technology users to select only those vendors placed in
the Leaders quadrant
•The Magic Quadrant is intended solely as a research tool
and is not meant to be a specific guide to action; Gartner
disclaims all warranties, expressed or implied, with
respect to this research, including any warranties of
merchantability or fitness for a particular purpose
•The Magic Quadrant graphic was published by Gartner,
Inc., as part of a larger research note and should be
evaluated in the context of the entire report.
•The Gartner report is available upon request from Verizon
Business
Verizon Business SIEM Expertise
• 10 years of experience in the SIEM market
• Presented at the 2007, 2008, and 2009
ArcSight User Conferences
• Participant in the Washington DC
ArcSight User Group
• Provide professional services for ArcSight
• Manage and monitor SIEM environments
using ArcSight



Goal 1—Determine Logging Requirements
•Compliance
–PCI, HIPAA, SOX, GLBA, FISMA, etc.

•Retention
–Online
–Offline

•Security Policy



Choose Data Feeds Wisely!

• More data does not always lead to better security!
• Be careful logging the following
–Firewalls
–Routers
–Switches
Remember: ArcSight Logger
is optimized for data storage
and retention and ArcSight
ESM shines at event
management—know the
strengths of each product!
Goal 2—Develop an Event Analysis Strategy

The 4 CIAP principles can serve as the basis of an event analysis strategy

–Confidentiality: The limiting of data to certain places or people
–Integrity: Trusting the validity of the data
–Availability: Accessing the data when, where, and how it is expected
–Policy: Specific organization-defined rules



Example CIAP Use Cases

–Confidentiality: SQL injection, Zeus trojan
–Integrity: Password brute force attacks, cross-site scripting
–Availability: Denial of service, Microsoft service worm
–Policy: Peer-to-peer traffic, unauthorized VoIP traffic



Use Case Sources
Sources
–SANS top 20 security vulnerabilities
–SANS top 25 programming errors
–SANS 20 most critical security controls

SANS Top 20                           | Primary Use Case                      | Secondary Use Case
--------------------------------------|---------------------------------------|----------------------------------
Operating Systems                     |                                       |
W1. Internet Explorer                 | Browser Jacking, NetIntel Hit         | Backdoor Traffic, IRC Activity
W2. Windows Libraries                 | Microsoft Advisory                    | Microsoft Service Worm
W3. Microsoft Office                  | Application Vuln, Microsoft Advisory  | MessageLabs Verizon SMTP Service!
W4. Windows Services                  | Microsoft Advisory                    | Microsoft Service Worm
W5. Windows Configuration Weaknesses  | Policy Violation (AUP)                | Brute Force
M1. Mac OS X                          | Browser Jacking                       |
U1. UNIX Configuration Weaknesses     | Brute Force, Attack Responses         | SSH Sweeps, /etc/passwd Attacks



Goal 3—Measuring the Value
Two types of reports
1. Executive reports
» Graphics
» High level
» Events processed vs. incidents
investigated
» Event distribution by
location/region/business unit
» Events and incidents per month
2. Operational reports
» SANS top 5 essential log reports
» Attempts to gain access through
existing accounts
» Failed file or resource access attempts
» Unauthorized changes to users,
groups, and services
» Systems most vulnerable to attack
» Suspicious or unauthorized network
traffic patterns
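The executive and operational measures listed above, as an added example (not ArcSight's or Verizon's own code) computed in Python over a constructed set of normalized events; the field names (region, type, outcome, user, exists, actor, incident) and the approved-administrator set are assumptions made for this example.

```python
from collections import Counter

# Constructed sample events, normalized to flat dicts. Field names are
# assumptions for this example, not ArcSight's event schema.
EVENTS = [
    {"region": "NA",   "type": "logon",        "outcome": "failure", "user": "jdoe",          "exists": True,  "actor": None,         "incident": "INC-1"},
    {"region": "NA",   "type": "logon",        "outcome": "failure", "user": "jdoe",          "exists": True,  "actor": None,         "incident": "INC-1"},
    {"region": "NA",   "type": "logon",        "outcome": "failure", "user": "jdoe",          "exists": True,  "actor": None,         "incident": "INC-1"},
    {"region": "EMEA", "type": "logon",        "outcome": "failure", "user": "guest99",       "exists": False, "actor": None,         "incident": None},
    {"region": "EMEA", "type": "logon",        "outcome": "success", "user": "asmith",        "exists": True,  "actor": None,         "incident": None},
    {"region": "APAC", "type": "group_change", "outcome": "success", "user": "Domain Admins", "exists": True,  "actor": "svc_backup", "incident": "INC-2"},
    {"region": "APAC", "type": "group_change", "outcome": "success", "user": "Helpdesk",      "exists": True,  "actor": "admin.kim",  "incident": None},
    {"region": "NA",   "type": "file_access",  "outcome": "failure", "user": "jdoe",          "exists": True,  "actor": None,         "incident": None},
]

# Constructed: accounts allowed to change users, groups and services.
APPROVED_ADMINS = {"admin.kim"}

def executive_summary(events):
    """Executive report: events processed vs. incidents investigated,
    plus event distribution by region."""
    incidents = {e["incident"] for e in events if e["incident"]}
    return {
        "events_processed": len(events),
        "incidents_investigated": len(incidents),
        "by_region": dict(Counter(e["region"] for e in events)),
    }

def access_through_existing_accounts(events, threshold=3):
    """Operational report: failed logons against accounts that actually
    exist (guesses at non-existent names are excluded), per account,
    reported once the count reaches the threshold."""
    fails = Counter(
        e["user"] for e in events
        if e["type"] == "logon" and e["outcome"] == "failure" and e["exists"]
    )
    return {user: n for user, n in fails.items() if n >= threshold}

def unauthorized_changes(events, approved=APPROVED_ADMINS):
    """Operational report: user, group or service changes made by any
    actor outside the approved administrator set."""
    return [
        (e["actor"], e["user"]) for e in events
        if e["type"] in ("user_change", "group_change", "service_change")
        and e["actor"] not in approved
    ]
```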
Goal 4—Developing a Security Incident Workflow
How will security analysts respond to incidents?

ArcSight provides multiple methods
–Active channels
–Notifications
–Reports
Workflow—Active Channels
• Primary workflow
method for Verizon
Business
• Allows easy access to
the security events
• Event annotations for
accountability
• Supports distributed
SOCs



Workflow—Escalations
• Email based
• Triggered by a rule
• Can use ArcSight Web for
acknowledgements
–This allows non-security
staff who may not use
ArcSight regularly to
respond to notifications.
• Multiple escalation levels
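An added example, not ArcSight's own notification code, modelling the escalation ladder described above in Python: a rule fires, level 0 is emailed immediately, and each further level is emailed only if the previous level's acknowledgement window expires unacknowledged. The recipients, window lengths and the Notification fields are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Notification:
    rule: str                       # name of the rule that fired
    fired_min: int                  # minute (from an arbitrary epoch) the rule fired
    acked_by: Optional[str] = None  # who acknowledged via the web link
    acked_min: Optional[int] = None

# Constructed policy: (recipient, minutes to wait for an acknowledgement
# before emailing the next level). Level 0 is the SOC; later levels are
# non-security staff who acknowledge through the web interface.
POLICY = [
    ("soc-l1@example.com", 15),
    ("server-owner@example.com", 30),
    ("it-manager@example.com", 0),  # last level: nothing further to escalate to
]

def acknowledge(notif, who, at_min):
    """Record the first acknowledgement only; later clicks do not reset it."""
    if notif.acked_min is None:
        notif.acked_by, notif.acked_min = who, at_min
    return notif

def escalation_timeline(notif, policy, now_min):
    """Return [(level, recipient, send_minute)] for every escalation email
    due by now_min. Level 0 is sent when the rule fires; level n is sent
    only if level n-1's window expired with no acknowledgement (an ack
    landing exactly at the deadline counts as in time)."""
    timeline, due = [], notif.fired_min
    for level, (recipient, window_min) in enumerate(policy):
        acked_in_time = notif.acked_min is not None and notif.acked_min <= due
        if due > now_min or (level > 0 and acked_in_time):
            break
        timeline.append((level, recipient, due))
        due += window_min
    return timeline

def exhausted(notif, policy, now_min):
    """True when every level has been emailed, the final window has passed
    and nobody acknowledged: the case to surface on an active channel."""
    deadline = notif.fired_min + sum(window for _, window in policy)
    return notif.acked_min is None and now_min >= deadline
```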



Workflow—Reports
• Good for weekly, monthly, or bulk investigations
• Policy violations and acceptable use monitoring are
great examples



Goal 5—Integrating Incident Management into External Tools
• What do you do once a security incident has been identified in ArcSight?
• Many organizations choose to integrate ArcSight into their own ticketing systems
• Possible ticketing choices
–ArcSight case system
–BMC Remedy
–Internal system



Summary
When building a SOC and deploying a SIEM tool,
remember the 5 goals

1. Determine the logging requirements
2. Develop an event analysis strategy
3. Measuring the value
4. Developing a security incident workflow
5. Integrating incident management into external tools

Questions?