ClearSkies SIEM Security-as-a-Service (SecaaS) Infocom Security Athens April 2014

About the Presenters

• Ms. Irene Selia, Product Manager, ClearSkies SecaaS SIEM
  Contact: [email protected], w: +357 22463600

• Mr. Angelos Printezis, ITHACA Labs Team Leader Researcher/Analyst
  Contact: [email protected], w: +30 2106565200

Agenda

1. The Service in a Nutshell
2. Challenges Faced by Organizations Today
3. Addressing Challenges with ClearSkies SecaaS SIEM
4. ClearSkies SecaaS SIEM Overview
5. ClearSkies SIEM Architecture
6. Service Offerings
7. Building Blocks
8. Threat Intelligence powered by ITHACA Labs
9. Supported Vendors
10. Q&A

The Service in a Nutshell

• Efficient and effective Security Information and Event Management (SIEM) is no longer an expensive information security tool that only large and resource-rich organizations can afford.

• The ClearSkies Security-as-a-Service (SecaaS) SIEM platform addresses the need of organizations of any size or industry to manage the wealth of information generated by their networks, systems and applications.

• It does so in a holistic manner and over the cloud, enabling you to enhance your information security and regulatory compliance operations across the board, effectively and cost-efficiently, with virtually zero upfront investment.

Challenges Faced by Organizations Today

• Increase in the frequency, complexity and sophistication of threats and attacks against your networks, systems and applications

• The complexity of Internet and Intranet applications

• Complying with legal and regulatory frameworks and reporting requirements

• Maintaining in-house Information Security expertise

• As a result... minimizing the Risk of Information Security loss

Addressing Challenges with ClearSkies SecaaS SIEM

• Secure, private-cloud access to a feature-rich SIEM platform that addresses the needs of organizations irrespective of their size, industry, the extent and complexity of their existing information security infrastructure, or their in-house level of expertise

• Fast and intuitive deployment, allowing organizations to reap the benefits of the ClearSkies SecaaS SIEM services in no time

• Access to, and utilization of, our Analysis and Correlation engines, which are constantly updated and enriched with the threat intelligence and knowledge gathered and developed within ITHACA Labs©, our very own world-class Information Security Research and Threat Intelligence Center

• Zero up-front investment

What ClearSkies SecaaS SIEM will help you achieve

• Functional Log and Event Management with a clear view of your overall information security posture at any time

• Instant transformation of raw data into information security intelligence, useful for making informed decisions

• Early identification of suspected or actual incidents, and the ability to address and follow up on them through a structured process

• Effortless preparation of both specialized and ad-hoc reports in no time, enhancing your compliance and business decision support processes

• Maximized knowledge of the latest information security threats and trends by tapping into a unique Information Security and Threat Intelligence knowledge pool

ClearSkies SecaaS SIEM Overview

• Provides organizations which otherwise would not have the necessary resources to maintain an adequate SIEM infrastructure in-house with the opportunity to gain access to such capability in the cloud.

• Enables organizations to:

– Collect, Archive, Normalize, Analyze and Correlate the logs generated by a number of diverse systems and applications

– Effectively and efficiently Monitor and Raise/Assign Incidents for abnormal behavior and suspected threats

– Generate the reports required to demonstrate compliance with legal and regulatory obligations

ClearSkies Architecture “Single Site”

[Architecture diagram. Labels in the figure: ClearSkies Secure Web Portal; Firewall; Switch/Router; Server; Workstation; Database; Customer Premises; Odyssey’s Private Cloud Environment; Log Storage; Threat Intelligence Database; Analysis & Correlation; Log Collector(s); Event Management & Incident Escalation.]

Service Offerings

A holistic approach to Security Information and Event Management

Three service tiers: ClearSkies SIEM Standard, ClearSkies SIEM Plus and ClearSkies SIEM Premium. The service levels shown on the slide are:

• Security As A Service “SecaaS” (perform Log Review, Analysis and Event Management)

• Security As A Service “SecaaS” with Daily Log Review (Daily Log Review, Analysis and Event Management)

• Security As A Service “SecaaS” with 24/7/365 Log Analysis and Event Management (Managed Security Services in a Hybrid model)

Building Blocks

Building Blocks - Collect

• Collect Raw Logs generated by diverse systems, applications and/or security devices:

– Syslog

– SNMP messages

– Database

– Windows

– Security

– NetFlow

– Other…

• Development/updating of our collection mechanism to support in-house/custom applications or other log sources/formats

Building Blocks - Archive

• Archive of the raw logs collected:

– During this process the Archive mechanism compresses and “digitally signs” the raw logs collected.

Note: the compression ratio of the raw logs collected is up to 5 to 1 (80%)

• The checksum of the compressed file is then calculated using a hashing algorithm (SHA-1, MD5). The checksum is encrypted with the Collector’s Private Key.

– The encrypted checksum is saved to a database for future use.

– At any given time, it can be verified that the Raw Logs collected are intact (not tampered with) by using the Public Key.
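The compress, hash, sign and verify sequence of the Archive step (also the Archive item of the Building Blocks summary later in the deck), as an added example that is not ClearSkies or Odyssey code. It assumes gzip for compression, SHA-256 for the checksum and an Ed25519 signature in place of the slide's SHA-1/MD5 checksum "encrypted with the collector's private key": MD5 and SHA-1 have known collision attacks, so a deployment that relies on the checksum for tamper evidence should use SHA-256 or stronger. The key pair, the in-memory record and the sample log batch are constructed for the example.

```go
package main

// Added example, not ClearSkies/Odyssey code: the Archive step as a
// compress -> hash -> sign -> store -> verify pipeline. Assumptions: gzip,
// SHA-256 and Ed25519 stand in for the slide's compression, SHA-1/MD5
// checksum and "checksum encrypted with the collector's private key".

import (
	"bytes"
	"compress/gzip"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// ArchiveRecord is what the collector persists for one batch of raw logs:
// the compressed file plus the digest and signature stored "for future use".
type ArchiveRecord struct {
	Compressed []byte
	Digest     []byte // SHA-256 of Compressed
	Signature  []byte // Ed25519 signature over Digest by the collector key
}

// NewCollectorKey generates the collector's signing key pair (constructed
// here; in practice the private key never leaves the collector).
func NewCollectorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func compress(raw []byte) ([]byte, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(raw); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// Archive compresses one batch, hashes the compressed bytes and signs the hash.
func Archive(raw []byte, priv ed25519.PrivateKey) (ArchiveRecord, error) {
	comp, err := compress(raw)
	if err != nil {
		return ArchiveRecord{}, err
	}
	sum := sha256.Sum256(comp)
	return ArchiveRecord{Compressed: comp, Digest: sum[:], Signature: ed25519.Sign(priv, sum[:])}, nil
}

// Verify recomputes the digest of the stored file and checks the signature
// with the public key. A changed file fails the digest check; a file and
// digest replaced together still fail, because the signature was made with
// the collector's private key.
func Verify(rec ArchiveRecord, pub ed25519.PublicKey) bool {
	sum := sha256.Sum256(rec.Compressed)
	return bytes.Equal(sum[:], rec.Digest) && ed25519.Verify(pub, rec.Digest, rec.Signature)
}

// CompressionRatio returns raw size over compressed size (5.0 means "5 to 1").
func CompressionRatio(raw, compressed []byte) float64 {
	return float64(len(raw)) / float64(len(compressed))
}

// SampleLogs is a constructed, repetitive firewall log batch.
func SampleLogs() []byte {
	var sb strings.Builder
	for i := 0; i < 200; i++ {
		fmt.Fprintf(&sb, "Apr 10 09:%02d:00 fw01 kernel: DROP IN=eth0 SRC=10.0.0.%d DST=10.0.1.5 PROTO=TCP DPT=445\n", i%60, i%256)
	}
	return []byte(sb.String())
}

func main() {
	pub, priv := NewCollectorKey()
	raw := SampleLogs()
	rec, err := Archive(raw, priv)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ratio %.1f:1, intact=%v\n", CompressionRatio(raw, rec.Compressed), Verify(rec, pub))
	rec.Compressed[len(rec.Compressed)/2] ^= 0x01 // simulate one flipped byte in the archive
	fmt.Println("after tampering intact =", Verify(rec, pub))
}
```

Running it prints the compression ratio and the verification verdict before and after a single byte of the archived file is flipped. Because the signature covers the digest rather than the file, the check stays cheap (one hash plus one signature verification per batch), and the stored digest alone is not enough to re-sign a substituted file without the collector's private key, which is the property the slide relies on.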

Building Blocks - Normalize

• Logs from different networks, systems, applications and vendors are formatted in different ways, even when the events they describe are semantically equivalent.

• Collected logs are normalized and stored in a common schema at the time of data collection, for further processing and for ad hoc search and reporting.

• Analysis and Correlation are designed to present these logs in a unified view across heterogeneous vendor data formats.
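How a normalization step maps vendor-specific lines onto one common schema, as an added example that is not the product's code. The two input formats (a key=value firewall line and a CSV Windows-style export), the vendor names, the event-ID meanings, the dispatch rule and the year assumed for syslog timestamps (which carry none) are all constructed for the example; lines that match no parser are reported rather than dropped, so they can still be archived.

```go
package main

// Added example, not ClearSkies/Odyssey code: the Normalize step. Two constructed
// input formats are mapped into one schema so the same action means the same thing
// whichever device produced it. Formats, vendor names, event-ID meanings and the
// year assumed for syslog timestamps are all assumptions made for this example.

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// NormalizedEvent is the common schema every source is mapped into.
type NormalizedEvent struct {
	Timestamp          time.Time
	Source, Vendor     string // producing device and its vendor
	Action             string // "deny", "allow", "logon_failure", ...
	SrcIP, DstIP, User string
	DstPort            int
	Raw                string // original line, kept for archive and forensics
}

// Format A (constructed): "Apr 10 09:00:01 fw01 fw: action=deny src=10.0.0.7 dst=10.0.1.5 dport=445"
var fwRe = regexp.MustCompile(`^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) fw: action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)$`)
const assumedYear = 2014 // syslog timestamps carry no year
// Format B (constructed): "2014-04-10T09:00:05Z,dc01,4625,jsmith,10.0.0.7".
// Event-ID meanings assumed for the example: 4624 logon success, 4625 logon failure.
var winActions = map[string]string{"4624": "logon_success", "4625": "logon_failure"}

func normalizeFirewall(line string) (NormalizedEvent, error) {
	m := fwRe.FindStringSubmatch(line)
	if m == nil {
		return NormalizedEvent{}, fmt.Errorf("firewall format: no match")
	}
	ts, err := time.Parse("2006 Jan _2 15:04:05", fmt.Sprintf("%d %s", assumedYear, m[1]))
	if err != nil {
		return NormalizedEvent{}, err
	}
	port, _ := strconv.Atoi(m[6]) // the pattern guarantees digits
	return NormalizedEvent{Timestamp: ts, Source: m[2], Vendor: "fw-vendor", Action: m[3],
		SrcIP: m[4], DstIP: m[5], DstPort: port, Raw: line}, nil
}

func normalizeWindows(line string) (NormalizedEvent, error) {
	f := strings.Split(line, ",")
	if len(f) != 5 {
		return NormalizedEvent{}, fmt.Errorf("windows format: expected 5 fields")
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return NormalizedEvent{}, err
	}
	action, ok := winActions[f[2]]
	if !ok {
		action = "event_" + f[2] // unknown IDs are kept, not dropped
	}
	return NormalizedEvent{Timestamp: ts, Source: f[1], Vendor: "windows", Action: action,
		SrcIP: f[4], User: f[3], Raw: line}, nil
}

// Normalize picks a parser with a cheap format probe and maps the line into the schema.
func Normalize(line string) (NormalizedEvent, error) {
	switch {
	case strings.Contains(line, " fw: "):
		return normalizeFirewall(line)
	case strings.Count(line, ",") == 4:
		return normalizeWindows(line)
	}
	return NormalizedEvent{}, fmt.Errorf("unrecognised format: %q", line)
}

// NormalizeAll returns the parsed events and the lines that did not parse.
func NormalizeAll(lines []string) (events []NormalizedEvent, unparsed []string) {
	for _, l := range lines {
		if ev, err := Normalize(l); err == nil {
			events = append(events, ev)
		} else {
			unparsed = append(unparsed, l)
		}
	}
	return events, unparsed
}

// SampleLines is a constructed batch mixing both formats and one unknown line.
var SampleLines = []string{
	"Apr 10 09:00:01 fw01 fw: action=deny src=10.0.0.7 dst=10.0.1.5 dport=445",
	"2014-04-10T09:00:05Z,dc01,4625,jsmith,10.0.0.7",
	"Apr 10 09:00:09 fw01 fw: action=allow src=10.0.0.8 dst=10.0.1.5 dport=443",
	"this line is from an unsupported device",
}

func main() {
	events, unparsed := NormalizeAll(SampleLines)
	for _, e := range events {
		fmt.Printf("%s %-8s %-14s src=%s dst=%s:%d user=%s\n", e.Timestamp.Format(time.RFC3339), e.Vendor, e.Action, e.SrcIP, e.DstIP, e.DstPort, e.User)
	}
	fmt.Println("unparsed lines:", len(unparsed))
}
```

The two parsers fill different fields (a firewall line has no user, a logon event has no destination port), which is normal: the schema is the union of what the sources can say, and the correlation stage only relies on the fields a given rule needs. Keeping the raw line in the record is what lets the archived copy be matched back to the normalized one.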

Building Blocks - Analyze

Actuate the process of Threat Intelligence for Analysis.

What is Threat Intelligence (TI)?

• Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.

• Threat Intelligence is all about collecting, refining, analyzing, and prioritizing vast quantities of data in order to enable a tactical decision to be made about your defenses.

Building Blocks - Threat Analysis through Intelligence

Perform an evidence-based evaluation of the security events for detecting and responding to threats effectively.

Key benefits:

• Focus on the most severe security events based on their actual technical and business impact.

• Evaluate the risks based on evidence and decide on what precautions need to be taken.

• Continuously evaluate the effectiveness of the current security controls against emerging threats.

Building Blocks - Threat Intelligence Methodology

Obtain evidence-based intelligence on events and activities for estimating the business risk.

[Methodology diagram. Labels in the figure: Risk calculation; Threat mitigation; Reporting module (FW, IPS, Endpoint); Automated actions (Block, Detect, Quarantine); Global Reputation; Suspicious characteristics; Vulnerability Exposure (NVD, VA Scans); Asset Value; Affected products; CVE References; Exploitability; Duration.]

Building Blocks – Analyze (Pre Correlation)

During the analysis, the following data activities are performed:

• Link: Delivers insights above and beyond those of individual feeds stored independently.

• Enrich: Enables us to link and relate better, and also provides a way to validate weak TI signals.

• Relate: Discover new threat activities and expand the scope of the organization’s response process.

• Validate: TI is matched against known industry blacklists, which enables us to either promote or demote some pieces of intelligence.

• Contextualize: Make TI data more relevant to the organization.

• Tag: Collected events (logs) are tagged with this information, such as Relevant/Not Relevant to the Target Host.

• Risk Calculation: A Risk Index is calculated based on the outcome of the above process.

Building Blocks – Correlate

• Correlate Normalized Logs to identify Malicious and/or Misuse activity based on:

– Threat Intelligence (Analysis Phase)

– CVSS 2.0 (Common Vulnerability Scoring System) (Analysis Phase)

– Vulnerabilities that may exist on the target Host: vulnerability information from Nessus and Acunetix, with support for other Vulnerability Assessment tools

– Statistical & Behavioral Analysis

• The output of the Analysis phase is used during the correlation phase.

Building Blocks – Correlation Methodology

Edit/Add Correlation Rules:

1st step: Number of events detected within a time interval.

2nd step: Pattern/Behavior Identification (DoS, Web-specific, Service Probing, ...).

3rd step: Asset Vulnerabilities vs. Attacks.

4th step: Continuous monitoring of suspicious activity, including IP, type, etc.

5th step: Use the existing Correlation rules provided, or develop your own.

Threat Intelligence inputs: IP Reputation, Malware sites, Anonymous Proxies, ...
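The correlation steps above (number of events within a time interval, asset vulnerabilities vs. attacks) together with the pre-correlation Relevant/Not Relevant tag and Risk Index, as one added example that is not ClearSkies code. It takes already-normalized events, counts them per source, destination and port inside a sliding window, checks the attacked port against the target's known vulnerabilities, and scores the result with a weighting of source reputation, asset value and CVSS. The rule, the weights, the asset inventory, the reputation scores and the CVSS value are all assumptions constructed for the example; the product's own formula is not given on the slides.

```go
package main

// Added example, not ClearSkies/Odyssey code: correlation steps 1 and 3 plus
// the pre-correlation Relevant/Not Relevant tag and a Risk Index. Rule,
// weights, inventory, reputation scores and CVSS values are all constructed.

import (
	"fmt"
	"sort"
	"time"
)

// Event is the subset of the normalized schema this rule needs.
type Event struct {
	Time         time.Time
	SrcIP, DstIP string
	DstPort      int
	Action       string
}

// Asset: business value (0..1, assumed scale) and known vulnerabilities as port -> CVSS 2.0 score.
type Asset struct{ Value float64; Vulns map[int]float64 }

// ThresholdRule fires when at least Count events with Action, from one source to
// one destination service, fall inside some interval of length Window.
type ThresholdRule struct{ Action string; Count int; Window time.Duration }

type Incident struct {
	SrcIP, DstIP    string
	DstPort, Hits   int
	Relevant        bool    // the target has a known vulnerability on the attacked port
	CVSS, RiskIndex float64 // RiskIndex is 0..100
}

type flowKey struct{ src, dst string; port int }

// countInWindow returns the largest number of ascending timestamps that fall
// inside any interval of length window (step 1 of the methodology).
func countInWindow(times []time.Time, window time.Duration) int {
	best, j := 0, 0
	for i := range times {
		for times[i].Sub(times[j]) > window {
			j++
		}
		if n := i - j + 1; n > best {
			best = n
		}
	}
	return best
}

// Correlate applies one threshold rule, tags each hit against the asset
// inventory (step 3) and returns incidents sorted by risk, highest first.
func Correlate(events []Event, r ThresholdRule, assets map[string]Asset, reputation map[string]float64) []Incident {
	groups := map[flowKey][]time.Time{}
	for _, e := range events {
		if e.Action == r.Action {
			k := flowKey{e.SrcIP, e.DstIP, e.DstPort}
			groups[k] = append(groups[k], e.Time)
		}
	}
	var out []Incident
	for k, ts := range groups {
		sort.Slice(ts, func(a, b int) bool { return ts[a].Before(ts[b]) })
		hits := countInWindow(ts, r.Window)
		if hits < r.Count {
			continue
		}
		inc := Incident{SrcIP: k.src, DstIP: k.dst, DstPort: k.port, Hits: hits}
		asset := assets[k.dst] // unknown host: zero value, no vulnerabilities
		if cvss, ok := asset.Vulns[k.port]; ok {
			inc.Relevant, inc.CVSS = true, cvss
		}
		// Assumed weighting, not the product's formula: 40% source reputation,
		// 30% asset value, 30% CVSS share (zero unless the service is vulnerable).
		inc.RiskIndex = 40*reputation[k.src] + 30*asset.Value + 30*inc.CVSS/10
		out = append(out, inc)
	}
	sort.Slice(out, func(a, b int) bool { return out[a].RiskIndex > out[b].RiskIndex })
	return out
}

// Constructed inputs: one rule, one inventoried host, two reputation entries.
var Rule = ThresholdRule{Action: "deny", Count: 5, Window: 60 * time.Second}
var Assets = map[string]Asset{"10.0.1.5": {Value: 0.8, Vulns: map[int]float64{445: 9.3}}}
var Reputation = map[string]float64{"10.0.0.7": 0.9, "10.0.0.9": 0.1}

// SampleEvents: a burst at a vulnerable service, a burst at a non-vulnerable
// service on the same host, and a slow trickle that never meets the threshold.
func SampleEvents() []Event {
	base := time.Date(2014, 4, 10, 9, 0, 0, 0, time.UTC)
	var ev []Event
	burst := func(src, dst string, port, n, stepSec int) {
		for i := 0; i < n; i++ {
			ev = append(ev, Event{base.Add(time.Duration(stepSec*i) * time.Second), src, dst, port, "deny"})
		}
	}
	burst("10.0.0.7", "10.0.1.5", 445, 6, 5) // 6 denies within 25 s
	burst("10.0.0.9", "10.0.1.5", 80, 5, 2)  // 5 denies within 8 s, port not vulnerable
	burst("10.0.0.8", "10.0.1.9", 22, 5, 40) // 40 s apart: at most 2 per 60 s window
	return append(ev, Event{base, "10.0.0.7", "10.0.1.5", 443, "allow"}) // ignored by the rule
}

func main() {
	for _, inc := range Correlate(SampleEvents(), Rule, Assets, Reputation) {
		fmt.Printf("%s -> %s:%d hits=%d relevant=%v cvss=%.1f risk=%.1f\n", inc.SrcIP, inc.DstIP, inc.DstPort, inc.Hits, inc.Relevant, inc.CVSS, inc.RiskIndex)
	}
}
```

On the constructed input, the burst against port 445 of the host with a known 9.3 vulnerability is tagged Relevant and lands on top; the burst against port 80 of the same host still counts as an incident but is tagged Not Relevant and scored much lower; the slow trickle never places five events inside one 60-second window and produces nothing. That ordering, not the absolute numbers, is the point of the Risk Index: the analyst sees the event where the attack and the exposure coincide first.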

Building Blocks – Incident Escalation

• Incidents raised must be assigned to specific user(s) or a group of users

• By default, when an incident is assigned to specific user(s) or a group, an email message providing detailed information is sent to these users.

• User(s) or groups of users can be configured to receive Push Notifications on their iOS and Android smartphones and/or tablets using Odyssey’s App*

*The iOS and Android App can be downloaded from the iTunes and Google Play stores or by visiting our web site http://www.odysseyconsultants.com/WhoWeAre/CompanyOverview/tools/

Building Blocks – Summary

• Collect Raw Logs generated by diverse systems, applications and/or security devices

• Archive the Raw Logs collected:

– During this process the Collector digitally signs and compresses the Raw Logs collected, using a high-ratio compression of up to 80%.

• Normalize the Raw Logs collected (prepare the logs for Analysis)

• Analyze the Normalized Logs against the Threat Intelligence provided by ITHACALabs®:

– IP Reputation

– Anonymous Proxies

– Malware

– Bots/Zombies (Command & Control)

– Dynamic DNS Assignment (NoIP)

• Correlate the Normalized Logs to identify Malicious and/or Misuse activities based on:

– Threat intelligence (the outcome of the Analysis phase)

– CVSS 2.0 (Common Vulnerability Scoring System)

– Relevance of the attack based on the Asset Information/Characteristics (Operating System, Application Vendor and Version, Vulnerabilities Present)

– Statistical & Behavioral Analysis

• Incident Escalation

Supported Vendors/Devices for Log Collection

Do You Have Any Questions?

THANK YOU!