About the Presenters
• Ms. Irene Selia, Product Manager, ClearSkies SecaaS SIEM
Contact: [email protected], w: +357 22463600
• Mr. Angelos Printezis, ITHACA Labs Team Leader Researcher/Analyst
Contact: [email protected], w: +30 2106565200
Agenda
1. The Service in a Nutshell
2. Challenges Faced by Organizations Today
3. Addressing Challenges with ClearSkies SecaaS SIEM
4. ClearSkies SecaaS SIEM Overview
5. ClearSkies SIEM Architecture
6. Service Offerings
7. Building Blocks
8. Threat Intelligence powered by ITHACA Labs
9. Supported Vendors
10. Q&A
The Service in a Nutshell
• Efficient and effective Security Information and Event Management (SIEM) is no longer an expensive information security tool that only large, resource-rich organizations can afford.
• The ClearSkies Security-as-a-Service (SecaaS) SIEM platform addresses the need of organizations of any size or industry to manage the wealth of information generated by their networks, systems and applications.
• It does so in a holistic manner and over the cloud, enabling you to enhance your information security and regulatory compliance operations effectively and cost-efficiently, across the board and with virtually zero upfront investment.
Challenges Faced by Organizations Today
• Increase in the frequency, complexity and sophistication of threats and attacks against your networks, systems and applications
• The complexity of Internet and Intranet applications
• Complying with legal and regulatory frameworks and reporting requirements
• Maintaining in-house information security expertise
• As a result: minimizing the risk of information security loss
Addressing Challenges with ClearSkies SecaaS SIEM
• Secure, private-cloud access to a feature-rich SIEM platform, which addresses the needs of organizations irrespective of their size, industry, the extent and complexity of their existing information security infrastructure, or their in-house level of expertise
• Fast and intuitive deployment, allowing organizations to reap the benefits of the ClearSkies SecaaS SIEM services in no time
• Access to, and utilization of, our Analysis and Correlation engines, which are constantly updated and enriched with the threat intelligence and knowledge gathered and developed within ITHACA Labs©, our very own world-class Information Security Research and Threat Intelligence Center
• Zero up-front investment
What ClearSkies SecaaS SIEM will help you achieve
• Functional log and event management, with a clear view of your overall information security posture at any time
• Instant transformation of raw data into information security intelligence, useful for making informed decisions
• Early identification of suspected or actual incidents, and the ability to address and follow up on them through a structured process
• Effortless preparation of both specialized and ad-hoc reports in no time, enhancing your compliance and business decision support processes
• Maximized knowledge of the latest information security threats and trends, by tapping into a unique Information Security and Threat Intelligence knowledge pool
ClearSkies SecaaS SIEM Overview
• Provides organizations which otherwise would not have the necessary resources to maintain an adequate SIEM infrastructure in-house with the opportunity to gain access to such capability in the cloud.
• Enables organizations to:
– Collect, Archive, Normalize, Analyze and Correlate the logs generated by a number of diverse systems and applications
– Effectively and efficiently Monitor, and Raise/Assign Incidents for, abnormal behavior and suspected threats
– Generate the reports required to demonstrate compliance with legal and regulatory obligations
ClearSkies Architecture “Single Site”
[Architecture diagram; labels recovered from the slide]
Customer Premises: Firewall, Switch/Router, Server, Workstation, Database
Log Collector(s)
Odyssey’s Private Cloud Environment: Log Storage, Threat Intelligence Database, Analysis & Correlation, Event Management & Incident Escalation, ClearSkies Secure Web Portal
Service Offerings
A holistic approach to Security Information and Event Management
Service tiers: ClearSkies SIEM Standard, ClearSkies SIEM Plus, ClearSkies SIEM Premium
Offering levels:
• Security As A Service “SecaaS” with Daily Log Review (with Daily Log Review, Analysis and Event Management)
• Security As A Service “SecaaS” (perform Log Review, Analysis and Event Management)
• Security As A Service “SecaaS” with 24/7/365 Log Analysis and Event Management (Managed Security Services in a Hybrid model)
Building Blocks – Collect
• Collect raw logs generated by diverse systems, applications and/or security devices:
– Syslog
– SNMP messages
– Database
– Windows
– Security
– NetFlow
– Other
• Development/updating of our collection mechanism to support in-house/custom applications or other log sources/formats
Building Blocks – Archive
• Archive the raw logs collected:
– During this process the Archive mechanism compresses and “digitally signs” the raw logs collected.
Note: compression ratio of the raw logs collected up to 5 to 1 (80%)
• The checksum of the compressed file is then calculated using a hashing algorithm (SHA-1, MD5), and the checksum is encrypted with the Collector’s Private Key.
– The encrypted checksum is saved to a database for future use.
– At any given time it can be verified, using the Collector’s Public Key, that the raw logs collected are intact (not tampered with).
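The compress, hash, sign-with-private-key and verify-with-public-key flow described above, as an added example in Go (not ClearSkies' own code): it gzip-compresses a constructed log batch, hashes the compressed blob, signs the digest with a collector RSA key, and later verifies the stored blob with the public key. It uses SHA-256 rather than the SHA-1/MD5 named on the slide, because neither of those is collision-resistant any more; the key, the log line and the archive layout are assumptions.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedArchive is the stored record: the compressed raw-log batch plus the
// collector's signature over its digest (the slide's "encrypted checksum").
type SignedArchive struct {
	Compressed []byte
	Signature  []byte
}

// ArchiveLogs gzip-compresses a raw-log batch, hashes the compressed blob
// and signs the SHA-256 digest with the collector's private key.
func ArchiveLogs(raw []byte, collectorKey *rsa.PrivateKey) (*SignedArchive, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(raw) // in-memory target cannot fail; Close reports any gzip error
	if err := zw.Close(); err != nil {
		return nil, err
	}
	digest := sha256.Sum256(buf.Bytes())
	sig, err := rsa.SignPKCS1v15(rand.Reader, collectorKey, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedArchive{Compressed: buf.Bytes(), Signature: sig}, nil
}

// VerifyArchive recomputes the digest of the stored blob and checks the
// signature with the collector's public key; false if either was altered.
func VerifyArchive(a *SignedArchive, pub *rsa.PublicKey) bool {
	digest := sha256.Sum256(a.Compressed)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], a.Signature) == nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // assumed collector key
	a, _ := ArchiveLogs([]byte("<34>Oct 11 22:14:15 fw01 kernel: DROP SRC=10.0.0.5\n"), key) // constructed line
	ok := VerifyArchive(a, &key.PublicKey)
	a.Compressed[len(a.Compressed)-1] ^= 0xff // simulate tampering with the stored blob
	fmt.Println("intact:", ok, "after tamper:", VerifyArchive(a, &key.PublicKey))
}
```

Only the signature is stored alongside the blob; the private key never leaves the collector, so anyone holding the public key can audit the archive without being able to re-sign a modified one.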
Building Blocks – Normalize
• Logs from different networks, systems, applications and vendors are formatted in different ways, even when the events they describe are semantically equivalent.
• Logs collected are normalized and stored in a common schema at the time of collection, for further processing and for ad-hoc search and reporting.
• Analysis and Correlation are designed to present these logs in a unified view across heterogeneous vendor data formats.
Building Blocks – Analyze
Actuate the process of Threat Intelligence for Analysis.
What is Threat Intelligence (TI)?
• Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.
• Threat Intelligence is all about collecting, refining, analyzing, and prioritizing vast quantities of data in order to enable a tactical decision to be made about your defenses.
Building Blocks – Threat Analysis through Intelligence
Perform an evidence-based evaluation of the security events for detecting and responding to threats effectively.
Key benefits:
• Focus on the most severe security events based on their actual technical and business impact.
• Evaluate the risks based on evidence and decide on what precautions need to be taken.
• Continuously evaluate the effectiveness of the current security controls against emerging threats.
Building Blocks – Threat Intelligence Methodology
Obtain evidence-based intelligence on events and activities for estimating the business risk.
[Methodology diagram; labels recovered from the slide: Risk calculation; Threat mitigation; Reporting module (FW, IPS, Endpoint); Automated actions (Block, Detect, Quarantine); Global Reputation; Suspicious characteristics; Vulnerability Exposure (NVD, VA Scans); Asset Value; Affected products; CVE References; Exploitability; Duration]
Building Blocks – Analyze (Pre Correlation)
During the analysis, the following data activities are performed:
• Link: Delivers insights above and beyond those of individual feeds stored independently.
• Enrich: Enables us to link and relate better, and also provides a way to validate weak TI signals.
• Relate: Discover new threat activities and expand the scope of the organization’s response process.
• Validate: TI is matched against known industry blacklists, which enables us to either promote or demote pieces of intelligence.
• Contextualize: Make TI data more relevant to the organization.
• Tag: Collected events (logs) are tagged with this information, such as Relevant/Not Relevant to the Target Host.
• Risk Calculation: The Risk Index is calculated based on the outcome of the above process.
Building Blocks – Correlate
• Correlate Normalized Logs to identify Malicious and/or Misuse activity based on:
– Threat Intelligence (Analysis Phase)
– CVSS 2.0 (Common Vulnerability Scoring System) (Analysis Phase)
– Vulnerabilities that may exist on the target Host: vulnerability information from Nessus and Acunetix, with support for other Vulnerability Assessment tools
– Statistical & Behavioral Analysis
• The output of the Analysis phase is used during the Correlation phase.
Building Blocks – Correlation Methodology
1st step: Number of events detected within a time interval
2nd step: Pattern/Behavior identification (DoS, Web-specific, Service Probing)
3rd step: Asset Vulnerabilities vs Attacks
4th step: Continuous monitoring of suspicious activity, including IP, type, etc.
5th step: Use the existing Correlation rules provided, or develop your own (Edit/Add Correlation Rules)
Threat Intelligence inputs: IP Reputation, Malware sites, Anonymous Proxies…
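The first and third steps above, as an added illustration in Go (not ClearSkies' own correlation engine): a sliding-window count of events per source raises an incident once a threshold is met inside the interval, and the incident is marked Relevant only when the vulnerability-assessment data lists the targeted CVE on the destination host, which is the "Relevant/Not Relevant to the Target Host" tag from the Analysis phase. The event schema, the threshold and window, the IP addresses and the CVE identifier are constructed placeholders.

```go
package main

import (
	"fmt"
	"time"
)

// Event is a normalized log record from the Normalize step; CVE is the
// vulnerability the matched signature targets ("" if none).
type Event struct{ Time time.Time; SrcIP, DstIP, CVE string }

// Incident: Count events from SrcIP fell inside one window; Relevant is true
// when the destination host actually carries a CVE that the burst targeted.
type Incident struct{ SrcIP string; Count int; Relevant bool }

// Correlate implements step 1 (at least threshold events from one source inside
// a sliding window) and step 3 (asset vulnerabilities vs attacks). Events must
// be in time order; assetVulns maps host IP -> CVEs reported by VA scans.
func Correlate(events []Event, window time.Duration, threshold int, assetVulns map[string]map[string]bool) []Incident {
	bySrc := map[string][]Event{}
	for _, e := range events {
		bySrc[e.SrcIP] = append(bySrc[e.SrcIP], e)
	}
	var out []Incident
	for src, evs := range bySrc {
		start := 0 // index of the oldest event still inside the window
		for i := range evs {
			for evs[i].Time.Sub(evs[start].Time) > window { start++ }
			if i-start+1 < threshold {
				continue
			}
			inc := Incident{SrcIP: src, Count: i - start + 1}
			for _, e := range evs[start : i+1] {
				inc.Relevant = inc.Relevant || (e.CVE != "" && assetVulns[e.DstIP][e.CVE])
			}
			out = append(out, inc)
			break // one incident per source; later events are follow-ups to it
		}
	}
	return out
}

func main() { // constructed burst: 5 hits in 4 s against a host carrying the placeholder CVE
	t0, evs := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC), []Event{}
	for i := 0; i < 5; i++ {
		evs = append(evs, Event{t0.Add(time.Duration(i) * time.Second), "198.51.100.7", "10.0.0.5", "CVE-0000-0001"})
	}
	fmt.Printf("%+v\n", Correlate(evs, time.Minute, 5, map[string]map[string]bool{"10.0.0.5": {"CVE-0000-0001": true}}))
}
```

The same burst against a host whose scan does not list the CVE still fires the threshold rule but stays Not Relevant, which is the distinction the Risk Index is meant to weight.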
Building Blocks – Incident Escalation
• Incidents raised must be assigned to specific User(s) or a Group of Users
• By default, when an incident is assigned to specific User(s) or a Group, an email message providing detailed information is sent to these Users.
• User(s) or a Group of Users can be configured to receive Push Notifications on their iOS and Android smartphones and/or tablets using Odyssey’s App*
*The iOS and Android App can be downloaded from the iTunes and Google Play Stores, or by visiting our web site http://www.odysseyconsultants.com/WhoWeAre/CompanyOverview/tools/
Building Blocks – Summary
• Collect Raw Logs generated by diverse systems, applications and/or security devices
• Archive the Raw Logs collected:
– During this process the Collector digitally signs and compresses the Raw Logs collected, using a high compression ratio of up to 80%.
• Normalize the Raw Logs collected (prepare the logs for Analysis)
• Analyze the Normalized Logs against the Threat Intelligence provided by ITHACALabs®:
– IP Reputation
– Anonymous Proxies
– Malware
– Bots/Zombies (Command & Control)
– Dynamic DNS Assignment (NoIP)
• Correlate the Normalized Logs to identify Malicious and/or Misuse activities based on:
– Threat Intelligence (the outcome of the Analysis phase)
– CVSS 2.0 (Common Vulnerability Scoring System)
– Relevance of the attack based on the Asset Information/Characteristics (Operating System, Application Vendor and Version, Vulnerabilities Present)
– Statistical & Behavioral Analysis
• Incident Escalation