The challenges with SIEM and How it can become an integrated security platform, to provide a framework for managing next generation SOC, and mitigate advanced attacks

1. Copyright © Aujas All rights reserved.
Risk Advisory and Security Intelligence Services
Is SIEM Dead or Evolving
Aujas Networks Private Ltd.
“Aujas” in Sanskrit means “Strength & Energy in a Warrior”
Chandra Prakash Suryawanshi
chandra.prakash@aujas.com

2. Copyright © Aujas All rights reserved.
SIEM is Dead ?
2
• 2 Decade old Technology
• Was great in managing compliance
• Evolved from log management to correlation and providing
single pane of glass
• Reduces signal to noise
• But got soon got reduced to limited sight as attackers tools,
techniques and procedures advanced and became stealthy
• And finally Compliance management is no more risk
management ?

3. Copyright © Aujas All rights reserved.
And data from monitoring capabilities suggests SIEM is dead
3
Different Threat Actors Have Different Motivations... And Tactics
The Facts states that attackers are getting smarter, targeted and persistent
* Source - Mandiant
Number of US companies
hit by APT
Average compromise time
before discovered
Compromises take minutes
or hours
Number of victims re-
compromised within a year
Intrusions are low difficulty
= no special skills or
resources
83%
78%
38%
84%
9 M

4. Copyright © Aujas All rights reserved.
So why is SIEM not able to detect advanced threats ?
4
Security Procedures and Agility
Risk Reduction and Compliance Efforts
Volume of Threats and
Vulnerabilities
Speed and
Sophistication of
Attacks
“Mind the Gap”
Security Exposures
Increasing Exponentially
Progression of Adversary and Motive Over Time
Sophistication
 Attack speed and sophistication advancing due to mature underground economy; most attacks
don’t leave logs.
 New Technologies provide new supply of vulnerabilities to be exploited; attackers are
persistent and behave normally that is difficult to detect.
 Old threats don’t always disappear; new threats add to the total threat landscape.
* Source - IBM

5. Copyright © Aujas All rights reserved.
5
So what is the alternative
• What all patterns have been built and what algorithm the
technology uses for machine learning
• How accurate is the system in detecting anomalies for
malware and behavior
• How does it compare it with other similar products; what
criteria should be used for evaluation.
• Threat Intelligence comes in many forms, difficult to
ingest and requires capabilities and continuous analysis
and actionables
MACHINE LEARNING AND ARTIFICIAL
INTELLIGENCE
SECURITY ANALYTICS – NBAD AND
END POINT AND USER ANALYTICS
THREAT INTELLIGENCE

6. Copyright © Aujas All rights reserved.
6
Or IS really SIEM Dead – Yes ? / No ?
• SIEM is good at collecting logs from disparate systems and
aid in correlation and compliance but limits the analytical
capability for threat detection and forensics
• SIEM is reactive and driven by rules, wherein the security is
not static that one can implement rules and sleep, the security
is continuous process and evolving
• SIEM cannot provide entire attack vector in a single window,
i.e. the attack behavior?
• Most modern and advanced attacks do not leave logs and in
some cases transaction and other logging is difficult
• Organization still need data aggregation and
correlation
• SIEM provides single pane of glass and forms the
backbone of monitoring capabilities
• One can create better attack and kill chain methods
of use cases to drive behavior to move away from
point security tool detection capabilities
• Automate and integrate multiple technologies with
SIEM for better threat detection

7. Copyright © Aujas All rights reserved.
SIEM is Evolving as a Platform
7
• Data collection capabilities and compliance benefits of log management,
• The correlation, normalization and analysis capabilities of SIEM (security information and event management)
• The network visibility and advanced threat detection of NBAD (network behavior anomaly detection), and user
behavior anomaly detection by machine learning - User Behavior Analytics
• The ability to reduce breaches and ensure compliance provided by Risk Management,
• The network traffic and application content insight afforded by Network Forensics.
• The automation of Incident Response by Artificial Intelligence / Run Books
• IOC / VM Management by Threat Intelligence
• Reporting and Visualization provided by Presentation Layer
SIEM as a platform should be a truly integrated solution built on a common codebase, with a single data
management architecture and a single user interface.

8. Copyright © Aujas All rights reserved.
8
SIEM as a Platform
Monitor everything
Logs, network traffic, user activity
Correlate intelligently
Connect the dots of disparate activity
Detect anomalies
Unusual yet hidden behavior
Prioritize for action
Attack high-priority incidents
Threat Intelligence
• Logs
• Contextual Data
• Vulnerability
Assessments
• Asset Inventories
• Reports and Analytics
Internal
• XFORCE
• CrowdStrike
• SecureWorks
• Deepsight
External
Threat Ingestion - Structured Threat
Information eXpression (STIX™)
SIEM
Environment
Single, Unified and
Integrated Management
Console
Machine Learning – Analytics
Artificial Intelligence
Incident Management
Automation

9. Copyright © Aujas All rights reserved.
9
SIEM Platform: Conceptual Integration Architecture
Email Gateway
Malware Protection IBM IPS
McAfee IPS
Anti Virus
End Point Sec
Full Packet Capture
Proxy
Configuration Mgt
DDOSWirelessIPSAPTSolution
DLP SIEM
SourceFire IPS
IT GRC
Compliance Tool
VulnerabilityMgt
AppSec
1 2
The following figure
(from our prior work)
depicts a “sample”
conceptual integration
architecture for SOC

10. Copyright © Aujas All rights reserved.
The benefits of a fully integrated Security Intelligence function
Components
SIEM function NOT fully
integrated
SIEM as a Platform Benefits
Technology
 SEM Tool only
 Limited data sets
 SIEM and Big Data Platform
 Data analytics and Visualization tools
 Integration of VM and Threat Intelligence
 Multi-disciplinary data sets
 Incident Response Run books
 Richer visibility into the
environment
 Coverage for unknown / unknown
threats
 Leverage threat intelligence for
proactive response
Process
 Integrated with SOC only
 Implement recommendations to
Detect attacks for SOC (SEM
Tool)
 Integrated with entire Security Program and
cross functional areas
 Operational processes – Incident, escalation,
forensics. governance and foundation
processes fully integrated and workflow driven
with full automation
 Robust method driven
management
 Reduction in costs by reducing
the number of incidents
 Run book automation
Governance /
People
 Number of attacks detected by
SOC due to Security Intelligence
Recommendations
 Cross functional committee only
prioritize projects within SOC’s
scope
 Number of attacks Detected and Prevented by
SOC, Security Controls and Business
Functions due to Security Intelligence
Recommendations
 Apply data breach cost avoidance value for
each attack Prevented
 Cost of Service Quality
 Data breach cost avoidance
 Focus on Cyber Attack metrics
Vs. Compliance metrics

11. Copyright © Aujas All rights reserved.
11
Client Challenges in Implementing SIEM as a Platform
• Availability of Talent:
• Threat Hunting is a dedicated job and need expertise and breadth of knowledge and expertise in
vulnerability research, IOC Management, reverse malware analysis and business acumen
• Application Integration and business use case building needs application owners buy-in and their
time. It needs parser building and customizations, a different set of talent from programming
background
• For SOC operations - Need minimum 10 people to manage 24*7 coverage with different set of
expertise
• Forensics is specialized skill and difficult to manage, retain and nurture talent.
• Extremely costly to implement the full suite of technologies; Need investment in SIEM platform tools,
consulting services, Threat Intelligence feeds & Infrastructure Management
• Analytics as a function is slow in learning and need large data sets, managing it with right set of data,
fine tuning needs continuous efforts and time
• Need a roadmap to Walk, Crawl and Run and handholding across the programme over its lifecycle.

12. Copyright © Aujas All rights reserved.
12
HOW CAN
AUJAS
HELP

13. Copyright © Aujas Information Risk Services
Aujas Service and Value Proposition
13
TOOLS & METHODS
Security
operations
Tools at
Customer
Premise
Security operations
staff
Customer Org
Aujas SAVP platform for SIEM data feed
console integration and parser & API
integration for security point tools
Console monitoring, Incident
workflow, reporting, SIEM
administration & service management
Single console to visualize SLA driven
services, risk and compliance reports
and incident lifecycle metrics
SERVICEPLATFORM
SIEM Policy Management
• Perform updates to existing policy rules;
• Setup correlation rules to process and detect advanced patterns
• Manage SIEM system health; manage users and permissions
Log Source Management
• Verify data collection and log continuity
• Perform device on-boarding and log source addition
Custom Parser Development
• Develop custom parsers and properties and convert customized logs to common
log format for SIEM consumption
Analysis and Reporting
• Generate daily and weekly reports;
• Investigate anomalous data;
• Manage report distribution; and
Dashboard and Visualization
• Provide role based dashboards for Executives,
engineers and resolution teams
• Extend visualization capabilities for security posture
assessment and trending.
SIEM ADMINISTRATION
ANALYSIS, REPORTING AND
DASHBOARD
Monitoring and Notification
• Monitor alerts and policy exceptions
• Validate incidents and eliminate false positives
• Classify security Incidents and manage escalation
Incident Response Management
• Provide remediation/countermeasure
recommendations, if applicable;
• Manage lifecycle of incidents – creating, tracking,
escalation and closure of incident tickets
INCIDENT MANAGEMENT
SERVICES

14. Copyright © Aujas All rights reserved.
14
Aujas advantage
Co-Managed / Hybrid SOC model advantages:
 Aujas extends its Platform for managing incidents, workflow based escalations and reporting and visualization
 Trained resources with full 24*7 coverage
 Manages entire program; client can also subscribe to on-demand services like Use case build, application integration,
device integration, vulnerability and threat management and forensics support.
 Highly scalable model, adapts well to changing needs
 Strikes balance between In-House / Outsourced service
 Leverage Aujas expertise and best practices like use case accelerators, process kick start, parsers etc.
 Provide access to ongoing training and education
 Low cost to implement
 Quick startup between 30 to 60 days
 Minimizes operating costs

15. Copyright © Aujas All rights reserved.
15
Aujas Information Risk Services
400+ Customers
served across 22 countries
340+ Employees
globally with more than 190
specialists
290+ Certified employees
across standards, technologies &
industry certifications
Aujas helps organizations manage information security risks by protecting data, software, people and identities in line with
compliance requirements and best practices; we also help strengthen security governance and intelligence frameworks.
Investors:
• Seed Funding
• IDG Ventures – Boston, MA
• Series B Funding
• IDG Ventures – Boston, MA
• IvyCap Ventures – Bay Area, CA
• RVCF - India
Global Presence:

16. Copyright © Aujas All rights reserved.
16