2. Disclaimer: HISTORICAL INTEREST ONLY
This material is many years old and is preserved here for HISTORICAL INTEREST ONLY.
Advice may not reflect current conditions (but then again, it may reflect yours…)
3. Outline
• Security Monitoring and SIEM Today
• Top 5 SIEM Futures
1. Expanded context data collection and analysis
2. Shared, distributed intelligence
3. Emerging environment monitoring
4. New and expanded analytic algorithms
5. Application security monitoring
• How To Prepare For The Future?
4. SIEM Technology?
• User activity and resource access monitoring for compliance reporting and security
• Collects, normalizes, aggregates, correlates and analyzes the log data
[Diagram, "How it works / What it solves": log sources (Applications, Directories, Servers, Network Devices, Security Devices, Firewalls, IDS/IPS, IAM, Databases) feed the SIEM, which provides real-time aggregation, correlation and alerts, plus reporting, historical analysis and investigation]
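The collect, normalize, aggregate and correlate pipeline the slide describes, as an added Python example that is not code from the original deck. The log lines, the two source formats, the common event schema and the "failures followed by a success" rule are all constructed for illustration; a real SIEM would carry many more parsers and rules, but the stages are the same.

```python
"""Toy SIEM pipeline: collect raw lines, normalize to one schema, aggregate, correlate, alert.
Added example, not from the original slides. All log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in two different source formats (sshd and a netfilter firewall)
RAW_LOGS = [
    "2012-10-01T09:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51234 ssh2",
    "2012-10-01T09:00:03 sshd[1201]: Failed password for admin from 203.0.113.7 port 51236 ssh2",
    "2012-10-01T09:00:05 sshd[1201]: Failed password for admin from 203.0.113.7 port 51238 ssh2",
    "2012-10-01T09:00:09 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51240 ssh2",
    "Oct 01 09:00:10 fw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP DPT=445",
    "2012-10-01T09:01:00 sshd[1202]: Failed password for bob from 192.0.2.44 port 40000 ssh2",
]

SSH_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
FW_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<action>\w+) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+)")


def normalize(line):
    """Map one raw line onto the common event schema; return None for unrecognized lines."""
    m = SSH_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "user": m["user"],
                "type": "auth_success" if m["outcome"] == "Accepted" else "auth_failure"}
    m = FW_RE.match(line)
    if m:
        # Classic syslog timestamps carry no year; the year is an assumption of this example
        ts = datetime.strptime("2012 " + m["ts"], "%Y %b %d %H:%M:%S")
        return {"ts": ts, "src": m["src"], "user": None, "type": "fw_" + m["action"].lower()}
    return None


def aggregate(events):
    """Count events per (source IP, event type): the aggregation stage."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["src"], e["type"])] += 1
    return dict(counts)


def correlate(events, threshold=3, window_seconds=60):
    """Rule: >= threshold auth failures from one source, then a success within the window -> alert."""
    alerts = []
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        failures = []
        for e in evs:
            if e["type"] == "auth_failure":
                failures.append(e["ts"])
            elif e["type"] == "auth_success":
                recent = [t for t in failures if (e["ts"] - t).total_seconds() <= window_seconds]
                if len(recent) >= threshold:
                    alerts.append({"src": src, "user": e["user"], "failures": len(recent), "ts": e["ts"]})
                failures = []
    return alerts


def run_pipeline(lines):
    """Collect -> normalize -> aggregate -> correlate; returns (events, counts, alerts)."""
    events = [e for e in (normalize(l) for l in lines) if e]
    return events, aggregate(events), correlate(events)


if __name__ == "__main__":
    events, counts, alerts = run_pipeline(RAW_LOGS)
    print(counts)
    print(alerts)
```

The normalization step is what makes the later stages source-independent: once an sshd line and a firewall line share the same `src` and `type` fields, the same aggregation and correlation code applies to both.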
6. How Bad Are We, Really?
• “84% of investigated breaches had log evidence available”
• “85% of breaches took weeks or more to discover”
• “92% of incidents were discovered by a third party”
Verizon DBIR 2012
7. SIEM Challenges Today
• SIEM “trifecta of complexity”
• Deployment, administration, operation
• Security married to data analysis
• Both also married to system integration
• Need for even more data to detect
advanced attacks
• Heavy skill requirements
8. Future: Basic Extrapolations
• More log data, more log sources and more types of log data collected by SIEM tools
• More networks and environments covered by SIEM
• More SIEM users, both in number and type
• Expansion of SIEM use cases
9. Top 5 SIEM Futures
1. More Context
2. Distributed Intelligence
3. Emerging Environment Monitoring
4. New Algorithms
5. Application Security Monitoring
10. #1 Expanded Context Data Collection and Analysis
[Diagram: logs at the centre, surrounded by the context sources to be collected and analyzed: User, Asset, Vuln, Config Data, External, Business]
11. Context Data: Today vs Future
Today
• Collection of context
• Use of context for log analysis
Future
• Broader collection of context
• Use of context for log analysis
• Analysis of context data
12. #2 Shared, Distributed Intelligence
• IP reputation
• Other entity reputation
• Bi-directional security data sharing
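Context enrichment covering both of the preceding slides (user, asset and vulnerability context from #1, and IP reputation as the external, shared intelligence of #2), as an added Python example that is not code from the original deck. The context tables, the reputation feed, the events and the scoring weights are all constructed; the point is the join between events and context, and the final function shows "analysis of context data" itself (which destinations have no asset record at all).

```python
"""Context-enriched alert prioritization: join normalized SIEM events with user, asset,
vulnerability and external (IP reputation) context. Added example; all data constructed."""
from ipaddress import ip_address, ip_network

# Constructed context data: user directory, asset inventory, vulnerability scan results
USERS = {"admin": {"privileged": True, "department": "IT"},
         "bob": {"privileged": False, "department": "Sales"}}
ASSETS = {"10.0.0.5": {"name": "dc01", "criticality": "high", "network": "datacenter"},
          "10.0.1.20": {"name": "ws-sales-07", "criticality": "low", "network": "office"}}
VULNS = {"10.0.0.5": ["SMBv1 enabled"], "10.0.1.20": []}
# External context: a constructed IP reputation feed (CIDR -> tag), not a real feed
REPUTATION = {ip_network("203.0.113.0/24"): "scanner", ip_network("198.51.100.0/24"): "botnet_c2"}

# Constructed, already-normalized events (output of a collection/normalization stage)
EVENTS = [
    {"type": "auth_success", "user": "admin", "src": "203.0.113.7", "dst": "10.0.0.5"},
    {"type": "auth_failure", "user": "bob", "src": "192.0.2.44", "dst": "10.0.1.20"},
    {"type": "fw_drop", "user": None, "src": "198.51.100.9", "dst": "10.0.2.99"},
]


def reputation_of(ip):
    """Tags from the reputation feed whose ranges contain this address."""
    addr = ip_address(ip)
    return [tag for net, tag in REPUTATION.items() if addr in net]


def enrich(event):
    """Attach context to an event without altering its original fields."""
    e = dict(event)
    e["user_ctx"] = USERS.get(event.get("user"))
    e["asset_ctx"] = ASSETS.get(event.get("dst"))
    e["vulns"] = VULNS.get(event.get("dst"), [])
    e["src_reputation"] = reputation_of(event["src"])
    return e


def priority(e):
    """Additive score; the weights are illustrative assumptions, not a standard."""
    score = 1
    if e["user_ctx"] and e["user_ctx"]["privileged"]:
        score += 3
    if e["asset_ctx"] and e["asset_ctx"]["criticality"] == "high":
        score += 3
    if e["vulns"]:
        score += 2
    if e["src_reputation"]:
        score += 2
    return score


def prioritize(events):
    """Enrich every event and return them highest priority first."""
    enriched = [enrich(ev) for ev in events]
    for e in enriched:
        e["priority"] = priority(e)
    return sorted(enriched, key=lambda e: e["priority"], reverse=True)


def context_coverage(events):
    """Analysis of the context data itself: destinations seen in logs but absent from the asset inventory."""
    return sorted({ev["dst"] for ev in events if ev.get("dst") and ev["dst"] not in ASSETS})


if __name__ == "__main__":
    for e in prioritize(EVENTS):
        print(e["priority"], e["type"], e["src"], "->", e["dst"], e["src_reputation"])
    print("no asset context:", context_coverage(EVENTS))
```

The same successful login scores very differently depending on who logged in, what they reached and where they came from, which is exactly the value context adds to raw log analysis; the coverage check turns the context store from a lookup table into something worth analyzing on its own.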
14. #3 Emerging environment monitoring: virtual, cloud and mobile
• Servers, firewalls, NIPS, anti-virus… what’s next?
• Virtual, cloud, mobile also need monitoring!
• Is your SIEM tool “cloud-ready” and “virtual-ready”?
15. New Environment: Today vs Future
Today
• Virtual platform log collection
• Minimum cloud log collection
Future
• Virtualization-specific analytics
• Cloud security monitoring
• Adapt to new
16. #4 New and expanded algorithms for data analysis
SIEM = data analysis (not just collection, storage and presentation!)
• Raise alerts
• Prioritize received log messages
• Discover events of interest
• Enable the analyst to perform iterative searches for clues
17. Analytics: Today vs Future
Today
• Correlation rules
• Reports
Future
• Rules, including auto-created rules
• Data and text mining
• Profiling and baselining
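Profiling and baselining, with a baseline turned into an auto-created rule, as an added Python example that is not code from the original deck. The per-user history (daily event counts and hosts seen), the z-score threshold and the rule format are all constructed assumptions; the example shows the analytics the slide contrasts with hand-written correlation rules.

```python
"""Profiling, baselining and auto-generated rules: learn per-user behaviour from
historical event counts, then flag deviations. Added example; all data constructed."""
from statistics import mean, pstdev

# Constructed history: per user, daily event counts over the past week and the hosts seen
HISTORY = {
    "alice": {"daily_counts": [12, 15, 11, 14, 13, 12, 14], "hosts": {"ws-01", "ws-02"}},
    "bob":   {"daily_counts": [3, 2, 4, 3, 2, 3, 3],        "hosts": {"ws-05"}},
}


def build_profiles(history):
    """Per-user baseline: mean and standard deviation of daily volume, plus the set of known hosts."""
    profiles = {}
    for user, h in history.items():
        counts = h["daily_counts"]
        # A constant history would give std 0; fall back to 1.0 so any deviation still scores
        profiles[user] = {"mean": mean(counts), "std": pstdev(counts) or 1.0, "hosts": set(h["hosts"])}
    return profiles


def auto_rule(user, profile, k=2.0):
    """Turn a baseline into a concrete threshold rule (mean + k * std) a rule engine could run."""
    return {"user": user, "max_daily_events": round(profile["mean"] + k * profile["std"], 1)}


def score_day(profiles, user, count, hosts_today, z_threshold=2.0):
    """Return the reasons today's activity deviates from the user's baseline (empty list = normal)."""
    p = profiles.get(user)
    if p is None:
        return ["no baseline for user"]
    reasons = []
    z = (count - p["mean"]) / p["std"]
    if z > z_threshold:
        reasons.append(f"volume {count} is {z:.1f} std devs above baseline {p['mean']:.1f}")
    for host in sorted(set(hosts_today) - p["hosts"]):
        reasons.append(f"first activity from host {host}")
    return reasons


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    print(auto_rule("alice", profiles["alice"]))
    print(score_day(profiles, "alice", 40, {"ws-01", "ws-09"}))
    print(score_day(profiles, "bob", 4, {"ws-05"}))
```

Two design points worth noting: the baseline period must be long enough that normal variation is captured (a one-day history makes every second day anomalous), and "first seen" features such as a new host are often more useful than volume alone, because they need no statistical threshold at all.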
18. #5 Application security monitoring
• IT infrastructure vs application: a HUGE chasm!
• Most SIEM projects today are about infrastructure
• Who/what monitors the application security?
• Web application firewalls
• Transaction monitoring for fraud
• Application logging
• Database security monitoring
• IAM and application access
21. Advice
• Integrate more context data today: users, assets, configurations, etc.
• Collect open source and commercial security data feeds
• Expand SIEM coverage to new environments
• Expand SIEM for ASM
• Make use of the data you have today