How To Drive Value with Security Data
•Download as PPTX, PDF•
0 likes•3,527 views
Blog Post: http://raffy.ch/blog. - Video: https://youtu.be/nk5uz0VZrxM In this video we talk about the world of security data or log data. In the first section, we dive into a bit of a history lesson around log management, SIEM, and big data in security. We then shift to the present to discuss some of the challenges that we face today with managing all of that data and also discuss some of the trends in the security analytics space. In the third section, we focus on the future. What does tomorrow hold in the SIEM / security data space? What are some of the key features we will see and how does this matter to the user of these approaches.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to How To Drive Value with Security Data
Similar to How To Drive Value with Security Data (20)
More from Raffael Marty
More from Raffael Marty (15)
Recently uploaded
Recently uploaded (20)
How To Drive Value with Security Data
- 1. Raffael Marty How To Drive Value with Security Data June 2021 ThinkIn 2021
- 2. 1980 Log Collection (syslog) Sharing “searches” Forensics Reporting Log Management 2006 2009 1999 2004 2012 2015 2017 Security Data Lake Apache Metron ELK Open Source 2021 Incident Management SIEM Compliance Use-Cases Real-time Correlation Artificial Intelligence Attempt in Visual Analytics Anomaly Detection Heavy filtering Data on demand Threat Hunting Risk centricity Federated Analytics? Analytics Asset Mgmt Cloud Analytics ©2021RaffaelMarty Security Data Lakehouse? • Network (FW, flows) • Vulnerability • Endpoint • Threat Intel • IaaS logs • System Event Logs • IAM • PCAP Data • SaaS logs • Metrics • API • “Data” Activity Security Data–ThePast Big Data (Hadoop, Spark) Logging as a Service (Loggly) CEF SOAR UEBA The Logging Wild West XDR Metrics Correlation DevSecOps Use-Cases
- 3. Logging andSecurity AnalyticsToday FalesPositives Use-Cases Data Inputs Scalability Challenges Trends Data Centricity Risk Centric I/SaaSVisibility Distributed Analytics Beyond Events/Alerts Shared Frameworks Movetothe Cloud Entity Focus
- 4. Tomorrow - How To Drive Value From Your Security Data Become Risk Centric Risk Service Resource Access User Device App Data Anomaly Belief Net Security “Knowledge” Entity Engines Expert
- 5. SIEM– Future Aspects AI / ML Visibility Automation Cloud Privacy
- 6. Takeaways Analytics (Logic) Unified Platform: SIEM | UEBA | SOAR | XDR | TIP | CCM Visibility Zero Trust / Risk Outsource Inventory Activity Use-Case Driven Open Standards
Editor's Notes
- Challenges – these are things you want to be aware of when you invest in any data capability – or assess your own Use-Cases - Focus on the wrong use-cases - Email is still prevalent vector for attacks, not vulnerabilities - Not having a use-case driven approach at all - Sharing use-cases is still non existent – Sigma - SOCs are building use-cases for the data they have instead of for the things they want to detect Scalability Running many rules Collecting all data (expensive) Collecting all data Correct data architecture Trying to do it ourselves, rather than outsourcing – can you get the right people? Why does everyone re-invent their processes? Cloud helps, but it still expensive SOCs are running an average of 30 tools! Data - Visibility gaps (email and humans) – how is it that we buy phishing solutions and do not understand our email communication patterns better? - Understanding data and knowing what to do with it (remediation) – alerts are not indicative of whether a system / user is under duress - Application visibility and understanding – SaaS applications anyone? - Beyond alerts : inventory as well – CSPM, … AND metrics collection as well False Positives - A threat / exploit / vulnerability centric view makes event prioritization challenging - We are still operating on an event level instead of an entity (user, device) level - We are prioritizing all events / alerts that our data sources send us … Beyond events/alerts - CSPM / configuration / asset information Shared Frameworks - ATT&CK -> I think that’s a bad trend – it’s not really covering the right set of detections and is not enough prescriptive for your use-cases! - Sigma -> is an okay start, but very very limited still to date and hasn’t been shown to really produce good thorough detections Move to the Cloud - Not solving all our problems, in fact, introducing new problems – governance, … - Let’s be clear, your SIEM will run in the cloud Insider Focus - Monitoring the users and understanding them – away from the latest vulnerability / … because even an external attack will show a change in the user’s behavior
- Rethink what we really want from SIEM / security data analytics -> Some call that XDR now Data Inventory Classification Movement App Posture Activity SaaS Cloud posture Device Asset Info Posture (Vuln, Patch, Config) User HR Identity Access Priv’s. Activity / Behavior Personality Anomaly - To self and to peers Interaction with critical data Gets you out of the cat and mouse game – yet another attack type (ransomware today, phishing tomorrow, etc.)
- AI and ML to the rescue – or not We will get better at anomaly detection from a behavioral standpoint, but not through supervised ML! Expert systems We will keep using ML (supervised) for malware detection, document classification, and basically all kinds of pattern matching Let AI help automate machine-enabling tasks – and visualize more Verifyability and explainability of approaches That’s IT, folks! Cloud We are moving to the cloud. Period. Your SIEM too. How do you monitor on-prem in that case? Visibility - Challenges to see and understand it all? What are all the assets in your environment right now? How do you track them? What are they? What are their risks? - What about all your users? - Across on-prem and cloud / SaaS / … Automation - built into products and not separate as SOAR - beyond the simple ‘augmentation’ use-cases – phishing playbook – remediate across your risk engine … - we need to push toward remediation. Why do we still need security analysts making decisions? Why can’t we learn from past activity? Privacy - Needs to be designed with ‘privacy first’ (only collect what you need, in a secure manner) Securing collected data - Anonymization? Nuances of regional regulations (GDPR, CCPA, etc.) Where are the socio-ethical boundaries?
- SIEM visibility has been focused on network – it’s time to get endpoint and cloud visibility. AND DATA – including SaaS The risk-based approach will help you not just defend from external attacks, but also monitor your insiders. They are becoming more of a problem! Sharing – from TI to TTPs / analytics sharing
- http://slideshare.net/zrlram @raffaelmarty