SIEM presentation final

Editor's Notes

• #2: software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by network hardware and applications .
• #4: Security Log Management (Kent & Souppaya, 2006) states that information regarding an incident may be recorded in several places, such as firewalls, routers, network IDS, host IDS, and application logs. log management infrastructure typically comprises of three tiers: log generation, log analysis and storage, and log monitoring. log generation tier involves hosts making their logs available to log servers in the second tier. log analysis and storage tier is composed of one or more log servers receiving log data from the hosts. log monitoring tier contains consoles that are used for monitoring and reviewing of log data and the results of automated analysis.
• #5: In computer networking, a port is an endpoint of communication in an operating system. While the term is also used for hardware devices, in software it is a logical construct that identifies a specific process or a type of service. The Transmission Control Protocol (TCP) is a core protocol of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol (IP). Therefore, the entire suite is commonly referred to as TCP/IP. SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. UDP: It has no handshaking dialogues, and thus exposes the user's program to any unreliability of the underlying network protocol. There is no guarantee of delivery, ordering, or duplicate protection. Host A sends a TCP SYNchronize packet to Host B Host B receives A's SYN Host B sends a SYNchronize-ACKnowledgement Host A receives B's SYN-ACK Host A sends ACKnowledge Host B receives ACK. TCP socket connection is ESTABLISHED.
• #6: In computer networking, a port is an endpoint of communication in an operating system. While the term is also used for hardware devices, in software it is a logical construct that identifies a specific process or a type of service. SSH SSH, also known as Secure Socket Shell, is a network protocol that provides administrators with a secure way to access a remote computer.SSH also refers to the suite of utilities that implement the protocol. DNS-  a system for naming computers and network services that is organized into a hierarchy of domains. DNS naming is used in TCP/IP networks, such as the Internet, to locate computers and services through user-friendly names. (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks Hypertext Transfer protocol HTTP is the foundation of data communication for the World Wide Web.  HTTPS: is the use of Secure Socket Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server. SMB:  by default, with a thin layer, similar to the Session Message packet of NBT's Session Service, on top of TCP, using TCP port 445 rather than TCP port 139—a feature known as "direct host SMB". RDP: provides a user with a graphical interface to connect to another computer over a network connection.
• #8: Syslog is a way for network devices to send event messages to a logging server – usually known as a Syslog server. The Syslogprotocol is supported by a wide range of devices and can be used to log different types of events.
• #11: Security information and event management (SIEM) software provides the log management infrastructure encompassing log analysis, log storage and log monitoring tiers. What sets SIEM products apart from traditional log management software is the ability to perform event correlation, alerting, incident management, reporting and forensic investigation based on event analysis. SIEM technology aggregates the event data produced by security devices, network devices, systems and applications. The primary data source is log data, but SIEM technology can also process other forms of data. Event data is combined with contextual information about users, data and assets. The data is normalized, so that events from disparate sources can be correlated and analyzed for specific purposes, such as network security event monitoring, user activity monitoring or compliance reporting. The technology provides real-time security monitoring, historical analysis, and other support for incident investigation and compliance reporting.
• #13: Events are generated by log sources such as firewalls, routers, servers, and intrusion detection systems (IDS) or intrusion prevention systems (IPS). Flow data collectionFlows provide information about network traffic and can be sent to QRadar SIEM in various formats, including flowlog files, NetFlow, J-Flow, sFlow, and Packeteer. Vulnerability assessment informationQRadar SIEM can import VA information from various third-party scanners.
• #22: Mobile:Malicious apps compromise mobile security to access private information, such as contact lists and calendar details. They also use mobile device features, such as cameras and microphones, to spy, profile users, or conduct cyber attacks. TAP provides enterprise-wide visibility, codified detection expertise and guided investigation workflows to amplify your defense against today’s most sophisticated cyber-attacks. The Threat Analytics Platform applies threat intelligence, expert rules and advanced security data analytics to noisy event data streams. By revealing suspicious behavior patterns and generating alerts that matter, security teams can prioritize and optimize their response efforts.  FireEye Threat Intelligence is the most extensive and immediately operational cyber intelligence. It enables security teams to detect and respond to threats effectively and efficiently. FireEye Network Security (NX) solutions protect against known and unknown advanced attacks with the signature-less Multi-Vector Virtual Execution™ (MVX) engine, conventional intrusion prevention system (IPS) and intelligence-driven detection. This enables faster detection, more accurate alerts and reduced noise. Identifying threats traditional security solutions can't allows you to focus on alerts that pose a genuine threat and reduce the operational cost of false positives. Cyber criminals often use spear phishing attacks, as well as malicious file attachments and URLs in emails, to launch an advanced cyber attack. These email attacks routinely bypass email security that uses conventional signature-based defenses such as antivirus (AV) and spam filters. FireEye File Content Security (FX Series) products help prevent, detect and respond to cyber attacks by scanning file content for signs of malicious threats. These threats might be brought into an organization from outside sources, such as online file sharing services and portable file storage devices. o reduce the impact of a security incident, organizations should focus on early detection and swift investigation. Enterprise forensics makes this possible. When attacked, an enterprise needs to be able to rapidly investigate and determine the scope and impact of the incident so they can effectively contain the threat and re-secure their network. Your security team should be focused on safeguarding your company’s data assets. Instead, they are overwhelmed by alerts, unable to discern real threats from false alarms. Most security teams can investigate just a small fraction of alerts, most of which turn out to be false alarms. Your managed security services provider (MSSP) is not helping, either. Most likely, they are simply filtering the noise, parsing down the number of alerts from millions to hundreds, telling you that you might have a problem but pushing the investigative burden back on your team. Meanwhile, attackers hide in the noise, operating at will for months before detection.