SIEM (Security Information and Event Management) technology provides real-time analysis of security alerts generated across an organization's network and applications. It involves collecting data from various sources, analyzing the data to discover threats, and pinpointing security breaches to enable investigation. SIEM functionality includes log management, data aggregation, correlation, alerting, dashboards, compliance, retention, and forensic analysis. However, SIEM tools require regular tuning and rule management to differentiate anomalous and normal activity. SOAR (Security Orchestration, Automation and Response) technologies help address SIEM limitations by integrating more data sources, providing context through automation and playbooks, and offering a single dashboard for security response. Benefits of SOAR include faster
2. Security Information and Event Management

Components of SIEM

- SEM (Security Event Management): the segment of security management that deals with real-time monitoring, correlation of events, notifications, and console views is commonly known as SEM.
- SIM (Security Information Management): the second area provides long-term storage, analysis, and reporting of log data and is known as SIM.

SIEM is a term for software products and services combining security information management (SIM) and security event management (SEM). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications.
SIEM Process

Step 1: Collect data from various sources (network devices, servers, domain controllers and more).
Step 2: Normalize and aggregate the collected data.
Step 3: Analyze the data to discover and detect threats.
Step 4: Pinpoint security breaches and enable the organization to investigate alerts.
4. SIEM Functionality

- Data aggregation: log management aggregates data from many sources, including network, security, servers, databases, and applications, providing the ability to consolidate monitored data to help avoid missing crucial events.
- Correlation: this involves looking for common attributes and linking events into meaningful bundles. This technology provides the ability to perform a variety of correlation techniques to integrate different sources to turn data into useful information.
- Alerting: this is the automated analysis of correlated events and production of alerts to notify recipients of immediate issues.
- Dashboards: tools can take event data and turn it into informational charts to assist in seeing patterns or identifying activity that is not forming a standard pattern.
- Compliance: applications can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance, and auditing processes.
- Retention: this involves employing long-term storage of historical data to facilitate correlation of data over time and to provide the retention necessary for compliance requirements.
- Forensic analysis: this is the ability to search across logs on different nodes and time periods based on specific criteria.
- Automated response: some SIEMs include automated alert and response capabilities that can be programmed to suit your policies and environment.
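The four-step SIEM process and the aggregation, correlation and alerting functions described above, worked through as an added example that is not from the original deck: constructed sshd syslog lines and Windows-style logon records from two hosts are normalized into one schema, linked by user and source IP, and turned into an alert when several failures are followed by a success. The sample lines, the regexes, the assumed year, the failure threshold and the time window are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real logs): Linux sshd syslog lines (no year, assumed
# 2024) and Windows-style logon records (EventID 4625 = failure, 4624 = success).
RAW_EVENTS = [
    ("syslog", "Jan 10 08:00:01 web01 sshd[1201]: Failed password for alice from 10.0.0.5 port 5001 ssh2"),
    ("syslog", "Jan 10 08:00:09 web01 sshd[1202]: Failed password for alice from 10.0.0.5 port 5002 ssh2"),
    ("syslog", "Jan 10 08:00:15 web01 sshd[1203]: Failed password for alice from 10.0.0.5 port 5003 ssh2"),
    ("windows", "2024-01-10T08:00:40 EventID=4625 User=alice Src=10.0.0.5 Host=dc01"),
    ("windows", "2024-01-10T08:01:02 EventID=4624 User=alice Src=10.0.0.5 Host=dc01"),
    ("syslog", "Jan 10 08:30:00 web02 sshd[1300]: Failed password for bob from 10.0.0.9 port 6001 ssh2"),
    ("syslog", "Jan 10 08:30:05 web02 systemd[1]: Started Session 7 of user bob."),  # unrelated noise
]
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
WIN_RE = re.compile(r"^(\S+) EventID=(\d+) User=(\S+) Src=(\S+) Host=(\S+)")

def normalize(source, line):
    """Step 2: map each source's format onto one common schema; lines no parser knows are dropped."""
    if source == "syslog":
        m = SYSLOG_RE.match(line)
        if not m:
            return None
        return {"ts": datetime.strptime("2024 " + m.group(1), "%Y %b %d %H:%M:%S"), "host": m.group(2),
                "user": m.group(4), "src": m.group(5), "outcome": "failure" if m.group(3) == "Failed" else "success"}
    m = WIN_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m.group(1)), "host": m.group(5), "user": m.group(3),
            "src": m.group(4), "outcome": "success" if m.group(2) == "4624" else "failure"}

def correlate(events, threshold=3, window=timedelta(minutes=10)):
    """Steps 3-4: link events sharing user + source IP across hosts; alert when a logon
    success follows at least `threshold` failures within `window`."""
    buckets = {}
    for e in events:
        buckets.setdefault((e["user"], e["src"]), []).append(e)
    alerts = []
    for (user, src), evs in buckets.items():
        failures = [e for e in evs if e["outcome"] == "failure"]
        for s in (e for e in evs if e["outcome"] == "success"):
            recent = [f for f in failures if s["ts"] - window <= f["ts"] <= s["ts"]]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "user": user, "src": src,
                               "failures": len(recent), "hosts": sorted({e["host"] for e in recent + [s]}),
                               "success_at": s["ts"].isoformat()})
    return alerts

def run_pipeline(raw=RAW_EVENTS):  # Step 1 collects the raw lines; the result is the alert list for triage
    return correlate([n for n in (normalize(src, line) for src, line in raw) if n])
```

Because the correlation key is user plus source IP rather than host, the three sshd failures on web01 and the failure on dc01 are counted together, which is what a per-host view would miss.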
5. Why SOAR is required

Why SOAR?

- SIEM tools usually need regular tuning to continually understand and differentiate between anomalous and normal activity.
- SIEM applications require consistent fine-tuning and development for security teams to maximize their value while avoiding getting bombarded with countless alerts.
- SIEM applications require dedicated development staff to manage rules and use cases to ensure that normal activities are not mixed up with suspicious ones.
- It is difficult to ingest data from external feeds like SSL certificate chain data, domain reputation scores, etc.; a SIEM normally works only with logs and event data from traditional infrastructure.
6. What is SOAR (Security Orchestration, Automation and Response)

Security Orchestration, Automation and Response (SOAR)

- It is a term used to describe the convergence of three distinct technology markets:
  - Security orchestration and automation
  - Security incident response platforms (SIRP)
  - Threat intelligence platforms (TIP)
- SOAR technologies enable organizations to collect and aggregate vast amounts of security data and alerts from a wide range of sources.
- This helps to build automated processes to respond to low-level security events and standardize threat detection and remediation procedures.

Three core capabilities of SOAR technologies:
- Threat and vulnerability management
- Security incident response
- Security operations automation
7. Components of SOAR

- Threat intelligence: ingests and analyzes data.
- Automation: automates low-level manual processes.
- Orchestration: connects and integrates disparate tools.
- Response: offers a single-view dashboard to plan, manage, monitor and report incident response.
8. SOAR Platform Components

Security orchestration
- Security orchestration connects and integrates disparate internal and external tools via built-in or custom integrations and application programming interfaces (APIs).
- Connected systems may include vulnerability scanners, endpoint protection products, end-user behavior analytics, firewalls, intrusion detection and intrusion prevention systems (IDSes/IPSes), and security information and event management (SIEM) platforms, as well as external threat intelligence feeds.
- Where security orchestration consolidates data to initiate response functions, security automation takes action.

Security automation
- Security automation, fed by the data and alerts collected from security orchestration, ingests and analyzes data and creates repeated, automated processes to replace manual processes.
- Using artificial intelligence (AI) and machine learning to decipher and adapt insights from analysts, SOAR automation can make recommendations and automate future responses.
- Playbooks are essential to SOAR success. Prebuilt or customized playbooks are predefined automated actions. Multiple SOAR playbooks can be connected to complete complex actions.

Security response
- Security response offers a single view for analysts into the planning, managing, monitoring and reporting of actions carried out once a threat is detected.
- It also includes post-incident response activities, such as case management, reporting and threat intelligence sharing.
- It is built on security incident response technologies that support how an organization plans, manages, tracks and coordinates the response to a security incident.
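The orchestration, automation and response layers described above, as an added example that is not part of the original deck: a small playbook takes a SIEM alert, enriches it through one connector layer, scores risk, opens a case and stages containment for analyst approval, with every tool call recorded for the case timeline. The tool names, the threat-intel and asset data, the risk weights and the sample alert are all constructed assumptions, not any vendor's API.

```python
# Constructed stand-ins for integrated tools (not real APIs): a threat-intel feed and an
# asset inventory. In a real SOAR these would be built-in or custom API integrations.
THREAT_INTEL = {"10.0.0.5": {"reputation": "malicious", "tags": ["bruteforce"]}}
ASSETS = {"dc01": {"criticality": "high"}, "web01": {"criticality": "medium"}}
# Constructed SIEM alert of the kind a correlation rule would hand to the SOAR platform.
SAMPLE_ALERT = {"rule": "brute_force_then_success", "user": "alice", "src": "10.0.0.5",
                "failures": 4, "hosts": ["dc01", "web01"]}

class Orchestrator:
    """Security orchestration: one connector layer for all tools; records every call for the case timeline."""
    def __init__(self):
        self.timeline = []
    def call(self, tool, **kwargs):
        self.timeline.append((tool, kwargs))
        if tool == "threat_intel.lookup_ip":
            return THREAT_INTEL.get(kwargs["ip"], {"reputation": "unknown", "tags": []})
        if tool == "assets.lookup_host":
            return ASSETS.get(kwargs["host"], {"criticality": "unknown"})
        if tool in ("ticketing.open_case", "notify.analyst"):
            return {"ok": True, "id": f"CASE-{len(self.timeline)}"}
        raise ValueError(f"no integration for {tool}")
# Security automation: each playbook step is a function over the case; steps chain in order.
def enrich(case, orch):
    case["intel"] = orch.call("threat_intel.lookup_ip", ip=case["alert"]["src"])
    case["assets"] = {h: orch.call("assets.lookup_host", host=h) for h in case["alert"].get("hosts", [])}
    return case

def score(case, orch):
    risk = 50 if case["intel"]["reputation"] == "malicious" else 0
    risk += 30 if any(a["criticality"] == "high" for a in case["assets"].values()) else 0
    risk += 20 if case["alert"].get("failures", 0) >= 3 else 0
    case["risk"] = risk
    return case

def respond(case, orch):
    """Security response: always open a case; containment is staged for analyst approval, never auto-fired."""
    case["case_id"] = orch.call("ticketing.open_case", title=case["alert"]["rule"], risk=case["risk"])["id"]
    case["pending_approval"] = []
    if case["risk"] >= 80:
        case["pending_approval"] = [("iam.disable_user", case["alert"]["user"]),
                                    ("firewall.block_ip", case["alert"]["src"])]
        orch.call("notify.analyst", case_id=case["case_id"], risk=case["risk"])
    return case

def run_playbook(alert, steps=(enrich, score, respond)):
    orch, case = Orchestrator(), {"alert": alert}
    for step in steps:
        case = step(case, orch)
    case["timeline"] = orch.timeline
    return case
```

Chaining a second playbook is just a longer `steps` tuple, and the recorded timeline is what the reporting view and post-incident review consume.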
9. Benefits of SOAR

- Faster incident detection and reaction times: SOAR's improved data context, combined with automation, can bring lower mean time to detect (MTTD) and mean time to respond (MTTR).
- Better threat context: by integrating more data from a wider array of tools and systems, SOAR platforms can offer more context, better analysis and up-to-date threat information.
- Simplified management: SOAR platforms consolidate various security systems' dashboards into a single interface.
- Scalability: SOAR's orchestration, automation and workflows can meet scalability demands more easily.
- Boosting analysts' productivity: automating lower-level threats augments SecOps and security operations center (SOC) teams' responsibilities, enabling them to prioritize tasks more effectively and respond to threats that require human intervention more quickly.
- Streamlining operations: standardized procedures and playbooks that automate lower-level tasks enable SecOps teams to respond to more threats in the same time period.
- Reporting and collaboration: SOAR platforms' reporting and analysis consolidate information quickly, enabling better data management processes and better response efforts to update existing security policies and programs for more effective security.
- Lowered costs: in many instances, augmenting security analysts with SOAR tools can lower costs, as opposed to manually performing all threat analysis, detection and response efforts.
10. Benefits and Drawbacks of SOAR tools

Benefits
- Improves productivity
- Builds risk resilience
- Faster incident response
- Centralized management of multivendor tools
- Streamlined process and operations

Drawbacks
- Cannot fix strategy or culture
- Overinflated expectations
- Limited success metrics
- Undervalues human analysts
- Complexity
11. SIEM and SOAR

SIEM
- Aggregates logs
- Generates alerts
- Analyzes data to identify potential threats
- Limited response workflows
- Notifies users and analysts of suspicious activity
- SIEM tools:
  - Splunk Enterprise SIEM
  - Microsoft Azure Sentinel
  - ArcSight
  - SolarWinds SIEM Security and Monitoring

SOAR
- Aggregates security alerts and threat intelligence
- Ingests alerts from SIEM and other tools
- Enriches and correlates to determine risk
- End-to-end automation-powered response workflows
- Orchestrates actions across integrated tools
- SOAR tools:
  - Splunk Phantom
  - IBM Resilient
  - DFLabs IncMan
  - InsightConnect