
Can You SEE!! A Risk Approach To SIEM

BSides London 2025 · 16:57 · 53 views · Published 2025-02
Style: Talk
About this talk
Do you actually know if you have been breached? Do you know your critical assets, and what you can't see? Monitoring and logging is a simple construct; however, most companies see it as a tick-box exercise. This presentation takes an eyes-on-the-ground approach and:
- answers the why, how and what
- looks into basics around asset management, critical data, users, endpoints, networks, etc.
- covers key missed areas, like policy, people and physical
- summarises a risk-based approach.

Transcript (en)

Yeah, thank you for turning up to have a look at my presentation. What I found in quite a lot of businesses is they try and do monitoring and logging, but they don't really understand it; it's like a tick-box exercise. So that was the idea of this: what can't you see? I don't know how many of you are in businesses, but do you know if you're actually being breached? Because quite a lot of companies don't understand they've actually had a breach, or had a malware attack. Any hands up on that one? No? Good start. And do you have any threats defined? Quite a lot of companies don't define what the actual threats are, or any use cases for it. Have any of you done that? A couple of you. I do find it few and far between, to be honest. And then you've got to know how to monitor against these threats. When I've been to talk to senior stakeholders and you try and say, where are your threats, or have you had a breach or anything, they start to panic; there's a sudden realisation of panic in their eyes. And when they realise that you're going to start doing it, there's another, second panic: oh, what if we have had a breach and we're now finding out two years later? So to do this we need a risk-based approach, and we need to align it to the company strategy. It's not just an IT thing, and quite a lot of what I see tends to be more IT-based than business-strategy-based.

So just in case you're not all aware, I just wanted to define what a SIEM and a SOC are. For monitoring and logging purposes there is a security incident and event management system; you need to look at incidents and events, two different things. And then you need a good security operations centre to manage that, and there's a lot of work you need to deliver to actually build the security incident management processes. Quite a lot of businesses don't understand that; they'll buy a LogRhythm or something and just expect it to work.

So they tend to do data aggregation and collation of events. You need to be able to put the right events and logs into it, so there's a lot of work that needs to be developed there to look at how you get the information into the system. Like I said, from a baseline, tick-box-exercise perspective, they tend to look at just what the baseline does. The providers will normally provide you with the key components: if we had some kind of incident, how would we know the source and destination, and what happened during that path of events? So they normally have DNS, DHCP, etc., and then tech stuff from your security tooling, and egress points, ideally for command and control, and ideally between segregated systems within the business, but sometimes they miss that piece out as well, and they just rely on threat feeds and security tooling that goes into it. So the question is: what is missing, and what don't we know? Have a think about that one for a sec. I'll break it again, there you go.

So what I also find is that people don't look at a risk-based approach very much. You need to prioritise your efforts and establish what the likelihood and impact of these risks are within the business context, and is it cost effective to deliver tools against it? I think once you've got the eyes on the ground properly, that will give you a better idea of that. So to do that you've got to establish the context, the objectives, scope and boundaries; you've got to identify the risks and risk methods and document them; then you've got to assess the risks and develop risk mitigation strategies, and that doesn't tend to get done a lot, I don't think; and then implement the control measures and stuff like that, and stakeholder reporting and comms.

Okay, so if you want to do the SIEM properly, or monitoring and logging properly, there are going to be some things you need to think about over and above just IT basics. You need to start to build out a strategy that's based on what your key users are, with the key data and key assets, and ideally get a CMDB. There's a lot of work you need to deliver before you can even think about implementing a SIEM and a SOC. And then start to look at threat analysis: what are your threats? Let's start from the beginning: do a design. What are your threats, what do your solutions currently look like, and have you done all the health standard checks there? And identify the goals of what you want the SIEM to deliver, rather than just going "it monitors all my logs and we've got a threat feed that detects indicators of compromise", because that doesn't then take your business into account. It doesn't look at alignment to security incident management plans, it doesn't understand what P1 and P2 are, they don't correlate it properly, and it doesn't look at internal attack vectors. So it doesn't look at: if I took something out of a database, is that P1 or P2? Should I have done that? If you do that by default, that won't get seen.

And to do a lot of this, you've got to assess the organisation's compliance, what really matters to you, and start to look at network diagrams and system diagrams, which may not exist, so you've got to start to create them as well, and data flow diagrams; I don't find they exist a lot in businesses; and what the key data is. To start doing that, one of the key things that's a precursor, and tends not to get done, is understanding where your critical assets are. So you need to start to identify the critical assets and find out what's missing, and start doing an asset inventory and asset mapping exercise with data flows. That could be ITAM and a CMDB, but there are tools that can start to do that for you; ServiceNow and a few others can do audits. But ideally you need a dynamic asset inventory, not a static one. And also the other key areas that seem to be missed are policy, so acceptable use linked into that, and then define your use cases for that so you know what an incident looks like if someone does something by accident or nefariously, and also link that into security incident management plans. We also need to have regular campaigns, and people and tools together, to make it safe for people to report incidents, and link door cards and stuff into the SIEM so you know where people are moving to and from within the business.

So I think the point I was trying to make was to make sure we design what you want first, think about the cost versus benefit, understand what the risk is, do the likelihood and impact, and protect your key assets and systems and show due diligence and due care, because that can go a long way if you've breached a lot of data. And also you need to keep your eyes on the ground to do this. I think monitoring and logging and a SIEM and SOC are key; you would want to do this initially rather than later. You might prioritise other security controls, but unless you know what's going on you'll probably find you don't actually know if you've been breached. So it'll help you enhance security, help with compliance and audit; you can even start to make it do operational efficiency after a while, because you can actually say "actually, we could do that better" in different areas of the business, and I've seen you can use different tools off the top of the SIEM to get that information out of the SIEM, the data lake if you like. It also gives accountability, transparency, forensic analysis a little bit (that's going to need an extra massive data store), and it helps with your risk management. I can't use my laptop very well, unfortunately, but any questions?

I would say... what was the question?

I was just wondering, you mentioned the data flow diagrams there. I don't think I've ever properly seen one. In the designs you might see something that's like a DFD and an HLD, but are they maintained? I was wondering, in your experience, where have you tended to see one?

Yeah, no, you're right, it is few and far between, and that's where security architects can help, by security by design, privacy by design in businesses, and they don't seem to do that; they do it by compliance and pen testing. You're absolutely right. So this is what I'm saying about the key things: not only is it the monitoring and logging, but you've got to know your business first, you've got to know where your data is, where the data flows are. I have helped businesses do that, but like you say, it's few and far between. So I think we need to start looking at where your key assets are, where your key data is, and trying to get people to start; I talk about process, build the processes into the designs, because one of the other things that's missing as well is the network diagrams; sometimes network diagrams have disappeared as well.

So yeah, this is great, and this is really cool. The way I would engineer to get the stuff you're talking about is to use P3 incidents, let's say mid-level incidents, and I run them as P1s, and I will put half of the team on it, and we will do all that stuff during the incident. So we'll do diagrams, we map things, we fix things, we build stuff, and in that way you actually get a lot of those signals and you do that risk-based analysis. The interesting thing is, because you're driving off real incidents, you get a really good sense for what matters and what doesn't matter. But the key is what you're describing, risk analysis, understand the stuff; but I think in practice, if you follow the kind of incidents that exist, it's a great signal. But you have to put half your team on it, because you have to fix things; I kind of view the incidents as an opportunity to get big stuff done, and we would do more things in a one-day or five-day or two-week incident than we would in months.

No, you're right, and I think that's the wrong way to do it, because you're actually doing it after the effect, not before the effect. What I'm saying is security by design. So with the SIEM and stuff, you ask the question; you use the SIEM as a pivot to ask the business: where is your key data, where are your key assets, what do you want to protect, and how do you want to protect it?

One quick question. In the kind of cloud and application space we're seeing a lot of adoption of observability, where observability tools like OpenTelemetry can automatically document what systems are connected to what systems. Have you seen any companies start to look at embedding that kind of stuff coming out of the app world and the cloud world into the more traditional SIEM areas?

Yes, the cloud. Yeah, so you're right, the cloud can actually help if it's better than on-prem, so you can actually get some of those assets better, so it actually helps the cause. And so many times you have to ask the question: so we're implementing this tool, when are we going to get the security logs from it, and what can we get from it? Because what I also see is, if we don't embed security by design at the start, the things that we buy, we haven't got enough information to actually feed into the SIEM to get what we want, and we have to pay millions of pounds extra to get it. But yeah, you're right, it helps, definitely.

Quick question: why would you manage assets from a dynamic approach rather than a static approach?

Well, static is a point in time, so you do it a week later, a month later, and those assets have probably changed: joiners, movers, leavers, old legacy systems, new systems being implemented. How big is your enterprise? It's going to be difficult, right? So ideally you want automated CMDBs and tools there; otherwise that data... I think we can have one more question.

So say you have a start-up, right; at what point from the creation of your company should you start thinking about hiring security engineers? Because a lot of the things that you're mentioning, security by design and stuff like that, as a software engineer you should be able to put measures in place by design to have some kind of protection regardless. I'm talking maybe encryption of PII data and stuff like that; these should be things that software engineers do. So at what point, what level of risk should I be at, to really consider: okay, I need a security architect on this to make absolutely sure that all of those things are done and I'm not taking too much of a risk?

Yeah, well, this is regarding monitoring and logging. I think you probably need to do that quite quickly, because what you're trying to say there is, let's put security encryption in; what if data is being exfiltrated by encryption? You won't see it. So I would suggest yes, make sure you do a health check and make sure things are right, but again it's up to the business, right? So what risk do they want to take? How much data have they got, how much do they want to breach, can they afford to go bankrupt? If you show due care with your eyes on the ground, you probably know where your weaknesses are, you know where your data is, and I think that's a really good place to start.

Thank you so much, Richard, and thank you everyone for your questions.