Reference Use Cases
- Pavan Raja

- Apr 8, 2025
Summary:
This document serves as a guide for vendors invited by Koch Business Solutions, LP (KBS) to present their technical Security Incident and Event Management (SIEM) solutions. The purpose of this document is to define the requirements and recommendations for the onsite demonstration at KBS facilities during the SIEM architecture selection process. Intended audience includes direct account representatives and their supporting teams from the invited vendors. It outlines several assumptions, such as that vendors will participate in the demonstration without any obligations to KBS, and that KBS will not directly compete with the vendor being considered for the SIEM solution.
The document requires vendors to demonstrate their SIEM architecture's capabilities including data storage, correlation, presentation, regional collection, event compression, and more. Key areas covered include a vendor's organization overview, market focus, commitment to development, vision of the solution, description of architecture, and tiered architecture details. The demonstration should also highlight how events can be compressed to reduce bandwidth usage.
The document outlines detailed aspects and capabilities of an event processing and correlation system in a vendor's architecture. Key points include:
1. **Event Processing Overview**: Detailed description of how events are processed through the various layers of the vendor's architecture, identification of the devices that act as sources for incoming data/events (including the IP addresses of such devices), and integration with KBS network topology maps to better understand event flow across different locations.
2. **Data Storage**: Description of where data is stored within the SIEM system (e.g., primary storage for short-term correlation, archival storage, etc.), how data classification affects its storage location, and any specific requirements or limitations related to data residency or security compliance (such as GDPR or HIPAA).
3. **Correlation Engine**: Details of how correlation rules are created and executed at runtime, including the ability to create and modify these rules dynamically based on user input, event types, and other contextual information relevant to KBS's specific threat landscape.
4. **Multi-Tenancy Support**: If applicable, a description of any multi-tenant features that enable separate management of distinct groups within KBS while still sharing a common platform for data analysis. This can include role-based access controls, isolated environments with different configurations, and reporting mechanisms tailored to each tenant's specific needs without compromising security or performance.
5. **Evidence Integration**: Discussion of how the SIEM system integrates with other security products such as firewalls, IDS/IPS systems, endpoint detection and response (EDR) tools, etc., for a unified threat management approach. This includes any interoperability standards followed by the vendor's product suite, which may be essential where different technologies are used within the KBS infrastructure.
6. **Workflow Engine**: Demonstration of how tickets can be generated from detected threats, including automation of response actions and escalation protocols that align with KBS's incident handling procedures and compliance requirements (e.g., NIST or ISO standards).
7. **Use Cases for Specific Scenarios**:
   a. **Event Collection from Low Bandwidth Sites**: Optimization techniques that reduce the amount of data transmitted between sites, such as compression algorithms, leaner event collection protocols, or lightweight agents on network devices where bandwidth is limited.
   b. **Weak Protocols Across Secure Zones**: Compliance with KBS security policies on secure communication channels (such as HTTPS) and the encryption methods used to transfer logs across different zones within the corporate network.
   c. **Reducing Load on Layer 3 Interfaces**: Use of lightweight sensors or agents directly at network devices to process log data, thereby reducing reliance on high-bandwidth interfaces between remote sites and the main SIEM server.
   d. **Double NAT Configurations**: Ability to track original source IP addresses through multiple NAT layers and map them correctly within the SIEM architecture, ensuring comprehensive event collection across various secure network configurations.
   e. **Address Overlap Issues**: Techniques for tagging events originating from overlapping address spaces with the appropriate classification levels or criticality tags based on KBS's internal policies, while adhering to the security constraints of the different zones.
The document concludes by emphasizing the importance of configuring rule creation during runtime and flexibility in adapting to new threats and challenges faced by diverse organizations within KBS’s ecosystem. It encourages vendors to showcase how their SIEM solutions can be easily configured for various threat scenarios and adapt to changes in the security landscape, providing a scalable and adaptable platform that meets the evolving needs of an organization with overlapping address spaces and differing classification levels across multiple locations.
Details:
This document is a guide for potential vendors invited by Koch Business Solutions, LP (KBS) to present their technical Security Incident and Event Management (SIEM) solutions. The purpose of this document is to define the requirements and recommendations for the onsite demonstration at KBS facilities as part of the SIEM architecture selection process.
The intended audience includes direct account representatives and their supporting teams from the invited vendors. It should not be re-distributed to other parties or used outside the scope of this project. The document outlines several assumptions, such as that vendors will participate in the demonstration without any obligations to KBS, and that KBS will not directly compete with the vendor being considered for the SIEM solution.
This document outlines requirements for a Vendor Demonstration regarding SIEM functionality. Vendors are expected to demonstrate their SIEM architecture's capabilities, including data storage, correlation, presentation, regional collection, event compression, and more. Key areas to be covered in the demonstration include the vendor's organization overview, market focus, commitment to development, vision of the solution, description of architecture, and tiered architecture details. The demonstration should also highlight how events can be compressed to reduce bandwidth usage.
The provided information outlines detailed aspects and capabilities of an event processing and correlation system in a vendor's architecture. Key points include:
1. **Event Processing Overview**:
   - Detailed description of how events are processed through the various layers of the vendor's architecture.
   - Identification of devices requiring agents, bandwidth containment features, normalization, aggregation, and additional processing locations.
   - Demonstration of role-based access controls for data handling within KBS.
   - Ability to manage data by different subsidiaries, including addressing overlap between units and distinguishing data across business units.
   - In-country data retention requirements, along with methods to obfuscate sensitive information while still transmitting the other log messages.
   - Explanation of how events can be correlated across jurisdictions, including role-based access control for un-obfuscated data.
2. **Correlation Capability**:
   - The vendor must demonstrate the ease of writing and applying correlation and aggregation rules.
   - The solution should alert on zero-day and outbreak events using customizable threat formulas.
   - Explanation of how these threat formulas are used to assess business importance and threat confidence levels.
3. **Alerting System**:
   - Overview of the alerting capabilities within the solution, including a demonstration of the Alert View.
These points highlight the comprehensive nature of the vendor's architecture in terms of data handling, security features, and operational efficiency.
The provided text outlines various demonstrations and capabilities that a solution might showcase during its demonstration, specifically focusing on aspects related to incident management, reporting, data analysis, visualizations, and case management. Here's a summary of each section described in the context of a comprehensive security or IT system:
1. **Demonstration of Operator Aids**: This involves showing how the system helps operators by providing tools that categorize the severity of architectural issues, detect anomalies (both known and unknown), allow for multiple escalation levels, route alerts based on owner, and require acknowledgment from users. If an alert is not acknowledged, a predefined response mechanism should be demonstrated.
2. **Reporting System**: The vendor must demonstrate how their solution can provide real-time reports, query databases to retrieve information efficiently, offer out-of-the-box reporting on security metrics and key risks, and support custom reports as needed. It also involves demonstrating the completeness of the reporting system and its capability for ad-hoc queries.
3. **Data Analysis and Queries**: The solution should be able to analyze security data to aid in forensic investigations, replay original events for further analysis, and perform analyses on events outside the retention period or those that span more than one month by using advanced search functionalities.
4. **Visualizations**: This section requires demonstrating system dashboards that provide real-time situational threat insights, geo-threat visualizations, the ability to drill down from high-level views for more detailed analysis, and interactive features like adding objects to watch lists or opening tickets directly from the dashboard.
5. **Case Management**: The source text for this part is cut off; in a system of this kind it would typically involve showing how cases are managed, including tracking progress, assigning tasks, and managing follow-ups on alerts or incidents reported by users.
Each of these areas showcases different aspects of a modern security operations center (SOC) or incident response platform, emphasizing real-time actionable insights derived from advanced analytics and visualization tools.
The provided document outlines a detailed overview of the case management, workflow, and incident management capabilities of a technical solution, including demonstrations of its base ticketing capability, report generation, evidence integration, and workflow engine. It also describes planned use cases addressing specific scenarios such as low bandwidth or high latency sites, weak protocols across secure zones, reducing load on Layer 3 interfaces, double NAT configurations, and address overlap issues.
For the first scenario (Event Collection from Low Bandwidth Sites), the solution should be designed to handle environments with limited bandwidth by optimizing data collection processes, possibly using compression techniques for transmitted logs or employing more efficient monitoring methods that require less network resources. For weak protocols across secure zones, the solution must ensure compliance with security policies and avoid insecure cross-zone communications by leveraging secured communication channels such as HTTPS or other encrypted protocols.
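The low-bandwidth scenario above, together with the earlier requirement to obfuscate sensitive fields while still forwarding the rest of the log, is illustrated by the following added example. It is not code from the KBS document or from any vendor; it assumes a hypothetical site forwarder that collapses repeated identical events into one counted record, replaces user names with a keyed pseudonym so the central SIEM can still correlate on them, and compresses the batch before it crosses the WAN. The events, timestamps and site key are constructed.

```python
"""Collector-side event reduction for a low-bandwidth site (added example)."""
import hashlib
import hmac
import json
import zlib

# Constructed site key. In practice it is held by the site forwarder and by the
# SIEM role entitled to see un-obfuscated data; everyone else sees pseudonyms.
SITE_KEY = b"constructed-site-key-not-for-real-use"

# Constructed raw events: 50 identical firewall denies plus three auth events.
RAW_EVENTS = [
    {"ts": 1712563200 + i, "src": "10.20.0.15", "dst": "10.20.0.1",
     "sig": "fw-deny", "user": ""} for i in range(50)
] + [
    {"ts": 1712563300, "src": "10.20.0.33", "dst": "10.20.0.2",
     "sig": "auth-failure", "user": "alice"},
    {"ts": 1712563301, "src": "10.20.0.33", "dst": "10.20.0.2",
     "sig": "auth-failure", "user": "alice"},
    {"ts": 1712563302, "src": "10.20.0.34", "dst": "10.20.0.2",
     "sig": "auth-success", "user": "bob"},
]


def pseudonymize(user: str, key: bytes = SITE_KEY) -> str:
    """Keyed hash of a user name: stable for correlation across events,
    not reversible without the key (HMAC-SHA256, truncated to 16 hex chars)."""
    if not user:
        return ""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:16]


def aggregate(events, window: int = 60):
    """Collapse events sharing (src, dst, sig, pseudonym) inside one time
    window into a single record carrying count, first_seen and last_seen."""
    buckets = {}  # insertion-ordered, so output order follows first sighting
    for ev in sorted(events, key=lambda e: e["ts"]):
        pseudo = pseudonymize(ev["user"])
        key = (ev["src"], ev["dst"], ev["sig"], pseudo, ev["ts"] // window)
        rec = buckets.get(key)
        if rec is None:
            buckets[key] = {"src": ev["src"], "dst": ev["dst"], "sig": ev["sig"],
                            "user_pseudonym": pseudo, "count": 1,
                            "first_seen": ev["ts"], "last_seen": ev["ts"]}
        else:
            rec["count"] += 1
            rec["last_seen"] = ev["ts"]
    return list(buckets.values())


def encode_batch(records) -> bytes:
    """Serialize the aggregated batch compactly and zlib-compress it for the link."""
    return zlib.compress(json.dumps(records, separators=(",", ":")).encode())


def reduction_report(events, window: int = 60):
    """Sizes before and after reduction, so the bandwidth saving can be checked."""
    raw = json.dumps(events, separators=(",", ":")).encode()
    records = aggregate(events, window)
    packed = encode_batch(records)
    return {"raw_events": len(events), "records": len(records),
            "raw_bytes": len(raw), "wire_bytes": len(packed)}


if __name__ == "__main__":
    print(reduction_report(RAW_EVENTS))
```

The two reductions are independent: aggregation removes repeats the analyst does not need one by one (the count and time span survive), while compression only shrinks bytes. The pseudonym is applied before aggregation so that the bucket key never contains the clear-text user name.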
In Scenario 3 (Reducing Load on Layer 3 Interface for Log Collection), the technical solution should focus on designing a system that efficiently processes logs directly at network devices, using lightweight agents or sensors to minimize data transfer over the Layer 3 interface. For scenarios involving double NAT configurations and address overlap issues, the solution must be capable of tracking the original source IP through multiple NAT layers and correctly mapping it in the SIEM architecture, ensuring all relevant security events are captured without violating secure network zones.
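The double NAT case in the paragraph above can be shown with the following added example; it is not code from the KBS document or from any vendor. It assumes a hypothetical setup in which each NAT device exports a translation record (device, start time, protocol, pre-NAT address:port, post-NAT address:port), and it walks those records backwards from the address the SIEM observed to recover the real origin. Addresses and records are constructed from RFC 1918 and RFC 5737 ranges.

```python
"""Recovering the original source address through two NAT layers (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRecord:
    device: str       # NAT device that produced the translation record
    ts: int           # translation start time (epoch seconds)
    proto: str
    orig_ip: str      # pre-NAT source
    orig_port: int
    xlate_ip: str     # post-NAT source as seen downstream
    xlate_port: int


# Constructed translation logs from two NAT layers:
#   branch-rtr : 10.1.2.3:44321  -> 192.168.50.7:5123 (branch to core link)
#   dc-edge-fw : 192.168.50.7:5123 -> 203.0.113.10:40001 (core to DMZ)
# The third record reuses the same outer port much later for a different host.
NAT_LOGS = [
    NatRecord("branch-rtr", 1712563200, "tcp", "10.1.2.3", 44321, "192.168.50.7", 5123),
    NatRecord("dc-edge-fw", 1712563200, "tcp", "192.168.50.7", 5123, "203.0.113.10", 40001),
    NatRecord("dc-edge-fw", 1712570000, "tcp", "192.168.50.9", 5200, "203.0.113.10", 40001),
]


def resolve_chain(seen_ip, seen_port, proto, event_ts, nat_logs, max_age=300):
    """Walk NAT records back from (seen_ip, seen_port) at event_ts.

    Returns the list of (device, orig_ip, orig_port) hops, innermost last.
    A record matches only if it started at most max_age seconds before the
    event, so a port that is later reused for another host is not mis-attributed.
    """
    chain, visited = [], set()
    ip, port = seen_ip, seen_port
    while True:
        candidates = [r for r in nat_logs
                      if r.proto == proto and r.xlate_ip == ip and r.xlate_port == port
                      and 0 <= event_ts - r.ts <= max_age]
        if not candidates:
            return chain
        rec = max(candidates, key=lambda r: r.ts)  # most recent matching translation
        hop = (rec.device, rec.orig_ip, rec.orig_port)
        if hop in visited:          # defensive: malformed records forming a loop
            return chain
        visited.add(hop)
        chain.append(hop)
        ip, port = rec.orig_ip, rec.orig_port


def original_source(seen_ip, seen_port, proto, event_ts, nat_logs, max_age=300):
    """(ip, port) the SIEM should record as the true source; falls back to the
    observed address when no translation record explains it."""
    chain = resolve_chain(seen_ip, seen_port, proto, event_ts, nat_logs, max_age)
    if not chain:
        return seen_ip, seen_port
    return chain[-1][1], chain[-1][2]


if __name__ == "__main__":
    print(resolve_chain("203.0.113.10", 40001, "tcp", 1712563210, NAT_LOGS))
```

The time bound is the important part: without it, the reused outer port in the third record would make an event from 192.168.50.9 look like it came from 10.1.2.3. Keeping the full hop list, rather than only the final address, lets the analyst see which zone boundary each translation crossed.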
The document concludes with a request for demonstrations on how to configure rule creation during runtime for these specific scenarios, highlighting the flexibility and adaptability of the solution's technical capabilities.
The provided text outlines a scenario involving the integration of a SIEM (Security Information and Event Management) solution within KBS. The scenario involves handling overlapping address spaces between two branch offices, with differing classification/criticality levels, and a subnet that belongs to another company. It also discusses using the SEM (the document's shorthand for the SIEM) solution for vulnerability trending based on data from an IDS (Intrusion Detection System).
**Acquisition: Overlapping Addresses and Classification**
**Overlapping Address Space**: Two branch offices within KBS share a common address space, which leads to overlapping addresses that carry different classification levels or criticalities. The solution must also handle networks allocated to other organizations: there is a subnet that does not follow RFC 1918 but is assigned to another company.
**Handling Overlapping Addresses**: The vendor should handle this by defining how the SIEM solution can tag and classify events based on the overlapping address space and set correlation rules accordingly. This involves identifying the origin of traffic from these addresses, even if they share the same subnet, ensuring proper classification and management of criticality levels.
**Vulnerability Trending**
**Assessing Targeted Assets**: KBS aims to use the SEM solution to assess targeted assets for vulnerability relevance based on threats detected by the IDS. This involves using the SIEM tool to correlate vulnerabilities with incoming threats, helping in assessing asset importance and threat exposure.
**Vulnerability Trending by Platform**: The solution should provide a capability to trend vulnerabilities across different platforms over time, enabling KBS to understand the evolving security posture of its systems based on detected threats and potential vulnerabilities.
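The two vulnerability trending points above can be demonstrated with the following added example, which is not code from the KBS document or from any vendor. It assumes a hypothetical IDS alert feed whose signatures carry a vulnerability reference, a scanner export listing which assets were found vulnerable to which reference in which month, and an asset inventory giving each asset's platform. Hosts, months and the VULN-000x references are constructed placeholders, not real identifiers.

```python
"""Correlating IDS alerts with scanner findings and trending by platform (added example)."""
from collections import defaultdict

# Constructed asset inventory: address -> platform.
ASSETS = {
    "10.3.0.10": "windows-server",
    "10.3.0.11": "windows-server",
    "10.3.0.20": "linux",
    "10.3.0.30": "network-appliance",
}

# Constructed scanner findings: (asset, vulnerability reference, scan month).
# 10.3.0.11 is fixed between the February and March scans.
SCAN_FINDINGS = [
    ("10.3.0.10", "VULN-0001", "2025-02"),
    ("10.3.0.11", "VULN-0001", "2025-02"),
    ("10.3.0.10", "VULN-0001", "2025-03"),
    ("10.3.0.20", "VULN-0002", "2025-03"),
    ("10.3.0.30", "VULN-0003", "2025-03"),
]

# Constructed IDS alerts: (month, target asset, vulnerability reference).
IDS_ALERTS = [
    ("2025-02", "10.3.0.10", "VULN-0001"),
    ("2025-02", "10.3.0.20", "VULN-0001"),   # Linux host, not affected by VULN-0001
    ("2025-03", "10.3.0.10", "VULN-0001"),
    ("2025-03", "10.3.0.11", "VULN-0001"),   # already patched in March
    ("2025-03", "10.3.0.20", "VULN-0002"),
]


def relevant_alerts(alerts, findings):
    """Keep only alerts whose target was found vulnerable to the referenced
    weakness in that month. The rest stay logged but are not escalated."""
    vulnerable = set(findings)   # (asset, ref, month)
    return [a for a in alerts if (a[1], a[2], a[0]) in vulnerable]


def trend_by_platform(findings, assets):
    """month -> platform -> number of distinct (asset, vulnerability) findings."""
    trend = defaultdict(lambda: defaultdict(int))
    for asset, ref, month in set(findings):
        trend[month][assets.get(asset, "unknown")] += 1
    return {m: dict(p) for m, p in trend.items()}


def exposure_by_platform(alerts, findings, assets):
    """month -> platform -> number of attack attempts that hit a confirmed-
    vulnerable asset. This is the 'threat exposure' view, not raw alert volume."""
    exposure = defaultdict(lambda: defaultdict(int))
    for month, target, _ref in relevant_alerts(alerts, findings):
        exposure[month][assets.get(target, "unknown")] += 1
    return {m: dict(p) for m, p in exposure.items()}


if __name__ == "__main__":
    print(trend_by_platform(SCAN_FINDINGS, ASSETS))
    print(exposure_by_platform(IDS_ALERTS, SCAN_FINDINGS, ASSETS))
```

Matching on the same month as the scan is a deliberate simplification: in a real deployment the join would use the scan that was current at the alert time, and a miss against a stale scan should lower confidence rather than discard the alert.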
**Other Use Cases**
**Ease of Configuration and Adaptation**: As part of evaluating the SIEM solution, KBS plans to demonstrate additional advanced use cases. This includes assessing how easily the solution can be configured for diverse threat scenarios and adapting to various security challenges faced by different organizations.
Overall, this scenario emphasizes the importance of addressing overlapping address spaces and differing classification levels in a multi-organization environment, as well as leveraging SIEM tools for vulnerability management and trend analysis based on real-time threat intelligence from IDS data.