SWA - SIEM Vendor Demonstration Agenda: Use Cases
- Pavan Raja
- Apr 9
- 12 min read
Summary:
The document is a vendor demonstration agenda for a SIEM (Security Information and Event Management) selection at Southwest Airlines (SWA). It describes the case management capabilities each vendor must show inside the SIEM tool and the use cases the demonstration must cover, which matter for an organization like SWA that has to monitor a large, segmented network. Here is an overview and breakdown of the main points discussed in the document:
### Case Management Capability
1. **Workflow Engine**: The workflow engine manages case handling by routing cases on criteria such as platform owner, so that tasks follow predefined rules and priorities. This streamlines processing and reduces response times for urgent matters.
2. **Base Ticketing Capability**: Basic ticketing features track incidents and tasks within the SIEM tool, giving a single place for all security activity that needs monitoring or intervention.
3. **Reports on Case Management**: Reports on case management data (performance metrics, compliance status and similar) support informed decisions and continuous improvement of the organization's security posture.
4. **Integration of Evidence**: Digital evidence is attached to cases in a structured way that meets legal and investigative requirements, including secure storage and easy retrieval later.
### Planned Use Cases
1. **Event Collection from Low Bandwidth (High Latency Sites)**: Collection from sites with limited bandwidth or high latency has to be optimized so that no important event is lost to the link itself; the document's own architecture answer is a regional collector that compresses events before forwarding them, and the vendor must show how critical events are prioritized and batched under those constraints.
2. **Use of Weak Protocols across Secure Zones**: Many log sources only speak weak, unauthenticated protocols (plaintext syslog over UDP is the usual case). If those flows are allowed to cross a secure zone boundary, the collection path itself becomes the weakness. The vendor must show how it collects from devices inside a secure VLAN without sending weak protocols across the boundary, which typically means terminating them at a collector inside the zone and forwarding over a protected channel.
3. **Reducing Load on Layer 3 Interface for Log Collection**: The vendor must propose architectural changes to the SIEM deployment, such as placing collectors closer to the sources and compressing or aggregating before transmission, so that log collection does not saturate the Layer 3 interface in high-density server environments.
### Planned Use Cases (continued)
4. **Double NAT**: Section 3 lists a scenario for collection and correlation across SWA's double NAT configurations; the document gives no further detail on it.
5. **Address Overlap**: Two branch offices use overlapping IP addresses, or one of them sits in another organization's subnet. The SIEM tool must keep the two networks apart, tag events by the zone or collector they came from, and support correlation rules that still identify the real source of a threat when the bare address is ambiguous.
6. **Vulnerability Trending**: By correlating vulnerability scan data with IDS alerts, the SIEM should show whether an alert's target is actually exposed and which platforms are most affected by current vulnerabilities, so that patch management and other preventive measures can be targeted.
7. **ARP Spoofing Detection**: The vendor's solution should detect ARP spoofing attacks without relying on an additional tool such as Arpwatch. Because ARP never leaves the local segment, this requires a log source on that segment (a switch, host or sensor) feeding the SIEM, which then alerts on false ARP replies such as a gateway address suddenly answered by a different MAC.
### Summary: The document focuses on demonstrating how a SIEM tool can effectively handle specific challenges in complex network environments, providing actionable insights into potential threats and vulnerabilities. The use cases presented showcase not only the technical capabilities of the SIEM solution but also its adaptability to diverse organizational needs. This structured approach helps SWA evaluate vendors’ solutions based on their ability to manage overlapping IP addresses, detect ARP spoofing, and analyze vulnerability trends within networks.
Details:
**Table of Contents**
**Section 1 - Introduction**
**1.1 - Document Purpose**: This document outlines the purpose and guidelines for vendors preparing to demonstrate their Security Information and Event Management (SIEM) solutions at Southwest Airlines (SWA). The primary objective is to select a suitable SIEM architecture that consolidates, correlates, and reports on SWA's security logs, which is crucial for protecting sensitive customer and operational data. A compromise of these systems could lead to significant risk, loss of customer confidence, and recovery costs.
**1.2 - Vendor Preparation**: Vendors should bring a live instance of their SIEM solution for onsite demonstration. They are expected to connect the SIEM solution to a syslog receiver and process sample log events as part of the demo. The setup involves connecting the vendor's SIEM system to SWA's infrastructure, which is essential for evaluating the proposed solutions against real input.
**1.2 - Session Format**: The session will involve presentations by vendors followed by a demonstration of their SIEM solution against predefined scenarios related to log collection, protocol usage in secure zones, network optimization, addressing issues, vulnerability monitoring, and ARP spoofing. This format allows for a comprehensive evaluation of the vendor's solutions based on practical use cases relevant to SWA’s operational environment.
**1.2 - Audience**: The session is intended for vendors proposing SIEM solutions and includes technical representatives who are expected to understand the complexities of deploying and managing security event management systems within an airline context, as well as having expertise in handling sensitive data securely.
**1.3 – Assumptions**: Vendors are assumed to have knowledge about SWA’s operational environment, including its IT infrastructure and specific requirements for log management. This includes understanding the potential risks associated with various technologies used across different scenarios during the demonstration.
**Section 2 - Introductions, Vendor and Solution Overview**
**2.1 – Scope**: The session covers a broad range of topics to assess the suitability of the SIEM solutions for SWA's needs. This includes the vendor's solution architecture, its ability to handle varied log types from multiple sources, and how it addresses specific operational challenges such as low bandwidth sites or weak protocols crossing secure zone boundaries.
**2.2 – Expected Participants**: Key participants include technical representatives from both SWA and the vendor’s organization who are knowledgeable about IT security management and have a role in evaluating SIEM solutions.
**2.3 – Vendor Demonstration Criteria**: Vendors must demonstrate their solution's ability to handle specific scenarios such as event collection under high latency, use of weak protocols across secure zones, log reduction on Layer 3 interfaces, handling Double NAT configurations, managing address overlaps, trending vulnerabilities, and addressing ARP spoofing issues.
**Section 3 - Planned Use Cases**
**Scenario 1**: Demonstrates the solution’s ability to collect events from sites with low bandwidth (high latency).
**Scenario 2**: Shows how the SIEM can handle insecure protocol usage within secure network zones.
**Scenario 3**: Illustrates reducing load on Layer 3 interfaces for efficient log collection and analysis.
**Scenario 4**: Addresses challenges of Double NAT configurations in SWA’s environment, which is crucial due to its complex networking setup.
**Scenario 5**: Highlights issues related to address overlaps that could affect network security measures implemented by the SIEM system.
**Scenario 6**: Focuses on vulnerability trending within the SWA ecosystem, showing how the SIEM correlates vulnerability data with IDS alerts and trends exposure across platforms over time.
**Scenario 7**: Addresses detection of ARP spoofing (false ARP replies on a local segment) from within the SIEM itself, without relying on a separate tool such as Arpwatch.
**Section 4 - Other Use Cases**
This section likely includes additional scenarios or use cases not covered in detail under Section 3, which could include future-facing challenges or hypothetical situations designed to test the vendor’s adaptability and innovation capabilities within SWA's security framework.
The document outlines details about a Vendor Demonstration for a SIEM (Security Information and Event Management) product, emphasizing its integration with Cyber Threat Intelligence content. Key points include:
1. **Technical Specifications**: The demonstration focuses on showcasing the SIEM's centralized architecture, which includes a data store, correlation, and presentation layer. It also highlights the use of a regional collector to compress events, thereby reducing bandwidth requirements.
2. **Participants**: Expected participants in the demonstration include SWA SIEM Project Team members (sponsor, manager, tech lead, analyst), Deloitte engagement partners and architects who are involved in the SIEM implementation.
3. **Assumptions**: The document assumes that the vendor has already enabled certain features on their SIEM product, such as Cyber Threat Intelligence content fully operational with an up-to-date database.
4. **Restrictions**: The information provided is confidential and should not be distributed outside the project team. It is intended solely for invited Proponents who are directly involved in the project.
5. **Expectations**: During the demonstration, vendors must provide a high-level overview of their organization and showcase key functionalities and features of their SIEM offering as outlined in this document.
The provided document outlines a detailed evaluation framework for a security information and event management (SIEM) solution, focusing on various aspects such as the organization's background, market focus, commitment to product development, architecture, event processing, correlation capabilities, integration with vulnerability assessment tools, role-based access controls, data retention, obfuscation features, and more.
For the SIEM solution:
1. **Organization Overview**: The vendor should briefly describe the organization, its mission statement, and the year of incorporation. This helps in understanding the company's background and its core values.
2. **Market Focus**: The focus on the market includes identifying the target industries or sectors where the vendor's services are most applicable, showcasing their expertise and potential for growth within specific markets.
3. **Product Development Vision**: A clear vision of how the SIEM product is being developed and enhanced to meet future needs in a rapidly changing technological landscape should be provided.
4. **Differentiation Factors**: Specific details about what sets this vendor's solution apart from competitors, including unique features or technologies that are exclusive to their offering.
5. **Architecture Description**: A high-level overview of the SIEM architecture, detailing how it is organized into tiers and showcasing its ability to create correlations efficiently and process data from vulnerability assessment tools seamlessly.
6. **Event Processing Overview**: Insights into how events are managed across different layers of the architecture, including which devices may require agents for data collection, bandwidth management features, normalization and aggregation processes, and more.
7. **Correlation Capabilities**: A brief overview of the system's ability to correlate events, emphasizing its effectiveness in handling complex security threats by integrating with vulnerability assessment tools and ensuring proper jurisdiction-specific data handling and obfuscation where necessary.
8. **Role-Based Access Controls and Data Handling**: Demonstrations of how access to SIEM data can be tailored based on user roles, allowing for secure information sharing among subsidiaries while maintaining privacy and compliance requirements across different jurisdictions.
9. **Data Retention and Obfuscation**: Details about the method and extent of data retention policies, as well as techniques used to obscure sensitive information without compromising the usability of non-sensitive data within log messages.
10. **Granular Obfuscation Levels**: Clarification on how much personal or sensitive information can be concealed in logs while still allowing for meaningful correlation and analysis across various systems.
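Items 9 and 10 ask how much of a log message can be hidden while correlation across systems still works. The usual answer is field-level policy with a deterministic keyed pseudonym for identifiers: the raw value disappears, but the same user on two systems still maps to the same token, so joins and counts survive. The following is an added example of that approach and is not code from the agenda or from any vendor; the key, the policy table and the sample events are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

# Hypothetical per-deployment secret. In practice it belongs in an HSM or KMS,
# not in the log pipeline's configuration in the clear.
PSEUDONYM_KEY = b"example-key-not-for-production"

# Hypothetical field policy expressing "granular obfuscation levels":
# keep the field, pseudonymize it, mask it, or drop it entirely.
POLICY = {
    "user":   "pseudonymize",  # hidden, but identical across systems -> still correlatable
    "src_ip": "mask_ip",       # keep the network part, hide the host part
    "ssn":    "drop",          # never stored
    "action": "keep",
}

# Constructed events from two systems that share a user population.
SAMPLE_EVENTS = [
    {"user": "alice", "src_ip": "192.0.2.45", "ssn": "000-00-0000", "action": "vpn_login"},
    {"user": "alice", "src_ip": "192.0.2.46", "action": "db_query"},
    {"user": "bob", "src_ip": "2001:db8::1234", "action": "vpn_login"},
]


def pseudonymize(value, key=PSEUDONYM_KEY):
    """Deterministic keyed token: same input -> same token, so join keys survive.
    Unlike a plain unsalted hash, the token cannot be recovered from a
    dictionary of likely usernames without the key."""
    return "pseud-" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_ip(value, prefixlen_v4=24, prefixlen_v6=48):
    """Zero the host bits so the address still identifies a site or subnet."""
    addr = ipaddress.ip_address(value)
    plen = prefixlen_v4 if addr.version == 4 else prefixlen_v6
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False).network_address)


def obfuscate(event, policy=POLICY, key=PSEUDONYM_KEY):
    """Apply the policy field by field; unknown fields are dropped (fail closed)."""
    out = {}
    for field, value in event.items():
        level = policy.get(field, "drop")
        if level == "keep":
            out[field] = value
        elif level == "pseudonymize":
            out[field] = pseudonymize(value, key)
        elif level == "mask_ip":
            out[field] = mask_ip(value)
        # "drop": the field is omitted entirely
    return out


def correlate_by_user(events):
    """Group obfuscated events by user token. This works only because
    pseudonymize() is deterministic under a single key."""
    groups = {}
    for e in events:
        groups.setdefault(e["user"], []).append(e["action"])
    return groups


if __name__ == "__main__":
    stored = [obfuscate(e) for e in SAMPLE_EVENTS]
    for e in stored:
        print(e)
    print(correlate_by_user(stored))
```

The pseudonym key is the whole control: anyone holding it can re-identify users, so it should be managed like a credential, and rotating it breaks correlation across the rotation boundary.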
The provided text outlines various capabilities and features of a solution being described by a vendor, focusing on its alerting, reporting, data analysis, and visualization components. Here's a summary of each section based on the text:
2.3.5 - Alerting System: This part of the description focuses on the alerting functionality of the solution. It highlights the demonstration of an easy-to-write correlation and aggregation rule setup, which involves alerting capabilities for both zero day (unknown threats) and outbreak events. The system should also allow users to customize threat formulas based on their needs, using these formulas to determine business importance and threat confidence levels. Additionally, it covers aspects such as demonstration of the alert view, operator aids, categorization of severity, detection of anomalies (both known and unknown), multiple escalation levels for alerts, routing options based on owner, and mechanisms for acknowledging or handling unacknowledged alerts.
2.3.6 - Reporting System: The vendor is required to provide a brief overview of the reporting system's capabilities within the solution. This includes demonstrations of various types of reports (likely including dashboards and customizable reports), querying databases, completeness of the reporting, ad-hoc query capability, and ease in adding customized reports for specific user requirements.
2.3.7 - Data Analysis and Queries: This section covers how the system supports security data analysis and forensic investigations, including the ability to replay the original events behind an alert. It also asks what happens when analysis targets events outside the retention period, or when a search spans more than one month of data. The solution is expected to handle both retrospective analysis and long-range searches efficiently.
2.3.8 - Visualizations: Although not expanded upon in detail, this section would typically cover how visual representations enhance data interpretation and facilitate understanding within the system. It might include graphs, charts, maps, or other graphical displays that help users visualize trends, patterns, threats, etc., directly related to security events or operations monitored by the solution.
Overall, these sections collectively showcase a comprehensive security information and event management (SIEM) or advanced threat detection solution with robust analytical capabilities, visual reporting features, flexible alerting mechanisms, and historical analysis tools—all tailored for both proactive defense against current threats and insights into past incidents to improve future responses.
The document outlines a comprehensive evaluation and demonstration of capabilities for a security information and event management (SIEM) solution, including system dashboards, case management, incident management, and planned use cases addressing various technical challenges such as low bandwidth/high latency sites, weak protocols across secure zones, and reducing load on Layer 3 interfaces.
### System Capabilities Demonstration:
1. **System Dashboards**: The vendor is required to demonstrate interactive dashboards that provide real-time insights into the system's status, including threat indicators, geo-threats, and investigative tools for actionable intelligence.
2. **Situational Threat Dashboards**: Show how these dashboards can be used to visualize and prioritize threats based on their severity and potential impact.
3. **Geo-Threat Dashboards**: Demonstrate the mapping of threats by geographical location, allowing for targeted responses.
4. **Drill Down from Dashboards**: Ability to dive deeper into specific details from the main dashboards for more granular analysis.
5. **Running Investigations from Dashboards**: The capability to launch and track investigations directly from the dashboard interface.
6. **Adding Objects (Users, Addresses) to Watch Lists**: How vendors can integrate new entities into their watch lists via the dashboard for continuous monitoring.
7. **Opening Tickets from Dashboards**: Demonstrate the ease of creating service tickets or alerts from the SIEM tool's dashboard for quick response and escalation handling.
### Case Management Capability:
1. **Workflow Engine**: Show how cases are managed through a workflow engine, with specific routing based on criteria like platform owner.
2. **Base Ticketing Capability**: Demonstrate basic ticketing features to track incidents and tasks within the system.
3. **Reports on Case Management**: Ability to generate reports that analyze performance, compliance, or other relevant metrics from case management activities.
4. **Integration of Evidence**: Show how digital evidence can be seamlessly integrated into the case management tools for legal and investigative purposes.
### Planned Use Cases:
1. **Event Collection from Low Bandwidth (High Latency Sites)**: Describe strategies to optimize data collection in environments with limited bandwidth or high latency, ensuring that critical events are not missed due to network constraints.
2. **Use of Weak Protocols across Secure Zones**: Discuss methods to securely collect logs and events from devices within secure VLANs without compromising the security posture by using insecure protocols that cross zone boundaries.
3. **Reducing Load on Layer 3 Interface for Log Collection**: Suggest architectural modifications or enhancements to the SIEM solution to minimize the impact of log collection on high-density server environments, thereby reducing network strain and improving performance.
4. **Double NAT**: Scenario 4 covers collection and correlation in SWA's double NAT configurations; the summary gives no further detail on it.
This document provides a structured approach to evaluating and demonstrating the capabilities of a SIEM tool, with specific focus on addressing practical challenges faced by organizations like SWA.
For the remaining scenarios, the vendor's solution needs to demonstrate how it handles specific network complexities (including the double NAT environment of Scenario 4) and still produces actionable insights. Here are the summaries for each scenario:
**Scenario 5 - Address Overlap**: Two branch offices use overlapping IP addresses, possibly with different criticality classifications because one of them belongs to another organization's subnet. The vendor should show how the SIEM keeps traffic from these networks apart and correlates it correctly even though the addresses collide. The solution should tag events according to the network they came from (for instance by collector or zone) and support correlation rules that identify the real threat source rather than a merged, ambiguous address.
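To make the overlap problem concrete, the following added example (not code from the agenda or from any vendor) tags each event with the zone of the collector that received it and shows a simple failed-login correlation rule keyed on the bare IP versus on the zone-qualified address. The zone table, collector mapping and events are constructed; real deployments would derive the zone from the collector, interface or VLAN that delivered the event.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: two branch offices both number their LAN from 10.0.0.0/24,
# so a bare source IP is ambiguous. The collector that received the event is
# the only field that disambiguates them.
ZONE_PREFIXES = {              # hypothetical zone -> address space
    "branch-a": "10.0.0.0/24",
    "branch-b": "10.0.0.0/24",
    "datacenter": "172.16.0.0/16",
}
COLLECTOR_ZONE = {             # hypothetical collector -> zone mapping
    "collector-a": "branch-a",
    "collector-b": "branch-b",
}
RAW_EVENTS = [  # constructed events, already parsed into fields
    {"collector": "collector-a", "src": "10.0.0.5", "dst": "10.0.0.1", "action": "auth_fail"},
    {"collector": "collector-a", "src": "10.0.0.5", "dst": "10.0.0.1", "action": "auth_fail"},
    {"collector": "collector-a", "src": "10.0.0.5", "dst": "10.0.0.1", "action": "auth_fail"},
    {"collector": "collector-b", "src": "10.0.0.5", "dst": "10.0.0.9", "action": "auth_fail"},
    {"collector": "collector-b", "src": "10.0.0.7", "dst": "10.0.0.9", "action": "auth_ok"},
]


def overlapping_zones(zone_prefixes):
    """Return sorted pairs of zones whose address spaces overlap; these are the
    zones where a bare IP must never be used as a correlation key."""
    nets = {z: ipaddress.ip_network(p) for z, p in zone_prefixes.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def enrich(event, collector_zone=COLLECTOR_ZONE):
    """Tag the event with its collector's zone and build zone-qualified address
    keys. The bare IP is kept for display only."""
    zone = collector_zone[event["collector"]]
    return {**event, "zone": zone,
            "src_key": f"{zone}/{event['src']}",
            "dst_key": f"{zone}/{event['dst']}"}


def failed_logins_by_source(events, key):
    """Count auth_fail events per source, using the supplied key function."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "auth_fail":
            counts[key(e)] += 1
    return dict(counts)


def brute_force_sources(events, zone_aware, threshold=3):
    """Correlation rule: flag sources with at least `threshold` failed logins.
    With zone_aware=False the two branches' 10.0.0.5 hosts are merged into one
    (wrong) source; with zone_aware=True they are counted separately."""
    enriched = [enrich(e) for e in events]
    key = (lambda e: e["src_key"]) if zone_aware else (lambda e: e["src"])
    counts = failed_logins_by_source(enriched, key)
    return sorted(k for k, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("overlapping zones:", overlapping_zones(ZONE_PREFIXES))
    print("naive rule flags:", brute_force_sources(RAW_EVENTS, zone_aware=False))
    print("zone-aware rule flags:", brute_force_sources(RAW_EVENTS, zone_aware=True))
```

The naive rule reports 10.0.0.5 as a brute-force source by adding one failure from branch B to three from branch A, so the alert points at the wrong host in one of the two networks; the zone-aware rule attributes the activity to branch A only.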
**Scenario 6 - Vulnerability Trending**: SWA aims to use the SIEM tool to assess targeted assets for vulnerability relevance using data from IDS alerts, as well as to trend vulnerabilities across different platforms. The vendor should demonstrate how the solution can correlate vulnerability data with security threats and provide insights into which platforms are most affected by current vulnerabilities.
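The two halves of Scenario 6 are a join and a time series: an IDS alert is relevant when the scanner says the target actually has the vulnerability the signature exploits, and a platform trend is the count of open findings per platform across scan dates. The following is an added example of both (not code from the agenda or from any vendor). The inventory, the signature-to-vulnerability table, the alerts and the vulnerability identifiers are constructed placeholders, not real CVEs.

```python
from collections import defaultdict

# Constructed scanner inventory: asset -> platform and open vulnerability IDs.
INVENTORY = {
    "10.1.0.10": {"platform": "windows-server", "vulns": {"VULN-SMB-001", "VULN-RDP-002"}},
    "10.1.0.11": {"platform": "windows-server", "vulns": {"VULN-RDP-002"}},
    "10.1.0.20": {"platform": "linux", "vulns": {"VULN-SSH-003"}},
}

# Hypothetical table mapping an IDS signature to the vulnerability it exploits.
SIGNATURE_VULN = {"SIG-SMB-EXPLOIT": "VULN-SMB-001", "SIG-SSH-EXPLOIT": "VULN-SSH-003"}

# Constructed IDS alerts.
IDS_ALERTS = [
    {"sig": "SIG-SMB-EXPLOIT", "dst": "10.1.0.10"},   # target has the vuln
    {"sig": "SIG-SMB-EXPLOIT", "dst": "10.1.0.11"},   # target lacks that vuln
    {"sig": "SIG-SSH-EXPLOIT", "dst": "10.1.0.20"},   # target has the vuln
    {"sig": "SIG-SSH-EXPLOIT", "dst": "10.1.0.99"},   # asset never scanned
]

# Constructed scan history for trending: ISO date -> inventory snapshot.
SCAN_HISTORY = {
    "2024-01-01": {
        "10.1.0.10": {"platform": "windows-server", "vulns": {"VULN-SMB-001"}},
        "10.1.0.20": {"platform": "linux", "vulns": {"VULN-SSH-003"}},
    },
    "2024-02-01": INVENTORY,
}


def assess_alert(alert, inventory=INVENTORY, sig_vuln=SIGNATURE_VULN):
    """Classify an IDS alert by whether its target is actually exposed.
    An unscanned asset is never downgraded: the SIEM has no basis to do so."""
    asset = inventory.get(alert["dst"])
    vuln = sig_vuln.get(alert["sig"])
    if asset is None:
        return "unknown_asset"
    if vuln is None:
        return "unmapped_signature"
    return "relevant" if vuln in asset["vulns"] else "not_vulnerable"


def triage(alerts):
    """Bucket alerts by relevance so analysts see the exposed targets first."""
    buckets = defaultdict(list)
    for a in alerts:
        buckets[assess_alert(a)].append(a)
    return dict(buckets)


def open_vulns_by_platform(snapshot):
    """Count open (asset, vulnerability) pairs per platform for one scan."""
    counts = defaultdict(int)
    for info in snapshot.values():
        counts[info["platform"]] += len(info["vulns"])
    return dict(counts)


def trend_by_platform(history):
    """Return {platform: [(date, open_count), ...]} in date order. A platform
    whose count keeps rising between scans is a patch-management gap."""
    trend = defaultdict(list)
    for d in sorted(history):
        for platform, n in open_vulns_by_platform(history[d]).items():
            trend[platform].append((d, n))
    return dict(trend)


def most_affected_platform(history):
    """Platform with the most open findings in the latest scan."""
    latest = {p: pts[-1][1] for p, pts in trend_by_platform(history).items()}
    return max(latest, key=latest.get)


if __name__ == "__main__":
    for bucket, alerts in triage(IDS_ALERTS).items():
        print(bucket, alerts)
    print(trend_by_platform(SCAN_HISTORY))
    print("most affected:", most_affected_platform(SCAN_HISTORY))
```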
**Scenario 7 - Address Resolution Protocol (ARP) Spoofing**: SWA wants ARP spoofing detection from the SIEM itself. The vendor needs to show how the solution detects an ARP spoofing attack, in which an attacker sends false ARP replies on a local segment so that traffic for another host (typically the gateway) is delivered to the attacker's MAC address. This should be achieved without requiring an additional technology such as Arpwatch. One caveat for evaluators: ARP does not cross routers, so the SIEM can only detect it if some device on the affected segment (a switch, a host agent or a sensor) reports ARP activity to it; the demonstration should make clear which log source that is.
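What a SIEM-side ARP spoofing rule looks like, as an added example that is not code from the agenda or from any vendor: it keeps a small state table over a stream of ARP observations and raises three kinds of alert (an unexpected MAC answering for a known gateway, an IP whose MAC changes, and one MAC answering for more addresses than expected). The log format, the switch name, the known-gateway table and the events are constructed; a real source would be whatever switch, host or sensor on the segment the vendor proposes.

```python
import re
from collections import defaultdict

# Constructed ARP observations in a syslog-like form (not a real vendor format),
# as a switch or host on the segment might report them to the SIEM.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z sw01 arp: reply 10.0.0.1 is-at aa:aa:aa:aa:aa:01 vlan 10
2024-03-01T10:00:01Z sw01 arp: reply 10.0.0.25 is-at aa:aa:aa:aa:aa:25 vlan 10
2024-03-01T10:00:02Z sw01 arp: reply 10.0.0.26 is-at aa:aa:aa:aa:aa:26 vlan 10
2024-03-01T10:00:05Z sw01 arp: reply 10.0.0.1 is-at de:ad:be:ef:00:66 vlan 10
2024-03-01T10:00:06Z sw01 arp: reply 10.0.0.25 is-at de:ad:be:ef:00:66 vlan 10
2024-03-01T10:00:07Z sw01 arp: reply 10.0.0.1 is-at aa:aa:aa:aa:aa:01 vlan 10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) arp: reply (?P<ip>[\d.]+) is-at "
    r"(?P<mac>[0-9a-f:]{17}) vlan (?P<vlan>\d+)$")

# Hypothetical (vlan, gateway ip) -> authoritative MAC, maintained by the network team.
KNOWN_GATEWAYS = {("10", "10.0.0.1"): "aa:aa:aa:aa:aa:01"}


def parse(log):
    """Parse the constructed log lines into field dicts; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]


def detect_arp_spoofing(events, known_gateways=KNOWN_GATEWAYS, max_ips_per_mac=1):
    """Stateful rules over the ARP stream, evaluated per VLAN:
      gateway_impersonation: a known gateway IP answered by an unexpected MAC
      mapping_flip:          an IP's MAC differs from the one previously seen
      mac_claims_many_ips:   one MAC answers for more than max_ips_per_mac IPs
    max_ips_per_mac=1 is strict; raise it where virtual IPs or first-hop
    redundancy legitimately put several addresses on one MAC."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for e in events:
        key = (e["vlan"], e["ip"])
        expected = known_gateways.get(key)
        if expected is not None and e["mac"] != expected:
            alerts.append({"rule": "gateway_impersonation", "ts": e["ts"],
                           "ip": e["ip"], "mac": e["mac"]})
        prev = ip_to_mac.get(key)
        if prev is not None and prev != e["mac"]:
            alerts.append({"rule": "mapping_flip", "ts": e["ts"], "ip": e["ip"],
                           "old": prev, "new": e["mac"]})
        ip_to_mac[key] = e["mac"]
        claimed = mac_to_ips[(e["vlan"], e["mac"])]
        claimed.add(e["ip"])
        if len(claimed) == max_ips_per_mac + 1:   # fire once, when the threshold is crossed
            alerts.append({"rule": "mac_claims_many_ips", "ts": e["ts"],
                           "mac": e["mac"], "ips": sorted(claimed)})
    return alerts


def summarize(alerts):
    """Alert counts per rule, the figure a dashboard would show."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect_arp_spoofing(parse(SAMPLE_LOG))
    for a in found:
        print(a)
    print(summarize(found))
```

In the constructed log the attacker's MAC first claims the gateway address and then a second host, which trips all three rules; the gateway reasserting its own address afterwards registers as another flip, which is the flip-flop pattern an analyst would expect to see during an active attack.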
In each scenario, the focus is on demonstrating the flexibility and effectiveness of the SIEM solution in handling complex network environments and providing actionable insights to enhance security posture.
This part of the document states that SWA (Southwest Airlines, as identified in Section 1) will provide networking equipment such as switches and routers to the vendors on demonstration day. To assess how easily each SIEM can be configured for new sources and how it adapts to different threat situations, SWA plans to introduce advanced use cases designed specifically for the demonstration day, beyond the planned use cases published in Section 3.
Here's a breakdown of the key points:
1. **Networking Equipment as Log Sources**: SWA supplies switches and routers for the demonstration so that each vendor's SIEM is exercised against real devices of the kind found in SWA's infrastructure rather than only against canned sample events.
2. **Advanced Use Cases**: To judge how well each SIEM can be configured, adapted to new scenarios, and operated under diverse threat conditions, SWA presents use cases that vendors have not seen in advance. This tests the flexibility of each offering in a controlled but realistic setting.
3. **Vendor Demonstration Day**: The evaluation takes place in a hands-on session where vendors show how their SIEM handles the provided equipment and the advanced use cases. SWA can observe the configuration work directly and gain practical insight into each product's features and limitations.
4. **Adaptability and Threat Scenarios**: By introducing scenarios that mimic real-world threats or complex configurations, SWA aims to gauge how well each vendor's solution adapts and performs in difficult conditions, which supports selecting a versatile and robust SIEM.
In summary, the text describes an evaluation in which each vendor's SIEM is exercised against SWA-provided switches and routers and against unannounced advanced use cases, focusing on configuration ease, adaptability, and performance on demonstration day.