© Loop Technology
SECURITY EVENT LOG MANAGEMENT- What to consider when looking at SIEM Technology
OVERVIEW
• LOGS
• VALUE IN COLLECTING LOGS
• SIEM – EVENT LOG MANAGEMENT
• TECHNOLOGY DIFFERENCES
• GARTNER ANALYSIS
• IDENTITY MANAGEMENT COMBINED WITH LOG MANAGEMENT
• BENEFITS OF USING SIEM TECHNOLOGIES
• HOW LOOP TECHNOLOGY CAN HELP YOU
WHAT ARE LOGS?
• Messages generated by computer systems
• It is a record of an event that has occurred
• Different formats for each application and system
• Commonly transported with syslog, traditionally UDP port 514 (TCP 514 and syslog over TLS on 6514 are also used)
• They all contain common information:
  - Date and time
  - Source (IP address, computer name, userID)
  - Destination
  - Type of event
LOG DATA
• Types of log data:
  - Audit logs
  - Transaction logs
  - Connection logs
  - System performance records
  - User activity
  - Intrusion detection and alerts
• These can come from any source that generates logs, including:
  - Firewalls
  - Routers, switches
  - Operating systems
  - Content filtering programs
  - Anti-virus
  - Physical alarm systems
  - VoIP phone systems
WHY ANALYSE LOGS?
• Gain an understanding of what is going on
• Detect emerging threats early, before they turn into incidents
• Measure security and IT performance
• Compliance
• Incident investigation
RISK OF IP THEFT OR DATA LEAKAGE
• Could be malicious or profit motivated
• Perimeter security is not always effective
• Attacks that collect sensitive organisational data are flexible enough to target applications, databases or unstructured data (e.g. Excel spreadsheets)
• Impacts data integrity as well as confidentiality
• The industry has focused on either after-the-fact forensic investigation or restrictive point solutions
ANALYSING AND MONITORING LOGS
• Real-time? Hourly? Weekly?
• Collect some or all logs?
• False positives
• How much data do you need to correlate events?
• Duplication of logging
• Ensuring data integrity
• Size and diversity of the environment
How do these items affect your monitoring strategy?
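Of the items above, "ensuring data integrity" is the one a central log store can answer with a concrete mechanism. The following is an added example, not code from the original presentation or from any vendor's product: a tamper-evident hash chain over collected log lines. Each stored line is bound to its predecessor with an HMAC, so editing, deleting or reordering a line after collection breaks the chain from that point on. The key, host name and three log lines are constructed for the example.

```python
"""Tamper-evident storage for collected logs: an HMAC hash chain.

Added example, not code from the original presentation. The key and the
three log lines below are constructed for illustration.
"""
import hashlib
import hmac

GENESIS = b"\x00" * 32  # anchor for the first link in the chain

# Constructed sample: a failed su, a key-based login, and a sudo read of /etc/shadow.
SAMPLE_KEY = b"constructed-example-key-keep-off-the-log-host"
SAMPLE_LINES = [
    "Feb 12 15:47:40 localhost su[29149]: - pts/5 dcid:root",
    "Feb 12 15:48:01 localhost sshd[29160]: Accepted publickey for dcid from 192.0.2.10 port 51000 ssh2",
    "Feb 12 15:49:13 localhost sudo: dcid : TTY=pts/5 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/cat /etc/shadow",
]


def link(key: bytes, prev: bytes, line: str) -> bytes:
    """HMAC-SHA256 over (previous link || raw line). The raw line itself is stored unchanged."""
    return hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()


def build_chain(key: bytes, lines) -> list:
    """Compute one link per stored line; the last link is the chain head to anchor elsewhere."""
    links, prev = [], GENESIS
    for line in lines:
        prev = link(key, prev, line)
        links.append(prev)
    return links


def verify_chain(key: bytes, lines, links) -> int:
    """Return -1 if every line still matches its link, otherwise the index of the
    first entry that fails: an edited line, a deleted or inserted line (everything
    after it shifts), or a truncated tail."""
    prev = GENESIS
    for i, (line, stored) in enumerate(zip(lines, links)):
        if not hmac.compare_digest(link(key, prev, line), stored):
            return i
        prev = stored
    if len(lines) != len(links):
        return min(len(lines), len(links))  # entries missing at the tail
    return -1


if __name__ == "__main__":
    chain = build_chain(SAMPLE_KEY, SAMPLE_LINES)
    print("intact:", verify_chain(SAMPLE_KEY, SAMPLE_LINES, chain))
    tampered = SAMPLE_LINES[:]
    tampered[2] = tampered[2].replace("/etc/shadow", "/etc/motd")
    print("edited line detected at index:", verify_chain(SAMPLE_KEY, tampered, chain))
```

Two caveats when using this for real: the key must not be readable by the hosts whose logs are being protected (anyone holding it can recompute a consistent chain), so keep it with the verifier or in an HSM; and the chain head should be exported periodically (signed, or sent to a second system), otherwise truncating the whole tail after the last exported head goes unnoticed.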
VALUE IN VIEWING LOGS
| Activity | Value |
| --- | --- |
| Logging | Audit; incident response; compliance |
| Monitoring | Incident detection; loss prevention; compliance |
| Analysis | Identifying trends; fault prediction; potential to identify internal attack |
MONITORING SAMPLES
"Real-time" monitoring:
  - Viral outbreak
  - Loss of service on critical assets
  - RAID devices starting to fail
  - External attack
  - Serious internal network abuse
Daily / weekly tasks:
  - Unauthorised access evidence collection
  - Suspicious logon failures
  - Privilege revalidation
  - Changes on host and network systems
  - Activity summary
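"Suspicious logon failures" is listed above as a daily task, and the previous slide asked how much data you need to correlate events. The following is an added example, not code from the original presentation or any SIEM product, showing the correlation rule a practitioner would actually write: failures for the same account and source are counted inside a sliding window, and a success that follows a burst of failures is escalated. The sshd syslog lines are constructed (the format is real; hosts, users and addresses are made up), and because classic syslog timestamps carry no year, ASSUMED_YEAR is an assumption.

```python
"""Turn raw authentication logs into a 'suspicious logon failures' alert.

Added example, not code from the original presentation. The sshd syslog
lines below are constructed (real format, made-up hosts, users, addresses).
Classic syslog timestamps carry no year, so ASSUMED_YEAR stands in for it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ASSUMED_YEAR = 2007  # assumption: syslog lines have no year field

SAMPLE_LOGS = """\
Feb 12 15:01:02 enigma sshd[2001]: Failed password for jsmith from 203.0.113.7 port 50112 ssh2
Feb 12 15:01:05 enigma sshd[2002]: Failed password for jsmith from 203.0.113.7 port 50113 ssh2
Feb 12 15:01:09 enigma sshd[2003]: Failed password for jsmith from 203.0.113.7 port 50114 ssh2
Feb 12 15:01:12 enigma sshd[2004]: Failed password for jsmith from 203.0.113.7 port 50115 ssh2
Feb 12 15:01:16 enigma sshd[2005]: Failed password for jsmith from 203.0.113.7 port 50116 ssh2
Feb 12 15:01:20 enigma sshd[2006]: Accepted password for jsmith from 203.0.113.7 port 50117 ssh2
Feb 12 15:30:00 enigma sshd[2100]: Failed password for invalid user admin from 198.51.100.9 port 40000 ssh2
Feb 12 15:30:03 enigma sshd[2101]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Feb 12 15:30:07 enigma sshd[2102]: Failed password for invalid user admin from 198.51.100.9 port 40002 ssh2
Feb 12 16:10:44 enigma sshd[2200]: Failed password for dcid from 192.0.2.55 port 39000 ssh2
Feb 12 17:45:10 enigma sshd[2300]: Accepted publickey for dcid from 192.0.2.55 port 39500 ssh2
Feb 12 17:46:00 enigma CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_auth(line):
    """Extract who / when / where-from / outcome from one sshd line, or None if it is not one."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"when": when, "host": m["host"], "user": m["user"],
            "src": m["src"], "ok": m["result"] == "Accepted"}


def detect_bruteforce(lines, threshold=3, window=timedelta(minutes=10)):
    """Correlate failures per (user, source) inside a sliding window.

    An alert is raised once `threshold` failures fall inside `window`; it is
    escalated to 'compromise' if a success from the same user and source
    follows while those failures are still inside the window.
    """
    events = sorted((e for e in map(parse_auth, lines) if e), key=lambda e: e["when"])
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failures
    alerts = {}
    for e in events:
        key = (e["user"], e["src"])
        recent = [t for t in failures[key] if e["when"] - t <= window]
        if not e["ok"]:
            recent.append(e["when"])
            failures[key] = recent
            if len(recent) >= threshold:
                alert = alerts.setdefault(key, {"severity": "bruteforce", "first": recent[0]})
                alert["failures"] = len(recent)
                alert["last"] = e["when"]
        else:
            if len(recent) >= threshold:   # success right after a burst of failures
                alerts[key]["severity"] = "compromise"
                alerts[key]["success_at"] = e["when"]
            failures[key] = []             # a success ends the failure run
    return alerts


def daily_summary(lines):
    """Daily/weekly report: failed and accepted logons per account, with the sources seen."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": 0, "sources": set()})
    for e in filter(None, map(parse_auth, lines)):
        summary[e["user"]]["accepted" if e["ok"] else "failed"] += 1
        summary[e["user"]]["sources"].add(e["src"])
    return dict(summary)


if __name__ == "__main__":
    for (user, src), a in detect_bruteforce(SAMPLE_LOGS.splitlines()).items():
        print(f"{a['severity']:10} {user}@{src}: {a['failures']} failures {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}")
    for user, s in daily_summary(SAMPLE_LOGS.splitlines()).items():
        print(f"{user}: {s['failed']} failed, {s['accepted']} accepted from {sorted(s['sources'])}")
```

The window size and threshold are the knobs that trade false positives against missed attacks: a single failure followed much later by a key-based login (the dcid account above) is normal behaviour and produces no alert, while five failures and a success in twenty seconds is worth a real-time page rather than a weekly report line.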
VIEWING LOG SAMPLES - Do you recognise these?
Unix su via syslog (a leading "-" marks a failed switch to root):
Feb 12 15:47:40 localhost su[29149]: - pts/5 dcid:root
Windows Security event 577 (Privileged Service Called):
Oct 25 00:09:27 192.168.1.100 security[failure] 577 IBM17M\Jeremy Lee Privileged Service Called: Server:Security Service:- Primary User Name:IBM17M$ Primary Domain:LEETHERNET Primary Logon ID:(0x0,0x3E7) Client User Name:Jeremy Lee Client Domain:IBM17M Client Logon ID:(0x0,0x1447F) Privileges:SeSecurityPrivilege
Unix su failure, another system's wording for the same kind of event:
Feb 12 15:11:41 enigma su[2936]: failed: ttyq4 changing from xx to root
Personal firewall log in CSV form:
ACCESS,2006/09/26,13:14:36 -5:00 GMT,RogueScannerWin32 was unable to obtain permission for connecting to the Internet (169.254.207.118:Port 7000); access was denied.,N/A,N/A
PE,2006/09/26,13:14:36 -5:00 GMT,RogueScannerWin32,C:\Program Files\Network Chemistry\RogueScanner GUI\RogueScannerGUI.exe,169.254.207.118:7001,N/A
Web server access log (Apache common log format):
100.149.117.1 - - [13/Jan/2006:01:03:30 -0200] "POST /blog/xmlrpc.php HTTP/1.0" 404 288
USING TOOLS WE CAN VIEW LOGS INSTANTLY TO FIND OUT
• Who: was it a userID, a system event, an automated process?
• When: out of hours? Another time zone?
• Where from: source IP address, computer name, operating system, program?
• Where to: application? Database? Sensitive file?
• What: what actually happened?
• How: can you trace all activity relating to the incident?
AUTOMATED METHOD OF VIEWING LOGS
Source – RSA Envision Dashboard
GRAPHICAL REPRESENTATION OF LOG EVENTS
Source – Tier3 Huntsman Dashboard
AUTOMATED METHOD FOR VIEWING LOGS- NETWORK TRAFFIC DASHBOARD
AUTOMATED REPORT- PASSWORD CHARACTERISTICS
USING SIEM TECHNOLOGY
“The effective way to manage all your events is through the use of an automated solution, allowing you to automate the analysis and review of your logs from a central location”
Your solution depends on what your requirements are
What is important to your organisation?
DO YOUR HOMEWORK
• Do your homework: identify every requirement you have
• Be as granular as you can
• 'We want forensics' or 'we have compliance issues' is not a good answer
Loop Technology can help you identify what you need, then match your requirements to a solution that will best work for you
WHY DO YOUR HOMEWORK?
• SIEM technologies differ considerably from one to another
• If you are not clear about what you want to monitor, you risk purchasing a solution that will not do what you want it to
Many organisations have made this mistake – don’t let yours be next!
EXAMPLE- TYPES OF WINDOWS XP WORKSTATION LOGS
• Logon / logoff
• Access to sensitive files and directories
• Process start / process stop
• User access rights
• Account administration
• Changes to the security policy
• Shutdown and startup events
• System events
What else could there be? What about network logs? Proxy logs? Email server logs? Content management logs?
SIEM COMMON FEATURES
• Many types of 'out of the box' reporting
• Use of a back-end database for storing data. Many products normalise the data on ingest, which can discard fields from the raw record; check what is kept. BEWARE!
• Large number of defined rules provide a base for standard reports
• Support for many technologies, but not always all of your technologies
• Provide a way to parse any logs that are not recognised 'out of the box'
• Dashboard display, accessed by web browser
• Multiple reporting options
SIEM TECHNOLOGY DIFFERENCES
• As of November 2007, the number of fully integrated SIEM solutions in the marketplace was zero
• Every SIEM solution today is historically either a SIM or a SEM solution, not both
• Many of these solutions implement shortcuts to satisfy the marketing side of things, but these will give you a lot of headaches
SIM VERSUS SEM
| SIM: Security Information Management | SEM: Security Event Management |
| --- | --- |
| Audit: ideal for host-based events | Geared toward monitoring network traffic |
| End-user centric: good for archive and reporting | Network centric: geared towards monitoring 'real-time' traffic |
| Long-term storage and analysis | Threat oriented, to immediately support incident response |
| Monitoring of policy violations | Monitoring of external attacks |
| Correlation of many logs | Consolidation of many events |
AGENT VERSUS AGENTLESS
| Agent monitoring | Agentless monitoring |
| --- | --- |
| Allows rule definition remotely, on the monitored host | Rule definition is performed at a central server |
| Reduces traffic sent to a central reporting server | Collects all traffic at a central server |
| Higher configuration maintenance on remote systems | Higher volume maintenance at the server |
| Higher remote system resource consumption; more maintenance required | All maintenance is at the server; use of WMI and SNMP is common |
| Useful for a specific system or audit requirement | Useful when general policy enforcement applies to all systems |
| Agents monitor in near 'real-time' | Agentless collection polls on a schedule, so it is not 'real-time' |
| Agents may cost more for security features (e.g. encrypted, authenticated transport) | Security features are either built into the product or depend on the security of the network |
| Agents may cost more to transmit data via TCP | TCP is generally a standard offering with most agentless systems |
SYSLOG AND EVENT LOG PARSING
• Examples of technologies rarely recognised 'out of the box' by event log management products:
  - RSA Authentication Manager (all except 1)
  - Clearswift SMTP and Clearswift Web
  - Aventail VPN
  - Various Linux versions
  - VAX, Tru64
• This is not unusual, and you may find yourself needing to parse and filter logs such as these. Most products offer a form of 'universal log parsing' where a few lines of code (typically a pattern plus a mapping of its fields onto the product's common record) provide a means to filter these logs. Check how each vendor performs this task, and compare the methods.
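What a 'universal log parser' amounts to, and what the who / when / where-from / where-to / what questions from the earlier slide look like once answered from raw lines, is shown by the following added example. It is not code from the original presentation or from any SIEM product. Its input is the six sample lines from the 'viewing log samples' slide; the two CSV firewall lines stand in for a format no product ships a rule for, and are handled by a parser written by hand and registered alongside the shipped ones. Syslog timestamps carry no year, so SYSLOG_YEAR is an assumption. Every record keeps the raw line, which is the answer to the 'normalisation, BEWARE' warning: normalising should add fields, not drop evidence.

```python
"""Table-driven log normalisation, with a hand-written parser for an unrecognised format.

Added example, not code from the original presentation or any SIEM product.
Input is the six sample lines from the 'viewing log samples' slide. The two
CSV firewall lines stand in for a format with no out-of-the-box parser.
Syslog timestamps carry no year, so SYSLOG_YEAR is an assumption.
"""
import re
from datetime import datetime, timedelta, timezone

SYSLOG_YEAR = 2007  # assumption: classic syslog has no year field
SYSLOG_HEAD = r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "


def _syslog_time(ts):
    return datetime.strptime(f"{SYSLOG_YEAR} {ts}", "%Y %b %d %H:%M:%S").isoformat()


def record(when, who, src, dst, what, raw):
    """The fields every log shares: when, who, where from, where to, what, plus the raw line."""
    return {"when": when, "who": who, "src": src, "dst": dst, "what": what, "raw": raw}


# --- parsers a product might ship 'out of the box': a regex plus a field mapping ---------
def _su_linux(m, raw):  # "- pts/5 dcid:root": a leading '-' is a failed su, '+' a successful one
    outcome = "failed" if m["sign"] == "-" else "succeeded"
    return record(_syslog_time(m["ts"]), m["from"], m["host"], f"{m['host']}:{m['to']}",
                  f"su to {m['to']} {outcome} on {m['tty']}", raw)


def _su_failed_verbose(m, raw):  # "failed: ttyq4 changing from xx to root"
    return record(_syslog_time(m["ts"]), m["from"], m["host"], f"{m['host']}:{m['to']}",
                  f"su to {m['to']} failed on {m['tty']}", raw)


def _win_security(m, raw):
    what = f"Windows security event {m['eid']} ({m['outcome']})"
    if m["priv"]:
        what += f" privilege {m['priv']}"
    return record(_syslog_time(m["ts"]), f"{m['dom']}\\{m['user']}", m["host"], m["host"], what, raw)


def _apache_clf(m, raw):
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").isoformat()
    who = None if m["user"] == "-" else m["user"]
    return record(when, who, m["src"], m["path"], f"HTTP {m['method']} -> {m['status']}", raw)


PARSERS = [
    ("su", re.compile(SYSLOG_HEAD + r"su\[\d+\]: (?P<sign>[-+]) (?P<tty>\S+) (?P<from>[^:]+):(?P<to>\S+)$"), _su_linux),
    ("su-failed", re.compile(SYSLOG_HEAD + r"su\[\d+\]: failed: (?P<tty>\S+) changing from (?P<from>\S+) to (?P<to>\S+)$"), _su_failed_verbose),
    ("windows-security", re.compile(SYSLOG_HEAD + r"security\[(?P<outcome>\w+)\] (?P<eid>\d+) .*?"
                                    r"Client User Name:(?P<user>.+?) Client Domain:(?P<dom>\S+).*?(?:Privileges:(?P<priv>\S+))?$"), _win_security),
    ("apache-clf", re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'), _apache_clf),
]

# --- the 'universal parser' path: a format nobody ships a rule for, handled in a few lines ----
IP_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(?:Port )?(\d+)")


def parse_firewall_csv(raw):
    """TYPE,yyyy/mm/dd,hh:mm:ss +h:mm GMT,program or message,...; destination is the first ip:port found."""
    f = raw.split(",")
    if len(f) < 4 or not re.fullmatch(r"[A-Z]+", f[0]) or not re.fullmatch(r"\d{4}/\d{2}/\d{2}", f[1]):
        return None
    try:
        clock, tz = f[2].split(" ")[:2]                     # "13:14:36 -5:00 GMT"
        hours, minutes = tz.lstrip("+-").split(":")
        offset = timedelta(hours=int(hours), minutes=int(minutes))
        when = datetime.strptime(f"{f[1]} {clock}", "%Y/%m/%d %H:%M:%S").replace(
            tzinfo=timezone(-offset if tz.startswith("-") else offset)).isoformat()
    except ValueError:
        return None
    ip = IP_PORT.search(raw)
    program = f[3].split(" ")[0]
    return record(when, None, program, f"{ip[1]}:{ip[2]}" if ip else None, f"{f[0]}: {f[3]}", raw)


CUSTOM_PARSERS = [parse_firewall_csv]


def normalise(line):
    """Try the shipped parsers, then the custom ones; an unparsed line is kept, not dropped."""
    for name, rx, build in PARSERS:
        m = rx.match(line)
        if m:
            return {**build(m, line), "parser": name}
    for custom in CUSTOM_PARSERS:
        rec = custom(line)
        if rec:
            return {**rec, "parser": custom.__name__}
    return {**record(None, None, None, None, "unparsed", line), "parser": None}


# The six sample lines from the slide (the Windows event on its own line).
SLIDE_SAMPLES = [
    "Feb 12 15:47:40 localhost su[29149]: - pts/5 dcid:root",
    r"Oct 25 00:09:27 192.168.1.100 security[failure] 577 IBM17M\Jeremy Lee Privileged Service Called: Server:Security Service:- Primary User Name:IBM17M$ Primary Domain:LEETHERNET Primary Logon ID:(0x0,0x3E7) Client User Name:Jeremy Lee Client Domain:IBM17M Client Logon ID:(0x0,0x1447F) Privileges:SeSecurityPrivilege",
    "Feb 12 15:11:41 enigma su[2936]: failed: ttyq4 changing from xx to root",
    "ACCESS,2006/09/26,13:14:36 -5:00 GMT,RogueScannerWin32 was unable to obtain permission for connecting to the Internet (169.254.207.118:Port 7000); access was denied.,N/A,N/A",
    r"PE,2006/09/26,13:14:36 -5:00 GMT,RogueScannerWin32,C:\Program Files\Network Chemistry\RogueScanner GUI\RogueScannerGUI.exe,169.254.207.118:7001,N/A",
    '100.149.117.1 - - [13/Jan/2006:01:03:30 -0200] "POST /blog/xmlrpc.php HTTP/1.0" 404 288',
]

if __name__ == "__main__":
    for rec in map(normalise, SLIDE_SAMPLES):
        print(f"[{rec['parser']}] when={rec['when']} who={rec['who']} from={rec['src']} to={rec['dst']} what={rec['what']}")
```

When comparing vendors, this is the shape to ask about: can a new source be added with one pattern and one field mapping, does the product keep the raw line next to the normalised fields, and what happens to a line that matches nothing (here it is stored as "unparsed" rather than silently discarded). Note also that the two syslog records come out with naive timestamps and the others with time zones; a real deployment has to pin collector time zones before events from different sources can be correlated.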
USING OPEN SOURCE TECHNOLOGIES TO BOLSTER CAPABILITIES
• There is a wide range of syslog tools on the internet that can provide rudimentary forms of monitoring. Each serves a specific task and performs it well
• Many so-called 'enterprise' SIEM solutions use open-source tools to cover areas their own product was not designed for; many SEM products use them to provide basic SIM capabilities
• The large vendors do not support these open-source tools. If you use a product that relies on open-source tools, do not expect those tools to be supported
GARTNER MAGIC QUADRANT 1Q07
THE IDENTITY MANAGEMENT CONUNDRUM
Identity management checks that the userID requesting access is valid: it authenticates the userID, then authorises access
The userID is then permitted to access your systems
THE IDENTITY MANAGEMENT CONUNDRUM
• 80 percent of all IT security breaches are internal: these are by people who already have userIDs and passwords. *
• Can you be sure the person authorised to use that userID is the one using it? Example: common practice in enquiries and help desk areas is to let new starters use other people's userIDs that are already set up
IDM authorises access; log management tracks the access once authorised. These two technologies are designed to work together
* zdnet.com.au report, inside intrusion statistics, Feb 2005
ISSUES THAT AUTOMATED IDENTITY AND LOG MANAGEMENT SOLUTIONS CAN HELP ADDRESS
• Costly to manage users and access to assets
• Difficult to know who has access to what
• Helpdesk costs continue to grow
• Difficult to manage users across different systems and applications
• Too many vulnerabilities and viruses, and patching is costly
• Unwanted emails and access to inappropriate websites is reducing productivity
• Blocking and tackling isn’t enough
• Compliance for various regulations – ISO27001, ACSI33, Basel II, SOX 404, EU directive, GLBA, HIPAA
USING LOG MANAGEMENT TO REDUCE COSTS- AT A GLANCE
• Secures ICT system integrity against known and unknown threats
• Proactive protection against asset misuse, loss of IP or sensitive data, and loss of stakeholder confidence
• Reduces costs:
  - Remediation and business continuity: reduce downtime by catching events before they escalate
  - Automated ICT compliance: replace expensive, non-systematic manual processes
  - Automated process controls: real-time audit capability
  - Audit and automate transaction processing: non-repudiation capabilities
  - Turn risk management and compliance costs into business value
CRITERIA LOOP TECHNOLOGY HAS USED TO SELECT ITS LOG MANAGEMENT PRODUCT SET
Trusted partnerships with leading vendors in the security space
Products are best of breed
Products that are easy to deploy and configure (you want to be able to make your evaluation after 1 week)
Products using flexible web based access
Secure protocols for protection of data
No normalisation of logs
100 percent fully supported – either agent or agentless or both
Local support for all product sets
Multiple reporting options, e.g. SMS, email, CSV, PDF, HTML
Information Security….. It’s what we do