Sentor's breakfast seminar on SIEM - LogPoint's part
TRANSCRIPT
Enterprise Log Management / SIEM
Christian Have, Vice President, Products and Innovation
- Founded in 2001; doing security consulting
- Focus on security analytics from 2008; bought Immune APS
- Danish company
- 250+ customers
- 75 employees, of which 45 developers (!)
- Offices in Denmark, Sweden, Germany, France and the UK
- 100% year-over-year growth
Vision: Creating the world's greatest SIEM platform
http://www.logpoint.com/images/Articles/Borsen_ImmuneSecurity_LogPoint_Boeing.pdf
Decentralized logging – Problem areas
- Separate logging of different systems
- Searching in AD requires manual search of X logs
- Some logs/systems are not handled today
- Difficult and time-consuming to search for information
- Up to X working days for basic reports
- No overview of the entire environment
- Highly dependent on individual employees
- (Way) too short retention times on some systems
Decentralized logging - Consequences
- Limited traceability
- Decreased security for customers AND staff
- Lacking in compliance in various areas
- Time-consuming reporting, search and forensics
- Limited information for troubleshooting and support
- Reactive incident handling, no statistics, no trends
- Expensive management of many local log archives
What should you log?
"Everything" - you don't know what you will need!
- Changes in system configurations
- Changes in critical system files
- Changes and access in critical databases
- Access and use of business applications
- Actions by privileged users and administrators
- User and device management: creations, changes, deletions
- Session logging from network devices
Where should you log?
- Operating systems
- Infrastructure components: switches, routers
- Network security: firewalls, proxy, IPS, VPN…
- Wireless
- User authentication: Active Directory, IDM systems, policy servers
- Device management: MDM, software deployment, antivirus, asset management
- Applications!
How do you identify security incidents without a SIEM?
- Manual log review and log analysis
- Host- and network-based IDS
- Antimalware
- Structured observations, monitoring etc.
But it is typically unorganized:
- External parties, customers, users, administrators
- Post-incident / leaked to the press
Log Analysis
- That which is strange, unusual, unknown
- Everything not uninteresting is interesting

"The common item to look for when reviewing log files is anything that appears out of the ordinary." (CERT Coordination Center, Intrusion Detection Checklist)

"If the statistics are boring, then you've got the wrong numbers." (Edward Tufte on analysis and visualization)
Log Analysis - Baseline
- Typically, security incidents make up less than 0.001% of the total amount of log data
- Baseline, thresholding, what's interesting
- False positives
- Trends, different types of data, historical information
- Known bad
- Unknowns
Look at the baseline:
- What is strange?
- How many times has a given event occurred in a given timeframe (frequency thresholding)
- Message if a log source stops sending logs
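Added example (not from the seminar slides) of the two baseline checks above: frequency thresholding per source and event type against the earlier hours, and an alert when a log source stops sending. The events, source names, thresholds and the hour-bucket granularity are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample events: (timestamp, log source, event type).
T0 = datetime(2014, 3, 10, 8, 0)
EVENTS = []
for hour, n in enumerate([2, 3, 2, 3, 40]):      # dc01 failed logons per hour; last hour spikes
    EVENTS += [(T0 + timedelta(hours=hour, minutes=i), "dc01", "4625") for i in range(n)]
for hour in range(3):                             # fw01 stops sending after the third hour
    EVENTS.append((T0 + timedelta(hours=hour, minutes=5), "fw01", "accept"))
for hour in range(5):                             # proxy01 sends a steady trickle
    EVENTS.append((T0 + timedelta(hours=hour, minutes=10), "proxy01", "http"))
NOW = T0 + timedelta(hours=4, minutes=30)         # assumed "current time" of the check


def hourly_counts(events):
    """Count events per (source, event type) per hour bucket."""
    counts = defaultdict(Counter)
    for ts, source, kind in events:
        counts[(source, kind)][ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def frequency_outliers(events, k=3.0, min_count=10):
    """Flag (source, event) pairs whose newest hour exceeds mean + k*stdev of the earlier hours.

    min_count suppresses alerts on tiny absolute numbers, a cheap false-positive filter."""
    hits = []
    for key, per_hour in hourly_counts(events).items():
        hours = sorted(per_hour)
        if len(hours) < 3:
            continue  # not enough history to call anything a baseline
        history = [per_hour[h] for h in hours[:-1]]
        last = per_hour[hours[-1]]
        threshold = mean(history) + k * pstdev(history)
        if last >= min_count and last > threshold:
            hits.append((key, last, round(threshold, 1)))
    return hits


def silent_sources(events, now, max_gap=timedelta(hours=1)):
    """Return sources whose newest event is older than max_gap (source stopped sending)."""
    last_seen = {}
    for ts, source, _ in events:
        last_seen[source] = max(last_seen.get(source, ts), ts)
    return sorted(s for s, ts in last_seen.items() if now - ts > max_gap)


if __name__ == "__main__":
    print("outliers:", frequency_outliers(EVENTS))
    print("silent:", silent_sources(EVENTS, NOW))
```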
Log Analysis - investigation
How is an investigation initiated?
- As a standard, a set of rule-based alerts is used
- Followed by periodic manual review of the collected and analyzed data and dashboards
- The "can you tell me" scenario: specific investigations of events on time, user, IP, etc.
- All based on the collected and analyzed data
- Everything that looks unusual
Identifying the unusual
- Statistical events: high response times / latency; deviating session length (time / frequency)
- Chronological events: installation of kernel drivers during the night; logins with service accounts on daytime systems
- Machine learning / advanced algorithms: identifying clusters or groups of similar patterns; predictive "what's next" analytics
(Diagram labels: Applications / Network)
Technology development and maturity
(Diagram axes: technical / organizational)
1. No log management: decentralized logging; silo- and competence-oriented; no utilization of collected data; no structured retention of data; opportunistic, search- and sample-based
2. Log management: centralized (network) logging; no analysis layer, no intelligence; collecting log data, nothing else
3. Classical SIEM tools: centralized logging; analysis layer; static data and concept model; correlation of defined events
4. "Next Generation" SIEM: deep application integration; dynamic ontology; "Big Data"; wide enterprise integration

Ontology (Greek on = "the being", logi = "learning of") describes the study of being, the study of what exists and how it exists.
Next Generation SIEM
Example of contextual analysis
Another example
Public Danish organization to implement trust-based management:
- Logs from firewalls
- Classification of firewall traffic (context)
- Filter searches on job sites
- Correlate user names (context) from AD
- Correlate organizational association
- Correlate the manager of the given employee
Dashboard with KPI:
- Percentage share of employees looking for new jobs
- Bracketing of middle managers: red/yellow/green
Business-driven (ERP) use-cases
- Detect invoices without purchase orders
- Identify vendors where alternate payee names have been changed before payment
- Multiple use of one-time vendors
- Detection of payments above the threshold value to one-time vendors
- Identify transactions where the purchase approver is equal to the goods receipt creator
- Identify transactions where the order approver is equal to the invoice creator
- Identify transactions where the order creator is equal to the payment creator
- Identify purchase orders that were created on or after the date the invoice was issued
- Invoice receipt exceeds the goods receipt document
- Detect value increases for purchase orders over a certain threshold
- Check for bank account bookings not processed with one of the known transactions
- Check suspicious manual bookings at unusual times
- Detect split invoices used to avoid exceeding a certain threshold
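Added example, not from the slides or from LogPoint, showing how a handful of the ERP use cases above become segregation-of-duties and sequence checks over purchase-to-pay records. The record schema, names, amounts and the 5000 split-invoice threshold are constructed assumptions, not an SAP extract.

```python
from collections import defaultdict
from datetime import date

# Constructed purchase-to-pay records (assumed schema).
PURCHASE_ORDERS = {
    "PO1": {"vendor": "V1", "created": date(2014, 3, 3), "creator": "anna", "approver": "bo"},
    "PO2": {"vendor": "V2", "created": date(2014, 3, 9), "creator": "carl", "approver": "carl"},
}
GOODS_RECEIPTS = {"GR1": {"po": "PO1", "creator": "bo"}}
INVOICES = [
    {"id": "INV1", "po": "PO1", "vendor": "V1", "issued": date(2014, 3, 5), "amount": 4800, "creator": "dan"},
    {"id": "INV2", "po": "PO2", "vendor": "V2", "issued": date(2014, 3, 8), "amount": 1200, "creator": "carl"},
    {"id": "INV3", "po": None,  "vendor": "V3", "issued": date(2014, 3, 8), "amount": 900,  "creator": "eva"},
    {"id": "INV4", "po": "PO1", "vendor": "V1", "issued": date(2014, 3, 5), "amount": 4900, "creator": "dan"},
]
THRESHOLD = 5000  # assumed approval limit that split invoices try to stay under


def invoices_without_po(invoices):
    return [i["id"] for i in invoices if not i["po"]]


def approver_equals_gr_creator(orders, receipts):
    """Same person approved the PO and booked the goods receipt."""
    return sorted({gr["po"] for gr in receipts.values()
                   if orders[gr["po"]]["approver"] == gr["creator"]})


def approver_equals_invoice_creator(orders, invoices):
    return [i["id"] for i in invoices if i["po"] and orders[i["po"]]["approver"] == i["creator"]]


def po_created_after_invoice(orders, invoices):
    """PO raised on or after the invoice date: the order was back-filled to match a bill."""
    return [i["id"] for i in invoices if i["po"] and orders[i["po"]]["created"] >= i["issued"]]


def split_invoices(invoices, threshold):
    """Several same-day invoices from one vendor, each under threshold, that together exceed it."""
    groups = defaultdict(list)
    for i in invoices:
        if i["amount"] < threshold:
            groups[(i["vendor"], i["issued"])].append(i)
    return [(vendor, day, [i["id"] for i in inv]) for (vendor, day), inv in groups.items()
            if len(inv) > 1 and sum(i["amount"] for i in inv) >= threshold]


def run_checks():
    return {
        "no_po": invoices_without_po(INVOICES),
        "approver_is_gr_creator": approver_equals_gr_creator(PURCHASE_ORDERS, GOODS_RECEIPTS),
        "approver_is_invoice_creator": approver_equals_invoice_creator(PURCHASE_ORDERS, INVOICES),
        "po_after_invoice": po_created_after_invoice(PURCHASE_ORDERS, INVOICES),
        "split": split_invoices(INVOICES, THRESHOLD),
    }
```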
Identifying Botnets
- Inbound accepted connections
- Outbound DNS requests (35,000+): searching for Command & Control servers
Botnet identification:
- Accepted inbound connection to 172.28.160.122: threat category=ZeroAccess.Gen Command and Control Traffic threat severity=critical
- Identify activity through DNS requests
- Find the MAC address and correlate physical location: mac-addr: 00:1e:0b:31:18:b7
- Correlate the MAC with AV information (Trend Micro) to get name and actions: M4986GE
Sources correlated in the chain:
- IP reputation - router
- Next-Gen Firewall
- Next-Gen DNS/DHCP
- Correlate switch info
- Correlate AV info
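Added example, not from the slides or from LogPoint, of the pivot chain above in code: a critical C2 firewall hit gives an internal IP, which is enriched with DNS request volume, the DHCP lease (IP to MAC), the AV inventory (MAC to host name and last action) and the switch MAC table (physical location). The IP, MAC, host name and threat category are the values quoted on the slide; the log lines, domain names, lease table, AV record and switch port are constructed.

```python
import re
from collections import Counter

# Keys may contain a space ("threat category"), so match lazily up to the '='.
KV = re.compile(r'(?:^|\s)(\w[\w ]*?)=(?:"([^"]*)"|(\S+))')

# Constructed key=value firewall lines modelled on the slide's alert.
FIREWALL_LOG = [
    'action=accept direction=inbound src=203.0.113.9 dst=172.28.160.122 '
    'threat category="ZeroAccess.Gen Command and Control Traffic" threat severity=critical',
    'action=accept direction=inbound src=198.51.100.7 dst=172.28.160.40 threat severity=low',
]
DNS_LOG = [  # constructed (client ip, queried name); .test names are placeholders
    ("172.28.160.122", "x1.example-c2.test"), ("172.28.160.122", "x2.example-c2.test"),
    ("172.28.160.122", "x3.example-c2.test"), ("172.28.160.40", "update.vendor.test"),
]
DHCP_LEASES = {"172.28.160.122": "00:1e:0b:31:18:b7", "172.28.160.40": "00:1e:0b:aa:bb:cc"}
AV_INVENTORY = {"00:1e:0b:31:18:b7": {"host": "M4986GE", "last_action": "clean failed"}}
SWITCH_MAC_TABLE = {"00:1e:0b:31:18:b7": "sw-floor2 Gi1/0/14"}


def parse_kv(line):
    """Parse one firewall line into a dict; quoted or bare values, keys may hold spaces."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}


def botnet_hosts(firewall_log, dns_log, leases, av, switch):
    """Pivot from critical C2 firewall alerts to the internal host, its DNS activity, MAC, AV state and port."""
    dns_by_ip = Counter(ip for ip, _ in dns_log)
    findings = []
    for line in firewall_log:
        f = parse_kv(line)
        if f.get("threat severity") != "critical" or "Command and Control" not in f.get("threat category", ""):
            continue
        # For an accepted inbound hit the internal victim is the destination, otherwise the source.
        ip = f["dst"] if f.get("direction") == "inbound" else f["src"]
        mac = leases.get(ip)
        findings.append({
            "ip": ip, "threat": f["threat category"], "dns_queries": dns_by_ip[ip],
            "mac": mac, "host": av.get(mac, {}).get("host"),
            "av_action": av.get(mac, {}).get("last_action"), "switch_port": switch.get(mac),
        })
    return findings


if __name__ == "__main__":
    for hit in botnet_hosts(FIREWALL_LOG, DNS_LOG, DHCP_LEASES, AV_INVENTORY, SWITCH_MAC_TABLE):
        print(hit)
```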
Security Operations Center View
Health Care data – structured, readable, easily accessible