siem presentation final
TRANSCRIPT
SIEM: Security Information and Event Management
Background on network components: firewall, router, switch, anti-virus, Duo two-factor authentication, server, workstation, other sources
Log Management
Log management: information about an incident is usually recorded in several places, such as firewalls, routers, network IDS, host IDS and application logs.
Each source keeps its own copy and sends a duplicate of its logs to the centralized syslog server.
Log management infrastructure has three tiers: log generation, log analysis and storage, and log monitoring.
Communication of logs via ports
Devices like workstations send logs to the syslog servers over Transmission Control Protocol (TCP), which starts with a 3-way handshake (SYN, SYN-ACK, ACK), so delivery is acknowledged.
Devices like Palo Alto firewalls send logs to the syslog servers over Secure Socket Layer (SSL), that is, syslog over TLS, so the log data is encrypted in transit.
Other devices like Lanco send logs to the syslog servers over User Datagram Protocol (UDP), which has no handshake and no acknowledgement: a dropped datagram is lost silently.
The syslog server receives logs on port 514 (UDP 514 is the traditional syslog port and TCP 514 is commonly used as well; syslog over TLS uses port 6514 by default, per RFC 5425).
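As an added worked example (not part of the original presentation and not code from syslog-ng, Palo Alto or any other product), the following Python script shows what the slide above describes: how a syslog message is built, how its PRI field encodes facility and severity, and the difference between sending it as a UDP datagram and over a TCP connection, where the stream must be framed (RFC 6587 octet counting) so the receiver can find message boundaries. The host name, application name, message text and collector address are constructed for the example; the port constants are the standard ones named above.

```python
import socket
from datetime import datetime, timezone

# Facility and severity codes from RFC 5424, section 6.2.1 (subset).
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

SYSLOG_PORT = 514       # traditional syslog port (UDP, and commonly TCP)
SYSLOG_TLS_PORT = 6514  # RFC 5425 default for syslog over TLS


def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, e.g. auth/warning -> 36."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def decode_pri(message: bytes) -> tuple[int, int]:
    """Read the leading <PRI> of a message and return (facility, severity) codes."""
    if not message.startswith(b"<"):
        raise ValueError("message has no PRI field")
    pri = int(message[1:message.index(b">")])
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def build_message(facility, severity, hostname, app, text, timestamp=None) -> bytes:
    """RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
    PROCID, MSGID and structured data are left as NILVALUE ('-')."""
    ts = (timestamp or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{encode_pri(facility, severity)}>1 {ts} {hostname} {app} - - - {text}".encode()


def frame_tcp(message: bytes) -> bytes:
    """RFC 6587 octet counting: 'MSG-LEN SP MSG'. TCP is a byte stream, so without
    framing the receiver cannot tell where one message ends and the next begins."""
    return f"{len(message)} ".encode() + message


def split_tcp_stream(data: bytes) -> list[bytes]:
    """Undo frame_tcp() on a received byte stream that may hold several messages."""
    messages = []
    while data:
        sp = data.index(b" ")
        length = int(data[:sp])
        messages.append(data[sp + 1:sp + 1 + length])
        data = data[sp + 1 + length:]
    return messages


def send_udp(message: bytes, host: str, port: int = SYSLOG_PORT) -> None:
    """One datagram per message: no handshake, no acknowledgement, loss is silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message, (host, port))


def send_tcp(message: bytes, host: str, port: int = SYSLOG_PORT) -> None:
    """connect() performs the SYN, SYN-ACK, ACK handshake; the bytes written by
    sendall() are acknowledged by the receiver's TCP stack, so failures surface
    as exceptions instead of silent loss."""
    with socket.create_connection((host, port)) as s:
        s.sendall(frame_tcp(message))


# Constructed sample event with a fixed timestamp so the output is reproducible.
EXAMPLE_MESSAGE = build_message(
    "auth", "warning", "ws01", "sshd",
    "Failed password for root from 203.0.113.5",
    timestamp=datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print(EXAMPLE_MESSAGE.decode())
    print("facility, severity =", decode_pri(EXAMPLE_MESSAGE))
    # Assumed collector host name; uncomment against a real syslog server.
    # send_udp(EXAMPLE_MESSAGE, "syslog.example.internal")
    # send_tcp(EXAMPLE_MESSAGE, "syslog.example.internal")
```

When UDP is the only option a device offers, the practical mitigation is to keep the collector on the same low-latency segment and watch the receiver's drop counters; when TCP or TLS is available, prefer it so that an outage shows up as a connection error rather than a quiet gap in the evidence.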
Common ports
22 SSH
53 DNS
123 NTP
80 HTTP
443 HTTPS
3389 RDP
Transition of Logs
The syslog server forwards the logs to the event processor (for events) or the flow processor (for flows). The logs are normalized and correlated there, and the resulting CORRELATED OFFENSES are sent to the management console.
The logs can be monitored in the QRadar SIEM tool through the combination of all components: the event processors, the flow processors and the management console.
Syslog Server
Syslog-ng is a program that can act as a server or a client to receive or send device logs.
Linux is the operating system of the CHS syslog servers.
The syslog admin controls the data and deletes or updates the log files when necessary.
The syslog admin uses cron to schedule jobs that manage the logs at fixed times, dates or intervals (for example rotation, compression and retention clean-up).
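As an added example (not from the presentation and not part of syslog-ng), this is the kind of job a syslog admin would schedule with cron: a Python script that gzips rotated log files older than seven days and removes archives that have passed the retention period. The directory, the file naming scheme (<host>.log-YYYYMMDD, assumed from a per-host syslog-ng destination), the crontab entry and the retention numbers are all assumptions; take the numbers from your retention requirement, because logs deleted too early are evidence that cannot be recovered during an investigation.

```python
import gzip
import shutil
import sys
import time
from pathlib import Path

# Policy values are assumptions; set them from your retention requirement.
COMPRESS_AFTER_DAYS = 7     # rotated plain-text logs older than this are gzipped
DELETE_AFTER_DAYS = 365     # archives older than this are removed

# Example crontab entry (assumed paths): nightly at 02:30 as the syslog admin user.
#   30 2 * * *  /usr/bin/python3 /usr/local/sbin/log_retention.py /var/log/remote --apply


def is_active(name: str) -> bool:
    """The file syslog-ng is still writing to has no rotation suffix; never touch it."""
    return name.endswith(".log")


def plan(entries, compress_after=COMPRESS_AFTER_DAYS, delete_after=DELETE_AFTER_DAYS):
    """Pure policy decision over (filename, age_in_days) pairs.
    Returns (to_compress, to_delete) so the policy can be tested without a disk."""
    to_compress, to_delete = [], []
    for name, age in entries:
        if is_active(name):
            continue
        if age >= delete_after:
            to_delete.append(name)
        elif age >= compress_after and not name.endswith(".gz"):
            to_compress.append(name)
    return to_compress, to_delete


def age_in_days(path: Path, now=None) -> float:
    now = time.time() if now is None else now
    return (now - path.stat().st_mtime) / 86400


def compress(path: Path) -> Path:
    """gzip the file in place, preserving its mtime so later age checks stay correct."""
    target = path.with_name(path.name + ".gz")
    with path.open("rb") as src, gzip.open(target, "wb") as dst:
        shutil.copyfileobj(src, dst)
    shutil.copystat(path, target)
    path.unlink()
    return target


def apply(log_dir: Path, dry_run: bool = True) -> tuple[list[str], list[str]]:
    """Walk one directory, decide with plan(), and act only when dry_run is False."""
    entries = [(p.name, age_in_days(p)) for p in log_dir.iterdir() if p.is_file()]
    to_compress, to_delete = plan(entries)
    for name in to_compress:
        print(f"compress {name}")
        if not dry_run:
            compress(log_dir / name)
    for name in to_delete:
        print(f"delete   {name}")
        if not dry_run:
            (log_dir / name).unlink()
    return to_compress, to_delete


if __name__ == "__main__":
    directory = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("/var/log/remote")
    apply(directory, dry_run="--apply" not in sys.argv)
```

Running the script without --apply prints the plan and changes nothing, which is the mode to use first after editing the thresholds; keeping the decision in plan() separate from the file operations is what makes that dry run trustworthy.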
SIEM Objectives
Identify threats and possible breaches
Collect audit logs for security and compliance
Conduct investigations and provide evidence
SIEM Overview
A SIEM is software that provides the log management infrastructure encompassing the log analysis, log storage and log monitoring tiers.
It also provides event correlation, alerting, incident management, reporting and forensic investigation.
SIEM technology aggregates the event data produced by security devices, network devices, systems and applications
Event data is combined with contextual information about users, data and assets.
The technology provides real-time security monitoring, historical analysis, incident investigation and compliance reporting.
SIEM Features
Log activity: monitor and display network events in real time or perform advanced searches
Network activity: investigate the communication sessions between two hosts
Assets: asset profiles are created automatically from passive flow data and vulnerability data to discover the servers and hosts on your network
Offenses: investigate offenses to determine the root cause of a network issue
Reports: create custom reports or use the default reports
Data collection: accepts information in various formats and from a wide range of devices, including security events, network traffic and scan results. Events are generated by log sources such as firewalls, routers, servers, and intrusion detection systems (IDS) or intrusion prevention systems (IPS).
Flows provide information about network traffic and can be sent to QRadar SIEM in various formats, including flowlog files, NetFlow, J-Flow, sFlow and Packeteer.
Vulnerability assessment (VA) information can be imported from various third-party scanners.
Rules: perform tests on events, flows, or offenses, and if all the conditions of a test are met, the rule generates a response
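As an added example (not the presentation's material and not IBM's rule engine), the following Python sketch shows what such a rule does and how the "correlated offenses" mentioned under Transition of Logs come about: the rule tests a stream of normalized events for at least five login failures from one source IP inside a five-minute window followed by a successful login from the same IP, and its response is an offense record. The events are constructed sample data, the field names (time, sourceip, username, name) only mirror the normalized fields a SIEM exposes, and the threshold and window are assumed values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule parameters (assumed; tune to your environment).
THRESHOLD = 5                    # failures from one source ...
WINDOW = timedelta(minutes=5)    # ... inside this window, then a success


def ev(time, sourceip, username, name):
    return {"time": time, "sourceip": sourceip, "username": username, "name": name}


# Constructed normalized events (not real data), ISO-8601 timestamps.
SAMPLE_EVENTS = (
    # 203.0.113.5: five failures in 40 seconds, then a success -> offense
    [ev(f"2024-05-01T10:00:{s:02d}", "203.0.113.5", "alice", "Login Failure") for s in (0, 10, 20, 30, 40)]
    + [ev("2024-05-01T10:01:00", "203.0.113.5", "alice", "Login Success")]
    # 198.51.100.7: two typos then a success -> normal behaviour, no offense
    + [ev(f"2024-05-01T10:02:{s:02d}", "198.51.100.7", "bob", "Login Failure") for s in (0, 30)]
    + [ev("2024-05-01T10:03:00", "198.51.100.7", "bob", "Login Success")]
    # 192.0.2.9: five failures spread over 24 minutes -> never 5 inside the window, no offense
    + [ev(f"2024-05-01T10:{m:02d}:00", "192.0.2.9", "carol", "Login Failure") for m in (0, 6, 12, 18, 24)]
    + [ev("2024-05-01T10:25:00", "192.0.2.9", "carol", "Login Success")]
)


def brute_force_then_success(events, threshold=THRESHOLD, window=WINDOW):
    """Correlation rule. Test: >= threshold 'Login Failure' events from one source IP
    within `window`, then a 'Login Success' from that IP. Response: an offense dict."""
    recent_failures = defaultdict(deque)   # sourceip -> failure timestamps still in window
    offenses = []
    for x in sorted(events, key=lambda e: e["time"]):   # correlation needs time order
        t = datetime.fromisoformat(x["time"])
        q = recent_failures[x["sourceip"]]
        while q and t - q[0] > window:       # expire failures that fell out of the window
            q.popleft()
        if x["name"] == "Login Failure":
            q.append(t)
        elif x["name"] == "Login Success" and len(q) >= threshold:
            offenses.append({
                "rule": "Brute force followed by successful login",
                "sourceip": x["sourceip"],
                "username": x["username"],
                "failures": len(q),
                "first_failure": q[0].isoformat(),
                "success": x["time"],
                # crude severity: grows with how far past the threshold the burst went
                "magnitude": min(10, 5 + len(q) - threshold),
            })
            q.clear()   # one offense per burst; a later burst starts fresh
    return offenses


if __name__ == "__main__":
    for offense in brute_force_then_success(SAMPLE_EVENTS):
        print(offense)
```

Note that carol's five failures are real events but never an offense, because the window expires them one by one; a rule without that expiry would fire on any account whose owner mistypes a password five times a year, which is the kind of noise that buries real offenses in the console.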
Supported web browser: For the features in IBM Security QRadar products to work properly, you must use a supported web browser.
AQL
The Ariel Query Language (AQL) is a structured query language used to communicate with the Ariel databases. Use AQL to retrieve and manage event and flow data stored in Ariel.
Retrieve specific fields from the events, flows and simarc tables in the Ariel database.
Building blocks: SELECT statement, WHERE clause, GROUP BY clause, ORDER BY clause, LIKE operator, COUNT function.
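As an added example (not from the presentation and not from IBM's documentation), the following Python helpers build the kinds of AQL statements listed above (SELECT, WHERE, GROUP BY, ORDER BY, LIKE, COUNT) while refusing any value that could change the meaning of the query. That matters as soon as a script, a dashboard or a SOAR playbook interpolates analyst-supplied strings into AQL: a stray single quote in an IP field is an injection, the same way it is in SQL. The column names used (sourceip, username, destinationip, destinationport, starttime) are standard QRadar event fields; the exact query text, the alias in ORDER BY, and the limits are assumptions to check against the AQL reference for your QRadar version.

```python
import ipaddress
import re

# Interpolated values are validated against a strict shape first. A quote, a comment
# marker or a wildcard coming from analyst input must never reach the query string.
_NAME_FRAGMENT = re.compile(r"[A-Za-z0-9._@-]{1,64}")
_MAX_HOURS = 24 * 90   # assumed upper bound for how far back a query may reach


def ip_literal(value: str) -> str:
    """Accept only a parsable IPv4/IPv6 address; ipaddress rejects everything else."""
    return str(ipaddress.ip_address(value.strip()))


def like_fragment(value: str) -> str:
    """Accept only a plain account-name fragment; the caller adds the % wildcard."""
    if not _NAME_FRAGMENT.fullmatch(value):
        raise ValueError(f"unsafe LIKE fragment: {value!r}")
    return value


def hours(value) -> int:
    """Time range must be a real int (bool is excluded) inside the allowed bound."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= _MAX_HOURS:
        raise ValueError(f"hours must be an int in 1..{_MAX_HOURS}")
    return value


def events_from_source(source_ip: str, last_hours: int = 1) -> str:
    """SELECT ... WHERE ... ORDER BY: everything one source IP did recently."""
    return (
        "SELECT starttime, username, destinationip, destinationport FROM events "
        f"WHERE sourceip = '{ip_literal(source_ip)}' "
        f"ORDER BY starttime DESC LAST {hours(last_hours)} HOURS"
    )


def sources_targeting_account(name_prefix: str, last_hours: int = 24) -> str:
    """LIKE + COUNT + GROUP BY: which sources generate the most events for
    accounts whose name starts with the given fragment."""
    return (
        "SELECT sourceip, COUNT(*) AS attempts FROM events "
        f"WHERE username LIKE '{like_fragment(name_prefix)}%' "
        f"GROUP BY sourceip ORDER BY attempts DESC LAST {hours(last_hours)} HOURS"
    )


if __name__ == "__main__":
    print(events_from_source("203.0.113.5"))
    print(sources_targeting_account("admin"))
    # Constructed hostile inputs; each is rejected before a query is built.
    for bad in ("203.0.113.5' OR 1=1", "1.2.3.4; DROP", "::1 --"):
        try:
            events_from_source(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The validation is deliberately an allowlist on the shape of each value rather than an attempt to escape quotes, because escaping rules differ between query languages and versions while "is this an IP address" does not.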
FireEye interaction with SIEM
The SIEM receives alerts from the HX and PX tools of FireEye.
HX: the endpoint anti-virus agent provided by FireEye to detect advanced forms of attacks and malware.
PX: the full packet capture solution provided by FireEye, which allows us to perform network forensics and investigation.