Log | Event | Information Management
Ayman Saeed, Sr. Network Security Engineer, PS DEP, Raya IT
Log Management
• Collection
• Retention
Ex. Kiwi Syslog Server
Information | Event Management
• Collection
• Normalization
• Retention
• Correlation
• Alerting
• Reporting
Log Types and Log Sources
Log Types:
• Audit Logs
• Transaction Logs
• Intrusion Logs
• Connection Logs
• Performance Records
• User Activity Logs

Log Sources:
• Firewall
• IPS
• Router/Switch
• Servers
• Databases
• Business Applications
• Antivirus
Log Chaos: Login | Logon | Log in
Log Chaos: Accept | Permit | Allow
Log Chaos: Syslog | WinEV | DB | File
• Firewalls/VPN
• Intrusion Detection Systems
• Vulnerability Assessment
• Network Equipment
• Server and Desktop OS
• Anti-Virus
• Applications
• Databases

• User Activity Monitoring
• Critical file modifications
• Policy Changes
• Malicious IP Traffic
• Web Traffic
Log Chaos, in brief
• There is no standard format for writing logs
• There is no standard transport method for moving logs
SIEM, the product
• SIEM: Security Information and Event Management
• Again:
– Collection
– Normalization
– Retention
– Correlation
– Alerting
– Reporting
Event Collection
– SIEM vendors create a group of documents for collecting logs from supported products.
Normalization
– UserID > Username
– LoginName > Username
– ID > Username
– Username > Username
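The field and verb mappings from the Normalization and "Log Chaos" slides, as an added example (not code from the deck or from any SIEM product): three constructed records that name the same user and action differently are parsed and mapped onto one common schema so they can later be correlated. The key=value record format, the alias tables and the sample values are assumptions for the demonstration.

```python
import re
from typing import Dict, Any

# Field aliases from the Normalization slide: every source's user field becomes "username".
FIELD_ALIASES = {"userid": "username", "loginname": "username",
                 "id": "username", "username": "username"}

# Verb synonyms from the "Log Chaos" slides, collapsed to one canonical action.
ACTION_SYNONYMS = {
    "login": "login", "logon": "login", "log in": "login",
    "accept": "allow", "permit": "allow", "allow": "allow",
}

def parse_kv_record(line: str) -> Dict[str, str]:
    """Parse a constructed 'key=value key2="quoted value"' record into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def normalize(source: str, raw: Dict[str, str]) -> Dict[str, Any]:
    """Map one raw record onto the common schema: source, username, action, src_ip."""
    event: Dict[str, Any] = {"source": source, "username": None, "action": None, "src_ip": None}
    for key, value in raw.items():
        k = key.lower()
        if k in FIELD_ALIASES:
            # Lower-case the user name so "JDOE" and "jdoe" correlate (an assumed convention).
            event[FIELD_ALIASES[k]] = value.lower()
        elif k in ("action", "event", "verdict"):
            # Unknown verbs pass through lower-cased rather than being dropped.
            event["action"] = ACTION_SYNONYMS.get(value.lower(), value.lower())
        elif k in ("src", "src_ip", "client"):
            event["src_ip"] = value
    return event

# Constructed sample records: a firewall, a Windows host and an application database,
# each using a different user field and a different verb for the same activity.
SAMPLE_RECORDS = [
    ("firewall", 'src=10.0.0.5 dst=10.0.1.7 verdict=Permit UserID=jdoe'),
    ("windows", 'event="Log in" LoginName=JDOE client=10.0.0.5'),
    ("app_db", 'ID=jdoe action=Login src_ip=10.0.0.5'),
]

def normalize_all(records=SAMPLE_RECORDS):
    """Return the normalized events for a list of (source, raw_line) pairs."""
    return [normalize(src, parse_kv_record(line)) for src, line in records]

if __name__ == "__main__":
    for event in normalize_all():
        print(event)
```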
Retention
Example:
• IDS + DMZ + online = 90 days
• Firewall + DMZ + online = 30 days
• Servers + internal + online = 90 days
• All + DMZ + archive = 3 years
• Critical + internal + archive = 5 years
• Other + internal + archive = 1 year
Correlation
25 events based on cross-referencing intrusion alerts against firewall entries and host/asset databases much more efficiently than when he must scan 10,000 mostly normal log entries.
Alerting
Alerting on incidents can take various forms:
• Email
• SMS
• SNMP Trap
Reporting
– Compliance Reports (PCI, ISO, ...)
– Security Reports (Critical Attacks, Failed Logins, ...)
– Audit Reports (Configuration Changes, VPN Access, ...)
– Operational Reports (Link Utilization, Top Destination IP, ...)