SECURITY EVENT LOG MANAGEMENT- What to consider when looking at SIEM Technology
© Loop Technology
OVERVIEW
• LOGS
• VALUE IN COLLECTING LOGS
• SIEM – EVENT LOG MANAGEMENT
• TECHNOLOGY DIFFERENCES
• GARTNER ANALYSIS
• IDENTITY MANAGEMENT COMBINED WITH LOG MANAGEMENT
• BENEFITS OF USING SIEM TECHNOLOGIES
• HOW LOOP TECHNOLOGY CAN HELP YOU
WHAT ARE LOGS?
• Messages generated by computer systems
• It is a record of an event that has occurred
• Different formats for each application and system
• Commonly use Syslog port 514
• They all contain common information:
  Date and time
  Source (IP address, computer name, userID)
  Destination
  Type of event
LOG DATA
• Types of log data:
  Audit logs
  Transaction logs
  Connection logs
  System performance records
  User activity
  Intrusion detection and alerts
• These can come from any source that generates logs, including:
  Firewalls
  Routers, switches
  Operating systems
  Content filtering programs
  Anti-virus
  Physical alarm systems
  VoIP phone systems
WHY ANALYSE LOGS?
• Gain an understanding of what is going on
• Discover new threats before they happen
• Measure security and IT performance
• Compliance
• Incident investigation
RISK OF IP THEFT OR DATA LEAKAGE
• Could be malicious or profit motivated
• Perimeter security not always effective
• Attacks attempting to collect sensitive organisational data are flexible enough to deploy against applications, databases or unstructured data (e.g. Excel)
• Impacts on data integrity
• Focus by the industry on either forensic investigation, or restrictive point solutions
ANALYSING AND MONITORING LOGS
• Real-time? Hourly? Weekly?
• Collect some or all logs?
• False Positives
• How much data do you need to correlate events?
• Duplication of logging
• Ensuring data integrity
• Size and diversity of environment considerations
How do these items affect your monitoring strategy?
VALUE IN VIEWING LOGS
Logging: Audit; Incident response; Compliance
Monitoring: Incident detection; Loss prevention; Compliance
Analysis: Identifying trends; Fault prediction; Potential to identify internal attack
MONITORING SAMPLES
“Real-time”:
  Viral outbreak
  Loss of service on critical assets
  RAID devices starting to crash
  External attack
  Serious internal network abuse
Daily / weekly tasks:
  Unauthorised access evidence collection
  Suspicious logon failures
  Privilege revalidation
  Changes on host and network systems
  Activity summary
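Two of the daily review tasks listed above ("Suspicious logon failures", and the "Out of hours?" question the deck asks on a later slide), as an added Python example that is not part of the deck or of any vendor's product. It runs the checks over a constructed set of already-normalised logon events; the event fields, the five-failures-in-five-minutes threshold and the 07:00 to 19:00 business-hours window are assumptions chosen for illustration, not figures from the deck.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalised logon events (not real log data). Each
# record carries the fields the deck lists as common to all logs: time,
# source, who, and what happened.
EVENTS = [
    {"ts": "2007-11-05 08:02:11", "user": "jlee",       "src": "10.1.1.20", "outcome": "failure"},
    {"ts": "2007-11-05 08:02:15", "user": "jlee",       "src": "10.1.1.20", "outcome": "failure"},
    {"ts": "2007-11-05 08:02:19", "user": "jlee",       "src": "10.1.1.20", "outcome": "failure"},
    {"ts": "2007-11-05 08:02:24", "user": "jlee",       "src": "10.1.1.20", "outcome": "failure"},
    {"ts": "2007-11-05 08:02:30", "user": "jlee",       "src": "10.1.1.20", "outcome": "failure"},
    {"ts": "2007-11-05 08:02:41", "user": "jlee",       "src": "10.1.1.20", "outcome": "success"},
    {"ts": "2007-11-05 09:15:00", "user": "admin",      "src": "10.1.1.5",  "outcome": "failure"},
    {"ts": "2007-11-05 14:15:00", "user": "admin",      "src": "10.1.1.5",  "outcome": "failure"},
    {"ts": "2007-11-05 23:40:00", "user": "svc_backup", "src": "10.1.1.9",  "outcome": "success"},
    {"ts": "2007-11-06 02:10:00", "user": "jlee",       "src": "10.1.1.20", "outcome": "success"},
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {user: max failures inside any `window`} for users at or over threshold.

    Two isolated typos hours apart do not trip the rule; a tight burst does.
    Threshold and window are assumed values, tune them to the environment.
    """
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            failures[e["user"]].append(parse_ts(e["ts"]))
    findings = {}
    for user, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            # slide the window start forward so times[start..end] spans <= window
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings[user] = best
    return findings


def out_of_hours_logons(events, start_hour=7, end_hour=19):
    """Successful logons whose hour falls outside [start_hour, end_hour)."""
    hits = []
    for e in events:
        if e["outcome"] != "success":
            continue
        hour = parse_ts(e["ts"]).hour
        if not start_hour <= hour < end_hour:
            hits.append((e["user"], e["src"], e["ts"]))
    return hits


def success_after_burst(events, bursts):
    """Users who logged on successfully after tripping the failure rule: the
    finding to review first, since it may mean the password was eventually found."""
    seen = set()
    for e in events:
        if e["outcome"] == "success" and e["user"] in bursts:
            seen.add(e["user"])
    return sorted(seen)


def daily_review(events):
    """Bundle the checks the way a daily report would present them."""
    bursts = failed_logon_bursts(events)
    return {
        "failed_logon_bursts": bursts,
        "success_after_burst": success_after_burst(events, bursts),
        "out_of_hours_logons": out_of_hours_logons(events),
    }


if __name__ == "__main__":
    for name, finding in daily_review(EVENTS).items():
        print(f"{name}: {finding}")
```

The sliding window is what keeps the rule honest: counting failures per calendar day would flag the admin account's two typos as readily as the genuine burst, which is exactly the false-positive problem the earlier slide warns about.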
VIEWING LOG SAMPLES - Do you recognise these?
Feb 12 15:47:40 localhost su[29149]: - pts/5 dcid:root
Oct 25 00:09:27 192.168.1.100 security[failure] 577 IBM17M\Jeremy Lee Privileged Service Called: Server:Security Service:- Primary User Name:IBM17M$ Primary Domain:LEETHERNET Primary Logon ID:(0x0,0x3E7) Client User Name:Jeremy Lee Client Domain:IBM17M Client Logon ID:(0x0,0x1447F) Privileges:SeSecurityPrivilege
Feb 12 15:11:41 enigma su[2936]: failed: ttyq4 changing from xx to root
ACCESS,2006/09/26,13:14:36 -5:00 GMT,RogueScannerWin32 was unable to obtain permission for connecting to the Internet (169.254.207.118:Port 7000); access was denied.,N/A,N/A
PE,2006/09/26,13:14:36 -5:00 GMT,RogueScannerWin32,C:\Program Files\Network Chemistry\RogueScanner GUI\RogueScannerGUI.exe,169.254.207.118:7001,N/A
100.149.117.1 - - [13/Jan/2006:01:03:30 -0200] "POST /blog/xmlrpc.php HTTP/1.0" 404 288
USING TOOLS WE CAN VIEW LOGS INSTANTLY TO FIND OUT
• Who – was it a userID, system event, automated process?
• When – out of hours? Another time zone?
• Where from – source IP address, computer name, operating system, program?
• Where to – application? Database? Sensitive file?
• What – what actually happened?
• How – can you trace all activity relating to the incident?
AUTOMATED METHOD OF VIEWING LOGS
Source – RSA Envision Dashboard
GRAPHICAL REPRESENTATION OF LOG EVENTS
Source – Tier3 Huntsman Dashboard
AUTOMATED METHOD FOR VIEWING LOGS- NETWORK TRAFFIC DASHBOARD
AUTOMATED REPORT- PASSWORD CHARACTERISTICS
USING SIEM TECHNOLOGY
“The effective way to manage all your events is through the use of an automated solution, allowing you to automate the analysis and review of your logs from a central location”
Your solution depends on what your requirements are
What is important to your organisation?
DO YOUR HOMEWORK
• Do your homework – identify every requirement you have
• Be as granular as you can
• ‘We want forensics’ or ‘we have compliance issues’ is not a good answer
Loop Technology can help you identify what you need, then match your requirements to a solution that will best work for you
WHY DO YOUR HOMEWORK?
• SIEM technologies vary considerably from one to another
• If you are not clear about what you want to monitor, you risk purchasing a solution that will not do what you want it to
Many organisations have made this mistake – don’t let yours be next!
EXAMPLE- TYPES OF WINDOWS XP WORKSTATION LOGS
• Logon / logoff
• Access to sensitive files and directories
• Process start / process stop
• User access rights
• Account administration
• Changes to the security policy
• Shutdown and startup events
• System events
What else could there be? What about network logs? Proxy logs? Email server logs? Content management logs?
SIEM COMMON FEATURES
• Many types of ‘out of the box’ reporting
• Use of a back end database for storing data – may normalise data – BEWARE!!! (a normalised record may no longer preserve the original raw log line an investigation needs)
• Large number of defined rules provide a base for standard reports
• Support many technologies, but not always all of your technologies
• Provide a way to parse any logs that are not recognised ‘out of the box’
• Dashboard display, accessed by web browser
• Multiple reporting options
SIEM TECHNOLOGY DIFFERENCES
• In November 2007, the number of fully integrated SIEM solutions in the marketplace is ZERO
• Every SIEM solution today is historically either a SIM or a SEM solution – not both
• Many of these solutions are implementing short cuts to satisfy the marketing side of things, but will give you a lot of headaches
SIM VERSUS SEM
SIM – Security Information Management:
  Audit – ideal for host based events
  End user centric – good for archive and reporting
  Long term storage and analysis
  Monitoring of policy violations
  Correlation of many logs
SEM – Security Event Management:
  Geared toward monitoring network traffic
  Network centric – geared towards monitoring ‘real-time’ traffic
  Threat orientated, to support immediate incident response
  Monitoring of external attacks
  Consolidation of many events
AGENT VERSUS AGENTLESS
Agent monitoring compared with agentless monitoring:
• Rule definition: agents allow rule definition remotely; agentless performs rule definition at a central server
• Traffic: agents reduce traffic sent to a central reporting server; agentless collects all traffic at a central server
• Maintenance: agents mean higher configuration maintenance on remote systems; agentless means higher volume maintenance at the server
• Resources: agents consume more remote system resources and need more maintenance; with agentless, all maintenance is at the server – use of WMI and SNMP is common
• Fit: agents are useful for a specific system or audit requirement; agentless is useful when general policy enforcement applies for all systems
• Timeliness: agents monitor in near ‘real-time’; agentless cannot monitor in ‘real-time’
• Security: agents may cost more for security features; agentless security features are either with the product or depend on the security of the network
• Transport: agents may cost more to transmit data via TCP; TCP is generally a standard offering with most agentless systems
SYSLOG AND EVENT LOG PARSING
• Examples of technologies rarely with ‘out of the box’ recognition by event log management technologies:
  RSA authentication manager (all except 1)
  Clearswift SMTP and Clearswift Web
  Aventail VPN
  Various Linux versions
  VAX Tru64
• This is not unusual and you may find yourself in a situation where you need to parse and filter logs such as these. Most products offer a form of ‘universal log parsing’ where a few lines of code will provide a means to filter these logs. Make sure you check to see how each vendor performs this task, and compare each method.
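The ‘universal log parsing’ described above, and the earlier point that every log carries the same common information (date and time, source, destination, type of event), as one added Python example that is not part of the deck or of any vendor's product. It normalises the sample lines from the "Do you recognise these?" slide (an su line, a Windows security event relayed over syslog, two RogueScanner CSV lines and an Apache access-log line) onto those common fields. A line no parser understands is kept with event type "unparsed" rather than dropped, and every record retains the raw line plus its SHA-256, so the original can still be produced and its integrity checked during an investigation, which is the concern behind the deck's warning about normalisation. The field names, the event-type labels and the final "appliance" line are assumptions constructed for the example.

```python
import csv
import hashlib
import re

# Sample lines from the deck's "Do you recognise these?" slide, plus one
# constructed line (the last) that no parser below understands.
SAMPLES = [
    "Feb 12 15:47:40 localhost su[29149]: - pts/5 dcid:root",
    "Oct 25 00:09:27 192.168.1.100 security[failure] 577 IBM17M\\Jeremy Lee "
    "Privileged Service Called: Server:Security Service:- Primary User Name:IBM17M$ "
    "Primary Domain:LEETHERNET Primary Logon ID:(0x0,0x3E7) Client User Name:Jeremy Lee "
    "Client Domain:IBM17M Client Logon ID:(0x0,0x1447F) Privileges:SeSecurityPrivilege",
    "Feb 12 15:11:41 enigma su[2936]: failed: ttyq4 changing from xx to root",
    "ACCESS,2006/09/26,13:14:36 -5:00 GMT,RogueScannerWin32 was unable to obtain permission "
    "for connecting to the Internet (169.254.207.118:Port 7000); access was denied.,N/A,N/A",
    "PE,2006/09/26,13:14:36 -5:00 GMT,RogueScannerWin32,C:\\Program Files\\Network Chemistry"
    "\\RogueScanner GUI\\RogueScannerGUI.exe,169.254.207.118:7001,N/A",
    '100.149.117.1 - - [13/Jan/2006:01:03:30 -0200] "POST /blog/xmlrpc.php HTTP/1.0" 404 288',
    "some appliance emitted this and nobody has written a parser for it yet",  # constructed
]

# Each parser is a few lines of regex: the "universal log parsing" idea in miniature.
SYSLOG_HDR = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
RE_SU = re.compile(SYSLOG_HDR + r"su\[\d+\]: (?P<body>.*)$")
RE_WINSEC = re.compile(SYSLOG_HDR + r"security\[(?P<outcome>\w+)\] (?P<eid>\d+) (?P<rest>.*)$")
RE_APACHE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$')
RE_IPPORT = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}:(?:Port )?\d+")


def parse_su(m):
    body = m["body"]
    target = re.search(r"(?:to |:)(\w+)$", body)  # "... to root" or "dcid:root"
    return {"timestamp": m["ts"], "source": m["host"],
            "destination": f"{m['host']} user {target.group(1) if target else '?'}",
            "event_type": "su_failure" if body.startswith("failed") else "su_success"}


def parse_winsec(m):
    user = re.search(r"Client User Name:(.+?) Client Domain", m["rest"])
    server = re.search(r"Server:(\S+)", m["rest"])
    return {"timestamp": m["ts"],
            "source": f"{m['host']} ({user.group(1) if user else '?'})",
            "destination": server.group(1) if server else "?",
            "event_type": f"win_event_{m['eid']}_{m['outcome']}"}


def parse_apache(m):
    return {"timestamp": m["ts"], "source": m["src"], "destination": m["path"],
            "event_type": f"http_{m['method']}_{m['status']}"}


def parse_roguescanner(line):
    """CSV format: kind,date,time,message-or-program,...; returns None if not this shape."""
    fields = next(csv.reader([line]))
    if len(fields) < 4 or not re.fullmatch(r"\d{4}/\d\d/\d\d", fields[1]):
        return None
    ipport = RE_IPPORT.search(line)
    return {"timestamp": f"{fields[1]} {fields[2]}", "source": fields[3].split(" ")[0],
            "destination": ipport.group(0) if ipport else "?",
            "event_type": f"roguescanner_{fields[0].lower()}"}


def normalise(line):
    """Map one raw line to the common fields; keep the raw line and its hash regardless."""
    record = None
    for rx, fn in ((RE_SU, parse_su), (RE_WINSEC, parse_winsec), (RE_APACHE, parse_apache)):
        m = rx.match(line)
        if m:
            record = fn(m)
            break
    if record is None:
        record = parse_roguescanner(line)
    if record is None:  # unknown format: never drop it, flag it for a parser to be written
        record = {"timestamp": None, "source": None, "destination": None,
                  "event_type": "unparsed"}
    record["raw"] = line
    record["sha256"] = hashlib.sha256(line.encode()).hexdigest()
    return record


def verify_integrity(record):
    """Re-hash the stored raw line; a mismatch means the record changed after collection."""
    return hashlib.sha256(record["raw"].encode()).hexdigest() == record["sha256"]


def summarise(records):
    """Count per event type: the first view a reviewer wants of a batch."""
    counts = {}
    for r in records:
        counts[r["event_type"]] = counts.get(r["event_type"], 0) + 1
    return counts


if __name__ == "__main__":
    records = [normalise(line) for line in SAMPLES]
    for r in records:
        print(r["event_type"], r["timestamp"], r["source"], "->", r["destination"])
    print(summarise(records))
```

When comparing vendors' universal parsing, the questions this example makes concrete are whether an unrecognised line is retained or silently discarded, whether the raw line survives alongside the normalised fields, and whether the stored record can be checked for tampering afterwards.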
USING OPEN SOURCE TECHNOLOGIES TO BOLSTER CAPABILITIES
• There is a wide range of syslog tools on the internet that can be used to provide rudimentary forms of monitoring. They serve a specific task and perform their task well
• Many so-called ‘enterprise’ SIEM solutions utilise open-source tools to complement areas their own tools were not designed for – many SEM products will use these to provide basic SIM capabilities
• The use of open-source tools is not supported by the large vendors. If you use a product that relies on open-source tools, don’t expect these tools to be supported
GARTNER MAGIC QUADRANT 1Q07
THE IDENTITY MANAGEMENT CONUNDRUM
Identity management checks to ensure the userID requesting access is valid. It authenticates against the userID, then authorises access. The userID is then permitted to access your systems.
• 80 percent of all IT security breaches are internal – these are by people who already have userIDs and passwords. *
• Can you be sure the person authorised to use that userID is using it? Example: common practice in enquiries and help desk areas is to allow new people the use of other people’s userIDs that are already set up
IDM authorises access – log management tracks the access once authorised – these two technologies are designed to work together
* zdnet.com.au report – inside intrusion statistics, Feb 2005
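The point that IDM authorises access while log management tracks what the authorised userID then does, as an added Python example that is not part of the deck or of any product. A constructed IDM entitlement table is reconciled against a constructed access log, reporting (a) access to systems the userID is not entitled to, or by a userID the IDM does not know, and (b) a userID active from two different workstations within a short window, which is what the shared help-desk userID practice described above looks like in the logs. The entitlement data, log records, host names and the 30-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IDM entitlements: which target systems each userID is authorised to use.
ENTITLEMENTS = {
    "jlee":   {"crm-app", "fileserver"},
    "mwong":  {"helpdesk-portal"},
    "tdavis": {"helpdesk-portal"},
}

# Constructed access log of successful logons: (userID, source host, target system, time).
ACCESS_LOG = [
    ("jlee",   "ws-017",  "crm-app",         "2007-11-05 09:01:00"),
    ("jlee",   "ws-017",  "payroll-db",      "2007-11-05 09:30:00"),  # not entitled
    ("mwong",  "hd-ws-3", "helpdesk-portal", "2007-11-05 08:00:00"),
    ("mwong",  "hd-ws-7", "helpdesk-portal", "2007-11-05 08:04:00"),  # same ID, second desk
    ("tdavis", "hd-ws-5", "helpdesk-portal", "2007-11-05 08:10:00"),
    ("tdavis", "hd-ws-5", "helpdesk-portal", "2007-11-05 12:00:00"),
    ("ghost",  "ws-099",  "crm-app",         "2007-11-05 10:00:00"),  # userID unknown to IDM
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def unentitled_access(log, entitlements):
    """Accesses the IDM never authorised: unknown userIDs, or systems outside the
    user's entitlement set. Returned in log order, de-duplicated."""
    findings = []
    for user, _host, system, _ts in log:
        if system not in entitlements.get(user, set()):
            pair = (user, system)
            if pair not in findings:
                findings.append(pair)
    return findings


def shared_userid_candidates(log, window=timedelta(minutes=30)):
    """userIDs seen logging on from two different hosts inside `window`: a sign
    that one set of credentials is being used by more than one person."""
    by_user = defaultdict(list)
    for user, host, _system, ts in log:
        by_user[user].append((parse_ts(ts), host))
    hits = []
    for user, entries in sorted(by_user.items()):
        entries.sort()
        for i, (t_i, h_i) in enumerate(entries):
            for t_j, h_j in entries[i + 1:]:
                if t_j - t_i > window:
                    break  # entries are time-ordered, nothing later can be closer
                if h_j != h_i:
                    hits.append((user, h_i, h_j, int((t_j - t_i).total_seconds())))
    return hits


def reconcile(log, entitlements):
    """Both checks together, as a periodic privilege-revalidation report would run them."""
    return {
        "unentitled_access": unentitled_access(log, entitlements),
        "shared_userid_candidates": shared_userid_candidates(log),
    }


if __name__ == "__main__":
    for name, finding in reconcile(ACCESS_LOG, ENTITLEMENTS).items():
        print(f"{name}: {finding}")
```

Neither finding is visible to the IDM on its own: it authorised mwong correctly each time, and it has no record of ghost at all. Only the access log, read against the entitlement data, shows the difference between what was authorised and what actually happened.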
ISSUES THAT CAN BE SOLVED BY USING AUTOMATED LOG MANAGEMENT SOLUTIONS
• Costly to manage users and access to assets
• Difficult to know who has access to what
• Helpdesk costs continue to grow
• Difficult to manage users across different systems and applications
• Too many vulnerabilities & viruses, and patching is costly
• Unwanted emails and access to inappropriate websites is reducing productivity
• Blocking and tackling isn’t enough
• Compliance for various regulations – ISO27001, ACSI33, Basel II, SOX 404, EU directive, GLBA, HIPAA
USING LOG MANAGEMENT TO REDUCE COSTS- AT A GLANCE
• Secures ICT system integrity against known and unknown threats
• Proactive protection against asset misuse and loss of IP or sensitive data; protects stakeholder confidence
• Reduces costs:
  Remediation and business continuity – eliminate downtime by preventing events occurring
  Automated ICT compliance – replace expensive non-systematic manual processes
  Automated process controls – real-time audit capability
  Audit and automate transaction processing – non-repudiation capabilities
  Turn risk management & compliance costs into business value
CRITERIA LOOP TECHNOLOGY HAS USED TO SELECT ITS LOG MANAGEMENT PRODUCT SET
Trusted partnerships with leading vendors in the security space
Products are best of breed
Products that are easy to deploy and configure (you want to be able to make your evaluation after 1 week)
Products using flexible web based access
Secure protocols for protection of data
No normalisation of logs
100 percent fully supported – either agent or agentless or both
Local support for all product sets
Multiple reporting options, e.g. SMS, email, CSV, PDF, HTML
Information Security… it’s what we do