OSSIM User Training: Get Improved Security Visibility with OSSIM
Sunday, January 8, 2012 - Home - AOA · What is SIEM? Security Information ... OSSIM () Open Source...
Transcript of Sunday, January 8, 2012 - Home - AOA · What is SIEM? Security Information ... OSSIM () Open Source...
![Page 1: Sunday, January 8, 2012 - Home - AOA · What is SIEM? Security Information ... OSSIM () Open Source 3 St. Clout State, St. Cloud, MN LogRhythm () 4 Central Piedmont](https://reader035.fdocuments.us/reader035/viewer/2022062600/5af5aeda7f8b9a8d1c8ded1f/html5/thumbnails/1.jpg)
Eumi SpragueInformation Technology
Cal Poly CorporationSan Luis Obispo, CA
Sunday, January 8, 2012
![Page 2: Sunday, January 8, 2012 - Home - AOA · What is SIEM? Security Information ... OSSIM () Open Source 3 St. Clout State, St. Cloud, MN LogRhythm () 4 Central Piedmont](https://reader035.fdocuments.us/reader035/viewer/2022062600/5af5aeda7f8b9a8d1c8ded1f/html5/thumbnails/2.jpg)
What is SIEM?
Security Information and Event Management
Security Information Management (SIM)
• Log Management and Compliance Reporting
Security Event Management (SEM)
• Real-time Monitoring and Incident Management for Security-related Events from Networks, Security Devices, Systems, and Applications
Source: Gartner 2011 Magic Quadrant for SIEM
2
![Page 3: Sunday, January 8, 2012 - Home - AOA · What is SIEM? Security Information ... OSSIM () Open Source 3 St. Clout State, St. Cloud, MN LogRhythm () 4 Central Piedmont](https://reader035.fdocuments.us/reader035/viewer/2022062600/5af5aeda7f8b9a8d1c8ded1f/html5/thumbnails/3.jpg)
What is SIEM – cont’dSIEM Technology:
Compliance – Log Management and Compliance Reporting
Treat Management – real time monitoring of user activity, data access, application activity, and incident management
A deployment that provides a mix of compliance and threat management capabilities
Source: Gartner 2011 Magic Quadrant for SIEM 3
![Page 4: Sunday, January 8, 2012 - Home - AOA · What is SIEM? Security Information ... OSSIM () Open Source 3 St. Clout State, St. Cloud, MN LogRhythm () 4 Central Piedmont](https://reader035.fdocuments.us/reader035/viewer/2022062600/5af5aeda7f8b9a8d1c8ded1f/html5/thumbnails/4.jpg)
SIEM ‐ Our Story
What we did
Where we are
Where we are headed
4
![Page 5: Sunday, January 8, 2012 - Home - AOA · What is SIEM? Security Information ... OSSIM () Open Source 3 St. Clout State, St. Cloud, MN LogRhythm () 4 Central Piedmont](https://reader035.fdocuments.us/reader035/viewer/2022062600/5af5aeda7f8b9a8d1c8ded1f/html5/thumbnails/5.jpg)
What We Did Our journey began about 18 months…
Sampled Two Systems
• LogRhythm
• TriGeo (now called SolarWinds)
Budgeted for Purchase in FY2011-12
5
![Page 6: Sunday, January 8, 2012 - Home - AOA · What is SIEM? Security Information ... OSSIM () Open Source 3 St. Clout State, St. Cloud, MN LogRhythm () 4 Central Piedmont](https://reader035.fdocuments.us/reader035/viewer/2022062600/5af5aeda7f8b9a8d1c8ded1f/html5/thumbnails/6.jpg)
What We Did – cont’d Find out what others were using
• Cal Poly, SLO, use Splunk (open source)
• AOA IT Forum No responses posted on the IT forum
• Check List Servs: [email protected]
Excellent PCI List Serv. By invitation only. Email Chrissy Woodward at [email protected] to be added.
6
![Page 7: Sunday, January 8, 2012 - Home - AOA · What is SIEM? Security Information ... OSSIM () Open Source 3 St. Clout State, St. Cloud, MN LogRhythm () 4 Central Piedmont](https://reader035.fdocuments.us/reader035/viewer/2022062600/5af5aeda7f8b9a8d1c8ded1f/html5/thumbnails/7.jpg)
Summary of List Serv Results – page 1No. Institution System Note
1 Utah State University
OSSEC (www.ossec.net), Splunk (www.splunk.com)
Open Source
2 Canisius College, Buffalo, NY
OSSIM (http://alienvault.com) Open Source
3 St. Clout State,St. Cloud, MN
LogRhythm (www.logrhythm.com)
4 Central Piedmont Community College, Charlotte, NC
OSSSEC (www.ossec.net) Open Source
5 Florida State Univ, Tallahassee, FL
NitroSecurity (ESM) www.nitrosecurity.com
7
![Page 8: Sunday, January 8, 2012 - Home - AOA · What is SIEM? Security Information ... OSSIM () Open Source 3 St. Clout State, St. Cloud, MN LogRhythm () 4 Central Piedmont](https://reader035.fdocuments.us/reader035/viewer/2022062600/5af5aeda7f8b9a8d1c8ded1f/html5/thumbnails/8.jpg)
Summary of List Serv Results – page 2
No. Institution System Note
6 Purdue University Enterasys Networks (www.enterasys.com)
7 Norfolk State Univ, Norforlk, VA
Nitro Securitywww.nitrosecurity.com
8 The University of Oklahoma HSC, Oklahoma City, OK
Net Forensicswww.netforensics.com
9 College of Western Idaho, Nampa, ID
LogRhythmwww.logrhythm.com
8
![Page 9: Sunday, January 8, 2012 - Home - AOA · What is SIEM? Security Information ... OSSIM () Open Source 3 St. Clout State, St. Cloud, MN LogRhythm () 4 Central Piedmont](https://reader035.fdocuments.us/reader035/viewer/2022062600/5af5aeda7f8b9a8d1c8ded1f/html5/thumbnails/9.jpg)
Gartner’s2011 SIEM Magic
Quadrant
9
![Page 10: Sunday, January 8, 2012 - Home - AOA · What is SIEM? Security Information ... OSSIM () Open Source 3 St. Clout State, St. Cloud, MN LogRhythm () 4 Central Piedmont](https://reader035.fdocuments.us/reader035/viewer/2022062600/5af5aeda7f8b9a8d1c8ded1f/html5/thumbnails/10.jpg)
Open Source Systems Options
• OSSEC www.ossec.net• Splunk www.splunk.com• OSSIM http://alienvault.com/
Pros• Less cost
Cons• Not as robust as the commercial systems• Requires more work to deploy
10
![Page 11: Sunday, January 8, 2012 - Home - AOA · What is SIEM? Security Information ... OSSIM () Open Source 3 St. Clout State, St. Cloud, MN LogRhythm () 4 Central Piedmont](https://reader035.fdocuments.us/reader035/viewer/2022062600/5af5aeda7f8b9a8d1c8ded1f/html5/thumbnails/11.jpg)
Where We Are
Look at LogRhythm & Solarwinds again
Look at Q1Labs• Used by Juniper Labs• Cost will be an important factor
Review and evaluate systems
Select a system
11
![Page 12: Sunday, January 8, 2012 - Home - AOA · What is SIEM? Security Information ... OSSIM () Open Source 3 St. Clout State, St. Cloud, MN LogRhythm () 4 Central Piedmont](https://reader035.fdocuments.us/reader035/viewer/2022062600/5af5aeda7f8b9a8d1c8ded1f/html5/thumbnails/12.jpg)
Where We are Headed Implement a System
Time Line within 6 to 12 months
12
![Page 13: Sunday, January 8, 2012 - Home - AOA · What is SIEM? Security Information ... OSSIM () Open Source 3 St. Clout State, St. Cloud, MN LogRhythm () 4 Central Piedmont](https://reader035.fdocuments.us/reader035/viewer/2022062600/5af5aeda7f8b9a8d1c8ded1f/html5/thumbnails/13.jpg)
Conclusion –
SIEM market has matured Many systems to choose from Wealth of information available Helps to know our requirements Implementation is the new beginning Need to manage the information Would love to collaborate…
13