Security Information and Event Management (SIEM)

(1)

D r. A ndr ej R ak ar

SANS GCIH, RSA enVision CSE, MCP, MCSA, ISS Expert

Security Information and

Event Management (SIEM)

(2)



SIEM Role in ISMS



RSA enVision Presentation



SIEM Integration in Information

System

S ecu r ity I nfor m ation an d E v ent M anagem ent ( S I E M )

(3)

T h e E nter p r ise T oday

M ou ntains of data, m any stakeholders

Router logs IDS/IDP logs VPN logs Firewall logs Switch logs Windows logs

Client & file server logs Wireless access logs Windows domain logins Oracle Financial Logs San File Access Logs VLAN Access & Control logs DHCP logs Linux, Unix, Windows OS logs Mainframe logs Database Logs Web server activity logs

Content management logs Web cache & proxy logs

VA Scan logs

Configuration Control

Lockdown enforcement

Access Control Enforcement

Privileged User Management

Malicious Code Detection

Spyware detection Real-Time Monitoring Troubleshooting Unauthorized Service Detection IP Leakage False Positive Reduction

User Monitoring SLA Monitoring

How to collect & protect all the data necessary to build a platform for

compliance, security, and network operations

How to analyze and manage all the data to transform it into information

(4)

COMMERCIAL APPLICATIONS INTERNAL APPLICATIONS OPERATING SYSTEMS SECURITY INFORMATION NETWORK INFORMATION DATABASE SYSTEMS STORAGE

C h allen ge: G r ow th of E nter p r ise S ilos

(5)

C h allen ges



_{I nfor m ation}

S ecu r ity



_{I T C om p lian ce}

R ep or tin g

 Challenge to get up-to-date metrics for Security Status

 Countless hours spent gathering, understanding, security logs from

disparate systems

 Incident response is ad-hoc, manual and inefficient

 Data overload causes

reactive security measures

 Creating reports is time-consuming,

labor-intensive and error-prone

 Sr. management expects to cut compliance costs

 IT governance is reactive, not proactive

(6)

R equ ir em ents and O bjectiv es



_{I m p r ov e P r oof-O f-C om p liance}

r ep or ting of I T contr ols



_{S y stem m onitor ing and su p er v ision}



_{netw or k contr ols, ap plications}



_{E fficient m anagem ent of secu r ity r isk s}



_{r eal-tim e secu r ity aler ts}



_{C u tting com p liance costs}



_{by r ep lacing m anu al p r ocesses w ith}

h olistic solu tion for continu ou s

secu r ity infor m ation and ev ent

m anagem ent

(7)

Information security managemnt system documentation § information security policy § inventory of assests

§ risk analysis report

§ statement of applicability § policies , procedures and standards § SLA, contracts Bussiness processes controlled by process documentation EVENTS security incidents vulnerability malfunctions audit results sec. assessment results Review and improvement Analysis Proving documentation

SIEM

S I E M for M onitor ing an d I m p r ov em ent of I S M S

(8)

S I E M for S im p lify ing C om p liance Environmental & Environmental & Transmission Security Transmission Security Policy Policy Enforcement Enforcement

User Monitoring &

Management Management Malicious Code Malicious Code Detection Detection Configuration Configuration Control Control Access Control Access Control Enforcement Enforcement HIP AA

_{Secure data}_{Secure data}

transmissions

_{Proactive security of}_{Proactive security of}

the network

_{Verify user activity}_{Verify user activity}

against policy

_{Prevent information}_{Prevent information}

leakage

_{Monitor user privileges}_{Monitor user privileges} _{Enforcement of}_{Enforcement of}

account policies

_{Anomaly monitoring}_{Anomaly monitoring}

against baselines

_{Reporting of outbreaks}_{Reporting of outbreaks} _{Change control}_{Change control}

lockdown enforcement

_{Unapproved software}_{Unapproved software}

monitoring

_{Privileged user}_{Privileged user}

monitoring

_{Unauthorized user}_{Unauthorized user}

access access GL BA BA SE L II FIS M A PC I Sa rb an es -O xle y

= Critical to this compliance environment = Highly desired in compliance environment Compliance Environment Compliance Objective Product Capabilities Log Management Asset Identification Baseline

Report & Audit

Alert / Correlate

Forensic Analysis

(9)

S I E M for E nh ancin g S ecu r ity O p er ations

_{Proof of delivery}_{Proof of delivery} _{Monitor against}_{Monitor against}

baselines baselines SLA Compliance SLA Compliance Monitoring Monitoring

_{Shutdown rogue}_{Shutdown rogue}

services

_{Intellectual property}_{Intellectual property}

leakage leakage Unauthorized Network Unauthorized Network Service Detection Service Detection

_{External threat exposure}_{External threat exposure} _{Internal investigations}_{Internal investigations}

Watchlist Enforcement

_{Watch remote network}_{Watch remote network}

areas

_{Consolidate distributed}_{Consolidate distributed}

IDS alerts IDS alerts Correlated Threat Correlated Threat Detection Detection

_{Confirm IDS alerts}_{Confirm IDS alerts} _{Enable critical alert}_{Enable critical alert}

escalation

escalation False Positive Reduction

False Positive Reduction

_{Troubleshoot network &}_{Troubleshoot network &}

security events

_“_“_{What is happening?”}_{What is happening?”}

Real-time Monitoring

 _{Privileged user}_{Privileged user}

monitoring

 _{Corporate policy}_{Corporate policy}

conformance conformance Access Control Access Control Enforcement Enforcement In te rn al Sy ste m s & Ap pli ca tio ns eC om m erc e O pe ra tio ns Pe rim ete r N etw ork O pe ra tio ns

= Most critical = Highly desired = Desired

Security Objective Security Environment Product Capabilities Log Management Asset Identification Baseline

Report & Audit

Alert / Correlate

Forensic Analysis

(10)

How to ensure that security measures are really implemented?

What and when happened, should actions be taken?

P r oblem s:



lengthy collection, management and understanding

of security logs



incident management is manual, inefficient and

unsystematic



large number of data prevents timely measures and

actions



determining current security status of information

system is demanding



generating reports is time consuming, demanding,

(11)



SIEM Role in ISMS



RSA enVision Presentation



SIEM Integration in Information

(12)

A dv an tages of R S A enV ision S olu tion



_{R eal tim e ev ent m anagem ent}



R eal tim e ev ent cor r elation



_{A u tom atic discov er y of secu r ity}

inciden ts



_{S u p p or t for lar ge nu m ber of sy stem s}

and p ossibility to integr ate u nk now n

dev ices



_{>1000 p r econfigu r ed r ep or ts}

com p liant w ith B asel I I , P C I , I S O

27001, S O X , etc.

(13)

R S A en V ision S calability EPS 500 1000 2500 5000 10000 30000 # DEVICES 7500 300,000 100 200 400 750 1250 1500 2048 30,000 ES Series LS Series

(14)

(15)

LogSmart IPDB

R S A en V ision and LogS m ar t I P D B

A ll the D ata w ith Consistently H igh Perform ance

Relational Database Data Exp losion Data Loss Encrypted Compressed Parallel analysis Authenticated Un pre dict ab le A lert_s

(16)

D ata C ap tu r e

 _{A gentless D ata C ap tu r e}

 Low est possible im pact to th e enter pr ise

 S m aller attack sur face by r edu cing num ber of activ e elem ents

 I ncr eases accur acy by r educing/elim inating “blind sp ots”

 _{R aw D ata C ap tu r e}

 D ata integr ity v ia W r ite Once R ead M any ( W OR M ) design

 I ncr eases accur acy by r educing/elim inating “data m unging”

 P er m its data to be r e-pu r p osed as needed

 S u ppor ts both legal and for ensic ev idence discov er y

 _{U niv er sal D ev ice S u p p or t ( U D S )}

 D eliv er s v er y br oad sour ce dev ice suppor t

 P r ov ides easy m ech anism to k eep existing dev ices up to date

 A bstr acts 100K + ev ents into distinct categor ies for better consum ption/analy sis

 P er m its accur ate data captur e fr om “unk now n” sour ce dev ices

(17)

A naly sis and E v ent M anagem ent

 I n telligen t D ata M in in g & R aw E v en t V iew ing

 B oth r eal-tim e an d h istor ical ev en ts can be an aly zed

 H igh ly cu stom izable to m atch in div idu al con su m er r equ ir em en ts

 R ole-based access con tr ol

 C onsisten t p er for m an ce in dep en dent of incom in g E P S r ate

 A dv an ced E v en t C or r elation & A ler tin g

 R eal-tim e analy sis acr oss an y /all dev ice ty p e or ev ents

 Lev er ages com p r eh en siv e ev en t taxon om y

 S u pp or ts both an om aly an d sign atu r e-based cor r elation logic

 C onsisten t p er for m an ce in dep en dent of incom in g E P S r ate

 R ep or tin g E ngine

 Offer s both r u n-tim e an d sch edu led r epor ts

 A naly zes and r ep or ts on both “detail” an d “su m m ar y ” ty p e in for m ation

 D edicated r epor tin g p ack ages for sp ecific in du str y r equ ir em en ts

• S OX , P C I , H I P A A , G LB A , S A S 70, etc.

 >1000 r ep or ts & ch ar ts sh ip w ith p r odu ct

 W izar d G U I for cu stom ization

 B aseline A naly sis

 A u tom atically com p u tes baselin es as p r odu ct is u sed

 U sed to dr iv e both r eal-tim e aler tin g or h istor ical r ep or tin g

 R aw ev ents, p ay loads w ith in ev en ts & aler t ou tp u ts ar e baselin ed

(18)

S I E M R ep or ting

•Gain Needed Insight Into IT Controls

D iscov er tr ends, an om alies T r ack and r ep or t secu r ity

-r elated activ ity on assets im p acted by S ar

banes-Oxley , oth er r egu lations

•Improve Proof-of-Compliance

Reporting

D em onstr ate Y ou r

Or ganization

•M onitor s activ ity on cr itical I T

assets

•_{I dentifies and analy zes secur ity}

and com pliance incidents

•_{T r ack s and r esolv es incidents}

and policy v iolations

•Out-of-Box Reports, Configure

(19)

(20)



SIEM Role in ISMS



RSA enVision Presentation



SIEM Integration in Information

(21)

D r iv er s for I m p lem enting S I E M S olu tions



_{M itigatin g secu r ity r isk s}



_{E n d u ser exp ectation s}



_{R egu lator y com p lian ce}



_{A dap tability an d bu siness agility}

(22)

S I E M I ntegr ation in I nfor m ation S y stem

correlations Incident management

HELP DESK reporting by e-mail incidents events events routers servers web servers databases applications firewalls IDS/IPS Monitoring system events data Security policy Standards Legislation incidents

(23)

I ntegr ation of E v ents, S ystem s and I den tity M anagem ent Management Security Information & Event Systems Management

Identity & Access

Management

Comprehensive Security & Compliance

(24)

> Syslog, Syslog NG

> SNMP

> Formatted log files

>Comma/tab/space delimited, other

> ODBC connection to remote databases

> Push/pull XML files via HTTP

> Windows event logging API

> CheckPoint OPSEC interface

> Cisco IDS POP/RDEP/SDEE

B-2

(25)

I ntegr ation w ith N etw or k M anagem ent S y stem s



_{I ntegr ation w ith netw or k}

m anagem en t sy stem s ( S M S , M O M ,

etc.)



M onitor ing: defin ition and

clasification of in cidents



C r eate incident



_{U p date incident}



_{C lose incident}



_{M anagem ent: con solidate asset}

database

(26)

I ntegr ation w ith I den tity M anagem ent S ystem s ( I M ) Alerts User Provisioning Access Control Federated SSO Roles Rules Policies Reports Dashboards

IM System SIEM System

Correlation Rules Pattern Discovery Risk Scoring Unified User/Role Information Normalized Event Collection Badge readers Apps Web Databases Files Desktops Etc. Directory Directory Directory