Brief overview of the SIEM / log management technology era, the technology and business drivers for better network security and visibility with log management and SIEM solutions, and some selected players from the DSS portfolio.
SIEM vs Log Management - Data Security Solutions 2011
Innovations in data security. Log management vs SIEM. Andris Soroka, 07.07.2011. Together with
Agenda
- Introduction – threats, technology era, definitions
- Business drivers for log management and SIEM (Security Information and Events Management)
- Market analysis, critical capabilities of solutions
- Selected solutions for Your review: SEM (Log management), SEM (Wider scope), SIEM
Where to start from?
Internet has been compared to America's Wild Wild West countless times – now the analogy holds more weight than ever. No DNA forensics, no overarching laws – just lawlessness.
The 21st Century – the age of cybercrime
"Year 2010 was the year of cybercrime and cyberwars. Year of Wikileaks" – "The New York Times", "Guardian", "Der Spiegel", "El Pais", "Le Monde", "CNN", "BBC" and more, 2010, 2011..
"FBI warns Congress that cybercriminals can hack any internet-linked system" – Gordon M. Snow, assistant director of the FBI's Cyber Division (13th of April, 2011)
Background – technology development
- IT continues taking the lead in business (ERP, CRM, document management, digital prototyping etc.)
- Importance and development of the e-World (e-Health, e-government, e-services, social networking, Web 2.0, unified communications and tools for that etc.)
- Mobility and borderless enterprise
- Cyber culture develops faster than cybersecurity
New threats – targeted, professional, silent
- There are Internet shops full of credit card, bank account, privacy, business and other confidential data. There are also services available to rent a botnet, malicious code and attack anyone.
- Cybercriminal «CV Online»
- "Black Community" where cybercriminals are organized better than high-level military organizations
- Video trainings and eLearning available in social media, such as YouTube
Business drivers that initiate LM / SIEM
- EU directives: such as for data protection, critical infrastructure protection, cooperation
- Industry standards and regulations: banks, health organizations etc.
- NATO directives: security, military orgs related to NATO work
- IT Security: ISO 2700X
- Local laws and regulations: personal data protection, IT Security politics
SIEM / SEM / SIM – Where to start from?
- Do You have one, central solution for collecting ALL events (logs), correlating them and having real time intelligent visibility?
- Do You monitor the business processes instead of the network?
- Do You monitor identities, applications, information and their context instead of just IP addresses, OS's and devices?
If not – You are vulnerable!!!
[Diagram: "Log Silo" / "Log Jam" – logs from Network, Servers, Databases and Homegrown Applications feeding separate tools for Operational IT & Network Management, Identity Governance & Compliance and Security Operations]
No, I mean, really… do You know?
Clear & concise delivery of the most relevant information …
- What was the attack? Was it successful?
- Who was responsible? Where do I find them?
- How many targets were involved? How valuable are they to the business?
- Are any of them vulnerable?
- Where is all the evidence?
What is in Your logs so far..? 50%? Less..?
Failed Logon, User and System Activity, Privileges Assigned / Changed, Security Breach, File Up/Download, Credit Card Data Access, Runaway Application, Customer Transaction, Information Leak, Email BCC
What is in Your logs so far..? 50%? Less..?
What logs: audit logs, transaction logs, intrusion logs, connection logs, system performance records, user activity logs, different systems' alerts and other systems' messages
From where: firewalls / intrusion prevention, intrusion detection, routers / switches, servers, desktops, mainframes, business applications, databases, antivirus software, VPNs
There is no standard format or transportation method for logs; there are more than 800 log file formats in use..
Introduction – Definitions from IT Security / technologies – solutions
- SEM – Security Events Management (Correlation – relating events together for security benefits)
- SIM – Security Information Management (Log management – e.g. collecting the events of the applications and operating systems.)
- SIEM – Security Information And Event Management
You cannot control what You cannot see!
SIEM evolution (from Anton Chuvakin blog)
- Historically, 1997–2002: IDS & Firewall; worms, alerts of overflow, packets etc. Sold as a "SOC in the box"
- 2003–2007: Above + Server + Context; users, compliance etc. Sold as a "SOC in the box" +
- 2008+: Above + Applications + Cybercrime, fraud prevention, identity etc. Sold as a "SOC in the box" +++
Log management and intelligence
- Collect: Time-stamping and secure collection of 100% of all log data, 100% of the time, from any device, including any network, storage, servers, applications!
- Alert: Alerts based on real time forensics according to policies. According to anomalies, incidents. In any possible alerting way.
- Store: As much as you want, as little as your compliance needs dictate. Automated, secure storage and archival of critical log data. Maintain chain of custody.
- Report: Should be easy to configure and report. Should have easy-to-use templates and more than 10K custom reports. Packaged SOX, PCI reporting + more.
Process Integration & Information Share
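One way to meet the "maintain chain of custody" requirement in the Store column, as an added example that is not part of the presentation or of any vendor's product: a hash-chained log archive with a verifier that reports the first tampered entry. The sample events, hostnames and addresses are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first archived entry

# Constructed sample events, as a central collector would receive them.
SAMPLE_EVENTS = [
    ("2011-07-07T10:00:01Z", "fw1", "DENY tcp 10.0.0.5 -> 192.168.1.10:445"),
    ("2011-07-07T10:00:02Z", "srv1", "sshd: Failed password for alice from 10.0.0.5"),
    ("2011-07-07T10:00:03Z", "db1", "audit: SELECT on CARD_DATA by app_user"),
]

def _digest(entry):
    """SHA-256 over every field except the stored hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_event(chain, ts, host, msg):
    """Store step: each entry commits to the previous entry's hash, so a later
    edit, deletion or insertion invalidates every entry that follows it."""
    entry = {"seq": len(chain), "ts": ts, "host": host, "msg": msg,
             "prev": chain[-1]["hash"] if chain else GENESIS}
    entry["hash"] = _digest(entry)
    chain.append(entry)
    return entry["hash"]

def verify_chain(chain):
    """Recompute every hash and link; return (ok, seq of first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(e):
            return False, i
        prev = e["hash"]
    return True, None

def build_chain(events=SAMPLE_EVENTS):
    chain = []
    for ts, host, msg in events:
        append_event(chain, ts, host, msg)
    return chain

def tamper_demo():
    """Editing one archived entry, or dropping one, is detected by verify_chain.
    The head hash must be escrowed out of band (WORM media, a second system);
    otherwise whoever controls the store can simply recompute the whole chain."""
    chain = build_chain()
    head = chain[-1]["hash"]
    edited = json.loads(json.dumps(chain))  # deep copy, then falsify one message
    edited[1]["msg"] = edited[1]["msg"].replace("Failed", "Accepted")
    deleted = chain[:1] + chain[2:]         # drop the sshd record entirely
    return {"clean": verify_chain(chain), "edited": verify_chain(edited),
            "deleted": verify_chain(deleted), "head": head}
```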
More about SIM / SEM / SIEM coverage – scope of usage – SIM (log management) + SEM
- Standards such as: Syslog (Unix / Linux, network devices), Eventlog (Windows), Journals (mainframe, midrange..)
- Non-standards such as logging into files and SQL databases
Usage:
- Central monitoring, finding anomalies, reporting, alerting
- Collecting and archiving logs, forensics (search all over)
- Threat protection & discovery, incident response, audit support
Advantages / Disadvantages (not always):
- Scalability – security logs are only about 10% of all logs, but SIM solutions collect ALL logs; correlation can be an issue later
- Functionality – correlating events from different sources is at a different level than in SIEM, which is naturally designed to do so
More about SIM / SEM / SIEM coverage – scope of usage and quality control
SIEM – a must have!
- Log and context data collection (SIM)
- Normalization and categorization (SIM)
- Correlation (SEM)
- Notification / Alerting (SEM)
- Prioritization (SEM)
- Dashboards and visualization
- Reporting and reports delivery (SIM)
- Security role workflow
SIEM – next generation solutions work looking at the level of: File Integrity Monitoring, Database Activity Monitoring, Application Monitoring, Identity Monitoring, User Activity Monitoring
Planning a SIEM / LM project?
Planning areas (IN THAT ORDER! By Anton Chuvakin):
- Goals and requirements
- Functionality & features
- Scope and data collection
- Sizing
- Architecting
Deploy Log management before SIEM….
Q: Why do You think most of the SIEM projects failed in the past?
A: There was no LM in place, SIEM alone is just not that useful..
Quality and innovations portfolio from DSS
- Market leadership in research of leading market analysts
- Close partnership with local competence center, represented vendors and regional distributor
- Market industry standards and international quality standards
Solutions to offer
- SIM / SIM + SEM: Balabit IT Security – Syslog NG, Store Box SSB + Sawmill
- SIEM+: Q1 Labs – The Market Leader
[Diagram label: Suspected Incidents]
Balabit IT Security
- Founded in 2000, Hungary
- 2nd fastest growing IT company in CEE, listed in Deloitte's Top 50 research
- "The syslog-ng company" – open source log collecting solution is used by 650000 customers world wide
- SIM (Log management) and more
Balabit IT Security
Syslog-ng Premium Edition: TLS-encrypted communication; Direct SQL Access; More than 21 platforms supported; Windows agent with AD; IBM System i agent
Syslog-ng Store Box: Complete log lifecycle management; Web based user interface; 75000 messages per second, 24GB messages per hour; Encrypted communication, alerting, filtering etc.
Shell Control Box ("The Black Box"): Monitoring over admins; Monitoring over outsourcers
Balabit IT Security + Sawmill
- Sawmill – software package to analyze log files
- Has more than 250000 customers world wide
- Works with more than 800 different log file formats
- Extremely great reporting
- Licensed by report profiles
[Diagram: Sawmill architecture – inputs: Web Server Logs, Security Logs, Network Logs, Streaming Media Logs, Mail Server Logs, Log Files, Security Events, Network Events; Log Filtering & Parsing into ODBC / MySQL / INTERNAL Database; Reports & Report Filters, Profiles & Schedules; outputs: Real Time 'Live' Reports, Dynamic Reports, Static Reports for email / publishing (html/csv/pdf), Real Time Alerts; Enterprise-wide analytics; 800+ different log formats supported]
Balabit IT Security + Sawmill – licensing
- Balabit syslog-ng is licensed by the number of log source hosts (LSH), licenses for 5, 10, 25, 50, 100, 150, 250… Unlimited; unlimited costs about 25K Euro
- Balabit SSB is licensed the same way, licensed for 50, 100, 250, 500, 750, 1000… Unlimited; depending on options (HA, support, hardware: 1U or 2U, architecture) a project can be between 25K – 150K Euro
- Sawmill is licensed by the number of report profiles created and product type selected, can vary between 1K and 10K Euro
Q1 Labs business card
- Q1 Labs – a global leader in the SIEM market from USA
- Best price / performance
- Next generation SIEM
- +2000 customers worldwide
- Gartner 2009 / 2010 Magic Quadrant leader
- Biggest independent SIEM vendor from the leaders
- Out of the box number of compliances covered: PCI, HIPAA, FISMA, CoCo, NERC, SOX
Q1 Labs SIEM & much more
Next-generation Log Management:
- Turnkey log management
- SME to Enterprise
- Upgradeable to enterprise SIEM
Next-generation SIEM:
- Integrated log, cyber threat, risk and compliance management
- Scalable, Automated, Broad market
- Network activity information
Next-generation Risk Management:
- Predictive threat modeling & simulation
- Automated compliance and policy verification
- Scalable configuration monitoring & audit
- Advanced threat visualization / impact analysis
Stackable Expansion:
- Event Processors, High Availability
- Network Activity Processors
- Geographic distribution
- Horizontal scale
- Embedded, real-time database
Application & Activity Monitoring:
- Layer 7 application monitoring
- Content Aware
- Identity/user-based visibility of network and application activity
- Provides visibility into physical and virtual
Q1 in action – Malware activity
- Potential Botnet Detected? This is as far as traditional SIEM can go.
- IRC on port 80? QFlow enables detection of a covert channel.
- Irrefutable Botnet Communication: Layer 7 data contains botnet command and control instructions.
Q1 in action – User activity monitoring
- Authentication Failures: Perhaps a user who forgot their password?
- Brute Force Password Attack: Numerous failed login attempts against different user accounts.
- Host Compromised: All this followed by a successful login. Automatically detected, no custom tuning required.
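The collect, normalize (SIM), correlate and alert (SEM) pipeline from the definitions and coverage slides above, applied to the case on this slide: failed logins against several accounts from one source followed by a successful login. This is an added example, not Q1 Labs code or any product's rule set; the log lines, hostnames, addresses and the threshold of three accounts are constructed, while event IDs 4624/4625 are the real Windows logon success/failure IDs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample input: Linux sshd syslog lines plus one Windows-style
# security event export, the mixed sources a SIM collects from one network.
RAW_LOGS = [
    "Jul  7 10:00:01 srv1 sshd[812]: Failed password for alice from 10.0.0.5 port 4011 ssh2",
    "Jul  7 10:00:03 srv1 sshd[812]: Failed password for bob from 10.0.0.5 port 4012 ssh2",
    "Jul  7 10:00:05 srv1 sshd[812]: Failed password for carol from 10.0.0.5 port 4013 ssh2",
    "2011-07-07 10:00:06 WIN1 EventID=4625 Account=dave Source=10.0.0.5 Status=FAILURE",
    "Jul  7 10:00:20 srv1 sshd[812]: Accepted password for dave from 10.0.0.5 port 4014 ssh2",
    "Jul  7 10:05:00 srv1 sshd[900]: Failed password for erin from 10.0.0.9 port 5000 ssh2",
]
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                       r"(Failed|Accepted) password for (\S+) from (\S+) ")
WINEVT_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) EventID=(\d+) "
                       r"Account=(\S+) Source=(\S+) ")

def normalize(line, year=2011):
    """SIM step: map one raw line onto a common schema (None if unparsed).
    Syslog carries no year, so the collector must supply it (assumed 2011)."""
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "host": m.group(2), "user": m.group(4),
                "src": m.group(5), "ok": m.group(3) == "Accepted"}
    m = WINEVT_RE.match(line)
    if m:  # Windows event 4624 = successful logon, 4625 = failed logon
        return {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                "host": m.group(2), "user": m.group(4), "src": m.group(5),
                "ok": m.group(3) == "4624"}
    return None

def correlate(records, threshold=3, window=timedelta(minutes=5)):
    """SEM step: failures against >= threshold distinct accounts from one
    source, then a successful logon from that source inside the window."""
    alerts, failed = [], defaultdict(list)  # src -> [(ts, account)]
    for r in sorted(records, key=lambda r: r["ts"]):
        recent = [(t, u) for t, u in failed[r["src"]] if r["ts"] - t <= window]
        failed[r["src"]] = recent
        if not r["ok"]:
            recent.append((r["ts"], r["user"]))
            continue
        accounts = sorted({u for _, u in recent})
        if len(accounts) >= threshold:
            alerts.append({"src": r["src"], "host": r["host"], "user": r["user"],
                           "failed_accounts": accounts, "offense": "Host Compromised"})
    return alerts

def run(lines=RAW_LOGS):  # collect -> normalize -> correlate
    return correlate([r for r in map(normalize, lines) if r])
```

The single failure from 10.0.0.9 never reaches the threshold and raises nothing, which is the "forgot their password" case the slide contrasts with the attack.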
Q1 in action – complex threat detection
Sounds Nasty… But how do we know this? The evidence is a single click away.
- Network Scan – detected by QFlow
- Buffer Overflow – exploit attempt seen by Snort
- Targeted Host Vulnerable – detected by Nessus
- Total Visibility – convergence of Network, Event and Vulnerability data.
Q1 in action – data loss prevention
Potential Data Loss? Who? What? Where?
- Who? An internal user
- What? Oracle data
- Where? Gmail
Q1 Labs in figures
Based on selection, sizing, requirements and targets there are different models and ways how to move forwards:
- All-in-One solutions
- Distributed: Console, Flow processor, Event processor, Qflow collector
- Many upgrade possibilities
- HA and DR options
Smallest all-in-one appliance pricing starts with 30K Euro – ends with …… depends on everything
"Data Security Solutions" can help
Specialization – IT Security:
- IT Security consulting (vulnerability assessment tests, security audit, new systems integration, HR training, technical support)
- Innovative & selected software / hardware & hybrid solutions from leading technology vendors from over 10 different countries
Think security first
www.dss.lv
firstname.lastname@example.org
+371 2 9162784