Security Information and Event Management


SIEM Best Practice

Published in: Design, Technology

  1. S.Periyakaruppan
  2. Agenda
     • Introduction
     • Types of SIEM
     • SIEM vs SEM vs SIM
     • Life cycle
     • High level architecture
     • Low level design
     • Key requirements
     • Security log analysis
     • Security log monitoring
     • NIST guidelines
  3. SIEM??
     • Security Information and Event Management: refers to the process of centralized security log management with analysis, reporting and alerting functions.
     • Security information: an event or a record related to security devices, or an event belonging to the security of the IT systems or devices.
     • Security event: an occurrence or activity in the system related to security.
  4. Introduction - contd. Why SIEM???
     • To improve log analysis
     • To support incident analysis
     • To improve incident response
     • To support forensic investigations
     • To support regulatory compliance
     • To support internal process adherence and audit requirements
  5. Introduction - contd. Why is log management important???
     • To generate logs for what is worth logging
     • To support operations, maintenance and troubleshooting
     • To transmit filtered logs in a secured fashion
     • To decide what should be stored and for how long (log retention)
     • To store logs appropriately, in a secured fashion
     • To ensure the relevant security metrics are triggered by appropriate logs
     • To enhance threat discovery
  6. SIEM vs SIM vs SEM. SIM, SIEM and SEM are often interchanged in meaning... Are they the same?????
     • SEM: real-time monitoring and event management to support IT security operations. SEM requires several capabilities: event and data collection, aggregation and correlation in near real time; a dynamic monitoring/security event console for viewing and managing events; and automated response generation for security events.
     • SIM: historical analysis and reporting for security event data. This requires event and data collection/correlation (but not in real time), an indexed repository for log data, and flexible query and reporting capabilities.
     • SIEM = SIM + SEM
  7. SIEM collection models (two-column slide)
     • Agent based collection: special software is needed to collect logs; collection/filtering/aggregation/normalization happens in the agent; implementation challenges arise because different agents are required to process different formats; real-time or near real-time logs.
     • Plug and play: the end system can push logs to the SIEM, or the SIEM can pull logs from the log sources; collection/filtering/aggregation/normalization happens in the SIEM; performance impact on the SIEM; real-time or near real-time logs.
  8. SIEM & LM - life-cycle (cycle diagram; stages as labelled): Notify, Identify, React, Analyze, Monitor, Collect, Trigger
  9. Key requirements - SIEM
  10. High level architecture (diagram; recoverable labels only)
     • Log sources: universal device support, agent collection, third party collection
     • Log collection / data management: intelligent storage and payload inspection, log storage, normalization/compression
     • Data process / data analysis: correlation, base-line and other analytics, normalization, other analytics
     • Analysis / user interface: console, alerting, reporting engine, ticketing system, e-mail system, consolidation, SOC
  11. Low level design (diagram; recoverable labels only): Log sources → Log collection (agent collection, log source collection) → Data process (filtering, normalization, aggregation, correlation) → Analysis (attack context info, alert) → Console, e-mail, ticketing system, report, storage
  12. Log analysis: studying log entries to identify events of interest, or to suppress log entries for insignificant events.
     Correlation structure (diagram; recoverable labels only):
     • Inputs: SMTP, SNMP, XML, proprietary message
     • Knowledge used for correlation: vulnerability database and historical events; security policy and observations
     • Analysis types: behavior analysis, statistical analysis, baseline of multiple events, structural analysis, functional analysis
     • Event correlation → alerts/reports
  13. Critical success factors - security log analysis
     • Observe: study the logs to filter out unwanted noise and to understand the very nature of the system.
     • Brainstorm / mining: mining the logs leads to understanding beyond the level of good or bad. Read the logs to know the behavior of the system in various situations.
     • Understand the insight: the objective of the log trigger may or may not achieve its worth, so we need to understand the insight the logs give.
     • Classify: once you understand the insight you will be able to classify the logs.
     • Prioritize: prioritization is a vital part of detection, as you might miss a log due to poor prioritization.
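The collection and analysis tiers on slides 7 and 10 to 13 (normalizing different source formats, aggregating repeats, correlating events into an alert, then classifying and prioritizing) can be shown end to end in one small pipeline. The following Python is an added example written for this page, not code from the presentation. The two input formats (an sshd syslog line and a Windows-style CSV export using logon event IDs 4624 and 4625), the hostnames, users and TEST-NET addresses are constructed sample input, the syslog year is assumed, and the correlation rule (three or more failures followed by a success from the same source inside a two-minute window) is an illustrative rule, not one the slides specify.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events in two source formats; hosts, users and addresses
# are hypothetical (TEST-NET ranges), not taken from any real system.
RAW_LOGS = [
    "Jan 10 09:15:01 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Jan 10 09:15:05 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Jan 10 09:15:09 web01 sshd[2240]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2",
    "2024-01-10T09:15:30Z,web02,4625,203.0.113.7,admin,An account failed to log on",
    "2024-01-10T09:15:42Z,web02,4624,203.0.113.7,admin,An account was successfully logged on",
    "Jan 10 09:20:00 web01 sshd[2301]: Accepted password for alice from 198.51.100.5 port 40012 ssh2",
    "Jan 10 09:21:00 web01 CRON[44]: (root) CMD (run-parts /etc/cron.hourly)",  # noise, filtered out
]

SYSLOG_YEAR = 2024  # syslog lines carry no year; assumed for this sample

SSHD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)
WIN_EVENT_OUTCOME = {"4624": "success", "4625": "failure"}  # Windows logon event IDs


def parse_line(line):
    """Normalize one raw line into the common schema, or return None for noise."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(
            f"{m['mon']} {m['day']} {m['time']} {SYSLOG_YEAR}", "%b %d %H:%M:%S %Y"
        ).replace(tzinfo=timezone.utc)
        return {"ts": ts, "host": m["host"], "source_ip": m["ip"], "user": m["user"],
                "outcome": "failure" if m["outcome"] == "Failed" else "success",
                "format": "syslog", "raw": line}
    parts = line.split(",")
    if len(parts) == 6 and parts[2] in WIN_EVENT_OUTCOME:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return {"ts": ts, "host": parts[1], "source_ip": parts[3], "user": parts[4],
                "outcome": WIN_EVENT_OUTCOME[parts[2]], "format": "csv", "raw": line}
    return None  # filtering: not a logon event this pipeline cares about


def normalize(lines):
    """Collection + filtering + normalization: keep parsable logon events, time-ordered."""
    events = [e for e in (parse_line(line) for line in lines) if e is not None]
    return sorted(events, key=lambda e: e["ts"])


def aggregate(events):
    """Aggregation: collapse repeats per (source_ip, outcome) into one summary record."""
    summary = {}
    for e in events:
        key = (e["source_ip"], e["outcome"])
        rec = summary.setdefault(key, {"count": 0, "first_seen": e["ts"],
                                       "last_seen": e["ts"], "hosts": set()})
        rec["count"] += 1
        rec["first_seen"] = min(rec["first_seen"], e["ts"])
        rec["last_seen"] = max(rec["last_seen"], e["ts"])
        rec["hosts"].add(e["host"])
    return summary


def correlate(events, threshold=3, window=timedelta(minutes=2)):
    """Event correlation across hosts: a success preceded by >= threshold failures
    from the same source inside the window becomes one finding (assumed rule)."""
    failures = defaultdict(list)  # source_ip -> timestamps of recent failures
    findings = []
    for e in events:  # events are already time-ordered
        ip = e["source_ip"]
        if e["outcome"] == "failure":
            failures[ip].append(e["ts"])
            continue
        recent = [t for t in failures[ip] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            findings.append({"source_ip": ip, "failures": len(recent), "user": e["user"],
                             "host": e["host"], "ts": e["ts"],
                             "rule": "password_guessing_then_success"})
            failures[ip].clear()  # one finding per burst, not one per later success
    return findings


if __name__ == "__main__":
    evts = normalize(RAW_LOGS)
    for key, rec in aggregate(evts).items():
        print(key, rec["count"], sorted(rec["hosts"]))
    for finding in correlate(evts):
        print(finding)
```

The aggregation step is where "consolidation/compression" from slide 10 happens: four near-identical failure lines become one record with a count, first/last seen and the set of hosts hit. The correlation step only fires on the success event, which is the "event of interest" the slide 12 definition asks the analyst to isolate; the CRON line is the "insignificant event" it asks to suppress.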
  14. Security log monitoring - approach
     • Map requirements: compliance and regulatory requirements
     • Declare use case: scenario of the event; appropriate reaction
     • Match criteria: appropriate criteria to understand the reality or the degree of the occurrence
     • Declare priority: based on a pre-defined procedure or the nature of the incident
     • Notify: alert the operations team to take action
     • Post incident review: the logs should be monitored for recurrence
     • Closure: the closure should be captured in the KB for future reference
  15. Critical success factors - security log monitoring
  16. NIST guidelines - security log management: to establish and maintain successful log management infrastructures, an organization should perform significant planning and other preparatory actions for performing log management. This is important for creating consistent, reliable, and efficient log management practices that meet the organization's needs and requirements and also provide additional value. SECURITY IS A PROCESS, NOT A PRODUCT!!!!!!!!!!!
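The monitoring approach on slide 14 (map requirements, declare use case, match criteria, declare priority, notify, post-incident review, closure) is easiest to see as a small use-case registry run over already-normalized events. The following Python is an added example, not part of the presentation: the three use cases, their requirement mappings (placeholders), the sample events, and the escalation rule (an alert whose earlier incident was closed in the KB recurs at one priority step higher) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List

# Constructed, already-normalized events, as the collection tier would hand them to
# monitoring. Hosts, users and addresses are hypothetical.
EVENTS = [
    {"ts": 1, "host": "db01", "user": "svc_backup", "action": "privilege_change", "detail": "added to sudo"},
    {"ts": 2, "host": "web01", "user": "alice", "action": "logon", "outcome": "failure", "source_ip": "203.0.113.7"},
    {"ts": 3, "host": "web01", "user": "alice", "action": "logon", "outcome": "failure", "source_ip": "203.0.113.7"},
    {"ts": 4, "host": "web01", "user": "alice", "action": "logon", "outcome": "failure", "source_ip": "203.0.113.7"},
    {"ts": 5, "host": "fw01", "user": "bob", "action": "config_change", "detail": "rule 17 disabled"},
]


@dataclass
class UseCase:
    name: str
    requirement: str                               # Map requirements: compliance/regulatory driver
    scenario: str                                  # Declare use case: what the event looks like
    reaction: str                                  # Declare use case: the appropriate reaction
    match: Callable[[List[dict]], List[dict]]      # Match criteria: one dict per hit, each with a "key"
    base_priority: str                             # Declare priority: from the pre-defined procedure


def failed_logon_burst(events, limit=3):
    """Criteria: at least `limit` logon failures for one account from one source."""
    counts = {}
    for e in events:
        if e.get("action") == "logon" and e.get("outcome") == "failure":
            k = (e["user"], e["source_ip"])
            counts[k] = counts.get(k, 0) + 1
    return [{"key": f"{u}@{ip}", "count": c} for (u, ip), c in counts.items() if c >= limit]


def privilege_changes(events):
    """Criteria: any account gaining administrative rights."""
    return [{"key": f"{e['user']}@{e['host']}", "detail": e["detail"]}
            for e in events if e.get("action") == "privilege_change"]


def firewall_changes(events):
    """Criteria: configuration changes on hosts named as firewalls (assumed naming)."""
    return [{"key": f"{e['host']}:{e['detail']}", "user": e["user"]}
            for e in events if e.get("action") == "config_change" and e["host"].startswith("fw")]


USE_CASES = [
    UseCase("UC-01 repeated logon failures", "regulatory logon-auditing requirement (placeholder)",
            "several failures for one account from one source",
            "verify with the account owner; block the source if unauthorized",
            failed_logon_burst, "medium"),
    UseCase("UC-02 privilege escalation", "internal change-control policy (placeholder)",
            "an account gains administrative rights", "confirm a change ticket exists",
            privilege_changes, "high"),
    UseCase("UC-03 firewall rule change", "internal change-control policy (placeholder)",
            "a firewall rule is disabled or altered", "confirm a change ticket; restore the rule if not",
            firewall_changes, "high"),
]

PRIORITY_ORDER = ["low", "medium", "high", "critical"]


def escalate(priority):
    """Raise a priority by one step; 'critical' stays 'critical'."""
    i = PRIORITY_ORDER.index(priority)
    return PRIORITY_ORDER[min(i + 1, len(PRIORITY_ORDER) - 1)]


def monitor(events, use_cases, knowledge_base):
    """Run every declared use case and assign a priority. Post-incident review: a hit
    whose earlier incident is already closed in the KB is a recurrence and escalates."""
    alerts = []
    for uc in use_cases:
        for hit in uc.match(events):
            closure = knowledge_base.get((uc.name, hit["key"]))
            priority = escalate(uc.base_priority) if closure else uc.base_priority
            alerts.append({"use_case": uc.name, "key": hit["key"], "priority": priority,
                           "reaction": uc.reaction, "recurrence_of": closure})
    return alerts


def notify(alerts):
    """Notify: one message per alert for the operations team."""
    return [f"[{a['priority'].upper()}] {a['use_case']} ({a['key']}): {a['reaction']}" for a in alerts]


def close_incident(knowledge_base, use_case, key, closure_note):
    """Closure: record how the incident was resolved so recurrence is recognisable."""
    knowledge_base[(use_case, key)] = closure_note


if __name__ == "__main__":
    kb = {}
    for msg in notify(monitor(EVENTS, USE_CASES, kb)):
        print(msg)
    close_incident(kb, "UC-01 repeated logon failures", "alice@203.0.113.7", "user mistyped password; no action")
    for msg in notify(monitor(EVENTS, USE_CASES, kb)):  # same events again: UC-01 now escalated
        print(msg)
```

Each UseCase record carries the slide's first four steps as data (requirement, scenario, reaction, criteria, priority), so adding a use case never means touching the monitoring loop. The knowledge base is the "closure captured in KB" step, and reading it back inside `monitor` is what turns "monitor the logs for recurrence" into an automatic check rather than an analyst's memory.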