• Introduction
• Types of SIEM
• SIEM vs SEM vs SIM
• Life Cycle
• High level architecture
• Low level design
• Key Requirements
• Security Log analysis
• Security Log monitoring
• NIST Guidelines
SIEM?
• Security Information and Event Management: refers to the process of centralized security log management with analysis, reporting and alerting functions.
• Security Information: an event or a record related to security devices, or an event that belongs to the security of the IT systems or devices.
• Security Event: an occurrence or activity in the system related to security.
Introduction - contd.
Why SIEM?
• To improve log analysis
• To support incident analysis
• To improve incident response
• To support forensic investigations
• To support regulatory compliance
• To support internal process adherence and audit requirements
Introduction - contd.
Why is Log Management important?
• To generate logs for what is worth logging
• To support operation, maintenance and troubleshooting
• To transmit filtered logs in a secured fashion
• To decide what logs should be stored and for how long (log retention)
• To store logs appropriately, in a secured fashion
• To ensure the relevant security metrics are triggered by appropriate logs
• To enhance threat discovery
SIEM vs SIM vs SEM
SIM, SIEM and SEM are often used interchangeably. Are they the same?
• SEM: real-time monitoring and event management to support IT security operations. SEM requires several capabilities: event and data collection, aggregation and correlation in near real time; a dynamic monitoring/security event console for viewing and managing events; and automated response generation for security events.
• SIM: historical analysis and reporting for security event data. This requires event and data collection/correlation (but not in real time), an indexed repository for log data and flexible query and reporting capabilities.
• SIEM = SIM + SEM
SIEM
Agent based collection
• Special software is needed to collect logs
• Collection/Filtering/Aggregation/Normalization happen in the agent
• Implementation challenges due to the different agents required to process different formats
• Real-time or near-real-time logs
Plug and Play
• End systems can push logs to the SIEM, or the SIEM can pull logs from the log sources
• Collection/Filtering/Aggregation/Normalization happen in the SIEM
• Performance impact on the SIEM
• Real-time or near-real-time logs
High level architecture (diagram)
• Log Sources: universal device support, third-party collection
• Log Collection: agent collection, log storage
• Data Process (Data Management): normalization/compression, consolidation
• Analysis (Data Analysis): intelligent event and payload inspection, correlation and alerting, base-line and reporting engine, other analytics
• User interface: ticketing system, e-mail, console, SOC
Low level design (diagram)
Log Sources → Log Collection (agent collection, filtering, normalization, aggregation) → Analysis (correlation, attack context info) → Alert (e-mail, console, ticketing system, report); storage alongside the pipeline.
Log Analysis
Studying log entries to identify events of interest or suppress log entries for insignificant events.
(diagram) Correlation structure: event correlation against a vulnerability database and historical events, and correlation of security policy and observations, producing alerts/reports; message inputs via SMTP, SNMP, XML and proprietary formats; analysis types: behavior analysis, statistical analysis, structural analysis, functional analysis; baseline of multiple events.
Critical Success Factors - Security Log Analysis
• Observe: study the logs to filter unwanted noise and to understand the very nature of the system.
• Brainstorm / Mining: mining the logs leads to understanding beyond the level of good or bad. Read the logs to know the behavior of the system in various situations.
• Understand the insight: the objective of the log trigger may or may not achieve its worthiness, so we need to understand the insight of the logs.
• Classify: once you understand the insight you will be able to classify the logs.
• Prioritize: prioritization is a vital part of detection, as you might miss a log due to poor prioritization.
Security Log Monitoring - Approach
• Map Requirements: compliance; regulatory requirements
• Declare Use case: scenario of the event; appropriate reaction
• Match Criteria: appropriate criteria to understand the reality or the degree of the occurrence
• Declare Priority: based on pre-defined procedure or incident nature
• Notify: alert the operations team to take action
• Post Incident review: the logs should be monitored for recurrence
• Closure: closure should be captured in the KB for future reference
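As an added example (not from the deck), the collection-to-notify flow in Python: constructed log lines from two source formats are normalized to one schema, noise is filtered, events are aggregated per source and correlated against a failure baseline, and a priority is declared for the alert. The log formats, the threshold of 2 and the "repeated auth failures" use case are assumptions for illustration.

```python
import json
import re
from collections import defaultdict
# Constructed sample log lines in two source formats (not taken from the deck).
RAW_LOGS = [
    "Mar 10 09:01:02 host1 sshd[2201]: Failed password for root from 10.0.0.5 port 5001",
    "Mar 10 09:01:07 host1 sshd[2201]: Failed password for root from 10.0.0.5 port 5002",
    '{"host": "vpn1", "action": "login_failed", "user": "root", "src": "10.0.0.5"}',
    "Mar 10 09:01:15 host1 sshd[2201]: Accepted password for admin from 10.0.0.5 port 5004",
    "Mar 10 09:02:00 host1 sshd[2201]: Failed password for bob from 10.0.0.9 port 6001",
]
SSHD_RE = re.compile(r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")

def normalize(line):
    """Normalization: map each source format onto one common event schema."""
    if line.startswith("{"):  # JSON-style source (hypothetical VPN appliance)
        rec = json.loads(line)
        outcome = "failure" if rec["action"] == "login_failed" else "success"
        return {"host": rec["host"], "user": rec["user"], "src": rec["src"], "outcome": outcome}
    m = SSHD_RE.search(line)  # syslog-style sshd source
    if not m:
        return None  # Filtering: lines that are noise for this use case are suppressed
    return {"host": line.split()[3], "user": m["user"], "src": m["src"],
            "outcome": "failure" if m["outcome"] == "Failed" else "success"}

def correlate(events, baseline_failures=2):
    """Aggregate per source, then correlate failures above the baseline with a later success."""
    per_src = defaultdict(lambda: {"failures": 0, "users": set(), "success_after": False})
    for ev in events:
        state = per_src[ev["src"]]
        if ev["outcome"] == "failure":
            state["failures"] += 1
            state["users"].add(ev["user"])
        elif state["failures"] > 0:  # a success only matters after earlier failures
            state["success_after"] = True
    alerts = []
    for src, state in per_src.items():
        if state["failures"] <= baseline_failures:
            continue  # within baseline: insignificant, no alert raised
        # Declare priority from the matched criteria; the alert is what gets notified
        priority = "high" if state["success_after"] else "medium"
        alerts.append({"src": src, "failures": state["failures"], "users": sorted(state["users"]),
                       "priority": priority, "use_case": "repeated auth failures"})
    return alerts

def run_pipeline(lines=RAW_LOGS):
    """Collection -> normalization/filtering -> aggregation/correlation -> alerts."""
    return correlate([ev for ev in map(normalize, lines) if ev])
```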
NIST Guidelines - Security Log Management
To establish and maintain successful log management infrastructures, an organization should perform significant planning and other preparatory actions for performing log management. This is important for creating consistent, reliable, and efficient log management practices that meet the organization's needs and requirements and also provide additional value.
SECURITY IS A PROCESS, NOT A PRODUCT!
http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92