These aren't the logs you’re looking for... Learn the Basics of Security Monitoring.

Security monitoring is vital to the health of today’s “always on” organizations. Without effective monitoring, you’re just flying blind and giving threats a hall pass. But, where do you start? What if you don’t have the budget to build a monitoring capability the size of a death star, much less an army of storm troopers to staff its operations?

  • My story about doing IDS monitoring and not having the faintest clue what it was…
  • What is monitoring all about? Why do we do it… what is it meant to achieve? Is the purpose just to bore sysadmins to death?
  • Most importantly, define what the objective of monitoring is. Without a goal you can’t score… too many organizations will rush out to buy a SIEM-type product and then get all their logs nicely correlated but still have little to no idea what they’re supposed to do with it all.
  • So let's break it down – from a business aspect, decide what is important – what are the assets of most concern?
  • Is it your sales data in Salesforce? Is it your secret recipe? (Quote about selling more beer.) Once you have that information, you are very well placed to know where to deploy monitoring controls and exactly what you’re looking out for.
  • This is where a lot of companies may turn around and say they don’t have the budget needed to deploy expensive and extensive tools and products. That may be true, but there are plenty of things you can do that can give you decent monitoring with nothing more than a chewing gum wrapper, a pair of tweezers and creativity. First off, there are generally auditing / monitoring capabilities built into most products. If you know what your assets are, you can probe those logs.
  • Story of our password vault, which was envelopes, signed and taped, to give a poor man's tamper-evidence seal.
  • Honeypots, traps, etc.: creating dummy users in Salesforce, putting dummy secret documents on the network. Nothing legitimate should ever touch these, so any access to them is a signal worth looking at.
  • Engaging your user population… If you see something, say something. A lot of things have been spotted by humans… e.g. the app is slow in responding, the servers are rebooting themselves, etc.
  • Start by disabling all logs… then turn on, one by one, the things that you are interested in or think you’ll need. Use common attack method knowledge to filter out the noise. Regularly review what you are doing and ask why you’re doing it.
  • Get familiar with your logs and what they look like – get your business familiar with how things should look…
  • Once you’ve found an event of interest, what are you going to do next? This is where you need to have a process in place to report to the relevant people in a consistent manner – consistency is king. Share information widely so the whole organization can benefit from it… maybe there’s something finance can do, or the guy who looks after the mail server can do, to help stop these things happening again.
  • Then it needs to be responded to… this delves a little into incident response – but someone has to respond, and if you have a good process in place that is agreed upon in advance, it helps stop rash decisions being made in the heat of the moment. What you do need to have, though, is a way by which you can monitor and validate that a response has had the desired effect and fixed the underlying issue while at the same time not introducing anything else undesirable.
  • Log files are the evidence locker of what’s really going on in your network, so it’s vital that organizations continuously monitor and analyze this data because you can’t control what you can’t see!
  • Log data is generated throughout the IT infrastructure -- web server logs, operating system logs, application logs, firewall logs, and more. Without the proper tools and processes in place, IT professionals can quickly become buried by the sheer volume. And, the critical information residing in those logs may never come to light.
  • IT pros face more and more pressure to detect and mitigate threats in real-time or near real-time. Unfortunately, a common scenario among organizations of all sizes and industries is the large amount of data that has to be collected, sorted, and analyzed in order to derive actionable security intelligence and truly assess the organization’s security posture.
  • Today’s security management can be overwhelming. The fact is IT pros need an easier way to address an ever-evolving threat landscape without neglecting the multitude of other daily IT responsibilities. Automated log collection from anywhere data is generated within the IT infrastructure (network devices, security devices, applications, databases, virtual machines, cloud, and more); device log consolidation with a centralized location to store device logs; 24/7 security monitoring for suspicious or malicious activities; real-time, in-memory event correlation to instantly view a security breach, correlating logs across disparate devices to provide a big-picture view of network activity, with nearly 700 built-in correlation rules for visibility right out of the box; built-in active responses to instantly and automatically take action to remediate a threat, such as blocking an IP, killing a process, or logging off a user; an advanced, easy-to-use search interface with drag-and-drop simplicity, data visualization, and drill-down details for fast and effective forensic analysis; over 300 pre-packaged, “audit-proven” security and compliance templates including PCI, HIPAA, SOX, GLBA and many more, with out-of-the-box rules and reporting for virtually all of the major regulatory industries; and USB-Defender® technology that protects sensitive data with real-time monitoring, device detection, notification, and the ability to block usage.
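The honeytoken and "filter out the noise" ideas from the notes above, as an added example that is not part of the talk: a small script that scans access-log lines for any touch of a decoy account or decoy document, after dropping sources whose activity is already understood. The log format, decoy names, noise source and log lines are all constructed for illustration.

```python
"""Honeytoken alerting over access logs (added example, not from the talk).

Two ideas from the speaker notes: nothing legitimate should ever reference a
decoy user or decoy document, so any access to one is an alert; and known-noise
sources (e.g. the vulnerability scanner) are filtered first so what remains is
worth a human's time. Everything below is constructed for illustration.
"""
import re

# Constructed decoys: a dummy Salesforce-style account and a dummy "secret" file.
DECOY_USERS = {"svc_backup_legacy"}
DECOY_FILES = {"/shares/finance/secret_recipe.docx"}

# Constructed noise: sources whose activity is expected and already understood.
KNOWN_NOISE_SOURCES = {"10.0.0.5"}  # hypothetical internal vulnerability scanner

# Constructed log format: "<ts> src=<ip> user=<name> action=<verb> target=<path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+)$"
)

def parse(line):
    """Return the event fields as a dict, or None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def honeytoken_alerts(lines):
    """Return (kind, src, what, ts) alerts for decoy access, noise sources excluded."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["src"] in KNOWN_NOISE_SOURCES:
            continue  # unparsable or known-noise: drop before it reaches a human
        if ev["user"] in DECOY_USERS:
            alerts.append(("decoy-user", ev["src"], ev["user"], ev["ts"]))
        if ev["target"] in DECOY_FILES:
            alerts.append(("decoy-file", ev["src"], ev["target"], ev["ts"]))
    return alerts

SAMPLE_LOG = [  # constructed sample lines
    "2013-05-01T09:00:01Z src=10.0.0.5 user=scanner action=read target=/shares/finance/secret_recipe.docx",
    "2013-05-01T09:05:12Z src=10.0.0.42 user=alice action=read target=/shares/finance/q1.xlsx",
    "2013-05-01T09:07:40Z src=192.168.3.9 user=svc_backup_legacy action=login target=-",
    "2013-05-01T09:08:03Z src=192.168.3.9 user=svc_backup_legacy action=read target=/shares/finance/secret_recipe.docx",
]

if __name__ == "__main__":
    for kind, src, what, ts in honeytoken_alerts(SAMPLE_LOG):
        print(f"ALERT {kind}: {what} touched from {src} at {ts}")
```

The scanner's read of the decoy file is suppressed as known noise; the two events from 192.168.3.9 produce three alerts, which is the "consistent report to the relevant people" the notes ask for.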

    1. Javvad Malik, Senior Security Analyst
    2. The 451 Group: a global syndicated research, data, advisory, certification, and professional services firm providing thought leadership and direct business value to the emergent digital infrastructure industry.
    3. These aren’t the logs you’re looking for
    4. IDS monitoring days
    5. Security monitoring
    6. Goal of security monitoring
    7. Deciding what to monitor
    8. Identify your assets. Visibility of your assets is important. Document assets. Prioritize assets.
    9. No fancy tools, no problem
    10. Using what’s available
    11. HoneyX
    12. Human Sensor
    13. Filter out the noise
    14. Get to know your environment. Do you know what your environment usually looks like? Can you spot anomalies?
    15. Reporting
    16. Responding
    17. Summary: Be clear on what you’re monitoring and why. Clearly define roles. Share information.
    18. Thank you. Javvad Malik, Senior Analyst, 451 Research, @J4vv4D
    19. SolarWinds® Log & Event Manager: Security Information & Event Management. SIEM Made Simple. © 2013 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
    20. You Can’t Control What You Can’t See!
    21. Make Your Log Files Work for You. Your IT infrastructure’s log files hold the key for mitigating threats and thwarting attacks, but only if they’re handled properly.
    22. Find the Needle in the Haystack—Fast. IT professionals are under increased pressure to quickly detect and respond to threats, which requires turning raw log data into actionable security intelligence, and fast!
    23. How SolarWinds Log & Event Manager Can Help. SolarWinds Log & Event Manager is a comprehensive, easy-to-use security information and event management (SIEM) solution in an affordable all-in-one virtual appliance, providing automated 24x7 log monitoring, analysis, alerting, reporting, and response: automatic collection, analysis, and storage of all log data; real-time event correlation for immediate threat detection; built-in Active Responses for automated remediation; advanced search and data visualization for fast and easy forensics; pre-packaged templates for simplified compliance reporting; hundreds of out-of-the-box filters, rules, searches, and reports. SECURITY EXPERTISE NOT REQUIRED! Security Monitoring and Response Made Easy.
    24. Be in the Know and Stay in Control at All Times! Get the information you need, when you need it, to stop threats and overcome the increasing security and compliance challenges faced each day.
    25. SolarWinds Log & Event Manager Demo
    26. Try Log & Event Manager for Free! Yes, FREE! Download a free, fully functional 30-day trial.
    27. Additional Resources: SolarWinds Log & Event Manager Overview; SolarWinds Log & Event Manager Guided Tour; Why & How of Workstation Monitoring with Log & Event Manager; Combat Security Threats with SolarWinds LEM's Active Responses; Case Study: SolarWinds LEM & EasyStreet; Case Study: SolarWinds LEM & United States Postal Service Federal Credit Union.
    28. Trademark. The SOLARWINDS and SOLARWINDS & Design marks are the exclusive property of SolarWinds Worldwide, LLC, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks, registered or pending registration in the United States or in other countries. All other trademarks mentioned herein are used for identification purposes only and may be or are trademarks or registered trademarks of their respective companies.