How to Leverage Log Data for Effective Threat Detection
Event logs provide valuable information for troubleshooting operational errors and investigating potential security exposures. They are the bread crumbs of the IT world. As a result, a commonly used approach is to collect logs from everything connected to the network "just in case", without thinking about which data is actually useful. But, as you are likely aware, the "collect everything" approach can actually make threat detection and incident response harder, because you end up wading through massive amounts of irrelevant data.
Join us for this session to learn practical strategies for defining what you actually need to collect (and why) to improve threat detection and incident response and satisfy compliance requirements. In this session, you'll learn:
* What log data you always need to collect, and why
* Best practices for network, perimeter and host monitoring
* Key capabilities that ensure easy, reliable access to logs for incident response efforts
* How to use event correlation to detect threats and add valuable context to your logs

Speaker notes
  • We leverage technology in our effort to simplify things, but we introduce new problems in the process. And sometimes the learning curve is just too steep. (Revision notes: articulate the challenge and how it ties in to the overall concept more clearly; express the volume-of-data challenge more specifically; also emphasize the human element required for making a SIEM effective. This slide ran too long, shorten it up. Add transitions.)
  • In the business world, we have people and technology coming together to try to meet the business objective; the human error factor mixes with technology error, and suddenly we have a big mix of information that is difficult to manage. Sometimes honest mistakes appear to have malicious intent, while real malicious intent gets overlooked entirely. (Revision note: this slide ran too long, shorten it up.)
  • The traditional approach to log management says “collect logs from everything connected to the network and let some back-end analysis process figure out what’s important.” So how far do we take this? Should we audit and correlate print jobs? I guess there could be a use case for identifying gross misuse of printing resources. How much value are you really getting out of all these logs? (Revision note: add transitions.)
  • (Revision note for the “Is there a better way?” slide: it was up for too much time. Break it out into three slides, why, what and who, and add transitions for each.)
  • This is a best practice, by the way. We always recommend collecting firewall permit logs to get visibility into what is coming into the network. If your use case were “I need to identify misconfigured systems on my network”, collecting firewall deny events would help you get there. Point out that firewall denies represent action already taken: a deny is the record of a blocked attempt, while a permit from a known-bad source is traffic that actually got in. (Revision note: use screenshots of the product and forego the demo.)
  • Switches generate lots of information. A small percentage of it is security relevant. We have to make a cognizant effort to identify the relevant information.
  • This is also a best practice. We always recommend collecting OS audit logs to get visibility into who is accessing your assets. Paying special attention to privileged accounts is critical. (Revision note: include specific references, numbers and percentages to illustrate the issue.)
  • Switches and routers generate lots of information. A small percentage of it is security relevant. We have to make a cognizant effort to identify the relevant information.
  • In fact, AlienVault offers the only unified security management solution, bringing together the five essential security capabilities you need for complete security visibility. This translates into rapid time to value: faster and easier audits, targeted remediation, and more seamless incident response.
  • AlienVault Labs delivers 8 coordinated rulesets, fueled by the collective power of the Open Threat Exchange, to drive the USM security capabilities and identify the latest threats, resulting in the broadest view of attacker techniques and effective defenses.

Transcript

  • 1. HOW TO LEVERAGE LOG DATA FOR EFFECTIVE THREAT DETECTION Tom D’Aquino – Sr. Security Engineer
  • 2. AGENDA
    The Challenge
    • Getting adequate security visibility for your small or medium business
    The Widely Pursued Solution
    • The traditional approach to Log Management/SIEM
    • The cost/benefit analysis
    An Alternative Approach
    • Who, What and Why is the key
    The Wrap Up
    • Unified Security Management
    • AlienVault’s Threat Intelligence Labs
    Questions & Answers as time permits
  • 3. HUMANS MEET TECHNOLOGY
  • 4. HUMANS MEET TECHNOLOGY Something is down? YouTube is up though.
  • 5. THE WIDELY PURSUED SOLUTION
    The traditional approach to Log Management/SIEM:
    • Collect everything
    • Analyze everything
    • Correlate everything
    • Store everything
  • 6. BUT AT WHAT HARDWARE COST?
    How much storage, CPU and RAM will you need to collect, correlate and store all of this data?
    • High-performance storage is not cheap
    How effective is the automated analysis, i.e. correlation, really going to be?
    • Correlation is CPU and memory intensive
    • This is a case of garbage in, garbage out
  • 7. AND AT WHAT HUMAN RESOURCE COST?
    How effective is your team really going to be?
    • Can one person realistically review 10,000 alerts in a day?
  • 8-10. IS THERE A BETTER WAY? (built up over three slides: Why, What, Who)
    What if we took a more strategic approach by identifying the problem more effectively?
    Why do you need the logs?
    • Do you have an intended result in mind?
    What logs will you need to get that result?
    • e.g., will authentication logs suffice?
    Who will the logs you collect pertain to?
    • Is there a specific user group/community you should be focused on?
  • 11. LET’S LOOK AT SOME EXAMPLES
    Why do you need firewall logs?
    • I need to see what is getting into my network
    What logs will you need to get that result?
    • Firewall permit logs
    Who will the logs you collect pertain to?
    • I’m most significantly concerned with blacklisted IPs/domains
  • 12. EXAMPLE ILLUSTRATED [screenshots not reproduced in the transcript]: you are probably only seeing these (deny events, where the firewall has already acted) when you should be looking for this (a permit event from a blacklisted source).
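The firewall example from slides 11 and 12 as detection logic, added here as an illustration; it is not code from the presentation or from AlienVault's product. The log lines are constructed in a generic netfilter/syslog-like layout, the blocklist uses made-up documentation addresses, and the regex is an assumption to be adapted to your firewall's real format. It goes one step beyond the slide by also flagging outbound permits to a blocklisted destination, since the same lookup answers "what got out" as well as "what got in".

```python
"""Filter firewall PERMIT events against a blocklist of IPs/CIDRs.

Added example, not code from the original presentation or from AlienVault.
Log lines, blocklist entries and the line layout are all constructed
assumptions; adapt LINE_RE to your firewall's actual format.
"""
import ipaddress
import re

# Constructed blocklist (assumption): one network and one host.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed sample events. The DENY from a blocklisted host is the kind of
# event most teams already look at; the firewall already acted on it.
SAMPLE_LOGS = """\
Jan 10 09:01:02 fw1 kernel: PERMIT IN=eth0 SRC=203.0.113.45 DST=10.0.0.5 PROTO=TCP DPT=443
Jan 10 09:01:03 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=10.0.0.5 PROTO=TCP DPT=22
Jan 10 09:01:04 fw1 kernel: PERMIT IN=eth0 SRC=192.0.2.10 DST=10.0.0.8 PROTO=TCP DPT=80
Jan 10 09:01:05 fw1 kernel: PERMIT IN=eth0 SRC=198.51.100.7 DST=10.0.0.9 PROTO=UDP DPT=53
Jan 10 09:01:06 fw1 kernel: PERMIT OUT=eth0 SRC=10.0.0.5 DST=203.0.113.45 PROTO=TCP DPT=443
Jan 10 09:01:07 fw1 kernel: this line does not parse and must be skipped
"""

LINE_RE = re.compile(
    r"(?P<action>PERMIT|DENY)\s+(?P<dir>IN|OUT)=(?P<iface>\S+)\s+SRC=(?P<src>[\d.]+)\s+"
    r"DST=(?P<dst>[\d.]+)\s+PROTO=(?P<proto>\w+)\s+DPT=(?P<dport>\d+)"
)


def parse_event(line):
    """Return a dict for a recognised firewall line, or None for anything else."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def is_blocklisted(ip):
    """True when the address falls inside any blocklist entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKLIST)


def blocklist_hits(lines):
    """Keep only PERMIT events that involve a blocklisted address."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["action"] != "PERMIT":
            continue  # unparseable, or a DENY: the firewall already acted
        if ev["dir"] == "IN" and is_blocklisted(ev["src"]):
            ev["reason"] = "inbound_from_blocklist"
        elif ev["dir"] == "OUT" and is_blocklisted(ev["dst"]):
            ev["reason"] = "outbound_to_blocklist"
        else:
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for h in blocklist_hits(SAMPLE_LOGS.splitlines()):
        print(h["reason"], h["src"], "->", h["dst"], h["proto"], h["dport"])
```

On the constructed input this yields three hits out of six lines: two inbound permits from blocklisted sources and one outbound permit to one. The DENY is deliberately dropped, which is the point of slide 12.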
  • 13. EXAMPLES CONTINUED
    Why do you need OS logs?
    • I need to detect unauthorized access attempts and account lockouts
    What logs will you need to get that result?
    • OS authentication failure and account lockout logs
    Who will the logs you collect pertain to?
    • I’m most significantly concerned with admin-level accounts
  • 14. EXAMPLE ILLUSTRATED [screenshot not reproduced in the transcript]: multiple events indicate a single login.
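The OS example from slide 13 as a small correlation rule, added here as an illustration; it is not code from the presentation or from AlienVault's product. It scopes to the "who" (privileged accounts), consumes the "what" (failed logons and lockouts) and adds the correlation the session abstract promises: a success that follows a burst of failures. Assumptions, not taken from the page: Windows Security log event IDs (4625 failed logon, 4624 successful logon, 4740 lockout), a made-up set of admin account names, and constructed tab-separated records.

```python
"""Correlate OS authentication events, scoped to privileged accounts.

Added example; not code from the presentation or from AlienVault.
Assumptions: Windows Security log event IDs (4625 = failed logon,
4624 = successful logon, 4740 = account locked out), a constructed set
of admin account names, and constructed tab-separated records of the
form timestamp<TAB>event_id<TAB>account<TAB>source_ip.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "Who": the accounts we actually care about (constructed names).
ADMIN_ACCOUNTS = {"administrator", "svc_backup", "jdoe_adm"}

# "What": failures and lockouts, with a burst threshold and sliding window.
FAILED_LOGON, SUCCESS_LOGON, LOCKOUT = 4625, 4624, 4740
THRESHOLD = 5
WINDOW = timedelta(minutes=2)

# Constructed records: a burst against jdoe_adm that ends in a success,
# a burst against a non-admin user (out of scope), a lockout of a service
# account, and slow failures against administrator that never fill the window.
SAMPLE_EVENTS = """\
2024-01-10T09:00:00\t4625\tjdoe_adm\t10.1.1.50
2024-01-10T09:00:10\t4625\tjdoe_adm\t10.1.1.50
2024-01-10T09:00:20\t4625\tjdoe_adm\t10.1.1.50
2024-01-10T09:00:30\t4625\tjdoe_adm\t10.1.1.50
2024-01-10T09:00:40\t4625\tjdoe_adm\t10.1.1.50
2024-01-10T09:00:55\t4624\tjdoe_adm\t10.1.1.50
2024-01-10T09:05:00\t4625\tbob\t10.1.1.60
2024-01-10T09:05:05\t4625\tbob\t10.1.1.60
2024-01-10T09:05:10\t4625\tbob\t10.1.1.60
2024-01-10T09:05:15\t4625\tbob\t10.1.1.60
2024-01-10T09:05:20\t4625\tbob\t10.1.1.60
2024-01-10T09:30:00\t4740\tsvc_backup\t10.1.1.70
2024-01-10T10:00:00\t4625\tadministrator\t10.1.1.80
2024-01-10T10:03:00\t4625\tadministrator\t10.1.1.80
2024-01-10T10:06:00\t4625\tadministrator\t10.1.1.80
"""


def parse_events(text):
    """Yield event dicts from the constructed tab-separated records."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src = line.split("\t")
        yield {"ts": datetime.fromisoformat(ts), "id": int(event_id),
               "account": account.lower(), "src": src}


def correlate(events):
    """Return alerts as (kind, account, source_ip, timestamp) tuples."""
    alerts = []
    failures = defaultdict(deque)  # account -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = ev["account"]
        if acct not in ADMIN_ACCOUNTS:
            continue  # out of scope: not a privileged account
        if ev["id"] == LOCKOUT:
            alerts.append(("lockout", acct, ev["src"], ev["ts"]))
            continue
        recent = failures[acct]
        while recent and ev["ts"] - recent[0] > WINDOW:
            recent.popleft()  # drop failures that fell out of the window
        if ev["id"] == FAILED_LOGON:
            recent.append(ev["ts"])
            if len(recent) == THRESHOLD:  # alert once per burst, not per event
                alerts.append(("failure_burst", acct, ev["src"], ev["ts"]))
        elif ev["id"] == SUCCESS_LOGON and len(recent) >= THRESHOLD:
            # A success right after a burst is what a failures-only rule misses.
            alerts.append(("success_after_burst", acct, ev["src"], ev["ts"]))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for kind, acct, src, ts in correlate(parse_events(SAMPLE_EVENTS)):
        print(ts.isoformat(), kind, acct, src)
```

The three alerts on the constructed input are the jdoe_adm burst, the jdoe_adm success that follows it, and the svc_backup lockout. The bob burst is ignored because he is not in scope, and the administrator failures never produce an alert because they are three minutes apart and the window is two; tune THRESHOLD and WINDOW to your own lockout policy.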
  • 15. ONE MORE EXAMPLE
    Why do you need switch/router logs?
    • I need to see when someone logs into my network gear and makes config changes
    What logs will you need to get that result?
    • Authentication and authorization logs from my TACACS server would do the job
    Who will the logs you collect pertain to?
    • Anyone connecting to my network gear
  • 16. EXAMPLE ILLUSTRATED [screenshots not reproduced in the transcript]: you may have to process thousands of these (routine switch/router events) just to get one or two of these (a login to network gear followed by a configuration change).
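The switch/router example from slides 15 and 16 as a filter over TACACS+ command accounting, added here as an illustration; it is not code from the presentation or from AlienVault's product. The record layout is an assumption modelled on a tac_plus-style accounting line (one record per command with the NAS address, user and a `cmd=` field); vendors differ, so RECORD_RE is the part to adapt. The two thousand "show interfaces" records are generated to stand in for the thousands of routine events the slide mentions, and the one configuration session is constructed.

```python
"""Reduce TACACS+ command-accounting records to configuration changes.

Added example, not code from the presentation or from AlienVault. The
record layout is an assumption (tac_plus-like: timestamp, NAS address,
user, port, client address, record type, then key=value attributes with
the command last); all records below are constructed.
"""
import re
from collections import Counter

# Commands that only read state. Anything else is treated as a change.
READ_ONLY_PREFIXES = ("show ", "ping ", "traceroute ", "terminal ", "dir ")
READ_ONLY_EXACT = {"exit", "end", "enable", "disable", "logout"}

RECORD_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<nas>[\d.]+) (?P<user>\S+) "
    r"(?P<port>\S+) (?P<client>[\d.]+) (?P<type>\w+) (?P<attrs>.*)$"
)

# Constructed noise: a monitoring account polling "show interfaces" 2000 times.
NOISE = [
    f"Jan 10 08:{i // 60:02d}:{i % 60:02d} 10.0.0.2 netmon tty2 10.1.1.99 stop "
    f"task_id={i} service=shell priv-lvl=1 cmd=show interfaces <cr>"
    for i in range(2000)
]

# Constructed admin session: two read-only commands, then a config change.
SAMPLE_SESSION = [
    "Jan 10 09:00:01 10.0.0.1 jdoe tty1 10.1.1.50 stop task_id=101 service=shell priv-lvl=1 cmd=show version <cr>",
    "Jan 10 09:00:05 10.0.0.1 jdoe tty1 10.1.1.50 stop task_id=102 service=shell priv-lvl=1 cmd=show ip interface brief <cr>",
    "Jan 10 09:02:10 10.0.0.1 jdoe tty1 10.1.1.50 stop task_id=103 service=shell priv-lvl=15 cmd=configure terminal <cr>",
    "Jan 10 09:02:30 10.0.0.1 jdoe tty1 10.1.1.50 stop task_id=104 service=shell priv-lvl=15 cmd=no ip access-list extended EDGE-IN <cr>",
    "Jan 10 09:02:40 10.0.0.1 jdoe tty1 10.1.1.50 stop task_id=105 service=shell priv-lvl=15 cmd=end <cr>",
    "Jan 10 09:02:45 10.0.0.1 jdoe tty1 10.1.1.50 stop task_id=106 service=shell priv-lvl=15 cmd=write memory <cr>",
    "Jan 10 09:03:00 10.0.0.1 unparseable",
]


def parse_record(line):
    """Return a dict for one accounting record, or None if it does not parse."""
    m = RECORD_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    attrs, _, cmd = rec.pop("attrs").partition("cmd=")
    rec["cmd"] = cmd.replace("<cr>", "").strip()
    rec.update(kv.split("=", 1) for kv in attrs.split() if "=" in kv)
    return rec


def is_change(cmd):
    """True unless the command is on the read-only allowlist."""
    c = cmd.strip().lower()
    return not (c in READ_ONLY_EXACT or c.startswith(READ_ONLY_PREFIXES))


def config_changes(lines):
    """Keep only shell command records that change device state."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.get("service") != "shell" or not rec.get("cmd"):
            continue
        if is_change(rec["cmd"]):
            out.append(rec)
    return out


def change_summary(changes):
    """Count changes per (user, device) so a reviewer sees who touched what."""
    return Counter((r["user"], r["nas"]) for r in changes)


if __name__ == "__main__":
    changes = config_changes(NOISE + SAMPLE_SESSION)
    print(f"{len(NOISE) + len(SAMPLE_SESSION)} records -> {len(changes)} changes")
    for r in changes:
        print(r["ts"], r["nas"], r["user"], r["client"], r["cmd"])
```

Out of 2,007 records this leaves three, all from jdoe on 10.0.0.1: entering configuration mode, removing an access list, and saving the change. The allowlist is deliberately small; an unknown command counts as a change so that a new verb is surfaced rather than silently dropped.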
  • 17. UNIFIED SECURITY MANAGEMENT
    “Visibility through integration that we do, not you”
    Asset Discovery
    • Active Network Scanning
    • Passive Network Scanning
    • Asset Inventory
    • Host-based Software Inventory
    Vulnerability Assessment
    • Network Vulnerability Testing
    Threat Detection
    • Network IDS
    • Host IDS
    • Wireless IDS
    • File Integrity Monitoring
    Behavioral Monitoring
    • Log Collection
    • Netflow Analysis
    • Service Availability Monitoring
    Security Intelligence
    • SIEM Correlation
    • Incident Response
  • 18. ALIENVAULT LABS THREAT INTELLIGENCE: COORDINATED ANALYSIS, ACTIONABLE GUIDANCE
    • Updates every 30 minutes
    • 200,000 to 350,000 IPs validated daily
    • 8,000 collection points
    • 140 countries
  • 19. ALIENVAULT LABS THREAT INTELLIGENCE: COORDINATED ANALYSIS, ACTIONABLE GUIDANCE
    Weekly updates that cover all your coordinated rule sets:
    • Network-based IDS signatures
    • Host-based IDS signatures
    • Asset discovery and inventory database updates
    • Vulnerability database updates
    • Event correlation rules
    • Report modules and templates
    • Incident response templates / “how to” guidance for each alarm
    • Plug-ins to accommodate new data sources
    Fueled by the collective power of AlienVault’s Open Threat Exchange (OTX)
  • 20. NOW FOR SOME Q&A…
    Three ways to test drive AlienVault:
    • Download a Free 30-Day Trial: http://www.alienvault.com/free-trial
    • Try our Interactive Demo Site: http://www.alienvault.com/live-demo-site
    • Join us for a LIVE Demo: http://www.alienvault.com/marketing/alienvault-usmlive-demo
    Questions? hello@alienvault.com