Securing your environment requires an understanding of the current and evolving threat landscape as well as knowledge of network technology and system design. This session will include a technical presentation, demo and interactive Q/A that will highlight how to build out a security plan to defend against today’s threats. You’ll leave this session with a clear understanding of what you need to achieve real-time security visibility and protection. Watch the on-demand webinar: http://ow.ly/pQzOT

Published in: Technology
Whose Logs, What Logs, Why Logs - Your Quickest Path to Security Visibility

  1. WHOSE LOGS, WHAT LOGS, WHY LOGS: YOUR QUICKEST PATH TO SECURITY VISIBILITY
     Tom D’Aquino – Sr. SIEM Engineer
  2. AGENDA
     The Challenge
     • Getting adequate security visibility for your small or medium business
     The Widely Pursued Solution
     • The traditional approach to Log Management/SIEM
     • The cost/benefit analysis
     An Alternative Approach
     • Who, What and Why is the key
     The Wrap Up
     • Unified Security Management
     • AlienVault’s Threat Intelligence Labs
     Questions & Answers as time permits
  3. HUMANS MEET TECHNOLOGY
  4. HUMANS MEET TECHNOLOGY
     Something is down? YouTube is up though.
  5. THE WIDELY PURSUED SOLUTION
     The traditional approach to Log Management/SIEM:
     • Collect everything
     • Analyze everything
     • Correlate everything
     • Store everything
  6. BUT AT WHAT HARDWARE COST?
     How much storage, CPU and RAM will you need to collect, correlate and store all of this data?
     • High-performance storage is not cheap
     How effective is the automated analysis (i.e., correlation) really going to be?
     • Correlation is CPU and memory intensive
  7. AND AT WHAT HUMAN RESOURCE COST?
     How effective is your team really going to be?
     • Can one person realistically review 10,000 alerts in a day?
  8. IS THERE A BETTER WAY?
     What if we took a more strategic approach by identifying the problem more effectively?
     Why do you need the logs?
     • Do you have an intended result in mind?
  9. IS THERE A BETTER WAY? (continued)
     Why do you need the logs?
     • Do you have an intended result in mind?
     What logs will you need to get that result?
     • e.g., will authentication logs suffice?
  10. IS THERE A BETTER WAY? (continued)
     Why do you need the logs?
     • Do you have an intended result in mind?
     What logs will you need to get that result?
     • e.g., will authentication logs suffice?
     Who will the logs you collect pertain to?
     • Is there a specific user group/community you should be focused on?
  11. LET’S LOOK AT SOME EXAMPLES
     Why do you need Firewall logs?
     • I need to see what is getting in to my network
     What logs will you need to get that result?
     • Firewall permit logs
     Who will the logs you collect pertain to?
     • I’m most significantly concerned with blacklisted IPs/domains
  12. EXAMPLE ILLUSTRATED
     You are probably only seeing these: [firewall log screenshot]
     When you should be looking for this: [filtered firewall log screenshot]
  13. EXAMPLES CONTINUED
     Why do you need OS logs?
     • I need to detect unauthorized access attempts and account lockouts
     What logs will you need to get that result?
     • OS authentication failure and account lockout logs
     Who will the logs you collect pertain to?
     • I’m most significantly concerned with admin-level accounts
  14. EXAMPLE ILLUSTRATED
     Multiple events to indicate a single login: [OS authentication log screenshot]
  15. ONE MORE EXAMPLE
     Why do you need Switch/Router logs?
     • I need to see when someone logs in to my network gear and makes config changes
     What logs will you need to get that result?
     • Authentication and authorization logs from my TACACS server would do the job
     Who will the logs you collect pertain to?
     • Anyone connecting to my network gear
  16. EXAMPLE ILLUSTRATED
     You may have to process thousands of these: [TACACS accounting log screenshot]
     Just to get one or two of these: [config-change event screenshot]
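The three worked examples on slides 11 through 16 all apply the same pattern: pick a feed (What), keep only the event types that serve the intended result (Why), and narrow to the actors or assets that matter (Who). The script below is an added example, not the webinar's or AlienVault's code, that encodes those three examples as data-driven triage rules and runs them over constructed key=value log lines. The log format, the blacklist, the admin-account list and the list of configuration verbs are all assumptions made for the demonstration; a real deployment would take them from its own feeds, threat intelligence and device command sets.

```python
"""Why/What/Who log triage over constructed key=value log lines.

Added example; not code from the webinar. The line format (a source tag
followed by space-separated key=value fields, quoted where needed) and
every sample line below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample feed: firewall permits/denies, OS authentication
# events, and TACACS+ command-accounting and login records.
SAMPLE_LOGS = """\
fw action=permit src=203.0.113.9 dst=10.0.0.5 dport=443
fw action=permit src=10.0.0.7 dst=198.51.100.4 dport=80
fw action=deny src=198.51.100.4 dst=10.0.0.7 dport=22
fw action=permit src=10.0.0.8 dst=192.0.2.77 dport=443
os event=auth_failure user=jsmith host=ws-12
os event=auth_failure user=svc_backup host=srv-01
os event=account_lockout user=administrator host=dc-01
os event=auth_success user=administrator host=dc-01
tacacs event=cmd user=netops device=core-sw1 cmd="show ip interface brief"
tacacs event=cmd user=netops device=core-sw1 cmd="show running-config"
tacacs event=cmd user=netops device=core-sw1 cmd="configure terminal"
tacacs event=cmd user=netops device=core-sw1 cmd="interface Gi1/0/24"
tacacs event=cmd user=contractor device=edge-rtr1 cmd="write memory"
tacacs event=login_failure user=contractor device=edge-rtr1
"""

# Assumed reference data; in practice these come from threat intel, the
# directory, and the device platform's command reference.
BLACKLISTED_IPS = {"203.0.113.9", "192.0.2.77"}
ADMIN_ACCOUNTS = {"administrator", "root"}
CONFIG_VERBS = {"configure", "interface", "write", "copy", "no", "ip", "username"}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Split 'source k=v k="v with spaces"' into a flat dict."""
    source, _, rest = line.partition(" ")
    event = {"source": source}
    for key, quoted, bare in KV_RE.findall(rest):
        event[key] = bare if bare else quoted
    return event


@dataclass(frozen=True)
class Rule:
    name: str
    why: str                        # the intended result (Why)
    source: str                     # which feed to read (What)
    what: Callable[[dict], bool]    # which events in that feed (What)
    who: Callable[[dict], bool]     # which actors or assets (Who)


def is_config_change(event: dict) -> bool:
    """A TACACS command counts as a config change if its verb is in CONFIG_VERBS."""
    verb = event.get("cmd", "").split(" ", 1)[0]
    return event.get("event") == "cmd" and verb in CONFIG_VERBS


RULES: List[Rule] = [
    Rule("firewall_blacklist", "See what is getting in to my network", "fw",
         what=lambda e: e.get("action") == "permit",
         who=lambda e: e.get("src") in BLACKLISTED_IPS or e.get("dst") in BLACKLISTED_IPS),
    Rule("admin_auth_failures", "Detect unauthorized access attempts and lockouts", "os",
         what=lambda e: e.get("event") in {"auth_failure", "account_lockout"},
         who=lambda e: e.get("user") in ADMIN_ACCOUNTS),
    Rule("network_gear_changes", "See logins to and config changes on network gear", "tacacs",
         what=lambda e: e.get("event") == "login_failure" or is_config_change(e),
         who=lambda e: True),   # Who: anyone touching the network gear
]


def triage(raw_logs: str, rules: List[Rule]) -> Dict[str, List[dict]]:
    """Return, per rule, the events that pass its What and Who filters."""
    hits: Dict[str, List[dict]] = {rule.name: [] for rule in rules}
    for line in raw_logs.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for rule in rules:
            if event["source"] == rule.source and rule.what(event) and rule.who(event):
                hits[rule.name].append(event)
    return hits


if __name__ == "__main__":
    total = len(SAMPLE_LOGS.splitlines())
    results = triage(SAMPLE_LOGS, RULES)
    for rule in RULES:
        print(f"{rule.name}: {len(results[rule.name])} of {total} lines -> {rule.why}")
        for event in results[rule.name]:
            print("   ", {k: v for k, v in event.items() if k != "source"})
```

The point to take from the run is the reduction ratio rather than the rules themselves: fourteen raw lines collapse to two blacklisted permits, one admin lockout and four network-gear events, and everything the rules discard (the `jsmith` failure, the `show` commands, the successful admin logon) is exactly what the Who and What questions told us not to collect or review in the first place.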
  17. UNIFIED SECURITY MANAGEMENT
     “VISIBILITY THROUGH INTEGRATION THAT WE DO, NOT YOU”
     Asset Discovery
     • Active Network Scanning
     • Passive Network Scanning
     • Asset Inventory
     • Host-based Software Inventory
     Vulnerability Assessment
     • Network Vulnerability Testing
     Threat Detection
     • Network IDS
     • Host IDS
     • Wireless IDS
     • File Integrity Monitoring
     Behavioral Monitoring
     • Log Collection
     • Netflow Analysis
     • Service Availability Monitoring
     Security Intelligence
     • SIEM Correlation
     • Incident Response
  18. ALIENVAULT’S THREAT INTELLIGENCE LABS
     AlienVault experts monitor, analyze, reverse engineer and report on sophisticated zero-day threats including malware, bots, phishing campaigns and more. AlienVault publishes its findings in its threat blog and includes all the latest intelligence as correlation rules, policies, and reputation data in the AlienVault Threat feed.
     • 500,000 malware samples analyzed per day
     • 100,000 malicious IPs validated per day
     • 8,000+ global collection points in 140+ countries
     • > 7 million URLs analyzed
  19. NOW FOR SOME Q&A…
     Three Ways to Test Drive AlienVault
     • Download a Free 30-Day Trial: http://www.alienvault.com/free-trial
     • Try our Interactive Demo Site: http://www.alienvault.com/live-demo-site
     • Join us for a LIVE Demo! http://www.alienvault.com/marketing/alienvault-usmlive-demo
     Questions? hello@alienvault.com
  20. VIEW THIS WEBINAR ON-DEMAND
     A recorded version of this webinar is available to be viewed on demand.