LogLogic Security Event Manager

    LogLogic Security Event Manager - Presentation Transcript

    1. Introduction to Security Event Manager
      Megan McGuire
      Christophe Briguet
      Visibility & Control on IT Security
    2. Collect
    3. Log Collector
      Logs → Log Collector → SEM appliance
    4. Normalise
    5–11. Map Logs to a Structured Event Format (the fields are filled in one per slide)
      10.10.0.3 sshd[76195]: Failed password for John from 209.195.132.165 port 5735
      classification.text=SSH Remote user login failed
      assessment.impact.severity=high
      source.node.nameOrIp=209.195.132.165
      source.service.nameOrPort=5735
      target.node.nameOrIp=10.10.0.3
      target.service.nameOrPort=ssh
      target.user.nameOrId=john
      Extract of an IDMEF event
    12. Classify Events with a Taxonomy
      10.10.0.3 sshd[76195]: Failed password for John from 209.195.132.165 port 5735
      Top-level categories: System, Authentication, Right, Use, Configuration, Attack
      Sub-categories shown: Failed, Update, Account
      The sshd line above is classified as Authentication / Failed.
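How the normalisation of slides 5–11 and the taxonomy classification of slide 12 can be implemented, as an added Python example that is not LogLogic's code. The IDMEF-style field names are those shown on the slides; the regular expressions, the taxonomy paths ("Authentication/Success" is not on slide 12), the severity values and the sample log lines are assumptions constructed for this example. It goes a little beyond the slide by also handling sshd's "invalid user" variant and successful logins, and it keeps unparsed lines visible rather than dropping them, since a parser that silently discards unknown formats is a blind spot for every rule downstream.

```python
"""Added example, not LogLogic code: normalise sshd syslog lines into the
IDMEF-style fields of slides 5-11 and classify them with the taxonomy of
slide 12.  Regexes, taxonomy paths, severities and sample lines are
assumptions constructed for this example."""
import re
from typing import Optional

# Constructed sample lines in the format of the slide's example.
SAMPLE_LOGS = [
    "10.10.0.3 sshd[76195]: Failed password for John from 209.195.132.165 port 5735",
    "10.10.0.3 sshd[76201]: Accepted password for john from 209.195.132.165 port 5740",
    "10.10.0.3 sshd[76210]: Failed password for invalid user admin from 198.51.100.7 port 41022",
]

# Parsing rules: (regex, classification.text, severity, taxonomy path).
# "Authentication" and "Failed" appear on slide 12; "Success" is assumed here.
RULES = [
    (re.compile(r"^(?P<target>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
                r"(?P<user>\S+) from (?P<src>\S+) port (?P<sport>\d+)"),
     "SSH Remote user login failed", "high", ("Authentication", "Failed")),
    (re.compile(r"^(?P<target>\S+) sshd\[\d+\]: Accepted \w+ for "
                r"(?P<user>\S+) from (?P<src>\S+) port (?P<sport>\d+)"),
     "SSH Remote user login succeeded", "low", ("Authentication", "Success")),
]


def normalise(line: str) -> Optional[dict]:
    """Return the slide-11 field set for one log line, or None if no rule matches."""
    for pattern, text, severity, taxonomy in RULES:
        m = pattern.match(line)
        if m is None:
            continue
        return {
            "classification.text": text,
            "assessment.impact.severity": severity,
            "source.node.nameOrIp": m.group("src"),
            "source.service.nameOrPort": int(m.group("sport")),
            "target.node.nameOrIp": m.group("target"),
            "target.service.nameOrPort": "ssh",
            # Slide 11 turns "John" into "john": user IDs are case-folded so
            # that correlation rules count one account, not two.
            "target.user.nameOrId": m.group("user").lower(),
            "taxonomy": "/".join(taxonomy),
        }
    return None


def normalise_all(lines):
    """Normalise a batch; unmatched lines are returned, not silently dropped,
    so that parser coverage can be monitored."""
    events, unparsed = [], []
    for line in lines:
        event = normalise(line)
        if event is None:
            unparsed.append(line)
        else:
            events.append(event)
    return events, unparsed


if __name__ == "__main__":
    events, unparsed = normalise_all(SAMPLE_LOGS + ["10.10.0.3 cron[12]: (root) CMD (run-parts)"])
    for event in events:
        print("\n".join(f"{k}={v}" for k, v in event.items()), end="\n\n")
    print("unparsed lines:", len(unparsed))
```

The severity "high" for a single failed password is the slide's value; slide 19 shows the SEM later adjusting it against the criticality of the target, which is why the raw severity and the taxonomy path are both kept on the event.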

    13. Enrich
    14. Add Context Information to Events
      SLA
      Site
      Contact
      Event
      Host
      Regulation
      Main IT Assets
      SEM Asset Database
      Organisation
    15. Correlate
    16. Use Case #1: Vulnerability correlation
      « The SEM knows that the target is vulnerable and the attack succeeded »
      « The SEM knows that the target of the attack is NOT vulnerable »
    17. Use Case #2: Asset Database correlation
      « Assets have been misused or bypassed (e.g. email sent directly to the Internet, or web browsing from the mail server) »
      « Connection to an IP located in a country under US embargo (e.g. Iran, North Korea, etc.) »
    18. Use Case #3: User authentication correlation
      « Brute-force attack = many failed logons + 1 success »
    19. Use Case #3: User authentication correlation (continued)
      « Login failure alert correlated with target criticality »
      Medium severity event for the WinDC server
      Low severity event for the WKS-1 workstation
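The enrichment of slide 14 and the correlation use cases of slides 16–19, as one added Python example that is not LogLogic's code. The asset database, the GeoIP table, the embargo list, the criticality scale, the brute-force threshold and the sample events are all constructed assumptions; the event field names are those of slide 11, and the taxonomy sub-categories "Exploit" and "Connection" are assumed rather than taken from slide 12.

```python
"""Added example, not LogLogic code: enrich normalised events from an asset
database (slide 14) and run the correlation use cases of slides 16-19.
Asset records, GeoIP data, thresholds and sample events are assumptions
constructed for this example."""
from collections import defaultdict

SEVERITY = ("low", "medium", "high")   # severity scale assumed for this example

# Constructed asset database holding the context fields listed on slide 14.
# Criticality 1..3 is an assumption (WinDC above WKS-1, as slide 19 implies).
ASSETS = {
    "10.10.0.3":  {"host": "WinDC", "site": "HQ", "contact": "dc-admins", "sla": "24x7",
                   "regulation": "SOX", "criticality": 2, "vulns": {"vuln-A"}},
    "10.10.0.50": {"host": "WKS-1", "site": "HQ", "contact": "helpdesk", "sla": "9-5",
                   "regulation": None, "criticality": 1, "vulns": set()},
}
# An unmanaged host is not rated "low" by default: unknown is not the same as harmless.
UNKNOWN_ASSET = {"host": "unknown", "criticality": 2, "vulns": set()}

# Constructed GeoIP table and embargo list for use case #2 (slide 17).
GEOIP = {"198.51.100.7": "US", "203.0.113.9": "IR"}
EMBARGOED = {"IR", "KP", "CU", "SY"}


def mk(taxonomy, src, target, user=None, **extra):
    """Build a normalised event with the slide-11 field names (constructed data)."""
    event = {"taxonomy": taxonomy, "source.node.nameOrIp": src,
             "target.node.nameOrIp": target, "target.user.nameOrId": user}
    event.update(extra)
    return event


def enrich(event):
    """Slide 14: attach the target's asset record; unknown hosts get a safe default."""
    return {**event, "asset": ASSETS.get(event["target.node.nameOrIp"], UNKNOWN_ASSET)}


def vulnerability_correlation(attack):
    """Use case #1 (slide 16): an attack is an incident only if the target is vulnerable."""
    if attack["exploits"] in attack["asset"]["vulns"]:
        return "incident: target vulnerable, attack succeeded"
    return "info: target not vulnerable"


def embargo_check(event):
    """Use case #2 (slide 17): outbound connection to an IP in an embargoed country."""
    return GEOIP.get(event["target.node.nameOrIp"]) in EMBARGOED


def bruteforce(events, threshold=5):
    """Use case #3 (slide 18): many failed logons then one success, same source/target/user.
    Events are assumed to arrive in time order; the counter resets on any success."""
    failures, alerts = defaultdict(int), []
    for ev in events:
        key = (ev["source.node.nameOrIp"], ev["target.node.nameOrIp"], ev["target.user.nameOrId"])
        if ev["taxonomy"] == "Authentication/Failed":
            failures[key] += 1
        elif ev["taxonomy"] == "Authentication/Success":
            if failures[key] >= threshold:
                alerts.append({"rule": "bruteforce-then-success", "failed": failures[key],
                               "source": key[0], "target": key[1], "user": key[2]})
            failures[key] = 0
    return alerts


def login_failure_severity(event):
    """Use case #3 (slide 19): same login failure, severity follows target criticality
    (criticality 1 -> low, 2 -> medium, 3 -> high)."""
    level = max(0, min(event["asset"]["criticality"] - 1, 2))
    return SEVERITY[level]


if __name__ == "__main__":
    stream = [mk("Authentication/Failed", "209.195.132.165", "10.10.0.3", "john") for _ in range(6)]
    stream.append(mk("Authentication/Success", "209.195.132.165", "10.10.0.3", "john"))
    print(bruteforce(stream))
    for target in ("10.10.0.3", "10.10.0.50"):
        ev = enrich(mk("Authentication/Failed", "209.195.132.165", target, "john"))
        print(ev["asset"]["host"], login_failure_severity(ev))
    attack = enrich(mk("Attack/Exploit", "198.51.100.7", "10.10.0.3", exploits="vuln-A"))
    print(vulnerability_correlation(attack))
    print(embargo_check(mk("Use/Connection", "10.10.0.50", "203.0.113.9")))
```

The brute-force rule keys on source, target and user together so that a legitimate login from another workstation does not consume the failure counter; a production rule would also bound the window in time and handle the slow, distributed variant (one source, many accounts), which this per-key counter does not catch.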
    20. Escalate
    21. An Incident Case is a Data Container
      Incident Case: a data container for remediation action
      Contact (owner)
      Business cost
      Time cost
      Events and Alerts
      Impact on CIA
      Remediation action
    22. Two-Way Interaction with a Trouble Ticketing System
      Incident Case
      External Trouble Ticketing System
      Alerts
    23. Report
    24. Regulations
      Regulations: SOX, HIPAA, FSA, etc.
      Standards and Frameworks: COBIT, ISO 27001, PCI-DSS, etc.
      Reports allow you to:
      • Establish controls
      • Maintain controls
      • Prove controls
    25. Dashboard Overview
      Dashboard
      Report
      Workspace
      Chart
      Events detail
      Text session (comments)
    26. Reports Drill Down
      (screenshot: drill-down steps numbered 1 to 4)
    27. Collect → Normalise → Enrich → Correlate → Escalate → Report
      Benefits are …
    28. Sorting out normal vs. abnormal
    29. Achieve regulatory compliance requirements
    30. Bridge the gap between technology and process

    31. Want to see SEM in action?
      Ask for a Demo!

    Uploaded by Christophe Briguet, 4 months ago

    © All Rights Reserved
