LogLogic Security Event Manager

Introduction to
Security Event Manager
Megan McGuire
Christophe Briguet
Visibility & Controlon IT Security

Collect

Log Collector
Logs
SEM appliance

Normalise

Map Logs to a Structured Event Format
10.10.0.3 sshd[76195]: Failed password for John from 209.195.132.165 port 5735
classification.text=
assessment.impact.severity=
source.node.nameOrIp=
source.service.nameOrPort=
target.node.nameOrIp=
target.service.nameOrPort=
target.user.nameOrId=
Extract of a IDMEF event

target.node.nameOrIp=10.10.0.3
target.service.nameOrPort=

target.service.nameOrPort=ssh

classification.text=SSH Remote user login failed
assessment.impact.severity=high

target.user.nameOrId=john

source.node.nameOrIp=209.195.132.165

source.node.nameOrIp=209.195.132.165
source.service.nameOrPort=5735

Classify Events with a Taxonomy
System
Authentication
Right
Use
Configuration
Attack
…
…
Failed
Update
Account
…

Enrich

Add Context Information to Events
SLA
Site
Contact
Event
Host
Regulation
Main IT Assets
SEM Asset Database
Organisation

Correlate

UseCase #1: Vulnerabilities correlation
« The SEM knows that the target is vulnerable and the attack succeded »
« The SEM knows that the target of the attack is NOT vulnerable »

UseCase #2: Asset Database correlation
« Assets have been misused or bypassed (i.e. email sent directly to Internet or web browsing from the mail server) »
« Connection to an IP located in a country under US embargoes (i.e. Iran, Korea, etc.) »

UseCase #3: User auth. correlation
« Bruteforce attack = many logon failed + 1 success »

UseCase #3: User auth. correlation
« Login failure alert correlated with target criticality »
Medium severity event for the WinDC server
Low severity event the WKS-1 workstation

Escalade

An Incident Case is a Data Container
Incident Case : A Data Container for Remediation Action
Contact (owner)
Business cost
Time cost
Events and Alerts
Impact on CIA
Remediation
action

Two-Ways Interaction with Trouble Ticketing System
Incident Case
External Trouble Ticketing System
Alerts

Report

Regulations
SOX, HIPAA, FSA, etc.
Standards and Framework
COBIT, ISO 27001, PCI-DSS, etc.
Reports allow to:
Establish controls
Maintain controls
Prove controls
Controls

Dashboard Overview
Dashboard
Report
Workspace
Chart
Events detail
Text session (comments)

Reports Drill Down
1
2
4
3

Escalade
Enrich
Report
Correlate
Normalise
Collect
Benefits are …

Sorting out normal vs. abnormal

Achieve regulatory compliance requirements

Fill the gap between technologies and process

“
Title
Want to see SEM in action?
Ask for a Demo!
”

http://www.loglogic.com	233
http://loglogic.com	85
http://www.slideshare.net	9
http://loglogicrd.collaborint.com	3
http://www.loglogic.eu	1
http://www.lmodules.com	1
http://www.loglogic.co.jp	1

LogLogic Security Event Manager

by Christophe Briguet on Jul 11, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

7 Embeds 333

Statistics

LogLogic Security Event Manager — Presentation Transcript