SIEM vs Log Management - Data Security Solutions 2011
Brief overview of SIEM / log management technology era, technology and business drivers for better network security and visibility with log management and SIEM solutions, some selected players from DSS portfolio.
Innovations in data security
Log management
vs
SIEM
Andris Soroka
07.07.2011
Together with
Agenda
Introduction - threats, technology era, definitions
Business drivers for log management and SIEM
(Security Information and Events Management)
Market analysis, critical capabilities of solutions
Selected solutions for Your review –
SEM (Log management)
SEM (Wider scope)
SIEM
Where to start from?
Internet has been compared to America’s Wild Wild West
countless times – now the analogy holds more weight than ever.
No DNA forensics, no overarching laws – just lawlessness.
The 21st Century – the age of cybercrime
“Year 2010 was the year of cybercrime and
cyberwars. Year of Wikileaks”
“The New York Times”, “Guardian”, “Der Spiegel”, “El
Pais”, “Le Monde”, “CNN”, “BBC” and more. 2010,
2011..
FBI warns Congress that cybercriminals can hack
any internet-linked system
Gordon M. Snow, assistant director of the FBI’s Cyber Division
(13th of April, 2011)
Background - technology development
IT continues taking the lead in business
(ERP, CRM, document management, digital
prototyping etc.)
Importance and development of e-World
(e-Health, e-government, e-services, social
networking, Web 2.0, unified
communications and tools for that etc.)
Mobility and borderless enterprise
Cyber culture develops faster than cyber
security
New threats – targeted, professional, silent
There are Internet shops full of credit
card, bank account, privacy, business
and other confidential data. Also there
are available services to rent a botnet,
malicious code and attack anyone.
Cybercriminal «CV Online»
“Black Community” where
cybercriminals are organized better
than high-level military organizations
Video trainings and eLearning
available in social media, such as
YouTube
Business drivers that initiate LM / SIEM
EU directives
Such as for data protection
Critical infrastructure protection
Cooperation
Industry standards and regulations
Banks
Health organizations etc.
NATO directives
Security, military orgs
Related to NATO work
IT Security ISO 2700X
Local laws and regulations
Personal data protection
IT Security policies
SIEM / SEM / SIM - Where to start from?
Do You have one central solution for collecting ALL events (logs), correlating
them and having real time intelligent visibility?
Do You monitor the business processes instead of the network?
Do You monitor identities, applications, information and their context instead of
just IP addresses, OS’s and devices?
[Diagram: a “Log Jam” of separate log tool silos across Security Operations,
Operational IT & Network Management, Identity Management and Governance &
Compliance, fed by logs from Network, Servers, Databases and Homegrown
Applications]
If not – You are vulnerable!!!
No, I mean, really…do You know?
Clear & concise delivery of the most relevant information …
What was the attack?
Who was responsible?
Was it successful?
How many targets involved?
Where do I find them?
Are any of them vulnerable?
How valuable are they to the business?
Where is all the evidence?
What is in Your logs so far..? 50%? Less..?
Failed Logon
User and System Activity
Privileges Assigned / Changed
Security Breach
File Up/Download
Credit Card Data Access
Runaway Application
Customer Transaction
Information Leak
Email BCC
What is in Your logs so far..? 50%? Less..?
What logs –
Audit logs
Transaction logs
Intrusion logs
Connection logs
System performance records
User activity logs
Different systems alerts and different other systems messages
From where –
Firewalls / Intrusion prevention
Routers / Switches
Intrusion detection
Servers, desktops, mainframes
Business applications
Databases
Antivirus software
VPN’s
There is no standard format or transportation method for logs; there are more
than 800 log file formats in use..
Introduction – definitions from IT security technologies / solutions
SEM – Security Events Management (Correlation – events
relation together for security benefits)
SIM – Security Information Management (Log
management – e.g. collecting the events of the applications
and operational systems.)
SIEM (Security Information And Event Management)
You cannot control what You cannot see!
SIEM evolution (from Anton Chuvakin blog)
Historically –
1997-2002 IDS & Firewall
Worms, alerts of overflow,
packets etc.
Sold as a “SOC in the box”
2003 – 2007 Above + Server +
Context
Users, compliance etc.
Sold as a “SOC in the box” +
2008+ Above + Applications +
Cybercrime, fraud prevention,
identity etc.
Sold as a “SOC in the box”+++
Log management and intelligence
Collect – Time-stamping and secure collection of 100% of all log data, 100% of
the time, from any device, including network, storage, servers, applications!
Alert – Alerts based on real time forensics according to policies. According to
anomalies, incidents. In any possible alerting way.
Store – As much as you want, as little as your compliance needs dictate.
Automated, secure storage and archival of critical log data. Maintain chain of
custody.
Report – Should be ready to configure and report. Should have easy-to-use
templates and more than 10K custom reports. Packaged SOX, PCI reporting + more.
Process Integration & Information Share
More about SIM / SEM / SIEM coverage
Scope of usage –
SIM (log management) + SEM
Standards such as –
Syslog (Unix / Linux, network devices)
Eventlog (Windows)
Journals (mainframe, midrange..)
Non standards such as logging into files and SQL
databases
Usage
Central monitoring, finding anomalies, reporting, alerting
Collecting and archiving logs, forensics (search all over)
Threat protection & discovery, incident response, audit support
Advantages / Disadvantages (not always)
Scalability – security logs are only about 10% of all logs, but SIM solutions
collect ALL logs, so correlation can become an issue later
Functionality – correlating events from different sources is at a different
level than in a SIEM, which is naturally designed to do so
More about SIM / SEM / SIEM coverage
Scope of usage and quality control
SIEM – A must to have!
Log and context data collection (SIM)
Normalization and categorization (SIM)
Correlation (SEM)
Notification / Alerting (SEM)
Prioritization (SEM)
Dashboards and visualization
Reporting and reports delivery (SIM)
Security role workflow
SIEM – next-generation solutions also work at the level of –
File integrity Monitoring
Database Activity Monitoring
Application Monitoring
Identity Monitoring
User Activity Monitoring
Planning a SIEM / LM project?
Planning areas (IN THAT ORDER! By Anton Chuvakin)
Goals and requirements
Functionality & features
Scope and data collection
Sizing
Architecting
Deploy Log management before SIEM….
Q: Why do You think most of the SIEM projects failed in
past?
A: There was no LM at place, SIEM alone is just not that
useful..
Quality and innovations portfolio from DSS
Market leadership in research of leading market analysts
Close partnership with local competence center,
represented vendors and regional distributor
Market industry standards and international quality
standards
Solutions to offer
SIM / SIM + SEM
Balabit IT Security
Syslog NG Store Box
SSB + Sawmill
SIEM+
Q1 Labs – The Market Leader
Balabit IT Security
Founded in 2000, Hungary
2nd fastest growing IT company in
CEE, listed in Deloitte’s Top50 research
“The syslog -ng company” – open
source log collecting solution is used by
650000 customers world wide
SIM (Log management) and more
Balabit IT Security
syslog-ng Premium Edition
TLS-encrypted communication
Direct SQL Access
More than 21 platform support
Windows agent with AD
IBM System I agent
syslog-ng Store Box
Complete log lifecycle management
Web based user interface
75000 messages per second
24GB messages per hour
Encrypted communication, alerting, filtering etc.
Shell Control Box (“The Black Box”)
Monitoring over admins
Monitoring over outsourcers
Balabit IT Security + Sawmill
Sawmill – software package to analyze log files
Has more than 250000 customers world wide
Works with more than 800 different log file formats
Extremely great reporting
Licensed by report profiles
[Diagram – Sawmill architecture: log sources (Web Server Log Files, Security
Logs / Security Events, Network Logs / Network Events, Streaming Media Logs,
Mail Server Logs) → Log Filtering & Parsing → Analysis with Profiles &
Schedules → Reports & Report Filters → outputs: Real Time ‘Live’ Reports,
Dynamic Reports, Static Reports for email / publishing (html/csv/pdf), Real
Time Alerts; database back-end: ODBC, MySQL or internal database]
Enterprise-wide analytics
** 800+ different log formats supported **
Balabit IT Security + Sawmill
Balabit syslog –ng is licensed by the number of log
sources hosts (LSH), licenses for 5,10,25,50,100,150,
250…Unlimited, unlimited costs about 25K Euro
Balabit SSB is licensed same way, licensed for
50,100,250,500, 750,1000…Unlimited, depending on options
(HA, support, hardware:1U or 2U, architecture) project can be
between 25K – 150K Euro
Sawmill is licensed by the number of report profiles created
and product type selected, can vary between 1K and 10K Euro
Q1 Labs business card
Q1 Labs – a global leader in SIEM market from USA
Compliance coverage: PCI, HIPAA, FISMA, CoCo, NERC, SOX
Best price / performance
Next generation SIEM
+2000 customers world
wide
Gartner 2009 / 2010 Magic
quadrant leader
Biggest independent SIEM
vendor from leaders
Out of box number of
compliances covered
Q1 Labs SIEM & much more
Next-generation Log Management:
•Turnkey log management
•SME to Enterprise
•Upgradeable to enterprise SIEM
Next-generation SIEM:
•Integrated log, cyber threat, risk and
compliance management
•Scalable, Automated, Broad market
•Network activity information
Next-generation Risk Management
•Predictive threat modeling & simulation
•Automated compliance and policy verification
•Scalable configuration monitoring & audit
•Advanced threat visualization/impact analysis
Stackable Expansion:
•Event Processors, High Availability
•Network Activity Processors
•Geographic distribution
•Horizontal scale
•Embedded, real-time database
Application & Activity Monitoring:
•Layer 7 application monitoring
•Content Aware
•Identity/user-based visibility of network and
application activity
•Provides visibility into physical and virtual
Q1 in action - Malware activity
Potential Botnet Detected?
This is as far as traditional SIEM can go.
IRC on port 80?
QFlow enables detection of a covert channel.
Irrefutable Botnet Communication
Layer 7 data contains botnet command and control
instructions.
Q1 in action - User activity monitoring
Authentication Failures
Perhaps a user who forgot their
password?
Brute Force Password
Attack
Numerous failed login attempts against
different user accounts.
Host Compromised
All this followed by a successful login.
Automatically detected, no custom
tuning required.
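As an added example (not from the presentation or from any vendor named on it), the stages listed under “SIEM – A must to have!” – collection, normalization, correlation, alerting – applied to the brute-force case above: failures against several accounts from one source, followed by a success from that source. The log lines and the Windows-style line layout are constructed; only event IDs 4624/4625 are real Windows logon event IDs.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real captures): an sshd syslog-style format and a
# Windows-style logon event format, standing in for the many incompatible formats.
SAMPLE_LOGS = [
    "Jul  7 10:00:01 srv1 sshd[812]: Failed password for alice from 10.0.0.5 port 5001 ssh2",
    "Jul  7 10:00:03 srv1 sshd[812]: Failed password for bob from 10.0.0.5 port 5002 ssh2",
    "EventID=4625 Account=carol Workstation=WS7 SourceIP=10.0.0.5 Status=0xC000006D",
    "Jul  7 10:00:07 srv1 sshd[812]: Failed password for dave from 10.0.0.5 port 5003 ssh2",
    "Jul  7 10:00:09 srv1 sshd[813]: Accepted password for dave from 10.0.0.5 port 5004 ssh2",
    "EventID=4625 Account=erin Workstation=WS9 SourceIP=10.0.0.9 Status=0xC000006D",
    "Jul  7 10:00:12 srv1 CRON[900]: (root) CMD (run-parts /etc/cron.hourly)",
]

SYSLOG_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
# 4624 = successful logon, 4625 = failed logon (Windows Security log event IDs)
WINLOG_RE = re.compile(r"EventID=(4624|4625) Account=(\S+) .*SourceIP=(\S+)")

def normalize(line):
    """Normalization step: map a raw line to a common record, or None if unparsed."""
    m = SYSLOG_RE.search(line)
    if m:
        cat = "auth_failure" if m.group(1) == "Failed" else "auth_success"
        return {"category": cat, "user": m.group(2), "src": m.group(3)}
    m = WINLOG_RE.search(line)
    if m:
        cat = "auth_success" if m.group(1) == "4624" else "auth_failure"
        return {"category": cat, "user": m.group(2), "src": m.group(3)}
    return None

def correlate(lines, min_failures=3, min_accounts=2):
    """Correlation step: several failures against distinct accounts from one source,
    then a success from the same source, raise one prioritized offense."""
    fail_count = defaultdict(int)      # src -> failed logons seen
    fail_accounts = defaultdict(set)   # src -> distinct accounts tried
    alerts = []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue                   # unknown format: skipped here, should be counted
        if ev["category"] == "auth_failure":
            fail_count[ev["src"]] += 1
            fail_accounts[ev["src"]].add(ev["user"])
        elif (fail_count[ev["src"]] >= min_failures
              and len(fail_accounts[ev["src"]]) >= min_accounts):
            alerts.append({"offense": "Host Compromised", "src": ev["src"], "user": ev["user"],
                           "accounts_tried": sorted(fail_accounts[ev["src"]])})
    return alerts
```

Running correlate(SAMPLE_LOGS) yields one offense for 10.0.0.5 (four accounts tried, then a successful logon as dave), while the single failure from 10.0.0.9 and the unparsed cron line raise nothing.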
Q1 in action - complex threat detection
Sounds Nasty…
But how do we know this?
The evidence is a single click away.
Network Scan – Detected by QFlow
Buffer Overflow – Exploit attempt seen by Snort
Targeted Host Vulnerable – Detected by Nessus
Total Visibility – Convergence of Network, Event and Vulnerability data.
Q1 in action – data loss prevention
Potential Data Loss?
Who? What? Where?
Who?
An internal user
What?
Oracle data
Where?
Gmail
Q1 Labs in figures
Based on selection, sizing,
requirements and targets there are
different models and ways to
move forward
All-in-One solutions
Distributed
Console
Flow processor
Event processor
Qflow collector
Many upgrade possibilities
HA and DR options
Smallest all-in-one appliance
pricing starts with 30K Euro – ends
with ……depends on everything
“Data Security Solutions” can help
Specialization – IT Security
IT Security consulting
(vulnerability assessment
tests, security audit, new
systems integration, HR
training, technical support)
Innovative & selected
software / hardware & hybrid
solutions from leading
technology vendors from
over 10 different countries