SIEM vs Log Management - Data Security Solutions 2011

  1. Innovations in data security: Log management vs SIEM. Andris Soroka, 07.07.2011. Together with
  2. Agenda. Introduction: threats, technology era, definitions. Business drivers for log management and SIEM (Security Information and Event Management). Market analysis, critical capabilities of solutions. Selected solutions for Your review: SIM (log management), SEM (wider scope), SIEM.
  3. Where to start from? The Internet has been compared to America's Wild Wild West countless times; now the analogy holds more weight than ever. No DNA forensics, no overarching laws, just lawlessness.
  4. The 21st century: the age of cybercrime. "Year 2010 was the year of cybercrime and cyberwars. Year of Wikileaks" ("The New York Times", "Guardian", "Der Spiegel", "El Pais", "Le Monde", "CNN", "BBC" and more, 2010, 2011..). FBI warns Congress that cybercriminals can hack any internet-linked system: Gordon M. Snow, assistant director of the FBI's Cyber Division (13th of April, 2011).
  5. Background: technology development. IT continues taking the lead in business (ERP, CRM, document management, digital prototyping etc.). Importance and development of the e-World (e-Health, e-government, e-services, social networking, Web 2.0, unified communications and tools for that etc.). Mobility and the borderless enterprise. Cyber culture develops faster than cyber security.
  6. Every technology is vulnerable.
  7. New threats: targeted, professional, silent. There are Internet shops full of credit card, bank account, privacy, business and other confidential data. Services are also available to rent a botnet, rent malicious code and attack anyone. Cybercriminal "CV Online". A "Black Community" where cybercriminals are organized better than high-level military organizations. Video trainings and eLearning available in social media, such as YouTube.
  8. Business drivers that initiate LM / SIEM. EU directives, such as for data protection, critical infrastructure protection, cooperation. Industry standards and regulations: banks, health organizations etc. NATO directives: security and military organizations related to NATO work. IT security: ISO 2700X. Local laws and regulations: personal data protection, IT security policies.
  9. SIEM / SEM / SIM: where to start from? Do You have one central solution for collecting ALL events (logs), correlating them and giving real-time intelligent log visibility, or a separate log tool silo for each area (Operational IT & Network, Identity Governance & Security Operations Management, Compliance)? Do You monitor the business processes instead of the network? Do You monitor identities, applications, information and their context instead of just IP addresses, OSs and devices? If not, You are vulnerable!!! (Slide figure: a "Log Jam" of logs from network, servers, databases and homegrown applications feeding separate tool silos.)
  10. No, I mean, really... do You know? Clear & concise delivery of the most relevant information: What was the attack? Was it successful? Who was responsible? Where do I find them? How many targets were involved? How valuable are they to the business? Are any of them vulnerable? Where is all the evidence?
  11. What is in Your logs so far..? 50%? Less..? Failed logon, user and system activity, privileges assigned / changed, security breach, file up/download, credit card data access, runaway application, customer transaction, information leak, email BCC.
  12. What is in Your logs so far..? 50%? Less..? What logs: audit logs, transaction logs, intrusion logs, connection logs, system performance records, user activity logs, alerts and messages from different systems. From where: firewalls / intrusion prevention, routers / switches, intrusion detection, servers, desktops, mainframes, business applications, databases and different other systems, antivirus software, VPNs. There is no standard format or transportation method for logs; there are more than 800 log file formats in use..
  13. Definitions from IT security technologies / solutions. SEM: Security Event Management (correlation, relating events together for security benefits). SIM: Security Information Management (log management, e.g. collecting the events of the applications and operating systems). SIEM: Security Information And Event Management. You cannot control what You cannot see!
  14. SIEM evolution (from Anton Chuvakin's blog). Historically, 1997-2002: IDS & firewall; worms, alerts of overflows, packets etc.; sold as a "SOC in the box". 2003-2007: the above + servers + context; users, compliance etc.; sold as a "SOC in the box" +. 2008+: the above + applications; cybercrime, fraud prevention, identity etc.; sold as a "SOC in the box" +++.
  15. Log management and intelligence. Collect: time-stamping and secure collection of 100% of all log data, 100% of the time, from any device, including network, storage, servers, applications! Alert: alerts based on real-time log forensics according to policies; automated, from anomalies and incidents, in any possible alerting way. Store: as much as you want, as little as your compliance needs dictate; secure storage and archival of critical log data; maintain chain of custody. Report: should be ready to configure and report, with easy-to-use templates and more than 10K custom reports; packaged SOX, PCI reporting + more. Process integration & information share.
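The "Store" column above asks for secure archival and a maintained chain of custody. The following is an added example (not code from the presentation or from any vendor it mentions) of one way to get that property: an append-only store that time-stamps each line at collection and links every record to its predecessor with a SHA-256 hash, so that editing, deleting or reordering archived records is caught on verification. The sample log lines, host names and the all-zero genesis link are constructed assumptions.

```python
"""Append-only log store with a hash chain: each record carries the collector
timestamp, the raw line, and a SHA-256 link over the previous record's hash,
so a later edit, deletion or reordering of archived records is detectable."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # link value for the first record (assumed fixed sentinel)


def _digest(prev_hash: str, received_at: str, source: str, line: str) -> str:
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps([prev_hash, received_at, source, line], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class ChainedLogStore:
    def __init__(self) -> None:
        self.records: List[Dict] = []

    def append(self, source: str, line: str, received_at: Optional[str] = None) -> Dict:
        """Time-stamp the line at collection and link it to the previous record."""
        received_at = received_at or datetime.now(timezone.utc).isoformat()
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS
        record = {
            "seq": len(self.records),
            "received_at": received_at,
            "source": source,
            "line": line,
            "prev_hash": prev_hash,
        }
        record["hash"] = _digest(prev_hash, received_at, source, line)
        self.records.append(record)
        return record

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute the whole chain. Returns (ok, seq of first bad record or None)."""
        prev_hash = GENESIS
        for rec in self.records:
            expected = _digest(prev_hash, rec["received_at"], rec["source"], rec["line"])
            if rec["prev_hash"] != prev_hash or rec["hash"] != expected:
                return False, rec["seq"]
            prev_hash = rec["hash"]
        return True, None


def build_sample_store() -> ChainedLogStore:
    """Constructed sample lines (not real data) standing in for collected logs."""
    store = ChainedLogStore()
    store.append("fw01", "DENY TCP 203.0.113.5:4444 -> 192.0.2.10:22", "2011-07-07T08:00:01+00:00")
    store.append("srv01", "sshd: Failed password for root from 203.0.113.5", "2011-07-07T08:00:02+00:00")
    store.append("srv01", "sshd: Accepted password for admin from 203.0.113.5", "2011-07-07T08:00:09+00:00")
    return store


def tamper_demo() -> Tuple[bool, Optional[int]]:
    """Rewrite an archived record after the fact; verification reports its seq."""
    store = build_sample_store()
    store.records[1]["line"] = "sshd: Accepted password for root from 203.0.113.5"
    return store.verify()


def deletion_demo() -> Tuple[bool, Optional[int]]:
    """Drop a record from the middle; the next record's prev_hash no longer matches."""
    store = build_sample_store()
    del store.records[1]
    return store.verify()


if __name__ == "__main__":
    print("intact:", build_sample_store().verify())
    print("edited:", tamper_demo())
    print("deleted:", deletion_demo())
```

The chain only proves integrity relative to its own head, so in practice the latest hash is also written somewhere the log writer cannot modify (a separate system, a signed daily digest, or write-once media); otherwise an attacker with write access to the archive could simply re-hash the chain after editing it.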
  16. More about SIM / SEM / SIEM coverage. Scope of usage: SIM (log management) + SEM. Standards such as syslog (Unix / Linux, network devices), Eventlog (Windows), journals (mainframe, midrange..); non-standard sources such as logging into files and SQL databases. Usage: central monitoring, finding anomalies, reporting, alerting; collecting and archiving logs, forensics (search all over); threat protection & discovery, incident response, audit support. Advantages / disadvantages (not always): scalability, since security logs are only about 10% of all logs but SIM solutions collect ALL logs, so correlation can be an issue later; functionality, since correlating events from different sources is on a different level than in a SIEM, which is naturally designed to do so.
  17. More about SIM / SEM / SIEM coverage: scope of usage and quality control. SIEM, a must to have! Log and context data collection (SIM); normalization and categorization (SIM); correlation (SEM); notification / alerting (SEM); prioritization (SEM); dashboards and visualization; reporting and report delivery (SIM); security role workflow. SIEM next-generation solutions work at the level of file integrity monitoring, database activity monitoring, application monitoring, identity monitoring and user activity monitoring.
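Slides 16 and 17 name syslog as the main standard input and normalization plus categorization as the SIM stages before correlation. As an added example, not taken from the presentation or from any product it lists, the block below parses RFC 3164-style syslog lines (the `<PRI>` envelope, timestamp, host, program), decodes facility and severity from PRI, and maps each message onto one common schema (category, outcome, user, source IP) with a small rule list. The sample lines, host names and rule set are constructed assumptions; real deployments use far larger rule libraries, but the shape of the pipeline is the same.

```python
"""Normalize raw syslog lines (<PRI>Mon dd hh:mm:ss host prog[pid]: msg) into one
event schema and categorize them with regex rules: the SIM stages that come
before correlation."""
import re
from typing import Dict, List, Optional

# Envelope: <PRI>, timestamp, host, program with optional [pid], then the message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Category rules: (category, outcome, regex whose named groups enrich the event).
RULES = [
    ("authentication", "failure",
     re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>[\d.]+)")),
    ("authentication", "success",
     re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src_ip>[\d.]+)")),
    ("privilege", "success",
     re.compile(r"(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=")),
    ("network", "blocked",
     re.compile(r"DENY .*?SRC=(?P<src_ip>[\d.]+)")),
]


def parse_syslog(line: str) -> Optional[Dict]:
    """Split the envelope; return None for lines the regex cannot parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,          # RFC 3164: PRI = facility * 8 + severity
        "severity": SEVERITY[pri & 7],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "program": m.group("prog"),
        "message": m.group("msg"),
    }


def normalize(line: str) -> Dict:
    """Parsed envelope plus category / outcome / user / src_ip from the first matching rule."""
    event = parse_syslog(line)
    if event is None:
        # Keep unparsed lines instead of dropping them: they are still evidence.
        return {"category": "unparsed", "outcome": None, "raw": line}
    event.update({"category": "other", "outcome": None, "user": None, "src_ip": None})
    for category, outcome, rule in RULES:
        m = rule.search(event["message"])
        if m:
            event["category"] = category
            event["outcome"] = outcome
            event.update({k: v for k, v in m.groupdict().items() if v is not None})
            break
    return event


# Constructed sample lines (not captured from a real system).
SAMPLE_LINES = [
    "<38>Jul  7 08:00:02 srv01 sshd[2211]: Failed password for invalid user oracle from 203.0.113.5 port 51012 ssh2",
    "<38>Jul  7 08:00:09 srv01 sshd[2213]: Accepted password for admin from 203.0.113.5 port 51020 ssh2",
    "<85>Jul  7 08:01:00 srv01 sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/bash",
    "<12>Jul  7 08:01:30 fw01 kernel: DENY IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22",
    "this line is not syslog at all",
]


def categorize_all(lines: List[str]) -> Dict[str, int]:
    """Count events per category, the kind of breakdown a SIM dashboard shows."""
    counts: Dict[str, int] = {}
    for e in (normalize(l) for l in lines):
        counts[e["category"]] = counts.get(e["category"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalize(line))
    print(categorize_all(SAMPLE_LINES))
```

The unparsed bucket matters operationally: the slides note more than 800 log formats in use, so a collector that silently discards what it cannot parse loses exactly the sources nobody wrote a rule for yet. Counting them makes the coverage gap visible.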
  18. Planning a SIEM / LM project? Planning areas (IN THAT ORDER! by Anton Chuvakin): goals and requirements; functionality & features; scope and data collection; sizing; architecting. Deploy log management before SIEM.... Q: Why do You think most SIEM projects failed in the past? A: There was no LM in place; SIEM alone is just not that useful..
  19. Quality and innovations portfolio from DSS. Market leadership in the research of leading market analysts. Close partnership with the local competence center, represented vendors and the regional distributor. Market industry standards and international quality standards.
  20. Solutions to offer. SIM / SIM + SEM: Balabit IT Security syslog-ng Store Box (SSB) + Sawmill. SIEM+: Q1 Labs, the market leader. (Slide figure labelled "Suspected Incidents".)
  21. Balabit IT Security. Founded in 2000, Hungary. 2nd fastest growing IT company in CEE, listed in Deloitte's Top50 research. "The syslog-ng company": its open source log collecting solution is used by 650000 customers worldwide. SIM (log management) and more.
  22. Balabit IT Security. syslog-ng Premium Edition: TLS-encrypted communication, direct SQL access, more than 21 platforms supported, Windows agent with AD, IBM System i agent. syslog-ng Store Box: complete log lifecycle management, web-based user interface, 75000 messages per second, 24GB of messages per hour, encrypted communication, alerting, filtering etc. Shell Control Box ("The Black Box"): monitoring over admins, monitoring over outsourcers.
  23. Balabit IT Security
  24. Balabit IT Security + Sawmill. Sawmill is a software package to analyze log files. It has more than 250000 customers worldwide and works with more than 800 different log file formats. Extremely great reporting. Licensed by report profiles. Enterprise-wide analytics. ** 800+ different log formats supported ** (Slide figure: inputs of web server logs, security logs, network logs, streaming media logs, mail server logs, security events and network events pass through log filtering & parsing into an internal database, ODBC or MySQL; reports & report filters and profiles & schedules produce real-time "live" reports, dynamic reports, static reports for email / publishing as html/csv/pdf, and real-time alerts.)
  25. Balabit IT Security + Sawmill. Balabit syslog-ng is licensed by the number of log source hosts (LSH); licenses for 5, 10, 25, 50, 100, 150, 250... unlimited; unlimited costs about 25K Euro. Balabit SSB is licensed the same way, for 50, 100, 250, 500, 750, 1000... unlimited; depending on options (HA, support, hardware: 1U or 2U, architecture) a project can be between 25K and 150K Euro. Sawmill is licensed by the number of report profiles created and the product type selected, and can vary between 1K and 10K Euro.
  26. Q1 Labs SIEM. (Slide figure: Gartner Magic Quadrant.)
  27. Q1 Labs business card. Q1 Labs: a global leader in the SIEM market, from the USA. Best price / performance. Next-generation SIEM. 2000+ customers worldwide. Gartner 2009 / 2010 Magic Quadrant leader. Biggest independent SIEM vendor among the leaders. Out-of-the-box number of compliances covered: PCI, HIPAA, FISMA, CoCo, NERC, SOX.
  28. Q1 Labs SIEM & much more. Next-generation log management: turnkey log management; SME to enterprise; upgradeable to enterprise SIEM. Next-generation SIEM: integrated log, cyber threat, risk and compliance management; scalable, automated, broad market; network activity information. Next-generation risk management: predictive threat modeling & simulation; automated compliance and policy verification; scalable configuration monitoring & audit; advanced threat visualization / impact analysis. Stackable expansion: event processors, high availability; network activity processors; geographic distribution; horizontal scale; embedded, real-time database. Application & activity monitoring: Layer 7 application monitoring; content aware; identity/user-based visibility of network and application activity; provides visibility into physical and virtual
  29. Q1 in action: malware activity. Potential botnet detected? This is as far as traditional SIEM can go. IRC on port 80? QFlow enables detection of a covert channel. Irrefutable botnet communication: Layer 7 data contains botnet command and control instructions.
  30. Q1 in action: user activity monitoring. Authentication failures: perhaps a user who forgot their password? Brute force password attack: numerous failed login attempts against different user accounts. Host compromised: all this followed by a successful login. Automatically detected, no custom tuning required.
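Slide 30 describes three escalating states: a handful of failures (forgotten password), many failures against different accounts from one source (brute force), and a success from that source shortly afterwards (host compromised). The block below is an added example of such a correlation rule written from the defender's side; it is not Q1 Labs' rule logic or any code from the presentation. It consumes already-normalized authentication events (time, src_ip, user, outcome), keeps a sliding window of failures per source, and raises low / medium / high alerts for the three states. The thresholds, window sizes, event schema and sample events are constructed assumptions.

```python
"""Correlation rule for the sequence on slide 30: many failed logins from one
source against different accounts inside a short window (brute force), then a
successful login from the same source shortly after (host compromised).
Input is a list of already-normalized authentication events sorted by time."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

FAIL_THRESHOLD = 5                    # distinct accounts failed before it counts as brute force
WINDOW = timedelta(minutes=2)         # sliding window for the failures
SUCCESS_GRACE = timedelta(minutes=5)  # how soon after brute force a success escalates


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (severity, rule_name, detail) alerts in event order.

    events: dicts with time, src_ip, user, outcome ('failure' | 'success'),
    as a normalization stage would emit them, sorted by time.
    """
    failures: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)  # src -> (time, user)
    brute_force_at: Dict[str, datetime] = {}   # src -> time the brute-force rule fired
    alerts: List[Tuple[str, str, str]] = []

    for ev in events:
        t, src = _ts(ev["time"]), ev["src_ip"]
        q = failures[src]
        # Expire failures that fell out of the window before evaluating.
        while q and t - q[0][0] > WINDOW:
            q.popleft()

        if ev["outcome"] == "failure":
            q.append((t, ev["user"]))
            distinct = {u for _, u in q}
            if len(distinct) >= FAIL_THRESHOLD and src not in brute_force_at:
                brute_force_at[src] = t
                alerts.append(("medium", "brute_force",
                               f"{src}: {len(q)} failures across {len(distinct)} accounts"))
            continue

        if ev["outcome"] == "success":
            fired = brute_force_at.get(src)
            if fired is not None and t - fired <= SUCCESS_GRACE:
                alerts.append(("high", "host_compromised",
                               f"{src}: success as {ev['user']} after brute force"))
                del brute_force_at[src]   # one escalation per episode
            elif q:
                # A few failures then success: the forgotten-password case, low priority.
                alerts.append(("low", "auth_failure_then_success",
                               f"{src}: {len(q)} failures then success as {ev['user']}"))
    return alerts


def sample_events() -> List[Dict]:
    """Constructed events (not captured from a real system)."""
    base = datetime(2011, 7, 7, 8, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    ev = []
    # Legitimate user: two typos, then success -> low priority only.
    for i, out in enumerate(["failure", "failure", "success"]):
        ev.append({"time": (base + timedelta(seconds=i * 10)).strftime(fmt),
                   "src_ip": "192.0.2.20", "user": "alice", "outcome": out})
    # Another source: six accounts tried within a minute, then admin succeeds.
    for i, user in enumerate(["root", "admin", "oracle", "test", "guest", "backup"]):
        ev.append({"time": (base + timedelta(seconds=60 + i * 5)).strftime(fmt),
                   "src_ip": "203.0.113.5", "user": user, "outcome": "failure"})
    ev.append({"time": (base + timedelta(seconds=120)).strftime(fmt),
               "src_ip": "203.0.113.5", "user": "admin", "outcome": "success"})
    return sorted(ev, key=lambda e: e["time"])


if __name__ == "__main__":
    for alert in correlate(sample_events()):
        print(alert)
```

Keying the window on the source address and counting distinct accounts, rather than total failures per account, is what separates a spray across many users from one user mistyping a password, which is the distinction slide 30 draws between its first two states. The grace period after the brute-force alert is what turns a later success into the "host compromised" escalation instead of a routine login.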
  31. Q1 in action: complex threat detection. Sounds nasty... but how do we know this? The evidence is a single click away. Network scan, detected by QFlow. Buffer overflow exploit attempt, seen by Snort. Targeted host vulnerable, detected by Nessus. Total visibility: convergence of network, event and vulnerability data.
  32. Q1 in action: data loss prevention. Potential data loss? Who? What? Where? Who: an internal user. What: Oracle data. Where: Gmail.
  33. Q1 Labs in figures. Based on selection, sizing, requirements and targets there are different models and ways to move forward: all-in-one solutions; distributed (console, flow processor, event processor, QFlow collector); many upgrade possibilities; HA and DR options. The smallest all-in-one appliance pricing starts at 30K Euro and ends with ...... depends on everything.
  34. Business & personal risk analysis matrix.
  35. "Data Security Solutions" can help. Specialization: IT security. IT security consulting (vulnerability assessment tests, security audit, new systems integration, HR training, technical support). Innovative & selected software / hardware & hybrid solutions from leading technology vendors from over 10 different countries.
  36. Think security first. +371 2 9162784