The document outlines a presentation on Security Information and Event Management (SIEM) by Jim Kaplan and Richard Cascarino, with a focus on its definition, advantages, and operational use in cybersecurity. It discusses the importance of log management, correlation of security events, and the role of various SIEM tools and technologies in threat detection and compliance. Additionally, it addresses challenges in security administration and highlights best practices for effective SIEM implementation.

1. 7/8/2018
1
Richard Cascarino CISM,
CIA, ACFE, CRMA
Cybersecurity Series
– SIEM Log Analysis
About Jim Kaplan, CIA, CFE
 President and Founder of AuditNet®,
the global resource for auditors
(available on iOS, Android and
Windows devices)
 Auditor, Web Site Guru,
 Internet for Auditors Pioneer
 IIA Bradford Cadmus Memorial Award
Recipient
 Local Government Auditor’s Lifetime
Award
 Author of “The Auditor’s Guide to
Internet Resources” 2nd Edition
Page 2

2. 7/8/2018
2
ABOUT RICHARD CASCARINO,
MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino &
Associates based in Colorado USA
• Over 28 years experience in IT audit
training and consultancy
• Past President of the Institute of
Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified
Fraud Examiners
• Author of Data Analytics for Internal
Auditors
3
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit
community as the primary resource for Web-based auditing content. As the first online
audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the
use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and
features:
• Over 2,800 Reusable Templates, Audit Programs, Questionnaires, and
Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit
with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit
technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
Page 4

3. 7/8/2018
3
The views expressed by the presenters do not necessarily represent the views,
positions, or opinions of AuditNet® LLC. These materials, and the oral presentation
accompanying them, are for educational purposes only and do not constitute
accounting or legal advice or create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and complete,
AuditNet® makes no representations, guarantees, or warranties as to the accuracy or
completeness of the information provided via this presentation. AuditNet® specifically
disclaims all liability for any claims or damages that may result from the information
contained in this presentation, including any websites maintained by third parties and
linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply
recommendation or endorsement by AuditNet® LLC
TODAY’S AGENDA
• What is a SIEM?
• Advantages of a SIEM?
• Using SIEM
• Detection of outbound sensitive information
• Data Collection
• Aggregation, Normalization and Enrichment
• Reporting and Forensics
• Challenges in log management
• What comes next?
6

4. 7/8/2018
4
WHAT IS SIEM?
• SIEM = Security Information and Event Management
• SIEM collects log files and security information from internal and
external sources
• Event correlation is used to detect and alert unwanted activities
within the network defined by the organization
• An organization can use the information within the SIEM to
effectively respond and detect security incidents
• The main focus areas which define the fundaments of SIEM are:
1)Log management
2)Correlation
3)Alerting
4)Responding
7
WHY EVENT LOG MANAGEMENT?
• Security Information Event Management
[SIEM] for IT Operations & Compliance Audit
staff
• Regulatory compliance for PCI-DSS, HIPAA,
FISMA, SOX, and GLBA acts
• Monitor and Audit Privileged User activities
• Ensures System Security and Policy
enforcement
• Troubleshoots when things go wrong in the
network
• Monitors systems for optimal performance
• Secured storage of Log data for internal and
compliance audit

5. 7/8/2018
5
CREATING A SECURITY ECO SYSTEM
Security
Firewall
IPS
Malware
WAF
End Point
Network
Routers
Switches
Wireless
Directory
Services
Active
Directory
Users
Groups
Data
Management
Data Loss
Data in
Motion
Data at
Rest
Email
Spam
Malware
Phishing
Physical
Alarms
Surveillance
Access
Control
Businesses
have been
buying these
Solutions For
Years…..
SIEM -Makes
These Pieces
Work As A
Single
Security Eco
System…
SIEM
SIM VS SEM
• Security Information and Event Management
(SIEM) software products and services combine
security information management (SIM) and security
event management (SEM), and provide real-time
analysis of security alerts generated by network
hardware

6. 7/8/2018
6
DIFFERENT BETWEEN IDS AND
SIEM
• IDS = Intrusion Detection System
• “monitors network or system activities for malicious
activities or policy violations and produces electronic
reports to a management station” Wikipedia
• IDS is a “sensor” to the SIEM and help to protect the
organization's network by monitoring suspicious data
packets and requests.
• SIEM is use IDS as a sensor and also sensor from the
DC and the hosts (like antivirus) and not only from the
network.
11
WHY DO ORGANIZATIONS USE
IT?
• Threat management
• The ability to detect risky scenarios and common attacks, as well as
attack paths defined by the organization itself
• Relations are established between events from different sources on the
network
• Compliancy
• Joining the logs and reports of multiple systems within the organization,
enabling an easy access and analysis by a built in framework in each
system
• Forensic support
• The information available within SIEM is very valuable from a forensic
perspective and can greatly aid a forensic analyst in his or her
investigation
• SIEM allows forensic analysts to search within logs of many systems in a
centralized way, without the need of re-collecting the log files of
compromised systems
12

7. 7/8/2018
7
PURPOSE OF SECURITY
TOOLS
• Combining text and visuals
• Reporting
• Monitoring
• Correlating
• Simplify the life of a Security Administrator
FROM GARTNER
• You can buy an SIEM tool – but you can’t buy a
security monitoring capability
• You have to:
• Buy the tools
• Grow the people
• Mature the process

8. 7/8/2018
8
ALSO FROM GARTNER
PROTECTION THROUGH FASTER
DETECTION & RESPONSE
High Vulnerability Low Vulnerability
Months
Days
Hours
Minutes
Weeks
MTTD&MTTR
MEAN TIME TO DETECT (MTTD)
The average time it takes to
recognize a threat requiring further
analysis and response efforts
MEAN TIME TO RESPOND
(MTTR)
The average time it takes to
respond and ultimately resolve the
incident
As organizations improve their ability
to quickly detect and respond to
threats, the risk of experiencing a
damaging breach is greatly reduced
Exposed to
Threats
Resilient to
Threats

9. 7/8/2018
9
LOGGING SOURCES /
SERVICES
Logging Sources
• Syslog and SNMP Trap
• Network
o Cisco IOS
o Snort IDS/IPS
• Servers/Workstations
o Enterprise Linux 3/4/5
o Microsoft Windows
• Applications
o BIND (DNS)
o Exchange
o MS SQL
o Host Intrustion Detection
Logging Services
• SYSLOG
o SYSLOGD
o SYSLOG-NG
o RSYSLOG
• SNMP TRAP
CORRELATION
• Correlation integrates the key security factors
that are critical in determining the potential for
significant damage within an organization.
These factors are:
• Real time events from heterogeneous devices
• Results of vulnerability scans and other sources of
threat data
• The value of the host, database or application to the
organization.

10. 7/8/2018
10
PROBLEMS WITH SECURITY
ADMINISTRATION
• Integration is required
• From firewalls to IDSs to Websense to vulnerability
information to KB
• Challenges
• Too much to look at
• No single standard data format
• Out of sync system clocks
• Correlation becomes difficult
20
CORRELATION TECHNOLOGY
• Security Information and Event Management (SIEM) technology
provides:
• Security Information Management (SIM) – log management and compliance reporting
• Security Event Management (SEM) – real-time monitoring and incident management
for security-related events from networks, security devices, systems and application
• SIEM Technology is typically deployed to support three primary use cases:
• Compliance – Log management and compliance reporting
• Threat Management – real-time monitoring of user activity, data access and
application activity and incident management
• A deployment that provides a mix of compliance and threat management capabilities
• Source: Gartner Magic Quadrant for SIEM.
• http://www.arcsight.com/collateral/whitepapers/Gartner_Magic_Quadrant_2011.pdf

11. 7/8/2018
11
SIEM ADVANTAGES
• Correlation of data from multiple systems and from
different events detecting security and operational
conditions
• Anomaly detection by using a baseline of events over
time to find deviations from expected or normal
behavior
• Comprehensive view into an environment based on
event types, protocols, log sources, etc
• APT (advanced persistent threat) protection through
detection of protocol and application anomalies
SIEM ADVANTAGES
• Prioritization based on risk of threat to assets, staff can triage the
most vulnerable targets
• Alerting and monitoring on events of interest to escalate priority
• Ability to filter events and create custom views to meet business
needs
• Allows organizations to demonstrate adherence to polices and
controls
• Monitor and log the access and use of sensitive data
• Limits exposure to breach disclosure costs by knowing the
number or customer records affected
• Helps reduce risk to business partners and customers by
detecting data loss and fraud
• Reduce costs by replacing redundant functions and technologies

12. 7/8/2018
12
EXAMPLE OF A “USE CASE”
23
THE PROCESS -
LOG MANAGEMENT
24
 Log management is an integral
part of SIEM because, log
entries are greatest source of
information
 Though highly crucial, solely
collecting and aggregating
logs at a central location is not
enough

13. 7/8/2018
13
WHAT’S ON THE LOGS?
• Network Devices, Servers, Security Appliances
• Proxies, Web servers, Antivirus
• Databases, Applications, Desktops
CORRELATION
26
 Correlation of log
entries is performed
based on use
cases. Every use
case consists of
one or more rules
that detect an
unwanted event,
which is defined by
risk scenarios
 To trigger a use
case, one typically
needs to correlate
multiple log entries
from one or more
sources

14. 7/8/2018
14
USING CASES
TOP USE CASES?
• Malware Detection
• NIPS alerts
• Web Proxy Logs
• Tracking System Changes
• Internal log files
• Monitoring outbound connectivity
• Anything suspicious including data transfers
• IDS / IPS alerts
• Web application attacks
• Web server, WAF and Application logs

15. 7/8/2018
15
ALERTING
29
 Alerting abnormal
actions is the core
purpose of the
SIEM, focused on
threat
management
RESPONDING & EVALUATING
30
 Most alerts
require
manual
analysis by a
SOC analyst
 Experience
gained from
handling
incidents or
false-positives
can serve as
an input for a
new use case
or for fine-
tuning

16. 7/8/2018
16
SIEM PITFALLS
• Planning
• Skip the planning, buy the tool and assume ot will all go
together
• Fail to plan the initial scope for deployment
• Deployment
• Don’t go for a phased deployment
• Install the tool then worry about a logging policy
• Operation
• Do not define the SEIM owner
• Assume the tool will run itself
CHOOSE THE DEVICES AND
THEIR LOGS
• Domain controllers
• Databases
• Email servers
• IDS and IPS
• Firewall
• Network Devices
• Antivirus System
32

17. 7/8/2018
17
SIEM OF SIEMS
• Central SIEM server that acts as a parent and
communicates intermediary SIEM servers (called
Child Managers), instead of communicating with the
log sources directly
• The parent and the child managers each take on
deferent responsibilities
• Alerting, filtering, normalization, reporting and
anything else having to do with policy enforcement
are responding of the Child Manager
• Correlated events are forwarded from each Child
Manager to the Global Manager for global correlation
33
VENDOR APPROACHES
• Log Rhythm (http://logrhythm.com/)
• Qradar (http://www.q1labs.com/)
• Prismmicrosystems (http://www.prismmicrosys.com/)
• Nitro Security (http://nitrosecurity.com/)
• Symantec
(https://support.symantec.com/en_US/article.DOC248
0.html)

18. 7/8/2018
18
LOG RHYTHM
• Audit privileged user activity such as new account creation for greater operational
transparency
• Correlate privileged user behavior with specific network activity
• View real-time activity and drill down based on relevant criteria
• Map global relationships to identify communication involving suspicious sources
and/or destinations
• Visualize network communication to identify anomalous patterns and data
transfers
• Deliver real-time alerts on unauthorized access of sensitive data and information
transfers to unapproved recipients
• Independently audit and log data transfer to removable media such as USB drives
and memory cards
• Correlate access of sensitive data with printer logs and user activity
• Independently monitor processes for increased awareness of potential malware
and spyware
LOGRHYTHM TLM PLATFORM
TOP 5 DIFFERENTIATORSTIME TO DETECT TIME TO RESPOND
Forensic
Data
Collection
InvestigateQualifyDiscover RecoverNeutralize
2. Precision Search
3. Holistic Threat
Detection
5. Embedded Security Automation and Orchestration
1. Machine Data Intelligence Fabric (MDIF)
4. Risk-Based Monitoring

19. 7/8/2018
19
QRADAR - IBM
• Hardened, Linux-based appliance solution
• Integrated flow collection enables passive profiling of network asset applying context rules to
discovered assets
• Integration of external VA scanner results applies further context to rules, and weights to
incidents.
• Trend analysis and anomaly detection for detecting statistical anomalies and threshold
violations
• Ability to spot problems based on historical trends and current activity
• Increased forensics by combining fully integrated network activity with log data
• Agentless collection for most log sources, including Windows; Q1 Labs provided Windows
agent option, ALE, reads event data and has plug-ins for sources such as IIS, SQL Server, etc
• Geo-location ability, find traffic location based on IP address
• Product ships with 120 standard correlation rules, 1600 out-of-the-box report templates. Adding
site/industry-specific rules is easy
• Company autoupdates rules with every major release of QRadar
• Correlation rule editor is simple to use -- it resembles Microsoft Outlook's rules wizard
• Appliance has a distributed database (ARIEL) that excels at write-once read many times and
grow incrementally as you add QRadar appliances. Eliminates backend database, enables
efficient High Availability
• Segregation of duties based on job responsibility and business need
• Reports are single-pane view containing all relevant information for reporting and investigation
FULLY INTEGRATED SECURITY INTELLIGENCE
• Turn-key log management and reporting
• SME to Enterprise
• Upgradeable to enterprise SIEM
• Log, flow, vulnerability & identity correlation
• Sophisticated asset profiling
• Offense management and workflow
• Network security configuration monitoring
• Vulnerability prioritization
• Predictive threat modeling & simulation
SIEM
Log
Management
Configuration
& Vulnerability
Management
Network
Activity &
Anomaly
Detection
Network and
Application
Visibility
• Network analytics
• Behavioral anomaly detection
• Fully integrated in SIEM
• Layer 7 application monitoring
• Content capture for deep insight & forensics
• Physical and virtual environments

20. 7/8/2018
20
DataPower Web
Security Gateway
AppScan
BigFix
MobileFirst Protect
(MaaS360)
QRadar SIEM
QRadar Vulnerability
Manager
Key
Lifecycle
Manager
IBM X-Force Research
QRadar Incident Forensics
QRadar Log Manager
Guardium
zSecure
Trusteer Mobile
Trusteer
Pinpoint
Trusteer
Rapport
Consulting
Services
Managed
Services
Network
Advanced
Fraud
Data
Mobile
Applications
Endpoint
Identity
and
Access
Security
Intelligen
ce
SiteProtector
Network Protection XGS
Trusteer ApexQRadar Risk
Manager
Identity Manager
Access Manager Identity Governance and Intelligence
Privileged Identity Manager
EXPAND THE VALUE OF SECURITY
SOLUTIONS THROUGH INTEGRATIONContinuous actionable intelligence
PRISM MICROSYSTEMS
(NOW EVENTTRACKER)
• Software only solution running on Windows O/S
• No database, log data stored in compressed CAB files, SHA-1 and 92% raw log
compression
• Integration into current Active Directory environment, monitors log from major
vendors
• Indexed search with custom keywords
• Allows central management and deployment, monitors business critical
components
• Database Monitoring MS SQL, Oracle, and others via ODBC
• Point and click design of reports
• Provides high-level dashboards to low-level detail
• Optional Agents for Windows, Solaris BSM, IBM iSeries and AS 400
• Windows Agent features
o central management / deployment capability
o monitors USB drives, application logs, network connections, processes,
change audits and config assessments

21. 7/8/2018
21
NITROSECURITY (NOW PART OF MCAFEE 2011)
• Fast Database - High-level to packet level
• No DBA management
• "Single pane of glass" GUI
• Regular expression rules engine
• Multiple filtering options
• Passive database monitoring
• Auto discover feature to find "rogue" database instances
• Resolves "pooled" connections for applications
• Geo-location tracking
• Linux-based appliance - FIPS 140-2/CC EAL Level 3 certified
ADVANTAGES
• Highly feature - rich
• NitroSecurity falls between the pure - play SIEM
providers and the broader security vendors, meaning it
has good focus on the space, but isn’t solely reliant on
SIEM sales for its revenue.
• Users wanting a breadth of features, complete with the
most attractive and intuitive interface, will find an ideal
solution with NitroSecurity

22. 7/8/2018
22
SYMANTEC INFORMATION
SECURITY MANAGER
• Symantec offers the broadest base of deployment
types – software, hardware, virtual hardware, and
managed service offerings, allowing every enterprise
to find a fit.
• Security Information Manager is integrated into
Symantec’s Global Intelligence Network, meaning
system configuration can be adjusted based on more
than just local event data.
• •Symantec is splitting their product into separately
licensable components, so log management can be
deployed to feed cloud SIEM services.
CYBERSECURITY MARKET
THE OTHER SIDE OF THE COIN: OPPORTUNITIES FOR MANY
GDPR
44

23. 7/8/2018
23
45
EUROPE - GDPR: A FIRST CHECKLIST FOR A GENERIC
WEBSITE
FROM MAY 2018
GDPR theme Related
Article(s)
Checklist for a ‘standard’ website
(not elaborating user data)
Right to be informed Art. 5 and ff Privacy notice
Right of access Art. 15 (13, 14) All user data should be accessible after login
Right to rectification Art. 16; notific., Art.
19
All data should be editable by the user
Right to erasure Art. 17 It should be possible to delete an account
Right to restrict processing Art. 18 It should be possible to disable user account, data will
be still visible but can't be changed anymore
Right to data portability Art. 20 It should be possible to provide data export in CSV
format or similar
Right to object Art. 21 Phrase in the privacy notice
Rights related to automated decision
making and profiling
Art. 4(4), Art. 9, Art.
22
No relevant automated processing of personal data
are usually taken on a standard website
Accountability and governance DPO: Artt. 37, 38, 39,
…
Implement appropriate technical and organisational
measures that ensure and demonstrate that you
comply
Notification of data breach within 72
h
Art. 85, 86 Setup a procedure of notification in case of data
breach (when there is risk to the rights & freedom of
individuals)
WHERE ARE YOU?
• Thinking about it
• SIEM deployed and collecting some data
• Periodic SIEM usage, dashboard / report review
• SIEM Alerts and Correlation Rules enabled
• SEIM tuned with;
• Customized filters
• Rules
• Alerts
• Reports
• Advanced monitoring use cases and custom SEIM
content cases

24. 7/8/2018
24
CYBERSECURITY WEBINAR
SERIES
• August 2 - Administrative Control Breaches
• Sept 14 - Vulnerability Assessment
• Sept 27 - Advanced Persistent Threats and targeted
cyber attacks
AUDITNET® AND CRISK
ACADEMY
• If you would like forever
access to this webinar
recording
• If you are watching the
recording, and would like
to obtain CPE credit for
this webinar
• Previous AuditNet®
webinars are also
available on-demand for
CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a
discount on this webinar for one week

25. 7/8/2018
25
THANK YOU! Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email:info@auditnet.org
www.auditnet.org
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino