This document summarizes a SIEM product called RuSIEM. It describes RuSIEM's team and technology, how the product works, its components, data scaling abilities, and performance capabilities. The document also outlines how RuSIEM differs from other SIEM solutions and provides details on installations, correlations, receiving and sending events, analytics, and the product's current status and 2017 roadmap.
This document discusses RuSIEM Analytics, a product that provides log management, security information and event management, and real-time analytics capabilities. It aims to automate business processes, detect security incidents, analyze business metrics, and provide a single interface for employees. The product is already in use by many enterprise customers. It collects data from various sources, normalizes it, stores it for analysis, and ensures continuous data collection. It also provides security incident detection and prevention, reporting, and compliance functions. Real-time analytics are performed to detect incidents, establish baselines, and analyze multiple algorithms. The solution has various applications for IT, security, business units, and other teams.
Log management involves collecting logs from various sources, normalizing the data into a readable format, and using log intelligence and monitoring tools to detect threats, enable incident response and forensic investigations, and ensure regulatory compliance. It provides a centralized way to search logs, correlate events, and generate reports which can help security teams more efficiently investigate issues compared to traditional methods of reviewing raw logs. Challenges include a lack of standard log formats and capturing all activity, but the market for log management software is large and growing due to its importance for compliance needs.
Logs: Can’t Hate Them, Won’t Love Them: Brief Log Management Class by Anton C... (Anton Chuvakin)
Logging is essential for security, operations, and compliance. However, common mistakes in log management include not logging at all, not reviewing logs, retaining logs for too short a time, prioritizing log collection, ignoring application logs, and only searching for known bad events. Effective log management requires collecting all relevant logs and retaining them for appropriate time periods according to a well-defined strategy.
This document provides a summary of authentication techniques and common vulnerabilities. It discusses how over 90% of applications use usernames and passwords for authentication. More secure authentication methods like two-factor authentication are also described. The document outlines various authentication protocols like HTTP, SAML, and JWT. It then details common design flaws such as weak passwords, password change vulnerabilities, account recovery issues, and information leakage. Specific attacks like brute force, credential stuffing, and session hijacking are examined. The summary recommends approaches to secure authentication like strong credentials, hashing passwords, multi-factor authentication, and logging authentication events.
This document discusses ManageEngine's EventLog Analyzer product. It provides an overview of the software, including its editions, system requirements, installation process, and key features. The features section describes the various logs and reports that can be monitored and generated, including dashboards, security logs, application logs, compliance reports, user monitoring, and alert capabilities. It also outlines the configuration options for managing hosts, applications, importing/archiving data, scheduling reports, and customizing alerts and filters.
This document compares message and metric management solutions like Fluentd and Logstash. It discusses how these solutions can collect, store, visualize, and alert on log and metric data from heterogeneous environments. While commercial solutions like Splunk are very expensive, open source solutions like Fluentd, Logstash, Elasticsearch, and Kibana provide similar functionality through various "bricks" or components at no cost. The document analyzes key differences between Fluentd and Logstash, such as their configuration, buffering approaches, high availability features, and plugin ecosystems.
An Introduction to PowerShell for Security Assessments (Enclave Security)
With the increased need for automation in operating systems, every platform now provides a native environment for automating repetitive tasks via scripts. Since 2007, Microsoft has gone “all in” with its PowerShell scripting environment, providing access to every facet of the Microsoft Windows operating system and its services via a scriptable interface. Not only can administrators completely administer and audit an operating system from this shell, but almost all Microsoft services as well, such as Exchange, SQL Server, and SharePoint. In this presentation James Tarala of Enclave Security introduces students to using PowerShell scripts for assessing the security of these Microsoft services. Auditors, system administrators, penetration testers, and others will all learn practical techniques for using PowerShell to assess and secure these vital Windows services.
Learn best practices and demonstrate specific techniques to help you ensure both a successful audit and maintain a state of continuous compliance with the upcoming PCI-DSS 3.2 standards.
Enterprise Logging and Log Management: Hot Topics by Dr. Anton Chuvakin (Anton Chuvakin)
Title: Enterprise Logging and Log Management: Hot Topics
Date & Time: Thursday, April 1, 2010, 11:00am Eastern
Capturing log information is critical to IT organizations for many reasons, including for security incident detection and response, and for compliance with numerous regulations and standards. Join one of the foremost experts on log management, Dr. Anton Chuvakin, as we discuss enterprise logging challenges and issues.
How to Audit a Firewall: Standard Practices for Firewall Audit (keyuradmin)
Firewalls continue to secure a countless number of organizations across the world and remain the first line of defense against known cyber attacks and network risks. An avalanche of IT-led forces and the evolution of the threat landscape have placed an increased onus on firewalls. On the other side, as enterprises extend their business by leveraging internet-driven business models and increasingly collaborative networks, embracing cloud and virtual environments, there is a need to understand how this ties in with the changing role of security technologies such as the firewall. This webinar explains how a tectonic shift in enterprise networking requires rethinking firewall deployment and management for effective security management.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Ch 1: Real-World Incidents
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
This document summarizes steps for auditing a Checkpoint firewall, including:
1) Reviewing the corporate firewall policy and network infrastructure.
2) Running host and network assessment scans to analyze the firewall configuration and rulebase.
3) Ensuring the firewall is properly configured, such as having the latest patches installed and unnecessary services disabled.
4) Examining the firewall's physical security, change control procedures, and backup/contingency plans.
CNIT 152: 6 Scoping & 7 Live Data Collection (Sam Bowne)
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
Bryan Owen of OSIsoft at S4x15 OTDay.
Bryan shows how to harden Windows services generically, and then specifically a service used by OSIsoft's PI Server.
This document discusses the roles and responsibilities involved in incident response (IR). It describes the incident manager who leads the investigation team, and the remediation team leader who coordinates remediation activities. It outlines the IR process including initial response, investigation, and remediation phases. It provides guidance on hiring IR talent, preserving evidence, analyzing data, developing indicators of compromise, and creating reports.
A firewall is a device that controls what gets into and comes out of our network. The firewall is placed between an organization's network and the outside world.
Enterprise-sanctioned application deployments on Infrastructure as a Service (IaaS) cloud platforms are fast becoming a reality. But while IaaS’s flexibility and cost-savings benefits are important, its success as a business solution hinges on its security.
Presented by the renowned industry expert Dr. Avishai Wool, this technical webinar covers security best practices for the Amazon Web Services (AWS) IaaS, including:
* The AWS firewall: what is it, how it differs from traditional firewalls, how it works, and tips for how to use it based on your business and technical needs
* AWS Security Groups: understanding them, and recommendations for how to structure Security Groups to gain visibility and control of security policies effectively
* Integrating AWS into your enterprise data center: recommendations for setup, organization and configuration considerations on AWS
* Auditing and compliance: tools and techniques for tracking security policies across the hybrid data center
A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment (AlgoSec)
How we think about and architect network security has stayed fairly constant for quite some time.
Until we moved to the cloud.
Things may look the same on the surface, but dig a little deeper and you quickly realize that network security for cloud computing and hybrid networks requires a different mindset, different tools, and a new approach. Hybrid networks complicate management, both in your data center and in the cloud. Each side uses a different basic configuration and security controls, so the challenge is to maintain consistency across both, even though the tools you use – such as your nifty next generation firewall – might not work the same (if at all) in both environments.
Presented by AlgoSec and Rich Mogull, Analyst and CEO at Securosis, this webinar explains how cloud network security is different, and how to pragmatically manage it for both pure cloud and hybrid cloud networks. We will start with some background material and Cloud Networking 101, then move into cloud network security controls, and specific recommendations on how to use and manage them in a hybrid environment.
Dos and Don’ts for Managing External Connectivity to/from Your Network (AlgoSec)
In today’s global marketplace your organization needs network connectivity with external entities – suppliers, credit card processing companies, business partners, data feeds etc. But are you really sure these connections are secure and compliant? Are you really sure they are not inadvertently creating holes in your network and exposing your organization to cyber criminals? The Target breach – and many others like it – should at least make you double-check your practices.
Presented by the renowned industry expert Professor Avishai Wool, this technical webinar will cover best practices for managing the external connectivity lifecycle to and from your network, including:
• Defining the right infrastructure, network segmentation, security controls and additional security protections
• Managing changes to connectivity for third party applications or data feeds
• Routing partner traffic through your network
• Auditing and compliance challenges for both you and your partner
• Technical considerations for managing the business and ownership aspects of third party connectivity
This chapter discusses security engineering concepts including security models, evaluation methods, and secure system design. It covers topics such as the Bell-LaPadula and Biba models, evaluation standards like TCSEC and Common Criteria, secure hardware architectures involving CPUs and memory protection, and virtualization and distributed computing concepts. The chapter aims to explain foundational principles for engineering secure systems and applications.
ManageEngine EventLog Analyzer 8 Released. EventLog Analyzer 8 provides the most cost-effective Security Information and Event Management (SIEM) in the market and provides many advanced & powerful features like Universal log parsing and indexing, machine-generated log search engine, log field extraction with interactive regular expression (regex) pattern builder, and many more.
For a college class in Network Security Monitoring at CCSF.
Instructor: Sam Bowne
Course website: https://samsclass.info/50/50_F17.shtml
Based on "The Practice of Network Security Monitoring: Understanding Incident Detection and Response" by Richard Bejtlich, No Starch Press; 1 edition (July 26, 2013), ASIN: B00E5REN34
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Large enterprise SIEM: get ready for oversize (Mona Arkhipova)
This document discusses large enterprise security information and event management (SIEM) systems. It begins by distinguishing SIEM from simple log collection and systems monitoring. It then discusses the IBM qRadar SIEM platform and some of its architecture and performance challenges. The remainder of the document addresses challenges around log collection from various sources like Windows, Unix, databases and custom applications. It provides best practices guides and discusses normalization, indexing and storage of large volumes of log data. Specific metrics are given for the large QIWI SIEM installation handling millions of events per day. The document concludes by discussing automation of security monitoring and response.
Agent-less system and application monitoring with HP OpenView (Stefan Bergstein)
This document discusses agent-less system and application monitoring using HP OpenView products. It compares agent-based and agent-less approaches, describing how agent-less monitoring provides easier deployment but less functionality than agent-based. It then provides details on using OpenView products like OVOW and OVOU for remote monitoring via protocols like WMI, SNMP, and SSH. Finally, it introduces next-generation operations management which provides comprehensive out-of-the-box agent-less monitoring of systems, applications, databases and more with no installation required.
Momentum DNS security: describes how Momentum solves the DNS monitoring problem for a large ISP firm.
Problems solved:
• Monitoring the traffic of a large number of DNS servers
• Precision burst analysis
• Constant DNS attacks
• DNS traffic visibility
Benefits:
• Capture and record all packets
• DNS reporting capability independent of the specific DNS software vendor
• Support for historical trends of DNS traffic at one-second granularity
• Detect attacks from traffic trends or domain statistics
Overview of the current situation in import substitution of information security tools (DialogueScience)
In this presentation the author describes the current situation in import substitution. Questions of applying the regulatory framework are touched upon, and the classes of information security tools are reviewed. An overview of modern Russian information security tools is also given, with recommendations for their use.
Speaker: Sergey Korolkov, technical director of АО «ДиалогНаука» (DialogueScience)
This presentation from Gartner discusses top security trends and takeaways for 2013. It covers trends in infrastructure protection, application security, risk and compliance, identity and access management, and provides an action plan for security leaders. The presentation is confidential and proprietary to Gartner and cannot be further distributed without their permission. It was presented by Earl Perkins, a Gartner research VP, on May 8, 2013.
HP ArcSight: Demonstrating ROI For a SIEM Solution (rickkaun)
This document discusses how SIEM technology can provide a return on investment through cost savings and avoidance. It provides examples from various organizations that implemented SIEM solutions. These organizations were able to reduce costs through automating security tasks, preventing infrastructure expansion, avoiding compliance penalties, and reducing losses. The examples show organizations achieving payback periods ranging from less than a week to 6 months. The document concludes that SIEM benefits far outweigh acquisition costs, with expenses usually paid off within a few weeks or months through hard cost savings and soft benefits like improved security awareness.
This document summarizes the risk service company's team, product, market opportunities, and business plan. The company was founded by two colleagues from a major Russian oil company who envisioned an automated fraud detection solution. Their team now includes analysts, data experts, and developers. The product analyzes internal and external data using innovative techniques to identify suspicious transactions and entities. The company sees opportunities in serving large businesses, banks, and small/medium businesses, and expects to generate over $1 million in revenue by 2018. Currently they are building their product and seeking initial anchor clients to help scale their business.
SIEM-class systems are applicable not only to information security, but can also be used by IT personnel and developers for the timely detection and prevention of incidents.
Testing through monitoring, or holacracy in practice / Maxim Chistyakov (U... (Ontico)
To move fast, you have to move fast :-)
High-speed product development is impossible without continuously rolling out fresh changes to the production environment. This is exactly what allows Ultimate-Guitar to remain the #1 guitar service in the world.
Once upon a time we decided for ourselves that "we move very fast and sometimes break things because of it. A product not delivered to users / an untested hypothesis is worse than temporary unavailability of part of the service. So we remove the barriers between new code and production: we spend time neither on testing nor on strict release management."
Many of the problems that arise concern only operations (data center, OS, links), and monitoring is naturally necessary. Well, since we have monitoring anyway, let's treat the system as a single whole that can fail for various reasons, one of which is a bug in the code. This led us to the idea of using monitoring instead of testing. What this led to, why we love Anturis, Graylog and Grafana, why the main thing in a deploy is a fast rollback, and the other delights of steering the Ultimate-Guitar starship, with a daily population bigger than Moscow, at a speed of 10 deploys/hour: all of this will be covered in this talk:
- On the speed and price of fast development (Innovation Costs).
- Holacracy in branches, "your own release engineer", responsibility and honesty.
- Rollback speed > deploy speed.
- How QA died, or daemons with tail and Graylog.
- When you don't need microservices: making it in 30 seconds, slow Mercurial and the nimble combo Git + Capistrano + Ansible.
- Useless features, Occam's razor and users who actually love changes :-)
The document summarizes an OSINT meetup discussing open-source intelligence (OSINT) and the Recon-ng tool. The meetup agenda included an introduction to OSINT and Recon-ng, a demonstration of the tool's modules and capabilities through test cases, and a special thanks to the creators of Recon-ng. The document promoted freely collecting intelligence from public sources and using tools like Recon-ng to conduct passive reconnaissance and vulnerability hunting.
Vulnerability scanning with a Yandex flavor. Taras Ivashchenko, Yandex (yaevents)
Taras Ivashchenko, Yandex
Information security administrator at Yandex. Information security specialist, free software evangelist, author of Termite and xCobra, and a contributor to the W3AF project.
Talk topic
Vulnerability scanning with a Yandex flavor.
Abstract
The talk will describe the introduction at Yandex of vulnerability scanning of services as one of the security controls within the SDLC (Secure Development Life Cycle). It will cover vulnerability scanning at the service testing stage as well as scanning of services in production. We will look at the problems we ran into and explain why we chose open-source software (the w3af vulnerability scanner), adapted to our needs, as the main mechanism.
- Out of the box: what are the default settings of modern routers?
- Why does the box say 300Mb/s while the real speed is around 140Mb/s?
- How many antennas does a router need?
- Several ways to deal with the neighbors;
- Encryption: hide the network name or not?
A SIEM solution provides the ability to collect, analyze, and manage log data from across an organization. It can collect data from various sources using different protocols and store large volumes of raw data in a scalable platform. This centralized log management allows organizations to generate insightful reports, detect threats in real time, investigate incidents, ensure compliance, and more. By automatically learning baselines of normal activity, a SIEM can detect anomalies and prioritize the most critical alerts. Its analytics capabilities, such as correlation rules and taxonomy-driven classification, further enhance threat detection and security operations.
This document discusses data intensive applications and some of the challenges, tools, and best practices related to them. The key challenges with data intensive applications include large quantities of data, complex data structures, and rapidly changing data. Common tools mentioned include NoSQL databases, message queues, caches, search indexes, and batch/stream processing frameworks. The document also discusses concepts like distributed systems architectures, outage case studies, and strategies for improving reliability, scalability, and maintainability in data systems. Engineers working in this field need an accurate understanding of various tools and how to apply the right tools for different use cases while avoiding common pitfalls.
The document discusses monitoring strategies for cloud infrastructure and applications. It notes that effective monitoring involves more than just collecting data and requires tiered escalation processes and incorporating lessons learned into policies. The document outlines key considerations for what to monitor including infrastructure, software services, and business processes. It also discusses challenges in monitoring cloud environments and strategies for adopting cloud-native monitoring tools.
Dr. Anton Chuvakin provides an overview of SIEM architecture and operational processes. He notes that while a SIEM tool can be purchased, developing a full security monitoring capability requires growing people and maturing processes over time. The document outlines key aspects of deploying, running, and evolving a SIEM program, including common pitfalls to avoid, such as failing to define an initial scope or assuming the SIEM will run itself. It emphasizes taking an "output-driven" approach focused on solving security problems.
Network management involves controlling complex data networks to maximize efficiency and ensure data transmission. It aims to help with network complexity and transparency for users. The key aspects of network management include fault, configuration, security, performance, and accounting management. Network management standards and protocols like SNMP and CMIP allow for monitoring and configuration of network devices. Network management platforms provide the software and tools to integrate and manage different network components from a centralized location.
The document discusses maintaining non-stop services through multi-layered monitoring. It recommends monitoring each process, component and application separately as well as collectively to proactively identify and address problems. A multi-layered approach including monitoring services, applications, operating systems and infrastructure helps correlate information and troubleshoot issues. Visual dashboards can aggregate and display monitoring data across these layers to provide a unified view of system health and performance.
Security Monitoring Course - Ali Ahangari (Ali Ahangari)
This document outlines the topics and modules covered in a security monitoring course. Module 1 covers security monitoring fundamentals including components of a security operations center (SOC), the security monitoring process, and using Splunk as a security information and event management (SIEM) solution. Module 2 focuses on endpoint security monitoring on Windows and Linux systems. Module 3 covers network security monitoring including network protocols, firewalls, and intrusion detection. Module 4 discusses security monitoring functions such as incident response, threat intelligence, and automation.
RPASS - Ricoh Proactive ServiceS for Remote Monitoring & Backup (Ricoh India Limited)
Ricoh provides automated managed IT services that:
- Can be deployed remotely in hours without infrastructure changes and allows remote management from anywhere.
- Automate routine IT tasks through a single centralized framework to efficiently manage systems and demonstrate value to customers.
- Transition companies from reactive break-fix models to proactive IT service delivery through automation of tasks like patching, monitoring and remote management.
Operational intelligence (OI) provides real-time analytics on streaming data to enable proactive decision-making and response, monitoring business activities, detecting events, analyzing trends, and diagnosing root causes. It differs from business intelligence in being activity-centric and analyzing real-time data streams rather than structured data. OI has applications in industries like telecom, banking, retail warehousing, and logistics to improve customer experience, order processing, infrastructure scaling, and security through visibility across IT systems.
The document outlines how to build an effective security program with limited resources as a one-person shop. It discusses establishing people and processes, designing a secure network architecture by dividing the network into zones and applying security controls at boundaries, securing system design through least privilege and centralized logging, performing continuous monitoring through vulnerability scanning and log analysis, obtaining external validation through auditing and penetration testing, and ensuring compliance through following security best practices and frameworks. The overall goal is to prioritize security based on risks through people-focused automation and standardization of processes.
The document discusses three key aspects of deployment and operations for software engineers: telemetry, incident response, and live testing. Telemetry involves collecting various metrics and logs to monitor systems. When incidents occur, the response aims to restore service, analyze the cause, and prevent future occurrences. Companies differ in whether developers or dedicated teams handle incidents. Live testing after deployment identifies weaknesses by intentionally introducing failures or performing maintenance tasks.
This document summarizes a presentation on avoiding "snowflakes", which are uniquely configured systems, when migrating applications to the cloud. The presentation discusses how snowflakes can cause problems with management, updates, and failures. It then outlines how the organization standardized components, implemented infrastructure as code, and adopted other DevOps practices to allow new systems to be set up quickly and reliably while maintaining existing systems in a consistent way during their cloud migration.
The document discusses various aspects of IT asset management including identifying and inventorying hardware and software assets. It highlights the importance of having approved software lists and controlling production code through date-time stamping. Other areas covered include job scheduling, end user computing risks, system performance factors like activity logging and problem/incident management. The document also summarizes change, configuration and patch management processes and the role of database management systems.
Presented by Matt Brasier, C2B2 Principal Consultant, at the Oracle User Group Scotland Conference on the 10th of June 2015
Find out more about C2B2 Oracle SOA Suite services here: http://www.c2b2.co.uk/soa
SIEM enabled risk management, SOC and GRC v1.0 (Rasmi Swain)
SIEM provides a single view of an organization's security by connecting and analyzing data from various security tools and systems. It gives security teams visibility into network activity, vulnerabilities, configurations, and risks. This allows SIEM to be the foundation for risk management, security operations centers, and governance, risk, and compliance programs. By providing security intelligence in real-time from logs, events, and other data sources, SIEM helps organizations detect threats, contain incidents, and ensure ongoing compliance.
This document summarizes a presentation on intrusion detection systems. It discusses the growing risks of e-business and need for intrusion detection strategies. It covers misuse and anomaly detection approaches, and tools that operate at the application, host, and network levels. It also addresses active and passive response techniques, system architectures, technical challenges, legal issues, and commercial and open source intrusion detection systems.
Zentral is an open source tool that aggregates system logs, events, and inventory data from various sources like osquery, Santa, Munki, Jamf Pro, and ELK. It allows filtering and custom actions on events. The demo shows how Zentral can connect Jamf Pro and osquery to detect configuration changes, trigger remediation, and provide an audit trail of management activities across an organization's endpoints and servers.
Unified Monitoring Webinar with Dustin Whittle (AppDynamics)
Listen to the recorded webinar here: https://www.appdynamics.com/lp/q3-unified-monitoring-webinar/
Dustin Whittle, AppDynamics' Director of Web Engineering, covers
-the problems and struggles with monitoring tools today
-how to identify and resolve critical issues before your customers are impacted
-how AppDynamics provides one approach for unified monitoring
And much, much more!
This document discusses telemetry in applications. It defines telemetry as gathering data on application use and performance. Telemetry includes logs, metrics, and traces. Logs provide information for debugging, monitoring, and analysis. Metrics measure performance, health, errors and other indicators. Traces provide low-level debugging information. The document discusses how to implement logging, metrics and tracing in applications and what types of data each provides to various consumers like developers and security teams.
A guide to the event format for software developers, for the purpose of full-fledged logging and integration with any SIEM (Security information and event management) and LM (log management) systems.
RuSIEM provides security information and event management capabilities that can serve as a security operation center (SOC). It allows forwarding of syslog events, notification via email, and triggering of scripts based on correlation rules. RuSIEM has a hierarchical structure that allows distributed event collection, correlation, and storage across multiple nodes that can be remotely managed from a single console. It also offers an "only SOC" option where customer sites install collectors and storage nodes that are managed solely by the SOC for access to incidents and events.
This document discusses using RuSIEM software to collect and forward event logs between different server regions. It provides examples of configuring RuSIEM nodes to:
1. Forward all event logs or logs matching conditions from Server Region A to Server Region B using TCP/UDP or a message queue.
2. Collect logs from other servers in a DMZ and forward to Server Region B, with firewall rules only allowing connections to the DMZ.
3. Stream events from Region A to a load balanced cluster in Region B using a message queue.
4. Correlate events across Region A, B, and C by forwarding selected events to a central HQ using a message queue.
It details the
1) The document discusses IT assets including hardware, software, processes, services, users and groups.
2) IT assets that can be monitored include NetBIOS/FQDN, IP/MAC addresses, processes and their hashes, Windows services, installed software and patches.
3) A SIEM can provide real-time information about changes to assets by monitoring event logs, network traffic, and through active checks and integrations to identify risks, vulnerabilities, and policy violations.
How to create a correlation rule for threat detection in RuSIEM (Olesya Shelestova)
How to create a correlation rule for threat detection in RuSIEM. Case: the Win32/Diskcoder.Petya.C ransomware
Video for this presentation: https://youtu.be/WK5q26iE09I
This document provides step-by-step instructions for deploying the RvSIEM virtual machine and configuring the RuSIEM agent to collect and analyze Windows event logs. Key steps include downloading the RvSIEM virtual image, deploying it in VMware or Hyper-V, configuring the network settings, installing the RuSIEM agent on Windows machines, and configuring the agent to send events to the RvSIEM server for analysis and querying. The document also provides tips on licensing, event searching, and troubleshooting log collection.
Consistent toolbox talks are critical for maintaining workplace safety, as they provide regular opportunities to address specific hazards and reinforce safe practices.
These brief, focused sessions ensure that safety is a continual conversation rather than a one-time event, which helps keep safety protocols fresh in employees' minds. Studies have shown that shorter, more frequent training sessions are more effective for retention and behavior change compared to longer, infrequent sessions.
Engaging workers regularly, toolbox talks promote a culture of safety, empower employees to voice concerns, and ultimately reduce the likelihood of accidents and injuries on site.
The traditional method of conducting safety talks with paper documents and lengthy meetings is not only time-consuming but also less effective. Manual tracking of attendance and compliance is prone to errors and inconsistencies, leading to gaps in safety communication and potential non-compliance with OSHA regulations. Switching to a digital solution like Safelyio offers significant advantages.
Safelyio automates the delivery and documentation of safety talks, ensuring consistency and accessibility. The microlearning approach breaks down complex safety protocols into manageable, bite-sized pieces, making it easier for employees to absorb and retain information.
This method minimizes disruptions to work schedules, eliminates the hassle of paperwork, and ensures that all safety communications are tracked and recorded accurately. Ultimately, using a digital platform like Safelyio enhances engagement, compliance, and overall safety performance on site. https://safelyio.com/
UI5con 2024 - Keynote: Latest News about UI5 and its Ecosystem (Peter Muessig)
Learn about the latest innovations in and around OpenUI5/SAPUI5: UI5 Tooling, UI5 linter, UI5 Web Components, Web Components Integration, UI5 2.x, UI5 GenAI.
Recording:
https://www.youtube.com/live/MSdGLG2zLy8?si=INxBHTqkwHhxV5Ta&t=0
WWDC 2024 Keynote Review: For CocoaCoders Austin (Patrick Weigel)
Overview of WWDC 2024 Keynote Address.
Covers: Apple Intelligence, iOS18, macOS Sequoia, iPadOS, watchOS, visionOS, and Apple TV+.
Understandable dialogue on Apple TV+
On-device app controlling AI.
Access to ChatGPT with a guest appearance by Chief Data Thief Sam Altman!
App Locking! iPhone Mirroring! And a Calculator!!
Using Query Store in Azure PostgreSQL to Understand Query Performance (Grant Fritchey)
Microsoft has added an excellent new extension in PostgreSQL on their Azure Platform. This session, presented at Posette 2024, covers what Query Store is and the types of information you can get out of it.
Unveiling the Advantages of Agile Software Development.pdf (brainerhub1)
Learn about Agile Software Development's advantages. Simplify your workflow to spur quicker innovation. Jump right in! We have also discussed the advantages.
Flutter is a popular open source, cross-platform framework developed by Google. In this webinar we'll explore Flutter and its architecture, delve into the Flutter Embedder and Flutter’s Dart language, discover how to leverage Flutter for embedded device development, learn about Automotive Grade Linux (AGL) and its consortium and understand the rationale behind AGL's choice of Flutter for next-gen IVI systems. Don’t miss this opportunity to discover whether Flutter is right for your project.
E-commerce Development Services - Hornet Dynamics (Hornet Dynamics)
For any business hoping to succeed in the digital age, having a strong online presence is crucial. We offer Ecommerce Development Services that are customized according to your business requirements and client preferences, enabling you to create a dynamic, safe, and user-friendly online store.
Microservice Teams - How the cloud changes the way we work (Sven Peters)
A lot of technical challenges and complexity come with building a cloud-native and distributed architecture. The way we develop backend software has fundamentally changed in the last ten years. Managing a microservices architecture demands a lot of us to ensure observability and operational resiliency. But did you also change the way you run your development teams?
Sven will talk about Atlassian’s journey from a monolith to a multi-tenanted architecture and how it affected the way the engineering teams work. You will learn how we shifted to service ownership, moved to more autonomous teams (and its challenges), and established platform and enablement teams.
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf (VALiNTRY360)
Salesforce Healthcare CRM, implemented by VALiNTRY360, revolutionizes patient management by enhancing patient engagement, streamlining administrative processes, and improving care coordination. Its advanced analytics, robust security, and seamless integration with telehealth services ensure that healthcare providers can deliver personalized, efficient, and secure patient care. By automating routine tasks and providing actionable insights, Salesforce Healthcare CRM enables healthcare providers to focus on delivering high-quality care, leading to better patient outcomes and higher satisfaction. VALiNTRY360's expertise ensures a tailored solution that meets the unique needs of any healthcare practice, from small clinics to large hospital systems.
For more info visit us https://valintry360.com/solutions/health-life-sciences
2. Our Team
• Development has been under way since 2014
• Team members have extensive experience in development
• Product architects have development experience beyond SIEM
• RuSIEM's technology is based on practical experience with and use of SIEM/LM
• Our product is already functional and is working stably
• RuSIEM has already been used successfully in many enterprise companies worldwide
• We are residents of Skolkovo
3. • Your company has a lot of devices, databases and different systems
• Many different vendors
• Many errors
• Big chaos
• Nobody knows what is really happening
4. Why you need control:
• System downtime, data loss and leakage have a negative impact on business
• In some cases, you can prevent an incident at an early stage
• Compliance with standards must be assessed in real time, rather than after the fact
• You must preserve the facts needed to investigate the causes of incidents, because the source event logs will be lost
Raising awareness about what is going on and obtaining control over it
5. There are two approaches to using SIEM:
1. You have a problem with controlling something. For example, anti-fraud, control of privileged user actions, monitoring employees' visits to the office, or even assessing the causes of your customers' failures on the site
2. Your infrastructure has a lot of heterogeneous devices and software. You need to solve the problems associated with their operability, attacks on them, their performance and their vulnerabilities.
6. In either case:
• Monitoring should be automatic
• Operators must be notified immediately in the event of critical incidents
• The system must be controllable and customizable
• There should be details about what happened
7. • Almost any software and hardware reports in its event logs what is happening to it: failures, sequences of user actions, vulnerabilities, denial of service, etc.
• If you are able to analyze these events, you can automatically evaluate the state of systems and the influence of external factors on their operation.
• A person cannot evaluate a large number of events by themselves, nor their relationships to various factors
• Program algorithms can see not only the status of a single system, but also the relationships among thousands of such systems working together
8. SIEM: Purpose
• Real-time monitoring of events from the infrastructure and business systems
• Understanding what is going on at all levels (network, OS, business processes, databases, transactions)
• Recording incidents
• Fast response to emerging incidents
• Providing the evidence base for lawsuits
• Collecting and providing the basis for investigating possible incidents
• Inventory of software, hardware, user accounts and privileges
• Standards compliance, policy compliance
9. Variety of incident types
• Unauthorized access
• Information security threats (spam/malware/data leak/anti-fraud/etc.)
• Abuse of official authority
• Software, network and hardware failures
• Service availability violations
• Financial fraud
• Control of software installation and use
• Detection of changes in the network infrastructure and software environment
• Control of user actions at the database level
• Any other
10. Common SIEM scheme
Diagram: sources (user actions, network, hardware, applications, active checks) -> RAW events -> Normalize -> Real-time processing -> Save, Search, Report
11. The Input Is…
• Absolutely any event
• It may be obtained from active checks, queries, passive techniques and other sources
• Operating systems, transactions, access control systems, business systems, databases, network infrastructure, applications, etc.
12. SIEM
• Translates events into a uniform format (parsers)
• Enriches events with additional data
• Correlates millions of events, looking for malfunctions, anomalies and bursts, and matching them against the described threats
• Immediately alerts operators about detected threats and anomalies
• Performs proactive measures to minimize the risks arising from threats
• Saves events for analysis and lawsuits
19. Installation Variety
• 1 LM, minimal
• 1 SIEM, minimal
• 2 or more LM servers + 1 SIEM
• Array of SIEM servers + a lot of LM
• 1 SIEM server + Analytics
• SIEM + Analytics + Network sensor
Restrictions:
• Analytics cannot be installed without SIEM
• SIEM, Analytics and the Network sensor must be on separate servers
20. Data Scaling
• Different dataset per server node in a single cluster
• A single request to all the nodes or to a specific one
• Ability to place the Web console on any node
• Physical separation of the data nodes is possible
• Fast correlation without copying all data between nodes
• Connecting event sources to one node or to different ones
Diagram: Source group-1 and Source group-2 -> MQ -> server nodes
21. Single Data Cluster
Diagram: Source group-1 and Source group-2 -> MQ -> cluster nodes
• A single set of data
• Database replication with native tools
• Possibility to limit replication
• Ability to work with events on a dedicated node to increase the speed of search queries
22. Hybrid Location of the Data
• Single and/or different sets of data
• Correlation across server nodes in different locations
• Possibility of locating the console on any of the nodes
Diagram: Data-set 1, Data-set 2 and Data-set 3 connected through the MQ
23. Data Layer Scaling
Diagram: data layers: events data; KB and incidents; analytics; correlation counters and triggers
• We can scale any data layer
• Cluster with a different set of data per node, or with full copies
• Size of the database has no limits
• Cluster provides minimal response time and maximum performance
24. RuSIEM Agent
• Out of the box: supports all MS Windows OS from Windows 2003 onward
• Requires .NET 4.0+
• Installs either on endpoints or as a central collector
• One agent collects locally or remotely from a multitude of sources at once, including multi-format sources
• Universal connectors:
  • File log (txt, csv, w3c)
  • FTP/SFTP/FTPS
  • MySQL
  • Oracle
  • MS SQL
  • Hash process map
  • WMI query
  • SDEE
  • Windows Event Log (any journal)
25. Features of SIEM Agent
• Fully manageable from the web console of a single management server
• Modular architecture
• Supports DHCP and ARP-proxy
• Agent and module updates from the management server
• Transfers agent logs to the management server and saves them locally
• Uses pre-defined accounts in the console for each source
• Continuous collection to secure local storage in case of connection loss with the server
• Adjustable polling parameters per source
• Encryption and secure local event storage
• Encrypted communication channel between agent and server
• The management server and the logger may be different servers
26. Correlation
• Single-event correlation
• By the number of events
• Complex logical conditions
• Sequences of events/conditions
• Incident accounting
• Using symptoms
• Using arrays containing lists of values
• Ability to run commands with incident parameters passed in: proactive actions. Example: run block.sh [src][ip], where src.ip comes from the triggering incident
• Time ranges in which rules operate
• Limiting the zone of incident visibility for other personnel/user groups
• Setting priorities/theme and descriptions of the incident; assignment to users and groups
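As an added example (not RuSIEM's own code), the following Python sketch shows how the rule types on this slide fit together: a count rule with a sliding time window and an operating time range, a sequence rule, and a proactive action whose command template is filled from the triggering incident's fields in the "[src][ip]" style. The rule names, event fields and the block.sh command are constructed assumptions, and the rendered command is never executed.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Callable, Optional

@dataclass
class Incident:
    rule: str
    key: str
    event: dict
    action: Optional[str]  # rendered command string; rendered here, never executed

def render_action(template, ev):
    """Fill [field][subfield] placeholders from the triggering event: 'block.sh [src][ip]' -> 'block.sh 10.0.0.5'."""
    if template is None:
        return None
    return re.sub(r"\[(\w+)\]\[(\w+)\]",
                  lambda m: str(ev.get(m.group(1), {}).get(m.group(2), "")), template)

@dataclass
class CountRule:
    """'By the number of events': fires when `threshold` matching events share one key within `window` seconds."""
    name: str
    predicate: Callable[[dict], bool]
    key: Callable[[dict], str]
    threshold: int
    window: int
    action: Optional[str] = None
    active: Optional[tuple] = None  # (start, end) time of day in which the rule operates
    buckets: dict = field(default_factory=lambda: defaultdict(deque))
    def feed(self, ev):
        ts = ev["ts"]
        if not self.predicate(ev):
            return None
        if self.active and not (self.active[0] <= ts.time() <= self.active[1]):
            return None  # outside the rule's time range of operation
        k = self.key(ev)
        q = self.buckets[k]
        q.append(ts)
        while q and ts - q[0] > timedelta(seconds=self.window):
            q.popleft()  # drop timestamps that fell out of the sliding window
        if len(q) >= self.threshold:
            q.clear()  # one incident per burst
            return Incident(self.name, k, ev, render_action(self.action, ev))
        return None

@dataclass
class SequenceRule:
    """'Sequence of events/conditions': `steps` must match in order for one key within `window` seconds."""
    name: str
    steps: list
    key: Callable[[dict], str]
    window: int
    action: Optional[str] = None
    state: dict = field(default_factory=dict)  # key -> (next step index, ts of first step)
    def feed(self, ev):
        k = self.key(ev)
        idx, first = self.state.get(k, (0, ev["ts"]))
        if ev["ts"] - first > timedelta(seconds=self.window):
            idx, first = 0, ev["ts"]  # partial sequence expired; start over
        if self.steps[idx](ev):
            if idx == 0:
                first = ev["ts"]
            idx += 1
            if idx == len(self.steps):
                self.state.pop(k, None)
                return Incident(self.name, k, ev, render_action(self.action, ev))
        self.state[k] = (idx, first)
        return None

def run(rules, events):
    """Push time-ordered normalized events through every rule and collect the incidents."""
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in rules:
            inc = rule.feed(ev)
            if inc:
                incidents.append(inc)
    return incidents

def demo():
    """Constructed events: five failed logons from one source, a successful logon for the
    same user, and one unrelated failure from another source (no incident for it)."""
    t0 = datetime(2017, 3, 7, 10, 0, 0)
    def ev(sec, typ, ip, user):
        return {"ts": t0 + timedelta(seconds=sec), "type": typ, "src": {"ip": ip}, "user": user}
    events = [ev(s, "auth_fail", "10.0.0.5", "bob") for s in (0, 10, 20, 30, 40)]
    events += [ev(50, "auth_ok", "10.0.0.5", "bob"), ev(5, "auth_fail", "10.0.0.9", "alice")]
    rules = [
        CountRule("auth-failure-burst", lambda e: e["type"] == "auth_fail", lambda e: e["src"]["ip"],
                  threshold=5, window=60, action="block.sh [src][ip]", active=(time(9, 0), time(18, 0))),
        SequenceRule("success-after-failures", [lambda e: e["type"] == "auth_fail",
                     lambda e: e["type"] == "auth_ok"], lambda e: e["user"], window=300),
    ]
    return run(rules, events)
```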
27. Receive & Send Events to Other Systems
• Sending incident notifications by e-mail
• Sending normalized/raw events
• Sending events by condition/pattern
• TLS-encrypted channel to send and receive events
• Translating any event source format to CEF for other systems
• Receiving syslog as plain text/CEF/JSON
• Supports all RFC syslog formats
28. What is Analytics?
• Classic SIEMs have the same set of mechanisms (normalization, correlation, etc.)
• But to detect a threat you have to write a correlation rule. No rules, no automatic threat detection
• For analytics, other vendors offer dedicated, powerful data centers
• The customer's local hardware is not enough
• Transferring events to those data centers is often difficult because of data privacy
• If the data is anonymized, the analytics lose their meaning
29. Analytics
• Our analytics component is installed on a dedicated server (or servers) and has custom artificial intelligence mechanisms
• We were able to adapt the intelligence mechanism to work on limited hardware
• And it works!
• Baseline on selected key fields in analytics rules
• Symptom aggregation by host/user/etc.
• Feeds
• Assets
• Statistics
• Complex calculations
30. How it works
• Our Storm applications work in real time with normalized events
• Different applications receive data sets from the events and analyze them
• When an anomaly is detected, an event is generated and sent to correlation
• Correlation rules are used to clarify and minimize false positives
31. Analytics example
• Anomalies and incidents are accompanied by a surge of specific events. For example, if users cannot place an order on the site because of errors, or the delivery time of ordered goods is affected, there is likely to be a spike in unplaced orders or in the number of server errors compared with other days of the week; for example, a level that is not typical for a Tuesday, a Saturday, or whatever day of the week it is.
• Our analytics component uses the Baseline to keep track of this anomaly, sends an event to correlation and creates an incident
32. Analytics example
• Suppose we know nothing about the threat. Something happened to the hardware or software and produced some errors in the event log
• The analyst sets up a rule that tracks errors in the context of hosts
• A surge of events that is not typical for that host, or events that are not described in the correlation rules or symptoms, generates an incident about this anomaly
• The source of information about the anomaly can be not only events from that host but also data from other systems (black-box method) or network traffic
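The two analytics examples above (a surge of errors on a host measured against its own weekday baseline, events never seen on that host before, and a correlation step afterwards to cut false positives) as an added, runnable illustration. This is example code written for this summary, not RuSIEM's own code or its Storm applications; the event layout (ts/host/event_id/severity), the five-week history window, the z-score rule, and the maintenance-window suppression in the correlation step are all assumptions made for the demonstration.

```python
"""Baseline anomaly detection on normalized events, followed by a correlation step.

Added example, not RuSIEM code. The event layout (ts/host/event_id/severity),
the history window, the z-score rule and the maintenance-window suppression
are assumptions made for this demonstration.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

HISTORY_DAYS = 35      # five weeks of history per host and weekday (assumption)
Z_THRESHOLD = 3.0      # flag a day whose error count is more than 3 sigma above baseline
SIGMA_FLOOR = 1.0      # avoid dividing by a tiny deviation on a very stable host


def make_sample_events(today):
    """Constructed sample data: one 'error' event per daily error on two web hosts.
    History follows a weekday pattern (10 + weekday, +1 on alternate weeks);
    today web-01 spikes to 80 errors and web-02 to 50, and web-01 also emits an
    event id that was never seen on it before."""
    events = []
    for back in range(1, HISTORY_DAYS + 1):
        d = today - timedelta(days=back)
        n = 10 + d.weekday() + (back // 7) % 2
        for host in ("web-01", "web-02"):
            events += [{"ts": d, "host": host, "event_id": 500, "severity": "error"}
                       for _ in range(n)]
    events += [{"ts": today, "host": "web-01", "event_id": 500, "severity": "error"}
               for _ in range(79)]
    events.append({"ts": today, "host": "web-01", "event_id": 1003, "severity": "error"})
    events += [{"ts": today, "host": "web-02", "event_id": 500, "severity": "error"}
               for _ in range(50)]
    return events


def daily_counts(events, severity="error"):
    """Count events of the given severity per (host, day)."""
    counts = Counter()
    for e in events:
        if e["severity"] == severity:
            counts[(e["host"], e["ts"])] += 1
    return counts


def baseline(counts, host, today):
    """Mean and deviation of the host's count on the same weekday over the history window."""
    samples = [counts.get((host, today - timedelta(days=back)), 0)
               for back in range(7, HISTORY_DAYS + 1, 7)]
    return mean(samples), max(pstdev(samples), SIGMA_FLOOR)


def detect_surges(events, today):
    """Analytics rule 1: today's error count is far above the host's weekday baseline."""
    counts = daily_counts(events)
    hosts = {host for host, _ in counts}
    anomalies = []
    for host in sorted(hosts):
        mu, sigma = baseline(counts, host, today)
        observed = counts.get((host, today), 0)
        z = (observed - mu) / sigma
        if z > Z_THRESHOLD:
            anomalies.append({"type": "error_surge", "host": host, "count": observed,
                              "baseline": round(mu, 2), "zscore": round(z, 2)})
    return anomalies


def detect_unseen(events, today):
    """Analytics rule 2: event ids that appear on a host today but never in its history."""
    seen = defaultdict(set)
    for e in events:
        if e["ts"] < today:
            seen[e["host"]].add(e["event_id"])
    new = {(e["host"], e["event_id"]) for e in events
           if e["ts"] == today and e["event_id"] not in seen[e["host"]]}
    return [{"type": "unseen_event", "host": h, "event_id": i} for h, i in sorted(new)]


def correlate(anomalies, maintenance_hosts):
    """Correlation stage: turn anomalies into incidents, suppressing hosts that are in a
    planned maintenance window (a constructed false-positive filter)."""
    incidents = []
    for a in anomalies:
        if a["host"] in maintenance_hosts:
            continue
        incidents.append({"incident": f"{a['type']} on {a['host']}", **a})
    return incidents


def run(today=date(2017, 3, 14)):
    """Run both analytics rules and the correlation step over the constructed data.
    The default date is a Tuesday, chosen for the demonstration."""
    events = make_sample_events(today)
    anomalies = detect_surges(events, today) + detect_unseen(events, today)
    return anomalies, correlate(anomalies, maintenance_hosts={"web-02"})


if __name__ == "__main__":
    for incident in run()[1]:
        print(incident)
```

Running it reports two incidents for web-01 (the error surge and the never-before-seen event id). The surge on web-02 is also detected by the analytics rule but dropped by the correlation step, because that host is in the constructed maintenance list; that suppression is the kind of clarification a correlation rule adds on top of the raw anomaly.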
33. Box vs. Customization
• Division into system and user entities
• Predefined reports, dashboards, symptoms, correlation rules, and search query examples
• Ability to change correlation rules, reports, and other entities without writing code
• Individual views for each user
• Connecting a new source takes from 3 hours to 3 days
34. Web interface
• All management of servers and agents is performed from the web console in common browsers (Chrome/Opera/etc.)
• Optimized for mobile devices
• Languages: Russian, English (other languages can be added)
• Secured with HTTPS
• Role-based access separation: roles are either preset or created by the user with their access rights
• LDAP pass-through authentication or internal authentication
35. System Update
• Online update, or offline update without an internet connection
• Component-wise update option
• The update servers do not receive any customer data
• Updates are supported through a proxy or sslstrip
• Update schedule:
• Feeds: every hour;
• Correlation rules and symptoms: every day, with forced emergency updates;
• Binary and configuration updates: daily/weekly.
36. What Makes Us Different From Other SIEM
• No need to transmit all events from remote offices for correlation
• Flexible, unique correlation rules and symptoms allow an analyst to detect even new, unknown threats earlier
• No separation between online and archived samples, which lets you store important events for a longer period
• The symptom model lets even novice operators work with events more flexibly
• Analytics built into the product lets you detect threats even without writing correlation rules
• High performance and no limits on storage, EPS, or scaling
…and other system capabilities based on practical experience of applying SIEM
37. Current status
• Our product is already functional and is working stably
• It is installed at many customers and used successfully (banks, oil and gas industry, online shops, service providers, SOCs, telecoms)
• We are constantly working to improve and develop the product, adding new tools and connecting new sources and collection methods
38. Performance
• Over 30 000 EPS per virtual node
• Over 90 000 EPS per server on a hardware appliance
• No scalability limits on EPS or storage
Minimal hardware requirements by event rate:

Resource            2 000 – 5 000 EPS        5 000 – 10 000 EPS       10 000 – 30 000 EPS   30 000 – 90 000 EPS
CPU cores           2-4                      4-6                      8-14                  14+
CPU count           1-2                      2+                       2-4                   4+
CPU clock, GHz      2+                       2+                       2.4+                  3.2+
RAM, GB             16                       24-32                    64-128                64-128+
HDD speed, rpm      7200+                    7200+                    7200+                 7200+
HDD mode            Stand-alone, SAS/SATA    Stand-alone, SAS/SATA    RAID 5+               RAID 5+ performance,
                                             or RAID mirror mode                            SSD for system disk
HDD size for OS     100 GB                   100 GB                   150 GB                200 GB
HDD size for data   300+ GB                  600+ GB                  1 TB+                 3 TB+
39. Knowledge base
Preset in the default installation:
• More than 2000 symptoms (frequently replenished)
• 300+ correlation rules
• 50+ typical reports
• 300+ event parsers for different source types
• Through the graphical designer, users can create their own rules, reports, and symptoms without writing code
• Our team of analysts monitors current threats in real time and adds rules to detect them
• We help our customers with implementation projects, connecting event sources and defining the threats typical for them
40. 2017 Roadmap
• MSSP, managed security service provider
• SOC-oriented
• Separation of access to sets of events according to the role model
• Infrastructure inventory: passive and active checks, asset management
• Building a vulnerability management process, integration with scanners
• Centralized management of all components
• Filling the knowledge base
• Development of mechanisms for detecting threats at an early stage
• Development of policy/standard compliance: PCI, SOX, and others
• Evolution of approaches to assessing the impact of threats on business processes
41. Contacts
Web site: https://www.rusiem.com (Russian only at this moment)
Facebook: https://www.facebook.com/rusiem
E-mail: support@rusiem.com
Olesya Shelestova, CEO, co-founder: oshelestova@rusiem.com (skype, e-mail)
Maxim Stepchenkov, co-founder: m.stepchenkov@it-task.ru
Thank You!