Syslog for SIEM using iSecurity
•Download as PPT, PDF•
0 likes•470 views
This presentation reviews Raz-Lee's syslog solution for integrating with all SIEM solutions offered, and lists our business partners in this area.
More Related Content
What's hot
What's hot (20)
Similar to Syslog for SIEM using iSecurity
Similar to Syslog for SIEM using iSecurity (20)
More from Raz-Lee Security
Recently uploaded
Recently uploaded (20)
Syslog for SIEM using iSecurity
- 1. Syslog for SIEM Products Using iSecurity Real-Time Monitoring of IBM i Security Events
- 2. Syslog – Why and How? • Fact: Multi platform environments are increasingly the norm worldwide • Goal: • To consolidate relevant event information from multiple environments to a single console • This requires a SIEM (Security Information & Event Manager) solution • Optimally, security event information should be both infrastructure related and also application related. • Method: Syslog is the most widely used protocol for sending alert messages in real time to SIEM solutions. • iSecurity products for IBM i security, auditing and compliance interface with the SIEM solutions on the following slide
- 4. System Information & Event Manager (SIEM) Products IBM i IBM iPCPC Linux Unix MF Individual & Multiple IBM i Systems iSecurity Syslog (After optional filtering) Typical Syslog Environment … and other SIEM Products
- 5. Issue Real-Time Alerts via iSecurity Action QAUDJRN (Audit) Network Security (Firewall) Critical OS messages (QSYSOPR/ QSYSMSG) Database Journals (AP Journal) Authority changes (Authority on Demand) Real-Time Alert handling in iSecurity Execute CL Scripts Send e-mail Write to SYSLOG Write to MSGQ Send SMS text message, SNMP, Twitter, etc.
- 6. 6 Compliance Evaluator Visualizer Syslog, SNMP Evaluation Protection Firewall Authority on Demand Anti-Virus Screen Password Native Object Security Command Databases DB-Gate AP-Journal View FileScope iSecurity Overview – Syslog Coverage Assessment PCI, HIPAA, SOX or Security Breach or Management Decision Auditing Audit & Action Capture User Management System Control User Profile & SV Replication Change Tracker Central Admin
- 7. 7 iSecurity Functional Overview- Syslog Coverage EvaluationEvaluation Compliance Evaluator for SOX, PCI, HIPAA… Visualizer- BI for security Syslog, SNMP for SIEM AuditingAuditing Audit QAUDJRN, Status… Real-time Actions, CL scripts Capture screen activity User Management Central Admin of multiple LPARS User Profile & SV Replication Track Source & Object Changes ProtectionProtection Firewall FTP, ODBC,… access Obtain Authority on Demand Monitor CL Commands Native Object Security Anti-Virus protection Manage Screen Timeouts DatabasesDatabases DB-Gate: SQL to non-DB2 DBs (Oracle, MS SQL,…( AP-Journal for DB audit, filter, archive, real-time alerts View/hide sensitive data FileScope secured file editor Security Assessment FREE! PCI, HIPAA, SOX… Security Breach Management Decision
- 8. iSecurity Syslog Features (1/2) • Sends security event alerts simultaneously to up to 3 SIEM products / IP addresses • Sends security event information originating from: • the system’s infrastructure (QAUDJRN, network access, virus detection, user profile changes, user requests for stronger authorities, etc.) • business-critical applications, both from field level writes & updates and also unauthorized READ accesses to sensitive data • Single keyword support for LEEF (QRadar) and CEF (ArcSight) formatted messages • Supports UDP, TCP and encrypted TLS syslog types
- 9. iSecurity Syslog Features (2/2) •Includes advanced filtering capabilities and specific severity settings to fine- tune which events are sent to a particular SIEM •“Super fast” iSecurity Syslog implementation enables sending extremely high volumes of information with virtually no performance impact. •Syslog message structure is easily definable by each site and can include event-specific values such as user profile name, IP address, field-level before & after values, etc. •Syslog Self-Test enables pre-testing syslog messages to a local server before actually sending the messages to a remote Syslog server
- 10. Syslog Success Stories (names available upon request) • Large insurance company • Sends all field-level data changes via AP-Journal’s Syslog facility to SIEM • Monitors changes to ensure that only authorized PROD* users who also have “change” authority, are the ones who changed data by more than X% or by a specific amount. • More than 1000 transactions/second are sent via Syslog; CPU overhead <1% • Benefit: It is much easer to manage the journal change file on a PC rather than on an IBM i • AP-Journal also produces field-level change reports which are sent to corporate and application managers • Second phase of the project was the integration of Syslog from Audit (based on QAUDJRN system journal) and Firewall
- 11. Syslog Success Stories (names available upon request) • Very large mortgage bank • Monitors all Firewall network access rejects, sending reject information via Syslog to SIEM • Monitors all QAUDJRN system journal activities via Audit, sending important event information via Syslog • SIEM performs advanced forensic analysis on Firewall and Audit log information • Use iSecurity to provide audit reports to both internal and external auditors
- 12. Syslog Success Stories (names available upon request) • Large national airport authority • For years they sent alerts to internal AS/400 message queues. Simply by checking message headers, the Syslog facility now sends SNMP alerts to a SIEM product. • All definitions of new user profiles with high authorities, or changes to such user profiles, are sent as SNMP alerts. • Implemented “mass SNMP” capability; they defined which QAUDJRN audit types DO NOT send SNMP traps, and all QAUDJRN entries with the other audit types therefore automatically send, en masse, event information. Accomplished with very little overhead.
- 13. Main Control Screen for SIEM & DAM Up to 3 SIEM servers are supported.
- 14. Syslog Attribute Definitions Maximum message structure flexibility. Support for LEEF & CEF formats. Syslog Parameters are easily defined. This option is shown on the following slide.
- 15. Set Syslog handling per Audit sub-type Severity level can be set for each audit entry-type / sub-type combination and for each of up to 3 SIEM servers.
- 16. Syslog Self-Test: Pre-test syslog messages locally before sending to remote Syslog server
- 17. GUI- Set Syslog handling per Audit sub-type
- 18. Variables beginning with & are replaced with actual event values. &DPRICE(B) is the previous price (“before value”) of the item. Defining Syslog message format in Action
- 19. Syslog messages: note multi- product, multi-system & multi- IP messages. Syslog Messages in (free) Kiwi Syslog Daemon
- 20. Note real-time user-defined messages from AP-Journal include before and after quantity and price values. Syslog Messages in (free) Kiwi Syslog Daemon
- 21. Syslog in iSecurity – Summary • Easy to define, Easy to use, Easy to implement • Fully parameterized, includes event-specific variable substitution • Proven integration with nearly all SIEM products; native support for LEEF (QRadar) and CEF (ArcSight) • Sends messages to up to 3 SIEM products simultaneously • Supports UDP, TCP, TLS • Includes Self-Test to send messages locally prior to sending to a remote Syslog server • Case studies available
- 22. Thank You! Visit us at www.razlee.com marketing@razlee.com