This presentation, given at HP/ArcSight Protect 2011, covers gathering log data with syslog-ng so that a SIEM such as ArcSight ESM actually receives the events it needs to correlate.
You Can't Correlate what you don't have - ArcSight Protect 2011
1. CSN08: You Can't Correlate What You Don't Have
Scott Carlson & Rick Yetter
Apollo Group Inc.
2. Apollo Group
The Apollo Group Challenge
Apollo Group is a publicly traded parent company that owns the University of Phoenix and a number of other subsidiaries in the education arena. With 300 physical locations in six countries, 500,000 students, 50,000 faculty and 22,000 employees, Apollo Group has a formidable challenge in securing all its systems, data and endpoints.
Reference: http://www.arcsight.com/collateral/case_studies/ArcSight_CaseStudy_Apollo.pdf
4. What's this about?
• ArcSight products are awesome, as long as you send them information. The products can't do anything unless you send them as much data as possible!
• Normal steps to implementation
  1. Define Use Cases
  2. Send Logs
  3. Build Correlation Rules in ArcSight ESM
  4. …
  5. Profit!!!
5. Our Environment
• 4,500 Servers
  – Oracle Enterprise Linux, Red Hat Linux
  – Windows 2000, 2003, 2008
  – Solaris 9, 10
• 60% virtualized on VMware
• Multiple international locations & data centers
• Firewalls (Cisco, Juniper, Check Point)
• Proxy (Blue Coat)
• IDS (Sourcefire)
• AV/HIPS/DLP (McAfee)
• ….
6. It's the Logs that matter
"The powerful correlation engine of ArcSight ESM sifts through MILLIONS OF LOG RECORDS to find the critical incidents that matter" (www.arcsight.com)
Server Stuff
• Security Events
• Change Monitoring
• Failure Events
• Application Logs
• Web Logs
• Host Firewalls
• Active Directory Activity
Network Stuff
• Firewalls
• Proxies
• Intrusion Detection
• Antivirus
• Data Loss Prevention
• Email Traffic & Alerts
• Wireless
• Network Change Monitoring
7. Where to store the logs
• Long-term storage is critical for large companies
  – Determine retention requirements (30 days, 1 year, infinite)
• Determine who may need the logs, and whether you need them online
  – SysAdmin, Forensics, InfoSec, Legal
• Do you need non-repudiation?
• Determine storage method
  – Splunk
  – ArcSight Logger
  – Filesystem(s) full of raw log files
  – Alternate logging product
• If you build your own
  – SAN versus NAS versus local JBOD. You need to log even if things break!
8. Syslog Relay
• Red Hat Linux
• Syslog-ng v4 running on multiple ports
  – For receiving logs from multiple sources with unique filters
• Local JBOD w/12TB configured as RAID-5
  – Make sure you can log even if your SAN is borked!
• Additional security of Samhain, Tripwire or Solidcore to protect your files from modification
• 64GB of RAM
• Lots of processors
9. How to Get the Logs
• Built-in syslog
• Syslog-ng
• SNARE or Epilog agent, Kiwi
• File Reader ArcSight Connector
• Something entirely custom, just put it in a FILE!
  – Syslog format or CEF format, you pick.
You found something without logs???? Well, ask the developer or company to add logging!!!!
10. Single Endpoint
• For smaller environments, or environments with fewer layer-2 boundaries
• Should configure the server with redundancy in mind in case of failure
• Can use the file reader connector to read from local logs
• Single destination, easy to script
• May not scale
• Limited to a small number of networks unless you traverse firewalls
11. Single Endpoint with DR Site
• Makes a copy of all logs to an alternate site
• Saves you in case of catastrophic failure
• Adds bandwidth to the WAN or remote site link
(Diagram: Server(s) in the Data Center send to the Relay, which copies to the Alternate Facility)
12. Local Collect & Forward
• Individual syslog collection in each major network block or international location
13. How to send the Logs
• Configure syslog
  – *.debug    @loghost.mydomain.com    (Solaris)
  – *.*        @loghost                 (Linux)
  – Solaris syslogd requires a tab, not spaces, between the selector and the action; get that wrong and the line is silently ignored
• Configure SNARE
  – Destination Snare Server address = loghost
  – Destination Port = 514
  – Enable SYSLOG Header = Selected
• Read the Fine Manual of your product to enable logging with a remote destination. If that's not there, write to a file!
14. Decision points
• What's your double-send point?
  – Host
    • Not available in all "free logging tools"
    • Some things cannot double send (network gear, appliances)
  – Relay
    • Adds cross-data-center traffic, multiplied by the number of relays
  – Central
    • Easy to control flow; exposure is at this single point in each DC
    • Blind to logs if the central server is gone
• What about things that don't have syslog?
  – File Reader to multiple ArcSight ESM targets is a possibility
15. Redundancy and Double-Sending
• Fail-over scenarios in use for Apollo Group using Syslog-ng
  – Redundancy at the syslog relay level
    • Logs are sent from Snare agents on Windows or by syslog to relays
  – Each syslog relay has a VM hot standby in case of a hardware failure.
  – Each syslog relay is configured to send all information received to multiple central servers for redundancy and fault tolerance.
  – Each syslog relay retains all logs received for a period of 30 days before they are rotated out.
16. Syslog-NG Configuration
• Syslog-ng configuration (4 simple steps)
  – Simple configuration
    • Source
      – Where are the logs coming from? UDP, TCP, file
    • Destination
      – Where are you going to send the logs? Disk, output to TCP or UDP?
        » Can you handle the TCP overhead?
    • Filters
      – Keep what you want, discard the rest!
    • Log
      – Log the source, process it, send it to the destination.
• Encrypted communications must use TCP (syslog-ng TLS only runs over TCP; UDP senders cannot be encrypted at this layer)
17. Syslog-NG Configuration Sample

    source s_local {
        internal();
        unix-stream("/dev/log");
        file("/proc/kmsg" program_override("kernel:"));
        udp(ip(0.0.0.0) port(514) flags(store-legacy-msghdr));
        # The wildcard bind above already covers 10.11.12.13:514; binding both
        # on the same port overlaps. Keep one, or give each source class its
        # own port when it needs its own filter.
        udp(ip(10.11.12.13) port(514) flags(store-legacy-msghdr));
    };

    #
    # Local filters
    #
    filter f_boot     { facility(local1); };
    filter f_messages { level(info..emerg); };
    filter f_secure   { facility(authpriv); };
    filter f_mail     { facility(mail); };
    filter f_cron     { facility(cron); };
    filter f_emerg    { level(emerg); };
    filter f_spooler  { level(crit..emerg) and facility(uucp, news); };
    filter f_local7   { facility(local7); };

    #
    # Snare *NIX Filters
    #
    #filter f_filter_nix {
    #    match(":") and not match("snmp") and not match("printd")
    #    and not match("-6-302013") and not match("-6-302015")
    #    and not match("kernel") and not match("lpstat")
    #    and not match("Application") and not match("System")
    #    and not host("10.29.10.100") and not match("dhcpd")
    #    and not match("xinetd") and not match("puppetmasterd")
    #    and not match("crond") and not match("multipathd")
    #    and not match("modprobe");
    #};
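Putting slides 15 to 17 together, here is what a complete relay configuration looks like with all four pieces (source, destination, filter, log), the double-send to two central servers, and the 30-day local retention. This is an added example, not the Apollo Group configuration from the deck; the host names loghost-a/loghost-b, the extra UDP port 1514 for firewalls, the spool path, the noise filter and the syslog-ng 3.x syntax are assumptions.

```shell
# Added example (not from the slides): render a relay syslog-ng.conf that follows the
# four steps above and the double-send design. Host names, port 1514, the spool path
# and the noise filter are assumptions.

render_relay_conf() {  # $1 central server A, $2 central server B, $3 local spool directory
  sed -e "s|__CENTRAL_A__|$1|g" -e "s|__CENTRAL_B__|$2|g" -e "s|__SPOOL__|$3|g" <<'EOF'
@version: 3.0
options { use_dns(no); keep_hostname(yes); chain_hostnames(no); };

# Source: UDP and TCP 514 for everything, a second UDP port for firewalls so they can
# get their own filter; keep the sender's original header (store-legacy-msghdr).
source s_net {
    udp(ip(0.0.0.0) port(514) flags(store-legacy-msghdr));
    tcp(ip(0.0.0.0) port(514) max-connections(500));
};
source s_fw { udp(ip(0.0.0.0) port(1514) flags(store-legacy-msghdr)); };

# Destination 1: local JBOD, one file per host per day. Disk first, so the relay keeps
# logging when the SAN or a central server is gone.
destination d_disk {
    file("__SPOOL__/$HOST/$YEAR$MONTH$DAY.log"
         create_dirs(yes) dir_perm(0750) perm(0640)
         template("$ISODATE $HOST $MSGHDR$MSG\n"));
};
# Destinations 2 and 3: the same stream to both central servers. TCP, because UDP
# drops silently under load and TLS (if you add it) needs TCP anyway.
destination d_central_a { tcp("__CENTRAL_A__" port(514)); };
destination d_central_b { tcp("__CENTRAL_B__" port(514)); };

# Filter: keep what you want, discard the rest. Drop cron and SNMP chatter that
# never feeds a correlation rule (assumed noise list; adjust for your use cases).
filter f_keep { not program("^(crond|snmpd)$"); };

# Log: every source, through the filter, to disk and to both centrals.
log {
    source(s_net); source(s_fw);
    filter(f_keep);
    destination(d_disk);
    destination(d_central_a);
    destination(d_central_b);
};
EOF
}

# 30-day retention on the relay spool: rotate out date-named files older than $2 days.
prune_old_logs() {  # $1 spool directory, $2 retention in days
  find "$1" -type f -name '*.log' -mtime +"$2" -exec rm -f {} +
}

# Write the config, check its syntax without starting the daemon, then HUP the
# running syslog-ng. A typo in a filter would otherwise silence the relay.
install_relay_conf() {  # $1 central A, $2 central B, $3 spool, $4 config path
  render_relay_conf "$1" "$2" "$3" > "$4" &&
  syslog-ng --syntax-only --cfgfile "$4" &&
  kill -HUP "$(pidof syslog-ng)"
}
```

render_relay_conf writes to stdout so you can diff it against the running config before installing it. Retention is a find over the date-named files rather than logrotate, because syslog-ng already opens a fresh file per day and never holds an old one open. Add tls() to the two tcp() destinations once the central servers can terminate it; the log path does not change.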
20. Crazy Use Case #1
Get the unique customer # out of a sub-URL string within the debug log of a firewall in order to perform tracking/troubleshooting
• Debug logging ON on the firewall (LOTS OF TRAFFIC!)
• Logs sent to syslog
• Syslog filter or external program called to trim out the customer number and write it to a separate file
21. Crazy Use Case #2
Forward non-security events directly to your NOC console, email queue, or whatever
• Syslog filter or external program called to grab the events you're interested in, and send them to an external mailer (mail -s "alert") or a syslog-ng filter
• Don't forget the System Administrators
• IMHO 90% of problems are misconfigured systems
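The "external program" half of use cases 1 and 2, as two stdin filters you can hang off a syslog-ng program() destination or run over a file on the relay. This is an added example, not the Apollo Group scripts; the firewall debug line layout, the /portal/student/<id>/ URL pattern, the NOC pattern list, the mail recipient and the wiring comment are assumptions, and the sample lines are constructed for the test.

```shell
# Added example, not from the slides. Line formats, URL pattern, NOC patterns and
# recipient are assumptions; the sample logs below are constructed.

# Use case 1: pull the customer number out of the sub-URL and emit each one once,
# flushing per line so it works on a live stream (sort -u would wait for EOF).
extract_customer_ids() {
  awk 'match($0, /\/portal\/student\/[0-9]+\//) {
         id = substr($0, RSTART + 16, RLENGTH - 17)   # drop "/portal/student/" and the trailing "/"
         if (!(id in seen)) { seen[id] = 1; print id; fflush() }
       }'
}

# Use case 2: operational failures that the NOC, not the SOC, should see.
# The sshd failure in the sample stays out of this stream; it belongs to ESM.
NOC_PATTERNS='Link is Down|No space left on device|Out of memory|Read-only file system'
noc_events() {
  awk -v pat="$NOC_PATTERNS" '$0 ~ pat { print; fflush() }'
}

# One mail per matching line; MAILCMD lets a site with a different mailer swap out mail(1).
notify_noc() {  # $1 recipient
  while IFS= read -r line; do
    printf '%s\n' "$line" | ${MAILCMD:-mail} -s "alert: $(printf '%s' "$line" | cut -c 1-60)" "$1"
  done
}

# Wiring on the relay (assumed paths and filter names): program() runs the command
# under /bin/sh, so the redirection keeps the customer-id file current as logs arrive.
#   destination d_customers {
#       program("/usr/local/bin/extract_customer_ids.sh >> /var/log/relay/customer_ids.txt");
#   };
#   log { source(s_fw); filter(f_fw_debug); destination(d_customers); };

# Constructed sample input.
SAMPLE_FW_LOG='Jan 12 10:14:07 fw01 fwdebug: src=10.29.10.55 url=/portal/student/4471923/courses/list action=allow
Jan 12 10:14:08 fw01 fwdebug: src=10.29.10.56 url=/portal/faculty/home action=allow
Jan 12 10:14:09 fw01 fwdebug: src=10.29.10.57 url=/portal/student/5100042/grades action=allow
Jan 12 10:14:10 fw01 fwdebug: src=10.29.10.55 url=/portal/student/4471923/profile action=allow'

SAMPLE_SYS_LOG='Jan 12 10:15:01 web07 kernel: eth0: Link is Down
Jan 12 10:15:02 web07 sshd[2231]: Failed password for root from 10.29.10.200 port 51022 ssh2
Jan 12 10:15:03 db02 kernel: EXT3-fs error (device sda3): No space left on device
Jan 12 10:15:04 web07 crond[412]: (root) CMD (run-parts /etc/cron.hourly)'
```

Run over the constructed input, extract_customer_ids prints 4471923 and 5100042 once each, and noc_events passes the link-down and disk-full lines while leaving the sshd failure for ESM. Keep the NOC patterns narrow: anything that matches here is mailed per line, and a chatty pattern turns the NOC queue into the same flood the firewall debug log already is.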
22. Crazy Use Case #3
Gather logs from a proxy server at 5-minute intervals, make sure they're going to your DR site with minimal delay, and add a filter to find naughty surfing.
• Proxy server sends logs via SCP to the syslog relay
• Syslog relay writes the file to local JBOD
• Syslog-ng or a local script scrapes naughtiness from the file
• Cron job runs at 5-minute intervals to SCP completed files to DR
• Watch out for incomplete files!
• Make sure your formatting is good!!!
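The shipping step in use case 3 is where the two warnings bite: a file the proxy is still writing, or a file with a broken record, must not reach the DR site. The script below is an added example, not the Apollo Group cron job; it treats a file as complete when nothing has written to it for a configurable number of minutes, checks that the last record ends in a newline and that every line has the expected field count, and records a checksum in a .sent marker so a re-run does not re-ship. The spool path, the field count of 7, the DR host and the crontab line are assumptions; the sample proxy lines in the test are constructed.

```shell
# Added example, not from the slides: ship only complete, well-formed proxy log files
# to DR. Paths, quiet threshold, field count and DR destination are assumptions.

# A file is treated as complete when nobody has written to it for $2 minutes.
completed_files() {  # $1 spool directory, $2 quiet time in minutes
  find "$1" -type f -name '*.log' -mmin +"$2" | sort
}

# Format check before shipping: non-empty, ends with a newline (so the last record is
# whole) and every line has exactly $2 whitespace-separated fields.
well_formed() {  # $1 file, $2 expected field count
  [ -s "$1" ] || return 1
  [ "$(tail -c 1 "$1" | wc -l)" -eq 1 ] || return 1
  awk -v n="$2" 'NF != n { bad = 1 } END { exit bad + 0 }' "$1"
}

# Ship each complete, well-formed, not-yet-sent file; record its checksum in a
# .sent marker so the next run skips it and the DR side has something to verify.
ship_to_dr() {  # $1 spool dir, $2 quiet minutes, $3 field count, $4 destination, $5 copy command
  dir=$1; quiet=$2; fields=$3; dest=$4; copy=${5:-"scp -q -o BatchMode=yes"}
  completed_files "$dir" "$quiet" | while IFS= read -r f; do
    [ -e "$f.sent" ] && continue
    if ! well_formed "$f" "$fields"; then
      echo "skip $f: incomplete or malformed" >&2
      continue
    fi
    sum=$( (sha256sum "$f" 2>/dev/null || cksum "$f") | cut -d' ' -f1 )
    if $copy "$f" "$dest/"; then
      printf '%s  %s\n' "$sum" "$(basename "$f")" > "$f.sent"
    else
      echo "ship failed for $f, will retry next run" >&2
    fi
  done
}

# crontab entry on the relay (assumed paths): every 5 minutes, 10-minute quiet time,
# 7 fields per proxy record, DR relay reached over SSH keys.
#   */5 * * * *  . /usr/local/lib/ship_to_dr.sh; ship_to_dr /var/log/relay/proxy 10 7 dr-relay.example.com:/var/log/relay/proxy
```

The quiet-time test is what keeps a half-written 5-minute chunk off the wire; the newline and field-count tests are the "make sure your formatting is good" check, done before the copy rather than after the DR parser chokes. A failed copy leaves no marker, so the next cron run simply retries it.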
23. Multiple ArcSight ESM Instances
• Double-sending all logs allows you to have two independent ArcSight ESM instances, in multiple data centers, capable of performing your SOC duties at a moment's notice.