
1 Security Information Management

2 Leveraging Security Event Information
• Thesis
  • Managing security event information is a difficult task
  • Most successful deployments start with a clear understanding of business needs
    • And plans for what to do with the information
  • Security event information management tools are maturing and moving from the outside in
    • But there are limitations regarding what the products can accomplish

3 Agenda
• Why managing security event information is a difficult task
• Solutions and technology
• Emerging trends
• Recommendations

4 Leveraging Security Event Information
• Agenda
  • Why managing security event information is a difficult task
  • Solutions and technology
  • Emerging trends
  • Recommendations

5 Why Managing Security Event Information is…
• Even finding a name for it is hard!
  • Security Information Management (SIM)
  • Security Event Management (SEM)
  • Security Intelligence Management (SIM)
  • Enterprise Security Management (ESM)
  • Defense Information Management/Security Operations Management (DIM/SOM)
    • Just kidding about that last one…
• This is: Security Event Information Management (SEIM)

6 Why Managing Security Event Information is…
• “Billions and Billions” of events
  • Firewalls, IDS, IPS, Anti-Virus, Databases, Operating Systems, Content filters
• Information overload
• Lack of standards
• Difficult correlation
  • Making sense of event sequences that appear unrelated
• False positives and validation issues

7 Why Managing Security Event Information is…
• Business Objectives of SEIM
  • Increase overall security posture of an organization
  • Turn chaos into order
  • Aggregate log file data from disparate sources
  • Create holistic security views for compliance reporting
  • Identify and track causal relationships in the network in near real-time
  • Build a historical forensic foundation

8 Why Managing Security Event Information is…
• Things SEIMs can look for
  • Internal policy compliance on hosts and systems
  • Track usage throughout the enterprise
  • Access to strategic applications and servers
  • Password change events
  • Path of a worm or virus through the network
• What does your company want to look for with the SEIM?

9 Leveraging Security Event Information
• Agenda
  • Why managing security event information is a difficult task
  • Solutions and technology
  • Emerging trends
  • Recommendations

10 SEIM architecture diagram (only the panel labels survive in the transcript)
• INPUTS: Access control, Directories, Provisioning, Identity Management (Agent / Logging); Host & DB configuration, Patch management, Vulnerability management, System Management (Agent / Logging); Routers, Firewalls, Content scanners, Perimeter Controls (Agent / Logging); Network IDS, Network IPS, Other sensors, IDS / Response (Agent / Logging)
• COLLECTION / AGGREGATION / CORRELATION: Distributed collectors, Central / master collector
• REAL-TIME ANALYSIS / RESPONSE: Security alerts
• VISUALIZATION / ADMINISTRATION: Reports, Visualization, Policies / compliance rules, Signatures / attack patterns
• OPERATIONS INTEGRATION / RESPONSE: Network / security operations, Help desk ticketing
• LONG-TERM STORAGE / AUDIT / INVESTIGATION: raw log

11 Solutions and Technology
• How the Products Work
  • Collect
    • Inputs from target sources
    • Agent and agentless methods
  • Aggregate
    • Bring all the information to a central point
  • Normalize
    • Translate disparate syntax into a standardized one
  • Correlate
    • If A and B then C
  • Report
    • State of health
    • Policy conformance
  • Archive
[Diagram: pipeline Collect -> Aggregate -> Normalize -> Correlate -> Report -> Archive]
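As an added illustration of the collect / aggregate / normalize / correlate steps in slide 11 (example code written for this transcript, not from the presentation or any vendor product): the two vendor log syntaxes, the regular expressions and the deny-count threshold are constructed assumptions, and the raw line is kept beside the normalized fields so the original data stays available.

```python
import re
from collections import defaultdict

# Constructed sample lines from two sources in different vendor syntaxes
# (firewall syslog and an IDS alert); made up for this example.
RAW_EVENTS = [
    "Mar 10 10:01:02 fw1 kernel: DENY TCP src=203.0.113.5 dst=192.0.2.10 dpt=22",
    "Mar 10 10:01:05 fw1 kernel: DENY TCP src=203.0.113.5 dst=192.0.2.10 dpt=23",
    "2024-03-10T10:01:07 ids1 ALERT sig=1001 msg='SSH brute force' 203.0.113.5 -> 192.0.2.10",
    "Mar 10 10:02:00 fw1 kernel: ACCEPT TCP src=198.51.100.7 dst=192.0.2.20 dpt=443",
]

FW_RE = re.compile(r"(\w+ \d+ [\d:]+) (\S+) kernel: (DENY|ACCEPT) \w+ src=(\S+) dst=(\S+) dpt=(\d+)")
IDS_RE = re.compile(r"(\S+) (\S+) ALERT sig=(\d+) msg='([^']*)' (\S+) -> (\S+)")

def normalize(line):
    """Normalize step: translate each vendor syntax into one common schema,
    keeping the raw line next to the normalized fields (original data stays available)."""
    m = FW_RE.match(line)
    if m:
        ts, host, action, src, dst, dport = m.groups()
        return {"ts": ts, "source": host, "type": "firewall", "action": action.lower(),
                "src": src, "dst": dst, "dport": int(dport), "raw": line}
    m = IDS_RE.match(line)
    if m:
        ts, host, sig, msg, src, dst = m.groups()
        return {"ts": ts, "source": host, "type": "ids", "action": "alert",
                "sig": int(sig), "msg": msg, "src": src, "dst": dst, "raw": line}
    return None  # unknown syntax: surface it rather than silently dropping it

def correlate(events, deny_threshold=2):
    """Correlate step ("if A and B then C"): A = repeated firewall denies from one
    source to one destination, B = an IDS alert for the same pair, C = an incident."""
    denies = defaultdict(int)
    alerts = set()
    for e in events:
        key = (e["src"], e["dst"])
        if e["type"] == "firewall" and e["action"] == "deny":
            denies[key] += 1
        elif e["type"] == "ids":
            alerts.add(key)
    return sorted(k for k, n in denies.items() if n >= deny_threshold and k in alerts)

def run_pipeline(lines):
    """Collect and aggregate the sample lines, normalize them, then correlate."""
    normalized = [n for n in map(normalize, lines) if n is not None]
    return normalized, correlate(normalized)
```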

12 Solutions and Technology
• Understand the business case for the product
  • Build a strong set of requirements
    • What will it do?
    • How will it add business value?
• Understand the assets
  • Prioritize value
  • It’s critical, but few products do this successfully today
• Understand Policies
  • What are the technical security policies?
  • Data lifecycle considerations
[Diagram panel: Policies / compliance rules]

13 Solutions and Technology
• Consideration: Requirements for visualization?
  • The Big Red Button
  • Tailoring views
    • Geographic
  • Configurability
    • Drill down options
    • Hierarchical views
  • Cross-cutting data sharing
    • CIO view, auditor view
[Diagram panel: VISUALIZATION / ADMINISTRATION (Security alerts, Reports, Visualization)]

14 Solutions and Technology
• Consideration: What are the life cycle and storage needs?
  • Internal policies
    • Archive everything? Best have a robust SAN!
    • What information is critical to the business?
    • What’s in those audit logs?
  • Regulatory requirements
  • Normalization questions
    • Is the original log data still available?
    • Has it been “normalized”?
  • Know where the backups will go
  • Understand lifecycle and mining needs
    • Filters and searching: can’t sift through petabytes of data manually
[Diagram panel: LONG-TERM STORAGE / AUDIT / INVESTIGATION (raw log)]

15 Solutions and Technology
• Consideration: How will the data be used after it’s collected?
  • Will the data be used for
    • Historical “forensics”? Track back and replay
    • Legal forensics?
  • Legal Matters
    • Chain of custody
    • Tamper proof/evident
    • Original audit/log data (not normalized)
    • Integrity, or “garbage in, garbage out”
[Diagram panel: LONG-TERM STORAGE / AUDIT / INVESTIGATION (raw log)]
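Slides 14 and 15 both ask whether the original, non-normalized log data is still available and tamper-evident. An added example, not from the presentation, of one way to archive raw lines so that later edits, re-hashing or truncation can be detected; the hash-chain layout, the sample lines and the out-of-band recording of the head hash are assumptions made for this example.

```python
import hashlib

# Constructed raw lines standing in for what the collector received (made up
# for this example, not taken from the slides).
RAW_LOG = [
    "Mar 10 10:01:02 fw1 kernel: DENY TCP src=203.0.113.5 dst=192.0.2.10 dpt=22",
    "Mar 10 10:01:05 fw1 kernel: DENY TCP src=203.0.113.5 dst=192.0.2.10 dpt=23",
    "Mar 10 10:02:00 fw1 kernel: ACCEPT TCP src=198.51.100.7 dst=192.0.2.20 dpt=443",
]
GENESIS = "0" * 64  # chain anchor for the first entry (an assumption of this example)

def entry_hash(prev_hash, line):
    """Each entry commits to the previous hash and the raw line, so altering or
    removing any earlier line changes every hash that follows it."""
    return hashlib.sha256(prev_hash.encode() + b"\n" + line.encode()).hexdigest()

def archive(lines, genesis=GENESIS):
    """Store each original (non-normalized) line with its chain hash.
    Returns (entries, head_hash); the head is what a custodian records out of band."""
    entries, prev = [], genesis
    for seq, line in enumerate(lines):
        h = entry_hash(prev, line)
        entries.append({"seq": seq, "raw": line, "prev": prev, "hash": h})
        prev = h
    return entries, prev

def verify(entries, expected_head, genesis=GENESIS):
    """Recompute the chain and compare with the recorded head.
    Returns (True, None) when intact, else (False, index of the first bad entry);
    an index equal to len(entries) means entries were removed from the end."""
    prev = genesis
    for i, e in enumerate(entries):
        if e["prev"] != prev or entry_hash(prev, e["raw"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    # A truncated archive still chains correctly; only the recorded head catches it.
    return (True, None) if prev == expected_head else (False, len(entries))
```

The chain only proves that the archive matches the head the custodian wrote down, so the head itself must be stored somewhere the archive's owner cannot silently change (a ticket, a signed record, a separate system).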

16 Leveraging Security Event Information
• Agenda
  • Why managing security information is a difficult task
  • Solutions and technology
  • Emerging trends
  • Recommendations

17 Emerging Trends
• “The Manager of Managers”
  • Automated remediation, change and compliance management
    • But will it break the separation of duties model?
  • May be viable with larger vendors, but market longevity may be a concern with smaller, niche vendors
• Identity Management and Security Event Information Management
• Wireless LAN Security Information
• Voice Over IP Security Management
• Sharing Security Operations Center data with the Network Operations Center

18 Emerging Trends
• Early SEMs focused on gathering logs from the perimeter security devices
  • Firewalls, routers
• Evolution is toward a more comprehensive integration
  • Take in more input for greater vision
  • Monitoring activity both inside the organization as well as on the perimeter
  • Additional intelligence can lead to more precise correlation

19 Emerging Trends
• Monitoring for Abuse
  • As the focus is turned inward
  • User behavior can be captured
  • Links back to Identity Management sync with SEIM

20 Emerging Trends
• SEIM is not currently a standards-based approach
  • Vendor proprietary approach to
    • Logging/Event reporting
    • Normalization techniques
• CVE – Common Vulnerabilities and Exposures
  • “A dictionary, not a database”
  • Creates standardized names for vulnerabilities
• CVSS – Common Vulnerability Scoring System
  • Standard ratings of vulnerabilities
  • Very early stage

21 Leveraging Security Event Information
• Agenda
  • Why managing security information is a difficult task
  • Solutions and technology
  • Emerging trends
  • Recommendations

22 Recommendations
• Understand the business goals for the SEIM
  • Determine which systems must be covered
  • What level of data gathering is required
  • Appropriate storage mechanisms
• Make some friends!
  • Talk to others who have deployed SEIMs in environments similar to yours
  • Since the SEIM may touch cross-enterprise systems, making friends inside the organization is important too
• Build solid RFPs before speaking to vendors
  • Vendors like their products best (understandably)
  • Make the SEIM work for your company; don’t compromise your business requirements to fit into the SEIM vendor’s framework

23
• Weigh vendor claims carefully
  • Scalability can affect utility of the product
  • Throughput, events per second (EPS) numbers may be apples to oranges
• Take an architectural approach
  • Incorporate the SEIM into the network architecture
  • Consider ability to integrate with existing network systems managers’ consoles
  • Don’t forget separation of duties requirements
• Flexibility of solution for
  • Views, privacy, lifecycle and storage control

24 Recommendations
• Remember you don’t need to solve world hunger, yet
• Consider phased implementations
  • Cover a smaller subset of systems, perhaps on the perimeter
  • Before moving to more comprehensive, whole-enterprise, event information management deployments
[Diagram panels: Perimeter Controls (Routers, Firewalls, Content scanners; Agent Logging); Intrusion Detection / Response (Network IDS, Network IPS, Other sensors; Agent Logging)]

25 Leveraging Security Information
• Conclusion
  • Managing information security is a difficult task
  • SEIM is an emerging technology
    • With emerging capabilities and uses
  • Not all products work the same way
    • Or do the same things
  • To leverage security information
    • Understand your needs before speaking to vendors
    • The technology decision will be much easier if you know your requirements up front

