Security Information Management
Thesis Managing security event information is a difficult task Most successful deployments start with a clear understanding of business needs And plans for what to do with the information Security event information management tools are maturing and moving from the outside – in But there are limitations regarding what the products can accomplish Leveraging Security Event Information
Agenda Why managing security event information is a difficult task Solutions and technology Emerging trends Recommendations
Leveraging Security Event Information Agenda Why managing security event information is a difficult task Solutions and technology Emerging trends Recommendations
Why Managing Security Event Information is… Even finding a name for it is hard! Security Information Management (SIM) Security Event Management (SEM) Security Intelligence Management (SIM) Enterprise Security Management (ESM) Defense Information Management/Security Operations Management (DIM/SOM) Just kidding about that last one… This is: Security Event Information Management (SEIM)
Why Managing Security Event Information is… “Billions and Billions” of events Firewalls, IDS,IPS, Anti-Virus, Databases, Operating Systems, Content filters Information overload Lack of standards Difficult correlation Making sense of event sequences that appear unrelated False positives and validation issues
Why Managing Security Event Information is… Business Objectives of SEIM – Increase overall security posture of an organization Turn chaos into order Aggregate log file data from disparate sources Create holistic security views for compliance reporting Identify and track causal relationships in the network in near real-time Build a historical forensic foundation
Why Managing Security Event Information is… Things SEIMs can look for Internal policy compliance on hosts and systems Track usage throughout the enterprise Access to strategic applications and servers Password change events Path of a worm or virus through the network What does your company want to look for with the SEIM?
Leveraging Security Event Information Agenda Why managing security event information is a difficult task Solutions and technology Emerging trends Recommendations
INPUTS Access control Directories Provisioning Identity Management AgentLogging Host & DB configuration Patch management Vulnerability management System Management AgentLogging COLLECTION / AGGREGATION / CORRELATION Distribute d collectors Central / master collector Security alerts REAL-TIME ANALYSIS / RESPONSE VISUALIZATION / ADMINISTRATION Reports Visualization Policies / compliance rules Signatures / attack patterns OPERATIONS INTEGRATION RESPONSE LONG-TERM STORAGE / AUDIT / INVESTIGATION Network / security operations raw log Help desk ticketing Routers Firewalls Content scanners Perimeter Controls AgentLogging Network IDS Network IPS Other sensors IDS / Response AgentLogging
Solutions and Technology How the Products Work Collect Inputs from target sources Agent and agentless methods Aggregate Bring all the information to a central point Normalize Translate disparate syntax into a standardized one Correlate If A and B then C Report State of health Policy conformance Archive CollectAggregateNormalizeCorrelateReportArchive
Solutions and Technology Understand the business case for the product Build a strong set of requirements What will it do? How will it add business value? Understand the assets Prioritize value It’s critical, but few products do this successfully today Understand Policies What are the technical security policies? Data lifecycle considerations Policies / compliance rules
Solutions and Technology Consideration–Requirements for visualization? The Big Red Button Tailoring views Geographic Configurability Drill down options Hierarchical views Cross-cutting data sharing CIO view, auditor view Security alerts VISUALIZATION / ADMINISTRATION Reports Visualization
Solutions and Technology Consideration – What are the life cycle and storage needs? Internal policies Archive everything? Best have a robust SAN! What information is critical to the business? What’s in those audit logs? Regulatory requirements Normalization questions Is the original log data still available? Has it been “normalized”? Know where the backups will go Understand lifecycle and mining needs Filters and searching- Can’t sift through petabytes of data manually LONG-TERM STORAGE / AUDIT / INVESTIGATION raw log
Solutions and Technology Consideration–How the data will be used after its collected? Will the data be used for Historical “forensics”? Track back and replay Legal forensics? Legal Matters Chain of custody Tamper proof/evident Original audit/log data (not normalized) Integrity or “garbage in garbage out” LONG-TERM STORAGE / AUDIT / INVESTIGATION raw log
Leveraging Security Event Information Agenda Why managing security information is a difficult task Solutions and technology Emerging trends Recommendations
Emerging Trends “The Manager of Managers” Automated remediation, change and compliance management But will it break the separation of duties model? May be viable with larger vendors, but market longevity may be a concern with smaller, niche vendors Identity Management and Security Event Information Management Wireless LAN Security Information Voice Over IP Security Management Sharing Security Operations Center data with the Network Operations Center
Emerging Trends Early SEMs focused on gathering logs from the perimeter security devices Firewalls, routers Evolution is toward a more comprehensive integration Take in more input for greater vision Monitoring activity both inside the organization as well as on the perimeter Additional intelligence can lead to more precise correlation
Emerging Trends Monitoring for Abuse As the focus is turned inward User behavior can be captured Links back to Identity Management synch with SEIM
Emerging Trends SEIM is not currently a standards-based approach Vendor proprietary approach to Logging/Event reporting Normalization techniques CVE – Common Vulnerabilities and Exposures “A dictionary, not a database” Creates standardized names for vulnerabilities CVSS – Common Vulnerability Scoring System Standard ratings of vulnerabilities Very early stage
Leveraging Security Event Information Agenda Why managing security information is a difficult task Solutions and technology Emerging trends Recommendations
Understand the business goals for the SEIM Determine which systems must be covered What level of data gathering is required Appropriate storage mechanisms Make some friends! Talk to others who have deployed SEIMs in environments similar to yours Since the SEIM may touch cross-enterprise systems, making friends inside the organization is import too Build solid RFPs before speaking to vendors Vendors like their products best (understandably) Make the SEIM work for your company, don’t compromise your business requirements to fit into the SEIM vendor’s framework Recommendations
Weigh vendor claims carefully Scalability can affect utility of the product Throughput, events per second (EPS) numbers may be apples to oranges Take an architectural approach Incorporate the SEIM into the network architecture Consider ability to integrate with existing network systems managers consoles Don’t forget separation of duties requirements Flexibility of solution for Views, privacy, lifecycle and storage control
Recommendations Remember you don’t need to solve world hunger, yet Consider phased implementations Cover a smaller subset of systems, perhaps on the perimeter Before moving to more comprehensive, whole-enterprise, event information management deployments Routers Firewalls Content scanners Perimeter Controls Agent Logging Network IDS Network IPS Other sensors Intrusion Detection / Response Agent Logging
Conclusion Managing information security is a difficult task SEIM is an emerging technology With emerging capabilities and uses Not all products work the same way Or do the same things To leverage security information Understand your needs before speaking to vendors The technology decision will be much easier if you know your requirements up front Leveraging Security Information