Security Information Management.  Thesis  Managing security event information is a difficult task  Most successful deployments start with a clear understanding.

Slides:



Advertisements
Similar presentations
Security Administration Tools and Practices Amit Bhan Usable Privacy and Security.
Advertisements

The Threat Within September Copyright © 2004 Q1 Labs. All Rights Reserved Agenda Customer Pain Industry Solutions Network Behavior Enforcement Example.
Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.
Privileged Identity Management Enterprise Password Vault
Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
1 Telstra in Confidence Managing Security for our Mobile Technology.
Information Security Policies and Standards
The State of Security Management By Jim Reavis January 2003.
Enterprise security How to bring security transparency into your organization ISSA EDUCATIONAL SESSION Nicklaus Schleicher, VP Support & Customer Service.
Automated Policy Enforcement Adam Vincent, Layer 7 Federal Technical Director
seminar on Intrusion detection system
Stephen S. Yau CSE , Fall Security Strategies.
Centralizing and Analyzing Security Events: Deploying Security Information Management Systems Lynn Ray Towson University Copyright Lynn Ray, This.
Building a Campus Dshield Randy Marchany IT Security Lab VA Tech Blacksburg, VA 24060
Intrusion Detection System Marmagna Desai [ 520 Presentation]
Security Guidelines and Management
CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Computer Associates Solutions Managing eBusiness Catalin Matei, April 12, 2005
IT-security in the Ubiquitous Computing World Chris Kuo, CISSP, CISA Acer eDC (e-Enabling Data Center) Acer Inc. 2007/3/27.
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. PCI Compliance & Technology.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Financial Advisory & Litigation Consulting Services Risk Management 2006 September 14-15, 2006 The Metropolitan Club, New York, NY Workshop B: Information.
BMC Software confidential. BMC Performance Manager Will Brown.
Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite Alessandro Braccia, DBA Sistemi.
Unify and Simplify: Security Management
1© Copyright 2012 EMC Corporation. All rights reserved. Getting Ahead of Advanced Threats Advanced Security Solutions for Trusted IT Chezki Gil – Territory.
The Most Analytical and Comprehensive Defense Network in a Box.
Next-Generation IDS: A CEP Use Case in 10 Minutes 3rd Draft – November 8, nd Event Processing Symposium Redwood Shores, California Tim Bass, CISSP.
Honeypot and Intrusion Detection System
Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP) John M. Gilligan May, 2009.
The Coles Notes Approach to Effective Network Security Management Reporting Dave Millier.
Intrusion Detection Prepared by: Mohammed Hussein Supervised by: Dr. Lo’ai Tawalbeh NYIT- winter 2007.
Computer Forensics in Practice Armed Forces of the Slovak Republic mjr. Ing. Albert VAJÁNYI 1Lt. Ing. Boris ZEMEK (c) May 2005.
Firewalls Nathan Long Computer Science 481. What is a firewall? A firewall is a system or group of systems that enforces an access control policy between.
1 © 2001, Cisco Systems, Inc. All rights reserved. Cisco Info Center for Security Monitoring.
SiteWiz – RiT ’ s CAM Solution. Daily IT Challenges Overload of infrastructure information Numerous daily changes Many departments involved No clear picture.
Auditing IT Vulnerabilities IT vulnerabilities are weaknesses or exposures in IT assets or processes that may lead to a business risk or security risk.
Knowing What You Missed Forensic Techniques for Investigating Network Traffic.
The Real Deal With SIM/SEM The Promise of Security Information / Event Management Scott Sidel Sr. Security Manager Computer Sciences Corp.
CIO Perspectives on Security Fabrício Brasileiro Regional Sales Manager.
Wireless Intrusion Prevention System
Security Information and Event Management
HO © 2012 Fluor. All rights reserved. Quick Wins in Vulnerability Management Classification: Confidential Owner: Michael Holcomb Approver: Phil.
Rob Davidson, Partner Technology Specialist Microsoft Management Servers: Using management to stay secure.
SQL Server 2008 R2 Manageability. Challenges facing database administrators today: Scaling management to multiple data centers Proactively monitoring.
Intrusion Detection Systems Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.
Vendor Management from a Vendor’s Perspective. Agenda Regulatory Updates and Trends Examiner Trends Technology and Solution Trends Common Issues and Misconceptions.
STORAGE MANAGEMENT/ SMART SHOPPER: What to Ask and What to Avoid in Provisioning Tools Stephanie Balaouras Senior Analyst, The Yankee Group
Information Security Framework Regulatory Compliance and Reporting Auditing and Validation Metrics Definition and Collection Reporting (management, regulatory,
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Ellis Paul Technical Solution Specialist – System Center Microsoft UK Operations Manager Overview.
Network Security Terms. Perimeter is the fortified boundary of the network that might include the following aspects: 1.Border routers 2.Firewalls 3.IDSs.
HIPAA Compliance Case Study: Establishing and Implementing a Program to Audit HIPAA Compliance Drew Hunt Network Security Analyst Valley Medical Center.
Dr. Hussein Al-Bahadili Faculty of Information Technology Petra University Week #5 1/10 Securing E-Transaction - SIEM.
5/29/2001Y. D. Wu & M. Liu1 Content Management for Digital Library May 29, 2001.
Visual Analytics for Cyber Defense Decision-Making Anita D’Amico, Ph.D. Secure Decisions division of Applied Visions, Inc.
Some Great Open Source Intrusion Detection Systems (IDSs)
SIEM Rotem Mesika System security engineering
IoT Security Part 2, The Malware
OIT Security Operations
CIM Modeling for E&U - (Short Version)
Security Methods and Practice CET4884
Detection and Analysis of Threats to the Energy Sector (DATES)
SECURITY INFORMATION AND EVENT MANAGEMENT
IS4680 Security Auditing for Compliance
Overview UA has formed is forming a Security Operations Center (SOC) with Students supporting Tier 1 Activities. The SOC provides benefits to the University.
AIR-T11 What We’ve Learned Building a Cyber Security Operation Center: du Case Study Tamer El Refaey Senior Director, Security Monitoring and Operations.
Presentation transcript:

Security Information Management

Thesis
 Managing security event information is a difficult task
 Most successful deployments start with a clear understanding of business needs
   And plans for what to do with the information
 Security event information management tools are maturing and moving from the outside in
   But there are limitations regarding what the products can accomplish

Agenda
 Why managing security event information is a difficult task
 Solutions and technology
 Emerging trends
 Recommendations

Leveraging Security Event Information  Agenda  Why managing security event information is a difficult task  Solutions and technology  Emerging trends  Recommendations

Why Managing Security Event Information is…  Even finding a name for it is hard!  Security Information Management (SIM)  Security Event Management (SEM)  Security Intelligence Management (SIM)  Enterprise Security Management (ESM)  Defense Information Management/Security Operations Management (DIM/SOM)  Just kidding about that last one…  This is: Security Event Information Management (SEIM)

Why Managing Security Event Information is…  “Billions and Billions” of events  Firewalls, IDS,IPS, Anti-Virus, Databases, Operating Systems, Content filters  Information overload  Lack of standards  Difficult correlation  Making sense of event sequences that appear unrelated  False positives and validation issues

Why Managing Security Event Information is…  Business Objectives of SEIM –  Increase overall security posture of an organization  Turn chaos into order  Aggregate log file data from disparate sources  Create holistic security views for compliance reporting  Identify and track causal relationships in the network in near real-time  Build a historical forensic foundation

Why Managing Security Event Information is…  Things SEIMs can look for  Internal policy compliance on hosts and systems  Track usage throughout the enterprise  Access to strategic applications and servers  Password change events  Path of a worm or virus through the network  What does your company want to look for with the SEIM?

Leveraging Security Event Information  Agenda  Why managing security event information is a difficult task  Solutions and technology  Emerging trends  Recommendations

[Architecture diagram: INPUTS (identity management: access control, directories, provisioning; system management: host & DB configuration, patch management, vulnerability management; perimeter controls: routers, firewalls, content scanners; IDS / response: network IDS, network IPS, other sensors), each with agent logging, feed COLLECTION / AGGREGATION / CORRELATION through distributed collectors and a central / master collector. Security alerts flow to REAL-TIME ANALYSIS / RESPONSE and VISUALIZATION / ADMINISTRATION (reports, visualization, policies / compliance rules, signatures / attack patterns); OPERATIONS INTEGRATION / RESPONSE links to network / security operations and help desk ticketing; raw logs go to LONG-TERM STORAGE / AUDIT / INVESTIGATION.]

Solutions and Technology  How the Products Work  Collect  Inputs from target sources  Agent and agentless methods  Aggregate  Bring all the information to a central point  Normalize  Translate disparate syntax into a standardized one  Correlate  If A and B then C  Report  State of health  Policy conformance  Archive CollectAggregateNormalizeCorrelateReportArchive

Solutions and Technology  Understand the business case for the product  Build a strong set of requirements  What will it do?  How will it add business value?  Understand the assets  Prioritize value  It’s critical, but few products do this successfully today  Understand Policies  What are the technical security policies?  Data lifecycle considerations Policies / compliance rules

Solutions and Technology  Consideration–Requirements for visualization?  The Big Red Button  Tailoring views  Geographic  Configurability  Drill down options  Hierarchical views  Cross-cutting data sharing  CIO view, auditor view Security alerts VISUALIZATION / ADMINISTRATION Reports Visualization

Solutions and Technology  Consideration – What are the life cycle and storage needs?  Internal policies  Archive everything? Best have a robust SAN!  What information is critical to the business?  What’s in those audit logs?  Regulatory requirements  Normalization questions  Is the original log data still available?  Has it been “normalized”?  Know where the backups will go  Understand lifecycle and mining needs  Filters and searching- Can’t sift through petabytes of data manually LONG-TERM STORAGE / AUDIT / INVESTIGATION raw log

Solutions and Technology  Consideration–How the data will be used after its collected?  Will the data be used for  Historical “forensics”?  Track back and replay  Legal forensics?  Legal Matters  Chain of custody  Tamper proof/evident  Original audit/log data (not normalized)  Integrity or “garbage in garbage out” LONG-TERM STORAGE / AUDIT / INVESTIGATION raw log

Leveraging Security Event Information  Agenda  Why managing security information is a difficult task  Solutions and technology  Emerging trends  Recommendations

Emerging Trends  “The Manager of Managers”  Automated remediation, change and compliance management  But will it break the separation of duties model?  May be viable with larger vendors, but market longevity may be a concern with smaller, niche vendors  Identity Management and Security Event Information Management  Wireless LAN Security Information  Voice Over IP Security Management  Sharing Security Operations Center data with the Network Operations Center

Emerging Trends  Early SEMs focused on gathering logs from the perimeter security devices  Firewalls, routers  Evolution is toward a more comprehensive integration  Take in more input for greater vision  Monitoring activity both inside the organization as well as on the perimeter  Additional intelligence can lead to more precise correlation

Emerging Trends  Monitoring for Abuse  As the focus is turned inward  User behavior can be captured  Links back to Identity Management synch with SEIM

Emerging Trends  SEIM is not currently a standards-based approach  Vendor proprietary approach to  Logging/Event reporting  Normalization techniques  CVE – Common Vulnerabilities and Exposures  “A dictionary, not a database”  Creates standardized names for vulnerabilities  CVSS – Common Vulnerability Scoring System  Standard ratings of vulnerabilities  Very early stage

Leveraging Security Event Information  Agenda  Why managing security information is a difficult task  Solutions and technology  Emerging trends  Recommendations

Recommendations
 Understand the business goals for the SEIM
   Determine which systems must be covered
   What level of data gathering is required
   Appropriate storage mechanisms
 Make some friends!
   Talk to others who have deployed SEIMs in environments similar to yours
   Since the SEIM may touch cross-enterprise systems, making friends inside the organization is important too
 Build solid RFPs before speaking to vendors
   Vendors like their products best (understandably)
   Make the SEIM work for your company; don’t compromise your business requirements to fit into the SEIM vendor’s framework

Recommendations
 Weigh vendor claims carefully
   Scalability can affect the utility of the product
   Throughput and events per second (EPS) numbers may be apples to oranges
 Take an architectural approach
   Incorporate the SEIM into the network architecture
   Consider the ability to integrate with existing network systems managers’ consoles
   Don’t forget separation of duties requirements
   Flexibility of the solution for views, privacy, lifecycle and storage control

Recommendations  Remember you don’t need to solve world hunger, yet  Consider phased implementations  Cover a smaller subset of systems, perhaps on the perimeter  Before moving to more comprehensive, whole-enterprise, event information management deployments Routers Firewalls Content scanners Perimeter Controls Agent Logging Network IDS Network IPS Other sensors Intrusion Detection / Response Agent Logging

Conclusion
 Managing information security is a difficult task
 SEIM is an emerging technology
   With emerging capabilities and uses
 Not all products work the same way
   Or do the same things
 To leverage security information
   Understand your needs before speaking to vendors
   The technology decision will be much easier if you know your requirements up front