Presentation is loading. Please wait.

Presentation is loading. Please wait.

SIEM Rotem Mesika System security engineering 372.2.5204.

Published byDerick Watts Modified over 6 years ago

Similar presentations

Presentation on theme: "SIEM Rotem Mesika System security engineering 372.2.5204."— Presentation transcript:

1 SIEM Rotem Mesika System security engineering

2 What we will talk today.. What is siem? Why do organizations use it?
“Crown Jewels” What are we protecting from? and How? The SIEM Process Implementation SIEM - “ArcSight” Combining SIEMs

3 What is SIEM? SIEM = Security Information and Event Management
SIEM collects log files and security information from internal and external sources Event correlation is used to detect and alert unwanted activities within the network defined by the organization An organization can use the information within the SIEM to effectively respond and detect security incidents The main focus areas which define the fundaments of SIEM are: Log management Correlation Alerting Responding [1] van de Moosdijk, Jarno, and Daan Wagenaar. "Addressing SIEM." (2015) [2] Anastasov, Igor, and Danco Davcev. "SIEM implementation for global and distributed environments." Computer Applications and Information Systems (WCCAIS), 2014 World Congress on. IEEE, 2014. [3] Aguirre, Idoia, and Sergio Alonso. "Improving the automation of security information management: A collaborative approach." Security & Privacy, IEEE 10.1 (2012):

4 Why do organizations use it?
Threat management The ability to detect risky scenarios and common attacks, as well as attack paths defined by the organization itself Relations are established between events from different sources on the network Compliancy Joining the logs and reports of multiple systems within the organization, enabling an easy access and analysis by a built in framework in each system Forensic support The information available within SIEM is very valuable from a forensic perspective and can greatly aid a forensic analyst in his or her investigation SIEM allows forensic analysts to search within logs of many systems in a centralized way, without the need of re-collecting the log files of compromised systems [1] van de Moosdijk, Jarno, and Daan Wagenaar. "Addressing SIEM." (2015) [2] Anastasov, Igor, and Danco Davcev. "SIEM implementation for global and distributed environments." Computer Applications and Information Systems (WCCAIS), 2014 World Congress on. IEEE, 2014. [3] Aguirre, Idoia, and Sergio Alonso. "Improving the automation of security information management: A collaborative approach." Security & Privacy, IEEE 10.1 (2012):

5 Defining the “Crown Jewels”
When an organization grows, its IT environment grows as well. Services are added and removed It is impossible for an organization to collect log files of all systems and at the same time perform real-time analysis and correlation An organization needs to know what are the ‘crown jewels’. What is the most important asset or information that is owned by the organization? “Crown jewels” can be identified by performing a risk analysis on organizational level, in other words: an organization's strategy [1] van de Moosdijk, Jarno, and Daan Wagenaar. "Addressing SIEM." (2015)

6 What are we protecting from? and How?
Risk scenarios describe undesirable actions to the “crown jewels” and include common attacks (i.e. DDoS on online services) and attack paths (i.e. reconnaissance using a port scan) An organization knows which logs to collect and from which devices, based on the information required by “use cases” and the rules they consist of Every rule can require different log sources and events For SIEM to work correctly, all logs required by use cases and rules should be gathered, normalized and available to the SIEM tooling [1] van de Moosdijk, Jarno, and Daan Wagenaar. "Addressing SIEM." (2015)

7 Example of a “use case” [1] van de Moosdijk, Jarno, and Daan Wagenaar. "Addressing SIEM." (2015)

8 The SIEM Process

9 Log Management Log management is an integral part of SIEM because, log entries are greatest source of information Though highly crucial, solely collecting and aggregating logs at a central location is not enough [1] van de Moosdijk, Jarno, and Daan Wagenaar. "Addressing SIEM." (2015)

10 Correlation Correlation of log entries is performed based on use cases. Every use case consists of one or more rules that detect an unwanted event, which is defined by risk scenarios To trigger a use case, one typically needs to correlate multiple log entries from one or more sources [1] van de Moosdijk, Jarno, and Daan Wagenaar. "Addressing SIEM." (2015)

11 Alerting Alerting abnormal actions is the core purpose of the SIEM, focused on threat management [1] van de Moosdijk, Jarno, and Daan Wagenaar. "Addressing SIEM." (2015)

12 Responding & Evaluating
Most alerts require manual analysis by a SOC analyst Experience gained from handling incidents or false- positives can serve as an input for a new use case or for fine-tuning [1] van de Moosdijk, Jarno, and Daan Wagenaar. "Addressing SIEM." (2015)

13 HP SIEM implementation – “ArcSight”
The model is called “The hierarchical managers model” We divide our model into 3 layers The first – devices that generate log file, i.e. firewall The second – a centralized system of dedicated servers that collects and stores all the log files in a dedicated storage The third – the monitoring layer, to monitor and review the logs and manage the servers of the second layer [2] Anastasov, Igor, and Danco Davcev. "SIEM implementation for global and distributed environments." Computer Applications and Information Systems (WCCAIS), 2014 World Congress on. IEEE, 2014.

14 Choose the devices and their logs
Domain controllers Databases servers IDS and IPS Firewall Network Devices Antivirus System [2] Anastasov, Igor, and Danco Davcev. "SIEM implementation for global and distributed environments." Computer Applications and Information Systems (WCCAIS), 2014 World Congress on. IEEE, 2014.

15 Define “use case” [2] Anastasov, Igor, and Danco Davcev. "SIEM implementation for global and distributed environments." Computer Applications and Information Systems (WCCAIS), 2014 World Congress on. IEEE, 2014.

16 Define “use case” – cont.
[2] Anastasov, Igor, and Danco Davcev. "SIEM implementation for global and distributed environments." Computer Applications and Information Systems (WCCAIS), 2014 World Congress on. IEEE, 2014.

17 Combining SIEMs

18 SIEM of SIEMs Central SIEM server that acts as a parent and communicates intermediary SIEM servers (called Child Managers), instead of communicating with the log sources directly The parent and the child managers each take on deferent responsibilities Alerting, filtering, normalization, reporting and anything else having to do with policy enforcement are responding of the Child Manager Correlated events are forwarded from each Child Manager to the Global Manager for global correlation [2] Anastasov, Igor, and Danco Davcev. "SIEM implementation for global and distributed environments." Computer Applications and Information Systems (WCCAIS), 2014 World Congress on. IEEE, 2014.

19 sharing alarms - Collaborative Approach
SIEMs in domains with similar services and traffic could be vulnerable to similar attacks sharing alarms among these SIEMs would benefit all Snort’s detection engine scans the network for attack patterns, registers possible threats, and issues alerts. SIEMs exchange directive files to correlate events reported by federation partners. Each SIEM can define its own directives as well as adopt other SIEMs’ definitions. i.e. Rules can match packets based on source or target addresses, source or target ports, particular protocols or flags, or packet content. [3] Aguirre, Idoia, and Sergio Alonso. "Improving the automation of security information management: A collaborative approach." Security & Privacy, IEEE 10.1 (2012):

20 Refernaces [1] van de Moosdijk, Jarno, and Daan Wagenaar. "Addressing SIEM." (2015) [2] Anastasov, Igor, and Danco Davcev. "SIEM implementation for global and distributed environments." Computer Applications and Information Systems (WCCAIS), 2014 World Congress on. IEEE, 2014. [3] Aguirre, Idoia, and Sergio Alonso. "Improving the automation of security information management: A collaborative approach." Security & Privacy, IEEE 10.1 (2012):

21 Questions?

22 Different between IDS and SIEM
IDS = Intrusion Detection System “monitors network or system activities for malicious activities or policy violations and produces electronic reports to a management station” Wikipedia IDS is a “sensor” to the SIEM and help to protect the organization's network by monitoring suspicious data packets and requests. SIEM is use IDS as a sensor and also sensor from the DC and the hosts (like antivirus) and not only from the network.

Download ppt "SIEM Rotem Mesika System security engineering 372.2.5204."

Similar presentations

Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.

Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
IBM Security Network Protection (XGS)

IBM Security Network Protection (XGS)
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.

© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.
John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Department Of Computer Engineering

Department Of Computer Engineering
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,

Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,
Correlations, Alarms and Policies

Correlations, Alarms and Policies
Securing Legacy Software SoBeNet User group meeting 25/06/2004.

Securing Legacy Software SoBeNet User group meeting 25/06/2004.
1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.

1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.
Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.

Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.
IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes.

IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes.
OV 12 - 1 Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Similar presentations

Ads by Google