Presentation is loading. Please wait.

Presentation is loading. Please wait.

Centralizing and Analyzing Security Events: Deploying Security Information Management Systems Lynn Ray Towson University Copyright Lynn Ray, 2007. This.

Published byChastity Banks Modified over 8 years ago

Similar presentations

Presentation on theme: "Centralizing and Analyzing Security Events: Deploying Security Information Management Systems Lynn Ray Towson University Copyright Lynn Ray, 2007. This."— Presentation transcript:

1 Centralizing and Analyzing Security Events: Deploying Security Information Management Systems Lynn Ray Towson University Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced Materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Reasons for Centralized Event Management Increase diversity of security devices and protocols Multiple types of security events and threats Manual collection and analysis of events Need quick response to threats – zero day attacks Comply with audits

3 Threat Statistics (Courtesy of Message Labs) 10 new worms are found each day Average 20 targeted attacks per day Increase use of ransomware Use of blended threats (spam and virus, spyware and Trojans, triple Trojans, etc.) Off-the-shelf virus kits

4 Security Information Management Defined Collaboration of security solutions and intelligent networking technologies Integrates heterogeneous array of network devices and security products Builds pervasive security utilizing existing security enterprise –Monitors and collects event data –Correlates and analyzes event data across enterprise –Compares against known treats –Identifies threats and alerts –Automatically locates and mitigates threats

5 Raw Event Data Collection Filtering Data Normalization & Reduction Event Aggregation & Coordination Pattern Discovery Prioritization Event Display & Report Response & Mitigation Raw Data Data Refinement Action How SIM Works

6 Drivers Behind SIM Adoption Financial discipline –Managing operations effectively –Employee efficiency –Reduce administrative overhead –ROI/business value security Security effectiveness –Operational risk –Finances required to mitigate risk

7 Incident Response and Laws Incident response –Many attack vectors –Many different information sources –Mitigation priority Federal laws –FERPA – Family Educational Rights and Privacy Act –HIPAA – Health Insurance Portability and Accountability –GLBA – Gramm-Leach-Bliley

8 Compliance Policy-driven security management program Validation of security controls Risk management approach to information security Due diligence in application of internal controls Effective security incident management process Security event reporting Archiving and document preservation

9 Consideration Factors High cost ($100K or more) Difficult to implement and deploy Takes months to tune out false positives Requires specialized training to support

10 Monitoring Functionality Correlates, reduces and categorizes events Validates incidents

11 Data Correlation Valid Incidents Sessions Rules Verify Isolated Events Correlation Reduction Router Cfg. Firewall Log Switch Cfg. Switch Log Server Log AV Alert App Log VA Scanner Firewall Cfg. Netflow NAT Cfg. IDS Event...... (Lynn: Description of this graphic?)

12 Event Analysis

13 SureVector Analysis TM 1. Host A Port Scans Target X 2. Host A Buffer Overflow Attacks X Where X is behind NAT device and Where X is Vulnerable to attack 3. Target X executes Password Attacks Target Y located downstream from NAT Device SureVector™ Analysis –Visible and accurate attack path –Drill-down, full incident and raw event details –Pinpoint the true sources of anomalous and attack behavior –More complete and accurate story Host A Target X Target Y 6

14 “Response” Uses leveraged mitigation Use control capabilities within your infrastructure –Layer 2/3 attack path is clearly visible –Mitigation enforcement devices are identified –Exact mitigation command is provided ]

15 Typical Compliance Report

16 Towson University SIM Deployment

17 Results Deployed Cisco MARS SIM Device –Communicates with multiple devices –Collects syslog data from devices –Utilizes intelligent agents to gather and correlate data from devices –Provides automated reporting and resolution of threats –Displays path of threats

18 How Does SIM Help? Greatly reduces false positives Defines effective mitigation responses Provide quick and easy access to audit compliance reports Ability to visualize attack path ID source of threats Make precise recommendations for removal of threats

19 Monitors Diverse Environments McAfee ePO Desktops Firewall IDS VPN Routers Switches Unix and Windows Servers MARS Wireless

20 Intelligent Agents Used free SNARE* agent for Windows servers operating systems –Deployed on all servers –Pushes security events in real time to SIM –Minimum performance effects to server Testing other SNARE agents –Web service (Apache and IIS) –Operating system (Unix, Linux) *System Intrusion Analysis and Reporting Environment

21 Compliance and Reporting Survived state auditor Provide instant reports to auditors Established automated reports –Track failed access, virus and worm threats, etc. –Reduced level of daily log review

22 Recommendations Devise implementation strategy –ID devices where security event data will be collected –Consider open source and commercial products –Demo and get opinions from support staff –ID storage requirements for data Integrate with incident handling procedures

23 Devise a Deployment Plan Setup team composed of server admin, network and security staff Standardize collection of syslog data Use intelligent agents to collect data Monitor all network and computer systems – OS and Web Establish administration of system Determine report that will be useful and implement automated reporting

24 System Administration Device managed by security personnel Allow automated response to threats for better protection against threats –Allow SIM admin access to all monitored devices –Obtain cooperation from other support personnel (server admin, network, etc.) Tune out false positives Setup automated reporting, record keeping and incident handling

25 Event Reports Determine reports that will be useful and Implement automated reporting SANS Institute recommends: –Attempts to gain access through existing accounts –Failed file or resource access attempts –Unauthorized changes to users, groups and services –Systems most vulnerable to attack –Suspicious or unauthorized network traffic patterns

26 Incident Response Determine how will respond to alerts Establish escalation procedures for handling suspected and confirmed intrusions Link steps to incident handling plan Keep track of efforts and decisions

27 Compliance Verification Provided evidence of compliance to state and local policies Able to rapidly provide reports

28 Summary In summary, SIM… –Provides centralized network monitoring. –Automatically pulls logs from multiple devices –Eliminates the need for manually intensive analysis –Eliminates the need to respond to threats manually. –Provides reporting capabilities required for daily review by State & University audits and security guidelines.

Download ppt "Centralizing and Analyzing Security Events: Deploying Security Information Management Systems Lynn Ray Towson University Copyright Lynn Ray, 2007. This."

Similar presentations

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Incident Response Managing Security at Microsoft Published: April 2004.

Incident Response Managing Security at Microsoft Published: April 2004.
HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.
Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.

Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.

Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
The Most Analytical and Comprehensive Defense Network in a Box.

The Most Analytical and Comprehensive Defense Network in a Box.
CA: A New Step into Security Management.  eBusiness = business  A cultural shift — security is a part of the business fabric  Security is prevention.

CA: A New Step into Security Management.  eBusiness = business  A cultural shift — security is a part of the business fabric  Security is prevention.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
The State of Security Management By Jim Reavis January 2003.

The State of Security Management By Jim Reavis January 2003.
Enterprise security How to bring security transparency into your organization ISSA EDUCATIONAL SESSION Nicklaus Schleicher, VP Support & Customer Service.

Enterprise security How to bring security transparency into your organization ISSA EDUCATIONAL SESSION Nicklaus Schleicher, VP Support & Customer Service.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Know the Client Own the Problem Share the Solution The 2005 Case for Information Technology Security October 14, 2004.

Know the Client Own the Problem Share the Solution The 2005 Case for Information Technology Security October 14, 2004.
1 IT Security-related Legislation Judy Borreson Caruso CUMREC 2004 May 18, 2004 Copyright Judy Borreson Caruso, 2004. This work is the intellectual property.

1 IT Security-related Legislation Judy Borreson Caruso CUMREC 2004 May 18, 2004 Copyright Judy Borreson Caruso, This work is the intellectual property.
Network and Systems Security Security Awareness, Risk Management, Policies and Network Architecture.

Network and Systems Security Security Awareness, Risk Management, Policies and Network Architecture.
INFORMATION SECURITY UPDATE Al Arboleda Chief Information Security Officer.

INFORMATION SECURITY UPDATE Al Arboleda Chief Information Security Officer.
© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software.

© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software.
INDIANAUNIVERSITYINDIANAUNIVERSITY Automated Network Isolation at Indiana University David A. Greenberg Information Technology Security and Policy Office.

INDIANAUNIVERSITYINDIANAUNIVERSITY Automated Network Isolation at Indiana University David A. Greenberg Information Technology Security and Policy Office.
Building a Campus Dshield Randy Marchany IT Security Lab VA Tech Blacksburg, VA 24060

Building a Campus Dshield Randy Marchany IT Security Lab VA Tech Blacksburg, VA 24060

Similar presentations

Ads by Google