siem vs log management - data security solutions 2011

Innovations in data security Log management vs SIEM Andris Soroka 07.07.2011 Together with

Upload: andris-soroka

Post on 10-Nov-2014


Category: Technology



DESCRIPTION

Brief overview of SIEM / log management technology era, technology and business drivers for better network security and visibility with log management and SIEM solutions, some selected players from DSS portfolio.

TRANSCRIPT

Page 1: SIEM vs Log Management - Data Security Solutions 2011

Innovations in data security

Log management

vs

SIEM

Andris Soroka

07.07.2011

Together with

Page 2

Agenda

Introduction – threats, technology era, definitions

Business drivers for log management and SIEM

(Security Information and Events Management)

Market analysis, critical capabilities of solutions

Selected solutions for Your review –

SIM (Log management)

SEM (Wider scope)

SIEM

Page 3

Where to start from?

The Internet has been compared to America’s Wild Wild West countless times – now the analogy holds more weight than ever.

No DNA forensics, no overarching laws – just lawlessness.

Page 4

The 21st Century – the age of cybercrime

FBI warns Congress that cybercriminals can hack any internet-linked system – Gordon M. Snow, assistant director of the FBI’s Cyber Division (13th of April, 2011)

“Year 2010 was the year of cybercrime and cyberwars. Year of Wikileaks” – “The New York Times”, “Guardian”, “Der Spiegel”, “El Pais”, “Le Monde”, “CNN”, “BBC” and more, 2010, 2011..

Page 5

Background - technology development

IT continues taking the lead in business (ERP, CRM, document management, digital prototyping etc.)

Importance and development of the e-World (e-Health, e-government, e-services, social networking, Web 2.0, unified communications and tools for that etc.)

Mobility and the borderless enterprise

Cyber culture develops faster than cyber security

Page 6

Every technology is vulnerable

Page 7

New threats – targeted, professional, silent

There are Internet shops full of credit card, bank account, privacy, business and other confidential data. There are also services for rent: botnets, malicious code, and attacks on anyone.

Cybercriminal «CV Online»

“Black Community” where cybercriminals are organized better than high-level military organizations

Video trainings and eLearning available in social media, such as YouTube

Page 8

Business drivers that initiate LM / SIEM

EU directives

Such as for data protection

Critical infrastructure protection

Cooperation

Industry standards and regulations

Banks

Health organizations etc.

NATO directives

Security, military orgs

Related to NATO work

IT Security ISO 2700X

Local laws and regulations

Personal data protection

IT Security politics

Page 9

SIEM / SEM / SIM - Where to start from?

[Diagram: log sources – Network, Servers, Databases, Homegrown Applications – feed a “Log Silo” / “Log Jam” of unanswered questions; the consumers of those logs are Identity Management, IT & Network Operations, Operational Security and Governance & Compliance, each with its own “Log Tool”.]

Do You have one central solution for collecting ALL events (logs), correlating them and having real-time intelligent visibility?

Do You monitor the business processes instead of the network?

Do You monitor identities, applications, information and their context instead of just IP addresses, OS’s and devices?

If not – You are vulnerable!!!

Page 10

No, I mean, really…do You know?

What was the attack?

Who was responsible?

How many targets involved?

Was it successful?

Where do I find them?

Are any of them vulnerable?

How valuable are they to the business?

Where is all the evidence?

Clear & concise delivery of the most relevant information …

Page 11

What is in Your logs so far..? 50%? Less..?

User and System Activity

Runaway Application

Customer Transaction

Email BCC

Failed Logon

Security Breach

File Up/Download

Credit Card Data Access

Information Leak

Privileges Assigned/ Changed


Page 12

What is in Your logs so far..? 50%? Less..?

What logs –

Audit logs

Transaction logs

Intrusion logs

Connection logs

System performance records

User activity logs

Alerts and other messages from different systems

From where –

Firewalls / intrusion prevention

Routers / switches

Intrusion detection

Servers, desktops, mainframes

Business applications

Databases

Antivirus software

VPNs

There is no standard format or transport method for logs; more than 800 log file formats are in use..
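The practical consequence of "no standard format" is that the first job of any log management tool is normalization: every source gets its own parser, and the parsers emit one common schema that later correlation can work on. The following is an added example (not code from the presentation or from any vendor it names) that normalizes three constructed lines, a BSD-style syslog line, a Windows logon-failure event flattened to key=value text by a hypothetical agent, and an Apache access-log line, into a shared event dictionary and assigns a category. The `EventID=` prefix used to recognize the Windows line, the default year supplied for syslog timestamps, and the small category table are all assumptions made for the example.

```python
import re
from datetime import datetime
from typing import Callable, List, Optional, Tuple

# Constructed sample lines in three formats (not taken from the presentation).
SAMPLE_LINES = [
    "<38>Jul  7 10:15:01 fw01 sshd[2211]: Failed password for root from 10.1.2.3 port 52111 ssh2",
    'EventID=4625 TimeCreated="2011-07-07T10:15:03" Computer=WS17 TargetUserName=jsmith IpAddress=10.1.2.3',
    '10.1.2.3 - - [07/Jul/2011:10:15:05 +0000] "GET /admin HTTP/1.1" 403 512 "-" "curl/7.21"',
    "this line matches no known format",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
WINEVT_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Categorization table, (format, field, value) -> category. Constructed for this
# example; a real product ships thousands of such mappings.
CATEGORIES = {
    ("syslog", "app", "sshd"): "authentication",
    ("windows", "event_id", "4625"): "authentication",
    ("apache", "status", "403"): "access_denied",
}


def parse_syslog(line: str, default_year: int) -> Optional[dict]:
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    # BSD syslog timestamps carry no year; the caller supplies one (assumption).
    ts = datetime.strptime(f"{default_year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    event = {"format": "syslog", "timestamp": ts.isoformat(), "host": m.group("host"),
             "app": m.group("app"), "facility": pri // 8, "severity": pri % 8,
             "message": m.group("msg")}
    f = SSH_FAIL_RE.search(m.group("msg"))
    if f:
        event.update(user=f.group("user"), src_ip=f.group("ip"), outcome="failure")
    return event


def parse_windows(line: str, default_year: int) -> Optional[dict]:
    if not line.startswith("EventID="):
        return None
    kv = {k: v.strip('"') for k, v in WINEVT_KV_RE.findall(line)}
    return {"format": "windows", "timestamp": kv.get("TimeCreated"), "host": kv.get("Computer"),
            "event_id": kv.get("EventID"), "user": kv.get("TargetUserName"),
            "src_ip": kv.get("IpAddress"),
            "outcome": "failure" if kv.get("EventID") == "4625" else "unknown"}


def parse_apache(line: str, default_year: int) -> Optional[dict]:
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"format": "apache", "timestamp": ts.isoformat(), "host": None,
            "src_ip": m.group("ip"), "user": None if m.group("user") == "-" else m.group("user"),
            "method": m.group("method"), "path": m.group("path"), "status": m.group("status"),
            "outcome": "failure" if m.group("status")[0] in "45" else "success"}


PARSERS: Tuple[Callable[[str, int], Optional[dict]], ...] = (parse_syslog, parse_windows, parse_apache)


def categorize(event: dict) -> str:
    for (fmt, field, value), category in CATEGORIES.items():
        if event["format"] == fmt and event.get(field) == value:
            return category
    return "uncategorized"


def normalize(line: str, default_year: int = 2011) -> Optional[dict]:
    """Try each parser in turn; the first match yields a common-schema event."""
    for parser in PARSERS:
        event = parser(line, default_year)
        if event is not None:
            event["raw"] = line  # keep the original line for forensics
            event["category"] = categorize(event)
            return event
    return None


def normalize_all(lines: List[str], default_year: int = 2011) -> Tuple[List[dict], List[str]]:
    """Split input into normalized events and lines no parser understood;
    unparsed lines must still be archived, never silently dropped."""
    parsed, unparsed = [], []
    for line in lines:
        event = normalize(line, default_year)
        if event is None:
            unparsed.append(line)
        else:
            parsed.append(event)
    return parsed, unparsed


if __name__ == "__main__":
    events, leftovers = normalize_all(SAMPLE_LINES)
    for e in events:
        print(e["format"], e["timestamp"], e.get("src_ip"), e.get("user"), e["category"])
    print("unparsed:", leftovers)
```

Once all three lines share the `src_ip`, `user`, `outcome` and `category` fields, a correlation rule no longer needs to know which product produced the event; the unparsed bucket is what shows you how much of the "800 formats" problem your parsers do not yet cover.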

Page 13

Introduction – definitions from IT security solutions / technologies:

SEM – Security Event Management (correlation – relating events to each other for security benefit)

SIM – Security Information Management (log management – e.g. collecting the events of applications and operating systems)

SIEM – Security Information and Event Management

You cannot control what You cannot see!

Page 14

SIEM evolution (from Anton Chuvakin’s blog)

Historically –

1997–2002: IDS & firewall – worms, alerts of overflows, packets etc. Sold as a “SOC in the box”.

2003–2007: the above + servers + context – users, compliance etc. Sold as a “SOC in the box” +

2008+: the above + applications – cybercrime, fraud prevention, identity etc. Sold as a “SOC in the box” +++

Page 15

Log management and intelligence

Process Integration & Information Share

Collect – time-stamping and secure collection of 100% of all log data, 100% of the time, from any device, including network, storage, servers and applications!

Alert – alerts based on real-time log forensics according to policies, anomalies and incidents, delivered in any possible alerting way.

Store – as much as you want, as little as your compliance needs dictate. Automated, secure storage and archival of critical log data. Maintain chain of custody.

Report – should be easy to configure and report on: easy-to-use templates and more than 10K custom reports. Packaged SOX and PCI reporting + more.
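"Maintain chain of custody" in the Store step means the archive must make any later edit, deletion or re-ordering of stored events detectable. The added example below (not the presentation's or any named vendor's code) shows the usual mechanism: each stored record commits to the SHA-256 hash of the previous record (a hash chain), and every link is additionally sealed with an HMAC under a key held by the collector rather than by whoever administers the archive. The sample events and the seal key are constructed placeholders; in a real deployment the key would live in a protected secret store. Three tampering scenarios are included so the verifier's behaviour on each can be seen.

```python
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not from the presentation).
SAMPLE_EVENTS = [
    {"ts": "2011-07-07T10:15:01", "host": "fw01", "msg": "Failed password for root from 10.1.2.3"},
    {"ts": "2011-07-07T10:15:03", "host": "ws17", "msg": "EventID 4625: logon failure for jsmith from 10.1.2.3"},
    {"ts": "2011-07-07T10:15:09", "host": "ws17", "msg": "EventID 4624: logon success for jsmith from 10.1.2.3"},
]
GENESIS = "0" * 64
# Placeholder key for the example only; the collector, not the archive admin, holds the real one.
EXAMPLE_SEAL_KEY = b"example-seal-key-held-by-the-collector"


def canonical(event: dict) -> bytes:
    """Deterministic serialization so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def link_hash(prev_hash: str, event: dict) -> str:
    return hashlib.sha256(prev_hash.encode() + canonical(event)).hexdigest()


def seal(key: bytes, digest: str) -> str:
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


class HashChainedStore:
    """Append-only archive: record N commits to record N-1, and each link is HMAC-sealed."""

    def __init__(self, seal_key: bytes):
        self._key = seal_key
        self.records: List[Dict] = []

    def append(self, event: dict) -> str:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        digest = link_hash(prev, event)
        self.records.append({"seq": len(self.records), "event": event, "prev": prev,
                             "hash": digest, "seal": seal(self._key, digest)})
        return digest


def verify_chain(records: List[Dict], seal_key: bytes) -> Tuple[bool, Optional[int]]:
    """Recompute every link and seal; return (ok, seq of the first bad record)."""
    prev = GENESIS
    for rec in records:
        digest = link_hash(prev, rec["event"])
        if rec["prev"] != prev or rec["hash"] != digest:
            return False, rec["seq"]
        if not hmac.compare_digest(seal(seal_key, digest), rec["seal"]):
            return False, rec["seq"]
        prev = digest
    return True, None


def build_store(events: List[dict], seal_key: bytes = EXAMPLE_SEAL_KEY) -> HashChainedStore:
    store = HashChainedStore(seal_key)
    for ev in events:
        store.append(ev)
    return store


# Three tampering scenarios an auditor must be able to catch; each returns a modified copy.
def edit_in_place(records: List[Dict], seq: int, new_msg: str) -> List[Dict]:
    recs = copy.deepcopy(records)
    recs[seq]["event"]["msg"] = new_msg
    return recs


def delete_record(records: List[Dict], seq: int) -> List[Dict]:
    recs = copy.deepcopy(records)
    del recs[seq]
    return recs


def edit_and_rehash(records: List[Dict], seq: int, new_msg: str) -> List[Dict]:
    """Someone with write access to the archive but without the seal key rewrites an event
    and recomputes every hash/prev link from seq onward; the old seals stay behind."""
    recs = copy.deepcopy(records)
    recs[seq]["event"]["msg"] = new_msg
    prev = recs[seq]["prev"]
    for rec in recs[seq:]:
        rec["prev"] = prev
        rec["hash"] = link_hash(prev, rec["event"])
        prev = rec["hash"]
    return recs


if __name__ == "__main__":
    store = build_store(SAMPLE_EVENTS)
    print("intact:", verify_chain(store.records, EXAMPLE_SEAL_KEY))
    print("edited:", verify_chain(edit_in_place(store.records, 1, "nothing happened"), EXAMPLE_SEAL_KEY))
    print("deleted:", verify_chain(delete_record(store.records, 1), EXAMPLE_SEAL_KEY))
    print("rehashed:", verify_chain(edit_and_rehash(store.records, 1, "nothing happened"), EXAMPLE_SEAL_KEY))
```

The hash chain alone catches edits and deletions; the HMAC is what stops an archive administrator from simply recomputing the chain after an edit. For a production archive the same idea is usually extended by periodically publishing the latest hash to a second party (a separate system, a signed timestamp) so that truncating the whole tail of the chain is also detectable.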

Page 16

More about SIM / SEM / SIEM coverage

Scope of usage – SIM (log management) + SEM

Standards such as –

Syslog (Unix / Linux, network devices)

Eventlog (Windows)

Journals (mainframe, midrange..)

Non-standards such as logging into files and SQL databases

Usage – central monitoring, finding anomalies, reporting, alerting; collecting and archiving logs, forensics (search all over); threat protection & discovery, incident response, audit support

Advantages / disadvantages (not always) –

Scalability – security logs are only about 10% of all logs, but SIM solutions collect ALL logs, so correlation over that volume can become an issue later.

Functionality – correlating events from different sources is done at a different level than in a SIEM, which is designed to do exactly that.

Page 17

More about SIM / SEM / SIEM coverage

Scope of usage and quality control – SIEM is a must-have!

Log and context data collection (SIM)

Normalization and categorization (SIM)

Correlation (SEM)

Notification / Alerting (SEM)

Prioritization (SEM)

Dashboards and visualization

Reporting and reports delivery (SIM)

Security role workflow

Next-generation SIEM solutions also work at the level of –

File integrity Monitoring

Database Activity Monitoring

Application Monitoring

Identity Monitoring

User Activity Monitoring

Page 18

Planning a SIEM / LM project?

Planning areas (IN THAT ORDER! By Anton Chuvakin)

Goals and requirements

Functionality & features

Scope and data collection

Sizing

Architecting

Deploy log management before SIEM….

Q: Why do You think most SIEM projects failed in the past?

A: There was no LM in place; SIEM alone is just not that useful..

Page 19

Quality and innovations portfolio from DSS

Market leadership in the research of leading market analysts

Close partnership with the local competence center, represented vendors and the regional distributor

Market industry standards and international quality standards

Page 20

Solutions to offer

SIM / SIM + SEM

Balabit IT Security

Syslog NG Store Box

SSB + Sawmill

SIEM+

Q1 Labs – The Market Leader

Suspected Incidents

Page 21

Balabit IT Security

Founded in 2000, Hungary

2nd fastest growing IT company in CEE, listed in Deloitte’s Top 50 research

“The syslog-ng company” – its open source log collecting solution is used by 650,000 customers worldwide

SIM (log management) and more

Page 22

Balabit IT Security

syslog-ng Premium Edition

TLS-encrypted communication

Direct SQL access

More than 21 platforms supported

Windows agent with AD

IBM System i agent

syslog-ng Store Box

Complete log lifecycle management

Web-based user interface

75,000 messages per second

24 GB of messages per hour

Encrypted communication, alerting, filtering etc.

Shell Control Box (“The Black Box”)

Monitoring of admins

Monitoring of outsourcers

Page 23

Balabit IT Security

Page 24

Balabit IT Security + Sawmill

[Diagram: Sawmill pipeline – web server, security, network, streaming media and mail server logs (800+ different log formats supported) pass through log filtering & parsing into a database (internal, MySQL or ODBC); analysis produces alerts (html/csv/pdf), dynamic reports, static reports for email/publishing, real-time ‘live’ reports and real-time alerts, driven by profiles & schedules – enterprise-wide analytics.]

Sawmill – software package to analyze log files

Has more than 250,000 customers worldwide

Works with more than 800 different log file formats

Extremely good reporting

Licensed by report profiles

Page 25

Balabit IT Security + Sawmill

Balabit syslog-ng is licensed by the number of log source hosts (LSH): licenses for 5, 10, 25, 50, 100, 150, 250…Unlimited; unlimited costs about 25K Euro.

Balabit SSB is licensed the same way, for 50, 100, 250, 500, 750, 1000…Unlimited; depending on options (HA, support, hardware: 1U or 2U, architecture) a project can be between 25K – 150K Euro.

Sawmill is licensed by the number of report profiles created and the product type selected, and can vary between 1K and 10K Euro.

Page 26

Q1 Labs SIEM Gartner

Page 27

Q1 Labs business card

[Compliance logos: PCI, HIPAA, FISMA, CoCo, NERC, SOX]

Q1 Labs – a global leader in the SIEM market, from the USA

Best price / performance

Next-generation SIEM

2000+ customers worldwide

Gartner 2009 / 2010 Magic Quadrant leader

Biggest independent SIEM vendor among the leaders

Out-of-the-box number of compliance regimes covered

Page 28

Q1 Labs SIEM & much more

Next-generation Log Management:

•Turnkey log management

•SME to Enterprise

•Upgradeable to enterprise SIEM

Next-generation SIEM:

•Integrated log, cyber threat, risk and compliance management

•Scalable, Automated, Broad market

•Network activity information

Stackable Expansion:

•Event Processors, High Availability

•Network Activity Processors

•Geographic distribution

•Horizontal scale

•Embedded, real-time database

Application & Activity Monitoring:

•Layer 7 application monitoring

•Content Aware

•Identity/user-based visibility of network and application activity

•Provides visibility into physical and virtual

Next-generation Risk Management:

•Predictive threat modeling & simulation

•Automated compliance and policy verification

•Scalable configuration monitoring & audit

•Advanced threat visualization/impact analysis

Page 29

Q1 in action - Malware activity

IRC on port 80? QFlow enables detection of a covert channel.

Irrefutable botnet communication – Layer 7 data contains botnet command and control instructions.

Potential botnet detected? This is as far as traditional SIEM can go.
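What makes the "IRC on port 80" case detectable is not the port number but the Layer 7 payload: a flow collector identifies the application from the first bytes the client sends and compares it with what the destination port implies. The added example below (not the presentation's or Q1 Labs' code; QFlow's real classifier is far richer) fingerprints HTTP and IRC from constructed flow records and raises an alert when the observed application disagrees with the port's expectation. The flow records, the fingerprint patterns and the port expectation table are all assumptions made for the example.

```python
import re
from typing import List

# Constructed flow records carrying the first bytes of client payload (not from the presentation).
SAMPLE_FLOWS = [
    {"id": 1, "src": "10.0.0.5", "dst": "192.0.2.10", "dst_port": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    # IRC command syntax on a web port: the covert channel from the slide.
    {"id": 2, "src": "10.0.0.9", "dst": "198.51.100.7", "dst_port": 80,
     "payload": b"NICK ws09-bot\r\nUSER ws09 0 * :ws09\r\nJOIN #lobby\r\n"},
    # IRC on its usual port: unusual in a corporate network, but not a port mismatch.
    {"id": 3, "src": "10.0.0.9", "dst": "198.51.100.8", "dst_port": 6667,
     "payload": b"NICK alice\r\nUSER alice 0 * :alice\r\n"},
    # Binary payload the fingerprints do not recognize: no claim is made, so no alert.
    {"id": 4, "src": "10.0.0.5", "dst": "203.0.113.2", "dst_port": 80,
     "payload": b"\x00\x01\x02\x03garbage"},
]

# Minimal Layer 7 fingerprints (assumption: a real classifier has many more and deeper checks).
HTTP_RE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
IRC_RE = re.compile(rb"^(NICK|USER|PASS|JOIN|PRIVMSG|PING|PONG) ")

# What application a destination port is expected to carry.
PORT_EXPECTATION = {80: "http", 8080: "http", 6667: "irc"}


def identify_app(payload: bytes) -> str:
    """Classify the application from the first client bytes, independent of the port."""
    if HTTP_RE.match(payload):
        return "http"
    if IRC_RE.match(payload):
        return "irc"
    return "unknown"


def detect_covert_channels(flows: List[dict]) -> List[dict]:
    """Alert when the application seen in the payload contradicts the port's expectation."""
    alerts = []
    for flow in flows:
        observed = identify_app(flow["payload"])
        expected = PORT_EXPECTATION.get(flow["dst_port"])
        if expected is None or observed == "unknown" or observed == expected:
            continue
        first_line = flow["payload"].split(b"\r\n")[0].decode("latin-1")
        alerts.append({
            "flow_id": flow["id"], "src": flow["src"], "dst": flow["dst"],
            "dst_port": flow["dst_port"], "expected": expected, "observed": observed,
            # The Layer 7 evidence an analyst would pivot on.
            "evidence": first_line,
            "severity": "high" if observed == "irc" else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_covert_channels(SAMPLE_FLOWS):
        print(alert)
```

The point a log-only SIEM cannot reach is the `evidence` field: a firewall log would show flow 2 as ordinary outbound port 80 traffic, while the payload line `NICK ws09-bot` is what turns "potential" into a concrete finding.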

Page 30

Q1 in action - User activity monitoring

Authentication failures – perhaps a user who forgot their password?

Brute force password attack – numerous failed login attempts against different user accounts.

Host compromised – all this followed by a successful login.

Automatically detected, no custom tuning required.
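The three slide captions describe one escalating correlation rule: isolated failures are noise, failures against several different accounts from one source within a short window are a brute-force attack, and a success from that same source while the attack window is still open means the host is probably compromised. The added example below (not the presentation's or Q1 Labs' code) implements that rule as a stateful correlator over constructed, already-normalized events. The five-minute window, the threshold of three distinct accounts, and the magnitude values are assumptions chosen for the example; the events are assumed to arrive in timestamp order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed, already-normalized authentication events in time order (not from the presentation).
AUTH_EVENTS = [
    {"ts": "2011-07-07T10:15:01", "src_ip": "10.1.2.3", "host": "ws17", "user": "root",   "outcome": "failure"},
    {"ts": "2011-07-07T10:15:03", "src_ip": "10.1.2.3", "host": "ws17", "user": "admin",  "outcome": "failure"},
    {"ts": "2011-07-07T10:15:05", "src_ip": "10.1.2.3", "host": "ws17", "user": "jsmith", "outcome": "failure"},
    {"ts": "2011-07-07T10:15:06", "src_ip": "10.1.2.3", "host": "ws17", "user": "backup", "outcome": "failure"},
    {"ts": "2011-07-07T10:15:09", "src_ip": "10.1.2.3", "host": "ws17", "user": "jsmith", "outcome": "success"},
    # One typo from a legitimate user, then a correct login: no rule should fire.
    {"ts": "2011-07-07T10:20:00", "src_ip": "10.9.9.9", "host": "ws17", "user": "bob",    "outcome": "failure"},
    {"ts": "2011-07-07T10:20:30", "src_ip": "10.9.9.9", "host": "ws17", "user": "bob",    "outcome": "success"},
]

Key = Tuple[str, str]  # (source IP, target host)


class AuthCorrelator:
    """Escalating authentication rule, keyed by (source IP, target host).

    brute_force:      failures against >= min_accounts distinct accounts inside `window`.
    host_compromised: a successful login from the same source to the same host while
                      the brute_force finding is still inside its window.
    Events must be fed in timestamp order.
    """

    def __init__(self, window: timedelta = timedelta(minutes=5), min_accounts: int = 3):
        self.window = window
        self.min_accounts = min_accounts
        self.failures: Dict[Key, Deque[Tuple[datetime, str]]] = defaultdict(deque)
        self.brute_force_at: Dict[Key, datetime] = {}
        self.offenses: List[dict] = []

    def _expire(self, key: Key, now: datetime) -> None:
        """Drop failures and brute-force state that have aged out of the window."""
        q = self.failures[key]
        while q and now - q[0][0] > self.window:
            q.popleft()
        fired = self.brute_force_at.get(key)
        if fired is not None and now - fired > self.window:
            del self.brute_force_at[key]

    def process(self, ev: dict) -> None:
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["src_ip"], ev["host"])
        self._expire(key, ts)
        if ev["outcome"] == "failure":
            self.failures[key].append((ts, ev["user"]))
            accounts = sorted({user for _, user in self.failures[key]})
            if len(accounts) >= self.min_accounts and key not in self.brute_force_at:
                self.brute_force_at[key] = ts
                self.offenses.append({"rule": "brute_force", "ts": ev["ts"], "src_ip": ev["src_ip"],
                                      "host": ev["host"], "accounts": accounts, "magnitude": 6})
        elif ev["outcome"] == "success" and key in self.brute_force_at:
            self.offenses.append({"rule": "host_compromised", "ts": ev["ts"], "src_ip": ev["src_ip"],
                                  "host": ev["host"], "user": ev["user"], "magnitude": 10})


def run_correlation(events: List[dict]) -> List[dict]:
    correlator = AuthCorrelator()
    for ev in events:
        correlator.process(ev)
    return correlator.offenses


if __name__ == "__main__":
    for offense in run_correlation(AUTH_EVENTS):
        print(offense)
```

Two design points matter in practice: the state is keyed on source and target so that one attacker hitting many hosts does not hide behind per-user thresholds, and the brute-force finding expires with the window, so a success from the same address hours later is not automatically an offense.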

Page 31

Q1 in action - complex threat detection

Sounds nasty… but how do we know this? The evidence is a single click away.

Buffer overflow exploit attempt – seen by Snort

Network scan – detected by QFlow

Targeted host vulnerable – detected by Nessus

Total visibility – convergence of network, event and vulnerability data.

Page 32

Q1 in action – data loss prevention

Potential Data Loss? Who? What? Where?

Who? An internal user

What? Oracle data

Where? Gmail

Page 33

Q1 Labs in figures

Based on selection, sizing, requirements and targets there are different models and ways to move forward:

All-in-one solutions

Distributed –

Console

Flow processor

Event processor

QFlow collector

Many upgrade possibilities

HA and DR options

Smallest all-in-one appliance pricing starts at 30K Euro – where it ends ……depends on everything

Page 34

Business & personal risk analysis matrix

Page 35

“Data Security Solutions” can help

Specialization – IT Security

IT Security consulting (vulnerability assessment tests, security audit, new systems integration, HR training, technical support)

Innovative & selected software / hardware & hybrid solutions from leading technology vendors from over 10 different countries

Page 36

Think security first

www.dss.lv

[email protected]

+371 2 9162784