SpiceWorks Webinar: Whose logs, what logs, why logs

Tom D’Aquino, Senior Security Engineer, AlienVault
WHOSE LOGS, WHAT LOGS, WHY LOGS: YOUR QUICKEST PATH TO SECURITY VISIBILITY

Upload: alienvault

Posted on 15-Jan-2015

Category: Technology

DESCRIPTION

Securing your environment requires an understanding of the current and evolving threat landscape as well as knowledge of network technology and system design. This session will combine lecture, demo and interactive Q/A that will highlight how to build out a security plan to defend against today’s threats. Join AlienVault for this webinar to learn:
• What network, system and host data you should be collecting for the quickest path to security visibility
• Best practices for network, perimeter and host monitoring
• Security advantages of new AlienVault Threat Alerts coming soon to SpiceWorks

TRANSCRIPT

Page 1: SpiceWorks Webinar: Whose logs, what logs, why logs

Tom D’Aquino Senior Security Engineer

AlienVault

WHOSE LOGS, WHAT LOGS, WHY LOGS: YOUR QUICKEST PATH TO SECURITY VISIBILITY

Page 2

AGENDA

The Challenge
• Getting adequate security visibility for your small or medium business

The Widely Pursued Solution
• The traditional approach to Log Management/SIEM
• The cost/benefit analysis

An Alternative Approach
• Who, What and Why is the key
• Unified Security Management
• AlienVault’s Threat Intelligence Labs

Coming Soon to SpiceWorks: AlienVault Threat Alerts

Page 3

HUMANS MEET TECHNOLOGY

Page 4

HUMANS MEET TECHNOLOGY

Something is down?

YouTube is up though.

Page 5

THE WIDELY PURSUED SOLUTION

The traditional approach to Log Management/SIEM:
• Collect Everything
• Analyze everything
• Correlate everything
• Store everything

Page 6

BUT AT WHAT HARDWARE COST?

How much storage, CPU and RAM will you need to collect, correlate and store all of this data?

• High-performance storage is not cheap

How effective is the automated analysis (i.e., correlation) really going to be?

• Correlation is CPU and memory intensive

Page 7

AND AT WHAT HUMAN RESOURCE COST?

How effective is your team really going to be?

• Can one person realistically review 10,000 alerts in a day?

Pages 8-10

IS THERE A BETTER APPROACH TO LOG MANAGEMENT?

What if we took a more strategic approach by identifying the problem more effectively?

Why: Why do you need the logs?
• Do you have an intended result in mind?

What: What logs will you need to get that result?
• i.e., will authentication logs suffice?

Who: Who will the logs you collect pertain to?
• Is there a specific user group/community you should be focused on?

Page 11

LET’S LOOK AT SOME EXAMPLES

What log sources should you start with?

Page 12

EVERYONE COLLECTS FIREWALL LOGS, RIGHT?

Why do you need Firewall logs?
• I need to see what is getting in to my network

What logs will you need to get that result?
• Firewall permit logs

Who will the logs you collect pertain to?
• I’m most significantly concerned with blacklisted IPs/domains

Page 13

WHAT’S GETTING IN YOUR WAY?

You are probably only seeing these:

When you should be looking for this:

Page 14

WHAT ABOUT OS LOGS?

Why do you need OS logs?
• I need to detect unauthorized access attempts and account lockouts

What logs will you need to get that result?
• OS authentication failure and account lockout logs

Who will the logs you collect pertain to?
• I’m most significantly concerned with admin level accounts

Page 15

WHAT’S GETTING IN YOUR WAY HERE?

Multiple events to indicate a single login:

No login failure events to be found…

Page 16

WHAT ABOUT YOUR NETWORK GEAR?

Why do you need Switch/Router logs?
• I need to see when someone logs in to my network gear and makes config changes

What logs will you need to get that result?
• Syslog data from my Routers and Switches

Who will the logs you collect pertain to?
• Anyone connecting to my network gear

Page 17

MORE NOISE IN YOUR WAY…

You may have to process tens of thousands of these:

Just to get one or two of these:

Page 18

HOW CAN ALIENVAULT HELP WITH FIREWALL LOGS?

Managing Firewall logs is all about context:

Page 19

HOW CAN ALIENVAULT HELP WITH OS LOGS?

Use policy filters to eliminate repetitive data:

Page 20

HOW CAN ALIENVAULT HELP WITH OS LOGS?

Use correlation to detect mischievous activity:

Page 21

HOW CAN ALIENVAULT HELP WITH DEVICE LOGS?

Use policy filters to eliminate the noise:

Page 22

HOW CAN ALIENVAULT HELP WITH DEVICE LOGS?

Or use policy filters to explicitly include the interesting stuff:
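The three worked cases on pages 12 through 17 (firewall permits from blacklisted sources, admin authentication failures and lockouts buried under per-login session events, router and switch config changes buried under interface flaps) and the policy-filter and correlation approach on pages 18 through 22 come down to one recipe: decide the Why, keep only the What, and narrow to the Who. The Python below is an added example written for this page; it is not code from the webinar or from AlienVault's products. It runs that recipe over constructed sample log lines in simplified formats (key=value firewall and Windows security events, Cisco IOS-style syslog), with an assumed blacklist, an assumed list of admin accounts, and assumed correlation thresholds. The Windows event IDs used (4624 logon, 4625 failed logon, 4672 special privileges, 4740 lockout) and the Cisco mnemonics are standard; everything else is made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample data: not real captures, formats simplified for parsing ---

BLACKLIST = {"203.0.113.7", "198.51.100.23"}      # "Who" for the firewall: assumed reputation list
ADMIN_ACCOUNTS = {"administrator", "da-jsmith"}   # "Who" for the OS: assumed admin-level accounts

FIREWALL_LOGS = """\
2015-01-15T09:00:01 fw1 action=deny proto=tcp src=198.51.100.23 dst=192.0.2.10 dport=23
2015-01-15T09:00:02 fw1 action=deny proto=tcp src=203.0.113.7 dst=192.0.2.10 dport=445
2015-01-15T09:00:05 fw1 action=permit proto=tcp src=203.0.113.7 dst=192.0.2.10 dport=443
2015-01-15T09:00:07 fw1 action=permit proto=tcp src=192.0.2.44 dst=192.0.2.10 dport=443
2015-01-15T09:00:09 fw1 action=permit proto=udp src=198.51.100.23 dst=192.0.2.53 dport=53
""".splitlines()

OS_LOGS = """\
2015-01-15T09:01:00 DC1 EventID=4624 TargetUserName=jdoe IpAddress=192.0.2.31
2015-01-15T09:01:00 DC1 EventID=4672 TargetUserName=jdoe IpAddress=192.0.2.31
2015-01-15T09:02:10 DC1 EventID=4625 TargetUserName=administrator IpAddress=192.0.2.77
2015-01-15T09:02:12 DC1 EventID=4625 TargetUserName=administrator IpAddress=192.0.2.77
2015-01-15T09:02:14 DC1 EventID=4625 TargetUserName=administrator IpAddress=192.0.2.77
2015-01-15T09:02:16 DC1 EventID=4625 TargetUserName=administrator IpAddress=192.0.2.77
2015-01-15T09:02:18 DC1 EventID=4740 TargetUserName=administrator IpAddress=192.0.2.77
2015-01-15T09:03:00 DC1 EventID=4625 TargetUserName=jdoe IpAddress=192.0.2.31
2015-01-15T09:30:00 DC1 EventID=4625 TargetUserName=da-jsmith IpAddress=192.0.2.90
2015-01-15T09:45:00 DC1 EventID=4625 TargetUserName=da-jsmith IpAddress=192.0.2.90
""".splitlines()

NETWORK_LOGS = """\
Jan 15 09:05:02 core-sw1 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/12, changed state to up
Jan 15 09:06:10 core-sw1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 192.0.2.50] [localport: 22]
Jan 15 09:07:30 core-sw1 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (192.0.2.50)
Jan 15 09:08:00 edge-rtr1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
Jan 15 09:09:15 edge-rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22]
""".splitlines()

KV = re.compile(r"(\w+)=(\S+)")

def parse_kv(line):
    """Split a constructed 'ISO-timestamp host key=value ...' line into a dict."""
    ts, host, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts)
    fields["host"] = host
    return fields

def firewall_hits(lines, blacklist):
    """Firewall. Why: what is getting in. What: permit logs only. Who: blacklisted sources.
    Denies are dropped first; they are the bulk of the volume but not the answer."""
    return [(f["src"], f["dst"], int(f["dport"]))
            for f in map(parse_kv, lines)
            if f["action"] == "permit" and f["src"] in blacklist]

AUTH_FAILURE, LOCKOUT = "4625", "4740"
SESSION_NOISE = {"4624", "4634", "4672"}   # logon/logoff/privilege events: several per single login

def admin_auth_alarms(lines, admins, threshold=3, window=timedelta(minutes=5)):
    """OS. Why: unauthorized access attempts and lockouts. What: 4625 and 4740.
    Who: admin-level accounts. A policy filter drops the per-login session noise,
    then a correlation rule fires when an admin account collects `threshold`
    failures inside `window` (assumed values), or is locked out at all."""
    events = (f for f in map(parse_kv, lines) if f["EventID"] not in SESSION_NOISE)
    failures, alarms = defaultdict(list), []
    for f in events:
        user = f["TargetUserName"]
        if user not in admins:
            continue
        if f["EventID"] == LOCKOUT:
            alarms.append(("lockout", user, f["IpAddress"]))
        elif f["EventID"] == AUTH_FAILURE:
            recent = [t for t in failures[user] if f["ts"] - t <= window] + [f["ts"]]
            failures[user] = recent
            if len(recent) == threshold:       # fire once, as the threshold is crossed
                alarms.append(("brute_force", user, f["IpAddress"]))
    return alarms

CISCO = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) %(?P<mnemonic>[A-Z_]+-\d-[A-Z_]+): (?P<msg>.*)$")
INTERESTING = {"SEC_LOGIN-5-LOGIN_SUCCESS", "SEC_LOGIN-4-LOGIN_FAILED", "SYS-5-CONFIG_I"}

def device_changes(lines):
    """Network gear. Why: who logs in and changes config. What: syslog from routers
    and switches. Who: anyone. An include-filter keeps only login and config-change
    mnemonics, so LINK/LINEPROTO flaps never reach the analyst."""
    kept = []
    for line in lines:
        m = CISCO.match(line)
        if m and m.group("mnemonic") in INTERESTING:
            kept.append((m.group("host"), m.group("mnemonic"), m.group("msg")))
    return kept

if __name__ == "__main__":
    for hit in firewall_hits(FIREWALL_LOGS, BLACKLIST):
        print("permit from blacklisted host:", hit)
    for alarm in admin_auth_alarms(OS_LOGS, ADMIN_ACCOUNTS):
        print("admin auth alarm:", alarm)
    for change in device_changes(NETWORK_LOGS):
        print("device login/config event:", change)
```

Run it directly to print the three result sets. The point the slides make shows up in the sizes: five firewall lines reduce to two permits worth a look, ten OS events to two alarms on one account, and the device syslog keeps three lines out of five. The same three questions also decide what gets stored at all; the deny lines and the interface flaps are discarded before they cost storage or analyst time, which is the trade-off pages 6 and 7 ask about. In a real deployment the blacklist would come from a reputation feed and the admin list from the directory, and the failure threshold and window would be tuned to the environment's lockout policy.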

Page 23

UNIFIED SECURITY MANAGEMENT

“SECURITY VISIBILITY THROUGH OPEN SOURCE INTEGRATION”

Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory

Vulnerability Assessment
• Network Vulnerability Testing

Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring

Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring

Security Intelligence
• SIEM Correlation
• Incident Response

Page 24

BENEFITS OF UNIFIED SECURITY CONTROLS

Accelerated time to value
• Go from install to insight quickly

Reduce cost and complexity
• At deployment time: Focus on integrating the infrastructure event data only
• Over the long term: Manage all through the same console, better workflow, etc.

More coordinated detection for accurate alarms
• Built-in event correlation rules
• Attacker intelligence provides more accurate correlation

Page 25

UNIFYING BEST-IN-BREED TECHNOLOGY WITH SHARED INTELLIGENCE

AlienVault Labs monitor, analyze, reverse engineer and report on sophisticated zero-day threats including malware, bots, phishing campaigns and more.

Findings are published in the Open Threat Exchange (OTX), pushing the latest threat intelligence including correlation rules, policies, and reputation data directly to AlienVault USM.

AlienVault OTX
• 500,000 Malware Samples Analyzed per day
• 100,000 Malicious IPs Validated per day
• 8,000+ Global Collection Points in 140+ countries
• > 7 Million URLs Analyzed

Page 26

CROWD-SOURCED THREAT DATA IN ACTION

Since March 2012, OSSIM & USM users have flagged 196 million malicious events that were contributed to the OTX database

Average of ~11 million per month (365,000 a day)

[Chart: malicious events contributed to OTX, monthly from 3/1/12 to 9/1/13; y-axis 0 to 250,000,000]

Page 27

ALIENVAULT THREAT ALERTS FOR SPICEWORKS

SpiceHead Benefits:
• Identify compromised hosts in a monitored network without having to deploy Anti-Virus or any other agent
• Remediation advice from world’s largest crowd sourced threat intelligence database

Page 28

HOW IT WORKS – THREAT MONITORING

Internet

Customers’ Internal Assets In SpiceWorks

Search for connections with known malicious hosts

Page 29

HOW IT WORKS – ALERT TRIGGERED

Customers’ Internal Assets In SpiceWorks

Alert on connection with known malicious host

Page 30

THREAT ALERTS IN SPICEWORKS: DASHBOARD & DEVICE DETAILS PAGE

“SpiceWorks has found a connection with a potentially suspicious IP Address 77.240.191.89 on device tmg-mbh.”

AlienVault Threat Analysis for suspicious IP

Page 31

ALIENVAULT THREAT ANALYSIS - SUMMARY

Page 32

ALIENVAULT THREAT ANALYSIS - REMEDIATION

Page 33

NOW FOR SOME Q&A…

Follow us on SpiceWorks
http://community.spiceworks.com/pages/AlienVault

Join us for a LIVE Demo!
http://www.alienvault.com/marketing/alienvault-usm-live-demo

Download a Free 30-Day Trial
http://www.alienvault.com/free-trial

Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site

Questions? Ping me (Tomdaq) in the SpiceWorks community