Security Information Management

Leveraging Security Event Information

Description: Managing security event information is a difficult task. Most successful deployments start with a clear understanding of business needs, and plans for what to do with the information. (PowerPoint presentation, 25 slides)

Transcript

Page 1: Security

Security Information Management

Page 2: Security

Thesis
• Managing security event information is a difficult task
• Most successful deployments start with a clear understanding of business needs, and plans for what to do with the information
• Security event information management tools are maturing and moving from the outside in
• But there are limitations regarding what the products can accomplish

Leveraging Security Event Information

Page 3: Security

Leveraging Security Event Information

Agenda
• Why managing security event information is a difficult task
• Solutions and technology
• Emerging trends
• Recommendations


Page 5: Security

Why Managing Security Event Information is…

Even finding a name for it is hard!
• Security Information Management (SIM)
• Security Event Management (SEM)
• Security Intelligence Management (SIM)
• Enterprise Security Management (ESM)
• Defense Information Management / Security Operations Management (DIM/SOM)
Just kidding about that last one…

This is: Security Event Information Management (SEIM)

Page 6: Security

Why Managing Security Event Information is…

“Billions and billions” of events
• Firewalls, IDS, IPS, anti-virus, databases, operating systems, content filters
• Information overload
• Lack of standards
• Difficult correlation: making sense of event sequences that appear unrelated
• False positives and validation issues

Page 7: Security

Why Managing Security Event Information is…

Business objectives of SEIM: increase the overall security posture of an organization
• Turn chaos into order
• Aggregate log file data from disparate sources
• Create holistic security views for compliance reporting
• Identify and track causal relationships in the network in near real time
• Build a historical forensic foundation

Page 8: Security

Why Managing Security Event Information is…

Things SEIMs can look for
• Internal policy compliance on hosts and systems
• Track usage throughout the enterprise
• Access to strategic applications and servers
• Password change events
• Path of a worm or virus through the network

What does your company want to look for with the SEIM?
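Tracing the path of a worm through the network is one of the use cases above, and it is a good illustration of what "correlation" across many sensor events means in practice. The following is an added example, not code from the presentation: it takes IDS alerts that already carry a source, destination and signature (here a constructed list; the signature name, addresses and times are invented) and rebuilds the propagation tree by attributing each host to the first source seen hitting it.

```python
"""Reconstruct the propagation path of a worm from IDS alerts (constructed data)."""
from datetime import datetime

# Constructed IDS alerts: (timestamp, src, dst, signature). The signature name,
# addresses and times are invented for this example.
ALERTS = [
    ("2005-06-01T09:00:00", "10.0.1.5", "10.0.2.8", "W32.Example.Exploit"),
    ("2005-06-01T09:00:30", "10.0.1.5", "10.0.3.3", "W32.Example.Exploit"),
    ("2005-06-01T09:02:00", "10.0.2.8", "10.0.4.1", "W32.Example.Exploit"),
    ("2005-06-01T09:02:10", "10.0.9.9", "10.0.4.1", "PORTSCAN"),             # unrelated noise
    ("2005-06-01T09:05:00", "10.0.4.1", "10.0.5.6", "W32.Example.Exploit"),
    ("2005-06-01T09:06:00", "10.0.2.8", "10.0.1.5", "W32.Example.Exploit"),  # hits an already-infected host
]


def propagation_tree(alerts, signature):
    """Return (roots, infected): roots are hosts that started sending the exploit
    without having been hit first (patient zero, or a second entry point);
    infected maps each host to (infector, first_seen). A host is attributed to
    the first source seen hitting it, in timestamp order."""
    ordered = sorted(
        (datetime.fromisoformat(ts), src, dst) for ts, src, dst, sig in alerts if sig == signature
    )
    infected, roots = {}, []
    for ts, src, dst in ordered:
        if src not in infected:          # attacker never seen as a victim: an entry point
            infected[src] = (None, ts)
            roots.append(src)
        if dst not in infected:          # first exploit attempt against this host wins
            infected[dst] = (src, ts)
    return roots, infected


def infection_path(infected, host):
    """Walk the infector chain back from `host` to the entry point."""
    path = [host]
    while infected[host][0] is not None:
        host = infected[host][0]
        path.append(host)
    return list(reversed(path))


if __name__ == "__main__":
    roots, infected = propagation_tree(ALERTS, "W32.Example.Exploit")
    print("entry points:", roots)
    for h in infected:
        print(" -> ".join(infection_path(infected, h)))
```

The attribution rule is deliberately simple: an IDS alert records an exploit attempt, not a confirmed compromise, so the tree is a hypothesis to validate against host evidence (the "false positives and validation issues" the deck warns about). Alerts that never match the signature, such as the port scan, are ignored rather than folded into the chain.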

Page 9: Security

Leveraging Security Event Information

Agenda
• Why managing security event information is a difficult task
• Solutions and technology
• Emerging trends
• Recommendations

Page 10: Security

SEIM reference architecture (the slide's diagram, rendered as text)

INPUTS (each source reporting through agent logging)
• Identity Management: access control, directories, provisioning
• System Management: host & DB configuration, patch management, vulnerability management
• Perimeter Controls: routers, firewalls, content scanners
• IDS / Response: network IDS, network IPS, other sensors

COLLECTION / AGGREGATION / CORRELATION
• Distributed collectors
• Central / master collector

REAL-TIME ANALYSIS / RESPONSE
• Security alerts

VISUALIZATION / ADMINISTRATION
• Reports
• Visualization
• Policies / compliance rules
• Signatures / attack patterns

OPERATIONS INTEGRATION / RESPONSE
• Network / security operations
• Help desk ticketing

LONG-TERM STORAGE / AUDIT / INVESTIGATION
• Raw log archive

Page 11: Security

Solutions and Technology

How the products work
• Collect: inputs from target sources, by agent and agentless methods
• Aggregate: bring all the information to a central point
• Normalize: translate disparate syntax into a standardized one
• Correlate: if A and B then C
• Report: state of health, policy conformance
• Archive

Collect → Aggregate → Normalize → Correlate → Report → Archive
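The pipeline above is easiest to see end to end in code. The following is an added example written for this page, not a product's implementation: three constructed sources (a firewall, a network IDS and a host's sshd log, each with its own made-up syntax) are normalized into one schema, aggregated into a single time-ordered stream, correlated with one "if A and B then C" rule (repeated authentication failures followed by a success from the same source), and summarized for a state-of-health report. Hostnames, addresses and timestamps are invented.

```python
"""Collect -> aggregate -> normalize -> correlate -> report over constructed sample logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from three sources, each in its own syntax. They imitate
# no specific product; hostnames, addresses and times are invented for the example.
RAW_LOGS = [
    "fw01 2005-06-01T10:00:01 DENY src=203.0.113.5 dst=10.0.0.7 dport=23",
    "ids01 2005-06-01T10:00:02 alert sig=SSH_BRUTE src=203.0.113.5 -> 10.0.0.7",
    "host07 2005-06-01T10:00:05 sshd: Failed password for root from 203.0.113.5",
    "host07 2005-06-01T10:00:07 sshd: Failed password for root from 203.0.113.5",
    "host07 2005-06-01T10:00:09 sshd: Failed password for root from 203.0.113.5",
    "host07 2005-06-01T10:00:12 sshd: Accepted password for root from 203.0.113.5",
    "host07 2005-06-01T11:30:00 sshd: Failed password for bob from 198.51.100.9",
    "host07 2005-06-01T11:45:00 sshd: Accepted password for bob from 198.51.100.9",
]

# One parser per source syntax. Every parser emits the same schema:
# ts, reporter, event, src, dst, detail, raw.
PARSERS = [
    (re.compile(r"^(?P<host>fw\S*) (?P<ts>\S+) (?P<action>DENY|ALLOW) "
                r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"),
     lambda m: {"event": "fw_" + m["action"].lower(), "src": m["src"],
                "dst": m["dst"], "detail": m["dport"]}),
    (re.compile(r"^(?P<host>ids\S*) (?P<ts>\S+) alert sig=(?P<sig>\S+) "
                r"src=(?P<src>\S+) -> (?P<dst>\S+)$"),
     lambda m: {"event": "ids_alert", "src": m["src"], "dst": m["dst"],
                "detail": m["sig"]}),
    (re.compile(r"^(?P<host>\S+) (?P<ts>\S+) sshd: (?P<result>Failed|Accepted) "
                r"password for (?P<user>\S+) from (?P<src>\S+)$"),
     lambda m: {"event": "auth_ok" if m["result"] == "Accepted" else "auth_fail",
                "src": m["src"], "dst": m["host"], "detail": m["user"]}),
]


def normalize(line):
    """Translate one raw line into the common schema; None if no parser matches."""
    for pattern, extract in PARSERS:
        m = pattern.match(line)
        if m:
            rec = extract(m)
            rec["ts"] = datetime.fromisoformat(m["ts"])
            rec["reporter"] = m["host"]
            rec["raw"] = line  # keep the original beside the normalized form
            return rec
    return None


def aggregate(lines):
    """Bring every source into one stream ordered by timestamp (unparsed lines dropped)."""
    records = [r for r in map(normalize, lines) if r is not None]
    return sorted(records, key=lambda r: r["ts"])


def correlate(records, threshold=3, window=timedelta(seconds=60)):
    """'If A and B then C': A = at least `threshold` auth_fail events from one source
    against one host inside `window`; B = an auth_ok from that source to that host
    while A still holds; C = a brute_force_success alert."""
    failures = defaultdict(list)  # (src, dst) -> timestamps of recent failures
    alerts = []
    for r in records:
        key = (r["src"], r["dst"])
        if r["event"] == "auth_fail":
            failures[key] = [t for t in failures[key] if r["ts"] - t <= window] + [r["ts"]]
        elif r["event"] == "auth_ok":
            recent = [t for t in failures[key] if r["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_success", "src": r["src"],
                               "dst": r["dst"], "user": r["detail"], "ts": r["ts"],
                               "failures": len(recent)})
            failures.pop(key, None)  # a success resets the window for that pair
    return alerts


def report(records):
    """State-of-health summary: event counts per normalized event type."""
    counts = defaultdict(int)
    for r in records:
        counts[r["event"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = aggregate(RAW_LOGS)
    print(report(recs))
    for a in correlate(recs):
        print(a)
```

Two points the code makes that the bullet list does not: the normalized record keeps the raw line alongside it, because the original is what an investigation or a legal process will ask for; and the firewall reports the target as 10.0.0.7 while the host reports itself as host07, so correlating across those two sources needs an asset inventory that maps one to the other, which is exactly the "understand the assets" step the next slides call critical.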

Page 12: Security

Solutions and Technology

Understand the business case for the product
• Build a strong set of requirements: what will it do? How will it add business value?
Understand the assets
• Prioritize by value; it is critical, but few products do this successfully today
Understand policies
• What are the technical security policies?
• Data lifecycle considerations

Page 13: Security

Solutions and Technology

Consideration: requirements for visualization?
• The Big Red Button
• Tailoring views: geographic, configurability, drill-down options
• Hierarchical views and cross-cutting data sharing: CIO view, auditor view

Page 14: Security

Solutions and Technology

Consideration: what are the life cycle and storage needs?
• Internal policies: archive everything? Best have a robust SAN! What information is critical to the business? What is in those audit logs?
• Regulatory requirements
• Normalization questions: is the original log data still available? Has it been “normalized”?
• Know where the backups will go
• Understand lifecycle and mining needs
• Filters and searching: you cannot sift through petabytes of data manually

Page 15: Security

Solutions and Technology

Consideration: how will the data be used after it is collected?
• Historical “forensics”? Track back and replay
• Legal forensics? Legal matters: chain of custody; tamper proof / tamper evident; original audit/log data (not normalized); integrity, or “garbage in, garbage out”
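The legal-forensics requirements (keep the original, not the normalized data; make it tamper evident; be able to show integrity) can be met with a hash-chained, append-only archive. The following is an added example written for this page, not a description of any product: each stored line carries a SHA-256 over the previous entry's hash and the line itself, so editing, deleting or reordering an entry breaks every hash after it, and `verify` reports the first entry that no longer checks out. Anchoring the chain head out of band (write-once media, a signed timestamp, a custody record) is assumed rather than implemented, and the sample lines are constructed.

```python
"""Append-only, hash-chained archive of original (not normalized) log lines."""
import hashlib
import json


class RawLogArchive:
    """Every entry keeps the original line and a SHA-256 over (previous hash, line),
    so changing, deleting or reordering any entry invalidates every hash after it.
    The `head()` value is what you would record out of band (write-once media,
    a signed timestamp, a custody log) to anchor the chain; that part is assumed
    and not implemented here."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []  # [{"seq", "raw", "prev", "hash"}]

    @staticmethod
    def _digest(prev_hash, raw):
        return hashlib.sha256((prev_hash + "\n" + raw).encode("utf-8")).hexdigest()

    def append(self, raw_line):
        """Store the line exactly as received; never the normalized form."""
        prev = self.head()
        digest = self._digest(prev, raw_line)
        self.entries.append({"seq": len(self.entries), "raw": raw_line,
                             "prev": prev, "hash": digest})
        return digest

    def head(self):
        return self.entries[-1]["hash"] if self.entries else self.GENESIS

    def verify(self, expected_head=None):
        """Recompute the chain. Returns (ok, first_bad_seq); if `expected_head` is
        given, a chain that is internally consistent but was truncated at the end
        is also reported as bad."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["raw"]) != e["hash"]:
                return False, e["seq"]
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None

    def export(self):
        return json.dumps(self.entries)

    @classmethod
    def load(cls, blob):
        archive = cls()
        archive.entries = json.loads(blob)
        return archive


if __name__ == "__main__":
    archive = RawLogArchive()
    # Constructed sample lines; any real archive would take the collector's raw feed.
    for line in ["fw01 DENY src=203.0.113.5 dst=10.0.0.7",
                 "host07 sshd: Failed password for root from 203.0.113.5",
                 "host07 sshd: Accepted password for root from 203.0.113.5"]:
        archive.append(line)
    anchor = archive.head()
    copy = RawLogArchive.load(archive.export())
    copy.entries[1]["raw"] = copy.entries[1]["raw"].replace("Failed", "Accepted")
    print(copy.verify(anchor))  # (False, 1)
```

Note the failure mode the `expected_head` argument covers: deleting the newest entries leaves a chain that still verifies internally, so an unanchored chain proves only that nothing was altered in the middle. The hash chain also does nothing for "garbage in, garbage out"; it proves the archive matches what was collected, not that what was collected was true.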

Page 16: Security

Leveraging Security Event Information

Agenda
• Why managing security event information is a difficult task
• Solutions and technology
• Emerging trends
• Recommendations

Page 17: Security

Emerging Trends

“The Manager of Managers”
• Automated remediation, change and compliance management
• But will it break the separation of duties model?
• May be viable with larger vendors, but market longevity may be a concern with smaller, niche vendors
Identity Management and Security Event Information Management
Wireless LAN security information
Voice over IP security management
Sharing Security Operations Center data with the Network Operations Center

Page 18: Security

Emerging Trends

Early SEMs focused on gathering logs from the perimeter security devices: firewalls, routers
Evolution is toward a more comprehensive integration
• Take in more input for greater vision
• Monitor activity both inside the organization as well as on the perimeter
• Additional intelligence can lead to more precise correlation

Page 19: Security

Emerging Trends

Monitoring for abuse
• As the focus is turned inward, user behavior can be captured
• Links back to Identity Management synchronization with the SEIM

Page 20: Security

Emerging Trends

SEIM is not currently a standards-based approach; vendors take proprietary approaches to logging/event reporting and to normalization techniques
• CVE (Common Vulnerabilities and Exposures): “a dictionary, not a database”; creates standardized names for vulnerabilities
• CVSS (Common Vulnerability Scoring System): standard ratings of vulnerabilities; very early stage

Page 21: Security

Leveraging Security Event Information

Agenda
• Why managing security event information is a difficult task
• Solutions and technology
• Emerging trends
• Recommendations

Page 22: Security

Recommendations
• Understand the business goals for the SEIM: determine which systems must be covered, what level of data gathering is required, and the appropriate storage mechanisms
• Make some friends! Talk to others who have deployed SEIMs in environments similar to yours. Since the SEIM may touch cross-enterprise systems, making friends inside the organization is important too
• Build solid RFPs before speaking to vendors. Vendors like their products best (understandably). Make the SEIM work for your company; do not compromise your business requirements to fit into the SEIM vendor's framework

Page 23: Security

Recommendations

• Weigh vendor claims carefully: scalability can affect the utility of the product; throughput and events-per-second (EPS) numbers may be apples to oranges
• Take an architectural approach: incorporate the SEIM into the network architecture; consider the ability to integrate with existing network systems managers' consoles
• Don't forget separation of duties requirements
• Flexibility of the solution for views, privacy, lifecycle and storage control

Page 24: Security

Recommendations

Remember you don't need to solve world hunger, yet
• Consider phased implementations
• Cover a smaller subset of systems, perhaps on the perimeter, before moving to more comprehensive, whole-enterprise event information management deployments
• From the architecture diagram, a perimeter-first phase covers Perimeter Controls (routers, firewalls, content scanners) and Intrusion Detection / Response (network IDS, network IPS, other sensors), each reporting through agent logging

Page 25: Security

Conclusion
• Managing information security is a difficult task
• SEIM is an emerging technology, with emerging capabilities and uses
• Not all products work the same way, or do the same things
• To leverage security information, understand your needs before speaking to vendors
• The technology decision will be much easier if you know your requirements up front

Leveraging Security Information