Sentor's breakfast seminar on SIEM - LogPoint's part


Transcript of Sentor's breakfast seminar on SIEM - LogPoint's part

Page 1: Enterprise Log Management / SIEM

Christian Have, Vice President Products and Innovation

Page 2

- Founded in 2001, doing security consulting
- Focus on security analytics from 2008 – bought Immune APS
- Danish company
- 250+ customers
- 75 employees – 45 developers (!)
- Offices in Denmark, Sweden, Germany, France and the UK
- 100% year-over-year growth

Vision: Creating the world's greatest SIEM platform

Page 4: Decentralized logging – Problem areas

- Separate logging of different systems
- Searching in AD requires manual search of X logs
- Some logs/systems are not handled today
- Difficult and time-consuming to search for information
- Up to X working days for basic reports
- No overview of the entire environment
- Highly dependent on individual employees
- (Way) too short retention times on some systems

Page 5: Decentralized logging – Consequences

- Limited traceability
- Decreased security for customers AND staff
- Lacking compliance in various areas
- Time-consuming reporting, search and forensics
- Limited information for troubleshooting and support
- Reactive incident handling, no statistics, no trends
- Expensive management of many local log archives

Page 6: What should you log?

"Everything" – you don't know what you will need!

- Changes in system configurations
- Changes in critical system files
- Changes and access in critical databases
- Access and use of business applications
- Actions by privileged users and administrators
- User and device management: creations, changes, deletions
- Session logging from network devices

Page 7: Where should you log?

- Operating systems
- Infrastructure components
  - Switches, routers
  - Network security: firewalls, proxy, IPS, VPN…
  - Wireless
- User authentication: Active Directory, IDM systems, policy servers
- Device management: MDM, software deployment, antivirus, asset management
- Applications!

Page 8: How do you identify security incidents without a SIEM?

- Manual log review and log analysis
- Host- and network-based IDS
- Antimalware
- Structured observations, monitoring etc.

But it is typically unorganized:
- External parties, customers, users, administrators
- Post-incident / leaked to the press

Page 9: Log Analysis

- That which is strange, unusual, unknown
- Everything not uninteresting is interesting

"The common item to look for when reviewing log files is anything that appears out of the ordinary." – CERT Coordination Center, Intrusion Detection Checklist

"If the statistics are boring, then you've got the wrong numbers." – Edward Tufte on analysis and visualization

Page 10: Log Analysis – Baseline

- Typically security incidents make up less than 0.001% of the total amount of log data
- Baseline, thresholding, what's interesting
- False positives
- Trends, different types of data – historical information
- Known bad
- Unknowns

Look at the baseline:
- What is strange?
- How many times has a given event occurred in a given timeframe – frequency thresholding
- Alert if a log source stops sending logs.
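The two baseline checks named on this slide, frequency thresholding and "a log source went quiet", as an added Python example (not code from the presentation or from LogPoint). The hourly counts, source names and the z-score/floor parameters are constructed for the example; a real deployment would take the counts from the SIEM's aggregation layer.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline data (not from the presentation): hourly counts of
# (source, event type) pairs over the previous 24 hours, as a SIEM would
# aggregate them from raw logs. Values are made up for this example.
def build_history():
    history = []
    for hour in range(24):
        c = Counter()
        c[("fw1", "deny")] = 10 + hour % 3            # 10..12 denies per hour
        c[("ad1", "logon_failure")] = 3 + hour % 2     # 3..4 failed logons per hour
        c[("proxy1", "blocked_url")] = 5               # flat 5 per hour
        history.append(c)
    return history

# Constructed "current hour": ad1 shows a burst of failed logons and fw1 has gone quiet.
CURRENT_HOUR = Counter({("ad1", "logon_failure"): 40, ("proxy1", "blocked_url"): 6})

def baseline(history):
    """Mean and population standard deviation of the hourly count per (source, event)."""
    keys = set().union(*history)
    stats = {}
    for k in keys:
        series = [h.get(k, 0) for h in history]
        stats[k] = (mean(series), pstdev(series))
    return stats

def frequency_alerts(stats, current, z=3.0, floor=5):
    """Frequency thresholding: flag (source, event) pairs whose current count exceeds
    mean + z*stddev. The absolute floor keeps a flat baseline (stddev 0) from
    alerting on a change of a single event."""
    alerts = []
    for key, (mu, sigma) in stats.items():
        n = current.get(key, 0)
        threshold = max(mu + z * sigma, mu + floor)
        if n > threshold:
            alerts.append((key, n, round(threshold, 1)))
    return sorted(alerts)

def silent_sources(stats, current):
    """Sources that normally produce events (baseline mean > 0) but sent nothing this hour."""
    expected = {src for (src, _), (mu, _) in stats.items() if mu > 0}
    seen = {src for (src, _) in current}
    return sorted(expected - seen)

if __name__ == "__main__":
    stats = baseline(build_history())
    for key, n, thr in frequency_alerts(stats, CURRENT_HOUR):
        print(f"ALERT {key}: {n} events this hour (threshold {thr})")
    for src in silent_sources(stats, CURRENT_HOUR):
        print(f"ALERT log source {src} stopped sending logs")
```

The silent-source check is deliberately separate from the frequency check: a firewall that stops logging produces a count of zero, which a "too many" rule never sees, yet it is exactly the kind of gap the slide warns about.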

Page 11: Log Analysis – Investigation

How is an investigation initiated?

- As standard, a set of rule-based alerts is used
- Followed by periodic manual review of collected and analyzed data and dashboards
- The "can you tell me" scenario: specific investigations of events on time, user, IP etc.
- All based on the collected and analyzed data
- Everything that looks unusual

Page 12: Identifying the unusual

Statistical events
- High response times / latency
- Deviating session length: time / frequency

Chronological events
- Installation of kernel drivers during the night
- Logins with service accounts on day-time systems

Machine learning / advanced algorithms
- Identifying clusters or groups of similar patterns
- Predictive "what's next" analytics

Applications, network
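The "chronological" and "statistical" rules from this slide as an added Python example (not code from the presentation or from LogPoint). The events, the `svc-` naming convention for service accounts, the 08:00-17:59 business-hours window and the session lengths are all constructed assumptions for the example.

```python
from datetime import datetime
from statistics import median

# Constructed events (not from the presentation). Service accounts are assumed to
# follow the "svc-" naming convention; business hours are assumed to be 08:00-17:59.
EVENTS = [
    {"ts": "2024-03-04T02:13:00", "host": "srv-db01", "type": "driver_install", "user": "svc-backup"},
    {"ts": "2024-03-04T14:00:00", "host": "srv-db01", "type": "driver_install", "user": "admin.jane"},
    {"ts": "2024-03-04T10:05:00", "host": "ws-1234", "type": "logon", "user": "svc-backup", "logon_type": "interactive"},
    {"ts": "2024-03-04T03:30:00", "host": "srv-db01", "type": "logon", "user": "svc-backup", "logon_type": "service"},
]
BUSINESS_HOURS = range(8, 18)

# Constructed session lengths in minutes per user, oldest to newest.
SESSIONS = {"alice": [30, 45, 40, 35, 600], "bob": [50, 55, 48, 52, 60]}

def is_service_account(user):
    return user.startswith("svc-")

def chronological_findings(events):
    """Rules keyed on *when* something happened rather than on what it is."""
    findings = []
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).hour
        if e["type"] == "driver_install" and hour not in BUSINESS_HOURS:
            findings.append(("driver install outside business hours", e["host"], e["user"]))
        if (e["type"] == "logon" and is_service_account(e["user"])
                and e.get("logon_type") == "interactive" and hour in BUSINESS_HOURS):
            findings.append(("service account interactive logon during the day", e["host"], e["user"]))
    return findings

def session_length_outliers(sessions, k=10):
    """Statistical rule: a session deviates if it is more than k median absolute
    deviations (MAD) from the user's median. MAD is used instead of mean/stddev
    because one huge session would otherwise inflate the threshold and hide itself."""
    out = []
    for user, lengths in sessions.items():
        med = median(lengths)
        mad = median(abs(x - med) for x in lengths)
        for x in lengths:
            if abs(x - med) > k * max(mad, 1):   # max(...,1) avoids a zero threshold
                out.append((user, x))
    return out

if __name__ == "__main__":
    for f in chronological_findings(EVENTS):
        print("CHRONO", f)
    for o in session_length_outliers(SESSIONS):
        print("STAT", o)
```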

Page 13: Technology development and maturity

Four stages, plotted on technical and organizational axes:

No log management
- Decentralized logging
- Silo- and competence-oriented
- No utilization of collected data
- No structured retention of data
- Opportunistic, search- and sample-based

Log management
- Centralized (network) logging
- No analysis layer, no intelligence
- Collecting log data, nothing else

Classical SIEM tools
- Centralized logging
- Analysis layer
- Static data and concepts model
- Correlation of defined events

"Next Generation" SIEM
- Deep application integration
- Dynamic ontology
- "Big Data"
- Wide enterprise integration

Ontology (Greek on = "the being", logi = "learning of") describes the study of being, the study of what exists and how it exists.

Page 14: Next Generation SIEM

Page 15

Page 16: Example of contextual analysis

Page 17: Another example

Public Danish organization to implement trust-based management:
- Logs from firewalls
- Classification of firewall traffic (context)
- Filter searches on job sites
- Correlate user names (context) from AD
- Correlate organizational association
- Correlate the manager of the given employee

Dashboard with KPI:
- Percentage share of employees looking for new jobs
- Bracketing middle managers – red/yellow/green

Page 18: Business-driven (ERP) use cases

- Detect invoices without purchase orders
- Identify vendors where alternate payee names have been changed before payment
- Multiple use of one-time vendors
- Detection of payments above the threshold value to one-time vendors
- Identify transactions where the purchase approver is the same as the goods receipt creator
- Identify transactions where the order approver is the same as the invoice creator
- Identify transactions where the order creator is the same as the payment creator
- Identify purchase orders that were created on or after the date the invoice was issued
- Invoice receipt is more than the goods receipt document
- Detect value increases for purchase orders over a certain threshold
- Check for bank account bookings not processed with one of the known transactions
- Check suspicious manual bookings at unusual times
- Detect split invoices used to avoid exceeding a certain threshold
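Five of the ERP checks listed above (invoices without a purchase order, approver equal to goods-receipt creator, approver equal to invoice creator, PO created on or after the invoice date, and split invoices) as an added Python example; it is not code from the presentation or from LogPoint, and the records, field names and the 5000 approval threshold are constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample ERP records (not real data, not from the presentation).
PURCHASE_ORDERS = {
    "PO-1": {"vendor": "V-100", "created": date(2024, 3, 1), "approver": "bob", "creator": "alice", "value": 9000},
    "PO-2": {"vendor": "V-200", "created": date(2024, 3, 10), "approver": "carol", "creator": "alice", "value": 2000},
}
GOODS_RECEIPTS = {"PO-1": {"creator": "bob"}, "PO-2": {"creator": "dave"}}
INVOICES = [
    {"id": "INV-1", "po": "PO-1", "vendor": "V-100", "issued": date(2024, 3, 5), "amount": 9000, "creator": "erin"},
    {"id": "INV-2", "po": None, "vendor": "V-300", "issued": date(2024, 3, 6), "amount": 500, "creator": "erin"},
    {"id": "INV-3", "po": "PO-2", "vendor": "V-200", "issued": date(2024, 3, 8), "amount": 2000, "creator": "carol"},
    {"id": "INV-4", "po": None, "vendor": "V-300", "issued": date(2024, 3, 6), "amount": 4800, "creator": "frank"},
    {"id": "INV-5", "po": None, "vendor": "V-300", "issued": date(2024, 3, 6), "amount": 4900, "creator": "frank"},
]

def invoices_without_po(invoices):
    """Invoices that reference no purchase order at all."""
    return [i["id"] for i in invoices if i["po"] is None]

def approver_is_receipt_creator(pos, receipts):
    """Segregation-of-duties check: the person who approved the PO also booked the goods receipt."""
    return [po for po, p in pos.items()
            if po in receipts and p["approver"] == receipts[po]["creator"]]

def approver_is_invoice_creator(pos, invoices):
    """Segregation-of-duties check: the PO approver also created the invoice."""
    return [i["id"] for i in invoices
            if i["po"] in pos and pos[i["po"]]["approver"] == i["creator"]]

def po_created_on_or_after_invoice(pos, invoices):
    """A PO dated on or after its invoice suggests the PO was raised after the fact."""
    return [i["id"] for i in invoices
            if i["po"] in pos and pos[i["po"]]["created"] >= i["issued"]]

def split_invoices(invoices, threshold=5000):
    """Several invoices from one vendor on one day that each stay under the approval
    threshold but together exceed it."""
    groups = defaultdict(list)
    for i in invoices:
        if i["amount"] < threshold:
            groups[(i["vendor"], i["issued"])].append(i)
    return [sorted(x["id"] for x in g) for g in groups.values()
            if len(g) > 1 and sum(x["amount"] for x in g) >= threshold]

if __name__ == "__main__":
    print("no PO:", invoices_without_po(INVOICES))
    print("approver booked receipt:", approver_is_receipt_creator(PURCHASE_ORDERS, GOODS_RECEIPTS))
    print("approver created invoice:", approver_is_invoice_creator(PURCHASE_ORDERS, INVOICES))
    print("PO after invoice:", po_created_on_or_after_invoice(PURCHASE_ORDERS, INVOICES))
    print("split invoices:", split_invoices(INVOICES))
```

Each check is a plain join over the three record types; in a SIEM the same logic is expressed as correlation rules over the exported ERP tables, which is why the slide frames these as log use cases rather than as ERP-internal reports.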

Page 19: Identifying Botnets

- Inbound accepted connections
- Outbound DNS requests (35,000+): searching for command & control servers

Page 20: Botnet identification

- Accept inbound to 172.28.160.122: threat category=ZeroAccess.Gen Command and Control Traffic, threat severity=critical
- Identify activity through DNS requests
- Find MAC address and correlate physical location: mac-addr: 00:1e:0b:31:18:b7
- Correlate MAC with AV information (Trend Micro) to get name and actions: M4986GE

Data sources in the chain:
- IP reputation – router
- Next-Gen firewall
- Next-Gen DNS/DHCP
- Correlate switch info
- Correlate AV info
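The correlation chain from slides 19 and 20 (firewall threat alert, then DNS activity, then DHCP lease to MAC, then switch port and AV inventory) as an added Python example; it is not code from the presentation or from LogPoint. The IP address, MAC address and host name are the ones shown on the slide; the log line format, the DNS names, the switch table and the AV records are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample records (not from the presentation). The IP, MAC and host name
# are the ones on the slide; every other value is made up for this example.
FIREWALL_LOG = [
    'action=accept direction=inbound dst=172.28.160.122 threat_category="ZeroAccess.Gen Command and Control Traffic" threat_severity=critical',
    'action=accept direction=inbound dst=172.28.160.50 threat_category="none" threat_severity=low',
]
DNS_LOG = [  # (client ip, queried name)
    ("172.28.160.122", "x3k9.example-bad.invalid"),
    ("172.28.160.122", "q7m2.example-bad.invalid"),
    ("172.28.160.122", "intranet.corp.invalid"),
    ("172.28.160.50", "intranet.corp.invalid"),
]
DHCP_LEASES = {"172.28.160.122": "00:1e:0b:31:18:b7", "172.28.160.50": "00:1e:0b:aa:bb:cc"}
SWITCH_TABLE = {"00:1e:0b:31:18:b7": {"switch": "sw-floor2", "port": "Gi1/0/17", "location": "Building A, floor 2"}}
AV_INVENTORY = {"00:1e:0b:31:18:b7": {"host": "M4986GE", "last_action": "quarantined 2 files"}}

FW_RE = re.compile(r'dst=(?P<ip>\S+) threat_category="(?P<cat>[^"]*)" threat_severity=(?P<sev>\w+)')

def critical_alerts(lines):
    """Step 1: pull (destination ip, threat category) from firewall lines rated critical."""
    out = []
    for line in lines:
        m = FW_RE.search(line)
        if m and m.group("sev") == "critical":
            out.append((m.group("ip"), m.group("cat")))
    return out

def dns_profile(ip, dns_log, internal_suffix=".corp.invalid"):
    """Step 2: what did this client resolve? Internal names are separated out so the
    analyst sees only the lookups that could be C2 candidates."""
    names = Counter(q for client, q in dns_log if client == ip)
    external = {n: k for n, k in names.items() if not n.endswith(internal_suffix)}
    return {"total": sum(names.values()), "external": external}

def correlate(ip):
    """Steps 3 and 4: IP -> MAC (DHCP) -> physical port (switch) and host name/actions (AV)."""
    mac = DHCP_LEASES.get(ip)
    chain = {"ip": ip, "mac": mac, "dns": dns_profile(ip, DNS_LOG)}
    if mac:
        chain["location"] = SWITCH_TABLE.get(mac)
        chain["endpoint"] = AV_INVENTORY.get(mac)
    return chain

def investigate(firewall_lines):
    """Run the whole chain for every critical firewall alert."""
    return [dict(correlate(ip), threat=cat) for ip, cat in critical_alerts(firewall_lines)]

if __name__ == "__main__":
    for chain in investigate(FIREWALL_LOG):
        print(chain)
```

Each lookup table stands in for one of the sources listed on the slide (firewall, DNS/DHCP, switch, AV); the point of the chain is that the firewall alert alone names only an IP, and the host name and physical location needed to act on it come from joining the other sources.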

Page 21: Security Operations Center View

Page 22: Security Operations Center View

Page 23: Health care data – structured, readable, easily accessible

Page 24