Transcript
Page 1: How to Leverage Log Data for Effective Threat Detection

Tom D’Aquino – Sr. Security Engineer

HOW TO LEVERAGE LOG DATA FOR EFFECTIVE THREAT DETECTION

Page 2

AGENDA

The Challenge
• Getting adequate security visibility for your small or medium business

The Widely Pursued Solution
• The traditional approach to Log Management/SIEM
• The cost/benefit analysis

An Alternative Approach
• Who, What and Why is the key

The Wrap Up
• Unified Security Management
• AlienVault’s Threat Intelligence Labs

Questions & Answers as time permits

Page 3

HUMANS MEET TECHNOLOGY

Page 4

HUMANS MEET TECHNOLOGY

Something is down?

YouTube is up though.

Page 5

THE WIDELY PURSUED SOLUTION

The traditional approach to Log Management/SIEM:
• Collect everything
• Analyze everything
• Correlate everything
• Store everything

Page 6

BUT AT WHAT HARDWARE COST?

How much storage, CPU and RAM will you need to collect, correlate and store all of this data?

• High-performance storage is not cheap

How effective is the automated analysis, i.e. correlation, really going to be?

• Correlation is CPU and memory intensive
• This is a case of garbage in, garbage out

Page 7

AND AT WHAT HUMAN RESOURCE COST?

How effective is your team really going to be?

• Can one person realistically review 10,000 alerts in a day?

Page 8

IS THERE A BETTER WAY?

Why do you need the logs?
• Do you have an intended result in mind?

What if we took a more strategic approach by identifying the problem more effectively?

Page 9

IS THERE A BETTER WAY?

What logs will you need to get that result?
• i.e., will authentication logs suffice?

Page 10

IS THERE A BETTER WAY?

Who will the logs you collect pertain to?
• Is there a specific user group/community you should be focused on?

Page 11

LET’S LOOK AT SOME EXAMPLES

Why do you need Firewall logs?
• I need to see what is getting in to my network

What logs will you need to get that result?
• Firewall permit logs

Who will the logs you collect pertain to?
• I’m most significantly concerned with blacklisted IPs/domains

Page 12

EXAMPLE ILLUSTRATED

You are probably only seeing these:

When you should be looking for this:

Page 13

EXAMPLES CONTINUED

Why do you need OS logs?
• I need to detect unauthorized access attempts and account lockouts

What logs will you need to get that result?
• OS authentication failure and account lockout logs

Who will the logs you collect pertain to?
• I’m most significantly concerned with admin level accounts

Page 14

EXAMPLE ILLUSTRATED

Multiple events to indicate a single login:

Page 15

ONE MORE EXAMPLE

Why do you need Switch/Router logs?
• I need to see when someone logs in to my network gear and makes config changes

What logs will you need to get that result?
• Authentication and authorization logs from my TACACS server would do the job

Who will the logs you collect pertain to?
• Anyone connecting to my network gear

Page 16

EXAMPLE ILLUSTRATED

You may have to process thousands of these:

Just to get one or two of these:
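A small filter, added here as an illustration and not code from the presentation or from AlienVault, that applies the Why/What/Who selection to the three examples above: it keeps only firewall permits from a blocklisted source, authentication failures and lockouts on admin-level accounts, and TACACS-authorized configuration commands on network gear. The log lines, their key=value format, the blocklist and the admin account names are all constructed for the example.

```python
import re

# Constructed sample log lines in a simplified key=value form (not real logs):
# firewall permits/denies, OS authentication failures and lockouts, and
# TACACS command-authorization records.
SAMPLE_LOGS = [
    "fw01 PERMIT src=203.0.113.7 dst=10.0.0.5 dport=443",
    "fw01 PERMIT src=198.51.100.9 dst=10.0.0.5 dport=22",
    "fw01 DENY src=203.0.113.7 dst=10.0.0.9 dport=3389",
    "srv01 AUTH_FAIL user=administrator src=10.0.0.40",
    "srv01 AUTH_FAIL user=jdoe src=10.0.0.41",
    "srv01 LOCKOUT user=administrator src=10.0.0.40",
    "tacacs01 AUTHZ user=netops cmd='show version' device=sw-core-1",
    "tacacs01 AUTHZ user=netops cmd='configure terminal' device=sw-core-1",
]

# The WHO of each example; the blocklist stands in for a threat-intel feed (assumption).
BLOCKLISTED_IPS = {"198.51.100.9"}
ADMIN_ACCOUNTS = {"administrator", "root"}
CONFIG_COMMANDS = {"configure", "write", "copy"}

KV = re.compile(r"(\w+)=('[^']*'|\S+)")

def parse(line):
    """Split "host EVENT k=v k='quoted v' ..." into a dict of fields."""
    host, event, rest = line.split(" ", 2)
    fields = {k: v.strip("'") for k, v in KV.findall(rest)}
    return {"host": host, "event": event, **fields}

def select_events(lines):
    """Apply the Why/What/Who filter; return (label, subject) pairs worth an analyst's time."""
    hits = []
    for rec in map(parse, lines):
        event, user = rec["event"], rec.get("user", "")
        # Firewall: WHAT = permit logs, WHO = blocklisted source addresses.
        if event == "PERMIT" and rec.get("src") in BLOCKLISTED_IPS:
            hits.append(("permit_from_blocklist", rec["src"]))
        # OS: WHAT = auth failures and lockouts, WHO = admin-level accounts.
        elif event in ("AUTH_FAIL", "LOCKOUT") and user in ADMIN_ACCOUNTS:
            hits.append((event.lower() + "_admin", user))
        # Network gear: WHAT = TACACS authorization, WHO = anyone issuing config commands.
        elif event == "AUTHZ" and rec.get("cmd", "").split(" ", 1)[0] in CONFIG_COMMANDS:
            hits.append(("config_change", f"{user}@{rec.get('device', '?')}"))
    return hits

if __name__ == "__main__":
    for label, subject in select_events(SAMPLE_LOGS):
        print(f"{label}: {subject}")
```

Of the eight constructed lines, four survive the filter; the deny, the non-admin failure and the read-only TACACS command are discarded before anyone has to look at them.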

Page 17

UNIFIED SECURITY MANAGEMENT

“VISIBILITY THROUGH INTEGRATION THAT WE DO, NOT YOU”

Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory

Vulnerability Assessment
• Network Vulnerability Testing

Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring

Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring

Security Intelligence
• SIEM Correlation
• Incident Response

Page 18

AlienVault Labs Threat Intelligence: Coordinated Analysis, Actionable Guidance

• Updates every 30 minutes
• 200-350,000 IPs validated daily
• 8,000 collection points
• 140 countries

Page 19

ALIENVAULT LABS THREAT INTELLIGENCE: COORDINATED ANALYSIS, ACTIONABLE GUIDANCE

Weekly updates that cover all your coordinated rule sets:
• Network-based IDS signatures
• Host-based IDS signatures
• Asset discovery and inventory database updates
• Vulnerability database updates
• Event correlation rules
• Report modules and templates
• Incident response templates / “how to” guidance for each alarm
• Plug-ins to accommodate new data sources

Fueled by the collective power of AlienVault’s Open Threat Exchange (OTX)

Page 20

NOW FOR SOME Q&A…

Three Ways to Test Drive AlienVault

Download a Free 30-Day Trial

http://www.alienvault.com/free-trial

Try our Interactive Demo Site

http://www.alienvault.com/live-demo-site

Join us for a LIVE Demo!

http://www.alienvault.com/marketing/alienvault-usm-live-demo

Questions? [email protected]