SIEM: Rotem Mesika, System security engineering 372.2.5204


What we will talk about today
- What is SIEM?
- Why do organizations use it?
- "Crown Jewels"
- What are we protecting from? And how?
- The SIEM process
- Implementation: SIEM "ArcSight"
- Combining SIEMs

What is SIEM?
- SIEM = Security Information and Event Management
- SIEM collects log files and security information from internal and external sources
- Event correlation is used to detect and alert on unwanted activities within the network, as defined by the organization
- An organization can use the information within the SIEM to detect and effectively respond to security incidents
- The main focus areas which define the fundamentals of SIEM are: log management, correlation, alerting, responding
Sources: [1], [2], [3]

Why do organizations use it?
- Threat management: the ability to detect risky scenarios and common attacks, as well as attack paths defined by the organization itself. Relations are established between events from different sources on the network
- Compliance: joining the logs and reports of multiple systems within the organization, enabling easy access and analysis through a built-in framework, instead of in each system separately
- Forensic support: the information available within the SIEM is very valuable from a forensic perspective and can greatly aid a forensic analyst in his or her investigation. SIEM allows forensic analysts to search within the logs of many systems in a centralized way, without the need to re-collect the log files of compromised systems
Sources: [1], [2], [3]

Defining the "Crown Jewels"
- When an organization grows, its IT environment grows as well. Services are added and removed
- It is impossible for an organization to collect the log files of all systems and at the same time perform real-time analysis and correlation
- An organization needs to know what its "crown jewels" are. What is the most important asset or information owned by the organization?
- "Crown jewels" can be identified by performing a risk analysis at the organizational level, in other words: the organization's strategy
Source: [1]

What are we protecting from? And how?
- Risk scenarios describe undesirable actions against the "crown jewels" and include common attacks (e.g. DDoS on online services) and attack paths (e.g. reconnaissance using a port scan)
- An organization knows which logs to collect and from which devices, based on the information required by "use cases" and the rules they consist of
- Every rule can require different log sources and events
- For SIEM to work correctly, all logs required by use cases and rules should be gathered, normalized and made available to the SIEM tooling
Source: [1]

Example of a "use case"
Source: [1]

The SIEM process

Log management
- Log management is an integral part of SIEM because log entries are the greatest source of information
- Though highly crucial, solely collecting and aggregating logs at a central location is not enough
Source: [1]

Correlation
- Correlation of log entries is performed based on use cases. Every use case consists of one or more rules that detect an unwanted event, which is defined by risk scenarios
- To trigger a use case, one typically needs to correlate multiple log entries from one or more sources
Source: [1]

Alerting
- Alerting on abnormal actions is the core purpose of the SIEM, focused on threat management
Source: [1]

Responding and evaluating
- Most alerts require manual analysis by a SOC analyst
- Experience gained from handling incidents or false positives can serve as input for a new use case or for fine-tuning existing ones
Source: [1]
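The four process steps above (log management, correlation, alerting, responding and evaluating) and the earlier point that a use case is built from rules which each need their own log sources are easiest to see in one small pipeline. The following Python is an added example written for this transcript; it is not code from the presentation or from any SIEM product. Its log lines are constructed, the year used to complete the syslog timestamps, the rule thresholds and the suppression list are all assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from two sources (not a real capture). The firewall log has a full
# timestamp; the syslog-style auth log has no year, so one is assumed in normalize_auth().
FIREWALL_LOGS = [
    "2024-03-01T10:00:01Z fw01 DROP src=203.0.113.7 dst=198.51.100.10 dpt=21",
    "2024-03-01T10:00:02Z fw01 DROP src=203.0.113.7 dst=198.51.100.10 dpt=23",
    "2024-03-01T10:00:03Z fw01 DROP src=203.0.113.7 dst=198.51.100.10 dpt=25",
    "2024-03-01T10:00:04Z fw01 DROP src=203.0.113.7 dst=198.51.100.10 dpt=80",
    "2024-03-01T10:00:06Z fw01 ACCEPT src=203.0.113.7 dst=198.51.100.10 dpt=22",
    "2024-03-01T10:00:07Z fw01 STATS sessions=12",  # unknown format: skipped, not a crash
    "2024-03-01T10:02:00Z fw01 DROP src=192.0.2.50 dst=198.51.100.10 dpt=21",
    "2024-03-01T10:02:01Z fw01 DROP src=192.0.2.50 dst=198.51.100.10 dpt=23",
    "2024-03-01T10:02:02Z fw01 DROP src=192.0.2.50 dst=198.51.100.10 dpt=25",
    "2024-03-01T10:02:03Z fw01 DROP src=192.0.2.50 dst=198.51.100.10 dpt=80",
    "2024-03-01T10:05:00Z fw01 DROP src=198.51.100.77 dst=198.51.100.10 dpt=3389",
]
AUTH_LOGS = [
    "Mar  1 10:00:30 web01 sshd[812]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Mar  1 10:00:40 web01 sshd[813]: Failed password for admin from 203.0.113.7 port 51123 ssh2",
    "Mar  1 10:00:50 web01 sshd[814]: Failed password for deploy from 203.0.113.7 port 51124 ssh2",
    "Mar  1 10:01:05 web01 sshd[815]: Accepted password for deploy from 203.0.113.7 port 51130 ssh2",
    "Mar  1 10:02:10 web01 sshd[820]: Failed password for root from 192.0.2.50 port 40001 ssh2",
    "Mar  1 10:02:11 web01 sshd[821]: Failed password for root from 192.0.2.50 port 40002 ssh2",
    "Mar  1 10:02:12 web01 sshd[822]: Failed password for root from 192.0.2.50 port 40003 ssh2",
    "Mar  1 10:05:30 web01 sshd[830]: Failed password for bob from 198.51.100.77 port 50100 ssh2",
]
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DROP|ACCEPT) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$")
AUTH_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) "
                     r"from (?P<src>\S+) port \d+")

def normalize_firewall(line):
    """Map one firewall line onto the common event schema; None if the line is not understood."""
    m = FW_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "source": m["host"],
            "type": "fw." + m["action"].lower(), "src_ip": m["src"], "dst_port": int(m["dpt"])}

def normalize_auth(line, year=2024):
    """Map one sshd syslog line onto the same schema (year assumed, since syslog omits it)."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "source": m["host"], "src_ip": m["src"], "dst_port": 22, "user": m["user"],
            "type": "auth.fail" if m["result"] == "Failed" else "auth.success"}

def collect(firewall_lines, auth_lines):
    """Log management: gather both sources into one time-ordered, normalized event list."""
    events = [normalize_firewall(l) for l in firewall_lines] + [normalize_auth(l) for l in auth_lines]
    return sorted((e for e in events if e), key=lambda e: e["ts"])

def by_source(events, kind):
    grouped = defaultdict(list)  # src_ip -> events of the given type, in time order
    for e in events:
        if e["type"] == kind:
            grouped[e["src_ip"]].append(e)
    return grouped

def rule_port_scan(events, min_ports=4, window=timedelta(seconds=60)):
    """Rule 1 (firewall): >= min_ports distinct dropped ports from one source inside the window.
    Returns {src_ip: time the scan started}."""
    hits = {}
    for src, drops in by_source(events, "fw.drop").items():
        for i, first in enumerate(drops):
            ports = {d["dst_port"] for d in drops[i:] if d["ts"] - first["ts"] <= window}
            if len(ports) >= min_ports:
                hits[src] = first["ts"]
                break
    return hits

def rule_auth_failures(events, min_failures=3, window=timedelta(minutes=5)):
    """Rule 2 (auth log): >= min_failures failed logins from one source inside the window.
    Returns {src_ip: time the threshold was crossed}."""
    hits = {}
    for src, fails in by_source(events, "auth.fail").items():
        for i in range(len(fails) - min_failures + 1):
            if fails[i + min_failures - 1]["ts"] - fails[i]["ts"] <= window:
                hits[src] = fails[i + min_failures - 1]["ts"]
                break
    return hits

# Tuning input from the responding/evaluating step: sources the analysts classified as
# false positives (a constructed address standing in for an authorised vulnerability scanner).
SUPPRESSED_SOURCES = {"192.0.2.50"}

def use_case_recon_then_bruteforce(events, suppressed=SUPPRESSED_SOURCES):
    """Use case: port scan followed by SSH brute force from the same source. It needs both rules,
    hence both log sources; a successful login after the failures raises the severity."""
    scans, failures = rule_port_scan(events), rule_auth_failures(events)
    alerts = []
    for src in sorted(scans.keys() & failures.keys()):
        if src in suppressed or not scans[src] < failures[src]:
            continue
        logged_in = any(e["type"] == "auth.success" and e["src_ip"] == src and e["ts"] >= failures[src]
                        for e in events)
        alerts.append({"use_case": "recon_then_bruteforce", "src_ip": src,
                       "severity": "critical" if logged_in else "high",
                       "first_seen": scans[src], "last_seen": failures[src]})
    return alerts
```

Running `use_case_recon_then_bruteforce(collect(FIREWALL_LOGS, AUTH_LOGS))` yields one critical alert for 203.0.113.7; the scanner at 192.0.2.50 trips both rules but is held back by the suppression list, and 198.51.100.77 trips neither. The point the slides make is visible in the code: neither rule alone is the use case, and a line the normalizer does not understand is dropped rather than silently corrupting the event stream.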

HP SIEM implementation: "ArcSight"
- The model is called "the hierarchical managers model"
- We divide our model into 3 layers:
  - The first: devices that generate log files, e.g. a firewall
  - The second: a centralized system of dedicated servers that collects and stores all the log files in dedicated storage
  - The third: the monitoring layer, which monitors and reviews the logs and manages the servers of the second layer
Source: [2]

Choose the devices and their logs
- Domain controllers
- Databases
- Email servers
- IDS and IPS
- Firewall
- Network devices
- Antivirus system
Source: [2]

Define "use case"
Source: [2]

Define "use case" (cont.)
Source: [2]

Combining SIEMs

SIEM of SIEMs
- A central SIEM server acts as a parent and communicates with intermediary SIEM servers (called Child Managers), instead of communicating with the log sources directly
- The parent and the child managers each take on different responsibilities
- Alerting, filtering, normalization, reporting and anything else having to do with policy enforcement are the responsibility of the Child Manager
- Correlated events are forwarded from each Child Manager to the Global Manager for global correlation
Source: [2]
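The division of labour on this slide, and the three-layer hierarchical managers model before it, can be shown with a child manager per site that normalizes, filters and correlates its own device logs and a global manager that only ever sees what the children forward. This is an added example written for this transcript, not ArcSight code or code from the cited paper; the site names, device names, event feed and thresholds are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

class ChildManager:
    """Intermediary SIEM for one site: normalization, filtering and local correlation."""

    def __init__(self, site, scan_threshold=5, window=timedelta(minutes=1), ignore_sources=()):
        self.site = site
        self.scan_threshold = scan_threshold
        self.window = window
        self.ignore_sources = set(ignore_sources)  # local policy, e.g. an authorised scanner
        self.raw_count = 0                          # raw events stay here, never go upstream
        self.history = defaultdict(list)            # src_ip -> [(ts, dst_port), ...]
        self.outbox = []                            # correlated events awaiting forwarding
        self.reported = set()

    def ingest(self, device, ts, src_ip, dst_port, action):
        """Normalize one firewall record and run the local port-scan rule on it."""
        self.raw_count += 1
        if action != "DROP" or src_ip in self.ignore_sources:
            return None  # filtered at the child; the parent never sees it
        self.history[src_ip].append((ts, dst_port))
        recent = {p for t, p in self.history[src_ip] if ts - t <= self.window}
        if len(recent) >= self.scan_threshold and src_ip not in self.reported:
            self.reported.add(src_ip)
            event = {"site": self.site, "device": device, "rule": "port_scan",
                     "src_ip": src_ip, "ts": ts, "ports": sorted(recent)}
            self.outbox.append(event)
            return event
        return None

    def flush(self):
        """Hand the correlated events to the parent and clear the outbox."""
        events, self.outbox = self.outbox, []
        return events

class GlobalManager:
    """Parent SIEM: receives only correlated events and looks for cross-site patterns."""

    def __init__(self, window=timedelta(hours=1), min_sites=2):
        self.window = window
        self.min_sites = min_sites
        self.received = 0
        self.seen = defaultdict(dict)  # src_ip -> {site: ts of that site's correlated event}
        self.alerts = []

    def receive(self, correlated_events):
        """Global correlation: one source correlated at >= min_sites sites within the window."""
        new_alerts = []
        for ev in correlated_events:
            self.received += 1
            sites = self.seen[ev["src_ip"]]
            sites[ev["site"]] = ev["ts"]
            active = sorted(s for s, t in sites.items() if abs(ev["ts"] - t) <= self.window)
            already = any(a["src_ip"] == ev["src_ip"] for a in self.alerts)
            if len(active) >= self.min_sites and not already:
                alert = {"rule": "multi_site_scan", "src_ip": ev["src_ip"], "sites": active, "ts": ev["ts"]}
                self.alerts.append(alert)
                new_alerts.append(alert)
        return new_alerts

def build_feed():
    """Constructed device logs for two sites: (site, device, ts, src_ip, dst_port, action)."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    feed = []
    def scan(site, device, src, start, ports):
        for i, port in enumerate(ports):
            feed.append((site, device, start + timedelta(seconds=i), src, port, "DROP"))
    scan("amsterdam", "fw-ams-1", "203.0.113.9", base, [21, 22, 23, 25, 80])
    scan("amsterdam", "fw-ams-1", "192.0.2.50", base + timedelta(minutes=2), [21, 22, 23, 25, 80])
    scan("amsterdam", "fw-ams-1", "198.51.100.200", base + timedelta(minutes=3), [135, 139, 445, 3389, 5985])
    scan("tokyo", "fw-tyo-1", "203.0.113.9", base + timedelta(minutes=10), [21, 22, 23, 25, 80])
    return feed

def run_demo():
    """Wire two child managers to one global manager and replay the constructed feed."""
    children = {"amsterdam": ChildManager("amsterdam", ignore_sources={"192.0.2.50"}),
                "tokyo": ChildManager("tokyo")}
    parent = GlobalManager()
    for site, device, ts, src_ip, dst_port, action in build_feed():
        children[site].ingest(device, ts, src_ip, dst_port, action)
    for child in children.values():
        parent.receive(child.flush())
    return children, parent
```

`run_demo()` replays 20 raw events, of which only 3 correlated events reach the parent, and the parent raises a single alert: the source that scanned both Amsterdam and Tokyo, a pattern neither child could see on its own. The scanner ignored by Amsterdam's local policy never leaves that site, which is the "policy enforcement belongs to the Child Manager" point of the slide.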

Sharing alarms: a collaborative approach
- SIEMs in domains with similar services and traffic could be vulnerable to similar attacks; sharing alarms among these SIEMs would benefit all
- Snort's detection engine scans the network for attack patterns, registers possible threats, and issues alerts
- SIEMs exchange directive files to correlate events reported by federation partners
- Each SIEM can define its own directives as well as adopt other SIEMs' definitions; e.g. rules can match packets based on source or target addresses, source or target ports, particular protocols or flags, or packet content
Source: [3]
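The directive exchange on this slide, and the kinds of packet fields a directive can match on, are shown below with two partner SIEMs that each carry their own directive file, adopt each other's definitions with the origin recorded, and match the merged set against packet records. This is an added example for this transcript; the JSON directive schema, the directive ids, the partner names and the packets are the example's own constructions and not the format used by Snort, OSSIM or the cited paper.

```python
import ipaddress
import json

# Constructed directive files. The field names (id, proto, src_port, dst_port, flags,
# src_net, dst_net, content, severity) are this example's own schema.
DIRECTIVES_SIEM_A = json.dumps({"origin": "siem-a.example", "directives": [
    {"id": "A-1001", "name": "SYN to SMB port", "proto": "tcp", "dst_port": 445,
     "flags": "S", "severity": "medium"},
]})
DIRECTIVES_SIEM_B = json.dumps({"origin": "siem-b.example", "directives": [
    {"id": "B-2001", "name": "Path traversal in HTTP request", "proto": "tcp",
     "dst_port": 80, "content": "../../", "severity": "high"},
    {"id": "B-2002", "name": "Source network reported by partner",
     "src_net": "203.0.113.0/24", "severity": "low"},
]})

# Constructed packet records as a sensor such as Snort might hand them to the SIEM.
SAMPLE_PACKETS = [
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "proto": "tcp", "src_port": 40111,
     "dst_port": 445, "flags": "S", "payload": ""},
    {"src_ip": "203.0.113.20", "dst_ip": "10.0.0.8", "proto": "tcp", "src_port": 51000,
     "dst_port": 80, "flags": "PA", "payload": "GET /../../etc/passwd HTTP/1.1"},
    {"src_ip": "10.0.0.9", "dst_ip": "10.0.0.8", "proto": "tcp", "src_port": 51001,
     "dst_port": 80, "flags": "PA", "payload": "GET /index.html HTTP/1.1"},
]

def directive_matches(directive, pkt):
    """A directive matches when every field it specifies agrees with the packet."""
    for field in ("proto", "src_port", "dst_port", "flags"):
        if field in directive and directive[field] != pkt.get(field):
            return False
    for net_field, ip_field in (("src_net", "src_ip"), ("dst_net", "dst_ip")):
        if net_field in directive and \
                ipaddress.ip_address(pkt[ip_field]) not in ipaddress.ip_network(directive[net_field]):
            return False
    if "content" in directive and directive["content"] not in pkt.get("payload", ""):
        return False
    return True

class FederatedSIEM:
    """One SIEM in the federation: its own directives plus those adopted from partners."""

    def __init__(self, name, directive_file):
        self.name = name
        self.directives = {}  # id -> directive, each tagged with the SIEM that defined it
        doc = json.loads(directive_file)
        for d in doc["directives"]:
            self.directives[d["id"]] = dict(d, origin=doc["origin"])

    def export(self):
        """Directive file to send to partners: only definitions this SIEM authored."""
        local = [{k: v for k, v in d.items() if k != "origin"}
                 for d in self.directives.values() if d["origin"] == self.name]
        return json.dumps({"origin": self.name, "directives": local})

    def adopt(self, partner_file):
        """Merge a partner's directive file; returns the ids newly adopted (duplicates skipped)."""
        doc = json.loads(partner_file)
        adopted = []
        for d in doc["directives"]:
            if d["id"] in self.directives:
                continue
            self.directives[d["id"]] = dict(d, origin=doc["origin"])
            adopted.append(d["id"])
        return adopted

    def scan(self, packets):
        """Run every directive over every packet; each hit records which SIEM defined the rule."""
        hits = []
        for i, pkt in enumerate(packets):
            for d in self.directives.values():
                if directive_matches(d, pkt):
                    hits.append({"directive": d["id"], "origin": d["origin"],
                                 "packet": i, "severity": d["severity"]})
        return hits
```

Before adoption, `siem-a` sees only its own SYN-to-445 hit; after `a.adopt(b.export())` the traversal request and the partner-reported source network are detected as well, and each hit names the partner whose directive fired, which is what lets an analyst decide how much weight to give a rule written for another domain's threat model. A second `adopt` of the same file adds nothing, so directive files can be re-exchanged on a schedule without duplicating rules.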

References
[1] van de Moosdijk, Jarno, and Daan Wagenaar. "Addressing SIEM." (2015).
[2] Anastasov, Igor, and Danco Davcev. "SIEM implementation for global and distributed environments." Computer Applications and Information Systems (WCCAIS), 2014 World Congress on. IEEE, 2014.
[3] Aguirre, Idoia, and Sergio Alonso. "Improving the automation of security information management: A collaborative approach." Security & Privacy, IEEE 10.1 (2012): 55-59.

Questions?

Difference between IDS and SIEM
- IDS = Intrusion Detection System: "monitors network or system activities for malicious activities or policy violations and produces electronic reports to a management station" (Wikipedia)
- An IDS is a "sensor" for the SIEM and helps protect the organization's network by monitoring suspicious data packets and requests
- SIEM uses the IDS as a sensor, and also sensors from the DC and the hosts (like antivirus), not only from the network