SECURITY INFORMATION AND EVENT MANAGEMENT

Presentation transcript:

SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
Montgomery, Salvas, Shepardson

Overview
Combines both security information management (SIM) and security event management (SEM).
Provides real-time analysis of security alerts.
Data aggregated for a single point of view.
Trends & patterns: most organizations today deploy a Security Information and Event Management (SIEM) solution as a proactive measure for threat management, to get a centralized view of their organization's security posture, and for advanced reporting of security incidents.
Video: What is a SIEM?

SIM vs. SEM
SIM: automates collection of event log data from security devices; detailed searching and reporting; long-term storage and analysis of log data.
SEM: real-time monitoring and alerts; correlation of events; focus on specific events.
Since SIM tends to be better at log collection, it can be used to drive or feed SEM solutions.

Benefits of SIEM
Prevent/detect potential security breaches.
Reduce the impact of security events.
Evaluate policy/IT compliance.
Improve incident handling efficiency.

How SIEMs Work: Monitoring, Standards, Issues, Action

Monitoring
Sources: end-user devices, network devices, security applications.
Ideally, a properly secured network should have multiple sources generating event logs. These should include system logs from end-user devices, server and network device logs, and logs from various security applications (anti-virus, firewalls, intrusion detection software, etc.). A SIEM takes all these events and makes them accessible from one location.

Standards
Normal activity, established exceptions, blacklisted actions.
A SIEM then takes all the log data and compares it to a set of pre-established standards. These are things like typical activity that shouldn't raise any alarms, actions by pre-specified users that would otherwise cause concern, and actions that always warrant closer examination. For a SIEM to be most effective, time needs to be taken to analyze network activity and determine what network patterns make sense for the organization and what activity is unwanted.

Issues and Actions
Rating, method of notification, recommendations.
If the SIEM receives an event notification that falls outside the expected or acceptable standards, it rates the event on a scale according to its severity. As with the pre-determined acceptable activity, the severity of an action also needs to be set up ahead of time for a SIEM to work effectively. Once an event is rated, the SIEM determines who needs to be notified and how: by adding the event to a log, highlighting it in a report, or sending an immediate alert. It will also provide recommendations on how the event may be resolved.
Video: https://www.youtube.com/watch?v=fXBnjhpDXPE

More layers!
ITIL (Information Technology Infrastructure Library) contains a comprehensive set of best practices that are used to develop and execute IT service management.
Business continuity planning is the process of creating systems of prevention and recovery to deal with potential threats to a company.

Examples
A good SIEM gives you the ability to proactively analyze problems and take immediate action without having to manually gather, organize and sift through gigabytes of log data.
Quickly gain insight into threat and malware activity.
Generally a behavioural approach: individual events are considered insufficient to draw conclusions on their own.

splunk>
Index > Search and investigate > Add knowledge > Monitor and alert > Report and analyze
Splunk uses a query language called SPL (Search Processing Language), which is pretty much like a combination of SQL queries and Python or any other high-level programming language.

Example Use Case: Detection of Possible Brute Force Attacks

sourcetype="WinEventLog:Security" (EventCode=4625 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | stats count by Account_Name | where count > 2

Go into your local security policy and start auditing logon events. This creates the necessary logs that can be fed into Splunk.
EventCode 4625 is used in newer versions of the Windows family such as Windows 7. In older versions, the event codes for invalid login attempts are 675 and 529.
Failure Code 0x19 is error code 25, "Additional pre-authentication required".
Since these activities get logged in the Windows Security log, which in turn feeds Splunk in real time, an alert is created in Splunk, giving analysts an incident to investigate and take responsive actions, such as changing the firewall policy to blacklist that IP.
Failure codes: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/
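An added example, not part of the original slides, that turns the Standards / Issues and Actions steps above and this Splunk use case into code: a small Python detector applies the slide's SPL filter to constructed Security-log lines, counts failures per account, rates each hit on a severity scale and picks the notification method. The key=value log format, the sample accounts and the severity thresholds are this example's own assumptions, not Splunk's or Windows' output.

```python
# Added example, not from the original slides: the slide's Splunk brute-force rule
# re-implemented in Python plus the standards -> rating -> notification steps from the
# How SIEMs Work slides. Log lines are constructed (not real Windows output).
import re
from collections import Counter

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def make_event(acct, code="0xC000006A", ip="10.0.0.5", eid="4625", kw="Audit Failure"):
    """One constructed Security-log line (default: a 4625 bad-password failure)."""
    return (f'EventCode={eid} Keywords="{kw}" Account_Name={acct} '
            f'Failure_Code={code} Source_Network_Address={ip}')

SAMPLE_EVENTS = (
    [make_event("alice")] * 3                      # 3 failures: exceeds "count > 2"
    + [make_event("eve", ip="203.0.113.9")] * 12   # many failures from one address
    + [make_event("carol")] * 2                    # 2 failures: not > 2, stays quiet
    + [make_event("WS01$")] * 5                    # machine account, excluded by the rule
    + [make_event("bob", code="0x19")] * 4         # pre-auth required, excluded by the rule
    + [make_event("bob", eid="4624", kw="Audit Success")]  # successful logon, not 4625
)

def parse_event(line):
    """Turn a key=value line into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def matches_rule(ev):
    """The slide's SPL filter: 4625 Audit Failure, no machine accounts ($), not 0x19."""
    machine = ev.get("User_Name", "").endswith("$") or ev.get("Account_Name", "").endswith("$")
    return (ev.get("EventCode") == "4625" and ev.get("Keywords") == "Audit Failure"
            and not machine and ev.get("Failure_Code", "").lower() != "0x19")

def count_failures(lines):
    """'stats count by Account_Name' over the events that pass the filter."""
    events = (parse_event(line) for line in lines)
    return Counter(ev["Account_Name"] for ev in events if matches_rule(ev))

# Assumed pre-set severity scale: failures >= threshold -> (severity, how to notify).
SEVERITY_SCALE = [(10, "high", "immediate alert"),
                  (3, "medium", "highlight in report"),
                  (0, "low", "add to log")]

def rate(count):
    """Rate an exception on the severity scale and pick the notification method."""
    return next((sev, how) for threshold, sev, how in SEVERITY_SCALE if count >= threshold)

def brute_force_alerts(lines, threshold=2):
    """'where count > 2': {account: (count, severity, notification)} for each hit."""
    return {acct: (n, *rate(n)) for acct, n in count_failures(lines).items() if n > threshold}
```

Calling brute_force_alerts(SAMPLE_EVENTS) flags alice (3 failures, medium, highlighted in a report) and eve (12 failures, high, immediate alert); carol stays under the threshold and the machine account and bob's 0x19 failures are filtered out before counting.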

IBM QRadar
Named best SIEM in 2015 by the SANS Institute.
IBM QRadar Security Intelligence Platform

Resources
http://resources.infosecinstitute.com/top-6-seim-use-cases/
http://searchsecurity.techtarget.com/definition/security-information-and-event-management-SIEM
https://www.tripwire.com/state-of-security/incident-detection/log-management-siem/what-is-a-siem/
https://www.splunk.com