CIPSEC Framework components: XL-SIEM

CIPSEC Framework components: XL-SIEM
CIPSEC workshop, Frankfurt, 16/10/2018
Rodrigo Díaz Rodríguez, ATOS
Antonio Álvarez Romero, ATOS
Co-funded by the Horizon 2020 Framework Programme of the European Union

Outline
- The anomaly detection process
- Security monitoring sensors
- XL-SIEM

The anomaly detection process [diagram: SENSORS, XL-SIEM]

Security monitoring sensors
A sensor is a software entity capable of processing and analysing information, ultimately producing a useful output. Depending on where the information is collected:
- Network layer sensors collect information about the network activity. They work at the IP level, with data in transit.
- Application layer sensors collect information from the applications installed on a given machine. They work with data before transmission or after reception.
Sensors do not perform highly complex processing over the information they collect; they rely on rather simple calculations that yield a first level of aggregation.

Security monitoring sensors (II)
- Sensors send their logs to an entity called Cyber Agent. This entity can be compatible with a wide range of sensors.
- The agents have modules called plugins that make it possible to "understand" the data coming from the different sensor types.
- Plugins interpret the logs related to certain types of events. There are as many plugins as sensor types in use.
- Plugins produce events, which are normalized before being sent to the XL-SIEM.

Security monitoring sensors (III)

Security monitoring sensors (IV)
Some types of sensors:
- Suricata: Network Intrusion Detection System.
- OSSEC: Host Intrusion Detection System.
- DNS Traffic Sensors: detect anomalies in the DNS traffic.
- Cowrie honeypot: attracts attackers so as to detect their presence.
- Nagios: network / systems status monitoring daemon.
- Netflow: network flow information.
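The plugin step described on slides (II) and (IV) is easy to picture with a small normalizer. The following is an added example written for this page, not code from the CIPSEC project or from the Cyber Agent: it keeps one parser per sensor type (a Suricata fast.log-style line and an OSSEC-style alert), turns each raw log into a common Event shape, and drops lines it cannot interpret instead of failing. The log lines, the Event fields and the 1-3 priority scale are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample log lines, shaped like a Suricata fast.log entry and an OSSEC alert.
# They are illustrative inputs built for this example, not captures from any real deployment.
SAMPLE_LOGS: List[Tuple[str, str]] = [
    ("suricata",
     "10/16/2018-09:15:02.123456  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] "
     "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.10:1433"),
    ("ossec",
     "** Alert 1539681302.1234: - syslog,sshd,authentication_failed,\n"
     "2018 Oct 16 09:15:02 host1->/var/log/auth.log\n"
     'Rule: 5716 (level 5) -> "SSHD authentication failed."\n'
     "Src IP: 203.0.113.7\nUser: root"),
    ("suricata", "this line does not match the expected format"),  # must be dropped, not crash the agent
]


@dataclass
class Event:
    """Normalized event: the common shape every plugin must produce before it is sent on."""
    sensor: str
    event_type: str
    src_ip: Optional[str]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    priority: int        # 1 = highest, 3 = lowest (hypothetical scale used by this example)
    raw: str


SURICATA_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?\s+\[Priority:\s+(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
OSSEC_RULE_RE = re.compile(r'Rule:\s+(?P<rule>\d+)\s+\(level\s+(?P<level>\d+)\)\s+->\s+"(?P<msg>[^"]*)"')
OSSEC_SRC_RE = re.compile(r"Src IP:\s+(?P<src>[\d.]+)")


def parse_suricata(raw: str) -> Optional[Event]:
    m = SURICATA_RE.match(raw)
    if not m:
        return None
    return Event("suricata", m.group("msg"), m.group("src"), m.group("dst"),
                 int(m.group("dport")), int(m.group("prio")), raw)


def parse_ossec(raw: str) -> Optional[Event]:
    m = OSSEC_RULE_RE.search(raw)
    if not m:
        return None
    level = int(m.group("level"))
    # OSSEC levels run 0-15 with higher = more severe; fold them onto the 1-3 priority scale above.
    priority = 1 if level >= 10 else 2 if level >= 5 else 3
    src = OSSEC_SRC_RE.search(raw)
    return Event("ossec", m.group("msg"), src.group("src") if src else None, None, None, priority, raw)


# The plugin table: one parser per sensor type, as the slide describes.
PLUGINS: Dict[str, Callable[[str], Optional[Event]]] = {
    "suricata": parse_suricata,
    "ossec": parse_ossec,
}


def normalize(sensor: str, raw: str) -> Optional[Event]:
    """Run the plugin for this sensor type; unknown sensors and unparseable lines yield None."""
    plugin = PLUGINS.get(sensor)
    return plugin(raw) if plugin else None


def normalize_batch(logs: List[Tuple[str, str]]) -> Tuple[List[Event], int]:
    """Normalize a batch, returning the events plus a count of lines that had to be dropped."""
    events, dropped = [], 0
    for sensor, raw in logs:
        ev = normalize(sensor, raw)
        if ev is None:
            dropped += 1      # in a real agent this would be logged so parser drift is noticed
        else:
            events.append(ev)
    return events, dropped


if __name__ == "__main__":
    evs, n_dropped = normalize_batch(SAMPLE_LOGS)
    for ev in evs:
        print(ev.sensor, ev.event_type, ev.src_ip, ev.dst_ip, ev.dst_port, ev.priority)
    print("dropped:", n_dropped)
```

The dropped counter is the part worth keeping an eye on in practice: a sensor upgrade that changes its log format shows up as a rising drop rate at the agent long before anyone notices that a class of events stopped reaching the SIEM.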

Security monitoring sensors (V)
Some attacks detected:
- Denial of Service.
- Distributed Denial of Service (botnets).
- Port Scanning.
- Brute Force Attack.
- SQL injection.
- Suspicious files (trojan).
- USB detection.
- Rootkits.
- Fastflux attacks.
Other events:
- High number of network connections.
- High/low network speeds.
- Port connections.

XL-SIEM
Security Information and Event Management (SIEM) solution with an added high-performance correlation engine to deal with large volumes of security information. Built on top of the open source SIEM OSSIM.
The objective of this asset is the detection of security threats. It plays the role of anomaly detection reasoner. It normalizes, filters and correlates information coming from heterogeneous sources, and obtains valuable insights about the cyber climate of the monitored infrastructure. Starting from huge amounts of data, this asset produces meaningful events and then raises alarms following complex event correlation rules.

XL-SIEM (II)

XL-SIEM (III)

XL-SIEM (IV)
Main features:
- Sophisticated real-time security analysis technology.
- Highly interoperable, scalable and elastic: security events are processed through a cluster of nodes.
- Cross-layer: convergence of physical and cyber security.
- Capacity to raise security alerts.
- Detection capabilities at the edge: possibility of deploying agents on Raspberry Pi platforms.
- Smart detection capabilities, such as behavioural analysis of IoT devices.

XL-SIEM (V)
Innovation lines: sharing of threat intelligence
- Having previously anonymized the information, sharing it among organizations by means of common formats: STIX (Security Threat Information eXchange), TAXII (Trusted Automated eXchange of Indicator Information), CYBOX (CYBer Observable eXpression).
- Helps solve the lack of cooperation / coordination when managing incidents.

XL-SIEM (VI)
Innovation lines: legacy systems
- Closer monitoring of outdated, old-fashioned systems, difficult to evolve and very vulnerable, but very common in critical infrastructures.
- Patching these assets leads to issues related to loss of certification and compliance.
- Detect critical events affecting legacy systems by leveraging a selected group of sensors and rules to watch over outdated systems.

XL-SIEM (VII)
Innovation lines: behavioural analysis
- Avoid an excess of information about alerts.
- Avoid false positives.
- Make reports and analysis simpler.
- Identify normal behaviour patterns to confront with abnormal ones.
- Use of machine learning techniques to achieve this.
Innovation lines: ease of deployment
- Automated incorporation of new clients / infrastructures.
- Automated deployment of sensors / agents and connection to the XL-SIEM server side.
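The simplest form of "learn the normal pattern, then confront it with the abnormal one" is a per-device statistical baseline. The block below is an added example for this page, not the behavioural analysis shipped in XL-SIEM: it trains a mean/deviation model per device from constructed connection-count samples, scores new observations by z-score, and handles the two cases that trip up naive baselines, a device with too little history and a device whose behaviour never varies. Device names, counts and the threshold of 3 are assumptions of the example.

```python
import statistics
from typing import Dict, List, Optional, Tuple

# Constructed per-interval connection counts for three devices (training data built for this example).
BASELINE_SAMPLES: Dict[str, List[int]] = {
    "plc-01": [48, 52, 50, 49, 51, 47, 53, 50, 49, 51, 50, 48, 52, 50, 49, 51],
    "cam-07": [5, 6, 5, 5, 7, 6, 5, 4, 6, 5, 5, 6, 5, 6, 4, 5],
    "gw-02": [10] * 12,   # a device whose behaviour never varies: zero spread must not break scoring
}


class Baseline:
    """Per-device mean/deviation model; scores new observations by z-score."""

    def __init__(self, samples: Dict[str, List[int]], min_samples: int = 10, z_threshold: float = 3.0) -> None:
        self.z_threshold = z_threshold
        self.models: Dict[str, Tuple[float, float]] = {}
        for device, values in samples.items():
            if len(values) < min_samples:
                continue   # too little history: refuse to model rather than alert on noise
            mu = statistics.mean(values)
            sd = max(statistics.pstdev(values), 1e-6)   # floor so a constant baseline still scores
            self.models[device] = (mu, sd)

    def score(self, device: str, value: float) -> Optional[float]:
        """Standard score of the observation, or None when the device has no baseline."""
        model = self.models.get(device)
        if model is None:
            return None
        mu, sd = model
        return (value - mu) / sd

    def assess(self, device: str, value: float) -> str:
        z = self.score(device, value)
        if z is None:
            return "unknown"      # surface separately: an unmodelled device is itself worth a look
        return "anomalous" if abs(z) > self.z_threshold else "normal"


def assess_batch(model: Baseline, observations: List[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    return [(device, value, model.assess(device, value)) for device, value in observations]


# Constructed observations to score against the trained baseline.
OBSERVATIONS = [("plc-01", 50), ("plc-01", 54), ("plc-01", 300), ("cam-07", 40),
                ("gw-02", 10), ("gw-02", 11), ("new-sensor", 1)]

if __name__ == "__main__":
    model = Baseline(BASELINE_SAMPLES)
    for device, value, verdict in assess_batch(model, OBSERVATIONS):
        print(f"{device:10s} {value:4d} {verdict}")
```

Two design points carry over to any richer model: the minimum-history guard is what keeps a freshly deployed sensor from generating a flood of alerts on its first day, and the "unknown" verdict keeps unmodelled devices visible instead of silently scoring them as normal.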

XL-SIEM (VIII)
Some event examples:
- Port scanning
- TCP connection
- WiFi connection
- High number of network connections
- Malware event
- MySQL connection
- High network load detected
- Slow network speed
Some alarm examples:
- Man in the Middle attack
- Brute Force attack
- DoS attack
- Phishing attack
- Malware detected
- Malicious site blocked
- Connection attempt against SQL services
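The step from events to alarms on the slide above, and the "complex event correlation rules" mentioned in the XL-SIEM overview, can be illustrated with a small sliding-window correlator. This is an added example written for this page, not the OSSIM or XL-SIEM correlation engine: a rule names the event type it consumes, a threshold and a time window, and optionally a field whose distinct values are counted instead of raw events (which is what separates a port sweep from a busy client talking to one port). The rules, thresholds and the event stream are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """Normalized event as delivered by the agents (constructed shape for this example)."""
    ts: float          # seconds since the epoch
    event_type: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    alarm: str                            # name of the alarm the rule raises
    event_type: str                       # which normalized event it consumes
    threshold: int                        # events (or distinct values) needed inside the window
    window: float                         # seconds
    distinct_field: Optional[str] = None  # count distinct values of this field instead of events


@dataclass(frozen=True)
class Alarm:
    name: str
    src_ip: str
    ts: float
    evidence: int


class Correlator:
    """Sliding-window correlation keyed by (rule, source address)."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self._windows: Dict[Tuple[str, str], Deque[Tuple[float, object]]] = defaultdict(deque)

    def feed(self, ev: Event) -> List[Alarm]:
        raised: List[Alarm] = []
        for rule in self.rules:
            if ev.event_type != rule.event_type:
                continue
            win = self._windows[(rule.alarm, ev.src_ip)]
            value = getattr(ev, rule.distinct_field) if rule.distinct_field else None
            win.append((ev.ts, value))
            while win and ev.ts - win[0][0] > rule.window:   # expire events that fell out of the window
                win.popleft()
            count = len({v for _, v in win}) if rule.distinct_field else len(win)
            if count >= rule.threshold:
                raised.append(Alarm(rule.alarm, ev.src_ip, ev.ts, count))
                win.clear()   # one alarm per burst, rather than one per further event
        return raised


# Hypothetical rules in the spirit of the alarms listed on the slide (thresholds are illustrative).
RULES = [
    Rule("Brute Force attack", "authentication_failed", threshold=5, window=60.0),
    Rule("Port scanning", "tcp_connection", threshold=10, window=30.0, distinct_field="dst_port"),
]


def build_sample_stream() -> List[Event]:
    """Constructed event stream: one brute-force burst, one port sweep, and benign noise."""
    t0 = 1539681300.0
    stream = [Event(t0 + 2 * i, "authentication_failed", "203.0.113.7", "192.0.2.10", 22) for i in range(6)]
    stream.append(Event(t0 + 5, "authentication_failed", "198.51.100.9", "192.0.2.10", 22))  # one mistyped password
    stream += [Event(t0 + 20 + p, "tcp_connection", "198.51.100.5", "192.0.2.10", 1000 + p) for p in range(12)]
    # Twelve connections to the same port are a busy client, not a scan: the distinct-port rule ignores them.
    stream += [Event(t0 + 40, "tcp_connection", "203.0.113.7", "192.0.2.10", 443) for _ in range(12)]
    return sorted(stream, key=lambda e: e.ts)


def run(rules: List[Rule], stream: List[Event]) -> List[Alarm]:
    corr = Correlator(rules)
    alarms: List[Alarm] = []
    for ev in stream:
        alarms.extend(corr.feed(ev))
    return alarms


if __name__ == "__main__":
    for a in run(RULES, build_sample_stream()):
        print(f"{a.name} from {a.src_ip} at {a.ts:.0f} ({a.evidence} events)")
```

Clearing the window after an alarm is the cheap way to keep one burst from becoming dozens of identical alarms, which is the "excess of information about alerts" problem the innovation slides mention; a production engine would also rate-limit per source and carry the contributing events along as evidence for the analyst.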

Fitting in the architecture

Thanks for your attention! Questions?
Contact:
Antonio Álvarez, ATOS: antonio.alvarez@atos.net
Rodrigo Díaz, ATOS: rodrigo.diaz@atos.net
Rubén Trapero, ATOS: ruben.trapero@atos.net
www.cipsec.eu
@CIPSECproject
https://www.linkedin.com/in/cipsec-project/
https://www.youtube.com/channel/UCekxicSFAwZdIPAV3iLHttg
CIPSEC Technical Review Meeting, Barcelona, 22/11/2017