Download presentation
Presentation is loading. Please wait.
Published byDerick Watts Modified over 7 years ago
1
SIEM Rotem Mesika System security engineering
2
What we will talk today.. What is siem? Why do organizations use it?
“Crown Jewels” What are we protecting from? and How? The SIEM Process Implementation SIEM - “ArcSight” Combining SIEMs
3
What is SIEM? SIEM = Security Information and Event Management
SIEM collects log files and security information from internal and external sources Event correlation is used to detect and alert unwanted activities within the network defined by the organization An organization can use the information within the SIEM to effectively respond and detect security incidents The main focus areas which define the fundaments of SIEM are: Log management Correlation Alerting Responding [1] van de Moosdijk, Jarno, and Daan Wagenaar. "Addressing SIEM." (2015) [2] Anastasov, Igor, and Danco Davcev. "SIEM implementation for global and distributed environments." Computer Applications and Information Systems (WCCAIS), 2014 World Congress on. IEEE, 2014. [3] Aguirre, Idoia, and Sergio Alonso. "Improving the automation of security information management: A collaborative approach." Security & Privacy, IEEE 10.1 (2012):
4
Why do organizations use it?
Threat management The ability to detect risky scenarios and common attacks, as well as attack paths defined by the organization itself Relations are established between events from different sources on the network Compliancy Joining the logs and reports of multiple systems within the organization, enabling an easy access and analysis by a built in framework in each system Forensic support The information available within SIEM is very valuable from a forensic perspective and can greatly aid a forensic analyst in his or her investigation SIEM allows forensic analysts to search within logs of many systems in a centralized way, without the need of re-collecting the log files of compromised systems [1] van de Moosdijk, Jarno, and Daan Wagenaar. "Addressing SIEM." (2015) [2] Anastasov, Igor, and Danco Davcev. "SIEM implementation for global and distributed environments." Computer Applications and Information Systems (WCCAIS), 2014 World Congress on. IEEE, 2014. [3] Aguirre, Idoia, and Sergio Alonso. "Improving the automation of security information management: A collaborative approach." Security & Privacy, IEEE 10.1 (2012):
5
Defining the “Crown Jewels”
When an organization grows, its IT environment grows as well. Services are added and removed It is impossible for an organization to collect log files of all systems and at the same time perform real-time analysis and correlation An organization needs to know what are the ‘crown jewels’. What is the most important asset or information that is owned by the organization? “Crown jewels” can be identified by performing a risk analysis on organizational level, in other words: an organization's strategy [1] van de Moosdijk, Jarno, and Daan Wagenaar. "Addressing SIEM." (2015)
6
What are we protecting from? and How?
Risk scenarios describe undesirable actions to the “crown jewels” and include common attacks (i.e. DDoS on online services) and attack paths (i.e. reconnaissance using a port scan) An organization knows which logs to collect and from which devices, based on the information required by “use cases” and the rules they consist of Every rule can require different log sources and events For SIEM to work correctly, all logs required by use cases and rules should be gathered, normalized and available to the SIEM tooling [1] van de Moosdijk, Jarno, and Daan Wagenaar. "Addressing SIEM." (2015)
7
Example of a “use case” [1] van de Moosdijk, Jarno, and Daan Wagenaar. "Addressing SIEM." (2015)
8
The SIEM Process
9
Log Management Log management is an integral part of SIEM because, log entries are greatest source of information Though highly crucial, solely collecting and aggregating logs at a central location is not enough [1] van de Moosdijk, Jarno, and Daan Wagenaar. "Addressing SIEM." (2015)
10
Correlation Correlation of log entries is performed based on use cases. Every use case consists of one or more rules that detect an unwanted event, which is defined by risk scenarios To trigger a use case, one typically needs to correlate multiple log entries from one or more sources [1] van de Moosdijk, Jarno, and Daan Wagenaar. "Addressing SIEM." (2015)
11
Alerting Alerting abnormal actions is the core purpose of the SIEM, focused on threat management [1] van de Moosdijk, Jarno, and Daan Wagenaar. "Addressing SIEM." (2015)
12
Responding & Evaluating
Most alerts require manual analysis by a SOC analyst Experience gained from handling incidents or false- positives can serve as an input for a new use case or for fine-tuning [1] van de Moosdijk, Jarno, and Daan Wagenaar. "Addressing SIEM." (2015)
13
HP SIEM implementation – “ArcSight”
The model is called “The hierarchical managers model” We divide our model into 3 layers The first – devices that generate log file, i.e. firewall The second – a centralized system of dedicated servers that collects and stores all the log files in a dedicated storage The third – the monitoring layer, to monitor and review the logs and manage the servers of the second layer [2] Anastasov, Igor, and Danco Davcev. "SIEM implementation for global and distributed environments." Computer Applications and Information Systems (WCCAIS), 2014 World Congress on. IEEE, 2014.
14
Choose the devices and their logs
Domain controllers Databases servers IDS and IPS Firewall Network Devices Antivirus System [2] Anastasov, Igor, and Danco Davcev. "SIEM implementation for global and distributed environments." Computer Applications and Information Systems (WCCAIS), 2014 World Congress on. IEEE, 2014.
15
Define “use case” [2] Anastasov, Igor, and Danco Davcev. "SIEM implementation for global and distributed environments." Computer Applications and Information Systems (WCCAIS), 2014 World Congress on. IEEE, 2014.
16
Define “use case” – cont.
[2] Anastasov, Igor, and Danco Davcev. "SIEM implementation for global and distributed environments." Computer Applications and Information Systems (WCCAIS), 2014 World Congress on. IEEE, 2014.
17
Combining SIEMs
18
SIEM of SIEMs Central SIEM server that acts as a parent and communicates intermediary SIEM servers (called Child Managers), instead of communicating with the log sources directly The parent and the child managers each take on deferent responsibilities Alerting, filtering, normalization, reporting and anything else having to do with policy enforcement are responding of the Child Manager Correlated events are forwarded from each Child Manager to the Global Manager for global correlation [2] Anastasov, Igor, and Danco Davcev. "SIEM implementation for global and distributed environments." Computer Applications and Information Systems (WCCAIS), 2014 World Congress on. IEEE, 2014.
19
sharing alarms - Collaborative Approach
SIEMs in domains with similar services and traffic could be vulnerable to similar attacks sharing alarms among these SIEMs would benefit all Snort’s detection engine scans the network for attack patterns, registers possible threats, and issues alerts. SIEMs exchange directive files to correlate events reported by federation partners. Each SIEM can define its own directives as well as adopt other SIEMs’ definitions. i.e. Rules can match packets based on source or target addresses, source or target ports, particular protocols or flags, or packet content. [3] Aguirre, Idoia, and Sergio Alonso. "Improving the automation of security information management: A collaborative approach." Security & Privacy, IEEE 10.1 (2012):
20
Refernaces [1] van de Moosdijk, Jarno, and Daan Wagenaar. "Addressing SIEM." (2015) [2] Anastasov, Igor, and Danco Davcev. "SIEM implementation for global and distributed environments." Computer Applications and Information Systems (WCCAIS), 2014 World Congress on. IEEE, 2014. [3] Aguirre, Idoia, and Sergio Alonso. "Improving the automation of security information management: A collaborative approach." Security & Privacy, IEEE 10.1 (2012):
21
Questions?
22
Different between IDS and SIEM
IDS = Intrusion Detection System “monitors network or system activities for malicious activities or policy violations and produces electronic reports to a management station” Wikipedia IDS is a “sensor” to the SIEM and help to protect the organization's network by monitoring suspicious data packets and requests. SIEM is use IDS as a sensor and also sensor from the DC and the hosts (like antivirus) and not only from the network.
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.