SECURITY INFORMATION AND EVENT MANAGEMENT

Presentation on theme: "SECURITY INFORMATION AND EVENT MANAGEMENT"— Presentation transcript:

1 SECURITY INFORMATION AND EVENT MANAGEMENT
SIEM SECURITY INFORMATION AND EVENT MANAGEMENT Montgomery, Salvas, Shepardson

2 Overview
Combines both security information management (SIM) and security event management (SEM)
Provides real-time analysis of security alerts
Data aggregated for a single point of view
TRENDS & PATTERNS: most organizations today deploy a Security Incident and Event Management (SIEM) solution as a proactive measure for threat management, to get a centralized view of their organization's security posture and for advanced reporting of security incidents.
Video - What is a SIEM?

3 SIM vs. SEM
SIM: automates collection of event log data from security devices; detailed searching and reporting; long-term storage/analysis of log data.
SEM: real-time monitoring/alerts; correlation of events; specific events.
Since SIM tends to be better at log collection, it can be used to drive or feed SEM solutions.

4 Benefits of SIEM Prevent/detect potential security breaches
Reduce impact of security events Evaluate policy/IT compliance Improve incident handling efficiency 

5 How SIEMs Work Monitoring, Standards, Issues, Action

6 Monitoring End-user devices Network devices Security applications
Ideally, a properly secured network should have multiple sources generating event logs. These should include sources like system logs from end-user devices, server and network device logs, and logs from various security applications (anti-virus, firewalls, intrusion detection software, etc.). A SIEM takes all these events and makes them accessible from one location.

7 Standards Normal activity Established exceptions Blacklisted actions
A SIEM then takes all the log data and compares it to a set of pre-established standards. These are things like typical activity that shouldn't raise any alarms, actions by pre-specified users that would otherwise cause concern, and actions that always warrant closer examination. For a SIEM to be most effective, time needs to be taken to analyze network activity and determine what network patterns make sense for the organization and what activity is unwanted.

8 Issues and Actions Rating Method of notification Recommendations
If the SIEM receives an event notification that falls outside the expected or acceptable standards, it will then rate the event on a scale according to its severity. Similar to the pre-determined acceptable activity, the severity of an action also needs to be set up ahead of time for a SIEM to work effectively. Once an event is rated, the SIEM determines who needs to be specifically notified and how, whether through adding the event to a log, highlighting it in a report, or sending an immediate alert. It will also provide recommendations on how an event may be resolved.

9 More layers! ITIL Information Technology Infrastructure Library contains a comprehensive set of best practices that are used to develop and execute IT service management. Business continuity planning is the process of creating systems of prevention and recovery to deal with potential threats to a company.

10 Examples
A good SIEM gives you the ability to proactively analyze problems and take immediate action without having to manually gather, organize and sift through gigabytes of log data.
Quickly gain insight into threat and malware activity.
Generally a behavioural approach: individual events are considered insufficient to draw conclusions on their own.

11 splunk> Index > Search and investigate > add knowledge > monitor and alert > report and analyze
Splunk uses a query language called SPL (Search Processing Logic), which is roughly a combination of SQL-style queries and a high-level programming language such as Python.

12 Example Use Case Detection of Possible Brute Force Attacks
sourcetype="WinEventLog:Security" (EventCode=4625 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | stats count by Account_Name | where count > 2
Go into your local security policy and start auditing logon events. This creates the necessary logs that can be fed into Splunk.
EventCode 4625 is used in newer versions of the Windows family, such as Windows 7. In older versions, the event codes for invalid login attempts are 675 and 529.
Failure Code 0x19 is error code 25, "Additional pre-authentication required"*, and is therefore excluded from the search.
Since these activities get logged in Win:Security, which in turn feeds Splunk in real time, an alert will be created in Splunk, giving analysts an incident to investigate and take responsive action, such as changing the firewall policy to blacklist that IP.
Failure Codes:
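The SPL search above re-implemented in Python over a few constructed sample events, as an added example that is not code from the slides: it applies the 4625/"Audit Failure" filter, the machine-account (`*$`) and Failure_Code 0x19 exclusions, and the per-account count with the `count > 2` threshold. The field names follow the Splunk fields in the query; the key=value line layout of the sample events is an assumption.

```python
import re
from collections import Counter

# Constructed sample events (not from the original slides), written as the
# key=value fields Splunk would extract from WinEventLog:Security records.
SAMPLE_EVENTS = [
    'EventCode=4625 Keywords="Audit Failure" Account_Name=alice Failure_Code=0x18',
    'EventCode=4625 Keywords="Audit Failure" Account_Name=alice Failure_Code=0x18',
    'EventCode=4625 Keywords="Audit Failure" Account_Name=alice Failure_Code=0x18',
    'EventCode=4625 Keywords="Audit Failure" Account_Name=bob Failure_Code=0x18',
    'EventCode=4625 Keywords="Audit Failure" Account_Name=WKS01$ Failure_Code=0x18',
    'EventCode=4625 Keywords="Audit Failure" Account_Name=WKS01$ Failure_Code=0x18',
    'EventCode=4625 Keywords="Audit Failure" Account_Name=WKS01$ Failure_Code=0x18',
    'EventCode=4625 Keywords="Audit Failure" Account_Name=carol Failure_Code=0x19',
    'EventCode=4625 Keywords="Audit Failure" Account_Name=carol Failure_Code=0x19',
    'EventCode=4625 Keywords="Audit Failure" Account_Name=carol Failure_Code=0x19',
    'EventCode=4624 Keywords="Audit Success" Account_Name=alice Failure_Code=0x0',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split one key=value log line into a dict (surrounding quotes stripped)."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}

def is_candidate(ev):
    """Apply the filters of the SPL search to a single parsed event."""
    # EventCode=4625 AND "Audit Failure": a failed logon on Windows 7 and later
    if ev.get("EventCode") != "4625" or ev.get("Keywords") != "Audit Failure":
        return False
    # NOT (User_Name="*$" OR Account_Name="*$"): ignore machine accounts
    if any(ev.get(f, "").endswith("$") for f in ("User_Name", "Account_Name")):
        return False
    # NOT Failure_Code=0x19: pre-authentication required is not a bad password
    return ev.get("Failure_Code") != "0x19"

def failed_logons_by_account(lines, threshold=2):
    """stats count by Account_Name | where count > threshold"""
    counts = Counter(
        ev.get("Account_Name", "<unknown>")
        for ev in map(parse_event, lines)
        if is_candidate(ev)
    )
    return {name: n for name, n in counts.items() if n > threshold}

if __name__ == "__main__":
    for account, n in failed_logons_by_account(SAMPLE_EVENTS).items():
        print(f"ALERT: {n} failed logons for account {account}")
```

With the sample data only alice crosses the threshold; the machine account and the 0x19 events are filtered out before counting.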

13 IBM QRadar Named best SIEM in 2015 by SANS Institute
IBM QRadar Security Intelligence Platform

14 Resources http://resources.infosecinstitute.com/top-6-seim-use-cases/
information-and-event-management-SIEM detection/log-management-siem/what-is-a-siem/

