CIPSEC Framework components: XL-SIEM
CIPSEC workshop, Frankfurt, 16/10/2018
Rodrigo Díaz Rodríguez (ATOS), Antonio Álvarez Romero (ATOS)
Co-funded by the Horizon 2020 Framework Programme of the European Union
Outline
- The anomaly detection process
- Security monitoring sensors
- XL-SIEM
The anomaly detection process
(Diagram: sensors feeding the XL-SIEM)
Security monitoring sensors
A sensor is a software entity capable of processing and analysing information and eventually producing a useful output. Depending on where the information is collected:
- Network layer sensors collect information about network activity. They work at the IP level, with data in transit.
- Application layer sensors collect information from the applications installed on a given machine. They work with data before transmission or after reception.
Sensors do not perform highly complex processing over the information they collect; they rely on rather simple calculations that yield a first level of aggregation.
Security monitoring sensors (II)
Sensors send their logs to an entity called Cyber Agent, which can be compatible with a wide range of sensors. Agents have modules called plugins that make it possible to "understand" the data coming from the different sensor types. Each plugin interprets the logs related to certain types of events, so there are as many plugins as sensor types in use. Plugins produce events, which are normalized before being sent to the XL-SIEM.
Security monitoring sensors (III)
Security monitoring sensors (IV)
Some types of sensors:
- Suricata: Network Intrusion Detection System.
- OSSEC: Host Intrusion Detection System.
- DNS traffic sensors: detect anomalies in DNS traffic.
- Cowrie honeypot: attracts attackers so as to detect their presence.
- Nagios: network / systems status monitoring daemon.
- Netflow: network flow information.
Security monitoring sensors (V)
Some attacks detected:
- Denial of Service.
- Distributed Denial of Service (botnets).
- Port scanning.
- Brute force attack.
- SQL injection.
- Suspicious files (trojan).
- USB detection.
- Rootkits.
- Fast-flux attacks.
Other events:
- High number of network connections.
- High/low network speeds.
- Port connections.
XL-SIEM
Security Information and Event Management (SIEM) solution with an added high-performance correlation engine to deal with large volumes of security information. Built on top of the open source SIEM OSSIM. The objective of this asset is the detection of security threats: it plays the role of anomaly detection reasoner. It normalizes, filters and correlates information coming from heterogeneous sources, and obtains valuable insights about the cyber climate of the monitored infrastructure. Starting from huge amounts of data, this asset produces meaningful events and then raises alarms following complex event correlation rules.
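The two slides above describe a pipeline: sensors emit raw logs, an agent plugin per sensor type turns them into normalized events, and the SIEM correlates those events into alarms. The following is an added example of that pipeline written for this page; it is not CIPSEC, XL-SIEM or OSSIM code. The log line shapes, the sensor names in the `PLUGINS` table, the event schema, the brute-force threshold (5 failures in 60 s) and the IDS signature id 9000001 are all constructed for the illustration and do not reproduce the real Suricata or OSSEC output formats.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs, tagged with the sensor type that produced them.
# The line shapes are invented for this example (not real Suricata / OSSEC
# output), as is the IDS signature id 9000001.
SAMPLE_LOGS = [
    ("ossec",    "2018-10-16T09:00:01Z sshd[2101]: Failed password for root from 203.0.113.7 port 51022"),
    ("suricata", "2018-10-16T09:00:02Z [1:9000001:1] EXAMPLE SSH probe {TCP} 203.0.113.7:51070 -> 10.0.0.5:22"),
    ("ossec",    "2018-10-16T09:00:03Z sshd[2104]: Failed password for admin from 203.0.113.7 port 51030"),
    ("ossec",    "2018-10-16T09:00:04Z sshd[2107]: Failed password for root from 203.0.113.7 port 51041"),
    ("ossec",    "2018-10-16T09:00:06Z sshd[2110]: Failed password for test from 203.0.113.7 port 51055"),
    ("ossec",    "2018-10-16T09:00:09Z sshd[2113]: Failed password for root from 203.0.113.7 port 51060"),
    ("ossec",    "2018-10-16T09:05:00Z sshd[2200]: Failed password for bob from 198.51.100.9 port 40000"),
    ("unknown",  "2018-10-16T09:05:01Z something no plugin understands"),
]

AUTH_FAIL = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) "
                       r"from (?P<src>[\d.]+) port \d+$")
IDS_ALERT = re.compile(r"^(?P<ts>\S+) \[\d+:\d+:\d+\] (?P<sig>.+?) \{(?P<proto>\w+)\} "
                       r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

# Plugins: one parser per sensor type, each emitting the agent's common event schema.
def plugin_hids(line):
    m = AUTH_FAIL.match(line)
    if not m:
        return None
    return {"ts": _ts(m["ts"]), "sensor": "hids", "type": "auth_failure",
            "src_ip": m["src"], "dst_ip": None, "user": m["user"]}

def plugin_nids(line):
    m = IDS_ALERT.match(line)
    if not m:
        return None
    return {"ts": _ts(m["ts"]), "sensor": "nids", "type": "ids_alert",
            "src_ip": m["src"], "dst_ip": m["dst"], "user": None, "signature": m["sig"]}

PLUGINS = {"ossec": plugin_hids, "suricata": plugin_nids}

def normalize(raw_logs):
    """Agent side: route each raw line to its plugin and keep the normalized events."""
    events = []
    for sensor, line in raw_logs:
        parser = PLUGINS.get(sensor)
        event = parser(line) if parser else None  # unknown sensor or unparsable line: dropped
        if event:
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """SIEM side: raise a brute-force alarm when one source accumulates `threshold`
    authentication failures inside a sliding `window`; an earlier IDS alert from
    the same source raises the alarm priority (cross-sensor correlation)."""
    alarms = []
    failures = defaultdict(list)   # src_ip -> timestamps of recent failures
    scanners = set()                # sources already flagged by the NIDS
    for ev in events:               # events are processed in time order
        if ev["type"] == "ids_alert":
            scanners.add(ev["src_ip"])
            continue
        if ev["type"] != "auth_failure":
            continue
        recent = failures[ev["src_ip"]]
        recent.append(ev["ts"])
        while recent and ev["ts"] - recent[0] > window:
            recent.pop(0)           # drop failures that fell out of the window
        if len(recent) >= threshold:
            alarms.append({"alarm": "Brute Force attack", "src_ip": ev["src_ip"],
                           "count": len(recent),
                           "priority": "high" if ev["src_ip"] in scanners else "medium"})
            recent.clear()          # do not re-raise on every further failure
    return alarms

def run(raw_logs=SAMPLE_LOGS):
    return correlate(normalize(raw_logs))

if __name__ == "__main__":
    for alarm in run():
        print(alarm)
```

On the sample input, the single source with five failures inside the window produces one "Brute Force attack" alarm, and because the NIDS had already flagged that source, the alarm is raised at high priority; the lone failure from the second source and the line from an unknown sensor produce nothing. Clearing the per-source bucket after an alarm is the simplest form of alarm de-duplication; a real engine would also expire buckets that stay idle.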
XL-SIEM (II)
XL-SIEM (III)
XL-SIEM (IV)
Main features:
- Sophisticated real-time security analysis technology.
- Highly interoperable, scalable and elastic: security events are processed through a cluster of nodes.
- Cross-layer: convergence of physical and cyber security.
- Capacity to raise security alerts.
- Detection capabilities at the edge: possibility of deploying agents on Raspberry Pi platforms.
- Smart detection capabilities such as behavioural analysis of IoT devices.
XL-SIEM (V)
Innovation lines: sharing of threat intelligence
- Having previously anonymized the information, share it among organizations by means of common formats:
  - STIX (Structured Threat Information eXpression).
  - TAXII (Trusted Automated eXchange of Indicator Information).
  - CybOX (CYBer Observable eXpression).
- Helps solve the lack of cooperation / coordination when managing incidents.
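The slide says "anonymize first, then share in a common format" without showing what that looks like. As an added example (not CIPSEC or XL-SIEM code), the block below takes an alarm like the one a correlation engine emits, pseudonymizes the fields that identify the victim organization with a keyed hash, wraps the attacker address as a STIX 2.1 Indicator in a Bundle built from plain dicts, and refuses to release the bundle if any address from the organization's own ranges is still present. The alarm, the `ORG_SECRET` value and the list of internal networks are constructed for the illustration; in practice the secret is a managed key and the network list is the organization's real address plan.

```python
import hashlib
import hmac
import ipaddress
import re
import uuid
from datetime import datetime, timezone

# Constructed: a per-organization secret for pseudonymization (a managed key in
# practice, never a literal in code) and one alarm as a correlation engine might
# emit it. 10.0.0.5 is the organization's own host; 203.0.113.7 is the source
# observed by the sensors and the only address worth sharing.
ORG_SECRET = b"example-org-secret-not-for-real-use"
ALARM = {"alarm": "Brute Force attack", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5",
         "user": "root", "count": 5, "ts": "2018-10-16T09:00:09Z"}

# Constructed address plan: the ranges this organization treats as internal.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                      "127.0.0.0/8", "169.254.0.0/16")]

def pseudonym(value, secret=ORG_SECRET):
    """Keyed hash: the same internal value maps to the same token for this
    organization, but partners cannot reverse it or link it across organizations."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:16]

def anonymize(alarm, secret=ORG_SECRET):
    """Replace the fields that identify the victim infrastructure; keep the
    external attacker address, which is the indicator worth sharing."""
    shared = dict(alarm)
    shared["dst_ip"] = "host-" + pseudonym(alarm["dst_ip"], secret)
    shared["user"] = "user-" + pseudonym(alarm["user"], secret)
    return shared

def to_stix_bundle(alarm):
    """Wrap the alarm as a STIX 2.1 Indicator inside a Bundle, using plain dicts
    with the STIX 2.1 required properties (no stix2 library needed)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    indicator = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": alarm["alarm"],
        "description": (f"{alarm['count']} authentication failures against "
                        f"{alarm['dst_ip']} (account {alarm['user']})"),
        "indicator_types": ["malicious-activity"],
        "pattern": f"[ipv4-addr:value = '{alarm['src_ip']}']",
        "pattern_type": "stix",
        "valid_from": alarm["ts"],
    }
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [indicator]}

def leaks_internal_address(bundle):
    """Last check before sharing: scan the serialized bundle for any IPv4
    address that falls inside the organization's internal ranges."""
    for token in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", str(bundle)):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue
        if any(addr in net for net in INTERNAL_NETWORKS):
            return True
    return False

def share(alarm):
    """Anonymize, format, and release only if the leak check passes."""
    bundle = to_stix_bundle(anonymize(alarm))
    if leaks_internal_address(bundle):
        raise ValueError("refusing to share: internal address present in bundle")
    return bundle

if __name__ == "__main__":
    print(share(ALARM))
```

The leak check runs on the serialized bundle rather than on known fields, so an internal address smuggled into a free-text description is caught as well. The same keyed-hash pseudonyms let the sharing organization correlate future reports about the same host without revealing it to partners.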
XL-SIEM (VI)
Innovation lines: legacy systems
- Closer monitoring of outdated, old-fashioned systems that are difficult to evolve and very vulnerable, but very common in critical infrastructures.
- Patching these assets leads to issues related to loss of certification and compliance.
- Detect critical events affecting legacy systems, leveraging a selected group of sensors and rules to watch over outdated systems.
XL-SIEM (VII)
Innovation lines: behavioural analysis
- Avoid an excess of information about alerts. Avoid false positives.
- Make reports and analysis simpler.
- Identify normal behaviour patterns to confront with abnormal ones.
- Use machine learning techniques to achieve this.
Innovation lines: ease of deployment
- Automated incorporation of new clients / infrastructures.
- Automated deployment of sensors / agents and connection to the XL-SIEM server side.
XL-SIEM (VIII)
Some event examples:
- Port scanning
- TCP connection
- WiFi connection
- High number of network connections
- Malware event
- MySQL connection
- High network load detected
- Slow network speed
Some alarm examples:
- Man in the Middle attack
- Brute force attack
- DoS attack
- Phishing attack
- Malware detected
- Malicious site blocked
- Connection attempt against SQL services
Fitting in the architecture
Thanks for your attention! Questions?
Contact: Antonio Álvarez (ATOS), Rodrigo Díaz (ATOS), Rubén Trapero (ATOS). @CIPSECproject
CIPSEC Technical Review Meeting, Barcelona, 22/11/2017