
1 SANS Technology Institute - Candidate for Master of Science Degree
What's in the data bucket? Event Correlation and SIEM Vendor Approaches
Brough Davis, Jim Horwath, John Zabiuk
April 2010

2 Objective
Logging Infrastructure
Logging Sources & Servers
What is a SIEM?
Advantages of a SIEM
Using SIEM
Vendor Approaches

3 Logging Infrastructure
What is logging to where?

4 Logging Sources / Services
Logging Sources (collected via syslog and SNMP trap)
Network
 o Cisco IOS
 o Snort IDS/IPS
Servers/Workstations
 o Enterprise Linux 3/4/5
 o Microsoft Windows
Applications
 o BIND (DNS)
 o Exchange
 o MS SQL
 o Host Intrusion Detection
Logging Services
Syslog
 o syslogd
 o syslog-ng
 o rsyslog
SNMP trap

5 What is a SIEM?
SIEM - Security Information and Event Management
Logging and Event Aggregation
 o Network (router, switch, firewall, etc.)
 o System (server, workstation, etc.)
 o Application (web, DB)
Correlation Engine
 o 2+ related events = higher alarm (1+1=3): two events that are each low priority on their own produce a higher-priority alarm when they involve the same asset or actor within a time window

6 Using SIEM
How do SIEM products help with the following security concerns?
Countermeasures to detect attempts to infect internal systems
Identification of infected systems trying to exfiltrate information
Mitigation of the impact of infected systems
Detection of outbound sensitive information (DLP)
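The correlation idea from the "What is a SIEM?" slide, applied to the infection and exfiltration concerns listed above, as an added example that is not part of the presentation and not code from any of the vendors it surveys. It normalises syslog lines from the kinds of sources on the Logging Sources slide (a Snort sensor, a Cisco ASA firewall, a Windows host via an agent) into events and raises a higher-priority alarm only when two or more related events hit the same internal host inside a time window. All log lines, host names and addresses are constructed, the message layouts are simplified approximations of the real formats, the 15-minute window and the rule set are assumptions, and the year is assumed because BSD syslog timestamps carry none.

```python
"""Toy SIEM correlation engine (added example, not from the presentation
or any vendor). Parses constructed syslog lines into events and applies
"1+1=3" rules: related events on one host inside a window raise a higher
alarm than either event alone."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured from real devices). The rtr1 line
# matches no source parser and is ignored, as unrelated noise would be.
SAMPLE_LOG = """\
Apr 12 10:01:03 ids1 snort[2044]: [1:2001234:5] EXPLOIT attempt [Classification: Attempted User Privilege Gain] [Priority: 2] {TCP} 203.0.113.9:44321 -> 10.1.5.20:445
Apr 12 10:01:40 winsrv agent: EventID=4688 host=10.1.5.20 NewProcess=C:\\Windows\\Temp\\svc.exe
Apr 12 10:02:15 fw1 %ASA-6-302013: Built outbound TCP connection 88 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.1.5.20/51622 (10.1.5.20/51622)
Apr 12 10:05:00 rtr1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
Apr 12 10:30:00 fw1 %ASA-6-302013: Built outbound TCP connection 91 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.1.5.44/51700 (10.1.5.44/51700)
"""

SYSLOG_YEAR = 2010  # assumption: BSD syslog timestamps have no year field
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
HEADER_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
SNORT_RE = re.compile(r"snort\[\d+\]: \[[\d:]+\] (.+?) \[Classification: .*?\] "
                      r"\[Priority: \d\] \{\w+\} " + IP + r":\d+ -> " + IP + r":\d+")
ASA_OUT_RE = re.compile(r"%ASA-\d-302013: Built outbound TCP connection \d+ for outside:"
                        + IP + r"/\d+ \(.*?\) to inside:" + IP + r"/\d+")
WIN_PROC_RE = re.compile(r"EventID=4688 host=" + IP + r" NewProcess=(\S+)")


def parse_line(line):
    """Return a normalised event dict, or None if no source parser matches."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    reporter, msg = m.group(2), m.group(3)
    s = SNORT_RE.search(msg)
    if s:  # inbound IDS alert: the internal host of interest is the destination
        return {"ts": ts, "type": "ids_alert", "host": s.group(3), "source": reporter,
                "detail": f"{s.group(1)} from {s.group(2)}"}
    s = ASA_OUT_RE.search(msg)
    if s:  # firewall built an outbound connection from an inside host
        return {"ts": ts, "type": "outbound_conn", "host": s.group(2), "source": reporter,
                "detail": f"outbound connection to {s.group(1)}"}
    s = WIN_PROC_RE.search(msg)
    if s:  # Windows process-creation event forwarded by an agent
        return {"ts": ts, "type": "new_process", "host": s.group(1), "source": reporter,
                "detail": f"new process {s.group(2)}"}
    return None


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


WINDOW = timedelta(minutes=15)  # assumption
SEVERITY = {"high": 2, "critical": 3}
# Each rule: alarm name, event types that must all appear for one host
# inside WINDOW, severity of the resulting alarm. A lone outbound
# connection or a lone IDS alert matches nothing.
RULES = [
    ("inbound exploit attempt followed by outbound connection (possible infection, exfiltration)",
     {"ids_alert", "outbound_conn"}, "high"),
    ("exploit attempt, new process and outbound connection (likely infected host exfiltrating)",
     {"ids_alert", "new_process", "outbound_conn"}, "critical"),
]


def correlate(events, window=WINDOW, rules=RULES):
    """Slide a time window over each host's events; keep the strongest alarm per host."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alarms = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, anchor in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - anchor["ts"] <= window]
            seen = {e["type"] for e in in_window}
            for name, required, severity in rules:
                if not required <= seen:
                    continue
                current = alarms.get(host)
                if current is None or SEVERITY[severity] > SEVERITY[current["severity"]]:
                    alarms[host] = {"host": host, "rule": name, "severity": severity,
                                    "evidence": [f"{e['ts']:%H:%M:%S} {e['source']}: {e['detail']}"
                                                 for e in in_window if e["type"] in required]}
    return alarms


if __name__ == "__main__":
    for alarm in correlate(parse_log(SAMPLE_LOG)).values():
        print(alarm["severity"].upper(), alarm["host"], alarm["rule"])
        for line in alarm["evidence"]:
            print("   ", line)
```

Run as-is, it raises one CRITICAL alarm for 10.1.5.20 with three lines of evidence and nothing for 10.1.5.44, whose single outbound connection is normal on its own; a real product adds asset context (is 10.1.5.20 a server that should never talk to 198.51.100.7?) before deciding the final priority.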

7 SIEM Advantages
Correlation of data from multiple systems and different event types to detect security and operational conditions
Anomaly detection: a baseline of events over time is used to find deviations from expected or normal behavior
Comprehensive view into an environment based on event types, protocols, log sources, etc.
Help against APTs (advanced persistent threats) by detecting protocol and application anomalies
Prioritization based on the risk a threat poses to assets, so staff can triage the most vulnerable targets first
Alerting and monitoring on events of interest to escalate priority
Ability to filter events and create custom views to meet business needs
Allows organizations to demonstrate adherence to policies and controls
Monitor and log the access and use of sensitive data
Limits exposure to breach disclosure costs by knowing the number of customer records affected
Helps reduce risk to business partners and customers by detecting data loss and fraud
Reduce costs by replacing redundant functions and technologies
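The baseline-and-deviation approach behind the anomaly detection advantage above, as an added illustration that is not part of the presentation and not any vendor's implementation. It takes per-day counts of one event type per internal host, the kind of aggregate a SIEM builds from flow or firewall logs, learns a baseline from the preceding days, and flags a day that exceeds the expected range. The counts, the host addresses, the 7-day minimum history, the k=3 standard-deviation multiplier and the absolute floor are all constructed or assumed; the floor exists because a baseline with zero variance (a host that never connects out) would otherwise flag a single event.

```python
"""Baseline anomaly detection over daily event counts (added example,
not from the presentation or any vendor). Flags a day whose count is
above mean + max(k * stdev, floor) of the days before it."""
from statistics import mean, pstdev

# Constructed: 14 days of "outbound connections to new external hosts"
# per internal host. Day 13 is the one to look at.
DAILY_COUNTS = {
    "10.1.5.20": [12, 15, 11, 14, 13, 12, 16, 14, 12, 13, 15, 11, 14, 97],  # sudden spike
    "10.1.5.44": [40, 42, 39, 41, 43, 40, 38, 42, 41, 40, 39, 42, 41, 44],  # busy but steady
    "10.1.5.99": [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6],               # never talked out before
}


def baseline(history, min_days=7):
    """Mean and population stdev of the history, or None if too little data."""
    if len(history) < min_days:
        return None
    return mean(history), pstdev(history)


def is_anomalous(value, history, k=3.0, floor=5):
    """Return (flagged, threshold). The floor keeps a zero-variance baseline
    from alarming on trivially small counts."""
    b = baseline(history)
    if b is None:
        return False, None
    mu, sigma = b
    threshold = mu + max(k * sigma, floor)
    return value > threshold, threshold


def find_anomalies(counts, k=3.0, floor=5):
    """Walk each host's series, using only earlier days as the baseline
    so a spike never contaminates its own baseline."""
    findings = []
    for host, series in counts.items():
        for day, value in enumerate(series):
            flagged, threshold = is_anomalous(value, series[:day], k, floor)
            if flagged:
                findings.append({"host": host, "day": day, "value": value,
                                 "threshold": round(threshold, 1)})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(DAILY_COUNTS):
        print(f"{f['host']}: day {f['day']} count {f['value']} exceeds baseline threshold {f['threshold']}")
```

Only 10.1.5.20 (97 against a threshold around 18) and 10.1.5.99 (6 against the floor of 5) are reported; 10.1.5.44 stays quiet because its high volume is its normal. A SIEM does the same per event type and per asset, which is why the baseline has to be built from the asset's own history rather than a global one.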

8 Vendor Approaches
LogRhythm (http://logrhythm.com/)
QRadar (http://www.q1labs.com/)
Prism Microsystems (http://www.prismmicrosys.com/)
NitroSecurity (http://nitrosecurity.com/)

9 LogRhythm
Audit privileged user activity, such as new account creation, for greater operational transparency
Correlate privileged user behavior with specific network activity
View real-time activity and drill down based on relevant criteria
Map global relationships to identify communication involving suspicious sources and/or destinations
Visualize network communication to identify anomalous patterns and data transfers
Deliver real-time alerts on unauthorized access of sensitive data and information transfers to unapproved recipients
Independently audit and log data transfer to removable media such as USB drives and memory cards
Correlate access of sensitive data with printer logs and user activity
Independently monitor processes for increased awareness of potential malware and spyware

10 QRadar
Hardened, Linux-based appliance solution
Integrated flow collection enables passive profiling of network assets, applying context rules to discovered assets
Integration of external VA (vulnerability assessment) scanner results applies further context to rules and weights to incidents
Trend analysis and anomaly detection for detecting statistical anomalies and threshold violations
Ability to spot problems based on historical trends and current activity
Increased forensics by combining fully integrated network activity with log data
Agentless collection for most log sources, including Windows; Q1 Labs also provides an optional Windows agent, ALE, that reads event data and has plug-ins for sources such as IIS, SQL Server, etc.
Geo-location ability: find traffic location based on IP address
Product ships with 120 standard correlation rules and 1600 out-of-the-box report templates; adding site/industry-specific rules is easy
Q1 Labs auto-updates rules with every major release of QRadar
Correlation rule editor is simple to use; it resembles Microsoft Outlook's rules wizard
Appliance has a distributed database (ARIEL) that excels at write-once, read-many workloads and grows incrementally as you add QRadar appliances; this eliminates a separate backend database and enables efficient high availability
Segregation of duties based on job responsibility and business need
Reports are a single-pane view containing all relevant information for reporting and investigation

11 Prism Microsystems
Software-only solution running on Windows O/S
No database: log data is stored in compressed CAB files, SHA-1 hashed, with 92% compression of the raw logs
Integration into the current Active Directory environment; monitors logs from major vendors
Indexed search with custom keywords
Allows central management and deployment; monitors business-critical components
Database monitoring: MS SQL, Oracle, and others via ODBC
Point-and-click design of reports
Provides high-level dashboards down to low-level detail
Optional agents for Windows, Solaris BSM, IBM iSeries and AS/400
Windows agent features
 o central management / deployment capability
 o monitors USB drives, application logs, network connections, processes, change audits and configuration assessments

12 NitroSecurity
Fast database, from high-level summary down to packet level
No DBA management required
"Single pane of glass" GUI
Regular expression rules engine
Multiple filtering options
Passive database monitoring
Auto-discover feature to find "rogue" database instances
Resolves "pooled" connections for applications
Geo-location tracking
Linux-based appliance; FIPS 140-2 and Common Criteria EAL 3 certified

13 Summary

