security information management. thesis managing security event information is a difficult task ...
TRANSCRIPT
Security
InformationManagement
ThesisManaging security event information is a difficult taskMost successful deployments start with a clear understanding
of business needs And plans for what to do with the information
Security event information management tools are maturing and moving from the outside – in
But there are limitations regarding what the products can accomplish
Leveraging Security Event Information
Leveraging Security Event Information
AgendaWhy managing security event information is a difficult taskSolutions and technologyEmerging trendsRecommendations
Leveraging Security Event Information
AgendaWhy managing security event information is a difficult taskSolutions and technologyEmerging trendsRecommendations
Why Managing Security Event Information is…
Even finding a name for it is hard!Security Information Management (SIM)Security Event Management (SEM)Security Intelligence Management (SIM)Enterprise Security Management (ESM)Defense Information Management/Security Operations
Management (DIM/SOM) Just kidding about that last one…
This is: Security Event Information Management (SEIM)
Why Managing Security Event Information is…
“Billions and Billions” of eventsFirewalls, IDS,IPS, Anti-Virus,
Databases, Operating Systems,
Content filtersInformation overload
Lack of standards Difficult correlation
Making sense of event sequences that appear unrelatedFalse positives and validation issues
Why Managing Security Event Information is…
Business Objectives of SEIM – Increase overall security posture of an organization
Turn chaos into order Aggregate log file data from disparate sources Create holistic security views for compliance reporting Identify and track causal relationships in the network
in near real-time Build a historical forensic foundation
Why Managing Security Event Information is…
Things SEIMs can look forInternal policy compliance on hosts and systemsTrack usage throughout the enterprise
Access to strategic applications and servers
Password change eventsPath of a worm or virus through the network
What does your company want to look for with the SEIM?
Leveraging Security Event Information
AgendaWhy managing security event information is a difficult taskSolutions and technologyEmerging trendsRecommendations
INPUTS
• Access control• Directories• Provisioning
Identity Management
Agent Logging
• Host & DB configuration• Patch management• Vulnerability management
System Management
Agent Logging
COLLECTION / AGGREGATION / CORRELATION
Distributed collectors
Central / master collector
Security alerts
REAL-TIME ANALYSIS / RESPONSE
VISUALIZATION / ADMINISTRATION
Reports
Visualization
Policies / compliance rules
Signatures / attack patterns
OPERATIONS INTEGRATIONR
ES
PO
NS
E
RE
SP
ON
SE
LONG-TERM STORAGE / AUDIT / INVESTIGATIONNetwork / security operations
raw log101010001011100110
Help desk ticketing
• Routers• Firewalls• Content scanners
Perimeter Controls
Agent Logging
• Network IDS• Network IPS• Other sensors
IDS / Response
Agent Logging
Solutions and Technology
How the Products Work Collect
Inputs from target sources Agent and agentless methods
Aggregate Bring all the information to a central point
Normalize Translate disparate syntax into a standardized one
Correlate If A and B then C
Report State of health Policy conformance
Archive
Collect Aggregate Normalize Correlate Report Archive
Solutions and Technology
Understand the business case for the productBuild a strong set of requirementsWhat will it do?How will it add business value?
Understand the assetsPrioritize valueIt’s critical, but few products do this successfully today
Understand PoliciesWhat are the technical security policies?Data lifecycle considerations
Policies / compliance rules
Solutions and Technology
Consideration–Requirements for visualization?The Big Red ButtonTailoring views
Geographic Configurability Drill down options
Hierarchical views Cross-cutting data sharing CIO view, auditor view
Security alerts
VISUALIZATION / ADMINISTRATION
Reports
Visualization
Solutions and Technology
Consideration – What are the life cycle and storage needs? Internal policies
Archive everything? Best have a robust SAN! What information is critical to the business? What’s in those audit logs?
Regulatory requirements Normalization questions
Is the original log data still available? Has it been “normalized”?
Know where the backups will go Understand lifecycle and mining needs
Filters and searching- Can’t sift through petabytes of data manually
LONG-TERM STORAGE / AUDIT / INVESTIGATION
raw log101010001011100110
Solutions and Technology
Consideration–How the data will be used after its collected?
Will the data be used for Historical “forensics”?
Track back and replay
Legal forensics?
Legal Matters Chain of custody Tamper proof/evident Original audit/log data (not normalized) Integrity or “garbage in garbage out”
LONG-TERM STORAGE / AUDIT / INVESTIGATION
raw log101010001011100110
Leveraging Security Event Information
AgendaWhy managing security information is a difficult taskSolutions and technologyEmerging trendsRecommendations
Emerging Trends
“The Manager of Managers”Automated remediation, change and compliance managementBut will it break the separation of duties model?May be viable with larger vendors, but market longevity may
be a concern with smaller, niche vendors Identity Management and Security Event Information
Management Wireless LAN Security Information Voice Over IP Security Management Sharing Security Operations Center data with the Network
Operations Center
Emerging Trends
Early SEMs focused on gathering logs from the perimeter security devices
Firewalls, routersEvolution is toward a more comprehensive integrationTake in more input for greater visionMonitoring activity both inside the organization as well as on
the perimeterAdditional intelligence can lead to more precise correlation
Emerging Trends
Monitoring for AbuseAs the focus is turned inwardUser behavior can be capturedLinks back to Identity Management synch with SEIM
Emerging Trends
SEIM is not currently a standards-based approach Vendor proprietary approach to
Logging/Event reporting Normalization techniques
CVE – Common Vulnerabilities and Exposures “A dictionary, not a database” Creates standardized names for vulnerabilities
CVSS – Common Vulnerability Scoring System Standard ratings of vulnerabilities Very early stage
Leveraging Security Event Information
AgendaWhy managing security information is a difficult taskSolutions and technologyEmerging trendsRecommendations
Understand the business goals for the SEIM Determine which systems must be covered
What level of data gathering is required Appropriate storage mechanisms
Make some friends! Talk to others who have deployed SEIMs in environments similar to yours Since the SEIM may touch cross-enterprise systems, making friends inside
the organization is import too Build solid RFPs before speaking to vendors
Vendors like their products best (understandably) Make the SEIM work for your company, don’t compromise your business
requirements to fit into the SEIM vendor’s framework
Recommendations
Recommendations
Weigh vendor claims carefullyScalability can affect utility of the productThroughput, events per second (EPS) numbers may be
apples to oranges Take an architectural approach
Incorporate the SEIM into the network architectureConsider ability to integrate with existing network
systems managers consolesDon’t forget separation of duties requirementsFlexibility of solution for
Views, privacy, lifecycle and storage control
Recommendations
Remember you don’t need to solve world hunger, yet
Consider phased implementations
Cover a smaller subset of systems, perhaps on the perimeter
Before moving to more comprehensive, whole-enterprise, event information management deployments
• Routers• Firewalls• Content scanners
Perimeter Controls
Agent Logging
• Network IDS• Network IPS• Other sensors
Intrusion Detection / Response
Agent Logging
ConclusionManaging information security is a difficult taskSEIM is an emerging technology
With emerging capabilities and uses Not all products work the same way Or do the same things
To leverage security information Understand your needs before speaking to vendors The technology decision will be much easier if you know your
requirements up front
Leveraging Security Information