syslog for siem using isecurity
TRANSCRIPT
Syslog for SIEM ProductsUsing iSecurity
Real-Time Monitoring of IBM i Security Events
Syslog – Why and How?
• Fact: Multi platform environments are increasingly the norm worldwide
• Goal: • To consolidate relevant event information from multiple environments to a
single console• This requires a SIEM (Security Information & Event Manager) solution• Optimally, security event information should be both infrastructure related
and also application related.
• Method: Syslog is the most widely used protocol for sending alert messages in real time to SIEM solutions.
• iSecurity products for IBM i security, auditing and compliance interface with the SIEM solutions on the following slide
OEM
Business Partners
System Information & Event Manager (SIEM) Products
IBM i IBM iPCPC Linux Unix MF
Individual & Multiple IBM i Systems
iSecurity
Syslog (After optional filtering)
Typical Syslog Environment
… and other SIEM Products
Issue Real-Time Alerts via iSecurity Action
QAUDJRN (Audit)
Network Security
(Firewall)
Critical OS messages
(QSYSOPR/QSYSMSG)
Database Journals
(AP Journal)
Authority changes (Authority on
Demand)
Real-Time Alert handling in iSecurity
Execute CL Scripts
Send e-mail Write to SYSLOG Write to MSGQ
Send SMS text message,
SNMP, Twitter, etc.
6
ComplianceEvaluator
VisualizerSyslog, SNMP
Evaluation
Protection FirewallAuthority on DemandAnti-Virus ScreenPasswordNative Object SecurityCommand
Databases DB-GateAP-Journal View FileScope
iSecurity Overview – Syslog Coverage
Assessment
PCI, HIPAA, SOX orSecurity Breach orManagement Decision
Auditing Audit & ActionCapture User Management System ControlUser Profile & SV ReplicationChange TrackerCentral Admin
7
iSecurity Functional Overview- Syslog Coverage
EvaluationEvaluation
Compliance Evaluator for SOX, PCI,
HIPAA…
Visualizer- BI forsecurity
Syslog, SNMP for SIEM
AuditingAuditing Audit QAUDJRN, Status…Real-time Actions, CL scriptsCapture screen activityUser Management
Central Admin of multiple LPARSUser Profile & SV ReplicationTrack Source & Object Changes
ProtectionProtection Firewall FTP, ODBC,… accessObtain Authority on DemandMonitor CL Commands Native Object SecurityAnti-Virus protectionManage Screen Timeouts
DatabasesDatabases DB-Gate: SQL to non-DB2 DBs (Oracle, MS SQL,…) AP-Journal for DB audit, filter, archive, real-time alerts View/hide sensitive data FileScope secured file editor
SecurityAssessmentFREE!
PCI, HIPAA, SOX …
Security Breach
Management Decision
iSecurity Syslog Features (1/2)
• Sends security event alerts simultaneously to up to 3 SIEM products / IP addresses
• Sends security event information originating from:• the system’s infrastructure (QAUDJRN, network access, virus detection, user profile
changes, user requests for stronger authorities, etc.) • business-critical applications, both from field level writes & updates and also
unauthorized READ accesses to sensitive data
• Single keyword support for LEEF (QRadar) and CEF (ArcSight) formatted messages
• Supports UDP, TCP and encrypted TLS syslog types
iSecurity Syslog Features (2/2)
•Includes advanced filtering capabilities and specific severity settings to fine-tune which events are sent to a particular SIEM
•“Super fast” iSecurity Syslog implementation enables sending extremely high volumes of information with virtually no performance impact.
•Syslog message structure is easily definable by each site and can include event-specific values such as user profile name, IP address, field-level before & after values, etc.
•Syslog Self-Test enables pre-testing syslog messages to a local server before actually sending the messages to a remote Syslog server
Syslog Success Stories (names available upon request)
• Large insurance company
• Sends all field-level data changes via AP-Journal’s Syslog facility to SIEM
• Monitors changes to ensure that only authorized PROD* users who also have “change” authority, are the ones who changed data by more than X% or by a specific amount.
• More than 1000 transactions/second are sent via Syslog; CPU overhead <1%
• Benefit: It is much easer to manage the journal change file on a PC rather than on an IBM i
• AP-Journal also produces field-level change reports which are sent to corporate and application managers
• Second phase of the project was the integration of Syslog from Audit (based on QAUDJRN system journal) and Firewall
Syslog Success Stories (names available upon request)
• Very large mortgage bank
• Monitors all Firewall network access rejects, sending reject information via Syslog to SIEM
• Monitors all QAUDJRN system journal activities via Audit, sending important event information via Syslog
• SIEM performs advanced forensic analysis on Firewall and Audit log information
• Use iSecurity to provide audit reports to both internal and external auditors
Syslog Success Stories (names available upon request)
• Large national airport authority
• For years they sent alerts to internal AS/400 message queues. Simply by checking message headers, the Syslog facility now sends SNMP alerts to a SIEM product.
• All definitions of new user profiles with high authorities, or changes to such user profiles, are sent as SNMP alerts.
• Implemented “mass SNMP” capability; they defined which QAUDJRN audit types DO NOT send SNMP traps, and all QAUDJRN entries with the other audit types therefore automatically send, en masse, event information. Accomplished with very little overhead.
Main Control Screen for SIEM & DAM
Up to 3 SIEM servers are supported.
Syslog Attribute Definitions
Maximum message structure flexibility. Support for LEEF & CEF formats.
Syslog Parameters are easily defined.
This option is shown on the following slide.
Set Syslog handling per Audit sub-type
Severity level can be set for each audit entry-type / sub-type combination and for each of up to 3 SIEM servers.
Syslog Self-Test: Pre-test syslog messages locally before sending to remote Syslog server
GUI- Set Syslog handling per Audit sub-type
Variables beginning with & are replaced with actual event values. &DPRICE(B) is the previousprice (“before value”) of the item.
Defining Syslog message format in Action
Syslog messages: note multi-product, multi-system & multi-IP messages.
Syslog Messages in (free) Kiwi Syslog Daemon
Note real-time user-defined messages from AP-Journal include before and after quantity and price values.
Syslog Messages in (free) Kiwi Syslog Daemon
Syslog in iSecurity – Summary
• Easy to define, Easy to use, Easy to implement
• Fully parameterized, includes event-specific variable substitution
• Proven integration with nearly all SIEM products; native support for LEEF (QRadar) and CEF (ArcSight)
• Sends messages to up to 3 SIEM products simultaneously
• Supports UDP, TCP, TLS
• Includes Self-Test to send messages locally prior to sending to a remote Syslog server
• Case studies available