
Presentation Transcript


  1. Security Information Management

  2. Leveraging Security Event Information
  Thesis
  • Managing security event information is a difficult task
  • Most successful deployments start with a clear understanding of business needs, and plans for what to do with the information
  • Security event information management tools are maturing and moving from the outside in (perimeter devices first, then internal systems)
    • But there are limitations regarding what the products can accomplish

  3. Leveraging Security Event Information
  Agenda
  • Why managing security event information is a difficult task
  • Solutions and technology
  • Emerging trends
  • Recommendations

  5. Why Managing Security Event Information is…
  • Even finding a name for it is hard!
    • Security Information Management (SIM)
    • Security Event Management (SEM)
    • Security Intelligence Management (SIM)
    • Enterprise Security Management (ESM)
    • Defense Information Management/Security Operations Management (DIM/SOM)
    • Just kidding about that last one…
  • This deck uses: Security Event Information Management (SEIM); the industry has since settled on SIEM, Security Information and Event Management, for the same product category

  6. Why Managing Security Event Information is…
  • “Billions and billions” of events
    • Firewalls, IDS, IPS, anti-virus, databases, operating systems, content filters
  • Information overload
  • Lack of standards
  • Difficult correlation
    • Making sense of event sequences that appear unrelated
  • False positives and validation issues

  7. Why Managing Security Event Information is…
  • Business objectives of SEIM
    • Increase the overall security posture of the organization
    • Turn chaos into order
    • Aggregate log file data from disparate sources
    • Create holistic security views for compliance reporting
    • Identify and track causal relationships in the network in near real time
    • Build a historical forensic foundation

  8. Why Managing Security Event Information is…
  • Things SEIMs can look for
    • Internal policy compliance on hosts and systems
    • Track usage throughout the enterprise
    • Access to strategic applications and servers
    • Password change events
    • Path of a worm or virus through the network
  • What does your company want to look for with the SEIM?

  10. (Architecture diagram) Inputs feed logging agents, which feed distributed collectors and a central / master collector; from there events pass through collection / aggregation / correlation into real-time analysis / response and long-term storage / audit / investigation, and out to operations integration and visualization / administration, with response paths back toward the inputs.
  • Inputs
    • Perimeter controls: routers, firewalls, content scanners
    • IDS / response: network IDS, network IPS, other sensors
    • System management: host & DB configuration, patch management, vulnerability management
    • Identity management: access control, directories, provisioning
  • Collection / aggregation / correlation, driven by policies / compliance rules and signatures / attack patterns
  • Real-time analysis / response
  • Long-term storage / audit / investigation (raw log)
  • Operations integration and visualization / administration: security alerts, reports, help desk ticketing, visualization, network / security operations

  11. Solutions and Technology: How the Products Work
  (Pipeline diagram: Collect → Aggregate → Normalize → Correlate → Report → Archive)
  • Collect
    • Inputs from target sources
    • Agent and agentless methods
  • Aggregate
    • Bring all the information to a central point
  • Normalize
    • Translate disparate syntax into a standardized one
  • Correlate
    • If A and B then C
  • Report
    • State of health
    • Policy conformance
  • Archive
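
The collect / aggregate / normalize / correlate / report stages above, as an added example that is not code from the presentation: three vendor formats (an iptables-style firewall syslog line, an OpenSSH auth line and a Snort-style IDS alert) are normalized into one schema, then two "if A and B then C" rules run over the time-ordered stream. Every log line, the host-to-IP map, the year and the two-minute window are constructed assumptions for the example.

```python
"""Minimal SEIM pipeline: collect -> aggregate -> normalize -> correlate -> report.

Added example, not code from the presentation. The three source formats and
every event below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2005                        # syslog lines carry no year; assumed for the example
HOSTS = {"host1": "192.0.2.10"}    # assumed hostname -> IP mapping
WINDOW = timedelta(minutes=2)      # correlation window, chosen for the example

# "Collect" + "Aggregate": raw lines from disparate sources, already brought
# to one place, tagged with the source that produced them (constructed data).
RAW_EVENTS = [
    ("fw",  "Mar 10 10:00:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22"),
    ("ids", "[**] [1:2001219:20] ET SCAN Potential SSH Scan [**] 03/10-10:00:05.000 203.0.113.9:44021 -> 192.0.2.10:22"),
    ("ssh", "Mar 10 10:00:11 host1 sshd[412]: Failed password for admin from 203.0.113.9 port 44100 ssh2"),
    ("ssh", "Mar 10 10:00:13 host1 sshd[412]: Failed password for admin from 203.0.113.9 port 44101 ssh2"),
    ("ssh", "Mar 10 10:00:15 host1 sshd[412]: Failed password for admin from 203.0.113.9 port 44102 ssh2"),
    ("ssh", "Mar 10 10:00:20 host1 sshd[412]: Accepted password for admin from 203.0.113.9 port 44103 ssh2"),
    ("ssh", "Mar 10 10:05:00 host1 sshd[412]: Failed password for bob from 198.51.100.7 port 5000 ssh2"),
]

def _syslog_ts(s):
    return datetime.strptime(f"{YEAR} {s}", "%Y %b %d %H:%M:%S")

# "Normalize": one parser per vendor syntax, all emitting the same schema:
# ts, source, action, src_ip, dst_ip, dst_port, user.
def parse_fw(line):
    m = re.search(r"^(\w{3} +\d+ [\d:]+) .*? (DROP|ACCEPT) .*SRC=(\S+) DST=(\S+) .*DPT=(\d+)", line)
    return {"ts": _syslog_ts(m[1]), "source": "firewall",
            "action": "deny" if m[2] == "DROP" else "allow",
            "src_ip": m[3], "dst_ip": m[4], "dst_port": int(m[5]), "user": None}

def parse_ids(line):
    m = re.search(r"\[\*\*\] \[[\d:]+\] (.+?) \[\*\*\] (\d\d)/(\d\d)-([\d:]+)\.\d+ (\S+):\d+ -> (\S+):(\d+)", line)
    ts = datetime(YEAR, int(m[2]), int(m[3]), *map(int, m[4].split(":")))
    return {"ts": ts, "source": "ids", "action": "alert", "signature": m[1],
            "src_ip": m[5], "dst_ip": m[6], "dst_port": int(m[7]), "user": None}

def parse_ssh(line):
    m = re.search(r"^(\w{3} +\d+ [\d:]+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port", line)
    return {"ts": _syslog_ts(m[1]), "source": "sshd",
            "action": "login_fail" if m[3] == "Failed" else "login_ok",
            "src_ip": m[5], "dst_ip": HOSTS.get(m[2]), "dst_port": 22, "user": m[4]}

PARSERS = {"fw": parse_fw, "ids": parse_ids, "ssh": parse_ssh}

def normalize(raw_events):
    """Parse every raw line into the shared schema and order by timestamp."""
    return sorted((PARSERS[src](line) for src, line in raw_events), key=lambda e: e["ts"])

# "Correlate": two 'if A and B then C' rules over the time-ordered stream.
def correlate(events):
    alerts = []
    last_deny = {}              # src_ip -> time of the last firewall deny
    fails = defaultdict(list)   # (src_ip, user) -> recent failed-login times
    for e in events:
        key = (e["src_ip"], e["user"])
        if e["action"] == "deny":
            last_deny[e["src_ip"]] = e["ts"]
        elif e["action"] == "alert":
            # Rule 1: firewall deny followed by an IDS alert from the same source.
            if e["src_ip"] in last_deny and e["ts"] - last_deny[e["src_ip"]] <= WINDOW:
                alerts.append(("scan_confirmed", e["src_ip"], e["signature"]))
        elif e["action"] == "login_fail":
            fails[key] = [t for t in fails[key] if e["ts"] - t <= WINDOW] + [e["ts"]]
        elif e["action"] == "login_ok":
            # Rule 2: three or more failures then a success for the same (source, user).
            recent = [t for t in fails[key] if e["ts"] - t <= WINDOW]
            if len(recent) >= 3:
                alerts.append(("bruteforce_success", e["src_ip"], e["user"]))
            fails.pop(key, None)
    return alerts

# "Report": a state-of-health summary plus the correlated alerts.
def report(events, alerts):
    counts = defaultdict(int)
    for e in events:
        counts[e["source"]] += 1
    return {"events_by_source": dict(counts), "alerts": alerts}

def run(raw_events=RAW_EVENTS):
    events = normalize(raw_events)
    return report(events, correlate(events))

if __name__ == "__main__":
    print(run())
```

The point of the shared schema is that the rules never see vendor syntax: rule 2 would work unchanged for a Windows logon event once a parser maps it to the same action and user fields. Note also that the firewall deny at 10:00:01 and the IDS alert at 10:00:05 are unrelated events in their own logs and only become an alert because both carry a normalized src_ip and a comparable timestamp.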

  12. Solutions and Technology
  • Understand the business case for the product
  • Build a strong set of requirements
    • What will it do?
    • How will it add business value?
  • Understand the assets
    • Prioritize value
    • It’s critical, but few products do this successfully today
  • Understand policies
    • What are the technical security policies?
    • Data lifecycle considerations
  (Diagram callout: Policies / compliance rules)

  13. Solutions and Technology
  • Consideration: requirements for visualization?
    • The Big Red Button
    • Tailoring views
    • Geographic
    • Configurability
    • Drill-down options
    • Hierarchical views
    • Cross-cutting data sharing
    • CIO view, auditor view
  (Diagram callout: Visualization / Administration: security alerts, reports, visualization)

  14. Solutions and Technology
  • Consideration: what are the life cycle and storage needs?
    • Internal policies
    • Archive everything? Best have a robust SAN!
    • What information is critical to the business?
    • What’s in those audit logs?
    • Regulatory requirements
  • Normalization questions
    • Is the original log data still available?
    • Has it been “normalized”?
  • Know where the backups will go
  • Understand lifecycle and mining needs
    • Filters and searching: you can’t sift through petabytes of data manually
  (Diagram callout: Long-term storage / audit / investigation; raw log)

  15. Solutions and Technology
  • Consideration: how will the data be used after it’s collected?
  • Will the data be used for
    • Historical “forensics”? Track back and replay
    • Legal forensics?
  • Legal matters
    • Chain of custody
    • Tamper proof / tamper evident
    • Original audit/log data (not normalized)
    • Integrity, or “garbage in, garbage out”
  (Diagram callout: Long-term storage / audit / investigation; raw log)
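
The storage questions of slides 14 and 15 (is the original log still available, is the archive tamper evident, can the normalized view be trusted) can be answered by the archive design below. It is an added example, not code from the presentation: each record keeps the raw line untouched beside a normalized view, and a keyed hash chain over the raw lines makes edits, reordering and truncation detectable. The key, the firewall lines and the toy normalizer are constructed for the example.

```python
"""Tamper-evident raw log archive using a keyed hash chain.

Added example, not code from the presentation. Each archived record keeps
the original line byte-for-byte next to a normalized view, and chains an
HMAC over the raw line so that editing, reordering or truncating the
archive is detectable. Key, log lines and normalizer are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: in a real deployment this key (and the published head tag) is
# held away from the log store, e.g. in an HSM or on a separate host;
# otherwise whoever can rewrite the archive can also recompute the chain.
ARCHIVE_KEY = b"example-key-held-off-the-log-server"
GENESIS = b"\x00" * 32

# Constructed sample lines (iptables-style firewall syslog).
SAMPLE_LINES = [
    "Mar 10 10:00:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 DPT=22",
    "Mar 10 10:00:03 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 DPT=23",
    "Mar 10 10:00:04 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 DPT=443",
    "Mar 10 10:00:09 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 DPT=3389",
]

@dataclass(frozen=True)
class Record:
    seq: int          # position in the archive
    raw: str          # the original line, never rewritten
    normalized: dict  # derived view, regenerable from raw at any time
    tag: str          # hex HMAC(key, prev_tag || seq || raw)

def _tag(prev: bytes, seq: int, raw: str) -> bytes:
    h = hmac.new(ARCHIVE_KEY, digestmod=hashlib.sha256)
    h.update(prev)
    h.update(seq.to_bytes(8, "big"))
    h.update(raw.encode("utf-8"))
    return h.digest()

def normalize(raw: str) -> dict:
    """Toy normalizer: keep key=value tokens. The raw line stays the evidence."""
    return dict(tok.split("=", 1) for tok in raw.split() if "=" in tok)

def archive(lines):
    """Append each raw line to the chain, tagging it over the previous tag."""
    chain, prev = [], GENESIS
    for seq, raw in enumerate(lines):
        t = _tag(prev, seq, raw)
        chain.append(Record(seq, raw, normalize(raw), t.hex()))
        prev = t
    return chain

def head(chain) -> str:
    """The anchor to publish or store off-box after each archive run."""
    return chain[-1].tag if chain else GENESIS.hex()

def verify(chain, expected_head=None):
    """Recompute every tag from the raw lines. Returns (ok, first_bad_seq)."""
    prev = GENESIS
    for pos, rec in enumerate(chain):
        if rec.seq != pos:
            return False, pos
        t = _tag(prev, rec.seq, rec.raw)
        if not hmac.compare_digest(t.hex(), rec.tag):
            return False, rec.seq
        prev = t
    if expected_head is not None and not hmac.compare_digest(prev.hex(), expected_head):
        return False, len(chain)   # internally consistent, but shorter than published
    return True, None

def demo():
    chain = archive(SAMPLE_LINES)
    anchor = head(chain)
    # An attacker rewrites one line to hide a block; the stored tag no longer matches.
    edited = list(chain)
    r = edited[1]
    edited[1] = Record(r.seq, r.raw.replace("DROP", "ACCEPT"), normalize(r.raw), r.tag)
    # The attacker deletes the newest record instead: only the published head reveals it.
    truncated = chain[:-1]
    return {
        "clean": verify(chain, anchor),
        "edited": verify(edited, anchor),
        "truncated_unanchored": verify(truncated),
        "truncated_anchored": verify(truncated, anchor),
    }

if __name__ == "__main__":
    print(demo())
```

Two design choices matter for the legal questions on slide 15. The tag covers only the raw line, so the normalized dictionary is a convenience view that can be regenerated or corrected later without touching the evidence; and truncation of the newest records is invisible to the chain itself, which is why the head tag has to be recorded somewhere the log server cannot rewrite (a write-once store, a separate host, or a signed daily summary).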

  17. Emerging Trends
  • “The Manager of Managers”
    • Automated remediation, change and compliance management
    • But will it break the separation of duties model?
    • May be viable with larger vendors, but market longevity may be a concern with smaller, niche vendors
  • Identity Management and Security Event Information Management
  • Wireless LAN security information
  • Voice over IP security management
  • Sharing Security Operations Center data with the Network Operations Center

  18. Emerging Trends
  • Early SEMs focused on gathering logs from the perimeter security devices
    • Firewalls, routers
  • Evolution is toward a more comprehensive integration
    • Take in more input for greater vision
    • Monitoring activity both inside the organization as well as on the perimeter
    • Additional intelligence can lead to more precise correlation

  19. Emerging Trends
  • Monitoring for abuse
    • As the focus is turned inward, user behavior can be captured
    • Links back to Identity Management synchronization with the SEIM

  20. Emerging Trends
  • SEIM is not currently a standards-based approach
    • Vendor-proprietary approaches to logging/event reporting and to normalization techniques
  • CVE – Common Vulnerabilities and Exposures
    • “A dictionary, not a database”
    • Creates standardized names for vulnerabilities
  • CVSS – Common Vulnerability Scoring System
    • Standard ratings of vulnerabilities
    • Very early stage

  22. Recommendations
  • Understand the business goals for the SEIM
    • Determine which systems must be covered
    • What level of data gathering is required
    • Appropriate storage mechanisms
  • Make some friends!
    • Talk to others who have deployed SEIMs in environments similar to yours
    • Since the SEIM may touch cross-enterprise systems, making friends inside the organization is important too
  • Build solid RFPs before speaking to vendors
    • Vendors like their products best (understandably)
    • Make the SEIM work for your company; don’t compromise your business requirements to fit into the SEIM vendor’s framework

  23. Recommendations
  • Weigh vendor claims carefully
    • Scalability can affect the utility of the product
    • Throughput and events-per-second (EPS) numbers may be apples to oranges (ask whether a quoted EPS figure is sustained or peak, and whether it was measured before or after filtering and normalization)
  • Take an architectural approach
    • Incorporate the SEIM into the network architecture
    • Consider the ability to integrate with existing network systems managers’ consoles
    • Don’t forget separation of duties requirements
  • Flexibility of the solution for views, privacy, lifecycle and storage control

  24. Recommendations
  (Diagram excerpt: perimeter controls and intrusion detection / response feeding logging agents: routers, firewalls, content scanners, network IDS, network IPS, other sensors)
  • Remember you don’t need to solve world hunger, yet
  • Consider phased implementations
    • Cover a smaller subset of systems, perhaps on the perimeter
    • Before moving to more comprehensive, whole-enterprise event information management deployments

  25. Leveraging Security Information
  • Conclusion
    • Managing security event information is a difficult task
    • SEIM is an emerging technology, with emerging capabilities and uses
    • Not all products work the same way, or do the same things
  • To leverage security information
    • Understand your needs before speaking to vendors
    • The technology decision will be much easier if you know your requirements up front
