Security - Best IT Documents
Security Information Management
Leveraging Security Event Information
Thesis
Managing security event information is a difficult task
Most successful deployments start with a clear understanding of business needs and plans for what to do with the information
Security event information management tools are maturing and moving from the outside in
But there are limitations regarding what the products can accomplish
Leveraging Security Event Information
Agenda
Why managing security event information is a difficult task
Solutions and technology
Emerging trends
Recommendations
Why Managing Security Event Information is…
Even finding a name for it is hard!
Security Information Management (SIM)
Security Event Management (SEM)
Security Intelligence Management (SIM)
Enterprise Security Management (ESM)
Defense Information Management/Security Operations Management (DIM/SOM)
Just kidding about that last one…
This is: Security Event Information Management (SEIM)
Why Managing Security Event Information is…
“Billions and Billions” of events
Firewalls, IDS, IPS, Anti-Virus, Databases, Operating Systems, Content filters
Information overload
Lack of standards
Difficult correlation
Making sense of event sequences that appear unrelated
False positives and validation issues
Why Managing Security Event Information is…
Business Objectives of SEIM
Increase overall security posture of an organization
Turn chaos into order
Aggregate log file data from disparate sources
Create holistic security views for compliance reporting
Identify and track causal relationships in the network in near real-time
Build a historical forensic foundation
Why Managing Security Event Information is…
Things SEIMs can look for
Internal policy compliance on hosts and systems
Track usage throughout the enterprise
Access to strategic applications and servers
Password change events
Path of a worm or virus through the network
What does your company want to look for with the SEIM?
[Architecture diagram: SEIM reference architecture, read bottom-up]
INPUTS (each source feeds the SEIM through an agent or its own logging)
Identity Management
• Access control
• Directories
• Provisioning
System Management
• Host & DB configuration
• Patch management
• Vulnerability management
Perimeter Controls
• Routers
• Firewalls
• Content scanners
IDS / Response
• Network IDS
• Network IPS
• Other sensors
COLLECTION / AGGREGATION / CORRELATION
• Distributed collectors feeding a central / master collector
• Driven by policies / compliance rules and signatures / attack patterns
LONG-TERM STORAGE / AUDIT / INVESTIGATION
• Raw log archive
REAL-TIME ANALYSIS / RESPONSE
VISUALIZATION / ADMINISTRATION
• Security alerts
• Reports
• Visualization
OPERATIONS INTEGRATION / RESPONSE
• Help desk ticketing
• Network / security operations
Solutions and Technology
How the Products Work
Collect
• Inputs from target sources
• Agent and agentless methods
Aggregate
• Bring all the information to a central point
Normalize
• Translate disparate syntax into a standardized one
Correlate
• If A and B then C
Report
• State of health
• Policy conformance
Archive
[Diagram: pipeline Collect → Aggregate → Normalize → Correlate → Report → Archive]
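As an added illustration of the Normalize and Correlate steps above (example code, not from the original deck or any vendor product): two constructed log syntaxes are translated into one record schema, and a single "if A and B then C" rule is evaluated over the normalized stream. The regexes, field names and the sample lines are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events in two vendor-specific syntaxes (not real device output).
RAW_EVENTS = [
    "Mar 10 08:00:01 fw01 kernel: DENY TCP 203.0.113.5:51000 -> 10.0.0.7:22",
    "2024-03-10T08:00:05Z host07 sshd[991]: Failed password for root from 203.0.113.5 port 51001",
    "2024-03-10T08:00:09Z host07 sshd[992]: Failed password for root from 203.0.113.5 port 51002",
    "2024-03-10T08:00:14Z host07 sshd[993]: Accepted password for root from 203.0.113.5 port 51003",
]
FW_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
                   r"(?P<action>DENY|ALLOW) \S+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")
SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<action>Failed|Accepted) "
                    r"password for (?P<user>\S+) from (?P<src>[\d.]+)")
def normalize(line, year=2024):
    """Normalize: translate a vendor-specific line into one standard record (assumed schema)."""
    m = FW_RE.match(line)
    if m:  # classic syslog timestamps carry no year; the collector supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "host": m["host"], "src": m["src"], "user": None, "kind": "net",
                "outcome": "blocked" if m["action"] == "DENY" else "allowed"}
    m = SSH_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": ts, "host": m["host"], "src": m["src"], "user": m["user"], "kind": "auth",
                "outcome": "failure" if m["action"] == "Failed" else "success"}
    return None  # unknown syntax: no normalized record (the raw line still goes to the archive)

def correlate(events, threshold=2, window=timedelta(minutes=5)):
    """Correlate, 'if A and B then C': A = at least `threshold` auth failures from one source,
    B = a later auth success from that source inside `window`, C = an alert record."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] != "auth":
            continue
        if ev["outcome"] == "failure":
            failures[ev["src"]].append(ev["ts"])
        else:
            recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"src": ev["src"], "user": ev["user"], "host": ev["host"],
                               "failures": len(recent), "at": ev["ts"]})
    return alerts

def run_pipeline(lines):
    """Collect -> Aggregate -> Normalize -> Correlate for one batch of raw lines."""
    normalized = [rec for rec in map(normalize, lines) if rec]
    return normalized, correlate(normalized)
```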
Solutions and Technology
Understand the business case for the product
Build a strong set of requirements
What will it do?
How will it add business value?
Understand the assets
Prioritize value
It’s critical, but few products do this successfully today
Understand Policies
What are the technical security policies?
Data lifecycle considerations
Solutions and Technology
Consideration: Requirements for visualization?
The Big Red Button
Tailoring views
Geographic
Configurability
Drill down options
Hierarchical views
Cross-cutting data sharing
CIO view, auditor view
Solutions and Technology
Consideration: What are the life cycle and storage needs?
Internal policies
Archive everything? Best have a robust SAN!
What information is critical to the business?
What’s in those audit logs?
Regulatory requirements
Normalization questions
Is the original log data still available?
Has it been “normalized”?
Know where the backups will go
Understand lifecycle and mining needs
Filters and searching: you can’t sift through petabytes of data manually
Solutions and Technology
Consideration: How will the data be used after it is collected?
Will the data be used for
Historical “forensics”?
Track back and replay
Legal forensics?
Legal Matters
Chain of custody
Tamper proof/evident
Original audit/log data (not normalized)
Integrity, or “garbage in, garbage out”
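The tamper-evident and original-data points above, as an added example (not from the original deck): raw lines are archived verbatim in a SHA-256 hash chain, and a verifier reports the first record whose content, order or presence no longer matches the chain head. The record layout, the genesis value and the sample lines are assumptions made for this example.

```python
import hashlib
import json

# Constructed raw audit lines (not real device output). The archive keeps the bytes
# verbatim; normalized copies live elsewhere and are never the evidentiary record.
RAW_LINES = [
    "Mar 10 08:00:01 fw01 kernel: DENY TCP 203.0.113.5:51000 -> 10.0.0.7:22",
    "2024-03-10T08:00:05Z host07 sshd[991]: Failed password for root from 203.0.113.5 port 51001",
    "2024-03-10T08:00:14Z host07 sshd[993]: Accepted password for root from 203.0.113.5 port 51003",
]
GENESIS = "0" * 64  # assumed chain anchor for the first record

def _record_hash(prev_hash, seq, raw):
    # The digest covers the previous digest, the sequence number and the untouched raw
    # line, so editing, deleting or reordering any record invalidates every later one.
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(str(seq).encode())
    h.update(raw.encode("utf-8"))
    return h.hexdigest()

def archive(lines, prev_hash=GENESIS):
    """Append raw lines as a hash chain; returns the records and the chain head, which is
    stored out of band (e.g. with the custody log) so the archive cannot be silently rewritten."""
    records = []
    for seq, raw in enumerate(lines):
        digest = _record_hash(prev_hash, seq, raw)
        records.append({"seq": seq, "raw": raw, "prev": prev_hash, "hash": digest})
        prev_hash = digest
    return records, prev_hash

def verify(records, head):
    """Recompute the chain against the stored head. Returns (ok, first_bad_seq);
    first_bad_seq is None when intact, or len(records) if the tail was truncated."""
    prev = GENESIS
    for expected_seq, rec in enumerate(records):
        if rec["seq"] != expected_seq or rec["prev"] != prev:
            return False, expected_seq
        if _record_hash(prev, expected_seq, rec["raw"]) != rec["hash"]:
            return False, expected_seq
        prev = rec["hash"]
    return (True, None) if prev == head else (False, len(records))

def altered_copy(records, seq, old, new):
    """Integrity test fixture: a deep copy of the archive with one raw record rewritten."""
    copy = json.loads(json.dumps(records))
    copy[seq]["raw"] = copy[seq]["raw"].replace(old, new)
    return copy
```

Keeping the chain head with the chain-of-custody record is what makes a later "the archive was never changed" claim checkable rather than asserted.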
Emerging Trends
“The Manager of Managers”
Automated remediation, change and compliance management
But will it break the separation of duties model?
May be viable with larger vendors, but market longevity may be a concern with smaller, niche vendors
Identity Management and Security Event Information Management
Wireless LAN Security Information
Voice Over IP Security Management
Sharing Security Operations Center data with the Network Operations Center
Emerging Trends
Early SEMs focused on gathering logs from the perimeter security devices
Firewalls, routers
Evolution is toward a more comprehensive integration
Take in more input for greater vision
Monitoring activity both inside the organization as well as on the perimeter
Additional intelligence can lead to more precise correlation
Emerging Trends
Monitoring for Abuse
As the focus is turned inward
User behavior can be captured
Links back to Identity Management synch with SEIM
Emerging Trends
SEIM is not currently a standards-based approach
Vendor proprietary approach to
Logging/Event reporting
Normalization techniques
CVE – Common Vulnerabilities and Exposures
“A dictionary, not a database”
Creates standardized names for vulnerabilities
CVSS – Common Vulnerability Scoring System
Standard ratings of vulnerabilities
Very early stage
Recommendations
Understand the business goals for the SEIM
Determine which systems must be covered
What level of data gathering is required
Appropriate storage mechanisms
Make some friends!
Talk to others who have deployed SEIMs in environments similar to yours
Since the SEIM may touch cross-enterprise systems, making friends inside the organization is important too
Build solid RFPs before speaking to vendors
Vendors like their products best (understandably)
Make the SEIM work for your company; don’t compromise your business requirements to fit into the SEIM vendor’s framework
Recommendations
Weigh vendor claims carefully
Scalability can affect utility of the product
Throughput and events per second (EPS) numbers may be apples to oranges
Take an architectural approach
Incorporate the SEIM into the network architecture
Consider the ability to integrate with existing network and systems management consoles
Don’t forget separation of duties requirements
Flexibility of the solution for views, privacy, lifecycle and storage control
Recommendations
Remember you don’t need to solve world hunger, yet
Consider phased implementations
Cover a smaller subset of systems, perhaps on the perimeter
Before moving to more comprehensive, whole-enterprise, event information management deployments
[Diagram: first-phase inputs only, each with agent and logging]
Perimeter Controls
• Routers
• Firewalls
• Content scanners
Intrusion Detection / Response
• Network IDS
• Network IPS
• Other sensors
Leveraging Security Information
Conclusion
Managing information security is a difficult task
SEIM is an emerging technology
With emerging capabilities and uses
Not all products work the same way
Or do the same things
To leverage security information
Understand your needs before speaking to vendors
The technology decision will be much easier if you know your requirements up front