Syslog for SIEM using iSecurity Presentation - Raz-Lee


Syslog for SIEM Products
Using iSecurity
Real-Time Monitoring of
IBM i Security Events
Syslog – Why and How?
• Fact: Multi-platform environments are increasingly the norm worldwide
• Goal:
  • To consolidate relevant event information from multiple environments to a single console
  • This requires a SIEM (Security Information & Event Manager) solution
  • Optimally, security event information should be both infrastructure related and also application related.
• Method: Syslog is the most widely used protocol for sending alert messages in real time to SIEM solutions.
• iSecurity products for IBM i security, auditing and compliance interface with the SIEM solutions on the following slide
Typical Syslog Environment (diagram): iSecurity on individual and multiple IBM i systems, alongside PC, Linux, Unix and mainframe (MF) sources, sends Syslog (after optional filtering) to System Information & Event Manager (SIEM) products from business partners and OEMs, and to other SIEM products.
Real-Time Alert handling in iSecurity (diagram)
• Event sources: QAUDJRN (Audit); Network Security (Firewall); Critical OS messages (QSYSOPR/QSYSMSG); Database Journals (AP Journal); Authority changes (Authority on Demand)
• iSecurity Action issues real-time alerts: execute CL scripts; send e-mail; write to SYSLOG; write to MSGQ; send SMS text message, SNMP, Twitter, etc.
Syslog supported in nearly all iSecurity solutions!
* Indicates syslog is not relevant for solution
• Drivers: PCI, HIPAA, SOX, JSOX, FDA, Local Regulations, Auditor’s Requests…; Security Breach; Management Decision; Security Assessment (free)
• Auditing
  • Audit QAUDJRN, Status…
  • Real-time Actions, CL scripts
  • Capture screen activity
  • Compliance: Users, Native, IFS
  • Change Tracker
  • User Provisioning
• Protection
  • Firewall FTP, ODBC,… access
  • Obtain Authority on Demand
  • Monitor CL Commands
  • Password Reset
  • 2 Factor Authentication*
  • Anti-Virus protection
• Encryption
  • DB2 Field Encryption* (FIELDPROC)
  • PGP Encryption*
• Database
  • AP-Journal DB Audit, Filter, Alerts, SIEM
  • DB-Gate* Native SQL to Oracle, MSSQL..
  • FileScope Secured file editor
• Evaluation
  • Visualizer* Business Intelligence for Security
  • Compliance Evaluator* for SOX, PCI, HIPAA…
• SIEM/DAM Support
  • Syslog, SNMP
  • Central Admin* Multi LPARs
iSecurity Syslog Features (1/2)
• Sends security event alerts simultaneously to up to 3 SIEM products / IP addresses
• Sends security event information originating from:
  • the system’s infrastructure (QAUDJRN, network access, virus detection, user profile changes, user requests for stronger authorities, etc.)
  • business-critical applications, both from field-level writes & updates and also unauthorized READ accesses to sensitive data
• Single keyword support for LEEF (QRadar) and CEF (ArcSight) formatted messages
• Supports UDP, TCP and encrypted TLS syslog types
iSecurity Syslog Features (2/2)
• Includes advanced filtering capabilities and specific severity settings to fine-tune which events are sent to a particular SIEM
• “Super fast” iSecurity Syslog implementation enables sending extremely high volumes of information with virtually no performance impact.
• Syslog message structure is easily definable by each site and can include event-specific values such as user profile name, IP address, field-level before & after values, etc.
• Syslog Self-Test enables pre-testing syslog messages to a local server before actually sending the messages to a remote Syslog server
Syslog Success Stories (names available upon request)
• Large insurance company
  • Sends all field-level data changes via AP-Journal’s Syslog facility to SIEM
  • Monitors changes to ensure that only authorized PROD* users who also have “change” authority are the ones who changed data by more than X% or by a specific amount.
  • More than 1000 transactions/second are sent via Syslog; CPU overhead <1%
  • Benefit: It is much easier to manage the journal change file on a PC rather than on an IBM i
  • AP-Journal also produces field-level change reports which are sent to corporate and application managers
  • Second phase of the project was the integration of Syslog from Audit (based on the QAUDJRN system journal) and Firewall
Syslog Success Stories (names available upon request)
• Very large mortgage bank
  • Monitors all Firewall network access rejects, sending reject information via Syslog to SIEM
  • Monitors all QAUDJRN system journal activities via Audit, sending important event information via Syslog
  • SIEM performs advanced forensic analysis on Firewall and Audit log information
  • Uses iSecurity to provide audit reports to both internal and external auditors
Syslog Success Stories (names available upon request)
• Large national airport authority
  • For years they sent alerts to internal AS/400 message queues. Simply by checking message headers, the Syslog facility now sends SNMP alerts to a SIEM product.
  • All definitions of new user profiles with high authorities, or changes to such user profiles, are sent as SNMP alerts.
  • Implemented “mass SNMP” capability; they defined which QAUDJRN audit types DO NOT send SNMP traps, and all QAUDJRN entries with the other audit types therefore automatically send, en masse, event information. Accomplished with very little overhead.
Main Control Screen for SIEM & DAM
Up to 3 SIEM servers are supported.
Syslog Attribute Definitions
Syslog parameters are easily defined. Maximum message structure flexibility. Support for LEEF & CEF formats. This option is shown on the following slide.
Set Syslog handling per Audit sub-type
Severity level can be set for each audit entry-type / sub-type combination and for each of up to 3 SIEM servers.
Syslog Self-Test: Pre-test syslog messages locally before sending to remote Syslog server
GUI: Set Syslog handling per Audit sub-type
Defining Syslog message format in Action
Variables beginning with & are replaced with actual event values. &DPRICE(B) is the previous price (“before value”) of the item.
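The slides describe three mechanisms without showing them together: &-variable substitution in the message template (with (B)/(A) selecting before and after values), LEEF/CEF output for QRadar and ArcSight, and a severity threshold per SIEM server for up to 3 destinations. The following is an added illustration, not Raz-Lee code: the event, the uppercase variable-name convention, the product version "1.0" and the SIEM host names are all constructed assumptions.

```python
import re

# Constructed sample event, modelled on the AP-Journal price-change message the slides describe.
# Fields with before/after values are stored as {"B": before, "A": after}.
SAMPLE_EVENT = {
    "USER": "PRDUSER1",
    "IP": "10.1.2.3",
    "FILE": "ITEMMAST",
    "DPRICE": {"B": "19.99", "A": "24.99"},
    "DQTY": {"B": "100", "A": "95"},
}

# Matches &NAME or &NAME(B) / &NAME(A); the uppercase-name convention is an assumption.
_VAR = re.compile(r"&([A-Z][A-Z0-9]*)(?:\(([AB])\))?")

def render(template, event):
    """Replace &VAR tokens with event values; unknown or incomplete tokens are left
    untouched so a mistyped template is visible in the Self-Test output."""
    def sub(m):
        name, side = m.group(1), m.group(2)
        value = event.get(name)
        if isinstance(value, dict):          # before/after field needs (B) or (A)
            return value.get(side, m.group(0)) if side else m.group(0)
        return value if value is not None else m.group(0)
    return _VAR.sub(sub, template)

def _cef_escape(s, header=False):
    s = s.replace("\\", "\\\\")
    return s.replace("|", "\\|") if header else s.replace("=", "\\=")

def to_cef(event_id, name, severity, ext):
    """CEF header fields are pipe-separated; the extension is key=value pairs (version is assumed)."""
    head = "|".join(_cef_escape(x, True) for x in ("Raz-Lee", "iSecurity", "1.0", event_id, name, str(severity)))
    body = " ".join(f"{k}={_cef_escape(v)}" for k, v in ext.items())
    return f"CEF:0|{head}|{body}"

def to_leef(event_id, ext):
    """LEEF 1.0 header, then tab-separated key=value attributes for QRadar."""
    body = "\t".join(f"{k}={v}" for k, v in ext.items())
    return f"LEEF:1.0|Raz-Lee|iSecurity|1.0|{event_id}|{body}"

# Up to 3 SIEM destinations, each with its own minimum severity (constructed hosts).
SIEM_SERVERS = [
    {"host": "siem1.example", "min_severity": 3},
    {"host": "siem2.example", "min_severity": 7},
    {"host": "127.0.0.1", "min_severity": 0},    # local Self-Test listener
]

def route(severity, servers=SIEM_SERVERS):
    """Return the hosts whose per-server threshold this event's severity meets."""
    return [s["host"] for s in servers[:3] if severity >= s["min_severity"]]
```

Rendering the template first and then wrapping the result in CEF or LEEF keeps the site-defined message text and the SIEM-specific framing separate, which is what makes a local Self-Test of the rendered text meaningful before the remote server ever sees it.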
Syslog Messages in (free) Kiwi Syslog Daemon
Syslog messages: note multi-product, multi-system & multi-IP messages.
Syslog Messages in (free) Kiwi Syslog Daemon
Note real-time user-defined messages from AP-Journal include before and after quantity and price values.
Syslog in iSecurity – Summary
• Easy to define, Easy to use, Easy to implement
• Fully parameterized, includes event-specific variable substitution
• Proven integration with nearly all SIEM products; native support for LEEF (QRadar) and CEF (ArcSight)
• Sends messages to up to 3 SIEM products simultaneously
• Supports UDP, TCP, TLS
• Includes Self-Test to send messages locally prior to sending to a remote Syslog server
• Success Stories available
Thank You!
Visit us at
www.razlee.com