Log-SIEM-Presentation.pdf

Customer Presentation

Security Information and Event Management (SIEM)

Gamini Bulumulle Ph.D.

Orlando, FL

Gamini Bulumulle Presentation

June 15, 2016

Agenda

●  Introduction

●  Presentation

●  Backup Slides


Why Are Security Incidents Important?

●  Security Incident response has become one of the primary functions of today’s information security department (SP800-61rev2: Computer Security Incident Handling Guide).

●  Federal law requires Federal agencies to report incidents to the United States Computer Emergency Readiness Team (US-CERT).


Why Are Security Incidents Important? (Continued)

●  Organizations must create, provision, and operate a formal incident response capability.

●  Increased importance is due to ever-increasing attacks against networks and systems.

●  Security Incident management effectiveness is increased by using a SIEM.


What is a SIEM?

●  SIEM technology is used in many enterprise organizations to provide real-time reporting and analysis of security events.

●  According to NIST, SIEM software is a relatively new type of centralized logging software compared to syslog (IETF, RFC 5424).

●  The SANS Institute Log Management Survey shows that 51 percent of respondents ranked collecting logs as their most critical challenge.


Why use a SIEM?

●  Point security solutions provide log messages about critical network events.

●  Main focus on firewalls and IDS/IPS devices.

●  Correlation of events from multiple security points reduces false positives.


High Level Enterprise SIEM Architecture

[Diagram: Web Server, IDS, Firewall and Proxy Server each forward Logs to the SIEM Server Console]

SIEM Functions:

There are four major functions of SIEM solutions:

1. Log Consolidation – centralized logging to a server.

2. Threat Correlation – multiple logs and log entries to identify attackers.


SIEM Functions: Continued

3. Incident Management – What happens once a threat is identified?

●  Notification – email, pagers, notices to enterprise managers

●  Trouble Ticket Creation

●  Automated responses – execution of scripts

●  Response and Remediation logging

4. Reporting

●  Operational Efficiency/Effectiveness

●  Compliance / SOX, HIPAA, FISMA, FFIEC....

●  Ad Hoc / Forensic Investigations
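The following is an added example and is not part of the original slides. It shows the first two SIEM functions listed above (log consolidation, threat correlation) on a handful of constructed RFC 5424 syslog lines from a firewall, an IDS and a web server, and it illustrates the point made on the "Why use a SIEM?" slide: an IDS hit corroborated by firewall denies from the same source is a stronger alert than either log alone. Hostnames, addresses, application names and signature text are all made up for the example.

```python
"""Added example, not part of the original slides: log consolidation and
threat correlation over constructed RFC 5424 syslog lines. Hostnames,
addresses, app names and signature text are made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)
SRC_IP = re.compile(r"src=(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample: three point devices forwarding to one collector.
RAW_LOGS = [
    "<134>1 2016-06-15T10:00:01Z fw01 pfw - - - action=deny src=203.0.113.5 dst=10.0.0.8 dport=22",
    "<134>1 2016-06-15T10:00:09Z fw01 pfw - - - action=deny src=203.0.113.5 dst=10.0.0.8 dport=23",
    '<132>1 2016-06-15T10:00:15Z ids01 snort - - - sig="PORTSCAN detected" src=203.0.113.5 dst=10.0.0.8',
    "<134>1 2016-06-15T10:02:30Z fw01 pfw - - - action=deny src=198.51.100.7 dst=10.0.0.8 dport=445",
    "<134>1 2016-06-15T10:05:00Z web01 httpd - - - GET /index.html 200 src=192.0.2.44",
]


def parse_syslog(line):
    """Log consolidation: normalise one RFC 5424 line into an event dict.
    Returns None for lines that do not parse, so they never reach correlation
    unnoticed (a real collector would count and review those separately)."""
    m = RFC5424.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    ip = SRC_IP.search(m["msg"])
    return {
        # the constructed sample uses UTC 'Z' timestamps only
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "facility": pri // 8,   # PRI = facility * 8 + severity
        "severity": pri % 8,
        "host": m["host"],
        "app": m["app"],
        "msg": m["msg"],
        "src": ip.group(1) if ip else None,
    }


def correlate(events, window=timedelta(minutes=5)):
    """Threat correlation: a lone firewall deny is background noise, but an IDS
    signature plus firewall denies from the same source inside `window` is one
    alert that names the source and carries both devices' evidence."""
    by_src = defaultdict(list)
    for e in events:
        if e["src"]:
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        denies = [e for e in evs if e["app"] == "pfw" and "action=deny" in e["msg"]]
        for hit in (e for e in evs if e["app"] == "snort"):
            nearby = [d for d in denies if abs(d["ts"] - hit["ts"]) <= window]
            if nearby:
                alerts.append({
                    "src": src,
                    "signature": hit["msg"],
                    "fw_denies": len(nearby),
                    "first_seen": min(e["ts"] for e in nearby + [hit]),
                })
    return alerts


def consolidate_and_correlate(lines=RAW_LOGS):
    """Run both stages; returns (parsed events, correlated alerts)."""
    events = [e for e in map(parse_syslog, lines) if e is not None]
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = consolidate_and_correlate()
    print(f"{len(events)} events consolidated, {len(alerts)} correlated alert(s)")
    for a in alerts:
        print(f"  {a['first_seen'].isoformat()} {a['src']}: {a['signature']} "
              f"(+{a['fw_denies']} firewall denies)")
```

With the sample above, the five lines consolidate into one alert for 203.0.113.5 (IDS signature plus two firewall denies), while the lone deny from 198.51.100.7 and the web server request stay plain events. In practice the parser would also have to accept fractional seconds and numeric UTC offsets, which RFC 5424 allows but this constructed sample does not use.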


Importance of Log Data:

Event log data is the single most underutilized source of information within the organization. Logs tell the story that other debugging techniques miss...

*Source: Ken Thompson and Dennis Ritchie, Bell Labs


What are We Collecting: Source Device Protocols

●  Syslog

●  SNMP

●  Windows event logging API

●  FTP

●  Cisco IDS POP/RDEP/SDEE

●  Palo Alto IDS/IPS


Security Logs: Events, Alerts & Incidents

●  In the event of a security incident, we should be able to handle as many events as ALL our devices could simultaneously produce.

●  But that isn’t a likely scenario, nor is it practical or necessary.

●  So, it is critical to create a methodology (policy) for prioritizing and capturing the pertinent events.


Creating Policies:

●  Before creating a policy, let’s discuss: what constitutes an Event, an Alert and an Incident?

●  When creating a policy, it is imperative to distinguish among an event, an alert and an incident.

●  Failure to do so can lead to the misclassification of events and alerts as incidents, and this could be costly.


Approach: What constitutes an Incident?

●  Event: Any action that is directed at an object (e.g., a file) and attempts to change the state of that object is an event.

●  When events are found, further analysis is necessary: evaluate whether they match a signature-based or an anomaly-based condition.

●  If an event matches the preset condition, then generate alerts.


What constitutes an Incident?

Alerts: These are flagged events and must be further scrutinized to confirm that the event occurrence is an incident.

Types of Incidents:

●  Denial of Service

●  Malicious Code

●  Unauthorized Access

●  Inappropriate Usage

[Diagram: Events → Alerts → Incidents]

Creating a Policy: General Requirements

●  Capturing logs from all the devices?

●  What is the percentage of events to be logged?

●  What are the requirements for an event to be classified as an alert?

●  What are the requirements for an alert to be classified as an incident?


Creating a Policy: General Requirements (Continued)

●  Capture logs from all systems that handle confidential information, accept network connections, or make access control (authentication and authorization) decisions.

●  Record and retain audit-logging information. Example: what activity was performed, who (subject) performed the activity, and on what object?

●  Logs are created by activities such as: create, read, update, or delete confidential information, including confidential authentication information such as passwords.
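The following is an added example and is not part of the original slides. It writes the logging policy asked for by the two "Creating a Policy: General Requirements" slides as reviewable data, then applies it the way the "Approach" slide describes: in-scope events are checked against a signature-based or anomaly-based condition to become alerts, and alerts become incidents of the four types listed earlier. The batch of events is constructed; device names, accounts, addresses and signature names are made up, and the thresholds are illustrative values, not recommendations.

```python
"""Added example, not part of the original slides: a logging policy as data,
applied to a constructed event batch to produce alerts, incidents and the
event -> alert -> incident funnel. Names, accounts, addresses, signature
names and thresholds are all made up for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

POLICY = {
    # Q1/Q2: capture and retain from devices that make access-control decisions,
    # accept connections or hold confidential data; anything else is not logged.
    "in_scope_types": {"firewall", "ids", "auth", "db"},
    # Q3: conditions that turn an event into an alert
    "failed_login_threshold": 5,                  # anomaly: N failures per account+source
    "failed_login_window": timedelta(minutes=2),  # ... inside this window
    "confidential_objects": {"customers.ssn"},    # any read/update/delete is flagged
    # Q4: alerts of one rule on one key needed for an incident, and the incident type
    "incident_rules": {
        "failed_logins": ("Unauthorized Access", 1),
        "signature": ("Malicious Code", 2),
        "confidential_access": ("Inappropriate Usage", 3),
    },
}
T0 = datetime(2016, 6, 15, 10, 0, 0)

def ev(offset, type_, host, subject, obj, action, outcome, src="-"):
    """Normalised event: who (subject) did what (action) to which object, where."""
    return {"ts": T0 + timedelta(seconds=offset), "type": type_, "host": host,
            "subject": subject, "object": obj, "action": action,
            "outcome": outcome, "src": src}

EVENTS = [  # constructed batch
    ev(0, "firewall", "fw01", "-", "tcp/443", "allow", "success", "192.0.2.10"),
    ev(5, "firewall", "fw01", "-", "tcp/443", "allow", "success", "192.0.2.11"),
    ev(10, "printer", "prn07", "-", "job", "print", "success"),   # out of scope
    *[ev(20 + 10 * i, "auth", "dc01", "alice", "login", "authenticate", "failure",
         "203.0.113.5") for i in range(5)],                      # five failures in 40 s
    ev(80, "auth", "dc01", "bob", "login", "authenticate", "failure", "198.51.100.9"),
    ev(90, "auth", "dc01", "bob", "login", "authenticate", "success", "198.51.100.9"),
    ev(100, "ids", "web01", "-", "sig:PORTSCAN", "detect", "-", "203.0.113.5"),
    ev(160, "ids", "web01", "-", "sig:EXPLOIT attempt", "detect", "-", "203.0.113.5"),
    ev(200, "db", "db01", "bob", "customers.ssn", "read", "success", "10.0.0.20"),
]

def events_to_alerts(events, policy):
    """Q3: an alert is an event (or burst of events) that met a preset condition."""
    alerts, failures = [], defaultdict(list)
    for e in events:
        if e["type"] == "ids":                                   # signature based
            alerts.append({"rule": "signature", "key": e["host"], "ts": e["ts"]})
        elif (e["type"] == "db" and e["object"] in policy["confidential_objects"]
              and e["action"] in {"read", "update", "delete"}):
            alerts.append({"rule": "confidential_access", "key": e["subject"], "ts": e["ts"]})
        elif e["type"] == "auth" and e["outcome"] == "failure":
            failures[(e["subject"], e["src"])].append(e["ts"])
    # anomaly based: sliding window over failures for one account from one source
    for (subject, _src), times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > policy["failed_login_window"]:
                start += 1
            if end - start + 1 >= policy["failed_login_threshold"]:
                alerts.append({"rule": "failed_logins", "key": subject, "ts": t})
                break                                            # one alert per burst
    return alerts

def alerts_to_incidents(alerts, policy):
    """Q4: enough alerts of one rule against one key become a typed incident."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[(a["rule"], a["key"])].append(a)
    incidents = []
    for (rule, key), group in grouped.items():
        kind, needed = policy["incident_rules"][rule]
        if len(group) >= needed:
            incidents.append({"type": kind, "key": key, "alerts": len(group),
                              "first_seen": min(a["ts"] for a in group)})
    return incidents

def run_policy(events=EVENTS, policy=POLICY):
    """Apply the policy and report the event -> alert -> incident funnel."""
    logged = [e for e in events if e["type"] in policy["in_scope_types"]]
    alerts = events_to_alerts(logged, policy)
    incidents = alerts_to_incidents(alerts, policy)
    def pct_fewer(n):  # percentage reduction relative to logged events
        return round(100.0 * (1 - n / len(logged)), 2) if logged else 0.0
    return {"events_received": len(events), "events_logged": len(logged),
            "alerts": alerts, "incidents": incidents,
            "alert_reduction_pct": pct_fewer(len(alerts)),
            "incident_reduction_pct": pct_fewer(len(incidents))}

if __name__ == "__main__":
    r = run_policy()
    print(f"events received {r['events_received']}, logged {r['events_logged']}, "
          f"alerts {len(r['alerts'])} ({r['alert_reduction_pct']}% fewer), "
          f"incidents {len(r['incidents'])} ({r['incident_reduction_pct']}% fewer)")
    for i in r["incidents"]:
        print(f"  {i['type']}: {i['key']} ({i['alerts']} alert(s), first {i['first_seen'].isoformat()})")
```

On the constructed batch, 13 events arrive, 12 are in scope and retained, 4 become alerts (two IDS signatures, one confidential read, one failed-login burst) and 2 become incidents: the burst against alice is Unauthorized Access, the two signatures on web01 are Malicious Code, while bob's single confidential read stays an alert because the policy asks for three before declaring Inappropriate Usage. Keeping the thresholds in POLICY rather than in code is what lets the distinction between event, alert and incident be reviewed and tuned without touching the detection logic.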


Real World Example

Manufacturing Company Central USA – 24 hour average, un-tuned SIEM day of deployment.


Number of Events/Day (24 Hrs):   397471   (5 EPS)

Number of Alerts generated:        3722   (99.06% reduction from events)

Number of Incidents/day:            170   (99.96% reduction from events)


Conclusions: Incident Investigation & Forensics

●  A strong historical record is your best friend

●  What seems benign today can turn out to be harmful tomorrow…

●  Logs can quickly narrow down the search

●  Similar incidents become easier to resolve

●  It’s hard to intimidate an event log… (non-repudiation)


Conclusions: Audit & Enforce IT Security Policy

●  Apply risk metrics to IT processes

●  Finding breakdowns in IT security policy faster reduces IT risk

●  Only effective way to validate point source security technologies


Conclusions: Detect & Protect I.P. Theft

●  Makes spotting unusual patterns easier

●  Proper resource access can be monitored

●  An effective logging policy can serve as a strong deterrent to casual I.P. theft

●  Supports efficient prosecution


Thank you !!!
