
SECURITY EVENT LOG MANAGEMENT- What to consider when looking at SIEM Technology


Presentation Transcript


  1. SECURITY EVENT LOG MANAGEMENT- What to consider when looking at SIEM Technology

  2. OVERVIEW • LOGS • VALUE IN COLLECTING LOGS • SIEM – EVENT LOG MANAGEMENT • TECHNOLOGY DIFFERENCES • GARTNER ANALYSIS • IDENTITY MANAGEMENT COMBINED WITH LOG MANAGEMENT • BENEFITS OF USING SIEM TECHNOLOGIES • HOW LOOP TECHNOLOGY CAN HELP YOU

  3. WHAT ARE LOGS? • Messages generated by computer systems • Each one is a record of an event that has occurred • Different formats for each application and system • Commonly sent over syslog (UDP port 514) • Most contain a common core of information: • Date and time • Source (IP address, computer name, userID) • Destination • Type of event

  4. LOG DATA • Types of log data: audit logs, transaction logs, connection logs, system performance records, user activity, intrusion detection and alerts • These can come from any source that generates logs, including: • Firewalls • Routers, switches • Operating systems • Content filtering programs • Anti-virus • Physical alarm systems • VoIP phone systems

  5. WHY ANALYSE LOGS? • Understand what is actually happening on your systems and network • Detect attacks early, while they are still in progress, rather than after the damage is done • Measure security and IT performance • Compliance • Incident investigation

  6. RISK OF IP THEFT OR DATA LEAKAGE • Could be malicious or profit motivated • Perimeter security is not always effective • Attacks attempting to collect sensitive organisational data are flexible enough to be deployed against applications, databases or unstructured data (e.g. Excel) • Impacts on data integrity • The industry focuses on either forensic investigation or restrictive point solutions

  7. ANALYSING AND MONITORING LOGS • Real-time? Hourly? Weekly? • Collect some or all logs? • False positives • How much data do you need to correlate events? • Duplication of logging • Ensuring data integrity • Size and diversity of environment considerations • How do these items affect your monitoring strategy?

  8. VALUE IN VIEWING LOGS

  9. MONITORING SAMPLES

  10. VIEWING LOG SAMPLES - Do you recognise these?
  Feb 12 15:47:40 localhost su[29149]: - pts/5 dcid:root
  Oct 25 00:09:27 192.168.1.100 security[failure] 577 IBM17M\Jeremy Lee Privileged Service Called: Server:Security Service:- Primary User Name:IBM17M$ Primary Domain:LEETHERNET Primary Logon ID:(0x0,0x3E7) Client User Name:Jeremy Lee Client Domain:IBM17M Client Logon ID:(0x0,0x1447F) Privileges:SeSecurityPrivilege
  Feb 12 15:11:41 enigma su[2936]: failed: ttyq4 changing from xx to root
  ACCESS,2006/09/26,13:14:36 -5:00 GMT,RogueScannerWin32 was unable to obtain permission for connecting to the Internet (169.254.207.118:Port 7000); access was denied.,N/A,N/A
  PE,2006/09/26,13:14:36 -5:00 GMT,RogueScannerWin32,C:\Program Files\Network Chemistry\RogueScanner GUI\RogueScannerGUI.exe,169.254.207.118:7001,N/A
  100.149.117.1 - - [13/Jan/2006:01:03:30 -0200] "POST /blog/xmlrpc.php HTTP/1.0" 404 288

  11. USING TOOLS WE CAN VIEW LOGS INSTANTLY TO FIND OUT • Who – was it a userID, system event, automated process? • When - Out of hours? Another time zone? • Where from - Source IP address, computer name, operating system, program? • Where to - Application? Database? Sensitive file? • What - What actually happened? • How - Can you trace all activity relating to the incident?

  12. AUTOMATED METHOD OF VIEWING LOGS Source – RSA Envision Dashboard

  13. GRAPHICAL REPRESENTATION OF LOG EVENTS Source – Tier3 Huntsman Dashboard

  14. AUTOMATED METHOD FOR VIEWING LOGS- NETWORK TRAFFIC DASHBOARD

  15. AUTOMATED REPORT- PASSWORD CHARACTERISTICS

  16. USING SIEM TECHNOLOGY • “The effective way to manage all your events is through the use of an automated solution, allowing you to automate the analysis and review of your logs from a central location” • Your solution depends on what your requirements are • What is important to your organisation?

  17. DO YOUR HOMEWORK • Identify every requirement you have • Be as granular as you can • ‘We want forensics’ or ‘we have compliance issues’ is not a good enough answer • Loop Technology can help you identify what you need, then match your requirements to a solution that will work best for you

  18. WHY DO YOUR HOMEWORK? • SIEM products differ considerably from one another • If you are not clear about what you want to monitor, you risk purchasing a solution that will not do what you need it to • Many organisations have made this mistake – don’t let yours be next!

  19. EXAMPLE - TYPES OF WINDOWS XP WORKSTATION LOGS • Logon / logoff • Access to sensitive files and directories • Process start / process stop • User access rights • Account administration • Changes to the security policy • Shutdown and startup events • System events • What else could there be? What about network logs? Proxy logs? Email server logs? Content management logs?

  20. SIEM COMMON FEATURES • Many types of ‘out of the box’ reporting • Use of a back end database for storing data – this may normalise data: BEWARE! Normalisation rewrites each event into the vendor’s own schema and can drop fields you later need for an investigation, so check whether the original raw event is also retained • Large number of defined rules provide a base for standard reports • Support many technologies, but not always all of your technologies • Provide a way to parse any logs that are not recognised ‘out of the box’ • Dashboard display, accessed by web browser • Multiple reporting options

  21. SIEM TECHNOLOGY DIFFERENCES • As of November 2007, the number of fully integrated SIEM solutions in the marketplace is ZERO • Every SIEM solution today is historically either a SIM or a SEM solution, not both • Many of these solutions implement short cuts to satisfy the marketing side of things, but they will give you a lot of headaches

  22. SIM VERSUS SEM

  23. AGENT VERSUS AGENTLESS

  24. SYSLOG AND EVENT LOG PARSING • Examples of technologies rarely recognised ‘out of the box’ by event log management products: • RSA Authentication Manager (all except one product) • Clearswift SMTP and Clearswift Web • Aventail VPN • Various Linux distributions • VAX • Tru64 • This is not unusual, and you may find yourself needing to parse and filter logs such as these. Most products offer a form of ‘universal log parsing’ where a few lines of code provide a means to filter these logs. Check how each vendor performs this task, compare the methods, and ask what happens to a line that matches none of the parsers: is it stored unparsed, or silently dropped?
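The ‘universal log parsing’ of slide 24, applied to the sample formats on slide 10 and the who/when/where/what questions of slide 11, as an added worked example that is not part of the original presentation and not any vendor’s product code. It maps a Unix su event, a Windows security event forwarded over syslog and an Apache access log line onto the common fields of slide 3 (timestamp, source, destination, event type), keeps every raw line including those no pattern recognises, and then runs one correlation rule of the kind slide 7 asks about. The sample lines are constructed (modelled on slide 10, with one extra failed su on ‘enigma’ added so the rule fires); the regexes, field names and the threshold of 2 are this example’s own choices.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the slide-10 samples (not real captured data).
# One extra failed su on "enigma" is included so the correlation rule below has something to fire on.
SAMPLE_LOGS = [
    "Feb 12 15:47:40 localhost su[29149]: - pts/5 dcid:root",
    "Feb 12 15:11:41 enigma su[2936]: failed: ttyq4 changing from xx to root",
    "Feb 12 15:12:02 enigma su[2940]: failed: ttyq4 changing from xx to root",
    ("Oct 25 00:09:27 192.168.1.100 security[failure] 577 IBM17M\\Jeremy Lee "
     "Privileged Service Called: Server:Security Service:- Primary User Name:IBM17M$ "
     "Primary Domain:LEETHERNET Primary Logon ID:(0x0,0x3E7) Client User Name:Jeremy Lee "
     "Client Domain:IBM17M Client Logon ID:(0x0,0x1447F) Privileges:SeSecurityPrivilege"),
    '100.149.117.1 - - [13/Jan/2006:01:03:30 -0200] "POST /blog/xmlrpc.php HTTP/1.0" 404 288',
    # A content-filter CSV line for which no pattern is defined: it must survive, not vanish.
    "ACCESS,2006/09/26,13:14:36 -5:00 GMT,RogueScannerWin32 was unable to obtain permission",
]

# Classic BSD syslog header: no year and no time zone, which matters when you correlate
# across hosts in different zones (slide 11's "Another time zone?").
SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})"
WIN_SEC_RE = re.compile(SYSLOG_TS + r" (?P<host>\S+) security\[(?P<outcome>\w+)\] (?P<event_id>\d+) (?P<msg>.*)$")
SYSLOG_RE = re.compile(SYSLOG_TS + r" (?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')
# su message bodies: sulog style ("+"/"-" tty from:to, where "-" records a failure)
# and the "failed: <tty> changing from <a> to <b>" style seen on the "enigma" host.
SU_SULOG_RE = re.compile(r"^(?P<sign>[-+]) (?P<tty>\S+) (?P<src>\S+):(?P<dst>\S+)$")
SU_FAILED_RE = re.compile(r"^failed: (?P<tty>\S+) changing from (?P<src>\S+) to (?P<dst>\S+)$")


def parse_line(line):
    """Map one raw line onto the common fields of slide 3. The raw line is always kept."""
    ev = {"raw": line, "ts": None, "source": None, "destination": None,
          "event_type": "unparsed", "outcome": None, "user": None}
    m = WIN_SEC_RE.match(line)
    if m:  # Windows security event relayed through a syslog agent
        ev.update(ts=m["ts"], source=m["host"], outcome=m["outcome"],
                  event_type="win_security_" + m["event_id"])
        who = re.search(r"Client User Name:(.+?) Client Domain:(\S+)", m["msg"])
        if who:
            ev["user"] = who.group(2) + "\\" + who.group(1)   # DOMAIN\user
        priv = re.search(r"Privileges:(\S+)", m["msg"])
        if priv:
            ev["destination"] = priv.group(1)   # the privilege that was exercised
        return ev
    m = SYSLOG_RE.match(line)
    if m:  # generic Unix syslog; su lines get the extra from/to fields
        ev.update(ts=m["ts"], source=m["host"], event_type=m["prog"])
        if m["prog"] == "su":
            s = SU_SULOG_RE.match(m["msg"])
            if s:
                ev.update(user=s["src"], destination=s["dst"],
                          outcome="success" if s["sign"] == "+" else "failure")
            else:
                s = SU_FAILED_RE.match(m["msg"])
                if s:
                    ev.update(user=s["src"], destination=s["dst"], outcome="failure")
        return ev
    m = APACHE_RE.match(line)
    if m:  # web server access log
        ev.update(ts=m["ts"], source=m["ip"], destination=m["path"],
                  event_type="http_" + m["method"],
                  outcome="failure" if m["status"][0] in "45" else "success")
        return ev
    return ev   # no pattern matched: stored as "unparsed", never dropped


def parse_all(lines):
    return [parse_line(line) for line in lines]


def failed_root_su_by_host(events, threshold=2):
    """Correlation rule: hosts with at least `threshold` failed su-to-root attempts."""
    counts = Counter(e["source"] for e in events
                     if e["event_type"] == "su" and e["destination"] == "root"
                     and e["outcome"] == "failure")
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_all(SAMPLE_LOGS)
    for e in events:
        print(e["event_type"], e["ts"], e["source"], e["user"], e["destination"], e["outcome"])
    print("unparsed:", sum(e["event_type"] == "unparsed" for e in events))
    print("alerts:", failed_root_su_by_host(events))
```

Two design points carry over to a product evaluation. First, the parser adds fields but never replaces the raw line, which is the practical answer to the normalisation warning on slide 20: a normalised record is convenient for reports, the raw record is what an investigation or a court will want. Second, the RogueScanner line is stored with event_type ‘unparsed’ rather than discarded, so the gap in coverage is visible in the data; when you test a vendor’s universal parsing, feed it a format it has never seen and check that the same thing happens. Note also that the BSD syslog timestamp carries neither year nor zone, so ordering events from hosts in different time zones needs a collector that stamps arrival time.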

  25. USING OPEN SOURCE TECHNOLOGIES TO BOLSTER CAPABILITIES • There is a wide range of syslog tools on the internet that can be used to provide rudimentary forms of monitoring. They serve a specific task and perform it well • Many so-called ‘enterprise’ SIEM solutions use open-source tools to cover areas their own products were not designed for; many SEM products use them to provide basic SIM capabilities • Those open-source tools are not supported by the large vendors. If you use a product that relies on open-source tools, don’t expect those tools to be supported

  26. GARTNER MAGIC QUADRANT 1Q07

  27. THE IDENTITY MANAGEMENT CONUNDRUM • Identity management checks that the userID requesting access is valid: it authenticates the userID, then authorises access • The userID is then permitted to access your systems

  28. THE IDENTITY MANAGEMENT CONUNDRUM • 80 percent of all IT security breaches are internal – these are by people who already have userIDs and passwords * • Can you be sure the person authorised to use that userID is the one using it? Example: common practice in enquiries and help desk areas is to let new staff use other people’s userIDs that are already set up • IDM authorises access; log management tracks the access once authorised – these two technologies are designed to work together * zdnet.com.au report – inside intrusion statistics, Feb 2005

  29. ISSUES THAT CAN BE SOLVED BY USING AUTOMATED LOG MANAGEMENT SOLUTIONS • Costly to manage users and access to assets • Difficult to know who has access to what • Helpdesk costs continue to grow • Difficult to manage users across different systems and applications • Too many vulnerabilities and viruses, and patching is costly • Unwanted emails and access to inappropriate websites are reducing productivity • Blocking and tackling isn’t enough • Compliance with various regulations – ISO27001, ACSI33, Basel II, SOX 404, EU directive, GLBA, HIPAA

  30. USING LOG MANAGEMENT TO REDUCE COSTS - AT A GLANCE • Secures ICT system integrity against known and unknown threats • Proactive protection against asset misuse, loss of IP or sensitive data, and loss of stakeholder confidence • Reduces costs: remediation and business continuity – reduce downtime by catching events before they escalate into outages • Automated ICT compliance – replace expensive, non-systematic manual processes • Automated process controls – real-time audit capability • Audit and automate transaction processing – non-repudiation capabilities • Turn risk management and compliance costs into business value

  31. CRITERIA LOOP TECHNOLOGY HAS USED TO SELECT ITS LOG MANAGEMENT PRODUCT SET • Trusted partnerships with leading vendors in the security space • Products are best of breed • Products that are easy to deploy and configure (you want to be able to make your evaluation after one week) • Products using flexible web-based access • Secure protocols for protection of data • No normalisation of logs • 100 percent fully supported – agent, agentless or both • Local support for all product sets • Multiple reporting options, i.e. SMS, email, CSV, PDF, HTML

  32. Information Security….. It’s what we do
