Trends in Security Management: Leveraging Security Event Information
Summary: Managing security event information is a difficult task. Most successful deployments start with a clear understanding of business needs, and with plans for what to do with the information.
Leveraging Security Event Information
• Thesis
  • Managing security event information is a difficult task
  • Most successful deployments start with a clear understanding of business needs
  • And plans for what to do with the information
  • Security event information management tools are maturing and moving from the outside in
  • But there are limitations regarding what the products can accomplish
Leveraging Security Event Information
• Agenda
  • Why managing security event information is a difficult task
  • Solutions and technology
  • Emerging trends
  • Recommendations
Why Managing Security Event Information is…
• Even finding a name for it is hard!
  • Security Information Management (SIM)
  • Security Event Management (SEM)
  • Security Intelligence Management (SIM)
  • Enterprise Security Management (ESM)
  • Defense Information Management / Security Operations Management (DIM/SOM)
  • Just kidding about that last one…
• This is: Security Event Information Management (SEIM)
Why Managing Security Event Information is…
• “Billions and Billions” of events
  • Firewalls, IDS, IPS, anti-virus, databases, operating systems, content filters
• Information overload
• Lack of standards
• Difficult correlation
  • Making sense of event sequences that appear unrelated
• False positives and validation issues
Why Managing Security Event Information is…
• Business objectives of SEIM
  • Increase the overall security posture of an organization
  • Turn chaos into order
  • Aggregate log file data from disparate sources
  • Create holistic security views for compliance reporting
  • Identify and track causal relationships in the network in near real-time
  • Build a historical forensic foundation
Why Managing Security Event Information is…
• Things SEIMs can look for
  • Internal policy compliance on hosts and systems
  • Track usage throughout the enterprise
  • Access to strategic applications and servers
  • Password change events
  • Path of a worm or virus through the network
• What does your company want to look for with the SEIM?
Leveraging Security Event Information
• Agenda
  • Why managing security event information is a difficult task
  • Solutions and technology
  • Emerging trends
  • Recommendations
Solutions and Technology: SEIM architecture (diagram; only the labels survive extraction)
INPUTS (each group feeds a logging agent)
• Perimeter controls: routers, firewalls, content scanners
• IDS / response: network IDS, network IPS, other sensors
• System management: host & DB configuration, patch management, vulnerability management
• Identity management: access control, directories, provisioning
COLLECTION / AGGREGATION / CORRELATION
• Distributed collectors feeding a central / master collector
• Driven by policies / compliance rules and signatures / attack patterns; raw log data retained
REAL-TIME ANALYSIS / RESPONSE
• Response actions
LONG-TERM STORAGE / AUDIT / INVESTIGATION
OPERATIONS INTEGRATION
• Help desk ticketing; network / security operations
VISUALIZATION / ADMINISTRATION
• Security alerts, reports, visualization
Solutions and Technology
(Pipeline: Collect → Aggregate → Normalize → Correlate → Report → Archive)
• How the products work
  • Collect
    • Inputs from target sources
    • Agent and agentless methods
  • Aggregate
    • Bring all the information to a central point
  • Normalize
    • Translate disparate syntax into a standardized one
  • Correlate
    • If A and B then C
  • Report
    • State of health
    • Policy conformance
  • Archive
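The normalize-then-correlate step in miniature, as an added example (not code from the presentation or from any product): three constructed log sources with different syntaxes are mapped onto one schema, then two "if A and B then C" rules run over the result, one for an IDS alert followed by a logon from the same source, one for the worm-path pattern the deck lists. Field names, the sample lines and the rule thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three disparate sources, each in its own syntax.
RAW_LOGS = [
    "fw  2024-03-01T10:00:01 action=deny src=10.1.1.5 dst=10.2.2.9 dport=445",
    "ids 2024-03-01T10:00:05 alert=SMB-exploit-attempt src=10.1.1.5 dst=10.2.2.9",
    "os  2024-03-01T10:00:20 host=10.2.2.9 event=logon_success user=svc_backup from=10.1.1.5",
    "fw  2024-03-01T10:00:30 action=deny src=10.1.1.5 dst=10.2.2.10 dport=445",
    "fw  2024-03-01T10:00:31 action=deny src=10.1.1.5 dst=10.2.2.11 dport=445",
    "fw  2024-03-01T10:00:32 action=deny src=10.1.1.5 dst=10.2.2.12 dport=445",
    "os  2024-03-01T11:00:00 host=10.2.2.20 event=passwd_change user=alice from=10.3.3.3",
]

def normalize(line):
    """Translate one source-specific line into the common schema
    {source, ts, kind, src, dst, ...} that the correlation rules expect."""
    source, ts, rest = line.split(None, 2)
    f = dict(kv.split("=", 1) for kv in rest.split())
    ev = {"source": source, "ts": datetime.fromisoformat(ts)}
    if source == "fw":
        ev.update(kind=f["action"], src=f["src"], dst=f["dst"], dport=f["dport"])
    elif source == "ids":
        ev.update(kind="alert", src=f["src"], dst=f["dst"], sig=f["alert"])
    elif source == "os":
        ev.update(kind=f["event"], src=f["from"], dst=f["host"], user=f.get("user"))
    return ev

def correlate(lines, window=timedelta(minutes=5), fanout=3):
    """Apply two 'if A and B then C' rules over the normalized event stream."""
    events = sorted((normalize(l) for l in lines), key=lambda e: e["ts"])
    findings = []
    # Rule 1: an IDS alert against a host, followed within `window` by a
    # successful logon to that host from the same source, is escalated.
    alerts = [e for e in events if e["kind"] == "alert"]
    for logon in (e for e in events if e["kind"] == "logon_success"):
        for a in alerts:
            if (a["src"], a["dst"]) == (logon["src"], logon["dst"]) \
                    and timedelta(0) <= logon["ts"] - a["ts"] <= window:
                findings.append(("alert_then_logon", a["src"], a["dst"], logon["user"]))
    # Rule 2: one source denied to many distinct destinations on one port
    # looks like a worm or scanner walking the network.
    targets = defaultdict(set)
    for e in events:
        if e["kind"] == "deny":
            targets[(e["src"], e["dport"])].add(e["dst"])
    for (src, dport), dsts in targets.items():
        if len(dsts) >= fanout:
            findings.append(("scan_fanout", src, dport, sorted(dsts)))
    return findings
```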
Solutions and Technology
• Understand the business case for the product
• Build a strong set of requirements
  • What will it do?
  • How will it add business value?
• Understand the assets
  • Prioritize value
  • It’s critical, but few products do this successfully today
• Understand policies
  • What are the technical security policies?
  • Data lifecycle considerations
(Architecture callout: policies / compliance rules)
Solutions and Technology
• Consideration: requirements for visualization?
  • The Big Red Button
  • Tailoring views
    • Geographic
    • Configurability
    • Drill-down options
    • Hierarchical views
  • Cross-cutting data sharing
    • CIO view, auditor view
(Architecture callout: visualization / administration; security alerts, reports, visualization)
Solutions and Technology
• Consideration: what are the life cycle and storage needs?
  • Internal policies
    • Archive everything? Best have a robust SAN!
    • What information is critical to the business?
    • What’s in those audit logs?
  • Regulatory requirements
  • Normalization questions
    • Is the original log data still available?
    • Has it been “normalized”?
  • Know where the backups will go
  • Understand lifecycle and mining needs
    • Filters and searching: can’t sift through petabytes of data manually
(Architecture callout: long-term storage / audit / investigation; raw log data)
Solutions and Technology
• Consideration: how will the data be used after it is collected?
  • Will the data be used for
    • Historical “forensics”?
      • Track back and replay
    • Legal forensics?
  • Legal matters
    • Chain of custody
    • Tamper proof / tamper evident
    • Original audit/log data (not normalized)
    • Integrity, or “garbage in, garbage out”
(Architecture callout: long-term storage / audit / investigation; raw log data)
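One way to make an archive of original (non-normalized) log records tamper evident, as an added example rather than anything the deck or a vendor prescribes: each archived entry carries a SHA-256 over the raw line plus the previous entry's hash, so editing, reordering or deleting any record breaks every later link. The record lines are constructed; for the chain to support chain-of-custody claims, the latest hash must also be recorded somewhere the log writer cannot alter (an assumption stated in the comment, not implemented here).

```python
import hashlib

# Constructed raw syslog-style records, archived exactly as received (not normalized).
RAW_RECORDS = [
    "Mar  1 10:00:20 srv9 sshd[4242]: Accepted password for svc_backup from 10.1.1.5 port 51234",
    "Mar  1 10:01:02 srv9 sudo: svc_backup : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "Mar  1 10:03:44 srv9 sshd[4242]: Disconnected from 10.1.1.5",
]

GENESIS = "0" * 64  # hash used as the "previous" value for the first record

def chain_records(records, prev_hash=GENESIS):
    """Build archive entries where each hash covers the raw line and the
    previous entry's hash. The final hash should be copied out of band
    (write-once media, a signed checkpoint) so the chain head itself is protected."""
    entries = []
    for seq, raw in enumerate(records):
        digest = hashlib.sha256((prev_hash + "\n" + raw).encode("utf-8")).hexdigest()
        entries.append({"seq": seq, "raw": raw, "prev": prev_hash, "hash": digest})
        prev_hash = digest
    return entries

def verify_chain(entries, genesis=GENESIS):
    """Recompute every link; return the index of the first entry that fails,
    or -1 if the whole chain is intact. A deleted record shows up as a failure
    at the entry that followed it, because its 'prev' no longer matches."""
    prev = genesis
    for i, e in enumerate(entries):
        expected = hashlib.sha256((prev + "\n" + e["raw"]).encode("utf-8")).hexdigest()
        if e["seq"] != i or e["prev"] != prev or e["hash"] != expected:
            return i
        prev = e["hash"]
    return -1
```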
Leveraging Security Event Information
• Agenda
  • Why managing security event information is a difficult task
  • Solutions and technology
  • Emerging trends
  • Recommendations
Emerging Trends
• “The Manager of Managers”
  • Automated remediation, change and compliance management
    • But will it break the separation of duties model?
  • May be viable with larger vendors, but market longevity may be a concern with smaller, niche vendors
• Identity management and security event information management
• Wireless LAN security information
• Voice over IP security management
• Sharing Security Operations Center data with the Network Operations Center
Emerging Trends
• Early SEMs focused on gathering logs from the perimeter security devices
  • Firewalls, routers
• Evolution is toward a more comprehensive integration
  • Take in more input for greater vision
  • Monitoring activity inside the organization as well as on the perimeter
  • Additional intelligence can lead to more precise correlation
Emerging Trends
• Monitoring for abuse
  • As the focus is turned inward
  • User behavior can be captured
  • Links back to identity management, in sync with the SEIM
Emerging Trends
• SEIM is not currently a standards-based approach
  • Vendor-proprietary approach to
    • Logging / event reporting
    • Normalization techniques
• CVE – Common Vulnerabilities and Exposures
  • “A dictionary, not a database”
  • Creates standardized names for vulnerabilities
• CVSS – Common Vulnerability Scoring System
  • Standard ratings of vulnerabilities
  • Very early stage
Emerging Trends
• A community approach?
  • OpenSIMS – Open Source SIM Project
    • Ties together open source security management tools
  • Build collaborative intelligence via data sharing amongst enterprises
    • Attacker profiles
    • Risk metrics
Leveraging Security Event Information
• Agenda
  • Why managing security event information is a difficult task
  • Solutions and technology
  • Emerging trends
  • Recommendations
Recommendations
• Understand the business goals for the SEIM
  • Determine which systems must be covered
  • What level of data gathering is required
  • Appropriate storage mechanisms
• Make some friends!
  • Talk to others who have deployed SEIMs in environments similar to yours
  • Since the SEIM may touch cross-enterprise systems, making friends inside the organization is important too
• Build solid RFPs before speaking to vendors
  • Vendors like their products best (understandably)
  • Make the SEIM work for your company; don’t compromise your business requirements to fit into the SEIM vendor’s framework
Recommendations
• Weigh vendor claims carefully
  • Scalability can affect the utility of the product
  • Throughput and events-per-second (EPS) numbers may be apples to oranges
• Take an architectural approach
  • Incorporate the SEIM into the network architecture
  • Consider the ability to integrate with existing network systems managers’ consoles
  • Don’t forget separation of duties requirements
  • Flexibility of solution for
    • Views, privacy, lifecycle and storage control
Recommendations
(Architecture callout: perimeter controls and intrusion detection / response inputs, each with a logging agent: routers, firewalls, content scanners; network IDS, network IPS, other sensors)
• Remember you don’t need to solve world hunger, yet
• Consider phased implementations
  • Cover a smaller subset of systems, perhaps on the perimeter
  • Before moving to more comprehensive, whole-enterprise, event information management deployments
Leveraging Security Information
• Conclusion
  • Managing information security is a difficult task
  • SEIM is an emerging technology
    • With emerging capabilities and uses
  • Not all products work the same way
    • Or do the same things
  • To leverage security information
    • Understand your needs before speaking to vendors
    • The technology decision will be much easier if you know your requirements up front
Questions & Discussion