Download Security - Best IT Documents

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
Document related concepts

Distributed firewall wikipedia , lookup

Computer security wikipedia , lookup

Transcript 
Security
Information
Management
Leveraging Security Event Information
 Thesis
Managing security event information is a difficult task
Most successful deployments start with a clear understanding
of business needs
 And plans for what to do with the information
Security event information management tools are maturing
and moving from the outside – in
 But there are limitations regarding what the products can accomplish
Leveraging Security Event Information
 Agenda
 Why managing security event information is a difficult task
 Solutions and technology
 Emerging trends
 Recommendations
Leveraging Security Event Information
 Agenda
Why managing security event information is a difficult task
Solutions and technology
Emerging trends
Recommendations
Why Managing Security Event Information is…
 Even finding a name for it is hard!
Security Information Management (SIM)
Security Event Management (SEM)
Security Intelligence Management (SIM)
Enterprise Security Management (ESM)
Defense Information Management/Security Operations
Management (DIM/SOM)
 Just kidding about that last one…
 This is: Security Event Information Management
(SEIM)
Why Managing Security Event Information is…
 “Billions and Billions” of events
Firewalls, IDS,IPS, Anti-Virus,
Databases, Operating Systems,
Content filters
Information overload
 Lack of standards
 Difficult correlation
Making sense of event sequences that appear unrelated
False positives and validation issues
Why Managing Security Event Information is…
 Business Objectives of SEIM –
 Increase overall security posture of an organization
 Turn chaos into order
 Aggregate log file data from disparate sources
 Create holistic security views for compliance reporting
 Identify and track causal relationships in the network
in near real-time
 Build a historical forensic foundation
Why Managing Security Event Information is…
 Things SEIMs can look for
Internal policy compliance on hosts and systems
Track usage throughout the enterprise
 Access to strategic applications and servers
Password change events
Path of a worm or virus through the network
 What does your company want to look for with the
SEIM?
Leveraging Security Event Information
 Agenda
 Why managing security event information is a difficult task
 Solutions and technology
 Emerging trends
 Recommendations
OPERATIONS INTEGRATION
VISUALIZATION / ADMINISTRATION
Security alerts
Reports
Visualization
LONG-TERM STORAGE / AUDIT / INVESTIGATION
raw log
Policies /
compliance rules
Signatures /
attack
patterns
COLLECTION / AGGREGATION / CORRELATION
RESPONSE
1010100010
11100110
Central /
master
collector
Distribute
d
collectors
INPUTS
Agent
Logging
Identity Management
• Access control
• Directories
• Provisioning
Agent
Logging
System Management
• Host & DB
configuration
• Patch management
• Vulnerability
management
Agent
Logging
Perimeter Controls
• Routers
• Firewalls
• Content
scanners
Agent
RESPONSE
Help desk ticketing
Network / security operations
REAL-TIME ANALYSIS / RESPONSE
Logging
IDS / Response
• Network IDS
• Network IPS
• Other sensors
Solutions and Technology
 How the Products Work
 Collect
 Inputs from target sources
 Agent and agentless methods
 Aggregate
 Bring all the information to a central point
 Normalize
 Translate disparate syntax into a standardized one
 Correlate
 If A and B then C
 Report
 State of health
 Policy conformance
 Archive
Collect
Aggregate
Normalize
Correlate
Report
Archive
Solutions and Technology
 Understand the business case for the product
Build a strong set of requirements
What will it do?
How will it add business value?
 Understand the assets
Prioritize value
It’s critical, but few products do this successfully today
 Understand Policies
What are the technical security policies?
Data lifecycle considerations
Policies /
compliance
rules
Solutions and Technology
 Consideration–Requirements for visualization?
The Big Red Button
Tailoring views
 Geographic
 Configurability
 Drill down options
Hierarchical views
 Cross-cutting data sharing
 CIO view, auditor view
VISUALIZATION / ADMINISTRATION
Security alerts
Reports
Visualization
Solutions and Technology
 Consideration – What are the life cycle and storage needs?
 Internal policies
 Archive everything? Best have a robust SAN!
 What information is critical to the business?
 What’s in those audit logs?
 Regulatory requirements
 Normalization questions
LONG-TERM STORAGE / AUDIT / INVESTIGATION
 Is the original log data still available?
 Has it been “normalized”?
raw log
1010100010
11100110
 Know where the backups will go
 Understand lifecycle and mining needs
 Filters and searching- Can’t sift through petabytes of data manually
Solutions and Technology
 Consideration–How the data will be used after its
collected?
Will the data be used for
 Historical “forensics”?
 Track back and replay
LONG-TERM STORAGE / AUDIT / INVESTIGATION
 Legal forensics?
Legal Matters
 Chain of custody
 Tamper proof/evident
 Original audit/log data (not normalized)
 Integrity or “garbage in garbage out”
raw log
101010001
011100110
Leveraging Security Event Information
 Agenda
 Why managing security information is a difficult task
 Solutions and technology
 Emerging trends
 Recommendations
Emerging Trends
 “The Manager of Managers”
Automated remediation, change and compliance management
But will it break the separation of duties model?
May be viable with larger vendors, but market longevity may
be a concern with smaller, niche vendors
 Identity Management and Security Event Information
Management
 Wireless LAN Security Information
 Voice Over IP Security Management
 Sharing Security Operations Center data with the Network
Operations Center
Emerging Trends
 Early SEMs focused on gathering logs from the
perimeter security devices
Firewalls, routers
Evolution is toward a more comprehensive integration
Take in more input for greater vision
Monitoring activity both inside the organization as well as on
the perimeter
Additional intelligence can lead to more precise correlation
Emerging Trends
 Monitoring for Abuse
As the focus is turned inward
User behavior can be captured
Links back to Identity Management synch with SEIM
Emerging Trends
 SEIM is not currently a standards-based approach
 Vendor proprietary approach to
 Logging/Event reporting
 Normalization techniques
 CVE – Common Vulnerabilities and Exposures
 “A dictionary, not a database”
 Creates standardized names for vulnerabilities
 CVSS – Common Vulnerability Scoring System
 Standard ratings of vulnerabilities
 Very early stage
Leveraging Security Event Information
 Agenda
 Why managing security information is a difficult task
 Solutions and technology
 Emerging trends
 Recommendations
Recommendations
 Understand the business goals for the SEIM
 Determine which systems must be covered
 What level of data gathering is required
 Appropriate storage mechanisms
 Make some friends!
 Talk to others who have deployed SEIMs in environments similar to yours
 Since the SEIM may touch cross-enterprise systems, making friends inside
the organization is import too
 Build solid RFPs before speaking to vendors
 Vendors like their products best (understandably)
 Make the SEIM work for your company, don’t compromise your business
requirements to fit into the SEIM vendor’s framework
Recommendations
 Weigh vendor claims carefully
Scalability can affect utility of the product
Throughput, events per second (EPS) numbers may be
apples to oranges
 Take an architectural approach
Incorporate the SEIM into the network architecture
Consider ability to integrate with existing network
systems managers consoles
Don’t forget separation of duties requirements
Flexibility of solution for
 Views, privacy, lifecycle and storage control
Recommendations
 Remember you don’t need to
solve world hunger, yet
 Consider phased
implementations
 Cover a smaller subset of systems,
perhaps on the perimeter
 Before moving to more comprehensive,
whole-enterprise, event information
management deployments
Agent
Logging
Perimeter Controls
• Routers
• Firewalls
• Content scanners
Agent
Logging
Intrusion Detection / Response
• Network IDS
• Network IPS
• Other sensors
Leveraging Security Information
 Conclusion
Managing information security is a difficult task
SEIM is an emerging technology
 With emerging capabilities and uses
 Not all products work the same way
 Or do the same things
To leverage security information
 Understand your needs before speaking to vendors
 The technology decision will be much easier if you know your
requirements up front
Related documents
Emerging Economies Emerging Economy
Emerging Economies Emerging Economy
Link tp presentation - Illegal Logging Portal
Link tp presentation - Illegal Logging Portal
Job description Trusted Sources Emerging Markets Research and
Job description Trusted Sources Emerging Markets Research and
MS in Finance Learning Goals and Objectives
MS in Finance Learning Goals and Objectives
Discussion Forum 4– Emerging Technology
Discussion Forum 4– Emerging Technology
Main Function of GSCM
Main Function of GSCM
Emerging Economies Introduction to Business & Marketing
Emerging Economies Introduction to Business & Marketing
diamonds in details
diamonds in details
STRATEGIC MARKETING IN EMERGING ECONOMIES The
STRATEGIC MARKETING IN EMERGING ECONOMIES The
Presentation
Presentation
Consumer Behavior
Consumer Behavior
Document
Document