How to Leverage Log Data for Effective Threat Detection
DESCRIPTION
Event logs provide valuable information to troubleshoot operational errors and investigate potential security exposures. They are literally the bread crumbs of the IT world. As a result, a commonly used approach is to collect logs from everything connected to the network "just in case", without thinking about what data is actually useful. But, as you're likely aware, the "collect everything" approach can actually make threat detection and incident response more difficult as you wade through massive amounts of irrelevant data. Join us for this session to learn practical strategies for defining what you actually need to collect (and why) to help you improve threat detection and incident response, and satisfy compliance requirements. In this session, you'll learn:
• What log data you always need to collect and why
• Best practices for network, perimeter and host monitoring
• Key capabilities to ensure easy, reliable access to logs for incident response efforts
• How to use event correlation to detect threats and add valuable context to your logs
TRANSCRIPT
Tom D’Aquino – Sr. Security Engineer
HOW TO LEVERAGE LOG DATA FOR EFFECTIVE THREAT DETECTION
AGENDA
The Challenge
• Getting adequate security visibility for your small or medium business
The Widely Pursued Solution
• The traditional approach to Log Management/SIEM
• The cost/benefit analysis
An Alternative Approach
• Who, What and Why is the key
The Wrap Up
• Unified Security Management
• AlienVault’s Threat Intelligence Labs
Questions & Answers as time permits
HUMANS MEET TECHNOLOGY
Something is down?
YouTube is up though.
THE WIDELY PURSUED SOLUTION
The traditional approach to Log Management/SIEM:
• Collect everything
• Analyze everything
• Correlate everything
• Store everything
BUT AT WHAT HARDWARE COST?
How much storage, CPU and RAM will you need to collect, correlate and store all of this data?
• High-performance storage is not cheap
How effective is the automated analysis (i.e., correlation) really going to be?
• Correlation is CPU and memory intensive
• This is a case of garbage in, garbage out
AND AT WHAT HUMAN RESOURCE COST?
How effective is your team really going to be?
• Can one person realistically review 10,000 alerts in a day?
IS THERE A BETTER WAY?
What if we took a more strategic approach by identifying the problem more effectively?
Why do you need the logs?
• Do you have an intended result in mind?
What logs will you need to get that result?
• e.g., will authentication logs suffice?
Who will the logs you collect pertain to?
• Is there a specific user group/community you should be focused on?
LET’S LOOK AT SOME EXAMPLES
Why do you need firewall logs?
• I need to see what is getting into my network
What logs will you need to get that result?
• Firewall permit logs
Who will the logs you collect pertain to?
• I’m most significantly concerned with blacklisted IPs/domains
EXAMPLE ILLUSTRATED
You are probably only seeing these: [screenshot not reproduced in the transcript]
When you should be looking for this: [screenshot not reproduced in the transcript]
EXAMPLES CONTINUED
Why do you need OS logs?
• I need to detect unauthorized access attempts and account lockouts
What logs will you need to get that result?
• OS authentication failure and account lockout logs
Who will the logs you collect pertain to?
• I’m most significantly concerned with admin-level accounts
EXAMPLE ILLUSTRATED
Multiple events to indicate a single login: [screenshot not reproduced in the transcript]
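The OS-log example above asks for authentication failures and lockouts, scoped to admin-level accounts, and the slide points out that one logical event usually shows up as several log records. The following is an added example (not code from the webinar or from AlienVault) of the correlation step that turns those records into a handful of alerts. The event layout, the use of Windows event IDs 4625 (failed logon) and 4740 (account locked out) as markers, the admin account list, and the threshold and window are all assumptions made for the demonstration.

```python
"""
Correlating repeated OS authentication failures and lockouts into a small
number of admin-focused alerts. Added example; not from the webinar or from
AlienVault. Event layout, event IDs used as markers, the admin list and the
threshold/window are assumptions for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, already normalised from raw OS logs.
SAMPLE_EVENTS = [
    {"ts": "2022-06-12T10:00:01", "event_id": 4625, "account": "svc_backup", "src": "10.1.1.5"},
    {"ts": "2022-06-12T10:00:30", "event_id": 4625, "account": "jdoe", "src": "10.1.1.9"},
    {"ts": "2022-06-12T10:01:10", "event_id": 4625, "account": "svc_backup", "src": "10.1.1.5"},
    {"ts": "2022-06-12T10:01:20", "event_id": 4625, "account": "jdoe", "src": "10.1.1.9"},
    {"ts": "2022-06-12T10:01:45", "event_id": 4625, "account": "SVC_BACKUP", "src": "10.1.1.7"},
    {"ts": "2022-06-12T10:02:00", "event_id": 4740, "account": "svc_backup", "src": "dc01"},
    {"ts": "2022-06-12T10:02:10", "event_id": 4625, "account": "jdoe", "src": "10.1.1.9"},
    {"ts": "2022-06-12T10:30:00", "event_id": 4625, "account": "administrator", "src": "10.2.2.2"},
]

# The "who": admin-level accounts we care about (constructed list).
ADMIN_ACCOUNTS = {"administrator", "da_jsmith", "svc_backup"}


def correlate_auth_failures(events, admin_accounts=ADMIN_ACCOUNTS,
                            threshold=3, window=timedelta(minutes=5)):
    """Reduce a stream of auth events to alerts about admin accounts only.

    Two alert types are produced:
      * admin_brute_force: `threshold` or more failed logons for one admin
        account inside `window` (one alert per account per burst)
      * admin_lockout: any lockout event for an admin account
    Non-admin accounts are dropped entirely, which is the point of the
    who/what/why exercise: keep what answers the question, not everything.
    """
    alerts = []
    recent = defaultdict(deque)   # account -> deque of (timestamp, source)
    in_burst = set()              # accounts already alerted for the current burst

    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = ev["account"].lower()
        if acct not in admin_accounts:
            continue
        ts = datetime.fromisoformat(ev["ts"])

        if ev["event_id"] == 4740:
            alerts.append({"type": "admin_lockout", "account": acct,
                           "ts": ev["ts"], "reported_by": ev["src"]})
            continue
        if ev["event_id"] != 4625:
            continue

        q = recent[acct]
        q.append((ts, ev["src"]))
        # Drop failures that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) < threshold:
            in_burst.discard(acct)  # burst is over; a later burst may alert again
            continue
        if acct in in_burst:
            continue
        in_burst.add(acct)
        alerts.append({
            "type": "admin_brute_force",
            "account": acct,
            "count": len(q),
            "sources": sorted({src for _, src in q}),
            "first": q[0][0].isoformat(),
            "last": ts.isoformat(),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate_auth_failures(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input, eight raw events collapse to two alerts: one brute-force alert for `svc_backup` (three failures from two sources inside the window) and one lockout alert for the same account; the non-admin `jdoe` failures and the single `administrator` failure never reach an analyst. The case-folding of the account name matters because the same account commonly appears with different capitalisation across hosts.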
ONE MORE EXAMPLE
Why do you need switch/router logs?
• I need to see when someone logs in to my network gear and makes config changes
What logs will you need to get that result?
• Authentication and authorization logs from my TACACS server would do the job
Who will the logs you collect pertain to?
• Anyone connecting to my network gear
EXAMPLE ILLUSTRATED
You may have to process thousands of these: [screenshot not reproduced in the transcript]
Just to get one or two of these: [screenshot not reproduced in the transcript]
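The firewall example (why: what is getting into my network; what: permit logs; who: blacklisted IPs) and the switch/router example just above (why: who changes config on my gear; what: TACACS logs; who: anyone) both reduce a large log volume to the few records that answer the question. The following is an added example, not code from the webinar or from AlienVault, that implements both filters over constructed sample data. The key=value log layouts, the sample lines, the blocklist, the assumption that the TACACS server emits per-command accounting records, and the config-mode heuristic are all assumptions for the demonstration.

```python
"""
Applying the why/what/who questions from the firewall and switch/router
examples as concrete filters. Added example; not code from the webinar or
from AlienVault. Log layouts, sample lines, blocklist and the config-mode
heuristic are constructed assumptions.
"""
import ipaddress
import re

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Turn a key=value style log line into a dict (quoted values allowed)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


# --- Firewall: why = what is getting into my network,
#     what = permit logs, who = blocklisted IPs -------------------------

# Constructed firewall lines (syslog-ish layout is an assumption).
FIREWALL_LOGS = [
    "2022-06-12T09:00:01 fw01 action=permit src=10.0.5.23 dst=198.51.100.17 dport=443 proto=tcp",
    "2022-06-12T09:00:02 fw01 action=deny src=203.0.113.9 dst=10.0.0.1 dport=22 proto=tcp",
    "2022-06-12T09:00:03 fw01 action=permit src=10.0.5.23 dst=93.184.216.34 dport=80 proto=tcp",
    "2022-06-12T09:00:04 fw01 action=permit src=198.51.100.200 dst=10.0.7.8 dport=443 proto=tcp",
    "2022-06-12T09:00:05 fw01 action=deny src=198.51.100.17 dst=10.0.5.23 dport=3389 proto=tcp",
]

# Constructed blocklist; a real one would come from threat intelligence.
BLOCKLIST = [ipaddress.ip_network("198.51.100.0/24")]


def in_blocklist(addr, nets=BLOCKLIST):
    """True if addr parses as an IP and falls inside any blocklisted network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def permits_involving_blocklist(lines, nets=BLOCKLIST):
    """Keep only permitted connections where either endpoint is blocklisted.

    Denies are noise for this question: the firewall already did its job.
    """
    hits = []
    for ev in map(parse_kv, lines):
        if ev.get("action") != "permit":
            continue
        if in_blocklist(ev.get("src", ""), nets) or in_blocklist(ev.get("dst", ""), nets):
            hits.append(ev)
    return hits


# --- Switch/router: why = who changes config on my gear,
#     what = TACACS command accounting, who = anyone --------------------

# Constructed TACACS+ command-accounting lines (layout is an assumption).
TACACS_LOGS = [
    'Jun 12 09:10:01 tacacs01 user=netops1 nas=10.0.0.2 cmd="show running-config"',
    'Jun 12 09:10:05 tacacs01 user=netops1 nas=10.0.0.2 cmd="configure terminal"',
    'Jun 12 09:10:09 tacacs01 user=netops1 nas=10.0.0.2 cmd="interface GigabitEthernet0/1"',
    'Jun 12 09:10:12 tacacs01 user=netops1 nas=10.0.0.2 cmd="shutdown"',
    'Jun 12 09:10:20 tacacs01 user=netops1 nas=10.0.0.2 cmd="end"',
    'Jun 12 09:10:25 tacacs01 user=netops1 nas=10.0.0.2 cmd="show ip interface brief"',
    'Jun 12 09:10:30 tacacs01 user=contractor7 nas=10.0.0.3 cmd="show version"',
]


def config_changes(lines):
    """Reduce command accounting to the commands issued inside config mode.

    Simplified heuristic: a session enters config mode with "configure ..."
    and leaves it with "end". Real IOS-style sessions also nest sub-modes
    and use "exit"; handling that is deliberately left out here.
    """
    in_config = set()   # (user, nas) pairs currently in config mode
    changes = []
    for ev in map(parse_kv, lines):
        session = (ev.get("user"), ev.get("nas"))
        cmd = ev.get("cmd", "")
        if cmd.startswith("configure"):
            in_config.add(session)
        elif cmd == "end":
            in_config.discard(session)
        elif session in in_config:
            changes.append((session[0], session[1], cmd))
    return changes


if __name__ == "__main__":
    print(f"{len(FIREWALL_LOGS)} firewall lines -> "
          f"{len(permits_involving_blocklist(FIREWALL_LOGS))} worth a look")
    print(f"{len(TACACS_LOGS)} accounting lines -> "
          f"{len(config_changes(TACACS_LOGS))} config changes")
```

Five firewall lines reduce to the two permits that touch the blocklisted range (the deny from the same range is dropped on purpose), and seven accounting records reduce to the two commands that actually changed configuration. Tracking config mode per (user, NAS) pair rather than per user keeps two sessions from the same operator on different devices from contaminating each other.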
UNIFIED SECURITY MANAGEMENT
“VISIBILITY THROUGH INTEGRATION THAT WE DO, NOT YOU”
Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
Vulnerability Assessment
• Network Vulnerability Testing
Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
Security Intelligence
• SIEM Correlation
• Incident Response
AlienVault Labs Threat Intelligence: Coordinated Analysis, Actionable Guidance
• Updates every 30 minutes
• 200-350,000 IPs validated daily
• 8,000 collection points
• 140 countries
ALIENVAULT LABS THREAT INTELLIGENCE: COORDINATED ANALYSIS, ACTIONABLE GUIDANCE
Weekly updates that cover all your coordinated rule sets:
• Network-based IDS signatures
• Host-based IDS signatures
• Asset discovery and inventory database updates
• Vulnerability database updates
• Event correlation rules
• Report modules and templates
• Incident response templates / “how to” guidance for each alarm
• Plug-ins to accommodate new data sources
Fueled by the collective power of AlienVault’s Open Threat Exchange (OTX)
NOW FOR SOME Q&A…
Three Ways to Test Drive AlienVault
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site
Join us for a LIVE Demo!
http://www.alienvault.com/marketing/alienvault-usm-live-demo
Questions? [email protected]