Security Information and Event Management
SIEM Best Practice
SIEM – An overview
S.Periyakaruppan
AGENDA
Introduction
Types of SIEM
SIEM vs SEM vs SIM
Life Cycle
High level architecture
Low level design
Key Requirements
Security Log analysis
Security Log monitoring
NIST Guidelines
Introduction
SIEM ?? Security Information and Event Management (refers to the process of centralized security log management with analysis, reporting and alerting functions)
Security Information: an event or a record related to security devices, or an event that concerns the security of the IT systems or devices
Security event: an occurrence or activity in the system related to security
Why SIEM ???
To improve log analysis
To support Incident analysis
To improve incident response
To support forensic investigations
To support regulatory compliance
To support internal process adherence and audit requirements
Introduction - contd
Why is Log Management important ???
To generate logs only for what is worth logging
To support operations, maintenance & troubleshooting
To transmit filtered logs in a secure fashion
To decide what logs should be stored and for how long (log retention)
To store logs for the appropriate period, in a secure fashion
To ensure the relevant security metrics are triggered by the appropriate logs
To enhance threat discovery
SIEM vs SIM vs SEM
SEM: real-time monitoring and event management to support IT security operations. SEM requires several capabilities: event and data collection, aggregation and correlation in near real time; a dynamic monitoring/security event console for viewing and managing events; and automated response generation for security events.
SIM: historical analysis and reporting for security event data. This requires event and data collection/correlation (but not in real time), an indexed repository for log data, and flexible query and reporting capabilities.
SIEM = SIM + SEM
SIM, SIEM and SEM are often used interchangeably…..
Are they the same ?????
Types - SIEM
Agent based collection
Special software is needed on the log source to collect logs
Collection/Filtering/Aggregation/Normalization happen in the agent
Implementation challenges, since different agents are required to process different formats
Real-time or near-real-time logs
Plug and Play collection
End systems can push logs to the SIEM, or the SIEM can pull logs from the log sources
Collection/Filtering/Aggregation/Normalization happen in the SIEM (performance impact on the SIEM)
Real-time or near-real-time logs
SIEM & LM – Life-cycle
Stages of the cycle: Collect, Monitor, Identify, Trigger, Analyze, Notify, React
Key Requirements - SIEM
What type of event do you want to log, and for what purpose?
What level of logs do you want to filter at the system level?
What level of logs is necessary to transmit to the centralized infrastructure?
How long do you want to retain the logs in the centralized infrastructure?
What level of logs needs alerts, of what sort, at what frequency, and to whom?
What sort of logs needs reports, for what purpose, to whom, and in what way?
How frequently should the logs be transmitted to the centralized infrastructure?
Baseline for the logs and the action plan for the alerts
SIEM – HLA (High Level Architecture)
Components shown in the architecture diagram:
Log Sources (the attack itself and context info from the environment)
Log Collection: universal device support, agent collection, log consolidation/compression
Data Process / Data Management: log storage, third-party storage, normalization, other analytics
Data Analysis: intelligent event and payload inspection, correlation and alerting, baseline and reporting engine
Console / User interface: SOC, analysis, ticketing system, e-mail system, alerts, reports, storage
Flow: Log Source → Agent → SIEM (Filtering → Aggregation → Normalization → Correlation)
SIEM – Low Level Design
Flow: Log Sources → Log Collection → Data Process → Analysis → Ticketing system / Console
Analysis components:
Baseline of multiple events
Message Analysis
Behavior Analysis
Statistical Analysis
Structural Analysis
Functional Analysis
Event correlation
Vulnerability database & Security policy correlation
Historical events and observations
Alerts/reports
Security Log Analysis
Log transports and formats: SMTP, SNMP, XML, Proprietary
Log Analysis: studying log entries to identify events of interest or suppress log entries for insignificant events.
Correlation structure (diagram)
Critical Success factors - Security Log Analysis
Classify: once you understand the insight a log provides, you are able to classify the logs
Prioritize: prioritization is a vital part of detection, as you might miss a log due to poor prioritization
Security Log Monitoring - Approach
Map Requirements • Compliance • Regulatory requirements
Declare Use case • Scenario of the event • Appropriate reaction
Match Criteria • Appropriate criteria to understand the reality or the degree of the occurrence
Declare Priority • Based on pre-defined procedure or incident nature
Notify • Alert the operations team to take action
Post Incident review • The logs should be monitored for recurrence
Closure • Closure should be captured in the KB for future reference
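The SIEM flow above (Filtering, Aggregation, Normalization, Correlation), the classify/prioritize success factors, and the monitoring use case "declare use case, match criteria, declare priority, notify" are shown together in this added Python example; it is not code from the slides. The log lines are constructed sshd/cron syslog samples, and the brute-force rule, the threshold of 3 and the MEDIUM/HIGH priorities are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the slides): two hosts, one noisy cron entry.
SAMPLE_LOGS = [
    "Mar  1 10:00:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 5150 ssh2",
    "Mar  1 10:00:03 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 5152 ssh2",
    "Mar  1 10:00:04 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 5153 ssh2",
    "Mar  1 10:00:09 web01 sshd[2205]: Accepted password for root from 203.0.113.7 port 5160 ssh2",
    "Mar  1 10:00:10 web01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  1 10:00:12 db01 sshd[911]: Failed password for oracle from 198.51.100.9 port 4000 ssh2",
]

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
AUTH = re.compile(r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)")

def normalize(line):
    """Normalization + classification: map a raw line to a common schema, or None if unparseable."""
    m = SYSLOG.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "host": m["host"], "prog": m["prog"], "class": "other"}
    a = AUTH.search(m["msg"])
    if a:
        event["user"], event["src"] = a["user"], a["src"]
        event["class"] = "auth_failure" if a["outcome"] == "Failed" else "auth_success"
    return event

def keep(event):
    """Filtering: forward only security-relevant classes; noise such as cron is dropped."""
    return event is not None and event["class"] != "other"

def correlate(events, threshold=3):
    """Aggregation + correlation: count failures per (host, source). Crossing the assumed
    baseline threshold raises a MEDIUM alert; a later success from the same source is HIGH."""
    failures = defaultdict(int)
    alerts = []
    for ev in events:
        key = (ev["host"], ev["src"])
        if ev["class"] == "auth_failure":
            failures[key] += 1
            if failures[key] == threshold:
                alerts.append({"rule": "brute_force", "priority": "MEDIUM", "host": ev["host"], "src": ev["src"]})
        elif ev["class"] == "auth_success" and failures[key] >= threshold:
            alerts.append({"rule": "brute_force_success", "priority": "HIGH",
                           "host": ev["host"], "src": ev["src"], "user": ev["user"]})
    return alerts

def run_pipeline(lines, threshold=3):
    """Notify stage: the returned alerts are what would be handed to the operations team."""
    events = [e for e in map(normalize, lines) if keep(e)]
    return correlate(events, threshold)
```

The declared priority travels with the alert so the ticketing or e-mail step can route it; raising the threshold above the observed failures yields no alert at all, which is the baseline decision the Key Requirements slide asks for.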
Critical Success factors - Security Log Monitoring
Avoid reading only the known logs
Capture false positives
Correlation of known events
Declare Right priority
Appropriate reaction
Timely Notification
Post analysis review
Regular updating of the knowledge base
NIST Guidelines Security Log management
To establish and maintain successful log management infrastructures, an organization should perform significant planning and other preparatory actions for performing log management. This is important for creating consistent, reliable, and efficient log management practices that meet the organization’s needs and requirements and also provide additional value.
SECURITY IS A PROCESS, NOT A PRODUCT !!!!!!!!!!!
http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92