© Loop Technology SECURITY EVENT LOG MANAGEMENT- What to consider when looking at SIEM Technology


Page 1

SECURITY EVENT LOG MANAGEMENT- What to consider when looking at SIEM Technology

Page 2

OVERVIEW

• LOGS

• VALUE IN COLLECTING LOGS

• SIEM – EVENT LOG MANAGEMENT

• TECHNOLOGY DIFFERENCES

• GARTNER ANALYSIS

• IDENTITY MANAGEMENT COMBINED WITH LOG MANAGEMENT

• BENEFITS OF USING SIEM TECHNOLOGIES

• HOW LOOP TECHNOLOGY CAN HELP YOU

Page 3

WHAT ARE LOGS?

• Messages generated by computer systems

• A record of an event that has occurred

• Different formats for each application and system

• Commonly transported with Syslog on port 514

• They all contain common information:
  – Date and time
  – Source (IP address, computer name, userID)
  – Destination
  – Type of event

Page 4

LOG DATA

• Types of log data:
  – Audit logs
  – Transaction logs
  – Connection logs
  – System performance records
  – User activity
  – Intrusion detection and alerts

• These can come from any source that generates logs, including:
  – Firewalls
  – Routers, switches
  – Operating systems
  – Content filtering programs
  – Anti-virus
  – Physical alarm systems
  – VoIP phone systems

Page 5

WHY ANALYSE LOGS?

• Gain an understanding of what is going on

• Discover new threats before they happen

• Measure security and IT performance

• Compliance

• Incident investigation

Page 6

RISK OF IP THEFT OR DATA LEAKAGE

• Could be malicious or profit motivated

• Perimeter security not always effective

• Attacks attempting to collect sensitive organisational data are flexible enough to deploy against applications, databases or unstructured data (e.g. Excel)

• Impacts on data integrity

• Focus by the industry on either forensic investigation, or restrictive point solutions

Page 7

ANALYSING AND MONITORING LOGS

• Real-time? Hourly? Weekly?

• Collect some or all logs?

• False Positives

• How much data do you need to correlate events?

• Duplication of Logging

• Ensuring Data Integrity

• Size and diversity of environment considerations

How do these items affect your monitoring strategy?
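Two of the items above, duplication of logging and data integrity, can be checked at the collection point. The following is an added illustration (not code from any product named on these slides): a toy collector that drops a line it has already received and chains a SHA-256 over every stored record, so that editing or deleting an earlier record is detected on verification. Function names and the sample lines are this example's own.

```python
import hashlib

GENESIS = "0" * 64  # fixed starting value for the hash chain (assumption of this example)

def _digest(prev_hash: str, line: str) -> str:
    """Hash of the previous record's hash plus this line: links each record to its predecessor."""
    return hashlib.sha256(prev_hash.encode() + b"\n" + line.encode()).hexdigest()

def ingest(lines, seen=None):
    """Return (chained_records, duplicate_count).

    A line received twice, e.g. the same event forwarded by two collectors,
    is counted as a duplicate and stored once. Exact-line matching is a
    simplification; real collectors key on source, time and event content."""
    seen = set() if seen is None else seen
    records, duplicates, prev = [], 0, GENESIS
    for line in lines:
        if line in seen:
            duplicates += 1
            continue
        seen.add(line)
        prev = _digest(prev, line)
        records.append({"line": line, "hash": prev})
    return records, duplicates

def verify(records):
    """Recompute the chain from the start; return the index of the first record
    whose stored hash no longer matches, or -1 if the store is intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        prev = _digest(prev, rec["line"])
        if prev != rec["hash"]:
            return i
    return -1

# Constructed sample: one syslog line arrives twice, then a second distinct line.
SAMPLE_LINES = [
    "Feb 12 15:47:40 localhost su[29149]: - pts/5 dcid:root",
    "Feb 12 15:47:40 localhost su[29149]: - pts/5 dcid:root",
    "Feb 12 15:11:41 enigma su[2936]: failed: ttyq4 changing from xx to root",
]
```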

Page 8

VALUE IN VIEWING LOGS

Logging    – Audit; Incident response; Compliance

Monitoring – Incident detection; Loss prevention; Compliance

Analysis   – Identifying trends; Fault prediction; Potential to identify internal attack

Page 9

MONITORING SAMPLES

“Real-time”
  – Viral outbreak
  – Loss of service on critical assets
  – RAID devices starting to crash
  – External attack
  – Serious internal network abuse

Daily / weekly tasks
  – Unauthorised access evidence collection
  – Suspicious logon failures
  – Privilege revalidation
  – Changes on host and network systems
  – Activity summary

Page 10

VIEWING LOG SAMPLES - Do you recognise these?

Feb 12 15:47:40 localhost su[29149]: - pts/5 dcid:root

Oct 25 00:09:27 192.168.1.100 security[failure] 577 IBM17M\Jeremy Lee Privileged Service Called: Server:Security Service:- Primary User Name:IBM17M$ Primary Domain:LEETHERNET Primary Logon ID:(0x0,0x3E7) Client User Name:Jeremy Lee Client Domain:IBM17M Client Logon ID:(0x0,0x1447F) Privileges:SeSecurityPrivilege

Feb 12 15:11:41 enigma su[2936]: failed: ttyq4 changing from xx to root

ACCESS,2006/09/26,13:14:36 -5:00 GMT,RogueScannerWin32 was unable to obtain permission for connecting to the Internet (169.254.207.118:Port 7000); access was denied.,N/A,N/A

PE,2006/09/26,13:14:36 -5:00 GMT,RogueScannerWin32,C:\Program Files\Network Chemistry\RogueScanner GUI\RogueScannerGUI.exe,169.254.207.118:7001,N/A

100.149.117.1 - - [13/Jan/2006:01:03:30 -0200] "POST /blog/xmlrpc.php HTTP/1.0" 404 288

Page 11

USING TOOLS WE CAN VIEW LOGS INSTANTLY TO FIND OUT

• Who – was it a userID, system event, automated process?

• When – out of hours? Another time zone?

• Where from – source IP address, computer name, operating system, program?

• Where to – application? Database? Sensitive file?

• What – what actually happened?

• How – can you trace all activity relating to the incident?
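Answering who, when, where from and where to across formats as different as the samples on the previous slide means pulling each line into the common fields every log carries (date and time, source, destination, type of event). The parser below is an added example, not code from the original deck or from any vendor: it handles the BSD syslog and Apache access-log lines quoted on the slide, keeps the raw line so nothing is lost to normalisation, and returns nothing for a format it does not know rather than dropping the line silently. The field and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Raw lines as quoted on the "Viewing log samples" slide: two syslog 'su' entries and an
# Apache access-log entry. The normalised field names below are this example's own.
SAMPLES = [
    "Feb 12 15:47:40 localhost su[29149]: - pts/5 dcid:root",
    "Feb 12 15:11:41 enigma su[2936]: failed: ttyq4 changing from xx to root",
    '100.149.117.1 - - [13/Jan/2006:01:03:30 -0200] "POST /blog/xmlrpc.php HTTP/1.0" 404 288',
]
# BSD syslog: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG = re.compile(r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[\w-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# Apache common log format: 'ip - - [date] "request" status bytes'
APACHE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r"(?P<status>\d{3}) (?P<bytes>\d+|-)$")

@dataclass
class Event:
    when: str         # date and time exactly as written in the source line
    source: str       # host or IP the event came from
    destination: str  # what was acted on: target account, URL path, ...
    event_type: str   # label assigned by this example, not by any product
    raw: str          # the original line is kept, so nothing is lost to normalisation

def normalise(line: str) -> Optional[Event]:
    """Map one raw line to the common fields every log carries (date/time, source, destination, type)."""
    m = SYSLOG.match(line)
    if m:
        msg = m["msg"]
        if m["prog"] == "su":
            # su writes '+' on success and '-' or 'failed:' on failure; the target account ends the message
            target = re.search(r"(?:to |:)(\w+)\s*$", msg)
            failed = msg.startswith(("-", "failed"))
            return Event(m["ts"], m["host"], target.group(1) if target else "?",
                         "su_failure" if failed else "su_success", line)
        return Event(m["ts"], m["host"], "", "syslog_" + m["prog"], line)
    m = APACHE.match(line)
    if m:
        method, path = (m["req"].split(" ") + ["?", "?"])[:2]
        kind = "http_error" if m["status"][0] in "45" else "http_request"
        return Event(m["ts"], m["ip"], method + " " + path, kind, line)
    return None  # unrecognised format: hand to a custom parser rather than dropping it silently

def failed_root_escalations(lines):
    """Daily-review question from the slides: which hosts saw failed 'su' attempts to root, and when?"""
    return [(e.source, e.when) for e in map(normalise, lines)
            if e and e.event_type == "su_failure" and e.destination == "root"]
```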

Page 12

AUTOMATED METHOD OF VIEWING LOGS

Source – RSA Envision Dashboard

Page 13

GRAPHICAL REPRESENTATION OF LOG EVENTS

Source – Tier3 Huntsman Dashboard

Page 14

AUTOMATED METHOD FOR VIEWING LOGS- NETWORK TRAFFIC DASHBOARD

Page 15

AUTOMATED REPORT- PASSWORD CHARACTERISTICS

Page 16

USING SIEM TECHNOLOGY

“The effective way to manage all your events is through the use of an automated solution, allowing you to automate the analysis and review of your logs from a central location”

Your solution depends on what your requirements are

What is important to your organisation?

Page 17

DO YOUR HOMEWORK

• Do your homework – identify every requirement you have

• Be as granular as you can

• ‘We want forensics’ or ‘we have compliance issues’ is not a good answer

Loop Technology can help you identify what you need, then match your requirements to a solution that will best work for you

Page 18

WHY DO YOUR HOMEWORK?

• SIEM technologies vary widely from one to another

• If you are not clear about what you want to monitor, you risk purchasing a solution that will not do what you want it to

Many organisations have made this mistake – don’t let yours be next!

Page 19

EXAMPLE- TYPES OF WINDOWS XP WORKSTATION LOGS

• Logon / logoff

• Access to sensitive files and directories

• Process start / process stop

• User access rights

• Account administration

• Changes to the security policy

• Shutdown and startup events

• System events

What else could there be? What about network logs? Proxy logs? Email server logs? Content management logs?

Page 20

SIEM COMMON FEATURES

• Many types of ‘out of the box’ reporting

• Use of a back-end database for storing data – may normalise data – BEWARE!!!

• Large number of defined rules provide a base for standard reports

• Support many technologies, but not always all of your technologies

• Provide a way to parse any logs that are not recognised ‘out of the box’

• Dashboard display, accessed by web browser

• Multiple reporting options

Page 21

SIEM TECHNOLOGY DIFFERENCES

• As of November 2007, the number of fully integrated SIEM solutions in the marketplace is ZERO

• Every SIEM solution today is historically either a SIM or a SEM solution – not both

• Many of these solutions are implementing short cuts to satisfy the marketing side of things, but will give you a lot of headaches

Page 22

SIM VERSUS SEM

SIM – Security Information Management              | SEM – Security Event Management
Audit: ideal for host-based events                 | Geared toward monitoring network traffic
End-user centric: good for archive and reporting   | Network centric: geared towards monitoring ‘real-time’ traffic
Long-term storage and analysis                     | Threat orientated, to immediately support incident response
Monitoring of policy violations                    | Monitoring of external attacks
Correlation of many logs                           | Consolidation of many events

Page 23

AGENT VERSUS AGENTLESS

Agent monitoring                                                      | Agentless monitoring
Allows rule definition remotely                                       | Rule definition is performed at a central server
Reduces traffic sent to a central reporting server                    | Collects all traffic at a central server
Higher configuration maintenance on remote systems                    | Higher volume maintenance at the server
Higher remote system resource consumption; more maintenance required  | All maintenance is at the server; use of WMI and SNMP is common
Useful for a specific system or audit requirement                     | Useful when general policy enforcement applies for all systems
Agents monitor in near ‘real-time’                                    | Agentless cannot monitor in ‘real-time’
Agents may cost more for security features                            | Security features are either with the product or depend on the security of the network
Agents may cost more to transmit data via TCP                         | TCP is generally a standard offering with most agentless systems

Page 24

SYSLOG AND EVENT LOG PARSING

• Examples of technologies rarely with ‘out of the box’ recognition by event log management technologies:
  – RSA Authentication Manager (all except 1)
  – Clearswift SMTP and Clearswift Web
  – Aventail VPN
  – Various Linux versions
  – VAX Tru64

• This is not unusual, and you may find yourself in a situation where you need to parse and filter logs such as these. Most products offer a form of ‘universal log parsing’ where a few lines of code will provide a means to filter these logs. Make sure you check how each vendor performs this task, and compare each method.

Page 25

USING OPEN SOURCE TECHNOLOGIES TO BOLSTER CAPABILITIES

• There is a wide range of syslog tools on the internet that can be used to provide rudimentary forms of monitoring. They serve a specific task and perform it well

• Many so-called ‘enterprise’ SIEM solutions utilise open-source tools to complement areas in which their own tools were not designed to work – many SEM products will use these to provide basic SIM capabilities

• The use of open-source tools is not supported by the large vendors. If you use a product that relies on open-source tools, don’t expect those tools to be supported

Page 26

GARTNER MAGIC QUADRANT 1Q07

Page 27

THE IDENTITY MANAGEMENT CONUNDRUM

Identity management checks to ensure the userID requesting access is valid. It authenticates the userID, then authorises access.

The userID is then permitted to access your systems.

Page 28

THE IDENTITY MANAGEMENT CONUNDRUM

• 80 percent of all IT security breaches are internal – these are by people who already have userIDs and passwords. *

• Can you be sure the person authorised to use that userID is the one using it? Example: common practice in enquiry and help desk areas is to allow new people the use of other people’s userIDs that are already set up

IDM authorises access – log management tracks the access once authorised – these two technologies are designed to work together

* zdnet.com.au report – inside intrusion statistics, Feb 2005
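The shared-userID problem on this slide is exactly what IDM alone cannot see and log management can: once access is authorised, the logon records show whether one userID is being exercised from several machines at once. The detection below is an added example, not code from the deck or from any IDM or SIEM product; the logon records are constructed (the host name IBM17M is borrowed from the sample log earlier in the deck, the rest is invented) and the function name and thresholds are this example's own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records (userID, source host, local time) in the shape the
# normalised fields from a log management tool would provide.
LOGONS = [
    ("jlee", "IBM17M",      "2006-10-25 00:09:27"),
    ("jlee", "HELPDESK-03", "2006-10-25 00:12:10"),   # same userID, second desk
    ("jlee", "HELPDESK-07", "2006-10-25 00:15:44"),   # same userID, third desk
    ("dcid", "enigma",      "2006-10-25 03:30:00"),
    ("dcid", "enigma",      "2006-10-25 04:10:00"),   # one host only: normal
]

def shared_userids(logons, window_minutes=30, min_hosts=2):
    """Return {userID: sorted hosts} for every userID seen logging on from
    `min_hosts` or more distinct hosts within any `window_minutes` span.
    One credential active from several machines at once is the symptom of the
    'borrowed userID' practice described on the slide."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for user, host, ts in logons:
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host))
    findings = {}
    for user, events in by_user.items():
        events.sort()  # chronological, so each event can anchor a sliding window
        for t0, _ in events:
            hosts = {h for t, h in events if t0 <= t <= t0 + window}
            if len(hosts) >= min_hosts:
                findings[user] = sorted(hosts)
                break  # one finding per userID is enough for the daily review
    return findings
```

A finding is a prompt to revalidate who holds that userID (the “privilege revalidation” task from the daily/weekly list), not proof of misuse on its own.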

Page 29

ISSUES THAT CAN BE SOLVED BY USING AUTOMATED LOG MANAGEMENT SOLUTIONS

• Costly to manage users and access to assets

• Difficult to know who has access to what

• Helpdesk costs continue to grow

• Difficult to manage users across different systems and applications

• Too many vulnerabilities and viruses, and patching is costly

• Unwanted emails and access to inappropriate websites is reducing productivity

• Blocking and tackling isn’t enough

• Compliance for various regulations – ISO27001, ACSI33, Basel II, SOX 404, EU directive, GLBA, HIPAA

Page 30

USING LOG MANAGEMENT TO REDUCE COSTS- AT A GLANCE

• Secures ICT system integrity against known and unknown threats

• Proactive protection against asset misuse, loss of IP or sensitive data and stakeholder confidence

• Reduces costs:
  – Remediation and business continuity – eliminate downtime by preventing events occurring
  – Automated ICT compliance – replace expensive non-systematic manual processes
  – Automated process controls – real-time audit capability
  – Audit and automate transaction processing – non-repudiation capabilities
  – Turn risk management & compliance costs into business value

Page 31

CRITERIA LOOP TECHNOLOGY HAS USED TO SELECT ITS LOG MANAGEMENT PRODUCT SET

Trusted partnerships with leading vendors in the security space

Products are best of breed

Products that are easy to deploy and configure (you want to be able to make your evaluation after 1 week)

Products using flexible web based access

Secure protocols for protection of data

No normalisation of logs

100 percent fully supported – either agent or agentless or both

Local support for all product sets

Multiple reporting options, e.g. SMS, email, CSV, PDF, HTML

Page 32

Information Security... It’s what we do