SIEM
Brief history of SIEM!!!
1996 – Birth of SIEM
2000 – SIEM winner: ArcSight launches
Big players in the market: ArcSight - HP, QRadar - IBM, Nitro - McAfee, SecureVue - EiQ, Splunk, RSA enVision and so on….
What is a SIEM??
SIEM - Security Information Event Management
Logging and Event Aggregation:
Network (routers, switches, firewalls, etc.), System (servers, workstations, etc.), Application (web, DB, etc.)
Correlation Engine: 2+ related events = higher alarm
SIEM Advantages
Correlation of data from multiple systems
Prioritization based on risk of threat to assets
Alerting and monitoring on events of interest to escalate priority
Monitor and log the access and use of sensitive data
Limits exposure to breach
Allows organizations to demonstrate adherence to policies and controls
Present world !!!
Attackers are more sophisticated in their attacks. Defenders need systems which help provide visibility and alerting across numerous security systems.
SIEM adoption driven by compliance Gartner says “more than 80%”
Put “Security” back into SIEM using real world examples.
5 reasons why SIEM is important…
Compliance
Operations Support
Zero-day & APT
Forensics
FIM (File Integrity Monitoring)
What does it do
Directory Policy
File Policy
Registry Policy
USB Policy
SIEM – It’s usage
How is SIEM helpful in the following Security concerns??
Countermeasures to detect attempts to infect internal systems
Identification of infected systems
Mitigation of risk for infected systems
Detection of outbound sensitive information (DLP)
RAW log:
"Sep 01 2015 01:52:37: %ASA-4-402119: IPSEC: Received an ESP packet (SPI= 0x8C623E78, sequence number= 0x193D) from xxx.xxx.xxx.xxx (user= ezvpn2) to xxx.xxx.xxx.xxx that failed anti-replay checking. "
Parsed log:
uid=asa1.int.xnxx.edu ip=10.1.9.55 extip=10.1.9.55 sev=local6.warn ec=402119 et=3 sip=xxx.xxx.xxx.xxx dip=xxx.xxx.xxx.xxx npri=4 dir=1 sgrp=Extranet dgrp=Extranet proto=IPSEC act=1 family=Others user=ezvpn2 cnt=1 msg="Invalid sequence number in the recvd. IPSEC packet." seq=0x193D ecat=System ecatsubcat=Error ecatresult=Attemp
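The two slides above show the two halves of what a SIEM does with a log line: parsing the raw Cisco ASA syslog message into named fields, and then correlating related events ("2+ related events = higher alarm"). The following Python is an added example written for this page, not code from the slides or from any SIEM product. It parses the ASA message quoted on the slide (with the masked addresses replaced by constructed RFC 5737 documentation addresses) into key=value fields named after the parsed-log slide, and applies a toy correlation rule that raises the priority when the same event code repeats from the same source and user. The field names, the grouping key and the severity arithmetic are assumptions made for the demo.

```python
import re
from collections import defaultdict

# Constructed sample input. The first line is the ASA message quoted on the
# slide with masked addresses replaced by documentation addresses; the others
# are constructed variants (one non-ASA line included to show rejection).
RAW_LOGS = [
    "Sep 01 2015 01:52:37: %ASA-4-402119: IPSEC: Received an ESP packet "
    "(SPI= 0x8C623E78, sequence number= 0x193D) from 203.0.113.10 (user= ezvpn2) "
    "to 198.51.100.5 that failed anti-replay checking.",
    "Sep 01 2015 01:52:38: %ASA-4-402119: IPSEC: Received an ESP packet "
    "(SPI= 0x8C623E78, sequence number= 0x193E) from 203.0.113.10 (user= ezvpn2) "
    "to 198.51.100.5 that failed anti-replay checking.",
    "Sep 01 2015 01:53:02: %ASA-4-402119: IPSEC: Received an ESP packet "
    "(SPI= 0x1A2B3C4D, sequence number= 0x0007) from 203.0.113.44 (user= ezvpn7) "
    "to 198.51.100.5 that failed anti-replay checking.",
    "Sep 01 2015 01:53:10: %ASA-6-302013: Built inbound TCP connection 12345 "
    "for outside:203.0.113.44/51000 (203.0.113.44/51000) to inside:10.1.9.55/443 (10.1.9.55/443)",
    "Sep 01 2015 01:53:11 sshd[4242]: Accepted publickey for ops from 10.1.9.7",
]

# Header common to every ASA syslog message: timestamp, severity, message id.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<npri>\d)-(?P<ec>\d{6}): (?P<body>.*)$"
)

# Body of message 402119 (IPsec anti-replay failure), the message on the slide.
ANTI_REPLAY_RE = re.compile(
    r"IPSEC: Received an ESP packet \(SPI= (?P<spi>0x[0-9A-Fa-f]+), "
    r"sequence number= (?P<seq>0x[0-9A-Fa-f]+)\) from (?P<sip>\S+) "
    r"\(user= (?P<user>[^)]+)\) to (?P<dip>\S+) that failed anti-replay checking\.$"
)


def parse_asa(line):
    """Turn one raw ASA syslog line into a flat dict of fields.

    Field names (ec, npri, sip, dip, proto, user, seq, msg) follow the
    parsed-log slide. Message ids without a body pattern still keep the
    header fields plus the untouched body as msg, so nothing is dropped.
    Returns None when the line is not an ASA syslog message at all.
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "npri": int(m["npri"]), "ec": m["ec"]}
    if event["ec"] == "402119":
        b = ANTI_REPLAY_RE.match(m["body"])
        if b:
            event.update(b.groupdict())
            event["proto"] = "IPSEC"
            event["msg"] = "Invalid sequence number in the recvd. IPSEC packet."
            return event
    event["msg"] = m["body"]
    return event


def to_kv(event):
    """Render a parsed event in the key=value form shown on the slide."""
    return " ".join(
        f'{k}="{v}"' if " " in str(v) else f"{k}={v}" for k, v in event.items()
    )


def correlate(events, threshold=2):
    """Toy correlation rule: 2+ related events raise the alarm.

    'Related' is assumed to mean the same event code from the same source
    IP and user. Groups reaching the threshold are reported with a priority
    one level more severe than the individual events (ASA severities run
    from 0, most severe, to 7).
    """
    groups = defaultdict(list)
    for ev in events:
        if ev is None:
            continue
        groups[(ev["ec"], ev.get("sip"), ev.get("user"))].append(ev)
    alarms = []
    for (ec, sip, user), evs in groups.items():
        if len(evs) >= threshold:
            alarms.append({
                "ec": ec, "sip": sip, "user": user, "cnt": len(evs),
                "npri": max(0, min(e["npri"] for e in evs) - 1),
            })
    return alarms


if __name__ == "__main__":
    parsed = [parse_asa(line) for line in RAW_LOGS]
    for ev in parsed:
        print(to_kv(ev) if ev else "unparsed (not an ASA message)")
    for alarm in correlate(parsed):
        print("ALARM", alarm)
```

Running the block prints one key=value line per ASA message and a single alarm for user ezvpn2, whose two anti-replay failures from the same source meet the threshold; the single failure for ezvpn7 and the unrelated connection-built message stay as plain events. A production parser would carry a pattern per message id rather than one, and the correlation window would be time-bounded, but the shape of the pipeline is the same.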
Architecture
Screens
Dashboard
Creating Alert
Triggered Alerts
Forensic Search
Asset Configuration
Alarms
Generated Events
Ticketing System for Customers
Reports