CiscoWorks SIMS(Netforensics)

Transcription

1 Managing Logs and Security Events CiscoWorks SIMS(Netforensics) Georg Bommer, Inter-Networking AG (Switzerland)

2 Table of Content Challenges/Problems Main Functionality Product Tour Report Examples Architecture and Implementations Summary

3 Challenges Complexity of environment Many different data formats Volume of information Problem of consolidation Correlation and comparing in realtime and for forensics

4 Requirements for SIM Normalize Synchronisation of time, Event ID, Event Priority, Event Category Aggregate Reduce duplicate information and False/Positives Correlate Identify real threat Visualize Provide multiple views of real-time and historical data

5 Normalization

6 Normalization

7 Aggregation

8 Aggregation

9 Aggregation

10 Correlation Rule based and Statistical

11 Rule based Correlation

12 Visualization

13 Product Tour

14 Device Map

15 Realtime Trends

16 Event Console

17 Notification

18 Alert Customization

19 Knowledge Base

20 Event Status

21 Reporting 250 Pre-defined reports Role/User specific report view PDF, HTML, CSV Format Automatic scheduling

22 Report Generation

23 Report Scheduling

24 Activity Assessment by Category

25 Activity Assessment by Severity

26 Threat Assessment

27 Risk Assessment Risk = Threat x Vulnerability x Asset Value

28 Architecture

29 Central Office with Branch Office Branch Office Central Office NIDS Firewall Real Time Consoles Firewall Router (n) Server Agent Router NIDS Server Provider Agent Master DB Engine

30 Central Office with 30 Branches 6 Branches 6 Branches 6 Branches 6 Branches 6 Branches Server Server Server Server Server Agent Agent Agent Agent Agent Central Office Real Time Consoles Engine Server (n) Master Router Server DB Provider NIDS Firewall Engine Engine Agent Fault Tolerant Solution Secondary Location Server Engine Real Time Consoles Master Server DB (n) Provider

31 Central Data Center Server Farm Central Office Engine Server Real Time Consoles Master (n) 20 Servers + Win Agents 20 Servers + Win Agents Engine 20 Servers + Win Agents Server Engine DB Provider Routers NIDS Blades FW Blade Engine Agent 20 Servers + Win Agents

32 Supported Devices Supported Devices - SIM Agents or Universal Agents Access Control and Authentication Antivirus Databases Policy + Configuration Management Firewall + VPN Host based IDS Network based IDS Operation System SIM Solution Web Server

33 Supported Devices Access Control and Authentication Cisco ACS Cisco IOS ACL Antivirus CA InoculateIT McAfee Virus Scan Symantec Norten Antivirus Databases Informix Microsoft SQL-Server My SQL Oracle Sybase

34 Supported Devices Firewall / VPN Checkpoint Cisco Firewal Service Module Cisco IOS Firewall Cisco VPN Concentrator Cisco Pix CyberGuard Secure Computing Sidewinder Symantec Enterprise Firewall Firewall Borderware CA etrust Gauntlet GNAT Box Lucent Brick Netguard Gaurdian Pro NetScreen Nokia Sonic Wall Sygate WatchGuard ZoneLabs

35 Supported Devices Host Based IDS Cisco Secure Agent Enterasys Dragen Quire Entercept HIDS ISS RealSecure SS Arbor Peakflow CA etrust Cybercop Monitor PentaSafe Symantec ITA Tripwire Network Based IDS Enterasys Dragon ISS RealSecure Snort NIDS Sourcefire Tripwire NIDS Cisco PIX IDS Cisco IOS IDS CypberCop Net IDS Network Flight Recorder

36 Supported Devices Policy and Configuration-Management Symantec ESM Cisco Works HP OpenView Micromuse Optivity Solsoft Tivoli Unicenter Websense

37 Supported Devices Operating Systems SUN Solaris Red Hat Linux Microsoft Win NT Events IBM AIX HP-UX Silcon Graphics IRIX Open BSD SuSE SIM Solution ISS Site Protector

38 Supported Devices Web Server Apache Microsoft IIS Netscape Enterprise IPlanet

39 Summary Event monitoring Real-time event correlation Integrated threat assessment Advanced visualization Comprehensive reporting & forensics Support for multivendor devices and systems

40 Benefit Eliminates manual device monitoring Resolves security event management in realtime from a single console Simplifies notification and alert management Transparent view on security and related problems => Increase in productivity => Lower operational cost => Better Security over all

41 Applications Operating Systems Intrusion Detection Encryption/PKI Content Security Authentication Access Control + VPN Conclusion Management Log + Event Consolidation, Correlation

42 Vielen Dank! Georg Bommer Inter-Networking AG (Switzerland)

43 CiscoWorks SIMS Appliance