CorreLog: Mature SIEM Solution on Day One Paul Gozaloff, CISSP. Presentation for SC Congress esymposium CorreLog, Inc. Tuesday, August 5, 2014

Transcription

1 CorreLog: Mature SIEM Solution on Day One Paul Gozaloff, CISSP Presentation for SC Congress esymposium CorreLog, Inc. Tuesday, August 5, 2014

2 Agenda 1. About CorreLog 2. Log Management vs. SIEM 3. The Enterprise Challenge 4. The CorreLog Solution: SIEM Maturity on Day One 5. Breaking Down the Mainframe Silo 6. Holistic Security Controls Compliance 7. The Value Proposition: SC Magazine Five Star 8. Questions/Comments

3 About CorreLog Founded in 2001 Corporate Headquarters in Naples, FL Operations: North America, South America, EMEA, APAC Only Focus is on SIEM More than 300 customers worldwide Strategic Technology Partnerships with McAfee, IBM, HP ArcSight, CA, ASG, NNT, Solutionary, Total Device and Fixmo.

4 Security Information & Event Management is all we do!

5 Log Management vs. SIEM Log Management Collecting and centrally storing syslog events for forensic analysis SIEM (Security Information & Event Management) Log Management + Correlation and Analysis + Alerts + Tickets+ Reports+ Goal: Actionable Intelligence

6 What is SIEM? Security Information & Event Management Real-time event log collection Syslog Compliant RFC 3164 Long-term Storage Archiving Analysis and Reporting Correlation of Event Logs Alerts & Help-desk Tickets

7 The Enterprise Compliance Challenge Compliance Regulations PCI DSS, FISMA, HIPAA,SOX, ISO 27001, GLBA, etc. Threats Identification Insiders/Outsiders Security Management: Proactive Alerts, Forensic Analysis, and Audit Trails Where are the REAL threats and vulnerabilities? What is needed? Actionable Intelligence!

8 The Enterprise Challenge GBs of Event data What is important? What is not? How do I correlate events across platforms/devices? What is actionable vs. just interesting?

9 Why CorreLog? Enables Organization to become Gartner SIEM Maturity Stage 5 on Day One as documented by DoD Ease of install, ease of use, effective Day One Preconfigured Rules, Alerts, and Reports IBM Mainframe z/os and SMF Data Support Most cost effective SC Magazine 5 Star Product

10 The CorreLog Solution ISOLATED EVENTS LOGGED GROUPED CATALOGUED CORRELATED Real-Time Analysis Session Monitoring Anomaly Detection File Integrity Monitoring (FIM) GEO Location Alerts Help Desk Tickets

11 CorreLog Architecture - Addressing the Enterprise Challenge

12 Anomaly Detection Behavior Analysis Principles Basic Principles Predefined Counters Message Rate Thresholds Automatic Threshold Configuration Average Message Counts Per Interval Standard Deviation of Message Counts Per Interval Out-of-the-Box Effectiveness Auto Learning of Baselines Reducing the Probability of a Ticket Message Rate Assumptions Trigger Facility allows messages to be based on content, time of day, previous messages, or alerts

13 Anomaly Detection Behavior Analysis One Standard Deviation

14 We Reference Gartner SIEM Maturity Model Defines Five Stages of and Organization s SIEM Maturity Deployment Ranges from Collects Logs to Threat Intelligence and Content Research and Development We make the argument that a default CorreLog installation can be Stage 5 plus on Day One CorreLog believes there is a 6 th stage: Mainframe

15 SIEM Maturity Model Stage 1 Gartner Maturity Stage 1: SIEM deployed and collecting some log data Key Processes SIEM infrastructure monitoring process Log Collection monitoring Process CorreLog Default Installation CorreLog Server will begin collecting and monitoring immediately after devices are pointed to it

16 How CorreLog Achieves Stage 1 Easy install, detailed quick installation notes. No message normalizers required.

17 SIEM Maturity Model Stage 2 Gartner Maturity Stage 2: Periodic SIEM usage, dashboard/report review Key Processes Incident Response Process Report Review Process CorreLog Default Installation CorreLog Server built in Dashboards and Reports are immediately available on installation Customer only has to review them

18 How CorreLog Achieves Stage 2 Embedded ticket facility, default filters, rules, dashboard suitable for generic environments.

19 SIEM Maturity Model Stage 3 Gartner Maturity Stage 3: SIEM Alerts and Correlation Rules Enabled Key Processes Alert Triage CorreLog Default Installation CorreLog Server has 1,000s of pre-configured Correlation Rules enabled on installation Customer only has to review them

20 How CorreLog Achieves Stage 3 Default correlation rules and alerts run out-ofthe-box. Flexible notification facility.

21 SIEM Maturity Model Stage 4 Gartner Maturity Stage 4: SIEM Tuned with customized filters, rules, alerts, and reports Key Processes Real Time Alert Triage Process CorreLog Default Installation CorreLog Server has twenty built in predefined built in rules filtering: User &Privileged User activity Device & Critical device activity Perimeter activity Account Management Activity, PCI and HIPAA Scorecards Customer only has review and act on triage data

22 How CorreLog Achieves Stage 4 Auto-learning functions, easy customization and augmentation of rules

23 SIEM Maturity Model Stage 5 Gartner Maturity Stage 5: Advanced monitoring use cases, custom SIEM content, niche use cases (such as fraud or threat discovery) Key Processes Threat Intelligence Process Content research and development CorreLog Default Installation CorreLog Server incorporates Threat Intelligence and Content Research as well as anomaly detection by default Common Threats, Irregular System Messages, Virus Scanner Events, Black Listed User Messages, as well as easily designed custom filters are installed immediately on deployment

24 How CorreLog Achieves Stage 5 Multiple integration services, API, command line and scriptable components Neural Network Monitoring Association Correlation Monitor Session Correlation Monitor A Large Collection of Adapters and Plug ins, including Active Directory, Exchange, SAP, and more

25 Department of Defense Experiment Defense Advanced Research Projects Agency DARPA experiment on behalf of USCYBERCOM as a lessons learned experiment Use case to detect insider abuses, including false positives, resulting from a recent rogue SYSADMIN Created 23 data exfiltration's scenarios as it related to anomalous behavior that were not detected by installed DoD SIEM tools CorreLog alerted on 20 out of 23 anomalous events OUT OF THE BOX, and not pre-tuned for DoD environment

26 Vulnerable to Insider Threats The mainframe is the most securable platform Mark Wilson, RSM Partners, SHARE 2014 Insider threats are the leading cause of data breaches in the last 12 months Understand The State Of Data Security And Source: Wikimedia Privacy: 2013 To 2014, Forrester Research

27 The CorreLog z/os Mainframe Agent Agent and Syslog Console plug together via RFC 3164 (UDP) or RFC 6587 (TCP/IP)

28 Syslog On Mainframe Syslog in z/os is not RFC 3164 but SMF z/os SYSLOG: a data set residing in the primary job entry subsystem's spool space used by application and system programmers to record communications about problem programs and system functions. MVS Planning: Operations SMF: System Management Facility

29 DB2 Dashboards

30 DB2 Dashboards

31 DB2 Dashboards

32 Distributed Deployment

33 CorreLog SyslogDefender Addresses Unreliability of UDP Extends CorreLog s Capabilities to TCP/IP and IPv6 TLS Encryption over Public Networks

34 Archiving Security Data into a Database with the CorreLog Normalizer Standardized Reporting External Reporting Tools

35 CorreLog Framework Adapters and Plugins Powerful Framework to Support the Enterprise Challenge: Apache TLS / Crypto Enhanced Encryption Software Association Correlation Monitor CorreLog McAfee epo Adapter File Transfer Queue Message Adapter Global User Alert Plug-in Software IPv6 Adapter LDAP Interface Toolkit Software Ping Message Adapter SAP Adapter Session Correlation Monitor Plug-in SNMP Message Adapter SNMP Trap Message Adapter SQL Table Monitor Adapter WMI Message Adapter

36 CorreLog Value Proposition Summary Completely Web-based solution Simple installation and configuration No additional software requirements No special hardware Quick Learning Curve Powerful framework Variety of Adapter plug-ins Unique anomaly detection capabilities Flexible licensing/deployment

37 Thank you. Any Questions? Paul Gozaloff, CISSP Phone: X409