Slide 1: Brian Albrecht, MIS, CISSP, Senior Knowledge Engineer, LogRhythm, Inc.
Slide 2: Case Study: Disgruntled Employee Data Breach
- Council of Community Health Clinics (CCC), hacked by a former employee
- The employee resigned following a bad review
- He accessed a corporate server through an RDP connection
- The server contained personally identifiable medical data
- The former employee disabled the automatic backup process and later deleted patient data
Consequences to the organization:
- Significant fines, had the breach occurred after January 1, 2009 (California SB 541 and AB 211)
- Loss of patient data could have led to loss of life
- Patients had to wait hours to see doctors
Consequences to the ex-employee:
- Convicted and sentenced to more than 5 years in prison
- Ordered to pay more than $400,000 in restitution
Source: Claburn, Thomas, "Network engineer gets five years for destroying former employer's data", June 2008 (accessed 12 August 2009)
Slide 3: Introduction to SIEM Technology
What is a Security Information and Event Manager?
- Gartner's definition: SIEM solutions analyze security event data in real time to identify threats, and analyze and report on log data for compliance monitoring.
- Goal: give users on-demand access to real-time and historical records of activity for all nodes in an enterprise network.
Objectives:
- Identify security breaches and attempted breaches through increased awareness.
- Diagnose and remediate errors and critical events.
- Collect and report on data relevant to auditing GRC requirements.
Slide 4: Compliance, and beyond...
PCI Security Standards Council statement on recent data breaches: "A layered approach to security is absolutely necessary to protect sensitive payment card data; without ongoing vigilance or a comprehensive security strategy, organizations may be just a change control away from noncompliance. Validation to the principles and practices mandated in the PCI DSS plays an integral part in an organization's security posture, but basic monitoring and logging cannot be set aside after a security assessment is complete. Reports by forensics companies suggest that this is an area of weakness among organizations."
Slide 5: What Happens WITHOUT Protective Monitoring?
Slide 6: The Process
- Collect logs from log sources (software, appliances, switches, routers, firewalls, etc.)
- Extract meaningful information from the logs
- Enrich the log information (correlation, geo-information, locality, etc.)
- Presentation and tools (alarms, reports, investigations, visualization, etc.)
Slide 7: The Challenge: Collect, Organize & Analyze
Millions of records like this one per day (a firewall connection log; the timestamp and the IP addresses were lost in transcription):
id=firewall sn=0006b11f3b34 time=" :14:08" fw= pri=6 c=1024 m=537 msg="connection Closed" n= src= :138:lan dst= proto=udp/netbios-dgm sent=229 rcvd=0
Slide 8: ...and these
(Addresses, numeric fields and version strings were lost in transcription.)
11/28/2005 5:46 PM TYPE=Warning USER= COMP=SHIRE SORC=RemoteAccess CATG=(0) EVID=20189 MESG=The user matt connected from but failed an authentication attempt due to the following reason: %The user must change his or her password.
Nov 27 18:35:19 HelmsDeep sshd[12767]: Failed password for root from port 1298 ssh
id=firewall sn=0006b11f3b34 time=" :14:08" fw= pri=6 c=1024 m=537 msg="connection Closed" n= src= :138:lan dst= proto=udp/netbios-dgm sent=229 rcvd=0
11/28/ :56 AM TYPE=Information USER=SECIOUS\andy.grolnick COMP=DELL600SC SORC=Print CATG=(0) EVID=10 MESG=Document 203, PODNOTICE (TA ) PDF owned by andy.grolnick was printed on Brother HL-1250 series via port LPT1:. Size in bytes: ; pages printed:
[28/Nov/2005:14:48: ] "GET / HTTP/1.1" " "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;.NET CLR )"
11/28/2005 7:05 AM TYPE=Error USER= COMP=ELVIS SORC=Application Hang CATG=(0) EVID=1002 MESG=Hanging application notepad.exe, version , hang module hungapp, version , hang address 0x
Cryptic text records of server, application, workstation and network device activity.
Slide 9: (no transcribed text)
Slide 10: SIEM Philosophy
- Security Information and Event Managers (SIEMs) analyze data from multiple sources to determine problems more accurately than any single device can: safety in numbers.
- Investigations: more detail means more accuracy.
- The scope of an incident can be determined, not just the action.
- Overall, the more sources of information, the more benefit the SIEM gives.
- Maximizing SIEM effectiveness is determined by the SIEM architecture and by its deployment.
Slide 11: Where Logs Are Harvested
- Syslog format (industry-recognized standard)
- Flat files (Apache, BIND, MS Exchange tracking logs, many more)
- Database tables (Oracle, web-based applications)
- SNMP
- Generated reports (vulnerability, change logs, etc.)
- Web pages, XML files (Netgear, Cisco LMS)
- Custom protocols (OPSEC LEA, SDEE, NetFlow, etc.)
- Binary formats
- Audit logs (Solaris, Linux, etc.)
- Misc. structured formats (SAP)
- API-based (Novell NetWare, etc.)
- Integrated agent tools
Slide 12: Automated Interpretation
- The SIEM's ability to interpret log and event data is the single most important step.
- Capturing logs is not enough; the SIEM must extract the details (IP address, host name, user ID, etc.).
- The most desirable features of log collection: enterprise-wide visibility and awareness; advanced data management; flexible deployment and configuration options; comprehensive compliance support (out of the box); a universal, customizable console.
Slide 13: Extraction of Critical Data
Slide 14: Process of Interpretation
- Classifications: Audit, Security, Operations
- Categories: Compromise, Malware, Denial of Service, Vulnerability, etc.
- Log event type: Buffer Overflow Attempt, CVE number, etc.
- Details: IP addresses, IDs, ports, traffic, etc.
- Risk ratings and handling policies
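Slides 7, 8, 12 and 14 describe the step in which cryptic raw records are turned into a common schema (source type, host, user, addresses, severity, classification, category, event type) and some of them are promoted to Events. The following is an added example, not code from the deck or from LogRhythm: a normalizer for the four record formats shown on slides 7 and 8. The sample lines are constructed; the addresses, timestamps and version strings the transcript lost are filled with RFC 5737 documentation addresses and made-up values, and the classification and severity mappings are assumptions for illustration.

```python
import re

# Constructed sample records in the formats the slides show (sshd syslog,
# key=value firewall, Windows-style event text, Apache access log). The IP
# addresses, timestamps and version strings the transcript lost are filled
# with RFC 5737 documentation addresses and made-up values (an assumption).
SAMPLE_LOGS = [
    "Nov 27 18:35:19 HelmsDeep sshd[12767]: Failed password for root from 203.0.113.5 port 1298 ssh2",
    'id=firewall sn=0006b11f3b34 time="2005-11-28 14:08:12" fw=192.0.2.1 pri=6 c=1024 m=537 '
    'msg="Connection Closed" n=35 src=192.0.2.23:138:LAN dst=192.0.2.255:138:LAN '
    "proto=udp/netbios-dgm sent=229 rcvd=0",
    "11/28/2005 5:46 PM TYPE=Warning USER= COMP=SHIRE SORC=RemoteAccess CATG=(0) EVID=20189 "
    "MESG=The user matt connected from 198.51.100.7 but failed an authentication attempt due to "
    "the following reason: The user must change his or her password.",
    '198.51.100.20 - - [28/Nov/2005:14:48:22 -0700] "GET / HTTP/1.1" 200 1043 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
    "11/28/2005 7:05 AM TYPE=Error USER= COMP=ELVIS SORC=Application Hang CATG=(0) EVID=1002 "
    "MESG=Hanging application notepad.exe, version 5.1.2600.0, hang module hungapp, "
    "version 0.0.0.0, hang address 0x00000000",
]

SSHD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
SSHD_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
WIN_RE = re.compile(r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) (?P<rest>TYPE=.*)$")
WIN_FIELDS = "TYPE|USER|COMP|SORC|CATG|EVID|MESG"
WIN_FIELD_RE = re.compile(r"(%s)=(.*?)(?=\s(?:%s)=|$)" % (WIN_FIELDS, WIN_FIELDS))
APACHE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                       r"(?P<status>\d{3}) (?P<bytes>\S+)")
WIN_SEVERITY = {"Error": "Error", "Warning": "Warning", "Information": "Informational"}


def parse_log(line):
    """Normalize one raw record into the common schema; None if the format is unknown."""
    rec = {"raw": line, "source_type": None, "host": None, "user": None, "src_ip": None,
           "dst_ip": None, "severity": "Informational", "classification": "Audit",
           "category": "Other", "event_type": None}
    m = SSHD_RE.match(line)
    if m:
        rec.update(source_type="syslog/sshd", host=m["host"], classification="Security")
        f = SSHD_FAIL_RE.search(m["msg"])
        if f:
            rec.update(user=f["user"], src_ip=f["src"], severity="Warning",
                       category="Authentication Failure", event_type="Failed Password")
        return rec
    if line.startswith("id=firewall"):
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        pri = int(kv.get("pri", "6"))          # syslog priority: 0-3 are error conditions
        rec.update(source_type="firewall", host=kv.get("fw"), classification="Operations",
                   category="Network Traffic", event_type=kv.get("msg"),
                   src_ip=kv.get("src", "").split(":")[0] or None,
                   dst_ip=kv.get("dst", "").split(":")[0] or None,
                   severity="Error" if pri <= 3 else "Warning" if pri == 4 else "Informational")
        return rec
    m = WIN_RE.match(line)
    if m:
        fields = dict(WIN_FIELD_RE.findall(m["rest"]))
        rec.update(source_type="windows/" + fields.get("SORC", "unknown"), host=fields.get("COMP"),
                   user=fields.get("USER") or None, event_type="EVID " + fields.get("EVID", "?"),
                   severity=WIN_SEVERITY.get(fields.get("TYPE"), "Informational"))
        if fields.get("SORC") == "RemoteAccess":
            rec.update(classification="Security", category="Authentication Failure")
            f = re.search(r"The user (\S+) connected from (\S+)", fields.get("MESG", ""))
            if f:
                rec.update(user=f.group(1), src_ip=f.group(2))
        else:
            rec.update(classification="Operations",
                       category="Application Error" if rec["severity"] == "Error" else "Application")
        return rec
    m = APACHE_RE.match(line)
    if m:
        rec.update(source_type="apache", src_ip=m["src"], classification="Audit",
                   category="Web Access", event_type="%s %s -> %s" % (m["method"], m["path"], m["status"]))
        return rec
    return None


def is_event(rec):
    """A log becomes an Event when its extracted fields say it matters more than its peers."""
    return rec["classification"] == "Security" or rec["severity"] in ("Error", "Critical")


def summarize(lines):
    """Parse every line; return (records, number flagged as Events, number unparsed)."""
    records = [parse_log(line) for line in lines]
    parsed = [r for r in records if r is not None]
    return parsed, sum(1 for r in parsed if is_event(r)), len(records) - len(parsed)
```

Run against the five sample lines, the normalizer flags the two failed authentications and the application crash as Events and leaves the routine firewall close and the web hit as plain logs; the unparsed count is what you watch in production, since a new device type shows up there first.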
Slide 15: Enrichment of Logs
Enrichment is all about applying context:
- Does the log originate from a computer inside the network or outside it?
- Add entity definitions: the log comes from Engineering, Hong Kong, or the 3rd Floor rather than from a /24, /24, or /16 address block.
- Add geo-location: the log came from Kiev, Ukraine rather than from a bare IP address; use latitude and longitude to place it on a map.
- Use DNS to resolve IP addresses to host names (and host names to addresses).
- Identify the affected application from the log source type, the port number, or a matched rule.
Providing context to logs creates new ways of identifying anomalies, such as knowing:
- when a very large file is transferred outside the organization;
- when a connection enters the organization from a foreign location where the company has no employees;
- when a rival company is probing the web site.
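The three anomalies at the end of slide 15 only become detectable once the context it lists has been attached to each record. The following is an added example, not code from the deck or from LogRhythm: an enrichment step over extracted firewall flow records. The entity, geo-IP, reverse-DNS and port-to-application tables are constructed stand-ins for the SIEM's real lookup sources, the competitor address block and the list of countries with employees are assumptions, and the flow records are constructed (RFC 1918 ranges inside, RFC 5737 documentation ranges outside).

```python
import ipaddress

# Constructed lookup tables standing in for the SIEM's entity, geo-IP, DNS and
# application sources. Every address, name and location here is an assumption
# (RFC 1918 internal ranges, RFC 5737 documentation ranges for the outside).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENTITIES = [                     # address block -> the name a human recognizes
    (ipaddress.ip_network("10.1.0.0/16"), "Engineering"),
    (ipaddress.ip_network("10.2.3.0/24"), "Hong Kong"),
    (ipaddress.ip_network("10.9.7.0/24"), "3rd Floor"),
]
GEO = {                          # first three octets -> (city, country, latitude, longitude)
    "203.0.113": ("Kiev", "UA", 50.45, 30.52),
    "198.51.100": ("Denver", "US", 39.74, -104.99),
}
REVERSE_DNS = {"10.1.0.25": "build01.eng.example.com", "203.0.113.5": "host-5.isp.example.net"}
PORT_APPS = {22: "ssh", 25: "smtp", 80: "http", 443: "https", 3389: "rdp"}
COUNTRIES_WITH_EMPLOYEES = {"US", "HK"}
RIVAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # a competitor's known block (assumed)
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def entity_for(ip):
    for net, name in ENTITIES:
        if ip in net:
            return name
    return None


def geo_for(ip):
    return GEO.get(".".join(str(ip).split(".")[:3]))


def enrich(event):
    """Return a copy of a flow record with context fields and a list of anomalies added.

    event: {"src_ip", "dst_ip", "dst_port", "sent"} as extracted from a firewall log."""
    src, dst = ipaddress.ip_address(event["src_ip"]), ipaddress.ip_address(event["dst_ip"])
    out = dict(event)
    out["src_internal"], out["dst_internal"] = is_internal(src), is_internal(dst)
    out["src_entity"], out["dst_entity"] = entity_for(src), entity_for(dst)
    out["src_hostname"] = REVERSE_DNS.get(str(src))
    out["src_geo"] = geo_for(src)
    out["application"] = PORT_APPS.get(event.get("dst_port"), "unknown")
    anomalies = []
    # A large file leaving the organization.
    if out["src_internal"] and not out["dst_internal"] and event.get("sent", 0) >= LARGE_TRANSFER_BYTES:
        anomalies.append("large outbound transfer")
    # A connection entering from a country where the company has no employees.
    if (not out["src_internal"] and out["dst_internal"] and out["src_geo"]
            and out["src_geo"][1] not in COUNTRIES_WITH_EMPLOYEES):
        anomalies.append("inbound from country with no employees")
    # A rival's address block touching the public web site.
    if any(src in net for net in RIVAL_NETS) and out["application"] in ("http", "https"):
        anomalies.append("rival network probing web site")
    out["anomalies"] = anomalies
    return out


# Constructed flow records, the kind a firewall "connection closed" log yields.
SAMPLE_EVENTS = [
    {"src_ip": "10.1.0.25", "dst_ip": "203.0.113.9", "dst_port": 443, "sent": 250 * 1024 * 1024},
    {"src_ip": "203.0.113.5", "dst_ip": "10.9.7.40", "dst_port": 3389, "sent": 1200},
    {"src_ip": "198.51.100.7", "dst_ip": "10.1.0.80", "dst_port": 443, "sent": 500},
    {"src_ip": "10.2.3.4", "dst_ip": "10.1.0.25", "dst_port": 22, "sent": 100},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        r = enrich(e)
        print(r["src_entity"] or r["src_geo"], "->", r["dst_entity"], r["application"], r["anomalies"])
```

Note that "inside the network" is defined by the organization's own address plan, not by a library's notion of private space: Python's `ipaddress` reports the RFC 5737 documentation ranges as private, so the example keeps an explicit list of internal blocks.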
Slide 16: Case Study: Bot Detection
- A telecom company recently deployed a SIEM solution.
- Soon after deployment, IDS traffic picked up internal port scans.
- Using the SIEM's aggregation and investigation tools, the team isolated the IP address of the host performing the scans.
- They investigated that specific host and monitored its traffic.
- They noticed unusual SMTP traffic coming from the host.
- Putting all of the information together, they determined that the host had been infected by malware and was being used as a spambot.
Slide 17: SIEM Advantage: Bot Detection
- In the bot detection scenario, the SIEM allowed the organization to correlate events from several devices.
- Those involved were able to analyze the gathered data and parse out only the useful data.
- They could pull data from an earlier period to build a timeline and analyze the trend of events over time.
Slide 18: Log/Event Management Overview: Data Architecture
- Logs: raw log data, collected and automatically archived.
- Events: logs with more immediate operational, security, or compliance relevance.
- Alerts: events, or combinations of correlated events, requiring immediate notification and response.
Effective LM/SEM functionality requires a cohesive integration, accomplished only when architected as a single solution.
Slide 19: What is an Event?
- An Event is a log that has been flagged as important compared to other logs. Examples: a privileged user login; malware discovered on a workstation; a power failure.
- SIEM 2.0 requires Events to exist in some form so that users can identify key issues quickly.
- Events can be identified by conditions on extracted or enriched data. Examples: log type; log severity (Panic, Critical, Error, Warning, etc.); location (rogue-state list).
Slide 20: Alarming
- An alarm is an Event of higher note than a basic log or event; it adds the context of urgency.
- When an alarm condition is met, direct notification is made by email, text message, pager, etc.
- Alarms can be considered a call to action and ideally happen infrequently.
Slide 21: Correlation
- Correlation is another process that identifies or creates Events and/or Alarms.
- It provides a link between conditions. For example: a potential brute-force attack is detected, followed by a successful authentication from the same origin host; or a user logs in after being terminated (after the account was disabled, after the employee status changed in the HRM system, etc.).
- Many types of correlation:
  - multiple occurrences of an event within a time threshold;
  - from a location, country, IP address, or domain name;
  - involving a user account, application, or specific file;
  - in close time proximity to a different event;
  - when an expected event is not witnessed;
  - from common sense to applied mathematics.
Slide 22: Case Study: Ford Espionage (source: The Detroit News)
- A 10-year employee at Ford Motor Company copied 4,000 documents onto a portable hard drive.
- The documents included design specifications.
- The employee attempted to use the documents to secure a job at a Chinese automobile company in 2005 (while still working for Ford).
- The employee was arrested on October 15th, 2009.
Slide 23: Where are my logs?
- Once logs have been processed, they reside in a database until searched for.
- Some are sent to real-time systems such as a dashboard or a tail display of the most recent logs.
- At this point, tools are provided for the actors to use the SIEM to accomplish their goals: stopping intrusions, malware, and internal security concerns; detecting, diagnosing and fixing problems; working within organizational procedure (ITIL, etc.); proving compliance with GRC (governance, risk and compliance) requirements.
Slide 24: Dashboard
- The SIEM dashboard is a major launching point for investigations.
- It provides real-time awareness.
- It is the most simplified display.
Slide 25: Investigations
- Investigations are searches based on facts we know (who, when, where) and are expanded or restricted based on clues.
- Example: by company policy, an employee termination may be the trigger for an investigation.
- If we noticed user SMITH doing something suspicious, we might investigate what SMITH was doing for the last month, what SMITH's computer was doing at the time of the event, or what other computers SMITH accessed.
Slide 26: (no transcribed text)
Slide 27: Visualization
Slide 28: Reporting
- Reports allow for post-event review, in case a critical situation was missed.
- Report collections have better visibility than the dashboard alone.
- Basic security and auditing summaries should be generated frequently to supplement the dashboard.
- Report reviews should be part of any organizational security plan and/or policy.
- MSSPs typically provide weekly reviews of reports.
- Compliance often mandates daily, weekly or monthly review.
Slide 29: Could the Disgruntled Employee Breach have been detected and prevented?
- Council of Community Health Clinics (CCC), hacked by a former employee
- The employee resigned following a bad review
- He accessed a corporate server through an RDP connection
- The server contained personally identifiable medical data
- The ex-employee disabled the automatic backup process and later deleted patient data
Potential consequences to the organization:
- Patients had to wait hours to see doctors
- Loss of patient data could have led to loss of life
Consequences to the ex-employee:
- Convicted and sentenced to more than 5 years in prison
- Ordered to pay more than $400,000 in restitution
Slide 30: Could the Disgruntled Employee Breach have been detected and prevented?
Highlights from the case study, and what a SIEM could have done at each step:
- Employee resigned following a bad review: use the SIEM to begin monitoring the employee's user account immediately, even after access has been terminated.
- Accessed the corporate server through an RDP connection: the SIEM would be able to monitor and detect remote connections.
- Server contained personally identifiable medical data: confidential and proprietary information on this server would be monitored for access attempts.
- Ex-employee disabled the automatic backup process, later deleted patient data: process monitoring could detect the change made to the backup process, and the confidential patient data would be monitored.
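Slide 21 lists correlation rules (repeated failures followed by a success from the same host; a login after termination; an expected event that is never witnessed), and slide 30 applies exactly those ideas to the case study. The following is an added example serving both slides, not code from the deck or from LogRhythm: a small correlation pass over a time-ordered stream of already-extracted events that implements those three rules against an HR termination feed. The event stream, the account name `jdoe`, the host names, the thresholds and the backup schedule are all constructed assumptions; they are not details of the real case.

```python
from collections import defaultdict
from datetime import datetime, timedelta, time

BRUTE_FAILS, BRUTE_WINDOW = 5, timedelta(minutes=5)   # thresholds are assumptions
SENSITIVE_HOSTS = {"MEDSRV"}                            # servers holding patient data (assumed)
BACKUP_DUE, BACKUP_GRACE = time(3, 0), timedelta(hours=1)   # nightly backup window (assumed)


def correlate(events, terminated, now):
    """Apply three correlation rules to an event stream and return the alarms raised.

    events:     dicts with ts, type (auth_fail | auth_ok | service_change | backup_ok),
                user, host and, where relevant, src_ip and method
    terminated: user -> datetime at which the HR feed says the account was terminated
    now:        the evaluation time, needed for the "expected event not witnessed" rule
    Returns a list of (rule, user, src_ip, timestamp) tuples."""
    alarms = []
    fails = defaultdict(list)      # src_ip -> timestamps of recent failed logins
    backup_days = set()            # dates on which a successful backup was witnessed
    for e in sorted(events, key=lambda e: e["ts"]):
        t = e["ts"]
        # Rule 1: many failures then a success from the same origin host.
        if e["type"] == "auth_fail":
            fails[e["src_ip"]] = [x for x in fails[e["src_ip"]] if t - x <= BRUTE_WINDOW] + [t]
        elif e["type"] == "auth_ok":
            recent = [x for x in fails[e["src_ip"]] if t - x <= BRUTE_WINDOW]
            if len(recent) >= BRUTE_FAILS:
                alarms.append(("brute force followed by success", e["user"], e["src_ip"], t))
                fails[e["src_ip"]].clear()
        elif e["type"] == "backup_ok":
            backup_days.add(t.date())
            continue
        # Rule 2: any activity by an account after HR says it was terminated.
        term = terminated.get(e.get("user"))
        if term is not None and t > term:
            if e["type"] == "auth_ok" and e.get("method") == "rdp":
                rule = "terminated account remote login"
            elif e["type"] == "service_change" and e["host"] in SENSITIVE_HOSTS:
                rule = "terminated account change on sensitive host"
            else:
                rule = "terminated account activity"
            alarms.append((rule, e["user"], e.get("src_ip"), t))
    # Rule 3: an expected event (the nightly backup) was not witnessed in its window.
    day = min(e["ts"] for e in events).date()
    while day <= now.date():
        deadline = datetime.combine(day, BACKUP_DUE) + BACKUP_GRACE
        if day not in backup_days and now >= deadline:
            alarms.append(("backup not witnessed", "backup job", None, deadline))
        day += timedelta(days=1)
    return alarms


# Constructed event stream: a brute-force run against FILESRV that succeeds, one
# good backup the night before, then a terminated account logging in over RDP to
# the patient-data server and disabling the backup service, after which no backup
# is seen. Addresses are RFC 5737 documentation addresses (an assumption).
T0 = datetime(2008, 12, 23, 1, 0)
SAMPLE_EVENTS = [
    {"ts": T0 + timedelta(seconds=20 * i), "type": "auth_fail", "user": "admin",
     "src_ip": "203.0.113.5", "host": "FILESRV"} for i in range(6)
] + [
    {"ts": T0 + timedelta(minutes=3), "type": "auth_ok", "user": "admin",
     "src_ip": "203.0.113.5", "host": "FILESRV", "method": "ssh"},
    {"ts": datetime(2008, 12, 22, 3, 5), "type": "backup_ok", "user": "svc_backup", "host": "MEDSRV"},
    {"ts": datetime(2008, 12, 23, 2, 10), "type": "auth_ok", "user": "jdoe",
     "src_ip": "203.0.113.77", "host": "MEDSRV", "method": "rdp"},
    {"ts": datetime(2008, 12, 23, 2, 15), "type": "service_change", "user": "jdoe",
     "src_ip": "203.0.113.77", "host": "MEDSRV", "detail": "backup service set to disabled"},
]
TERMINATED = {"jdoe": datetime(2008, 12, 22, 17, 0)}   # from the HR feed (assumed)
NOW = datetime(2008, 12, 23, 9, 0)

if __name__ == "__main__":
    for alarm in correlate(SAMPLE_EVENTS, TERMINATED, NOW):
        print(*alarm)
```

The absence rule is the one most teams forget: disabling a backup job produces no log that says "backup disabled", so the SIEM has to alarm on the scheduled completion record that never arrives. The terminated-account rule depends entirely on the HR feed being wired into the SIEM; without it the RDP login on the patient-data server looks like any other remote session.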
Slide 31: Conclusion
- SIEMs provide a way to collect and process logs: they enrich logs to add meaningful context, escalate meaningful logs to Events, and escalate urgent Events to Alarms.
- SIEMs provide tools for investigating activities on a network and enhance activities involving security, operations and auditing. The tools include the dashboard, reporting, investigations and visualization.
Slide 32: Q&A
More informationPCI and PA DSS Compliance Assurance with LogRhythm
WHITEPAPER PCI and PA DSS Compliance Assurance PCI and PA DSS Compliance Assurance with LogRhythm MAY 2014 PCI and PA DSS Compliance Assurance with LogRhythm The Payment Card Industry (PCI) Data Security
More informationNetwork Security Monitoring: Looking Beyond the Network
1 Network Security Monitoring: Looking Beyond the Network Ian R. J. Burke: GCIH, GCFA, EC/SA, CEH, LPT iburke@headwallsecurity.com iburke@middlebury.edu February 8, 2011 2 Abstract Network security monitoring
More informationTHE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS
THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations have been hacked in the past two
More informationWhen it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs
White Paper Meeting PCI Data Security Standards with Juniper Networks SECURE ANALYTICS When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs Copyright 2013, Juniper Networks,
More informationBridging the gap between COTS tool alerting and raw data analysis
Article Bridging the gap between COTS tool alerting and raw data analysis An article on how the use of metadata in cybersecurity solutions raises the situational awareness of network activity, leading
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationAutomation Suite for. GPG 13 Compliance
WHITEPAPER GPG 13 Compliance Automation Suite for GPG 13 Compliance GPG 13 Compliance Assurance with LogRhythm Protective Monitoring for HMG ICT Systems is based on CESG s Good Practice Guide no.13 (GPG
More informationExporting IBM i Data to Syslog
Exporting IBM i Data to Syslog A White Paper from Safestone Technologies By Nick Blattner, System Engineer www.safestone.com Contents Overview... 2 Safestone... 2 SIEM consoles... 2 Parts and Pieces...
More informationRSA Security Analytics
RSA Security Analytics This is what SIEM was Meant to Be 1 The Original Intent of SIEM Single compliance & security interface Compliance yes, but security? Analyze & prioritize alerts across various sources
More informationCS 356 Lecture 25 and 26 Operating System Security. Spring 2013
CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control
More informationPresentation Title: When Anti-virus Doesn t Cut it: Catching Malware with SIEM
LISA 10 Speaking Proposal Category: Practice and Experience Reports Presentation Title: When Anti-virus Doesn t Cut it: Catching Malware with SIEM Proposed by/speaker: Wyman Stocks Information Security
More informationProtecting Critical Infrastructure
Protecting Critical Infrastructure SCADA Network Security Monitoring March 20, 2015 Table of Contents Introduction... 4 SCADA Systems... 4 In This Paper... 4 SCADA Security... 4 Assessing the Security
More informationANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details
Sub: Supply, Installation, setup and testing of Tenable Network Security Nessus vulnerability scanner professional version 6 or latest for scanning the LAN, VLAN, VPN and IPs with 3 years License/Subscription
More informationSecuring Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits
A Clear View of Challenges, Solutions and Business Benefits Introduction Cloud environments are widely adopted because of the powerful, flexible infrastructure and efficient use of resources they provide
More informationInsider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage. CERT Insider Threat Center
Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage CERT Insider Threat Center April 2011 NOTICE: THIS TECHNICAL DATA IS PROVIDED PURSUANT TO GOVERNMENT CONTRACT
More informationQ1 Labs Corporate Overview
Q1 Labs Corporate Overview The Security Intelligence Leader Who we are: Innovative Security Intelligence software company One of the largest and most successful SIEM vendors Leader in Gartner 2011, 2010,
More informationGuideline on Auditing and Log Management
CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius
More informationHow To Manage Sourcefire From A Command Console
Sourcefire TM Sourcefire Capabilities Store up to 100,000,000 security & host events, including packet data Centralized policy & sensor management Centralized audit logging of configuration & security
More informationOverview Commitment to Energy and Utilities Robert Held Sr. Systems Engineer Strategic Energy August 2015
Overview Commitment to Energy and Utilities Robert Held Sr. Systems Engineer Strategic Energy August 2015 Tripwire Evolution 18+ Years of Innovation 1997 Tripwire File System Monitoring from open source
More informationCyber Security Metrics Dashboards & Analytics
Cyber Security Metrics Dashboards & Analytics Feb, 2014 Robert J. Michalsky Principal, Cyber Security NJVC, LLC Proprietary Data UNCLASSIFIED Agenda Healthcare Sector Threats Recent History Security Metrics
More informationUnified Security, ATP and more
SYMANTEC Unified Security, ATP and more TAKE THE NEXT STEP Martin Werner PreSales Consultant, Symantec Switzerland AG MEET SWISS INFOSEC! 27.01.2016 Unified Security 2 Symantec Enterprise Security Users
More informationRSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief
RSA Solution Brief RSA envision Platform Real-time Actionable Information, Streamlined Incident Handling, Effective Measures RSA Solution Brief The job of Operations, whether a large organization with
More informationHow To Connect Log Files To A Log File On A Network With A Network Device (Network) On A Computer Or Network (Network Or Network) On Your Network (For A Network)
SIEM FOR BEGINNERS EVERYTHING YOU WANTED TO KNOW ABOUT LOG MANAGEMENT BUT WERE AFRAID TO ASK www.alienvault.com A Rose By Any Other Name SLM/LMS, SIM, SEM, SEC, SIEM Although the industry has settled on
More information