AlienVault Unified Security Management (USM). Life Cycle of a Log




Complete. Simple. Affordable. Copyright 2014 AlienVault. All rights reserved.

AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat Exchange, AlienVault OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM and OSSIM are trademarks or service marks of AlienVault.

CONTENTS
1. INTRODUCTION
2. LOG COLLECTION
2.1. Logs sent from devices to the sensor
2.2. Logs parsed by the agent using plugins
2.3. Security events extracted from the logs
2.4. Normalization of SIDs
2.5. Normalized SIDs transmitted to the AlienVault server
3. HOW EVENTS ARE PROCESSED
3.1. Events from the server to the database
3.2. The server parses the event priority and reliability
3.3. The server checks assets to assign a risk score
3.4. Application of the event taxonomy
3.5. The server crosschecks reputation data
3.6. The event feeds into the correlation engine
3.7. Events available for searching and browsing
3.8. Correlation directives create alarm events
4. EVENTS VISUALIZATION

DC-00131 Edition 00. Copyright 2014 AlienVault. All rights reserved.

1. INTRODUCTION
The objective of this document is to show the life cycle of a log message through AlienVault, from the device to the user interface.

2. LOG COLLECTION
Log collection is the heart of a SIEM. AlienVault collects logs from devices, systems and software:
- Some logs are transmitted to AlienVault by the source
- Others are retrieved by AlienVault from the source

These logs are normalized, extracting common data fields from them: IP addresses, host names, user names, interface names, etc. Key events are assigned a Security ID (SID); these are the events that are of interest to a security analyst. SIDs are correlated into alarms. Log correlation can see patterns in activity that a single device or security control cannot.

2.1. Logs sent from devices to the sensor
Devices that support the syslog protocol are configured to transmit their log events to the AlienVault Sensor over UDP port 514 or TCP port 514. Rsyslog on the AlienVault Sensor receives these events and writes them to local log files according to its configuration. Note that syslog over UDP gives no delivery guarantee and no sender authentication: a dropped datagram is lost silently and the source address can be spoofed, so prefer TCP (or TLS-wrapped syslog where the device supports it) and restrict port 514 on the sensor to the expected log sources.

2.2. Logs parsed by the agent using plugins
The AlienVault Agent, running on the AlienVault Sensor, is configured with a series of log-parsing plugins, which read the incoming log files. The agent also controls other event-gathering functions on the sensor, such as intrusion detection.

2.3. Security events extracted from the logs
Each plugin parses the log file text according to a series of Security IDs (SIDs). The SID is the name of the log message, that is, its meaning. Some examples of SIDs are the following:
- User Logged In
- New Connection From
- File matched Signature

2.4. Normalization of SIDs
No matter the format of a log message, certain pieces of data are common throughout all of them:
- User names
- IP addresses
- MAC addresses
- URIs

Extracting these values out of the log message text and into a field is called normalization. Normalization is what allows us to perform queries such as: "Show all events where the source IP is 192.168.1.3."

2.5. Normalized SIDs transmitted to the AlienVault server
The logs are broken down by the type of message, and the information extracted from them is used to populate the following fields:

- date
- sensor
- interface
- plugin_id
- plugin_sid
- priority
- protocol
- src_ip
- src_port
- dst_ip
- dst_port
- username
- password
- filename
- userdata1 through userdata9
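The parsing and normalization steps of sections 2.2 to 2.5, as an added example that is not AlienVault's plugin code: a miniature plugin in Python with two constructed rules for an sshd-style syslog source. The plugin_id (4003), the SID numbers, the regexes and the sample log lines are all assumptions made for this example; the output records use the field names listed above, and the last function is the kind of query that normalization makes possible.

```python
import re
from datetime import datetime

# Hypothetical plugin: each rule names a SID and says which regex groups
# populate the normalized event fields.  plugin_id 4003, the SID numbers
# and the regexes are constructed for this example.
PLUGIN_ID = 4003
SYSLOG_HDR = (r"(?P<date>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<sensor>\S+)\s+"
              r"sshd\[\d+\]:\s+")
RULES = [
    {   # SID 1: "User Logged In"
        "plugin_sid": 1, "name": "User Logged In",
        "regexp": re.compile(SYSLOG_HDR + r"Accepted (?P<method>\w+) for (?P<user>\S+) "
                             r"from (?P<src_ip>\S+) port (?P<src_port>\d+)"),
        "fields": {"username": "user", "src_ip": "src_ip",
                   "src_port": "src_port", "userdata1": "method"},
    },
    {   # SID 2: "Failed Login"
        "plugin_sid": 2, "name": "Failed Login",
        "regexp": re.compile(SYSLOG_HDR + r"Failed password for (?:invalid user )?"
                             r"(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)"),
        "fields": {"username": "user", "src_ip": "src_ip", "src_port": "src_port"},
    },
]

# The normalized record the agent sends to the server (field list from the text).
EVENT_FIELDS = ["date", "sensor", "interface", "plugin_id", "plugin_sid", "priority",
                "protocol", "src_ip", "src_port", "dst_ip", "dst_port", "username",
                "password", "filename"] + [f"userdata{i}" for i in range(1, 10)]


def normalize_date(text, year=2014):
    """Syslog timestamps carry no year; the sensor supplies one (assumed 2014 here)."""
    clean = " ".join(text.split())
    return datetime.strptime(f"{year} {clean}", "%Y %b %d %H:%M:%S").isoformat()


def parse_line(line):
    """Run the plugin's rules over one raw log line.  Returns a normalized
    event keyed by EVENT_FIELDS, or None when no rule matches (log noise)."""
    for rule in RULES:
        m = rule["regexp"].match(line)
        if not m:
            continue
        event = dict.fromkeys(EVENT_FIELDS)
        event["plugin_id"] = PLUGIN_ID
        event["plugin_sid"] = rule["plugin_sid"]
        event["date"] = normalize_date(m.group("date"))
        event["sensor"] = m.group("sensor")
        event["protocol"] = "TCP"           # assumption: this plugin only sees SSH over TCP
        for field, group in rule["fields"].items():
            event[field] = m.group(group)
        for port in ("src_port", "dst_port"):
            if event[port] is not None:
                event[port] = int(event[port])
        return event
    return None


def parse_log(lines):
    """Parse a whole spool file, dropping lines no rule claims."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def events_where(events, **criteria):
    """The query normalization enables, e.g. events_where(evs, src_ip="192.168.1.3")."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


# Constructed sample log, as it might sit in the sensor's rsyslog output file.
SAMPLE_LOG = """\
Mar 14 09:12:01 web01 sshd[2310]: Failed password for invalid user admin from 192.168.1.3 port 51022 ssh2
Mar 14 09:12:04 web01 sshd[2310]: Failed password for root from 192.168.1.3 port 51023 ssh2
Mar 14 09:12:09 web01 sshd[2315]: Accepted publickey for joe from 10.53.80.3 port 40112 ssh2
Mar 14 09:12:10 web01 CRON[2320]: pam_unix(cron:session): session opened for user root by (uid=0)
""".splitlines()

if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print({k: v for k, v in ev.items() if v is not None})
    print("from 192.168.1.3:", len(events_where(parse_log(SAMPLE_LOG), src_ip="192.168.1.3")))
```

The CRON line is deliberately left unmatched: a plugin only emits events for the SIDs it defines, which is why log noise never reaches the server as an event.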

3. HOW EVENTS ARE PROCESSED
3.1. Events from the server to the database
The event database is commonly on the same host as the AlienVault Server, but in large deployments the database can be a separate host for increased performance capacity. Although the events are now stored to disk, the server still has several more operations to perform on them before they are ready to be searched. The database is accessed via TCP port 3306. You may need to check your firewall settings if you are deploying an AlienVault Server in a different network than the AlienVault Database; in that case open port 3306 only from the server's address rather than to the whole network, since the database holds every collected event.

3.2. The server parses the event priority and reliability
Each event type that has a SID is assigned a priority and reliability score when the plugin is created.

Priority. How urgently the event should be investigated (0 to 5 in AlienVault).

Reliability. How likely the event is to be a true positive (0 to 10 in AlienVault); a low reliability means the event is often a false positive.

A low-priority, high-reliability event could be: "user joe@mydomain logged in from 10.53.80.3". This message is always accurate, but describes normal behavior.

A high-priority, low-reliability event could be: "Authentication protocol anomaly from 10.53.80.3". This detection is a best guess, but what it describes is highly unusual.

3.3. The server checks assets to assign a risk score
The server maintains an inventory of known devices on the network, with an associated asset value (0 to 5) for each, defining their importance to the organization. This asset value is weighted against the event's priority and reliability score to produce a risk value:

risk = asset * (reliability * priority / 25)

With the ranges above the result lies between 0 and 10, and an event only reaches the maximum when the most reliable, most urgent signature hits the most valuable asset. Higher risk scores help the analyst know what to examine first. The flip side is that an asset value of 0 zeroes the risk of every event involving that host, so the inventory must be kept current and important hosts must not be left at a low value.

3.4. Application of the event taxonomy
No matter the source of the event, or the format it originated in, there are types of system and network events common across many system types. A security analyst wanting to see all user logins within a certain time period should not have to know the specific SID for each event type on each system type in order to retrieve that information. AlienVault maintains a taxonomy of event types that SIDs can be matched to and retrieved via. Correlation directives can also correlate events via their taxonomy, allowing the creation of device-independent correlation rules.

The following image describes how the taxonomy applies to a specific event:

3.5. The server crosschecks reputation data
If Open Threat Exchange (OTX) is enabled, the server checks the IP addresses in the events against the reputation database of Internet addresses. IP addresses that match are flagged for later reference. Later on, events that indicate attacks from external addresses are anonymized and submitted back to OTX, to corroborate what other AlienVault users are seeing from those hosts.

3.6. The event feeds into the correlation engine
Event correlation is one of the great powers of a SIEM: being able to look for patterns and sequences of events across multiple devices and device types. Events may actually go through this stage several times, since different correlation rules may take the same events as input. The normalization performed on the events earlier is what allows correlation directives to work with events from different device types: critical fields such as usernames, IP addresses, etc. can be referenced without the directive being written for that particular event type.

3.7. Events available for searching and browsing
The events from AlienVault components and external log sources are now available in the SIEM UI and/or in the USM Logger. Events are searched via the fields normalized out of them, pulled into reports, and used to trigger policy actions.

3.8. Correlation directives create alarm events
As events continue to feed into the correlation engine, a directive's conditions are met and alarm processing starts. Alarms may trigger on a single event matching certain conditions, or may require a specific sequence of events to trigger. Alarms may continue to move through their directive's stages over a matter of hours; an alarm that has already appeared in the system may still be processing additional incoming events to further corroborate the detection. Alarms are themselves events and, once triggered, can feed into other correlation directives, creating cascading levels of alarms.
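The server-side stages of sections 3.2 to 3.8 in one runnable pass, as an added example that is not AlienVault's server code: per-SID priority and reliability, the document's risk formula weighted by asset value, a taxonomy lookup, a reputation check, and a stateful correlation directive that emits an alarm which has the same shape as any other event. Everything here is constructed for the example: the SID metadata (plugin_id 4003, SIDs 1 and 2), the asset inventory, the stand-in reputation table, the assumed plugin_id 1505 for directive alarms, the directive itself and the input events, which are already-normalized records of the kind the agent sends.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Per-SID metadata of the kind a plugin author assigns when the plugin is written
# (AlienVault ranges: priority 0-5, reliability 0-10).  plugin_id 4003, the SID
# numbers and their values are constructed for this example.
SID_META = {
    (4003, 1): {"name": "User Logged In", "priority": 1, "reliability": 10,
                "taxonomy": ("authentication", "login_success")},
    (4003, 2): {"name": "Failed Login", "priority": 2, "reliability": 6,
                "taxonomy": ("authentication", "login_failed")},
}
ASSETS = {"web01": 4, "db01": 5}                   # asset value 0-5 per host (constructed)
DEFAULT_ASSET = 2                                   # assumed value for hosts not inventoried
REPUTATION = {"198.51.100.77": "Scanning Host"}    # constructed stand-in for OTX reputation data
ALARM_PLUGIN_ID = 1505                              # assumed plugin_id for directive-generated alarms


def risk_score(asset, reliability, priority):
    """risk = asset * (reliability * priority / 25), the document's formula; 0..10."""
    return asset * (reliability * priority) / 25.0


def enrich(event):
    """Stages 3.2-3.5: priority/reliability, asset-weighted risk, taxonomy, reputation flag."""
    meta = SID_META[(event["plugin_id"], event["plugin_sid"])]
    event["priority"], event["reliability"] = meta["priority"], meta["reliability"]
    event["category"], event["subcategory"] = meta["taxonomy"]
    asset = ASSETS.get(event["sensor"], DEFAULT_ASSET)   # value of the host the log came from
    event["risk"] = risk_score(asset, event["reliability"], event["priority"])
    event["otx_match"] = REPUTATION.get(event.get("src_ip"))
    return event


# A directive written against the taxonomy, so it fires for any device whose SIDs
# map to authentication/login_failed and login_success (constructed directive).
BRUTE_FORCE = {"name": "Brute force followed by successful login",
               "failures": 3, "window": timedelta(minutes=5),
               "priority": 4, "reliability": 8}


def correlate(events, directive=BRUTE_FORCE):
    """Stages 3.6 and 3.8: keep per-source state across events and emit alarm events."""
    recent_failures = defaultdict(list)      # src_ip -> failure timestamps inside the window
    alarms = []
    for ev in sorted(events, key=lambda e: e["date"]):
        if ev.get("category") != "authentication":
            continue
        ts, src = datetime.fromisoformat(ev["date"]), ev["src_ip"]
        recent_failures[src] = [t for t in recent_failures[src]
                                if ts - t <= directive["window"]]
        if ev["subcategory"] == "login_failed":
            recent_failures[src].append(ts)
        elif (ev["subcategory"] == "login_success"
              and len(recent_failures[src]) >= directive["failures"]):
            # The alarm carries the same fields as any event, so a further
            # directive could consume it in turn (cascading alarms).
            alarms.append({
                "date": ev["date"], "sensor": ev["sensor"],
                "plugin_id": ALARM_PLUGIN_ID, "plugin_sid": 1,
                "name": directive["name"], "src_ip": src,
                "username": ev["username"], "otx_match": ev["otx_match"],
                "priority": directive["priority"], "reliability": directive["reliability"],
                "risk": risk_score(ASSETS.get(ev["sensor"], DEFAULT_ASSET),
                                   directive["reliability"], directive["priority"]),
                "evidence": len(recent_failures[src]),
            })
            recent_failures[src].clear()
    return alarms


def _ev(date, sid, user, src_ip, sensor="web01"):
    return {"date": date, "sensor": sensor, "plugin_id": 4003,
            "plugin_sid": sid, "username": user, "src_ip": src_ip}


# Constructed normalized events, as they would arrive from the agent.
EVENTS = [
    _ev("2014-03-14T09:12:01", 2, "admin",  "198.51.100.77"),
    _ev("2014-03-14T09:12:04", 2, "root",   "198.51.100.77"),
    _ev("2014-03-14T09:12:06", 2, "oracle", "198.51.100.77"),
    _ev("2014-03-14T09:12:09", 1, "joe",    "10.53.80.3"),     # normal login, low risk
    _ev("2014-03-14T09:12:15", 1, "backup", "198.51.100.77"),  # success after the failures
]


def run_pipeline(events=EVENTS):
    """Enrich every event, then run the directive over the enriched stream."""
    enriched = [enrich(dict(e)) for e in events]
    return enriched, correlate(enriched)


if __name__ == "__main__":
    enriched, alarms = run_pipeline()
    for e in enriched:
        print(f'{e["date"]} sid={e["plugin_sid"]} {e["username"]}@{e["src_ip"]} '
              f'risk={e["risk"]} otx={e["otx_match"]}')
    for a in alarms:
        print("ALARM:", a["name"], a["src_ip"], "risk", a["risk"], "failures", a["evidence"])
```

Note what the numbers show: the individual failed logins score 1.92 and the normal login 1.6, so neither would rise to the top of an analyst's queue on its own; the alarm, built from the directive's own priority and reliability against the same asset, scores 5.12, and the reputation flag rides along with it because the alarm copies the normalized fields of the triggering event.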

4. EVENTS VISUALIZATION
Events can be visualized through these two options:

1. Analysis > Security Events (SIEM). The events can be grouped by clicking on the Grouped tab. Events can be grouped by the following:

2. Analysis > Raw Logs. Events can be visualized by time frame.