Security Information and Event Management (SIEM)


Security Information and Event Management (SIEM)
Dr. Andrej Rakar, SANS GCIH, RSA enVision CSE, MCP, MCSA, ISS Expert

Security Information and Event Management (SIEM), agenda:
- SIEM Role in ISMS
- RSA enVision Presentation
- SIEM Integration in Information System

The Enterprise Today: Mountains of data, many stakeholders

Security, compliance and operations needs served by the same data: malicious code detection, real-time monitoring, spyware detection, troubleshooting, access control enforcement, configuration control, privileged user management, lockdown enforcement, unauthorized service detection, false positive reduction, IP (intellectual property) leakage, user monitoring, SLA monitoring.

Log sources: web server activity logs, switch logs, web cache and proxy logs, content management logs, VA scan logs, Windows domain logins, Windows logs, IDS/IDP logs, router logs, VPN logs, firewall logs, wireless access logs, Oracle Financials logs, mainframe logs, Linux, Unix and Windows OS logs, client and file server logs, DHCP logs, SAN file access logs, VLAN access and control logs, database logs.

Two questions follow: how to collect and protect all the data necessary to build a platform for security, compliance and network operations, and how to analyze and manage all that data to transform it into information.

Challenge: Growth of Enterprise Silos, Redundant Information Management
Silos: commercial applications, internal applications, operating systems, security information, network information, database systems, storage.

Challenges

Information security:
- Hard to get up-to-date metrics for security status
- Countless hours spent gathering and understanding security logs from disparate systems
- Incident response is ad hoc, manual and inefficient
- Data overload causes reactive security measures

IT compliance reporting:
- Creating reports is time-consuming, labor-intensive and error-prone
- Senior management expects to cut compliance costs
- IT governance is reactive, not proactive

Requirements and Objectives
- Improve proof-of-compliance reporting of IT controls
- System monitoring and supervision: network controls, applications
- Efficient management of security risks: real-time security alerts
- Cut compliance costs by replacing manual processes with a holistic solution for continuous security information and event management

SIEM for Monitoring and Improvement of ISMS

ISMS (Information Security Management System) documentation: information security policy, inventory of assets, risk analysis report, statement of applicability, policies, procedures and standards, SLAs, contracts. Business processes are controlled by this process documentation, and the ISMS is reviewed and improved against it.

SIEM supplies the events that feed that review: security incidents, vulnerabilities, malfunctions, audit results, security assessment results. Analysis of those events produces the proving documentation, i.e. the evidence that the documented controls actually operate.

SIEM for Simplifying Compliance

Compliance environment: HIPAA, GLBA, Basel II, FISMA, PCI, Sarbanes-Oxley. (The original slide is a matrix marking each objective as "critical" or "highly desired" for each regulation; the marks did not survive extraction.)

Compliance objectives and what SIEM monitors for each:
- Access control enforcement: privileged user monitoring, unauthorized user access
- Configuration control: change control and lockdown enforcement, unapproved software monitoring
- Malicious code detection: anomaly monitoring against baselines, reporting of outbreaks
- User monitoring and management: monitor user privileges, enforcement of account policies
- Policy enforcement: verify user activity against policy, prevent information leakage
- Environmental and transmission security: secure data transmissions, proactive security of the network

Product capabilities: log management, asset identification, baseline, report and audit, alert/correlate, forensic analysis, incident management.

SIEM for Enhancing Security Operations

Security environment: internal systems and applications, e-commerce operations, perimeter, network operations. (The original slide is a matrix marking each objective as "most critical", "highly desired" or "desired" per environment; the marks did not survive extraction.)

Security objectives and the activities behind them:
- Access control enforcement: privileged user monitoring, corporate policy conformance
- Real-time monitoring: troubleshoot network and security events, answer "what is happening?"
- False positive reduction: confirm IDS alerts, enable critical alert escalation
- Correlated threat detection: watch remote network areas, consolidate distributed IDS alerts
- Watchlist enforcement: external threat exposure, internal investigations
- Unauthorized network service detection: shut down rogue services, intellectual property leakage
- SLA compliance monitoring: proof of delivery, monitor against baselines

Product capabilities: log management, asset identification, baseline, report and audit, alert/correlate, forensic analysis, incident management.

How to ensure that security measures are really implemented? What happened and when, and should actions be taken?

Problems:
- lengthy collection, management and understanding of security logs
- incident management is manual, inefficient and unsystematic
- the sheer volume of data prevents timely measures and actions
- determining the current security status of the information system is demanding
- generating reports is time-consuming, demanding and error-prone

Part 2: RSA enVision Presentation

Advantages of the RSA enVision Solution
- Real-time event management
- Real-time event correlation
- Automatic discovery of security incidents
- Support for a large number of systems and the possibility to integrate unknown devices
- >1000 preconfigured reports aligned with Basel II, PCI, ISO 27001, SOX, etc.
- Largest market presence for SIEM

RSA enVision Scalability (chart: events per second against number of devices for the ES Series and LS Series appliances; EPS axis from 1,000 to 300,000, device axis from 100 to 30,000)

RSA enVision Architecture (architecture diagram; no text survived extraction)

RSA enVision and LogSmart IPDB: All the Data with Consistently High Performance
(Diagram contrasting a conventional relational database, labelled "data loss", "unpredictable" and "explosion", with the LogSmart IPDB, labelled "authenticated", "compressed", "encrypted", "parallel analysis" and "alerts".)

Data Capture

Agentless data capture:
- Lowest possible impact on the enterprise
- Smaller attack surface by reducing the number of active elements
- Increases accuracy by reducing/eliminating blind spots

Raw data capture (WORM):
- Data integrity via Write Once Read Many (WORM) design
- Increases accuracy by reducing/eliminating data munging
- Permits data to be re-purposed as needed
- Supports both legal and forensic evidence discovery

Universal Device Support (UDS):
- Delivers very broad source device support
- Provides an easy mechanism to keep existing devices up to date
- Abstracts 100K+ events into distinct categories for

Analysis and Event Management

Intelligent data mining and raw event viewing:
- Both real-time and historical events can be analyzed
- Highly customizable to match individual consumer requirements
- Role-based access control
- Consistent performance independent of incoming EPS rate

Advanced event correlation and alerting:
- Real-time analysis across any/all device types or events
- Leverages the comprehensive event taxonomy
- Supports both anomaly-based and signature-based correlation logic
- Consistent performance independent of incoming EPS rate

Reporting engine:
- Offers both run-time and scheduled reports
- Analyzes and reports on both detail and summary information
- Dedicated reporting packages for specific industry requirements: SOX, PCI, HIPAA, GLBA, SAS 70, etc.
- >1000 reports and charts ship with the product
- Wizard GUI for customization
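The slide names the two families of correlation logic but shows neither. The following is an added example, not RSA enVision code: it runs both kinds of rule over constructed, already-normalized events (the field names ts, src, host, category and user are this example's own schema, not enVision's taxonomy). The signature rule flags a burst of failed logins followed by a success from the same source inside a sliding window; the anomaly rule flags a per-host event rate that departs from that host's own baseline.

```python
"""Signature- and anomaly-based correlation over normalized events.

Added example, not RSA enVision code.  Events are plain dicts in a schema
chosen here (ts in seconds, src, host, category, user); a real SIEM's
collectors would produce these from raw logs.
"""
from collections import defaultdict, deque
from statistics import mean, pstdev


def _ev(ts, src, host, category, user=None):
    return {"ts": ts, "src": src, "host": host, "category": category, "user": user}


# Constructed sample: one source fails 6 times then succeeds within a minute,
# a second source has only two failures, a third spreads 5 failures over more
# than the window so they never accumulate.
AUTH_EVENTS = (
    [_ev(t, "10.0.0.5", "web1", "auth.failure", "root") for t in (0, 5, 10, 15, 20, 25)]
    + [_ev(30, "10.0.0.5", "web1", "auth.success", "root")]
    + [_ev(t, "10.0.0.9", "web1", "auth.failure", "alice") for t in (0, 40)]
    + [_ev(45, "10.0.0.9", "web1", "auth.success", "alice")]
    + [_ev(t, "10.0.0.7", "web1", "auth.failure", "bob") for t in (0, 30, 60, 90, 120)]
    + [_ev(130, "10.0.0.7", "web1", "auth.success", "bob")]
)

# Constructed sample: a firewall with a quiet baseline (2-3 denies per minute
# for five minutes) followed by a burst of 20 denies in the sixth minute.
BASELINE_COUNTS = [2, 3, 2, 3, 2]
FIREWALL_EVENTS = [
    _ev(b * 60 + i * 10, "203.0.113.7", "fw1", "firewall.deny")
    for b, n in enumerate(BASELINE_COUNTS) for i in range(n)
] + [_ev(300 + i, "203.0.113.7", "fw1", "firewall.deny") for i in range(20)]


def brute_force_then_success(events, threshold=5, window=60):
    """Signature rule: at least `threshold` auth.failure events from one source
    within `window` seconds, followed by an auth.success from that source."""
    recent_failures = defaultdict(deque)  # src -> failure timestamps still in the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # expire failures older than the window
            q.popleft()
        if ev["category"] == "auth.failure":
            q.append(ev["ts"])
        elif ev["category"] == "auth.success" and len(q) >= threshold:
            alerts.append({"rule": "brute_force_success", "ts": ev["ts"], "src": ev["src"],
                           "host": ev["host"], "user": ev["user"], "failures": len(q)})
            q.clear()  # one alert per burst, not one per subsequent success
    return alerts


def rate_anomalies(events, bucket=60, min_history=3, z=3.0, min_sigma=1.0):
    """Anomaly rule: count events per host per time bucket and alert when a bucket
    exceeds mean + z * sigma of that host's earlier, non-alerting buckets.
    sigma is floored at min_sigma so a perfectly flat baseline does not make a
    difference of one event look anomalous."""
    counts = defaultdict(lambda: defaultdict(int))  # host -> bucket index -> count
    for ev in events:
        counts[ev["host"]][ev["ts"] // bucket] += 1
    alerts = []
    for host, per_bucket in counts.items():
        history = []  # counts of earlier buckets that did not alert (empty buckets count as 0)
        for b in range(min(per_bucket), max(per_bucket) + 1):
            n = per_bucket.get(b, 0)
            if len(history) >= min_history:
                threshold = mean(history) + z * max(pstdev(history), min_sigma)
                if n > threshold:
                    alerts.append({"rule": "event_rate_anomaly", "host": host, "bucket": b,
                                   "count": n, "threshold": round(threshold, 2)})
                    continue  # keep the burst out of the baseline
            history.append(n)
    return alerts


if __name__ == "__main__":
    for a in brute_force_then_success(AUTH_EVENTS) + rate_anomalies(FIREWALL_EVENTS):
        print(a)
```

Two design points carry over to any SIEM rule set: the signature rule clears its window after firing so one brute-force burst yields one alert rather than one per later success, and the anomaly rule excludes alerting buckets from the baseline so a sustained attack does not become the new normal.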

SIEM Reporting

Gain needed insight into IT controls:
- Discover trends and anomalies
- Track and report security-related activity on assets impacted by Sarbanes-Oxley and other regulations

Improve proof-of-compliance reporting:
- Demonstrate that your organization monitors activity on critical IT assets
- Identify and analyze security and compliance incidents
- Track and resolve incidents and policy violations

Out-of-the-box reports, configure existing reports, create your own.

RSA enVision Standard Reports (slide showing the report list; no text survived extraction)

Part 3: SIEM Integration in Information System

Drivers for Implementing SIEM Solutions
- Mitigating security risks
- End-user expectations
- Regulatory compliance
- Adaptability and business agility
- Cost containment

SIEM Integration in Information System
(Diagram. Legislation and standards define the security policy, which drives the correlation rules. The monitoring system collects events from servers, web servers, databases, applications, routers, firewalls and IDS/IPS; correlation turns events into incidents, which are handed to incident management and the help desk and reported by e-mail.)

Integration of Events, Systems and Identity Management
(Diagram: Security Information & Event Management and Identity & Access Management together provide comprehensive security and compliance management.)

Integration of Logs from Network Devices
> Syslog, Syslog-NG
> SNMP
> Formatted log files: comma/tab/space delimited, other
> ODBC connection to remote databases
> Push/pull XML files via HTTP
> Windows event logging API
> Check Point OPSEC interface
> Cisco IDS POP/RDEP/SDEE
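Each interface above delivers records in a different shape, and the collector's first job is to normalize them into one schema before any correlation runs. The following is an added example, not enVision's UDS: it parses a BSD syslog line, a comma-delimited firewall export with an assumed column order, and a simplified Windows-style XML record into a common event dict. The schema, the column order, the stripped-down XML layout and the sample records are all constructed for this example; the Windows event IDs 4624 and 4625 are the real logon success/failure IDs.

```python
"""Normalize log records from three of the collection interfaces listed above
into one event schema.  Added example, not RSA enVision's UDS.  The delimited
column order, the simplified Windows-style XML and the sample lines are all
constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# BSD syslog (RFC 3164): <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SSH_OK_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)")

# Assumed column order of the delimited firewall export (constructed).
DELIM_FIELDS = ["ts", "host", "action", "src_ip", "dst_ip", "dst_port"]

# Windows logon event IDs (real values) mapped onto the common taxonomy.
WINDOWS_CATEGORIES = {4624: "auth.success", 4625: "auth.failure"}


def event(ts, host, source_type, category, src_ip=None, user=None, msg="", **extra):
    """Common event schema used by every parser here (the schema is this example's own)."""
    e = {"ts": ts.isoformat(), "host": host, "source_type": source_type,
         "category": category, "src_ip": src_ip, "user": user, "msg": msg}
    e.update(extra)
    return e


def parse_syslog(line, year=2024):
    """RFC 3164 carries no year, so the collector must supply one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m["pri"]), 8)
    hh, mm, ss = (int(x) for x in m["time"].split(":"))
    ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss, tzinfo=timezone.utc)
    category, user, ip = "syslog." + m["tag"], None, None
    if (hit := SSH_FAIL_RE.search(m["msg"])):
        category, user, ip = "auth.failure", hit["user"], hit["ip"]
    elif (hit := SSH_OK_RE.search(m["msg"])):
        category, user, ip = "auth.success", hit["user"], hit["ip"]
    return event(ts, m["host"], "syslog", category, ip, user, m["msg"],
                 facility=facility, severity=severity)


def parse_delimited(line, sep=","):
    parts = line.strip().split(sep)
    if len(parts) != len(DELIM_FIELDS):
        return None
    rec = dict(zip(DELIM_FIELDS, parts))
    ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event(ts, rec["host"], "delimited", "firewall." + rec["action"].lower(),
                 rec["src_ip"], None, line.strip(), dst_ip=rec["dst_ip"], dst_port=int(rec["dst_port"]))


def parse_windows_xml(text):
    """Simplified Windows event XML (no namespace; constructed).  Stdlib ElementTree
    does not resolve external entities, but protection against entity-expansion
    bombs depends on the Expat version, so attacker-influenced XML belongs in
    defusedxml instead."""
    root = ET.fromstring(text)
    event_id = int(root.findtext("System/EventID"))
    ts = datetime.strptime(root.find("System/TimeCreated").get("SystemTime"),
                           "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    data = {d.get("Name"): d.text for d in root.iterfind("EventData/Data")}
    category = WINDOWS_CATEGORIES.get(event_id, "windows.%d" % event_id)
    return event(ts, root.findtext("System/Computer"), "windows_xml", category,
                 data.get("IpAddress"), data.get("TargetUserName"), "EventID %d" % event_id)


def normalize(raw):
    """Dispatch on shape; returns None for anything no parser accepts (a real
    collector would count and quarantine these rather than silently drop them)."""
    if SYSLOG_RE.match(raw):
        return parse_syslog(raw)
    if raw.lstrip().startswith("<Event"):
        return parse_windows_xml(raw)
    return parse_delimited(raw)


# Constructed sample records, one per interface.
SAMPLE_LINES = [
    "<34>Jan 12 10:15:03 web1 sshd[2211]: Failed password for root from 10.0.0.5 port 51022 ssh2",
    "2024-01-12T10:15:05Z,fw1,DENY,10.0.0.5,10.0.1.20,443",
    '<Event><System><Computer>dc1</Computer><EventID>4625</EventID>'
    '<TimeCreated SystemTime="2024-01-12T10:15:07Z"/></System>'
    '<EventData><Data Name="TargetUserName">root</Data><Data Name="IpAddress">10.0.0.5</Data></EventData></Event>',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalize(line))
```

The point of the common schema is visible in the output: three sources in three formats all yield category auth.failure or firewall.deny with the same src_ip, which is what lets a single correlation rule see the same attacker across a web server, a firewall and a domain controller.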

Integration with Network Management Systems
Integration with network management systems (SMS, MOM, etc.):
- Monitoring: definition and classification of incidents; create incident, update incident, close incident
- Management: consolidate the asset database; synchronization

Integration with Identity Management Systems
(Diagram. The IM system holds user provisioning, access control, federated SSO, roles, rules and policies over directories, databases, web applications, files and desktops. The SIEM system performs normalized event collection, correlation rules, pattern discovery and risk scoring and feeds alerts, reports and dashboards. The two share unified user/role information; badge readers are an additional event source.)
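What the shared user/role information buys is clearest when a rule actually uses it. The following is an added example, not enVision code: the directory contents, role names, event categories and badge/VPN events are constructed. It enriches each event with roles and account status from a directory and applies three identity-aware rules: a privileged action by a user who does not hold the role that action requires, any activity by a disabled or unknown account, and a badge-reader entry correlated with a remote VPN login for the same user inside a short window.

```python
"""Identity-enriched correlation: join SIEM events with user/role information.

Added example, not RSA enVision code.  The directory, role names, event
categories and badge/VPN events are all constructed for this example.
"""

# Unified user/role information as a SIEM would receive it from the IM system.
DIRECTORY = {
    "alice": {"roles": {"employee", "dba"}, "status": "active"},
    "bob":   {"roles": {"employee"}, "status": "active"},
    "carol": {"roles": {"employee"}, "status": "disabled"},
}

# Which role a privileged action requires: policy expressed as data, so the
# rule itself never has to change when the policy does.
ACTION_REQUIRES_ROLE = {
    "db.grant": "dba",
    "ad.group_add": "domain_admin",
}

# Constructed event stream (ts in seconds).  badge.entry comes from a badge
# reader at the office; vpn.login from the remote-access gateway.
EVENTS = [
    {"ts": 0,   "user": "alice",   "category": "db.grant",     "src": "10.0.0.11",     "host": "db1"},
    {"ts": 5,   "user": "bob",     "category": "db.grant",     "src": "10.0.0.12",     "host": "db1"},
    {"ts": 10,  "user": "carol",   "category": "auth.success", "src": "10.0.0.13",     "host": "web1"},
    {"ts": 20,  "user": "bob",     "category": "badge.entry",  "src": None,            "host": "badge-hq"},
    {"ts": 30,  "user": "alice",   "category": "vpn.login",    "src": "198.51.100.40", "host": "vpn1"},
    {"ts": 50,  "user": "mallory", "category": "auth.success", "src": "10.0.0.14",     "host": "web1"},
    {"ts": 400, "user": "bob",     "category": "vpn.login",    "src": "198.51.100.23", "host": "vpn1"},
]


def enrich(ev, directory=DIRECTORY):
    """Attach roles and account status from the directory; unknown users get None."""
    ident = directory.get(ev["user"])
    return {**ev,
            "roles": set(ident["roles"]) if ident else None,
            "status": ident["status"] if ident else None}


def evaluate(events, directory=DIRECTORY, presence_window=3600):
    """Run three identity-aware rules over the stream in time order."""
    alerts = []
    last_badge = {}  # user -> ts of most recent badge entry
    last_vpn = {}    # user -> (ts, src) of most recent VPN login

    def alert(rule, ev, **detail):
        alerts.append({"rule": rule, "ts": ev["ts"], "user": ev["user"], **detail})

    for ev in sorted(events, key=lambda e: e["ts"]):
        ev = enrich(ev, directory)
        if ev["status"] is None:  # identity not in the directory at all
            alert("unknown_identity", ev, category=ev["category"])
            continue
        if ev["status"] != "active":
            alert("disabled_account_activity", ev, category=ev["category"])
        needed = ACTION_REQUIRES_ROLE.get(ev["category"])
        if needed and needed not in ev["roles"]:
            alert("unauthorized_privileged_action", ev, required_role=needed, host=ev["host"])
        # Physical presence vs. remote login, checked in either order of arrival.
        user = ev["user"]
        if ev["category"] == "badge.entry":
            last_badge[user] = ev["ts"]
            if user in last_vpn and ev["ts"] - last_vpn[user][0] <= presence_window:
                alert("badge_and_remote_login", ev, vpn_src=last_vpn[user][1], badge_ts=ev["ts"])
        elif ev["category"] == "vpn.login":
            last_vpn[user] = (ev["ts"], ev["src"])
            if user in last_badge and ev["ts"] - last_badge[user] <= presence_window:
                alert("badge_and_remote_login", ev, vpn_src=ev["src"], badge_ts=last_badge[user])
    return alerts


if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(a)
```

None of the three rules can be written from the event stream alone: whether bob may issue a database grant, whether carol's account is still active, and whether bob was physically in the building when his VPN session started all come from the identity side of the integration.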

SIEM Implementation Best Practices
- Requirements analysis with clearly defined objectives and business processes
- Involve the right people during project execution
- Gradual implementation based on process significance and criticality
- Mandatory training and notification of all involved
- Continuous monitoring and adaptation to changes in the

Questions? E-mail: andrej.rakar@astec.si