Security Information and Event Management (SIEM) Audit
Kevin Savoy, Audit Director, Strategic Risk Management

SIEM: just another acronym?
What is it?
Why?
Advanced Persistent Threats (APTs)
Audit Objectives
Audit Program

What is it?

It depends on who you talk to, but SIEM is usually defined as a holistic approach to security management. Security event management was the world of real-time monitoring (firewalls, IDS, etc.), detection, notification, and action. Security information management was the world of log retention, analysis, and reporting. Some have the two terms flipped, but put both together and you have SIEM!

It used to be good enough to put the fire out and then worry, as an afterthought, about what went wrong or what was prevented. Controls were always either preventive, detective, or corrective. Compliance with legal requirements such as notification of affected parties, e-discovery and the related preservation of data, and due diligence also requires a strong SIEM.

[Diagram; labels recovered from the slide: Preserved Data, Legal/Audit/IT Security, Firewall, Routers, IDS, Correlation Engine, Mgmt. Console, Warnings, Unix, App, Database, Syslogs, Personal Devices]

Think of every step that should be performed in managing events:
- Determining risks
- Blocking or quarantining
- Detecting an issue, anomaly, or pattern
- Event correlation
- Logging
- Alerting
- Analysis
- Data integrity
- Correcting or recovery
- Reporting and debriefing
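The steps above are the pipeline a SIEM automates. As an added illustration in Python (not part of the presentation), here is a toy version of the detection, correlation, alerting, and escalation steps: it normalizes constructed lines from three feeds (a firewall, an IDS, and a Unix sshd) into one schema, applies a correlation rule, and routes alerts by severity. The feed formats, rule thresholds, and escalation table are assumptions made for the example.

```python
"""Minimal SIEM-style pipeline: normalize feeds, correlate, alert, escalate.

Added example, not from the presentation. Feed formats, rule thresholds and
the escalation table are assumptions; the log lines are constructed samples
imitating a firewall, an IDS and a Unix sshd feed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed lines (not from any real system).
SAMPLE_FEED = """\
2015-10-27T09:00:01 fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=23
2015-10-27T09:00:05 srv01 sshd[1201]: Failed password for root from 203.0.113.7 port 51001 ssh2
2015-10-27T09:00:09 srv01 sshd[1202]: Failed password for root from 203.0.113.7 port 51002 ssh2
2015-10-27T09:00:14 srv01 sshd[1203]: Failed password for root from 203.0.113.7 port 51003 ssh2
2015-10-27T09:00:20 srv01 sshd[1204]: Accepted password for root from 203.0.113.7 port 51004 ssh2
2015-10-27T09:01:00 srv02 sshd[2201]: Failed password for alice from 192.0.2.44 port 40000 ssh2
2015-10-27T09:05:00 ids01 ALERT sig=ET SCAN Nmap src=203.0.113.7
"""

# One parser per feed; each yields the same normalized field names.
PATTERNS = [
    ("fw_deny",   re.compile(r"^(?P<ts>\S+) (?P<host>\S+) DENY src=(?P<src>\S+)")),
    ("ssh_fail",  re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)")),
    ("ssh_ok",    re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<src>\S+)")),
    ("ids_alert", re.compile(r"^(?P<ts>\S+) (?P<host>\S+) ALERT sig=(?P<sig>.+?) src=(?P<src>\S+)")),
]

# Assumed escalation table (the "who receives warnings" question): queues by severity.
ESCALATION = {"high": ["soc-oncall", "security-manager"], "medium": ["soc-queue"]}


def normalize(lines):
    """Parse raw feed lines into dicts sharing ts/host/kind/src; unparsable lines are dropped."""
    events = []
    for line in lines:
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                ev = m.groupdict()
                ev["kind"] = kind
                ev["ts"] = datetime.fromisoformat(ev["ts"])
                events.append(ev)
                break
    return events


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Two rules: (1) at least `threshold` failed logins from one source followed by
    a success within `window` -> high; (2) any IDS signature hit -> medium."""
    alerts = []
    failures = defaultdict(list)           # src -> timestamps of failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "ssh_fail":
            failures[ev["src"]].append(ev["ts"])
        elif ev["kind"] == "ssh_ok":
            recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "severity": "high",
                               "src": ev["src"], "host": ev["host"], "user": ev["user"],
                               "ts": ev["ts"], "evidence": len(recent)})
        elif ev["kind"] == "ids_alert":
            alerts.append({"rule": "ids_signature", "severity": "medium",
                           "src": ev["src"], "host": ev["host"], "sig": ev["sig"],
                           "ts": ev["ts"]})
    return alerts


def route(alert):
    """Escalation step: which queues receive the alert, from the assumed table."""
    return ESCALATION[alert["severity"]]


def run(feed=SAMPLE_FEED):
    """Full pipeline over a feed: returns (normalized events, alerts)."""
    events = normalize(feed.splitlines())
    alerts = correlate(events)
    return events, alerts


if __name__ == "__main__":
    for a in run()[1]:
        print(a["ts"], a["severity"], a["rule"], a["src"], "->", route(a))
```

On the constructed feed the single failed login from 192.0.2.44 never reaches the threshold, so it is logged but raises no alert; the three failures followed by a success from 203.0.113.7 do. A real correlation engine adds the missing steps from the list above (risk scoring, blocking, analysis, and retention), but the normalize-correlate-route shape is the same.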

Why?

If we don't catch or properly handle attacks or other issues, we may mess up the end game, such as correcting the problem and notifying affected parties. Just as bad is having the tools, logs, and other devices but failing to use them. The laws and courts may say that we failed in our due diligence to our citizens, employees, and other stakeholders.

SIEM should not be thought of as just appliances and software, although that is certainly what makes it easier. SIEM should be thought of as the total process: from detection (or prevention) all the way to providing enough information for lawyers, courts, stakeholders, law enforcement, and ourselves (auditors).

Vendors are creating new appliances and software to do log parsing, correlation and anomaly analysis, continuous monitoring, file integrity checking, and more. These systems take input from firewalls, IDS, routers, operating systems, databases, applications, authentication servers, and on and on, both to check for issues and to collect and store information for later processing. Most SIEM systems are a myriad of components that feed into one another. For instance, a dashboard may be presented through a central SIEM console, while analysis takes place on other servers and log information is saved on still other servers. It's like anything in life: you can go piecemeal or big bang!

We have automated payroll, AR, EMR, manufacturing, insurance claims, and on and on. Why not security management? (Don't worry, there will still be security folks.) One day your console may blink to tell you that a risky IP address matching known patterns got through your router and firewall, that a Unix server's directory permissions are now different, and that all e-backups have been locked down for secure restoration.

Advanced Persistent Threats (APTs)

An APT is a concerted effort with the resources to attack you often and in force (manpower and brainpower). The actors are often foreign governments or criminal entities. Banking and defense were the initial targets. Now everyone is fair game, including state and local government, universities, and health care.

Larger state agencies and higher education may be Fort Knox, so those performing APTs often go after smaller entities. They know that defenses may have been implemented to a lesser degree at smaller operations (think smaller higher-education institutions, outpatient clinics, local government, and state agencies). College at Wise story (lesson learned: harden all wire transfer processes).

Think of all the data present every second that could be a potential signal that something is amiss. SIEMs attempt to take that overwhelming volume of information and make sense of it, in addition to preserving it.

Challenges:
- Cost
- Standardization
- A myriad of protocols to deal with from the appliances feeding information
- What data to keep and where to keep it

To misquote a recently deceased dictator: the audit of SIEM could be the mother of all audits. You are in essence doing an audit of an automated IT audit function. You may want to attack it piecemeal or swallow it whole; it depends on how much time you have.

Audit Objectives

There are two main audit objectives.

Objective 1: An audit of the SIEM automation itself, what it provides, and whether it is useful to the organization:
- Policies
- Procurement of SIEM infrastructure (cost/benefit of the control)
- Configuration diagram (what's talking to what, and how)
- Prevention (the usual: do you stop, allow with warning, etc.)
- Warnings (how soon, who receives them, what technology)
- Response
- Follow-up
- Legal and operational log retention (does it meet legal obligations?)
- Legal actions

Objective 2: An audit of the security of the SIEM automation:
- Access to electronic and paper logs
- Security over audit tripwires (what causes logging or an alarm)
- Security over interfaces between component appliances (who controls them, are they encrypted?)
- Security of the component appliances (physical and logical)

Some of these may be covered in some of your other audits, such as database, operating system, and network audits.

Audit Program

Objective 1: Determine the effectiveness of the SIEM automation

Step 1. Obtain policies and procedures to gain an understanding of your organization's SIEM strategy.

Step 2. Determine that procurement of appliances is in line with organization strategy and that the cost does not exceed the benefit of the control, either singularly or in combination with other controls (use NPV, etc.).

Step 3. Obtain a diagram of all components with their functions labeled (prevention, warning, logging, retention). The diagram should also show all data flows between components. Manual processes should be noted as well.

Step 4. Determine that all components and data flows are used efficiently to attain prevention (if possible), logging, warning, response, and preservation of data.

Step 5. Determine that warning tripwires have been planned ahead of time and that escalation procedures are appropriate. What technology is used, and is it appropriate (email, text message, phone call, etc.)? At what level is authority given to stop an alarm from being reported higher, and is that appropriate based on risk?

Step 6. Determine that events are acted upon (this could be part of another audit, such as incident response). Determine that responses to events were appropriate.

Step 7. Determine that legal actions were sufficient for any incident (again, this could be part of another audit, such as incident response). Affected parties should have been notified if your organization was responsible for doing so.

Step 8. Determine that any SIEM-generated data that must be preserved by law has been stored appropriately.

Objective 2: Determine the security over the SIEM automation

Step 9. Determine that access to paper and electronic logs is well thought out and that procedures exist for granting, provisioning, and removing access to logs.

Step 10. Determine the appropriateness of who decides what protocols and events are logged and acted upon. Usually this is a group effort: firewall administrators have their concerns, a Unix administrator has concerns, an application owner has their concerns, etc.

Step 11. Determine that access to audit tripwire configuration is controlled by proper access procedures.

Step 12. Determine what interfaces move data between components. Be vigilant for data that can be modified or read in clear text.

Step 13. Determine that security over warning transmissions is appropriate and that high-risk messages cannot be read or stopped during the escalation process.

Step 14. Determine that individual appliances are secure at the operating system, database, network, and application levels. This may be done in other audits.
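Steps 8 and 12 both come down to one question an auditor can actually test: can preserved SIEM data be altered without anyone noticing? As an added Python example (not from the presentation), here is a tamper-evident retention check: each retained record is bound to the previous one by an HMAC-SHA256 tag under a key held by the log custodian, and verify() reports the first record that has been modified, removed, or reordered. The records and the key are constructed for the example; in practice the key would live with the custodian, not beside the logs.

```python
"""Tamper-evident retention check for preserved SIEM records.

Added example, not the presentation's code. Each retained record is bound to the
previous one by an HMAC-SHA256 tag under a key held by the log custodian, so an
auditor who is given the key (or a trusted verifier) can detect modified,
deleted, reordered, or truncated records. Record contents are constructed.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev-tag of the first entry


def _tag(key, seq, prev, record):
    """HMAC over a canonical JSON encoding of (seq, prev, record)."""
    body = json.dumps({"seq": seq, "prev": prev, "record": record}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def seal(records, key):
    """Build the chain. Returns (chain, head); the head tag should be stored
    separately by the custodian (e.g. in the audit file) to catch truncation."""
    chain, prev = [], GENESIS
    for seq, record in enumerate(records):
        tag = _tag(key, seq, prev, record)
        chain.append({"seq": seq, "prev": prev, "record": record, "tag": tag})
        prev = tag
    return chain, prev


def verify(chain, key, expected_head=None):
    """Return (True, None) if intact; otherwise (False, seq) where seq is the
    first entry that fails. A chain shortened from the end is only caught
    when the separately stored head tag is supplied."""
    prev = GENESIS
    for seq, entry in enumerate(chain):
        if entry["seq"] != seq or entry["prev"] != prev:
            return False, seq            # entry missing or reordered
        expected = _tag(key, seq, prev, entry["record"])
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, seq            # record or tag altered, or wrong key
        prev = entry["tag"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)         # entries dropped from the end
    return True, None


# Constructed sample of preserved records (not from any real system).
SAMPLE_RECORDS = [
    {"ts": "2015-10-27T09:00:05", "host": "srv01", "msg": "Failed password for root from 203.0.113.7"},
    {"ts": "2015-10-27T09:00:20", "host": "srv01", "msg": "Accepted password for root from 203.0.113.7"},
    {"ts": "2015-10-27T09:01:00", "host": "fw01", "msg": "DENY src=203.0.113.7 dport=23"},
    {"ts": "2015-10-27T09:05:00", "host": "ids01", "msg": "ALERT sig=ET SCAN Nmap src=203.0.113.7"},
]
CUSTODIAN_KEY = b"constructed-demo-key-do-not-reuse"  # placeholder key for the example


def demo():
    """Seal the sample, then show what each kind of tampering looks like to verify()."""
    chain, head = seal(SAMPLE_RECORDS, CUSTODIAN_KEY)
    results = {"intact": verify(chain, CUSTODIAN_KEY, head)}
    edited = json.loads(json.dumps(chain))            # deep copy, then rewrite one record
    edited[1]["record"]["msg"] = "Failed password for root from 203.0.113.7"
    results["edited"] = verify(edited, CUSTODIAN_KEY, head)
    results["deleted"] = verify(chain[:2] + chain[3:], CUSTODIAN_KEY, head)
    results["truncated"] = verify(chain[:-1], CUSTODIAN_KEY, head)
    results["wrong_key"] = verify(chain, b"other-key", head)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10s} -> {outcome}")
```

The check is only as good as the key handling, which is the Step 12 point in another form: if the custodian key travels in clear text over the same interfaces as the logs, or is readable by whoever can edit the logs, the chain proves nothing. The head tag stored outside the log store is what turns "nothing in the middle was changed" into "nothing was removed from the end either".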

SIEM may be old thinking in new packaging, but technology has advanced to the point where audit needs to take advantage of any components that have been installed. In the past we have looked at IDS, firewalls, routers, servers, and interfaces, but as more SIEM appliances exist to coordinate these functions, we need to stay on top of the extra control our organizations may be achieving without our knowledge. So asking is the first step!!!

kevin.savoy@apa.virginia.gov