Security Information and



Similar documents
ArcSight Express Administration and Operations Course

Management. Oracle Fusion Middleware. 11 g Architecture and. Oracle Press ORACLE. Stephen Lee Gangadhar Konduri. Mc Grauu Hill.

WebLogic Server 11g Administration Handbook

Contents. Assessing Social Media Security. Chapter! The Social Media Security Process 3

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

QRadar SIEM 6.3 Datasheet

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

Applications. Oracle WebCenter 11 g Handbook: Build Rich, Customizable Enterprise 2.0. Oracle Press ORACLE. Philipp Weckerle.

VISUALIZING DATA POWER VIEW. with MICROSOFT. Brian Larson. Mark Davis Dan English Paui Purington. Mc Grauu. Sydney Toronto

Understanding the Pros and Cons of Combination Networks 7. Acknowledgments Introduction. Establishing the Numbers of Clients and Servers 4

Security Metrics. A Beginner's Guide. Caroline Wong. Mc Graw Hill. Singapore Sydney Toronto. Lisbon London Madrid Mexico City Milan New Delhi San Juan

Tuning Tips & Techniques

Compensating the Sales Force

Master Data Management and Data Governance Second Edition

Scalability in Log Management

SIEM Optimization 101. ReliaQuest E-Book Fully Integrated and Optimized IT Security

Building and Managing

Defining, building, and making use cases work

CONTINUOUS LOG MANAGEMENT & MONITORING

Study Guide. Professional vsphere 4. VCP VMware Certified. (ExamVCP4IO) Robert Schmidt. IVIC GratAf Hill

ALERT LOGIC LOG MANAGER & LOGREVIEW

DETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD

whitepaper The Benefits of Integrating File Integrity Monitoring with SIEM

Manager 10g Grid Control Handbook

NitroView. Content Aware SIEM TM. Unified Security and Compliance Unmatched Speed and Scale. Application Data Monitoring. Database Monitoring

Boosting enterprise security with integrated log management

The SIEM Evaluator s Guide

How To Achieve Pca Compliance With Redhat Enterprise Linux

QRadar SIEM and FireEye MPS Integration

Development Effort & Duration

Clavister InSight TM. Protecting Values

Caretower s SIEM Managed Security Services

LogInspect 5 Product Features Robust. Dynamic. Unparalleled.

IBM Security QRadar SIEM Product Overview

Log management & SIEM: QRadar Security Intelligence Platform

What is SIEM? Security Information and Event Management. Comes in a software format or as an appliance.

for Hundreds of Ready-to-Use Phrases to Set the Stage for Productive Conversations, Meetings, and Events Meryl Runion with Diane Windingland

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

LogPoint 5.1 Product Features Robust. Dynamic. Unparalleled.

IBM Security IBM Corporation IBM Corporation

IBM QRadar Security Intelligence April 2013

Symantec Security Information Manager Administrator Guide

CONTENTS AT A GMi#p. Chapter I Ethical Hacking Basics I Chapter 2 Cryptography. Chapter 3 Reconnaissance: Information Gathering for the Ethical Hacker

How To Buy Nitro Security

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Oracle Big Data Handbook

UNIFIED THREAT MANAGEMENT SOLUTIONS AND NEXT-GENERATION FIREWALLS ADMINISTRATION TOOLS NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

Enterprise SysLog Manager (ESM)

Enterprise Security Solutions

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

End-user Security Analytics Strengthens Protection with ArcSight

Implementation & Administration

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

McAfee Security Information Event Management (SIEM) Administration Course 101

Secret Server Splunk Integration Guide

Implementing Cisco Intrusion Prevention System 7.0 (IPS)

Cisco. A Beginner's Guide Fifth Edition ANTHONY T. VELTE TOBY J. VELTE. City Milan New Delhi Singapore Sydney Toronto. Mc Graw Hill Education

Integration in Practice

Trend Micro. Advanced Security Built for the Cloud

Networking. Sixth Edition. A Beginner's Guide BRUCE HALLBERG

Average annual cost of security incidents

LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management

Protecting Communication in SIEM systems

nfx Cinxi One SIEM Partner Guide Revision: H2CY10

Developing Value from Oracle s Audit Vault For Auditors and IT Security Professionals

QRadar SIEM and Zscaler Nanolog Streaming Service

CALNET 3 Category 7 Network Based Management Security. Table of Contents

High End Information Security Services

Threat and Vulnerability Management (TVM) Protecting IT assets through a comprehensive program. Chicago IIA/ISACA

CorreLog: Mature SIEM Solution on Day One Paul Gozaloff, CISSP. Presentation for SC Congress esymposium CorreLog, Inc. Tuesday, August 5, 2014

MANAGED SECURITY SERVICES (MSS)

Computer Security Log Files as Evidence

AlienVault for Regulatory Compliance

Maximizing Configuration Management IT Security Benefits with Puppet

Official Cert Guide. CCNP Security IPS Odunayo Adesina, CCIE No Keith Barker, CCIE No Cisco Press.

Everything You Always Wanted to Know About Log Management But Were Afraid to Ask. August 21, 2013

LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE

An Introduction to SIEM & RSA envision (Security Information and Event Management) January, 2011

What is Security Intelligence?

IBM Security Operations Center Poland! Wrocław! Daniel Donhefner SOC Manager!

Q1 Labs Corporate Overview

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide

THE FIRST UNIFIED DATABASE SECURITY SOLUTION. Product Overview Security. Auditing. Caching. Masking.

Ultimate Windows Security for ArcSight. YOUR COMPLETE ARCSIGHT SOLUTION FOR MICROSOFT WINDOWS Product Overview - October 2012

Tech Brief. Choosing the Right Log Management Product. By Michael Pastore

Obtaining Value from Your Database Activity Monitoring (DAM) Solution

Five Ways to Use Security Intelligence to Pass Your HIPAA Audit

Demonstrating the ROI for SIEM: Tales from the Trenches

Security Operations Metrics Definitions for Management and Operations Teams

How to Implement Lean Manufacturing

Managing Enterprise Devices and Apps using System Center Configuration Manager

IBM Security QRadar SIEM Version (MR1) Tuning Guide

From the Bottom to the Top: The Evolution of Application Monitoring

Module 1: Overview. Module 2: AlienVault USM Solution Deployment. Module 3: AlienVault USM Basic Configuration

Transcription:

Security Information and Event Management (SIEM) Implementation DAVID R. MILLER SHON HARRIS I ALLEN A. HARPER STEPHEN VANDYKE CHRIS BLASK Mc Graw Hill New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto

i Tm : Contents Foreword i xxi Acknowledgments Introduction xxiii xxv 1 Business Models 3 What Are IT Business Models? 4 What You Have to Worry About.. 5 Overview of CIA 9 Government 10 Military 10 ThreeLetter Agencies 12 Social Services Infrastructure 13 Commercial Entities 14 Retail Services 14 Manufacturing/Production 15 Banking 15 Universities 16 How Does Your Company's... Business Model Affect You? 18 Xlil

PCI HIPAA SOX GLBA xiv Security Information and Event Management (SIEM) Implementation 2 Threat Models 19 The Bad Things That Could Happen 21 Vulnerabilities 21 Malicious Intent 23 Recognizing Attacks on the IT. Systems 25 Scanning or Reconnaissance 26 Exploits 26 Entrenchment 29 Phoning Home 30 Control 31 After That 32 Summary 33 3 Regulatory Compliance 35 Compliance Regulations 38 SarbanesOxley Act (2002) 38 GrammLeachBliley Act (1999) 38 Healthcare Insurance Portability and Accountability Act (1996) 39 Payment Card Industry Data Security Standard DSS 39 California Senate Bill 1386 (2003) CA SB1386 40 Federal Information Security Management Act (2002) FISMA 40 Cyber Security Act of 2009 (SB 773) 40 Recommended Best Practices 41 Prudent Security 42 Summary 49 4 SIEM Concepts: Components for Small and Mediumsize Businesses 53 The Homegrown SIEM 54 Log Management 55 Syslog 56 Alerts 56 Flow Data 56 Vulnerability Assessment Data 57 Let the Collection Begin 57 Logging Solutions 60

Contents XV Event Correlation 63 Event Normalization 64 Correlation Rules 65 Commercial SIEM for SME 65 Endpoint Security 67 Securing the Endpoints 67 Protecting the Network from the Endpoints 70 IT Regulatory Compliance 71 Compliance Tools 73 Implementation Methodology 74 Tools Reference 75 Summary 76 5 The Anatomy of a SIEM 77 Source Device 78 Operating Systems 79 Appliances 79 Applications 79 Determining Needed Logs 80 Determining Needed SIEM Resources 80 Log Collection 81 Push Log Collection 82 Pull Log Collection 82 Prebuilt Log Collection 83 Custom Log Collection 83 Mixed Environments 83 Parsing/Normalization of Logs 84 Rule Engine/Correlation Engine i 86 Correlation Engine 1 87 Log Storage 90 Database 90 Flat Text File 90 Binary File 91, Monitoring 91 Summary 92 6 Incident Response 93 What Is an Incident Response Program? 94 Grown from the Security Program 94 Where the IR Program Fits In 96 How to Build an Incident Response Program 97 The IR Team 97 Useful Tools for the IR Team 99

xvi Security Information and Event Management (SIEM) Implementation Socio/Political Aspects 100 The Price Tag 100 Security Incidents and a Guide to Incident Response 101 A Typical Escalation Flow to Security Incident 101 Finally! An Incident 102 Incident Response Procedures 104 Automated Response Automated Response a Good Thing 112 Automated Response a Bad Thing 113 Summary 114 Ill 7 Using SIEM for Business Intelligence 115 What Is Business Intelligence 116 Business Intelligence Terminology 117 Common Business Intelligence Questions 119 Answers to the Common Business Intelligence Questions 119 Developing Business Intelligence Strategies Using SIEM 130 How to Utilize SIEM for Your BI Objectives 131 Using the Data that Your Organization Currently Possesses 132 What Other Companies Are Doing with SIEM and BI 134 Summary 135 Part III 8 AlienVault OSSIM Implementation 139 Background 140 Concept 140 Open Source Tools 140 Functionality 142 Commercial Version 146 Design 147 Architecture 147 Deployment Considerations 149 Implementation 149 Requirements 150 Installation Process 151 Profiles 165 Modifications After Installation 165 Web Console 166 Dashboards 166

Contents XVll Incidents 166 Analysis 167 Reports 167 Assets 167 Monitors 167 Intelligence 167 Configuration 168 Tools 168 Summary 168 9 AlienVault OSSIM Operation 169 Interface 170 Dashboards 170 Incidents 174 Analysis 178 Assets 181 Intelligence 182 Monitors 184 Analysis of a Basic Attack 185 Analysis of a Sophisticated Attack 190 Summary 195 10 Cisco Security: MARS Implementation 197 Introduction to MARS 198 Topology, Sessions, and Incidents 199 Scaling a MARS Deployment 201 Analyze Requirements 202 Objectives 202 Unique Threat Concerns 203 Infrastructure Inventory 204 Design 205 Resources and Requirements 205 Roles and Responsibilities 206 Deployment 206 Installing the Device and Connect to Network 206 Configuring the Web Interface 208 Assigning MARS User Accounts 208 Adding Monitored Devices 209 Integrating Flow Data 212 Generating Topology 212 Operation: Queries, Rules, and Reports 216 Queries 217 System Rules 218

xvlll Security Information and Evont Management (SIEM) Implementation User Inspection Rules 220 Reports 221 Limitations 223 Summary 223 11 Cisco MARS Advanced Techniques 225 Using the MARS Dashboard 226 Summary Page 228 Incidents Page 233 Query/Reports Page 234 Rules Page 235 Management Page 238 Admin Page 240 Adding Unsupported Devices to MARS 243 Importing Device Support Packages 244 Building Your Own Custom Parsers 246 A Typical Day in the Life of a MARS Operator 252 Limitations 259 Summary 259 12 Ql Labs QRadar Implementation 261 QRadar Architecture Overview 262 Ql Labs Terms to Know 266 Planning 267 Know Your Network 267 Plan Your QRadar SIEM Deployment 268 Initial Installation 270 Configuring the Underlying CentOS System 270 The QRadar Administrative Interface 271 Getting Flow and Event Data into QRadar 285 Event Sources and Data 286 Flow Sources and Data 287 Summary 287 13 Ql Labs QRadar Advanced Techniques 289 Using the QRadar Dashboard 291 QRadar Dashboard Default Views 292 QRadar Views 292 Custom Views 295 The Equation Editor 296 QRadar Sentries 299 QRadar Sentry Components 300 QRadar Sentry Types 300

... \., Contents XlX QRadar Rules 301 QRadar Rule Types 302 QRadar Rule Components 302 QRadar Custom Rules Wizard 303 The Offense Manager 307 Searching QRadar Offenses 308 QRadar Tuning 309 QRadar False Positive Wizard 309 QRadar DSMs and Custom DSMs 311 Replacing the QRadar SSL Certificates 314 Stepping Through the Process 317 Analyzing Events 317 Summary 327 14 ArcSight ESM v4.5 Implementation 329 ArcSight Terminology and Concepts 330 Overview of ArcSight Products 331 ArcSight ESM v4.5 332 ArcSight SmartConnectors 335 ArcSight Express 336 ArcSight Logger 336 ArcSight ESM v4.5 Architecture Overview 337 Planning Your Deployment 340 Determine Goals 340 Manage Assets 341 Determine ArcSight Hardware Requirements 341 Initial Installation 342 Mount and Cable Servers 343 Install and. Configure Operating System 343 Install ArcSight ESM v4.5 Database Software and Oracle Database 344 Install ArcSight ESM v4.5 Manager 348 Configure ArcSight Partition Archiver 350 Install ArcSight SmartConnector 351 Install ArcSight Console 353 Summary 354 15 ArcSight ESM v4.5 Advanced Techniques 355 Operations: Dealing with Data 356 Filters 356 Rules 357 Lists 360 Trending 360

XX Security Information and Event Management (SIEM) Implementation Active Channels 361 Notifications 363 Cases 364 Exporting Information 364 Managing Assets and Networks 365 The ArcSight SmartConnector 365 The ArcSight Asset Model 366 The ArcSight Network Model 367 Management and Troubleshooting 368 Log and Configuration Files 368 Database 373 System Patching and Upgrades 376 Tips and Tricks 379 Summary 381 Appendix: The Ways and Means of the Security Analyst... 383 Index 415

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information