The strategic and operational cyber platform. Jesper Zerlang, CEO




Transcription:


Agenda
- Introduction to LogPoint
- What are SIEM and LogPoint?
- The business value of SIEM
- Implementing SIEM and anchoring it in the organization
- Lessons learned
- The future of SIEM

LogPoint History
- Scandinavian (non-US) company
- 300+ customers in Europe
- 85+ employees, 35+ in development
- Offices in DK, SE, DACH, UK and France
- 100% y/y growth

Timeline:
- 2001: Founded in Copenhagen, Denmark as ImmuneSecurity
- 2008: LogInspect 2 is launched
- 2009: Launch of LogPoint 3
- 2010: LogPoint 4, No-SQL, +50 customers
- 2012: European-wide expansion; LogPoint V5, Big Data as platform; venture capital; +100 customers
- 2013: +100% growth, significant international orders; EAL 3 certification process
- 2014: France and South EMEA
- 2016: Global reach, Gartner positioning, LogPoint 6

Vision: To create the best SIEM platform worldwide

Selected References


Danish software company partners with Boeing. Per Beith, Director, Information Security Solutions, Network and Space Systems, Boeing, highlights the importance of access to the best of the best within the type of technology ImmuneSecurity [LogPoint, ed.] delivers, even for a company like Boeing. Read more: www.logpoint.com/en/press

EAL 3 certification
- LogPoint recently received the EAL3+ certification (Common Criteria), co-sponsored by The Boeing Company.
- Enabling implementation in cyber security units such as: NATO, Homeland Security organizations, Police, Military, Intelligence Services.

SIEM and LogPoint: What is it really?

(Figure: collected logs WITHOUT LogPoint vs. collected logs WITH LogPoint)

Security Operations Center View

Real-time dashboards and alarms


LogPoint V5 Scaling (1/4)
- Single server installation: one LogPoint server can have one or multiple internal repositories.
- Multiple server installation: two or more LogPoint servers can be monitored in the same dashboard.
- LogPoint can be installed as a VMware or Hyper-V appliance, a hardware appliance, or software.

LogPoint V5 Scaling (2/4): LogPoint cluster behind a load balancer (diagram: load balancer, monitoring, LogPoint cluster). Using multiple LogPoint servers makes it possible to build a LogPoint cluster where logs are sent through an (existing) load balancer. The cluster is easy to scale by simply adding LogPoint server(s) when needed, and it supports fail-over/high availability out of the box.

LogPoint V5 Scaling (3/4): Distributed environment. In a distributed environment it is possible to monitor all LogPoint installations via one interface, and data can be aggregated and correlated across systems while respecting user rights.

LogPoint V5 Scaling (4/4): Multi-tenancy environment (diagram: firewall, collectors, central server). Logs can be collected by LogPoint collectors; the collectors normalize the logs before forwarding them to the central LogPoint server(s). On the central server(s), user rights can be tied to the collector, so the collector a log arrived through defines which tenant may see it.
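As an added illustration of the collector/central-server split just described (not LogPoint's own code), the following models collector-side normalization and a central server that scopes every search to the collectors a user has rights on. The collector ids, field names and sample lines are constructed for the example.

```python
"""Multi-tenant log scoping modelled on the collector / central server split.
Added illustration, not LogPoint code: collector ids, field names and the
sample lines are constructed."""
import re
from dataclasses import dataclass, field

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[\w\-/]+)(?:\[\d+\])?: (?P<msg>.*)$")


def normalize(collector_id: str, raw: str) -> dict:
    """Collector-side step: parse a syslog line into a flat event and stamp it
    with the collector it arrived through. The stamp is the tenant boundary."""
    m = SYSLOG_RE.match(raw)
    if not m:
        # Keep unparsable lines instead of dropping them; they still belong to the tenant.
        return {"collector": collector_id, "raw": raw, "parsed": False}
    ev = m.groupdict()
    ev.update({"collector": collector_id, "parsed": True})
    return ev


@dataclass
class CentralServer:
    events: list = field(default_factory=list)
    # user -> set of collectors the user may search; "*" means every collector
    rights: dict = field(default_factory=dict)

    def ingest(self, collector_id: str, lines):
        for line in lines:
            self.events.append(normalize(collector_id, line))

    def grant(self, user: str, *collectors: str):
        self.rights.setdefault(user, set()).update(collectors)

    def search(self, user: str, **where) -> list:
        """Server-side enforcement: the permitted-collector filter is applied
        before any field predicate, so a query can never widen a user's scope."""
        allowed = self.rights.get(user, set())
        scoped = (self.events if "*" in allowed
                  else [e for e in self.events if e["collector"] in allowed])
        return [e for e in scoped if all(e.get(k) == v for k, v in where.items())]


# Constructed sample data: two tenants, one collector each.
TENANT_A = ["Mar 03 10:01:02 fw-a kernel: DROP src=10.0.0.5 dst=10.0.1.9",
            "Mar 03 10:01:05 ad-a sshd[412]: Failed password for root"]
TENANT_B = ["Mar 03 10:02:10 fw-b kernel: DROP src=172.16.4.2 dst=172.16.9.1",
            "not a syslog line at all"]


def build_demo() -> CentralServer:
    srv = CentralServer()
    srv.ingest("collector-a", TENANT_A)
    srv.ingest("collector-b", TENANT_B)
    srv.grant("analyst-a", "collector-a")   # tenant A analyst
    srv.grant("analyst-b", "collector-b")   # tenant B analyst
    srv.grant("msp-admin", "*")             # provider-side role sees all tenants
    return srv


if __name__ == "__main__":
    s = build_demo()
    print(len(s.search("analyst-a")), len(s.search("analyst-b", app="kernel")),
          len(s.search("msp-admin")))
```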

The business value of SIEM

Why SIEM and LogPoint? (1/3) Today, the majority of our communication takes place digitally, travelling through various networks and across enterprises, organisations, nations and continents. This very communication is now susceptible to crime, espionage and terrorism. Cyber security is now an essential part of our lives and business operations. So while digital communication has become our global lifeline, breakdowns and intrusions in our networks are bringing global threats to our economy and society.

Why SIEM and LogPoint? (2/3) With racing volumes of increasingly complex data coursing through our networks, effectively monitoring such digital crimes seems an impossible task. At the same time, we all have a fundamental need for privacy. No one likes the idea that someone else may be watching our information. But our digital communication leaves a log: a trail of critical information about time, place and routes. LogPoint monitors the behaviour of this log traffic without invading privacy.

Why SIEM and LogPoint? (3/3) LogPoint is a tool that collects and organises logs from activities anywhere on our networks, from applications to computers to servers to switches, routers and mobile devices. LogPoint makes log analysis and information assessment an easy, swift process to help you track and reveal security breaches in your network in real time. LogPoint constantly monitors your network's overall condition, identifying traffic bottlenecks and detecting attempts at intrusion so you can take prompt action to prevent future disruption and protect your assets.

Market Analytics
- Market size/year: licenses USD 1.6 billion, services USD 1.2 billion; EU = 30%
- Bottom line (Gartner Report, SIEM Futures): Enterprise architects have to plan for IT deployments of ever-increasing complexity and deal with increasing threats and risks. These and other trends create the need to expand security visibility throughout the entire stack of IT tools and technologies. Security information and event management (SIEM) is a pivotal technology that currently provides security visibility, and it is likely to hold the same role for the next two to three years. SIEM faces opportunities for growth in five core areas: new types of log and context data, shared intelligence, novel analytic algorithms, monitoring of emerging environments, and application security monitoring.

Tool or business-critical application?
What many enterprises think when they hear about LogPoint:
- We already have sufficient control of our logs!
- We don't want another monitoring tool!
- No demand from the business units; consequently: nice-to-have!
BUT: an enterprise without SIEM is a community without law enforcement!
- SIEM protects business assets
- SIEM creates overview
- SIEM discovers abnormal behaviour
- SIEM is the enterprise business intelligence platform for IT security, at the same level as e.g. SAP and SalesForce

Data is shared: the precondition for digitalisation to succeed.
Healthcare sector:
- Regions: doctors, nurses, social and health care assistants
- Municipalities: home helpers, nurses, doctors / practitioners in the broader sense
- It is legitimate to be able to look up records
- Restricting legitimate access has unacceptable consequences

IT operations or helpdesk?
Administrators:
- Cannot install a program that watches for specific users
- No change request
- No link between work context and behaviour
- Automated lookups: suspicious frequencies, suspicious times, lookups on VIP users
Support users: snooping in data is identified
- Has the customer been on the phone?
- Is there a case on the customer? Or was it created afterwards?
- The customer's file has no normal activity
- Suspicious frequency
- Suspicious pattern in the choice of customer lookups
- VIP lookups
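The snooping indicators listed above (no case on the customer, case created after the lookup, VIP lookups, unusual times, suspicious frequency) as detection logic over constructed lookup and case records. This is an added example, not LogPoint code; the event layout, working hours, grace period and rate baseline are assumptions.

```python
"""Record-lookup snooping detection for the support-user pattern above.
Added illustration, not LogPoint code; event format, thresholds and sample
data are constructed."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed lookup audit events: (user, record, timestamp, record flagged as VIP)
LOOKUPS = [
    ("sup01", "P-100", datetime(2016, 3, 3, 10, 5), False),   # normal: case opened first
    ("sup01", "P-101", datetime(2016, 3, 3, 10, 40), False),  # no case at all
    ("sup02", "P-900", datetime(2016, 3, 3, 23, 15), True),   # VIP, outside hours, no case
    ("sup02", "P-102", datetime(2016, 3, 3, 11, 0), False),   # case created afterwards
] + [("sup03", f"P-{n}", datetime(2016, 3, 3, 14, n - 200), False)  # 30 lookups in one hour
     for n in range(200, 230)]

# Constructed case records: (user, record, case opened timestamp, customer phoned in)
CASES = [
    ("sup01", "P-100", datetime(2016, 3, 3, 9, 58), True),
    ("sup02", "P-102", datetime(2016, 3, 3, 11, 30), False),  # opened 30 min after lookup
]

WORK_HOURS = range(7, 19)           # assumed normal support window
CASE_GRACE = timedelta(minutes=10)  # a case may be opened slightly after the lookup
RATE_LIMIT = 20                     # assumed per-user lookups-per-hour baseline


def case_for(user, record):
    """Return when this user's case on the record was opened, or None if there is none."""
    for c_user, c_rec, opened, _phoned in CASES:
        if c_user == user and c_rec == record:
            return opened
    return None


def detect(lookups=LOOKUPS):
    """Return (user, record-or-hour, reason) findings for every indicator that fires."""
    findings = []
    per_hour = Counter((u, ts.replace(minute=0, second=0)) for u, _, ts, _ in lookups)
    for user, record, ts, vip in lookups:
        opened = case_for(user, record)
        if opened is None:
            findings.append((user, record, "no case on customer"))
        elif opened - ts > CASE_GRACE:
            findings.append((user, record, "case created after lookup"))
        if vip:
            findings.append((user, record, "VIP lookup"))
        if ts.hour not in WORK_HOURS:
            findings.append((user, record, "lookup at unusual time"))
    for (user, hour), n in per_hour.items():
        if n > RATE_LIMIT:
            findings.append((user, hour.isoformat(), f"{n} lookups in one hour"))
    return findings


if __name__ == "__main__":
    for f in detect():
        print(*f)
```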

Log Management / SIEM Key Benefits

LogPoint Key Benefits: Compliance
- Log data is consolidated, secure, and tamper-proof => log data is always available and in a trusted format
- Rigorous and strict processes for ALL log data from all systems
- No retention of log data in a distributed and non-controlled environment where logs can be tampered with
- Compliance reports for all standards (PCI, ISO, ...) => automating procedures saves cost
- Audit trails => lower costs for audits due to prefabricated reports
- Documentation of user behaviour => can be used internally and in trials
- Monitoring all changes on the infrastructure
- EU personal data regulation from 2016 onwards!

LogPoint Key Benefits: Business Intelligence for IT operations
- Capacity analysis => optimized use of the already existing IT platform
- Monitoring of services => better performance and lower downtime
- Fewer incidents over time => more stable environment
- Faster and more precise forensics and analysis of data => better customer service, lower downtime, and less time spent on troubleshooting
- Finding and monitoring bottlenecks => higher performance and lower downtime
- Automation of processes (reports, operational procedures, correlation, etc.)
- Monitoring of access to all data and services
- Monitoring hacker attacks
- Monitoring APTs, malware, DDoS, phishing
- Monitoring all changes on the infrastructure
- Monitoring of service level agreements

LogPoint Key Benefits: IT Security
- Proactive IT security
- Documentation of user behaviour => can be used internally and in trials
- Unified (security) controls and processes for old and new systems, databases, applications, etc.
- Log data is consolidated, secure, and tamper-proof => log data is always available and in a trusted format
- Rigorous and strict processes for ALL log data from all systems
- Protection of IP (intellectual property)
- Audit trails => lower costs for audits due to prefabricated reports
- Higher security level => protection of sensitive data (customers and employees)
- Monitoring of privileged users => securing of employees
- Detection of anomalous user and system behaviour => higher level of security

LogPoint Key Benefits: Cost Drivers
- Consolidation of different tools for firewall log management, local log management, and many other silo management systems
- Automation of processes (reports, operational procedures, correlation, etc.)
- Audit trails => lower costs for audits due to prefabricated reports
- Fewer incidents over time => more stable environment
- Faster and more precise forensics and analysis of data => better customer service, lower downtime, and less time spent on troubleshooting

LogPoint Deployment: Implementing SIEM and anchoring it in the organization

Deployment Process

STEP 1: Blueprint and LogPoint installation
- Activities: collection of documentation on the infrastructure; development of project plan for Step 2; interviews with key IT stakeholders; quick-wins workshop; hardware installation; LogPoint installation; development of collection documentation
- Deliverables: AS-IS blueprint; plan for Step 2; LogPoint installation document
- Value creation (first quarter): thorough logical documentation of the network; stakeholder views captured

STEP 2: LogPoint implementation of critical systems
- Activities: implementation of critical client systems; first reporting / SIEM workshop with focus on compliance and security operations (GPG13, other compliance domains)
- Deliverables: documentation (Surrey County solution); reporting components; plan for Step 3
- Value creation: deep system knowledge; guidelines for implementation; quantified compliance requirements

STEP 3: Implementation of remaining systems and reporting / customization phase
- Activities: continued installation of systems; step-wise installation of custom applications; development and integration of LogPoint in terms of business processes; second workshop on integration, reporting and business applications
- Deliverables: reporting and compliance templates; integration documentation (custom apps, BP integration, custom reporting); plan for Step 4
- Value creation (second quarter): integration of SIEM in the organization; business-process integration

STEP 4: Business-specific (Vejdirektoratet) use-case development and organizational integration
- Activities: continued installation of systems and custom applications; third workshop: training, sign-off, adjustments; optional: business-process integration, feature-request workshop
- Deliverables: reporting template; finalized report; next-step guidelines; documentation; project finalization document
- Value creation: knowledge hand-over to the client; LogPoint tuned to fit the client's needs

Deployment Process: the roles in the collaboration between LogPoint and the client

LogPoint recommends a process where the client contributes essential knowledge and sparring, and actively participates in the development. LogPoint can manage the project management and process management activities and is responsible for developing the documentation.

STEP 1 (~4 weeks)
- Customer: participate in workshop (3 hours per participant); interview (1 hour per participant); provide documentation
- LogPoint / partner: facilitate workshop; review documentation; conduct interviews; LogPoint installation; develop plan for Step 2

STEP 2 (~6 weeks)
- Customer: technical resources during installation (2-3 weeks); participate in workshops (5 hours per participant); reporting review (2 hours per participant)
- LogPoint / partner: facilitate meetings; responsible for LogPoint installation; develop compliance and security-operations documentation; develop plan for Step 3

STEP 3 (~5 weeks)
- Customer: technical resources during installation (2-3 weeks); participate in workshops (5 hours per participant); documentation review (2 hours per participant)
- LogPoint / partner: facilitate meetings; responsible for system integration; develop reporting templates; develop plan for Step 4

STEP 4 (~4 weeks)
- Customer: continued participation in installation; training (2 days per participant for superusers, 1 day per participant for users)
- LogPoint / partner: facilitate meetings; develop final documentation; project hand-over; optional business-process integration; optional feature-request workshop

LogPoint Lessons Learned

Lessons Learned: Plan, plan, plan

Lessons Learned: Where to start? Where not to start? (Chart: use cases plotted by complexity, business value, resources and time; external consultant)

Lessons Learned: EASY WINS
- Log sources: Active Directory/LDAP, DNS/DHCP, firewalls, IDS/IPS, antivirus
- Use cases: admin behaviour, user behaviour, configuration changes, system communication, performance tracking and alerting, service level monitoring internally and externally, malware detection, simple analytics, simple incident handling

Lessons Learned: WINS
- Log sources: network and general infrastructure, VMware, standard applications, databases
- Use cases: network communication, user tracking in applications, business intelligence for IT operations, advanced security analytics, operational analytics, online transaction analytics, support and helpdesk incident handling

Lessons Learned: HARD WINS
- Log sources: home-grown systems, complex applications, transactions, ICS (SCADA), RFID data, GPS data
- Use cases: abnormal traffic/communication, complex correlations between systems, complex incident handling including a SOC/SAC approach

LogPoint, our Vision
- To have the world's best SIEM solution
- To have a 15% market share in Europe (= 50M$)
- To have the most innovative working environment
- To attract the most skilled people in the industry
- To have the best management team in the industry
- ... and to have a fun and profitable journey!

Thank you

SAP Application Security - as an example

The forgotten world: corporate business application systems
Security monitoring / tactical view:
- Security silos: applications have versatile security models, interfaces and formats
- Network exposure: applications and threats pass network barriers
- Manual handling: audits are snapshots and expensive, as they are done manually
- After-the-fact: only real-time monitoring and alerting allows counter-actions (LogPoint)
- Multiple IDs: administrators, technical users, account sharing, ...
- Incomplete, undetected: SAP / transactional data
It's the blind spot of IT security.

SAP stores the most critical business information, and you are losing control. Security patches, program vulnerabilities, architecture flaws, configuration errors: the number of SAP Security Notes has increased drastically over the last 3 years, and most of these issues affect the business runtime.

Why are business applications in the focus of attacks? Why ERP? Espionage. Sabotage. Fraud.
- All business processes are generally contained in ERP systems. Any information an attacker wants is stored in a company's ERP.
- The most critical data targeted in ERP: financial data and financial planning (FI); HR data, personal and contact details (HR); corporate secrets (PLM); supplier tenders (SRM); customer lists (CRM)
- SCADA and ERP systems are often connected, and prone to sabotage.
- Software has vulnerabilities. ERP has more issues, being different:
  - Customization: no two SAP systems are the same.
  - Complexity kills security: ERP systems are huge, complex landscapes that contain different DBs, application servers, middleware, frontend software and OSes, and use many technologies.
  - Risky: ERP systems store and process business-critical data. Any downtime incurs significant costs. Patching is risky. Vulnerable software lives for years.
  - Unknown: ERP systems are less researched, much less scrutinized and less targeted, but often contain simple and easy-to-discover vulnerabilities, and now get connected to the Internet.

Business-driven use-cases
- Detect invoices without purchase orders
- Identify vendors where alternate payee names have been changed before payment
- Multiple use of one-time vendors
- Detection of payments above the threshold value to one-time vendors
- Identify transactions where the purchase approver is equal to the goods receipt creator
- Identify transactions where the order approver is equal to the invoice creator
- Identify transactions where the order creator is equal to the payment creator
- Identify purchase orders that were created on or after the date the invoice was issued
- Invoice receipt exceeds the goods receipt document
- Detect value increases for purchase orders over a certain threshold
- Check for bank account bookings not processed with one of the known transactions
- Check suspicious manual bookings at unusual times
- Detect split invoices that avoid exceeding a certain threshold
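Several of the business-driven use-cases above as checks over constructed purchase-to-pay documents (invoice without PO, approver equals goods-receipt creator, approver equals invoice creator, PO dated after the invoice, one-time vendor above the limit, split invoices under the threshold). This is an added example, not LogPoint or SAP code; the record layout, thresholds and sample documents are assumptions.

```python
"""Purchase-to-pay controls for the business-driven use-cases above.
Added illustration, not LogPoint or SAP code: record layout, thresholds
and sample documents are constructed."""
from collections import defaultdict
from datetime import date

THRESHOLD = 10_000            # assumed approval threshold that split invoices try to stay under
ONE_TIME_VENDOR_LIMIT = 5_000  # assumed limit for payments to one-time vendors

# Constructed purchase orders, keyed by PO number
POS = {
    "PO1": {"vendor": "V1", "created": date(2016, 3, 1), "approver": "anna", "creator": "bob"},
    "PO2": {"vendor": "V2", "created": date(2016, 3, 9), "approver": "carl", "creator": "carl"},
}
# Constructed goods receipts: (PO, creator)
GRS = [("PO1", "anna"), ("PO2", "dora")]
# Constructed invoices; "one_time" marks a one-time vendor
INVOICES = [
    {"id": "I1", "po": "PO1", "vendor": "V1", "amount": 12000, "issued": date(2016, 3, 5), "creator": "erik"},
    {"id": "I2", "po": "PO2", "vendor": "V2", "amount": 800, "issued": date(2016, 3, 7), "creator": "carl"},
    {"id": "I3", "po": None, "vendor": "V3", "amount": 9800, "issued": date(2016, 3, 8), "creator": "erik"},
    {"id": "I4", "po": None, "vendor": "V3", "amount": 9900, "issued": date(2016, 3, 8), "creator": "erik"},
    {"id": "I5", "po": None, "vendor": "OTV-1", "amount": 6000, "issued": date(2016, 3, 8),
     "creator": "finn", "one_time": True},
]


def check_invoices(invoices=INVOICES, pos=POS, grs=GRS):
    """Return (invoice id(s), reason) findings for each control that fires."""
    findings = []
    gr_creators = defaultdict(set)
    for po, creator in grs:
        gr_creators[po].add(creator)
    by_vendor_day = defaultdict(list)
    for inv in invoices:
        po = pos.get(inv["po"]) if inv["po"] else None
        if po is None:
            findings.append((inv["id"], "invoice without purchase order"))
        else:
            # Segregation-of-duties checks across PO, goods receipt and invoice
            if po["approver"] in gr_creators[inv["po"]]:
                findings.append((inv["id"], "purchase approver equals goods receipt creator"))
            if po["approver"] == inv["creator"]:
                findings.append((inv["id"], "order approver equals invoice creator"))
            if po["created"] >= inv["issued"]:
                findings.append((inv["id"], "purchase order created on or after invoice date"))
        if inv.get("one_time") and inv["amount"] > ONE_TIME_VENDOR_LIMIT:
            findings.append((inv["id"], "one-time vendor paid above limit"))
        by_vendor_day[(inv["vendor"], inv["issued"])].append(inv)
    # Split invoices: several same-day invoices from one vendor, each under the
    # threshold but above it combined
    for (vendor, day), group in by_vendor_day.items():
        total = sum(i["amount"] for i in group)
        if len(group) > 1 and total > THRESHOLD and all(i["amount"] <= THRESHOLD for i in group):
            findings.append((",".join(i["id"] for i in group), f"split invoices from {vendor} on {day}"))
    return findings


if __name__ == "__main__":
    for inv_id, reason in check_invoices():
        print(inv_id, reason)
```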

Technically-driven use-cases
- Standard user accounts (status and usage): account status (locked, initial passwords); standard user activity
- Data integrity / non-changeability (debugging): debugging activity per system; system enablement and authorizations
- OS command (execution and authorizations)
- Changes to critical data
- SAL (SAP Security Audit Log) is not enough: SAL does not provide sufficient information; SAL transaction monitoring
- Administrator privilege use: highly privileged accounts, special accounts (e.g. firefighter usage)
- Changes to user master records by SAP*, DDIC*

Technically-driven use-cases II
- Change documents for user master records: authorization assignment (roles, profiles); other changes to user master records (validity, password reset, ...)
- Remote system access (e.g. SOAP service active)
- Access control violations (100% DSAG compliance)
- Active user accounts vs. corporate directory
- Failed logins
- Check transport imports: especially transports of authorizations and access rights, and of authorization assignments; check transports at unusual time windows; scan objects against a given list and check the target client
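The technically-driven use-cases above (failed logins, user master changes by SAP*/DDIC, transports of authorizations or at unusual times, unexpected target clients, debugging in production, active accounts missing from the corporate directory) as correlation logic over constructed, already-normalized audit events. This is an added example, not LogPoint, agilesi or SAP code; the event fields, object-name prefixes, client list and thresholds are assumptions.

```python
"""Correlation of the technically-driven SAP use-cases over constructed audit
events. Added illustration, not LogPoint, agilesi or SAP code: event layout,
naming of transport objects, client list and thresholds are assumed."""
from collections import Counter
from datetime import datetime

# Constructed normalized events, as a collector might emit them from the SAP
# Security Audit Log and change documents. Field names are assumptions.
EVENTS = [
    {"ts": datetime(2016, 3, 3, 9, m), "type": "logon_failed", "user": "jdoe", "client": "100"}
    for m in range(6)
] + [
    {"ts": datetime(2016, 3, 3, 10, 0), "type": "user_master_change", "user": "DDIC",
     "client": "100", "target": "jdoe"},
    {"ts": datetime(2016, 3, 3, 2, 30), "type": "transport_import", "user": "basis1",
     "client": "100", "objects": ["PFCG_ROLE:Z_FI_ALL"]},
    {"ts": datetime(2016, 3, 3, 12, 0), "type": "transport_import", "user": "basis1",
     "client": "999", "objects": ["PROG:ZREPORT"]},
    {"ts": datetime(2016, 3, 3, 12, 5), "type": "debug_activity", "user": "dev7", "client": "100"},
    {"ts": datetime(2016, 3, 3, 12, 6), "type": "logon", "user": "ghost", "client": "100"},
]

CORPORATE_DIRECTORY = {"jdoe", "basis1", "dev7"}   # assumed directory export
STANDARD_ACCOUNTS = ("SAP*", "DDIC")               # SAP standard accounts named on the slide
PRODUCTION_CLIENTS = {"100"}                       # assumed
EXPECTED_TARGET_CLIENTS = {"100"}                  # assumed allowed import targets
FAILED_LOGIN_LIMIT = 5                             # assumed
CHANGE_WINDOW = range(6, 22)                       # assumed; imports outside it are flagged
AUTH_OBJECT_PREFIXES = ("PFCG_ROLE:", "PROFILE:")  # assumed naming of authorization objects


def correlate(events=EVENTS):
    """Return (rule, subject, detail) alerts for every use-case that fires."""
    alerts = []
    failed = Counter(e["user"] for e in events if e["type"] == "logon_failed")
    for user, n in failed.items():
        if n >= FAILED_LOGIN_LIMIT:
            alerts.append(("failed logins", user, n))
    for e in events:
        if e["type"] == "user_master_change" and e["user"].startswith(STANDARD_ACCOUNTS):
            alerts.append(("user master changed by standard account", e["user"], e["target"]))
        if e["type"] == "transport_import":
            auth = [o for o in e["objects"] if o.startswith(AUTH_OBJECT_PREFIXES)]
            if auth:
                alerts.append(("transport of authorizations", e["client"], auth))
            if e["ts"].hour not in CHANGE_WINDOW:
                alerts.append(("transport at unusual time", e["client"], e["ts"].isoformat()))
            if e["client"] not in EXPECTED_TARGET_CLIENTS:
                alerts.append(("transport to unexpected target client", e["client"], e["user"]))
        if e["type"] == "debug_activity" and e["client"] in PRODUCTION_CLIENTS:
            alerts.append(("debugging in production client", e["user"], e["client"]))
        if (e["type"] == "logon" and e["user"] not in CORPORATE_DIRECTORY
                and not e["user"].startswith(STANDARD_ACCOUNTS)):
            alerts.append(("active account missing from corporate directory", e["user"], e["client"]))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in correlate():
        print(rule, subject, detail)
```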

LogPoint in the GRC Landscape (comparison of approaches per check):
- Check for critical authorizations: LogPoint agilesi = real-time, landscape-wide; SAP GRC = snapshot, landscape-wide; snapshot of single systems = N/A
- Assign illegitimate authorizations: LogPoint agilesi = real-time, landscape-wide; SAP GRC = on-demand, landscape-wide; snapshot of single systems = N/A
- Use of critical authorizations: LogPoint agilesi = real-time, landscape-wide; SAP GRC = firefighter-only monitoring
- Manual audit column: truncated in the source

Visit and Download