Brian Albrecht, MIS, CISSP Senior Knowledge Engineer LogRhythm, Inc. brian.albrecht@logrhythm.com


Case Study: Disgruntled Employee Data Breach
- Council of Community Health Clinics (CCC), hacked by a former employee
- Employee resigned following a bad review
- Accessed a corporate server through an RDP connection
- Server contained personally identifiable medical data
- Former employee disabled the automatic backup process; later deleted patient data
Consequences to the organization:
- Significant fines, had the breach occurred after January 1, 2009 (SB 541 and AB 211)
- Loss of patient data could have led to loss of life
- Patients had to wait hours to see doctors
Consequences to the ex-employee:
- Convicted and sentenced to more than 5 years in prison
- Forced to pay more than $400,000 in restitution
Source: Claburn, Thomas. "Network engineer gets five years for destroying former employer's data." InformationWeek, June 2008. http://www.informationweek.com/news/security/attacks/showarticle.jhtml?articleid=208403740 (accessed 12 August 2009)

Introduction to SIEM Technology
What is a Security Information and Event Manager (SIEM)?
Gartner's definition: SIEM solutions analyze security event data in real time to identify threats, and analyze and report on log data for compliance monitoring.
Goal: give users the on-demand ability to use real-time and historical records of activity for all nodes in an enterprise network.
Objectives:
- Identification of security breaches and attempted breaches through increased awareness
- Diagnosis and remediation of errors and critical events
- Collection of, and reporting on, data relevant to auditing of GRC requirements

Compliance... and beyond
PCI Security Standards Council statement on recent data breaches: "A layered approach to security is absolutely necessary to protect sensitive payment card data; without ongoing vigilance or a comprehensive security strategy, organizations may be just a change control away from noncompliance. Validation to the principles and practices mandated in the PCI DSS plays an integral part in an organization's security posture, but basic monitoring and logging cannot be set aside after a security assessment is complete. Reports by forensics companies suggest that this is an area of weakness among organizations."

What Happens WITHOUT Protective Monitoring?

The Process
- Collect logs from log sources (software, appliances, switches, routers, firewalls, etc.)
- Extract meaningful information from the logs
- Enrich the log information (correlation, geo-information, locality, etc.)
- Present it through tools (alarms, reports, investigations, visualization, etc.)

The Challenge: Collect, Organize & Analyze Millions of These PER DAY
Cryptic text records of server, application, workstation and network device activity, such as:

11 28 2005 17:12:24 10.1.1.4 id=firewall sn=0006b11f3b34 time="2005-11-28 17:14:08" fw=216.160.188.116 pri=6 c=1024 m=537 msg="connection Closed" n=219550 src=10.1.1.22:138:lan dst=10.1.1.255 proto=udp/netbios-dgm sent=229 rcvd=0

11/28/2005 5:46 PM TYPE=Warning USER= COMP=SHIRE SORC=RemoteAccess CATG=(0) EVID=20189 MESG=The user matt connected from 67.172.139.201 but failed an authentication attempt due to the following reason: %The user must change his or her password.

Nov 27 18:35:19 HelmsDeep sshd[12767]: Failed password for root from 192.168.1.2 port 1298 ssh2

11/28/2005 11:56 AM TYPE=Information USER=SECIOUS\andy.grolnick COMP=DELL600SC SORC=Print CATG=(0) EVID=10 MESG=Document 203, PODNOTICE (TA 204163) - 2005-11-28-10-58-04.PDF owned by andy.grolnick was printed on Brother HL-1250 series via port LPT1:. Size in bytes: 124988; pages printed: 1

65.240.187.181 - - [28/Nov/2005:14:48:29-0700] "GET / HTTP/1.1" 200 14544 "http://www.google.com/search?q=event+management&hl=en&lr=&start=10&sa=n" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;.NET CLR 1.1.4322)"

11/28/2005 7:05 AM TYPE=Error USER= COMP=ELVIS SORC=Application Hang CATG=(0) EVID=1002 MESG=Hanging application notepad.exe, version 5.2.3790.1830, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

SIEM Philosophy
- SIEMs analyze data from multiple sources to determine problems more accurately than any single device can: safety in numbers.
- Investigations: more detail means more accuracy; the scope of an incident can be determined, not just the action.
- Overall: the more sources of information, the more benefit the SIEM gives.
- SIEM effectiveness is determined by the SIEM architecture and by how it is deployed.

Where Logs Are Harvested
- Syslog format (industry-recognized standard)
- Flat files (Apache, BIND, MS Exchange tracking logs, many more)
- Database tables (Oracle, web-based applications)
- SNMP
- Generated reports (vulnerability, change logs, etc.)
- Web pages, XML files (Netgear, Cisco LMS)
- Custom protocols (OPSEC LEA, SDEE, NetFlow, etc.)
- Binary formats
- Audit logs (Solaris, Linux, etc.)
- Misc. structured formats (SAP)
- API-based (Novell NetWare, etc.)
- Integrated agent tools

Automated Interpretation
- The SIEM's ability to interpret log and event data is the single most important step.
- Capturing logs is not enough: the SIEM must extract the details from them (IP address, host name, user ID, etc.).
- The most desirable features of log collection:
  - Enterprise-wide visibility and awareness
  - Advanced data management
  - Flexible deployment and configuration options
  - Comprehensive compliance support (out of the box)
  - Universal, customizable console

Extraction of Critical Data

Process of Interpretation
- Classifications: Audit, Security, Operations
- Categories: Compromise, Malware, Denial of Service, Vulnerability, etc.
- Log event type: Buffer Overflow Attempt, CVE number, etc.
- Details: IP addresses, IDs, ports, traffic, etc.
- Risk ratings and handling policies
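As an added example (not code from the presentation or from LogRhythm), the Python below carries the extraction and interpretation steps described in the last three slides through the slide's own sample lines: it recognises four of the log families shown earlier (the firewall key=value record, a Windows event export, syslog from sshd, and an Apache access log), extracts the details a SIEM keys on (host, user, source and destination IP) and assigns a classification and an event type. The regexes, the field names of the normalised record and the Security/Audit/Operations rules are assumptions chosen for the demonstration; a production parser carries one rule set per log source type.

```python
import re
import shlex

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One header regex per log family shown on the slide. Each captures the part that is
# common to the family and hands the body to a family-specific extractor below.
FIREWALL_RE = re.compile(
    r"^\d\d \d\d \d{4} \d\d:\d\d:\d\d (?P<relay>\S+) (?P<kv>id=.*)$")
WINEVT_RE = re.compile(r"^\d\d/\d\d/\d{4} \d{1,2}:\d\d [AP]M (?P<kv>TYPE=.*)$")
WINEVT_FIELD_SPLIT = re.compile(r" (?=(?:TYPE|USER|COMP|SORC|CATG|EVID|MESG)=)")
SYSLOG_RE = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
SSH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
WIN_AUTH_RE = re.compile(r"The user (?P<user>\S+) connected from (?P<ip>" + IPV4 + ")")


def _record(source_type, **fields):
    """The normalised shape every extractor returns: the details a SIEM keys on."""
    rec = {"source_type": source_type, "host": None, "user": None, "src_ip": None,
           "dst_ip": None, "classification": "Operations", "event_type": "General"}
    rec.update(fields)
    return rec


def _parse_firewall(m):
    # key=value body; shlex keeps quoted values such as msg="connection Closed" whole
    kv = dict(tok.split("=", 1) for tok in shlex.split(m.group("kv")) if "=" in tok)
    return _record("firewall", host=m.group("relay"),
                   src_ip=kv.get("src", "").split(":")[0] or None,  # strip :port:zone
                   dst_ip=kv.get("dst", "").split(":")[0] or None,
                   event_type=kv.get("msg", "General"))


def _parse_winevt(m):
    # KEY=value fields separated by spaces; MESG is last and itself contains spaces.
    kv = dict(part.split("=", 1) for part in WINEVT_FIELD_SPLIT.split(m.group("kv")))
    msg = kv.get("MESG", "")
    rec = _record("windows", host=kv.get("COMP") or None, user=kv.get("USER") or None,
                  event_type=kv.get("SORC", "General"))
    auth = WIN_AUTH_RE.search(msg)
    if auth and "failed an authentication" in msg:
        rec.update(user=auth.group("user"), src_ip=auth.group("ip"),
                   classification="Security", event_type="Authentication Failure")
    return rec


def _parse_syslog(m):
    rec = _record("syslog", host=m.group("host"), event_type=m.group("prog"))
    fail = SSH_FAIL_RE.search(m.group("msg")) if m.group("prog") == "sshd" else None
    if fail:
        rec.update(user=fail.group("user"), src_ip=fail.group("ip"),
                   classification="Security", event_type="Authentication Failure")
    return rec


def _parse_apache(m):
    return _record("apache", src_ip=m.group("ip"),
                   user=None if m.group("user") == "-" else m.group("user"),
                   classification="Audit", event_type="Web Access",
                   request=m.group("req"), status=int(m.group("status")))


PARSERS = [(FIREWALL_RE, _parse_firewall), (WINEVT_RE, _parse_winevt),
           (SYSLOG_RE, _parse_syslog), (APACHE_RE, _parse_apache)]


def parse_log(line):
    """Normalise one raw line; lines no extractor understands are kept, not dropped."""
    for pattern, extractor in PARSERS:
        m = pattern.match(line.strip())
        if m:
            return extractor(m)
    return _record("unknown", raw=line)


# Sample lines taken from the slide's own examples (the Apache line is shortened).
SAMPLE_LOGS = [
    '11 28 2005 17:12:24 10.1.1.4 id=firewall sn=0006b11f3b34 time="2005-11-28 17:14:08" '
    'fw=216.160.188.116 pri=6 c=1024 m=537 msg="connection Closed" n=219550 '
    'src=10.1.1.22:138:lan dst=10.1.1.255 proto=udp/netbios-dgm sent=229 rcvd=0',
    '11/28/2005 5:46 PM TYPE=Warning USER= COMP=SHIRE SORC=RemoteAccess CATG=(0) '
    'EVID=20189 MESG=The user matt connected from 67.172.139.201 but failed an '
    'authentication attempt due to the following reason: %The user must change his or her password.',
    'Nov 27 18:35:19 HelmsDeep sshd[12767]: Failed password for root from 192.168.1.2 port 1298 ssh2',
    '65.240.187.181 - - [28/Nov/2005:14:48:29-0700] "GET / HTTP/1.1" 200 14544 '
    '"http://www.google.com/search?q=event+management" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_log(line))
```

Two design points worth noting: an unrecognised line is still returned as a record rather than silently dropped, because the evidence you most need during an investigation is often in the source nobody wrote a parser for; and the firewall extractor strips the `:port:zone` suffix from `src=` so that the same IP address compares equal across firewall, Windows and syslog records, which is what later correlation depends on.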

Enrichment of Logs
All about applying context:
- Does the log originate from a computer inside the network or outside it?
- Add entity definitions: does the log come from Engineering, Hong Kong, or 3rd Floor, rather than from 10.1.2.0/24, 10.11.14.0/24, or 10.100.0.0/16?
- Add geo-location: the log came from Kiev, Ukraine, rather than from 213.174.157.2. Use latitude and longitude to place it on a map.
- Use DNS servers to resolve an IP address to a host name, and vice versa.
- Identify the affected application from the log source type, the port number, or a matched rule.
Providing context to logs creates new ways of identifying anomalies, such as knowing:
- When a very large file is transferred outside of the organization
- When a connection enters the organization from a foreign location where the company has no employees
- When a rival company is probing the web site
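The following is an added example (not code from the presentation or from LogRhythm) of the enrichment step just described: it takes normalised events, stamps each address with locality (inside or outside the network), the entity it belongs to, a host name, city/country/latitude/longitude, names the application from the destination port, and then evaluates two of the anomaly rules the slide lists. The entity table and the Kiev example are the slide's own; the internal ranges, the geo and reverse-DNS tables (constructed stand-ins so the example runs offline; a real deployment queries a GeoIP database and the resolver), the port-to-application map, the set of countries where the company has staff and the transfer-size threshold are assumptions for the demonstration.

```python
import ipaddress

# Entity definitions quoted on the slide: address ranges that carry a business meaning.
ENTITIES = {"10.1.2.0/24": "Engineering", "10.11.14.0/24": "Hong Kong", "10.100.0.0/16": "3rd Floor"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed stand-in for a GeoIP database so the example runs offline;
# 213.174.157.2 -> Kiev is the slide's own example, the Denver entry is made up.
GEO_TABLE = {
    "213.174.157.2": ("Kiev", "Ukraine", 50.45, 30.52),
    "67.172.139.201": ("Denver", "United States", 39.74, -104.99),
}
# Constructed stand-in for reverse DNS (a real SIEM would query the resolver).
PTR_TABLE = {"10.1.2.15": "build01.eng.example.com", "10.100.4.7": "fs-floor3.example.com"}
PORT_APPS = {22: "ssh", 138: "netbios-dgm", 443: "https", 445: "smb", 3389: "rdp"}
# Assumed business context for the anomaly rules below.
COUNTRIES_WITH_STAFF = {"United States", "Hong Kong"}
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024


def locality(ip):
    """Inside or outside the network: the first question the slide asks of every log."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def entity(ip):
    """Longest-prefix match of an address against the entity table, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, name in ENTITIES.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def detect_anomalies(e):
    """Two of the context-driven checks the slide lists, evaluated on an enriched event."""
    flags = []
    if (e.get("src_locality") == "internal" and e.get("dst_locality") == "external"
            and e.get("bytes_sent", 0) >= LARGE_TRANSFER_BYTES):
        flags.append("large outbound transfer")
    if (e.get("src_locality") == "external" and e.get("src_country")
            and e["src_country"] not in COUNTRIES_WITH_STAFF):
        flags.append("inbound from country without staff")
    return flags


def enrich(event):
    """Return a copy of the event with locality, entity, host name, geo and application added."""
    e = dict(event)
    for side in ("src", "dst"):
        ip = e.get(f"{side}_ip")
        if not ip:
            continue
        e[f"{side}_locality"] = locality(ip)
        e[f"{side}_entity"] = entity(ip)
        e[f"{side}_host"] = PTR_TABLE.get(ip)
        geo = GEO_TABLE.get(ip)
        if geo:
            e[f"{side}_city"], e[f"{side}_country"], e[f"{side}_lat"], e[f"{side}_lon"] = geo
    e["application"] = PORT_APPS.get(e.get("dst_port"))
    e["anomalies"] = detect_anomalies(e)
    return e


# Constructed events in the normalised shape a SIEM holds after parsing.
SAMPLE_EVENTS = [
    {"src_ip": "213.174.157.2", "dst_ip": "10.100.4.7", "dst_port": 3389, "bytes_sent": 2048},
    {"src_ip": "10.1.2.15", "dst_ip": "198.51.100.20", "dst_port": 443, "bytes_sent": 900 * 1024 * 1024},
    {"src_ip": "67.172.139.201", "dst_ip": "10.1.2.15", "dst_port": 22, "bytes_sent": 0},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(enrich(ev))
```

Note that neither anomaly rule can be written against the raw log at all: "large outbound transfer" needs locality on both ends, and "inbound from a country without staff" needs geo-location plus a business fact the logs never contain. That is the point of the slide: enrichment is what turns a byte count and an address into something an analyst can act on.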

Case Study: Bot Detection
- A telecom company recently deployed a SIEM solution.
- Soon after deployment, IDS traffic picked up internal port scans.
- Using the SIEM's aggregation and investigation tools, the team isolated the IP address of the host performing the scans.
- They investigated that specific host and monitored its traffic.
- They noticed unusual SMTP traffic coming from the host.
- Putting all of the information together, they determined that the host had been infected by malware and was being used as a spambot.

SIEM Advantage: Bot Detection
- In the bot detection scenario, the SIEM allowed the organization to correlate events from several devices.
- Those involved were able to analyze the data gathered and parse out only the useful data.
- They were able to pull data from an earlier period to create a timeline and analyze the trend of events over time.

Log/Event Management Overview: Data Architecture
- Logs: raw log data, collected and automatically archived.
- Events: logs having more immediate operational, security, or compliance relevance.
- Alerts: events, or combinations of correlated events, requiring immediate notification and response.
Effective LM/SEM functionality requires cohesive integration, accomplished only when architected as a single solution.

What is an Event?
An Event is a log that has been flagged as important relative to other logs. Examples:
- Privileged user login
- Malware discovered on a workstation
- Power failure
SIEM 2.0 requires Events to exist in some form so that users can identify key issues quickly. Events are identified by meeting conditions based on extracted or enriched data, for example:
- Log type
- Log severity (Panic, Critical, Error, Warning, etc.)
- Location (rogue state list)

Alarming
- An alarm is an Event of higher note than a basic log or event; it adds the context of urgency.
- When an alarm condition is met, direct notification is made by e-mail, text message, pager, etc.
- Alarms can be considered a call to action and ideally happen infrequently.

Correlation
- Correlation is another process that identifies or creates Events and/or Alarms; it provides a link between conditions. For example:
  - A potential brute-force attack is detected, followed by a successful authentication from the same origin host.
  - A user logs in after being terminated (after the account was disabled, after the employee's status changed in the HRM system, etc.)
- Many types of correlation:
  - Multiple occurrences of an event within a time threshold
  - From a location, country, IP address, or domain name
  - Involving a user account, application, or specific file
  - In close time proximity to a different event
  - When an expected event is not witnessed
  - From common sense to applied mathematics
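As an added example (not code from the presentation or from LogRhythm), here are three of the correlation types above implemented over a small constructed event stream: the slide's two worked cases (a burst of authentication failures followed by a success from the same origin; a login by a user the HR feed says was terminated) plus a "not witnessed" rule that fires when the backup job has not reported in its expected interval, which is the control the disgruntled-employee case study turned on. The event shape, the HR feed, the thresholds (5 failures in 10 minutes, a 24-hour backup interval) and the host and user names are all assumptions for the demonstration.

```python
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 5                    # failures from one origin...
BRUTE_FORCE_WINDOW = timedelta(minutes=10)   # ...inside this window, then a success
BACKUP_EXPECTED_EVERY = timedelta(hours=24)  # job whose absence must be noticed


def _ev(time, kind, user=None, src_ip=None, host=None):
    return {"time": time, "type": kind, "user": user, "src_ip": src_ip, "host": host}


# Constructed, already-normalised events in the shape a SIEM holds after parsing.
SAMPLE_EVENTS = (
    [_ev("2009-08-10T23:00:00", "backup_completed", host="med-records-01")]
    + [_ev(f"2009-08-12T01:00:{s:02d}", "auth_failure", "root", "192.168.1.2", "HelmsDeep")
       for s in (5, 20, 33, 41, 58)]
    + [_ev("2009-08-12T01:03:10", "auth_success", "root", "192.168.1.2", "HelmsDeep"),
       _ev("2009-08-12T01:30:00", "auth_failure", "bob", "10.1.2.15", "HelmsDeep"),
       _ev("2009-08-12T01:30:30", "auth_failure", "bob", "10.1.2.15", "HelmsDeep"),
       _ev("2009-08-12T01:31:00", "auth_success", "bob", "10.1.2.15", "HelmsDeep"),
       _ev("2009-08-12T02:15:00", "auth_success", "jsmith", "203.0.113.9", "med-records-01")]
)
# Constructed HR feed: accounts that must never authenticate again (user -> termination date).
TERMINATED_USERS = {"jsmith": "2009-08-10"}
NOW = datetime.fromisoformat("2009-08-12T08:00:00")


def _ts(event):
    return datetime.fromisoformat(event["time"])


def correlate(events, terminated_users, now):
    """Run three correlation rules over a stream of events and return the alarms raised."""
    alarms = []
    failures = {}  # origin IP -> timestamps of recent authentication failures
    for e in sorted(events, key=_ts):
        t = _ts(e)
        if e["type"] == "auth_failure":
            window = [x for x in failures.get(e["src_ip"], []) if t - x <= BRUTE_FORCE_WINDOW]
            window.append(t)
            failures[e["src_ip"]] = window
        elif e["type"] == "auth_success":
            # Rule 1: "close time proximity with a different event": success after a burst
            recent = [x for x in failures.get(e["src_ip"], []) if t - x <= BRUTE_FORCE_WINDOW]
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                alarms.append({"rule": "brute_force_then_success", "user": e["user"],
                               "src_ip": e["src_ip"], "host": e["host"], "time": e["time"],
                               "failures": len(recent)})
                failures[e["src_ip"]] = []  # one alarm per burst
            # Rule 2: correlation with an external data source (the HR feed)
            if e["user"] in terminated_users:
                alarms.append({"rule": "terminated_user_login", "user": e["user"],
                               "src_ip": e["src_ip"], "host": e["host"], "time": e["time"],
                               "terminated_on": terminated_users[e["user"]]})
    # Rule 3: "when an event is not witnessed": the backup job stopped reporting
    last_backup = max((_ts(e) for e in events if e["type"] == "backup_completed"), default=None)
    if last_backup is None or now - last_backup > BACKUP_EXPECTED_EVERY:
        alarms.append({"rule": "backup_not_witnessed",
                       "last_seen": last_backup.isoformat() if last_backup else None,
                       "time": now.isoformat()})
    return alarms


if __name__ == "__main__":
    for alarm in correlate(SAMPLE_EVENTS, TERMINATED_USERS, NOW):
        print(alarm)
```

The two failures from `bob` followed by a success stay below the threshold and produce nothing, which is the behaviour you want: a rule that fires on every mistyped password is an Event, not an Alarm. The absence rule is the one most SIEM deployments forget to write; it needs a clock and an expectation rather than a log line, and it is exactly what would have surfaced a silently disabled backup job.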

Case Study: Ford Espionage (source: The Detroit News)
- A 10-year employee (1997-2007) of Ford Motor Company copied 4,000 documents onto a portable hard drive.
- The documents included design specifications.
- The employee attempted to use the documents to secure a job at a Chinese automobile company in 2005, while still working for Ford.
- The employee was arrested on October 15th, 2009.

Where Are My Logs?
- Once logs have been processed, they reside in a database until searched for.
- Some are sent to real-time systems, such as a dashboard or a tail display of the most recent logs.
- At this point, tools are provided for the actors to use the SIEM to accomplish their goals:
  - Stopping intrusions, malware, and internal security concerns
  - Detecting, diagnosing and fixing problems
  - Working within organizational procedure (ITIL, etc.)
  - Proving compliance with GRC (Governance, Regulation and Compliance) requirements

Dashboard
- The SIEM dashboard is a major launching point for investigations
- Provides real-time awareness
- The most simplified display

Investigations
- Investigations are searches based on facts we know (who, when, where), expanded or restricted based on clues.
- Example: an employee termination may, by company policy, be the trigger for an investigation.
- If we noticed user SMITH doing something suspicious, we might investigate what SMITH was doing for the last month, what SMITH's computer was doing at the time of the event, or which other computers SMITH accessed.

Visualization

Reporting
- Reports allow for post-event review, in case a critical situation was missed.
- Report collections give better visibility than the dashboard alone.
- Basic security and auditing summaries should be generated frequently to supplement the dashboard.
- Report reviews should be part of any organizational security plan and/or policy.
- MSSPs typically provide weekly reviews of reports.
- Compliance often mandates daily, weekly or monthly review.

Could the Disgruntled Employee Breach Have Been Detected and Prevented?
Recap of the case:
- Council of Community Health Clinics (CCC), hacked by a former employee
- Employee resigned following a bad review
- Accessed a corporate server through an RDP connection
- Server contained personally identifiable medical data
- Ex-employee disabled the automatic backup process; later deleted patient data
Potential consequences to the organization:
- Patients had to wait hours to see doctors
- Loss of patient data could have led to loss of life
Consequences to the ex-employee:
- Convicted and sentenced to more than 5 years in prison
- Forced to pay more than $400,000 in restitution

Could the Disgruntled Employee Breach Have Been Detected and Prevented?
Highlights from the case study, with the SIEM response to each:
- Employee resigned following a bad review: use the SIEM to begin monitoring the employee's user account immediately, even if access has been terminated.
- Accessed a corporate server through an RDP connection: the SIEM would be able to monitor and detect remote connections.
- Server contained personally identifiable medical data: confidential and proprietary information on this server would be monitored for access attempts.
- Ex-employee disabled the automatic backup process, later deleted patient data: process monitoring could detect the change made to the backup process, and the confidential patient data would be monitored.

Conclusion
- SIEMs provide a way to collect and process logs:
  - Enrich logs to add meaningful context
  - Escalate meaningful logs to Events
  - Escalate urgent Events to Alarms
- SIEMs provide tools for investigating activities on a network:
  - Enhance activities involving Security, Operations and Auditing
  - Tools include: Dashboard, Reporting, Investigations, Visualization

Q&A