ALERT LOGIC ACTIVEWATCH FOR LOG MANAGER




QUICKSTART GUIDE: ALERT LOGIC ACTIVEWATCH FOR LOG MANAGER

TABLE OF CONTENTS
Introduction
Getting Started
Configuring Log Sources
Common Log Sources

INTRODUCTION

A FRESH APPROACH TO IDENTIFYING SECURITY AND THREAT ISSUES

Each day your IT infrastructure generates an enormous amount of log messages. Analyzed on a regular basis, these messages provide valuable information not only about the health of your environment, but also about potential security, compliance, and threat issues that can put your sensitive data at risk. The key to unlocking this information begins with defining and implementing a log management process that:
- Enables you to capture relevant log messages from across your IT infrastructure.
- Is built to handle enormous amounts of data with no impact on the performance or output of the solution.
- Provides a means for those messages to be normalized and analyzed in a short time frame.
- Feeds a correlation engine that can identify security and threat issues from log messages, including those that on the surface seem unrelated.
- Collects and analyzes log messages continuously.

For many organizations, adopting a comprehensive approach to log management is a daunting task that they do not have the budget or time to tackle. With Alert Logic Log Manager and Alert Logic ActiveWatch for Log Manager, we provide a better approach to log management and security issue identification that delivers deep insight and continuous protection at a cost that organizations of any size can afford. Our cloud-based, fully managed log management service gives organizations the ability to:
- Identify hard-to-detect security issues across all environments.
- Reduce the time and cost associated with incident response.

With purpose-built security content, Alert Logic ActiveAnalytics can process unlimited amounts of log data to uncover events of interest that can indicate a threat or security issue. Once an issue is identified, Alert Logic ActiveWatch, a team of security experts, will contact you with the information you need to respond to the incident. Our unique approach to handling large volumes of data means that we can guarantee that you will be notified within 15 minutes of our identifying an issue in your environment. All day. Every day.

SCALABILITY DRIVES INNOVATION

To meet the demands of over 3,000 customers, we had to take a close look at how log messages and issue identification could be optimized. To that end, we made substantial investments in the underlying cloud infrastructure that supports the Alert Logic Security-as-a-Service platform. With over 1,000 processing cores, we currently process terabytes of data daily, and we have built the platform to handle ever-increasing volumes of data. With our infrastructure future-proofed, we next invested significant cycles in devising a better way to identify issues from this enormous, growing data set. Unlike other solution providers who deliver standalone products, we provide a fully managed service for our customers. This means that we, not the customer, take on the burden of managing data and identifying issues. The end result of this effort is an extensible, flexible, and adaptable security taxonomy that enables the Alert Logic solution to efficiently support any number of operating systems, databases, network devices, security controls, and the like. By investing time and effort into defining this common language, the Alert Logic solution continuously protects your environment as it evolves to support your business needs.

MOVING BEYOND RULES TO IDENTIFY INCIDENTS

To understand how the Alert Logic solution identifies security issues, you must first understand how incidents are typically generated by other solutions. Generally, most products take the following approach to identifying incidents:
1. Organization XYZ wants to collect and analyze logs from their network firewall.
2. Organization XYZ looks for a log parser that works with their log management solution. This may be available from the manufacturer. If unavailable, Organization XYZ must write the log parser themselves.
3. Assuming Organization XYZ gets the log parser in place, the organization must then look at a library of correlation rules to see if the manufacturer has a pre-built correlation rule for their specific firewall. If a pre-built correlation rule exists, Organization XYZ will enable it. If one does not exist, Organization XYZ must obtain a rule from the manufacturer or build one themselves. These rules must specify which log messages will generate which incidents.
4. Once the rules are written, Organization XYZ must test the rule. If the results are as expected, the rule will be activated.

Organization XYZ must follow this same process for each and every log source they intend to analyze with their log management solution. It is easy to see that, in a short amount of time, this organization could end up with hundreds, if not thousands, of individual correlation rules that they must manage. To compound the complexity, when this organization decides to replace their network firewall with one from another manufacturer, for example, they will need to deactivate their existing correlation rules and write new rules and/or update existing rules for their new firewall. This process is not only inefficient, but it has the potential to cause major issues with their entire log management solution, negatively impacting the solution's ability to identify issues.

Alert Logic developed a radically different, more efficient approach to solve this problem. Instead of starting with the assumption that there must be individual correlation rules for every specific log source, we developed what we call the security taxonomy. The security taxonomy is a common language that allows the solution to interpret logs from any source type in the same manner. For instance, in the case of a network firewall, the Alert Logic solution is completely agnostic as to the manufacturer of the firewall. The solution can analyze logs from any firewall manufacturer by simply creating a log parser that maps to the common language of the security taxonomy. At that point, any firewall, from any manufacturer, can be analyzed for security issues. For example, with the security taxonomy in place, the following simple two-line rule equates to literally hundreds of the individual rules needed to cover SQL injection attacks in other solutions:

Category/Outcome = Failure
Category/Technique = SQLi

This process is inherently more flexible than the old rule-based approach to incident identification, and dramatically increases our ability to identify incidents impacting your organization. It is this strategy that makes Alert Logic's approach to incident identification more efficient and effective than any other solution on the market today.

GETTING STARTED

Assuming your Alert Logic Log Manager account is active and licensed and your Log Manager appliance (if you are using one) is installed and functioning properly, to use Alert Logic ActiveWatch for Alert Logic Log Manager you need to complete the setup instructions outlined in the Alert Logic Log Manager documentation. To access this documentation, visit: http://docs.alertlogic.com. On an ongoing basis you will need to:
- Incorporate Log Manager configurations into your change management process.
- Ensure you update notification and escalation rules for personnel changes.
- Add new log sources when your applications change. Generally this means adding or updating your flat file collection sources.
- When servers are upgraded and/or new servers are deployed, ensure the Log Manager agent is installed.

CONFIGURING LOG SOURCES

The Alert Logic approach to incident identification will increase your organization's ability to respond to incidents faster than ever before. However, to gain this benefit you must ensure that the right information is being fed into the solution. This begins with you defining the systems, applications, databases, security controls, and ALL IT assets as log sources. When configuring your log sources, keep these tips in mind:
- Incident creation is based on your log sources. The mantra of "garbage in, garbage out" applies here. The incidents generated will only be as relevant and informative as the log data dictates. To that end, Alert Logic recommends creating log sources not only for firewalls and security controls, but also configuring your servers and applications to transmit logs to Alert Logic.
Having this broad set of log sources will help identify indicators of compromise (IOCs) that may only surface when analyzing multiple log sources.
- After log collection, the fundamental building block is a log parser. Make sure that all of your devices are generating parsed logs. To check this, search for log messages that have no type and review them within the Alert Logic web interface. Contact the SOC and create a support case to review any unparsed messages.
- Configure your operating system log sources first. These configurations are typically very straightforward and will help you test the flow of data to the Alert Logic Log Manager as well as validate your personal preferences. For Microsoft Windows servers, all event logs are collected by default after the local Alert Logic agent installation. For Linux servers, change the local syslog settings to forward the logs to the Alert Logic agent.
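The security taxonomy idea from the previous section, and the "messages with no type" check from the tips above, as an added example that is not Alert Logic's code and does not reproduce its real taxonomy: two parsers for constructed log formats (a WAF alert line and a firewall line, both invented for this example) translate their own fields into shared Outcome and Technique values, a single rule written against those values fires for either source, and any line no parser recognises is reported as untyped. The field names Outcome and Technique and the rule itself come from the guide; the log formats, the sample lines, and the mapping from vendor threat names to techniques are assumptions made for the example.

```python
"""Toy security taxonomy: normalise several log formats into one vocabulary.

Added example, not Alert Logic code.  Both log formats, every sample line and
the TECHNIQUE_MAP below are constructed for this example; only the field names
Outcome/Technique and the rule 'Outcome = Failure and Technique = SQLi' are
taken from the guide.  The meaning assumed for Outcome is whether the attempted
action succeeded from the actor's point of view, so a blocked or denied
request is a Failure.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class TaxonomyEvent:
    source_type: str                 # which parser recognised the line
    outcome: str                     # "Failure" (blocked/denied) or "Success"
    technique: str                   # normalised label: "SQLi", "XSS", "None", "Other"
    fields: Dict[str, str] = field(default_factory=dict)  # source-specific extras


# Assumed mapping from vendor-specific threat names to taxonomy techniques.
TECHNIQUE_MAP = {
    "sql injection": "SQLi",
    "sql-injection": "SQLi",
    "cross-site scripting": "XSS",
    "xss": "XSS",
}


def to_technique(label: str) -> str:
    """Map a vendor threat/signature name onto the shared technique vocabulary."""
    key = label.strip().lower()
    if key in ("", "none"):
        return "None"
    return TECHNIQUE_MAP.get(key, "Other")


# Parser 1: constructed WAF alert format
#   WAF src=10.0.0.5 sig="SQL Injection" action=block
WAF_RE = re.compile(r'^WAF src=(?P<src>\S+) sig="(?P<sig>[^"]*)" action=(?P<action>\w+)$')


def parse_waf(line: str) -> Optional[TaxonomyEvent]:
    m = WAF_RE.match(line)
    if m is None:
        return None
    outcome = "Failure" if m["action"] == "block" else "Success"
    return TaxonomyEvent("waf", outcome, to_technique(m["sig"]), {"src": m["src"]})


# Parser 2: constructed firewall key=value format
#   FW action=deny src=10.0.0.9 dst=10.0.1.4 dport=3306 threat=sql-injection
def parse_fw(line: str) -> Optional[TaxonomyEvent]:
    if not line.startswith("FW "):
        return None
    kv = dict(tok.split("=", 1) for tok in line[3:].split() if "=" in tok)
    if "action" not in kv:
        return None
    outcome = "Failure" if kv["action"] == "deny" else "Success"
    return TaxonomyEvent("firewall", outcome, to_technique(kv.get("threat", "none")), kv)


PARSERS = [parse_waf, parse_fw]


def normalize(line: str) -> Optional[TaxonomyEvent]:
    """Return the taxonomy event for a line, or None when no parser matches (untyped)."""
    for parser in PARSERS:
        ev = parser(line)
        if ev is not None:
            return ev
    return None


def rule_sqli_failure(ev: TaxonomyEvent) -> bool:
    """The guide's two-line rule: Category/Outcome = Failure, Category/Technique = SQLi."""
    return ev.outcome == "Failure" and ev.technique == "SQLi"


def analyze(lines: List[str]) -> Tuple[List[TaxonomyEvent], List[str]]:
    """Apply the single rule to every source; collect untyped lines for review."""
    incidents, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
        elif rule_sqli_failure(ev):
            incidents.append(ev)
    return incidents, unparsed


# Constructed sample input: two sources, one unrelated line nothing parses.
SAMPLE_LOGS = [
    'WAF src=10.0.0.5 sig="SQL Injection" action=block',
    'WAF src=10.0.0.6 sig="Cross-Site Scripting" action=block',
    'FW action=deny src=10.0.0.9 dst=10.0.1.4 dport=3306 threat=sql-injection',
    'FW action=allow src=10.0.0.9 dst=10.0.1.4 dport=443 threat=none',
    'Mar  1 10:00:00 host app[123]: started',   # no parser matches: reported as untyped
]

if __name__ == "__main__":
    found, untyped = analyze(SAMPLE_LOGS)
    for ev in found:
        print(f"INCIDENT source={ev.source_type} outcome={ev.outcome} "
              f"technique={ev.technique} fields={ev.fields}")
    for line in untyped:
        print(f"UNPARSED (no type): {line!r}")
```

Running the script reports two incidents, one from each source, and the one untyped line. The point is in what did not have to change: supporting a third log source means writing one more parser that emits the same TaxonomyEvent, and the existing rule covers it without being rewritten, while the untyped list is the same "messages with no type" review the guide asks you to perform.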

The following section lists the common log sources that typically contain security data. This list is by no means comprehensive of all possible log sources in your environment. For more information about these and other log sources, contact your Alert Logic Solutions Consultant.

COMMON LOG SOURCES
- Microsoft Active Directory
- Microsoft Windows Servers
- Microsoft Internet Information Services
- Microsoft SQL Server
- Oracle Database
- MySQL
- Cisco network devices (ASA, IOS routers & switches, etc.)
- Juniper firewalls and network devices
- Fortinet network devices
- NetScreen network devices
- SonicWall
- FireEye security products
- Imperva security products
- Linux/Unix operating systems
- Apache web servers
- McAfee
- Symantec
- Sophos
- Palo Alto
- Check Point Firewalls

© 2015 Alert Logic, Inc. All rights reserved. Alert Logic and the Alert Logic logo are trademarks, registered trademarks, or servicemarks of Alert Logic, Inc. All other trademarks listed in this document are the property of their respective owners. 0615US