Securing your environment requires an understanding of the current and evolving threat landscape as well as knowledge of network technology and system design. This session will combine lecture, demo and interactive Q/A that will highlight how to build out a security plan to defend against today’s threats. Join AlienVault for this webinar to learn:
• What network, system and host data you should be collecting for the quickest path to security visibility
• Best practices for network, perimeter and host monitoring
• Security advantages of new AlienVault Threat Alerts coming soon to SpiceWorks
SpiceWorks Webinar: Whose logs, what logs, why logs
1. WHOSE LOGS, WHAT LOGS, WHY LOGS: YOUR QUICKEST PATH TO SECURITY VISIBILITY
Tom D’Aquino
Senior Security Engineer
AlienVault
2. AGENDA
The Challenge
• Getting adequate security visibility for your small or medium business
The Widely Pursued Solution
• The traditional approach to Log Management/SIEM
• The cost/benefit analysis
An Alternative Approach
• Who, What and Why is the key
• Unified Security Management
• AlienVault’s Threat Intelligence Labs
Coming Soon to SpiceWorks: AlienVault Threat Alerts
5. THE WIDELY PURSUED SOLUTION
The traditional approach to Log Management/SIEM:
• Collect Everything
• Analyze everything
• Correlate everything
• Store everything
6. BUT AT WHAT HARDWARE COST?
How much storage, CPU and RAM will you need to collect, correlate and store all of this data?
• High-performance storage is not cheap
How effective is the automated analysis, i.e. correlation, really going to be?
• Correlation is CPU and memory intensive
7. AND AT WHAT HUMAN RESOURCE COST?
How effective is your team really going to be?
• Can one person realistically review 10,000 alerts in a day?
10. IS THERE A BETTER APPROACH TO LOG MANAGEMENT?
What if we took a more strategic approach by identifying the problem more effectively?
Why do you need the logs?
• Do you have an intended result in mind?
What logs will you need to get that result?
• e.g., will authentication logs suffice?
Who will the logs you collect pertain to?
• Is there a specific user group/community you should be focused on?
11. LET’S LOOK AT SOME EXAMPLES
What log sources should you start with?
12. EVERYONE COLLECTS FIREWALL LOGS, RIGHT?
Why do you need Firewall logs?
• I need to see what is getting in to my network
What logs will you need to get that result?
• Firewall permit logs
Who will the logs you collect pertain to?
• I’m most significantly concerned with blacklisted IPs/domains
13. WHAT’S GETTING IN YOUR WAY?
You are probably only seeing these:
When you should be looking for this:
14. WHAT ABOUT OS LOGS?
Why do you need OS logs?
• I need to detect unauthorized access attempts and account lockouts
What logs will you need to get that result?
• OS authentication failure and account lockout logs
Who will the logs you collect pertain to?
• I’m most significantly concerned with admin level accounts
15. WHAT’S GETTING IN YOUR WAY HERE?
Multiple events to indicate a single login:
No login failure events to be found…
16. WHAT ABOUT YOUR NETWORK GEAR?
Why do you need Switch/Router logs?
• I need to see when someone logs in to my network gear and makes config changes
What logs will you need to get that result?
• Syslog data from my Routers and Switches
Who will the logs you collect pertain to?
• Anyone connecting to my network gear
17. MORE NOISE IN YOUR WAY…
You may have to process 10’s of thousands of these:
Just to get one or two of these:
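The three Why/What/Who use cases above (firewall permits against a blacklist, OS failures and lockouts for admin accounts, config changes buried in switch syslog), as an added example that is not part of the original deck. The log lines, blacklist and admin list are constructed for the demo; the switch messages follow the Cisco IOS `%FACILITY-SEVERITY-MNEMONIC` layout, which is assumed here.

```python
import re
from collections import Counter

# Constructed sample feeds (not from the deck): firewall, OS audit and switch syslog.
FIREWALL_LOGS = [
    "permit tcp 10.0.0.5:51234 -> 203.0.113.9:443",
    "permit tcp 10.0.0.7:51235 -> 198.51.100.22:80",
    "deny tcp 192.0.2.77:4444 -> 10.0.0.5:22",
]
OS_LOGS = [
    "host=srv01 user=administrator event=logon_failure",
    "host=srv01 user=administrator event=logon_failure",
    "host=srv01 user=administrator event=account_lockout",
    "host=srv02 user=jdoe event=logon_failure",
]
DEVICE_LOGS = [
    "core-sw1 %LINK-3-UPDOWN: Interface Gi1/0/12, changed state to down",
    "core-sw1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi1/0/12, changed state to down",
    "core-sw1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
]
# The "Who" lists, also constructed: a reputation blacklist and the privileged accounts.
BLACKLIST = {"198.51.100.22"}
ADMIN_ACCOUNTS = {"administrator", "root"}

FW_RE = re.compile(r"^(?P<action>permit|deny) \w+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$")


def firewall_hits(lines, blacklist):
    """Why: what is getting in. What: permit logs only. Who: blacklisted IPs."""
    hits = []
    for line in lines:
        m = FW_RE.match(line)
        if m and m["action"] == "permit" and {m["src"], m["dst"]} & blacklist:
            hits.append((m["src"], m["dst"]))
    return hits


def admin_auth_events(lines, admins):
    """Why: unauthorized access. What: failures and lockouts. Who: admin accounts.
    Repeated events for the same login attempt are collapsed into one count."""
    counts = Counter()
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields["user"] in admins and fields["event"] in ("logon_failure", "account_lockout"):
            counts[(fields["host"], fields["user"], fields["event"])] += 1
    return dict(counts)


def device_config_changes(lines):
    """Why: who changed my gear. What: switch/router syslog. Policy filter keeps config events."""
    return [line for line in lines if "CONFIG_I" in line]
```

Each function drops everything the use case does not ask for, which is the point of the deck: the interface flaps and the non-admin failure never reach an analyst.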
18. HOW CAN ALIENVAULT HELP WITH FIREWALL LOGS?
Managing Firewall logs is all about context:
19. HOW CAN ALIENVAULT HELP WITH OS LOGS?
Use policy filters to eliminate repetitive data:
20. HOW CAN ALIENVAULT HELP WITH OS LOGS?
Use correlation to detect mischievous activity:
21. HOW CAN ALIENVAULT HELP WITH DEVICE LOGS?
Use policy filters to eliminate the noise:
22. HOW CAN ALIENVAULT HELP WITH DEVICE LOGS?
Or use policy filters to explicitly include the interesting stuff:
24. BENEFITS OF UNIFIED SECURITY CONTROLS
Accelerated time to value
• Go from install to insight quickly
Reduce cost and complexity
• At deployment time: Focus on integrating the infrastructure event data only
• Over the long term: Manage all through the same console, better workflow, etc.
More coordinated detection for accurate alarms
• Built-in event correlation rules
• Attacker intelligence provides more accurate correlation
25. UNIFYING BEST-IN-BREED TECHNOLOGY WITH SHARED INTELLIGENCE
AlienVault Labs monitor, analyze, reverse engineer and report on sophisticated zero-day threats including malware, bots, phishing campaigns and more.
Findings are published in the Open Threat Exchange (OTX), pushing the latest threat intelligence including correlation rules, policies, and reputation data directly to AlienVault USM.
AlienVault OTX:
• 500,000 malware samples analyzed per day
• 100,000 malicious IPs validated per day
• 8,000+ global collection points in 140+ countries
• > 7 million URLs analyzed
26. CROWD-SOURCED THREAT DATA IN ACTION
Since March 2012, OSSIM & USM users have flagged 196 million malicious events that were contributed to the OTX database
Average of ~11 million per month (365,000 a day)
[Chart: malicious events contributed to OTX per month, 3/1/12 through 9/1/13]
27. ALIENVAULT THREAT ALERTS FOR SPICEWORKS
SpiceHead Benefits:
• Identify compromised hosts in a monitored network without having to deploy Anti-Virus or any other agent
• Remediation advice from the world’s largest crowd-sourced threat intelligence database
28. HOW IT WORKS – THREAT MONITORING
[Diagram: customers’ internal assets in SpiceWorks, connected to the Internet; search for connections with known malicious hosts]
29. HOW IT WORKS – ALERT TRIGGERED
[Diagram: alert on connection with a known malicious host from customers’ internal assets in SpiceWorks]
30. THREAT ALERTS IN SPICEWORKS: DASHBOARD & DEVICE DETAILS PAGE
AlienVault Threat Analysis for suspicious IP:
“SpiceWorks has found a connection with a potentially suspicious IP Address 77.240.191.89 on device tmg-mbh.”
33. NOW FOR SOME Q&A…
Follow us on SpiceWorks
http://community.spiceworks.com/pages/AlienVault
Join us for a LIVE Demo!
http://www.alienvault.com/marketing/alienvault-usmlive-demo
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site
Questions? Ping me (Tomdaq) in the SpiceWorks community
Editor's notes
We leverage technology in our effort to simplify things but introduce new problems in the process. And sometimes the learning curve is just too steep. Articulate the challenge and how it ties in to the overall concept more clearly… express the volume of data challenge more specifically – also emphasize the human element required for making SIEM effective. This slide ran too long (shorten it up). Add transitions.
In the business world, we have people and technology coming together to try to meet the business objective, and the human error factor mixes with technology error and suddenly we have a big mix of information that is difficult to manage. Sometimes honest mistakes appear to have malicious intent, while real malicious intent gets overlooked entirely. This slide ran too long (shorten it up).
The traditional approach to log management says “collect logs from everything connected to the network and let some back end analysis process figure out what’s important.” So how far do we take this? Should we audit and correlate print jobs? I mean, I guess there could be a use case for identifying gross misuse of printing resources. How much value are you really getting out of all these logs? Add transitions.
This slide was up for too much time. Break it out to three why, what and who slides – add transitions for why, what, who
This is a best practice by the way. We always recommend collecting firewall permit logs to get visibility around what is coming in to the network. If your use case were “I need to identify misconfigured systems on my network”, collecting firewall deny events would help you get there. Point out that firewall denies represent action already taken. Use screenshots of the product and forego the demo…
Switches generate lots of information. A small percentage is security relevant. We have to make a cognizant effort to identify the relevant information.
This is also a best practice. We always recommend collecting OS audit logs to get visibility around who is accessing your assets. Paying special attention to privileged accounts is critical. Include specific references, numbers and percentages to illustrate the issue.
Switches and routers generate lots of information. A small percentage is security relevant. We have to make a cognizant effort to identify the relevant information.
In fact, AlienVault offers the only unified security management solution to unify the five essential security capabilities you need for complete security visibility. This translates into rapid time to value – faster and easier audits, targeted remediation, and more seamless incident response.
The AlienVault Open Threat Exchange, or OTX, compiles raw threat research from the nearly 5,500 installations of AlienVault’s unified security management technology – these are organizations who have volunteered to contribute. These installations exist across the world – in over 140 countries – and have been growing at an impressive rate. Just in the time since OTX was launched in February 2012, we’ve analyzed over 7M suspicious URLs. The IP reputation data that is shared helps organizations better defend against these widespread attacks. Like we mentioned before, AlienVault believes in the power of shared intelligence and so all of this data is freely shared and accessible on our website. Researchers review and validate threat data to ensure that only the most accurate and actionable intelligence is published. The team analyzes the latest attacks, exploits, breaches, and malware strains in order to stay up-to-date with the latest threats from around the world. Understanding how the exploits work, how attacks are hidden, and what the malware is doing, is the only way to find a way to detect and protect against them. The secret to understanding what your data is trying to tell you comes from the intelligence you leverage. True visibility requires an expert team that understands the behaviors of the latest threats and helps you identify attacks, vulnerabilities, and the systems that are targeted.