Evaluating and Implementing Security Information Management¹ Systems
By Aurobindo Sundaram
aurobindo_sundaram@hotmail.com

                              Introduction

    In today’s security world, with hundreds of security devices of different types, millions of log entries per day, and the requirements of IT audit and regulatory bodies to monitor logs regularly, it is impossible to use a manual solution. Security Information Management Systems (SIMS) automate the collection of event log data from heterogeneous security devices and present a normalized, aggregated and correlated view of network security. This article introduces the technology, presents different requirements that should be fulfilled by any SIM product, discusses licensing and cost considerations, and presents a template for implementing a SIM solution.
    Most security sensor devices in use today (e.g., anti-virus, firewalls, vulnerability assessment systems, intrusion detection systems) generate large amounts of security events during their operation. Most of these sensors generate these logs in their own proprietary format (often binary). In addition, they usually require dedicated consoles to view, report and analyze this data. In a typical enterprise, this makes security information management extremely time-consuming, inconsistent and unmanageable.
    Security Information Management Systems (SIMS) technologies are a potential solution for this problem. SIMS products promise to gather logs from disparate security point devices and merge them into a common, ordered, risk-assessed interface. However, SIMS is still an emerging technology, and the marketplace is in flux. In the following sections, we will discuss what we believe are key requirements for an enterprise-class SIMS. Following this, we’ll discuss licensing and cost considerations that the enterprise should be cognizant of, and finally, present a blueprint for implementing a SIM system.

[Figure 1: The three layers of a Security Information Management system]

                             Requirements

Event Collection
     This layer of the SIMS deals with the collection, normalization, initial filtering and forwarding of security-related events to a processing entity.
     Normalization is the process of translating various vendor event logs into a common format that the SIMS can understand and manipulate. It is important to ensure that the format of the normalized data is extensible by the end user; this ensures that company-specific fields (such as classification level, or handling instructions) can be added to the normalized logs. Although there are currently no standard normalization formats, it is important to obtain a commitment to openness from the vendor.
     The event collection layer should support the collection of data from as many different point devices as it can. In particular, collection of the data should be as close to the source as possible, and in the native format of the point device where allowable (e.g. Firewall-1 OPSEC rather than syslog). Native logging formats are typically better compressed, have a richness of information that is harder and less efficient to translate into a pure text output such as syslog, and have built-in hooks that allow external programs to access events in real-time. Where the native logging solution is syslog (e.g. Unix authentication logs), the point above is moot. Users are strongly encouraged to verify and test the support for event collection, and the type of that support.
     It is desirable for some (but not all) filtering of the event data to occur at the agent that collects it. The trade-off is that the more filtering is done at the source, the better the network performance, and the worse the correlation results. This is because local filtering reduces the traffic that must be sent across the network to the central engine. However, correlation works best when access to data in its entirety is available. The communication between the agent and the console must be secured using an open, strong encryption standard. In addition, the agent should have local storage facilities, so it can buffer data in a store-and-forward mechanism if the console is unavailable.
     The SIMS must supply an application programming interface (API) so that agents may be built to collect data from third-party and esoteric devices. This is important when you try to integrate home-grown applications, newer security solutions, and physical security events.

         THE ISSA JOURNAL ◆ April 2005                                   ©2005 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited.
Event Processing
     This is the most important portion of the SIMS. The main rationale for SIMS is that they can process huge streams of data, aggregate similar events, and perform correlation on volumes of events that would be impossible for a human to do. It can be split into the following functional components.
     Aggregation is the process of combining events of a similar type into one consolidated event. The biggest problem with security systems today is data overload. The SIMS must support aggregation with the ability to drill down to individual events on demand.
     Correlation is the process by which events are analyzed and entered into a common “event thread.” Correlation goes beyond aggregation in that it can incorporate logic engines and rule sets to make sense of distributed and stealth attacks that a human may not catch. The SIMS must support elementary correlation rules (correlate by attack type, source address, destination address, etc.) as well as allow an administrator to define business rules, such as multi-way correlation based on events and time.
     Correlation is particularly important because it can allow an enterprise to correlate vulnerability assessment data against actual attacks observed by IDS and firewall devices. This allows the system to make intelligent decisions (e.g. “Attacker X tried attack Y; your vulnerability assessment system states you are not vulnerable to attack Y; ignore attack”). It is extremely important that it is possible to create arbitrary correlation rules based on attributes in the normalized database.

Threat Assessment
    The SIMS typically performs a threat assessment on an event before displaying it in the user interface. The SIMS must allow the assessment to be performed using business rules defined by the enterprise, in addition to providing a pre-defined list of rules, based on best practices (e.g., Mitre CVE, or SANS best practices). It should also supply a modifiable knowledge base of event types. For instance, users should be able to designate a certain type of event as critical (e.g. ANY attack against finance servers; high-severity attacks against systems in the DMZ, etc.)

Response, Escalation and Integration
    While there are many valid designs, the following capabilities are certainly “must-haves” for a SIMS:

 ▲ SIMS must implement automated response workflows based on rules defined by the enterprise. They should be able to control common point devices natively. For instance, the SIM should be able to page or e-mail a user when a certain event or sequence of events occurs.
 ▲ SIMS must implement escalation workflows where an incident changes in severity based on other events, time or business rules. For instance, a low-severity event should be escalated to medium severity if it has not been addressed for 24 hours.
 ▲ SIMS must be able to integrate with or interface otherwise with existing asset and risk management systems. For instance, the system should be able to import comma-separated asset information files so that the user does not have to manually enter asset criticality information into the system individually.
 ▲ SIMS must provide APIs to interface bi-directionally with third-party ticketing and incident management systems. The third-party ticketing system integration is extremely important because it allows the SIMS to integrate seamlessly with the processes already in place in the enterprise.

User Interface
    The primary user interface should be Web-based and near real-time, although an alternate stand-alone client may be provided. As with all good security products, the ability to configure and audit the access to the interface, per user/role, is essential.
    Administrators should be able to manage incidents entirely from the interface, for example, by running investigative tools, changing incident status, or adding journal notes to an incident.
    The interface must allow agents to be controlled from it (e.g., to dynamically change rule sets, start/stop, etc.).
    Users must have the option to run predefined reports, or to define their own criteria for analysis. From an operational standpoint, there is value to showing the ROI of the system by using built-in reports. However, users will no doubt require their own reports, and it is important that users be able to easily create their own.

                          Costs and Licensing

    In most cases, small companies should not attempt to use SIM technology. This is primarily because SIM has a very high initial price point ($100K+ for software alone, could run to $200K if you include scalable hardware and services). Smaller organizations are urged to consider managed service providers, who will charge a flat fee per device monitored. In addition, there are rarely issues with hardware and software maintenance, rule tuning, workflow creation, etc.
    Medium to large enterprises should consider SIM if the number of managed devices is sufficiently large as to make managed service providers too expensive (any company that spends more than $1M on managed service providers is likely a good candidate for SIM). It is important to note that headcount will be required to manage the system, in particular if it is expected to run under strict SLAs (e.g. 24-hour operation, 30-minute response time, etc.).
    It is important to carefully read the licensing model of the SIM vendor. Some vendors will count aggregated devices (e.g. when multiple Unix systems log to a single syslog server) as one device, which is cheaper, and others will count them as individual devices, which are more expensive.
    It is also important to factor in the cost of additional software, in particular database licenses. SIMS have high hardware requirements, and most database vendors will license by processors. Therefore, if the customer picks a four-processor system, it is possible that their database cost will quadruple from their expectations.
    Finally, it is very important to adequately scale the hardware requirements. We recommend that you speak to the vendor technical contacts about the appropriate scaling factor. While the initial price may give you sticker shock, it is far better to scale up and buy the hardware than have to replace it within 6 months because it was not scaled correctly.

                   Step by Step: Implementing a SIM

    This is not a comprehensive step by step, but it gives the reader some important steps to follow while considering a SIM solution:

     1.   Write down your requirements (both business and technical).
          Decide carefully what you really need.
     2.   Create your evaluation requirements and test cases (how you
          decide if a product satisfies your criteria).
     3.   Create and issue an RFP (pick the 4-5 most suited vendors).

          Ensure that you invite not only security, but also operations to the
          decision meetings.
     4.   After the evaluation, pick two vendors to bring in-house and run
          against your test cases. In particular, make sure you test stress
          conditions (data overload) against the test system.
     5.   At this point, ensure that you carefully study and understand
          licensing options in your scenario.
     6.   As part of the pilot, also make sure you talk to external sources as
          well as reference customers from both vendors to judge actual level
          of effort in implementation.
     7.   Do not try to go too fast. Start slowly with a phase 1 approach
          targeting only security event logs from detection point products
          (firewalls, routers, Unix, Windows). Initial ticketing system and asset
          management integration should be built as well. Phase 2 can target
          more correlation, performance tuning, and integration with physical
          access and vulnerability assessment systems.
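Before turning to what vendors will say, here is an added example (written for this page, not code from the article or from any vendor it names) that ties together the event-processing requirements above: normalizing two constructed log formats into one extensible schema, aggregating repeats with a count, correlating IDS attacks against vulnerability assessment data so that attacks the VA system says cannot succeed are ignored, applying the article's threat-assessment examples (any attack on finance, high-severity attacks on the DMZ) from an imported comma-separated asset file, and escalating an unaddressed low-severity incident to medium after 24 hours. Every log format, address, signature name and asset in it is constructed; the regular expressions and rule thresholds are assumptions, not a real product's.

```python
import csv
import re
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta

# Constructed sample input (not real device output): an IDS-style and a firewall-style format.
RAW_EVENTS = [
    "2005-04-01T10:00:00 IDS alert sig=web-cgi-overflow src=10.1.1.5 dst=192.168.5.10 sev=high",
    "2005-04-01T10:00:02 IDS alert sig=web-cgi-overflow src=10.1.1.5 dst=192.168.5.10 sev=high",
    "2005-04-01T10:00:05 IDS alert sig=web-cgi-overflow src=10.1.1.5 dst=192.168.5.11 sev=high",
    "Apr  1 10:01:00 fw1 drop: 10.1.1.5 -> 192.168.9.2 tcp/445",
    "Apr  1 10:01:01 fw1 drop: 10.1.1.5 -> 192.168.9.2 tcp/445",
]
# Constructed vulnerability assessment findings: (host, signature) pairs confirmed vulnerable.
VA_FINDINGS = {("192.168.5.11", "web-cgi-overflow")}
# Constructed comma-separated asset file of the kind the article wants a SIM to import.
ASSET_CSV = ("ip,name,zone,criticality\n192.168.5.10,web1,dmz,medium\n"
             "192.168.5.11,pay1,finance,critical\n192.168.9.2,fs1,internal,low\n")
IDS_RE = re.compile(r"^(?P<ts>\S+) IDS alert sig=(?P<sig>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) sev=(?P<sev>\S+)$")
FW_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>[\d:]+) (?P<dev>\S+) drop: "
                   r"(?P<src>\S+) -> (?P<dst>\S+) (?P<proto>\w+)/(?P<port>\d+)$")


@dataclass
class Event:
    """Normalized event; 'extra' is the end-user-extensible part of the schema."""
    ts: datetime
    source: str
    kind: str
    src: str
    dst: str
    severity: str
    count: int = 1
    extra: dict = field(default_factory=dict)


def normalize(line, year=2005):
    """Translate either vendor format into the common Event schema."""
    m = IDS_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), "ids", m["sig"], m["src"], m["dst"], m["sev"])
    m = FW_RE.match(line)
    if m:  # syslog-style lines carry no year, so the collector supplies it
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        return Event(ts, m["dev"], f"drop-{m['proto']}/{m['port']}", m["src"], m["dst"], "low")
    raise ValueError(f"unrecognized log format: {line!r}")


def aggregate(events):
    """Merge same-type/source/destination events into one counted record (earliest timestamp kept)."""
    merged = {}
    for e in sorted(events, key=lambda e: e.ts):
        key = (e.source, e.kind, e.src, e.dst)
        if key in merged:
            merged[key].count += e.count
        else:
            merged[key] = replace(e, extra=dict(e.extra))
    return list(merged.values())


def correlate_with_va(events, va_findings):
    """Article's rule: an IDS attack on a host the VA system reports as not vulnerable is ignored."""
    kept, ignored = [], []
    for e in events:
        if e.source == "ids" and (e.dst, e.kind) not in va_findings:
            e.extra["disposition"] = "not vulnerable per VA; ignored"
            ignored.append(e)
        else:
            kept.append(e)
    return kept, ignored


def load_assets(csv_text):
    """Import asset criticality from CSV instead of entering it host by host."""
    return {row["ip"]: row for row in csv.DictReader(csv_text.splitlines())}


def assess_threat(event, assets):
    """Article's examples: ANY attack on finance servers, or a high-severity attack on the DMZ, is critical."""
    zone = assets.get(event.dst, {}).get("zone")
    if zone == "finance" or (zone == "dmz" and event.severity == "high"):
        return "critical"
    return event.severity


@dataclass
class Incident:
    event: Event
    severity: str
    opened: datetime
    status: str = "open"
    journal: list = field(default_factory=list)


def escalate(incidents, now, unaddressed_after=timedelta(hours=24)):
    """Escalation workflow: an open low-severity incident unaddressed for 24 hours becomes medium."""
    for inc in incidents:
        if inc.status == "open" and inc.severity == "low" and now - inc.opened >= unaddressed_after:
            inc.severity = "medium"
            inc.journal.append(f"{now.isoformat()} auto-escalated after {unaddressed_after}")
    return incidents


def run_pipeline(raw_lines, va_findings, asset_csv, now_iso):
    """Collection -> aggregation -> correlation -> threat assessment -> escalation as of now_iso."""
    kept, ignored = correlate_with_va(aggregate(normalize(l) for l in raw_lines), va_findings)
    assets = load_assets(asset_csv)
    incidents = [Incident(e, assess_threat(e, assets), e.ts) for e in kept]
    return escalate(incidents, datetime.fromisoformat(now_iso)), ignored
```

Run with the constructed data, the two hits on the DMZ web server are aggregated and then ignored because the VA data says that host is not vulnerable, the single hit on the finance server becomes a critical incident, and the firewall drops open as a low incident that the escalation rule raises to medium once 24 hours have passed.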

    Some things vendors will say to you (and what they really mean, given
after each claim):

     1. “We can work with any product.” Meaning: We can, but it’s often so
        painful to do that you’ll spend a fortune on consulting fees. Always
        make sure you understand exactly how easy integration with a
        product is.
     2. “Our product is plug-and-play.” Meaning: If you require the simplest
        solution possible with no additional features. Always make sure
        you understand how long the simplest implementation and
        how long the first functional implementation will take. They’re
        not the same.
     3. “We can be up and running in a week.” Meaning: If all you want is
        standard logging with no aggregation, correlation or integration with
        anything else. Be very careful about believing vendors on this point.
        There is no panacea to this problem. You will require several weeks
        to months to tune your system appropriately. Indeed, even after
        initial tuning, there is continuous configuration to perform on the
        system to ensure that it runs effectively.

                                    The Marketplace

    The marketplace in the SIM space is crowded with small private com-
panies jockeying for space with the larger, more established vendors. In
general, the smaller niche vendors have been able to hold their own so far.
Some private vendors are: eSecurity, ArcSight, netForensics, and
GuardedNet. Some of the larger vendors moving into the space include
Computer Associates (with eTrust Security Command Center) and
Symantec (with their Incident Manager and other products). We expressly
do not make recommendations on which vendor to use. It is strongly sug-
gested that you go through an RFP process with these vendors and create
your own requirements and judgments.



Aurobindo “Robin” Sundaram, CISSP/CISM, is the Director of Network Security at
ChoicePoint Inc. Robin has worked in the information security business for over
7 years in various capacities. He also holds the CISA and CCSA technical certifi-
cations and is currently working on his MBA from the Goizueta School of
Business at Emory University.
¹ Also referred to as Security Event Management (SEM)




Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncObject Automation
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 

Dernier (20)

Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation Inc
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 

2005 issa journal-simsevaluation

Following this, we’ll discuss licensing and cost considerations that the enterprise should be cognizant of, and finally, present a blueprint for implementing a SIM system.

Requirements

Event Collection

This layer of the SIMS deals with the collection, normalization, initial filtering and forwarding of security-related events to a processing entity.

Normalization is the process of translating various vendor event logs into a common format that the SIMS can understand and manipulate. It is important to ensure that the format of the normalized data is extensible by the end user—this ensures that company-specific fields (such as classification level, or handling instructions) can be added to the normalized logs. Although there are currently no standard normalization formats, it is important to obtain a commitment to openness from the vendor.

The event collection layer should support the collection of data from as many different point devices as it can. In particular, collection of the data should be as close to the source as possible, and in the native format of the point device where allowable (e.g. Firewall-1 OPSEC rather than syslog). Native logging formats are typically better compressed, have a richness of information that is harder and inefficient to translate into a pure text output such as syslog, and have built-in hooks that allow external programs to access events in real-time. Where the native logging solution is syslog (e.g. Unix authentication logs), the point above is moot. Users are strongly encouraged to verify and test the support and type of support of event collection.

It is desirable for some (but not all) filtering of the event data to occur at the agent that collects it. The trade-off is that the more filtering is done at the source, the better the network performance, and the worse the correlation results. This is because local filtering reduces the traffic that must be sent across the network to the central engine. However, correlation works best when access to data in its entirety is available. The communication between the agent and the console must be secured using an open strong encryption standard. In addition, the agent should have local storage facilities, so it can buffer data in a store-and-forward mechanism if the console is unavailable.

The SIMS must supply an application programming interface (API) so that agents may be built to collect data from third party and esoteric devices. This is important when you try to integrate home-grown applications, newer security solutions, and physical security events.

THE ISSA JOURNAL ◆ April 2005 ©2005 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited.
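The collection layer described above, as an added example that is not part of the article or of any vendor's product: a small Python agent that normalizes two constructed log formats into one extensible record, applies a deliberately narrow agent-side filter, and holds events in a local buffer while the console is unreachable (store-and-forward). The log formats, the field names, the "classification" custom field and the FakeConsole stand-in are all assumptions made for this example; the encrypted agent-to-console transport the article requires would sit behind the send callback.

```python
import re
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional

# Constructed sample input (invented for this example, not real vendor formats):
# a syslog-style firewall line and a CSV-style IDS line.
SAMPLE_LINES = [
    "Mar 10 12:00:01 fw01 fw: DROP src=203.0.113.5 dst=10.0.0.12 proto=tcp dport=22",
    "Mar 10 12:00:02 fw01 fw: ACCEPT src=10.0.0.7 dst=10.0.0.12 proto=tcp dport=443",
    "ids02,2005-03-10T12:00:03,SSH brute force,203.0.113.5,10.0.0.12,high",
    "this line matches no known format",
]


@dataclass
class NormalizedEvent:
    """Common schema the console understands. The core fields are fixed;
    `custom` carries company-specific fields (classification level, handling
    instructions) so the schema stays extensible without a vendor change."""
    sensor: str
    timestamp: str
    event_type: str
    src: str
    dst: str
    severity: str
    raw: str                                    # original line, kept for drill-down
    custom: Dict[str, str] = field(default_factory=dict)


FW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) fw: (?P<action>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\w+ dport=(?P<dport>\d+)$"
)


def parse_firewall(line: str) -> Optional[NormalizedEvent]:
    m = FW_RE.match(line)
    if not m:
        return None
    action = m.group("action")
    return NormalizedEvent(
        sensor=m.group("host"), timestamp=m.group("ts"),
        event_type="fw." + action.lower(), src=m.group("src"), dst=m.group("dst"),
        severity="low" if action == "DROP" else "info", raw=line,
        custom={"dport": m.group("dport")},
    )


def parse_ids_csv(line: str) -> Optional[NormalizedEvent]:
    parts = line.split(",")
    if len(parts) != 6:
        return None
    sensor, ts, signature, src, dst, sev = parts
    return NormalizedEvent(sensor=sensor, timestamp=ts, event_type="ids." + signature,
                           src=src, dst=dst, severity=sev, raw=line)


PARSERS: List[Callable[[str], Optional[NormalizedEvent]]] = [parse_firewall, parse_ids_csv]


def normalize(line: str) -> Optional[NormalizedEvent]:
    """Try each parser in turn; an unknown format is reported, never guessed at."""
    for parser in PARSERS:
        ev = parser(line)
        if ev is not None:
            ev.custom.setdefault("classification", "internal")  # company-specific field
            return ev
    return None


def agent_filter(ev: NormalizedEvent) -> bool:
    """Agent-side filter: drop only informational firewall ACCEPTs. Anything
    dropped here never reaches correlation, so the filter is kept narrow."""
    return not (ev.event_type == "fw.accept" and ev.severity == "info")


class FakeConsole:
    """Stand-in for the central console; `up` simulates reachability."""
    def __init__(self, up: bool = True) -> None:
        self.up = up
        self.received: List[NormalizedEvent] = []

    def send(self, ev: NormalizedEvent) -> bool:
        if self.up:
            self.received.append(ev)
        return self.up


class Agent:
    """Store-and-forward: events are delivered when the console answers and are
    otherwise held, in arrival order, in a bounded local buffer (the oldest is
    dropped when it fills) until a later flush succeeds."""
    def __init__(self, send: Callable[[NormalizedEvent], bool], capacity: int = 10000) -> None:
        self.send = send
        self.buffer: Deque[NormalizedEvent] = deque(maxlen=capacity)
        self.unparsed = 0

    def ingest(self, line: str) -> None:
        ev = normalize(line)
        if ev is None:
            self.unparsed += 1          # counted so a new or changed log format gets noticed
            return
        if agent_filter(ev):
            self.buffer.append(ev)
            self.flush()

    def flush(self) -> int:
        """Deliver buffered events in order; stop at the first failure."""
        sent = 0
        while self.buffer and self.send(self.buffer[0]):
            self.buffer.popleft()
            sent += 1
        return sent
```

Two things worth watching in a real agent: the unparsed counter, because a sensor firmware upgrade that changes the log format otherwise turns into silent data loss, and the buffer capacity, because a bounded queue trades disk for the possibility of dropping the oldest events during a long console outage.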
Event Processing

This is the most important portion of the SIMS. The main rationale for SIMS is that they can process huge streams of data, aggregate similar events, and perform correlation on volumes of events that would be impossible for a human to do. It can be split into the following functional components.

Aggregation is the process of combining events of a similar type into one consolidated event. The biggest problem with security systems today is data overload. The SIMS must support aggregation with the ability to drill down to individual events on demand.

Correlation is the process by which events are analyzed and entered into a common “event thread.” Correlation goes beyond aggregation in that it can incorporate logic engines and rule sets to make sense of distributed and stealth attacks that a human may not catch. The SIMS must support elementary correlation rules (correlate by attack type, source address, destination address, etc.) as well as allow an administrator to define business rules, such as multi-way correlation based on events and time.

Correlation is particularly important because it can allow an enterprise to correlate vulnerability assessment data against actual attacks observed by IDS and firewall devices. This allows the system to make intelligent decisions (e.g. “Attacker X tried attack Y; your vulnerability assessment system states you are not vulnerable to attack Y; ignore attack”). It is extremely important that it is possible to create arbitrary correlation rules based on attributes in the normalized database.

Threat Assessment

The SIMS typically performs a threat assessment on an event before displaying it in the user interface. The SIMS must allow the assessment to be performed using business rules defined by the enterprise, in addition to providing a pre-defined list of rules, based on best practices (e.g., Mitre CVE, or SANS best practices). It should also supply a modifiable knowledge base of event types. For instance, users should be able to designate a certain type of event as critical (e.g. ANY attack against finance servers; high-severity attacks against systems in the DMZ, etc.).

Response, Escalation and Integration

While there are many valid designs, the following capabilities are certainly “must-haves” for a SIMS:

▲ SIMS must implement automated response workflows based on rules defined by the enterprise. They should be able to control common point devices natively. For instance, the SIM should be able to page or e-mail a user when a certain event or sequence of events occurs.

▲ SIMS must implement escalation workflows where an incident changes in severity based on other events, time or business rules. For instance, a low-severity event should be escalated to medium severity if it has not been addressed for 24 hours.

▲ SIMS must be able to integrate with or otherwise interface with existing asset and risk management systems. For instance, the system should be able to import comma-separated asset information files so that the user does not have to manually enter asset criticality information into the system individually.

▲ SIMS must provide APIs to interface bi-directionally with third-party ticketing and incident management systems. The third-party ticketing system integration is extremely important because it allows the SIMS to integrate seamlessly with the processes already in place in the enterprise.

User Interface

The primary user interface should be Web-based and near real-time, although an alternate stand-alone client may be provided. As with all good security products, the ability to configure and audit the access to the interface, per user/role, is essential.

Administrators should be able to manage incidents entirely from the interface, for example, by running investigative tools, changing incident status, or adding journal notes to an incident.

The interface must allow agents to be controlled from it (e.g., to dynamically change rule sets, start/stop, etc.).

Users must have the option to run predefined reports, or to define their own criteria for analysis. From an operational standpoint, there is value to showing the ROI of the system by using built-in reports. However, users will no doubt require their own reports, and it is important that users be able to easily create their own.

Costs and Licensing

In most cases, small companies should not attempt to use SIM technology. This is primarily because SIM has a very high initial price point ($100K+ for software alone, could run to $200K if you include scalable hardware and services). Smaller organizations are urged to consider managed service providers, who will charge a flat fee per device monitored. In addition, there are rarely issues with hardware and software maintenance, rule tuning, workflow creation, etc.

Medium to large enterprises should consider SIM if the number of managed devices is sufficiently large as to make managed service providers too expensive (any company that spends more than $1M on managed service providers is likely a good candidate for SIM). It is important to note that headcount will be required to manage the system, in particular if it is expected to run under strict SLAs (e.g. 24-hour operation, 30-minute response time, etc.).

It is important to carefully read the licensing model of the SIM vendor. Some vendors will count aggregated devices (e.g. when multiple Unix systems log to a single syslog server) as one device, which is cheaper, and others will count them as individual devices, which are more expensive.

It is also important to factor in the cost of additional software, in particular database licenses. SIMS have high hardware requirements, and most database vendors will license by processors. Therefore, if the customer picks a four-processor system, it is possible that their database cost will quadruple from their expectations.

Finally, it is very important to adequately scale the hardware requirements. We recommend that you speak to the vendor technical contacts about the appropriate scaling factor. While the initial price may give you sticker shock, it is far better to scale up and buy the hardware than have to replace it within 6 months because it was not scaled correctly.

Step by Step: Implementing a SIM

This is not a comprehensive step by step, but it gives the reader some important steps to follow while considering a SIM solution:

1. Write down your requirements (both business and technical). Decide carefully what you really need.
2. Create your evaluation requirements and test cases (how you decide if a product satisfies your criteria).
3. Create and issue an RFP (pick the 4-5 most suited vendors). Ensure that you invite not only security, but also operations to the decision meetings.
4. After the evaluation, pick two vendors to bring in-house and run against your test cases. In particular, make sure you test stress conditions (data overload) against the test system.
5. At this point, ensure that you carefully study and understand licensing options in your scenario.
6. As part of the pilot, also make sure you talk to external sources as well as reference customers from both vendors to judge the actual level of effort in implementation.
7. Do not try to go too fast. Start slowly with a phase 1 approach targeting only security event logs from detection point products (firewalls, routers, Unix, Windows). Initial ticketing system and asset management integration should be built as well. Phase 2 can target more correlation, performance tuning, and integration with physical access and vulnerability assessment systems.

Some things vendors will say to you (and what they really mean):

1. “We can work with any product.” We can, but it’s often so painful to do that you’ll spend a fortune on consulting fees. Always make sure you understand exactly how easy integration with a product is.
2. “Our product is plug-and-play.” If you require the simplest solution possible with no additional features. Always make sure you understand how long the simplest implementation and how long the first functional implementation will take. They’re not the same.
3. “We can be up and running in a week.” If all you want is standard logging with no aggregation, correlation or integration with anything else. Be very careful about believing vendors on this point.

There is no panacea to this problem. You will require several weeks to months to tune your system appropriately. Indeed, even after initial tuning, there is continuous configuration to perform on the system to ensure that it runs effectively.
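The processing pipeline described in the Event Processing, Threat Assessment and Response, Escalation and Integration sections above, as an added example that is not part of the article or of any vendor's product: aggregation with drill-down to member events, vulnerability-aware correlation in the “attacker tried Y, target not vulnerable to Y, ignore” form, a threat assessment driven by an imported comma-separated asset file plus the “ANY attack against finance servers is critical” rule, and the 24-hour escalation rule. The normalized field names, the sample events, the asset file and the vulnerability data are all constructed for this example; in particular it assumes an `attack_id` attribute that the sensors and the vulnerability scanner agree on, which is the hard part in practice.

```python
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed normalized events (invented values; `attack_id` is assumed to be a
# normalized attribute shared by the sensors and the vulnerability scanner).
EVENTS = [
    {"ts": "2005-03-10T12:00:00", "sensor": "ids02", "type": "ids.ssh_bruteforce",
     "src": "203.0.113.5", "dst": "10.0.0.12", "attack_id": "ssh_bruteforce"},
    {"ts": "2005-03-10T12:00:05", "sensor": "ids02", "type": "ids.ssh_bruteforce",
     "src": "203.0.113.5", "dst": "10.0.0.12", "attack_id": "ssh_bruteforce"},
    {"ts": "2005-03-10T12:00:09", "sensor": "fw01", "type": "fw.drop",
     "src": "203.0.113.5", "dst": "10.0.0.12", "attack_id": "ssh_bruteforce"},
    {"ts": "2005-03-10T12:01:00", "sensor": "ids02", "type": "ids.smb_overflow",
     "src": "198.51.100.9", "dst": "10.0.0.20", "attack_id": "smb_overflow"},
    {"ts": "2005-03-10T12:02:00", "sensor": "fw01", "type": "fw.drop",
     "src": "192.0.2.77", "dst": "10.0.0.99", "attack_id": "portscan"},
]

# Constructed asset file, in the comma-separated form the article asks to be importable.
ASSET_CSV = """ip,name,zone,criticality
10.0.0.12,finance-db,finance,high
10.0.0.20,web01,dmz,medium
"""

# Constructed vulnerability-assessment result: host -> attack ids it is exposed to.
# 10.0.0.99 is absent on purpose: the scanner has never assessed it.
VULN_DATA: Dict[str, Set[str]] = {"10.0.0.12": {"ssh_bruteforce"}, "10.0.0.20": set()}


@dataclass
class Incident:
    key: Tuple[str, str, str]          # (attack_id, src, dst)
    first_seen: datetime
    count: int = 0
    members: List[dict] = field(default_factory=list)   # drill-down to the raw events
    severity: str = "low"
    verdict: str = ""                  # why correlation kept or discounted it


def aggregate(events: List[dict]) -> List[Incident]:
    """Fold events with the same (attack, src, dst) into one incident, keeping
    every member so an analyst can drill down to it on demand."""
    groups: Dict[Tuple[str, str, str], Incident] = {}
    for ev in events:
        key = (ev["attack_id"], ev["src"], ev["dst"])
        inc = groups.get(key)
        if inc is None:
            inc = groups[key] = Incident(key, datetime.fromisoformat(ev["ts"]))
        inc.count += 1
        inc.members.append(ev)
    return list(groups.values())


def correlate_with_va(inc: Incident, vuln: Dict[str, Set[str]]) -> bool:
    """Article's rule: attack Y against a host the scanner says is not exposed to Y
    can be ignored. A host the scanner has no data for is NOT discounted."""
    attack, _, dst = inc.key
    exposed = vuln.get(dst)
    if exposed is None:
        inc.verdict = "no assessment data: keep"
        return True
    if attack in exposed:
        inc.verdict = "target vulnerable"
        return True
    inc.verdict = "target not vulnerable: ignore"
    return False


def load_assets(text: str) -> Dict[str, dict]:
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def assess(inc: Incident, assets: Dict[str, dict]) -> str:
    """Threat assessment from asset criticality plus one business rule taken
    from the article: ANY attack against finance servers is critical."""
    asset = assets.get(inc.key[2])
    severity = "low"
    if asset is not None:
        severity = asset["criticality"] if asset["criticality"] in ("medium", "high") else "low"
        if asset["zone"] == "finance":
            severity = "critical"
    inc.severity = severity
    return severity


def escalate(inc: Incident, now: datetime, addressed: bool = False,
             sla: timedelta = timedelta(hours=24)) -> str:
    """Article's escalation rule: a low-severity incident left unaddressed for
    24 hours becomes medium."""
    if not addressed and inc.severity == "low" and now - inc.first_seen >= sla:
        inc.severity = "medium"
    return inc.severity


def process(events: List[dict], assets_csv: str, vuln: Dict[str, Set[str]],
            now: datetime) -> Tuple[List[Incident], List[Incident]]:
    """Run the layer end to end; discounted incidents are returned for audit."""
    assets = load_assets(assets_csv)
    kept: List[Incident] = []
    discounted: List[Incident] = []
    for inc in aggregate(events):
        if not correlate_with_va(inc, vuln):
            discounted.append(inc)
            continue
        assess(inc, assets)
        escalate(inc, now)
        kept.append(inc)
    return kept, discounted
```

Discounted incidents are returned rather than thrown away because the decision to ignore an attack rests entirely on the scanner's data being current; keeping the verdict where an analyst or an audit can see it makes a stale scan recoverable, and a host the scanner has never seen is treated as unknown, not as safe.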
The Marketplace

The marketplace in the SIM space is crowded with small private companies jockeying for space with the larger, more established vendors. In general, the smaller niche vendors have been able to hold their own so far. Some private vendors are: eSecurity, ArcSight, netForensics, and GuardedNet. Some of the larger vendors moving into the space include Computer Associates (with eTrust Security Command Center) and Symantec (with their Incident Manager and other products). We expressly do not make recommendations on which vendor to use. It is strongly suggested that you go through an RFP process with these vendors and create your own requirements and judgments.

Aurobindo “Robin” Sundaram, CISSP/CISM, is the Director of Network Security at ChoicePoint Inc. Robin has worked in the information security business for over 7 years in various capacities. He also holds the CISA and CCSA technical certifications and is currently working on his MBA from the Goizueta School of Business at Emory University.

1 Also referred to as Security Event Management (SEM)