Post on 15-Jan-2015
Tom D’Aquino, Senior Security Engineer, AlienVault
WHOSE LOGS, WHAT LOGS, WHY LOGS: YOUR QUICKEST PATH TO SECURITY VISIBILITY
AGENDA
The Challenge
• Getting adequate security visibility for your small or medium business
The Widely Pursued Solution
• The traditional approach to Log Management/SIEM
• The cost/benefit analysis
An Alternative Approach
• Who, What and Why is the key
• Unified Security Management
• AlienVault’s Threat Intelligence Labs
Coming Soon to SpiceWorks: AlienVault Threat Alerts
HUMANS MEET TECHNOLOGY
Something is down?
YouTube is up though.
THE WIDELY PURSUED SOLUTION
The traditional approach to Log Management/SIEM:
• Collect everything
• Analyze everything
• Correlate everything
• Store everything
BUT AT WHAT HARDWARE COST?
How much storage, CPU and RAM will you need to collect, correlate and store all of this data?
• High-performance storage is not cheap
How effective is the automated analysis, i.e. correlation really going to be?
• Correlation is CPU and memory intensive
AND AT WHAT HUMAN RESOURCE COST?
How effective is your team really going to be?
• Can one person realistically review 10,000 alerts in a day?
IS THERE A BETTER APPROACH TO LOG MANAGEMENT?
What if we took a more strategic approach by identifying the problem more effectively?
Why do you need the logs?
• Do you have an intended result in mind?
What logs will you need to get that result?
• i.e., will authentication logs suffice?
Who will the logs you collect pertain to?
• Is there a specific user group/community you should be focused on?
LET’S LOOK AT SOME EXAMPLES
What log sources should you start with?
EVERYONE COLLECTS FIREWALL LOGS, RIGHT?
Why do you need Firewall logs?
• I need to see what is getting in to my network
What logs will you need to get that result?
• Firewall permit logs
Who will the logs you collect pertain to?
• I’m most significantly concerned with blacklisted IPs/domains
WHAT’S GETTING IN YOUR WAY?
You are probably only seeing these:
When you should be looking for this:
WHAT ABOUT OS LOGS?
Why do you need OS logs?
• I need to detect unauthorized access attempts and account lockouts
What logs will you need to get that result?
• OS authentication failure and account lockout logs
Who will the logs you collect pertain to?
• I’m most significantly concerned with admin level accounts
WHAT’S GETTING IN YOUR WAY HERE?
Multiple events to indicate a single login:
No login failure events to be found…
WHAT ABOUT YOUR NETWORK GEAR?
Why do you need Switch/Router logs?
• I need to see when someone logs in to my network gear and makes config changes
What logs will you need to get that result?
• Syslog data from my Routers and Switches
Who will the logs you collect pertain to?
• Anyone connecting to my network gear
MORE NOISE IN YOUR WAY…
You may have to process tens of thousands of these:
Just to get one or two of these:
HOW CAN ALIENVAULT HELP WITH FIREWALL LOGS?
Managing Firewall logs is all about context:
HOW CAN ALIENVAULT HELP WITH OS LOGS?
Use policy filters to eliminate repetitive data:
HOW CAN ALIENVAULT HELP WITH OS LOGS?
Use correlation to detect mischievous activity:
HOW CAN ALIENVAULT HELP WITH DEVICE LOGS?
Use policy filters to eliminate the noise:
Or use policy filters to explicitly include the interesting stuff:
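The Who/What/Why filters from the firewall, OS and network-gear slides, and the "connection with a known malicious host" check behind the SpiceWorks threat alerts, as one added example that is not AlienVault's or USM's own code. The log lines, the blacklist and the admin account list are constructed placeholders; the Windows event IDs (4625 failed logon, 4740 lockout) and the Cisco IOS CONFIG_I message are real formats.

```python
import re

# Constructed sample stream: netfilter-style firewall permits, Windows security
# events (4625 = failed logon, 4740 = lockout) and Cisco IOS router syslog.
SAMPLE_LOGS = """\
Jan 15 09:01:02 fw1 kernel: ACCEPT SRC=10.0.0.12 DST=198.51.100.7 DPT=80
Jan 15 09:01:03 fw1 kernel: ACCEPT SRC=10.0.0.12 DST=203.0.113.50 DPT=443
Jan 15 09:01:05 fw1 kernel: DROP SRC=198.51.100.7 DST=10.0.0.12 DPT=22
Jan 15 09:02:10 dc1 Security: EventID=4625 Account=jsmith Src=10.0.0.20
Jan 15 09:02:11 dc1 Security: EventID=4625 Account=Administrator Src=10.0.0.31
Jan 15 09:02:12 dc1 Security: EventID=4625 Account=Administrator Src=10.0.0.31
Jan 15 09:02:13 dc1 Security: EventID=4625 Account=Administrator Src=10.0.0.31
Jan 15 09:02:14 dc1 Security: EventID=4740 Account=Administrator Src=10.0.0.31
Jan 15 09:03:00 rtr1 %LINK-3-UPDOWN: Interface Gi0/1, changed state to up
Jan 15 09:03:01 rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""
BLACKLIST = {"198.51.100.7"}                # "Who" for firewall logs: placeholder reputation list
ADMIN_ACCOUNTS = {"Administrator", "root"}  # "Who" for OS logs
FW_RE = re.compile(r"\b(ACCEPT|DROP) SRC=(\S+) DST=(\S+) DPT=(\d+)")
WIN_RE = re.compile(r"EventID=(\d+) Account=(\S+) Src=(\S+)")
NOISE_RE = re.compile(r"%(LINK|LINEPROTO)-\d-UPDOWN")   # exclude filter: link flaps
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: (.*)")         # include filter: config changes

def firewall_hits(lines, blacklist=BLACKLIST):
    """Why: what is getting in. What: permit logs only. Who: blacklisted peers."""
    return [(m.group(2), m.group(3), int(m.group(4))) for m in map(FW_RE.search, lines)
            if m and m.group(1) == "ACCEPT" and m.group(3) in blacklist]

def admin_lockout_alarms(lines, admins=ADMIN_ACCOUNTS, threshold=3):
    """Correlate repeated 4625 failures per (admin account, source) into one
    alarm, and raise a second alarm if a 4740 lockout follows."""
    failures, alarms = {}, []
    for line in lines:
        m = WIN_RE.search(line)
        if not m or m.group(2) not in admins:
            continue                      # non-admin accounts are filtered out
        event, account, src = m.groups()
        if event == "4625":
            failures[(account, src)] = failures.get((account, src), 0) + 1
            if failures[(account, src)] == threshold:
                alarms.append(("brute-force", account, src))
        elif event == "4740":
            alarms.append(("lockout", account, src))
    return alarms

def device_changes(lines):
    """Policy filters for router syslog: drop link-flap noise, keep config changes."""
    noise = [l for l in lines if NOISE_RE.search(l)]
    kept = [CONFIG_RE.search(l).group(1) for l in lines if l not in noise and CONFIG_RE.search(l)]
    return kept, len(noise)
```

Note that the DROP line from the blacklisted address is deliberately not reported: the deck's point is that permit logs, not denies, answer the "what is getting in" question.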
UNIFIED SECURITY MANAGEMENT
“SECURITY VISIBILITY THROUGH OPEN SOURCE INTEGRATION”
Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
Vulnerability Assessment
• Network Vulnerability Testing
Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
Security Intelligence
• SIEM Correlation
• Incident Response
BENEFITS OF UNIFIED SECURITY CONTROLS
Accelerated time to value
• Go from install to insight quickly
Reduce cost and complexity
• At deployment time: focus on integrating the infrastructure event data only
• Over the long term: manage all through the same console, better workflow, etc.
More coordinated detection for accurate alarms
• Built-in event correlation rules
• Attacker intelligence provides more accurate correlation
UNIFYING BEST-IN-BREED TECHNOLOGY WITH SHARED INTELLIGENCE
AlienVault Labs monitor, analyze, reverse engineer and report on sophisticated zero-day threats including malware, bots, phishing campaigns and more.
Findings are published in the Open Threat Exchange (OTX), pushing the latest threat intelligence including correlation rules, policies, and reputation data directly to AlienVault USM.
AlienVault OTX
500,000 Malware Samples Analyzed per day
100,000 Malicious IPs Validated per day
8,000+ Global Collection Points in 140+ countries
> 7 Million URLs Analyzed
CROWD-SOURCED THREAT DATA IN ACTION
Since March 2012, OSSIM & USM users have flagged 196 million malicious events that were contributed to the OTX database.
Average of ~11 million per month (365,000 a day)
[Chart: cumulative malicious events contributed to OTX, monthly from 3/1/12 to 9/1/13, y-axis 0 to 250,000,000]
SpiceHead Benefits:
• Identify compromised hosts in a monitored network without having to deploy Anti-Virus or any other agent
• Remediation advice from the world’s largest crowd-sourced threat intelligence database
ALIENVAULT THREAT ALERTS FOR SPICEWORKS
HOW IT WORKS – THREAT MONITORING
Internet
Customers’ Internal Assets In SpiceWorks
Search for connections with known malicious hosts
HOW IT WORKS – ALERT TRIGGERED
Customers’ Internal Assets In SpiceWorks
Alert on connection with known malicious host
THREAT ALERTS IN SPICEWORKS:DASHBOARD & DEVICE DETAILS PAGE
“SpiceWorks has found a connection with a potentially suspicious IP Address 77.240.191.89 on device tmg-mbh.”
AlienVault Threat Analysis for suspicious IP
ALIENVAULT THREAT ANALYSIS - SUMMARY
ALIENVAULT THREAT ANALYSIS - REMEDIATION
NOW FOR SOME Q&A…
Follow us on SpiceWorks
http://community.spiceworks.com/pages/AlienVault
Join us for a LIVE Demo!
http://www.alienvault.com/marketing/alienvault-usm-live-demo
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site
Questions? Ping me (Tomdaq) in the SpiceWorks community