Sentor's breakfast seminar on SIEM - LogPoint's part
Enterprise Log Management / SIEM
Christian Have, Vice President, Products and Innovation
- Founded in 2001 as a security consulting company; focus on security analytics since 2008, when Immune APS was bought
- Danish company: 250+ customers, 75 employees, of which 45 are developers (!)
- Offices in Denmark, Sweden, Germany, France and the UK
- 100% year-over-year growth

Vision: creating the world's greatest SIEM platform
http://www.logpoint.com/images/Articles/Borsen_ImmuneSecurity_LogPoint_Boeing.pdf
Decentralized logging – Problem areas

- Separate logging of different systems: searching in AD requires manual searches of X logs
- Some logs/systems are not handled today
- Difficult and time-consuming to search for information: up to X working days for basic reports
- No overview of the entire environment
- Highly dependent on individual employees
- (Way) too short retention times on some systems
Decentralized logging - Consequences

- Limited traceability
- Decreased security for customers AND staff
- Lacking compliance in various areas
- Time-consuming reporting, search and forensics
- Limited information for troubleshooting and support
- Reactive incident handling, no statistics, no trends
- Expensive management of many local log archives
What should you log?

"Everything" – you don't know what you will need!

- Changes in system configurations
- Changes in critical system files
- Changes and access in critical databases
- Access and use of business applications
- Actions by privileged users and administrators
- User and device management: creations, changes, deletions
- Session logging from network devices
Where should you log?

- Operating systems
- Infrastructure components: switches, routers
- Network security: firewalls, proxies, IPS, VPN…
- Wireless
- User authentication: Active Directory, IDM systems, policy servers
- Device management: MDM, software deployment, antivirus, asset management
- Applications!
How do you identify security incidents without a SIEM?

- Manual log review and log analysis
- Host- and network-based IDS
- Antimalware
- Structured observations, monitoring etc.

But it is typically unorganized: incidents are reported by external parties, customers, users or administrators, post-incident, or leaked to the press.
Log Analysis

- That which is strange, unusual, unknown
- Everything not uninteresting is interesting

"The common item to look for when reviewing log files is anything that appears out of the ordinary." (CERT Coordination Center, Intrusion Detection Checklist)

"If the statistics are boring, then you've got the wrong numbers." (Edward Tufte, on analysis and visualization)
Log Analysis - Baseline

Security incidents typically make up less than 0.001% of the total volume of log data.

- Baseline, thresholding, what's interesting
- False positives
- Trends, different types of data, historical information
- Known bad
- Unknowns

Look at the baseline:

- What is strange?
- How many times has a given event occurred in a given timeframe? (frequency thresholding)
- Alert if a log source stops sending logs.
Log Analysis - investigation

How is an investigation initiated?

- As standard, a set of rule-based alerts is used, followed by periodic manual review of the collected and analyzed data and of dashboards
- The "can you tell me" scenario: specific investigations of events by time, user, IP, etc.
- All based on the collected and analyzed data
- Everything that looks unusual
Identifying the unusual

- Statistical events: high response times/latency; deviating session length (time/frequency)
- Chronological events: installation of kernel drivers during the night; logins with service accounts on day-time systems
- Machine learning / advanced algorithms: identifying clusters or groups of similar patterns; predictive "what's next" analytics
- Applications / Network
Technology development and maturity

| Stage | Characteristics |
|---|---|
| No log-management | Decentralized logging; silo- and competence-oriented; no utilization of collected data; no structured retention of data; opportunistic, sample-based searching |
| Log-Management | Centralized (network) logging; no analysis layer, no intelligence; collecting log data, nothing else |
| Classical SIEM tools | Centralized logging; analysis layer; static data and concept model; correlation of defined events |
| "Next Generation" SIEM | Deep application integration; dynamic ontology; "Big Data"; wide enterprise integration |

The stages progress along both a technical and an organizational axis.

Ontology (Greek on = "being", logi = "the study of") describes the study of being: what exists and how it exists.
Next Generation SIEM
Example of contextual analysis
Another example
- Public Danish organization implementing trust-based management
- Logs from firewalls; classification of firewall traffic (context)
- Filter searches on job sites
- Correlate user names (context) from AD; correlate organizational association; correlate the manager of the given employee
- Dashboard with KPI: percentage of employees looking for new jobs; bracketing middle managers as red/yellow/green
Business-driven (ERP) use-cases

- Detect invoices without purchase orders
- Identify vendors where alternate payee names have been changed before payment
- Multiple use of one-time vendors
- Detection of payments above the threshold value to one-time vendors
- Identify transactions where the purchase approver is equal to the goods receipt creator
- Identify transactions where the order approver is equal to the invoice creator
- Identify transactions where the order creator is equal to the payment creator
- Identify purchase orders that were created on or after the date the invoice was issued
- Invoice receipt is more than the goods receipt document
- Detect value increases for purchase orders over a certain threshold
- Check for bank account bookings not processed with one of the known transactions
- Check suspicious manual bookings at unusual times
- Detect split invoices to avoid exceeding a certain threshold
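Several of these use-cases are plain joins over the ERP tables once the data is in a queryable store, so the following added example expresses five of them as SQL run against an in-memory SQLite copy of constructed purchase-order, goods-receipt and invoice rows. It is editor-written code, not part of the seminar or of any ERP integration; the table layout, column names, the 5000 approval threshold and every row are assumptions made for the example.

```python
# Added example (not from the seminar): five of the ERP use-cases as SQL over constructed data.
import sqlite3

# Assumed minimal ERP schema; dates are ISO strings so text comparison is chronological.
SCHEMA = """
CREATE TABLE purchase_orders (po_id TEXT PRIMARY KEY, vendor TEXT, created TEXT, approver TEXT, amount REAL);
CREATE TABLE goods_receipts  (gr_id TEXT PRIMARY KEY, po_id TEXT, created_by TEXT, created TEXT, amount REAL);
CREATE TABLE invoices        (inv_id TEXT PRIMARY KEY, po_id TEXT, vendor TEXT, issued TEXT, created_by TEXT, amount REAL);
"""

SAMPLE_ROWS = {  # constructed; each anomaly is planted once so every check fires exactly once
    "purchase_orders": [
        ("PO1", "ACME", "2015-01-10", "carol", 5000.0),
        ("PO2", "ACME", "2015-01-12", "dave", 800.0),
        ("PO3", "GLOBEX", "2015-02-20", "carol", 12000.0),   # created after its invoice was issued
        ("PO4", "INITECH", "2015-02-25", "carol", 9700.0),
    ],
    "goods_receipts": [
        ("GR1", "PO1", "erik", "2015-01-15", 5000.0),
        ("GR2", "PO2", "dave", "2015-01-14", 800.0),         # dave approved PO2 and booked its receipt
        ("GR3", "PO3", "erik", "2015-02-22", 10000.0),       # less received than invoiced on PO3
        ("GR4", "PO4", "erik", "2015-02-28", 9700.0),
    ],
    "invoices": [
        ("INV1", "PO1", "ACME", "2015-01-16", "fran", 5000.0),
        ("INV2", "PO2", "ACME", "2015-01-16", "fran", 800.0),
        ("INV3", None, "INITECH", "2015-01-20", "fran", 300.0),  # no purchase order at all
        ("INV4", "PO3", "GLOBEX", "2015-02-18", "fran", 12000.0),
        ("INV5", "PO4", "INITECH", "2015-03-01", "gary", 4900.0),  # two invoices just under the
        ("INV6", "PO4", "INITECH", "2015-03-01", "gary", 4800.0),  # threshold, same vendor, same day
    ],
}

CHECKS = {
    "invoice_without_po": """
        SELECT i.inv_id FROM invoices i LEFT JOIN purchase_orders p ON p.po_id = i.po_id
        WHERE p.po_id IS NULL ORDER BY i.inv_id""",
    "approver_equals_receipt_creator": """
        SELECT p.po_id FROM purchase_orders p JOIN goods_receipts g ON g.po_id = p.po_id
        WHERE p.approver = g.created_by ORDER BY p.po_id""",
    "po_created_on_or_after_invoice": """
        SELECT i.inv_id FROM invoices i JOIN purchase_orders p ON p.po_id = i.po_id
        WHERE p.created >= i.issued ORDER BY i.inv_id""",
    "invoiced_more_than_received": """
        SELECT p.po_id FROM purchase_orders p
        JOIN (SELECT po_id, SUM(amount) AS inv FROM invoices GROUP BY po_id) i ON i.po_id = p.po_id
        JOIN (SELECT po_id, SUM(amount) AS rcv FROM goods_receipts GROUP BY po_id) g ON g.po_id = p.po_id
        WHERE i.inv > g.rcv ORDER BY p.po_id""",
    "split_invoices": """
        SELECT vendor || '/' || issued FROM invoices
        GROUP BY vendor, issued
        HAVING COUNT(*) > 1 AND MAX(amount) < :threshold AND SUM(amount) >= :threshold""",
}

def load_sample(conn):
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)

def run_checks(conn, threshold=5000.0):
    """Run every check; returns {check_name: [flagged ids]}."""
    return {name: [row[0] for row in conn.execute(sql, {"threshold": threshold})]
            for name, sql in CHECKS.items()}

def demo():
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    return run_checks(conn)
```

`demo()` flags INV3 (no PO), PO2 (approver booked the receipt), INV4 (PO dated after the invoice), PO3 (invoiced more than received) and the two INITECH invoices of 2015-03-01 as a split below the 5000 threshold. The split check deliberately uses the same day and vendor as its grouping key; a real implementation would widen the window and also look at consecutive invoice numbers.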
Identifying Botnets

- Inbound accepted connections
- Outbound DNS requests (+35,000): searching for command-and-control servers
Botnet identification:

1. Next-gen firewall (IP reputation on the router): accepted inbound connection to 172.28.160.122, threat category=ZeroAccess.Gen Command and Control Traffic, threat severity=critical
2. Next-gen DNS/DHCP: identify activity through DNS requests
3. Correlate switch information: find the MAC address and correlate the physical location, mac-addr: 00:1e:0b:31:18:b7
4. Correlate AV information (Trend Micro) with the MAC to get the host name and actions: M4986GE
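The chain above, written out as an added example: a firewall threat hit is enriched with the client's DNS behaviour, resolved to a MAC through the DHCP lease that was valid at that moment, then to a switch port and an AV inventory record. This is editor-written code, not LogPoint's product or the seminar's own material. The IP 172.28.160.122, the MAC 00:1e:0b:31:18:b7 and the host name M4986GE are taken from the slide; the record layouts, the second DHCP lease, the DNS names, the switch port, the AV action text and the 100-queries-per-hour threshold are all constructed for the example.

```python
# Added example (not from the seminar): firewall hit -> DNS -> DHCP lease -> switch port -> AV host.
from collections import Counter
from datetime import datetime, timedelta

THREAT_LOG = [  # constructed next-gen firewall threat event using the slide's IP and category
    {"ts": "2015-03-02T14:02:11", "action": "accept", "direction": "inbound", "src": "203.0.113.50",
     "dst": "172.28.160.122", "threat": "ZeroAccess.Gen Command and Control Traffic", "severity": "critical"},
]
DNS_LOG = [  # constructed: 300 never-seen names from the suspect client in one hour, one normal lookup elsewhere
    {"ts": f"2015-03-02T14:{i % 60:02d}:{(i * 7) % 60:02d}", "client": "172.28.160.122",
     "qname": f"{i:05x}.example-c2.net"} for i in range(300)
] + [{"ts": "2015-03-02T14:05:00", "client": "172.28.160.9", "qname": "www.example.com"}]
DHCP_LEASES = [  # constructed: the same IP belonged to another machine the day before
    {"ip": "172.28.160.122", "mac": "00:1e:0b:31:18:b7", "start": "2015-03-02T07:55:00", "end": "2015-03-02T19:55:00"},
    {"ip": "172.28.160.122", "mac": "00:1e:0b:aa:bb:cc", "start": "2015-03-01T07:50:00", "end": "2015-03-01T19:50:00"},
]
SWITCH_MAC_TABLE = {"00:1e:0b:31:18:b7": ("sw-floor3-01", "Gi1/0/17")}            # constructed
AV_INVENTORY = {"00:1e:0b:31:18:b7": {"hostname": "M4986GE", "last_action": "quarantined sample.bin"}}  # action constructed

def lease_at(ip, ts, leases=DHCP_LEASES):
    """The DHCP lease that covered `ip` at time `ts` (ISO strings compare chronologically).
    Matching on IP alone would blame yesterday's owner of the address."""
    for lease in leases:
        if lease["ip"] == ip and lease["start"] <= ts <= lease["end"]:
            return lease
    return None

def dns_activity(client, around_ts, window=timedelta(hours=1), log=DNS_LOG):
    """Query volume, distinct names and top parent domains for `client` within +/- window."""
    centre = datetime.fromisoformat(around_ts)
    lo, hi = (centre - window).isoformat(), (centre + window).isoformat()
    names = [e["qname"] for e in log if e["client"] == client and lo <= e["ts"] <= hi]
    parents = Counter(n.split(".", 1)[1] for n in names if "." in n)
    return {"queries": len(names), "distinct_names": len(set(names)), "top_parents": parents.most_common(3)}

def investigate(threat, dns_threshold=100):
    """Walk the correlation chain for one firewall threat event and return what was learned."""
    ip, ts = threat["dst"], threat["ts"]
    result = {"ip": ip, "threat": threat["threat"], "severity": threat["severity"]}
    dns = result["dns"] = dns_activity(ip, ts)
    # many queries for many distinct names in a short window is the DGA/C2-hunting pattern
    result["dns_suspicious"] = dns["queries"] >= dns_threshold and dns["distinct_names"] >= dns_threshold
    lease = lease_at(ip, ts)
    if lease is None:
        result["mac"] = None      # cannot attribute the IP to a machine at that time: stop, do not guess
        return result
    mac = result["mac"] = lease["mac"]
    result["switch_port"] = SWITCH_MAC_TABLE.get(mac)
    host = AV_INVENTORY.get(mac, {})
    result["hostname"] = host.get("hostname")
    result["av_last_action"] = host.get("last_action")
    return result

if __name__ == "__main__":
    for key, value in investigate(THREAT_LOG[0]).items():
        print(f"{key}: {value}")
```

The time-bounded lease lookup is the step most often skipped in ad-hoc investigations: a firewall log gives an IP, but the IP identifies a machine only for the lifetime of the lease, so the DHCP, DNS and firewall clocks have to be trustworthy and the lookup has to be made against the event's own timestamp, not "now".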
Security Operations Center View
Health Care data – structured, readable, easily accessible