Feeds:
Posts
Comments

Posts Tagged ‘Event Log Management’

Typical SIEM Dashboard

Typical Hybrid Approach for SIEM

In the field of IT, Security Information and Event Management (SIEM) solutions are a combination of the formerly disparate product categories of SIM (security information management) and SEM (security event manager). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. SIEM solutions come as software, appliances or managed services, and are also used to log security data and generate reports for compliance purposes.

The acronyms SEM, SIM and SIEM have been used interchangeably, though there are differences in meaning and product capabilities. The segment of security management that deals with real-time monitoring, correlation of events, notifications and console views is commonly known as Security Event Management (SEM). The second area provides long-term storage, analysis and reporting of log data and is known as Security Information Management (SIM). As with many meanings and definitions of capabilities evolving requirements continually shape derivatives of SIEM product categories. The need for voice centric visibility or vSIEM (voice security information and event management) is a recent example of this evolution.

SIEM 3D visualization for complex and advance security analysis

SIEM 3D visualization for complex and advance security analysis

The term Security Information Event Management (SIEM), in general, describes the product capabilities of gathering, analyzing and presenting information from network and security devices; identity and access management applications; vulnerability management and policy compliance tools; operating system, database and application logs; and external threat data. A key focus is to monitor and help manage user and service privileges, directory services and other system configuration changes; as well as providing log auditing and review and incident response.

To be truly SIEM solution, need to meet the following criteria:

  • Data Aggregation: SIEM/LM (log management) solutions aggregate data from many sources, including network, security, servers, databases, applications, providing the ability to consolidate monitored data to help avoid missing crucial events.
  • Correlation: looks for common attributes, and links events together into meaningful bundles. This technology provides the ability to perform a variety of correlation techniques to integrate different sources, in order to turn data into useful information. Correlation is typically a function of the Security Event Management portion of a full SIEM solution
  • Alerting: the automated analysis of correlated events and production of alerts, to notify recipients of immediate issues. Alerting can be to a dashboard, or sent via third party channels such as email.
  • Dashboards: SIEM/LM tools take event data and turn it into informational charts to assist in seeing patterns, or identifying activity that is not forming a standard pattern.
  • Compliance: SIEM applications can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes.
  • Retention: SIEM/SIM solutions employ long-term storage of historical data to facilitate correlation of data over time, and to provide the retention necessary for compliance requirements. Long term log data retention is critical in forensic investigations as it is unlikely that discovery of a network breach will be at the time of the breach occurring.
Pure SIEM Typical Dashboard

Pure SIEM approach, typical SIEM Dashboard

For the enterprise, corporate and government context, as the numbers of network device, security device, server, critical system and business critical applications growing, so do the need for the centralise security event log monitoring and archive is always there for the minimum. Some client will go for low cost point solution, end up with lot of manual work to get the reporting and incident investigation or auditing work to be done, while other will go for the systematic approach to get the things done in the way simplify their time and allow them to focus on get the real intrusion and act on it, as well as for other department user to get their things done (i.e. typical team work and multi user system).

Typical Point Solution for Event Log Management Interface

Typical Point Solution for Event Log Management Interface

For the coming technology session, E-SPIN will arrange series of related solution to use as the hand on and to look into the common Security Event Log Management, from set up to automatically collect, store, archive, back-up, analyse and report on Syslog, Windows events logs, or W3C logs generated by said Web Application Servers, Load Balancers, Firewalls, Proxy Servers or Content Security appliances. Add Event Log Monitoring to secure network and protect key information.

We will look into how to reduce exposure to security breaches, malware, loss or damage, and protect your organisation against costly financial penalties and legal liabilities.

In specific, we look into “how-to” aspect to run Security Operation Center (SOC) context:

  • automatically collect, store, archive and backup all log files with the intent for multi year data storage, cryptographic hashing
  • monitor windows event and syslog data in real-time to receive alerts and notification at the first sign of trouble
  • filter, analyse and report on log data to verify the success of internal security policies, and demonstrate regulatory compliance
  • generate compliance-centric reports for IT personnel, security and compliance officers, and even law enforcement agencies
  • spot check and review log files much faster to quickly respond to an emergency incident, and
    the practical matter that most vendor want to hide from you regard the following matter – how to do about it:
  • integration and share the data with Network Operation Center (NOC) / Security Command Center or other 3rd party Network Management System (NMS) / Intrusion Detection and Prevention System (IDS/IPS/IDP) System integration / Passive Real time vulnerability detection and Active Vulnerability Scan / Regulatory Compliance

Please stay tune to our newsletter and how to register for the series of events. If you have yet subscribe for E-SPIN newsletter, it is the good time to subscriber for. Non-sense and truly value added newsletter with practical information and came with event with the specific theme or area of focus your may involve and participate.

Advertisements

Read Full Post »

SIEM

Most organizations face the same inherent challenges when dealing with security information and event management (SIEM): effectively balancing limited IT resources, ever-increasing supplies of log data, dealing with regulation compliance, and keeping staff training up-to-date. There are four best challenges that organizations should consider to achieve this balance:

  • Prioritize security information and event management appropriately throughout organizations—Organizations can define requirements and goals for performing logging and monitoring logs to include applicable laws, regulations, and existing organization policies. They can then prioritize goals based on balancing risk with time and resources needed to manage logs
  • Establish policies and procedures for security information and event management—Policies and procedures are beneficial because they ensure consistent approaches throughout organizations as well as ensure that laws and regulations are observed. Periodic audits can confirm that logging standards and guidelines are followed throughout organizations. Furthermore, testing and validating can properly ensure log management policies and procedures
  • Create and maintain robust security information and event management infrastructures—Having secure log management infrastructures aids in preserving the integrity of log data from accidental or intentional modifications or deletions and in maintaining confidentiality. It is also critical for creating scalable infrastructures for handling expected volumes of log data as well as peak volumes during extreme situations (e.g. widespread malware incidents)
  • Provide proper training for all staff with security information and event management responsibilities—While defining log management schemas, organizations must provide requisite training to relevant staffers regarding their log management responsibilities as well as skilled instruction on the resources necessary to support log management. This includes providing log management tools, tool documentation, technical guidance on log management, and disseminating information to log management staffers.

Read Full Post »

SIEM SOC

Next-generation SIEM and log management:

One area where the tools can provide the most needed help is in compliance. Corporations increasingly face the challenge of staying accountable to customers, employees and shareholders, and that means protecting IT infrastructure, customer and corporate data, and complying with rules and regulations as defined by the government and industry. Log management and SIEM correlation technologies can work together to provide more comprehensive views to help companies satisfy their regulatory compliance requirements, make their IT and business processes more efficient and reduce management and technology costs in the process.
IT organizations also will expect log management and intelligence technologies to provide more value to business activity monitoring and business intelligence. Though SIEM will continue to capture security-related data, its correlation engine can be re-appropriated to correlate business processes and monitor internal events related to performance, uptime, capability utilization and service-level management. The combined solutions provide deeper insight into not just IT operations but also business processes. In short, by integrating SIEM and log management, it is easy to see how companies can save by re-duplicating efforts and functionality. The functions of collecting, archiving, indexing and correlating log data can be collapsed. That will also lead to savings in the resources required and in the maintenance of the tools.

Read Full Post »

SIEM

Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization’s information technology (IT) security.

The underlying principle of a SIEM system is that relevant data about an enterprise’s security is produced in multiple locations and being able to look at all the data from a single point of view makes it easier to spot trends and see patterns that are out of the ordinary.

At the most basic level, a SIEM system can be rules-based or employ a statistical correlation engine to establish relationships between event log entries. In some systems, pre-processing may happen at edge collectors, with only certain events being passed through to a centralized management node. In this way, the volume of information being communicated and stored can be reduced.

SIEM systems collect logs and other security-related documentation for analysis. Most SIEM systems work by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment — and even specialized security equipment like firewalls, antivirus or intrusion prevention systems.

In order to provide the most complete security view, SIEMs generally require data from different types of devices and platforms such as switches, firewalls, routers, servers (Windows, Unix, Linux, etc.) and applications (databases, CRMs, SAP, Exchange, etc.). To allow the system to identify anomalous events, it’s important that the SIEM administrator first creates a profile of the system under normal event conditions.

SIEM systems are typically expensive to deploy and complex to operate and manage. While Payment Card Industry Data Security Standard (PCI DSS) compliance has traditionally driven SIEM adoption in large enterprises, concerns over advanced persistent threats (APTs) have led smaller organizations to look at the benefits a SIEM managed security service provider (MSSP) can offer.

Read Full Post »

Siem_System

ImmuneSecurity (now called Logpoint) proudly presents LogInspect™ version 5.1.1. This version contains numerous enhancements as well as some bug fixes.

The highlights for this release are:

  • Introduction of LI Lite for distributed collection of logs from remote locations.
  • Higher availability of logs from the main LogInspect can be made by creating a copy of a repo in the remote LogInspect.
  • Introduction of tenants for effective object management between various organizational units.

Enhancements

A selection of the major enhancements of LogInspect™ v5.1.1 is listed below in detail.

Devices and Collection

  • Logs can be forwarded into the system from different platforms using the Distributed Collector. This support is available for LI Lite at the moment.
  • IPv6 support is extended to the following collectors and fetchers: SNMP fetcher, sflow collector,FileInspect collector, SNMP trap collector and the netflow collector.
  • The CIDR IP address, is supported for all of the collectors.
  • Log parser’s pattern can be validated by checking against the example message.
  • SNMP fetcher works for leaf OIDs.

Search and Queries

  • Fields in search query can now be renamed.
  • Grouping constructs support “order by” syntax.
  • Inline list now supports, using whitespace enclosed by quotes.
  • Cmd + click (Ctrl + click) opens and displays the search result on a new tab.

Dashboard and User Interface

  • Growl position setting, can now be managed from preferences page.
  • Dashboard tabs are now moveable.

User Management

  • LDAP authentication supports three different login formats: “Sam Account Name”, “UID” and “DN”. This can be configured from “Advance LDAP Settings”.
  • SSL implemented for Directory Access Protocol (LDAP Strategy).
  • Username is now made non editable.

Correlation and Alert

  • Ownership of rules can be transferred to other users.

System and Performance

  • Critical security updates for the system can be applied by uploading the tested security patch and installing them.

Backup and Storage

  • Backup scheduling is made optional.
  • For backups, its now possible to apply a retention policy.

FileInspect

  • Windows events can now be collected, by using the “Windows Event Log Reader” checkmark, while configuring the FileInspect client.
Reporting
  • Queries in reports templates are now editable.

Bug Fixes

A selection of the major bug fixes of LogInspect™ v5.1.1 is listed below.

  • Netflow v9 now contains all available fields.
  • HTTPS certificate can now be applied, without rebooting the server.
  • Problem with configuration backup has been fixed.
  • Vendor dashboard can now be used through the “use action”.

Read Full Post »

Scalability, made easy.

LogInspect 5 (now called Logpoint) can scale into any organization – big or small, locally based or operating globally.
And while all organizations have a similar need to invest in a SIEM solution, each has a unique set of operational conditions with specific requirements that dictate the scope of implementation.
A network might be highly segmented due to security policies or geographic distribution, mandating specific collection capabilities. Budget and staffing limitations can also require an incremental approach.

screen_dump_appl
LogInspect 5 is dynamic, adaptable and scalable to the specific needs of your organisation.

  • Accommodates today – and tomorrow.

IT executives can be assured that the solution they invest in today can adapt to accommodate their future organizational needs.
LogInspect 5’s dynamic enterprise architecture is flexible enough to meet multiple and changing requirements – from the easily scalable to broader collection capabilities.

  • Centralized Threat Analysis System.

Thanks to the Centralized Threat Analysis System (CTAS), LogInspect 5 can deploy any combination of hardware and software appliances on a multitude of servers.
Searching, alarming, and incident managing and reporting are consolidated on one single interface. Just apply the search or report to the suitable LogInspect 5 repositories.

  • Truly designed for Big Data.

•Based on NoSQL technologies – for ultimate performance.
•Lowered overhead thanks to tagged data rather than the indexed data of the traditional, expensive   performance of an SQL database.
•A “Document” database structure.
•Digests billions of logs on a daily basis.
•Log data is stored and normalized in one single and fast process.

  • Built-in scaling.

•Supports hardware appliances based on standard servers.
•Supports VMware and Hyper V.
•Dynamic repository architecture ensures easy scalability for multiple sites and optimised   performance.

  • Fully supports on existing infrastructures.

•SAN storage architectures.
•Existing load balancers.
•Co-exists with existing backup solutions.
•Full redundancy architecture for highest availability.

Read Full Post »

Tenable’s Unified Security Monitoring (USM) solution uniquely solves that challenge by integrating active and passive vulnerability management with SIEM capabilities –- providing a contextualized and prioritized view of events and activity. USM helps users quickly focus their attention and energies on the most pressing security issues, as well as ferreting out suspicious activity that would otherwise go undetected.

teable_LCE

New release of Tenable’s Log Correlation Engine (LCE) version 4 adds several new features that enhance its ability to support complex enterprise environments, as well as make the day-to-day jobs of users easier and more productive. Here are some of the key upgrades:

  • Much faster processing speeds. LCE v4 can process more than 30,000 events per second. That’s up to 20 times faster than version 3, made possible through multi-core support and other engine improvements.
  • ‘Smart’ load balancing. LCE v4 automatically routes tasks to new or underutilized servers when workloads increase, enhancing efficiency.
  • Enhanced event full-text search. Allows LCE users to identify specific events and network-based activity by rapidly sifting through mountains of log data, saving time and improving efficiency.
  • Easier deployment, administration, and operation; centralized administration of LCE Client systems. Existing LCE users will welcome operational enhancements, including the ability to update remote client configuration settings through changes on a central LCE server, saving time and reducing the potential for errors.

Tenable Log Correlation version 4 increases employees work efficiency by implementing easier user guide for further understanding to reduce product complexity.

For more information about Tenable LCE v4, please visit

http://e-spincorp.com/espinv3/index.php/tenable-network-security/tenable-solutions

Read Full Post »

Older Posts »