
Posts Tagged ‘SIEM’

A proactive approach to SIEM

As the old adage goes, “the best defense is a strong offense”, and McAfee Risk Advisor seeks to apply that through a proactive approach to risk management. Aiming to reduce the grab-in-the-dark approach organizations take to procuring and deploying security measures, Risk Advisor pinpoints the critical assets that require immediate attention. Leveraging McAfee Labs’ ability to gather threat data from millions of collection points, it is kept up to date with threat analysis and any potential remedies.

Risk Advisor has a built-in scoring system that quantifies an organization’s risk mitigation efforts. It uses the vulnerability and threat status, the criticality of an asset, and any pre-existing countermeasures to generate a current risk score. This lets managers see what effect their risk mitigation efforts have had on their assets.


Risk Advisor is designed to work out of the box with a multitude of other McAfee products, such as McAfee’s Virus Scanner, Host Intrusion Prevention, Vulnerability Manager, Policy Auditor and Network Security Manager, to provide countermeasure information across various functions. It has even been integrated into non-McAfee products such as SAP BusinessObjects to extend its risk analysis to business decisions.


E-SPIN SIEM Solution

E-SPIN offers some practical tips on choosing a Security Information and Event Management (SIEM) system solution and addresses the question of whether you need one or an alternative solution.

Enterprises, particularly large enterprises, will have requirements for log management, archiving, correlation and consolidation, and for forwarding security incidents for further security investigation or proactive action.

Before we go further on the subject, let us define some key terms here first.

Security Information and Event Management (SIEM) is a term for software and product services combining security information management (SIM) and security event management (SEM). In general, a product needs to possess certain key capabilities before we can classify it as a SIEM system solution. The solution must have components or subsystems capable of providing the capabilities or functionality listed below:

Data Aggregation: Log management aggregates data from many sources, including network, security, servers, databases, applications, providing the ability to consolidate monitored data to help avoid missing crucial events.

Correlation: looks for common attributes, and links events together into meaningful bundles. This technology provides the ability to perform a variety of correlation techniques to integrate different sources, in order to turn data into useful information. Correlation is typically a function of the Security Event Management portion of a full SIEM solution.

Alerting: the automated analysis of correlated events and production of alerts, to notify recipients of immediate issues. Alerting can be to a dashboard, or sent via third party channels such as email.

Dashboards: Tools can take event data and turn it into informational charts to assist in seeing patterns, or identifying activity that is not forming a standard pattern.

Compliance: Applications can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes.

Retention: employing long-term storage of historical data to facilitate correlation of data over time, and to provide the retention necessary for compliance requirements. Long term log data retention is critical in forensic investigations as it is unlikely that discovery of a network breach will be at the time of the breach occurring.

Forensic Analysis: The ability to search across logs on different nodes and time periods based on specific criteria. This mitigates having to aggregate log information in your head or having to search through thousands and thousands of logs.

In general, every vendor’s packaged solution will be good at one particular capability and weak at another. Not every scenario requires a full-scale, full-suite packaged solution. In some scenarios, you may just pick the components you need, or a low-cost alternative event log management (ELM) solution, to fulfil the operational or regulatory requirement. In other scenarios, it may make sense to subscribe to SIEM-as-a-service rather than own it.

Do you need a SIEM solution?

Not every enterprise and organization requires a full-scale solution; the operational and regulatory requirements of your industry and context may provide some guidance on what is really needed and what is a nice-to-have feature.

If you are not sure what you really need and want to discuss it with the solution vendor, please feel free to contact our solution consultants about your requirements.


Typical SIEM Dashboard

Typical Hybrid Approach for SIEM

In the field of IT, Security Information and Event Management (SIEM) solutions are a combination of the formerly disparate product categories of SIM (security information management) and SEM (security event manager). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. SIEM solutions come as software, appliances or managed services, and are also used to log security data and generate reports for compliance purposes.

The acronyms SEM, SIM and SIEM have been used interchangeably, though there are differences in meaning and product capabilities. The segment of security management that deals with real-time monitoring, correlation of events, notifications and console views is commonly known as Security Event Management (SEM). The second area provides long-term storage, analysis and reporting of log data and is known as Security Information Management (SIM). As with many meanings and definitions of capabilities, evolving requirements continually shape derivatives of SIEM product categories. The need for voice-centric visibility, or vSIEM (voice security information and event management), is a recent example of this evolution.

SIEM 3D visualization for complex and advance security analysis

The term Security Information Event Management (SIEM), in general, describes the product capabilities of gathering, analyzing and presenting information from network and security devices; identity and access management applications; vulnerability management and policy compliance tools; operating system, database and application logs; and external threat data. A key focus is to monitor and help manage user and service privileges, directory services and other system configuration changes; as well as providing log auditing and review and incident response.

To be a true SIEM solution, a product needs to meet the following criteria:

  • Data Aggregation: SIEM/LM (log management) solutions aggregate data from many sources, including network, security, servers, databases, applications, providing the ability to consolidate monitored data to help avoid missing crucial events.
  • Correlation: looks for common attributes, and links events together into meaningful bundles. This technology provides the ability to perform a variety of correlation techniques to integrate different sources, in order to turn data into useful information. Correlation is typically a function of the Security Event Management portion of a full SIEM solution.
  • Alerting: the automated analysis of correlated events and production of alerts, to notify recipients of immediate issues. Alerting can be to a dashboard, or sent via third party channels such as email.
  • Dashboards: SIEM/LM tools take event data and turn it into informational charts to assist in seeing patterns, or identifying activity that is not forming a standard pattern.
  • Compliance: SIEM applications can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes.
  • Retention: SIEM/SIM solutions employ long-term storage of historical data to facilitate correlation of data over time, and to provide the retention necessary for compliance requirements. Long term log data retention is critical in forensic investigations as it is unlikely that discovery of a network breach will be at the time of the breach occurring.

Pure SIEM approach, typical SIEM Dashboard

For the enterprise, corporate and government context, as the number of network devices, security devices, servers, critical systems and business-critical applications grows, so does the need for centralised security event log monitoring and archiving, which is always there as a minimum. Some clients will go for a low-cost point solution and end up with a lot of manual work to get the reporting, incident investigation or auditing work done, while others will go for a systematic approach that simplifies their time and allows them to focus on finding the real intrusion and acting on it, as well as allowing users from other departments to get their work done (i.e. typical team work and a multi-user system).

Typical Point Solution for Event Log Management Interface

For the coming technology session, E-SPIN will arrange a series of related solutions for hands-on use and to look into common Security Event Log Management, from setting up automatic collection, storage, archiving, backup, analysis and reporting on Syslog, Windows event logs, or W3C logs generated by web application servers, load balancers, firewalls, proxy servers or content security appliances. Add event log monitoring to secure the network and protect key information.

We will look into how to reduce exposure to security breaches, malware, loss or damage, and protect your organisation against costly financial penalties and legal liabilities.

Specifically, we look into the “how-to” aspects of running a Security Operation Center (SOC):

  • automatically collect, store, archive and back up all log files, with the intent of multi-year data storage and cryptographic hashing
  • monitor Windows event and syslog data in real time to receive alerts and notifications at the first sign of trouble
  • filter, analyse and report on log data to verify the success of internal security policies, and demonstrate regulatory compliance
  • generate compliance-centric reports for IT personnel, security and compliance officers, and even law enforcement agencies
  • spot check and review log files much faster to quickly respond to an emergency incident, and
  • the practical matters that most vendors want to hide from you, and how to go about them: integration and data sharing with a Network Operation Center (NOC) / Security Command Center or other third-party Network Management System (NMS); Intrusion Detection and Prevention System (IDS/IPS/IDP) integration; passive real-time vulnerability detection and active vulnerability scanning; regulatory compliance
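As an added example (not part of the original post and not code from E-SPIN or any vendor product), the following Python sketch shows three of the capabilities defined in the criteria list above and in the SOC how-to list: aggregating raw lines into a common event schema, correlating failed logins that share a source IP across several hosts and alerting when a threshold is reached within a time window, and hash-chaining the archived lines so that later tampering is detectable. The log lines, hostnames and IP addresses are constructed samples.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog-style lines from three hosts (not real data).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01 fw01 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T10:00:05 web01 sshd: Failed password for root from 203.0.113.7",
    "2024-03-01T10:00:09 fw01 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T10:00:12 web01 sshd: Accepted password for deploy from 198.51.100.4",
    "2024-03-01T10:00:20 db01 sshd: Failed password for postgres from 203.0.113.7",
    "2024-03-01T10:30:00 db01 sshd: Failed password for postgres from 203.0.113.7",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (Failed|Accepted) password for (\S+) from (\S+)$")

def parse(line):
    """Aggregation: normalise one raw line into a common event schema."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparsed lines stay in the archive but are not correlated
    ts, host, _proc, outcome, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "outcome": outcome, "user": user, "src": src}

def hash_chain(lines, prev="0" * 64):
    """Retention: chain each raw line to the previous digest, so editing,
    dropping or reordering an archived line changes every later digest."""
    chain = []
    for line in lines:
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        chain.append(prev)
    return chain

def verify_chain(lines, chain, prev="0" * 64):
    """Recompute the chain over the stored lines and compare with the saved one."""
    return hash_chain(lines, prev) == chain

def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """Correlation + alerting: link failed logins that share a source IP across
    any host, and raise an alert when `threshold` of them fall within `window`."""
    events = [e for e in map(parse, lines) if e and e["outcome"] == "Failed"]
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            hits = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            if len(hits) >= threshold:
                alerts.append({"src": src, "count": len(hits),
                               "hosts": sorted({e["host"] for e in hits}),
                               "first": first["ts"].isoformat()})
                break  # one alert per source, not one per extra failure
    return alerts
```

Running `correlate(SAMPLE_LOGS)` yields a single alert for 203.0.113.7 spanning three hosts; the single failure half an hour later falls outside the window and does not raise a second one.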

Please stay tuned to our newsletter for how to register for the series of events. If you have not yet subscribed to the E-SPIN newsletter, now is a good time to subscribe. It is a no-nonsense and truly value-added newsletter with practical information, and it comes with events on the specific themes or areas of focus you may be involved in and participate in.


SIEM

Most organizations face the same inherent challenges when dealing with security information and event management (SIEM): effectively balancing limited IT resources, ever-increasing supplies of log data, dealing with regulatory compliance, and keeping staff training up to date. There are four best practices that organizations should consider to achieve this balance:

  • Prioritize security information and event management appropriately throughout organizations—Organizations can define requirements and goals for performing logging and monitoring logs to include applicable laws, regulations, and existing organization policies. They can then prioritize goals based on balancing risk with the time and resources needed to manage logs.
  • Establish policies and procedures for security information and event management—Policies and procedures are beneficial because they ensure consistent approaches throughout organizations as well as ensure that laws and regulations are observed. Periodic audits can confirm that logging standards and guidelines are followed throughout organizations. Furthermore, testing and validation can properly ensure that log management policies and procedures are followed.
  • Create and maintain robust security information and event management infrastructures—Having secure log management infrastructures aids in preserving the integrity of log data from accidental or intentional modifications or deletions and in maintaining confidentiality. It is also critical for creating scalable infrastructures for handling expected volumes of log data as well as peak volumes during extreme situations (e.g. widespread malware incidents).
  • Provide proper training for all staff with security information and event management responsibilities—While defining log management schemas, organizations must provide requisite training to relevant staffers regarding their log management responsibilities as well as skilled instruction on the resources necessary to support log management. This includes providing log management tools, tool documentation, technical guidance on log management, and disseminating information to log management staffers.


SIEM SOC

Next-generation SIEM and log management:

One area where the tools can provide the most needed help is in compliance. Corporations increasingly face the challenge of staying accountable to customers, employees and shareholders, and that means protecting IT infrastructure, customer and corporate data, and complying with rules and regulations as defined by the government and industry. Log management and SIEM correlation technologies can work together to provide more comprehensive views to help companies satisfy their regulatory compliance requirements, make their IT and business processes more efficient and reduce management and technology costs in the process.
IT organizations also will expect log management and intelligence technologies to provide more value to business activity monitoring and business intelligence. Though SIEM will continue to capture security-related data, its correlation engine can be re-appropriated to correlate business processes and monitor internal events related to performance, uptime, capability utilization and service-level management. The combined solutions provide deeper insight into not just IT operations but also business processes. In short, by integrating SIEM and log management, it is easy to see how companies can save by eliminating duplicated efforts and functionality. The functions of collecting, archiving, indexing and correlating log data can be collapsed. That will also lead to savings in the resources required and in the maintenance of the tools.


SIEM

Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization’s information technology (IT) security.

The underlying principle of a SIEM system is that relevant data about an enterprise’s security is produced in multiple locations and being able to look at all the data from a single point of view makes it easier to spot trends and see patterns that are out of the ordinary.

At the most basic level, a SIEM system can be rules-based or employ a statistical correlation engine to establish relationships between event log entries. In some systems, pre-processing may happen at edge collectors, with only certain events being passed through to a centralized management node. In this way, the volume of information being communicated and stored can be reduced.

SIEM systems collect logs and other security-related documentation for analysis. Most SIEM systems work by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment — and even specialized security equipment like firewalls, antivirus or intrusion prevention systems.

In order to provide the most complete security view, SIEMs generally require data from different types of devices and platforms such as switches, firewalls, routers, servers (Windows, Unix, Linux, etc.) and applications (databases, CRMs, SAP, Exchange, etc.). To allow the system to identify anomalous events, it’s important that the SIEM administrator first creates a profile of the system under normal event conditions.

SIEM systems are typically expensive to deploy and complex to operate and manage. While Payment Card Industry Data Security Standard (PCI DSS) compliance has traditionally driven SIEM adoption in large enterprises, concerns over advanced persistent threats (APTs) have led smaller organizations to look at the benefits a SIEM managed security service provider (MSSP) can offer.


ImmuneSecurity (now called Logpoint) proudly presents LogInspect™ version 5.1.1. This version contains numerous enhancements as well as some bug fixes.

The highlights for this release are:

  • Introduction of LI Lite for distributed collection of logs from remote locations.
  • Higher availability of logs from the main LogInspect can be made by creating a copy of a repo in the remote LogInspect.
  • Introduction of tenants for effective object management between various organizational units.

Enhancements

A selection of the major enhancements of LogInspect™ v5.1.1 is listed below in detail.

Devices and Collection

  • Logs can be forwarded into the system from different platforms using the Distributed Collector. This support is available for LI Lite at the moment.
  • IPv6 support is extended to the following collectors and fetchers: SNMP fetcher, sflow collector, FileInspect collector, SNMP trap collector and the netflow collector.
  • CIDR IP addresses are supported for all of the collectors.
  • Log parser’s pattern can be validated by checking against the example message.
  • SNMP fetcher works for leaf OIDs.

Search and Queries

  • Fields in search query can now be renamed.
  • Grouping constructs support “order by” syntax.
  • Inline lists now support whitespace enclosed in quotes.
  • Cmd + click (Ctrl + click) opens and displays the search result on a new tab.

Dashboard and User Interface

  • The Growl position setting can now be managed from the preferences page.
  • Dashboard tabs are now moveable.

User Management

  • LDAP authentication supports three different login formats: “Sam Account Name”, “UID” and “DN”. This can be configured from “Advance LDAP Settings”.
  • SSL implemented for Directory Access Protocol (LDAP Strategy).
  • Username is now made non editable.

Correlation and Alert

  • Ownership of rules can be transferred to other users.

System and Performance

  • Critical security updates for the system can be applied by uploading the tested security patch and installing them.

Backup and Storage

  • Backup scheduling is made optional.
  • For backups, it is now possible to apply a retention policy.

FileInspect

  • Windows events can now be collected by using the “Windows Event Log Reader” checkmark when configuring the FileInspect client.

Reporting

  • Queries in report templates are now editable.

Bug Fixes

A selection of the major bug fixes of LogInspect™ v5.1.1 is listed below.

  • Netflow v9 now contains all available fields.
  • HTTPS certificates can now be applied without rebooting the server.
  • Problem with configuration backup has been fixed.
  • Vendor dashboard can now be used through the “use action”.
