Transcription
Navigating the Log Jam
Log Management, SIEMs, and Your Organization
Cory Cavanagh

Who I am
- UMFK 2012
- SAM Conference
- Dartmouth College
- Fidelity Investments
- Financial industry, 3 years

What I do
- Information Security Coordinator at Bangor Savings Bank
- SIEM, DLP, Vulnerability Management, Auditing systems
- Create, tune, review activity/auditing reports

Why log management? Various Requirements
- HIPAA
- FFIEC Guidance
- PCI
- Sarbanes-Oxley
- GLBA
- FISMA
Why log management?
- Detect Intrusions

Why log management?
- Monitor Activity

Planning your deployment
- Determine your log sources
Planning your deployment
- Consider your volume and storage requirements
- Log retention requirements
- Hardware and network requirements
- Encryption

Planning your deployment: Reporting
- Activity Reports – “Operational” reports such as application logs
- Audit Reports – changes to configurations or settings
Planning your deployment
- Alerts

Planning your deployment: Staff Requirements
- Setup and Configuration
- Tuning and Report Setup
- Report Review and Investigations
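The planning steps above come together in the following added example, written for this page; it is not code from the talk or from any of the products discussed later. It parses a handful of constructed syslog lines from two log sources (sshd and sudo; hostnames and addresses are made up, using documentation IP ranges), splits them into the activity and audit report buckets the Reporting slide describes, raises a brute-force alert when one source address produces five failed SSH logins inside a minute, and turns a measured average event size plus an assumed event rate, retention period and compression ratio into a storage estimate. The year on the syslog timestamps, the alert threshold and window, and the sizing figures are assumptions, not values from the talk.

```python
"""Toy log-management pipeline: parse -> classify into reports -> alert -> size storage.
Added example for this page, not code from the talk or any SIEM vendor.
All log lines, hosts, addresses and sizing figures below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events from two log sources: sshd (activity) and sudo (audit).
SAMPLE_LOGS = """\
Mar  3 10:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 10:00:04 web01 sshd[2203]: Failed password for root from 203.0.113.9 port 51030 ssh2
Mar  3 10:00:06 web01 sshd[2205]: Failed password for root from 203.0.113.9 port 51041 ssh2
Mar  3 10:00:09 web01 sshd[2207]: Failed password for root from 203.0.113.9 port 51052 ssh2
Mar  3 10:00:12 web01 sshd[2209]: Failed password for root from 203.0.113.9 port 51063 ssh2
Mar  3 10:00:30 web01 sshd[2211]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2
Mar  3 10:05:00 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
Mar  3 10:06:10 db01 sshd[880]: Failed password for postgres from 192.0.2.44 port 3020 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
ASSUMED_YEAR = 2015  # classic syslog timestamps carry no year; assumption for this example


def parse(text):
    """Turn raw syslog text into event dicts; lines that do not match the format are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime(ASSUMED_YEAR, MONTHS[m["mon"]], int(m["day"]), *map(int, m["time"].split(":")))
        events.append({"ts": ts, "host": m["host"], "prog": m["prog"],
                       "msg": m["msg"].strip(), "bytes": len(line.encode())})
    return events


def classify(event):
    """Audit report: privileged commands and configuration changes (sudo). Activity report: everything else."""
    return "audit" if event["prog"] == "sudo" else "activity"


def build_reports(events):
    reports = defaultdict(list)
    for e in events:
        reports[classify(e)].append(e)
    return reports


def brute_force_alerts(events, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source IP when >= threshold failed SSH logins land inside a sliding window."""
    recent = defaultdict(deque)  # source IP -> timestamps of failures still inside the window
    alerted, alerts = set(), []
    for e in sorted(events, key=lambda x: x["ts"]):
        m = FAILED_RE.search(e["msg"]) if e["prog"] == "sshd" else None
        if not m:
            continue
        src = m["src"]
        q = recent[src]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "host": e["host"], "count": len(q), "first": q[0], "last": e["ts"]})
    return alerts


def avg_event_bytes(events):
    """Measure average event size from real samples instead of guessing it for sizing."""
    return sum(e["bytes"] for e in events) / max(len(events), 1)


def storage_bytes(events_per_second, avg_bytes, retention_days, compression_ratio=1.0, headroom=1.25):
    """Raw retention volume: EPS x bytes/event x seconds/day x days, with growth headroom,
    divided by the compression ratio the store actually achieves (assumed figures)."""
    return events_per_second * avg_bytes * 86400 * retention_days * headroom / compression_ratio


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    reps = build_reports(evs)
    print(f"{len(reps['activity'])} activity events, {len(reps['audit'])} audit events")
    for a in brute_force_alerts(evs):
        print(f"ALERT brute force: {a['count']} failures from {a['src']} on {a['host']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    print(f"average event size in sample: {avg_event_bytes(evs):.0f} bytes")
    print(f"90-day retention at 500 EPS, 5:1 compression: "
          f"{storage_bytes(500, avg_event_bytes(evs), 90, 5.0) / 1e9:.0f} GB")
```

The window-expiry loop is what keeps the alert from firing on five failures spread across a day, which is the kind of tuning the "Tuning and Report Setup" staff task covers; lower the threshold or widen the window and the same sample produces more noise, raise them and the sample goes quiet.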
The Tools (Thanks Gartner)

McAfee Enterprise Security Manager
- Physical, virtual, software appliance (AWS support)
- Extensive third party device support
- Support for monitoring industrial control system (ICS) and supervisory control and data acquisition (SCADA) systems
- Advanced SIEM features and capabilities require further investment in Intel products
- Stability/performance issues

AlienVault Unified Security Management
- Physical appliance, software, virtual appliance (AWS support)
- Incorporates SIEM, file integrity monitoring, vulnerability assessment, asset discovery, and host/network IDSs
- Affordable
- Simplified licensing model based on utilized appliances
- Open-source software, not necessarily best of breed

IBM QRadar
- Physical appliance, virtual appliance, SaaS/IaaS
- Integrated view of log/event data, network flow/packets, vulnerability and asset data, and threat intel
- Easy to deploy and maintain
- Provides behavior analysis for NetFlow and log events
- Expensive
- Some of the product’s workflow capabilities are limited in comparison to other SIEMs

SolarWinds Log & Event Manager
- Virtual appliance
- Easy to deploy
- Well suited for current SolarWinds shops
- Has “Active Responses” which can perform actions such as disabling an endpoint’s network connection or disabling an unauthorized USB device
- No integration with user behavior analysis tools
- Customers requiring extensive user, application, or web monitoring must acquire other SolarWinds products
- Flow data is not available for real-time correlation in LEM

Splunk
- Software, public/private cloud
- Highly recommended analytical capabilities built in
- Built-in support for a large number of threat intel feeds (commercial and open)
- Expensive when dealing with large log stores
- Limited built-in correlation rules
- Workflow functions lag behind competition

RSA Security Analytics
- Physical or virtual appliance
- Combines analytics, event monitoring, investigation, threat intelligence, network packets, NetFlow, endpoint and log data
- Modular deployment
- The out-of-box interface is basic
- Basic incident management capabilities without also purchasing additional RSA products

HP ArcSight
- Software, physical appliance
- Complete SIEM including full incident investigation and management workflow
- Provides true user behavior analytics
- Large selection of 3rd party connectors/integrations
- Fat client is outdated and slow
- Deployment may require extensive HP professional services
- Complex
Further References
- NIST SP 800-92, Guide to Computer Security Log Management
- FFIEC IT Examination Handbook, Information Security Booklet, Security Monitoring section
- Gartner, 2015 Magic Quadrant for Security Information and Event Management
- David Swift, “Successful SIEM and Log Management Strategies for Audit and Compliance”, SANS InfoSec Reading Room
Q&A