Transcript Slide 1
Improving Efficiencies Through the Convergence of Log Management and Security Event Management
Todd Cernetic – Regional Sales Manager, Southwest U.S. & Hawaii
J.F. Roy – Senior System Engineer
Unleash Log Power. Comply, Protect, and Save. A New Approach…
October 2009

Visibility and Control: Log and Security Management
You Cannot Control What You Cannot See
Visibility → Understanding → Control

What's in a Log?
• Failed Logon
• Security Breach
• File Up/Download
• User and System Activity
• Privileges Assigned/Changed
• Runaway Application
• Credit Card Data Access
• Customer Transaction
• Information Leak
• Email BCC

A New Architecture is Needed
Log Management Applications (Identity, IT & Network Management, Operations, Governance, Security & Compliance) sit on top of the Log Data Warehouse and talk to it through an Open API.
• Compliance, operations, and security while reducing labor and audit costs
• Ease of management and ease of integration through open web services APIs
Log Data Warehouse (fed by Network, Applications, Servers, Databases)
• Replace homegrown solutions and log silos with a central warehouse
• Immutable, centralized retention enhances forensic value

From Operations, to SOX, PCI, HIPAA and More…
• Regulation: SOX, GLBA, J-SOX, FISMA, JPA, PCI, HIPAA
• Industry Mandate: requirement for security operations and controls validation (ISO, NIST, CoBit, ITIL)
• Information Asset Protection
• Foundation of IT Operations and Business Process Management: SLA validation, troubleshooting, investigations, forensics
All of these are served from the Log Data Warehouse.

Comprehensive Analysis = Indexing + Parsing
Compliance content (PCI, SOX, ITIL, HIPAA, FISMA) is built on the Log Warehouse.
Indexed Log Data
• Google-like search
• Universal for 100% of logs
• Unstructured results
Parsed Log Data
• Saves time and effort
• Uniform data presentation
• Known logs only

Visibility: Central Activity. Log Data Warehouse.
LogLogic Log Base collects from Network, Server, Application and Database sources.

LogLogic Log Analysis: Deep Parsing. Ad-Hoc Analysis.
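The indexing-plus-parsing split from the "Comprehensive Analysis" slide above, as an added example that is not LogLogic's code: a full-text inverted index answers a Google-like search over every line, while only the lines a parser recognizes can feed a uniform failed-logins-by-user report. The log lines, the sshd/Windows regexes and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: two known formats (sshd, Windows 4625) plus one appliance line in a format no parser knows.
SAMPLE_LOGS = [
    "Oct 12 08:01:17 srv01 sshd[4122]: Failed password for alice from 10.0.0.5 port 51022 ssh2",
    "Oct 12 08:01:19 srv01 sshd[4122]: Failed password for alice from 10.0.0.5 port 51023 ssh2",
    "Oct 12 08:02:02 srv01 sshd[4130]: Accepted password for bob from 10.0.0.7 port 51100 ssh2",
    "2009-10-12T08:03:44 WIN-DC01 EventID=4625 TargetUserName=alice Status=0xC000006D",
    "<134>appliance-x: status=FAILED module=auth detail=login alice rejected",
]

SSHD_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
WIN_RE = re.compile(r"EventID=(\d+) TargetUserName=(\S+)")

def parse_line(line):
    """Uniform record for known formats; None for anything else (known logs only)."""
    m = SSHD_RE.search(line)
    if m:
        return {"user": m.group(2), "src": m.group(3),
                "outcome": "fail" if m.group(1) == "Failed" else "success"}
    m = WIN_RE.search(line)
    if m:  # 4625 is a failed logon; any other event id is treated as success here
        return {"user": m.group(2), "src": None,
                "outcome": "fail" if m.group(1) == "4625" else "success"}
    return None

def build_index(lines):
    """Inverted index token -> line numbers; covers 100% of lines, but carries no structure."""
    index = defaultdict(set)
    for i, line in enumerate(lines):
        for tok in re.findall(r"[a-z0-9.]+", line.lower()):
            index[tok].add(i)
    return index

def search(index, *terms):
    """Google-like AND search over the index; returns matching line numbers only."""
    return sorted(set.intersection(*[index.get(t.lower(), set()) for t in terms]))

def failed_logins_by_user(lines):
    """Structured report possible only on parsed lines: (counts, unparsed_count)."""
    counts, unparsed = defaultdict(int), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        elif rec["outcome"] == "fail":
            counts[rec["user"]] += 1
    return dict(counts), unparsed
```

The text search for "alice failed" misses the Windows 4625 line because the word "failed" never appears in it, while the parsed report counts it; the appliance line is found by search but is invisible to the report.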
LogLogic Log Base: #1 Log Management. Scalable Collection, Archival, Trending, Search.
(Gartner 2009 Magic Quadrant Critical Capabilities)

More than 500 Alerts and Reports
Category / Examples
• Identity and Access Management: accounts added/deleted/modified; groups added/deleted/modified; privilege escalations; login successes/failures
• User Activity Monitoring: e-mails sent/received; web surfing activities; files/programs accessed; database query execution; log report reviews; log file rotations/removal
• Change and Configuration Management: configuration changes; policy changes; permission changes; database schema changes; routing table changes; software updates/patches
• Security and Threat Management: accepted connections; denied connections; VPN connections; IDS alerts
• Continuity and Availability Management: failover events; system/service restarts/resets; web cache statistics; backup success/failure; configuration/policy synchronization; e-mails bounced/delayed; web page errors; restore success/failure
• Capacity and Performance: disk utilization; CPU utilization

Open Log Architecture (OLA)
15+ partner and customer applications and custom device analysis connect to the LogLogic Log Base through the Web Services API. Across Network, Server, Application and Database sources:
• Visibility: Compliance Reporting; Security Correlation
• Understanding: Fraud Detection; Database Monitoring; Forensic Analysis; Trouble Shooting; Policy Enforcement; Incident Response
• Control: Database Configuration Management; Intrusion Prevention; Network Access Control; User Provisioning

LogLogic Security Event Manager: Threat Detection. Fraud Detection. Incident Response.

LogLogic Security Change Manager: Security Policy Configuration. Incident Response Plans.

LogLogic Compliance Manager: #1 Compliance: Reports, Dashboards, Workflow.
(Gartner 2009 Magic Quadrant Critical Capabilities)

Example Reports: PCI Compliance Suite
PCI Requirement / Sample Reports and Alerts
• 8.5.1—Control User ID Management: Account Activities on Servers; Permissions Modified on Windows Servers; Accounts Created/Deleted
• 8.5.5—Do Not Use Shared Accounts: Root/Administrator Logins
• 8.5.9—Change User Access at Least Every 90 Days: Password Changes on Windows Servers; Password Changes on Microsoft SQL Server
• 8.5.13—Account Lockouts: Windows Accounts Locked
• 8.5.16—Authenticate Database: Oracle Database Logins; DB2 Database Logins
• 10.2.3—Log Access to Audit Trails: Escalated Privilege Activities on Servers; Failed Logins; Files Accessed on Servers; Periodic Review of Log Reports
• 11.4—Use IDS/IPS: Applications Under Attack; Attack Origins
• 11.5—Use File Integrity Monitoring: Tripwire Modifications, Additions, Deletions

LogLogic Database Security Manager: Database Monitoring. Real-Time Blocking. Virtual Patches.

Example Report: HIPAA Compliance Suite
HIPAA Requirement / Sample Reports and Alerts
• 164.308(a)(3)(ii)(C)—Termination Procedure: Accounts Deleted on Servers; Logins Succeeded, Failed Logins; Account Activities on Servers
• 164.308(a)(4)(ii)(B)—Access Authorization: Permissions Modified on Windows Servers; Policies Modified on Servers
• 164.308(a)(5)(ii)(C)—Log-in Monitoring; 164.308(a)(5)(ii)(D)—Password Management: Logins Succeeded, Failed Logins; Passwords Changed on Servers
• 164.308(a)(6)(ii)—Response and Reporting: Firewall Connections Denied; Log Sources Status
• 164.308(a)(7)(ii)(A)/(B)—Data Backup/Disaster Recovery Plan: Backup Errors on NetApp Filers
• 164.312(a)(2)(i)—Unique User Identification: Administrative Login; Logins Succeeded, Failed Logins
• 164.312(b)—Audit Controls: Log Sources Status; Periodic Review of Log Reports; Windows Audit Logs Cleared

Example Report: COBIT/SOX Compliance Suite
COBIT Control Objective / Sample Reports and Alerts
• PO7.8—Job Change and Termination: Accounts Deleted/Added on Windows Servers; Account Activities on Servers; Permissions Modified on Windows Servers; Successful Logins
• AI6.1—Change Standards and Procedures: Windows Servers Restart; System Restarted; Database Configuration Changes; Cisco PIX Failover Performed
• DS5.3—Identity Management; DS5.4—User Account Management: Account Activities on UNIX Servers; Periodic Review of User Access Logs; Failed Logins; Password Changes on Windows Servers
• DS5.10—Network Security: Application Under Attack; Hosts Denied Access by Port (Firewall); Firewall Traffic Considered Risky
• DS11.5—Backup and Restoration: Backup Errors on NetApp Filers

Example Report: ISO Compliance Suite
ISO Requirement / Sample Reports and Alerts
• 8.3.3—Removal of Access Rights (Identity Management): Accounts Deleted on Servers; Logins Succeeded, Failed Logins
• 10.1.2—Change Management: System Restarted; Database Configuration Changes; Cisco PIX Policy Changed
• 10.4.1—Controls Against Malicious Code: Firewall Connections Denied; IDS Attacks Detected
• 10.10.1—Audit Logging: Log Source Status; Windows Audit Logs Cleared
• 10.10.2—Monitoring System Use: Escalated Privileged Activities; Logins Succeeded, Failed Logins; Files Accessed on Servers; VPN User Accessing Corporate Network; Windows Permissions Modified; Periodic Review of Log Reports
• 10.10.4—Administrative and Operator Logs: Administrator Activities on Servers; Escalated Privileged Activities; Administrative Login

Example Report: FISMA Compliance Suite
FISMA Requirement / Sample Reports and Alerts
• AC-2—Account Management: Accounts Created/Deleted on Servers; Logins Succeeded, Failed Logins
• AC-3—Access Enforcement: Firewall Policy Changes; Logins Succeeded, Failed Logins
• AC-6—Least Privilege: Files Accessed on Servers; Escalated Privileged Activities
• AC-7—Unsuccessful Login Attempts; IA-2—User Identification: Logins Succeeded, Failed Logins; Administrative Logins
• AC-13—Supervision and Review/Access Control: Accounts Created/Deleted on Servers; Windows Permissions Modified
• AC-17—Remote Access: VPN User Accessing Corporate Network
• AU-2/3—Auditable Events/Content of Audit Records: Log Sources Status; Windows Audit Logs Cleared
• AU-5/6/7—Audit Monitoring and Reporting: Periodic Review of Log Reports; Files Accessed on Servers
• CM-3/4—Configuration Change Control/Monitoring Configuration Changes: Firewall Policy Changes; Windows Policy Modified
• SC-7—Boundary Protection: Firewall Traffic Considered Risky

Example Report: ITIL/ITSM Compliance Suite
ITIL/ITSM Requirement / Sample Reports and Alerts
• Service Level Management: Cisco PIX Failover Errors; Cisco Switch Interface Down
• IT Service Continuity Management: Windows AD Backup Error; NetApp Filer Backup Errors
• Availability Management: Email Domains Experiencing Delay; Server Restarted
• Incident Management; Problem Management: Windows AD Exception Errors; Cisco Router and Switch Restarts; Cisco PIX Restarted
• Configuration Management & Change Management: Windows New Services Installed; Windows Software Update Activities; Cisco PIX Policy Changed
• Identity & Access Management (Review of User Activity): Periodic Review of Log Reports; Files Accessed on Servers; Accounts Added on Windows Servers; Permissions Modified on Windows Servers; Successful Logins, Failed Logins

Example Report: NERC CIP Compliance
CIP Requirement / Sample Reports and Alerts
• CIP003 R6: Change and configuration management: Database configuration change; System restarted
• CIP005 R3: Monitoring electronic access (logging access to access points): Users accessing corporate VPN; Failed logins; Collection of all log data; Periodic log review
• CIP007 R2: Ports and services; CIP007 R4: Malicious software: Suspicious firewall activity; Applications under attack
• CIP007 R5: Identity/account management: Permissions modified on Windows servers; Accounts created, accounts deleted; Windows permissions modified
• CIP007 R6: Security status monitoring (reports and alerts): Escalated privilege activities on servers; Suspicious firewall activity; Files accessed on servers; Application denied access; Periodic review of log reports

Less Than 6 Months Payback
One Vendor = Low TCO (LogLogic versus a traditional SIEM)

As Much or Little as You Need
• Log Management + Security Event Management (Visibility → Control): log management records login activity; security event management flags suspicious activity
• Security Event Management + Configuration Management (Visibility → Control): security event management flags incidents; security change management adjusts policies
• Database Monitoring + Database Security (Visibility → Control): unauthorized access to a database; real-time session termination
• Database Monitoring + Security Event Management (Visibility → Control): database security management finds threats; analyze them in the context of other user activities

About LogLogic
• 1,000+ customers
• Award-winning products
• 200+ partners
• Gartner Magic Quadrant leader
• Global reach (headquarters and offices)
• Acquired Exaprotect in 2009
Awards: Five-Star Review; 2006 and 2007 Industry Innovators; Magic Quadrant Leader

What Gartner is Saying About Us
Gartner Magic Quadrant Leader, Security Information Event Management 2009
Gartner Critical Capabilities Assessment:
• #1 Compliance (4.1 out of 5.0)
• #1 Log Management (5.0 out of 5.0)
• #1 Ease of Deployment (4.5 out of 5.0)

Mahalo
[email protected]
310-308-4666