Published on February 19, 2014
HOW TO LEVERAGE LOG DATA FOR EFFECTIVE THREAT DETECTION Tom D’Aquino – Sr. Security Engineer
AGENDA The Challenge • Getting adequate security visibility for your small or medium business The Widely Pursued Solution • The traditional approach to Log Management/SIEM • The cost/benefit analysis An Alternative Approach • Who, What and Why is the key The Wrap Up • Unified Security Management • AlienVault’s Threat Intelligence Labs Questions & Answers as time permits
HUMANS MEET TECHNOLOGY
HUMANS MEET TECHNOLOGY Something is down? YouTube is up though.
THE WIDELY PURSUED SOLUTION The traditional approach to Log Management/SIEM: • Collect Everything • Analyze everything • Correlate everything • Store everything
BUT AT WHAT HARDWARE COST? How much storage, CPU and RAM will you need to collect, correlate and store all of this data? • High-performance storage is not cheap How effective is the automated analysis, i.e. correlation really going to be? • • Correlation is CPU and memory intensive This is a case of garbage in, garbage out
AND AT WHAT HUMAN RESOURCE COST? How effective is your team really going to be? • Can one person realistically review 10,000 alerts in a day
IS THERE A BETTER WAY? What if we took a more strategic approach by identifying the problem more effectively? Why do you need the logs? • Do you have an intended result in mind? Why
IS THERE A BETTER WAY? What if we took a more strategic approach by identifying the problem more effectively? Why do you need the logs? • Do you have an intended result in mind? What logs will you need to get that result? • i.e., will authentication logs suffice? Why What
IS THERE A BETTER WAY? What if we took a more strategic approach by identifying the problem more effectively? Why do you need the logs? • Do you have an intended result in mind? What logs will you need to get that result? • i.e., will authentication logs suffice? Who will the logs you collect pertain to? • Is there a specific user group/community you should be focused on? Why What Who
LET’S LOOK AT SOME EXAMPLES Why do you need Firewall logs? • I need to see what is getting in to my network What logs will you need to get that result? • Firewall permit logs Who will the logs you collect pertain to? • I’m most significantly concerned with blacklisted IPs/domains
EXAMPLE ILLUSTRATED You are probably only seeing these: When you should be looking for this:
EXAMPLES CONTINUED Why do you need OS logs? • I need to detect unauthorized access attempts and account lockouts What logs will you need to get that result? • OS authentication failure and account lockout logs Who will the logs you collect pertain to? • I’m most significantly concerned with admin level accounts
EXAMPLE ILLUSTRATED Multiple events to indicate a single login:
ONE MORE EXAMPLE Why do you need Switch/Router logs? • I need to see when someone logs in to my network gear and makes config changes What logs will you need to get that result? • Authentication and authorization logs from my TACACS server would do the job Who will the logs you collect pertain to? • Anyone connecting to my network gear
EXAMPLE ILLUSTRATED You may have to process thousands of these: Just to get one or two of these:
UNIFIED SECURITY MANAGEMENT “VISIBILITY THROUGH INTEGRATION THAT WE DO, NOT YOU” Asset Discovery Threat Detection Behavioral Monitoring • • • • • • • • • Log Collection • Netflow Analysis • Service Availability Monitoring Active Network Scanning Passive Network Scanning Asset Inventory Host-based Software Inventory Network IDS Host IDS Wireless IDS File Integrity Monitoring Security Intelligence Vulnerability Assessment • Network Vulnerability Testing • SIEM Correlation • Incident Response
AlienVault Labs Threat Intelligence: Coordinated Analysis, actionable Guidance • Updates every 30 minutes • 200-350,000 IP validated daily • 8,000 Collection points • 140 Countries
ALIENVAULT LABS THREAT INTELLIGENCE: COORDINATED ANALYSIS, ACTIONABLE GUIDANCE Weekly updates that cover all your coordinated rule sets: Network-based IDS signatures Host-based IDS signatures Asset discovery and inventory database updates Vulnerability database updates Event correlation rules Report modules and templates Incident response templates / “how to” guidance for each alarm Plug-ins to accommodate new data sources Fueled by the collective power of the AlienVault’s Open Threat Exchange (OTX)
NOW FOR SOME Q&A… Three Ways to Test Drive AlienVault Download a Free 30-Day Trial http://www.alienvault.com/free-trial Try our Interactive Demo Site http://www.alienvault.com/live-demo-site Join us for a LIVE Demo! http://www.alienvault.com/marketing/alienvault-usmlive-demo Questions? firstname.lastname@example.org
Event logs provide valuable information to troubleshoot operational errors, and investigate potential security exposures. They are literally the bread ...
Learn practical strategies for defining what you actually need to collect (and why) to help you improve threat detection and incident response.
Information Technology . Application Development; Application Management; Big Data and Data Management; Business Continuity / Disaster Recovery; Business ...
... without having a person who can dig into your log data to find ... with more effective ways to protect their ... to cyber threat detection.
Searching Log Data for Network Security Intelligence. ... Your Log Data. ... tool that makes your Log Search simpler and more effective.Tagging tool ...
RSA Leverages Big Data to Detect ... security operations to optimize threat detection and ... security detection through more effective ...
AlienVault Unified Security Management™: Better Threat ... event data from across your network. Log ... approach to threat detection and ...
Gartner explains how to leverage effective ... threat, and risk data together to ... quickly retrieve data and analysis. McAfee Enterprise Log ...
... proactive detection of unknown threats can be further extended ... the malware logs in to a Gmail ... Detecting APT Activity with Network Traffic ...
Our Threat Prevention subscription protects the ... We leverage global threat intelligence through ... analyzes threat data amassed by our global ...