1. Building Highly Available Log Management and SIEM Solutions
Sesh Ramasharma, CISSP
Principal – Identity, Access & Security Management
Novell, Inc
2. Agenda
• Logical view of Log Management and SIEM
• Key Tenets of Security - CIA
• Availability Defined
• Know the moving parts of the solution
• Key considerations
• Tools in the Repertoire
• Summary
2 © Novell, Inc. All rights reserved.
3. Log Management and SIEM
• Log Management is sometimes referred to as
Security Information Management or “SIM”
• Security Event Management or “SEM” is focused
on real-time monitoring, alerting, incident response
• SEM: Event correlation, Robust alert, Incident response, Dashboards, Data enrichment, Filtering
• Log Management: Data collection, Ad-hoc query, E-mail alerts, Reports, Data retention, Raw log forwarding, Compression, Forensics, Data integrity, Unknown log support
4. CIA Tenets of Security
• The CIA tenets of security apply to SIEM / Log Management systems as well
– Confidentiality: Classification of data, and ensuring data is visible only to constituencies that are authorized
– Integrity: Data cannot be tampered with; non-repudiation
– Availability: Available when and where needed
5. Risk-based Definition of High Availability
• The definition of “High Availability” is subjective
– Usually defined by the number of 9’s
• It should be driven by, and be commensurate with, business risk
• The primary reason it needs to be evaluated subjectively is that it comes with a cost!
6. Functional Sensitivity to Availability
• Break down availability by functionality
• Some functions need higher availability than others
• SEM: Event correlation, Robust alert, Incident response, Dashboards, Data enrichment, Filtering
• Log Management: Data collection, Ad-hoc query, E-mail alerts, Reports, Data retention, Raw log forwarding, Compression, Forensics, Data integrity, Unknown log support
7. Logical View – SIEM
Burton Reference Model (diagram placeholder), bottom to top:
– INPUTS: agent logging from Identity Management (Access Control, Directories, Provisioning), System Management (Host and DB Configuration, Patch Management, Vulnerability Management), Perimeter Controls (Routers, Firewalls, Content Scanners) and Intrusion Detection / Response (Network IDS, Network IPS, Other Sensors)
– COLLECTION / AGGREGATION / CORRELATION: Distributed Collectors feeding a Central / Master Collector, with the raw log retained
– REAL-TIME ANALYSIS / RESPONSE: Policies / Compliance Rules and Signatures / Attack Patterns, with RESPONSE flowing back to the inputs
– OPERATIONS INTEGRATION / VISUALIZATION / ADMINISTRATION: Security alerts, Reports, Visualization; Network / Security Operations and Help Desk Ticketing
Source: Burton Group – Diana Kelley
8. Novell Sentinel SIEM
Architecture diagram (placeholder): event sources feed Collectors; Collector Managers publish the collected events over channels (through a proxy) to subscribers: Correlation, iTRAC, Sentinel Control Center, Reports and the Repository. Labels on the collection tier: Parse-normalize, Taxonomy, Business relevance, Exploit detection. Event sources shown, by group:
– Security Perimeter: VPN, Firewall, Host IDS, Antivirus, Network IDS
– Referential IT Sources: Asset Mgmt, Patch Mgmt, Identity Mgmt, Vulnerability Mgmt
– Operating Systems: Workstations, Laptops, Server, Domain Controller, Mainframe
– Application Events: Business Apps, RDBMS, Custom Events
– External Event Sources
9. Novell Sentinel RD
11. SIEM/Log Management Layers
Layer diagram (placeholder): two stacks, each built from Application, Operating System, Storage and Network layers. On the Event Source side the top layer is the Agent; on the SIEM / Log Management System side the top layer is the SIEM / Log Mgmt. software.
12. SIEM/Log Management Layers – Novell Sentinel Suite Perspective
Layer diagram (placeholder): the same two stacks as slide 11 (Event Source with the Agent on top; SIEM / Log Management System with the SIEM / Log Mgmt. software on top), with a third stack between them for the Collector and Collector Manager, which has its own Application, Operating System, Storage and Network layers.
13. Know the Moving Parts – A Vertical Slice – Flavor 1
Mapping of the Burton Reference layers to Novell Sentinel components (diagram placeholder):
– Security alerts → Security Alerts
– Reports / Visualization → Workflow Remediation, Visualization, Reports
– Log Database → Log Database
– Central / Master Collector → Message Bus, Central / Master Collector
– Distributed Collector → Distributed Collector
– Event Source → Event Source
– Agent Logging → Logging
14. Know the Moving Parts – A Vertical Slice – Flavor 2
Mapping of the Burton Reference layers to Novell Sentinel components (diagram placeholder):
– Security alerts → Security Alerts
– Reports / Visualization → Workflow Remediation, Visualization, Reports, Control Center
– Log Database → Log Database
– Central / Master Collector → Message Bus, Central / Master Collector, with the raw log going to Sentinel Log Manager
– Distributed Collector → Distributed Collector
– Event Source → Event Source
– Agent Logging → Logging
15. Degrees of Availability
Chart (placeholder): COST on the vertical axis against Availability on the horizontal axis (ticks at 0%, 95%, 98%, 99.5%, 99.9%). COLD BACKUP sits at the low-cost / low-availability end, WARM STANDBY in the middle, and HOT BACKUP at the high-cost / high-availability end.
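As an added worked example (not part of the deck), the following Python turns the deck's point that HA should be commensurate with business risk into a calculation: the downtime each availability level on the chart permits per year, its "number of 9's", and which tier (cold / warm / hot) minimises HA spend plus expected outage loss. The annual tier costs and the hourly cost of running without the SIEM are constructed placeholders, not Novell figures.

```python
import math

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600

# Availability levels taken from the deck's chart (95% / 98% / 99.9%).
# The annual cost figures are constructed placeholders for illustration only.
TIERS = {
    "cold backup":  {"availability": 0.95,  "annual_cost": 20_000},
    "warm standby": {"availability": 0.98,  "annual_cost": 60_000},
    "hot backup":   {"availability": 0.999, "annual_cost": 150_000},
}


def allowed_downtime_minutes(availability: float) -> float:
    """Minutes per year the system may be down while still meeting the availability target."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def nines(availability: float) -> float:
    """'Number of 9s' on a log scale of unavailability: 0.999 -> 3.0, 0.95 -> ~1.3."""
    return -math.log10(1.0 - availability)


def expected_annual_loss(availability: float, cost_per_hour_down: float) -> float:
    """Business exposure: expected downtime hours times the cost of an hour without the SIEM."""
    return allowed_downtime_minutes(availability) / 60.0 * cost_per_hour_down


def total_annual_cost(tier: str, cost_per_hour_down: float, tiers=TIERS) -> float:
    """HA spend for the tier plus the outage loss its residual downtime still exposes."""
    t = tiers[tier]
    return t["annual_cost"] + expected_annual_loss(t["availability"], cost_per_hour_down)


def choose_tier(cost_per_hour_down: float, tiers=TIERS) -> str:
    """Pick the tier whose HA spend plus expected outage loss is lowest for this business risk."""
    return min(tiers, key=lambda name: total_annual_cost(name, cost_per_hour_down, tiers))


if __name__ == "__main__":
    for name, t in TIERS.items():
        print(f"{name:13s} {t['availability']:.3%}  ~{nines(t['availability']):.1f} nines  "
              f"max downtime {allowed_downtime_minutes(t['availability']) / 60:.1f} h/yr")
    for hourly in (100, 500, 1000):
        print(f"outage costs ${hourly}/h  ->  {choose_tier(hourly)}")
```

With these placeholder costs the cheapest tier moves from cold backup to warm standby to hot backup as the hourly cost of an outage rises, which is the deck's argument: the right number of 9's is whatever the organization's risk justifies paying for.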
16. Cold Backup
• Characteristics
– Backup all the components at periodic intervals
– Restore a point-in-time backup upon failure
• Implications
– Economic solution
– Availability will be at the lower end of the spectrum because recovery takes longer
– State of the entire system has to be in sync
– High potential for data loss upon recovery
17. Warm Standby
• Characteristics
– Backup all the components at periodic intervals
– Full redundant system on stand-by
– Restore a point-in-time on a redundant hardware on stand-by
mode
– Activate stand-by upon primary failure
• Implications
– More expensive than cold backup solution
– Availability will be better
– State of the entire system has to be in sync
– Potential for data loss on recovery
18. Hot Backup
• Characteristics
– Full redundant system
– Collect events redundantly from all event sources
– Activate stand-by upon primary failure
– Can be used in an Active/Active mode if the correlation-rule load and number of reporting users are high
• Implications
– More expensive than cold backup and warm standby solution
– Availability will be best
– Low potential for data loss on recovery
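The data-loss and downtime differences between cold backup, warm standby and hot backup on the three preceding slides, as an added simulation that is not part of the deck. A constructed one-day stream of one event per minute is replayed through each model with a primary failure at minute 500; cold and warm restore the last periodic point-in-time backup after a long or short rebuild, while hot collects every event redundantly on a standby and merges the two copies by event id. The optional local_buffer flag models the collector-side buffering listed later under component resiliency; the LogStore class, the intervals and the restore times are assumptions for this example.

```python
from dataclasses import dataclass, field


def make_events(n: int):
    """Constructed stream: one event per minute, ids evt-0000..., timestamp in minutes."""
    return [(f"evt-{i:04d}", i) for i in range(n)]


@dataclass
class LogStore:
    """A SIEM / log manager node: accepts events while up and takes periodic snapshots."""
    events: dict = field(default_factory=dict)
    snapshots: list = field(default_factory=list)  # (minute, copy of events)
    up: bool = True

    def ingest(self, eid: str, ts: int) -> bool:
        if not self.up:
            return False
        self.events[eid] = ts
        return True

    def snapshot(self, now: int) -> None:
        self.snapshots.append((now, dict(self.events)))

    def restore_latest(self) -> None:
        """Point-in-time restore: everything ingested after the last snapshot is gone."""
        self.events = dict(self.snapshots[-1][1]) if self.snapshots else {}
        self.up = True


def simulate(model: str, events, fail_at: int, restore_minutes: int,
             backup_interval: int = 60, local_buffer: bool = False) -> dict:
    """Replay the stream through one availability model and report what was lost.

    model: "cold" or "warm" (restore the last backup restore_minutes after the failure),
           "hot" (a standby collects every event in parallel, so no restore is needed).
    local_buffer: the collector queues events it cannot deliver and replays them later.
    """
    primary = LogStore()
    standby = LogStore() if model == "hot" else None
    queue = []
    minutes_unavailable = 0

    for eid, ts in events:
        if ts > 0 and ts % backup_interval == 0 and primary.up:
            primary.snapshot(ts)                 # periodic backup of a healthy primary
        if ts == fail_at:
            primary.up = False                   # primary outage begins
        if model != "hot" and ts == fail_at + restore_minutes:
            primary.restore_latest()             # rebuild from the last point-in-time backup

        accepted = primary.ingest(eid, ts)
        if accepted and queue:                   # primary is back: drain the collector buffer
            for q_eid, q_ts in queue:
                primary.ingest(q_eid, q_ts)
            queue.clear()
        if standby is not None:                  # hot: standby collects redundantly
            accepted = standby.ingest(eid, ts) or accepted
        if not accepted:
            minutes_unavailable += 1
            if local_buffer:
                queue.append((eid, ts))

    retained = dict(primary.events)
    if standby is not None:                      # hot: union of both copies, de-duplicated by id
        retained.update(standby.events)
    lost = [eid for eid, _ in events if eid not in retained]
    return {"lost_events": len(lost), "minutes_unavailable": minutes_unavailable,
            "first_lost": lost[0] if lost else None}


if __name__ == "__main__":
    day = make_events(24 * 60)
    print("cold        ", simulate("cold", day, fail_at=500, restore_minutes=480))
    print("cold+buffer ", simulate("cold", day, fail_at=500, restore_minutes=480, local_buffer=True))
    print("warm        ", simulate("warm", day, fail_at=500, restore_minutes=30))
    print("hot         ", simulate("hot", day, fail_at=500, restore_minutes=0))
```

The run shows the two distinct loss windows: events ingested after the last backup but before the failure (the backup interval, lost in both cold and warm) and events arriving during the outage (the restore time). Collector buffering closes only the second window; only redundant collection on a hot standby closes both, which is why the deck rates its data-loss potential as low.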
19. Hybrid Solutions are possible
• It is possible to have hybrid solutions that achieve varying degrees of availability for different components / event sources, based on business requirements and cost factors
– High Availability within a Data Center
> E.g. clustering solution with RAID
» Protects against outage of hardware or components within a data center
– High Availability across Data Centers
> E.g. warm standby across data centers
» Protects against outage of an entire data center
– Disaster Recovery
> E.g. cold backup every day
» Protects from total loss of service in case of failure / disaster
• Question for the audience
– What else is possible to provide each of these situations?
20. Key Considerations for model choice
• Functional Sensitivity
• Distributability of the solution
– More is better or less is better? – Depends!!!
• Balance Scalability with Availability
• Appliance vs Software
– Component Distributability
– Component Resiliency
> Redundancy
> Local Buffering
• Self-monitoring capabilities
– Do you need a MoM (manager of managers), or can your SIEM software monitor itself?
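The self-monitoring consideration above, as an added example that is not part of the deck or of Sentinel: two checks a SIEM can run over its own collector status records, one for a collector that has stopped reporting, and one for an event source whose count has sat at zero for several consecutive periods (a common sign that collection, not the source, has failed). The status line format, the collector and source names and the thresholds are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed collector status lines; the format is assumed for this example, not Sentinel's own.
STATUS_LOG = """\
2010-03-01T10:00:00 collector=cm-dc1-01 source=firewall-edge events=120
2010-03-01T10:00:00 collector=cm-dc1-01 source=vpn-gw events=35
2010-03-01T10:00:00 collector=cm-dc2-01 source=domain-controller events=410
2010-03-01T10:05:00 collector=cm-dc1-01 source=firewall-edge events=118
2010-03-01T10:05:00 collector=cm-dc1-01 source=vpn-gw events=0
2010-03-01T10:10:00 collector=cm-dc1-01 source=firewall-edge events=125
2010-03-01T10:10:00 collector=cm-dc1-01 source=vpn-gw events=0
2010-03-01T10:15:00 collector=cm-dc1-01 source=firewall-edge events=121
2010-03-01T10:15:00 collector=cm-dc1-01 source=vpn-gw events=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) collector=(?P<collector>\S+) source=(?P<source>\S+) events=(?P<events>\d+)$")


def parse_status(log: str) -> list:
    """Parse status lines into records; lines that do not fit the format are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({"ts": datetime.fromisoformat(m["ts"]), "collector": m["collector"],
                            "source": m["source"], "events": int(m["events"])})
    return records


def health_alerts(records, now, silent_after=timedelta(minutes=10), quiet_periods=3) -> list:
    """Return sorted (alert_type, name) pairs for silent collectors and quiet sources."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    last_seen = {}
    counts = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        last_seen[r["collector"]] = r["ts"]          # sorted, so the last write is the latest
        counts[r["source"]].append(r["events"])

    alerts = []
    for collector, ts in last_seen.items():          # collector heartbeat overdue
        if now - ts > silent_after:
            alerts.append(("collector_silent", collector))
    for source, series in counts.items():            # source reported zero events N periods running
        tail = series[-quiet_periods:]
        if len(tail) == quiet_periods and all(c == 0 for c in tail):
            alerts.append(("source_quiet", source))
    return sorted(alerts)


if __name__ == "__main__":
    recs = parse_status(STATUS_LOG)
    for kind, name in health_alerts(recs, "2010-03-01T10:20:00"):
        print(f"ALERT {kind}: {name}")
```

Both checks only need data the SIEM already has about itself, which is the point of the slide: whether a separate manager of managers is needed depends on whether the product exposes this kind of self-monitoring, not on the checks being hard.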
21. Tools in the Repertoire
• Traditional
– Vendor provided solution
> Full redundancy?
– Platform HA
> E.g. OHAC, HACMP
– O/S HA
> E.g. Veritas clusters, Linux clusters, Solaris clusters
– Database HA
> E.g. Oracle clustering, MS-SQL clustering
– Disk HA
> E.g. SANs, EMC, RAID
– Network HA
> E.g. self-healing networks
• Leading Edge / Emerging
– Cloud Computing
– Intelligent Workload Management
22. Summary – Back to Basics
Consider a Systemic View
• Understand the organizational risks and costs of
these risks materializing
• Know the cost / benefit of SIEM HA for your
organization
• Attack HA from a functional point of view
• Understand the moving parts
• Leverage tools available at all layers
----------------------------------------------------------------------
Build the best HA solution for your organization
----------------------------------------------------------------------
25. Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.