Building Highly Available Log Management and SIEM Solutions


Sesh Ramasharma, CISSP
Principal – Identity, Access & Security Management
Novell, Inc
Agenda

    •   Logical view of Log Management and SIEM
    •   Key Tenets of Security - CIA
    •   Availability Defined
    •   Know the moving parts of the solution
    •   Key considerations
    •   Tools in the Repertoire
    •   Summary


2   © Novell, Inc. All rights reserved.
Log Management and SIEM

    •   Log Management is sometimes referred to as
        Security Information Management or “SIM”
    •   Security Event Management or “SEM” is focused
        on real-time monitoring, alerting, incident response

    [Capability diagram, laid out as SEM on the left, Log Management on the
    right, with a shared middle column; recoverable content:]

    SEM:             Event correlation, Robust alert, Incident response,
                     Dashboards, Data enrichment, Filtering
    Shared (middle): Data collection, Ad-hoc query, E-mail alerts, Reports
    Log Management:  Compression, Forensics, Data integrity,
                     Unknown log support, Data retention, Raw log forwarding
CIA Tenets of Security

    •   The CIA tenets of security apply to SIEM / Log
        Management systems as well
         –   Confidentiality: classification of data, and ensuring data is visible
             only to the constituencies that are authorized to see it

         –   Integrity: data cannot be tampered with, and non-repudiation

         –   Availability: available when and where needed
Risk-based Definition of High Availability

    •   The definition of “High Availability” is subjective
         –   Usually expressed as a number of 9’s

    •   It should be driven by, and be commensurate with, business risk

    •   The primary reason it must be evaluated subjectively is that
        it comes with a cost!
Functional Sensitivity to Availability

    •   Break down availability by functionality

    •   Some functions need higher availability than others

    [The SEM / Log Management capability diagram from slide 3 is repeated here.]
Logical View – SIEM
    Burton Reference Model (Source: Burton Group – Diana Kelley)

    [Layered diagram; recoverable content, top to bottom:]

    •   Visualization / Administration: Security alerts, Reports, Visualization
    •   Operations Integration: Network / Security Operations, Help Desk, Ticketing
    •   Real-time Analysis / Response: Policies / Compliance Rules;
        Signatures / Attack Patterns; Raw Log
    •   Collection / Aggregation / Correlation: Central / Master Collector
        fed by Distributed Collectors; Response feeds back to operations
    •   Inputs (each via Agent or Logging):
         –   Identity Management: Access Control, Directories, Provisioning
         –   System Management: Host and DB Configuration, Patch Management,
             Vulnerability Management
         –   Perimeter Controls: Routers, Firewalls, Content Scanners
         –   Intrusion Detection / Response: Network IDS, Network IPS, Other Sensors
Novell Sentinel SIEM

    [Architecture diagram; recoverable content, top to bottom:]

    •   Analysis and presentation: Correlation, iTRAC, Sentinel Control Center,
        Reports, Repository
    •   Message bus: components Publish to and Subscribe from Channels; a Proxy
        connects a remote Collector Manager that serves external event sources
    •   Collector Managers host Collectors, which Parse-normalize events, apply
        Taxonomy and Business relevance, and perform Exploit detection
    •   Event Sources (internal and External):
         –   Security Perimeter: VPN, Firewall, Host IDS, Antivirus, Network IDS
         –   Referential IT Sources: Asset Mgmt, Patch Mgmt, Identity Mgmt,
             Vulnerability Mgmt
         –   Operating Systems: Workstations, Laptops, Server, Mainframe
         –   Application Events: Business Apps, RDBMS, Domain Controller,
             Custom Events
Novell Sentinel RD

    [Product diagram slide; no text content.]
Novell Sentinel Log Manager

    [Product diagram slide; no text content.]
SIEM/Log Management Layers

    [Layer diagram; recoverable content:]

    •   Event Source (with Agent): Application / Operating System /
        Storage / Network
    •   SIEM / Log Management System (SIEM and Log Mgmt.): Application /
        Operating System / Storage / Network
SIEM/Log Management Layers –
     Novell Sentinel Suite Perspective

    [Layer diagram; recoverable content:]

    •   Event Source (with Agent): Application / Operating System /
        Storage / Network
    •   Collector tier in between: Collector / Collector Manager /
        Application / Operating System / Storage / Network
    •   SIEM / Log Management System (SIEM and Log Mgmt.): Application /
        Operating System / Storage / Network
Know the Moving Parts – A Vertical Slice – Flavor 1

    [Side-by-side stack diagram; recoverable content, top to bottom:]

    Burton Reference                      Novell Sentinel
    -----------------------------------   -----------------------------------
    Security alerts / Reports /           Security Alerts / Workflow
    Visualization                         Remediation / Visualization
                                          Reports
    Log Database                          Log Database
                                          Message Bus
    Central / Master Collector            Central / Master Collector
    Distributed Collector                 Distributed Collector
    Event Source (Agent, Logging)         Event Source (Logging)
Know the Moving Parts – A Vertical Slice – Flavor 2

    [Side-by-side stack diagram; recoverable content, top to bottom:]

    Burton Reference                      Novell Sentinel
    -----------------------------------   -----------------------------------
    Security alerts / Reports /           Security Alerts / Workflow
    Visualization                         Remediation / Visualization
                                          Reports, Control Center
    Log Database                          Log Database
                                          Message Bus
                                          Sentinel Log Manager (Raw Log)
    Central / Master Collector            Central / Master Collector
    Distributed Collector                 Distributed Collector
    Event Source (Agent, Logging)         Event Source (Logging)
Degrees of Availability

    [Chart of Cost (vertical axis) against Availability (horizontal axis,
    marked 0%, 95%, 98%, 99.5%, 99.9%); recoverable content:]

    •   Cold Backup – lowest cost, lowest availability
    •   Warm Standby – intermediate cost and availability
    •   Hot Backup – highest cost, highest availability
Cold Backup

     •   Characteristics
          –   Back up all the components at periodic intervals
          –   Restore a point-in-time backup upon failure

     •   Implications
          –   Economical solution
          –   Availability will be at the lower end of the spectrum, as recovery
              takes longer
          –   The state of the entire system has to be kept in sync
          –   High potential for data loss upon recovery
Warm Standby

     •   Characteristics
          –   Back up all the components at periodic intervals
          –   Fully redundant system on stand-by
          –   Restore a point-in-time backup onto the redundant hardware while
              it is in stand-by mode
          –   Activate the stand-by upon primary failure
     •   Implications
          –   More expensive than a cold backup solution
          –   Availability will be better
          –   The state of the entire system has to be kept in sync
          –   Potential for data loss on recovery
Hot Backup

     •   Characteristics
          –   Fully redundant system
          –   Collect events redundantly from all event sources
          –   Activate the stand-by upon primary failure
          –   Can be used in an Active/Active mode if the correlation rule load
              and the number of reporting users are high
     •   Implications
          –   More expensive than cold backup and warm standby solutions
          –   Availability will be the best of the three
          –   Low potential for data loss on recovery
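The cold / warm / hot ladder above trades cost against availability, and slide 5 says the chosen level should be commensurate with business risk. The Python below is an added worked example for this page, not code from the original deck or from Novell: it converts a number-of-nines figure into the annual downtime that figure still permits, adds the expected loss from that downtime to each tier's own cost, and picks the cheapest tier. Every number in it (tier costs, tier availability, outage cost per hour) is a constructed assumption for illustration; the availability values reuse marks from the slide's axis (95%, 99.5%, 99.9%).

```python
"""Risk-based choice of an HA tier for a SIEM / log management deployment.

Added example for this page; not from the original slides or from Novell.
Every number below (tier cost, tier availability, outage cost per hour) is a
constructed assumption for illustration. Replace them with your own figures.
"""
from dataclasses import dataclass
from typing import Iterable

HOURS_PER_YEAR = 365 * 24  # 8760; leap years ignored for simplicity


@dataclass(frozen=True)
class Tier:
    name: str
    availability: float   # fraction of the year the function is usable, e.g. 0.995
    annual_cost: float    # what the tier costs to build and run per year (assumed)


def downtime_hours_per_year(availability: float) -> float:
    """Turn a number-of-nines figure into the annual downtime it still permits."""
    if not 0.0 <= availability <= 1.0:
        raise ValueError("availability must be a fraction between 0 and 1")
    return (1.0 - availability) * HOURS_PER_YEAR


def expected_annual_loss(availability: float, outage_cost_per_hour: float) -> float:
    """Business risk of the tier: permitted downtime times the cost of an outage hour."""
    return downtime_hours_per_year(availability) * outage_cost_per_hour


def total_annual_cost(tier: Tier, outage_cost_per_hour: float) -> float:
    """Cost of the tier plus the expected loss from the downtime it does not prevent."""
    return tier.annual_cost + expected_annual_loss(tier.availability, outage_cost_per_hour)


def choose_tier(tiers: Iterable[Tier], outage_cost_per_hour: float) -> Tier:
    """Lowest cost-plus-risk wins: the HA level is commensurate with business risk."""
    return min(tiers, key=lambda t: total_annual_cost(t, outage_cost_per_hour))


# Constructed tiers following the slides' cold / warm / hot ladder. The
# availability values reuse marks from the slide's axis; the costs are invented.
TIERS = (
    Tier("cold backup", 0.95, 20_000.0),
    Tier("warm standby", 0.995, 60_000.0),
    Tier("hot backup", 0.999, 150_000.0),
)

if __name__ == "__main__":
    # The same three tiers, evaluated for three businesses whose outage-hour
    # costs differ by an order of magnitude each.
    for cost_per_hour in (100.0, 1_000.0, 10_000.0):
        best = choose_tier(TIERS, cost_per_hour)
        print(f"outage cost {cost_per_hour:>8,.0f}/h -> {best.name:12s} "
              f"(downtime budget {downtime_hours_per_year(best.availability):6.1f} h/yr, "
              f"cost+risk {total_annual_cost(best, cost_per_hour):,.0f}/yr)")
```

With these assumed figures the cold tier wins at 100 per outage hour, warm standby at 1,000 and hot backup at 10,000, which is the slide's point: the right number of nines is whatever the business risk justifies paying for. Functional sensitivity (slide 6) fits the same model: evaluate each function (real-time correlation, reporting, retention) with its own outage cost rather than one figure for the whole system.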
Hybrid Solutions are Possible

     •   It is possible to build hybrid solutions that achieve varying degrees
         of availability for different components / event sources, based on
         business requirements and cost factors
          –   High Availability within a Data Center
               >   e.g. a clustering solution with RAID
                     »   Protects against outage of hardware or components within a data center
          –   High Availability across Data Centers
               >   e.g. warm standby across data centers
                     »   Protects against outage of an entire data center

          –   Disaster Recovery
               >   e.g. a cold backup every day
                     »   Protects against total loss of service in case of failure / disaster

     •   Question for the audience
          –   What else could provide each of these levels of protection?
Key Considerations for Model Choice

     •   Functional sensitivity
     •   Distributability of the solution
          –   Is more better, or is less better? It depends!
     •   Balance scalability with availability
     •   Appliance vs. software
          –   Component distributability
          –   Component resiliency
               >   Redundancy
               >   Local buffering

     •   Self-monitoring capabilities
          –   Do you need a manager-of-managers (MoM), or can the SIEM
              software monitor itself?
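Two of the considerations above, local buffering and self-monitoring, are the ones most often left out when a collector tier is assessed for availability. The Python below is an added example written for this page, not code from Novell Sentinel or from the original slides: a store-and-forward collector keeps undeliverable events in a bounded local spool and replays them in order once the upstream ingest point is reachable again, and it records the last event time per source so that a source that has gone quiet can be reported even though no event ever arrives to trigger a rule. The `Upstream` class is a hypothetical in-memory stand-in for the SIEM ingest endpoint, and the events in `simulate_outage()` are constructed.

```python
"""Local buffering and self-monitoring in a collector tier.

Added example for this page; not code from Novell Sentinel or the slides.
`Upstream` is a hypothetical in-memory stand-in for the SIEM ingest endpoint
whose `online` flag simulates an outage. A real collector would spool to disk
(and fsync) so that a collector restart does not lose the buffer either.
"""
from collections import deque
from typing import Deque, Dict, List


class Upstream:
    """Hypothetical ingest endpoint: accepts events while online, refuses otherwise."""

    def __init__(self) -> None:
        self.online = True
        self.received: List[str] = []

    def send(self, event: str) -> bool:
        if not self.online:
            return False
        self.received.append(event)
        return True


class BufferingCollector:
    """Store-and-forward: every event goes through a bounded local spool and is
    forwarded oldest-first, so an upstream outage delays delivery instead of
    losing events, and never reorders them."""

    def __init__(self, upstream: Upstream, spool_capacity: int) -> None:
        self.upstream = upstream
        self.spool: Deque[str] = deque()
        self.spool_capacity = spool_capacity
        self.dropped = 0                       # events lost because the spool overflowed
        self.last_seen: Dict[str, float] = {}  # source -> time of its latest event

    def ingest(self, source: str, ts: float, event: str) -> None:
        self.last_seen[source] = ts
        self.spool.append(event)
        if len(self.spool) > self.spool_capacity:
            # Policy choice: drop the oldest event and count it, so the loss is
            # visible to monitoring rather than silent.
            self.spool.popleft()
            self.dropped += 1
        self.flush()

    def flush(self) -> int:
        """Replay spooled events in order; stop at the first delivery failure."""
        sent = 0
        while self.spool and self.upstream.send(self.spool[0]):
            self.spool.popleft()
            sent += 1
        return sent

    def silent_sources(self, now: float, max_silence: float) -> List[str]:
        """Self-monitoring: sources not heard from for more than max_silence seconds.
        Silence can mean the source, the network or this collector's input is down,
        and rule-based alerting cannot see it because no event arrives."""
        return sorted(s for s, t in self.last_seen.items() if now - t > max_silence)


def simulate_outage() -> dict:
    """Constructed scenario: three events delivered, two ingested during an
    upstream outage, then the upstream returns and the spool is replayed."""
    upstream = Upstream()
    collector = BufferingCollector(upstream, spool_capacity=100)
    for source, ts, event in (("fw1", 0.0, "e1"), ("fw1", 1.0, "e2"), ("ids1", 2.0, "e3")):
        collector.ingest(source, ts, event)
    upstream.online = False
    collector.ingest("fw1", 3.0, "e4")
    collector.ingest("fw1", 4.0, "e5")
    spooled = len(collector.spool)
    upstream.online = True
    replayed = collector.flush()
    return {
        "received": list(upstream.received),   # must match ingest order exactly
        "spooled_during_outage": spooled,
        "replayed": replayed,
        "dropped": collector.dropped,
        # ids1 last spoke at t=2; at t=13 with a 10 s limit it is the only silent source
        "silent_at_13s": collector.silent_sources(now=13.0, max_silence=10.0),
    }


if __name__ == "__main__":
    for key, value in simulate_outage().items():
        print(f"{key}: {value}")
```

The spool is deliberately bounded: an unbounded buffer turns an upstream outage into a collector outage once disk or memory runs out, and the `dropped` counter is what a manager-of-managers or the SIEM's own health dashboard should be watching alongside `silent_sources()`.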
Tools in the Repertoire

     •   Traditional
          –   Vendor-provided solution
               >   Does it offer full redundancy?
          –   Platform HA
               >   e.g. OHAC, HACMP
          –   O/S HA
               >   e.g. Veritas clusters, Linux clusters, Solaris clusters
          –   Database HA
               >   e.g. Oracle clustering, MS-SQL clustering
          –   Disk HA
               >   e.g. SANs, EMC, RAID
          –   Network HA
               >   e.g. self-healing networks
     •   Leading edge / emerging
          –   Cloud computing
          –   Intelligent workload management
Summary – Back to Basics

     Consider a systemic view
     •   Understand the organizational risks and the costs of
         those risks materializing
     •   Know the cost / benefit of SIEM HA for your
         organization
     •   Attack HA from a functional point of view
     •   Understand the moving parts
     •   Leverage the tools available at all layers
     ----------------------------------------------------------------------
     Build the best HA solution for your organization
     ----------------------------------------------------------------------
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.


General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.

High Availability and Disaster Recovery with Novell Sentinel Log Manager

1. Building Highly Available Log Management and SIEM Solutions
    Sesh Ramasharma, CISSP
    Principal – Identity, Access & Security Management
    Novell, Inc

2. Agenda
    • Logical view of Log Management and SIEM
    • Key Tenets of Security - CIA
    • Availability Defined
    • Know the moving parts of the solution
    • Key considerations
    • Tools in the Repertoire
    • Summary
    © Novell, Inc. All rights reserved.

3. Log Management and SIEM
    • Log Management is sometimes referred to as Security Information Management or “SIM”
    • Security Event Management or “SEM” is focused on real-time monitoring, alerting, incident response

        SEM                   Log Management
        Event correlation     Data collection     Compression
        Robust alert          Ad-hoc query        Forensics
        Incident response     E-mail alerts       Data integrity
        Dashboards            Reports             Unknown log support
        Data enrichment                           Data retention
        Filtering                                 Raw log forwarding

4. CIA Tenets of Security
    • CIA tenets of security apply to SIEM / Log Management systems as well
         – Confidentiality: Classification of data and ensuring data is visible to only constituencies that are authorized
         – Integrity: Data cannot be tampered with, and non-repudiation
         – Availability: Available when and where needed

5. Risk based definition of High Availability
    • Definition of “High Availability” is subjective
         – Defined by number of 9’s
    • It should be driven by and be commensurate to business risk
    • Primary reason it needs to be evaluated subjectively is because it comes with a cost!

6. Functional Sensitivity to Availability
    • Break down availability by functionality
    • Some functions need higher availability than others
      (SEM / Log Management function table as on slide 3)

7. Logical View – SIEM Burton Reference Model
    [Diagram; source: Burton Group – Diana Kelley. Layers from top to bottom:]
    • Operations / Integration / Visualization / Administration: security alerts, reports, visualization; network / security operations; help desk ticketing
    • Real-time analysis / response: raw log, policies / compliance, signatures / attack patterns, rules
    • Collection / aggregation / correlation / response: central / master collector, distributed collectors
    • Inputs (agent logging):
         – Identity Management: access control, directories, provisioning
         – System Management: host and DB configuration, patch management, vulnerability management
         – Perimeter Controls: routers, firewalls, content scanners
         – Intrusion Detection / Response: network IDS, network IPS, other sensors

8. Novell Sentinel SIEM
    [Architecture diagram. Components shown: Control Center, Correlation, iTRAC, Sentinel Reports and Repository subscribing to channels through a proxy; Collector Managers (parse-normalize, taxonomy, business relevance, exploit detection) publishing to those channels; Collectors reading from external event sources. Event sources shown: VPN, external firewall, asset mgmt, patch mgmt, workstations, laptops, business apps, RDBMS, host IDS, identity mgmt, vulnerability mgmt, domain controller, custom events, antivirus, server, mainframe, network IDS; grouped as security, perimeter, referential IT sources, operating systems and application events.]

9. Novell Sentinel RD
    [Diagram only]

10. Novell Sentinel Log Manager
    [Diagram only]

11. SIEM/Log Management Layers
    [Diagram: Event Source stack (Agent, Application, Operating System, Storage, Network) feeding the SIEM / Log Management System stack (SIEM, Log Mgmt., Application, Operating System, Storage, Network)]

12. SIEM/Log Management Layers – Novell Sentinel Suite Perspective
    [Same diagram as slide 11 with the Sentinel components shown between the two stacks: Collector, Collector Manager, Application, Operating System, Storage, Network]

13. Know the Moving Parts – A Vertical Slice – Flavor 1
        Burton Reference                Novell Sentinel
        Security alerts                 Security Alerts, Workflow Remediation
        Reports                         Reports
        Visualization                   Visualization
        Log Database                    Log Database
                                        Message Bus
        Central / Master Collector      Central / Master Collector
        Distributed Collector           Distributed Collector
        Event Source (Agent Logging)    Event Source (Logging)

14. Know the Moving Parts – A Vertical Slice – Flavor 2
        Burton Reference                Novell Sentinel
        Security alerts                 Security Alerts, Workflow Remediation
        Reports                         Reports
        Visualization                   Visualization, Control Center
        Log Database                    Log Database
                                        Message Bus
        Central / Master Collector      Central / Master Collector
        Distributed Collector           Distributed Collector, Sentinel Log Manager (Raw Log)
        Event Source (Agent Logging)    Event Source (Logging)

15. Degrees of Availability
    [Chart: cost (vertical axis) against availability (horizontal axis: 0%, 95%, 98%, 99.5%, 99.9%); cold backup, warm standby and hot backup sit at increasing availability and increasing cost]

16. Cold Backup
    • Characteristics
         – Backup all the components at periodic intervals
         – Restore a point-in-time backup upon failure
    • Implications
         – Economic solution
         – Availability will be on the lower end of the spectrum, as recovery will take a longer time
         – State of the entire system has to be in sync
         – High potential for data loss upon recovery

17. Warm Standby
    • Characteristics
         – Backup all the components at periodic intervals
         – Full redundant system on stand-by
         – Restore a point-in-time backup onto redundant hardware in stand-by mode
         – Activate stand-by upon primary failure
    • Implications
         – More expensive than cold backup solution
         – Availability will be better
         – State of the entire system has to be in sync
         – Potential for data loss on recovery

18. Hot Backup
    • Characteristics
         – Full redundant system
         – Collect events redundantly from all event sources
         – Activate stand-by upon primary failure
         – Can be used in an Active/Active mode if correlation rules and reporting users are high
    • Implications
         – More expensive than cold backup and warm standby solution
         – Availability will be best
         – Low potential for data loss on recovery
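The slides above define availability by "number of 9's", break the system into a vertical slice of components (slides 11 to 14) and rank cold backup, warm standby and hot backup by cost and availability (slide 15). The following added example, which is not part of the deck or of Novell's product, makes that arithmetic concrete: components that must all be up are multiplied together, a hot backup copy is modelled as an independent parallel instance, and the collection path (does the evidence land in storage?) is separated from the consumption path (can an analyst see it now?) to illustrate the "functional sensitivity" point of slide 6. Every per-component availability figure is a constructed illustration, not a measured value.

```python
"""Availability arithmetic for a SIEM / log management pipeline.

Models the vertical slice from the deck (agent -> distributed collector ->
central collector -> message bus -> log database -> visualization) as
components in series, with hot-backup redundancy modelled as independent
parallel copies. All per-component figures are constructed for illustration.
"""
import math
from typing import Dict, Iterable, List, Optional

MINUTES_PER_YEAR = 365.25 * 24 * 60  # 525,960

# Constructed availability of one non-redundant instance of each component.
SINGLE_INSTANCE: Dict[str, float] = {
    "event source agent": 0.999,
    "distributed collector": 0.995,
    "central collector": 0.995,
    "message bus": 0.998,
    "log database": 0.990,
    "visualization / reports": 0.980,
}

# Functional sensitivity: the collection path decides whether evidence is
# captured at all; the consumption path only decides whether analysts can
# see it right now.
COLLECTION_PATH: List[str] = [
    "event source agent", "distributed collector", "central collector",
    "message bus", "log database",
]
CONSUMPTION_PATH: List[str] = ["log database", "visualization / reports"]


def series(availabilities: Iterable[float]) -> float:
    """All components must be up at once, so availabilities multiply."""
    total = 1.0
    for a in availabilities:
        total *= a
    return total


def parallel(availability: float, copies: int) -> float:
    """`copies` independent instances; the function is up if any one is up."""
    return 1.0 - (1.0 - availability) ** copies


def downtime_minutes_per_year(availability: float) -> float:
    """Translate an availability figure into minutes of outage per year."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def nines(availability: float) -> float:
    """Number of nines, e.g. 0.999 -> 3.0 (fractional for in-between values)."""
    return -math.log10(1.0 - availability)


def path_availability(path: Iterable[str],
                      redundancy: Optional[Dict[str, int]] = None) -> float:
    """End-to-end availability of a path, with per-component copy counts."""
    redundancy = redundancy or {}
    return series(parallel(SINGLE_INSTANCE[c], redundancy.get(c, 1))
                  for c in path)


# Hot backup / active-active: a second instance of every SIEM-side component.
# The agent on the event source itself is not duplicated.
HOT_BACKUP: Dict[str, int] = {
    "distributed collector": 2, "central collector": 2,
    "message bus": 2, "log database": 2, "visualization / reports": 2,
}


def compare_tiers() -> Dict[str, float]:
    """Collection-path and consumption-path availability, single vs hot backup."""
    return {
        "collection, single instance": path_availability(COLLECTION_PATH),
        "collection, hot backup": path_availability(COLLECTION_PATH, HOT_BACKUP),
        "consumption, single instance": path_availability(CONSUMPTION_PATH),
        "consumption, hot backup": path_availability(CONSUMPTION_PATH, HOT_BACKUP),
    }


if __name__ == "__main__":
    for label, a in compare_tiers().items():
        print(f"{label:30s} {a:.5f}  ({nines(a):.2f} nines, "
              f"{downtime_minutes_per_year(a):8.1f} min/year down)")
```

With the constructed figures, the single-instance collection path lands a little under 98% (about 12,000 minutes of outage per year), while doubling the SIEM-side components lifts it above 99.8%: the agent on the event source, which is not duplicated, then dominates the remaining downtime. The parallel formula assumes independent failures, so shared dependencies such as one SAN or one network switch behind both copies have to be modelled as their own series component rather than hidden inside the pair.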
19. Hybrid Solutions are possible
    • It is possible to have hybrid solutions to achieve varying degrees of availability for different components / event sources based on business requirements and cost factors
         – High Availability within a Data Center
            > E.g. - Clustering solution with RAID
              » Protects against outage of hardware or components within a data center
         – High Availability Across Data Centers
            > E.g. - Warm standby across data centers
              » Protects against outage of an entire data center
         – Disaster Recovery
            > E.g. - Cold backup every day
              » Protects from total loss of service in case of failure / disaster
    • Question for the audience
         – What else is possible to provide for each of these situations?

20. Key Considerations for model choice
    • Functional Sensitivity
    • Distributability of the solution
         – More is better or less is better?
         – Depends!!!
    • Balance Scalability with Availability
    • Appliance vs Software
         – Component Distributability
         – Component Resiliency
            > Redundancy
            > Local Buffering
    • Self-monitoring capabilities
         – Need a MoM or can your SIEM software monitor itself
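Slide 20 lists local buffering and self-monitoring among the component-resiliency considerations. The added example below (not code from the deck or from the Sentinel product) shows what local buffering buys at the collector: while the collector manager or SIEM is unreachable, events are queued on the collector and replayed in arrival order once the upstream returns, so a SIEM-side outage does not leave a gap in the audit trail. The buffer is bounded, and overflow is counted rather than silently discarded, which is the figure a self-monitoring check should alert on. `BufferingCollector`, `SimulatedUpstream` and the "reject newest on overflow" policy are choices made for this example; the event names are constructed.

```python
"""Store-and-forward collector with a bounded local buffer.

Added example: when the upstream collector manager / SIEM is unreachable, the
collector queues events locally and replays them in arrival order once the
upstream returns. The buffer is bounded; overflow is counted, not silent, so
that a self-monitoring check can alert on it.
"""
from collections import deque
from typing import Callable, Deque, List, Tuple


class UpstreamUnavailable(Exception):
    """Raised by the forward callable when the upstream cannot accept an event."""


class BufferingCollector:
    def __init__(self, forward: Callable[[str], None], capacity: int = 10_000):
        self._forward = forward
        self._buffer: Deque[str] = deque()
        self.capacity = capacity
        self.delivered = 0
        self.dropped = 0  # events rejected because the buffer was full

    @property
    def backlog(self) -> int:
        return len(self._buffer)

    def ingest(self, event: str) -> None:
        """Deliver an event, or queue it behind any existing backlog."""
        if self._buffer:
            self.flush()  # drain older events first to keep ordering
        if self._buffer:
            self._enqueue(event)  # upstream still down: queue behind backlog
            return
        try:
            self._forward(event)
            self.delivered += 1
        except UpstreamUnavailable:
            self._enqueue(event)

    def flush(self) -> int:
        """Replay the backlog in order; stop at the first failure."""
        sent = 0
        while self._buffer:
            try:
                self._forward(self._buffer[0])
            except UpstreamUnavailable:
                break
            self._buffer.popleft()
            self.delivered += 1
            sent += 1
        return sent

    def _enqueue(self, event: str) -> None:
        # Overflow policy (a choice for this example): keep what is already
        # queued and reject the newest event, so the earliest records of an
        # incident survive. Either way the loss is counted for alerting.
        if len(self._buffer) >= self.capacity:
            self.dropped += 1
        else:
            self._buffer.append(event)


class SimulatedUpstream:
    """Constructed stand-in for the collector manager; `up` is toggled by the scenario."""

    def __init__(self) -> None:
        self.up = True
        self.received: List[str] = []

    def __call__(self, event: str) -> None:
        if not self.up:
            raise UpstreamUnavailable(event)
        self.received.append(event)


def run_outage_scenario(total_events: int = 10,
                        outage: Tuple[int, int] = (3, 7),
                        capacity: int = 100) -> Tuple[List[str], int]:
    """Feed `total_events` constructed events; the upstream is down while
    events outage[0] .. outage[1]-1 arrive. Returns (events received, drops)."""
    upstream = SimulatedUpstream()
    collector = BufferingCollector(upstream, capacity=capacity)
    for i in range(total_events):
        upstream.up = not (outage[0] <= i < outage[1])
        collector.ingest(f"evt-{i}")
    upstream.up = True
    collector.flush()
    return upstream.received, collector.dropped


if __name__ == "__main__":
    received, dropped = run_outage_scenario()
    print(f"received in order: {received}, dropped: {dropped}")
    received, dropped = run_outage_scenario(capacity=2)
    print(f"with a 2-event buffer: {received}, dropped: {dropped}")
```

With a buffer large enough for the outage, every event reaches the upstream in its original order and nothing is dropped; with a two-event buffer, the events that arrive after it fills are counted as dropped while the earlier ones are still replayed. A real collector would back the deque with durable storage so the backlog survives a restart, and would export `backlog` and `dropped` as health metrics for whichever monitor (a separate manager-of-managers or the SIEM itself, per slide 20) watches the pipeline.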
21. Tools in the Repertoire
    • Traditional
         – Vendor provided solution
            > Full redundancy?
         – Platform HA
            > E.g. OHAC, HACMP
         – O/S HA
            > E.g. Veritas clusters, Linux clusters, Solaris clusters
         – Database HA
            > Oracle clustering, MS-SQL clustering
         – Disk HA
            > E.g. SANs, EMC, RAID
         – Network HA
            > E.g. Self healing networks
    • Leading Edge / Emerging
         – Cloud Computing
         – Intelligent Workload Management

22. Summary – Back to Basics
    Consider a Systemic View
    • Understand the organizational risks and costs of these risks materializing
    • Know the cost / benefit of SIEM HA for your organization
    • Attack HA from a functional point of view
    • Understand the moving parts
    • Leverage tools available at all layers
    ----------------------------------------------------------------------
    Build the best HA solution for your organization
    ----------------------------------------------------------------------
  • 25. Unpublished Work of Novell, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.