2. Introduction
Types of SIEM
SIEM Vs SEM Vs SIM
Life Cycle
High level architecture
Low level design
Key Requirements
Security Log analysis
Security Log monitoring
NIST Guidelines
3. SIEM: Security Information and Event Management (refers to the process of
centralized security log management with analysis, reporting and alerting functions)
Security Information: an event or a record related to security devices, or an event
that belongs to the security of the IT systems or devices
Security Event: an occurrence or activity in the system related to security
4. Introduction - contd
Why SIEM ???
To improve log analysis
To support Incident analysis
To improve incident response
To support forensic investigations
To support regulatory compliance
To support internal process adherence and audit requirements
5. Introduction - contd
Why is Log Management important ???
To generate logs that are worth generating
To support operations, maintenance and troubleshooting
To transmit filtered logs in a secure fashion
To decide what should be stored and for how long (log retention)
To store logs for the appropriate period, in a secure fashion
To ensure relevant security metrics are triggered by the appropriate logs
To enhance threat discovery
6. SIEM vs SIM vs SEM
SIM, SIEM and SEM are often used interchangeably.....
Are they the same ?????
SEM: real-time monitoring and event management to support IT security operations.
SEM requires several capabilities: event and data collection, aggregation and
correlation in near real time; a dynamic monitoring/security event console for viewing
and managing events; and automated response generation for security events.
SIM: historical analysis and reporting for security event data. This requires event and
data collection/correlation (but not in real time), an indexed repository for log data and
flexible query and reporting capabilities.
SIEM = SIM + SEM
7. SIEM: agent-based vs plug-and-play (agentless) collection
Agent-based collection
- Special software (an agent) must be installed on the log source to collect logs
- Collection, filtering, aggregation and normalization happen in the agent
- Implementation challenges: different agents are required to process different log formats
- Real-time or near real-time logs
Plug-and-play (agentless) collection
- The end system pushes logs to the SIEM, or the SIEM pulls logs from the log sources
- Collection, filtering, aggregation and normalization happen in the SIEM
- Performance impact on the SIEM, which must do all of this processing centrally
- Real-time or near real-time logs
10. High level architecture (architecture diagram; labels recovered from the figure)
Log Sources -> Log Collection -> Data Process -> Analysis -> User interface
Log Collection: universal device support; agent collection; log consolidation/compression
Data Process: data management; log storage / third-party storage; normalization
Analysis: data analysis; intelligent event and payload inspection; correlation and alerting; baseline and other analytics
User interface: ticketing system; e-mail system; console; reporting engine; SOC
11. Log Sources (data-flow diagram; labels recovered from the figure)
Attack -> Log Source -> Log Collection (agent) -> Process -> Analysis -> Alert -> Storage
Process: filtering, normalization, aggregation, correlation, enriched with context info
Alert outputs: e-mail, console, ticketing system, report
12. Log Analysis: studying log entries to identify events of interest or to
suppress log entries for insignificant events.
Correlation structure (diagram; labels recovered from the figure)
Inputs: vulnerability database and security policy correlation; historical events; baseline of multiple events
Event correlation produces alerts/reports and observations, delivered via SMTP, SNMP, XML or proprietary message formats
Analysis types: behavior analysis, message analysis, statistical analysis, structural analysis, functional analysis
13. Critical Success factors - Security Log Analysis
Observe: study the logs to filter out unwanted noise and to understand the
very nature of the system
Brainstorm / Mining: mining the logs leads to understanding beyond the level
of "good" or "bad"; read the logs to learn how the system behaves in various situations
Understand the insight: the objective of a log trigger may or may not prove its
worth, so we need to understand what the logs are actually telling us
Classify: once you understand the insight, you are able to classify the logs
Prioritize: prioritization is a vital part of detection, since a log can be
missed because of poor prioritization
14. Security Log Monitoring - Approach
Map Requirements: compliance and regulatory requirements
Declare Use case: the scenario of the event and the appropriate reaction
Match Criteria: appropriate criteria to establish the reality or the degree of the occurrence
Declare Priority: based on a pre-defined procedure or on the nature of the incident
Notify: alert the operations team to take action
Post Incident review: the logs should be monitored for recurrence
Closure: the closure should be captured in the knowledge base (KB) for future reference
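The collection-to-alert flow of slides 11 and 12 (filter, normalize, aggregate, correlate) and the use case / match criteria / priority / notify steps of slide 14, carried through in code. This is an added example, not code from the original deck or from any SIEM product. The log lines are constructed (Linux sshd syslog plus one Windows-style key=value logon event), the use case "password guessing that ends in a successful logon", its threshold of five failures in 120 seconds, the priorities, and the assumed year for the year-less syslog timestamps are all assumptions made for the example.

```python
"""Added example, not from the original slides: a minimal log-analysis pipeline
(collect -> filter -> normalize -> aggregate -> correlate -> prioritize -> notify).
All log lines are constructed; the use case, thresholds and priorities are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input in two formats: Linux sshd syslog lines and a
# Windows-style key=value logon event, so normalization has real work to do.
RAW_LOGS = [
    "Jan 10 10:00:01 web01 sshd[2001]: Failed password for root from 203.0.113.7 port 40001 ssh2",
    "Jan 10 10:00:03 web01 sshd[2002]: Failed password for root from 203.0.113.7 port 40002 ssh2",
    "Jan 10 10:00:05 web01 sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2",
    "Jan 10 10:00:06 web01 sshd[2004]: Failed password for root from 203.0.113.7 port 40004 ssh2",
    "Jan 10 10:00:08 web01 sshd[2005]: Failed password for root from 203.0.113.7 port 40005 ssh2",
    "Jan 10 10:00:10 web01 sshd[2006]: Accepted password for root from 203.0.113.7 port 40006 ssh2",
    "Jan 10 10:00:11 web01 CRON[2010]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 10 10:02:00 web01 sshd[2020]: Failed password for bob from 198.51.100.9 port 50001 ssh2",
    "Jan 10 10:02:30 web01 sshd[2021]: Accepted password for bob from 198.51.100.9 port 50002 ssh2",
    "time=2024-01-10T10:01:00 host=dc01 event_id=4625 user=root src=203.0.113.7 outcome=failure",
]

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                       r"(?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
SSH_AUTH_RE = re.compile(r"^(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
                         r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+")
KV_RE = re.compile(r"(\w+)=(\S+)")
ASSUMED_YEAR = 2024  # syslog timestamps carry no year; assumed for the example


def normalize(line):
    """Map one raw line onto a common schema (ts, host, user, src, outcome),
    or return None to filter it out as noise."""
    m = SYSLOG_RE.match(line)
    if m:
        a = SSH_AUTH_RE.match(m.group("msg"))
        if not a:
            return None  # e.g. cron output: not an authentication event, filtered
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "host": m.group("host"), "user": a.group("user"),
                "src": a.group("src"),
                "outcome": "failure" if a.group("outcome") == "Failed" else "success"}
    kv = dict(KV_RE.findall(line))
    if kv.get("event_id") in ("4624", "4625"):  # Windows logon success / failure IDs
        return {"ts": datetime.fromisoformat(kv["time"]), "host": kv["host"],
                "user": kv["user"], "src": kv["src"],
                "outcome": "success" if kv["event_id"] == "4624" else "failure"}
    return None


# Use case (assumed): password guessing that ends in a successful logon.
# Match criteria: >= FAIL_THRESHOLD failures from one source inside WINDOW, then a
# success from that source. Priority: high if a success followed, else medium.
FAIL_THRESHOLD = 5
WINDOW = timedelta(seconds=120)


def correlate(events):
    """Aggregate events per source, apply the use-case criteria, return alerts."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        failures = []
        for e in evs:
            # sliding window: drop failures older than WINDOW relative to this event
            failures = [f for f in failures if e["ts"] - f["ts"] <= WINDOW]
            if e["outcome"] == "failure":
                failures.append(e)
            elif len(failures) >= FAIL_THRESHOLD:
                alerts.append({"rule": "brute_force_then_success", "priority": "high",
                               "src": src, "host": e["host"], "user": e["user"],
                               "failures": len(failures), "ts": e["ts"]})
                failures = []
        if len(failures) >= FAIL_THRESHOLD:  # window full of failures, no success seen
            alerts.append({"rule": "brute_force_no_success", "priority": "medium",
                           "src": src, "host": failures[-1]["host"], "user": None,
                           "failures": len(failures), "ts": failures[-1]["ts"]})
    return alerts


def run_pipeline(lines):
    """Filter + normalize every line, then correlate; returns (events, alerts)."""
    events = [e for e in map(normalize, lines) if e]
    return events, correlate(events)


def notify(alert):
    """Notification step: format the alert for the operations team / ticketing."""
    return (f"[{alert['priority'].upper()}] {alert['rule']} src={alert['src']} "
            f"host={alert['host']} failures={alert['failures']} at {alert['ts'].isoformat()}")


if __name__ == "__main__":
    events, alerts = run_pipeline(RAW_LOGS)
    print(f"{len(events)} events kept from {len(RAW_LOGS)} lines")
    for a in alerts:
        print(notify(a))
```

On the sample data the cron line is filtered as noise, the Windows event is normalized into the same schema as the sshd lines, and only 203.0.113.7 trips the rule (five failures then a success inside the window), so one high-priority alert is raised; bob's single failure followed by a success stays below the threshold and generates nothing. The "Post Incident review" step of the approach maps onto re-running the same rule over later logs to watch for recurrence from the same source.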
16. NIST Guidelines: Security Log management (NIST SP 800-92)
To establish and maintain successful log management infrastructures,
an organization should perform significant planning and other preparatory
actions for performing log management.
This is important for creating consistent, reliable, and efficient log management
practices that meet the organization's needs and requirements and also
provide additional value.
SECURITY IS A PROCESS, NOT A PRODUCT !!!!!!!!!!!
http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92