Most organizations capture log data that could indicate a breach occurred. Yet not a single breach investigated in the Verizon 2011 Data Breach Investigation Report was detected through log analysis or review. Learn how adding Tripwire Enterprise change and configuration data makes all the difference in detecting critical events.
4. Change is Needed!
Existing technology isn’t providing expected ROI, is too expensive and complex, and only delivers data.
9. 0%: Log analysis/review discovered no breaches (Verizon 2011 Data Breach Investigations Report)
Capturing Data…. Is Not The Same As Knowing When Something Bad Just Happened!
10. “Context of Change”
Events shown: Windows event log cleared; Login successful; FTP Enabled; 10 failed logins; Host not generating events.
Questions the context of change answers: Were undesired changes made? Who made them? Was compliance level lowered? Did changes enable SIEM events? Or enable other events?
11. “Context of Change”
Events shown: Windows event log cleared; Login successful; FTP Enabled; 10 failed logins; Host not generating events.
Change context added: Logging turned off; Policy test fails.
Questions the context of change answers: Were undesired changes made? Who made them? Was compliance level lowered? Did changes enable SIEM events? Or enable other events?
12. Raw Log Data
Detect Change (Good & Bad) → Report Change (Good & Bad)
No Intelligence. No Context. No Security. Just Data!
13. “Context”
Raw Log Data: Detect Change (Good & Bad)
+ Dynamic Analysis: Configuration Policy Failures; Change Policy Failures; Change Authorization Failures
= Changes of Interest!
Report & Alert on Changes of Interest.
14. Changes of Interest correlated with Log Events of Interest turn Raw Data into timely, actionable Information
Log Events of Interest: 10 failed logins; Login successful; Windows event log cleared; Host not generating events.
Changes of Interest: Logging turned off; FTP Enabled; Policy test fails.
16. Example alerts
• File ‘Sales_Forecast_2011.xls’ was changed on node ‘PROD_FINANCE’ by Ed Rarick.
• There were 15 Medium Severity Changes on node ‘PROD_DC1’.
• Node ‘PROD_DC1’ had an additional 2 tests fail from policy ‘PCI 2.1’ after the last scan. 15 tests passed and 30 failed.
• Node ‘PROD_DC1’ decreased its score by 2.53 on policy ‘PCI 2.1’ after the last scan.
17. Maintain Desired State (over Time)
• Non-stop monitoring & collection
• Dynamic analysis to find suspicious activities
• Assess & Achieve: alert on impact to policy
• Remediate: options to speed remedy
More organizations have deployed more compliance and security tools and are capturing and analyzing more data than ever. Unfortunately, they are not getting stellar results, as noted in the Verizon 2011 Data Breach Report. Each year we learn that, even with more data being captured, the number of attacks increases, most organizations had to have a 3rd party tell them they had been hacked, and the resulting breaches were avoidable through simple controls. What was so interesting and new in the 2011 report was the fact that “ZERO” breaches were discovered through log analysis or review!!!
In other words, log management and SIEM solutions did not deliver on the promise of
TZ: Ed, what exactly is this “data deluge problem”?
Ed: Over the last several years many organizations have put collection systems in place to meet PCI requirements. They put in log management and FIM along with other security tools. And they have been collecting a ton of data ever since. So they have plenty of data to meet compliance requirements. But the problem is they have too much data for it to be useful. And it is almost impossible to quickly know if any of the data is indicating a security issue. It’s like trying to find a single land-mine in a massive land-fill before it goes off and causes damage.
TZ (to transition to next): And this here is some data to show what the “deluge” actually means in terms of volume.
ER: The cost of this time delay is enormous. These organizations not only suffer monetarily, their “mojo” is also badly damaged. They lose shareholder trust and value. Their name remains in the press and in presentations like this for a very long time.
TZ (to transition to next slide): Going back to our title, which is about ensuring security and compliance in light of this vast sea of data, we at Tripwire offer a pragmatic approach to compliance and security. Let’s spend a moment talking about what that means.
Having tools in place that just capture the things that are changing does not help close the time gap problem. Capturing data is NOT the same as knowing when something BAD is happening. And isolating the bad from the good is what is needed to make it possible to find and fix bad events within minutes of them happening.
Event Integration Framework benefits:
• Aggregate change data based on criticality
• Can integrate a single criticality level into a single log message
• EIF reports “who” made the change
• Reports on patterns of compliance (if a change reduces the compliance level of a box, report it, not just whether it is in or out of a compliant state)
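The correlation idea from slide 14 (changes of interest matched against log events of interest on the same host) and the EIF points above (aggregate by criticality, report who made the change) can be shown in a small script. The following is an added example written for this page, not Tripwire Enterprise or EIF code; every change record, log line, host name, account name and timestamp is constructed, and the 10-minute correlation window is an assumption.

```python
"""Correlate "changes of interest" with "log events of interest" per host.

Added illustration, not Tripwire Enterprise or EIF code. All host names,
accounts, timestamps and log lines are constructed; the 10-minute window
is an assumption.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed: max distance between change and log event

# Change kinds the deck calls "changes of interest" (config and policy changes).
CHANGES_OF_INTEREST = {"logging_disabled", "service_enabled", "policy_test_failed"}
# Log event kinds the deck calls "log events of interest".
LOG_EVENTS_OF_INTEREST = {"failed_login", "login_success", "eventlog_cleared", "host_silent"}


@dataclass(frozen=True)
class Change:
    when: datetime
    node: str
    kind: str       # e.g. "logging_disabled"
    element: str    # what changed
    who: str        # account that made the change ("who" in EIF terms)
    severity: str   # "Low", "Medium" or "High"


@dataclass(frozen=True)
class LogEvent:
    when: datetime
    node: str
    kind: str       # e.g. "failed_login"
    count: int      # how many raw events this line aggregates


def parse_log_line(line):
    """Parse a constructed 'timestamp|node|kind|count' log line."""
    ts, node, kind, count = line.strip().split("|")
    return LogEvent(datetime.fromisoformat(ts), node, kind, int(count))


def correlate(changes, events, window=WINDOW):
    """Return one alert per change of interest that has at least one log event
    of interest on the same node within +/- window of the change time."""
    alerts = []
    for c in sorted(changes, key=lambda c: c.when):
        if c.kind not in CHANGES_OF_INTEREST:
            continue  # routine change: still reported elsewhere, not correlated
        nearby = sorted(
            (e for e in events
             if e.node == c.node and e.kind in LOG_EVENTS_OF_INTEREST
             and abs(e.when - c.when) <= window),
            key=lambda e: e.when)
        if not nearby:
            continue
        context = "; ".join(f"{e.count} x {e.kind} at {e.when:%H:%M}" for e in nearby)
        alerts.append(f"'{c.element}' changed on node '{c.node}' by {c.who} "
                      f"[{c.kind}, {c.severity}] correlated with: {context}")
    return alerts


def severity_summary(changes):
    """Count changes per (node, severity); the basis of messages such as
    'There were 15 Medium Severity Changes on node PROD_DC1'."""
    return Counter((c.node, c.severity) for c in changes)


# Constructed change records, as a FIM/configuration-monitoring tool might emit.
SAMPLE_CHANGES = [
    Change(datetime(2011, 5, 10, 9, 2), "PROD_DC1", "logging_disabled",
           "Windows audit policy", "jdoe", "High"),
    Change(datetime(2011, 5, 10, 9, 5), "PROD_DC1", "service_enabled",
           "FTP service", "jdoe", "High"),
    Change(datetime(2011, 5, 10, 9, 40), "PROD_DC1", "policy_test_failed",
           "PCI 2.1 password-length test", "svc_backup", "Medium"),
    Change(datetime(2011, 5, 10, 10, 30), "PROD_FINANCE", "file_modified",
           "Sales_Forecast_2011.xls", "Ed Rarick", "Medium"),
]

# Constructed, pre-aggregated log lines: timestamp|node|kind|count
SAMPLE_LOG_LINES = [
    "2011-05-10T08:58:00|PROD_DC1|failed_login|10",
    "2011-05-10T09:00:00|PROD_DC1|login_success|1",
    "2011-05-10T09:03:00|PROD_DC1|eventlog_cleared|1",
    "2011-05-10T10:25:00|PROD_FINANCE|login_success|1",
    "2011-05-10T11:00:00|PROD_DC1|host_silent|1",
]


if __name__ == "__main__":
    events = [parse_log_line(line) for line in SAMPLE_LOG_LINES]
    for alert in correlate(SAMPLE_CHANGES, events):
        print(alert)
    for (node, sev), n in sorted(severity_summary(SAMPLE_CHANGES).items()):
        print(f"There were {n} {sev} Severity Changes on node '{node}'.")
```

Run as-is, the two PROD_DC1 changes made while logins were failing, a login succeeded and the event log was cleared produce alerts; the later policy-test failure and the finance spreadsheet edit do not, because no log event of interest falls inside the window on that host. The severity counter gives the per-node roll-up that EIF forwards as a single message per criticality level.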