Enviar búsqueda
Cargar
2005 issa journal-simsevaluation
•
0 recomendaciones
•
240 vistas
A
asundaram1
Seguir
Tecnología
Denunciar
Compartir
Denunciar
Compartir
1 de 3
Descargar ahora
Descargar para leer sin conexión
Recomendados
Business Logic Monitoring Primer
Business Logic Monitoring Primer
Rocco Magnotta
Event mgt feb09
Event mgt feb09
pladott11
ITFM Business Brief
ITFM Business Brief
wdjohnson1
Understanding security operation.pptx
Understanding security operation.pptx
Piyush Jain
CoreTrace Whitepaper: Application Whitelisting And Energy Systems
CoreTrace Whitepaper: Application Whitelisting And Energy Systems
CoreTrace Corporation
Cognitive security
Cognitive security
Iqra khalil
SIEM for Beginners
SIEM for Beginners
BAKOTECH
An Introduction to zOS Real-time Infrastructure and Security Practices
An Introduction to zOS Real-time Infrastructure and Security Practices
Jerry Harding
Recomendados
Business Logic Monitoring Primer
Business Logic Monitoring Primer
Rocco Magnotta
Event mgt feb09
Event mgt feb09
pladott11
ITFM Business Brief
ITFM Business Brief
wdjohnson1
Understanding security operation.pptx
Understanding security operation.pptx
Piyush Jain
CoreTrace Whitepaper: Application Whitelisting And Energy Systems
CoreTrace Whitepaper: Application Whitelisting And Energy Systems
CoreTrace Corporation
Cognitive security
Cognitive security
Iqra khalil
SIEM for Beginners
SIEM for Beginners
BAKOTECH
An Introduction to zOS Real-time Infrastructure and Security Practices
An Introduction to zOS Real-time Infrastructure and Security Practices
Jerry Harding
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk Management
DMIMarketing
Decision-Zone Introduction
Decision-Zone Introduction
Rocco Magnotta
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
DFLABS SRL
Frans van Leuven - The security aspects of Cloud Services
Frans van Leuven - The security aspects of Cloud Services
VNU Exhibitions Europe
IBM Security Guardium Data Activity Monitor (Data Sheet-USEN)
IBM Security Guardium Data Activity Monitor (Data Sheet-USEN)
Peter Tutty
.The Complete Guide to Log and Event Management
.The Complete Guide to Log and Event Management
Enterprise Technology Management (ETM)
Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011
Redspin, Inc.
CoreTrace Whitepaper: Whitelisting And Control Systems
CoreTrace Whitepaper: Whitelisting And Control Systems
CoreTrace Corporation
Use Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiency
JonathanPritchard12
Changing the Security Monitoring Status Quo
Changing the Security Monitoring Status Quo
EMC
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
AlienVault
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
Sirius
Logging, monitoring and auditing
Logging, monitoring and auditing
Piyush Jain
Event log monitoring for the pci dss
Event log monitoring for the pci dss
SarahLamusu
Strategic Information Management Through Data Classification
Strategic Information Management Through Data Classification
Booz Allen Hamilton
SIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security Arsenal
ManageEngine EventLog Analyzer
Symantec government technology summit abstract
Symantec government technology summit abstract
Carahsoft
Maceo Wattley Contributor Infosec
Maceo Wattley Contributor Infosec
Dr. Maceo D. Wattley
Data Center Security Market — Explore latest facts on networking 2025
Data Center Security Market — Explore latest facts on networking 2025
Arushi00
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Ahmed Al Enizi
2009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-2009
asundaram1
2006 issa journal-organizingand-managingforsuccess
2006 issa journal-organizingand-managingforsuccess
asundaram1
Más contenido relacionado
La actualidad más candente
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk Management
DMIMarketing
Decision-Zone Introduction
Decision-Zone Introduction
Rocco Magnotta
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
DFLABS SRL
Frans van Leuven - The security aspects of Cloud Services
Frans van Leuven - The security aspects of Cloud Services
VNU Exhibitions Europe
IBM Security Guardium Data Activity Monitor (Data Sheet-USEN)
IBM Security Guardium Data Activity Monitor (Data Sheet-USEN)
Peter Tutty
.The Complete Guide to Log and Event Management
.The Complete Guide to Log and Event Management
Enterprise Technology Management (ETM)
Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011
Redspin, Inc.
CoreTrace Whitepaper: Whitelisting And Control Systems
CoreTrace Whitepaper: Whitelisting And Control Systems
CoreTrace Corporation
Use Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiency
JonathanPritchard12
Changing the Security Monitoring Status Quo
Changing the Security Monitoring Status Quo
EMC
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
AlienVault
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
Sirius
Logging, monitoring and auditing
Logging, monitoring and auditing
Piyush Jain
Event log monitoring for the pci dss
Event log monitoring for the pci dss
SarahLamusu
Strategic Information Management Through Data Classification
Strategic Information Management Through Data Classification
Booz Allen Hamilton
SIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security Arsenal
ManageEngine EventLog Analyzer
Symantec government technology summit abstract
Symantec government technology summit abstract
Carahsoft
Maceo Wattley Contributor Infosec
Maceo Wattley Contributor Infosec
Dr. Maceo D. Wattley
Data Center Security Market — Explore latest facts on networking 2025
Data Center Security Market — Explore latest facts on networking 2025
Arushi00
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Ahmed Al Enizi
La actualidad más candente
(20)
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk Management
Decision-Zone Introduction
Decision-Zone Introduction
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
Frans van Leuven - The security aspects of Cloud Services
Frans van Leuven - The security aspects of Cloud Services
IBM Security Guardium Data Activity Monitor (Data Sheet-USEN)
IBM Security Guardium Data Activity Monitor (Data Sheet-USEN)
.The Complete Guide to Log and Event Management
.The Complete Guide to Log and Event Management
Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011
CoreTrace Whitepaper: Whitelisting And Control Systems
CoreTrace Whitepaper: Whitelisting And Control Systems
Use Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiency
Changing the Security Monitoring Status Quo
Changing the Security Monitoring Status Quo
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
Logging, monitoring and auditing
Logging, monitoring and auditing
Event log monitoring for the pci dss
Event log monitoring for the pci dss
Strategic Information Management Through Data Classification
Strategic Information Management Through Data Classification
SIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security Arsenal
Symantec government technology summit abstract
Symantec government technology summit abstract
Maceo Wattley Contributor Infosec
Maceo Wattley Contributor Infosec
Data Center Security Market — Explore latest facts on networking 2025
Data Center Security Market — Explore latest facts on networking 2025
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Destacado
2009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-2009
asundaram1
2006 issa journal-organizingand-managingforsuccess
2006 issa journal-organizingand-managingforsuccess
asundaram1
Raleigh issa chapter april meeting - managing a security & privacy governan...
Raleigh issa chapter april meeting - managing a security & privacy governan...
Raleigh ISSA
2008 Issa Journal Security Metrics Hype Reality And Value Demonstration
2008 Issa Journal Security Metrics Hype Reality And Value Demonstration
asundaram1
2005 issa journal-risk-management
2005 issa journal-risk-management
asundaram1
Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012
Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012
eldercomlaw
Destacado
(6)
2009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-2009
2006 issa journal-organizingand-managingforsuccess
2006 issa journal-organizingand-managingforsuccess
Raleigh issa chapter april meeting - managing a security & privacy governan...
Raleigh issa chapter april meeting - managing a security & privacy governan...
2008 Issa Journal Security Metrics Hype Reality And Value Demonstration
2008 Issa Journal Security Metrics Hype Reality And Value Demonstration
2005 issa journal-risk-management
2005 issa journal-risk-management
Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012
Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012
Similar a 2005 issa journal-simsevaluation
Leveraging Log Management to provide business value
Leveraging Log Management to provide business value
Enterprise Technology Management (ETM)
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
Tripwire
Open service risk correlation
Open service risk correlation
frantzyv
Securing your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWP
Sridhar Karnam
Correlog Overview Presentation
Correlog Overview Presentation
Ameritech Systems Corporation
Overall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docx
karlhennesey
Crypto sim_cryptolog_cryptospot_v3
Crypto sim_cryptolog_cryptospot_v3
Mustafa Kuğu
CSEC630 individaul assign
CSEC630 individaul assign
Ronald Jackson, Jr
Cloud Computing
Cloud Computing
Commit Software Sh.p.k.
McAfee SIEM solution
McAfee SIEM solution
hashnees
Take back your security infrastructure
Take back your security infrastructure
Anton Chuvakin
the_role_of_resilience_data_in_ensuring_cloud_security.pptx
the_role_of_resilience_data_in_ensuring_cloud_security.pptx
sarah david
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
IJIR JOURNALS IJIRUSA
Cloud computing
Cloud computing
Dulith Kasun
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
sarah david
Enterprise network management
Enterprise network management
ManageEngine, Zoho Corporation
br-security-connected-top-5-trends
br-security-connected-top-5-trends
Christopher Bennett
2_24551_Virtualization_SC_0113
2_24551_Virtualization_SC_0113
Jim Romeo
NMS Projects and POCs completed and ongoing for OSS NAM v 1.5 Linkedin
NMS Projects and POCs completed and ongoing for OSS NAM v 1.5 Linkedin
Javier Guillermo, MBA, MSc, PMP
The future of cyber security
The future of cyber security
Sandip Juthani
Similar a 2005 issa journal-simsevaluation
(20)
Leveraging Log Management to provide business value
Leveraging Log Management to provide business value
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
Open service risk correlation
Open service risk correlation
Securing your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWP
Correlog Overview Presentation
Correlog Overview Presentation
Overall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docx
Crypto sim_cryptolog_cryptospot_v3
Crypto sim_cryptolog_cryptospot_v3
CSEC630 individaul assign
CSEC630 individaul assign
Cloud Computing
Cloud Computing
McAfee SIEM solution
McAfee SIEM solution
Take back your security infrastructure
Take back your security infrastructure
the_role_of_resilience_data_in_ensuring_cloud_security.pptx
the_role_of_resilience_data_in_ensuring_cloud_security.pptx
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
Cloud computing
Cloud computing
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
Enterprise network management
Enterprise network management
br-security-connected-top-5-trends
br-security-connected-top-5-trends
2_24551_Virtualization_SC_0113
2_24551_Virtualization_SC_0113
NMS Projects and POCs completed and ongoing for OSS NAM v 1.5 Linkedin
NMS Projects and POCs completed and ongoing for OSS NAM v 1.5 Linkedin
The future of cyber security
The future of cyber security
Último
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
The Digital Insurer
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
presentation ICT roal in 21st century education
presentation ICT roal in 21st century education
jfdjdjcjdnsjd
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
The Digital Insurer
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
The Digital Insurer
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
Boston Institute of Analytics
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Edi Saputra
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
Product Anonymous
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
wesley chun
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
apidays
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
DianaGray10
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
wesley chun
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
Khushali Kathiriya
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Rafal Los
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
Anna Loughnan Colquhoun
Último
(20)
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
presentation ICT roal in 21st century education
presentation ICT roal in 21st century education
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
2005 issa journal-simsevaluation
1.
Evaluating and Implementing
Security Information Management1 Systems By Aurobindo Sundaram aurobindo_sundaram@hotmail.com Introduction In today’s security world, with hundreds of security devices of different types, millions of log entries per day, and the requirements of IT audit and regulatory bodies to monitor logs regularly, it is impossible to use a man- ual solution. Security Information Management Systems (SIMS) automate the collection of event log data from heterogeneous security devices and present a normalized, aggregated and correlated view of network security. This article introduces the technology, presents different requirements that should be fulfilled by any SIM product, discusses licensing and cost con- siderations, and presents a template for implementing a SIM solution. Most security sensor devices in use today (e.g., anti-virus, firewalls, vul- nerability assessment systems, intrusion detection systems) generate large amounts of security events during their operation. Most of these sensors generate these logs in their own proprietary format (often binary). In addi- tion, they usually require dedicated consoles to view, report and analyze this data. In a typical enterprise, this makes security information manage- ment extremely time-consuming, inconsistent and unmanageable. Security Information Management Systems (SIMS) technologies are a potential solution for this problem. SIMS products promise to gather logs from disparate security point devices and merge them into a common, ordered, risk-assessed interface. However, SIMS is still an emerging tech- Figure 1: The three layers of a Security Information nology, and the marketplace is in flux. In the following sections, we will dis- Management system cuss what we believe are key requirements for an enterprise-class SIMS. Following this, we’ll discuss licensing and cost considerations that the Native logging formats are typically better compressed, have a richness of enterprise should be cognizant of, and finally, present a blueprint for information that is harder and inefficient to translate into a pure text output implementing a SIM system. such as syslog, and have built-in hooks that allow external programs to access events in real-time. Where the native logging solution is syslog (e.g. Unix Requirements authentication logs), the point above is moot. Users are strongly encouraged to verify and test the support and type of support of event collection. Event Collection It is desirable for some (but not all) filtering of the event data to occur This layer of the SIMS deals with the collection, normalization, initial fil- at the agent that collects it. The trade-off is that the more filtering is done tering and forwarding of security-related events to a processing entity. at the source, the better the network performance, and the worse the cor- Normalization is the process of translating various vendor event logs relation results. This is because local filtering reduces the traffic that must into a common format that the SIMS can understand and manipulate. It is be sent across the network to the central engine. However, correlation important to ensure that the format of the normalized data to be extensi- works best when access to data in its entirety is available. The communi- ble by the end user—this ensures that company-specific fields (such as cation between the agent and the console must be secured using an open classification level, or handling instructions) can be added to the normal- strong encryption standard. In addition, the agent should have local stor- ized logs. Although there are currently no standard normalization formats, age facilities, so it can buffer data in a store-and-forward mechanism if the it is important to obtain a commitment to openness from the vendor. console is unavailable. The event collection layer should support the collection of data from as The SIMS must supply an application programming interface (API) so many different point devices as it can. In particular, collection of the data that agents may be built to collect data from third party and esoteric should be as close to the source as possible, and in the native format of devices. This is important when you try to integrate home-grown applica- the point device where allowable (e.g. Firewall-1 OPSEC rather than syslog). tions, newer security solutions, and physical security events. THE ISSA JOURNAL ◆ April 2005 ©2005 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited.
2.
Event Processing
User Interface This is the most important portion of the SIMS. The main rationale for The primary user interface should be Web-based and near real-time, SIMS is that they can process huge streams of data, aggregate similar although an alternate stand-alone client may be provided. As with all good events, and perform correlation on volumes of events that would be security products, the ability to configure and audit the access to the inter- impossible for a human to do. It can be split into the following functional face, per user/role, is essential. components. Administrators should be able to manage incidents entirely from the Aggregation is the process of combining events of a similar type into interface, for example, by running investigative tools, changing incident one consolidated event. The biggest problem with security systems today status, or adding journal notes to an incident. is data overload. The SIMS must support aggregation with the ability to drill The interface must allow agents to be controlled from it (e.g., to down to individual events on demand. dynamically change rule sets, start/stop, etc.). Correlation is the process by which events are analyzed and entered Users must have the option to run predefined reports, or to define their into a common “event thread.” Correlation goes beyond aggregation in that own criteria for analysis. From an operational standpoint, there is value to it can incorporate logic engines and rule sets to make sense of distributed showing the ROI of the system by using built-in reports. However, users and stealth attacks that a human may not catch. The SIMS must support ele- will no doubt require their own reports, and it is important that users be mentary correlation rules (correlate by attack type, source address, destina- able to easily create their own. tion address, etc.) as well as allow an administrator to define business rules, such as multi-way correlation based on events and time. Costs and Licensing Correlation is particularly important because it can allow an enterprise to correlate vulnerability assessment data against actual attacks observed In most cases, small companies should not attempt to use SIM tech- by IDS and firewall devices. This allows the system to make intelligent nology. This is primarily because SIM has a very high initial price point decisions (e.g. “Attacker X tried attack Y; your vulnerability assessment sys- ($100K+ for software alone, could run to $200K if you include scalable tem states you are not vulnerable to attack Y; ignore attack”). It is hardware and services). Smaller organizations are urged to consider man- extremely important that it is possible to create arbitrary correlation rules aged service providers, who will charge a flat fee per device monitored. In based on attributes in the normalized database. addition, there are rarely issues with hardware and software maintenance, rule tuning, workflow creation, etc. Threat Assessment Medium to large enterprises should consider SIM if the number of The SIMS typically performs a threat assessment on an event before dis- managed devices is sufficiently large as to make managed service playing it in the user interface. The SIMS must allow the assessment to be providers too expensive (any company that spends more than $1M on performed using business rules defined by the enterprise, in addition to pro- managed service providers is likely a good candidate for SIM). It is impor- viding a pre-defined list of rules, based on best practices (e.g., Mitre CVE, or tant to note that headcount will be required to manage the system, in par- SANS best practices). It should also supply a modifiable knowledge base of ticular if it is expected to run under strict SLAs (e.g. 24-hour operation, event types. For instance, users should be able to designate a certain type of 30-minute response time, etc.). event as critical (e.g. ANY attack against finance servers; high-severity attacks It is important to carefully read the licensing model of the SIM ven- against systems in the DMZ, etc.) dor. Some vendors will count aggregated devices (e.g. when multiple Unix systems log to a single syslog server) as one device, which is Response, Escalation and Integration cheaper, and others will count them as individual devices, which are While there are many valid designs, the following capabilities are cer- more expensive. tainly “must-haves” for a SIMS: It is also important to factor in the cost of additional software, in par- ticular database licenses. SIMS have high hardware requirements, and ▲ SIMS must implement automated response workflows based on most database vendors will license by processors. Therefore, if the cus- rules defined by the enterprise. They should be able to control tomer picks a four-processor system, it is possible that their database cost common point devices natively. For instance, the SIM should be able will quadruple from their expectations. to page or e-mail a user when a certain event or sequence of events Finally, it is very important to adequately scale the hardware require- occurs. ments. We recommend that you speak to the vendor technical contacts ▲ SIMS must implement escalation workflows where an incident about the appropriate scaling factor. While the initial price may give you changes in severity based on other events, time or business rules. For sticker shock, it is far better to scale up and buy the hardware than have instance, a low-severity event should be escalated to medium severity to replace it within 6 months because it was not scaled correctly. if it has not been addressed for 24 hours. ▲ SIMS must be able to integrate with or interface otherwise with Step by Step: Implementing a SIM existing asset and risk management systems. For instance, the system should be able to import comma-separated asset This is not a comprehensive step by step, but it gives the reader some information files so that the user does not have to manually enter important steps to follow while considering a SIM solution: asset criticality information into the system individually. ▲ SIMS must provide APIs to interface bi-directionally with third-party 1. Write down your requirements (both business and technical). ticketing and incident management systems. The third-party ticketing Decide carefully what you really need. system integration is extremely important because it allows the SIMS 2. Create your evaluation requirements and test cases (how you to integrate seamlessly with the processes already in place in the decide if a product satisfies your criteria). enterprise. 3. Create and issue an RFP (pick the 4-5 most suited vendors). ©2005 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited. THE ISSA JOURNAL ◆ April 2005
3.
Ensure that you
invite not only security, but also operations to the decision meetings. 4. After the evaluation, pick two vendors to bring in-house and run against your test cases. In particular, make sure you test stress conditions (data overload) against the test system. 5. At this point, ensure that you carefully study and understand licensing options in your scenario. 6. As part of the pilot, also make sure you talk to external sources as well as reference customers from both vendors to judge actual level of effort in implementation. 7. Do not try to go too fast. Start slowly with a phase 1 approach targeting only security event logs from detection point products (firewalls, routers, Unix, Windows). Initial ticketing system and asset management integration should be built as well. Phase 2 can target more correlation, performance tuning, and integration with physical access and vulnerability assessment systems. Some things vendors will say to you (and what they really mean in italics): 1. We can work with any product. We can, but it’s often so painful to do that you’ll spend a fortune on consulting fees. Always make sure you understand exactly how easy integration with a product is. 2. Our product is plug-and-play. If you require the simplest solution possible with no additional features. Always make sure you understand how long the simplest implementation and how long the first functional implementation will take. They’re not the same. 3. We can be up and running in a week. If all you want is standard logging with no aggregation, correlation or integration with anything else. Be very careful about believing vendors on this point. There is no panacea to this problem. You will require several weeks to months to tune your system appropriately. Indeed, even after initial tuning, there is continuous configuration to perform on the system to ensure that it runs effectively. The Marketplace The marketplace in the SIM space is crowded with small private com- panies jockeying for space with the larger, more established vendors. In general, the smaller niche vendors have been able to hold their own so far. Some private vendors are: eSecurity, ArcSight, netForensics, and GuardedNet. Some of the larger vendors moving into the space include Computer Associates (with eTrust Security Command Center) and Symantec (with their Incident Manager and other products). We expressly do not make recommendations on which vendor to use. It is strongly sug- gested that you go through an RFP process with these vendors and create your own requirements and judgments. ¡ Aurobindo “Robin” Sundaram, CISSP/CISM, is the Director of Network Security at ChoicePoint Inc. Robin has worked in the information security business for over 7 years in various capacities. He also holds the CISA and CCSA technical certifi- cations and is currently working on his MBA from the Goizueta School of Business at Emory University. 1 Also referred to as Security Event Management (SEM) THE ISSA JOURNAL ◆ April 2005 ©2005 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited.
Descargar ahora