SANS Sixth Annual Log Management Survey
Part I: More Log Data, More Uses

Jerry Shenk, Senior SANS Analyst

© 2010 The SANS™ Institute - www.sans.org
6th Annual Log Management Survey

–  Goals of Survey
   •  Track progress of the log management industry
   •  Identify problems users are having
–  More Log Data
   •  Log server increases
   •  Log source increases
–  More Uses
   •  More people are finding logs useful
What Logs are Being Collected

•  Firewalls, routers, switches, IDS/IPS, etc.
•  Servers
•  Applications
•  Databases
•  Identity sources (directories, etc.)
•  Desktops
•  Physical devices – HVAC, badge access, plant control
Log Management Challenges

•  Searching and reporting
•  Analysis
•  Automation of important event alerting
•  What vendors need to do
•  What users need to do
Trustwave SIEM: Solutions for any Organization

Sunil Bhargava, VP Product Management, Trustwave (formerly Intellitactics)
Trustwave: The leader in compliance and data security

Founded in 1995; 500+ employees; 23 locations on 6 continents
Market-leading solutions for NAC, DLP, SIEM, IDS, IPS, UTM, encryption and vulnerability scanning
Top 10 global Certificate Authority with more than 60,000 SSL certificates issued
Benchmark work for HIPAA, GLBA, SOX, ISO 27000 series
PCI DSS leader – Trustwave has certified 42 percent of PSPs; 40% of Payment Applications
Performed more than 4,000 network and application penetration tests and 740 forensic investigations
Fully qualified for all PCI-related work: QSA (2002); ASV (2003); PA-QSA (2005); QIRA (2005)

Awards shown as logos on the original slide: 2009 Frost & Sullivan NAC Best Practices; 2009 SC Magazine “Recommended”, Managed Security Services; 2010 SC Magazine “Finalist”, Encryption; Forrester 9 out of 10 rating, NAC solution
What’s New in Log Collection

•  Some great news on collection
   –  10%: biggest problem
   –  27%: least challenging
•  Implications
   –  Today’s challenges…
      •  Making sense of logs we already receive
      •  Getting logs from non-traditional sources
      •  Finding more value in them all
Making Sense of the Logs We Have

Moving on up: Collection to Analysis
•  Extracting value
   –  Automated analysis
   –  Actionable reporting
   –  Auto-detect
      •  Control violations
      •  Deviation from normal activity
•  Consolidating
   –  Logs
   –  Use cases
   –  Budgets
      •  Are all disparate solutions required?
Getting Logs from New Sources

The Insider Threat and Risk
•  The NEW questions in the survey
   –  49%: from desktops
   –  48%: from physical devices
•  New challenges for finding value
   –  Cross-correlation across disparate types
   –  If MS-Windows server analysis is already found challenging, how will desktops fare?
•  Application logs: the question of value re-surfaces
   –  Are applications auditing the requisite details?
   –  Can your solution analyze those logs?
Extracting More Value

Doing more with logs
•  Evolving SIEM technologies are making it happen
•  Blended threats require blended solutions
•  Making advanced SIEM capabilities available to everyone
Technology Advancements

•  SIEM advancements
   –  Continuous processing
      •  From parsing to detecting control violations
   –  Embedded data store
      •  Compressed and indexed
•  Embedded knowledge and analytics
   –  Directly addressing secondary users
      •  HR, Legal, and asset owners
      •  For user activity and asset exposure status
   –  Analytical modules: searches, correlations, actionable reports and alerting
      •  Includes data modules: acquisition, parsing, normalization and event taxonomy assignment
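The data-module chain on this slide (acquisition, parsing, normalization, event taxonomy assignment) is easiest to see with a few lines of code. The example below is added here; it is not code from the SANS survey, from Trustwave or from ArcSight. It parses constructed log lines from three source types (a firewall, a Windows domain controller and an application) into one common schema and assigns each a shared taxonomy category, so that a later search or correlation can ask "show me auth.failure from any source" without caring which product wrote the line. The line layouts, hostnames, addresses and category names are assumptions for illustration; Windows event IDs 4624 and 4625 are the real logon success/failure IDs, but the line layout around them is constructed.

```python
"""Parse heterogeneous log lines into one normalized event schema and assign
a taxonomy category (acquisition, parsing, normalization, taxonomy).

Added example; not code from the SANS survey, Trustwave or ArcSight.
Line formats, hosts, addresses and taxonomy names are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    ts: str                  # timestamp as received (ISO-8601, UTC)
    source_type: str         # firewall | windows | app | unknown
    category: str            # taxonomy: auth.failure, auth.success, net.deny, net.allow, unknown
    user: Optional[str]      # lower-cased so cross-source joins on user work
    src_ip: Optional[str]
    dst_ip: Optional[str]
    host: str                # reporting device
    raw: str                 # original line, always retained (audit-quality collection)


# Constructed sample lines, one layout per source type.
SAMPLE_LINES = [
    "2010-04-14T10:02:11Z fw01 DENY TCP 203.0.113.5:51234 -> 10.0.0.7:445",
    "2010-04-14T10:02:15Z dc01 EventID=4625 User=JSmith Src=203.0.113.5 Reason=BadPassword",
    "2010-04-14T10:02:20Z app01 payroll login=jsmith result=FAILURE ip=203.0.113.5",
    "2010-04-14T10:02:31Z dc01 EventID=4624 User=jsmith Src=203.0.113.5 LogonType=3",
    "2010-04-14T10:03:00Z app01 payroll login=jsmith result=SUCCESS ip=203.0.113.5",
]

# One parser per source format; each is anchored so a near-miss line falls through.
FIREWALL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$")
WINDOWS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) User=(?P<user>\S+) Src=(?P<src>[\d.]+)")
APP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) login=(?P<user>\S+) "
    r"result=(?P<result>\w+) ip=(?P<src>[\d.]+)$")

# Event taxonomy assignment: source-specific codes map onto shared categories.
WINDOWS_TAXONOMY = {"4624": "auth.success", "4625": "auth.failure"}


def normalize(line: str) -> Event:
    """Map one raw line onto the common schema; never discard an unparsed line."""
    m = FIREWALL_RE.match(line)
    if m:
        cat = "net.deny" if m["action"] == "DENY" else "net.allow"
        return Event(m["ts"], "firewall", cat, None, m["src"], m["dst"], m["host"], line)
    m = WINDOWS_RE.match(line)
    if m:
        cat = WINDOWS_TAXONOMY.get(m["eid"], "unknown")
        return Event(m["ts"], "windows", cat, m["user"].lower(), m["src"], None, m["host"], line)
    m = APP_RE.match(line)
    if m:
        cat = "auth.success" if m["result"] == "SUCCESS" else "auth.failure"
        return Event(m["ts"], "app", cat, m["user"].lower(), m["src"], None, m["host"], line)
    # Unknown format: keep the raw record, with whatever leading fields look like ts/host.
    parts = line.split(" ", 2)
    ts = parts[0] if parts else ""
    host = parts[1] if len(parts) > 1 else "unknown"
    return Event(ts, "unknown", "unknown", None, None, None, host, line)


def normalize_all(lines):
    return [normalize(line) for line in lines]


def count_by_category(events):
    """Category histogram: the simplest actionable report over normalized data."""
    return dict(Counter(e.category for e in events))


if __name__ == "__main__":
    events = normalize_all(SAMPLE_LINES)
    for e in events:
        print(f"{e.ts} {e.source_type:8} {e.category:13} user={e.user} src={e.src_ip} host={e.host}")
    print(count_by_category(events))
```

Two design points matter for the "audit-quality collection" bullet that appears later in this deck: the raw line is kept on every event, and a line no parser recognizes is still emitted (as category `unknown`) rather than silently dropped, so coverage gaps show up in the histogram instead of disappearing.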
Blended Solutions

•  Unified approach
   –  Preventive monitoring
      •  Control violations indicating surveillance
   –  Reactive monitoring
      •  Enrich alerts with context and history
   –  Forensic research
      •  Efficient searching
•  Integrated approach
   –  Protection technologies
      •  DLP, asset discovery and encryption
   –  Access control technologies
      •  IDM, NAC, VPN and physical access
Solutions for any Organization

•  Complete SIEM on premise
   –  Automate a SOC
   –  Outsource monitoring and administration
•  Only collect and store on premise
   –  Send events to MSS for continuous, daily or weekly review
•  Completely outsource
   –  Forward all logs to MSS
   –  Get reports and alerts as outcomes
Trustwave: Building the Right Formula

Call us: 888.878.7817
Learn more at: www.trustwave.com
Contact us at: info@trustwave.com
2010 Annual Log Management Survey

Varun Kohli
Sr. Product Manager
ArcSight
ArcSight Highlights

Company Background
•  ONLY pure-play SIEM public company (NASD:ARST)
•  2000+ customers in 70+ countries
•  30% of Fortune 100 companies; 37% of DJ Index companies; 6 out of the top 10 world banks

Analyst Recognition
•  SIEM Leader’s Quadrant, six years running
•  #1 in market share, last three reports
•  #1 in use for both SIEM and Log Management

Industry Recognition (logo graphics on the original slide): Gartner MQ, six years of leadership
www.arcsight.com
Top Use Cases

#   2008                                 2009                               2010
1   Security / system event detection    User activity monitoring           Detect/prevent unauthorized access
2   Monitoring IT controls / forensics   IT operations                      Forensics analysis / correlation
3   Regulatory compliance                Forensics analysis / correlation   Regulatory compliance
4   IT operations                        Regulatory compliance              IT operations

From reactive to proactive
Advanced user/asset management
Top Logs Being Collected

#   2008                     2009                     2010
1   OS                       OS                       Switch/Router/Firewall
2   Switch/Router/Firewall   Switch/Router/Firewall   Servers
3   Databases                Databases                Applications and identity data

Diverse and advanced use cases
Evolving Use Cases Bring New Challenges

#   2008               2009             2010
1   Collection         IT operations    Searching
2   Search             Normalization    Analysis and reporting
3   Reporting          Search           Multiple vendors/formats
4   Entire lifecycle   Reporting        Normalization

Analysis across all data – structured and unstructured
Enrichment of data for smarter analysis
Why can’t existing solutions meet these challenges?

–  Designed for a different purpose

Solution 1                Solution 2             Ideal Solution
Security and compliance   IT operations          One solution does all
Long-term retention       Short-term retention   Automatic enforcement
Structured data           Unstructured data      Capture everything, search anything

–  SIEM and LM are not different
–  Missing context on assets/users
How to select the ideal solution?

A log management solution is NOT IDEAL if it:
•  CANNOT simultaneously handle security, compliance, and IT ops
•  CANNOT collect from everything
•  CANNOT analyze across structured and unstructured data
•  HAS a tradeoff between fast collection, fast analysis and efficient storage
•  DOES NOT normalize events to make them easy to understand
•  DOES NOT offer audit-quality log collection
•  DOES NOT have pre-packaged content
•  DOES NOT offer flexible, economic and long-term storage
•  DOES NOT have real-time correlation (user model, asset model, etc.)
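The last bullet (real-time correlation with a user model and an asset model) is the step that turns normalized events into the alerts the earlier slides ask for: auto-detected control violations, deviation from normal activity, and alerts enriched with context. The example below is added here and is not code from the SANS survey, Trustwave or ArcSight. It runs two rules over a small set of constructed, already-normalized events (auth.failure / auth.success / net.deny categories) in a single time-ordered pass: a burst of authentication failures from one source followed by a success (the 2010 top use case, detect/prevent unauthorized access, observed across both Windows and application logs), and a successful login outside the user's baseline hours. Each alert is enriched from an asset model (criticality sets severity, owner says who gets the report) and a user model (department, usual hours). Hosts, users, addresses, thresholds, windows and rule names are all assumptions for illustration.

```python
"""Real-time correlation over normalized events with a user model and an
asset model: failure burst followed by success, and off-hours success.

Added example; not code from the SANS survey, Trustwave or ArcSight.
Hosts, users, addresses, thresholds and rule names are constructed; events
are assumed to already carry a taxonomy category from a normalization step.
"""
from collections import defaultdict
from datetime import datetime

# Asset model: criticality drives severity; owner is who receives the report.
ASSETS = {
    "dc01":  {"criticality": "high",   "owner": "IT"},
    "app01": {"criticality": "medium", "owner": "Finance"},
}
# User model: the baseline a "deviation from normal activity" check compares against.
USERS = {
    "jsmith": {"dept": "finance", "usual_hours": (8, 18)},   # UTC hours, [start, end)
    "mlee":   {"dept": "hr",      "usual_hours": (8, 18)},
}

# Constructed normalized events from three source types, deliberately out of order.
EVENTS = [
    {"ts": "2010-04-14T10:02:15Z", "source_type": "windows",  "category": "auth.failure", "user": "jsmith", "src_ip": "203.0.113.5",  "host": "dc01"},
    {"ts": "2010-04-14T10:02:20Z", "source_type": "app",      "category": "auth.failure", "user": "jsmith", "src_ip": "203.0.113.5",  "host": "app01"},
    {"ts": "2010-04-14T10:02:25Z", "source_type": "windows",  "category": "auth.failure", "user": "jsmith", "src_ip": "203.0.113.5",  "host": "dc01"},
    {"ts": "2010-04-14T10:02:31Z", "source_type": "windows",  "category": "auth.success", "user": "jsmith", "src_ip": "203.0.113.5",  "host": "dc01"},
    {"ts": "2010-04-14T10:05:00Z", "source_type": "firewall", "category": "net.deny",     "user": None,     "src_ip": "198.51.100.9", "host": "fw01"},
    {"ts": "2010-04-15T02:10:00Z", "source_type": "app",      "category": "auth.success", "user": "mlee",   "src_ip": "10.0.0.50",    "host": "app01"},
    {"ts": "2010-04-14T09:00:00Z", "source_type": "app",      "category": "auth.success", "user": "mlee",   "src_ip": "10.0.0.50",    "host": "app01"},
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, threshold: int = 3, window_s: int = 300):
    """Single pass in time order; returns alerts enriched with user and asset context."""
    alerts = []
    failures = defaultdict(list)          # src_ip -> timestamps of auth.failure events seen
    for e in sorted(events, key=lambda x: _parse(x["ts"])):
        t = _parse(e["ts"])
        if e["category"] == "auth.failure":
            failures[e["src_ip"]].append(t)
            continue
        if e["category"] != "auth.success":
            continue                      # other categories play no part in these two rules
        asset = ASSETS.get(e["host"], {"criticality": "unknown", "owner": "unknown"})
        user = USERS.get(e["user"], {"dept": "unknown", "usual_hours": (0, 24)})
        context = {"user": e["user"], "dept": user["dept"], "host": e["host"],
                   "src_ip": e["src_ip"], "asset_owner": asset["owner"], "ts": e["ts"]}

        # Rule 1: >= threshold failures from the same source within window_s, then a success.
        recent = [f for f in failures[e["src_ip"]] if 0 <= (t - f).total_seconds() <= window_s]
        if len(recent) >= threshold:
            alerts.append({"rule": "auth.bruteforce_then_success",
                           "severity": "high" if asset["criticality"] == "high" else "medium",
                           "failures": len(recent), **context})
            failures[e["src_ip"]].clear()   # one alert per burst

        # Rule 2: success outside the user's baseline hours (deviation from normal activity).
        lo, hi = user["usual_hours"]
        if not (lo <= t.hour < hi):
            alerts.append({"rule": "auth.offhours_success",
                           "severity": "medium" if asset["criticality"] == "high" else "low",
                           "hour_utc": t.hour, **context})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a["severity"].upper(), a["rule"], a["user"], a["host"], a["ts"])
```

The failure counter is keyed on source address rather than on host, which is what lets a burst split across the domain controller and the payroll application still add up to one alert; the same logic keyed per host would see two sub-threshold bursts and stay silent.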
Integrated Growth Path

(Diagram on the original slide: a product stack of ArcSight Connector, ArcSight Logger, ArcSight Express and ArcSight ESM, surrounded by the use-case labels Infrastructure; Databases: Sensitive Data Security; Users: User Activity Monitoring; Application: Transaction Security; Transactions: Fraud Detection.)

www.arcsight.com
Summary

•  Validation
   –  Growing space, increasing adoption
•  Use case expansion
   –  Beyond security and compliance to identity management and IT operations
•  Searching and reporting
   –  Normalization and device coverage

Thank You!

Next Steps
•  Website: www.arcsight.com/logger
•  Questions: info@arcsight.com
•  Telephone: +1 (888) 415-ARST
•  Future webinars: http://www.arcsight.com/webinars/

Q@SANS.org
www.SANS.org/reading_room/analysts_program
SANS Log Management 1

  • 1. SANS Sixth Annual Log Management Survey Part I More Log Data, More Uses Jerry Shenk, Senior SANS Analyst © 2010 The SANS™ Institute - www.sans.org
  • 2. 6th Annual Log Management Survey –  Goals of Survey •  Track progress of log management industry •  Identify problems users are having –  More Log Data •  Log server increases •  Log source increases –  More Uses •  More people are finding logs useful 2 © 2010 The SANS™ Institute - www.sans.org
  • 3. 3 © 2010 The SANS™ Institute - www.sans.org
  • 4. 4 © 2010 The SANS™ Institute - www.sans.org
  • 5. 5 © 2010 The SANS™ Institute - www.sans.org
  • 6. 6 © 2010 The SANS™ Institute - www.sans.org
  • 7. 7 © 2010 The SANS™ Institute - www.sans.org
  • 8. 8 © 2010 The SANS™ Institute - www.sans.org
  • 9. What Logs are Being Collected •  Firewalls, routers, switches, IDS/ IPS, etc. •  Servers •  Applications •  Databases •  Identity Sources (directories, etc.) •  Desktops •  Physical devices – HVAC, badge access, plant control 9 © 2010 The SANS™ Institute - www.sans.org
  • 10. Log Management Challenges •  Searching and reporting •  Analysis •  Automation of important event alerting •  What vendors need to do •  What users need to do 10 © 2010 The SANS™ Institute - www.sans.org
  • 11. Trustwave SIEM: Solutions for any Organization Sunil Bhargava, VP Product Management, Trustwave (Formerly Intellitactics) © 2010 The SANS™ Institute - www.sans.org
  • 12. Trustwave: The leader in compliance and data security Found in 1995; 500+ employees; 23 locations on 6 continents Market leading solutions for NAC, DLP, SIEM, IDS, IPS, UTM, Encryption and Vulnerability scanning Top 10 global Certificate Authority with more than 60,000 SSL certificates issued Benchmark work for HIPAA, GLBA, SOX, ISO 27000 series PCI DSS leader – Trustwave has certified 42 percent of PsPs; 40% of Payment Applications Performed more than 4,000 network and application penetration tests and 740 forensic investigations Fully qualified for all PCI-related work: QSA (2002); ASV (2003); PA-QSA (2005); QIRA (2005) 2009 Frost & Sullivan 2009 NAC Best Practices Forrester 9 out of 10 rating 2010 SC Magazine “Recommended” NAC solution SC Magazine “Finalist” Managed Security Services Encryption 2 © 2009 The SANS™ Institute - www.sans.org
13. What's New in Log Collection
  •  Some great news on collection
     –  Only 10% of respondents rate collection as their biggest problem
     –  27% rate it as their least challenging area
  •  Implications: today's challenges are
     •  Making sense of the logs we already receive
     •  Getting logs from non-traditional sources
     •  Finding more value in all of them
14. Making Sense of the Logs We Have: Moving on up, from collection to analysis
  •  Extracting value
     –  Automated analysis
     –  Actionable reporting
     –  Auto-detect
        •  Control violations
        •  Deviation from normal activity
  •  Consolidating
     –  Logs
     –  Use cases
     –  Budgets
  •  Are all the disparate solutions required?
15. Getting Logs from New Sources: The insider threat and risk
  •  The NEW questions in the survey
     –  49% collect from desktops
     –  48% collect from physical devices
  •  New challenges for finding value
     –  Cross-correlation across disparate source types
     –  If analyzing Windows server logs is already found challenging, how will desktops fare?
  •  Application logs: the question of value re-surfaces
     –  Are applications auditing the requisite details?
     –  Can your solution analyze those logs?
16. Extracting More Value: Doing more with logs
  •  Evolving SIEM technologies are making it happen
  •  Blended threats require blended solutions
  •  Making advanced SIEM capabilities available to everyone
17. Technology Advancements
  •  SIEM advancements
     –  Continuous processing
        •  From parsing to detecting control violations
     –  Embedded data store
        •  Compressed and indexed
     –  Embedded knowledge and analytics
        •  Directly addressing secondary users: HR, Legal and asset owners
        •  For user activity and asset exposure status
     –  Analytical modules: searches, correlations, actionable reports and alerting
        •  Built on data modules: acquisition, parsing, normalization and event taxonomy assignment
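The processing chain sketched on slides 14 through 17 (acquisition, parsing, normalization, event taxonomy assignment, then correlation that auto-detects control violations, including cross-correlation between logical sources and physical devices such as badge readers) as a runnable Python example. This is an added illustration written for this page, not Trustwave's or any vendor's code; the three log formats, the sample lines, the 10.0.0.0/8 "internal" range, the taxonomy names and the rule thresholds are all assumptions made for the example.

```python
"""Toy SIEM pipeline: acquire -> parse -> normalize -> assign taxonomy -> correlate.
Added example; formats, rules and thresholds are assumptions, not any vendor's code."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample logs in three native formats (assumed layouts, not real captures).
RAW_LOGS = [
    "2010-04-12T08:01:05 fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2010-04-12T08:02:10 srv01 sshd[2101]: Failed password for jdoe from 203.0.113.7 port 51122 ssh2",
    "2010-04-12T08:02:14 srv01 sshd[2101]: Failed password for jdoe from 203.0.113.7 port 51124 ssh2",
    "2010-04-12T08:02:19 srv01 sshd[2101]: Failed password for jdoe from 203.0.113.7 port 51126 ssh2",
    "2010-04-12T08:02:25 srv01 sshd[2101]: Accepted password for jdoe from 203.0.113.7 port 51128 ssh2",
    "2010-04-12T08:03:00,door=HQ-lobby,badge=jdoe,result=granted",
    "this line matches no parser and is dropped",
]

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate address space

# Data modules: one regex per source plus a builder that maps native fields into the
# common schema and assigns a taxonomy category of the form "class/outcome".
PARSERS = [
    (re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
                r"password for (?P<user>\S+) from (?P<src>\S+) port \d+"),
     lambda m: {"host": m["host"], "user": m["user"], "src": m["src"],
                "category": "auth/success" if m["outcome"] == "Accepted" else "auth/failure"}),
    (re.compile(r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
                r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"),
     lambda m: {"host": m["host"], "src": m["src"], "dst": m["dst"],
                "category": "network/" + m["action"]}),
    (re.compile(r"^(?P<ts>\S+),door=(?P<door>[^,]+),badge=(?P<user>[^,]+),result=(?P<result>\w+)$"),
     lambda m: {"host": m["door"], "user": m["user"],
                "category": "physical/entry" if m["result"] == "granted" else "physical/denied"}),
]


def normalize(line):
    """Parse one raw line into the common schema; return None if no parser matches."""
    for pattern, build in PARSERS:
        m = pattern.match(line)
        if m:
            event = {"ts": datetime.fromisoformat(m["ts"]), "raw": line}
            event.update(build(m))
            return event
    return None


def is_internal(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def detect_bruteforce_success(events, threshold=3, window=timedelta(minutes=5)):
    """Control violation: at least `threshold` auth failures for one account from one
    source, followed by a success from that source inside `window`."""
    alerts = []
    for ev in events:
        if ev["category"] != "auth/success":
            continue
        failures = [e for e in events
                    if e["category"] == "auth/failure"
                    and e["user"] == ev["user"] and e["src"] == ev["src"]
                    and ev["ts"] - window <= e["ts"] < ev["ts"]]
        if len(failures) >= threshold:
            alerts.append({"rule": "bruteforce-then-success", "user": ev["user"],
                           "src": ev["src"], "failures": len(failures), "ts": ev["ts"]})
    return alerts


def detect_remote_login_while_onsite(events, window=timedelta(minutes=10)):
    """Cross-source rule: a login from outside the corporate network close in time to
    a badge entry by the same user, which one person cannot do alone."""
    alerts = []
    entries = [e for e in events if e["category"] == "physical/entry"]
    for ev in events:
        if ev["category"] != "auth/success" or is_internal(ev["src"]):
            continue
        for door in entries:
            if door["user"] == ev["user"] and abs(door["ts"] - ev["ts"]) <= window:
                alerts.append({"rule": "remote-login-while-onsite", "user": ev["user"],
                               "src": ev["src"], "door": door["host"], "ts": ev["ts"]})
    return alerts


def run_pipeline(lines):
    """Normalize all lines, order them by time, and run both correlation rules."""
    events = [e for e in (normalize(line) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])
    return events, detect_bruteforce_success(events) + detect_remote_login_while_onsite(events)


if __name__ == "__main__":
    for alert in run_pipeline(RAW_LOGS)[1]:
        print(alert)
```

The taxonomy step is what makes the second rule possible: once an sshd "Accepted password" and a badge-reader "granted" row both carry a category and a user field, a rule can be written once against those fields instead of against each product's native format.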
18. Blended Solutions
  •  Unified approach
     –  Preventive monitoring
        •  Control violations indicating surveillance
     –  Reactive monitoring
        •  Enrich alerts with context and history
     –  Forensic research
        •  Efficient searching
  •  Integrated approach
     –  Protection technologies: DLP, asset discovery and encryption
     –  Access control technologies: IDM, NAC, VPN and physical access
19. Solutions for any Organization
  •  Complete SIEM on premise
     –  Automate a SOC
     –  Outsource monitoring and administration
  •  Only collect and store on premise
     –  Send events to MSS for continuous, daily or weekly review
  •  Completely outsource
     –  Forward all logs to MSS
     –  Get reports and alerts as outcomes
20. Trustwave: Building the Right Formula
  •  Call us: 888.878.7817
  •  Learn more at: www.trustwave.com
  •  Contact us at: info@trustwave.com
21. 2010 Annual Log Management Survey
  Varun Kohli, Sr. Product Manager, ArcSight
22. ArcSight Highlights
  •  Company background
     –  ONLY pure-play SIEM public company (NASD:ARST)
     –  2000+ customers in 70+ countries
     –  30% of Fortune 100 companies; 37% of DJ Index companies; 6 out of the top 10 world banks
  •  Analyst recognition
     –  SIEM Leader's Quadrant, six years running
     –  #1 in market share in the last three reports
     –  #1 in use for both SIEM and log management
  •  Industry recognition
23. Gartner MQ: Six Years of Leadership (chart slide) www.arcsight.com
24. Top Use Cases (survey ranking by year)
  Rank | 2008                               | 2009                             | 2010
  -----+------------------------------------+----------------------------------+-----------------------------------
  1    | Security / system event detection  | User activity monitoring         | Detect/prevent unauthorized access
  2    | Monitoring IT controls / forensics | Forensics analysis / correlation | IT operations
  3    | Regulatory compliance              | Forensics analysis / correlation | Regulatory compliance
  4    | Regulatory compliance              | IT operations                    | IT operations
  Takeaways: from reactive to proactive; advanced user/asset management
25. Top Logs Being Collected (survey ranking by year)
  Rank | 2008                           | 2009                   | 2010
  -----+--------------------------------+------------------------+----------
  1    | Switch/Router/Firewall         | OS                     | OS
  2    | Switch/Router/Firewall         | Switch/Router/Firewall | Servers
  3    | Applications and identity data | Databases              | Databases
  Takeaway: diverse and advanced use cases
26. Evolving use cases bring new challenges (top challenges by year)
  Rank | 2008                     | 2009          | 2010
  -----+--------------------------+---------------+--------------
  1    | Collection               | IT operations | Searching
  2    | Analysis and reporting   | Search        | Normalization
  3    | Multiple vendors/formats | Reporting     | Search
  4    | Entire lifecycle         | Reporting     | Normalization
  Takeaways: analysis across all data, structured and unstructured; enrichment of data for smarter analysis
27. Why can't existing solutions meet these challenges?
  •  Designed for a different purpose
     Solution 1              | Solution 2           | Ideal solution
     ------------------------+----------------------+------------------------------------
     Security and compliance | IT operations        | One solution does all
     Long-term retention     | Short-term retention | Automatic enforcement
     Structured data         | Unstructured data    | Capture everything, search anything
  •  SIEM and LM are not different
  •  Missing context on assets/users
28. How to select the ideal solution?
  A log management solution is NOT IDEAL if it:
  •  CANNOT simultaneously handle security, compliance and IT ops
  •  CANNOT collect from everything
  •  CANNOT analyze across structured and unstructured data
  •  HAS a tradeoff between fast collection, fast analysis and efficient storage
  •  DOES NOT normalize events to make them easy to understand
  •  DOES NOT offer audit-quality log collection
  •  DOES NOT have pre-packaged content
  •  DOES NOT offer flexible, economical, long-term storage
  •  DOES NOT have real-time correlation (user model, asset model, etc.)
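An added example (not ArcSight's or any vendor's code) of the "missing context on assets/users" point above and of the "enrich alerts with context and history" item on the Blended Solutions slide: a raw alert is joined against an assumed asset model and user model, recent history for the same account is attached, and a priority is computed from the combination. The models, events, weights and thresholds are constructed for illustration only.

```python
"""Alert enrichment against a user model and an asset model, with a history lookup.
Added example; the models, scoring weights and events are constructed assumptions."""
from datetime import datetime, timedelta

# Assumed asset model (what a CMDB or asset-discovery feed would provide).
ASSETS = {
    "db-pci-01": {"owner": "payments", "criticality": 5, "tags": ["pci", "database"]},
    "wks-0442": {"owner": "jdoe", "criticality": 1, "tags": ["desktop"]},
}
# Assumed user model (what the directory and the HR feed would provide).
USERS = {
    "jdoe": {"dept": "engineering", "status": "active", "privileged": False},
    "rsmith": {"dept": "contractor", "status": "terminated", "privileged": True},
}
# Constructed, already-normalized event history, oldest first.
HISTORY = [
    {"ts": datetime(2010, 4, 12, 7, 50), "user": "rsmith", "host": "wks-0442", "category": "auth/failure"},
    {"ts": datetime(2010, 4, 12, 7, 55), "user": "rsmith", "host": "db-pci-01", "category": "auth/failure"},
    {"ts": datetime(2010, 4, 12, 8, 0), "user": "rsmith", "host": "db-pci-01", "category": "auth/success"},
]
# Assumed base severity per taxonomy category; unknown categories score 1.
BASE_SEVERITY = {"auth/failure": 1, "auth/success": 2, "data/export": 4}

# Hosts and accounts absent from the models get a medium default rather than being ignored.
UNKNOWN_ASSET = {"owner": "unknown", "criticality": 3, "tags": []}
UNKNOWN_USER = {"dept": "unknown", "status": "unknown", "privileged": False}


def enrich(alert, assets=ASSETS, users=USERS, history=HISTORY, lookback=timedelta(hours=1)):
    """Attach asset/user context and recent history to a raw alert and score it."""
    asset = assets.get(alert["host"], UNKNOWN_ASSET)
    user = users.get(alert["user"], UNKNOWN_USER)
    prior = [e for e in history
             if e["user"] == alert["user"] and alert["ts"] - lookback <= e["ts"] < alert["ts"]]

    score = BASE_SEVERITY.get(alert["category"], 1) * asset["criticality"]
    reasons = []
    if user["status"] in ("terminated", "disabled"):
        score += 10
        reasons.append("account status is " + user["status"])
    elif user["status"] == "unknown":
        score += 4
        reasons.append("account not found in the directory")
    if user["privileged"]:
        score += 2
        reasons.append("privileged account")
    if "pci" in asset["tags"]:
        score += 3
        reasons.append("asset holds cardholder data")
    failures = sum(1 for e in prior if e["category"] == "auth/failure")
    if failures:
        score += failures
        reasons.append(f"{failures} prior auth failure(s) within {lookback}")

    priority = "high" if score >= 15 else "medium" if score >= 8 else "low"
    return {**alert, "asset": asset, "user_context": user, "history": prior,
            "score": score, "reasons": reasons, "priority": priority}


if __name__ == "__main__":
    raw = {"ts": datetime(2010, 4, 12, 8, 5), "user": "rsmith", "host": "db-pci-01",
           "category": "data/export"}
    enriched = enrich(raw)
    print(enriched["priority"], enriched["score"], enriched["reasons"])
```

The same raw event scores very differently depending on who and what it touches: an export by a terminated, privileged contractor from a PCI database after two failed logins lands at the top of the queue, while an identical category on an engineer's own desktop stays low, which is the difference the slide draws between a solution with an asset/user model and one without.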
29. Integrated Growth Path (diagram slide: ArcSight Connector, ArcSight Logger, ArcSight Express and ArcSight ESM layered over infrastructure, databases, users, sensitive data and transactions; use cases shown: application security, user activity monitoring, transaction security, fraud detection)
30. Summary
  •  Validation
     –  Growing space, increasing adoption
  •  Use case expansion
     –  Beyond security and compliance to identity management and IT operations
  •  Searching and reporting
     –  Normalization and device coverage
31. Thank You! Next Steps
  •  Website: www.arcsight.com/logger
  •  Questions: info@arcsight.com
  •  Telephone: +1 (888) 415-ARST
  •  Future webinars: http://www.arcsight.com/webinars/