Preventing The Next Data Breach Through Log Management
Ben Goodman
Principal Strategist
Novell, Inc.
ben@novell.com
Agenda
• Why Should You Care?
• The Bottom Line
• Solutions
• Next Steps
Why Should You Care?
Business/IT Trends, From Security's Perspective
• Social Networks
• Economy
• Cloud/SAAS
• Virtualization
• Mobile
Infosec Trends Collide
• Business/IT trends: Social Networks, Economy, Cloud/SAAS, Virtualization, Mobile
• Threat trends colliding with them: Cyber crime, APT, G2B Hacking
The Bottom Line
• IT trends are exposing organizations to more risk
• Strong incentives for hackers
• Unsustainable and explosive situation
  – Security organizations are underfunded
  – Hard for business leaders to understand the expenses
  – Focus is on compliance, but compliance only protects your organization against fines
• In order to do your job, you must fight for mandate and budget like never before
Start with a Few Assumptions
• No endpoint is secure
• Employees will get duped into doing bad things
• Not all employees have the best intentions
• You will be breached; the question is just how badly
• Business leaders must justify investments to a higher authority
• Criminals are lazy
No Endpoint is Secure
• Too many threat vectors to guard against them all
  – Social networking
  – 0-day vulnerabilities
  – Malware
  – SQL injection
• Your employees will get duped
• Your employees could even be getting paid
You Are Breached
• Research suggests that a large portion of botnets comes from corporate networks
  – Can you guarantee every endpoint on your network is completely malware free?
• Start from the perspective that every endpoint on your network is already breached
• Trust must be earned before being granted
• Authentication only guarantees access
• Inspect every tr
“IT administrators were responsible for more data compromises than any other insider role. [However,] many will note the rather small difference between breaches caused by other employees and IT administrators. These findings are a reminder that high levels of access are not necessary in order to compromise data.”
– Verizon Business, 2008 Data Breach Investigations Report
Security Today
• Keep “bad guys” away from the network
• Build a gigantic wall around the enterprise
• Deploy point technologies to guard against specific threat vectors at the edge
Today's Reality
• Data and workloads moving off-premise
• Threats from insiders and outsiders...
• Targeted attacks increasing
Targeted Attacks Pose a Problem
• Blurs the lines between an insider and outsider
• Hackers are incredibly good at covering their tracks
  – Heartland Data Systems: Takes nine weeks of intense scrutiny to discover something was wrong
• The evidence is there, but buried under a mountain of data!

The central challenge of security is filtering the noise and finding inconsistencies in the data.

“Evidence of events leading up to 82 percent of data breaches was available to the organization prior to actual compromise. Regardless of the particular type of event monitoring in use, the result was the same: information regarding the attack was neither noticed nor acted upon.”
– Verizon Business, 2008 Data Breach Investigations Report
Solutions

The Next Generation Security Program (layers, from the foundation up)
• Basic blocking and tackling: Firewall, Anti-virus, Access Controls
• Security Intelligence: Log Management, IDS/IPS, Vuln Scan
• User Activity Monitoring: SIEM + IAM
What is Log Management, anyway?
• A tool for collecting and storing large amounts of security logs, with the ability to search and report
• Typically deployed as a response to some sort of regulatory mandate
  – PCI
  – Sarbanes Oxley
  – HIPAA
• Often takes the place of a home grown log aggregation system
Silos of Data, Manual Processes and Little Insight

Log sources:
• Network Infrastructure (syslogs): Routers, Switches, VPN Concentrators
• Security Devices (logs): Firewalls, IDSs, IPSs, A/V
• Workstations and Servers (logs): Windows, Unix, Netware
• Databases (tables): Oracle, SQLServer, DB2
• Applications (logs): SAP, Oracle, Home Grown
• Mainframes (logs): RACF, ACF2, TopSecret

Security requires: Collect, Consolidate, Understand, Analyze, Notify, Report
• Must translate disparate data to standard regulatory language
• Not practical with manual processes
• What's happening?
Basic Log Management Functions
• Collecting logs from various network devices, security applications, and business applications
• Storing these logs for some defined retention period – ideally at the lowest possible cost
• Searching through the stored logs on an ad-hoc basis for forensics, to find anomalies, etc.
• Sending reports to analysts, managers, etc. at periodic intervals to fulfill operational or regulatory requirements
What's In a Log?
• Certain activities that take place on a system generate an event or log file
  – Successful and failed login
  – Ports open/close
  – Privilege escalation
• Syslog is a standard for taking these log files and streaming them to a central location
  – Wikipedia - “Syslog ... allows separation of the software that generates messages from the system that stores them and the software that reports and analyzes them. It also provides devices, which would otherwise be unable to communicate, a means to notify administrators of problems or performance.”
• If syslog is just a stream of information – how to make it useful?
  – Not much provided by default
  – Can save syslog to a file, grep through it – a completely manual effort
Events Explained
• Source + Priority + Message = Syslog Event
  – ftp + warning + failed login
  – lpr + notice + low on ink
  – auth + warning + privilege escalation failed
• Can I search through these events?
• How do I know if something is wrong?
• Can I create a report to see all the failed logins last week?
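The Python below is an added example, not code from the slides or from Novell. It parses BSD/RFC 3164-style syslog lines into the source (facility), priority (severity) and message parts the slide describes, and then answers the slide's two questions: an ad-hoc search over the stored events, and a report of last week's failed logins per host and user. The sample lines, host names, addresses and the capture year 2009 are all constructed for the example; BSD syslog timestamps carry no year, so the parser takes it as a parameter.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# RFC 3164 facility and severity names; the <PRI> prefix encodes both as
# facility * 8 + severity. These are the slide's "source" and "priority".
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample lines (not from any real system) mirroring the slide's
# ftp/lpr/auth examples, plus an sshd failure and one successful login.
SAMPLE_LOG = """\
<92>Mar 10 09:12:01 ftp01 ftpd[412]: failed login from 203.0.113.7 user=alice
<92>Mar 10 09:12:03 ftp01 ftpd[412]: failed login from 203.0.113.7 user=alice
<53>Mar 10 09:15:40 print01 lpd[88]: low on ink
<86>Mar 11 22:01:15 web02 sshd[3021]: Failed password for bob from 198.51.100.4 port 51022 ssh2
<36>Mar 11 22:01:20 web02 sudo: bob : command not allowed ; privilege escalation failed
<86>Mar 12 08:00:00 web02 sshd[3100]: Accepted password for carol from 192.0.2.9 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                   # priority value
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "     # BSD timestamp, no year
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "              # program name, optional pid
    r"(?P<msg>.*)$"
)
FAILED_LOGIN_RE = re.compile(r"failed (login|password)", re.I)
USER_RE = re.compile(r"user=(\w+)|for (\w+) from")


def parse_event(line, year=2009):
    """Split one syslog line into source, priority, timestamp, host, tag and message."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:                      # 24 facilities * 8 severities - 1
        raise ValueError(f"priority out of range: {pri}")
    ts = " ".join(m.group("ts").split())   # collapse the padding before one-digit days
    return {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "timestamp": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
    }


def parse_log(text, year=2009):
    return [parse_event(line, year) for line in text.splitlines() if line.strip()]


def search(events, pattern):
    """Ad-hoc search: the grep step, but over parsed events rather than raw text."""
    rx = re.compile(pattern, re.I)
    return [e for e in events if rx.search(e["message"])]


def login_user(message):
    """Pull the account name out of the two login-message shapes in the sample."""
    m = USER_RE.search(message)
    return (m.group(1) or m.group(2)) if m else None


def failed_login_report(events, week_ending):
    """Count failed logins per (host, user) over the seven days ending at week_ending."""
    start = week_ending - timedelta(days=7)
    counts = Counter()
    for e in events:
        if start <= e["timestamp"] <= week_ending and FAILED_LOGIN_RE.search(e["message"]):
            counts[(e["host"], login_user(e["message"]))] += 1
    return counts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in evts:
        print(f'{e["facility"]:>8}.{e["severity"]:<7} {e["host"]:<8} {e["tag"]}: {e["message"]}')
    print(failed_login_report(evts, datetime(2009, 3, 14)))
```

Decoding the numeric priority is what turns "a stream of information" into fields a report can group on; the same `search` call that finds failed logins can be pointed at any other message pattern without re-reading the raw file.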
Using Log Management for Prevention
• Log management provides the transparency required to discover potential threats and vulnerabilities
  – Requires a certain amount of diligence
• Use log management to discover
  – If devices or software are misconfigured
  – Who is accessing data or files
  – Who is changing configurations
  – Who has access to sensitive data and systems (and then go and limit those with access where possible)
  – Whether administrators are sharing passwords or abusing privileged access
Using Log Management for Detection
• Log management can help determine whether a breach event has occurred
  – Knowing that you've been breached is often extremely difficult
• Diligent log management tells you
  – If a new user was unexpectedly created
  – Who has elevated permissions
  – If the volume of attacks increases
  – If a vulnerable system was targeted with an exploit
  – Whether a configuration was tampered with
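As an added example (not code from the slides or from Novell), the Python below runs four of the detection questions above over a constructed set of already-parsed events: an unexpectedly created user, a grant of elevated permissions, an hour in which failed logins spike well above the hours before it, and a change to a configuration file reported by a file-integrity monitor. The event shapes, host name, addresses, thresholds and the `fim` tag for the integrity monitor are assumptions made for the example; the exploit-targeting question is left out because it needs an IDS or vulnerability-scanner feed the sample does not have.

```python
import re
from collections import Counter, defaultdict
from statistics import mean

# Constructed events, as a log management tool would hold them after parsing.
def _failed_logins(day, hour, count):
    return [{"ts": f"{day}T{hour:02d}:{i:02d}:00", "host": "web02", "tag": "sshd",
             "msg": f"Failed password for admin from 198.51.100.4 port {50000 + i} ssh2"}
            for i in range(count)]

DAY = "2009-03-11"
EVENTS = (
    _failed_logins(DAY, 0, 2) + _failed_logins(DAY, 1, 3) + _failed_logins(DAY, 2, 2)
    + _failed_logins(DAY, 3, 12)          # the hour with a burst of failures
    + [
        {"ts": f"{DAY}T03:20:00", "host": "web02", "tag": "sshd",
         "msg": "Accepted password for admin from 198.51.100.4 port 52000 ssh2"},
        {"ts": f"{DAY}T03:21:10", "host": "web02", "tag": "useradd",
         "msg": "new user: name=svc_backup, UID=1003, GID=1003, home=/home/svc_backup, shell=/bin/bash"},
        {"ts": f"{DAY}T03:21:30", "host": "web02", "tag": "usermod",
         "msg": "add 'svc_backup' to group 'sudo'"},
        {"ts": f"{DAY}T03:25:00", "host": "web02", "tag": "fim",   # hypothetical integrity monitor
         "msg": "/etc/ssh/sshd_config changed: sha256 old=<OLD_HASH> new=<NEW_HASH>"},
    ]
)

NEW_USER_RE = re.compile(r"new user: name=(\w+)")
GROUP_ADD_RE = re.compile(r"add '(\w+)' to group '(\w+)'")
CONFIG_CHANGE_RE = re.compile(r"^(\S+) changed")
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}
MIN_FAILURES = 5       # hours with fewer failures than this are never flagged
SPIKE_FACTOR = 3.0     # flag an hour that exceeds 3x the mean of the hours before it


def new_users(events):
    """Accounts created on any host: 'unexpected' is for the reviewer to judge."""
    found = []
    for e in events:
        m = NEW_USER_RE.search(e["msg"]) if e["tag"] == "useradd" else None
        if m:
            found.append({"ts": e["ts"], "host": e["host"], "user": m.group(1)})
    return found


def privilege_grants(events):
    """Accounts added to a group that confers elevated permissions."""
    found = []
    for e in events:
        m = GROUP_ADD_RE.search(e["msg"]) if e["tag"] == "usermod" else None
        if m and m.group(2) in PRIVILEGED_GROUPS:
            found.append({"ts": e["ts"], "host": e["host"], "user": m.group(1), "group": m.group(2)})
    return found


def failed_login_spikes(events):
    """Per host, compare each hour's failed-login count with the mean of earlier hours."""
    per_hour = Counter()
    for e in events:
        if e["tag"] == "sshd" and "Failed password" in e["msg"]:
            per_hour[(e["host"], e["ts"][:13])] += 1        # key on "YYYY-MM-DDTHH"
    findings, history = [], defaultdict(list)
    for (host, hour), count in sorted(per_hour.items()):
        baseline = mean(history[host]) if history[host] else 0.0
        if count >= MIN_FAILURES and count > SPIKE_FACTOR * baseline:
            findings.append({"host": host, "hour": hour, "count": count, "baseline": round(baseline, 2)})
        history[host].append(count)
    return findings


def config_changes(events):
    """Configuration files whose checksum changed, as reported by the integrity monitor."""
    found = []
    for e in events:
        m = CONFIG_CHANGE_RE.match(e["msg"]) if e["tag"] == "fim" else None
        if m:
            found.append({"ts": e["ts"], "host": e["host"], "path": m.group(1)})
    return found


def detect(events):
    return {"new_users": new_users(events), "privilege_grants": privilege_grants(events),
            "failed_login_spikes": failed_login_spikes(events), "config_changes": config_changes(events)}


if __name__ == "__main__":
    for rule, findings in detect(EVENTS).items():
        print(rule, findings)
```

Each rule on its own is unremarkable; the value is that all four fire on the same host within a few minutes, which is the kind of inconsistency a reviewer would never spot by reading the raw files one at a time.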
Using Log Management for Investigation
• Event logs are the most critical footprints within the enterprise to reconstruct an actual breach
  – Log Management provides visibility across all your IT infrastructure
  – Allows root cause analysis
• Use log management to determine what happened and how it happened to remediate or mitigate:
  – Which systems and applications were compromised
  – The attack vector that was used
  – Which security systems failed
  – If the attack was detected but not acted on
  – If the attack was external or due to an insider (malicious or otherwise)
Next Steps
Building User Activity Monitoring
• UAM is the weapon against trustless computing
• Inject context into security events
  – Identities
  – Asset information
• Examine transactions with all available information
  – Determine: what happened? who did it? should I care?
• Mine the data for inconsistencies
• Where to start?
The Maturity Model (stages, from least to most mature)
• Log Management
  – CISO: “Compliance is the Driver”
  – Audit / Compliance Reporting
  – Collection, Storage, Analysis
  – Advanced Analytics
• Security Monitoring and Remediation
  – Real-time Monitoring
  – Historical Analysis
  – Automated Remediation
• User Activity Monitoring
  – Manage User Access Risk
  – Monitor Identity Fraud
  – Enterprise View
Security Management Capabilities
• Security Monitoring and Remediation
  – Detect and report on security anomalies to reduce risk
  – Automate remediation to improve security
• Log Management
  – Collect, archive, and report on log data
  – Forward data for further analysis
The Hacker
• Manually checking system logs is prone to error

(Figure: Intruder and Payment-processing System)
• The intruder hacks into the payment-processing system.
• The payment-processing system logs the malicious activity.
• With so many logs to monitor, administrators overlook the activity.
• The intruder steals customers’ credit and debit card numbers.
Real-time Monitoring and Remediation
• Real-time monitoring and remediation stops malicious activity when it occurs

(Figure: Intruder, Payment-processing System and IT Security Team)
• The intruder hacks into the payment-processing system.
• The payment-processing system logs the malicious activity.
• Recognizing the activity as out of policy, the system takes immediate action…
• …like alerting the IT security team and locking down the payment-processing system.
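The Python below is an added example, not code from the slides or from Novell, and it serves two slides at once: "Building User Activity Monitoring" (inject identity and asset context into events, then ask what happened, who did it and whether you should care) and this slide's real-time remediation story (recognize out-of-policy activity on the payment-processing system and respond with an alert and a lockdown). The identity directory, asset inventory, event stream, rule names and action names are all constructed for the example; a real deployment would read the directory and inventory from IAM and CMDB feeds and hand the actions to the systems that carry them out.

```python
# Constructed identity directory and asset inventory: the "context" to inject.
# Neither reflects any real organization.
IDENTITIES = {
    "carol": {"role": "payments-ops", "status": "active"},
    "dave":  {"role": "helpdesk",     "status": "active"},
    "erin":  {"role": "payments-ops", "status": "terminated"},
}
ASSETS = {
    "pay01":   {"criticality": "high", "data": "cardholder", "allowed_roles": {"payments-ops"}},
    "print01": {"criticality": "low",  "data": "none",       "allowed_roles": None},  # None: any role
}
# Constructed event stream in arrival order: one in-policy payments login, a helpdesk
# login to the payment system, a terminated user, an account nobody knows, a harmless login.
EVENTS = [
    {"ts": "2009-03-11T09:00:00", "host": "pay01",   "user": "carol",   "action": "login"},
    {"ts": "2009-03-11T09:05:00", "host": "pay01",   "user": "dave",    "action": "login"},
    {"ts": "2009-03-11T09:07:00", "host": "pay01",   "user": "erin",    "action": "login"},
    {"ts": "2009-03-11T09:09:00", "host": "pay01",   "user": "mallory", "action": "login"},
    {"ts": "2009-03-11T09:10:00", "host": "print01", "user": "dave",    "action": "login"},
]


def enrich(event, identities=IDENTITIES, assets=ASSETS):
    """Attach identity and asset context to a raw event; None where the lookup fails."""
    return {**event, "identity": identities.get(event["user"]), "asset": assets.get(event["host"])}


def evaluate(enriched):
    """Policy checks over the enriched event. Each violation names the rule that fired,
    which answers 'who did it' and 'what happened' in one record."""
    violations = []
    ident, asset = enriched["identity"], enriched["asset"]
    user, host = enriched["user"], enriched["host"]
    if ident is None:
        violations.append({"rule": "unknown-identity", "detail": f"{user} is not in the directory"})
    else:
        if ident["status"] != "active":
            violations.append({"rule": "inactive-identity", "detail": f"{user} is {ident['status']}"})
        if asset and asset["allowed_roles"] is not None and ident["role"] not in asset["allowed_roles"]:
            violations.append({"rule": "role-not-permitted",
                               "detail": f"role {ident['role']} may not use {host}"})
    if asset is None:
        violations.append({"rule": "unknown-asset", "detail": f"{host} is not in the inventory"})
    return violations


def respond(enriched, violations):
    """'Should I care?': any violation alerts the team; a high-criticality asset is also
    locked down and the offending account disabled, as the slide's figure describes."""
    if not violations:
        return []
    actions = ["alert:security-team"]
    asset = enriched["asset"]
    if asset and asset["criticality"] == "high":
        actions.append(f"lockdown:{enriched['host']}")
        actions.append(f"disable-account:{enriched['user']}")
    return actions


def process_stream(events, identities=IDENTITIES, assets=ASSETS):
    """Evaluate events as they arrive and record the decision taken for each."""
    decisions = []
    for ev in events:
        enriched = enrich(ev, identities, assets)
        violations = evaluate(enriched)
        decisions.append({"event": ev, "violations": violations,
                          "actions": respond(enriched, violations)})
    return decisions


if __name__ == "__main__":
    for d in process_stream(EVENTS):
        print(d["event"]["ts"], d["event"]["user"], "@", d["event"]["host"],
              [v["rule"] for v in d["violations"]], d["actions"])
```

Without the two context tables every event in the stream is just "a login"; with them, the same five events separate into one routine login, one harmless one, and three that each warrant a different response. The lockdown decision keys on the asset's criticality rather than on the user, which is why the helpdesk login to the cardholder system is treated as seriously as the unknown account.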
Apply
• Quantify the risks to the business
  – Show cost and likelihood, estimate how security investments reduce each
• Survey the technology in place today
  – Tie each investment to the risk it is reducing, or the agility it is enabling
• Build out metrics to capture the value of each piece
  – Establish a baseline
  – Compare to industry norms
  – Show how specific investments will impact metrics
• Establish weekly or monthly cadence with cross-functional security team
 
The New Business Value of Today’s Collaboration Trends
The New Business Value of Today’s Collaboration TrendsThe New Business Value of Today’s Collaboration Trends
The New Business Value of Today’s Collaboration Trends
 
Preventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementPreventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log Management
 
Iaas for a demanding business
Iaas for a demanding businessIaas for a demanding business
Iaas for a demanding business
 
Workload IQ: A Differentiated Approach
Workload IQ: A Differentiated ApproachWorkload IQ: A Differentiated Approach
Workload IQ: A Differentiated Approach
 
Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...
Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...
Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...
 

Preventing The Next Data Breach Through Log Management

  • 1. Preventing The Next Data Breach Through Log Management. Ben Goodman, Principal Strategist, Novell, Inc. ben@novell.com
  • 2. Agenda: Why Should You Care? The Bottom Line. Solutions. Next Steps.
  • 3. Why Should You Care?
  • 4. Business/IT Trends, From Security's Perspective (diagram of trends: Social Networks, Economy, Cloud/SaaS, Virtualization, Mobile)
  • 5. Infosec Trends Collide (diagram: the same trends, Social Networks, Economy, Cloud/SaaS, Virtualization and Mobile, colliding with Cybercrime, APT and G2B Hacking)
  • 7. The Bottom Line • IT trends are exposing orgs to more risk • Strong incentives for hackers • Unsustainable and explosive situation – Security orgs are underfunded – Hard for business leaders to understand the expenses – Focus is on compliance, but compliance only protects your organization against fines • In order to do your job, you must fight for mandate and budget like never before
  • 8. Start with a Few Assumptions • No endpoint is secure • Employees will get duped into doing bad things • Not all employees have the best intentions • You will be breached; the question is just how badly • Business leaders must justify investments to a higher authority • Criminals are lazy
  • 9. No Endpoint is Secure • Too many threat vectors to guard against them all – Social networking – 0-day vulnerabilities – Malware – SQL injection • Your employees will get duped • Your employees could even be getting paid
  • 10. You Are Breached • Research suggests that a large portion of botnets comes from corporate networks – Can you guarantee every endpoint on your network is completely malware free? • Start from the perspective that every endpoint on your network is already breached • Trust must be earned before being granted • Authentication only guarantees access • Inspect every tr
  • 11. “IT administrators were responsible for more data compromises than any other insider role. [However,] many will note the rather small difference between breaches caused by other employees and IT administrators. These findings are a reminder that high levels of access are not necessary in order to compromise data.” – Verizon Business, 2008 Data Breach Investigations Report
  • 12. Security Today • Keep “bad guys” away from the network • Build a gigantic wall around the enterprise • Deploy point technologies to guard against specific threat vectors at the edge
  • 13. Today's Reality • Data and workloads moving off-premise • Threats from insiders and outsiders... • Targeted attacks increasing
  • 14. Targeted Attacks Pose a Problem • Blurs the lines between an insider and outsider • Hackers are incredibly good at covering their tracks – Heartland Data Systems: takes nine weeks of intense scrutiny to discover something was wrong • The evidence is there, but buried under a mountain of data! The central challenge of security is filtering the noise and finding inconsistencies in the data.
  • 15. “Evidence of events leading up to 82 percent of data breaches was available to the organization prior to actual compromise. Regardless of the particular type of event monitoring in use, the result was the same: information regarding the attack was neither noticed nor acted upon.” – Verizon Business, 2008 Data Breach Investigations Report
  • 17. The Next Generation Security Program (layered diagram) – User Activity Monitoring: SIEM + IAM – Security Intelligence: Log Management, IDS/IPS, Vulnerability Scanning – Basic blocking and tackling: Firewall, Anti-virus, Access Controls
  • 18. What is Log Management, anyway? • A tool for collecting and storing large amounts of security logs, with the ability to search and report • Typically deployed as a response to some sort of regulatory mandate – PCI – Sarbanes-Oxley – HIPAA • Often takes the place of a home-grown log aggregation system
  • 19. Silos of Data, Manual Processes and Little Insight (diagram) – Security requires: Collect, Analyze, Consolidate, Notify, Understand, Report – Log sources: Databases (Oracle, SQL Server, DB2); Network Infrastructure (Routers, Switches, VPN Concentrators); Security Devices (Firewalls, IDSs, IPSs, A/V); Applications (SAP, Oracle, Home Grown); Workstations and Servers (Windows, Unix, Netware); Mainframes (RACF, ACF2, TopSecret); system tables and logs – Must translate disparate data to a standard regulatory language – Not practical with manual processes – What's happening?
  • 20. Basic Log Management Functions • Collecting logs from various network devices, security applications, and business applications • Storing these logs for some defined retention period – ideally at the lowest possible cost • Searching through the stored logs on an ad-hoc basis for forensics, to find anomalies, etc. • Sending reports to analysts, managers, etc. at periodic intervals to fulfill operational or regulatory requirements
  • 21. What's In a Log? • Certain activities that take place on a system generate an event or log file – Successful and failed login – Ports open/close – Privilege escalation • Syslog is a standard for taking these log files and streaming them to a central location – Wikipedia: “Syslog ... allows separation of the software that generates messages from the system that stores them and the software that reports and analyzes them. It also provides devices, which would otherwise be unable to communicate, a means to notify administrators of problems or performance.” • If syslog is just a stream of information, how do you make it useful? – Not much is provided by default – You can save syslog to a file and grep through it – a completely manual effort
  • 22. Events Explained • Source + Priority + Message = Syslog Event • ftp + warning + failed login • lpr + notice + low on ink • auth + warning + privilege escalation failed • How do I know if something is wrong? Can I search through these events? Can I create a report to see all the failed logins last week?
  • 23. Using Log Management for Prevention • Log management provides the transparency required to discover potential threats and vulnerabilities – Requires a certain amount of diligence • Use log management to discover – If devices or software are misconfigured – Who is accessing data or files – Who is changing configurations – Who has access to sensitive data and systems (and then go and limit those with access where possible) – Whether administrators are sharing passwords or abusing privileged access
  • 24. Using Log Management for Detection • Log management can help determine whether a breach event has occurred – Knowing that you've been breached is often extremely difficult • Diligent log management tells you – If a new user was unexpectedly created – Who has elevated permissions – If the volume of attacks increases – If a vulnerable system was targeted with an exploit – Whether a configuration was tampered with
  • 25. Using Log Management for Investigation • Event logs are the most critical footprints within the enterprise to reconstruct an actual breach – Log management provides visibility across all your IT infrastructure – Allows root cause analysis • Use log management to determine what happened and how it happened to remediate or mitigate: – Which systems and applications were compromised – The attack vector that was used – Which security systems failed – If the attack was detected but not acted on – If the attack was external or due to an insider (malicious or otherwise)
  • 26. Next Steps
  • 27. Building User Activity Monitoring • UAM is the weapon against trustless computing • Inject context into security events – Identities – Asset information • Examine transactions with all available information – Determine: what happened? who did it? should I care? • Mine the data for inconsistencies • Where to start?
  • 28. The Maturity Model (diagram: three stages rising toward the CISO – Log Management, where “Compliance is the Driver”; Security Monitoring and Remediation; User Activity Monitoring. Capabilities shown: Collection, Storage, Analysis; Audit / Compliance Reporting; Enterprise View; Real-time Monitoring; Historical Analysis; Automated Remediation; Manage User Access Risk; Monitor Identity Fraud; Advanced Analytics)
  • 29. Security Management Capabilities • Security Monitoring and Remediation – Detect and report on security anomalies to reduce risk – Automate remediation to improve security • Log Management – Collect, archive, and report on log data – Forward data for further analysis
  • 30. The Hacker • Manually checking system logs is prone to error (diagram: the intruder hacks into the payment-processing system; the payment-processing system logs the malicious activity; with so many logs to monitor, administrators overlook the activity; the intruder steals customers’ credit and debit card numbers)
  • 31. Real-time Monitoring and Remediation • Real-time monitoring and remediation stops malicious activity when it occurs (diagram: the intruder hacks into the payment-processing system; the payment-processing system logs the malicious activity; recognizing the activity as out of policy, the system takes immediate action... like alerting the IT security team and locking down the payment-processing system)
  • 32. Apply • Quantify the risks to the business – Show cost and likelihood; estimate how security investments reduce each • Survey the technology in place today – Tie each investment to the risk it is reducing, or the agility it is enabling • Build out metrics to capture the value of each piece – Establish a baseline – Compare to industry norms – Show how specific investments will impact metrics • Establish a weekly or monthly cadence with a cross-functional security team
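An added example, not part of the slides and not Novell's code: a small Python parser for the Source + Priority + Message view of a syslog event (slide 22), run over constructed sample lines with a few rules of the kind slide 24 lists (failed logins, an unexpected new user, a failed privilege escalation). The log lines, hostnames, addresses and rule patterns are all constructed for illustration; real rules are source-specific.

```python
import re
from collections import Counter
# Constructed sample syslog stream (RFC 3164 style, not from the slides):
# "<PRI>timestamp host tag[pid]: message", where PRI = facility * 8 + severity.
SAMPLE_LOG = """\
<38>Mar  3 09:12:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 4021 ssh2
<38>Mar  3 09:12:05 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 4023 ssh2
<38>Mar  3 09:12:09 web1 sshd[2201]: Accepted password for root from 203.0.113.7 port 4025 ssh2
<86>Mar  3 09:13:40 web1 useradd[2290]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup
<84>Mar  3 09:14:02 web1 sudo: alice : command not allowed ; TTY=pts/0 ; USER=root ; COMMAND=/bin/bash
<36>Mar  3 09:20:15 db1 ftpd[113]: FAILED LOGIN FROM 198.51.100.9 AS anonymous
"""

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog", 6: "lpr", 7: "news", 10: "authpriv"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LINE_RE = re.compile(
    r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")

# Detection rules in the spirit of slide 24 (constructed): finding name -> message pattern.
RULES = [
    ("failed_login", re.compile(r"Failed password|FAILED LOGIN", re.I)),
    ("root_login_success", re.compile(r"Accepted \w+ for root")),
    ("new_user_created", re.compile(r"new user: name=")),
    ("privilege_escalation_failed", re.compile(r"command not allowed")),
]

def parse_event(line):
    """Split one syslog line into source + priority + message (slide 22)."""
    m = LINE_RE.match(line)
    if not m:
        return None  # caller counts unparseable lines instead of silently dropping them
    facility, severity = divmod(int(m.group(1)), 8)
    return {"host": m.group(3), "source": m.group(4), "message": m.group(5),
            "facility": FACILITIES.get(facility, f"facility{facility}"), "priority": SEVERITIES[severity]}

def analyze(log_text):
    """Return (finding counts, failed logins per host, unparsed line count)."""
    findings, failed_by_host, unparsed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            unparsed += 1
            continue
        for name, pattern in RULES:
            if pattern.search(event["message"]):
                findings[name] += 1
                if name == "failed_login":
                    failed_by_host[event["host"]] += 1
    return findings, failed_by_host, unparsed
```

The per-host failed-login counter is the "all the failed logins last week" report from slide 22 in miniature; the unparsed counter matters because a source whose format changed would otherwise vanish from the report unnoticed.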