whose logs, what logs, why logs - your quickest path to security visibility

Tom D’Aquino – Sr. SIEM Engineer

WHOSE LOGS, WHAT LOGS, WHY LOGS:YOUR QUICKEST PATH TO SECURITY VISIBILITY

AGENDAThe Challenge• Getting adequate security visibility for your small or medium businessThe Widely Pursued Solution• The traditional approach to Log Management/SIEM• The cost/benefit analysisAn Alternative Approach• Who, What and Why is the keyThe Wrap Up• Unified Security Management• AlienVault’s Threat Intelligence LabsQuestions & Answers as time permits

HUMANS MEET TECHNOLOGY

HUMANS MEET TECHNOLOGYSomething is down?

YouTube is up though.

THE WIDELY PURSUED SOLUTIONThe traditional approach to Log Management/SIEM:• Collect Everything• Analyze everything• Correlate everything• Store everything

BUT AT WHAT HARDWARE COST?

How much storage, CPU and RAM will you need to collect, correlate and store all of this data?

• High-performance storage is not cheap

How effective is the automated analysis, i.e. correlation really going to be?

• Correlation is CPU and memory intensive

AND AT WHAT HUMAN RESOURCE COST?

How effective is your team really going to be?

• Can one person realistically review 10,000 alerts in a day

IS THERE A BETTER WAY?

Why do you need the logs?• Do you have an intended result in mind?

Why

What if we took a more strategic approach by identifying the problem more effectively?

IS THERE A BETTER WAY?

Why do you need the logs?• Do you have an intended result in mind?

What logs will you need to get that result?• i.e., will authentication logs suffice?

WhatWhy

What if we took a more strategic approach by identifying the problem more effectively?

IS THERE A BETTER WAY?

Why do you need the logs?• Do you have an intended result in mind?

What logs will you need to get that result?• i.e., will authentication logs suffice?

Who will the logs you collect pertain to?• Is there a specific user group/community

you should be focused on?

What

Who

Why

What if we took a more strategic approach by identifying the problem more effectively?

LET’S LOOK AT SOME EXAMPLES

Why do you need Firewall logs?• I need to see what is getting in to my

network

What logs will you need to get that result?• Firewall permit logs

Who will the logs you collect pertain to?• I’m most significantly concerned with

blacklisted IPs/domains

EXAMPLE ILLUSTRATEDYou are probably only seeing these:

When you should be looking for this:

EXAMPLES CONTINUED

Why do you need OS logs?• I need to detect unauthorized access

attempts and account lockouts

What logs will you need to get that result?• OS authentication failure and account

lockout logs

Who will the logs you collect pertain to?• I’m most significantly concerned with

admin level accounts

EXAMPLE ILLUSTRATEDMultiple events to indicate a single login:

ONE MORE EXAMPLE

Why do you need Switch/Router logs?• I need to see when someone logs in to

my network gear and makes config changes

What logs will you need to get that result?• Authentication and authorization logs

from my TACACS server would do the job

Who will the logs you collect pertain to?• Anyone connecting to my network gear

EXAMPLE ILLUSTRATEDYou may have to process thousands of these:

Just to get one or two of these:

UNIFIED SECURITY MANAGEMENT

“VISIBILITY THROUGH INTEGRATION THAT WE DO, NOT YOU”

Asset Discovery• Active Network Scanning• Passive Network Scanning• Asset Inventory• Host-based Software Inventory

Vulnerability Assessment• Network Vulnerability Testing

Threat Detection• Network IDS• Host IDS• Wireless IDS• File Integrity Monitoring

Behavioral Monitoring• Log Collection• Netflow Analysis• Service Availability Monitoring

Security Intelligence• SIEM Correlation• Incident Response

ALIENVAULT’S THREAT INTELLIGENCE LABS

AlienVault experts monitor, analyze, reverse engineer and report on sophisticated zero-day threats including malware, bots, phishing campaigns and more.

AlienVault publishes our findings in our threat blog and include all the latest intelligence as correlation rules, policies, and reputation data in the AlienVault Threat feed.

500,000Malware Samples Analyzed per day

100,000Malicious IPs Validated per day

8,000+Global Collection Points in 140+ countries

> 7 MillionURLs Analyzed

NOW FOR SOME Q&A…

Three Ways to Test Drive AlienVault

Download a Free 30-Day Trial

http://www.alienvault.com/free-trial

Try our Interactive Demo Site

http://www.alienvault.com/live-demo-site

Join us for a LIVE Demo!

http

://www.alienvault.com/marketing/alienvault-u

sm-live-

demo

Questions? hello@alienvault.com

VIEW THIS WEBINAR ON-DEMAND

A recorded version of this webinar is available

to be viewed on demand. Click here