What's Next: A Trillion Event Logs, A Million Security Threat

Upload: alan-yau-ti-dun

Post on 22-Jan-2018

Page 1: What's Next: A Trillion Event Logs, A Million Security Threat

Page 2

Facilitator Introduction

Alan Yau Ti Dun

Alan currently holds a senior role as Chief Technical Officer at a Technology / Security Operation Center organisation and has over 15 years of experience in Information Security, Governance and Controls. He has extensive experience in leading engagements and serving clients in the area of Information Security.

This includes Next Generation Security Operation Center, Information Technology Cybersecurity Infrastructure Review, Penetration Testing, IT Audit, ISO27001 Implementation, ISO27001:2013 Transition, PCI DSS Review, Security Incident Management and Response, Managed Security Services, Business Continuity Planning, Secure Email and other areas.

Prior to joining his current organisation, Alan was the Technology Consulting Services Lead at a leading regional Managed Security Service Provider, where he led the implementation and execution of Security Operation Center projects, including the rollout of the SOC for one of the leaders in the local telco market. He is also a Certified Mile2 Instructor and has conducted specific training sessions which include Mile2 Certified Training, CISSP Readiness Workshop, Cybersecurity Fundamental Training and Security Awareness Training.

Qualifications / Professional Affiliations

• Certified Information Systems Security Professional (CISSP)
• Certificate Of Cloud Security Knowledge (CCSK)
• Certified Penetration Testing Consultant (CPTC)
• Certified Penetration Testing Engineer (CPTE)
• Certified Digital Forensic Examiner (CDFE)
• Certified Network Forensic Examiner (CNFE)
• Certified Information Systems Auditor (CISA)
• Certified Information Systems Manager (CISM)
• Certified in Governance of Enterprise IT (CGEIT)
• Certified In Risk Information System Control (CRISC)
• Cybersecurity Nexus Fundamentals Certificate (CSXF)
• Ethical Network Security Administrator (ENSA)
• ITIL Foundation V3
• Microsoft Certified Security Administrator (MCSA)

Speaker@ Recent Events

• 14th Annual IT Governance, Assurance and Security Conference 2015, Malaysia – Management Track on Cybersecurity Assurance
• Bursa Malaysia Cybersecurity Workshop 2015 – Threat, Vulnerabilities and Risk
• Cloudsec 2015 – Cybersecurity Assurance
• AuditWorld 2015 – Auditing Cloud Service Provider

WWW.ISACA.ORG/MALAYSIA

Page 3

Agenda

• The Challenge For Log Analysis
• Log Management vs SIEM vs NextGen SIEM
• Security Analytic + Storage + Actionable Intelligence
• NexGen Security Operation Center For Smart Cities

Page 4

tgMonth="05" tgHour="18" tgDay="13" tgMinute="07" EC="540" C="2" CS="Logon/Logoff" L="Security" IS="LMURPHY ,TXDOT1 ,(0x15,0xE88A0488) ,3,Kerberos ,Kerberos , ,{cd7b463a-726e-1aec-4fd5-dabe7dc0231e} ,-,- ,- ,- ,- ,144.45.138.69 ,1099" SN="Security" RN="446108" XM="Successful Network Logon: User Name: LMURPHY Domain: TXDOT1 Logon ID: (0x15,0xE88A0488) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {cd7b463a-726e-1aec-4fd5-dabe7dc0231e} Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 144.45.138.69 Source Port: 1099 " tgSecond="12" U="TXDOT1\LMURPHY" T="Audit Success" ET="4" this="event" CN="HOU-DC" EI="540" tgYear="2010"

1120 00000000000000000002TSV2010-06-02-12.48.43.343776QPADEV000CQSECOFR 600091 QCMD QSYS *SYSBAS 1 00000000000000000000000000000000000000000QSECOFR OMNIAS2 ^@^@^@^@^@^@^@^@^@^@00000010570129150070882304AUDRCV0008QSYS *SYSBAS 1 1 ^@^@^@^@^@^@^@^B000000000000000243690 361363360K361362367K365K366367@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

IN090210,ESECDBA,APPLABS\DLFDTAPP0803,DLFDTAPP0803,2010/04/27 18:07:34,2010/04/27 18:08:52,2010/04/27 18:08:52,101,LOGOFF,,Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.170.11)(PORT=2788)),10187,1,1 ,0,,,,30553,,,,,dlfdt app2160,Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 – Prod

{"ALERT":{"MANDT":"001","MSG":"Logon Successful (Type=U)","REPORTEDBY":"SecurityAudit","MTMCNAME":"sapserver_DM0_01","ARGTYPE2":"C","EXTINDEX":"0000000012","OBJECTNAME":"Security","MSGARG2":"U&0","MTCLASS":"101","MSGARG1":"AU1","USERID":"SAPJSF","STATUS":"40","ARGTYPE4":"C","STATCHGDAT":"Tue Mar 24 00:00:00 PDT 2009","MTINDEX":"0000000176","VALUE":"2","MSGTEXT":"Security Audit: Logon Event","SEVERITY":"255","STATCHGBY":"SecurityAudit","ALSYSID":"DM0","ARGTYPE3":"C","MSEGNAME":"SAP_CCMS_sapserver_DM0_01","MSCGLID":"AU1","MTNUMRANGE":"033","ALERTDATE":"Tue Mar 24 00:00:00 PDT 2009","FIELDNAME":"Logon","ALUNIQNUM":"0000694352","MTSYSID":"DM0","ALERTTIME":"Thu Jan 01 08:19:24 PST 1970","STATCHGTIM":"Thu Jan 01 08:19:24 PST 1970","RC":"0","MSGID":"AU1","ALINDEX":"0000007340","ARGTYPE1":"C","MSGCLASS":"SAP-YSLOG","MTUID":"0000100010"},"SYSNR":"01","HOST":"192.168.3.7"}

The Challenge For Log Analysis

Do you manage to analyze every single line of these thousands of log lines, every minute?
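The records on the slide above arrive in unrelated shapes (a Windows Security event as key="value" attributes, an Oracle audit-trail CSV row, an SAP CCMS alert as JSON), so the first thing a collector has to do before any analysis is map them onto one schema. This is an added example, not code from the deck or from any product: the samples are trimmed copies of the slide's records, and the event-id-to-action map and field positions are assumptions drawn from those samples.

```python
import csv
import json
import re
from datetime import datetime

# Constructed samples in the three record styles shown on the slide (trimmed, values as on the slide).
WINDOWS_540 = ('tgMonth="05" tgHour="18" tgDay="13" tgMinute="07" EC="540" CS="Logon/Logoff" '
               'IS="LMURPHY ,TXDOT1 ,(0x15,0xE88A0488) ,3,Kerberos ,Kerberos , ,{cd7b463a-726e-1aec-4fd5-dabe7dc0231e} '
               ',-,- ,- ,- ,- ,144.45.138.69 ,1099" tgSecond="12" U="TXDOT1\\LMURPHY" T="Audit Success" CN="HOU-DC" tgYear="2010"')
ORACLE_AUDIT = ('IN090210,ESECDBA,APPLABS\\DLFDTAPP0803,DLFDTAPP0803,2010/04/27 18:07:34,2010/04/27 18:08:52,'
                '2010/04/27 18:08:52,101,LOGOFF,,Authenticated by: DATABASE; Client address: '
                '(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.170.11)(PORT=2788))')
SAP_ALERT = ('{"ALERT":{"MSG":"Logon Successful (Type=U)","USERID":"SAPJSF","MSGID":"AU1",'
             '"ALERTDATE":"Tue Mar 24 00:00:00 PDT 2009"},"SYSNR":"01","HOST":"192.168.3.7"}')

KV_RE = re.compile(r'(\w+)="([^"]*)"')          # key="value" attributes of the Windows record
WIN_ACTION = {"540": "logon", "538": "logoff"}   # event-id to action map (assumed, illustrative)

def parse_windows(rec):
    f = dict(KV_RE.findall(rec))
    ts = datetime(*(int(f[k]) for k in ("tgYear", "tgMonth", "tgDay", "tgHour", "tgMinute", "tgSecond")))
    fields = [p.strip() for p in f["IS"].split(",")]   # source address is the second-to-last field
    return {"time": ts.isoformat(), "user": f["U"], "host": f["CN"], "src_ip": fields[-2],
            "action": WIN_ACTION.get(f["EC"], "other"),
            "outcome": "success" if f["T"] == "Audit Success" else "failure"}

def parse_oracle(rec):
    c = next(csv.reader([rec]))                          # positional CSV audit trail
    m = re.search(r"HOST=([\d.]+)", c[10])               # client address inside the comment text
    return {"time": datetime.strptime(c[4], "%Y/%m/%d %H:%M:%S").isoformat(), "user": c[1],
            "host": c[3], "src_ip": m.group(1) if m else None, "action": c[8].lower(), "outcome": "success"}

def parse_sap(rec):
    d = json.loads(rec)
    a = d["ALERT"]
    p = a["ALERTDATE"].split()                           # drop the zone token: strptime %Z only accepts UTC/GMT/local names
    ts = datetime.strptime(" ".join(p[:4] + p[5:]), "%a %b %d %H:%M:%S %Y")
    return {"time": ts.isoformat(), "user": a["USERID"], "host": d["HOST"], "src_ip": None,
            "action": "logon" if "Logon" in a["MSG"] else "other",
            "outcome": "success" if "Successful" in a["MSG"] else "failure"}

def normalize(rec):
    """Detect the record style from its shape and map it to the common schema."""
    if rec.lstrip().startswith("{"):
        return parse_sap(rec)
    if 'EC="' in rec:
        return parse_windows(rec)
    return parse_oracle(rec)
```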

Page 5

What is inside the log???

Page 6

Customer Type               | Log Volume (GB/day) | Events/day       | Events/sec
2020: > 20 Billion Devices  | 10,000,000,000      | 322,222,222….. | 3,888,888…..
Cloud Provider              | 50,000              | 166,666,666,667  | 1,929,012
Social Media Organization   | 25,000              | 83,333,333,333   | 964,506
Telcos                      | 1,000               | 3,333,333,333    | 38,580
Enterprise > 1000 employees | 300                 | 1,000,000,000    | 11,574
SME                         | 10                  | 33,333,333       | 386

How Big Is The Log Size ???

Page 7

• Who is doing what?
• What access do they have?
• Is that access appropriate?
• Where are they accessing from?
• Is this normal behavior?
• Are there other Indicators of Compromise for the same account/host/service?

Page 8

Who Gets Breached??? Who Has Log Analysis???

Page 9

LOG MANAGEMENT (LM)
• Log collection
• Centralized aggregation
• Long-term log retention
• Log rotation
• Log search and reporting
• Log analysis after storage
The Challenge: huge log volumes, log-format diversity, proprietary log formats, false-positive log records

SECURITY INCIDENT AND EVENT MANAGEMENT (SIEM)
• Same functionality as "LM"
• Basic correlation
• Alerting
• Dashboards
• Retention (correlated events)
• Forensic analysis
The Challenge: lack of intelligence feed, intensive human analytics, lack of incident workflow, rigid deployment scale

NEXT GENERATION SIEM (NGSIEM)
• Same functionality as "SIEM"
• Advanced correlation
• Intelligence feed
• Anomaly detection
• Supports customization
• Supports cloud deployment
• Integration with security solutions
The Challenge: security analytic framework, storage architecture, actionable intelligence, implementer skillset, ID management integration

LM vs SIEM vs NGSIEM

Page 13

Data sources: Security Devices, Network Devices, Servers & Endpoint, Virtualization, Application, Configuration & File Integrity, Vulnerability Information, Identities, Cloud, Mobile, IOT

Event Correlation
• Logs
• Flows
• Basic Rules
• Intelligence Input

Activity Base Line
• Baseline
• Advanced Rules
• Fine Tune
• Intelligence Input

Anomaly Detection
• Network Activity
• User Activity
• Application Activity
• Database Activity
• Intelligence Input

Indicator Of Compromise
• Known Malware
• Command & Control
• Advanced Threat
• Intelligence Input

SECURITY ANALYTIC FRAMEWORK

GOVERNANCE: Incident Response, Remediation, Compliance

ANALYTIC: Visualization, Analysis, Alert, Report

Actionable Intelligence
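An added example, not part of the deck, that runs the four analytic stages of the framework above over constructed, already-normalized logon events: a basic correlation rule (failures followed by a success), an activity baseline of where each user normally logs on from, anomaly detection against that baseline, and an indicator-of-compromise match against a constructed intelligence feed. The thresholds, field names, user and addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTEL_FEED = {"203.0.113.9"}   # constructed feed: documentation-range address standing in for a C2 indicator

def ev(t, user, ip, outcome):
    return {"time": datetime.fromisoformat(t), "user": user, "src_ip": ip, "outcome": outcome}

# Constructed normalized logon events: a learning window, then one night of live traffic.
BASELINE_EVENTS = [ev("2018-01-10T09:00:00", "lmurphy", "10.1.1.20", "success"),
                   ev("2018-01-11T09:05:00", "lmurphy", "10.1.1.21", "success")]
LIVE_EVENTS = [ev("2018-01-15T02:00:00", "lmurphy", "198.51.100.7", "failure"),
               ev("2018-01-15T02:00:10", "lmurphy", "198.51.100.7", "failure"),
               ev("2018-01-15T02:00:20", "lmurphy", "198.51.100.7", "failure"),
               ev("2018-01-15T02:00:30", "lmurphy", "198.51.100.7", "success"),
               ev("2018-01-15T03:00:00", "lmurphy", "203.0.113.9", "success"),
               ev("2018-01-15T09:00:00", "lmurphy", "10.1.1.20", "success")]

def build_baseline(events):
    """Activity baseline: the source addresses each user normally logs on from."""
    base = defaultdict(set)
    for e in events:
        if e["outcome"] == "success":
            base[e["user"]].add(e["src_ip"])
    return base

def correlate(events, failures=3, window=timedelta(minutes=5)):
    """Basic correlation rule: N or more failures then a success for one user inside the window."""
    alerts, recent = [], defaultdict(list)
    for e in sorted(events, key=lambda x: x["time"]):
        hist = [t for t in recent[e["user"]] if e["time"] - t <= window]
        if e["outcome"] == "failure":
            hist.append(e["time"])
        elif len(hist) >= failures:
            alerts.append(("correlation", e["user"], e["src_ip"], "success after %d failures" % len(hist)))
            hist = []                                     # reset so one burst raises one alert
        recent[e["user"]] = hist
    return alerts

def detect_anomalies(events, baseline):
    """Anomaly detection: successful logon from an address outside the user's baseline."""
    return [("anomaly", e["user"], e["src_ip"], "source not in baseline") for e in events
            if e["outcome"] == "success" and e["src_ip"] not in baseline.get(e["user"], set())]

def match_ioc(events, feed):
    """Indicator of compromise: source address present in the intelligence feed."""
    return [("ioc", e["user"], e["src_ip"], "address in intel feed") for e in events if e["src_ip"] in feed]

def run_pipeline(events, baseline_events, feed):
    baseline = build_baseline(baseline_events)
    return correlate(events) + detect_anomalies(events, baseline) + match_ioc(events, feed)
```

Each stage feeds the next in practice (an anomaly that also matches an indicator is the one to work first); here they are kept as separate lists so each rule can be tuned on its own.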

Page 14

Nature          | Type                                                                  | Description
Online Storage  | Primary storage, formerly known as local storage.                     | Optimized for quick writes and fast retrieval. Stores the most recently collected event data and the most frequently searched event data.
Online Storage  | Secondary storage, formerly known as network storage, for example SAN. | Optimized to reduce space usage on optionally less expensive storage while still supporting fast retrieval. NGSIEM automatically migrates data partitions to the secondary storage.
Offline Storage | Archival storage                                                      | Based on retention policies, archived logs are backed up to offline storage such as tape for safekeeping. When needed they can be re-imported for use in long-term forensic analysis.

NOTE: Data retention policies, searches, and reports operate on event data partitions regardless of whether they are residing on primary or secondary storage, or both.

NGSIEM storage should be designed using a three-tier storage architecture to resolve the storage challenge. By default, NGSIEM receives two separate but related data streams from the Collector Managers: the parsed event data and the raw data. The raw data is immediately stored in protected partitions to provide a secure evidence chain.

STORAGE ARCHITECTURE
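An added example (an assumed design, not any product's code) of the three-tier partition lifecycle described above, with the raw stream hash-chained on arrival so the protected partitions form a verifiable evidence chain: partitions age from primary to secondary to offline, searches span the two online tiers, and an offline partition becomes searchable again only after re-import. The retention ages, partition keys and sample records are constructed.

```python
import hashlib
from datetime import date

class TieredEventStore:
    """Day-partitioned store modelling the slide's three tiers (assumed design, not a product's code)."""
    def __init__(self, secondary_after=7, offline_after=90):
        self.tiers = {"primary": {}, "secondary": {}, "offline": {}}   # tier -> {partition key: events}
        self.raw_log = []            # (partition key, raw record, chain hash) in ingest order
        self.chain = "0" * 64        # running SHA-256 over the raw stream: the evidence chain
        self.ages = (("primary", "secondary", secondary_after), ("secondary", "offline", offline_after))

    def ingest(self, day, raw_record, parsed_event):
        """Raw data is chained and stored at once; parsed data lands in the primary tier."""
        self.chain = hashlib.sha256((self.chain + raw_record).encode()).hexdigest()
        self.raw_log.append((day.isoformat(), raw_record, self.chain))
        self.tiers["primary"].setdefault(day.isoformat(), []).append(parsed_event)

    def migrate(self, today):
        """Retention policy: primary -> secondary -> offline by partition age in days."""
        for src, dst, age in self.ages:
            for key in list(self.tiers[src]):
                if (today - date.fromisoformat(key)).days >= age:
                    self.tiers[dst][key] = self.tiers[src].pop(key)

    def search(self, predicate):
        """Searches span both online tiers; offline partitions are invisible until re-imported."""
        return [e for t in ("primary", "secondary") for p in self.tiers[t].values() for e in p if predicate(e)]

    def reimport(self, key):
        """Bring an archived partition back online (into the secondary tier) for forensic work."""
        self.tiers["secondary"][key] = self.tiers["offline"].pop(key)

    def verify_chain(self):
        """Recompute the chain; an altered, inserted or dropped raw record breaks every later hash."""
        h = "0" * 64
        for _, raw_record, stored in self.raw_log:
            h = hashlib.sha256((h + raw_record).encode()).hexdigest()
            if h != stored:
                return False
        return True

def build_demo(today=date(2018, 1, 22)):
    """Constructed sample: three logon records 100, 10 and 1 days old, then one retention pass."""
    store = TieredEventStore()
    for d, user in ((date(2017, 10, 14), "qsecofr"), (date(2018, 1, 12), "esecdba"), (date(2018, 1, 21), "lmurphy")):
        store.ingest(d, "%s logon %s" % (d, user), {"day": d.isoformat(), "user": user, "action": "logon"})
    store.migrate(today)
    return store
```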

Page 15

The Next Generation Security Information and Event Management (NGSIEM) solution simplifies the deployment, management and day-to-day use of SIEM, readily adapts to dynamic enterprise environments and delivers the true "Actionable Intelligence" security professionals need to quickly understand their threat posture and prioritize response.

ACTIONABLE INTELLIGENCE

Page 16

LOG MANAGER

Threats!

Threats Intelligence

Collect Normalize Process Correlate Report

Logging Triggered
Tools / Tactics / Techniques

Analytics

CIMC
Processes / Procedures

People Skill-sets

SIEM

Core SOC Technology

NEXT GEN SOC FOR SMART CITIES

SMART CITIES NGSOC

Page 17

SECURITY OPERATION CENTER

OPERATION TEAM
Team Leaders: NUR SYAFIQA, NUR IMELIA
Shifts: Shift 1 (Day), Shift 2 (Day), Shift 3 (Night), Shift 4 (Night)
Roles on each shift: Threat Analyst (Supervisor), Security Analyst, Security Analyst, Incident Response

Supporting functions: CONSULTANT, ENGINEER, R & D

NEXT GEN SOC ORG CHART

Page 18

Access Management & Authentication

Secure User Monitoring

Identity Governance & Administration

An Integrated Identity, Access & Security Solution