What's Next: A Trillion Event Logs, A Million Security Threats
TRANSCRIPT
Facilitator Introduction
Alan Yau Ti Dun

Alan is currently holding a senior role as Chief Technical Officer at a Technology / Security Operation Center organisation and has over 15 years of experience in Information Security, Governance and Controls. He has extensive experience in leading engagements and serving clients in the area of Information Security.

This includes Next Generation Security Operation Center, Information Technology Cybersecurity Infrastructure Review, Penetration Testing, IT Audit, ISO 27001 Implementation, ISO 27001:2013 Transition, PCI DSS Review, Security Incident Management and Response, Managed Security Services, Business Continuity Planning, Secure Email and other areas.

Prior to joining his current organisation, Alan was the Technology Consulting Services Lead at a leading regional Managed Security Service Provider, where he led the implementation and execution of Security Operation Center projects, including the rollout of the SOC for one of the leaders in the local telco market. He is also a certified Mile2 Instructor and has conducted specific training sessions which include Mile2 Certified Training, CISSP Readiness Workshop, Cybersecurity Fundamentals Training and Security Awareness Training.
Qualifications / Professional Affiliations
• Certified Information Systems Security Professional (CISSP)
• Certificate of Cloud Security Knowledge (CCSK)
• Certified Penetration Testing Consultant (CPTC)
• Certified Penetration Testing Engineer (CPTE)
• Certified Digital Forensic Examiner (CDFE)
• Certified Network Forensic Examiner (CNFE)
• Certified Information Systems Auditor (CISA)
• Certified Information Security Manager (CISM)
• Certified in Governance of Enterprise IT (CGEIT)
• Certified in Risk and Information Systems Control (CRISC)
• Cybersecurity Nexus Fundamentals Certificate (CSXF)
• Ethical Network Security Administrator (ENSA)
• ITIL Foundation V3
• Microsoft Certified Security Administrator (MCSA)
Speaker @ Recent Events
• 14th Annual IT Governance, Assurance and Security Conference 2015, Malaysia – Management Track on Cybersecurity Assurance
• Bursa Malaysia Cybersecurity Workshop 2015 – Threat, Vulnerabilities and Risk
• Cloudsec 2015 – Cybersecurity Assurance
• AuditWorld 2015 – Auditing Cloud Service Provider
WWW.ISACA.ORG/MALAYSIA
Agenda
• The Challenge For Log Analysis
• Log Management vs SIEM vs NextGen SIEM
• Security Analytic + Storage + Actionable Intelligence
• NexGen Security Operation Center For Smart Cities
Sample 1: Windows Security event log entry (event ID 540, successful network logon)
tgMonth="05" tgHour="18" tgDay="13" tgMinute="07" EC="540" C="2" CS="Logon\/Logoff" L="Security" IS="LMURPHY ,TXDOT1 ,(0x15,0xE88A0488) ,3,Kerberos ,Kerberos , ,{cd7b463a-726e-1aec-4fd5-dabe7dc0231e} ,-,- ,- ,- ,- ,144.45.138.69 ,1099" SN="Security" RN="446108" XM="Successful Network Logon: User Name: LMURPHY Domain: TXDOT1 Logon ID: (0x15,0xE88A0488) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {cd7b463a-726e-1aec-4fd5-dabe7dc0231e} Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 144.45.138.69 Source Port: 1099 " tgSecond="12" U="TXDOT1\\LMURPHY" T="Audit Success" ET="4" this="event" CN="HOU-DC" EI="540" tgYear="2010"

Sample 2: IBM i (AS/400) audit journal record, fixed-width with binary fields
1120 00000000000000000002TSV2010-06-02-12.48.43.343776QPADEV000CQSECOFR 600091 QCMD QSYS *SYSBAS 1 00000000000000000000000000000000000000000QSECOFR OMNIAS2 ^@^@^@^@^@^@^@^@^@^@00000010570129150070882304AUDRCV0008QSYS *SYSBAS 1 1 ^@^@^@^@^@^@^@^B000000000000000243690 361363360K361362367K365K366367@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Sample 3: Oracle Database audit trail record (comma-separated)
IN090210,ESECDBA,APPLABS\\DLFDTAPP0803,DLFDTAPP0803,2010\/04\/27 18:07:34,2010\/04\/27 18:08:52,2010\/04\/27 18:08:52,101,LOGOFF,,Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.170.11)(PORT=2788)),10187,1,1 ,0,,,,30553,,,,,dlfdt app2160,Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 – Prod

Sample 4: SAP CCMS security audit alert (JSON)
{"ALERT":{"MANDT":"001","MSG":"Logon Successful (Type=U)","REPORTEDBY":"SecurityAudit","MTMCNAME":"sapserver_DM0_01","ARGTYPE2":"C","EXTINDEX":"0000000012","OBJECTNAME":"Security","MSGARG2":"U&0","MTCLASS":"101","MSGARG1":"AU1","USERID":"SAPJSF","STATUS":"40","ARGTYPE4":"C","STATCHGDAT":"Tue Mar 24 00:00:00 PDT 2009","MTINDEX":"0000000176","VALUE":"2","MSGTEXT":"Security Audit: Logon Event","SEVERITY":"255","STATCHGBY":"SecurityAudit","ALSYSID":"DM0","ARGTYPE3":"C","MSEGNAME":"SAP_CCMS_sapserver_DM0_01","MSCGLID":"AU1","MTNUMRANGE":"033","ALERTDATE":"Tue Mar 24 00:00:00 PDT 2009","FIELDNAME":"Logon","ALUNIQNUM":"0000694352","MTSYSID":"DM0","ALERTTIME":"Thu Jan 01 08:19:24 PST 1970","STATCHGTIM":"Thu Jan 01 08:19:24 PST 1970","RC":"0","MSGID":"AU1","ALINDEX":"0000007340","ARGTYPE1":"C","MSGCLASS":"SAP-YSLOG","MTUID":"0000100010"},"SYSNR":"01","HOST":"192.168.3.7"}
The Challenge For Log Analysis
Can you analyse every single line of these thousands of log lines, every minute?
What is inside the log?
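As an added example (not part of the original presentation), this is how a collector would normalize two of the records shown above, the Windows Security event 540 and the SAP security-audit alert, into one common schema so that later correlation does not have to care which product wrote the line. The two samples are abridged from the slide; the schema field names, the source labels and the dispatch-by-shape rule are this example's own assumptions.

```python
"""Added example (not from the presentation): parse two of the slide's log
records into one normalized schema. WIN_SAMPLE and SAP_SAMPLE are abridged from
the slide's samples; the output field names are this example's own choice."""
import json
import re
from datetime import datetime

# Abridged Windows Security event (ID 540). Values are key="value" pairs and may
# contain escaped characters such as \/ and \\ .
WIN_SAMPLE = (
    'tgMonth="05" tgHour="18" tgDay="13" tgMinute="07" EC="540" CS="Logon\\/Logoff" '
    'L="Security" XM="Successful Network Logon: User Name: LMURPHY Domain: TXDOT1 '
    'Logon ID: (0x15,0xE88A0488) Logon Type: 3 Logon Process: Kerberos '
    'Source Network Address: 144.45.138.69 Source Port: 1099 " tgSecond="12" '
    'U="TXDOT1\\\\LMURPHY" T="Audit Success" CN="HOU-DC" EI="540" tgYear="2010"'
)

# Abridged SAP CCMS security-audit alert. ALERTTIME is the Unix epoch, i.e. unset,
# so only ALERTDATE can be trusted for the event time.
SAP_SAMPLE = (
    '{"ALERT":{"MANDT":"001","MSG":"Logon Successful (Type=U)","REPORTEDBY":"SecurityAudit",'
    '"MTMCNAME":"sapserver_DM0_01","USERID":"SAPJSF","MSGID":"AU1","ALSYSID":"DM0",'
    '"ALERTDATE":"Tue Mar 24 00:00:00 PDT 2009","ALERTTIME":"Thu Jan 01 08:19:24 PST 1970"},'
    '"SYSNR":"01","HOST":"192.168.3.7"}'
)

_KV = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_kv(record):
    """key="value" attributes -> dict, with backslash escapes resolved."""
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in _KV.findall(record)}

def _event(**fields):
    """Fixed schema: every normalizer fills the same keys (None where unknown)."""
    base = dict.fromkeys(("source", "event_time", "host", "action", "outcome",
                          "user", "domain", "src_ip", "vendor_event_id", "details"))
    base.update(fields)
    return base

def normalize_windows(record):
    f = parse_kv(record)
    ts = datetime(*(int(f[k]) for k in
                    ("tgYear", "tgMonth", "tgDay", "tgHour", "tgMinute", "tgSecond")))
    domain, _, user = f.get("U", "").rpartition("\\")
    xm = f.get("XM", "")
    # The IS field carries the same values, but its logon ID contains a comma,
    # so a naive split breaks; the free-text message is the safer source here.
    logon_type = re.search(r"Logon Type:\s*(\d+)", xm)
    src = re.search(r"Source Network Address:\s*(\S+)", xm)
    return _event(source="windows-security", event_time=ts.isoformat(), host=f.get("CN"),
                  action="logon",
                  outcome="success" if f.get("T") == "Audit Success" else "failure",
                  user=user, domain=domain, src_ip=src.group(1) if src else None,
                  vendor_event_id=f.get("EC"),
                  details={"logon_type": int(logon_type.group(1)) if logon_type else None})

def normalize_sap(record):
    doc = json.loads(record)
    a = doc["ALERT"]
    # strptime has no portable %Z for "PDT"; drop the zone token, keep wall-clock time.
    parts = a["ALERTDATE"].split()
    ts = datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")
    # SAP security audit log message ids: AU1 = logon successful, AU2 = logon failed.
    outcome = {"AU1": "success", "AU2": "failure"}.get(a.get("MSGID"), "unknown")
    kind = re.search(r"Type=(\w)", a.get("MSG", ""))
    return _event(source="sap-security-audit", event_time=ts.isoformat(),
                  host=doc.get("HOST"), action="logon", outcome=outcome,
                  user=a.get("USERID"), domain=a.get("ALSYSID"), src_ip=None,
                  vendor_event_id=a.get("MSGID"),
                  details={"logon_type": kind.group(1) if kind else None,
                           "client": a.get("MANDT"), "sysnr": doc.get("SYSNR")})

def normalize(record):
    """Dispatch on shape: JSON object vs. key="value" attribute list (assumed rule)."""
    return normalize_sap(record) if record.lstrip().startswith("{") else normalize_windows(record)

if __name__ == "__main__":
    for r in (WIN_SAMPLE, SAP_SAMPLE):
        print(json.dumps(normalize(r), indent=1))
```

Both normalizers return the same keys, so a correlation rule written once ("successful logon for user U from address A at time T") runs over Windows and SAP events alike. The SAP record also shows a caveat the raw line hides: its ALERTTIME is the epoch placeholder, so the normalizer must choose which vendor field to trust for the timestamp rather than taking the first one it sees.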
How Big Is The Log Size?

Customer Type                    Log Volume (GB/Day)   Events/Day           Events/Sec
2020: > 20 Billion Devices       10,000,000,000        322,222,222…         3,888,888…
Cloud Provider                   50,000                166,666,666,667      1,929,012
Social Media Organization        25,000                83,333,333,333       964,506
Telco                            1,000                 3,333,333,333        38,580
Enterprise (> 1000 employees)    300                   1,000,000,000        11,574
SME                              10                    33,333,333           386

(Events/Day follows from the log volume at an average event size of about 300 bytes; Events/Sec is Events/Day divided by 86,400 seconds.)
Who Gets Breached? Who Has Log Analysis?
• Who is doing what?
• What access do they have?
• Is that access appropriate?
• Where are they accessing from?
• Is this normal behavior?
• Are there other Indicators of Compromise for the same account/host/service?
LM vs SIEM vs NGSIEM

LOG MANAGEMENT (LM)
Functionality:
• Log collection
• Centralized aggregation
• Long-term log retention
• Log rotation
• Log search and reporting
• Log analysis after storage
The Challenge:
• Huge log volumes
• Log-format diversity
• Proprietary log formats
• False-positive log records

SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
Functionality: same as LM, plus
• Basic correlation
• Alerting
• Dashboards
• Retention (correlated events)
• Forensic analysis
The Challenge:
• Lack of intelligence feed
• Intensive human analytics
• Lack of incident workflow
• Rigid deployment scale

NEXT GENERATION SIEM (NGSIEM)
Functionality: same as SIEM, plus
• Advanced correlation
• Intelligence feed
• Anomaly detection
• Support for customization
• Support for cloud deployment
• Integration with security solutions
The Challenge:
• Security analytic framework
• Storage architecture
• Actionable intelligence
• Implementer skillset
• ID management integration
SECURITY ANALYTIC FRAMEWORK

Data sources:
• Security Devices
• Network Devices
• Servers & Endpoints
• Virtualization
• Application
• Configuration & File Integrity
• Vulnerability Information
• Identities
• Cloud
• Mobile
• IoT

Analytic stages:
• Event Correlation: Logs, Flows, Basic Rules, Intelligence Input
• Activity Baseline: Baseline, Advanced Rules, Fine Tuning, Intelligence Input
• Anomaly Detection: Network Activity, User Activity, Application Activity, Database Activity, Intelligence Input
• Indicator of Compromise: Known Malware, Command & Control, Advanced Threats, Intelligence Input
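The four analytic stages above, as an added example (not code from the presentation) run over constructed, already-normalized events. The event dict shape mirrors a normalized logon or connection record; the user, the addresses (RFC 5737 test ranges for the attacker and C2), the office-hours history, the rule thresholds and the intelligence list are all constructed for the demonstration.

```python
"""Added example, not from the presentation: the framework's four analytic
stages run over constructed, already-normalized events. Event shape, users,
addresses (RFC 5737 test ranges), thresholds and the C2 list are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

def _t(iso):
    return datetime.fromisoformat(iso)

# Constructed history: LMURPHY logs on from one address during office hours.
HISTORY = [
    {"event_time": f"2010-05-{day:02d}T{hour:02d}:15:00", "user": "LMURPHY",
     "src_ip": "144.45.138.69", "action": "logon", "outcome": "success"}
    for day in range(3, 13) for hour in (8, 12, 17)
]

# Constructed "today": six failed logons from a new address, then a success,
# then an outbound connection to an address on the intelligence feed.
TODAY = [
    {"event_time": f"2010-05-13T03:0{i}:00", "user": "LMURPHY", "src_ip": "203.0.113.45",
     "action": "logon", "outcome": "failure"} for i in range(6)
] + [
    {"event_time": "2010-05-13T03:07:12", "user": "LMURPHY", "src_ip": "203.0.113.45",
     "action": "logon", "outcome": "success"},
    {"event_time": "2010-05-13T03:09:00", "user": "LMURPHY", "src_ip": "10.1.2.3",
     "dst_ip": "198.51.100.7", "action": "connection", "outcome": "success"},
]

# Constructed intelligence input: known command-and-control addresses.
C2_IPS = {"198.51.100.7"}

def activity_baseline(history):
    """Stage 2: per-user baseline of source addresses and hours of day seen."""
    base = defaultdict(lambda: {"src_ips": set(), "hours": set()})
    for e in history:
        if e["action"] == "logon" and e["outcome"] == "success":
            base[e["user"]]["src_ips"].add(e["src_ip"])
            base[e["user"]]["hours"].add(_t(e["event_time"]).hour)
    return base

def correlate_bruteforce(events, failures=5, window=timedelta(minutes=10)):
    """Stage 1 basic rule: >= `failures` failed logons from one source, followed
    by a success for the same user from that source within `window`."""
    alerts, fails = [], defaultdict(list)          # (user, src_ip) -> failure times
    for e in sorted(events, key=lambda e: e["event_time"]):
        if e["action"] != "logon":
            continue
        key, t = (e["user"], e["src_ip"]), _t(e["event_time"])
        if e["outcome"] == "failure":
            fails[key].append(t)
            continue
        recent = [f for f in fails[key] if t - f <= window]
        if len(recent) >= failures:
            alerts.append({"severity": "high", "rule": "bruteforce-then-success",
                           "user": e["user"], "src_ip": e["src_ip"], "failures": len(recent)})
        fails[key].clear()
    return alerts

def detect_anomalies(events, baseline):
    """Stage 3: successful logons that deviate from the user's own baseline."""
    alerts = []
    for e in events:
        if e["action"] != "logon" or e["outcome"] != "success":
            continue
        b = baseline.get(e["user"])
        if b is None:
            continue                                # first-seen user: a separate rule
        reasons = []
        if e["src_ip"] not in b["src_ips"]:
            reasons.append("new-source-ip")
        if _t(e["event_time"]).hour not in b["hours"]:
            reasons.append("off-hours")
        if reasons:
            alerts.append({"severity": "medium", "rule": "+".join(reasons),
                           "user": e["user"], "src_ip": e["src_ip"]})
    return alerts

def match_ioc(events, c2_ips):
    """Stage 4: any connection whose destination is on the C2 list."""
    return [{"severity": "critical", "rule": "known-c2-destination",
             "user": e["user"], "dst_ip": e["dst_ip"]}
            for e in events if e["action"] == "connection" and e.get("dst_ip") in c2_ips]

def analyze(history, events, c2_ips):
    """Run all stages and order the alerts by severity, most urgent first."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    alerts = (match_ioc(events, c2_ips) + correlate_bruteforce(events)
              + detect_anomalies(events, activity_baseline(history)))
    return sorted(alerts, key=lambda a: rank[a["severity"]])

if __name__ == "__main__":
    for a in analyze(HISTORY, TODAY, C2_IPS):
        print(a)
```

The ordering in analyze() is the "prioritize response" step: the C2 match outranks the password-guessing correlation, which outranks the behavioural deviation, so an analyst working the queue top-down sees the confirmed compromise first. The baseline stage only works once enough history has accumulated; a user with no baseline is deliberately skipped here and would need a first-seen-user rule of its own.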
GOVERNANCE
• Incident Response
• Remediation
• Compliance

ANALYTIC
• Visualization
• Analysis
• Alert
• Report

Output: Actionable Intelligence
STORAGE ARCHITECTURE

Nature / Type / Description

Online Storage, Primary storage (formerly known as local storage): Optimized for quick writes and fast retrieval. Stores the most recently collected event data and the most frequently searched event data.

Online Storage, Secondary storage (formerly known as network storage, for example SAN): Optimized to reduce space usage on optionally less expensive storage while still supporting fast retrieval. NGSIEM automatically migrates data partitions to the secondary storage.

Offline Storage, Archival storage: Based on retention policies, archived logs are backed up to offline storage such as tape for safekeeping. When needed they can be re-imported for use in long-term forensic analysis.

NOTE: Data retention policies, searches, and reports operate on event data partitions regardless of whether they reside on primary or secondary storage, or both.

NGSIEM storage should be designed as a three-tier storage architecture to resolve the storage challenge. By default, NGSIEM receives two separate but related data streams from the Collector Managers: the parsed event data and the raw data. The raw data is immediately stored in protected partitions to provide a secure evidence chain.
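An added example (not vendor code) of the three tiers, the age-based partition migration and the "protected partitions" for raw data described above. It chains each raw record to its predecessor with SHA-256 and seals a per-partition manifest so that an edited, dropped or reordered record is detectable; the tier boundaries (7 / 90 / 1095 days), the manifest format, the method names and the sample lines (shortened from the slide's log samples) are this example's assumptions.

```python
"""Added example (not vendor code) of the slide's three storage tiers, with the
raw stream kept as a tamper-evident hash chain. Tier boundaries, retention and
the manifest format are this example's assumptions."""
import hashlib
from datetime import date

# Assumed policy, in days: partitions younger than HOT_DAYS stay on primary
# storage, then migrate to secondary, then to the offline archive, and become
# eligible for deletion once past RETENTION_DAYS.
HOT_DAYS, WARM_DAYS, RETENTION_DAYS = 7, 90, 3 * 365

def tier_for(partition_day, today):
    age = (today - partition_day).days
    if age < HOT_DAYS:
        return "primary"
    if age < WARM_DAYS:
        return "secondary"
    return "offline" if age < RETENTION_DAYS else "expired"

def _link(prev_hash, raw):
    return hashlib.sha256((prev_hash + "\n" + raw).encode()).hexdigest()

class RawPartition:
    """One day's raw records; each hash covers the previous hash, so an edited,
    dropped or reordered record breaks verification of everything after it."""
    GENESIS = "0" * 64

    def __init__(self, day):
        self.day, self.tier, self.records, self.head = day, "primary", [], self.GENESIS

    def append(self, raw):
        prev, self.head = self.head, _link(self.head, raw)
        self.records.append({"prev_hash": prev, "raw": raw, "hash": self.head})

    def seal(self):
        """Manifest to be kept OUTSIDE the partition (WORM media or another system):
        an attacker who can rewrite the chain could otherwise rewrite the head too."""
        return {"day": self.day.isoformat(), "count": len(self.records), "head": self.head}

    def verify(self, manifest):
        prev = self.GENESIS
        for r in self.records:
            if r["prev_hash"] != prev or _link(prev, r["raw"]) != r["hash"]:
                return False
            prev = r["hash"]
        return prev == manifest["head"] and len(self.records) == manifest["count"]

class EventStore:
    def __init__(self):
        self.partitions = {}   # day -> RawPartition
        self.manifests = {}    # day -> sealed manifest (stands in for the external copy)

    def ingest(self, day, raw_records):
        p = self.partitions.setdefault(day, RawPartition(day))
        for raw in raw_records:
            p.append(raw)
        self.manifests[day] = p.seal()

    def apply_retention(self, today):
        """Migrate partitions between tiers by age; delete those past retention."""
        changes = {}
        for day, p in list(self.partitions.items()):
            target = tier_for(day, today)
            if target == "expired":
                del self.partitions[day]
                changes[day.isoformat()] = "deleted"
            elif target != p.tier:
                p.tier = target      # real systems copy, verify the copy, then drop the source
                changes[day.isoformat()] = target
        return changes

    def search(self, predicate, include_offline=False):
        """Searches span primary and secondary transparently (the slide's NOTE);
        offline partitions need a re-import first, so they are skipped unless asked."""
        return [r["raw"] for p in self.partitions.values()
                if include_offline or p.tier != "offline"
                for r in p.records if predicate(r["raw"])]

    def partition(self, iso_day):
        return self.partitions[date.fromisoformat(iso_day)]

    def tier_report(self):
        return {d.isoformat(): p.tier for d, p in sorted(self.partitions.items())}

    def audit(self):
        """Verify every partition still on any tier against its sealed manifest."""
        return {d.isoformat(): p.verify(self.manifests[d]) for d, p in self.partitions.items()}

def build_demo_store(today=date(2010, 6, 2)):
    """Constructed raw lines, shortened from the slide's four samples, plus one stale partition."""
    store = EventStore()
    store.ingest(date(2010, 6, 2), ["TSV2010-06-02-12.48.43 QSECOFR QCMD QSYS *SYSBAS"])
    store.ingest(date(2010, 5, 13), ['EC="540" U="TXDOT1\\LMURPHY" T="Audit Success" CN="HOU-DC"',
                                     'EC="540" U="TXDOT1\\JDOE" T="Audit Success" CN="HOU-DC"'])
    store.ingest(date(2010, 4, 27), ["ESECDBA,DLFDTAPP0803,2010/04/27 18:08:52,LOGOFF"])
    store.ingest(date(2009, 3, 24), ['{"ALERT":{"USERID":"SAPJSF","MSGID":"AU1"},"HOST":"192.168.3.7"}'])
    store.ingest(date(2006, 1, 1), ["obsolete record past the assumed three-year retention"])
    store.apply_retention(today)
    return store
```

Two design points matter for the "secure evidence chain" claim. The chain only proves integrity relative to its head, so the sealed manifest has to live somewhere the SIEM's own storage account cannot rewrite (WORM media, a separate log-signing service, or an external timestamp). And a tier migration is a copy followed by a delete: the copy should be verified against the manifest before the source is removed, otherwise a corrupted migration silently destroys evidence that the audit would otherwise have caught.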
ACTIONABLE INTELLIGENCE

A Next Generation Security Information and Event Management (NGSIEM) solution simplifies the deployment, management and day-to-day use of SIEM, readily adapts to dynamic enterprise environments and delivers the true "Actionable Intelligence" security professionals need to quickly understand their threat posture and prioritize response.
CORE SOC TECHNOLOGY

• Log Manager: Collect, Normalize, Process, Correlate, Report
• SIEM: Analytics
• Threats: Threat Intelligence; logging triggered by Tools / Tactics / Techniques
• CIMC: Processes, Procedures; People, Skill-sets
NEXT GEN SOC FOR SMART CITIES
SMART CITIES NGSOC

NEXT GEN SOC ORG CHART

Security Operation Center
Team Leaders: NUR SYAFIQA, NUR IMELIA
Operation Team, four shifts (Shift 1 Day, Shift 2 Day, Shift 3 Night, Shift 4 Night), each staffed with:
• Threat Analyst (Supervisor)
• Security Analyst (two per shift)
• Incident Response
Supporting functions: Consultant, Engineer, R & D

An Integrated Identity, Access & Security Solution
• Access Management & Authentication
• Identity Governance & Administration
• Secure User
• Monitoring