whose logs, what logs, why logs - your quickest path to security visibility
DESCRIPTION
Securing your environment requires an understanding of the current and evolving threat landscape as well as knowledge of network technology and system design. This session will include a technical presentation, demo and interactive Q/A that will highlight how to build out a security plan to defend against today’s threats. You’ll leave this session with a clear understanding of what you need to achieve real-time security visibility and protection. Watch the on-demand webinar: http://ow.ly/pQzOT
TRANSCRIPT
Tom D’Aquino – Sr. SIEM Engineer
WHOSE LOGS, WHAT LOGS, WHY LOGS:YOUR QUICKEST PATH TO SECURITY VISIBILITY
AGENDA
The Challenge
• Getting adequate security visibility for your small or medium business
The Widely Pursued Solution
• The traditional approach to Log Management/SIEM
• The cost/benefit analysis
An Alternative Approach
• Who, What and Why is the key
The Wrap Up
• Unified Security Management
• AlienVault’s Threat Intelligence Labs
Questions & Answers as time permits
HUMANS MEET TECHNOLOGY
Something is down? YouTube is up though.
THE WIDELY PURSUED SOLUTION
The traditional approach to Log Management/SIEM:
• Collect everything
• Analyze everything
• Correlate everything
• Store everything
BUT AT WHAT HARDWARE COST?
How much storage, CPU and RAM will you need to collect, correlate and store all of this data?
• High-performance storage is not cheap
How effective is the automated analysis, i.e. correlation really going to be?
• Correlation is CPU and memory intensive
AND AT WHAT HUMAN RESOURCE COST?
How effective is your team really going to be?
• Can one person realistically review 10,000 alerts in a day?
IS THERE A BETTER WAY?
What if we took a more strategic approach by identifying the problem more effectively?
Why do you need the logs?
• Do you have an intended result in mind?
What logs will you need to get that result?
• i.e., will authentication logs suffice?
Who will the logs you collect pertain to?
• Is there a specific user group/community you should be focused on?
LET’S LOOK AT SOME EXAMPLES
Why do you need Firewall logs?
• I need to see what is getting in to my network
What logs will you need to get that result?
• Firewall permit logs
Who will the logs you collect pertain to?
• I’m most significantly concerned with blacklisted IPs/domains
EXAMPLE ILLUSTRATED
You are probably only seeing these:
When you should be looking for this:
EXAMPLES CONTINUED
Why do you need OS logs?
• I need to detect unauthorized access attempts and account lockouts
What logs will you need to get that result?
• OS authentication failure and account lockout logs
Who will the logs you collect pertain to?
• I’m most significantly concerned with admin level accounts
EXAMPLE ILLUSTRATED
Multiple events to indicate a single login:
ONE MORE EXAMPLE
Why do you need Switch/Router logs?
• I need to see when someone logs in to my network gear and makes config changes
What logs will you need to get that result?
• Authentication and authorization logs from my TACACS server would do the job
Who will the logs you collect pertain to?
• Anyone connecting to my network gear
EXAMPLE ILLUSTRATED
You may have to process thousands of these:
Just to get one or two of these:
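The three examples above (firewall permits from blacklisted sources, lockouts of admin accounts, config changes on network gear) are the same Who/What/Why filter applied to different log sources. This added example, not code from the webinar or AlienVault, runs that filter over a handful of constructed log lines; the line formats, the blacklist, the admin account list and the list of config-changing commands are all assumptions for illustration.

```python
import re

# Constructed sample lines (not from the webinar): firewall permit/deny records,
# Windows logon failure (4625) and account lockout (4740) events, and TACACS+
# accounting records for commands run on a switch.
SAMPLE_LOGS = """\
fw01 permit tcp 203.0.113.7:51234 -> 10.0.0.5:443
fw01 permit tcp 198.51.100.9:44120 -> 10.0.0.5:443
fw01 deny tcp 203.0.113.7:51235 -> 10.0.0.5:22
win-dc01 EventID=4625 TargetUserName=jsmith
win-dc01 EventID=4740 TargetUserName=Administrator
win-dc01 EventID=4740 TargetUserName=jsmith
tacacs01 user=alice device=core-sw1 cmd="show running-config"
tacacs01 user=bob device=core-sw1 cmd="configure terminal"
tacacs01 user=bob device=core-sw1 cmd="interface Gi1/0/1"
"""

BAD_IPS = {"203.0.113.7"}            # "who" for the firewall example (constructed list)
ADMIN_ACCOUNTS = {"Administrator"}   # "who" for the OS example (constructed list)
CONFIG_CMDS = ("configure terminal", "interface ", "ip ", "no ")  # "what" = config changes

FW_RE = re.compile(r"^\S+ permit \S+ (?P<src>[\d.]+):\d+ -> ")
WIN_RE = re.compile(r"EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+)")
TAC_RE = re.compile(r'user=(?P<user>\S+) device=(?P<dev>\S+) cmd="(?P<cmd>[^"]*)"')


def triage(lines):
    """Keep only the events the Who/What/Why questions actually ask for."""
    findings = []
    for line in lines:
        m = FW_RE.search(line)                      # What: permits only (denies already did their job)
        if m and m["src"] in BAD_IPS:               # Who: blacklisted sources
            findings.append(("firewall", f"permit from blacklisted {m['src']}"))
            continue
        m = WIN_RE.search(line)                     # What: lockout events, not every failed logon
        if m and m["id"] == "4740" and m["user"] in ADMIN_ACCOUNTS:  # Who: admin accounts
            findings.append(("os", f"lockout of admin {m['user']}"))
            continue
        m = TAC_RE.search(line)                     # What: commands that change config
        if m and m["cmd"].startswith(CONFIG_CMDS):  # Who: anyone on the gear
            findings.append(("netgear", f"{m['user']} changed config on {m['dev']}: {m['cmd']}"))
    return findings


def reduction(lines):
    """Raw line count versus the lines worth a human's attention."""
    return len(lines), len(triage(lines))
```

On the sample, nine raw lines reduce to four that match a stated "why"; the deny, the non-admin lockout and the read-only show command are dropped before anyone has to look at them.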
UNIFIED SECURITY MANAGEMENT
“VISIBILITY THROUGH INTEGRATION THAT WE DO, NOT YOU”
Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
Vulnerability Assessment
• Network Vulnerability Testing
Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
Security Intelligence
• SIEM Correlation
• Incident Response
ALIENVAULT’S THREAT INTELLIGENCE LABS
AlienVault experts monitor, analyze, reverse engineer and report on sophisticated zero-day threats including malware, bots, phishing campaigns and more.
AlienVault publishes its findings in its threat blog and includes all the latest intelligence as correlation rules, policies, and reputation data in the AlienVault Threat feed.
• 500,000 malware samples analyzed per day
• 100,000 malicious IPs validated per day
• 8,000+ global collection points in 140+ countries
• > 7 million URLs analyzed
NOW FOR SOME Q&A…
Three Ways to Test Drive AlienVault
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site
Join us for a LIVE Demo!
http://www.alienvault.com/marketing/alienvault-usm-live-demo
Questions? [email protected]
VIEW THIS WEBINAR ON-DEMAND
A recorded version of this webinar is available to be viewed on demand. Click here