Security Information Event Management { IT Search }
Pongsawat Payungwong, CISSP, MCSE, ACSA
Business Development Manager, Sysware (Thailand) Co., Ltd.
IT Search Company
About Me
Relevant experience:
- Attended SIEM User Conference 2007-2008: The world's largest gathering of SIEM users!, Washington, USA.
- Workshop: Search Engine for IT Management, SPLUNK is Next Generation IT Search Engine, San Francisco, USA.
- Workshop on managing SIEM systems for a National Security Operation Center: NSOC, Acer edc., Taipei.
- Attended SIEM, Critical Information Infrastructure meeting: Project LOGIIC (Linking the Oil and Gas Industry to Improve Cyber Security), SCADA System, Department of Homeland Security, ArcSight USA, Washington DC, USA.
- Workshop: SPLUNK-SYSTEX, IT Search Business in ASIA, Taipei, Taiwan.
- Consultant and system designer; relevant IT security certifications: CISSP, MCSE, ACSA, CCNP
Log Management Challenge
- Regulations & Industry Mandates: Compliance Reporting, Compliance Posture?, Audit & Risk, IT Governance
- Security Operations: Security, Perimeter & Insider Threats, User Monitoring??, Configuration Monitoring
- IT Operations: System Health??, Infrastructure, Network Availability, Networking?, Applications, Change Management, SLA Monitoring?
- Resulting pain points: Uncontrolled Log Infrastructure, Manual & Expensive Audits, Inefficient IT Operations
- Common raw material: IT Operations Logs
What's Needed
- IT Operations: System Health, Network Availability, SLA, ITIL
- Security Operations: Insider Threat, Perimeter Threat, Forensics, SANS
- Regulations & Industry Mandates: PCI, HIPAA, SOX, FISMA
- IT & Security Controls: NIST, ISO, CobiT
Enterprise Event Management Services
- SIEM: Event Correlation, Response Management, Log Aggregation, Advanced Analysis, Real-Time Correlation
- Event Management Services: Storage Lifecycle Management, Universal Event Collection, Enterprise Event Warehouse, Event Analysis (Search, Alert, Report)
Deployment Challenges
- Event Source Architecture
- Bandwidth
- Integrity / Auditable
- Time Sync
- Log Format / Type Normalization
- Correlation / Use Case
What is IT Search? A New Approach to Enterprise IT Monitoring
What is IT Search?
Defense in Depth (each layer managed from its own Console)
- Virtualization / Cloud Computing: VM Manager, Guest Apps, Guest OS, Hypervisor, Host OS
- Systems & Applications: Web, Java, .NET, Solaris, Linux, Windows, Database
- Network: IDS/IPS, Firewalls, Router, Storage, Proxies, VPNs, ACS
Anatomy of Security Investigation
- Application activity log: User Joe completed a suspicious transaction
- Web server access log: Came from IP 10.1.1.57
- DHCP log: Was leased to MAC address 00:0B:86:C5:5F:F4
- Asset DB: MAC address belongs to Sue
- Single sign-on logs: Joe's logins usually come from other MAC addresses
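The same pivot chain written out as a small correlation over constructed sample log lines (an added illustration, not code from the original slides). Only the IP and MAC values come from the slide; the user names, timestamps and the transaction ID T9981 are assumptions.

```python
import re

# Constructed sample records for the five sources named on the slide.
# The IP and MAC are the values shown on the slide; everything else is made up.
APP_LOG = [
    "2008-05-12T10:42:03 txn=T9981 user=joe action=wire_transfer flag=suspicious",
]
WEB_ACCESS_LOG = [
    '10.1.1.57 - joe [12/May/2008:10:42:01] "POST /app/transfer HTTP/1.1" 200 txn=T9981',
]
DHCP_LOG = [
    "2008-05-12T08:15:10 DHCPACK on 10.1.1.57 to 00:0b:86:c5:5f:f4",
    "2008-05-12T08:20:44 DHCPACK on 10.1.1.58 to 00:1a:4b:77:12:aa",
]
ASSET_DB = {"00:0b:86:c5:5f:f4": "sue", "00:1a:4b:77:12:aa": "joe"}  # MAC -> owner
SSO_LOG = [
    "2008-05-05T09:01:12 user=joe result=success mac=00:1a:4b:77:12:aa",
    "2008-05-07T09:03:40 user=joe result=success mac=00:1a:4b:77:12:aa",
    "2008-05-12T10:41:55 user=joe result=success mac=00:0b:86:c5:5f:f4",
]


def field(line, name):
    """Return the value of a key=value field in a log line, or None."""
    m = re.search(rf"\b{name}=(\S+)", line)
    return m.group(1) if m else None


def investigate(txn_id):
    """Follow the slide's pivot chain: txn -> user -> IP -> MAC -> owner -> history."""
    f = {"txn": txn_id}
    # 1. Application activity log: who ran the transaction, and on which day?
    app = next(l for l in APP_LOG if field(l, "txn") == txn_id)
    f["user"], txn_date = field(app, "user"), app[:10]
    # 2. Web server access log: which client IP submitted it?
    f["ip"] = next(l.split()[0] for l in WEB_ACCESS_LOG if field(l, "txn") == txn_id)
    # 3. DHCP log: which MAC address was leased that IP?
    f["mac"] = next(m.group(1) for l in DHCP_LOG
                    if (m := re.search(rf"on {re.escape(f['ip'])} to (\S+)", l)))
    # 4. Asset DB: whose device is that MAC?
    f["mac_owner"] = ASSET_DB.get(f["mac"], "unknown")
    # 5. SSO logs: which MACs did this user log in from on earlier days?
    f["usual_macs"] = sorted({field(l, "mac") for l in SSO_LOG
                              if field(l, "user") == f["user"] and l[:10] < txn_date})
    # The slide's conclusion: the device belongs to someone else and is new for Joe.
    f["anomaly"] = f["mac_owner"] != f["user"] and f["mac"] not in f["usual_macs"]
    return f


if __name__ == "__main__":
    print(investigate("T9981"))
```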
Just one example
Customer calls start coming in about a specific transaction failing.
- Search for user ID and time of one report; get the transaction ID (application and access logs)
- Find the message ID in triggered ESB events for that transaction ID (ESB events)
- Find the failed JDBC database connection for that message ID (message queues, database error logs)
- Find the locking problem in the same time window related to a permissions problem
- Find the change preceding the start of the authentication failures (directory server administrative log, change tickets)
- Change was not authorized
Cycle of Using IT Search
Users start with ad hoc search to investigate problems in a specific area and add new data, knowledge and automation over time.
- Investigate Problems: fast, interactive search across all activity and status continuously indexed in real time
- Validate Changes: proactive search for change execution and impact
- Review Trends: report, chart and trend on any dimension based on the results of any search
- Automate Monitoring: save and schedule searches as alerts
- Capture Knowledge: name, tag and describe types and fields in your data as you search
How is IT Search applied?
- Operations: Troubleshoot problems
- Security: Investigate attacks
- Compliance: Reporting and Controls
- Business Intelligence: Analyze transactions
One Platform. Many Applications.
How does IT Search work?
Universal Indexing Universal algorithms interpret any data without specific parsers or adapters.
Multi-dimensional Search Turn volumes of raw data into information with powerful searches.
Knowledge Management Types create a late-binding common knowledge model. Types are pieces of knowledge defined by a search or expression and applied at search time.
Security & Authentication Control and audit access to all your IT data.
What can Splunk do?
Search
- Time search with interactive results
- Keyword search with quoted strings, wildcards, booleans and nesting
- Targeted field search: host, sources, events, custom fields
- Summary and statistical search
- Transaction search
- Right-click integration with other applications
Alert
- Save any search and run it on a schedule to create an alert
- Alerts can trigger notifications and/or actions based on the search results
- Notifications can be sent via email, SMS, RSS or SNMP and integrated with other management consoles
- Actions can trigger scripts to perform activities like restarting a server
Report
- One-click reports from search results
- Any field can be used to plot a series
- Flexible chart outputs and formats
- Interactive charts provide one-click drill-down
- Select multiple fields to plot several series together
Visualize
- Connect visualization apps to the Splunk API
- Feed business intelligence and reporting applications with IT data using the Splunk API
- Create dynamic visualizations of data using one of the Splunk SDKs: Flash, Python, C, C++, Java, .NET
Open Platform and API
Package Your Own Application
Splunk for Server Virtualization Search and navigate across the complete virtual and physical stack.
Splunk for Network Security Move from event and alert overload to Situational Awareness
Google Search for IT Professional
THANK YOU