SIEM and Eventia A practical demo of what event monitoring can do for you - PowerPoint PPT Presentation

About This Presentation
Title:

SIEM and Eventia A practical demo of what event monitoring can do for you

Description:

R65/R70 Splat Eventia CD (or iso) About an hour... DIY Eventia Eval. Install SPLAT. Select Log Server, Eventia Suite and Eventia Correlation Unit for install ...

Slides: 14
Provided by: renegad

Transcript and Presenter's Notes



1
SIEM and Eventia (A practical demo of what event monitoring can do for you)
A CPUG Event, Robert Mitchell, PureSecurity, September 2009
2
Who am I?
  • Owner and Lead Consultant of PureSecurity,
    CP-focused integrator and reseller based in
    Australia.
  • Over 10 years direct experience with Check Point
  • Ex-CP employee (4 yrs), CISSP, CCSE
  • On CPUG as Thorpuse

3
Agenda
  • Brief(!) discussion on the importance of logs
  • Brief(!) Eventia Overview
  • Kill the Powerpoint, on with the Demo!

4
Logs are Important!
  • Architecture and Design is the beginning of
    security, not the end of it
  • The real work for a security design begins
    after its implementation
  • A secure design is only ever going to be as
    good as the operational procedures that follow it

5
Log Analysis is too hard
  • Too much work
      • Reactive Security Processes and Project work
        dominate
  • Too little time
      • Perception that review/audit work is not valuable
        or important
  • Too much effort
      • Sheer volume of data defeats us
      • Requirement for custom tools and data
  • Too expensive
      • Difficult to justify the ROI for time/effort in
        this space

6
Solution: Eventia Suite!
  • Firewall-specific SIEM solution
  • Built to work with Check Point, so DB and
    functions are optimised for firewall analysis
  • Analyser has expanded correlation roles to work
    as a collector for other logs as well
  • Reporter vs Analyser
      • Reporter generates canned reports, limited
        customisation allowed.
      • Analyser watches logs and generates real-time
        events and alerts, that can be dynamically
        managed and monitored.
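To make the Reporter/Analyser distinction concrete, here is a small added example (not Check Point code and not part of the original slides) of what a correlation unit does with raw firewall logs: it applies an "internal networks" definition and a sliding time window to turn individual drop records into a single event. The log line format, the hypothetical "port sweep" rule, its thresholds and the sample records are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records in a simplified, Check Point-like key=value form
# (assumption: real fw.log records carry many more fields; these are illustrative).
SAMPLE_LOGS = """\
2009-09-01 10:00:01 drop src=203.0.113.7 dst=10.1.1.5 dport=22
2009-09-01 10:00:02 drop src=203.0.113.7 dst=10.1.1.5 dport=23
2009-09-01 10:00:03 drop src=203.0.113.7 dst=10.1.1.5 dport=25
2009-09-01 10:00:04 accept src=10.1.1.20 dst=198.51.100.9 dport=80
2009-09-01 10:00:05 drop src=10.1.1.20 dst=10.1.1.5 dport=22
2009-09-01 10:00:06 drop src=10.1.1.20 dst=10.1.1.5 dport=23
2009-09-01 10:00:30 drop src=10.1.1.20 dst=10.1.1.5 dport=25
"""

# Equivalent of the "Configure Internal Networks" step; anything else is external.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8")]

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETWORKS)

def parse(line):
    """Parse one constructed log line into a dict (timestamp, action, key=value fields)."""
    date, time, action, *fields = line.split()
    rec = {"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), "action": action}
    rec.update(kv.partition("=")[::2] for kv in fields)
    return rec

def correlate(lines, window_s=10, min_ports=3):
    """Hypothetical 'port sweep' rule: one event per source whose dropped connections
    hit >= min_ports distinct destination ports inside a window_s-second window.
    The event name records whether the source is inside the internal networks."""
    window = timedelta(seconds=window_s)
    seen = defaultdict(list)          # src -> [(timestamp, dport), ...] within window
    fired, events = set(), []
    for line in lines.splitlines():
        rec = parse(line)
        if rec["action"] != "drop":   # only dropped traffic feeds this rule
            continue
        hist = seen[rec["src"]]
        hist.append((rec["ts"], rec["dport"]))
        hist[:] = [(t, p) for t, p in hist if rec["ts"] - t <= window]  # expire old entries
        ports = {p for _, p in hist}
        if len(ports) >= min_ports and rec["src"] not in fired:
            fired.add(rec["src"])     # raise each event once, not on every further drop
            origin = "internal" if is_internal(rec["src"]) else "external"
            events.append({"name": f"port sweep from {origin} host", "src": rec["src"],
                           "dst": rec["dst"], "ports": sorted(ports, key=int),
                           "last_seen": rec["ts"]})
    return events
```

With the default 10-second window only the external source produces an event; the internal host's third drop falls outside the window, which is the kind of tuning the Analyser's event policy exposes.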

7
DIY Eventia Evaluation
  • You need
      • A server (or VMWare)
      • R65/R70 Splat Eventia CD (or iso)
      • About an hour

8
DIY Eventia Eval
  • Install SPLAT
  • Select Log Server, Eventia Suite and Eventia
    Correlation Unit for install
  • Use WebUI (first time config Wizard) to complete
    OS and product install

9
DIY Eventia Eval
  • Create Check Point host object, select Eventia
    Suite, Correlation Unit and Log Server as
    installed
  • Establish SIC trust.
  • Install Database (not Policy!) on SmartCentre and
    Eventia host

10
DIY Eventia Eval
  • Open Eventia Analyser GUI
  • Configure Correlation Unit
      • Policy Tab, General Settings, Initial Settings,
        Correlation Unit
  • Configure Internal Networks
  • Update Event Definitions
      • Actions Menu, Dynamic Update
      • Log into UserCenter
  • Install Event Policy
      • Action Menu, Install Event Policy
  • Check that logs are being processed in Overview
    Tab

11
Let's Explore!
  • Enough with the slides, let's demo!

12
Summary
  • Logs are important!
  • Eventia provides a relatively easy insight into
    log and event analysis
  • Setup and Evaluation of Eventia is much, much
    simpler than most SIEMs

13
Q&A? Almost done for CPUG 2009!