Security Event and Information Management: ?????????? ????????? ?????????????? ???????????? ? ?????? ??????????

1
Security Event and Information Management??????
???? ????????? ?????????????? ???????????? ?
?????? ??????????
??????? ???????????? Symantec Corporation
2
??????????

• ????????? ?????????
• Security Information Manager, ????? ????????
• ??????????? SIM
• ??????????

3
????????? ????????? ??????? ?????????? ?????
??????????? ??????????

• Security Information Management
• Security Intelligence
• Correlation
• Prioritization
• Workflow

100

• Event Management
• IDS/IPS, IDM, Firewall, Antivirus
• Policy Compliance
• Vulnerability Assessment

100000

• Log Consolidation
• IDS/IPS, IDM, Firewall, Antivirus
• Policy Compliance
• Vulnerability Assessment

10000000
4
Symantec Security Information Manager
5
Symantec Security Information Manager, ?????
????????

• Symantec Security Information Manager (SSIM) ???
  ??????? ??????????-?????????? ????????,
  ???????????
• ???? ?????????? ??, ?? ????????????? ?
  ??????????????
• ?????????? ? ??????????? ???????? ??????
  ??????????
• ?????????? ?????????? ? ?????????? ?????????????,
  
• ????????? ????????????? ???????? ? ?????????
  ???????? ????????????

6
???????????????? ???? ??????? ? ?????
????????????

• ???????????????? ???? ? ???????? ?????? (?
  ???????? ????????)
• ??? forensic ???????
• ??? ???????????? ?????????
• ????????? ??????????????? ????????
• ???????? ?????? ?? 20-50
• ?????? ????????? ????????? ???????? (SAN/NAS/DAS)
• ?? ????????? DBA!
• ???? ??????? ?????? ? ??????
• ??????????? online ??????? ? ?????? ??????, ???
  ??????, ???????? ? ??????????????
• ?? ????????? ???????????? ???? ??????

SQL Queries ? ??????
????? ???? ???????
???????? ???????
?????? ???????? ????? ???????
7
?????? ? ??????????

• ?????????????? ??????????? ???????????,
  ??????????? ??
• ??????????? ??? ???????
• ???????? ? ????????????
• ????????? ??????????
• ???????? ?????/???????
• ????????? ??????????? ??????????? ????? ??????
  ?????????
• ??????????? ???????? ??????
• ???? ????????????? ? ??????? ???????? ???????
• ??????????? ?????? ????????????
• ???????? ???????? ?? Windows RPC exploit
  ???????????? ?? Unix server?

8
??????????? ? ?????????? (????????? ?????? ??????)

• ???????? ????????????? ??????????? ????????
  ??????
• ???????????? ??????? ??????? ?????????????
  ???????????????? ? ????????????? ??? ?????????
  ???????? ??????
• ?????????? ???????? - ?????? IP ? URL ?????????
  ????? DeepSight ? Symantec MSS
• ??????????? ???????????????? ??????? ?????????? -
  worms propagations, viruses, DoS, malicious
  attacks ? ?????? ???? ????????????? ??????????

9
????????????? Identity Management ? User
Activity Monitoring

• ????? ?? ????????? ?????????????
• ?????? ???????? ????????????? ?? ?????? ???????
  ?????????? ?? ????????? ?????????? (VPN, OS,
  Firewall, IDS)
• ????? ? ?????? ?? ???????? ?? ???????.
• ?????????? ? ?????????? ? ?????????
  ?????????????
• ???????? ?????? ????????????? ??? ????????????? ?
  ????????
• ???????? ?????? ?????????? ?? ?????????
  ?????????????

10
?????? ???????????? ??????????

• ?????? ??????? ??????????
• ?????????? ????? email, pager ? SNMP
• ?????????? ??????? HelpDesk, ???????????
  ?????????? ? ???????
• ?????????????? ?????????? ?????????? ??
  ?????????????
• ???????????? ?? ??????????? (??? ??????????????
  ?????????)
• ???????? ????????? ?????????? ?? ???????????
  (????????? ???????????)

11
??????? ??????? ?????? ????????????? ?????????
???????? ??

• Perform forensics searches
• Simplify and accelerate log review
• Produce reports for auditors
• Customize queries
• Automate review of key reports
• Customize user dashboards
• Identify trends over time
• Schedule automatic report distribution
• Customize with query wizard
• Import company logo, customize headers, footers,
  legends, etc.
• Generate multi-page, multi-query reports
• Export to multiple file formats (CSV, pdf, html,
  xml)

12
???????!!!
13
Security Information Manager Architecture
14
Symantec Security Information Manager Appliance
Models

• Correlation Model 9650
• Required to normalize, filter, aggregate,
  correlate, store, monitor, and manage all tiers
  of the network infrastructure
• Collection Model 9630
• Optional model to normalize, filter, aggregate
  firewall, IDS, integrated security events

• Both models include agent-less collectors for
  CheckPoint, Cisco PIX, Juniper NetScreen, SNORT,
  Generic Syslog and more.

15
Symantec Security Information Manager Example
Deployment
16
Deployment scenario 2 Regional Deployments
Symantec Security Information Manager Model 9650
(Correlation Appliance)
Symantec Security Information Manager 9630
(Collection Appliance)
Management console
AV
Vulnerability
FW
NIDS
Headquarters
Regional office A
Regional office B
Symantec SecurityInformation Manager
9630 (Collection Appliance)
Symantec SecurityInformation Manager
9630 (Collection Appliance)
Firewall events
Antivirus events
Firewall events
Antivirus events
IDS events
Vulnerability events
IDS events
Vulnerability events
17
Collector Architecture Syslog and Database
Sensor Examples
Syslog Sensor Examples Unix/Linux Servers,
Switches/Hubs, Firewalls and IDS capable of
syslog.
(syslog tcp/udp)
Symantec Security Information Manager
(Correlation or Collection Appliance)
(JDBC)
(SSL)
Database Sensor Examples HIDS, AV, Vulnerability
Scanners are examples of some of the types of
products where logs are typically stored in
relational databases.
18
Collector Architecture Custom and File Sensor
Examples
Custom Sensor Examples Windows Event Log Sensor
and Checkpoint LEA sensors
(Windows RPC)
Symantec Security Information Manager
(Correlation or Collection Appliance)
(OPSEC LEA)
File Sensor Examples Custom Applications, HIDS,
AV, Vulnerability Scanners are examples of some
of the types of products where logs are
sometimes stored in flat files.
Symantec slkdjflaskdjflsakdjfalskdjfalskdjflsakdjf
laskdjfalskdfjalskdfjlsakdjflaskdjflsakdjfasdfaApp
liance)
(SSL)
(C\path\to\log.txt)
19
?????????? ??????? - ????? 100 ??????????????
?????????
Intrusion Detection/Prevention Symantec Network
Security (SNS) Symantec HIDS Symantec
ITA Snort Symantec Sygate Symantec Critical
System Protection Cisco IDS Cisco Security
Agents TippingPoint NIPS Enterasys Network
Dragon eEye Retina JuniperIDP ISS
Siteprotector McAfee Intrushield SourceFire
Routers, Switches and VPN Cisco IOS Juniper
VPN CyberGuard Cisco VPN 3000 Concentrator
Firewalls Symantec Gateway Security Cisco
PIX Cisco FWSM Nokia FW Juniper NetScreen
Firewall Checkpoint Firewall-1 Nortel
Contivity Fortinet Fortigate SunScreen Microsoft
Windows Firewall Microsoft ISA
Enterprise AV Solutions Symantec AntiVirus
Symantec Client Security Symantec Mail Security
for Exchange Symantec Mail Security for Lotus
Domino Symantec Mail Security for SMTP  McAfee
EPOMcAfee GroupShield McAfee VirusScan Trend
Micro Control Manager (TMCM) Trend Micro
OfficeScan Trend Server Protect Information
Server Trend Interscan Messaging Security
Suite Trend Scanmail for Exchange Trend Scanmail
for Notes Trend Interscan Viruswall Trend
Interscan Web Security Suite
Operating systems Microsoft Windows Event Log
Solaris OS Collector Sun BSM SUSE Linux Debian
Linux RedHat Linux IBM AIX HP/UX Tandem SELinux IP
Tables
Web servers, Filters and Proxies Apache Web
Server IBM Websphere Bluecoat Proxy Microsoft
ISA Microsoft IIS Sun One WebServer
Other Cisco Netflow Fox Server Control Blue Lance
LT Auditor PassGo UPM Kiwi Syslog Generic
Syslog Symantec Cyberwolf Symantec Wholesecurity
Vulnerability/Policy Scanners Symantec
ESM Symantec Bindview Nessus nCircle Qualys
QualysGuard StillSecure VAM
Identifty Management Microsoft Windows
DHCP Microsoft Operations Manager Microsoft
Active DirectoryRSA SecurID Cisco ACS
Databases Oracle Security Logs (9i 10g) MS SQL
Server Logs
20
Appliance Hardware Layout (needs updating for 4.5)

• 9550
• Dual 3.4 GHz Processor
• 8 GB of RAM
• Redundant power supply
• 6 drives total
• 2 mirrored for OS
• 4 Raid 5 for storage
• 600 Gig for data storage
• 300 Gig for backup and logs

• 9500
• Dual 3.0 GHz Processor
• 6 GB of RAM
• 2 drives mirrored
• Not to be used for storing events

21
Key Competitive Points

• SSIM does not require a database for storing
  security compliance data
• Other solutions are very costly to purchase and
  require constant maintenance
• Arcsight, Netforencis, ESecurity
• SSIMs integration of the Global Intelligent
  Network (GIN) provides detailed security
  knowledge updates in real-time
• None of the competitors do this
• SSIMs correlation performance is unmatched
• SSIMs correlation method is unique in the way we
  classify events and tie them back to the GIN
  security knowledge
• SSIM provides comprehensive AV reporting
• SSIMs administration model is much more scalable
  from a distributed enterprise perspective
• SSIM enables delegated administration across
  multiple domains
• SSIM is much easier to deploy
• Arcsight

22
Whats New in SSIM 4.5

• Long term log and event archiving
• Enables long term retention of raw and normalized
  event logs for forensic and compliance mandates
• Numerous new storage options now available
  including DAS, SAN, NAS and NetBackup
  certification
• Increased event capacity and higher performance
  data queries
• Improved Compliance, Risk and Security Management
  Reporting
• Hundreds of pre-canned reports for specific
  reporting mandates which can be customized to fit
  your needs
• Reports can be automatically scheduled and
  distributed to stakeholders
• Stronger manageability for enterprise deployments
• Richer granular and role based access controls
• Improved performance through improved archiving
  and hardware platform
• Rule grouping to simplify management of
  correlation rules
• Web Service API to securely access and update the
  data that is stored on an appliance
• Use the API to publish asset, incident, and
  ticket information, or to integrate SIM with help
  desk, inventory, and notification applications
• Improved threat identification
• Anomaly detection through custom rules script
• Richer information from Symantecs Global
  Intelligence Network

23
Key Benefits of AntiVirus Integration

• Enhanced Threat and Virus mitigation content
• Provides AntiVirus administrators with the near
  real-time, vulnerability, outbreak, and safeguard
  information needed to minimize the risks and
  costs associated with malicious code
• Workflow allows you to manage outbreaks
• Automates bridges the gap between IT security,
  and AV Desktop administrators for faster
  remediation of threats
• Proactive notification of virus and spyware
  infections and outbreaks
• Provides near real-time email, pager and SNMP
  based alerting
• Monitoring for Expanded Threats with multiple
  attack vectors
• Correlates information from multiple AV and
  Client protection technologies to provide a
  threat based view of the customers environment

24
FY07 Product Goals

• Satisfy important regulatory compliance
  requirements
• Log retention/archive (including raw events)
• Incident/event forensics
• Improve usability for large-scale deployments
• Automated report scheduling and distribution
• Enhanced incident, ticket, and asset management
• Lower total cost of ownership
• Cost-effective storage options (DAS NAS)
• Self-management capabilities
• Improve system and reporting performance
• Build library of supported event collectors

25
Security Management Workflow