Security Event and Information Management: security management, challenges and solutions. Рамиль Яфизов (Ramil Yafizov), Symantec Corporation

Security Event and Information Management - КРОК


Page 1

Security Event and Information Management:

Security management: challenges and solutions.

Рамиль Яфизов (Ramil Yafizov)

Symantec Corporation

Page 2

CONTENTS

1. Customer challenges
2. Security Information Manager: product overview
3. SIM architecture
4. Conclusion

Page 3

Challenges of processing security events: the huge volume of incoming information

The slide is a funnel in three tiers; the volumes are the figures printed on the slide:

• Log Consolidation: data from the network, hosts and devices (IDS/IPS, IDM, Firewall, Antivirus, Policy Compliance, Vulnerability Assessment), on the order of 10,000,000 raw records
• Event Management (IDS/IPS, IDM, Firewall, Antivirus, Policy Compliance, Vulnerability Assessment), on the order of 100,000 events
• Security Information Management (Security Intelligence, Correlation, Prioritization, Workflow), on the order of hundreds of incidents

The questions the security team must answer: "What must I do to fix the situation?" and "Which business assets are the most vulnerable?"

Consumers of the resulting incidents: Help Desk, Legal Dept, Compliance.

Page 4

Symantec Security Information Manager

Page 5

Symantec Security Information Manager: product overview

Symantec™ Security Information Manager (SSIM) is a ready-made hardware/software appliance that performs:

• Collection of security information, its classification and prioritization
• Correlation and identification of the true causes of incidents
• Continuous security monitoring and management
• Measurement of the effectiveness of security resources and security controls

Page 6

Centralized collection of security events and logs

• Centralized collection and storage of data (in its original formats), for forensic analysis and for policy compliance
• Support for long-term retention: archive compression of up to 20%-50%; flexible support for storage devices (SAN/NAS/DAS)
• No DBA required: its own archiving and backup system; online access to the required files for search, checks and restore; no database maintenance

Data flow shown on the slide: incoming events → common event database (SQL queries and reports) → compressed file archive of events.

Raises ROI and lowers maintenance costs.

Page 7

Assets and priorities

Automatic prioritization based on:

• Business criticality
• Policies and compliance
• Vulnerability state
• Open ports/services

Adjusting prioritization through fine-grained settings:

• Intuitive rule editor
• Testing rule effectiveness against archived events

Minimizing false positives. For example: is a Windows RPC exploit aimed at a Unix server critical?

Attention is drawn only to genuinely important events.
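The prioritization idea on this slide (business criticality, vulnerability state and open ports deciding how loud an alert is) as an added example in Python. This is not code from the presentation or from Symantec SSIM; the asset inventory, the signature catalogue, the 1..5 criticality scale, the weighting factors and the sample alerts are assumptions constructed for the example. It answers the slide's own question: the same Windows RPC signature scores zero against the Unix database server and scores high against a Windows file server the scanner already flagged.

```python
"""Asset-aware prioritization of IDS alerts.

Added example; this is not code from the presentation or from Symantec SSIM.
The host names, the 1..5 criticality scale, the signature catalogue, the
weighting factors and the sample alerts are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Asset:
    ip: str
    name: str
    os_family: str                            # "windows", "unix", ...
    criticality: int                          # business criticality, 1 (low) .. 5 (high)
    open_ports: FrozenSet[int] = frozenset()
    vuln_tags: FrozenSet[str] = frozenset()   # findings from the last vulnerability scan


@dataclass(frozen=True)
class Signature:
    name: str
    target_os: FrozenSet[str]                 # OS families the attack can affect
    target_port: Optional[int] = None         # service the attack needs to reach
    vuln_tag: Optional[str] = None            # scan finding the attack depends on


# Constructed inventory and signature catalogue (example data, not real hosts).
ASSETS = {
    "10.0.1.10": Asset("10.0.1.10", "erp-db01", "unix", 5,
                       frozenset({22, 1521}), frozenset({"oracle-listener-unauth"})),
    "10.0.2.20": Asset("10.0.2.20", "fileserver01", "windows", 4,
                       frozenset({135, 139, 445}), frozenset({"win-rpc-dcom"})),
    "10.0.3.30": Asset("10.0.3.30", "kiosk07", "windows", 1,
                       frozenset({445}), frozenset()),
}
SIGNATURES = {
    "Windows RPC DCOM exploit attempt": Signature(
        "Windows RPC DCOM exploit attempt", frozenset({"windows"}), 135, "win-rpc-dcom"),
    "Generic port scan": Signature("Generic port scan", frozenset({"windows", "unix"})),
}


def relevance(sig: Signature, asset: Asset) -> float:
    """Weight saying how much this signature matters for this particular asset."""
    if asset.os_family not in sig.target_os:
        return 0.0                            # wrong platform: the attack cannot succeed
    factor = 1.0
    if sig.target_port is not None and sig.target_port not in asset.open_ports:
        factor *= 0.25                        # targeted service is not exposed
    if sig.vuln_tag is not None:
        factor *= 2.0 if sig.vuln_tag in asset.vuln_tags else 0.5
    return factor


def prioritize(event: dict) -> dict:
    """Score one normalized IDS event: sensor severity x criticality x relevance."""
    sig = SIGNATURES.get(event["signature"])
    asset = ASSETS.get(event["dst_ip"])
    criticality = asset.criticality if asset else 3     # unknown host: assume medium
    factor = relevance(sig, asset) if (sig and asset) else 1.0
    score = event["severity"] * criticality * factor
    if score == 0:
        label = "suppressed"
    elif score < 10:
        label = "low"
    elif score < 25:
        label = "medium"
    else:
        label = "high"
    return {**event, "score": score, "priority": label}


def triage(events):
    """Return scored events, most urgent first, with suppressed ones dropped."""
    scored = [prioritize(e) for e in events]
    return sorted((e for e in scored if e["priority"] != "suppressed"),
                  key=lambda e: e["score"], reverse=True)


# Constructed sample alerts from a network IDS (severity is the sensor's own 1..5).
SAMPLE_ALERTS = [
    {"signature": "Windows RPC DCOM exploit attempt", "src_ip": "198.51.100.7",
     "dst_ip": "10.0.1.10", "severity": 5},   # Unix database server
    {"signature": "Windows RPC DCOM exploit attempt", "src_ip": "198.51.100.7",
     "dst_ip": "10.0.2.20", "severity": 5},   # Windows file server flagged by the scanner
    {"signature": "Windows RPC DCOM exploit attempt", "src_ip": "198.51.100.7",
     "dst_ip": "10.0.3.30", "severity": 5},   # Windows kiosk with port 135 closed
    {"signature": "Generic port scan", "src_ip": "198.51.100.7",
     "dst_ip": "10.0.1.10", "severity": 2},
]

if __name__ == "__main__":
    for e in triage(SAMPLE_ALERTS):
        print(f"{e['priority']:<8} {e['score']:>6.2f} {e['signature']} -> {e['dst_ip']}")
```

The relevance factor is multiplicative on purpose: a platform mismatch is a hard zero, while a closed port or a missing scan finding only dampens the score, because port and vulnerability data in the inventory can be stale. The slide's "test rules against archived events" step corresponds to running `triage` over a day of stored alerts and checking that the suppressed set contains nothing an analyst would have wanted.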

Page 8

Identification and correlation (finding the important causes)

• Ease of use: graphical rule editor
• "Normalization" of events: events are automatically classified and correlated to identify the true causes
• Content monitoring: analysis of IPs and URLs using the DeepSight and Symantec MSS lists
• Proven predefined correlation rules: worm propagation, viruses, DoS, malicious attacks and other types of destructive activity

Identifying the true causes

Page 9

Identification: Identity Management and User Activity Monitoring

Searching by user actions:

• Parsing user actions from events received from different sources (VPN, OS, Firewall, IDS)
• Searching and analyzing events from the archives

Correlation and alerting on user actions:

• Building user tables for use in rules
• Building rules based on user actions

Detecting anomalous actions
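Two of the rule types named on the last two slides, the predefined worm-propagation rule (Page 8) and a rule that consults a user table (this slide), as an added example in Python. This is not code from the presentation or from SSIM; the normalized event schema, the fan-out threshold and window, the disabled-accounts table and the sample event stream are assumptions constructed for the example, and events are assumed to arrive in time order. Both rules consume the same normalized records, which is the point of the "normalization" bullet on the previous slide.

```python
"""Two correlation rules over a stream of normalized events.

Added example; not code from the presentation or from SSIM. The event schema,
the thresholds, the disabled-account table and the sample events are
assumptions made for this example; events are assumed to arrive in time order.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FANOUT_THRESHOLD = 20                   # distinct destinations on one port ...
FANOUT_WINDOW = timedelta(seconds=60)   # ... from one source inside this window

# User table maintained outside the rules (fed from HR or the directory):
# accounts that must never authenticate successfully. Constructed example.
DISABLED_ACCOUNTS = {"jsmith", "contractor42"}


class Correlator:
    def __init__(self):
        # src_ip -> dst_port -> deque of (timestamp, dst_ip) inside the window
        self._fanout = defaultdict(lambda: defaultdict(deque))
        self._fired = set()             # (src_ip, dst_port) pairs already reported
        self.incidents = []

    def feed(self, ev: dict) -> None:
        self._rule_worm_propagation(ev)
        self._rule_disabled_account_login(ev)

    def _rule_worm_propagation(self, ev: dict) -> None:
        """One host reaching many distinct hosts on one port: scanning or spreading."""
        if ev["type"] != "connection":
            return
        key = (ev["src_ip"], ev["dst_port"])
        window = self._fanout[ev["src_ip"]][ev["dst_port"]]
        window.append((ev["ts"], ev["dst_ip"]))
        while window and ev["ts"] - window[0][0] > FANOUT_WINDOW:
            window.popleft()            # expire connections older than the window
        targets = {dst for _, dst in window}
        if len(targets) >= FANOUT_THRESHOLD and key not in self._fired:
            self._fired.add(key)        # one incident per (source, port), not one per packet
            self.incidents.append({
                "rule": "worm_propagation", "ts": ev["ts"], "src_ip": ev["src_ip"],
                "dst_port": ev["dst_port"], "distinct_targets": len(targets),
            })

    def _rule_disabled_account_login(self, ev: dict) -> None:
        """Any successful login by an account listed in the disabled-accounts table."""
        if ev["type"] == "auth_success" and ev.get("user") in DISABLED_ACCOUNTS:
            self.incidents.append({
                "rule": "disabled_account_login", "ts": ev["ts"], "user": ev["user"],
                "src_ip": ev["src_ip"], "source": ev["product"],
            })


def run(events) -> list:
    """Feed events in order and return the incidents the rules produced."""
    c = Correlator()
    for ev in events:
        c.feed(ev)
    return c.incidents


def sample_events() -> list:
    """Constructed stream: an SMB sweep, a normal host, and two VPN logins."""
    t0 = datetime(2008, 3, 1, 12, 0, 0)
    evs = []
    for i in range(1, 26):              # 10.0.5.5 touches 25 hosts on 445 within 25 seconds
        evs.append({"ts": t0 + timedelta(seconds=i), "type": "connection", "product": "firewall",
                    "src_ip": "10.0.5.5", "dst_ip": f"10.0.5.{100 + i}", "dst_port": 445})
    for i in range(3):                  # a normal host talking to three peers
        evs.append({"ts": t0 + timedelta(seconds=30 + i), "type": "connection", "product": "firewall",
                    "src_ip": "10.0.1.10", "dst_ip": f"10.0.1.{20 + i}", "dst_port": 445})
    evs.append({"ts": t0 + timedelta(seconds=40), "type": "auth_success", "product": "vpn",
                "user": "alice", "src_ip": "203.0.113.5"})
    evs.append({"ts": t0 + timedelta(seconds=41), "type": "auth_success", "product": "vpn",
                "user": "jsmith", "src_ip": "203.0.113.9"})
    return evs


if __name__ == "__main__":
    for inc in run(sample_events()):
        print(inc)
```

The `_fired` set is what keeps a noisy source from producing one incident per connection; in a real deployment it should be re-armed after the window expires, otherwise a second sweep from the same host a day later is silently merged into the first. The user table is deliberately a plain set that the rules only read: the slide's "user tables for use in rules" implies the table is built and refreshed by a separate process, and the rules must not depend on the order in which that process runs.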

Page 10

Powerful incident handling

Powerful alerting system:

• Alerts via email, pager and SNMP
• Built-in HelpDesk system, with the option of integrating with others
• Automatic assignment of incidents to users

Remediation recommendations (for operations staff):

• Step-by-step remediation instructions (continuously updated)

A bridge between security and operations

Page 11

Reporting system: measures the effectiveness of security controls

• Perform forensics searches
• Simplify and accelerate log review
• Produce reports for auditors
• Customize queries

• Automate review of key reports
• Customize user dashboards
• Identify trends over time
• Schedule automatic report distribution

• Customize with query wizard
• Import company logo, customize headers, footers, legends, etc.
• Generate multi-page, multi-query reports
• Export to multiple file formats (CSV, pdf, html, xml)

Measuring effectiveness and reporting

Page 12

Thank you! Your questions...

Page 13

Security Information Manager Architecture

Page 14

Symantec Security Information Manager Appliance Models

• Correlation Model 9650: required to normalize, filter, aggregate, correlate, store, monitor, and manage all tiers of the network infrastructure
• Collection Model 9630: optional model to normalize, filter, aggregate firewall, IDS, integrated security events

Both models include agent-less collectors for CheckPoint, Cisco PIX, Juniper NetScreen, SNORT, Generic Syslog and more.

Flexible Options and Easy Deployment

Page 15

Symantec Security Information Manager Example Deployment

Page 16

Deployment scenario 2: Regional Deployments

The slide is a diagram; the recoverable content:

• Headquarters: Symantec Security Information Manager Model 9650 (Correlation Appliance) with the management console, plus a Symantec Security Information Manager 9630 (Collection Appliance) receiving firewall, antivirus, IDS and vulnerability events (FW, AV, NIDS, Vulnerability)
• Regional office A: Symantec Security Information Manager 9630 (Collection Appliance) receiving firewall, antivirus, IDS and vulnerability events, forwarded to headquarters
• Regional office B: Symantec Security Information Manager 9630 (Collection Appliance) receiving firewall, antivirus, IDS and vulnerability events, forwarded to headquarters

Flexible Role-based Access Control and Data Management

Page 17

Collector Architecture: Syslog and Database Sensor Examples

The slide is a diagram: an Agent hosts one or more Collectors; each Collector is built from sensors (File Sensor, Database Sensor, Syslog Sensor, Custom Sensor) and forwards to the Symantec Security Information Manager (Correlation or Collection Appliance) over SSL.

• Syslog Sensor (syslog over tcp/udp). Examples: Unix/Linux servers, switches/hubs, firewalls and IDS capable of syslog.
• Database Sensor (JDBC). Examples: HIDS, AV and vulnerability scanners are some of the types of products whose logs are typically stored in relational databases.

Page 18

Collector Architecture: Custom and File Sensor Examples

Same diagram as Page 17: Agent → Collector (File Sensor, Database Sensor, Syslog Sensor, Custom Sensor) → Symantec Security Information Manager (Correlation or Collection Appliance), over SSL.

• Custom Sensor. Examples: Windows Event Log Sensor (Windows RPC) and Checkpoint LEA sensor (OPSEC LEA).
• File Sensor (reads a file path such as C:\path\to\log.txt). Examples: custom applications, HIDS, AV and vulnerability scanners are some of the types of products whose logs are sometimes stored in flat files.
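What a syslog sensor and a file sensor actually do before events reach the appliance, as an added example in Python: each parses its own raw format into one common record and keeps the raw line, so that the correlation rules see one schema and forensic search still has the original text. This is not code from the presentation or from Symantec's collectors; the field names of the common record, the regular expressions, the CSV layout of the antivirus log and every sample line are assumptions constructed for the example. It also handles the two things that bite in practice: RFC 3164 timestamps carry no year, and unparseable input must be dropped deliberately rather than crash the sensor.

```python
"""Sensor normalization: raw syslog and flat-file input into one event record.

Added example; not code from the presentation or from Symantec's collectors.
The field names of the common record, the regular expressions, the CSV layout
of the antivirus log and all sample lines are assumptions for this example.
"""
import csv
import io
import re
from datetime import datetime
from typing import Optional

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")
SSH_OK_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SSH_FAIL_RE = re.compile(r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

# Flat-file antivirus log, one CSV row per detection (constructed layout).
AV_COLUMNS = ["ts", "host", "ip", "threat", "path", "action"]


def _record(ts, product, host, etype, raw, **fields) -> dict:
    """Common event record; every field exists even when a source lacks it."""
    rec = {"ts": ts, "product": product, "host": host, "type": etype,
           "src_ip": None, "dst_ip": None, "dst_port": None, "user": None,
           "severity": None, "raw": raw}
    rec.update(fields)
    return rec


def normalize_syslog(line: str, year: int) -> Optional[dict]:
    """Syslog sensor. RFC 3164 has no year, so the receiver supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m["pri"]), 8)      # PRI = facility * 8 + severity
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    host, tag, msg = m["host"], m["tag"], m["msg"]
    if tag == "kernel" and "SRC=" in msg:                # netfilter/iptables log line
        kv = dict(tok.split("=", 1) for tok in msg.split() if "=" in tok)
        return _record(ts, "iptables", host, "connection", line, severity=severity,
                       src_ip=kv.get("SRC"), dst_ip=kv.get("DST"),
                       dst_port=int(kv["DPT"]) if kv.get("DPT") else None)
    if tag == "sshd":
        ok = SSH_OK_RE.search(msg)
        if ok:
            return _record(ts, "sshd", host, "auth_success", line, severity=severity,
                           user=ok["user"], src_ip=ok["src"])
        failed = SSH_FAIL_RE.search(msg)
        if failed:
            return _record(ts, "sshd", host, "auth_failure", line, severity=severity,
                           user=failed["user"], src_ip=failed["src"])
    return _record(ts, tag, host, "generic", line, severity=severity)


def normalize_av_csv(line: str) -> Optional[dict]:
    """File sensor. One CSV row from the antivirus log (layout in AV_COLUMNS)."""
    row = next(csv.reader(io.StringIO(line)))
    if len(row) != len(AV_COLUMNS):
        return None                                      # malformed row: refuse, do not guess
    f = dict(zip(AV_COLUMNS, row))
    ts = datetime.strptime(f["ts"], "%Y-%m-%d %H:%M:%S")
    severity = 2 if f["action"] == "Quarantined" else 1  # AV logs carry no syslog severity
    return _record(ts, "antivirus", f["host"], "malware_detected", line, severity=severity,
                   dst_ip=f["ip"], threat=f["threat"], path=f["path"])


# Constructed sample input, as it would reach the two sensors.
SAMPLE_SYSLOG = [
    "<4>Mar  1 12:00:01 gw01 kernel: [123.45] IN=eth0 OUT= SRC=10.0.5.5 DST=10.0.5.107 "
    "LEN=48 PROTO=TCP SPT=3311 DPT=445 SYN",
    "<38>Mar  1 12:00:03 erp-db01 sshd[2211]: Accepted password for jsmith from 203.0.113.9 port 51515 ssh2",
    "<38>Mar  1 12:00:04 erp-db01 sshd[2213]: Failed password for invalid user admin from 203.0.113.9 port 51520 ssh2",
    "this is not syslog at all",
]
SAMPLE_AV = "2008-03-01 12:00:05,fileserver01,10.0.2.20,Example.Worm.Sample,C:\\temp\\x.exe,Quarantined"


def normalize_all(syslog_lines, av_lines, year=2008) -> list:
    """Run both sensors and drop input neither could parse."""
    out = [normalize_syslog(line, year) for line in syslog_lines]
    out += [normalize_av_csv(line) for line in av_lines]
    return [r for r in out if r is not None]


if __name__ == "__main__":
    for rec in normalize_all(SAMPLE_SYSLOG, [SAMPLE_AV]):
        print(rec["ts"], rec["product"], rec["type"], rec["src_ip"], rec["dst_ip"], rec["user"])
```

Two design points carry over to any collector: the raw line travels inside the record (the slides' "storage in original formats" for forensics), and a line that does not match is returned as `None` and counted rather than coerced into a half-filled record that would later match a rule by accident. The syslog PRI split into facility and severity is the one piece of severity information syslog gives for free; the antivirus mapping is a local convention and would be tuned per product.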

Page 19

Event Collectors: more than 100 supported products

Intrusion Detection/Prevention:
• Symantec Network Security (SNS)
• Symantec HIDS
• Symantec ITA
• Snort
• Symantec Sygate
• Symantec Critical System Protection
• Cisco IDS
• Cisco Security Agents
• TippingPoint NIPS
• Enterasys Network Dragon
• eEye Retina
• Juniper IDP
• ISS Siteprotector
• McAfee Intrushield
• SourceFire

Enterprise AV Solutions:
• Symantec AntiVirus
• Symantec Client Security
• Symantec Mail Security for Exchange
• Symantec Mail Security for Lotus Domino
• Symantec Mail Security for SMTP
• McAfee EPO
• McAfee GroupShield
• McAfee VirusScan
• Trend Micro Control Manager (TMCM)
• Trend Micro OfficeScan
• Trend Server Protect Information Server
• Trend Interscan Messaging Security Suite
• Trend Scanmail for Exchange
• Trend Scanmail for Notes
• Trend Interscan Viruswall
• Trend Interscan Web Security Suite

Identity Management:
• Microsoft Windows DHCP
• Microsoft Operations Manager
• Microsoft Active Directory
• RSA SecurID
• Cisco ACS

Routers, Switches and VPN:
• Cisco IOS
• Juniper VPN
• CyberGuard
• Cisco VPN 3000 Concentrator

Vulnerability/Policy Scanners:
• Symantec ESM
• Symantec Bindview
• Nessus
• nCircle
• Qualys QualysGuard
• StillSecure VAM

Operating systems:
• Microsoft Windows Event Log
• Solaris OS Collector
• Sun BSM
• SUSE Linux
• Debian Linux
• RedHat Linux
• IBM AIX
• HP/UX
• Tandem
• SELinux
• IPTables

Firewalls:
• Symantec Gateway Security
• Cisco PIX
• Cisco FWSM
• Nokia FW
• Juniper NetScreen Firewall
• Checkpoint Firewall-1
• Nortel Contivity
• Fortinet Fortigate
• SunScreen
• Microsoft Windows Firewall
• Microsoft ISA

Other:
• Cisco Netflow
• Fox Server Control
• Blue Lance LT Auditor
• PassGo UPM
• Kiwi Syslog
• Generic Syslog
• Symantec Cyberwolf
• Symantec Wholesecurity

Databases:
• Oracle Security Logs (9i & 10g)
• MS SQL Server Logs

Web servers, Filters and Proxies:
• Apache Web Server
• IBM Websphere
• Bluecoat Proxy
• Microsoft ISA
• Microsoft IIS
• Sun One WebServer

Page 20

Appliance Hardware Layout (needs updating for 4.5)

9550:
• Dual 3.4 GHz processor
• 8 GB of RAM
• Redundant power supply
• 6 drives total: 2 mirrored for the OS, 4 in RAID 5 for storage (600 GB for data storage, 300 GB for backup and logs)

9500:
• Dual 3.0 GHz processor
• 6 GB of RAM
• 2 drives, mirrored
• Not to be used for storing events

Page 21

Key Competitive Points

• SSIM does not require a database for storing security & compliance data. Other solutions (Arcsight, NetForensics, eSecurity) are very costly to purchase and require constant maintenance.
• SSIM's integration of the Global Intelligence Network (GIN) provides detailed security knowledge updates in real time. None of the competitors do this.
• SSIM's correlation performance is unmatched.
• SSIM's correlation method is unique in the way we classify events and tie them back to the GIN security knowledge.
• SSIM provides comprehensive AV reporting.
• SSIM's administration model is much more scalable from a distributed enterprise perspective.
• SSIM enables delegated administration across multiple domains.
• SSIM is much easier to deploy.

Page 22

What's New in SSIM 4.5

Long term log and event archiving:
• Enables long term retention of raw and normalized event logs for forensic and compliance mandates
• Numerous new storage options now available, including DAS, SAN, NAS and NetBackup certification
• Increased event capacity and higher performance data queries

Improved Compliance, Risk and Security Management Reporting:
• Hundreds of pre-canned reports for specific reporting mandates, which can be customized to fit your needs
• Reports can be automatically scheduled and distributed to stakeholders

Stronger manageability for enterprise deployments:
• Richer granular and role based access controls
• Improved performance through improved archiving and hardware platform
• Rule grouping to simplify management of correlation rules
• Web Service API to securely access and update the data that is stored on an appliance. Use the API to publish asset, incident, and ticket information, or to integrate SIM with help desk, inventory, and notification applications

Improved threat identification:
• Anomaly detection through custom rules script
• Richer information from Symantec's Global Intelligence Network

Page 23

Key Benefits of AntiVirus Integration

• Enhanced Threat and Virus mitigation content: provides AntiVirus administrators with the near real-time vulnerability, outbreak, and safeguard information needed to minimize the risks and costs associated with malicious code
• Workflow allows you to manage outbreaks: automates and bridges the gap between IT security and AV desktop administrators for faster remediation of threats
• Proactive notification of virus and spyware infections and outbreaks: provides near real-time email, pager and SNMP based alerting
• Monitoring for expanded threats with multiple attack vectors: correlates information from multiple AV and client protection technologies to provide a threat based view of the customer's environment

Page 24

FY07 Product Goals

Satisfy important regulatory compliance requirements:
• Log retention/archive (including raw events)
• Incident/event forensics

Improve usability for large-scale deployments:
• Automated report scheduling and distribution
• Enhanced incident, ticket, and asset management

Lower total cost of ownership:
• Cost-effective storage options (DAS; NAS)
• Self-management capabilities
• Improve system and reporting performance

Build library of supported event collectors

Page 25

Security Management Workflow

The slide shows the workflow as a cycle: Identify → Prioritize → Respond → Review.

SIM 4.0 WWSMC Demo Board 10. Symantec Confidential