Building Highly Available Log Management and SIEM Solutions
Sesh Ramasharma, CISSP
Principal – Identity, Access & Security Management
Novell, Inc
© Novell, Inc. All rights reserved.
Agenda
• Logical view of Log Management and SIEM
• Key Tenets of Security - CIA
• Availability Defined
• Know the moving parts of the solution
• Key considerations
• Tools in the Repertoire
• Summary
Log Management and SIEM
• Log Management is sometimes referred to as Security Information Management or “SIM”
• Security Event Management or “SEM” is focused on real-time monitoring, alerting, incident response
[Diagram: feature overlap between Log Management and SEM]
– SEM: Event correlation, Robust alert, Incident response, Dashboards, Data enrichment, Filtering
– Shared by both: Data collection, Ad-hoc query, E-mail alerts, Reports
– Log Management: Compression, Forensics, Data integrity, Unknown log support, Data retention, Raw log forwarding
CIA Tenets of Security
• CIA tenets of security apply to SIEM / Log Management systems as well
– Confidentiality: Classification of data and ensuring data is visible only to constituencies that are authorized
– Integrity: Data cannot be tampered with, and actions cannot be repudiated (non-repudiation)
– Availability: Available when and where needed
Risk based definition of High Availability
• Definition of “High Availability” is subjective
– Defined by number of 9’s
• It should be driven by and be commensurate to business risk
• Primary reason it needs to be evaluated subjectively is because it comes with a cost!
Functional Sensitivity to Availability
• Break down availability by functionality
• Some functions need higher availability than others
[Diagram: the Log Management / SEM feature map, broken down by function]
– SEM: Event correlation, Robust alert, Incident response, Dashboards, Data enrichment, Filtering
– Shared by both: Data collection, Ad-hoc query, E-mail alerts, Reports
– Log Management: Compression, Forensics, Data integrity, Unknown log support, Data retention, Raw log forwarding
Logical View – SIEM Burton Reference Model
[Diagram: Burton Group SIEM reference model]
– INPUTS (each with a Logging Agent):
> Identity Management: Access Control, Directories, Provisioning
> System Management: Host and DB Configuration, Patch Management, Vulnerability Management
> Perimeter Controls: Routers, Firewalls, Content Scanners
> Intrusion Detection / Response: Network IDS, Network IPS, Other Sensors
– COLLECTION / AGGREGATION / CORRELATION: Distributed Collectors feeding a Central / Master Collector, driven by Signatures / Attack Patterns and Policies / Compliance Rules; Raw Log
– REAL-TIME ANALYSIS / RESPONSE: Security alerts, Reports
– OPERATIONS INTEGRATION, VISUALIZATION / ADMINISTRATION: Visualization, Help Desk Ticketing, Network / Security Operations
Source: Burton Group – Diana Kelley
Novell® Sentinel™ SIEM
[Diagram: Sentinel SIEM architecture]
– Sentinel Control Center with Correlation, Reports, Repository and iTRAC
– Publish / Subscribe Channels and a Proxy
– Collector Managers running Collectors that parse-normalize events, apply taxonomy, add business relevance and perform exploit detection
– Event source categories: Security Perimeter, Referential IT Sources, Operating Systems, Application Events, External Event Sources
– Example sources shown: VPN, Firewall, Host IDS, Network IDS, Antivirus, Vulnerability Mgmt, Patch Mgmt, Asset Mgmt, Identity Mgmt, Laptops, Workstations, Servers, Domain Controller, Mainframe, RDBMS, Business Apps, Custom Events
Novell® Sentinel™ RD
Novell® Sentinel™ Log Manager
SIEM/Log Management Layers
[Diagram: layer stacks of the Event Source and of the SIEM / Log Management System]
– Event Source: Application, Agent, Operating System, Storage, Network
– SIEM / Log Management System: Application (SIEM, Log Mgmt.), Operating System, Storage, Network
SIEM/Log Management Layers – Novell® Sentinel™ Suite Perspective
[Diagram: layer stacks of the Event Source, the Collector Manager and the SIEM / Log Management System]
– Event Source: Application, Agent, Operating System, Storage, Network
– Collector Manager: Application (Collector), Operating System, Storage, Network
– SIEM / Log Management System: Application (SIEM, Log Mgmt.), Operating System, Storage, Network
Know the Moving Parts – A Vertical Slice – Flavor 1
[Diagram: one vertical slice, Burton Reference model beside Novell® Sentinel™]
– Burton Reference components: Event Source, Logging Agent, Distributed Collector, Central / Master Collector, Log Database, Security alerts, Reports, Visualization
– Novell® Sentinel™ components: Event Source, Logging, Message Bus, Distributed Collector, Central / Master Collector, Log Database, Security Alerts, Reports, Visualization, Workflow Remediation
Know the Moving Parts – A Vertical Slice – Flavor 2
[Diagram: one vertical slice, Burton Reference model beside Novell® Sentinel™ with Sentinel Log Manager]
– Burton Reference components: Event Source, Logging Agent, Distributed Collector, Central / Master Collector, Log Database, Security alerts, Reports, Visualization
– Novell® Sentinel™ components: Event Source, Logging, Sentinel Log Manager (Raw Log), Message Bus, Distributed Collector, Central / Master Collector, Log Database, Control Center, Security Alerts, Reports, Visualization, Workflow Remediation
Degrees of Availability
[Chart: COST rises with Availability; Availability axis marked 0%, 95%, 98%, 99.5%, 99.9%; COLD BACKUP at the low end, WARM STANDBY in the middle, HOT BACKUP at the high end]
Cold Backup
• Characteristics
– Backup all the components at periodic intervals
– Restore a point-in-time backup upon failure
• Implications
– Economic solution
– Availability will be at the lower end of the spectrum, as recovery will take longer
– State of the entire system has to be in sync
– High potential for data loss upon recovery
Warm Standby
• Characteristics
– Backup all the components at periodic intervals
– Full redundant system on stand-by
– Restore a point-in-time backup onto the redundant hardware in stand-by mode
– Activate stand-by upon primary failure
• Implications
– More expensive than cold backup solution
– Availability will be better
– State of the entire system has to be in sync
– Potential for data loss on recovery
Hot Backup
• Characteristics
– Full redundant system
– Collect events redundantly from all event sources
– Activate stand-by upon primary failure
– Can be used in an Active/Active mode if the number of correlation rules and reporting users is high
• Implications
– More expensive than cold backup and warm standby solutions
– Availability will be best
– Low potential for data loss on recovery
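Putting numbers on the cold / warm / hot trade-off and on the "functional sensitivity" idea from the earlier slides, as an added example that is not part of the original deck: the per-component availability figures and the function-to-component mapping below are constructed assumptions modelled on the vertical slice (agent, collector, message bus, log database, reporting), not vendor numbers. The block generalises the hot-backup slide into the standard series / parallel composition, so it shows how much a redundant pair on selected components raises each function's availability and what that means in minutes of downtime per year.

```python
from math import prod

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600 minutes in a non-leap year


def downtime_minutes_per_year(availability: float) -> float:
    """Annual downtime implied by an availability figure (99.9% -> about 525.6 min)."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def series(availabilities) -> float:
    """All components must be up for the function to work (failures assumed independent)."""
    return prod(availabilities)


def parallel(availabilities) -> float:
    """Redundant copies: the function is down only when every copy is down at once."""
    return 1.0 - prod(1.0 - a for a in availabilities)


# Assumed per-component figures for one vertical slice, constructed for illustration
# (not vendor numbers): agent -> collector -> message bus -> log database -> reporting.
COMPONENTS = {
    "logging_agent": 0.999,
    "collector": 0.995,
    "message_bus": 0.998,
    "log_database": 0.990,
    "reporting": 0.980,
}

# Assumed mapping of each function to the components it cannot work without.
FUNCTION_DEPENDENCIES = {
    "data_collection": ("logging_agent", "collector", "message_bus"),
    "real_time_alerting": ("logging_agent", "collector", "message_bus", "log_database"),
    "reports": ("logging_agent", "collector", "message_bus", "log_database", "reporting"),
}


def function_availability(function: str, redundant=frozenset()) -> float:
    """Availability of one function. Components named in `redundant` run as a
    redundant pair (hot backup / active-active); all others are single points of failure."""
    per_component = []
    for name in FUNCTION_DEPENDENCIES[function]:
        a = COMPONENTS[name]
        per_component.append(parallel([a, a]) if name in redundant else a)
    return series(per_component)


def annual_downtime(function: str, redundant=frozenset()) -> float:
    """Minutes per year the function is expected to be unavailable under that design."""
    return downtime_minutes_per_year(function_availability(function, redundant))
```

With these figures, doubling up only the collector and the log database moves reporting from roughly 96.2% to 97.7%, while data collection (fewer moving parts) already sits above 99%, which is the kind of per-function view the deck recommends.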
Hybrid Solutions are possible
• It is possible to have hybrid solutions to achieve varying degrees of availability for different components / event sources based on business requirements and cost factors
– High Availability within a Data Center
> E.g. Clustering solution with RAID
» Protects against outage of hardware or components within a data center
– High Availability Across Data Centers
> E.g. Warm standby across data centers
» Protects against outage of an entire data center
– Disaster Recovery
> E.g. Cold backup every day
» Protects from total loss of service in case of failure / disaster
• Question for the audience
– What else is possible to provide for each of these situations?
Key Considerations for model choice
• Functional Sensitivity
• Distributability of the solution
– More is better or less is better? – Depends!!!
• Balance Scalability with Availability
• Appliance vs Software
– Component Distributability
– Component Resiliency
> Redundancy
> Local Buffering
• Self-monitoring capabilities
– Need a MoM (Manager of Managers), or can your SIEM software monitor itself?
Tools in the Repertoire
• Traditional
– Vendor provided solution
> Full redundancy?
– Platform HA
> E.g. OHAC, HACMP
– O/S HA
> E.g. Veritas clusters, Linux Clusters, Solaris clusters
– Database HA
> E.g. Oracle clustering, MS-SQL clustering
– Disk HA
> E.g. SANs, EMC, RAID
– Network HA
> E.g. Self healing networks
• Leading Edge / Emerging
– Cloud Computing
– Intelligent Workload Management
Summary – Back to Basics
Consider a Systemic View
• Understand the organizational risks and costs of these risks materializing
• Know the cost / benefit of SIEM HA for your organization
• Attack HA from a functional point of view
• Understand the moving parts
• Leverage tools available at all layers
Build the best HA solution for your organization
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.