The Challenge For Log Analysis
Log Management vs SIEM vs NextGen SIEM
Security Analytic + Storage + Actionable Intelligence
NexGen Security Operation Center For Smart Cities
What's Next: A Trillion Event Logs, A Million Security Threat
2. Facilitator Introduction
Alan Yau Ti Dun
Alan is currently holding a senior role as Chief Technical Officer at a Technology / Security Operation Center organisation and has over 15 years of experience in Information Security, Governance and Controls. He has extensive experience in leading engagements and serving clients in the area of Information Security. This includes Next Generation Security Operation Center, Information Technology Cybersecurity Infrastructure Review, Penetration Testing, IT Audit, ISO27001 Implementation, ISO27001:2013 Transition, PCI DSS Review, Security Incident Management and Response, Managed Security Services, Business Continuity Planning, Secure Email and other areas.
Prior to joining his current organisation, Alan was the Technology Consulting Services Lead at a leading regional Managed Security Service Provider, where he led the implementation and execution of Security Operation Center projects, including the rollout of the SOC for one of the leaders in the local Telco market. He is also a Certified Mile2 Instructor and has conducted specific training sessions, which include Mile2 Certified Training, CISSP Readiness Workshop, Cybersecurity Fundamental Training and Security Awareness Training.
Qualifications / Professional Affiliations
• Certified Information Systems Security Professional (CISSP)
• Certificate Of Cloud Security Knowledge (CCSK)
• Certified Penetration Testing Consultant (CPTC)
• Certified Penetration Testing Engineer (CPTE)
• Certified Digital Forensic Examiner (CDFE)
• Certified Network Forensic Examiner (CNFE)
• Certified Information Systems Auditor (CISA)
• Certified Information Systems Manager (CISM)
• Certified in Governance of Enterprise IT (CGEIT)
• Certified In Risk Information System Control (CRISC)
• Cybersecurity Nexus Fundamentals Certificate (CSXF)
• Ethical Network Security Administrator (ENSA)
• ITIL Foundation V3
• Microsoft Certified Security Administrator (MCSA)
Speaker @ Recent Events
• 14th Annual IT Governance, Assurance and Security Conference 2015, Malaysia – Management Track on Cybersecurity Assurance
• Bursa Malaysia Cybersecurity Workshop 2015 – Threat, Vulnerabilities and Risk
• Cloudsec 2015 – Cybersecurity Assurance
• Audit World 2015 – Auditing Cloud Service Provider
WWW.ISACA.ORG/MALAYSIA
3. Agenda
The Challenge For Log Analysis
Log Management vs SIEM vs NextGen SIEM
Security Analytic + Storage + Actionable Intelligence
NexGen Security Operation Center For Smart Cities
4. tgMonth="05" tgHour="18" tgDay="13" tgMinute="07" EC="540" C="2" CS="Logon/Logoff" L="Security" IS="LMURPHY ,TXDOT1 ,(0x15,0xE88A0488) ,3,Kerberos ,Kerberos , ,{cd7b463a-726e-1aec-4fd5-dabe7dc0231e} ,-,- ,- ,- ,- ,144.45.138.69 ,1099" SN="Security" RN="446108" XM="Successful Network Logon: User Name: LMURPHY Domain: TXDOT1 Logon ID: (0x15,0xE88A0488) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {cd7b463a-726e-1aec-4fd5-dabe7dc0231e} Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 144.45.138.69 Source Port: 1099 " tgSecond="12" U="TXDOT1LMURPHY" T="Audit Success" ET="4" this="event" CN="HOU-DC" EI="540" tgYear="2010"
1120 00000000000000000002TSV2010-06-02-12.48.43.343776QPADEV000CQSECOFR 600091 QCMD QSYS *SYSBAS 1
00000000000000000000000000000000000000000QSECOFR OMNIAS2
^@^@^@^@^@^@^@^@^@^@00000010570129150070882304AUDRCV0008QSYS *SYSBAS 1 1
^@^@^@^@^@^@^@^B000000000000000243690
361363360K361362367K365K366367@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IN090210,ESECDBA,APPLABSDLFDTAPP0803,DLFDTAPP0803,2010/04/27 18:07:34,2010/04/27 18:08:52,2010/04/27 18:08:52,101,LOGOFF,,Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.170.11)(PORT=2788)),10187,1,1,0,,,,30553,,,,,dlfdt app2160,Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Prod
{"ALERT":{"MANDT":"001","MSG":"Logon Successful (Type=U)","REPORTEDBY":"SecurityAudit","MTMCNAME":"sapserver_DM0_01","ARGTYPE2":"C","EXTINDEX":"0000000012","OBJECTNAME":"Security","MSGARG2":"U&0","MTCLASS":"101","MSGARG1":"AU1","USERID":"SAPJSF","STATUS":"40","ARGTYPE4":"C","STATCHGDAT":"Tue Mar 24 00:00:00 PDT 2009","MTINDEX":"0000000176","VALUE":"2","MSGTEXT":"Security Audit: Logon Event","SEVERITY":"255","STATCHGBY":"SecurityAudit","ALSYSID":"DM0","ARGTYPE3":"C","MSEGNAME":"SAP_CCMS_sapserver_DM0_01","MSCGLID":"AU1","MTNUMRANGE":"033","ALERTDATE":"Tue Mar 24 00:00:00 PDT 2009","FIELDNAME":"Logon","ALUNIQNUM":"0000694352","MTSYSID":"DM0","ALERTTIME":"Thu Jan 01 08:19:24 PST 1970","STATCHGTIM":"Thu Jan 01 08:19:24 PST 1970","RC":"0","MSGID":"AU1","ALINDEX":"0000007340","ARGTYPE1":"C","MSGCLASS":"SAP-YSLOG","MTUID":"0000100010"},"SYSNR":"01","HOST":"192.168.3.7"}
The Challenge For Log Analysis
Do you manage to analyze every single line of these thousands of log lines, every minute?
6. How Big Is The Log Size ???
Customer Type               | Log Volume (GB/Day) | Events/Day       | Events/Sec
2020 > 20 Billion Devices   | 10,000,000,000      | 322,222,222….. | 3,888,888…..
Cloud Provider              | 50,000              | 166,666,666,667  | 1,929,012
Social Media Organization   | 25,000              | 83,333,333,333   | 964,506
Telco's                     | 1,000               | 3,333,333,333    | 38,580
Enterprise > 1000 employees | 300                 | 1,000,000,000    | 11,574
SME                         | 10                  | 33,333,333       | 386
7. • Who is doing what?
• What access do they have?
• Is that access appropriate?
• Where are they accessing from?
• Is this normal behavior?
• Are there other Indicators of Compromise for the same account/host/service?
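As an added example (not part of the slides), the Python below takes abbreviated copies of three of the logon records shown on the earlier slide (the Windows event, the Oracle audit row and the SAP alert), maps each into one common schema, and indexes the result per account so the questions above can be asked across systems. The Oracle column positions and the Windows field meanings are inferred from the sample records themselves, not taken from vendor documentation.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Abbreviated copies of three logon records from the slide (Windows event, Oracle audit row, SAP alert)
WINDOWS_EVENT = ('tgMonth="05" tgHour="18" tgDay="13" tgMinute="07" CS="Logon/Logoff" T="Audit Success" '
                 'tgYear="2010" XM="Successful Network Logon: User Name: LMURPHY Domain: TXDOT1 '
                 'Logon Type: 3 Source Network Address: 144.45.138.69 Source Port: 1099 "')
ORACLE_ROW = ('IN090210,ESECDBA,APPLABSDLFDTAPP0803,DLFDTAPP0803,2010/04/27 18:07:34,'
              '2010/04/27 18:08:52,2010/04/27 18:08:52,101,LOGOFF,,Authenticated by: DATABASE; '
              'Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.170.11)(PORT=2788))')
SAP_ALERT = ('{"ALERT":{"MSG":"Logon Successful (Type=U)","USERID":"SAPJSF","MSGID":"AU1",'
             '"ALERTDATE":"Tue Mar 24 00:00:00 PDT 2009"},"SYSNR":"01","HOST":"192.168.3.7"}')
SAMPLE = [("windows", WINDOWS_EVENT), ("oracle", ORACLE_ROW), ("sap", SAP_ALERT)]

def parse_windows(line):
    attrs = dict(re.findall(r'(\w+)="([^"]*)"', line))   # key="value" pairs of the record
    msg = attrs.get("XM", "")                             # free-text message carries user and source address
    user = re.search(r"User Name: (\S+)", msg)
    src = re.search(r"Source Network Address: (\S+)", msg)
    return {"source": "windows", "time": "{tgYear}-{tgMonth}-{tgDay} {tgHour}:{tgMinute}".format(**attrs),
            "user": user.group(1) if user else None, "src_ip": src.group(1) if src else None,
            "action": attrs.get("CS")}

def parse_oracle(line):
    # Column positions inferred from the slide's record (user = 1, logon time = 4, action = 8)
    f = line.split(",")
    host = re.search(r"\(HOST=([^)]+)\)", line)
    return {"source": "oracle", "time": f[4].replace("/", "-")[:16], "user": f[1],
            "src_ip": host.group(1) if host else None, "action": f[8]}

def parse_sap(line):
    rec = json.loads(line)
    p = rec["ALERT"]["ALERTDATE"].split()   # drop the zone token (PDT), which strptime cannot read
    when = datetime.strptime(" ".join(p[:4] + p[5:]), "%a %b %d %H:%M:%S %Y")
    return {"source": "sap", "time": when.strftime("%Y-%m-%d %H:%M"), "user": rec["ALERT"]["USERID"],
            "src_ip": rec["HOST"], "action": rec["ALERT"]["MSG"]}

PARSERS = {"windows": parse_windows, "oracle": parse_oracle, "sap": parse_sap}

def normalise(records):
    # Collect + Normalize: every record becomes the same five-field event
    return [PARSERS[kind](line) for kind, line in records]

def by_account(events):
    # Correlate: "who is doing what, from where" per account across all three systems
    idx = defaultdict(list)
    for e in events:
        idx[e["user"]].append((e["source"], e["action"], e["src_ip"]))
    return dict(idx)
```

Real deployments add a return-code/outcome field and a proper time zone per source; the abbreviated records here do not carry enough to fill either honestly.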
15. A Next Generation Security Information and Event Management (NGSIEM) solution simplifies the deployment, management and day-to-day use of SIEM, readily adapts to dynamic enterprise environments and delivers the true "Actionable Intelligence" security professionals need to quickly understand their threat posture and prioritize response.
ACTIONABLE INTELLIGENCE
16. NEXT GEN SOC FOR SMART CITIES – SMART CITIES NGSOC (diagram)
Core SOC Technology: Log Manager (Collect, Normalize, Process, Correlate, Report), SIEM, Threats Intelligence, Analytics
Supporting pillars: People (Skill-sets), Processes (Procedures), Tools / Tactics / Techniques
Other labels in the diagram: Threats, Logging Triggered, CIMC
17. SECURITY OPERATION CENTER – NEXT GEN SOC ORG CHART (diagram)
Operation Team, run across four shifts: Shift 1 (Day), Shift 2 (Day), Shift 3 (Night), Shift 4 (Night)
Team Leaders: NUR SYAFIQA, NUR IMELIA
Roles shown under the shifts: Threat Analyst (Supervisor) x4, Security Analyst x8, Incident Response x4
Supporting roles: Consultant, Engineer, R & D