The Challenge For Log Analysis Log Management vs SIEM vs NextGen SIEM Security Analytic + Storage + Actionable Intelligence NexGen Security Operation Center For Smart Cities

2. Facilitator Introduction
Alan Yau Ti Dun
Alan is currently holding a senior role as Chief
Technical Officer at a Technology / Security
Operation Center organisation and has over 15
years of experience in Information Security,
Governance and Controls. He has extensive
experience in leading engagements and serving
clients inthe area of InformationSecurity.
This includes Next Generation Security Operation Center, Information Technology
Cybersecurity Infrastructure Review, Penetration Testing, IT Audit, ISO27001
Implementation, ISO27001:2013 Transition, PCI DSS Review, Security Incident
Management and Response, Managed Security Services, Business Continuity
Planning, Secure Email and other areas.
Prior to joining his current organisation, Alan was the Technology Consulting
Services Lead at a leading regional Managed Security Service Provider, where he
lead the implementation and execution of Security Operation Center projects
including the rollout of the SOCfor one of the leader in local Telco’s Market. He is
also Certified Mile2 Instructor and have conducted specific training sessions
which include Mile2 Certified Training, CISSP Readiness Workshop, Cybersecurity
Fundamental Training andSecurityAwareness Training.
Qualifications /Professional Affiliations
• Certified Information Systems Security Professional (CISSP)
• Certificate Of Cloud Security Knowledge (CCSK)
• Certified Penetration Testing Consultant (CPTC)
• Certified Penetration Testing Engineer (CPTE)
• Certified Digital Forensic Examiner (CDFE)
• Certified Network Forensic Examiner (CNFE)
• Certified Information Systems Auditor (CISA)
• Certified Information Systems Manager (CISM)
• Certified in Governance of Enterprise IT (CGEIT)
• Certified In Risk Information System Control (CRISC)
• Cybersecurity Nexus Fundamentals Certificate (CSXF)
• Ethical Network Security Administrator (ENSA)
• ITIL Foundation V3
• Microsoft Certified Security Administrator (MCSA)
Speaker @ Recent Events
• 14th
Annual IT Governance , Assurance and Security Conference 2015,
Malaysia – Management Trackon CybersecurityAssurance
• Bursa Malaysia Cybersecurity Workshop 2015 – Threat, Vulnerabilities and
Risk
• Cloudsec 2015 – CybersecurityAssurance
• Audit World 2015 – Auditing Cloud Service Provider
WWW.ISACA.ORG/MALAYSIA

3. Agenda
The Challenge For Log Analysis
Log Management vs SIEM vs NextGen SIEM
Security Analytic + Storage + Actionable Intelligence
NexGen Security Operation Center For Smart Cities

4. tgMonth="05" tgHour="18" tgDay="13" tgMinute="07" EC="540" C="2" CS="Logon/Logoff" L="Security" IS="LMURPHY ,TXDOT1 ,(0x15,0xE88A0488)
,3,Kerberos ,Kerberos , ,{cd7b463a-726e-1aec-4fd5-dabe7dc0231e} ,-,- ,- ,- ,- ,144.45.138.69 ,1099" SN="Security" RN="446108" XM="Successful
Network Logon: User Name: LMURPHY Domain: TXDOT1 Logon ID: (0x15,0xE88A0488) Logon Type: 3 Logon Process: Kerberos
Authentication Package: Kerberos Workstation Name: Logon GUID: {cd7b463a-726e-1aec-4fd5-dabe7dc0231e} Caller User Name: - Caller
Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 144.45.138.69 Source Port: 1099 "
tgSecond="12" U="TXDOT1LMURPHY" T="Audit Success" ET="4" this="event" CN="HOU-DC" EI="540" tgYear="2010“
1120 00000000000000000002TSV2010-06-02-12.48.43.343776QPADEV000CQSECOFR 600091 QCMD QSYS *SYSBAS 1
00000000000000000000000000000000000000000QSECOFR OMNIAS2
^@^@^@^@^@^@^@^@^@^@00000010570129150070882304AUDRCV0008QSYS *SYSBAS 1 1
^@^@^@^@^@^@^@^B000000000000000243690
361363360K361362367K365K366367@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IN090210,ESECDBA,APPLABSDLFDTAPP0803,DLFDTAPP0803,2010/04/27 18:07:34,2010/04/27 18:08:52,2010/04/27
18:08:52,101,LOGOFF,,Authenticated by: DATABASE; Client address:
(ADDRESS=(PROTOCOL=tcp)(HOST =192.168.170.11)(PORT=2788)),10187,1,1,0,,,,30553,,,,,dlfdt app2160,Oracle Database 10g Enterprise Edition
Release 10.2.0.3.0 – Prod
{"ALERT":{"MANDT":"001","MSG":"Logon Successful
(Type=U)","REPORTEDBY":"SecurityAud it","MTMCNAME":"sapserver_DM0_01","ARGTYPE2":"C","EXTINDEX":"0000000012","OBJECTNAME":"Security","
MSGARG2":"U&0","MTCLASS":"101","MSGARG1":"AU1","USERID":"SAPJSF","STATUS":"40","ARGTYPE4":"C","STATCHGDAT":"Tue Mar 24 00:00:00 PDT
2009","MTINDEX":"0000000176","VALUE":"2","MSGTEXT":"Security Audit: Logon
Event","SEVERITY":"255","STATCHGBY":"SecurityAudit","ALSYSID":"DM0","ARGTYPE3":"C","MSEGNAME":"SAP_CCM S_sapserver_DM0_01","MSCGLID":
"AU1","MTNUMRANGE":"033","ALERTDATE":"Tue Mar 24 00:00:00 PDT
2009","FIELDNAME":"Logon","ALUNIQNUM":"0000694352","MTSYSID":"DM0","ALERTTIME":"Thu Jan 01 08:19:24 PST 1970","STATCHGTIM":"Thu Jan
01 08:19:24 PST 1970","RC":"0","MSGID":"AU1","ALINDEX":"0000007340","ARGTYPE1":"C","M SGCLASS":"SAP-
YSLOG","MTUID":"0000100010"},"SYSNR":"01","HOST":"192.168.3.7"}
The Challenge For Log Analysis
Do you manage to analyze every single line from these thousand lines of log
for every minutes?

5. What is inside the log???

6. Customer Type Log Volume (GBs /Day) Events / Day Events / Sec
2020 > 20 Billion Devices 10,000,000,000 322,222,222….. 3,888,888…..
Cloud Provider 50,000 166,666,666,667 1,929,012
Social Media Organization 25,000 83,333,333,333 964,506
Telco’s 1,000 3,333,333,333 38,580
Enterprise > 1000 employees 300 1,000,000,000 11,574
SME 10 33,333,333 386
How Big Is The Log Size ???

7. • Who is doing what?
• What access do they have?
• Is that access appropriate?
• Where are they accessing from?
• Is this normal behavior?
• Are there other Indicators of Compromise for the
same account/host/service?

8. ✔
✔
✔
Who Get Breach???
Who Have Log Analysis???

9. Log collection
Centralized aggregation
Long-term log retention
Log rotation
Log search and reporting.
Log analysis after storage
LOG MANAGEMENT (LM)
Same functionality as “LM”
Basic Correlation
Alerting
Dashboards
Retention (Correlated Event)
Forensic Analysis
SECURITY INCIDENT AND EVENT
MANAGEMENT (SIEM)
Same functionality as “SIEM”
Advanced correlation
Intelligence Feed
Anomalies Detection
Support Customization
Support Cloud Deployment
Integration with Security Solution
NEXT GENERATION SIEM (NGSIEM)
The Challenge
• huge log-volumes
• log-format diversity
• proprietary log-formats
• false positive log records
The Challenge
• Lack of Intelligence Feed
• Intensive Human Analytics
• Lack of Incident Work Flow
• Rigid Deployment Scale
The Challenge
• Security Analytic Framework
• Storage Architecture
• Actionable Intelligence
• Implementer Skillset
• ID Management Integration
LM vs SIEM vs NGSIEM

10. LOG MANAGEMENT (LM)
LM vs SIEM vs NGSIEM

11. SECURITY INCIDENT AND EVENT MANAGEMENT (SIEM)
LM vs SIEM vs NGSIEM

12. LM vs SIEM vs NGSIEM
NEXT GENERATION SIEM (NGSIEM)

13. Security
Devices
Network
Devices
Servers &
Endpoint
Virtualization
Application
Configuration & File Integrity
VulnerabilityInformation
Identities
Cloud
Mobile
IOT
• Logs
• Flows
• Basic Rules
• Intelligence Input
Event
Correlation
• Baseline
• Advance Rules
• Fine Tune
• Intelligence Input
Activity Base
Line
• Network Activity
• User Activity
• Application Activity
• Database Activity
• Intelligence Input
Abnormally
Detection
• Known Malware
• Command & Control
• Advance Threat
• Intelligence Input
Indicator Of
Compromise
SECURITY ANALYTIC FRAMEWORK
Incident
Response
Remediation
Compliance
GOVERNANCE
Visualization
Analysis
Alert
Report
ANALYTIC
Actionable Intelligence

14. Nature Type Description
Online
Storage
Primary storage,
formerly known as local
storage.
Optimized for quick writes and fast retrieval. Stores the
most recently collected event data and the most
frequently searched event data.
Secondary storage,
formerly known as
network storage for
example SAN.
Optimized to reduce space usage on optionally less
expensive storage while still supporting fast retrieval.
NGSIEM automatically migrates data
partitions to the secondary storage.
NOTE: Data retention policies, searches, and reports operate on event data partitions
regardless of whether they are residing on primary or secondary storage, or both.
Offline
Storage
Archival storage Base on retention policies archieved log will be back up to
offline storage such as tapefor safe keeping. When is
needed it can be reimport
for use in long-term forensic analysis.
NGSIEM storage should be design using the Three Tier Architecture Storage to resolved the
storage challenge. By default, NGSIEM receives two separate but related data streams from the
Collector Managers: the parsed event data and the raw data. The raw data is immediately
stored in protected partitions to provide a secure evidence chain.
STORAGE ARCHITECTURE

15. Next Generation Security Information and Event Management (NGSIEM) solution simplifies the deployment,
management and day-to-day use of SIEM, readily adapts to dynamic enterprise environments and delivers the true
“Actionable Intelligence" security professionals need to quickly understand their threat posture and prioritize
response.
ACTIONABLE INTELLIGENCE

16. LOG MANAGER
Threats
!
Threats Intelligence
Collect Normalize Process Correlate Report
Logging Triggered
Tools / Tactics / Techniques
Analytics
CIMC
Processes Procedures
People Skill-sets
SIEM
Core SOC Technology
NEXT GEN SOC FOR SMART CITIES
SMART CITIES NGSOC

17. SECURITY OPERATION CENTER
Team Leader
NUR SYAFIQA
Shift 1 (Day) Shift 2 (Day) Shift 3 (Night) Shift 4 (Night)
Threat Analyst
(Supervisor)
OPERATION TEAM
Team Leader
NUR IMELIA
Security Analyst
Security Analyst Security Analyst Security Analyst
Security Analyst Security Analyst
NEXT GEN SOC ORG CHART
Security Analyst
Security Analyst
Incident Response
Threat Analyst
(Supervisor)
Threat Analyst
(Supervisor)
Threat Analyst
(Supervisor)
Incident Response Incident Response Incident Response
CONSULTANT
ENGINEER
R & D

18. Access
Management &
Authentication
Secure
User
Monitoring
Identity Governance &
Administration
An Integrated Identity, Access & Security Solution