RSA envision: Integrated Log Management, Analysis and Security
Log management: definitions
Log: a record of an event or action that occurred on an organization's systems or network. Examples:
- Firewall: allow / deny logs
- Network devices: configuration change logs
- Operating system: system shutdown / startup logs
- Application: user login / logout logs
- DB: query logs for key resources, and so on
Log management (Log Management): the overall process of collecting, storing, analyzing and managing the logs generated across the whole enterprise.
- Sources: security systems, network devices, operating systems, applications / DB, storage
- Consumers: security operations, network operations, system operations, risk management
- Correlation analysis (Correlation Analysis) across all of these sources
Market trends
ESM (Enterprise Security Management)
- Targets security devices only; a simple security analysis system
- Limited when it comes to managing the IT infrastructure as a whole
- Signature- and rule-based detection: high accuracy, but weak against new security threats
RMS (Risk Management System)
- Threat analysis of the managed systems
- Vulnerability and loss analysis of information systems (produces a composite risk index)
- Rates the importance of key assets
- Products: ESM-based RMS / scanner-based RMS
TMS (Threat Management System)
- Early warning / alerting system for security threats
- Solution-based products built on ESM / FW / IDS / IPS
- Detects attacks from traffic (malicious vs. normal), not from the logs of the security devices and systems themselves
- Used as a complement to ESM
SIEM (Security Information and Event Management): the next-generation security information and event management solution
- Provides an approach for the whole system architecture
- Enterprise-wide event collection and correlation analysis (security, network, system, application, DB, storage)
- Serves security operations, IT/NW operations and regulatory compliance
- Stores and analyzes the original raw logs, with no normalization (Normalization) or filtering (Filtering)
- Beyond fixed alerts (Alert) and fixed reports (Report), generates Dynamic Alerts and Dynamic Reports that fit constantly changing situations
- ILM (Information Lifecycle Management) for enterprise-wide raw log storage and long-term retention
The reality of enterprise log management: huge volumes of log data, scattered repositories, and logs managed one system at a time
Needs: access control enforcement, Privileged User Management, malware detection, Spyware detection, real-time monitoring, Troubleshooting, configuration management, Lockdown enforcement, user monitoring, detection of unauthorized services, IP Leakage, False Positive reduction, service-level compliance monitoring
Log sources: Web server activity logs, Switch logs, Web cache & proxy logs, Content management logs, IDS/IDP logs, VA Scan logs, Router logs, Windows domain logins, Wireless access logs, Oracle Financial Logs, Mainframe logs, Windows logs, DHCP logs, VPN logs, Firewall logs, Client & file server logs, Linux, Unix, Windows OS logs, SAN File Access Logs, VLAN Access & Control logs, Database Logs
How do we collect, analyze and manage all of these logs and turn them into the information the enterprise needs in order to operate efficiently?
RSA envision integrated log management = Security Information and Event Management (SIEM)
- One log management platform for three uses: security operations, compliance operations, IT/NW operations
- "ALL THE DATA" (TM) log management, from RSA
RSA envision: turning raw data into important information
[Chart: "Configuration Changes", y-axis "# of Changes" (0 to 14), x-axis the days of January 2005 (Saturday, January 01, 2005 through Monday, January 31, 2005). The counts are derived from the raw Juniper IVE log lines below, which the slide shows scrolling beneath the chart.]
Juniper: 2005-01-02 02:00:01 - ive - [203.82.192.226] ntoss\buddin(array)[array] - Deleted Windows file \\wa1-clearcase\pub\iss_verify.dev.
Juniper: 2005-01-02 02:00:01 - ive - [203.82.192.226] ntoss\buddin(array)[array] - Deleted Windows file \\wa1-clearcase\pub\issmsg.xml.
Juniper: 2005-01-02 02:00:01 - ive - [203.82.192.226] ntoss\buddin(array)[array] - Deleted Windows file \\wa1-clearcase\pub\iss_verify.dev.
Juniper: 2005-01-02 02:00:01 - ive - [203.82.192.226] ntoss\buddin(array)[array] - Deleted Windows file \\wa1-clearcase\pub\issmsg.xml.
Juniper: 2005-01-02 02:00:01 - ive - [203.82.192.226] ntoss\buddin(array)[array] - Deleted Windows file \\wa1-clearcase\pub\iss_verify.dev.
Juniper: 2005-01-02 02:00:01 - ive - [210.4.75.60] ntoss\aislam(array)[array] - Deleted Windows file \\wa1-clearcase\pub\nfrnids_verify.dev.
Juniper: 2005-01-02 02:00:01 - ive - [203.82.192.226] ntoss\buddin(array)[array] - Deleted Windows file \\wa1-clearcase\pub\iss_15806.
Juniper: 2005-01-02 02:00:01 - ive - [203.82.192.226] ntoss\buddin(array)[array] - Deleted Windows file \\wa1-clearcase\pub\iss_2005.
Juniper: 2005-01-02 02:00:01 - ive - [203.82.192.226] ntoss\buddin(array)[array] - Deleted Windows file \\wa1-clearcase\pub\issmsg.xml.
Juniper: 2005-01-02 02:00:01 - ive - [203.82.192.226] ntoss\buddin(array)[array] - Deleted Windows file \\wa1-clearcase\pub\iss_verify.dev.
Juniper: 2005-01-02 02:00:01 - ive - [210.4.75.60] ntoss\aislam(array)[array] - Deleted Windows file \\wa1-clearcase\pub\nfrnids_verify.dev.
Juniper: 2005-01-09 02:00:01 - ive - [203.82.192.226] ntoss\buddin(array)[array] - Deleted Windows file \\wa1-clearcase\pub\intrushieldmsg.xml.
Juniper: 2005-01-09 02:00:04 - ive - [203.82.192.226] ntoss\buddin(array)[array] - Deleted Windows file \\wa1-clearcase\pub\intrushield_readme.txt.
Juniper: 2005-01-09 02:00:05 - ive - [203.82.192.226] ntoss\buddin(array)[array] - Deleted Windows file \\wa1-clearcase\pub\intrushield_verify.dev.
Juniper: 2005-01-09 02:00:06 - ive - [203.82.192.226] ntoss\aislam(array)[array] - Deleted Windows file \\wa1-clearcase\pub\intrushieldmsg-12-15-05-04-57.xml.
Juniper: 2005-01-09 02:00:06 - ive - [203.82.192.226] ntoss\aislam(array)[array] - Deleted Windows file \\wa1-clearcase\pub\intrushield_readme-12-15-05-04-57.txt.
Juniper: 2005-01-09 02:00:07 - ive - [203.82.192.226] ntoss\aislam(array)[array] - Deleted Windows file \\wa1-clearcase\pub\intrushield_verify-12-15-05-04-57.dev.
Juniper: 2005-01-09 02:00:07 - ive - [203.82.192.226] ntoss\buddin(array)[array] - Deleted Windows file \\wa1-clearcase\pub\intrushieldmsg.xml.
Juniper: 2005-01-09 02:00:08 - ive - [203.82.192.226] ntoss\buddin(array)[array] - Deleted Windows file \\wa1-clearcase\pub\intrushield_readme.txt.
Juniper: 2005-01-13 13:00:01 - ive - [203.82.192.226] ntoss\buddin(array)[array] - Deleted Windows file \\wa1-clearcase\pub\intrushield_verify.dev.
Juniper: 2005-01-13 13:00:01 - ive - [10.10.30.42] ntoss\jhart(array)[array] - Deleted Windows file \\wa1-clearcase\pub\ciscoidsxmlmsg.xml.
Juniper: 2005-01-16 02:00:01 - ive - [10.10.30.42] ntoss\jhart(array)[array] - Deleted Windows file \\wa1-clearcase\pub\ciscoidsxml_readme-12-16-05-14-25.txt.
Juniper: 2005-01-16 02:00:01 - ive - [10.10.30.42] ntoss\jhart(array)[array] - Deleted Windows file \\wa1-clearcase\pub\ciscoidsxml_verify-12-16-05-14-25.dev.
Juniper: 2005-01-16 02:00:03 - ive - [10.10.30.42] ntoss\jhart(array)[array] - Deleted Windows file \\wa1-clearcase\pub\ciscoidsxml_verify.dev.
Juniper: 2005-01-16 02:00:01 - ive - [10.10.30.42] ntoss\jhart(array)[array] - Deleted Windows file \\wa1-clearcase\pub\issmsg.xml.
Juniper: 2005-01-16 02:00:01 - ive - [10.10.30.42] ntoss\jhart(array)[array] - Deleted Windows file \\wa1-clearcase\pub\iss_readme.txt.
Juniper: 2005-01-16 02:00:01 - ive - [10.10.30.42] ntoss\jhart(array)[array] - Deleted Windows file \\wa1-clearcase\pub\iss_verify.dev.
Juniper: 2005-01-16 02:00:04 - ive - [203.82.192.226] ntoss\aislam(array)[array] - Deleted Windows file \\wa1-clearcase\pub\ciscopixmsg-12-14-05-06-25.xml.
Juniper: 2005-01-16 02:00:01 - ive - [207.190.229.140] ntoss\dolsen(array)[array] - Deleted Windows file \\wa1-clearcase\pub\tippingpointmsg.xml.
Juniper: 2005-01-16 02:00:05 - ive - [207.190.229.140] ntoss\dolsen(array)[array] - Deleted Windows file \\wa1-clearcase\pub\tippingpoint_readme.txt.
Juniper: 2005-01-16 02:00:06 - ive - [207.190.229.140] ntoss\dolsen(array)[array] - Deleted Windows file \\wa1-clearcase\pub\tippingpoint_verify.dev.
Juniper: 2005-01-16 02:00:07 - ive - [207.190.229.140] ntoss\dolsen(array)[array] - Deleted Windows file \\wa1-clearcase\pub\tippingpointmsg.xml.
Juniper: 2005-01-16 02:00:07 - ive - [207.190.229.140] ntoss\dolsen(array)[array] - Deleted Windows file \\wa1-clearcase\pub\tippingpoint_verify.dev.
Juniper: 2005-01-23 02:00:01 - ive - [10.10.30.32] ntoss\dolsen(array)[array] - Deleted Windows file \\wa1-clearcase\pub\sonicwallmsg.xml.
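The chart on this slide is what the platform builds out of the raw lines beneath it: a per-day count of changes, plus who made them and whether they came in bursts. The following is an added example, not enVision's code and not part of the original deck, that does the same with one regular expression over the Juniper IVE line format shown above. The sample lines are copied from the slide, with one constructed non-matching line appended to show how unparsed input is handled; the field names, the 10-second burst window and the burst threshold are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Juniper IVE lines copied from the slide; the last line is constructed so the
# example also shows what happens to input that does not match the format.
RAW_LINES = r"""Juniper: 2005-01-09 02:00:01 - ive - [203.82.192.226] ntoss\buddin(array)[array] - Deleted Windows file \\wa1-clearcase\pub\intrushieldmsg.xml.
Juniper: 2005-01-09 02:00:04 - ive - [203.82.192.226] ntoss\buddin(array)[array] - Deleted Windows file \\wa1-clearcase\pub\intrushield_readme.txt.
Juniper: 2005-01-09 02:00:06 - ive - [203.82.192.226] ntoss\aislam(array)[array] - Deleted Windows file \\wa1-clearcase\pub\intrushieldmsg-12-15-05-04-57.xml.
Juniper: 2005-01-13 13:00:01 - ive - [10.10.30.42] ntoss\jhart(array)[array] - Deleted Windows file \\wa1-clearcase\pub\ciscoidsxmlmsg.xml.
Juniper: 2005-01-16 02:00:01 - ive - [10.10.30.42] ntoss\jhart(array)[array] - Deleted Windows file \\wa1-clearcase\pub\issmsg.xml.
Juniper: 2005-01-16 02:00:01 - ive - [207.190.229.140] ntoss\dolsen(array)[array] - Deleted Windows file \\wa1-clearcase\pub\tippingpointmsg.xml.
Juniper: 2005-01-16 02:00:05 - ive - [207.190.229.140] ntoss\dolsen(array)[array] - Deleted Windows file \\wa1-clearcase\pub\tippingpoint_readme.txt.
Juniper: 2005-01-23 02:00:01 - ive - [10.10.30.32] ntoss\dolsen(array)[array] - Deleted Windows file \\wa1-clearcase\pub\sonicwallmsg.xml.
Juniper: heartbeat ok""".splitlines()

# One pattern for the IVE "file operation" message type; group names are this
# example's choice. The trailing period on the path is stripped by "\.?$".
IVE_RE = re.compile(
    r"^Juniper: (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - (?P<proc>\w+) - "
    r"\[(?P<ip>[\d.]+)\] (?P<user>[^\s(]+)\([^)]*\)\[[^\]]*\] - "
    r"(?P<action>\w+) Windows file (?P<path>.+?)\.?$"
)


def parse_ive(line):
    """Return a dict of fields for a matching line, or None if it does not match."""
    m = IVE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def parse_all(lines):
    """Split raw input into parsed events and the lines that did not parse.
    Unparsed lines are kept, not dropped: they are still evidence."""
    events, unparsed = [], []
    for line in lines:
        ev = parse_ive(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


def changes_per_day(events):
    """The slide's chart: number of changes per calendar day."""
    return Counter(ev["ts"].date().isoformat() for ev in events)


def changes_per_user(events):
    return Counter(ev["user"] for ev in events)


def deletion_bursts(events, window_s=10, min_count=2):
    """Runs of at least min_count deletions by one user within window_s seconds;
    returns (user, start time, count) per run."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["action"] == "Deleted":
            by_user[ev["user"]].append(ev["ts"])
    bursts = []
    for user, times in by_user.items():
        times.sort()
        i = 0
        while i < len(times):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= min_count:
                bursts.append((user, times[i], j - i + 1))
            i = j + 1
    return bursts


if __name__ == "__main__":
    events, unparsed = parse_all(RAW_LINES)
    print(dict(changes_per_day(events)))   # {'2005-01-09': 3, '2005-01-13': 1, '2005-01-16': 3, '2005-01-23': 1}
    print(dict(changes_per_user(events)))
    for user, start, n in deletion_bursts(events):
        print(f"{user} deleted {n} files starting {start}")
    print("unparsed:", unparsed)
```

The per-day counter is exactly the bar chart; the per-user counter and the burst detector are the "important information" step the slide title refers to, since a handful of deletions by one account inside a few seconds is the thing an operator wants surfaced, not the individual lines.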
RSA envision overview
- Vision: an information management platform for enterprise-wide integrated log management and security operations
- Market presence: more than 800 enterprise and public-sector customers
- Technology: Internet Protocol Database (IPDB), patent pending; can collect all log data without filtering
- Technology partners
  - Network: Cisco, Juniper, Nortel, Foundry
  - Security: Symantec, ISS, McAfee, Check Point, RSA
  - Operating system: Microsoft, Linux / Unix, Sun / HP, IBM AS400 / mainframe
  - Application: MS Exchange, Oracle, MS SQL, Websense, Bluecoat, Apache
  - Other: EMC / NetApp
- Awards: Leader, 3rd year in a row; Only vendor with all the data; Excellent; 2005 appliance bake-off winner; Leader; Largest market presence
RSA envision: the best solution in the marketplace [Gartner chart]
RSA envision key features: flexible and effective log data collection
High collection performance
- A dedicated database for log collection: LogSmart IPDB
- Up to 300,000 log events per second
- Collects all data, with no filtering, normalization or data reduction
LogSmart IPDB
- Stores the raw data as collected, so it can be put to different uses as the need arises
- Write Once Read Many (WORM) design protects the integrity of the stored data
- The stored logs can therefore serve as legal evidence and as forensic evidence
- Caveat: a WORM store protects the copy after it arrives; integrity between the device and the collector depends on the transport, and plain syslog over UDP gives no such guarantee
Universal Device Support (UDS)
- Broad support for all kinds of devices
- An easy way to update the definitions of devices already supported
- Accurate data collection even from devices that are not yet known
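The slide claims data integrity through a WORM design but does not say how it is realized. The following is an added example, not RSA's code, of one independent technique that gives the property the slide is after: a hash chain in which each stored record's digest covers the previous record's digest, so editing, deleting, reordering or truncating stored lines is detectable as long as the latest digest (the chain head) is anchored somewhere the log host cannot rewrite. The record field names, the anchoring interface and the sample log lines are all constructed for the example.

```python
import hashlib

GENESIS = "0" * 64  # stands in for the "previous digest" of the first record


def record_digest(seq, prev, raw):
    # The digest binds the sequence number, the previous record's digest and
    # the raw line, so editing, deleting or reordering any record changes
    # every digest after it.
    h = hashlib.sha256()
    h.update(f"{seq}\x00{prev}\x00".encode("utf-8"))
    h.update(raw.encode("utf-8"))
    return h.hexdigest()


class ChainedLogStore:
    """Append-only store for raw log lines; a record is never rewritten."""

    def __init__(self):
        self.records = []

    def append(self, raw):
        seq = len(self.records)
        prev = self.head()
        rec = {"seq": seq, "prev": prev, "raw": raw,
               "digest": record_digest(seq, prev, raw)}
        self.records.append(rec)
        return rec["digest"]

    def head(self):
        # The latest digest summarizes the whole chain. Anchor it where the log
        # host cannot rewrite it (another system, a signature, WORM media);
        # otherwise an attacker with write access simply recomputes the chain.
        return self.records[-1]["digest"] if self.records else GENESIS


def verify_chain(records, anchored_head):
    """Walk the chain from GENESIS. Returns (True, None) when every link holds
    and the final digest equals the anchored head; otherwise (False, seq) with
    the first broken sequence number. seq == len(records) means the tail was
    truncated (the chain is internally consistent but shorter than anchored)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        if record_digest(i, prev, rec["raw"]) != rec["digest"]:
            return False, i
        prev = rec["digest"]
    if prev != anchored_head:
        return False, len(records)
    return True, None


if __name__ == "__main__":
    store = ChainedLogStore()
    for line in ("fw01 DENY 203.0.113.7 -> 10.10.30.42:23",   # constructed sample lines
                 "fw01 ALLOW 203.0.113.7 -> 10.10.30.42:22",
                 "10.10.30.42 sshd: Accepted password for root from 203.0.113.7"):
        store.append(line)
    anchor = store.head()                      # copy this off-box
    print(verify_chain(store.records, anchor))          # (True, None)
    tampered = [dict(r) for r in store.records]
    tampered[1]["raw"] = "fw01 DENY 203.0.113.7 -> 10.10.30.42:22"  # rewriting history
    print(verify_chain(tampered, anchor))               # (False, 1)
    print(verify_chain(store.records[:-1], anchor))     # (False, 3): tail removed
```

The anchored head is the part that matters in practice: a chain verified only against itself proves nothing to a court, because whoever can write the store can rewrite the whole chain. Periodically exporting the head to a second system, or signing it, turns the chain into evidence.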
RSA envision raw log integration and correlation analysis (1)
An attack typically passes through several of the enterprise's systems, generating compound logs on each of them and leaving traces on all of them: an event on every system along the path.
Correlation analysis keys on:
- Time stamps
- IP addresses
- Event types
- Boolean logic-driven correlation
- Anomaly-based correlation
- Vulnerability and asset management data
Caveat: correlating on time stamps assumes the sources' clocks are synchronized (for example over NTP) and that time zones are normalized on ingest; a device with a skewed clock drops out of every correlation window.
Result:
- Fewer false-positive alerts
- Immediate incident response
- The logs of individual systems are integrated into valuable, useful information
RSA envision raw log integration and correlation analysis (2)
Is the platform ready to receive logs from every type of device? How easily can logs from a legacy device or a custom application be integrated?
Devices of every type:
- Network: Cisco, Juniper, Nortel, Foundry
- Security: Symantec, ISS, McAfee, Check Point, RSA
- Operating system: Microsoft, Linux / Unix, Sun / HP, IBM AS400 / mainframe
- Application: MS Exchange, Oracle, MS SQL, Websense, Bluecoat, Apache
- Storage / other: EMC / NetApp
Adding a new device or a custom application, two approaches:
- An agent is needed, or development at the vendor's R&D level (???): development time, the problem of implementing an embedded agent. How long must the customer depend on the vendor's development?
- Device and log-message types are defined at the user level: collect the raw logs first, classify the device and its message types at the user level, and from then on the logs are classified automatically. OK.
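The user-level path on this slide (collect raw logs first, define the device and message types yourself, then everything classifies automatically) and the correlation keys of the previous slide (time stamps, IP addresses, event types, Boolean logic) are demonstrated together in the following added example, which is not enVision code. The three device formats (a firewall, an IDS and an sshd-style OS log), the addresses 203.0.113.7 and 198.51.100.9, and the rule "port scan, then firewall allow, then successful login on the target from the same source, within 10 minutes" are constructed for the example; registering a fourth format at the end is the "from then on, automatic" step.

```python
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# User-level device / message-type definitions (the idea behind UDS): one regex
# per message type, each producing the same normalized field names. The device
# formats are constructed for this example, not real product formats.
MESSAGE_TYPES = [
    ("firewall", "fw_allow",
     r"^(?P<ts>\S+ \S+) fw01 ALLOW (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"),
    ("firewall", "fw_deny",
     r"^(?P<ts>\S+ \S+) fw01 DENY (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"),
    ("ids", "ids_scan",
     r"^(?P<ts>\S+ \S+) ids01 ALERT portscan from (?P<src>[\d.]+)$"),
    ("os", "login_ok",
     r"^(?P<ts>\S+ \S+) (?P<dst>[\d.]+) sshd: Accepted password for (?P<user>\w+) from (?P<src>[\d.]+)$"),
    ("os", "login_fail",
     r"^(?P<ts>\S+ \S+) (?P<dst>[\d.]+) sshd: Failed password for (?P<user>\w+) from (?P<src>[\d.]+)$"),
]
COMPILED = [(d, t, re.compile(p)) for d, t, p in MESSAGE_TYPES]


def register_message_type(device, mtype, pattern):
    """The user-level step: a new device or message type, no vendor R&D needed."""
    COMPILED.append((device, mtype, re.compile(pattern)))


def normalize(line):
    """First matching message type wins; unknown formats return None."""
    for device, mtype, rx in COMPILED:
        m = rx.match(line)
        if m:
            ev = {"device": device, "type": mtype, "raw": line,
                  "src": None, "dst": None, "port": None, "user": None}
            ev.update(m.groupdict())
            ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
            return ev
    return None


def classify(lines):
    """Raw lines in; time-sorted normalized events and the still-unknown raw
    lines out. Unknown lines are kept, never dropped."""
    events, unknown = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unknown.append(line)
        else:
            events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events, unknown


def correlate(events, window=timedelta(minutes=10)):
    """Boolean rule across three devices: ids_scan(src) AND fw_allow(src -> dst)
    AND login_ok(dst, from src), in that order, all within `window`."""
    incidents = []
    for i, login in enumerate(events):
        if login["type"] != "login_ok":
            continue
        earliest = login["ts"] - window
        scan = allow = None
        for prior in events[:i]:          # events is time-sorted
            if prior["ts"] < earliest:
                continue
            if prior["type"] == "ids_scan" and prior["src"] == login["src"]:
                scan = scan or prior
            elif (prior["type"] == "fw_allow" and prior["src"] == login["src"]
                  and prior["dst"] == login["dst"]):
                allow = allow or prior
        if scan and allow and scan["ts"] <= allow["ts"]:
            incidents.append({"src": login["src"], "dst": login["dst"],
                              "user": login["user"], "ts": login["ts"],
                              "evidence": [scan["raw"], allow["raw"], login["raw"]]})
    return incidents


# Constructed sample: an external host scans, is denied on telnet, allowed on
# ssh, fails once, then logs in as root; a second, unrelated ssh login; and one
# line from a device for which no message type has been defined yet.
SAMPLE_LINES = [
    "2005-01-16 02:00:01 ids01 ALERT portscan from 203.0.113.7",
    "2005-01-16 02:01:10 fw01 DENY 203.0.113.7 -> 10.10.30.42:23",
    "2005-01-16 02:02:30 fw01 ALLOW 203.0.113.7 -> 10.10.30.42:22",
    "2005-01-16 02:02:31 10.10.30.42 sshd: Failed password for root from 203.0.113.7",
    "2005-01-16 02:02:40 10.10.30.42 sshd: Accepted password for root from 203.0.113.7",
    "2005-01-16 02:05:00 fw01 ALLOW 198.51.100.9 -> 10.10.30.42:22",
    "2005-01-16 02:05:05 10.10.30.42 sshd: Accepted password for jhart from 198.51.100.9",
    "2005-01-16 02:06:00 sw07 LINK port 3 down",
]

if __name__ == "__main__":
    events, unknown = classify(SAMPLE_LINES)
    for inc in correlate(events):
        print(inc["src"], "->", inc["dst"], "as", inc["user"], "| evidence lines:", len(inc["evidence"]))
    print("unclassified:", unknown)
    register_message_type("switch", "link_down",
                          r"^(?P<ts>\S+ \S+) sw07 LINK port (?P<port>\d+) down$")
    print("unclassified after registering the switch format:", classify(SAMPLE_LINES)[1])
```

The second login (jhart from 198.51.100.9) has a matching firewall allow but no preceding scan, so the rule stays silent: that is the false-positive reduction the previous slide promises, since a firewall allow followed by a login is normal traffic and only the three-device chain is worth an alert. The switch line is kept in the unknown list until its format is registered, after which the same input classifies completely.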
RSA envision integrated log collection and capture: considerations for high-volume log collection
[Chart: "Data storage space" in GBs per day (0 to 250) and "Data collection performance (EPS)" (0 to 10,000) at 1,000, 5,000 and 10,000 Events Per Second (EPS), RDBMS vs. LogSmart IPDB; a third panel, "System performance", again RDBMS vs. LogSmart IPDB]
- Raw logs plus compression (75%~90%): consider the storage cost saving
- Maximize raw log collection performance, with no filtering, normalization or data reduction
RSA envision integrated raw log information lifecycle management
Check whether a lifecycle policy can be applied to log information (ILM, Information Lifecycle Management) [a log storage and retention policy must be set: a compliance issue]
- Log management online policy (1 year) and retention policy
- Stages: online collection, compression, protection, retention, disposal, storage
- On-line storage: frequent access, ready access, real-time monitoring, production log data
- Near-line storage: active archive data, backup data
RSA envision product licensing policy: a range of models to fit the customer environment
- EPS tiers: 500, 1,000, 2,500, 5,000, 7,500, 10,000, 30,000 (the chart's EPS scale runs to 300,000)
- Device-count tiers: 100, 200, 400, 750, 1,250, 1,500, 2,048 devices
RSA envision use cases: a 3-in-1 log management platform
Security operations (Enhance Security & Mitigate Risk)
- Access control
- Real-time alerting
- False-positive prevention
- Monitoring of special (privileged) users
- Detection of unauthorized network services
- Detection of malicious software
- Security policy enforcement
- System environment and transmission security
Compliance (Simplify Compliance)
- SLA compliance monitoring
- Access control
- System configuration control
- User monitoring and management
- Reports covering PCI, SOX, HIPAA, FISMA and other regulations
IT & network operations (Optimize IT & Network Operations)
- Network troubleshooting
- Helpdesk support
- Monitoring of specific users' activity
- System configuration management
- Network asset monitoring
- Network operations optimization
- Collaboration between the security team and the IT team
- Shorter problem-analysis time
Security event management: customer cases
RSA envision at a domestic university (S University): background to the adoption
- Operates the firewall at a 20 Gbps internet gateway
- No system retained every event in raw log form
- No system analyzed the high traffic volume in real time
- Emergencies caused by overload traffic: an event overload at a given past time could not be detected, and when an emergency occurred the cause could not be identified and no emergency action could be taken
- Heterogeneous and embedded devices: no system aggregated events from heterogeneous devices and analyzed their correlation; log collection agents cannot be installed on embedded devices
- Performance: the need to process large event volumes, 10,000 ~ 30,000 events per second (EPS)
Requirements: collect and store, analyze and manage, alert and report; all devices, all logs, high-performance log / event collection
RSA envision at S University: results and future plans
Results
- Used as analysis material when a security incident occurs
- On recognizing system access by an unauthorized person, raises an alert, lets administrators block the connection promptly, and provides the basis for preventive measures
- Per-system review of access records and analysis of unauthorized users' activity
- Stronger threat-information analysis secures the stability of the campus's information assets
- Lossless long-term retention of raw logs
- Easy storage expansion; maximum performance and convenient system expansion through Local Collectors
Future plans
- Collect logs from key servers (application servers, data servers)
- Correlate security device logs with key server logs
- Systematize the management of network-usage information and history
- Establish a log collection roadmap covering every system on the campus network
- Establish an envision expansion roadmap
[Diagram: application servers, data servers and storage feeding three Local Collectors]
RSA envision at a domestic fire insurance company (S Fire Insurance): results
- Agentless log collection
- Central collection of the raw logs of about 4,700 heterogeneous systems (application servers, data servers, NAS storage, via Local Collectors) and cross-correlation analysis
- UDS (Universal Device Support) means zero separate integration development work
- Integrated NW / security operations and lower TCO
- Conditional Dynamic Custom Reporting
Thank you!