High Availability and Disaster Recovery with Novell Sentinel Log Manager

Building Highly Available Log Management and SIEM Solutions

Sesh Ramasharma, CISSP, Principal – Identity, Access & Security Management, Novell, Inc.

May 21, 2015

Novell Sentinel Log Manager can be implemented in a high availability cluster using the SUSE Linux Enterprise 11 High Availability Extension. This approach, combined with the Sentinel Log Manager backup scripts, can be used to provide a solution for disaster recovery.

This session will explain the architecture of the high availability and disaster recovery solution available with Sentinel Log Manager as well as implementation details.
Transcript
Page 1: High Availability and Disaster Recovery with Novell Sentinel Log Manager

Building Highly Available Log Management and SIEM Solutions

Sesh Ramasharma, CISSP

Principal – Identity, Access & Security Management

Novell, Inc

Page 2: High Availability and Disaster Recovery with Novell Sentinel Log Manager

© Novell, Inc. All rights reserved.

Agenda

• Logical view of Log Management and SIEM

• Key Tenets of Security - CIA

• Availability Defined

• Know the moving parts of the solution

• Key considerations

• Tools in the Repertoire

• Summary

Page 3

Log Management and SIEM

• Log Management is sometimes referred to as Security Information Management or “SIM”

• Security Event Management or “SEM” is focused on real-time monitoring, alerting, incident response

(Diagram: overlapping feature sets of Log Management and SEM)

– Log Management: Compression, Forensics, Data integrity, Unknown log support, Data retention, Raw log forwarding

– Common to both: Data collection, Ad-hoc query, E-mail alerts, Reports

– SEM: Event correlation, Robust alert, Incident response, Dashboards, Data enrichment, Filtering

Page 4

CIA Tenets of Security

• CIA tenets of security apply to SIEM / Log Management systems as well

– Confidentiality: Classification of data and ensuring data is visible only to constituencies that are authorized

– Integrity: Data cannot be tampered with, and non-repudiation is assured

– Availability: Available when and where needed

Page 5

Risk-based definition of High Availability

• Definition of “High Availability” is subjective

– Defined by number of 9’s

• It should be driven by and be commensurate with business risk

• The primary reason it needs to be evaluated subjectively is that it comes with a cost!

Page 6

Functional Sensitivity to Availability

• Break down availability by functionality

• Some functions need higher availability than others

(The Log Management / SEM feature diagram from page 3 is repeated here.)

Page 7

Logical View – SIEM Burton Reference Model

(Diagram, reconstructed from the slide text)

INPUTS (each fed through a Logging Agent):

– Identity Management: Access Control, Directories, Provisioning

– System Management: Host and DB Configuration, Patch Management, Vulnerability Management

– Perimeter Controls: Routers, Firewalls, Content Scanners

– Intrusion Detection / Response: Network IDS, Network IPS, Other Sensors

COLLECTION / AGGREGATION / CORRELATION: Distributed Collectors feed a Central / Master Collector; this layer holds the Raw Log, Signatures / Attack Patterns and Policies / Compliance Rules

REAL-TIME ANALYSIS / RESPONSE: Security alerts, Reports

OPERATIONS INTEGRATION / VISUALIZATION / ADMINISTRATION: Visualization, Help Desk Ticketing, Network / Security Operations

RESPONSE (vertical label on both sides of the diagram)

Source: Burton Group – Diana Kelley

Page 8

Novell® Sentinel™ SIEM

(Diagram, reconstructed from the slide text)

Server components: Correlation, Sentinel Control Center, Reports, Repository, iTRAC, Proxy

Message bus channels: Collector Managers publish, server components subscribe

Collector Managers host Collectors, which parse-normalize events, apply taxonomy, add business relevance and perform exploit detection

External Event Sources:

– Security Perimeter: VPN, Host IDS, Network IDS, Antivirus, Firewall

– Referential IT Sources: Vulnerability Mgmt, Patch Mgmt, Asset Mgmt, Identity Mgmt

– Operating Systems: Domain Controller, Mainframe, Laptops, Workstations, Server

– Application Events: Custom Events, RDBMS, Business Apps

Page 9

Novell® Sentinel™ RD

© Novell Inc, Confidential & Proprietary

Page 10

Novell® Sentinel™ Log Manager

Page 11

SIEM/Log Management Layers

(Diagram: two stacks side by side)

Event Source: Application → Agent → Operating System → Storage / Network

SIEM / Log Management System: Application (SIEM, Log Mgmt.) → Operating System → Storage / Network

Page 12

SIEM/Log Management Layers – Novell® Sentinel™ Suite Perspective

(Diagram: three stacks side by side)

Event Source: Application → SIEM Agent → Operating System → Storage / Network

Collector Manager: Application → Collector → Operating System → Storage / Network

SIEM / Log Management System: Application (SIEM, Log Mgmt.) → Operating System → Storage / Network

Page 13

Know the Moving Parts – A Vertical Slice – Flavor 1

(Diagram: Burton Reference components mapped to Novell® Sentinel™ components)

Burton Reference: Event Source (Logging Agent) → Distributed Collector → Central / Master Collector → Log Database → Reports, Security alerts, Visualization

Novell® Sentinel™: Event Source (Logging) → Distributed Collector → Central / Master Collector → Message Bus → Log Database → Reports, Security Alerts, Workflow Remediation, Visualization

Page 14

Know the Moving Parts – A Vertical Slice – Flavor 2

(Diagram: Burton Reference components mapped to Novell® Sentinel™ components, with Sentinel Log Manager added)

Burton Reference: Event Source (Logging Agent) → Distributed Collector → Central / Master Collector → Log Database → Reports, Security alerts, Visualization

Novell® Sentinel™: Event Source (Logging) → Distributed Collector → Central / Master Collector → Message Bus → Log Database → Reports, Security Alerts, Workflow Remediation, Visualization

Additional components in this flavor: Control Center, Sentinel Log Manager, Raw Log

Page 15

Degrees of Availability

(Chart: Cost plotted against Availability, with axis ticks at 0%, 95%, 98%, 99.5% and 99.9%; Cold Backup, Warm Standby and Hot Backup appear in order of increasing availability and cost)

Page 16

Cold Backup

• Characteristics

– Back up all the components at periodic intervals

– Restore a point-in-time backup upon failure

• Implications

– Economical solution

– Availability will be at the lower end of the spectrum, as recovery takes longer

– State of the entire system has to be in sync

– High potential for data loss upon recovery

Page 17

Warm Standby

• Characteristics

– Back up all the components at periodic intervals

– Fully redundant system on stand-by

– Restore a point-in-time backup onto the redundant hardware in stand-by mode

– Activate stand-by upon primary failure

• Implications

– More expensive than cold backup solution

– Availability will be better

– State of the entire system has to be in sync

– Potential for data loss on recovery

Page 18

Hot Backup

• Characteristics

– Fully redundant system

– Collect events redundantly from all event sources

– Activate stand-by upon primary failure

– Can be used in an Active/Active mode if correlation-rule load and the number of reporting users are high

• Implications

– More expensive than cold backup and warm standby solutions

– Availability will be best

– Low potential for data loss on recovery
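The cold, warm and hot models on pages 16 to 18 differ mainly in how often state is captured, how long recovery takes, and whether events keep being collected while the primary is down. The following Python model is an added illustration written for this page, not part of the Novell deck: it puts constructed numbers on those three properties and works out, for a single failure, how many events would be lost and what availability results over a reporting window. The tier parameters (daily backups and an eight-hour restore for cold, hourly backups and a one-hour activation for warm, redundant collection and a five-minute failover for hot), the event rate and the 30-day window are assumptions chosen for the example.

```python
"""Constructed availability / data-loss model for the cold, warm and hot recovery tiers."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryModel:
    name: str
    backup_interval_min: float   # minutes between point-in-time backups (inf = no snapshot needed)
    recovery_min: float          # minutes from failure until the service is back
    redundant_collection: bool   # a standby keeps collecting events while the primary is down


# Assumed tier parameters for the example; not figures from the presentation.
COLD_BACKUP = RecoveryModel("Cold Backup", backup_interval_min=24 * 60, recovery_min=8 * 60,
                            redundant_collection=False)
WARM_STANDBY = RecoveryModel("Warm Standby", backup_interval_min=60, recovery_min=60,
                             redundant_collection=False)
HOT_BACKUP = RecoveryModel("Hot Backup", backup_interval_min=math.inf, recovery_min=5,
                           redundant_collection=True)


def nines(availability):
    """Express an availability fraction as its 'number of nines' (0.999 -> 3.0)."""
    if availability >= 1.0:
        return math.inf
    return -math.log10(1.0 - availability)


def simulate_failure(model, failure_at_min, events_per_min, window_min):
    """Work out the effect of one primary failure at minute `failure_at_min`.

    Events since the last completed backup are lost on restore, and events arriving
    during the outage are lost too, unless a redundant standby is still collecting.
    Availability is measured over a window of `window_min` minutes.
    """
    if model.redundant_collection:
        lost_before = 0.0
        lost_during = 0.0   # the deck says "low potential for data loss"; modelled as zero here
    else:
        since_backup = failure_at_min % model.backup_interval_min
        lost_before = since_backup * events_per_min
        lost_during = model.recovery_min * events_per_min
    downtime = model.recovery_min
    availability = 1.0 - downtime / window_min
    return {
        "events_lost": lost_before + lost_during,
        "downtime_min": downtime,
        "availability": availability,
        "nines": nines(availability),
    }


def compare(models, failure_at_min, events_per_min, window_min):
    """Run the same failure against every tier and return results keyed by tier name."""
    return {m.name: simulate_failure(m, failure_at_min, events_per_min, window_min)
            for m in models}


def rank_by_availability(results):
    """Tier names ordered from highest to lowest availability."""
    return sorted(results, key=lambda name: results[name]["availability"], reverse=True)


if __name__ == "__main__":
    # Constructed scenario: failure 10 h 10 min into a 30-day window, 100 events/min.
    outcome = compare([COLD_BACKUP, WARM_STANDBY, HOT_BACKUP],
                      failure_at_min=610, events_per_min=100, window_min=30 * 24 * 60)
    for name in rank_by_availability(outcome):
        r = outcome[name]
        print(f"{name:13s} lost={r['events_lost']:>9.0f} events  "
              f"downtime={r['downtime_min']:>4.0f} min  "
              f"availability={r['availability']:.5f} ({r['nines']:.2f} nines)")
```

The interesting comparison is not the availability figure alone but the events-lost column next to it: a warm standby with hourly backups recovers availability quickly, yet still loses everything since the last snapshot plus the activation window, which is the "potential for data loss on recovery" the slides call out. Changing `backup_interval_min` for the warm tier shows how far the backup cadence, rather than the failover time, drives the data-loss side of the trade-off.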

Page 19

Hybrid Solutions are possible

• It is possible to have hybrid solutions to achieve varying degrees of availability for different components / event sources based on business requirements and cost factors

– High Availability within a Data Center

> E.g. clustering solution with RAID

» Protects against outage of hardware or components within a data center

– High Availability across Data Centers

> E.g. warm standby across data centers

» Protects against outage of an entire data center

– Disaster Recovery

> E.g. cold backup every day

» Protects from total loss of service in case of failure / disaster

• Question for the audience

– What else could be used to cover each of these situations?

Page 20

Key Considerations for model choice

• Functional Sensitivity

• Distributability of the solution

– More is better or less is better? Depends!!!

• Balance Scalability with Availability

• Appliance vs Software

– Component Distributability

– Component Resiliency

> Redundancy

> Local Buffering

• Self-monitoring capabilities

– Do you need a Manager of Managers (MoM), or can your SIEM software monitor itself?
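Of the resiliency properties listed above, local buffering is the one that most directly decides whether a collector loses events while the central server is unreachable. The following Python store-and-forward forwarder is an added example written for this page; it is not Sentinel code, and the `Upstream` stand-in, the line-delimited JSON spool file and the `BufferedForwarder` API are constructed for the illustration. It spools undeliverable events to disk, replays them oldest-first when the upstream returns so ordering is preserved, and bounds the spool so that a long outage becomes a counted, monitorable drop rather than a full disk.

```python
"""Constructed store-and-forward example: local buffering at a collector."""
import json
import os
import tempfile


class Upstream:
    """Stand-in for the central server a collector forwards to (constructed for this example)."""

    def __init__(self):
        self.up = True
        self.received = []

    def send(self, event):
        if not self.up:
            raise ConnectionError("upstream unreachable")
        self.received.append(event)


class BufferedForwarder:
    """Events that cannot be delivered are spooled to a local file (one JSON object
    per line) and replayed in order once the upstream is reachable again."""

    def __init__(self, upstream, spool_path, max_spool_events=10000):
        self.upstream = upstream
        self.spool_path = spool_path
        self.max_spool_events = max_spool_events  # bounded so an outage cannot fill the disk
        self.dropped = 0                          # events refused because the spool was full
        open(spool_path, "a").close()             # create the spool file if it does not exist

    def spool_len(self):
        with open(self.spool_path) as f:
            return sum(1 for _ in f)

    def _spool(self, event):
        if self.spool_len() >= self.max_spool_events:
            self.dropped += 1   # capacity exhausted: this counter is what self-monitoring should alert on
            return False
        with open(self.spool_path, "a") as f:
            f.write(json.dumps(event) + "\n")
        return False

    def drain(self):
        """Replay spooled events oldest-first; stop at the first failure and keep the remainder."""
        with open(self.spool_path) as f:
            lines = f.readlines()
        sent = 0
        for line in lines:
            try:
                self.upstream.send(json.loads(line))
            except ConnectionError:
                break
            sent += 1
        with open(self.spool_path, "w") as f:
            f.writelines(lines[sent:])
        return sent

    def forward(self, event):
        """Deliver one event. Returns True if sent live, False if spooled or dropped."""
        if self.spool_len() > 0:
            self.drain()                 # never let a new event overtake older spooled ones
        if self.spool_len() > 0:
            return self._spool(event)    # upstream still down: queue behind the backlog
        try:
            self.upstream.send(event)
            return True
        except ConnectionError:
            return self._spool(event)


def run_outage_scenario(spool_dir=None):
    """Constructed scenario: five events live, five during an outage, one after recovery."""
    spool_dir = spool_dir or tempfile.mkdtemp(prefix="collector-spool-")
    upstream = Upstream()
    fwd = BufferedForwarder(upstream, os.path.join(spool_dir, "events.spool"))
    for i in range(5):
        fwd.forward({"id": i, "msg": "constructed event"})
    upstream.up = False
    outage = [fwd.forward({"id": i, "msg": "constructed event"}) for i in range(5, 10)]
    upstream.up = True
    delivered_live = fwd.forward({"id": 10, "msg": "constructed event"})
    return {"received_ids": [e["id"] for e in upstream.received],
            "spooled_during_outage": outage.count(False),
            "spool_remaining": fwd.spool_len(),
            "delivered_live": delivered_live,
            "dropped": fwd.dropped}


def run_capacity_scenario(max_spool_events=2, events_during_outage=3, spool_dir=None):
    """Constructed scenario: the outage outlasts the spool capacity."""
    spool_dir = spool_dir or tempfile.mkdtemp(prefix="collector-spool-")
    upstream = Upstream()
    upstream.up = False
    fwd = BufferedForwarder(upstream, os.path.join(spool_dir, "events.spool"), max_spool_events)
    for i in range(events_during_outage):
        fwd.forward({"id": i})
    return {"spooled": fwd.spool_len(), "dropped": fwd.dropped}


if __name__ == "__main__":
    print(run_outage_scenario())
    print(run_capacity_scenario())
```

Two design points carry over to a real deployment: the forwarder drains the backlog before sending anything new, so the upstream always sees events in arrival order, and the spool has an explicit capacity with a `dropped` counter, which is the figure a manager-of-managers or the SIEM's own self-monitoring should watch, since it marks the moment local buffering stops preventing data loss.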

Page 21

Tools in the Repertoire

• Traditional

– Vendor provided solution

> Full redundancy?

– Platform HA

> E.g. OHAC, HACMP

– O/S HA

> E.g. Veritas clusters, Linux Clusters, Solaris clusters

– Database HA

> E.g. Oracle clustering, MS-SQL clustering

– Disk HA

> E.g. SANs, EMC, RAID

– Network HA

> E.g. Self-healing networks

• Leading Edge / Emerging

– Cloud Computing

– Intelligent Workload Management

Page 22

Summary – Back to Basics

Consider a Systemic View

• Understand the organizational risks and the costs of these risks materializing

• Know the cost / benefit of SIEM HA for your organization

• Attack HA from a functional point of view

• Understand the moving parts

• Leverage tools available at all layers

Build the best HA solution for your organization

Page 25

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.