High Availability and Disaster Recovery with Novell Sentinel Log Manager

Building Highly Available Log
Management and SIEM Solutions

Sesh Ramasharma, CISSP
Principal – Identity, Access & Security Management
Novell, Inc

Agenda

• Logical view of Log Management and SIEM
• Key Tenants of Security - CIA
• Availability Defined
• Know the moving parts of the solution
• Key considerations
• Tools in the Repertoire
• Summary

2 © Novell, Inc. All rights reserved.

Log Management and SIEM

• Log Management is sometimes referred to as
Security Information Management or “SIM”
• Security Event Management or “SEM” is focused
on real-time monitoring, alerting, incident response

SEM Log Management

Event correlation Data collection Compression
Robust alert Ad-hoc query Forensics
Incident response E-mail alerts Data integrity
Dashboards Reports Unknown log support
Data enrichment Data retention
Filtering Raw log forwarding


CIA Tenants of Security

• CIA tenants of security apply to SIEM / Log
Management systems as well
– Confidentiality: Classification of data and ensuring data is visible
to only constituencies that are authorized

– Integrity: Data cannot be tampered with and non-repudiation

– Availability: Available when and where needed


Risk based definition of High
Availability
• Definition of “High Availability” is subjective
– Defined by number of 9’s

• It should be driven by
and be commensurate
to business risk

• Primary reason it needs
to be evaluated
subjectively is because
it comes with a cost!


Functional Sensitivity to Availability

• Break down availability by functionality

• Some functions need higher availability than others

SEM Log Management

Event correlation Data collection Compression
Robust alert Ad-hoc query Forensics
Incident response E-mail alerts Data integrity
Dashboards Reports Unknown log support
Data enrichment Data retention
Filtering Raw log forwarding


Logical View – SIEM
Burton Reference Model

OPERATIONS INTEGRATION VISUALIZATION / ADMINISTRATION

Security alerts

Reports

Visualization
Network / Security Operations Help Desk Ticketing
REAL-TIME ANALYSIS / RESPONSE REAL-TIME ANALYSIS / RESPONSE

Raw
Log
Policies / Compliance Signatures / Attack
Rules Patterns
COLLECTION / AGGREGATION / CORRELATION
RESPONSE

RESPONSE
Central / Master Collector

Distributed Collectors

INPUTS

Agent Logging Agent Logging Agent Logging Agent Logging

Identity Management System Management Perimeter Controls Intrusion Detection / Response
• Access Control • Host and DB Configuration • Routers • Network IDS
• Directories • Patch Management • Firewalls • Network IPS
• Provisioning • Vulnerability Management • Content Scanners • Other Sensors

Source: Burton Group – Diana Kelley

Novell Sentinel SIEM ®
™

Correlation iTRAC Sentinel Reports Repository
Control Center

Subscribe

Channels PROXY

Parse-normalize
Collector Manager Collector Manager Taxonomy
Publish Business relevance
Exploit detection
Collectors Collectors Collectors Collectors
External
Event Sources
Event Sources

VPN
External

Firewall Asset Mgmt Patch Mgmt Workstations Laptops Business Apps RDBMS

Host IDS

Identity Vulnerability Domain Custom
Antivirus Server Mainframe
Network IDS Mgmt Mgmt Controller Events
Security Perimeter Referential IT Sources Operating Systems Application Events

Novell Sentinel RD ®
™

9 © Novell, Inc. All rights reserved. © Novell Inc, Confidential & Proprietary

Novell Sentinel Log Manager
®
™


SIEM/Log Management Layers

AGENT SIEM Log
Mgmt.
Application Application
Operating System Operating System
Storage Network Storage Network
Event Source SIEM / Log Management System


SIEM/Log Management Layers –
Novell Sentinel Suite Perspective
®
™

AGENT SIEM Log
Mgmt.
Application Application
Operating System Operating System
Storage Network Storage Network
Event Source SIEM / Log Management System

Collector
Collector
Manager
Application
Operating System
Storage Network

Know the Moving Parts – A Vertical Slice – Flavor 1
Burton Reference Novell Sentinel
®
™

Security alerts Security Alerts

Reports Workflow Remediation

Visualization Visualization

Reports

Log Database
Log Database

Message Bus


Distributed Collector Central / Master Collector

Distributed Collector

Event Source Event Source
Agent Logging Logging


Know the Moving Parts – A Vertical Slice – Flavor 2
Burton Reference Novell Sentinel
®
™

Security alerts Security Alerts

Reports Workflow Remediation

Visualization Visualization

Reports Control Center
Log Database
Log Database

Message Bus

Sentinel Log Raw
Manger Log

Distributed Collector Central / Master Collector

Distributed Collector

Event Source Event Source
Agent Logging Logging


Degrees of Availability

HOT
BACKUP

WARM
STANDBY

COST

COLD
BACKUP

0% 95% 98% 99.5% 99.9%
Availability


Cold Backup

• Characteristics
– Backup all the components at periodic intervals
– Restore a point-in-time backup upon failure

• Implications
– Economic solution
– Availability will be on the lower spectrum as recovery will take
longer time
– State of the entire system has to be in synch
– High potential for data loss upon recovery


Warm Standby

• Characteristics
– Backup all the components at periodic intervals
– Full redundant system on stand-by
– Restore a point-in-time on a redundant hardware on stand-by
mode
– Activate stand-by upon primary failure
• Implications
– More expensive than cold backup solution
– Availability will be better
– State of the entire system has to be in synch
– Potential for data loss on recovery


Hot Backup

• Characteristics
– Full redundant system
– Collect events redundantly from all event sources
– Activate stand-by upon primary failure
– Can be used in an Active/Active mode if correlation rules and
reporting users are high
• Implications
– More expensive than cold backup and warm standby solution
– Availability will be best
– Low potential for data loss on recovery


Hybrid Solutions are possible

• It is possible to have hybrid solutions to achieve varying degree
of availability for different components / event sources based on
business requirements and cost factors
– High Availability within a Data Center
> E.g - Clustering solution with RAID
» Protects against outage of hardware or components within a data center
– High Availability Across Data Center
> E.g - Warm standby across data center
» Protects against outage of entire data center

– Disaster Recovery
> E.g - Cold backup every day
» Protects from total loss of service in case of failure / disaster

• Question for the audience
– What else is possible to provide each of these situations?


Key Considerations for model choice

• Functional Sensitivity
• Distributability of the solution
– More is better or less is better? – Depends!!!
• Balance Scalability with Availability
• Appliance vs Software
– Component Distributability
– Component Resiliency
> Redundancy
> Local Buffering

• Self-monitoring capabilities
– Need a MoM or can your SIEM software monitor itself


Tools in the Repertoire

• Traditional
– Vendor provided solution
> Full redundancy?
– Platform HA
> E.g OHAC, HACMP
– O/S HA
> E.g Veritas clusters, Linux Clusters, Solaris clusters
– Database HA
> Oracle clustering, MS-SQL clustering
– Disk HA
> E.g SANs, EMC, RAID
– Network HA
> E.g Self healing networks
• Leading Edge / Emerging
– Cloud Computing
– Intelligent Workload Management

Summary – Back to Basics

Consider a Systemic View
• Understand the organizational risks and costs of
these risks materializing
• Know the cost / benefit of SIEM HA for your
organization
• Attack HA from a functional point of view
• Understand the moving parts
• Leverage tools available at all layers
----------------------------------------------------------------------
Build the best HA solution for your organization
----------------------------------------------------------------------

Section Break Text Here (32pt)

High Availability and Disaster Recovery with Novell Sentinel Log Manager

Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.

High Availability and Disaster Recovery with Novell Sentinel Log Manager

More Related Content

What's hot (11)

Similar to High Availability and Disaster Recovery with Novell Sentinel Log Manager (20)

More from Novell (20)

High Availability and Disaster Recovery with Novell Sentinel Log Manager