NATO Cooperative Cyber Defence
Centre of Excellence Tallinn, Estonia

Security Events Management

Next Course: 23-24 April 2012 (registration to free slots opens on 19 March)
Number of Attendees: 14 (1 granted slot per sponsoring nation; others can be assigned to the course if slots remain available)

Introduction
Depending on the size of the organisation, IT systems can be made up of dozens of servers, services, network devices, etc., and hundreds or even thousands of client computers. It is practically impossible to manually manage the logs and events generated by all those assets. Moreover, security devices such as firewalls, IDS or IPS generate thousands of alarms each day, many of them false positives.

SIM (Security Information Management) tools are used to gather events and logs from different sources and store them for long periods. SEM (Security Event Management) tools are used to correlate security events and logs from different hardware and software devices; this is usually done in real time and in a centralised way. SIEM is the convergence of both functionalities into a single system, and has become quite popular in the last few years.

SIEM systems (both the technology and the people operating it) address these issues and support security operations in large IT systems, forming the core of CIRC capabilities such as NATO NCIRC. SIEM also helps to provide situational awareness, filling the gap between technical staff and decision makers, as well as system and information owners.
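As an added illustration of the two functions just described (not course material and not OSSIM code): SIM-style collection normalises syslog lines from two different sources into one schema, and a SEM-style rule then correlates them into a single alert per source address instead of one alarm per raw event. The sample log, hostnames, addresses and the IDS signature ID are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed syslog-style sample from two sources (an SSH server and an IDS sensor).
# Hostnames, addresses and the IDS signature ID are placeholders, not real identifiers.
SAMPLE_LOG = """\
2012-04-23T09:00:01 srv01 sshd[101]: Failed password for root from 10.0.0.7 port 51001 ssh2
2012-04-23T09:00:03 srv01 sshd[102]: Failed password for root from 10.0.0.7 port 51002 ssh2
2012-04-23T09:00:05 ids01 snort[7]: [1:9999999:1] SCAN Potential SSH Scan 10.0.0.7:51003 -> 10.0.0.5:22
2012-04-23T09:00:07 srv01 sshd[103]: Failed password for root from 10.0.0.7 port 51004 ssh2
2012-04-23T09:00:10 srv01 sshd[104]: Accepted password for root from 10.0.0.7 port 51006 ssh2
2012-04-23T09:30:00 srv01 sshd[105]: Failed password for bob from 10.0.0.9 port 40000 ssh2
"""

PATTERNS = [  # normalisation: different sources, one common schema (event type + source IP)
    ("auth_fail", re.compile(r"sshd\[\d+\]: Failed password for \S+ from (?P<src>\S+)")),
    ("auth_ok", re.compile(r"sshd\[\d+\]: Accepted password for \S+ from (?P<src>\S+)")),
    ("ids_scan", re.compile(r"snort\[\d+\]: \[[\d:]+\] .*SCAN.* (?P<src>[\d.]+):\d+ ->")),
]

def normalise(log_text):
    """SIM-style collection: raw lines -> (timestamp, host, event type, source IP)."""
    events = []
    for line in log_text.splitlines():
        ts, host, rest = line.split(" ", 2)
        for etype, rx in PATTERNS:
            if m := rx.search(rest):
                events.append((datetime.fromisoformat(ts), host, etype, m.group("src")))
                break
    return events

def correlate(events, window=timedelta(minutes=5), fail_threshold=3):
    """SEM-style correlation: one alert per offending source IP, not one per raw event.
    Rule: >= fail_threshold failures inside `window`; 'high' if the IP also tripped the IDS and then logged in."""
    by_src = defaultdict(list)
    for ts, _host, etype, src in events:
        by_src[src].append((ts, etype))
    alerts = []
    for src, evs in sorted(by_src.items()):
        evs.sort()
        fails = [ts for ts, e in evs if e == "auth_fail"]
        burst = any(fails[i + fail_threshold - 1] - fails[i] <= window
                    for i in range(len(fails) - fail_threshold + 1))
        if not burst:
            continue  # isolated failures stay in the SIM store but raise no alert
        saw_ids = any(e == "ids_scan" for _, e in evs)
        success_after = any(e == "auth_ok" and ts >= fails[0] for ts, e in evs)
        severity = "high" if saw_ids and success_after else "medium"
        alerts.append({"src": src, "severity": severity, "raw_events": len(evs)})
    return alerts
```

Running `correlate(normalise(SAMPLE_LOG))` collapses five raw events from 10.0.0.7 into one high-severity alert and raises nothing for the single failure from 10.0.0.9.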

Course objectives
- Introduce the students to SIEM systems.
- Understand the complexity of SIM/SEM projects.
- Identify the requirements and steps needed to succeed in developing such projects.
- Put this knowledge into practice with a hands-on exercise using the OSSIM (Open Source SIM) tool in a virtualised system scenario.

Course outline
1. Introduction to SIEM systems:
- SIM/SEM technologies overview.
- Organisation (decision-makers) value.
- Security monitoring process.
- A SIEM project planning.
2. Introduction to OSSIM
3. Hands-on exercise:
- Case study.
- OSSIM project set-up and deployment.
- Testing and tool tune-up exercise, receiving real network events and handling security issues and alerts.

Prerequisites
Students are expected to have a basic understanding of TCP/IP networking and knowledge of common network services and architectures.

This course is designed as an extension of the Cyber Defence Monitoring Solutions course; therefore attendees are expected to have a basic understanding of the inner workings of IT systems event management (e.g. syslog) and of common security and network tools (Snort, OSSEC, Nmap, Nessus, Ntop, etc.).

Additional information about the course: Leo Oja (leo.oja-at-ccdcoe.org)
