Data Center is our focus

We help to build, access and manage your datacenter and server rooms

Structure Cabling

We help structure your cabling, Fiber Optic, UTP, STP and Electrical.

Get ready to the #Cloud

Start your Hyper Converged Infrastructure.

Monitor your infrastructures

Monitor your hardware, software, network (ITOM), maintain your ITSM service .

Our Great People

Great team to support happy customers.

Thursday, April 27, 2017

Use Central Log Management for Security Event Monitoring Use Cases

Use Central Log Management for Security Event Monitoring Use Cases

Published: 12 October 2016 ID: G00299625
Analyst(s):
 

Summary

Security and risk management leaders seek to improve threat monitoring and detection capabilities, regardless if they are starting from scratch or already have capabilities in place. The use of central log management tools can address these cases, in addition to traditional compliance use cases.

Overview

Key Challenges

  • Fragmented or incomplete log collection hampers security monitoring and incident response. Examination and analysis of log data from multiple sources is critical in quickly determining whether a suspected security incident has occurred (and is mandated by many compliance regimes).
  • Midsize organizations often lack the staff and training to support the deployment and operation of a security information and event management (SIEM) product to support security log management and investigation activities.
  • SIEM tool licensing approaches are causing friction and increasing frustration for organizations, as they must tailor log and event collection to maximize existing license capacity and budgetary constraints.
  • Use cases beyond foundational security capabilities are driving increasing interest and use of central log management (CLM) tools, but many clients are not aware of these new use cases.

Recommendations

Security and risk management leaders responsible for security monitoring and operations should:
  • Use a CLM tool to address security monitoring and compliance use cases where there are insufficient resources or budget for a SIEM or for managed security services.
  • For midsize organizations, look to use existing IT and network operations log management tools to collect and manage security event logs.
  • Consider a multitier approach using a CLM tool when planning a SIEM deployment to avoid overutilization, and overlicensing, from the start.
  • Use a CLM tool to better manage your existing SIEM tool investment if your organization has an existing SIEM solution that cannot scale its collection and analysis capabilities due to budget constraints.

Introduction

The use of CLM — the collection, aggregation and retention of event data from security technologies and other related IT log sources — to support security use cases (i.e., threat detection and compliance) is not new. However, it fell out of favor as increasingly capable SIEM products offered real-time correlation, alerting and reporting capabilities (especially for compliance requirements), in addition to log collection and management. As midsize organizations and resource-constrained enterprises have discovered, SIEMs come with budget and expertise requirements that present challenges to successful deployment and ongoing operations. At the other end of the spectrum, enterprises that have started their SIEM journey usually end up in one of two places: underinvested in their initial implementation and having to find budget to increase capacity to meet their use cases, or overlicensed and being stuck paying higher maintenance costs to the SIEM vendor for years for that unused capacity.
Given these scenarios, centralized log management for security event monitoring is having a renaissance. Several factors have raised the visibility of CLM as a stand-alone capability across both enterprises and midsize organizations:
  • Threat detection and response. Organizations are increasingly concerned with detecting and responding to threats, but lack the resources (budgets, dedicated security teams) that can take advantage of resource-intensive SIEM tools, or afford a managed security service provider (MSSP) or managed detection and response (MDR) provider.
  • Compliance. Compliance mandates, such as PCI DSS, HIPAA, FISMA and Sarbanes-Oxley Act, have not disappeared. Other regions may see an increasing need for security log collection and monitoring in the future. Many organizations are also finally acknowledging the need to address these regulations, whether or not they were ignored in the past, or entry into new lines of business, activities and markets is driving adoption.
  • New log collection tools and services. There are new entrants offering log collection and analysis for IT operations, typically deployed on customer premises, but increasingly delivered "as a service" from public cloud service providers leveraging open-source big data tools. In many organizations, these tools are also being used to collect security events and logs, in addition to operational logs from servers, network devices and applications.
  • SIEM costs. Licensing models for many SIEM tools often dissuade customers from collecting all relevant security events and logs. SIEM tools that are licensed according to a volumetric (for example, the number of events or amount of data collected per some time period [seconds, minutes or days]) result in greater costs as data volumes increase. As organizations with SIEM solutions identify additional use cases, this may require adding new log sources, which may require the organization to spend more money to add additional license capacity. This is creating friction for many organizations that may not have sufficient budgets to expand their SIEM tool licenses, leaving them to choose between deprioritizing existing use cases, forgoing adding new use cases or decreasing the scope of monitoring. All of that equates to increasing the chances of not detecting a breach and/or affecting the ability to respond to one.
  • Managed service costs. MSSPs have traditionally focused their monitoring services on network-based security controls. These threat-facing controls offered a combination of factors that made use of an external service provider desirable: a limited number of devices, generating a large volume of alerts with a high percentage of false-positive indications. MSSPs could monitor those alerts and, based on their expertise and knowledge of the threat environment, assess them at lower costs than a customer could do. As customers seek to include more user context, servers and applications in the scope of security monitoring, the benefits of using an external provider may not be as compelling. The events involve activities of systems and users where an external provider has little insight, and the number and different types of event sources increase the costs to deliver services. This compounds some existing client perceptions that MSSPs provide alerts with little to no value due to this lack of adequate knowledge about the customer's environment.
  • Open-source log management . Open-source tools, like Elasticsearch, typically combined with Logstash and Kibana to form the ELK Stack; big data platforms like Hadoop; and NoSQL databases, are gaining visibility, acceptance and use by many forward-leaning organizations as low-cost alternatives to purchasing commercial tools. Increasing adoption by organizations is leading to better documentation and community support, in addition to expanding pay-for-support options provided by the vendors maintaining the tools, which reduces the cost and risk of implementing and maintaining these tools.
In conversations with Gartner clients, a variety of use cases for CLM have emerged. Two use cases are most frequently mentioned: improving foundational security capabilities in the absence of other means, and augmenting new or existing SIEM deployments or service engagements. Both approaches seek to leverage CLM, but from different starting points (see Figure 1). The pool of tools and services tends to overlap across the use cases, indicating that due diligence in selecting the appropriate approach and tools is important.
Figure 1. How Organizations Get to CLM
Research image courtesy of Gartner, Inc.
Source: Gartner (October 2016)

Analysis

Improve Basic Threat Detection and Incident Response Capabilities

Many organizations, especially midsize and small enterprises, have deficiencies in their threat detection and incident response capabilities. The decentralized approach to log management in their IT environments makes detecting threats nearly impossible. Gartner's adaptive security architecture (see "Top 10 Strategic Technology Trends for 2016: Adaptive Security Architecture" ) emphasizes the use detection and response capabilities, in addition to the use of preventative security controls. The best case an organization can hope for is when a system administrator, who is likely intimately knowledgeable about the events generated by his or her systems, notices anomalous activities and investigates. Once a suspected incident is identified then the harder part occurs — trying to validate the incident, and determine the scope and severity across an organization. Without CLM, incident response activities associated with reviewing events in system logs becomes a multiweek effort, as logs are manually reviewed by administrators and analysts, and manual correlation of events is attempted. During this time, attackers may continue to operate inside an organization, or may have already stolen critical information and are long gone.
Increasingly, security and risk management leaders who have not invested in security event monitoring tools and capabilities are seeking the minimum floor to have a basic capability in place, especially when they understand the benefits that can be achieved (e.g., when a potential security incident is being investigated, demonstrating basic security controls to third parties or auditors).

Recommendations and Cautions

  • Before looking at technology, determine all the event sources you plan to consolidate into a CLM tool. These event sources should be prioritized into at least two buckets — mandatory and secondary. Mandatory sources should include security controls (firewalls, unified threat management [UTM], intrusion detection, endpoint protection), network security devices (VPNs, core routers and switches), identity and access tools, user directories (Active Directory), and critical platforms and applications (externally facing web applications, Windows domain controllers, business-critical internal apps). Secondary sources may include all other network devices (routers/switches), OS and platform logs, and less critical application logs.
  • Use the buckets described above to understand the potential amount of storage required over the three implementation phases, and establish a plan to retain logs for at least one year (or 366 days). Some Gartner clients report that 90 days is commonly retained, but there may be specific log sources that require longer retention periods due to compliance and regulatory mandates (such as PCI DSS, which requires one year). Additionally, industry reports on time to detect a breach indicate that 90 days is not sufficient if the logs are needed for investigation purposes. 3One of the benefits of using a log management tool is that they all generally offer log compression and warm archiving, such that logs can be stored much more efficiently in a dedicated tool, compared to how they are stored on the hosts or devices where they are generated.
  • Determine where most security logs are being generated, including those related to wider IT sources — on-premises or cloud (public and private). Increasingly, as organizations adopt and move workload to cloud environments, it may be preferable to use a cloud-based log management service rather than deploy an on-premises solution. Consideration has to be made for where the bulk of the data collection will occur in order to minimize the associated costs with sending data into or out of a cloud environment. For example, Amazon Web Services (AWS) does not charge for data sent in, but will charge for data sent out of the environment.
  • Consider commercial log management solutions and services before looking at open-source solutions depending on the use cases. Commercial log management solutions are available from a variety of vendors, either as stand-alone products or as the logging tier of commercial SIEM tools. Commercial tools will be more expensive than open source, but they are typically quicker to install and configure, offer flexible deployment options (either hardware, virtual appliances or SaaS), come with event parsers for most common products and platforms, have reporting capabilities and default report templates for compliance purposes, and will have dedicated support options if issues arise.
  • Organizations (typically midsize and smaller enterprises) with existing tools that collect logs across the IT environment should consider adding security events into these tools before pursuing a dedicated security log management tool. Many of these tools also support SIEM capabilities as an add-on, such as ManageEngine, Micro Focus, SolarWinds and Splunk.
  • Consider open-source tools, like the Elastic Stack (also known as the ELK stack ) when your organization has the resources and expertise to dedicate to implementing, customizing and administering these tools. Security teams that have available staff who are looking for development opportunities are strong candidates to assign to this type of activity. Interested security staff will view the opportunity as a skills and career development effort, and the security team will also benefit. Cloud-based options are also increasingly available, either directly from Elastic or through third parties using Elasticsearch and other open-source tools with their own UI and custom capabilities.
  • Log management tools that offer reporting capabilities may need to parse and normalize log data, so data source content and structure must be understood by the CLM tool or the person implementing it. If custom apps or specialized systems exist in an organization, then custom parsers may have to be written (requiring internal expertise) or provided by the vendor at additional cost and time. If normalization is required, seek out vendors that can make this process as simple as possible (for example, automatic detection of formats or visual interfaces to aid in constructing a parser). Tools that collect raw machine logs and will be used for log retention, search and log forwarding capabilities may not require normalization activities.

Use Central Log Management to Maximize SIEM Tool Investments

An increasingly popular question from Gartner clients that are planning to or already have deployed a SIEM tool is how to maximize their existing investment. Many clients face the need to expand their security monitoring use cases, but lack the budgets to purchase additional licenses for their SIEM tools. Other clients investing in a SIEM tool raise concerns about how to achieve an optimal balance of purchasing enough capacity without overinvesting in license capacity that may not be used, thus leading to misallocation of existing budget and a future "tax" on that unused capacity. Clients in this position report frustration with their vendors due to being constrained by their licensing inflexibility.
A number of clients have reported successfully implementing a log collection and management tier leveraging commercial and open-source log tools, as well as big data platforms where organizations have already deployed those technologies and have internal expertise available to the security team. This is the proverbial security data lake (see "Three Architecture Styles for a Useful Data Lake" ) that many mature, lean-forward enterprises are implementing. Client interest has increased in the past year regarding industry acceptance and feasibility of this approach.
The goal is to gain better incident response capabilities by capturing all security-related event logs into a single log collection and management platform, with the ability to selectively forward the raw logs needed to achieve the use cases in SIEM tools. The approach does not replace the need for a SIEM, as it still provides the event normalization, real-time threat detection, workflow and incident response management, and reporting capabilities (see Figure 2 for a sample architecture).
Figure 2. Representative Log and Event Management Tier Use Case
Research image courtesy of Gartner, Inc.
Source: Gartner (October 2016)

Recommendations and Cautions

  • Purchase a commercial solution if your organization, including the security team, does not have the internal capabilities and expertise with large data acquisition and management platforms, such as data lakes . Many commercial log and event management products can provide similar features as a data lake (for example, ingestion of raw machine data and horizontal scaling to grow as performance and storage needs increase).
  • Ensure that there is a clear life cycle management plan in place for security event monitoring use cases to manage the flow of events and log data from the central log collection tier to the downstream SIEM tool (see "How to Develop and Maintain Security Monitoring Use Cases" ). Identify data that will not be sent to a SIEM tool initially, but may be useful to support investigation, and plan integrations that make that data available on demand.
  • Organizations that do not yet have this capability and are budget-challenged should review open-source applications first before pursuing commercial tools. Commercial Hadoop vendors are moving into the security log and event management and analytics market. These developments should be monitored for future use opportunities by organizations already using these vendors. However, many of these offerings are in development and new, so a cautious approach is warranted depending on the maturity of the offering.
  • The addition of a central log collection and management tier needs to be considered as yet another platform to manage, either for the security team or IT. The addition of another technology requires evaluating the costs and risks to be weighed against the impact and benefits, appropriate resources allocated, and sufficient management support, or else it will be another failed security project.

Representative Vendors and Providers

  • Open-Source Tools— Balabit (syslog-ng), Elastic, Graylog
  • Commercial Tools — Balabit (syslog-ng Store Box), TIBCO LogLogic, Tripwire Log Center
  • SIEM Log Tier Tools — see "Magic Quadrant for Security Information and Event Management" and "Critical Capabilities for Security Information and Event Management"
  • Cloud-Based Services — Logentries, Loggly, Splunk Cloud, Sumo Logic
  • On-Premises Big Data Platforms — Cloudera, Elastic, Hortonworks, MapR (for additional insights, see "Market Guide for Hadoop Distributions" )

Evidence

The EU Directive on Security of Network and Information Systems states: "Under the NIS Directive, identified operators of essential services will have to take appropriate security measures and to notify serious incidents to the relevant national authority."
Mandiant's M-Trends 2016 report indicates the median time to detect a breach in 2015 was 142 days.
Hortonworks is providing support for Metron via the Apache incubation model .
Elastic has announced that it acquired Prelert , which offers security analytics capabilities.
Cloudera supports the Open Network Insight (ONI) project , which is applying big data analytics to threat detection use cases.
MapR offers functionality for security log analytics .

Temukan dan perhatikan SUHU - TEGANGAN data center Anda

Dalam menjalani layanan perawatan AC, terutama AC Presisi, kami memperhatikan 2 hal ini sebagai faktor utama dalam memastikan ruang server / data center berjalan normal.

1. Suhu / Kelembaban.

Perangkat apapun yang ada di data center dan ruang server kita memiliki batas / ambang kerja normal berdasarkan suhu. Kecuali perangkat yang memang didesain dari awal untuk bertahan di ruangan yang bersuhu tinggi, maka perangkat umumnya memiliki suhu kerja.

Hal ini bisa kita amati dari spesifikasi perangkat yang kita pasang, seperti ini:

General recommendations suggest that you should not go below 10°C (50°F) or above 28°C (82°F). Although this seems a wide range these are the extremes and it is far more common to keep the ambient temperature around 20-21°C (68-71°F). For a variety of reasons this can sometimes be a tall order.

Maka tentu kita harus memperhatikan suhu ini, tentu di lingkungan Jakarta dan Indonesia pada umumnya suhu ambang 28 derajat sering kami set di dalam perangkat monitoring lingkungan data center yang kami sediakan.

Apabila dibawah, atau khususnya di atas dari tegangan ini, umumnya kita bisa curiga ada masalah dengan perangkat pendingin kita. Dalam beberapa customer, malah ada yang menempatkan sensor suhu, humidity dalam tiap rak, terutama rak kritikal.

2. Tegangan kerja.

Dalam berbagai data center besar, kita menggunakan tegangan 3 phase. Sedangkan untuk ruang server umumnya menggunakan 1 phase. Tegangan kerja yang kita harapkan tentu sesuai dengan tegangan kerja perangkat kita. Umumnya 230-250 volt. Apabila di luar dari ini, lebih rendah, dan lebih tinggi, tentu membuat perangkat rusak dan terganggu.

Kedua hal ini bisa dimonitor dengan menggunakan Environment Monitoring System (EMS). Dalam hal ini, kami selaku distributor dari AKCP, kami banyak menggunakan produk AKCP. Dan produk minimal yang bisa digunakan adalah AKCP SP2.

Silahkan kontak kami  untuk mendapatkan layanan perawatan AC Presisi anda, dan kami akan berikan AKCP SP2 dalam paket layanan kami.

Monday, April 24, 2017

AKCP POWER MONITORING semakin mudah untuk Data Center Anda

AKCP baru saja merelease solusi terbaru mereka, yaitu Power Monitoring. Dalam solusi Power Monitoring ini menggunakan Smart Power Controller (SPC+) dan Power Strip (PS+).

SPC+ dapat digunakan pada existing power strip / PDU dan ini sangat sesuai karena :

  1. Tersedia opsi dalam bentuk 1U (horisontal) atau 0U (vertical) dipasang di rak.
  2. Dapat digunakan sebagai monitoring 8 rack dengan menggunakan Basic Expansion Bus (BEB).
  3. Memiliki kemampuan Power switching sehingga dapat digunakan untuk mematikan power di rak terkait dengan adanya bahaya Fire atau UPS yang kehabisan daya.
  4. Dapat dipasang Thermal map sensors untuk memonitor titik panas dalam rak (hotspots)
  5. Suhu dan tegangan digunakan untuk melakukan pengaturan yang tepat mencapai optimal pembacaan PUE

Dengan mudah AKCP SPC+ dimasukkan ke dalam existing Rak. Tinggal memilih type yang 1U atau 0U.


Type 1U


Type 0U.

SPC+ juga digunakan dalam kombinasi hingga 8 rak dengan menggunakan BEB.


Dan tinggal menambahkan jenis sensor lain dari AKCP untuk melengkapi kemampuan SPC+



Berikut detail spesifikasinya :



Kontak kami segera untuk kebutuhan monitoring power Anda, dan temukan kemudahan implementasi dan pengukuran PUE data center Anda.





Mengapa semakin banyak perusahaan melirik Vcloudpoint ?


Semakin banyak perusahaan mensiasati kebutuhan komputer di lingkungan perusahaan. Hal ini dikarenakan banyak faktor eksternal yang semakin menekan, diantaranya :


  1. Kenaikan Harga Tarif Listrik
  2. Pelemahan Nilai Mata Uang Rupiah
  3. Penurunan Daya Beli Masyarakat
Semua ini memutar otak para pebisnis yang semakin lama semakin tergantung untuk menggunakan komputer dan laptop dalam mendukung kegiatan bisnisnya. Sehingga sangat diperlukan adanya workstation powerfull yang dapat mendukung kegiatan bisnis perusahaan. Meskipun harga laptop semakin menurun, tapi penggunaan banyak laptop juga menimbulkan permasalahan baru, seperti harus ada aplikasi yang dipasang di tiap laptop, termasuk aplikasi office dan antivirus.

Maka semua ini dijawab oleh VCloudPoint, solusi zero client menggantikan fungsi desktop yang selama ini dikenal. Dan ini sangat menghemat biaya operasional perusahaan.



Dengan satu device VCloudPoin :
- 2 dedicated USB mouse and keyboard ports
- Stereo speaker or headphone and microphone ports
- 1 port 100 Mbps Ethernet port
- 1 port - VGA port supporting monitor resolutions as high as 1920x1080
- 2 USB 2.0 ports for attaching USB peripherals

Dan dapat dengan mudah dipasang di belakang layar LCD.

Bandingkan harganya :
- 1 Unit VCloudPoint = Rp. 1.750.000,-
- 1 Unit Layar LCD = Rp. 1.100.000,-
Total - Rp. 2.850.000,- / unit.

VCloudPoint juga sangat mendukung aplikasi grafis, ini yang seringkali menjadi kendala, karena di VCloudPoint digunakan protokol Dynamic Desktop Protocol (DDP) yang sangat mendukung rich media support.



Adapun type S100 adalah type yang paling banyak digunakan saat ini.





Penghematan maksimal bisa dirasakan oleh perusahaan Anda, segera gunakan Vcloudpoint sekarang juga.



Berikut sizing untuk kebutuhan Vcloudpoint:


Kontak kami segera untuk kebutuhan perusahaan / instansi anda.