Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
Transcript of "Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?"

  1. So You Got That SIEM. NOW What Do You Do?
     Dr. Anton Chuvakin, SecurityWarrior LLC, www.securitywarriorconsulting.com
  2. DIRE WARNING: This presentation does NOT mention PCI DSS… …oh wait www.pcicompliancebook.info
     Security Warrior Consulting, Dr. Anton Chuvakin
  3. Outline
     • Brief: What is SIEM?
     • “You got it!”
     • SIEM Pitfalls and Challenges
     • Useful SIEM Practices – From Deployment Onwards
     • SIEM “Worst Practices”
     • Replacing a SIEM and Other Tips
     • Conclusions
  4. About Anton: SIEM Builder and User
     • Former employee of SIEM and log management vendors
     • Now consulting for SIEM vendors and SIEM users
     • SANS Log Management SEC434 class author
     • Author, speaker, blogger, podcaster (on logs, naturally)
  5. SIEM? Security Information and Event Management! (sometimes: SIM or SEM)
  6. SIEM and Log Management
     • SIEM: Security Information and Event Management – focus on security use of logs and other data
     • LM: Log Management – focus on all uses of logs
  7. What SIEM MUST Have?
     1. Log and Context Data Collection
     2. Normalization
     3. Correlation (“SEM”)
     4. Notification/alerting (“SEM”)
     5. Prioritization (“SEM”)
     6. Reporting and report delivery (“SIM”)
     7. Security role workflow (IR, SOC, etc)
  8. What SIEM Eats: Logs
     <18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
     <57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006
     <122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2
     <13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ANTON Source Workstation: ENTERPRISE ErrorCode: 0xC000006A 4574
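An added example, not from the deck, of the "Normalization" step from the MUST-have list applied to the four log formats on this slide: each raw line is mapped onto one common authentication-event schema so that later rules can work across sources. The sample lines are constructed (adapted from the slide's samples); hosts, addresses and user names are sample values.

```python
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Raw lines of the four kinds shown on the slide (constructed for this example,
# lightly adapted from the slide's samples; hosts, IPs and user names are sample values)
RAW_LOGS = [
    "<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: "
    "Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)",
    "<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:anton] "
    "[Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006",
    "<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton "
    "from ::ffff:192.168.138.35 port 2895 ssh2",
    # Windows event 680, Failure Audit; 0xC000006A is STATUS_WRONG_PASSWORD
    "<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE "
    "Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
    "Logon account: ANTON Source Workstation: ENTERPRISE ErrorCode: 0xC000006A 4574",
]

@dataclass
class AuthEvent:
    """Common schema every authentication log line is mapped onto."""
    source: str   # log format the line came from
    user: str     # account name, lower-cased so cross-system rules can join on it
    src_ip: str   # originating address, "" when the format does not carry one
    outcome: str  # "success" or "failure"
    raw: str      # original line, kept for the analyst

# (pattern, source name, fixed outcome or None when the pattern captures it)
PARSERS = [
    (re.compile(r"NetScreen .*?Admin User (?P<user>\S+) has logged on via \S+ "
                r"from (?P<ip>[\d.]+):\d+"), "netscreen", "success"),
    (re.compile(r"%SEC_LOGIN-5-LOGIN_SUCCESS:.*?\[user:(?P<user>[^\]]+)\] "
                r"\[Source:(?P<ip>[^\]]+)\]"), "cisco-ios", "success"),
    (re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from "
                r"(?:::ffff:)?(?P<ip>[\d.]+)"), "sshd", "success"),
    (re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from "
                r"(?:::ffff:)?(?P<ip>[\d.]+)"), "sshd", "failure"),
    (re.compile(r"Security .*?(?P<outcome>Success|Failure) Audit.*?"
                r"Logon account: (?P<user>\S+)"), "windows", None),
]

def normalize(line: str) -> Optional[AuthEvent]:
    """Map one raw line onto AuthEvent, or return None when no parser matches."""
    for pattern, source, fixed_outcome in PARSERS:
        m = pattern.search(line)
        if not m:
            continue
        f = m.groupdict()
        outcome = fixed_outcome or ("success" if f["outcome"] == "Success" else "failure")
        return AuthEvent(source, f["user"].lower(), f.get("ip", ""), outcome, line)
    return None

def normalize_all(lines):
    """Normalize a batch; unparsed lines are counted, never silently dropped."""
    events, unparsed = [], 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return events, unparsed

if __name__ == "__main__":
    evs, skipped = normalize_all(RAW_LOGS)
    print(*map(asdict, evs), "unparsed:", skipped, sep="\n")
```

The unparsed counter is the check worth keeping in production: a source whose format changed after a firmware upgrade shows up as a rising count rather than as silently missing events.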
  9. What SIEM Eats: Context
     http://chuvakin.blogspot.com/2010/01/on-log-context.html
  10. How SIEM Got Here!?
     • 1996-2002 IDS and Firewall
       – Worms, alert overflow, etc
       – Sold as “SOC in the box”
     • 2003 – 2007 Above + Server + Context
       – PCI DSS, SOX, users
       – Sold as “SOC in the box”++
     • 2008+ Above + Applications + …
       – Fraud, insiders, cybercrime
       – Sold as “SOC in the box”+++++
  11. Thinking Aloud Here…
     What do we know about SIEM? Ties to many technologies, analyzes data, requires process around it, overhyped.
     What does it actually mean? Many people think “SIEM is complex”.
  12. I will tell you how to do SIEM RIGHT! (Useless Consultant Advice Alert!!)
  13. The Right Way to SIEM
     1. Figure out what problems you want to solve with SIEM
     2. Confirm that SIEM is the best way to solve them
     3. Define and analyze your use cases
     4. Gather stakeholders and analyze their use cases
     5. Research SIEM functionality
     6. Create requirements for your tool, including process requirements
     7. Choose scope for SIEM coverage (with phases)
     8. Assess data volume over all Phase 1 log sources and plan ahead
     9. Perform product research, vendor interviews, references, peer groups
     10. Create a tool shortlist
     11. Pilot top 2-3 products in your environment
     12. Test the products for features, usability and scalability vs requirements
     13. Select a product for deployment and #2 product for backup
     14. Update or create procedures, IR plans, etc
     15. Create SIEM operational procedures
     16. Deploy the tool (phase 1)
  14. The Popular Way to SIEM…
     1. Buy a SIEM appliance
  15. … Backed by Online “Research”
  16. Got Difference?
     • What people WANT to know and have before they deploy a SIEM?
     • What people NEED to know and have before they deploy a SIEM?
  17. Got SIEM? Have you inherited it? Now what?
  18. Popular #SIEM_FAIL… in descending order by frequency:
     1. Misplaced expectations (“SOC-in-a-box”)
     2. Missing requirements (“SIEM…huh?”)
     3. Wrong project sizing
     4. Political challenges with integration
     5. Vendor deception
     6. And only then: product not working
  19. What is a “Best Practice”?
     • A process or practice that
       – The leaders in the field are doing today
       – Generally leads to useful results with cost effectiveness
     P.S. If you still hate it – say “useful practices”
  20. BP0 How to Plan Your Project?
     1. Goals and requirements (WHY)
     2. Functionality / features (HOW)
     3. Scope of data collection (WHAT)
     4. Sizing (HOW MUCH)
     5. Architecting (WHERE)
  21. BP1 LM before SIEM!
     If you remember one thing from this, let it be: Deploy Log Management BEFORE SIEM!
     Q: Why do you think MOST 1990s SIEM deployments FAILED?
     A: There was no log management!
  22. SIEM/LM Maturity Curve
  23. Graduating from LM to SIEM
     Are you ready? Well, do you have…
     1. Response capability and process – Prepared to respond to alerts
     2. Monitoring capability – Has an operational process to monitor
     3. Tuning and customization ability – Can customize the tools and content
  24. BP2 Initial SIEM Use
     Steps of a journey …
     1. Establish response process
     2. Deploy a SIEM
     3. Think “use cases”
     4. Start filtering logs from LM to SIEM – Phases: features and information sources
     Prepare for the initial increase in workload
  25. Example LM->SIEM Filtering
     3D: Devices / Network topology / Events
     • Devices: NIDS/NIPS, WAF, servers
     • Network: DMZ, payment network, other “key domains”
     • Events: authentication, outbound firewall access, IPS
     Later: proxies, more firewall data, web servers
  26. BP3 Expanding SIEM Use
     First step, next BABY steps!
     1. Compliance monitoring often first
     2. “Traditional” SIEM uses
        – Authentication tracking
        – IPS/IDS + firewall correlation
        – Web application hacking
     3. Your simple use cases – What problems do YOU want solved?
  27. Example: Use Case
     Example: cross-system authentication tracking
     • Scope: all systems with authentication
     • Purpose: detect unauthorized access to systems
     • Method: track login failures and successes
     • Rule details: multiple login failures followed by login success
     • Response plan: user account investigation, suspension, communication with suspect user
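An added example, not part of the presentation, of the rule on this slide run over constructed, already-normalized authentication events: a user with several failures inside a time window followed by a success raises one alert. The rule is keyed on the user rather than the host, so failures on one system followed by a success on another (the cross-system case) are caught; the threshold, window, hostnames and addresses are assumed sample values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of normalized events (not from the deck):
# (timestamp, system, user, src_ip, outcome)
EVENTS = [
    ("2006-02-28 20:50:01", "vpn-gw", "anton", "10.14.98.55", "failure"),
    ("2006-02-28 20:50:09", "vpn-gw", "anton", "10.14.98.55", "failure"),
    ("2006-02-28 20:50:15", "vpn-gw", "anton", "10.14.98.55", "failure"),
    ("2006-02-28 20:50:22", "vpn-gw", "anton", "10.14.98.55", "failure"),
    ("2006-02-28 20:50:31", "db-server", "anton", "10.14.98.55", "success"),  # 4 failures, then success on another host: alert
    ("2006-02-28 20:51:00", "web01", "bob", "10.4.2.11", "success"),          # clean login: no alert
    ("2006-02-28 21:30:00", "web01", "carol", "10.4.2.77", "failure"),
    ("2006-02-28 21:30:05", "web01", "carol", "10.4.2.77", "failure"),
    ("2006-02-28 21:30:09", "web01", "carol", "10.4.2.77", "success"),        # 2 failures, below threshold: no alert
    ("2006-02-28 22:00:00", "mail", "dave", "10.4.2.99", "failure"),
    ("2006-02-28 22:00:01", "mail", "dave", "10.4.2.99", "failure"),
    ("2006-02-28 22:00:02", "mail", "dave", "10.4.2.99", "failure"),
    ("2006-02-28 22:20:00", "mail", "dave", "10.4.2.99", "success"),          # failures expired from the 10-minute window: no alert
]

def brute_force_then_success(events, threshold=3, window=timedelta(minutes=10)):
    """Alert when a user has >= threshold failures within `window` before a success.

    State is kept per user, not per host, so a failure burst on one system
    followed by a success on any other system still triggers the rule."""
    recent = defaultdict(deque)   # user -> (timestamp, system) of recent failures
    alerts = []
    for ts_str, system, user, src_ip, outcome in sorted(events):
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        q = recent[user]
        while q and ts - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if outcome == "failure":
            q.append((ts, system))
        elif outcome == "success":
            if len(q) >= threshold:
                alerts.append({
                    "user": user, "success_on": system, "src_ip": src_ip,
                    "failures": len(q),
                    "failed_on": sorted({s for _, s in q}),
                    "first_failure": q[0][0].isoformat(), "success_at": ts.isoformat(),
                })
            q.clear()   # a success closes the sequence whether or not it alerted
    return alerts

if __name__ == "__main__":
    for alert in brute_force_then_success(EVENTS):
        print(alert)   # one alert, for anton: failed on vpn-gw, succeeded on db-server
```

The alert carries the fields the slide's response plan needs (user, source address, systems involved, timing); threshold and window are the tuning knobs the later slides say will consume most of the ongoing time.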
  28. “Quick Wins” for Phased Approach
     Phased approach #1:
     • Collect problems
     • Plan architecture
     • Start collecting
     • Start reviewing
     • Solve problem 1
     • Solve problem n
     Phased approach #2:
     • Focus on 1 problem
     • Plan architecture
     • Start collecting
     • Start reviewing
     • Solve problem 1
     • Plan again
  29. 10 minutes or 10 months?
     “Our log management appliance can be racked, configured and collecting logs in 10 minutes”
     ?
     “A typical large customer takes 10 months to deploy a log management architecture based on our technology”
  30. What is a “Worst Practice”?
     • As opposed to the “best practice” it is …
       – What the losers in the field are doing today
       – A practice that generally leads to disastrous results, despite its popularity
  31. WP for SIEM Planning
     • WP1: Skip this step altogether – just buy something
       – “John said that we need a correlation engine”
       – “I know this guy who sells log management tools”
     • WP2: Postpone scope until after the purchase
       – “The vendor says ‘it scales’ so we will just feed ALL our logs”
       – Windows, Linux, i5/OS, OS/390, Cisco – send ’em in!
  32. Case Study: “We Use ’em All”
     At SANS Log Management Summit …
     • Vendors X, Y and Z claim “Big Finance” as a customer
     • How can that be?
     • Well, different teams purchased different products …
     • About $2.3m wasted on tools that do the same!
  33. WPs for Deployment
     • WP3: Expect The Vendor To Write Your Logging Policy OR Ignore Vendor Recommendations
       – “Tell us what we need – tell us what you have” forever…
     • WP4: Don’t prepare the infrastructure
       – “Time synchronization? Pah, who needs it”
  34. Misc Useful SIEM Tips
  35. On SIEM Resourcing
     NEWSFLASH! SIEM costs money. But … Or…
  36. “Hard” Costs - Money
     • Initial
       – SIEM license, hardware, 3rd party software
       – Deployment and integration services
     • Ongoing
       – Support and ongoing services
       – Operations personnel (0.5 - any FTEs)
     • Periodic
       – Vendor services
       – Specialty personnel (DBA, sysadmin)
       – Deployment expansion costs
  37. “Soft” Costs - Time
     • Initial
       – Deployment time
       – Log source configuration and integration (BIG!)
       – Initial tuning, content creation
     • Ongoing
       – Report and log review
       – Alert response and escalation
     • Periodic
       – Tuning and content creation
       – Expansion: same as initial
  38. Secret to SIEM Magic!
     • “Operationalizing” SIEM (e.g. SOC building)
     • Deployment Service
     • SIEM Software/Appliance
  39. On Replacing a SIEM
  40. How to Do It?
     1. Prepare to run both products for some time
     2. Draft the new vendor to help you migrate the data
     3. Be prepared to keep the old SIEM or keep the data backups
     4. BIG! Migrate SIEM content: reports, rules, views, alerts, etc
  41. Tip: When To AVOID A SIEM
     In some cases, the best “SIEM strategy” is NOT to buy one:
     1. Log retention focus
     2. Investigation focus (log search)
     If you only plan to look BACKWARDS – no need for a SIEM!
  42. Conclusions
     • SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required
     • FOCUS on what problems you are trying to solve with SIEM: requirements!
     • Phased approach WITH “quick wins” is the easiest way to go
     • Operationalize!!!
  43. SIEM Reminders
     Cost countless sleepless nights and boatloads of pain….
     • No SIEM before IR plans/procedures
     • No SIEM before basic log management
     • Think "quick wins", not "OMG ...that SIEM boondoggle"
     • Tech matters! But practices matter more
     • Things will get worse before better. Invest time before collecting value!
  44. And If You Only … … learn one thing from this…. … then let it be….
  45. Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements!
  46. Questions?
     Dr. Anton Chuvakin
     Email: anton@chuvakin.org
     Site: http://www.chuvakin.org
     Blog: http://www.securitywarrior.org
     Twitter: @anton_chuvakin
     Consulting: http://www.securitywarriorconsulting.com
  47. More Resources
     • Blog: www.securitywarrior.org
     • Podcast: look for “LogChat” on iTunes
     • Slides: http://www.slideshare.net/anton_chuvakin
     • Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin
     • Consulting: http://www.securitywarriorconsulting.com/
  48. More on Anton
     • Consultant: http://www.securitywarriorconsulting.com
     • Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
     • Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
     • Standard developer: CEE, CVSS, OVAL, etc
     • Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
     • Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
  49. Security Warrior Consulting
     • Services: Logging and log management / SIEM strategy, procedures and practices
       – Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
       – Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
       – Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
       – Help integrate logging tools and processes into IT and business operations
     • SIEM and log management content development
       – Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
       – Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
     Others at www.SecurityWarriorConsulting.com
  50. Misc Resource Slides
  51. Best Reports? SANS Top 7
     DRAFT “SANS Top 7 Log Reports”
     1. Authentication
     2. Changes
     3. Network activity
     4. Resource access
     5. Malware activity
     6. Failures
     7. Analytic reports
  52. Best Correlation Rules? Nada
     • Vendor default rules?
     • IDS/IPS + vulnerability scan?
     Anton fave rules:
     1. Authentication
     2. Outbound access
     3. Safeguard failure