Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 

End-User Case Study: Five Best and Five Worst Practices for SIEM

Implementing SIEM sounds straightforward, but reality sometimes begs to differ. In this session, Dr.
Anton Chuvakin will share the five best and worst practices for implementing SIEM as part of security
monitoring and intelligence. Understanding how to avoid pitfalls and create a successful SIEM
implementation will help maximize security and compliance value, and avoid costly obstacles,
inefficiencies, and risks.

  • Figure out what problems you want to solve with SIEM
    Confirm that SIEM is the best way to solve them
    Define and analyze your use cases
    Gather stakeholders and analyze their use cases
    Create requirements for a tool
    Choose scope for SIEM coverage
    Assess data volume over all Phase 1 log sources and plan ahead
    Perform product research, vendor interviews, references, peer groups
    Create a tool shortlist
    Pilot top 2-3 products in your environment
    Test the products for features, usability and scalability vs requirements
    Select a product for deployment and #2 product for backup
    Update or create procedures, IR plans, etc
    Create SIEM operational procedures
    Deploy the tool (phase 1)
  • The primacy of log management was highlighted in a recent Gartner note, “How to Implement SIEM Technology” (Gartner, 2009), which unambiguously states: “Deploy log management functions before you attempt a wide-scale implementation of real-time event management.”
  • Organizations that graduate too soon will waste time and effort, and won't see any increased efficiency in their security operation. However, waiting too long also means that the organization will never develop the necessary capabilities to secure itself. In brief, the criteria are:
    Response capability: the organization must be ready to respond to alerts soon after they are produced.
    Monitoring capability: the organization must have or start to build security monitoring capability such as a Security Operation Center (SOC) or at least a team dedicated to ongoing periodic monitoring.
    Tuning and customization ability: the organization must accept the responsibility for tuning and customizing the deployed SIEM tool. Out-of-the-box SIEM deployments rarely succeed, or manage to reach their full potential. Just like college…
    Graduation tips:
    Satisfy the graduation criteria
    Use an LM vendor that has a good SIEM
    Deploy LM and use it operationally
    Periodic log reviews = first step to monitoring
    Look for integrated capability

Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin: Presentation Transcript

  • Five Best and Five Worst Practices for SIEM
    Dr. Anton Chuvakin
    Principal @ SecurityWarrior, LLC
    (until July 30, 2011)
    Catalyst 2011, San Diego, CA
  • Outline
    Quick SIEM Introduction
    SIEM Pitfalls and Challenges
    SIEM “Best Practices”
    SIEM “Worst Practices”
    Conclusions
  • SIEM?
    Security Information and Event Management!
    (sometimes: SIM or SEM)
  • SIEM and Log Management
    LM:
    Log Management
    Focus on all uses for logs
    SIEM:
    Security Information
    and Event Management
    Focus on security use of logs and other data
  • What SIEM MUST Have?
    Log and Context Data Collection
    Normalization
    Correlation (“SEM”)
    Notification/alerting (“SEM”)
    Prioritization (“SEM”)
    Reporting and report delivery (“SIM”)
    Security role workflow (IR, SOC, etc)
  • I can tell you how to do SIEM
    RIGHT!
  • The Right Way to SIEM
    Figure out what problems you want to solve with SIEM
    Confirm that SIEM is the best way to solve them
    Define and analyze your use cases
    Gather stakeholders and analyze their use cases
    Research SIEM functionality
    Create requirements for your tool, including process requirements
    Choose scope for SIEM coverage (with phases)
    Assess data volume over all Phase 1 log sources and plan ahead
    Perform product research, vendor interviews, references, peer groups
    Create a tool shortlist
    Pilot top 2-3 products in your environment
    Test the products for features, usability and scalability vs requirements
    Select a product for deployment and #2 product for backup
    Update or create procedures, IR plans, etc
    Create SIEM operational procedures
    Deploy the tool (phase 1)
  • The Popular Way to SIEM…
    Buy a SIEM appliance
  • Got Difference?
    What people WANT to know and have before they deploy a SIEM?
    What people NEED to know and have before they deploy a SIEM?
  • What is a “Best Practice”?
    A process or practice that
    The leaders in the field are doing today
    Generally leads to useful results with cost effectiveness
    P.S. If you still hate it – say
    “useful practices”
  • BP1 How to Plan Your Project?
    Goals and requirements (WHY)
    Functionality / features (HOW)
    Scope of data collection (WHAT)
    Sizing (HOW MUCH)
    Architecting (WHERE)
  • BP2 LM before SIEM!
    If you remember one thing from this, let it be:
    Deploy Log Management BEFORE SIEM!
    “Deploy log management functions before you attempt a wide-scale implementation of real-time event management.” (Gartner, 2009)
  • Graduating from LM to SIEM
    Are you ready? Well, do you have…
    Response capability and process
    Prepared to respond to alerts
    Monitoring capability
    Has an operational process to monitor
    Tuning and customization ability
    Can customize the tools and content
  • BP3 Initial SIEM Use
    Steps of a journey …
    Establish response process
    Deploy a SIEM
    Think “use cases”
    Start filtering logs from LM to SIEM
    Phases: features and information sources
    Prepare for the initial increase in workload
  • Case Study: Good Initial SIEM Use
    Example: cross-system authentication tracking
    Scope: all systems with authentication
    Purpose: detect unauthorized access to systems
    Method: track login failures and successes
    Rule details: multiple login failures followed by login success
    Response plan: user account investigation, suspension, communication with suspect user
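The rule in this case study ("multiple login failures followed by login success", tracked across all systems with authentication) is simple enough to show end to end. The following Python is an added illustration, not code from the presentation: it reads constructed, already-normalized authentication events and raises an alert when a (user, source IP) pair has at least `threshold` failures inside `window` on any hosts and then a success on any host. Because the correlation orders events by their timestamps, a log source with a skewed clock can place its success before its own failures and silently defeat the rule, which is why the talk lists time synchronization under infrastructure preparation.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simple normalized form:
# "<timestamp> <host> <user> <source-ip> <FAIL|SUCCESS>". Not real data.
SAMPLE_EVENTS = [
    "2011-07-20T10:00:01Z web01 alice 203.0.113.5 FAIL",
    "2011-07-20T10:00:03Z web01 alice 203.0.113.5 FAIL",
    "2011-07-20T10:00:04Z vpn01 alice 203.0.113.5 FAIL",
    "2011-07-20T10:00:06Z db01  alice 203.0.113.5 SUCCESS",  # success on a third host
    "2011-07-20T10:05:00Z web01 bob   198.51.100.7 FAIL",
    "2011-07-20T11:30:00Z web01 bob   198.51.100.7 SUCCESS",  # one old failure: benign
]


def parse(line):
    """Split one normalized event into (timestamp, host, user, src_ip, result)."""
    ts, host, user, src, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, src, result


def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """Return alerts for >= threshold failures per (user, src) within window,
    followed by a success. Failures are counted across hosts, which is what
    makes this a SIEM use case rather than a per-host check."""
    failures = defaultdict(deque)   # (user, src) -> deque of (timestamp, host)
    alerts = []
    # Sorting by timestamp assumes synchronized clocks on all log sources;
    # a skewed source can reorder its own failures and success.
    for ts, host, user, src, result in sorted(map(parse, lines)):
        pending = failures[(user, src)]
        while pending and ts - pending[0][0] > window:   # expire old failures
            pending.popleft()
        if result == "FAIL":
            pending.append((ts, host))
        elif result == "SUCCESS":
            if len(pending) >= threshold:
                alerts.append({"user": user, "src": src, "success_host": host,
                               "failures": len(pending), "time": ts,
                               "hosts": sorted({h for _, h in pending})})
            pending.clear()   # a success ends the sequence either way
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Each alert carries the hosts that saw the failures and the host that accepted the login, which is the information the response plan above (account investigation and suspension) needs first.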
  • BP4 Expanding SIEM Use
    First step, next BABY steps!
    Compliance monitoring often first
    “Traditional” SIEM uses
    Authentication tracking
    IPS/IDS + firewall correlation
    Web application hacking
    Your simple use cases
    What problems do YOU want solved?
  • “Quick Wins” for Phased Approach
    Phased
    approach #1
    Collect problems
    Plan architecture
    Start collecting
    Start reviewing
    Solve problem 1
    Solve problem n
    Phased
    approach #2
    • Focus on 1 problem
    • Plan architecture
    • Start collecting
    • Start reviewing
    • Solve problem 1
    • Plan again
  • What is a “Worst Practice”?
    As opposed to the “best practice” it is …
    What the losers in the field are doing today
    A practice that generally leads to disastrous results, despite its popularity
  • WP for SIEM Planning
    WP1: Skip this step altogether – just buy something
    “John said that we need a correlation engine”
    “I know this guy who sells log management tools”
    WP2: Postpone scope until after the purchase
    “The vendor says ‘it scales’ so we will just feed ALL our logs”
    Windows, Linux, i5/OS, OS/390, Cisco – send’em in!
  • Case Study – Just Buy a SIEM!
    Medium-sized financial company
    New CSO comes in from a much larger organization
    “We need a SIEM! ASAP!”
    Can you spell “boondoggle”?
    Lessons learned: which problem did we solve? Huh!? None?
  • WPs for Deployment
    WP3: Expect The Vendor To Write Your Logging Policy OR Ignore Vendor Recommendations
    “Tell us what we need – tell us what you have” forever…
    WP4: Don’t prepare the infrastructure
    “Time synchronization? Pah, who needs it”
  • Case Study: Shelfware Forever!
    Financial company gets a SIEM tool after many months of “evaluations”
    Vendor SEs deploy it
    One year passes by
    A new CSO comes in; looks for what is deployed
    Finds a SIEM tool – which database contains exactly 53 log records (!)
    It was never connected to a production network…
  • Summary of Practices
    “Best Practices”
    Follow a logical SIEM deployment process
    Log management before SIEM!
    Start from simple SIEM use cases
    Expand the use gradually
    “Worst Practices”
    Skip requirement determination phase
    Postpone scoping until after SIEM purchase
    Expect the vendor to tell you what to log
    Fail to prepare the infrastructure
  • SIEM Reminders
    Cost countless sleepless nights and boatloads of pain….
    No SIEM before IR plans/procedures
    No SIEM before basic log management
    Think "quick wins", not "OMG ...that SIEM boondoggle"
    Tech matters! But practices matter more
    Things will get worse before better. Invest time before collecting value!
  • Conclusions
    SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required
    FOCUS on what problems you are trying to solve with SIEM: requirements!
    Phased approach WITH “quick wins” is the easiest way to go
    Operationalize!!!
  • Secret to SIEM Magic!
  • Questions?
    Dr. Anton Chuvakin
    Email: anton@chuvakin.org
    Site: http://www.chuvakin.org
    Blog: http://www.securitywarrior.org
    Twitter: @anton_chuvakin
    Consulting: http://www.securitywarriorconsulting.com
  • More Resources
    Blog: www.securitywarrior.org
    Podcast: look for “LogChat” on iTunes
    Slides: http://www.slideshare.net/anton_chuvakin
    Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin
    Consulting: http://www.securitywarriorconsulting.com/
  • More on Anton
    Consultant: http://www.securitywarriorconsulting.com
    Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
    Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
    Standard developer: CEE, CVSS, OVAL, etc
    Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
    Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager