Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

End-User Case Study: Five Best and Five Worst Practices for SIEM

Implementing SIEM sounds straightforward, but reality sometimes begs to differ. In this session, Dr.
Anton Chuvakin will share the five best and five worst practices for implementing SIEM as part of security
monitoring and intelligence. Understanding how to avoid pitfalls and create a successful SIEM
implementation will help maximize security and compliance value, and avoid costly obstacles,
inefficiencies, and risks.

Speaker notes

  • (for slide 12) The primacy of log management was highlighted in a recent Gartner note, “How to Implement SIEM Technology” (Gartner, 2009), which unambiguously states: “Deploy log management functions before you attempt a wide-scale implementation of real-time event management.”
  • (for slide 13) Organizations that graduate too soon will waste time and effort, and won't see any increased efficiency in their security operation. However, waiting too long also means that the organization will never develop the necessary capabilities to secure itself. In brief, the criteria are:
      Response capability: the organization must be ready to respond to alerts soon after they are produced.
      Monitoring capability: the organization must have, or start to build, a security monitoring capability such as a Security Operations Center (SOC) or at least a team dedicated to ongoing periodic monitoring.
      Tuning and customization ability: the organization must accept the responsibility for tuning and customizing the deployed SIEM tool. Out-of-the-box SIEM deployments rarely succeed or reach their full potential.
    Just like college... Graduation tips:
      Satisfy the graduation criteria
      Use an LM vendor that has a good SIEM
      Deploy LM and use it operationally
      Periodic log reviews = first step to monitoring
      Look for integrated capability

    1. Five Best and Five Worst Practices for SIEM
       Dr. Anton Chuvakin
       Principal @ SecurityWarrior, LLC (until July 30, 2011)
       Catalyst 2011, San Diego, CA

    2. Outline
       Quick SIEM Introduction
       SIEM Pitfalls and Challenges
       SIEM “Best Practices”
       SIEM “Worst Practices”
       Conclusions

    3. SIEM?
       Security Information and Event Management!
       (sometimes: SIM or SEM)

    4. SIEM and Log Management
       LM: Log Management. Focus on all uses for logs.
       SIEM: Security Information and Event Management. Focus on security use of logs and other data.

    5. What SIEM MUST Have?
       Log and context data collection
       Normalization
       Correlation (“SEM”)
       Notification/alerting (“SEM”)
       Prioritization (“SEM”)
       Reporting and report delivery (“SIM”)
       Security role workflow (IR, SOC, etc.)

    6. I can tell you how to do SIEM RIGHT!

    7. The Right Way to SIEM
       Figure out what problems you want to solve with SIEM
       Confirm that SIEM is the best way to solve them
       Define and analyze your use cases
       Gather stakeholders and analyze their use cases
       Research SIEM functionality
       Create requirements for your tool, including process requirements
       Choose scope for SIEM coverage (with phases)
       Assess data volume over all Phase 1 log sources and plan ahead
       Perform product research, vendor interviews, references, peer groups
       Create a tool shortlist
       Pilot top 2-3 products in your environment
       Test the products for features, usability and scalability vs. requirements
       Select a product for deployment and a #2 product for backup
       Update or create procedures, IR plans, etc.
       Create SIEM operational procedures
       Deploy the tool (phase 1)

    8. The Popular Way to SIEM...
       Buy a SIEM appliance

    9. Got Difference?
       What people WANT to know and have before they deploy a SIEM?
       What people NEED to know and have before they deploy a SIEM?

    10. What is a “Best Practice”?
        A process or practice that:
        The leaders in the field are doing today
        Generally leads to useful results with cost effectiveness
        P.S. If you still hate it, say “useful practices”

    11. BP1 How to Plan Your Project?
        Goals and requirements (WHY)
        Functionality / features (HOW)
        Scope of data collection (WHAT)
        Sizing (HOW MUCH)
        Architecting (WHERE)

    12. BP2 LM before SIEM!
        If you remember one thing from this, let it be:
        Deploy Log Management BEFORE SIEM!
        “Deploy log management functions before you attempt a wide-scale implementation of real-time event management.” (Gartner, 2009)

    13. Graduating from LM to SIEM
        Are you ready? Well, do you have...
        Response capability and process: prepared to respond to alerts
        Monitoring capability: has an operational process to monitor
        Tuning and customization ability: can customize the tools and content

    14. BP3 Initial SIEM Use
        Steps of a journey...
        Establish response process
        Deploy a SIEM
        Think “use cases”
        Start filtering logs from LM to SIEM
        Phases: features and information sources
        Prepare for the initial increase in workload

    15. Case Study: Good Initial SIEM Use
        Example: cross-system authentication tracking
        Scope: all systems with authentication
        Purpose: detect unauthorized access to systems
        Method: track login failures and successes
        Rule details: multiple login failures followed by login success
        Response plan: user account investigation, suspension, communication with suspect user
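Slide 5 lists what a SIEM must do with data (collect, normalize, correlate, alert) and slide 15 gives the first rule worth writing: several login failures followed by a success. The block below is an added example, not code from the deck or from Dr. Chuvakin, and it runs offline: it normalizes two constructed log formats (Linux sshd syslog lines and a Windows logon event flattened to key=value text) into one schema, then applies the slide 15 rule with per-(user, source) state so unrelated accounts never pool their failures. All host names, user names, addresses, the `year` default and the helper names (`normalize`, `correlate`, `run`) are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input (not real data). Two sources, two native formats:
# "syslog" = Linux sshd via syslog, "winkv" = a Windows logon event already
# flattened to key=value text by a hypothetical collector.
RAW_LOGS = [
    ("syslog", "Jun  3 10:02:11 web01 sshd[2231]: Failed password for admin from 203.0.113.7 port 51122 ssh2"),
    ("syslog", "Jun  3 10:02:14 web01 sshd[2231]: Failed password for admin from 203.0.113.7 port 51122 ssh2"),
    ("syslog", "Jun  3 10:02:17 web01 sshd[2231]: Failed password for admin from 203.0.113.7 port 51122 ssh2"),
    ("syslog", "Jun  3 10:02:20 web01 sshd[2231]: Failed password for admin from 203.0.113.7 port 51122 ssh2"),
    ("syslog", "Jun  3 10:02:25 web01 sshd[2240]: Accepted password for admin from 203.0.113.7 port 51130 ssh2"),
    ("winkv",  "time=2011-06-03T10:05:01 host=dc01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.9"),
    ("winkv",  "time=2011-06-03T10:20:30 host=dc01 EventID=4624 TargetUserName=jsmith IpAddress=10.0.0.9"),
    ("syslog", "Jun  3 10:30:00 web02 sshd[3100]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2"),
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def normalize(source, line, year=2011):
    """Map one raw line into the common event schema
    {ts, host, user, src, outcome}. Returns None for lines this parser does
    not understand; a real pipeline keeps those in log management rather
    than dropping them. `year` is assumed because syslog omits it."""
    if source == "syslog":
        m = SYSLOG_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
                "outcome": "success" if m["outcome"] == "Accepted" else "failure"}
    if source == "winkv":
        kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        eid = kv.get("EventID")
        if eid not in ("4624", "4625"):  # 4624 = logon success, 4625 = logon failure
            return None
        return {"ts": datetime.fromisoformat(kv["time"]), "host": kv["host"],
                "user": kv["TargetUserName"], "src": kv["IpAddress"],
                "outcome": "success" if eid == "4624" else "failure"}
    return None


def correlate(events, threshold=3, window=timedelta(minutes=10)):
    """Slide 15 rule: at least `threshold` failures for the same (user, src)
    inside `window`, followed by a success for that same pair, raises one
    alert. State is keyed per pair so unrelated users/sources never count
    against each other."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        q = failures[key]
        while q and ev["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({"user": ev["user"], "src": ev["src"], "host": ev["host"],
                           "failures": len(q), "success_at": ev["ts"]})
            q.clear()  # one alert per burst; the response plan takes it from here
    return alerts


def run(raw=RAW_LOGS):
    """Collect -> normalize -> correlate; returns (normalized events, alerts)."""
    events = [e for e in (normalize(s, l) for s, l in raw) if e]
    return events, correlate(events)


if __name__ == "__main__":
    for alert in run()[1]:
        print(alert)
```

The window prune runs before the outcome check, so a success that arrives long after stale failures does not alert (the `jsmith` case above); that threshold and window are exactly the tuning slide 13 says the team must own, and they should come from the slide 15 response plan rather than from a vendor default.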
    16. BP4 Expanding SIEM Use
        First step, next BABY steps!
        Compliance monitoring often first
        “Traditional” SIEM uses: authentication tracking; IPS/IDS + firewall correlation; web application hacking
        Your simple use cases: what problems do YOU want solved?

    17. “Quick Wins” for Phased Approach
        Phased approach #1: collect problems, plan architecture, start collecting, start reviewing, solve problem 1, ..., solve problem n
        Phased approach #2: focus on 1 problem, plan architecture, start collecting, start reviewing, solve problem 1, plan again

    18. What is a “Worst Practice”?
        As opposed to the “best practice” it is...
        What the losers in the field are doing today
        A practice that generally leads to disastrous results, despite its popularity

    19. WP for SIEM Planning
        WP1: Skip this step altogether – just buy something
        “John said that we need a correlation engine”
        “I know this guy who sells log management tools”
        WP2: Postpone scope until after the purchase
        “The vendor says ‘it scales’ so we will just feed ALL our logs”
        Windows, Linux, i5/OS, OS/390, Cisco – send ’em in!

    20. Case Study – Just Buy a SIEM!
        Medium-sized financial company
        New CSO comes in from a much larger organization
        “We need a SIEM! ASAP!”
        Can you spell “boondoggle”?
        Lessons learned: which problem did we solve? Huh!? None?
    21. WPs for Deployment
        WP3: Expect the vendor to write your logging policy OR ignore vendor recommendations
        “Tell us what we need – tell us what you have” forever...
        WP4: Don’t prepare the infrastructure
        “Time synchronization? Pah, who needs it”
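WP4 is easy to underestimate until a cross-source rule fires late, or never, because one source's clock is wrong. The block below is an added example, not code from the deck: it takes constructed records that carry both the timestamp the source wrote into the event and the one the collector stamped on receipt, estimates each host's clock offset from the median difference, flags hosts outside an NTP-sized tolerance, and shows that sorting the same records by event time and by receive time yields different host orders. The hosts, the 15-minute offset on `dc01`, the `tolerance` default and the function names are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample (not real data). event_ts is what the source wrote into
# the event; recv_ts is what the collector stamped on arrival. dc01 is
# assumed to run 15 minutes slow; fw01 is 2 seconds fast, which is normal.
RECEIVED = [
    {"host": "web01", "event_ts": datetime(2011, 6, 3, 10, 2, 11), "recv_ts": datetime(2011, 6, 3, 10, 2, 12)},
    {"host": "web01", "event_ts": datetime(2011, 6, 3, 10, 2, 14), "recv_ts": datetime(2011, 6, 3, 10, 2, 15)},
    {"host": "dc01",  "event_ts": datetime(2011, 6, 3, 9, 48, 40),  "recv_ts": datetime(2011, 6, 3, 10, 3, 41)},
    {"host": "dc01",  "event_ts": datetime(2011, 6, 3, 9, 48, 52),  "recv_ts": datetime(2011, 6, 3, 10, 3, 53)},
    {"host": "fw01",  "event_ts": datetime(2011, 6, 3, 10, 4, 0),   "recv_ts": datetime(2011, 6, 3, 10, 3, 58)},
]


def clock_skew_by_host(records):
    """Per host, the median of (event_ts - recv_ts).
    Transport and queueing delay make this slightly negative for every host;
    a large, stable offset means the source clock is wrong, not the network.
    The median keeps one delayed batch from masquerading as clock drift."""
    diffs = defaultdict(list)
    for r in records:
        diffs[r["host"]].append((r["event_ts"] - r["recv_ts"]).total_seconds())
    return {h: timedelta(seconds=median(v)) for h, v in diffs.items()}


def hosts_out_of_sync(records, tolerance=timedelta(seconds=30)):
    """Hosts whose offset exceeds what a working NTP setup should allow.
    Fix these (or at least stop trusting their event_ts) before relying on
    any correlation rule that orders events across sources by event_ts."""
    return sorted(h for h, skew in clock_skew_by_host(records).items()
                  if abs(skew) > tolerance)


def event_order(records, field):
    """Host sequence when the records are sorted by `field`; comparing the
    result for 'event_ts' vs 'recv_ts' shows how skew reorders a timeline."""
    return [r["host"] for r in sorted(records, key=lambda r: r[field])]


if __name__ == "__main__":
    print("out of sync:", hosts_out_of_sync(RECEIVED))
    print("by event_ts:", event_order(RECEIVED, "event_ts"))
    print("by recv_ts: ", event_order(RECEIVED, "recv_ts"))
```

Run the skew check as a standing health rule in the SIEM itself: a host that suddenly appears in `hosts_out_of_sync` is an infrastructure problem to fix at the source (NTP), not something to silently correct in the event data, because every rule that uses a time window across sources is wrong until it is fixed.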
    22. Case Study: Shelfware Forever!
        Financial company gets a SIEM tool after many months of “evaluations”
        Vendor SEs deploy it
        One year passes by
        A new CSO comes in; looks for what is deployed
        Finds a SIEM tool whose database contains exactly 53 log records (!)
        It was never connected to a production network...

    23. Summary of Practices
        “Best Practices”:
        Follow a logical SIEM deployment process
        Log management before SIEM!
        Start from simple SIEM use cases
        Expand the use gradually
        “Worst Practices”:
        Skip the requirement determination phase
        Postpone scoping until after SIEM purchase
        Expect the vendor to tell you what to log
        Fail to prepare the infrastructure

    24. SIEM Reminders
        Cost countless sleepless nights and boatloads of pain...
        No SIEM before IR plans/procedures
        No SIEM before basic log management
        Think “quick wins”, not “OMG... that SIEM boondoggle”
        Tech matters! But practices matter more
        Things will get worse before better. Invest time before collecting value!

    25. Conclusions
        SIEM will work and has value... but BOTH initial and ongoing time/focus commitment is required
        FOCUS on what problems you are trying to solve with SIEM: requirements!
        Phased approach WITH “quick wins” is the easiest way to go
        Operationalize!!!

    26. Secret to SIEM Magic!

    27. Questions?
        Dr. Anton Chuvakin
        Email: anton@chuvakin.org
        Site: http://www.chuvakin.org
        Blog: http://www.securitywarrior.org
        Twitter: @anton_chuvakin
        Consulting: http://www.securitywarriorconsulting.com

    28. More Resources
        Blog: www.securitywarrior.org
        Podcast: look for “LogChat” on iTunes
        Slides: http://www.slideshare.net/anton_chuvakin
        Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin
        Consulting: http://www.securitywarriorconsulting.com/

    29. More on Anton
        Consultant: http://www.securitywarriorconsulting.com
        Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
        Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
        Standard developer: CEE, CVSS, OVAL, etc.
        Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
        Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
