This document discusses the differences between security information and event management (SIEM) and log management (LM), and provides best practices for using SIEM and LM together. It recommends deploying LM before SIEM to collect and manage log data. Then organizations can decide when to implement SIEM to automate monitoring and correlation. The document provides examples of gradually evolving from solely using LM to integrating it with SIEM for increased monitoring and analytics capabilities.

1. Making Log Data Useful:SIEM and Log Management TogetherDr. Anton ChuvakinSecurity Warrior Consultingwww.securitywarriorconsulting.comApril 2010

2. OutlineSecurity Information and Event Management vs/with Log Management Graduating from LM to SIEMSIEM and LM “best practices”First steps with SIEMUsing SIEM and LM togetherConclusions

3. SIEM vs LMSIEM = SECURITY information and event managementvsLM = LOG management

4. What SIEM MUST Have?Log and Context Data CollectionNormalizationCorrelation (“SEM”)Notification/alerting (“SEM”)Prioritization (“SEM”)Reporting (“SIM”)Security role workflow

5. What LM MUST Have?Broad Scope Log Data CollectionEfficient Log Data RetentionSearching Across All DataBroad Use Log Reporting Scalable Operation: Collection, Retention, Searching, Reporting

6. Graduating from LM to SIEMAre you ready? Well, do you have…Response capabilityPrepared to response to alertsMonitoring capabilityHas an operational process to monitorTuning and customization abilityCan customize the tools and content

7. How to “Graduate?” Just like college…  Graduation tips:Satisfy the graduation criteriaUse a LM vendors that has a good SIEMDeploy LM and use it operationallyPeriodic log reviews = first step to monitoringLook for integrated capability

8. What is a “Best Practice”?A process or practice thatThe leaders in the field are doing todayGenerally leads to useful results with cost effectiveness

9. BP1 LM before SIEM!If you remember one thing from this, let it be:Deploy Log Management BEFORE SIEM!Q: Why do you think MOST 1990s SIEM deployments FAILED?A: There was no log management!

10. Example ScenarioA mid-size regional bank deploys log management Compliance, fraud tracking, user activity auditUse the tool on incident only firstStart checking reports once in a whileEstablish log review processIn two years, gets a SIEM to automate it!

11. BP2 Evolving to SIEM Steps of a journeyEstablish response processDeploy a SIEMThink “use cases”Start filtering logs from LM to SIEMPhases!Prepare for the initial increase in workload

12. Example LM->SIEM Filtering3D: Devices / Network topology / EventsDevices: NIDS/NIPS, WAF, serversNetwork: DMZ, payment network (PCI scope), other “key domains”Events: authentication, outbound firewall accessLater: proxies, more firewall data, web servers

13. BP3 SIEM First StepsFirst step = BABY steps!Compliance monitoring“Traditional” SIEM usesAuthentication trackingIPS/IDS + firewall correlationWeb application hackingSimple use cases based on your riskWhat problems do YOU want solved?

14. Example SIEM Use CaseCross-system authentication trackingScope: all systems with authentication (!)Purpose: detect unauthorized access to systemsMethod: track login failures and successesRule details: multiple login failures followed by login successResponse plan: user account investigation, suspension, communication with suspect user

15. SIEM + LM Integrated UseCorrelated SIEM alert is generatedDatabase server login guessingKey information is shownAccount guessed, time, source Context information is pulled from LMWhat happened with this user before?What else the source did?What other logs were produced on server?

16. Eventually: SIEM Usage ScenariosSecurity Operations Center (SOC)RT views, analysts 24/7, chase alertsMini-SOC / “morning after”Delayed views, analysts 1/24, review and drill-down“Automated SOC” / alert + investigateConfigure and forget, investigate alertsCompliance status reportingReview reports/views weekly/monthly

17. ConclusionsEverybody has logs -> needs to deal with them -> needs LOG MANAGEMENT!Deploy LM before SIEMThen decide whether and when you need SIEMOperationalize Log Management first, use it “early and often”Start with SIEM slowly and only for tangible, solvable problems!

18. Secret to SIEM Magic!

19. QuestionsDr. Anton ChuvakinEmail:anton@chuvakin.orgGoogle Voice: 510-771-7106 Site:http://www.chuvakin.orgBlog:http://www.securitywarrior.orgLinkedIn:http://www.linkedin.com/in/chuvakinConsulting: www.securitywarriorconsulting.comTwitter:@anton_chuvakin

20. More on AntonBook author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etcConference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwideStandard developer: CEE, CVSS, OVAL, etcCommunity role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, othersPast roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager, Consultant

21. Security Warrior Consulting ServicesLogging and log management strategy, procedures and practicesDevelop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validationCustomize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulationsHelp integrate logging tools and processes into IT and business operationsSIEM and log management content developmentDevelop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needsCreate and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulationsMore at www.SecurityWarriorConsulting.com