Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin

Making Log Data Useful:SIEM and Log Management Together
Dr. Anton Chuvakin
Security Warrior Consulting
www.securitywarriorconsulting.com
April 2010

Outline
Security Information and Event Management vs/with Log Management
Graduating from LM to SIEM
SIEM and LM “best practices”
First steps with SIEM
Using SIEM and LM together
Conclusions

SIEM vs LM
SIEM = SECURITY information and event management
vs
LM = LOG management

What SIEM MUST Have?
Log and Context Data Collection
Normalization
Correlation (“SEM”)
Notification/alerting (“SEM”)
Prioritization (“SEM”)
Reporting (“SIM”)
Security role workflow

What LM MUST Have?
Broad Scope Log Data Collection
Efficient Log Data Retention
Searching Across All Data
Broad Use Log Reporting
Scalable Operation: Collection, Retention, Searching, Reporting

Graduating from LM to SIEM
Are you ready? Well, do you have…
Response capability
Prepared to response to alerts
Monitoring capability
Has an operational process to monitor
Tuning and customization ability
Can customize the tools and content

How to “Graduate?”
Just like college…  Graduation tips:
Satisfy the graduation criteria
Use a LM vendors that has a good SIEM
Deploy LM and use it operationally
Periodic log reviews = first step to monitoring
Look for integrated capability

What is a “Best Practice”?
A process or practice that
The leaders in the field are doing today
Generally leads to useful results with cost effectiveness

BP1 LM before SIEM!
If you remember one thing from this, let it be:
Deploy Log Management BEFORE SIEM!
Q: Why do you think MOST 1990s SIEM deployments FAILED?
A: There was no log management!

Example Scenario
A mid-size regional bank deploys log management
Compliance, fraud tracking, user activity audit
Use the tool on incident only first
Start checking reports once in a while
Establish log review process
In two years, gets a SIEM to automate it!

BP2 Evolving to SIEM
Steps of a journey
Establish response process
Deploy a SIEM
Think “use cases”
Start filtering logs from LM to SIEM
Phases!
Prepare for the initial increase in workload

Example LM->SIEM Filtering
3D: Devices / Network topology / Events
Devices: NIDS/NIPS, WAF, servers
Network: DMZ, payment network (PCI scope), other “key domains”
Events: authentication, outbound firewall access
Later: proxies, more firewall data, web servers

BP3 SIEM First Steps
First step = BABY steps!
Compliance monitoring
“Traditional” SIEM uses
Authentication tracking
IPS/IDS + firewall correlation
Web application hacking
Simple use cases
based on your risk
What problems do YOU want solved?

Example SIEM Use Case
Cross-system authentication tracking
Scope: all systems with authentication (!)
Purpose: detect unauthorized access to systems
Method: track login failures and successes
Rule details: multiple login failures followed by login success
Response plan: user account investigation, suspension, communication with suspect user

SIEM + LM Integrated Use
Correlated SIEM alert is generated
Database server login guessing
Key information is shown
Account guessed, time, source
Context information is pulled from LM
What happened with this user before?
What else the source did?
What other logs were produced on server?

Eventually: SIEM Usage Scenarios
Security Operations Center (SOC)
RT views, analysts 24/7, chase alerts
Mini-SOC / “morning after”
Delayed views, analysts 1/24, review and drill-down
“Automated SOC” / alert + investigate
Configure and forget, investigate alerts
Compliance status reporting
Review reports/views weekly/monthly

Conclusions
Everybody has logs -> needs to deal with them -> needs LOG MANAGEMENT!
Deploy LM before SIEM
Then decide whether and when you need SIEM
Operationalize Log Management first, use it “early and often”
Start with SIEM slowly and only for tangible, solvable problems!

Secret to SIEM Magic!

Questions
Dr. Anton Chuvakin
Email:anton@chuvakin.org
Google Voice: 510-771-7106
Site:http://www.chuvakin.org
Blog:http://www.securitywarrior.org
LinkedIn:http://www.linkedin.com/in/chuvakin
Consulting: www.securitywarriorconsulting.com
Twitter:@anton_chuvakin

More on Anton
Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
Standard developer: CEE, CVSS, OVAL, etc
Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager, Consultant

Security Warrior Consulting Services
Logging and log management strategy, procedures and practices
Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
Help integrate logging tools and processes into IT and business operations
SIEM and log management content development
Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
More at www.SecurityWarriorConsulting.com

Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin

by Anton Chuvakin on Jul 26, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

Statistics

Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin — Presentation Transcript