On Content-Aware SIEM by Dr. Anton Chuvakin
Published in: Technology
Speaker notes
  • No problem is truly solved!!
  • Security Information and Event Management = relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content.
    Also: WHY SIEM – too many IDS alerts!
    SIEM = SECURITY information and event management
    vs
    LM = LOG management
  • SIEM use cases
    SOC – full real-time monitoring
    Mini-SOC / “morning after”
    Remote monitoring + investigations
    Compliance status reporting
  • Mention vulnerability data
Transcript of "On Content-Aware SIEM by Dr. Anton Chuvakin"

    1. Content-Aware SIEM
       Dr. Anton Chuvakin
       Security Warrior Consulting
       www.securitywarriorconsulting.com
       February 2010

    2. Outline
       Brief SIEM History
       SIEM Today
       Today’s SIEM Use Cases
       Evolution of SIEM: Content-Aware SIEM
       What SIEM “Eats”?
       Logs + context + content!
       Legacy SIEM vs Content-Aware SIEM
       Why Deploy a CA-SIEM?

    3. SIEM?
       Security Information and Event Management!
       (sometimes: SIM or SEM)

    4. SIEM Evolution
       1997-2002: IDS and Firewall
         Worms, alert overflow, etc.
       2003-2007: Above + Server + Context
         PCI DSS, SOX, users
       2008+: Above + Applications + Content
         Fraud, activities, cybercrime

    5. SIEM Today
       Log and Context Data Collection
       Normalization
       Correlation (“SEM”)
       Notification/alerting (“SEM”)
       Prioritization (“SEM”)
       Reporting and report delivery (“SIM”)
       Security role workflow

    6. SIEM Use Cases
       Security Operations Center (SOC)
         RT views, analysts 24/7, chase alerts
       Mini-SOC / “morning after”
         Delayed views, analysts 1/24, review and drill-down
       “Automated SOC” / alert + investigate
         Configure and forget, investigate alerts
       Compliance status reporting
         Review reports/views weekly/monthly

    7. What SIEM Eats?
       Logs
       Context
       Content (NEW)

    8. One: Logs
       <18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
       <57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006
       <122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2
       <13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon  account:  ANTON    Source Workstation: ENTERPRISE    Error Code: 0xC000006A     4574
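Slide 5 lists normalization and correlation, and slide 8 shows the raw material they work on: four login events from four device families, each in its own format. The following added example (not from the deck or its author) normalizes constructed copies of those four lines into one schema and then correlates them per user across sources; the parser names, field names and the choice of regular expressions are assumptions of this example.

```python
import re

# Constructed sample input: the four login events quoted on slide 8, re-typed here.
SAMPLE_LOGS = [
    "<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User anton "
    "has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)",
    "<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess [user:anton] [Source:10.4.2.11] "
    "[localport:23] at 20:55:40 UTC Fri Feb 28 2006",
    "<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2",
    "<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon  account:  ANTON    Source Workstation: ENTERPRISE    "
    "Error Code: 0xC000006A     4574",
]

# One pattern per device family (names are this example's own); every pattern yields the same named groups.
PARSERS = [
    ("netscreen", re.compile(r"Admin User (?P<user>\S+) has (?P<result>logged on) via (?P<method>\w+) from (?P<src>[\d.]+):\d+")),
    ("cisco_ios", re.compile(r"%SEC_LOGIN-\d-LOGIN_(?P<result>SUCCESS|FAILED).*?\[user:(?P<user>[^\]]+)\] \[Source:(?P<src>[^\]]+)\]")),
    ("sshd", re.compile(r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?:::ffff:)?(?P<src>\S+) port")),
    ("windows", re.compile(r"(?P<result>Success|Failure) Audit .*?Logon\s+account:\s+(?P<user>\S+)\s+Source Workstation:\s+(?P<src>\S+)(?:.*?Error Code:\s+(?P<code>0x[0-9A-Fa-f]+))?")),
]
OUTCOME = {"logged on": "success", "SUCCESS": "success", "Accepted": "success", "Success": "success",
           "FAILED": "failure", "Failed": "failure", "Failure": "failure"}
PRI = re.compile(r"^<(?P<pri>\d{1,3})>")  # syslog PRI = facility * 8 + severity

def normalize(line):
    """Map one raw line onto the common schema; returns None for lines no parser recognises."""
    for source, pattern in PARSERS:
        m = pattern.search(line)
        if m:
            d = m.groupdict()
            pri = PRI.match(line)
            return {"source": source,
                    "user": d["user"].lower(),          # Windows upper-cases the account name
                    "src": d["src"],                    # IP on network gear, workstation name on Windows
                    "method": d.get("method") or "n/a",
                    "outcome": OUTCOME[d["result"]],
                    "code": d.get("code"),              # NT status code, present only in the Windows event
                    "severity": int(pri.group("pri")) & 7 if pri else None}
    return None

def correlate(lines):
    """Simple cross-source correlation: login outcomes and device types seen per user."""
    summary = {}
    for ev in filter(None, map(normalize, lines)):
        s = summary.setdefault(ev["user"], {"success": 0, "failure": 0, "sources": set()})
        s[ev["outcome"]] += 1
        s["sources"].add(ev["source"])
    return summary
```

Once the four formats share one schema, the same account can be followed from a Telnet logon on the firewall through a router and an SSH server to a failed Windows logon, which is what the correlation step needs and what the raw lines alone do not give.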
    9. Two: Context
       http://chuvakin.blogspot.com/2010/01/on-log-context.html

    10. Three: Content
        Emails
        Attachment
        IM chats
        Facebook posts
        Videos
        Images

    11. Note: Content is NOT Just Packets
        Drilldown to packets
        Drilldown to emailed document

    12. Legacy SIEM vs CA-SIEM?

    13. Secret to SIEM Magic!

    14. Conclusions
        SIEM is evolving to today’s needs, while still solving the old needs
        Note: no old IT security threat has gone away yet…
        SIEMs that can consume content and not just logs can win the battle
        Note: logs are voluminous, but content is EVEN LARGER

    15. Questions
        Dr. Anton Chuvakin
        Email: anton@chuvakin.org
        Site: http://www.chuvakin.org
        Blog: http://www.securitywarrior.org
        LinkedIn: http://www.linkedin.com/in/chuvakin
        Twitter: @anton_chuvakin
        Consulting Services: SIEM, Log management
        http://www.securitywarriorconsulting.com

    16. More on Anton
        Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
        Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
        Standard developer: CEE, CVSS, OVAL, etc.
        Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
        Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager, Consultant