Another way to decide is to look at what problem you’re trying to solve with the tool. Over the years, the following areas where SIEM and log management tools can deliver value have emerged:

Security, detective and investigative: sometimes also called threat management, this focuses on detecting and responding to attacks, malware infection, data theft and other security issues. It is very useful to see this as two separate factors: monitoring and detection of security issues vs investigation and forensic analysis of security incidents.

Compliance, regulatory (global) and policy (local): this focuses on satisfying the requirements of various laws, mandates and frameworks. Most of the mandates have the intention of helping you improve security, so there is a lot of overlap between this and the previous item.

Operational, system and network troubleshooting and administration: specific mostly to log management, this use case has to do with investigating system problems as well as monitoring the availability of systems and applications.
Security Information and Event Management covers relevant log collection, aggregation, normalization, retention; context data collection; alerting; analysis (correlation, prioritization); presentation (reporting, visualization); security-related workflow and relevant security content. Typical uses for SIEM tools center around network security, data security as well as regulatory compliance. On the other hand, Log Management includes comprehensive log collection, original log retention; analysis; presentation (search, reporting, and visualization); related workflow and relevant content such as reports and search queries. Log management usage is broad and covers all possible applications for log data across IT and even beyond information technology – but certainly includes security and compliance use. To summarize this, SIEM focuses on security while log management focuses on a broad use for log data. Most specifically, SIEM tools include correlation and other real time analysis functionality, useful for real-time monitoring. Log tools often focus on advanced search across all log data. Today, many tools combine select capabilities of SIEM and log management in a single product or product suite.
What is correlation? Different definitions are given by different people.
Dictionary: “establishing relationships”
Why correlate events? Cross-device data analysis.
What else might one want to correlate? Events and …
First, compile a list of regulations that you have to comply with, paying particular attention to areas where a SIEM or log management tool can be useful. In many cases, the list will contain only one regulation – but the one you absolutely must handle. Next, if possible, review other possible goals that SIEM can help you achieve. Deciding whether SIEM satisfies a critical business need – such as serving as an enabling technology for your SOC – is an essential step. Third, at this point you must decide whether you are prepared to work to make SIEM solve your problem – whether compliance or other. Despite help from the vendor and possibly consultants, there are areas where you have to work to make SIEM work. Now, acquire and implement the SIEM solution. This is where you work jointly with the vendor in order to build your initial implementation for regulatory compliance, such as PCI DSS. Now, start actually using SIEM for both the “letter and spirit” of the regulation. This is the most important step in the approach – one of the biggest mistakes organizations make in this area is thinking that simply owning a SIEM tool makes them compliant. In reality, building daily operational procedures and processes to go with your SIEM is the only way to do that. Sadly, few people remember that PCI DSS prescribes a large set of periodic tasks, from annual to daily (log review being the most well-known example of a daily practice) and not just “having logs.” Finally, expand the use case beyond compliance. Only at this step can you plan for expanding deployment and solving other problems. The tips for that are provided in the next section. One way to quickly grow your security capability is on the incident response side. This is due to the fact that the easiest and most common security use for log management and SIEM tools - beyond compliance - is related to incident response and forensics.
SIEM for Compliance Mistakes

The most burning logging, SIEM and compliance mistake is simply this: thinking that to be compliant you have to have logs collected in a log management tool – and do nothing else. This mistake is as egregious as they come – simply reading the text of most regulations will uncover such items as log review, log protection, logging specific details for various events, handling exceptions and many other items. PCI DSS prescribes log review and log protection, HIPAA calls for monitoring, NERC asks for incident processes; not a single regulation is only about storing logs. A second common mistake is focusing on the letter of regulations – and not their intended spirit. The best way to summarize it is: if you focus on security, you have a shot at being compliant and secure; if you only focus on compliance, you will likely be neither secure nor compliant. Just ask the victims of recent breaches who were justifiably found to not be compliant. Finally, a siloed approach to regulations is unfortunately the norm today. Still, that does not make it right – it is still a mistake. Given the large overlap across regulations in what they mandate in regard to logging, security monitoring, change detection, incident response and other security practices, it makes sense to implement this superset of requirements and not try to “chew” on regulations one by one, wasting resources and causing delays.
Every time you think “Compliance OR security,” god kills a kitten!
Conclusions

While some organizations continue to try to degrade sensible security requirements to some minimum baseline, this is not a recipe to create customer trust and protect the data. Some of the recent challenges with SIEM and log management frequently stem from the fact that powerful SIEM technology is purchased to address a compliance mandate – and to do so in a narrow and short-sighted fashion. Following our roadmap to effective use of SIEM for compliance and beyond will allow you to avoid the mistakes and gain all the benefits you paid for when procuring a SIEM or log management tool. Next, you can expand the use of a SIEM beyond compliance to security and operational use cases, focusing on improved incident response practices and then going to near-real-time automated security monitoring. This is the only way to gain visibility and thus control over your ever growing IT environments. This is also the only way to prepare for the onslaught of virtualization and cloud computing, which will muddy the waters of what information and IT assets need to be protected. The final word on succeeding with SIEM is this: start using the regulatory guidance, take it to heart, operationalize it, then expand to solving “bigger and better” problems.
Consulting Services focused on security product strategy, SIEM / log management as well as PCI DSS and other regulatory compliance (details [PDF])

Technology Vendor Services
This section of the services is intended for security vendors and security services providers. The focus is on security and compliance strategy for product planning, development and marketing as well as on content development.

Product management and strategy
Review security product compliance strategy, PCI DSS strategy and optimize them for the market
Perform market assessment and analysis, competitive analysis, product strategy (build/buy/partner); prepare Market Requirements Documents (MRDs)
Help develop and refine security product marketing and positioning messages, focused on compliance and new threats
Augment internal Product Management staff for strategic security and compliance projects, use case analysis, product definition, Product Requirement Documents (PRD) development
Work with the product management team to help define and prioritize product features based on market feedback and compliance requirements.

Research and content development
Lead content development for whitepapers, "thought leadership" documents, research papers and other messaging documents related to security and regulatory compliance (example whitepaper, recent book on PCI DSS)
Review security and compliance marketing materials, site contents and other public- or partner-facing materials
Create correlation rules, reports as well as policies and procedures and other operational content to make SIEM and log management products more useful to your customers
Map regulatory compliance controls such as PCI DSS (key focus!), HIPAA, NERC, FISMA, NIST, ISO, ITIL to security product features and document the use of the product in support of the mandates
Develop compliance content such as reports, correlation rules, queries and other relevant compliance content for security products.

Events and webinars
Prepare and conduct thought leadership webinars, seminars and other events on PCI DSS, log management, SIEM and other security topics (example webinar).

Training
Prepare and conduct customized training on log management, log review processes, logging "best practices," PCI DSS for customers and partners (example training class).
Develop advanced training on effective operation and tuning of SIEM and log management tools to complement basic training.

End-user Organization / Enterprise Services
This section of the services menu applies to end-user organizations. The main theme is related to planning and implementing logging, log management and SIEM / SIM / SEM for security and compliance.

Log management and Security Information and Event Management (SIEM) product selection - how to pick the right SIEM and logging product?
Develop log management or SIEM product selection criteria (related writing)
Identify key use cases aligning log management and SIEM tools with business, compliance and security requirements
Prepare RFP documents for SIEM, SEM, SIM or log management
Assist with analyzing RFP responses from SIEM and log management vendors
Evaluate and test log management and SIEM products together with the internal IT security team
Advise on final product selection

Logging and log management policy - how to develop the right logging policy? What to log?
Develop logging policies and processes for servers and applications, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
Interpret regulations and create specific and actionable logging system settings, processes and log review procedures (example: what to log for PCI DSS?)
Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
Customize industry "best practices" related to logging and log review to fit your environment, help link these practices to business services and regulations (example)
Help integrate logging tools and processes into IT and business operations

SIEM and log management product operation optimization - how to get more value out of the tools available?
Clarify security, compliance and operational requirements
Tune and customize SIEM and log management tools based on requirements

Content development
Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations

Training - how to get your engineers to use the tools best?
Provide customized training on the tools and practices of log management for compliance, IT operations, or security needs (example training conducted)
Develop training on effective operation and tuning of SIEM and log management tools to complement basic vendor training.

Incident response artifact analysis
Analyze logs and other evidence collected during security incident response
Practical Strategies to Compliance and Security with SIEM Dr. Anton Chuvakin Security Warrior Consulting www.securitywarriorconsulting.com “Vendor T” Webinar, Oct 2010
Outline Compliance Basics SIEM and Log Management Defined Why SIEM and LM? SIEM: A Perfect Compliance Technology Pragmatic Approach to SIEM/LM Moving Beyond Compliance! Conclusions
So, what are we doing? Aka “What is Security?” Protecting the data Defending the network Guarding the IT environment Reducing “risk” (what risk?) However, we are also: Checking the boxes
SIEM vs LM SIEM = SECURITY information and event management vs LM = LOG management
What Must a SIEM Have? Log and Context Data Collection Normalization and categorization Correlation (“SEM”) Notification/alerting (“SEM”) Dashboards Prioritization (“SEM”) Reporting (“SIM”) Security role workflow
Just What Is “Correlation”? Dictionary: “establishing relationships” SIEM: “relate events together for security benefit” Why correlate events? Automated cross-device data analysis! Simple correlation rule: If this, followed by that, take some action
Pragmatic Approach to SIEM List regulations Identify other “use cases” Review whether SIEM/LM is needed Map features to controls Select and deploy Operationalize regulations Expand use
What is a “Best Practice”? A process or practice that The leaders in the field are doing today Generally leads to useful results with cost effectiveness
BP1 Evolve to SIEM Steps of a journey Establish response process Deploy a SIEM Think “use cases” Start filtering logs from LM to SIEM Phases! Prepare for the initial increase in workload
BP2 SIEM First Steps First step = BABY steps! Compliance monitoring Log collection Log retention Log review Using logs to attest to other controls PCI DSS, HIPAA, ISO, ITIL and others
BP3 Evolve Beyond Compliance Walk before you run! Focus on “Traditional” SIEM uses Authentication tracking IPS/IDS + firewall correlation Web application hacking Simple use cases based on your risk Now, what else can SIEM do for you?
Example SIEM Use Case Cross-system authentication tracking Scope: all systems with authentication (!) Purpose: detect unauthorized access to systems Method: track login failures and successes Rule details: multiple login failures followed by login success Response plan: user account investigation, suspension, communication with suspect user
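The “if this, followed by that, take some action” rule from the correlation slide, worked through for the authentication-tracking use case above. This is an added example, not code from the original slides: the sshd-style log lines are constructed, and the failure threshold, time window and field names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not from the original slides): alice fails
# three times then succeeds from one host; bob and carol should not alert.
SAMPLE_LOG = """\
2010-10-05T09:00:01 srv1 sshd: Failed password for alice from 10.0.0.5
2010-10-05T09:00:04 srv1 sshd: Failed password for alice from 10.0.0.5
2010-10-05T09:00:07 srv1 sshd: Failed password for alice from 10.0.0.5
2010-10-05T09:00:09 srv1 sshd: Accepted password for alice from 10.0.0.5
2010-10-05T09:05:00 srv2 sshd: Failed password for bob from 10.0.0.9
2010-10-05T09:30:00 srv2 sshd: Accepted password for bob from 10.0.0.9
2010-10-05T10:00:00 srv1 sshd: Accepted password for carol from 10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_event(line):
    """Normalize one raw line into a dict (the SIEM 'normalization' step)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def correlate_auth(lines, threshold=3, window=timedelta(minutes=5)):
    """Rule: >= threshold failures for the same (user, src), followed by a
    success within `window`, produces one alert. Returns a list of alerts."""
    failures = defaultdict(list)  # (user, src) -> timestamps of failures
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # lines this rule cannot parse are ignored
        key = (ev["user"], ev["src"])
        # Forget failures that fell out of the time window.
        failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
        elif len(failures[key]) >= threshold:
            alerts.append({"user": ev["user"], "src": ev["src"],
                           "host": ev["host"], "failures": len(failures[key]),
                           "ts": ev["ts"],
                           # response plan from the slide's use case
                           "action": "investigate account, consider suspension"})
            failures[key].clear()
    return alerts
```

Bob's single failure is 25 minutes before his success, so it is outside the window and correctly produces nothing; raising the window or lowering the threshold changes that, which is the tuning the slides call for.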
SIEM and Compliance Mistakes Log collection is NOT compliance Many regulations prescribe log review! Obsess about letter, forget the spirit! Regulations compel you to do the right thing, not check the box Address regulations in siloed fashion Expand and adopt your SIEM across mandates
How To “Profit” From Compliance? Everything you do for compliance, MUST have security benefit for your organization! SIEM and Log Management MUST work!
Conclusions: SIEM and Compliance Use compliance to get SIEM/LM Start USING SIEM for compliance Operationalize! Slowly expand beyond compliance Address common use cases for log data Celebrate success after each phase!
Questions? Dr. Anton Chuvakin Email: firstname.lastname@example.org Site: http://www.chuvakin.org Blog: http://www.securitywarrior.org Twitter: @anton_chuvakin Consulting: http://www.securitywarriorconsulting.com
More Resources Blog: www.securitywarrior.org Podcast: look for “LogChat” on iTunes Slides: http://www.slideshare.net/anton_chuvakin Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin Consulting: http://www.securitywarriorconsulting.com/
More on Anton Consultant: http://www.securitywarriorconsulting.com Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide Standard developer: CEE, CVSS, OVAL, etc Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
Security Warrior Consulting Services Logging and log management strategy, procedures and practices Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations Help integrate logging tools and processes into IT and business operations SIEM and log management content development Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations More at www.SecurityWarriorConsulting.com
Want a PCI DSS Book? “PCI Compliance” by Anton Chuvakin and Branden Williams Useful reference for merchants, vendors – and everybody else Released December 2009! www.pcicompliancebook.info