Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin

  • Another way to decide is to look at what problem you’re trying to solve with the tool. Over the years, the following areas where SIEM and log management tools can deliver value have emerged:
    Security, detective, and investigative: sometimes also called threat management, this focuses on detecting and responding to attacks, malware infection, data theft and other security issues. It is very useful to see this as two separate factors: monitoring and detection of security issues vs investigation and forensic analysis of security incidents.
    Compliance, regulatory (global) and policy (local): this focuses on satisfying the requirements of various laws, mandates and frameworks. Most of the mandates have the intention of helping you improve security, so there is a lot of overlap between this and the previous item.
    Operational, system and network troubleshooting and administration: specific mostly to log management, this use case has to do with investigating system problems as well as monitoring the availability of systems and applications.
  • Security Information and Event Management covers relevant log collection, aggregation, normalization, retention; context data collection; alerting; analysis (correlation, prioritization); presentation (reporting, visualization); security-related workflow and relevant security content. Typical uses for SIEM tools center around network security, data security as well as regulatory compliance. On the other hand, Log Management includes comprehensive log collection, original log retention; analysis; presentation (search, reporting, and visualization); related workflow and relevant content such as reports and search queries. Log management usage is broad and covers all possible applications for log data across IT and even beyond information technology – but certainly includes security and compliance use. To summarize this, SIEM focuses on security while log management focuses on a broad use for log data. Most specifically, SIEM tools include correlation and other real-time analysis functionality, useful for real-time monitoring. Log tools often focus on advanced search across all log data. Today, many tools combine select capabilities of SIEM and log management in a single product or product suite.
  • What is correlation? Different definitions given by different people.
    Dictionary: “establishing relationships”
    Why correlate events? Cross-device data analysis
    What else one might want to correlate? Events and …
  • First, compile a list of regulations that you have to comply with, focusing particular attention on areas where a SIEM or log management tool can be useful. In many cases, the list will contain only one regulation – but the one you absolutely must handle.
    Next, if possible, review other possible goals that SIEM can help you achieve. Deciding whether SIEM satisfies a critical business need – such as by acting as an enabling technology for your SOC – is an essential step.
    Third, at this point you must decide whether you are prepared to work to make SIEM solve your problem – whether compliance or other. Despite help from the vendor and possibly consultants, there are areas where you have to work to make SIEM work.
    Now, acquire and implement the SIEM solution. This is where you work jointly with the vendor in order to build your initial implementation for regulatory compliance, such as PCI DSS.
    Now, start actually using SIEM for both the “letter and spirit” of the regulation. This is the most important step in the approach – one of the biggest mistakes organizations make in this area is thinking that simply owning a SIEM tool makes them compliant. In reality, building daily operational procedures and processes to go with your SIEM is the only way to do that. Sadly, few people remember that PCI DSS prescribes a large set of periodic tasks, from annual to daily (log review being the most well-known example of a daily practice) and not just “having logs.”
    Finally, expand the use case beyond compliance. Only at this step can you plan for expanding deployment and solving other problems. The tips for that are provided in the next section. One way to quickly grow your security capability is on the incident response side, because the easiest and most common security use for log management and SIEM tools – beyond compliance – is related to incident response and forensics.
  • SIEM for Compliance Mistakes
    The most burning logging, SIEM and compliance mistake is simply this: thinking that to be compliant you have to have logs collected in a log management tool – and do nothing else. This mistake is as egregious as they come – simply reading the text of most regulations will uncover such items as log review, log protection, logging specific details for various events, handling exceptions and many other items. PCI DSS prescribes log review and log protection, HIPAA calls for monitoring, NERC asks for incident processes; not a single regulation is only about storing logs.
    A second common mistake is focusing on the letter of regulations – and not their intended spirit. The best way to summarize it is: if you focus on security, you have a shot at being compliant and secure; if you only focus on compliance, you will likely be neither secure nor compliant. Just ask the victims of recent breaches who were justifiably found to not be compliant.
    Finally, a silo’d approach to regulations is unfortunately the norm today. Still, that does not make it right – it is still a mistake. Given the large overlap across regulations in what they mandate in regards to logging, security monitoring, change detection, incident response and other security practices, it makes sense to implement this superset of requirements and not try to “chew” on regulations one by one, wasting resources and causing delays.
  • Every time you think “Compliance OR security,” god kills a kitten!
  • Conclusions
    While some organizations continue to try to degrade sensible security requirements to some minimum baseline, this is not a recipe to create customer trust and protect the data. Some of the recent challenges with SIEM and log management frequently stem from the fact that powerful SIEM technology is purchased to address a compliance mandate – and to do so in a narrow and short-sighted fashion. Following our roadmap to effective use of SIEM for compliance and beyond will allow you to avoid the mistakes and gain all the benefits you paid for when procuring a SIEM or log management tool. Next, you can expand the use of a SIEM beyond compliance to security and operational use cases, focusing on improved incident response practices and then going to near-real-time automated security monitoring. This is the only way to gain visibility and thus control over your ever growing IT environments. This is also the only way to prepare for the onslaught of virtualization and cloud computing, which will muddy the waters of what information and IT assets need to be protected. The final word on succeeding with SIEM is this: start using the regulatory guidance, take it to heart, operationalize it, then expand to solving “bigger and better” problems.
  • Consulting Services focused on security product strategy, SIEM / log management as well as PCI DSS and other regulatory compliance (details [PDF])
    Technology Vendor Services
    This section of the services is intended for security vendors and security services providers. The focus is on security and compliance strategy for product planning, development and marketing as well as on content development.
    Product management and strategy
      Review security product compliance strategy, PCI DSS strategy and optimize them for the market
      Perform market assessment and analysis, competitive analysis, product strategy (build/buy/partner); prepare Market Requirements Documents (MRDs)
      Help develop and refine security product marketing and positioning messages, focused on compliance and new threats
      Augment internal Product Management staff for strategic security and compliance projects, use case analysis, product definition, Product Requirement Documents (PRD) development
      Work with product management team to help define and prioritize product features based on market feedback and compliance requirements.
    Research and content development
      Lead content development for whitepapers, "thought leadership" documents, research papers and other messaging documents, related to security and regulatory compliance (example whitepaper, recent book on PCI DSS)
      Review security and compliance marketing materials, site contents and other public- or partner-facing materials
      Create correlation rules, reports as well as policies and procedures and other operational content to make SIEM and log management products more useful to your customers
      Map regulatory compliance controls such as PCI DSS (key focus!), HIPAA, NERC, FISMA, NIST, ISO, ITIL to security product features and document the use of the product in support of the mandates
      Develop compliance content such as reports, correlation rules, queries and other relevant compliance content for security products.
    Events and webinars
      Prepare and conduct thought leadership webinars, seminars and other events on PCI DSS, log management, SIEM and other security topics (example webinar).
    Training
      Prepare and conduct customized training on log management, log review processes, logging "best practices," PCI DSS for customers and partners (example training class).
      Develop advanced training on effective operation and tuning of SIEM and log management tools to complement basic training.
    End-user Organization / Enterprise Services
    This section of the services menu applies to end-user organizations. The main theme is related to planning and implementing logging, log management and SIEM / SIM / SEM for security and compliance.
    Log management and Security Information and Event Management (SIEM) product selection - how to pick the right SIEM and logging product?
      Develop log management or SIEM product selection criteria (related writing)
      Identify key use cases aligning log management and SIEM tools with business, compliance and security requirements
      Prepare RFP documents for SIEM, SEM, SIM or log management
      Assist with analyzing RFP responses from SIEM and log management vendors
      Evaluate and test log management and SIEM products together with internal IT security team
      Advise on final product selection
    Logging and log management policy - how to develop the right logging policy? What to log?
      Develop logging policies and processes for servers and applications, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
      Interpret regulations and create specific and actionable logging system settings, processes and log review procedures (example: what to log for PCI DSS?)
      Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
      Customize industry "best practices" related to logging and log review to fit your environment, help link these practices to business services and regulations (example)
      Help integrate logging tools and processes into IT and business operations
    SIEM and log management product operation optimization - how to get more value out of the tools available?
      Clarify security, compliance and operational requirements
      Tune and customize SIEM and log management tools based on requirements
    Content development
      Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
      Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
    Training - how to get your engineers to use the tools best?
      Provide customized training on the tools and practices of log management for compliance, IT operations, or security needs (example training conducted)
      Develop training on effective operation and tuning of SIEM and log management tools to complement basic vendor training.
    Incident response artifact analysis
      Analyze logs and other evidence collected during security incident response
  • Transcript

    • 1. Practical Strategies to Compliance and Security with SIEM
      Dr. Anton Chuvakin
      Security Warrior Consulting
      www.securitywarriorconsulting.com
      “Vendor T” Webinar, Oct 2010
    • 2. Outline
      Compliance Basics
      SIEM and Log Management Defined
      Why SIEM and LM?
      SIEM: A Perfect Compliance Technology
      Pragmatic Approach to SIEM/LM
      Moving Beyond Compliance!
      Conclusions
    • 3. So, what are we doing?Aka “What is Security?”
      Protecting the data
      Defending the network
      Guarding the IT environment
      Reducing “risk” (what risk?)
      However, we are also:
      Checking the boxes
    • 4. In Reality …
      Compliance budget
      Security budget
    • 5. Compliance Reigns Supreme!
      … even though the purpose of these:
      … is to make sure organization care about security!
    • 6. Compliance Mystery Solved!!
      Compliance is the “floor” of security
      And a motivator to DO IT!
      However, many prefer to treat it as a “ceiling”
      Result: breaches, 0wnage, mayhem!
    • 7. Compliance is NOT All!!!
    • 8. Big 3 for SIEM/LM
      Compliance
      Security
      Ops
    • 9. SIEM vs LM
      SIEM = SECURITY information and event management
      vs
      LM = LOG management
    • 10. What SIEM MUST Have?
      Log and Context Data Collection
      Normalization and categorization
      Correlation (“SEM”)
      Notification/alerting (“SEM”)
      Dashboards
      Prioritization (“SEM”)
      Reporting (“SIM”)
      Security role workflow
    • 11. Just What Is “Correlation”?
      Dictionary: “establishing relationships”
      SIEM: “relate events together for security benefit”
      Why correlate events?
      Automated cross-device data analysis!
      Simple correlation rule:
      If this, followed by that, take some action
    • 12. Pragmatic Approach to SIEM
      List regulations
      Identify other “use cases”
      Review whether SIEM/LM is needed
      Map features to controls
      Select and deploy
      Operationalize regulations
      Expand use
    • 13. What is a “Best Practice”?
      A process or practice that
      The leaders in the field are doing today
      Generally leads to useful results with cost effectiveness
    • 14. BP1 Evolve to SIEM
      Steps of a journey
      Establish response process
      Deploy a SIEM
      Think “use cases”
      Start filtering logs from LM to SIEM
      Phases!
      Prepare for the initial increase in workload
    • 15. BP2 SIEM First Steps
      First step = BABY steps!
      Compliance monitoring
      Log collection
      Log retention
      Log review
      Using logs to attest to other controls
      PCI DSS, HIPAA, ISO, ITIL and others
    • 16. BP3 Evolve Beyond Compliance
      Walk before you run!
      Focus on “Traditional” SIEM uses
      Authentication tracking
      IPS/IDS + firewall correlation
      Web application hacking
      Simple use cases
      based on your risk
      Now, what else can SIEM do for you?
    • 17. Example SIEM Use Case
      Cross-system authentication tracking
      Scope: all systems with authentication (!)
      Purpose: detect unauthorized access to systems
      Method: track login failures and successes
      Rule details: multiple login failures followed by login success
      Response plan: user account investigation, suspension, communication with suspect user
    • 18. SIEM Usage Scenarios
      Security Operations Center (SOC)
      RT views, analysts 24/7, chase alerts
      Mini-SOC / “morning after”
      Delayed views, analysts 1/24, review and drill-down
      “Automated SOC” / alert + investigate
      Configure and forget, investigate alerts
      Compliance status reporting
      Review reports/views weekly/monthly
    • 19. Secret to SIEM Magic!
    • 20. SIEM and Compliance Mistakes
      Log collection is NOT compliance
      Many regulations prescribe log review!
      Obsess about letter, forget the spirit!
      Regulations compel you to do the right thing, not check the box
      Address regulations in silo’ fashion
      Expand and adopt your SIEM across mandates
    • 21. How To “Profit” From Compliance?
      Everything you do for compliance, MUST have security benefit for your organization!
      SIEM and Log Management MUST work!
    • 22. Conclusions: SIEM and Compliance
      Use compliance to get SIEM/LM
      Start USING SIEM for compliance
      Operationalize!
      Slowly expand beyond compliance
      Address common use cases for log data
      Celebrate success after each phase!
    • 23. Questions?
      Dr. Anton Chuvakin
      Email:anton@chuvakin.org
      Site:http://www.chuvakin.org
      Blog:http://www.securitywarrior.org
      Twitter:@anton_chuvakin
      Consulting:http://www.securitywarriorconsulting.com
    • 24. More Resources
      Blog: www.securitywarrior.org
      Podcast: look for “LogChat” on iTunes
      Slides: http://www.slideshare.net/anton_chuvakin
      Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin
      Consulting: http://www.securitywarriorconsulting.com/
    • 25. More on Anton
      Consultant: http://www.securitywarriorconsulting.com
      Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
      Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
      Standard developer: CEE, CVSS, OVAL, etc
      Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
      Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
    • 26. Security Warrior Consulting Services
      Logging and log management strategy, procedures and practices
      Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
      Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
      Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
      Help integrate logging tools and processes into IT and business operations
      SIEM and log management content development
      Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
      Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
      More at www.SecurityWarriorConsulting.com
    • 27. Want a PCI DSS Book?
      “PCI Compliance” by Anton Chuvakin and Branden Williams
      Useful reference for merchants, vendors – and everybody else
      Released December 2009!
      www.pcicompliancebook.info
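The cross-system authentication tracking use case from slide 17, built on the “if this, followed by that” rule shape from slide 11, as an added worked example that is not part of the original deck or its speaker notes: a small Python correlation rule run over constructed, syslog-like authentication events. The key=value field names (host, user, src, result), the three-failure threshold and the five-minute window are assumptions chosen for the example, as is keying the rule on (user, source) so that failures spread across several hosts still count together.

```python
"""Toy SIEM correlation rule: N login failures followed by a success (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value format; not from any real system.
# alice fails on two different hosts, then succeeds: the cross-device case from slide 17.
# bob's single failure is followed by a success long after the window, so no alert.
SAMPLE_LOGS = """\
2010-10-12T09:00:01 host=web01 user=alice src=10.0.0.5 result=FAIL
2010-10-12T09:00:04 host=web01 user=alice src=10.0.0.5 result=FAIL
2010-10-12T09:00:09 host=vpn01 user=alice src=10.0.0.5 result=FAIL
2010-10-12T09:00:15 host=web01 user=alice src=10.0.0.5 result=SUCCESS
2010-10-12T09:01:00 host=db01 user=bob src=10.0.0.7 result=FAIL
2010-10-12T09:30:00 host=db01 user=bob src=10.0.0.7 result=SUCCESS
2010-10-12T09:02:00 host=web01 user=carol src=10.0.0.9 result=SUCCESS
"""


def parse_event(line):
    """Normalize one log line into a dict (the normalization step of a SIEM pipeline)."""
    timestamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(timestamp)
    return event


def correlate(log_text, threshold=3, window_seconds=300):
    """Return one alert per (user, src) that had `threshold` or more failures
    followed by a success, all within `window_seconds`. Keying on user and
    source rather than on host is what makes the rule cross-system."""
    window = timedelta(seconds=window_seconds)
    pending_failures = defaultdict(deque)
    alerts = []
    # Events may arrive out of order from different collectors; sort by timestamp first.
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    for event in events:
        key = (event["user"], event["src"])
        failures = pending_failures[key]
        # Expire failures that have fallen out of the correlation window.
        while failures and event["ts"] - failures[0]["ts"] > window:
            failures.popleft()
        if event["result"] == "FAIL":
            failures.append(event)
        elif event["result"] == "SUCCESS":
            if len(failures) >= threshold:
                alerts.append({
                    "user": event["user"],
                    "src": event["src"],
                    "failures": len(failures),
                    "hosts": sorted({e["host"] for e in failures} | {event["host"]}),
                    "first_failure": failures[0]["ts"],
                    "success": event["ts"],
                    # Slide 17's response plan, carried along as the analyst's next action.
                    "response": "investigate account, suspend if needed, contact user",
                })
            failures.clear()  # a success ends the sequence either way
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Raising the threshold or shrinking the window on the same input shows how tuning, not just owning, the rule decides whether the single real sequence in the sample is caught.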
