SIEM Primer:

  • 3,721 views
Uploaded on

SIEM Primer: Security Information and Event Management by Dr. Anton Chuvakin

SIEM Primer: Security Information and Event Management by Dr. Anton Chuvakin

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
3,721
On Slideshare
0
From Embeds
0
Number of Embeds
2

Actions

Shares
Downloads
236
Comments
0
Likes
4

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • No “incident”, not “intelligence” (open or otherwise), not anything else.
  • Another way to decide is to look at what problem you’re trying to solve with the tool. Over the years, the following areas where SIEM and log management tools can deliver value have emerged: Security, detective, and investigative: sometimes also called threat management, this focuses on detecting and responding to attacks, malware infection, data theft and other security issues. It is very useful to see this as two separate factors: monitoring and detection of security issues vs investigation and forensic analysis of security incidents.Compliance, regulatory (global) and policy (local): this focuses on satisfying the requirement of various laws, mandates and frameworks. Most of the mandates have the intention of helping you improve security, so there is a lot of overlap between this and the previous item.Operational, system and network troubleshooting and administration: specific mostly to log management, this use case has to do with investigating system problems as well as monitoring the availability of systems and applications.
  • Security Information and Event Management = security-relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content.Log management = comprehensive log collection, aggregation, original log retention; analysis; presentation (search, reporting, visualization); related workflow and relevant content.
  • What is correlation? Different definitions given by different people.Dictionary: “establishing relationships”Why correlate events?Cross-device data analysisWhat else one might want to correlate?Events and …
  • Gal: “CISO thinks that SIEM opportunity cost is too big; spend $100k on SIEM vs spend $100k to solve a dozen problems”
  • Figure OutCustom StuffTunedRightAdapted
  • Maybe inheritedDoes everybody need a SIEM?Do you need a SIEM?Are you ready for SIEM?Do you want a SIEM?
  • The previous version “SANS Top 5 Essential Log Report” (you can still get it at SANS site) is being updated by the author. Here is the draft that you can use today.1. Authentication and Authorization Reportsa. All login failures and successes by user, system, business unit – must have login success logs, not just failure!b. Login attempts (successes, failures) to disabled/service/non-existing/default/suspended accountsc. All logins after office hours / “off” hoursd. Users failing to authenticate by count of unique systems they triede. VPN authentication and other remote access logins (success, failure)f. Privileged account access: logins, su use, Run As use, etc. (success, failure)g. Multiple login failures followed by success by same account – needs to have correlation for that2. Change Reportsa. Additions/changes/deletions to users, groups – even a trend on user additions across systems would be usefulb. Additions of accounts to administrator / privileged groupsc. Password changes and resets – by users and by admins to usersd. Additions/changes/deletions to network servicese. Changes to system files – binaries, configurations – likely needs a list to rung. Changes in file access permissionsh. Application installs and updates (success, failure) by system, application, user 
  • Log management and Security Information and Event Management (SIEM) product selection - how to pick the right SIEM and logging product?Develop log management or SIEM product selection criteria (related writing)Identify key use cases aligning log management and SIEM tools with business, compliance and security requirementsPrepare RFP documents for SIEM, SEM, SIM or log managementAssist with analyzing RFP responses from SIEM and log management vendorsEvaluate and test log management and SIEM products together with internal IT security teamAdvise on final product selectionLogging and log management policyLogging and log management policy - how to develop the right logging policy? What to log?Develop logging policies and processes for servers and applications , log review procedures, workflows and periodic tasks as well as help architect those to solve organization problemsInterpret regulations and create specific and actionable logging system settings , processes and log review procedures (example: what to log for PCI DSS?)Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validationCustomize industry "best practices" related to logging and log review to fit your environment, help link these practices to business services and regulations (example)Help integrate logging tools and processes into IT and business operationsSIEM and log management product operation optimization - how to get more value out of the tools available?Clarify security, compliance and operational requirementsTune and customize SIEM and log management tools based on requirementsContent developmentDevelop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needsCreate and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulationsTraining - how to get your engineers to use the tools best?Provide the customized training on the tools and practices of log management for compliance, IT operations, or security needs (example training conducted)Develop training on effective operation and tuning of SIEM and log management tools to complement basic vendor training.

Transcript

  • 1. SIEM Primer:Security Information and Event Management
    Dr. Anton Chuvakin
    SecurityWarrior LLC
    www.securitywarriorconsulting.com
    Rochester Institute of Technology
    4/2011
  • 2. Outline
    What is SIEM?
    What are logs?
    How SIEM helps security?
    Promises and failures of SIEM!
    Conclusions
    2
  • 3. SIEM?
    Security Information and Event Management!
    (sometimes: SIM or SEM)
  • 4. SIEM vs Log Management
    LM:
    Log Management
    Focus on all uses for logs
    SIEM:
    Security Information
    and Event Management
    Focus on security useof logs and other data
  • 5. The Big Picture
  • 6. Big 3 for SIEM/LM
    Compliance
    Security
    Ops
  • 7. SIEM and LM Defined
    Security Information and Event Management = relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content.
    Log Management = comprehensive log collection, aggregation, original log retention; analysis; presentation (search, reporting, visualization); related workflow and relevant content.
  • 8. What SIEM MUST Have?
    Log and Context Data Collection
    Normalization
    Correlation (“SEM”)
    Notification/alerting (“SEM”)
    Prioritization (“SEM”)
    Reporting and report delivery (“SIM”)
    Security role workflow (IR, SOC, etc)
  • 9. Just What Is “Correlation”?
    Dictionary: “establishing relationships”
    SIEM: “relate events together for security benefit”
    Why correlate events?
    Automated cross-device data analysis!
    Simple correlation rule:
    If this, followed by that, take some action
  • 10. What SIEM Eats: Logs
    <18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreendevice_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
    <57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006
    <122> Mar 4 09:23:15 localhostsshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2
    <13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon  account:  ANTON    Source Workstation: ENTERPRISE    Error Code: 0xC000006A     4574
  • 11. What SIEM Eats: Context
    http://chuvakin.blogspot.com/2010/01/on-log-context.html
  • 12. Example SIEM Use Case
    Cross-system authentication tracking
    Scope: all systems with authentication
    Purpose: detect unauthorized access to systems
    Method: track login failures and successes
    Rule details: multiple login failures followed by login success
    Response plan: user account investigation, suspension, communication with suspect user
  • 13. What do we know about SIEM?
    Ties to many technologies, analyzes data, requires process around it, etc
    What does it actually mean?
    Many people think “SIEM is complex”
    Thinking Aloud Here…
  • 14. Broad SIEM Usage Scenarios
    Security Operations Center (SOC)
    RT views, analysts 24/7, chase alerts
    Mini-SOC / “morning after”
    Delayed views, analysts 1/24, review and drill-down
    “Automated SOC” / alert + investigate
    Configure and forget, investigate alerts
    Compliance status reporting
    Review reports/views weekly/monthly
  • 15. The Right Way to SIEM
    Figure out what problems you want to solve with SIEM
    Confirm that SIEM is the best way to solve them
    Define and analyze use cases
    Create requirements for a tool
    Choose scope for SIEM coverage
    Assess data volume
    Perform product research
    Create a tool shortlist
    Pilot top 2-3 products
    Test the products for features, usability and scalability vs requirements
    Select a product for deployment
    Update or create procedures, IR plans, etc
    Deploy the tool (phase 1)
  • 16. The Popular Way to SIEM
    Buy a SIEM appliance
  • 17. Got Difference?
    What people WANT to know and have before they deploy a SIEM?
    What people NEED to know and have before they deploy a SIEM?
  • 18. Got SIEM?Have you inherited it?
    Now what?
  • 19. One Way to NOT Fail With SIEM
    SIEM Project Plan:
    Goals and requirements
    Functionality / features
    Scoping of data collection
    Sizing
    Architecting
  • 20. SIEM/LM Maturity Curve
  • 21. Best Reports? SANS Top 7
    DRAFT “SANS Top 7 Log Reports”
    Authentication
    Changes
    Network activity
    Resource access
    Malware activity
    Failures
    Analytic reports
  • 22. Best Correlation Rules? Nada
    Vendor default rules?
    IDS/IPS + vulnerability scan?
    Anton fave rules:
    Authentication
    Outbound access
    Safeguard failure
    ?
  • 23. Secret to SIEM Magic!
  • 24. Conclusions
    SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required
    FOCUS on what problems you are trying to solve with SIEM: requirements!
    Phased approach WITH “quick wins” is the easiest way to go
    Operationalize!!!
  • 25. Questions?
    Dr. Anton Chuvakin
    Email:anton@chuvakin.org
    Site:http://www.chuvakin.org
    Blog:http://www.securitywarrior.org
    Twitter:@anton_chuvakin
    Consulting:http://www.securitywarriorconsulting.com
  • 26. More Resources
    Blog: www.securitywarrior.org
    Podcast: look for “LogChat” on iTunes
    Slides: http://www.slideshare.net/anton_chuvakin
    Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin
    Consulting: http://www.securitywarriorconsulting.com/
  • 27. More on Anton
    Consultant: http://www.securitywarriorconsulting.com
    Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
    Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
    Standard developer: CEE, CVSS, OVAL, etc
    Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
    Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
  • 28. Security Warrior Consulting Services
    Logging and log management / SIEM strategy, procedures and practices
    Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
    Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
    Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
    Help integrate logging tools and processes into IT and business operations
    SIEM and log management content development
    Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
    Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
    Others at www.SecurityWarriorConsulting.com