Downloaded 404 times
![What SIEM Eats: Logs<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreendevice_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53) <57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006<122> Mar 4 09:23:15 localhostsshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ANTON Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574](https://image.slidesharecdn.com/rochestersiemprimer-110726220338-phpapp02/75/SIEM-Primer-10-2048.jpg)
Uploaded byAnton Chuvakin
SIEM Primer:
SIEM stands for Security Information and Event Management. It involves collecting, aggregating, normalizing and retaining logs and other security-related data from across an organization. SIEM performs analysis on this data through correlation, prioritization and notification/alerting. It also provides reporting and workflow capabilities for security teams. While SIEM promises improved security through these functions, it requires careful planning, scoping, requirements development and ongoing focus to avoid failures and ensure value.
More Related Content
More from Anton Chuvakin
![Vibe Coding vs. Spec-Driven Development [Free Meetup]](https://cdn.slidesharecdn.com/ss_thumbnails/vibecodingvsspecdrivendevelopment-251209105622-43f455e7-thumbnail.jpg?width=640&height=640&fit=bounds)
SIEM Primer:
- 1. SIEM Primer:Security Informationand Event Management Dr. Anton ChuvakinSecurityWarrior LLCwww.securitywarriorconsulting.comRochester Institute of Technology4/2011
- 2. OutlineWhat is SIEM?Whatare logs?How SIEM helps security?Promises and failures of SIEM!Conclusions2
- 3. SIEM?Security Information andEvent Management!(sometimes: SIM or SEM)
- 4. SIEM vs LogManagement LM:Log ManagementFocus on all uses for logsSIEM: Security Information and Event ManagementFocus on security useof logs and other data
- 5.
- 6. Big 3 forSIEM/LMComplianceSecurityOps
- 7. SIEM and LMDefinedSecurity Information and Event Management = relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content.Log Management = comprehensive log collection, aggregation, original log retention; analysis; presentation (search, reporting, visualization); related workflow and relevant content.
- 8. What SIEM MUSTHave?Log and Context Data CollectionNormalizationCorrelation (“SEM”)Notification/alerting (“SEM”)Prioritization (“SEM”)Reporting and report delivery (“SIM”)Security role workflow (IR, SOC, etc)
- 9. Just What Is“Correlation”?Dictionary: “establishing relationships”SIEM: “relate events together for security benefit”Why correlate events?Automated cross-device data analysis!Simple correlation rule:If this, followed by that, take some action
- 10. What SIEM Eats:Logs<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreendevice_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53) <57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006<122> Mar 4 09:23:15 localhostsshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ANTON Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574
- 11. What SIEM Eats:Contexthttp://chuvakin.blogspot.com/2010/01/on-log-context.html
- 12. Example SIEM UseCaseCross-system authentication trackingScope: all systems with authentication Purpose: detect unauthorized access to systemsMethod: track login failures and successesRule details: multiple login failures followed by login successResponse plan: user account investigation, suspension, communication with suspect user
- 13. What do weknow about SIEM?Ties to many technologies, analyzes data, requires process around it, etcWhat does it actually mean?Many people think “SIEM is complex”Thinking Aloud Here…
- 14. Broad SIEM UsageScenariosSecurity Operations Center (SOC)RT views, analysts 24/7, chase alertsMini-SOC / “morning after”Delayed views, analysts 1/24, review and drill-down“Automated SOC” / alert + investigateConfigure and forget, investigate alertsCompliance status reportingReview reports/views weekly/monthly
- 15. The Right Wayto SIEMFigure out what problems you want to solve with SIEMConfirm that SIEM is the best way to solve themDefine and analyze use casesCreate requirements for a toolChoose scope for SIEM coverageAssess data volumePerform product researchCreate a tool shortlistPilot top 2-3 productsTest the products for features, usability and scalability vs requirementsSelect a product for deploymentUpdate or create procedures, IR plans, etcDeploy the tool (phase 1)
- 16. The Popular Wayto SIEMBuy a SIEM appliance
- 17. Got Difference?What people WANT to know and have before they deploy a SIEM?What people NEED to know and have before they deploy a SIEM?
- 18. Got SIEM?Have youinherited it?Now what?
- 19. One Way toNOT Fail With SIEMSIEM Project Plan:Goals and requirementsFunctionality / featuresScoping of data collectionSizingArchitecting
- 20.
- 21. Best Reports? SANSTop 7DRAFT “SANS Top 7 Log Reports”Authentication ChangesNetwork activityResource accessMalware activityFailuresAnalytic reports
- 22. Best Correlation Rules? NadaVendor default rules?IDS/IPS + vulnerability scan?Anton fave rules:AuthenticationOutbound accessSafeguard failure?
- 23. Secret to SIEMMagic!
- 24. ConclusionsSIEM will workand has value … but BOTH initial and ongoing time/focus commitment is requiredFOCUS on what problems you are trying to solve with SIEM: requirements!Phased approach WITH “quick wins” is the easiest way to goOperationalize!!!
- 25. Questions?Dr. Anton ChuvakinEmail:anton@chuvakin.orgSite:http://www.chuvakin.orgBlog:http://www.securitywarrior.orgTwitter:@anton_chuvakinConsulting:http://www.securitywarriorconsulting.com
- 26. More ResourcesBlog: www.securitywarrior.orgPodcast:look for “LogChat” on iTunesSlides: http://www.slideshare.net/anton_chuvakinPapers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakinConsulting: http://www.securitywarriorconsulting.com/
- 27. More on AntonConsultant: http://www.securitywarriorconsulting.comBook author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etcConference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwideStandard developer: CEE, CVSS, OVAL, etcCommunity role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, othersPast roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
- 28. Security Warrior ConsultingServicesLogging and log management / SIEM strategy, procedures and practicesDevelop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validationCustomize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulationsHelp integrate logging tools and processes into IT and business operationsSIEM and log management content developmentDevelop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needsCreate and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulationsOthers at www.SecurityWarriorConsulting.com
Editor's Notes
- #4 No “incident”, not “intelligence” (open or otherwise), not anything else.
- #7 Another way to decide is to look at what problem you’re trying to solve with the tool. Over the years, the following areas where SIEM and log management tools can deliver value have emerged: Security, detective, and investigative: sometimes also called threat management, this focuses on detecting and responding to attacks, malware infection, data theft and other security issues. It is very useful to see this as two separate factors: monitoring and detection of security issues vs investigation and forensic analysis of security incidents.Compliance, regulatory (global) and policy (local): this focuses on satisfying the requirement of various laws, mandates and frameworks. Most of the mandates have the intention of helping you improve security, so there is a lot of overlap between this and the previous item.Operational, system and network troubleshooting and administration: specific mostly to log management, this use case has to do with investigating system problems as well as monitoring the availability of systems and applications.
- #8 Security Information and Event Management = security-relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content.Log management = comprehensive log collection, aggregation, original log retention; analysis; presentation (search, reporting, visualization); related workflow and relevant content.
- #10 What is correlation? Different definitions given by different people.Dictionary: “establishing relationships”Why correlate events?Cross-device data analysisWhat else one might want to correlate?Events and …
- #14 Gal: “CISO thinks that SIEM opportunity cost is too big; spend $100k on SIEM vs spend $100k to solve a dozen problems”
- #16 Figure OutCustom StuffTunedRightAdapted
- #19 Maybe inheritedDoes everybody need a SIEM?Do you need a SIEM?Are you ready for SIEM?Do you want a SIEM?
- #22 The previous version “SANS Top 5 Essential Log Report” (you can still get it at SANS site) is being updated by the author. Here is the draft that you can use today.1. Authentication and Authorization Reportsa. All login failures and successes by user, system, business unit – must have login success logs, not just failure!b. Login attempts (successes, failures) to disabled/service/non-existing/default/suspended accountsc. All logins after office hours / “off” hoursd. Users failing to authenticate by count of unique systems they triede. VPN authentication and other remote access logins (success, failure)f. Privileged account access: logins, su use, Run As use, etc. (success, failure)g. Multiple login failures followed by success by same account – needs to have correlation for that2. Change Reportsa. Additions/changes/deletions to users, groups – even a trend on user additions across systems would be usefulb. Additions of accounts to administrator / privileged groupsc. Password changes and resets – by users and by admins to usersd. Additions/changes/deletions to network servicese. Changes to system files – binaries, configurations – likely needs a list to rung. Changes in file access permissionsh. Application installs and updates (success, failure) by system, application, user
- #29 Log management and Security Information and Event Management (SIEM) product selection - how to pick the right SIEM and logging product?Develop log management or SIEM product selection criteria (related writing)Identify key use cases aligning log management and SIEM tools with business, compliance and security requirementsPrepare RFP documents for SIEM, SEM, SIM or log managementAssist with analyzing RFP responses from SIEM and log management vendorsEvaluate and test log management and SIEM products together with internal IT security teamAdvise on final product selectionLogging and log management policyLogging and log management policy - how to develop the right logging policy? What to log?Develop logging policies and processes for servers and applications , log review procedures, workflows and periodic tasks as well as help architect those to solve organization problemsInterpret regulations and create specific and actionable logging system settings , processes and log review procedures (example: what to log for PCI DSS?)Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validationCustomize industry "best practices" related to logging and log review to fit your environment, help link these practices to business services and regulations (example)Help integrate logging tools and processes into IT and business operationsSIEM and log management product operation optimization - how to get more value out of the tools available?Clarify security, compliance and operational requirementsTune and customize SIEM and log management tools based on requirementsContent developmentDevelop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needsCreate and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulationsTraining - how to get your engineers to use the tools best?Provide the customized training on the tools and practices of log management for compliance, IT operations, or security needs (example training conducted)Develop training on effective operation and tuning of SIEM and log management tools to complement basic vendor training.