Your SlideShare is downloading. ×
SIEM Primer:
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

SIEM Primer:

3,986

Published on

SIEM Primer: Security Information and Event Management by Dr. Anton Chuvakin

SIEM Primer: Security Information and Event Management by Dr. Anton Chuvakin

Published in: Technology
0 Comments
5 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
3,986
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
256
Comments
0
Likes
5
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • No “incident”, not “intelligence” (open or otherwise), not anything else.
  • Another way to decide is to look at what problem you’re trying to solve with the tool. Over the years, the following areas where SIEM and log management tools can deliver value have emerged: Security, detective, and investigative: sometimes also called threat management, this focuses on detecting and responding to attacks, malware infection, data theft and other security issues. It is very useful to see this as two separate factors: monitoring and detection of security issues vs investigation and forensic analysis of security incidents.Compliance, regulatory (global) and policy (local): this focuses on satisfying the requirement of various laws, mandates and frameworks. Most of the mandates have the intention of helping you improve security, so there is a lot of overlap between this and the previous item.Operational, system and network troubleshooting and administration: specific mostly to log management, this use case has to do with investigating system problems as well as monitoring the availability of systems and applications.
  • Security Information and Event Management = security-relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content.Log management = comprehensive log collection, aggregation, original log retention; analysis; presentation (search, reporting, visualization); related workflow and relevant content.
  • What is correlation? Different definitions given by different people.Dictionary: “establishing relationships”Why correlate events?Cross-device data analysisWhat else one might want to correlate?Events and …
  • Gal: “CISO thinks that SIEM opportunity cost is too big; spend $100k on SIEM vs spend $100k to solve a dozen problems”
  • Figure OutCustom StuffTunedRightAdapted
  • Maybe inheritedDoes everybody need a SIEM?Do you need a SIEM?Are you ready for SIEM?Do you want a SIEM?
  • The previous version “SANS Top 5 Essential Log Report” (you can still get it at SANS site) is being updated by the author. Here is the draft that you can use today.1. Authentication and Authorization Reportsa. All login failures and successes by user, system, business unit – must have login success logs, not just failure!b. Login attempts (successes, failures) to disabled/service/non-existing/default/suspended accountsc. All logins after office hours / “off” hoursd. Users failing to authenticate by count of unique systems they triede. VPN authentication and other remote access logins (success, failure)f. Privileged account access: logins, su use, Run As use, etc. (success, failure)g. Multiple login failures followed by success by same account – needs to have correlation for that2. Change Reportsa. Additions/changes/deletions to users, groups – even a trend on user additions across systems would be usefulb. Additions of accounts to administrator / privileged groupsc. Password changes and resets – by users and by admins to usersd. Additions/changes/deletions to network servicese. Changes to system files – binaries, configurations – likely needs a list to rung. Changes in file access permissionsh. Application installs and updates (success, failure) by system, application, user 
  • Log management and Security Information and Event Management (SIEM) product selection - how to pick the right SIEM and logging product?Develop log management or SIEM product selection criteria (related writing)Identify key use cases aligning log management and SIEM tools with business, compliance and security requirementsPrepare RFP documents for SIEM, SEM, SIM or log managementAssist with analyzing RFP responses from SIEM and log management vendorsEvaluate and test log management and SIEM products together with internal IT security teamAdvise on final product selectionLogging and log management policyLogging and log management policy - how to develop the right logging policy? What to log?Develop logging policies and processes for servers and applications , log review procedures, workflows and periodic tasks as well as help architect those to solve organization problemsInterpret regulations and create specific and actionable logging system settings , processes and log review procedures (example: what to log for PCI DSS?)Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validationCustomize industry "best practices" related to logging and log review to fit your environment, help link these practices to business services and regulations (example)Help integrate logging tools and processes into IT and business operationsSIEM and log management product operation optimization - how to get more value out of the tools available?Clarify security, compliance and operational requirementsTune and customize SIEM and log management tools based on requirementsContent developmentDevelop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needsCreate and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulationsTraining - how to get your engineers to use the tools best?Provide the customized training on the tools and practices of log management for compliance, IT operations, or security needs (example training conducted)Develop training on effective operation and tuning of SIEM and log management tools to complement basic vendor training.
  • Transcript

    • 1. SIEM Primer:Security Information and Event Management
      Dr. Anton Chuvakin
      SecurityWarrior LLC
      www.securitywarriorconsulting.com
      Rochester Institute of Technology
      4/2011
    • 2. Outline
      What is SIEM?
      What are logs?
      How SIEM helps security?
      Promises and failures of SIEM!
      Conclusions
      2
    • 3. SIEM?
      Security Information and Event Management!
      (sometimes: SIM or SEM)
    • 4. SIEM vs Log Management
      LM:
      Log Management
      Focus on all uses for logs
      SIEM:
      Security Information
      and Event Management
      Focus on security useof logs and other data
    • 5. The Big Picture
    • 6. Big 3 for SIEM/LM
      Compliance
      Security
      Ops
    • 7. SIEM and LM Defined
      Security Information and Event Management = relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content.
      Log Management = comprehensive log collection, aggregation, original log retention; analysis; presentation (search, reporting, visualization); related workflow and relevant content.
    • 8. What SIEM MUST Have?
      Log and Context Data Collection
      Normalization
      Correlation (“SEM”)
      Notification/alerting (“SEM”)
      Prioritization (“SEM”)
      Reporting and report delivery (“SIM”)
      Security role workflow (IR, SOC, etc)
    • 9. Just What Is “Correlation”?
      Dictionary: “establishing relationships”
      SIEM: “relate events together for security benefit”
      Why correlate events?
      Automated cross-device data analysis!
      Simple correlation rule:
      If this, followed by that, take some action
    • 10. What SIEM Eats: Logs
      <18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreendevice_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
      <57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006
      <122> Mar 4 09:23:15 localhostsshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2
      <13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon  account:  ANTON    Source Workstation: ENTERPRISE    Error Code: 0xC000006A     4574
    • 11. What SIEM Eats: Context
      http://chuvakin.blogspot.com/2010/01/on-log-context.html
    • 12. Example SIEM Use Case
      Cross-system authentication tracking
      Scope: all systems with authentication
      Purpose: detect unauthorized access to systems
      Method: track login failures and successes
      Rule details: multiple login failures followed by login success
      Response plan: user account investigation, suspension, communication with suspect user
    • 13. What do we know about SIEM?
      Ties to many technologies, analyzes data, requires process around it, etc
      What does it actually mean?
      Many people think “SIEM is complex”
      Thinking Aloud Here…
    • 14. Broad SIEM Usage Scenarios
      Security Operations Center (SOC)
      RT views, analysts 24/7, chase alerts
      Mini-SOC / “morning after”
      Delayed views, analysts 1/24, review and drill-down
      “Automated SOC” / alert + investigate
      Configure and forget, investigate alerts
      Compliance status reporting
      Review reports/views weekly/monthly
    • 15. The Right Way to SIEM
      Figure out what problems you want to solve with SIEM
      Confirm that SIEM is the best way to solve them
      Define and analyze use cases
      Create requirements for a tool
      Choose scope for SIEM coverage
      Assess data volume
      Perform product research
      Create a tool shortlist
      Pilot top 2-3 products
      Test the products for features, usability and scalability vs requirements
      Select a product for deployment
      Update or create procedures, IR plans, etc
      Deploy the tool (phase 1)
    • 16. The Popular Way to SIEM
      Buy a SIEM appliance
    • 17. Got Difference?
      What people WANT to know and have before they deploy a SIEM?
      What people NEED to know and have before they deploy a SIEM?
    • 18. Got SIEM?Have you inherited it?
      Now what?
    • 19. One Way to NOT Fail With SIEM
      SIEM Project Plan:
      Goals and requirements
      Functionality / features
      Scoping of data collection
      Sizing
      Architecting
    • 20. SIEM/LM Maturity Curve
    • 21. Best Reports? SANS Top 7
      DRAFT “SANS Top 7 Log Reports”
      Authentication
      Changes
      Network activity
      Resource access
      Malware activity
      Failures
      Analytic reports
    • 22. Best Correlation Rules? Nada
      Vendor default rules?
      IDS/IPS + vulnerability scan?
      Anton fave rules:
      Authentication
      Outbound access
      Safeguard failure
      ?
    • 23. Secret to SIEM Magic!
    • 24. Conclusions
      SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required
      FOCUS on what problems you are trying to solve with SIEM: requirements!
      Phased approach WITH “quick wins” is the easiest way to go
      Operationalize!!!
    • 25. Questions?
      Dr. Anton Chuvakin
      Email:anton@chuvakin.org
      Site:http://www.chuvakin.org
      Blog:http://www.securitywarrior.org
      Twitter:@anton_chuvakin
      Consulting:http://www.securitywarriorconsulting.com
    • 26. More Resources
      Blog: www.securitywarrior.org
      Podcast: look for “LogChat” on iTunes
      Slides: http://www.slideshare.net/anton_chuvakin
      Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin
      Consulting: http://www.securitywarriorconsulting.com/
    • 27. More on Anton
      Consultant: http://www.securitywarriorconsulting.com
      Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
      Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
      Standard developer: CEE, CVSS, OVAL, etc
      Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
      Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
    • 28. Security Warrior Consulting Services
      Logging and log management / SIEM strategy, procedures and practices
      Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
      Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
      Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
      Help integrate logging tools and processes into IT and business operations
      SIEM and log management content development
      Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
      Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
      Others at www.SecurityWarriorConsulting.com

    ×