SIEM Primer:

SIEM Primer:Security Information and Event Management
Dr. Anton Chuvakin
SecurityWarrior LLC
www.securitywarriorconsulting.com
Rochester Institute of Technology
4/2011

Outline
What is SIEM?
What are logs?
How SIEM helps security?
Promises and failures of SIEM!
Conclusions
2

SIEM?
Security Information and Event Management!
(sometimes: SIM or SEM)

SIEM vs Log Management
LM:
Log Management
Focus on all uses for logs
SIEM:
Security Information
and Event Management
Focus on security useof logs and other data

The Big Picture

Big 3 for SIEM/LM
Compliance
Security
Ops

SIEM and LM Defined
Security Information and Event Management = relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content.
Log Management = comprehensive log collection, aggregation, original log retention; analysis; presentation (search, reporting, visualization); related workflow and relevant content.

What SIEM MUST Have?
Log and Context Data Collection
Normalization
Correlation (“SEM”)
Notification/alerting (“SEM”)
Prioritization (“SEM”)
Reporting and report delivery (“SIM”)
Security role workflow (IR, SOC, etc)

Just What Is “Correlation”?
Dictionary: “establishing relationships”
SIEM: “relate events together for security benefit”
Why correlate events?
Automated cross-device data analysis!
Simple correlation rule:
If this, followed by that, take some action

What SIEM Eats: Logs
<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreendevice_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006
<122> Mar 4 09:23:15 localhostsshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2
<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ANTON Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574

What SIEM Eats: Context
http://chuvakin.blogspot.com/2010/01/on-log-context.html

Example SIEM Use Case
Cross-system authentication tracking
Scope: all systems with authentication
Purpose: detect unauthorized access to systems
Method: track login failures and successes
Rule details: multiple login failures followed by login success
Response plan: user account investigation, suspension, communication with suspect user

What do we know about SIEM?
Ties to many technologies, analyzes data, requires process around it, etc
What does it actually mean?
Many people think “SIEM is complex”
Thinking Aloud Here…

Broad SIEM Usage Scenarios
Security Operations Center (SOC)
RT views, analysts 24/7, chase alerts
Mini-SOC / “morning after”
Delayed views, analysts 1/24, review and drill-down
“Automated SOC” / alert + investigate
Configure and forget, investigate alerts
Compliance status reporting
Review reports/views weekly/monthly

The Right Way to SIEM
Figure out what problems you want to solve with SIEM
Confirm that SIEM is the best way to solve them
Define and analyze use cases
Create requirements for a tool
Choose scope for SIEM coverage
Assess data volume
Perform product research
Create a tool shortlist
Pilot top 2-3 products
Test the products for features, usability and scalability vs requirements
Select a product for deployment
Update or create procedures, IR plans, etc
Deploy the tool (phase 1)

The Popular Way to SIEM
Buy a SIEM appliance

Got Difference?
What people WANT to know and have before they deploy a SIEM?
What people NEED to know and have before they deploy a SIEM?

Got SIEM?Have you inherited it?
Now what?

One Way to NOT Fail With SIEM
SIEM Project Plan:
Goals and requirements
Functionality / features
Scoping of data collection
Sizing
Architecting

SIEM/LM Maturity Curve

Best Reports? SANS Top 7
DRAFT “SANS Top 7 Log Reports”
Authentication
Changes
Network activity
Resource access
Malware activity
Failures
Analytic reports

Best Correlation Rules? Nada
Vendor default rules?
IDS/IPS + vulnerability scan?
Anton fave rules:
Authentication
Outbound access
Safeguard failure
?

Secret to SIEM Magic!

Conclusions
SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required
FOCUS on what problems you are trying to solve with SIEM: requirements!
Phased approach WITH “quick wins” is the easiest way to go
Operationalize!!!

Questions?
Dr. Anton Chuvakin
Email:anton@chuvakin.org
Site:http://www.chuvakin.org
Blog:http://www.securitywarrior.org
Twitter:@anton_chuvakin
Consulting:http://www.securitywarriorconsulting.com

More Resources
Blog: www.securitywarrior.org
Podcast: look for “LogChat” on iTunes
Slides: http://www.slideshare.net/anton_chuvakin
Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin
Consulting: http://www.securitywarriorconsulting.com/

More on Anton
Consultant: http://www.securitywarriorconsulting.com
Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
Standard developer: CEE, CVSS, OVAL, etc
Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

Security Warrior Consulting Services
Logging and log management / SIEM strategy, procedures and practices
Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
Help integrate logging tools and processes into IT and business operations
SIEM and log management content development
Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
Others at www.SecurityWarriorConsulting.com

SIEM Primer:

by Anton Chuvakin on Jul 26, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

Statistics

SIEM Primer: — Presentation Transcript