No “incident”, not “intelligence” (open or otherwise), not anything else.
Another way to decide is to look at what problem you’re trying to solve with the tool. Over the years, the following areas where SIEM and log management tools can deliver value have emerged: Security, detective, and investigative: sometimes also called threat management, this focuses on detecting and responding to attacks, malware infection, data theft and other security issues. It is very useful to see this as two separate factors: monitoring and detection of security issues vs investigation and forensic analysis of security incidents.Compliance, regulatory (global) and policy (local): this focuses on satisfying the requirement of various laws, mandates and frameworks. Most of the mandates have the intention of helping you improve security, so there is a lot of overlap between this and the previous item.Operational, system and network troubleshooting and administration: specific mostly to log management, this use case has to do with investigating system problems as well as monitoring the availability of systems and applications.
Security Information and Event Management = security-relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content.Log management = comprehensive log collection, aggregation, original log retention; analysis; presentation (search, reporting, visualization); related workflow and relevant content.
What is correlation? Different definitions given by different people.Dictionary: “establishing relationships”Why correlate events?Cross-device data analysisWhat else one might want to correlate?Events and …
Gal: “CISO thinks that SIEM opportunity cost is too big; spend $100k on SIEM vs spend $100k to solve a dozen problems”
Figure OutCustom StuffTunedRightAdapted
Maybe inheritedDoes everybody need a SIEM?Do you need a SIEM?Are you ready for SIEM?Do you want a SIEM?
The previous version “SANS Top 5 Essential Log Report” (you can still get it at SANS site) is being updated by the author. Here is the draft that you can use today.1. Authentication and Authorization Reportsa. All login failures and successes by user, system, business unit – must have login success logs, not just failure!b. Login attempts (successes, failures) to disabled/service/non-existing/default/suspended accountsc. All logins after office hours / “off” hoursd. Users failing to authenticate by count of unique systems they triede. VPN authentication and other remote access logins (success, failure)f. Privileged account access: logins, su use, Run As use, etc. (success, failure)g. Multiple login failures followed by success by same account – needs to have correlation for that2. Change Reportsa. Additions/changes/deletions to users, groups – even a trend on user additions across systems would be usefulb. Additions of accounts to administrator / privileged groupsc. Password changes and resets – by users and by admins to usersd. Additions/changes/deletions to network servicese. Changes to system files – binaries, configurations – likely needs a list to rung. Changes in file access permissionsh. Application installs and updates (success, failure) by system, application, user
Log management and Security Information and Event Management (SIEM) product selection - how to pick the right SIEM and logging product?Develop log management or SIEM product selection criteria (related writing)Identify key use cases aligning log management and SIEM tools with business, compliance and security requirementsPrepare RFP documents for SIEM, SEM, SIM or log managementAssist with analyzing RFP responses from SIEM and log management vendorsEvaluate and test log management and SIEM products together with internal IT security teamAdvise on final product selectionLogging and log management policyLogging and log management policy - how to develop the right logging policy? What to log?Develop logging policies and processes for servers and applications , log review procedures, workflows and periodic tasks as well as help architect those to solve organization problemsInterpret regulations and create specific and actionable logging system settings , processes and log review procedures (example: what to log for PCI DSS?)Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validationCustomize industry "best practices" related to logging and log review to fit your environment, help link these practices to business services and regulations (example)Help integrate logging tools and processes into IT and business operationsSIEM and log management product operation optimization - how to get more value out of the tools available?Clarify security, compliance and operational requirementsTune and customize SIEM and log management tools based on requirementsContent developmentDevelop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needsCreate and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulationsTraining - how to get your engineers to use the tools best?Provide the customized training on the tools and practices of log management for compliance, IT operations, or security needs (example training conducted)Develop training on effective operation and tuning of SIEM and log management tools to complement basic vendor training.
SIEM Primer:Security Information and Event Management Dr. Anton Chuvakin SecurityWarrior LLC www.securitywarriorconsulting.com Rochester Institute of Technology 4/2011
Outline What is SIEM? What are logs? How SIEM helps security? Promises and failures of SIEM! Conclusions 2
SIEM? Security Information and Event Management! (sometimes: SIM or SEM)
SIEM vs Log Management LM: Log Management Focus on all uses for logs SIEM: Security Information and Event Management Focus on security useof logs and other data
SIEM and LM Defined Security Information and Event Management = relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content. Log Management = comprehensive log collection, aggregation, original log retention; analysis; presentation (search, reporting, visualization); related workflow and relevant content.
What SIEM MUST Have? Log and Context Data Collection Normalization Correlation (“SEM”) Notification/alerting (“SEM”) Prioritization (“SEM”) Reporting and report delivery (“SIM”) Security role workflow (IR, SOC, etc)
Just What Is “Correlation”? Dictionary: “establishing relationships” SIEM: “relate events together for security benefit” Why correlate events? Automated cross-device data analysis! Simple correlation rule: If this, followed by that, take some action
What SIEM Eats: Logs <18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreendevice_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53) <57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006 <122> Mar 4 09:23:15 localhostsshd: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2 <13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ANTON Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574
What SIEM Eats: Context http://chuvakin.blogspot.com/2010/01/on-log-context.html
Example SIEM Use Case Cross-system authentication tracking Scope: all systems with authentication Purpose: detect unauthorized access to systems Method: track login failures and successes Rule details: multiple login failures followed by login success Response plan: user account investigation, suspension, communication with suspect user
What do we know about SIEM? Ties to many technologies, analyzes data, requires process around it, etc What does it actually mean? Many people think “SIEM is complex” Thinking Aloud Here…
The Right Way to SIEM Figure out what problems you want to solve with SIEM Confirm that SIEM is the best way to solve them Define and analyze use cases Create requirements for a tool Choose scope for SIEM coverage Assess data volume Perform product research Create a tool shortlist Pilot top 2-3 products Test the products for features, usability and scalability vs requirements Select a product for deployment Update or create procedures, IR plans, etc Deploy the tool (phase 1)
Conclusions SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required FOCUS on what problems you are trying to solve with SIEM: requirements! Phased approach WITH “quick wins” is the easiest way to go Operationalize!!!
Questions? Dr. Anton Chuvakin Email:firstname.lastname@example.org Site:http://www.chuvakin.org Blog:http://www.securitywarrior.org Twitter:@anton_chuvakin Consulting:http://www.securitywarriorconsulting.com
More Resources Blog: www.securitywarrior.org Podcast: look for “LogChat” on iTunes Slides: http://www.slideshare.net/anton_chuvakin Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin Consulting: http://www.securitywarriorconsulting.com/
More on Anton Consultant: http://www.securitywarriorconsulting.com Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide Standard developer: CEE, CVSS, OVAL, etc Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
Security Warrior Consulting Services Logging and log management / SIEM strategy, procedures and practices Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations Help integrate logging tools and processes into IT and business operations SIEM and log management content development Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations Others at www.SecurityWarriorConsulting.com