View stunning SlideShares in full-screen with the new iOS app!Introducing SlideShare for AndroidExplore all your favorite topics in the SlideShare appGet the SlideShare app to Save for Later — even offline
View stunning SlideShares in full-screen with the new Android app!View stunning SlideShares in full-screen with the new iOS app!
SIEM and LM Defined Security Information and Event Management = relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content. Log Management = comprehensive log collection, aggregation, original log retention; analysis; presentation (search, reporting, visualization); related workflow and relevant content.
What SIEM MUST Have? Log and Context Data Collection Normalization Correlation (“SEM”) Notification/alerting (“SEM”) Prioritization (“SEM”) Reporting and report delivery (“SIM”) Security role workflow (IR, SOC, etc)
Just What Is “Correlation”? Dictionary: “establishing relationships” SIEM: “relate events together for security benefit” Why correlate events? Automated cross-device data analysis! Simple correlation rule: If this, followed by that, take some action
What SIEM Eats: Logs <18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreendevice_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53) <57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006 <122> Mar 4 09:23:15 localhostsshd: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2 <13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ANTON Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574
What SIEM Eats: Context http://chuvakin.blogspot.com/2010/01/on-log-context.html
Example SIEM Use Case Cross-system authentication tracking Scope: all systems with authentication Purpose: detect unauthorized access to systems Method: track login failures and successes Rule details: multiple login failures followed by login success Response plan: user account investigation, suspension, communication with suspect user
What do we know about SIEM? Ties to many technologies, analyzes data, requires process around it, etc What does it actually mean? Many people think “SIEM is complex” Thinking Aloud Here…
The Right Way to SIEM Figure out what problems you want to solve with SIEM Confirm that SIEM is the best way to solve them Define and analyze use cases Create requirements for a tool Choose scope for SIEM coverage Assess data volume Perform product research Create a tool shortlist Pilot top 2-3 products Test the products for features, usability and scalability vs requirements Select a product for deployment Update or create procedures, IR plans, etc Deploy the tool (phase 1)
Conclusions SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required FOCUS on what problems you are trying to solve with SIEM: requirements! Phased approach WITH “quick wins” is the easiest way to go Operationalize!!!
Questions? Dr. Anton Chuvakin Email:firstname.lastname@example.org Site:http://www.chuvakin.org Blog:http://www.securitywarrior.org Twitter:@anton_chuvakin Consulting:http://www.securitywarriorconsulting.com
More Resources Blog: www.securitywarrior.org Podcast: look for “LogChat” on iTunes Slides: http://www.slideshare.net/anton_chuvakin Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin Consulting: http://www.securitywarriorconsulting.com/
More on Anton Consultant: http://www.securitywarriorconsulting.com Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide Standard developer: CEE, CVSS, OVAL, etc Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
Security Warrior Consulting Services Logging and log management / SIEM strategy, procedures and practices Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations Help integrate logging tools and processes into IT and business operations SIEM and log management content development Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations Others at www.SecurityWarriorConsulting.com