So You Got That SIEM. NOW What Do You Do? by Dr. Anton Chuvakin

So You Got That SIEM. NOW What Do You Do?
Dr. Anton Chuvakin
SecurityWarrior LLC
www.securitywarriorconsulting.com

DIRE WARNING:
This presentation does NOT mention PCI DSS…
…oh wait 
www.pcicompliancebook.info

Outline
Brief: What is SIEM?
“You got it!”
SIEM Pitfalls and Challenges
Useful SIEM Practices
From Deployment Onwards
SIEM “Worst Practices”
Replacing a SIEM and Other Tips
Conclusions

About Anton: SIEM Builder and User
Former employee of SIEM and log management vendors
Now consulting for SIEM vendors and SIEM users
SANS Log Management SEC434 class author
Author, speaker, blogger, podcaster (on logs, naturally )

SIEM?
Security Information and Event Management!
(sometimes: SIM or SEM)

SIEM and Log Management
LM:
Log Management
Focus on all uses for logs
SIEM:
Security Information
and Event Management
Focus on security useof logs and other data

What SIEM MUST Have?
Log and Context Data Collection
Normalization
Correlation (“SEM”)
Notification/alerting (“SEM”)
Prioritization (“SEM”)
Reporting and report delivery (“SIM”)
Security role workflow (IR, SOC, etc)

What SIEM Eats: Logs
<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreendevice_id=ns5xp system-warning-00515: Admin User anton has logged onvia Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess[user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006
<122> Mar 4 09:23:15 localhostsshd[27577]: Accepted passwordfor anton from ::ffff:192.168.138.35 port 2895 ssh2
<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ANTON Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574

What SIEM Eats: Context
http://chuvakin.blogspot.com/2010/01/on-log-context.html

How SIEM Got Here!?
1996-2002 IDS and Firewall
Worms, alert overflow, etc
Sold as “SOC in the box”
2003 – 2007 Above + Server + Context
PCI DSS, SOX, users
Sold as “SOC in the box”++
2008+ Above + Applications + …
Fraud, insiders, cybercrime
Sold as “SOC in the box”+++++

What do we know about SIEM?
Ties to many technologies, analyzes data, requires process around it, overhyped
What does it actually mean?
Many people think “SIEM is complex”
Thinking Aloud Here…

I will tell you how to do SIEM
RIGHT!
Useless Consultant Advice Alert!!

The Right Way to SIEM
Figure out what problems you want to solve with SIEM
Confirm that SIEM is the best way to solve them
Define and analyze your use cases
Gather stakeholders and analyze their use cases
Research SIEM functionality
Create requirements for your tool, including process requirements
Choose scope for SIEM coverage (with phases)
Assess data volume over all Phase 1 log sources and plan ahead
Perform product research, vendor interviews, references, peer groups
Create a tool shortlist
Pilot top 2-3 products in your environment
Test the products for features, usability and scalability vs requirements
Select a product for deployment and #2 product for backup
Update or create procedures, IR plans, etc
Create SIEM operational procedures
Deploy the tool (phase 1)

The Popular Way to SIEM…
Buy a SIEM appliance

… Backed by Online “Research”
15

Got Difference?
What people WANT to know and have before they deploy a SIEM?
What people NEED to know and have before they deploy a SIEM?

Got SIEM?Have you inherited it?
Now what?

Popular #SIEM_FAIL
… in descending order by frequency:
Misplaced expectations (“SOC-in-a-box”)
Missing requirements (“SIEM…huh?”)
Wrong project sizing
Political challenges with integration
Vendor deception
And only then: product not working 

What is a “Best Practice”?
A process or practice that
The leaders in the field are doing today
Generally leads to useful results with cost effectiveness
P.S. If you still hate it – say
“useful practices”

BP0 How to Plan Your Project?
Goals and requirements (WHY)
Functionality / features (HOW)
Scope of data collection (WHAT)
Sizing (HOW MUCH)
Architecting (WHERE)

BP1 LM before SIEM!
If you remember one thing from this, let it be:
Deploy Log Management BEFORE SIEM!
Q: Why do you think MOST 1990s SIEM deployments FAILED?
A: There was no log management!

SIEM/LM Maturity Curve

Graduating from LM to SIEM
Are you ready? Well, do you have…
Response capability and process
Prepared to response to alerts
Monitoring capability
Has an operational process to monitor
Tuning and customization ability
Can customize the tools and content

BP2 Initial SIEM Use
Steps of a journey …
Establish response process
Deploy a SIEM
Think “use cases”
Start filtering logs from LM to SIEM
Phases: features and information sources
Prepare for the initial increase in workload

Example LM->SIEM Filtering
3D: Devices / Network topology / Events
Devices: NIDS/NIPS, WAF, servers
Network: DMZ, payment network, other “key domains”
Events: authentication, outbound firewall access, IPS
Later: proxies, more firewall data, web servers

BP3 Expanding SIEM Use
First step, next BABY steps!
Compliance monitoring often first
“Traditional” SIEM uses
Authentication tracking
IPS/IDS + firewall correlation
Web application hacking
Your simple use cases
What problems do YOU want solved?

Example: Use Case
Example: cross-system authentication tracking
Scope: all systems with authentication
Purpose: detect unauthorized access to systems
Method: track login failures and successes
Rule details: multiple login failures followed by login success
Response plan: user account investigation, suspension, communication with suspect user

“Quick Wins” for Phased Approach
Phased
approach #1
Collect problems
Plan architecture
Start collecting
Start reviewing
Solve problem 1
Solve problem n
Phased
approach #2
Focus on 1 problem
Plan architecture
Start collecting
Start reviewing
Solve problem 1
Plan again

10 minutes or 10 months?
A typical large customer takes 10 months to deploy a log management architecture based on our technology
?
Our log management appliance can be racked, configured and collecting logs in 10 minutes

What is a “Worst Practice”?
As opposed to the “best practice” it is …
What the losers in the field are doing today
A practice that generally leads to disastrous results, despite its popularity

WP for SIEM Planning
WP1: Skip this step altogether – just buy something
“John said that we need a correlation engine”
“I know this guy who sells log management tools”
WP2: Postpone scope until after the purchase
“The vendor says ‘it scales’ so we will just feed ALL our logs”
Windows, Linux, i5/OS, OS/390, Cisco – send’em in!

Case Study: “We Use’em All”
At SANS Log Management Summit …
Vendors X, Y and Z claim “Big Finance” as a customer
How can that be?
Well, different teams purchased different products …
About $2.3m wasted on tools
that do the same!

WPs for Deployment
WP3: Expect The Vendor To Write Your Logging Policy OR Ignore Vendor Recommendations
“Tell us what we need – tell us what you have” forever…
WP4: Don’t prepare the infrastructure
“Time synchronization? Pah, who needs it”

Misc Useful SIEM Tips
34

On SIEM Resourcing
NEWSFLASH! SIEM costs money.
But …
Or…

“Hard” Costs - Money
Initial
SIEM license, hardware, 3rd party software
Deployment and integration services
Ongoing
Support and ongoing services
Operations personnel (0.5 - any FTEs)
Periodic
Vendor services
Specialty personnel (DBA, sysadmin)
Deployment expansion costs

“Soft” Costs - Time
Initial
Deployment time
Log source configuration and integration (BIG!)
Initial tuning, content creation
Ongoing
Report and log review
Alert response and escalation
Periodic
Tuning and content creation
Expansion: same as initial

Secret to SIEM Magic!

On Replacing a SIEM
39

How to Do It?
Prepare to run both products for some time
Draft the new vendor to help you migrate the data
Be prepared to keep the old SIEM or keep the data backups
BIG! Migrate SIEM content: reports, rules, views, alerts, etc
40

Tip: When To AVOID A SIEM
In some cases, the best “SIEM strategy” is NOT to buy one:
Log retention focus
Investigation focus (log search)
If you only plan to look BACKWARDS – no need for a SIEM!

Conclusions
SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required
FOCUS on what problems you are trying to solve with SIEM: requirements!
Phased approach WITH “quick wins” is the easiest way to go
Operationalize!!!

SIEM Reminders
Cost countless sleepless night and boatloads of pain….
No SIEM before IR plans/procedures
No SIEM before basic log management
Think "quick wins", not "OMG ...that SIEM boondoggle"
Tech matters! But practices matter more
Things will get worse before better. Invest time before collecting value!

And If You Only …
… learn one thing from this….
… then let it be….

Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements
Requirements
Requirements
Requirements
Requirements
Requirvements

Questions?
Dr. Anton Chuvakin
Email:anton@chuvakin.org
Site:http://www.chuvakin.org
Blog:http://www.securitywarrior.org
Twitter:@anton_chuvakin
Consulting:http://www.securitywarriorconsulting.com

More Resources
Blog: www.securitywarrior.org
Podcast: look for “LogChat” on iTunes
Slides: http://www.slideshare.net/anton_chuvakin
Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin
Consulting: http://www.securitywarriorconsulting.com/

More on Anton
Consultant: http://www.securitywarriorconsulting.com
Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
Standard developer: CEE, CVSS, OVAL, etc
Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

Security Warrior Consulting Services
Logging and log management / SIEM strategy, procedures and practices
Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
Help integrate logging tools and processes into IT and business operations
SIEM and log management content development
Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
Others at www.SecurityWarriorConsulting.com

Misc Resource Slides
50

Best Reports? SANS Top 7
DRAFT “SANS Top 7 Log Reports”
Authentication
Changes
Network activity
Resource access
Malware activity
Failures
Analytic reports

Best Correlation Rules? Nada
Vendor default rules?
IDS/IPS + vulnerability scan?
Anton fave rules:
Authentication
Outbound access
Safeguard failure
?

So You Got That SIEM. NOW What Do You Do? by Dr. Anton Chuvakin

by Anton Chuvakin on Apr 22, 2011

Accessibility

Categories

Upload Details

Usage Rights

Statistics

So You Got That SIEM. NOW What Do You Do? by Dr. Anton Chuvakin Presentation Transcript