So You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
So You Got That SIEM. Now What Do You Do?  Anton Chuvakin, Principal, Security Warrior Consulting (@anton_chuvakin)

Many organizations that acquired Security Information and Event Management (SIEM) tools, and even simpler log management tools, have realized that they are not ready to use many of the advanced correlation features, despite promises that "they are easy to use" and "totally intuitive."
So, what should you do to achieve success with SIEM? What logs should you collect? Correlate? Review? How do you use log management as a step before SIEM? What process absolutely must be built before a SIEM purchase becomes successful?

At this presentation, you will learn from the experience of those who did not have the benefit of learning from others' mistakes. Also, learn a few tips on how to "operationalize" that SIEM purchase you've made. And laugh at some hilarious stories of "SIEM FAIL", of course! As a bonus track, how to revive a FAILED SIEM deployment you inherited at your new job will be discussed.

  • No problem is truly solved!!
  • Gal: “CISO thinks that SIEM opportunity cost is too big; spend $100k on SIEM vs spend $100k to solve a dozen problems”
  • Figure out what problems you want to solve with SIEM
    Confirm that SIEM is the best way to solve them
    Define and analyze your use cases
    Gather stakeholders and analyze their use cases
    Create requirements for a tool
    Choose scope for SIEM coverage
    Assess data volume over all Phase 1 log sources and plan ahead
    Perform product research, vendor interviews, references, peer groups
    Create a tool shortlist
    Pilot top 2-3 products in your environment
    Test the products for features, usability and scalability vs requirements
    Select a product for deployment and #2 product for backup
    Update or create procedures, IR plans, etc
    Create SIEM operational procedures
    Deploy the tool (phase 1)
  • Maybe inherited
    Does everybody need a SIEM?
    Do you need a SIEM?
    Are you ready for SIEM?
    Do you want a SIEM?
  • http://chuvakin.blogspot.com/2010/02/logging-log-management-and-log-review.html
  • Organizations that graduate too soon will waste time and effort, and won't see any increased efficiency in their security operation. However, waiting too long also means that the organization will never develop the necessary capabilities to secure themselves. In brief, the criteria are:
    Response capability: the organization must be ready to respond to alerts soon after they are produced.
    Monitoring capability: the organization must have or start to build security monitoring capability such as a Security Operation Center (SOC) or at least a team dedicated to ongoing periodic monitoring.
    Tuning and customization ability: the organization must accept the responsibility for tuning and customizing the deployed SIEM tool. Out-of-the-box SIEM deployments rarely succeed, or manage to reach their full potential.
    Just like college… Graduation tips:
    Satisfy the graduation criteria
    Use an LM vendor that has a good SIEM
    Deploy LM and use it operationally
    Periodic log reviews = first step to monitoring
    Look for integrated capability
  • http://chuvakin.blogspot.com/2011/03/siem-resourcing-or-how-much-friggin.html
  • http://ciscomars.blogspot.com/2011/04/guest-post-how-to-replace-siem.html
    Ouch! That “Venus” SIEM appliance that we got with routers has finally croaked. That piece of PHP brilliance that the pre-pre-previous security engineer wrote has been buried under the thick pile of XML. That managed SIEM provider has annoyed us one last time.
    What do the above situations have in common? The unfortunate time to replace your SIEM has come. What to expect, apart from copious amounts of pain? This post will shed some light on this conundrum, based on the author’s experiences.
    First, it goes without saying that it is better to choose the right SIEM the first time (e.g. see “On Choosing SIEM” and other posts mentioned below) than to migrate from a SIEM that has been collecting logs (and dust) for a few years. However, you might not have any say in the matter – you might have inherited it, your “evil boss” might have procured the previous SIEM without asking you, or you might have built it yourself after a particularly bad hangover… Also, your organization might have simply outgrown the SIEM, or your early generation SIEM vendor has not kept up with innovation in the space. In any case, you have a SIEM and you need a new one.
  • http://ciscomars.blogspot.com/2011/04/guest-post-how-to-replace-siem.html
    Let’s look at the good side of the situation:
    It is very likely that you learned some super-valuable lessons from your previous SIEM experience (other people have to hire consultants to get to those lessons) and now can avoid the common purchasing process pitfalls (some discussed here, BTW)
    You have much more confidence while discussing confusing SIEM features with vendors – speaking from your previous SIEM experience (this alone will make your new SIEM purchase process much less painful)
    You have some semblance of the logging policy across the systems that log into SIEM – that puts you ahead of those organizations who are just getting their first SIEM or log management tool
    It is possible that you built some operational procedures around SIEM (such as for PCI DSS log review or other purposes) and those would be handy for a new SIEM as well
    If you have to write an RFP (as I discuss here), the chances are that your new RFP would be MUCH better and more likely to result in a good vendor short list
    Treat this situation as positive, think “I now know more than 90% of people buying a SIEM, thus my new SIEM project will be a success”
    A few things to avoid and pay attention to:
    Suppress that “I’d buy anything but this crap” mentality – think “what problems will a new SIEM solve or solve better?”
    Avoid taking shortcuts (such as not doing a PoC); you are more knowledgeable, but not prescient…
    What might a migration process look like? This assumes that you have already selected a new product, tested it in the lab and are ready for production deployment.
    Prepare to run both products for some time – this might range from a few weeks to months
    Draft the new SIEM vendor to help you migrate the data; after all, they are getting the prize
    Potentially, be prepared to keep the old SIEM running (without paying for the support contract, of course) or at least keep the old data backups – this becomes important if complete data migration is impossible due to architecture differences between the new and old SIEMs. Ideally, your log management tool will hold raw log backups and so keeping the old SIEM in operation won’t be needed.
    One of the biggest migration efforts will be migrating SIEM content: reports, rules, views, alerts, etc. As we all know, such content is not really portable across SIEMs and you should be prepared to simply recreate all the custom content AND all the default content that you used in the old SIEM and that the new SIEM might lack.
  • Log management and Security Information and Event Management (SIEM) product selection - how to pick the right SIEM and logging product?
    Develop log management or SIEM product selection criteria (related writing)
    Identify key use cases aligning log management and SIEM tools with business, compliance and security requirements
    Prepare RFP documents for SIEM, SEM, SIM or log management
    Assist with analyzing RFP responses from SIEM and log management vendors
    Evaluate and test log management and SIEM products together with internal IT security team
    Advise on final product selection
    Logging and log management policy - how to develop the right logging policy? What to log?
    Develop logging policies and processes for servers and applications, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
    Interpret regulations and create specific and actionable logging system settings, processes and log review procedures (example: what to log for PCI DSS?)
    Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
    Customize industry "best practices" related to logging and log review to fit your environment, help link these practices to business services and regulations (example)
    Help integrate logging tools and processes into IT and business operations
    SIEM and log management product operation optimization - how to get more value out of the tools available?
    Clarify security, compliance and operational requirements
    Tune and customize SIEM and log management tools based on requirements
    Content development
    Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
    Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
    Training - how to get your engineers to use the tools best?
    Provide the customized training on the tools and practices of log management for compliance, IT operations, or security needs (example training conducted)
    Develop training on effective operation and tuning of SIEM and log management tools to complement basic vendor training.
  • The previous version “SANS Top 5 Essential Log Report” (you can still get it at the SANS site) is being updated by the author. Here is the draft that you can use today.
    1. Authentication and Authorization Reports
       a. All login failures and successes by user, system, business unit – must have login success logs, not just failure!
       b. Login attempts (successes, failures) to disabled/service/non-existing/default/suspended accounts
       c. All logins after office hours / “off” hours
       d. Users failing to authenticate by count of unique systems they tried
       e. VPN authentication and other remote access logins (success, failure)
       f. Privileged account access: logins, su use, Run As use, etc. (success, failure)
       g. Multiple login failures followed by success by same account – needs to have correlation for that
    2. Change Reports
       a. Additions/changes/deletions to users, groups – even a trend on user additions across systems would be useful
       b. Additions of accounts to administrator / privileged groups
       c. Password changes and resets – by users and by admins to users
       d. Additions/changes/deletions to network services
       e. Changes to system files – binaries, configurations – likely needs a list to run
       g. Changes in file access permissions
       h. Application installs and updates (success, failure) by system, application, user
  • Transcript

    • 1. So You Got That SIEM. NOW What Do You Do?
      Dr. Anton Chuvakin
      SecurityWarrior LLC
      www.securitywarriorconsulting.com
    • 2. DIRE WARNING:
      This presentation does NOT mention PCI DSS…
      …oh wait
      www.pcicompliancebook.info
    • 3. Outline
      Brief: What is SIEM?
      “You got it!”
      SIEM Pitfalls and Challenges
      Useful SIEM Practices
      From Deployment Onwards
      SIEM “Worst Practices”
      Replacing a SIEM and Other Tips
      Conclusions
    • 4. About Anton: SIEM Builder and User
      Former employee of SIEM and log management vendors
      Now consulting for SIEM vendors and SIEM users
      SANS Log Management SEC434 class author
      Author, speaker, blogger, podcaster (on logs, naturally)
    • 5. SIEM?
      Security Information and Event Management!
      (sometimes: SIM or SEM)
    • 6. SIEM and Log Management
      LM: Log Management
      Focus on all uses for logs
      SIEM: Security Information and Event Management
      Focus on security use of logs and other data
    • 7. What SIEM MUST Have?
      Log and Context Data Collection
      Normalization
      Correlation (“SEM”)
      Notification/alerting (“SEM”)
      Prioritization (“SEM”)
      Reporting and report delivery (“SIM”)
      Security role workflow (IR, SOC, etc)
    • 8. What SIEM Eats: Logs
      <18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
      <57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006
      <122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2
      <13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon  account:  ANTON    Source Workstation: ENTERPRISE    Error Code: 0xC000006A     4574
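The four records on this slide come from four different formats (NetScreen, Cisco IOS, OpenSSH, Windows Security log) yet all describe the same kind of event, a logon by one account. The "normalization" capability listed on slide 7 is what makes them comparable. As an added example that is not part of the presentation, the following maps all four sample lines into one common schema; the AuthEvent fields, the parser names and the "unknown" host placeholder are my own assumptions, not any vendor's format.

```python
"""Normalize heterogeneous login records into one schema (illustrative, not a vendor parser)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AuthEvent:
    """Hypothetical common schema every login record is mapped to."""
    source_type: str        # which parser matched
    host: str               # system that produced the record ("unknown" if the format omits it)
    user: str               # account, lower-cased so "ANTON" and "anton" correlate across systems
    src: Optional[str]      # originating address or workstation
    outcome: str            # "success" or "failure"
    detail: str             # extra fields worth keeping (method, event id, error code)


# (name, regex) pairs; the named groups are what normalize() maps into AuthEvent.
_PARSERS = [
    ("netscreen", re.compile(
        r"^<\d+>\s*\w{3}\s+\d+\s+[\d:]+\s+\S+\s+(?P<host>[^:\s]+):\s*NetScreen device_id=\S+\s+\S+:\s*"
        r"Admin User (?P<user>\S+) has logged on via (?P<method>\w+) from (?P<src>[\d.]+):\d+")),
    ("cisco_ios", re.compile(
        r"%SEC_LOGIN-\d-LOGIN_(?P<status>SUCCESS|FAILED):.*?\[user:\s*(?P<user>[^\]]+)\]\s*"
        r"\[Source:\s*(?P<src>[^\]]+)\]\s*\[localport:\s*(?P<port>\d+)\]")),
    ("openssh", re.compile(
        r"^<\d+>\s*\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sshd\[\d+\]:\s*(?P<status>Accepted|Failed) "
        r"(?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")),
    ("windows_security", re.compile(
        r"\s(?P<eid>\d{3,4})\s+Security\s+\S+\s+User\s+(?P<status>Success|Failure) Audit\s+(?P<host>\S+)\s+"
        r"Account Logon.*?Logon\s+account:\s*(?P<user>\S+)\s+Source Workstation:\s*(?P<src>\S+)"
        r"(?:\s+Error Code:\s*(?P<err>0x[0-9A-Fa-f]+))?")),
]


def normalize(raw: str) -> Optional[AuthEvent]:
    """Map one raw record to an AuthEvent, or None if no parser recognises it."""
    for name, rx in _PARSERS:
        m = rx.search(raw)
        if not m:
            continue
        g = m.groupdict()
        # The NetScreen sample only shows a logon success, so it carries no status group.
        status = g.get("status", "SUCCESS")
        outcome = "success" if status in ("SUCCESS", "Accepted", "Success") else "failure"
        host = g.get("host") or "unknown"          # the Cisco record carries no hostname
        detail = {
            "netscreen": f"method={g.get('method')}",
            "cisco_ios": f"localport={g.get('port')}",
            "openssh": f"method={g.get('method')}",
            "windows_security": f"event_id={g.get('eid')} error={g.get('err') or '-'}",
        }[name]
        return AuthEvent(name, host, g["user"].strip().lower(), g["src"].strip(), outcome, detail)
    return None


def normalize_batch(lines: List[str]) -> Tuple[List[AuthEvent], List[str]]:
    """Normalize many records. Unparsed lines are returned, not dropped: a SIEM that
    silently discards what it cannot parse hides exactly the coverage gaps you need to see."""
    events: List[AuthEvent] = []
    unparsed: List[str] = []
    for line in lines:
        ev = normalize(line)
        (events.append(ev) if ev else unparsed.append(line))
    return events, unparsed


# Constructed sample input: the four records from the slide, with extraction spacing restored.
SAMPLE_LOGS = [
    "<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: "
    "Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)",
    "<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:anton] [Source:10.4.2.11] "
    "[localport:23] at 20:55:40 UTC Fri Feb 28 2006",
    "<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton from "
    "::ffff:192.168.138.35 port 2895 ssh2",
    "<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon "
    "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon  account:  ANTON    "
    "Source Workstation: ENTERPRISE    Error Code: 0xC000006A     4574",
]

if __name__ == "__main__":
    events, unparsed = normalize_batch(SAMPLE_LOGS)
    for ev in events:
        print(f"{ev.source_type:17} host={ev.host:10} user={ev.user} src={ev.src} "
              f"outcome={ev.outcome} {ev.detail}")
    print(f"unparsed: {len(unparsed)}")
```

Once every source lands in this shape, a rule such as the one on slide 27 can be written once against `user` and `outcome` instead of once per log format.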
    • 9. What SIEM Eats: Context
      http://chuvakin.blogspot.com/2010/01/on-log-context.html
    • 10. How SIEM Got Here!?
      1996-2002 IDS and Firewall
      Worms, alert overflow, etc
      Sold as “SOC in the box”
      2003 – 2007 Above + Server + Context
      PCI DSS, SOX, users
      Sold as “SOC in the box”++
      2008+ Above + Applications + …
      Fraud, insiders, cybercrime
      Sold as “SOC in the box”+++++
    • 11. What do we know about SIEM?
      Ties to many technologies, analyzes data, requires process around it, overhyped
      What does it actually mean?
      Many people think “SIEM is complex”
      Thinking Aloud Here…
    • 12. I will tell you how to do SIEM RIGHT!
      Useless Consultant Advice Alert!!
    • 13. The Right Way to SIEM
      Figure out what problems you want to solve with SIEM
      Confirm that SIEM is the best way to solve them
      Define and analyze your use cases
      Gather stakeholders and analyze their use cases
      Research SIEM functionality
      Create requirements for your tool, including process requirements
      Choose scope for SIEM coverage (with phases)
      Assess data volume over all Phase 1 log sources and plan ahead
      Perform product research, vendor interviews, references, peer groups
      Create a tool shortlist
      Pilot top 2-3 products in your environment
      Test the products for features, usability and scalability vs requirements
      Select a product for deployment and #2 product for backup
      Update or create procedures, IR plans, etc
      Create SIEM operational procedures
      Deploy the tool (phase 1)
    • 14. The Popular Way to SIEM…
      Buy a SIEM appliance
    • 15. … Backed by Online “Research”
    • 16. Got Difference?
      What people WANT to know and have before they deploy a SIEM?
      What people NEED to know and have before they deploy a SIEM?
    • 17. Got SIEM? Have you inherited it?
      Now what?
    • 18. Popular #SIEM_FAIL
      … in descending order by frequency:
      Misplaced expectations (“SOC-in-a-box”)
      Missing requirements (“SIEM…huh?”)
      Wrong project sizing
      Political challenges with integration
      Vendor deception
      And only then: product not working
    • 19. What is a “Best Practice”?
      A process or practice that
      The leaders in the field are doing today
      Generally leads to useful results with cost effectiveness
      P.S. If you still hate it – say “useful practices”
    • 20. BP0 How to Plan Your Project?
      Goals and requirements (WHY)
      Functionality / features (HOW)
      Scope of data collection (WHAT)
      Sizing (HOW MUCH)
      Architecting (WHERE)
    • 21. BP1 LM before SIEM!
      If you remember one thing from this, let it be:
      Deploy Log Management BEFORE SIEM!
      Q: Why do you think MOST 1990s SIEM deployments FAILED?
      A: There was no log management!
    • 22. SIEM/LM Maturity Curve
    • 23. Graduating from LM to SIEM
      Are you ready? Well, do you have…
      Response capability and process
      Prepared to respond to alerts
      Monitoring capability
      Has an operational process to monitor
      Tuning and customization ability
      Can customize the tools and content
    • 24. BP2 Initial SIEM Use
      Steps of a journey …
      Establish response process
      Deploy a SIEM
      Think “use cases”
      Start filtering logs from LM to SIEM
      Phases: features and information sources
      Prepare for the initial increase in workload
    • 25. Example LM->SIEM Filtering
      3D: Devices / Network topology / Events
      Devices: NIDS/NIPS, WAF, servers
      Network: DMZ, payment network, other “key domains”
      Events: authentication, outbound firewall access, IPS
      Later: proxies, more firewall data, web servers
    • 26. BP3 Expanding SIEM Use
      First step, next BABY steps!
      Compliance monitoring often first
      “Traditional” SIEM uses
      Authentication tracking
      IPS/IDS + firewall correlation
      Web application hacking
      Your simple use cases
      What problems do YOU want solved?
    • 27. Example: Use Case
      Example: cross-system authentication tracking
      Scope: all systems with authentication
      Purpose: detect unauthorized access to systems
      Method: track login failures and successes
      Rule details: multiple login failures followed by login success
      Response plan: user account investigation, suspension, communication with suspect user
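The rule on this slide (and item 1g of the draft SANS Top 7 report list in the speaker notes, "multiple login failures followed by success by same account – needs to have correlation for that") cannot be expressed as a single-line match; it needs state per account and a time window. As an added example that is not part of the presentation, here is one way to implement it over already-normalized login records. The LoginEvent schema, the threshold and window defaults, the host names and the sample feed are constructed for illustration.

```python
"""Correlation rule: N login failures for one account followed by a success within a window."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional


@dataclass(frozen=True)
class LoginEvent:
    """Already-normalized login record (hypothetical schema, not a vendor format)."""
    ts: datetime
    user: str
    host: str       # system the attempt was made against
    src: str        # where the attempt came from
    outcome: str    # "success" or "failure"


@dataclass
class Alert:
    user: str
    failures: int
    hosts: List[str]      # distinct systems the failures targeted (the cross-system view)
    sources: List[str]    # distinct origins of the failures
    first_failure: datetime
    success_at: datetime


class FailThenSuccessRule:
    """Alert when >= threshold failures for an account are followed by a success inside the window."""

    def __init__(self, threshold: int, window: timedelta):
        self.threshold = threshold
        self.window = window
        self._fails: Dict[str, Deque[LoginEvent]] = defaultdict(deque)

    def feed(self, ev: LoginEvent) -> Optional[Alert]:
        q = self._fails[ev.user]
        # Drop failures that fell out of the window, so an old trickle of typos never counts.
        while q and ev.ts - q[0].ts > self.window:
            q.popleft()
        if ev.outcome == "failure":
            q.append(ev)
            return None
        if ev.outcome != "success":
            return None
        alert = None
        if len(q) >= self.threshold:
            alert = Alert(ev.user, len(q), sorted({e.host for e in q}),
                          sorted({e.src for e in q}), q[0].ts, ev.ts)
        # Any success closes the episode: one burst yields one alert, and a user who
        # mistyped twice and then logged in is not an incident.
        q.clear()
        return alert


def run_rule(events: List[LoginEvent], threshold: int = 5, window_minutes: int = 10) -> List[Alert]:
    """Replay events in time order through the rule and collect the alerts it raises."""
    rule = FailThenSuccessRule(threshold, timedelta(minutes=window_minutes))
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        a = rule.feed(ev)
        if a:
            alerts.append(a)
    return alerts


def _ev(hms: str, user: str, host: str, src: str, outcome: str) -> LoginEvent:
    h, m, s = (int(x) for x in hms.split(":"))
    return LoginEvent(datetime(2006, 3, 17, h, m, s), user, host, src, outcome)


# Constructed sample feed: three accounts, only one of which matches the rule as configured.
SAMPLE_EVENTS = [
    # anton: five failures across three systems in 2.5 minutes, then a success -> alert
    _ev("10:00:00", "anton", "ns5xp", "10.14.98.55", "failure"),
    _ev("10:00:30", "anton", "ns5xp", "10.14.98.55", "failure"),
    _ev("10:01:00", "anton", "localhost", "10.14.98.55", "failure"),
    _ev("10:01:30", "anton", "localhost", "10.14.98.55", "failure"),
    _ev("10:02:00", "anton", "vpn-gw", "10.14.98.55", "failure"),
    _ev("10:02:30", "anton", "localhost", "10.14.98.55", "success"),
    # bob: two typos then a success -> below threshold, no alert
    _ev("10:05:00", "bob", "localhost", "10.4.2.11", "failure"),
    _ev("10:05:10", "bob", "localhost", "10.4.2.11", "failure"),
    _ev("10:05:20", "bob", "localhost", "10.4.2.11", "success"),
    # carol: six failures spread over 25 minutes, then a success -> only one failure is still
    # inside a 10-minute window, so no alert; widen the window to 30 minutes and it fires
    *[_ev(f"09:{mm}:00", "carol", "ns5xp", "10.9.9.9", "failure") for mm in (30, 35, 40, 45, 50, 55)],
    _ev("10:03:00", "carol", "ns5xp", "10.9.9.9", "success"),
]

if __name__ == "__main__":
    for a in run_rule(SAMPLE_EVENTS):
        print(f"ALERT user={a.user} failures={a.failures} hosts={a.hosts} from={a.sources} "
              f"span={(a.success_at - a.first_failure).seconds}s")
```

The threshold and window are the tuning knobs slide 23 says you must own: the same feed produces one alert at a 10-minute window and two at 30 minutes, and neither value is right for every environment.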
    • 28. “Quick Wins” for Phased Approach
      Phased approach #1
      Collect problems
      Plan architecture
      Start collecting
      Start reviewing
      Solve problem 1
      Solve problem n
      Phased approach #2
      Focus on 1 problem
      Plan architecture
      Start collecting
      Start reviewing
      Solve problem 1
      Plan again
    • 29. 10 minutes or 10 months?
      A typical large customer takes 10 months to deploy a log management architecture based on our technology
      ?
      Our log management appliance can be racked, configured and collecting logs in 10 minutes
    • 30. What is a “Worst Practice”?
      As opposed to the “best practice” it is …
      What the losers in the field are doing today
      A practice that generally leads to disastrous results, despite its popularity
    • 31. WP for SIEM Planning
      WP1: Skip this step altogether – just buy something
      “John said that we need a correlation engine”
      “I know this guy who sells log management tools”
      WP2: Postpone scope until after the purchase
      “The vendor says ‘it scales’ so we will just feed ALL our logs”
      Windows, Linux, i5/OS, OS/390, Cisco – send’em in!
    • 32. Case Study: “We Use’em All”
      At SANS Log Management Summit …
      Vendors X, Y and Z claim “Big Finance” as a customer
      How can that be?
      Well, different teams purchased different products …
      About $2.3m wasted on tools that do the same!
    • 33. WPs for Deployment
      WP3: Expect The Vendor To Write Your Logging Policy OR Ignore Vendor Recommendations
      “Tell us what we need – tell us what you have” forever…
      WP4: Don’t prepare the infrastructure
      “Time synchronization? Pah, who needs it”
    • 34. Misc Useful SIEM Tips
    • 35. On SIEM Resourcing
      NEWSFLASH! SIEM costs money.
      But …
      Or…
    • 36. “Hard” Costs - Money
      Initial
      SIEM license, hardware, 3rd party software
      Deployment and integration services
      Ongoing
      Support and ongoing services
      Operations personnel (0.5 - any FTEs)
      Periodic
      Vendor services
      Specialty personnel (DBA, sysadmin)
      Deployment expansion costs
    • 37. “Soft” Costs - Time
      Initial
      Deployment time
      Log source configuration and integration (BIG!)
      Initial tuning, content creation
      Ongoing
      Report and log review
      Alert response and escalation
      Periodic
      Tuning and content creation
      Expansion: same as initial
    • 38. Secret to SIEM Magic!
    • 39. On Replacing a SIEM
    • 40. How to Do It?
      Prepare to run both products for some time
      Draft the new vendor to help you migrate the data
      Be prepared to keep the old SIEM or keep the data backups
      BIG! Migrate SIEM content: reports, rules, views, alerts, etc
    • 41. Tip: When To AVOID A SIEM
      In some cases, the best “SIEM strategy” is NOT to buy one:
      Log retention focus
      Investigation focus (log search)
      If you only plan to look BACKWARDS – no need for a SIEM!
    • 42. Conclusions
      SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required
      FOCUS on what problems you are trying to solve with SIEM: requirements!
      Phased approach WITH “quick wins” is the easiest way to go
      Operationalize!!!
    • 43. SIEM Reminders
      Cost countless sleepless nights and boatloads of pain….
      No SIEM before IR plans/procedures
      No SIEM before basic log management
      Think "quick wins", not "OMG ...that SIEM boondoggle"
      Tech matters! But practices matter more
      Things will get worse before better. Invest time before collecting value!
    • 44. And If You Only …
      … learn one thing from this….
      … then let it be….
    • 45. Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements!
      Requirements
      Requirements
      Requirements
      Requirements
      Requirements
      Requirements
    • 46. Questions?
      Dr. Anton Chuvakin
      Email: anton@chuvakin.org
      Site: http://www.chuvakin.org
      Blog: http://www.securitywarrior.org
      Twitter: @anton_chuvakin
      Consulting: http://www.securitywarriorconsulting.com
    • 47. More Resources
      Blog: www.securitywarrior.org
      Podcast: look for “LogChat” on iTunes
      Slides: http://www.slideshare.net/anton_chuvakin
      Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin
      Consulting: http://www.securitywarriorconsulting.com/
    • 48. More on Anton
      Consultant: http://www.securitywarriorconsulting.com
      Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
      Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
      Standard developer: CEE, CVSS, OVAL, etc
      Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
      Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
    • 49. Security Warrior Consulting Services
      Logging and log management / SIEM strategy, procedures and practices
      Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
      Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
      Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
      Help integrate logging tools and processes into IT and business operations
      SIEM and log management content development
      Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
      Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
      Others at www.SecurityWarriorConsulting.com
    • 50. Misc Resource Slides
    • 51. Best Reports? SANS Top 7
      DRAFT “SANS Top 7 Log Reports”
      Authentication
      Changes
      Network activity
      Resource access
      Malware activity
      Failures
      Analytic reports
    • 52. Best Correlation Rules? Nada
      Vendor default rules?
      IDS/IPS + vulnerability scan?
      Anton fave rules:
      Authentication
      Outbound access
      Safeguard failure
      ?