"You Got That SIEM. Now What Do You Do?" by Dr. Anton Chuvakin

You Got That SIEM. Now What Do You Do?
Dr. Anton Chuvakin
Security Warrior Consulting
www.securitywarriorconsulting.com
BayThreat 2010

DIRE WARNING:
This presentation does NOT mention PCI DSS…
…oh wait 
www.pcicompliancebook.info

DIRE DISCLAIMER:
This presentation does NOT contains jokes about Cisco MARS!

Outline
Brief: What is SIEM/LM?
“You got it!”
SIEM Pitfalls and Challenges
Useful SIEM Practices
From Deployment Onwards
SIEM “Worst Practices”
Conclusions

About Anton
Former employee of SIEM and log management vendors
Now consulting for SIEM vendors and SIEM users
SANS class author (SEC434 Log Management)
Author, speaker, blogger, podcaster (on logs, naturally )

SIEM?
Security Information and Event Management!
(sometimes: SIM or SEM)

Got SIEM?
Now what?

SIEM and Log Management
LM:
Log Management
Focus on all uses for logs
SIEM:
Security Information
and Event Management
Focus on security useof logs and other data

Why SO many people think that “SIEM sucks?”

SIEM Evolution
1997-2002 IDS and Firewall
Worms, alert overflow, etc
Sold “SOC in the box”
2003 – 2007 Above + Server + Context
PCI DSS, SOX, users
Sold “SOC in the box”++
2008+ Above + Applications + …
Fraud, activities, cybercrime
Sold “SOC in the box”+++++

What SIEM MUST Have?
Log and Context Data Collection
Normalization
Correlation (“SEM”)
Notification/alerting (“SEM”)
Prioritization (“SEM”)
Reporting and delivery (“SIM”)
Security role workflow (IR, SOC, etc)

What SIEM Eats: Logs
<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreendevice_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006
<122> Mar 4 09:23:15 localhostsshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2
<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ANTON Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574

BTW…
… yesterday I saw an RFC5424-compliant syslog message with structured data.
OMG! They really do exist!! Well, this one does – produced by rsyslog application itself….

What SIEM Eats: Context
http://chuvakin.blogspot.com/2010/01/on-log-context.html

Popular #SIEM_FAIL
… in partial answer to “why people think SIEM sucks?”
Misplaced expectations (“SOC-in-a-box”)
Missing requirements (“SIEM…huh?”)
Missed project sizing
Political challenges with integration
Lack of commitment
Vendor deception (*)
And only then: product not working 

SIEM Planning Areas
Goals and requirements
Functionality / features
Scoping of data collection
Sizing
Architecting

What is a “Best Practice”?
A process or practice that
The leaders in the field are doing today
Generally leads to useful results with cost effectiveness
P.S. If you still hate it – say
“useful practices”

BP1 LM before SIEM!
If you remember one thing from this, let it be:
Deploy Log Management BEFORE SIEM!
Q: Why do you think MOST 1990s SIEM deployments FAILED?
A: There was no log management!

Graduating from LM to SIEM
Are you ready? Well, do you have…
Response capability
Prepared to response to alerts
Monitoring capability
Has an operational process to monitor
Tuning and customization ability
Can customize the tools and content

SIEM/LM Maturity Curve

BP2 Evolving to SIEM
Steps of a journey …
Establish response process
Deploy a SIEM
Think “use cases”
Start filtering logs from LM to SIEM
Phases!
Prepare for the initial increase in workload

Example LM->SIEM Filtering
3D: Devices / Network topology / Events
Devices: NIDS/NIPS, WAF, servers
Network: DMZ, payment network (PCI scope), other “key domains”
Events: authentication, outbound firewall access
Later: proxies, more firewall data, web servers

“Quick Wins” for Phased Approach
Phased
approach #2
Focus on 1 problem
Plan architecture
Start collecting
Start reviewing
Solve problem 1
Plan again
Phased
approach #1
Collect problems
Plan architecture
Start collecting
Start reviewing
Solve problem 1
Solve problem n

BP3 SIEM First Steps
First step = BABY steps!
Compliance monitoring
“Traditional” SIEM uses
Authentication tracking
IPS/IDS + firewall correlation
Web application hacking
Simple use cases
based on your risks
What problems do YOU want solved?

Example SIEM Use Case
Cross-system authentication tracking
Scope: all systems with authentication
Purpose: detect unauthorized access to systems
Method: track login failures and successes
Rule details: multiple login failures followed by login success
Response plan: user account investigation, suspension, communication with suspect user

10 minutes or 10 months?
A typical large customer takes 10 months to deploy a log management architecture based on our technology
?
Our log management appliance can be racked, configured and collecting logs in 10 minutes

Secret to SIEM Magic!

What is a “Worst Practice”?
As opposed to the “best practice” it is …
What the losers in the field are doing today
A practice that generally leads to disastrous results, despite its popularity

WP for SIEM Project scope
WP1: Postpone scope until after the purchase
“The vendor says ‘it scales’ so we will just feed ALL our logs”
Windows, Linux, i5/OS, OS/390, Cisco – send’em in!
WP2: Assume you will be the only user of the tool
“Steakholders”? What’s that? 
Common consequence: two or more
simiilartools are bought

Case Study: “We Use’em All”
At SANS Log Management Summit 200X…
Vendors X, Y and Z claim “Big Finance” as a customer
How can that be?
Well, different teams purchased different products …
About $2.3m wasted on tools
that do the same!

WPs for Deployment
WP3: Expect The Vendor To Write Your Logging Policy OR Ignore Vendor Recommendations
“Tell us what we need – tell us what you have” forever…
WP4: Unpack the boxes and go!
“Coordinating with network and system folks is for cowards!”
Do you know why LM projects take months sometimes?
WP5: Don’t prepare the infrastructure
“Time synchronization? Pah, who needs it”
WP6: Deploy Everywhere At Once
“We need it everywhere!! Now!!”

WPs for Expanding Deployment
WP7: Don’t Bother With A Product Owner
“We all use it – we all run it (=nobody does)”
WP8: Don’t Check For Changed Needs – Just Buy More of the Same
“We made the decision – why fuss over it?”
WP9: If it works for 10, it will be OK for 10,000
“1,10,100, …, 1 trillion –
they are just numbers”

More Quick SIEM Tips
Cost countless sleepless night and boatloads of pain….
No SIEM before IR plans/procedures
No SIEM before basic log management
Think "quick wins", not "OMG ...that SIEM boondoggle"
Tech matters! But practices matter more
Things will get worse before better. Invest time before collecting value!

Conclusions
SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required
FOCUS on what problems you are trying to solve with SIEM: requirements!
Phased approach WITH “quick wins” is the easiest way to go
Operationalize!!!

And If You Only …
… learn one thing from this….
… then let it be….

Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements
Requirements
Requirements
Requirements
Requirements
Requirvements

Questions?
Dr. Anton Chuvakin
Email:anton@chuvakin.org
Site:http://www.chuvakin.org
Blog:http://www.securitywarrior.org
Twitter:@anton_chuvakin
Consulting:http://www.securitywarriorconsulting.com

More Resources
Blog: www.securitywarrior.org
Podcast: look for “LogChat” on iTunes
Slides: http://www.slideshare.net/anton_chuvakin
Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin
Consulting: http://www.securitywarriorconsulting.com/

More on Anton
Consultant: http://www.securitywarriorconsulting.com
Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
Standard developer: CEE, CVSS, OVAL, etc
Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

Security Warrior Consulting Services
Logging and log management strategy, procedures and practices
Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
Help integrate logging tools and processes into IT and business operations
SIEM and log management content development
Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
More at www.SecurityWarriorConsulting.com

http://chuvakin.blogspot.com	206
http://www.base10.net.br	11
http://chuvakin.blogspot.in	9
http://chuvakin.blogspot.com.au	7
http://chuvakin.blogspot.co.uk	6
http://static.slidesharecdn.com	3
http://chuvakin.blogspot.ca	2
http://chuvakin.blogspot.fr	2
http://chuvakin.blogspot.it	2
http://www.securitybloggersnetwork.com	1
http://chuvakin.blogspot.se	1

"You Got That SIEM. Now What Do You Do?" by Dr. Anton Chuvakin

by Anton Chuvakin on Dec 13, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

11 Embeds 250

Statistics

"You Got That SIEM. Now What Do You Do?" by Dr. Anton Chuvakin — Presentation Transcript