"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin
Many who acquired SIEM tools have realized that they are not ready to use many of the advanced correlation features, despite promises that "they are easy to use." So, what should you do to achieve success with SIEM? What logs should you collect? Correlate? Review? How do you use log management as a step before SIEM? What process absolutely must be built before a SIEM purchase becomes successful? Here you can learn from the experience of those who did not have the benefit of learning from others' mistakes. Also, learn a few tips on how to "operationalize" that SIEM purchase you've made. And laugh at some hilarious stories of "SIEM FAIL", of course!

  • Got SIEM? Now what? Making SIEM work for you!
    Anton Chuvakin, Ph.D - Tuesday, November 9 - 7:00pm - 8:00pm
    Security Information and Event Management (SIEM) as well as log management tools have become more common across large organizations in recent years. SIEM and log management have also been a topic of hot debates. In fact, your organization might have purchased these tools already. However, many who acquired SIEM tools have realized that they are not ready to use many of the advanced correlation features, despite promises that "they are easy to use." So, what should you do to achieve success with SIEM? What logs should you collect? Correlate? Review? How do you use log management as a step before SIEM? What process absolutely must be built before a SIEM purchase becomes successful? Attend this session to learn from the experience of those who did not have the benefit of learning from others' mistakes. Also, learn a few tips on how to "operationalize" that SIEM purchase you've made.
    ============
    Only so much advice without knowing your environment/needs
    $10k consulting project CAN save $500k SIEM budget …
    Assumed in-sourced SIEM, no cloud, MSSP, co-sourcing, outsourcing, etc
  • Does everybody need a SIEM?
    Do you need a SIEM?
    Are you ready for SIEM?
    Do you want a SIEM?
  • CISO thinks that SIEM opportunity cost is too big; spend $100k on SIEM vs spend $100k to solve a dozen problems
  • No problem is truly solved!!
  • Security Information and Event Management = relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content.
    UPDATE - see infoBoom
    Fundamental requirements missing:
    - real or near real time data collection
    - policy management
    - personalization for unique SIEM consumer groups
    - external event correlation
    - case management
    - EMS integration
    Let's further define what features can be called defining SIEM features; most organizations will look for most of these features while choosing a SIEM product. The features are:
    1. Log and Context Data Collection includes being able to collect logs and context data using a combination of agent-based and agentless methods.
    2. Normalization covers being able to convert most original logs into a universal format, usable for cross-source reporting and correlation.
    3. Correlation is used to describe rule-based correlation, statistical or algorithmic correlation as well as other methods that include relating different events to each other and events to context data.
    4. Notification/alerting includes being able to trigger notifications or alerts to operators or managers. Common alerting mechanisms include email, SMS, or even SNMP messages.
    5. Prioritization includes different features that help highlight the important events over less critical security events. This may be accomplished by correlating security events with vulnerability data or asset and identity information.
    6. Real-time views cover security-monitoring dashboards and displays, used by security operations personnel. Such views are handy when looking at current system and user activity.
    7. Reporting and scheduled reporting cover all the historical views of data collected by the SIEM product. Some products also have a mechanism for distributing reports to security personnel, either over e-mail or using a dedicated web portal. SIEM reporting relies on parsing and normalizing log data.
    Security role workflow covers incident management features such as being able to open incident cases, perform investigative triage, as well as automatically or semi-automatically perform other security operations tasks.
    WHAT LM MUST HAVE?!
    Broad Scope Log Data Collection
    Efficient Log Data Retention
    Searching Across All Data
    Broad Use Log Reporting
    Scalable Operation: Collection, Retention, Searching, Reporting
  • Mention vulnerability data
  • Buy correlation blog posts TBA
    (*) rarely just a vendor: "there is a sucker born every minute"
  • Deploy – use - operationalize – get comfortable with!
  • Organizations that graduate too soon will waste time and effort, and won't see any increased efficiency in their security operation. However, waiting too long also means that the organization will never develop the necessary capabilities to secure itself. In brief, the criteria are:
    Response capability: the organization must be ready to respond to alerts soon after they are produced.
    Monitoring capability: the organization must have or start to build security monitoring capability such as a Security Operations Center (SOC) or at least a team dedicated to ongoing periodic monitoring.
    Tuning and customization ability: the organization must accept the responsibility for tuning and customizing the deployed SIEM tool. Out-of-the-box SIEM deployments rarely succeed, or manage to reach their full potential.
    Just like college…
    Graduation tips:
    Satisfy the graduation criteria
    Use an LM vendor that has a good SIEM
    Deploy LM and use it operationally
    Periodic log reviews = first step to monitoring
    Look for integrated capability
  • Happy with LM? Then go -> SIEM
    Phased deployment!
    Filter some logs into SIEM
    How to decide? Correlation, use cases, stakeholders, etc
    Prepare to build use cases slowly
    Things to watch for while evolving
    Initially increased workload: now you do more useful stuff!
  • SIEM first steps
    Simple use cases that are your own: based on key risks to your business, key issues you'd like to monitor for
    Security monitoring for compliance
    Traditional use (if customer does not have preferred use cases and does not know how to find them)
    IDS/IPS and firewall analysis
    Login tracking
    Web application hacking
  • Log management and Security Information and Event Management (SIEM) product selection - how to pick the right SIEM and logging product?
    Develop log management or SIEM product selection criteria (related writing)
    Identify key use cases aligning log management and SIEM tools with business, compliance and security requirements
    Prepare RFP documents for SIEM, SEM, SIM or log management
    Assist with analyzing RFP responses from SIEM and log management vendors
    Evaluate and test log management and SIEM products together with the internal IT security team
    Advise on final product selection
    Logging and log management policy - how to develop the right logging policy? What to log?
    Develop logging policies and processes for servers and applications, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
    Interpret regulations and create specific and actionable logging system settings, processes and log review procedures (example: what to log for PCI DSS?)
    Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
    Customize industry "best practices" related to logging and log review to fit your environment, help link these practices to business services and regulations (example)
    Help integrate logging tools and processes into IT and business operations
    SIEM and log management product operation optimization - how to get more value out of the tools available?
    Clarify security, compliance and operational requirements
    Tune and customize SIEM and log management tools based on requirements
    Content development
    Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
    Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
    Training - how to get your engineers to use the tools best?
    Provide customized training on the tools and practices of log management for compliance, IT operations, or security needs (example training conducted)
    Develop training on effective operation and tuning of SIEM and log management tools to complement basic vendor training.

Presentation Transcript

  • You Got That SIEM. Now What Do You Do?
    Dr. Anton Chuvakin
    Security Warrior Consulting
    www.securitywarriorconsulting.com
    BayThreat 2010
  • DIRE WARNING:
    This presentation does NOT mention PCI DSS…
    …oh wait 
    www.pcicompliancebook.info
  • DIRE DISCLAIMER:
    This presentation does NOT contain jokes about Cisco MARS!
  • Outline
    Brief: What is SIEM/LM?
    “You got it!”
    SIEM Pitfalls and Challenges
    Useful SIEM Practices
    From Deployment Onwards
    SIEM “Worst Practices”
    Conclusions
  • About Anton
    Former employee of SIEM and log management vendors
    Now consulting for SIEM vendors and SIEM users
    SANS class author (SEC434 Log Management)
    Author, speaker, blogger, podcaster (on logs, naturally )
  • SIEM?
    Security Information and Event Management!
    (sometimes: SIM or SEM)
  • Got SIEM?
    Now what?
  • SIEM and Log Management
    LM:
    Log Management
    Focus on all uses for logs
    SIEM:
    Security Information
    and Event Management
    Focus on security use of logs and other data
  • Why SO many people think that “SIEM sucks?”
  • SIEM Evolution
    1997-2002 IDS and Firewall
    Worms, alert overflow, etc
    Sold “SOC in the box”
    2003 – 2007 Above + Server + Context
    PCI DSS, SOX, users
    Sold “SOC in the box”++
    2008+ Above + Applications + …
    Fraud, activities, cybercrime
    Sold “SOC in the box”+++++
  • What SIEM MUST Have?
    Log and Context Data Collection
    Normalization
    Correlation (“SEM”)
    Notification/alerting (“SEM”)
    Prioritization (“SEM”)
    Reporting and delivery (“SIM”)
    Security role workflow (IR, SOC, etc)
  • What SIEM Eats: Logs
    <18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
    <57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006
    <122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2
    <13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon  account:  ANTON    Source Workstation: ENTERPRISE    Error Code: 0xC000006A     4574
  • BTW…
    … yesterday I saw an RFC5424-compliant syslog message with structured data.
    OMG! They really do exist!! Well, this one does – produced by rsyslog application itself….
  • What SIEM Eats: Context
    http://chuvakin.blogspot.com/2010/01/on-log-context.html
  • Popular #SIEM_FAIL
    … in partial answer to “why people think SIEM sucks?”
    Misplaced expectations (“SOC-in-a-box”)
    Missing requirements (“SIEM…huh?”)
    Missed project sizing
    Political challenges with integration
    Lack of commitment
    Vendor deception (*)
    And only then: product not working 
  • SIEM Planning Areas
    Goals and requirements
    Functionality / features
    Scoping of data collection
    Sizing
    Architecting
  • What is a “Best Practice”?
    A process or practice that
    The leaders in the field are doing today
    Generally leads to useful results with cost effectiveness
    P.S. If you still hate it – say
    “useful practices”
  • BP1 LM before SIEM!
    If you remember one thing from this, let it be:
    Deploy Log Management BEFORE SIEM!
    Q: Why do you think MOST 1990s SIEM deployments FAILED?
    A: There was no log management!
  • Graduating from LM to SIEM
    Are you ready? Well, do you have…
    Response capability
    Prepared to respond to alerts
    Monitoring capability
    Has an operational process to monitor
    Tuning and customization ability
    Can customize the tools and content
  • SIEM/LM Maturity Curve
  • BP2 Evolving to SIEM
    Steps of a journey …
    Establish response process
    Deploy a SIEM
    Think “use cases”
    Start filtering logs from LM to SIEM
    Phases!
    Prepare for the initial increase in workload
  • Example LM->SIEM Filtering
    3D: Devices / Network topology / Events
    Devices: NIDS/NIPS, WAF, servers
    Network: DMZ, payment network (PCI scope), other “key domains”
    Events: authentication, outbound firewall access
    Later: proxies, more firewall data, web servers
  • “Quick Wins” for Phased Approach
    Phased
    approach #2
    • Focus on 1 problem
    • Plan architecture
    • Start collecting
    • Start reviewing
    • Solve problem 1
    • Plan again
    Phased
    approach #1
    Collect problems
    Plan architecture
    Start collecting
    Start reviewing
    Solve problem 1
    Solve problem n
  • BP3 SIEM First Steps
    First step = BABY steps!
    Compliance monitoring
    “Traditional” SIEM uses
    Authentication tracking
    IPS/IDS + firewall correlation
    Web application hacking
    Simple use cases
    based on your risks
    What problems do YOU want solved?
  • Example SIEM Use Case
    Cross-system authentication tracking
    Scope: all systems with authentication
    Purpose: detect unauthorized access to systems
    Method: track login failures and successes
    Rule details: multiple login failures followed by login success
    Response plan: user account investigation, suspension, communication with suspect user
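    The use case on this slide carried through in working code, as an added example that is not the author's or any product's code: constructed syslog lines (not real data) modelled on the sshd and Cisco IOS SEC_LOGIN formats from the "What SIEM Eats: Logs" slide are first normalized into one schema, then the rule "multiple login failures followed by a login success for the same user, on any system" runs over the stream. Host names, addresses, the three-failure threshold and the 300-second window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample stream (not real data), modelled on the sshd and Cisco IOS
# SEC_LOGIN syslog formats shown on the "What SIEM Eats: Logs" slide.
RAW_LOGS = [
    "<122> Mar 4 09:23:01 webdmz1 sshd[27577]: Failed password for anton from 192.168.138.35 port 2890 ssh2",
    "<122> Mar 4 09:23:09 webdmz1 sshd[27577]: Failed password for anton from 192.168.138.35 port 2891 ssh2",
    "<122> Mar 4 09:23:15 webdmz1 sshd[27577]: Failed password for anton from 192.168.138.35 port 2895 ssh2",
    "<57> Mar 4 09:24:02 rtr-core: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: anton] [Source: 192.168.138.35] [localport: 23]",
    "<122> Mar 4 09:30:00 webdmz1 sshd[27600]: Accepted password for bob from 10.1.1.5 port 2900 ssh2",
]

SYSLOG_HDR = re.compile(r"^<\d+>\s*(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\s+(\S+?):?\s+(.*)$")
SSHD = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+)")
CISCO = re.compile(r"%SEC_LOGIN-\d-LOGIN_(SUCCESS|FAILED):.*\[user: ?([^\]]+)\].*\[Source: ?([^\]]+)\]")


def normalize(line, year=2006):
    """Normalization step: map one raw line from either source onto a common
    schema (ts, host, user, src, outcome). Returns None for lines no parser
    understands. Syslog timestamps carry no year, so one is assumed."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    host, body = m.group(2), m.group(3)
    s = SSHD.search(body)
    if s:
        return {"ts": ts, "host": host, "user": s.group(2), "src": s.group(3),
                "outcome": "success" if s.group(1) == "Accepted" else "failure"}
    c = CISCO.search(body)
    if c:
        return {"ts": ts, "host": host, "user": c.group(2), "src": c.group(3),
                "outcome": "success" if c.group(1) == "SUCCESS" else "failure"}
    return None


def correlate(events, min_failures=3, window_s=300):
    """Correlation step, the rule from the slide: at least min_failures login
    failures for one user (on any system), followed within window_s seconds by
    a login success for that same user. One alert per triggering success."""
    recent = defaultdict(deque)  # user -> (ts, host) of failures still inside the window
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        q = recent[e["user"]]
        while q and (e["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()  # expire failures that fell out of the window
        if e["outcome"] == "failure":
            q.append((e["ts"], e["host"]))
        elif len(q) >= min_failures:
            alerts.append({"user": e["user"], "src": e["src"], "failures": len(q),
                           "failed_on": sorted({h for _, h in q}),
                           "success_on": e["host"], "at": e["ts"].isoformat()})
            q.clear()  # do not alert twice on the same burst of failures
    return alerts


def run(lines=RAW_LOGS):
    """Normalize the raw stream, then run the correlation rule over it."""
    events = [ev for ev in (normalize(ln) for ln in lines) if ev]
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)  # one alert: anton failed 3x on webdmz1, then succeeded on rtr-core
```

    The alert is the input to the response plan on the slide; the user and source address it carries are what the account investigation starts from.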
  • 10 minutes or 10 months?
    A typical large customer takes 10 months to deploy a log management architecture based on our technology
    ?
    Our log management appliance can be racked, configured and collecting logs in 10 minutes
  • Secret to SIEM Magic!
  • What is a “Worst Practice”?
    As opposed to the “best practice” it is …
    What the losers in the field are doing today
    A practice that generally leads to disastrous results, despite its popularity
  • WP for SIEM Project scope
    WP1: Postpone scope until after the purchase
    “The vendor says ‘it scales’ so we will just feed ALL our logs”
    Windows, Linux, i5/OS, OS/390, Cisco – send’em in!
    WP2: Assume you will be the only user of the tool
    “Steakholders”? What’s that? 
    Common consequence: two or more similar tools are bought
  • Case Study: “We Use’em All”
    At SANS Log Management Summit 200X…
    Vendors X, Y and Z claim “Big Finance” as a customer
    How can that be?
    Well, different teams purchased different products …
    About $2.3m wasted on tools
    that do the same!
  • WPs for Deployment
    WP3: Expect The Vendor To Write Your Logging Policy OR Ignore Vendor Recommendations
    “Tell us what we need – tell us what you have” forever…
    WP4: Unpack the boxes and go!
    “Coordinating with network and system folks is for cowards!”
    Do you know why LM projects take months sometimes?
    WP5: Don’t prepare the infrastructure
    “Time synchronization? Pah, who needs it”
    WP6: Deploy Everywhere At Once
    “We need it everywhere!! Now!!”
  • WPs for Expanding Deployment
    WP7: Don’t Bother With A Product Owner
    “We all use it – we all run it (=nobody does)”
    WP8: Don’t Check For Changed Needs – Just Buy More of the Same
    “We made the decision – why fuss over it?”
    WP9: If it works for 10, it will be OK for 10,000
    “1,10,100, …, 1 trillion –
    they are just numbers”
  • More Quick SIEM Tips
    Cost countless sleepless nights and boatloads of pain….
    No SIEM before IR plans/procedures
    No SIEM before basic log management
    Think "quick wins", not "OMG ...that SIEM boondoggle"
    Tech matters! But practices matter more
    Things will get worse before better. Invest time before collecting value!
  • Conclusions
    SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required
    FOCUS on what problems you are trying to solve with SIEM: requirements!
    Phased approach WITH “quick wins” is the easiest way to go
    Operationalize!!!
  • And If You Only …
    … learn one thing from this….
    … then let it be….
  • Requirements! Requirements! Requirements! Requirements! Requirements!
    (the word repeated to fill the whole slide)
  • Questions?
    Dr. Anton Chuvakin
    Email:anton@chuvakin.org
    Site:http://www.chuvakin.org
    Blog:http://www.securitywarrior.org
    Twitter:@anton_chuvakin
    Consulting:http://www.securitywarriorconsulting.com
  • More Resources
    Blog: www.securitywarrior.org
    Podcast: look for “LogChat” on iTunes
    Slides: http://www.slideshare.net/anton_chuvakin
    Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin
    Consulting: http://www.securitywarriorconsulting.com/
  • More on Anton
    Consultant: http://www.securitywarriorconsulting.com
    Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
    Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
    Standard developer: CEE, CVSS, OVAL, etc
    Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
    Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
  • Security Warrior Consulting Services
    Logging and log management strategy, procedures and practices
    Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
    Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
    Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
    Help integrate logging tools and processes into IT and business operations
    SIEM and log management content development
    Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
    Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
    More at www.SecurityWarriorConsulting.com