Speaker notes
  • Security Information and Event Management = security-relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content. Log management = comprehensive log collection, aggregation, original log retention; analysis; presentation (search, reporting, visualization); related workflow and relevant content.
  • Security Information and Event Management = relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content. Also: WHY SIEM – too many IDS alerts!
  • SIEM use cases: SOC – full real-time monitoring; Mini-SOC / “morning after”; Remote monitoring + investigations; Compliance status reporting

SIEM: A Necessary Thing or an Expensive Toy
  Dr. Anton Chuvakin
  RISSPA
  December 2009

Outline
  • Brief: What is SIEM?
  • Implementation Choices: Build/Outsource/Buy
  • Detailed Analysis of Choices
  • SIEM and Log Management “Worst Practices”
  • Conclusions

SIEM and LM Defined
  • Security Information and Event Management = relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content.
  • Log Management = comprehensive log collection, aggregation, original log retention; analysis; presentation (search, reporting, visualization); related workflow and relevant content.

SIEM vs LM
  • SIEM = SECURITY information and event management
  • vs
  • LM = LOG management

What SIEM MUST Have?
  • Log and Context Data Collection
  • Normalization
  • Correlation (“SEM”)
  • Notification/alerting (“SEM”)
  • Prioritization (“SEM”)
  • Reporting (“SIM”)
  • Security role workflow

SIEM Use Cases
  • Security Operations Center (SOC)
    RT views, analysts 24/7, chase alerts
  • Mini-SOC / “morning after”
    Delayed views, analysts 1/24, review and drill-down
  • “Automated SOC” / alert + investigate
    Configure and forget, investigate alerts
  • Compliance status reporting
    Review reports/views weekly/monthly

Secret to SIEM Magic!

APPROACHES
  Build / Buy / Outsource

How Do You Do It?
  • Now that you are convinced about SIEM…
  • Outsource
  • Build
  • Buy
  • Combined strategies are also possible
Outsource
  Risks:
    • Somebody else will worry about your problems!
    • Requirements not met
    • SLA risks and lost control of data
    • Volume and log access challenges
  Advantages:
    • Somebody else will worry about your problems!
    • Likely, no need to run any equipment in house
    • Less staff needed
    • Management will like it

What to Be Aware Of?
  • Will all your log and context data be going to the MSSP?
  • Does the MSSP have the skills to analyze your site-specific logs?
  • Can you still take a peek at your original logs?
    Do you need to call for that? Can you access them directly?
  • Cloud SIEM?

Build
  Risks:
    • Ongoing maintenance will KILL you
    • No support, apart from you
    • Does it pass the “bus test”?
    • Handling log volume
    • Will it scale with you?
  Advantages:
    • Likely will get exactly what you want (*)
    • You can do things that no vendor has
    • Choose platform, tools, methods
    • No up front cost
    • It’s fun to do!

Open-Source Tools to the Rescue!
  • Log collection: Syslog-ng, kiwi, Snare, LASSO, Apache2syslog, logger, etc.
  • Secure centralization: Stunnel, ssh, OpenSSL
  • Pre-processing: LogPP
  • Storage: MySQL or design your own file-based storage
  • Analysis – a tough one!
    OSSEC and OSSIM for [some] intelligence
    Swatch, logwatch, logsentry, other match-n-bug scripts
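The SIEM must-haves listed earlier (normalization, correlation, prioritization, alerting) and the “build” path with match-n-bug scripts, as an added example that is not from the slides or from any of the tools named: a small Python script that normalizes constructed sshd syslog lines into a common auth-event schema, correlates repeated failures from one source IP across hosts inside a time window, and prioritizes the resulting alert with context data. The log lines, hostnames, IP addresses and the asset-criticality table are all constructed for the example; function names are the example’s own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd syslog lines (not from the slides): deliberately out of order,
# two hosts, one source that fails repeatedly and then succeeds, one lone failure.
SAMPLE_LOGS = [
    "Dec  1 10:00:03 web1 sshd[2002]: Failed password for root from 203.0.113.7 port 51001 ssh2",
    "Dec  1 09:58:00 web1 sshd[1999]: Failed password for root from 203.0.113.7 port 50990 ssh2",
    "Dec  1 10:00:01 web1 sshd[2001]: Failed password for root from 203.0.113.7 port 51000 ssh2",
    "Dec  1 10:00:04 db1 sshd[3100]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2",
    "Dec  1 10:00:05 web1 sshd[2003]: Accepted password for root from 203.0.113.7 port 51003 ssh2",
    "Dec  1 10:02:00 web1 sshd[2004]: Failed password for bob from 198.51.100.9 port 40000 ssh2",
]
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
                     r"(?P<user>\S+) from (?P<src>\S+)")
ASSET_CRITICALITY = {"db1": "critical", "web1": "normal"}  # constructed context data

def normalize(line, year=2009):
    """Normalization: map one raw syslog line onto a common auth-event schema (None if not auth)."""
    m = SYSLOG_RE.match(line)
    a = AUTH_RE.match(m["msg"]) if m else None
    if not a:
        return None  # collected and retained as raw log, but not an auth event
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # BSD syslog lacks the year
    return {"ts": ts, "host": m["host"], "src": a["src"], "user": a["user"],
            "outcome": "failure" if a["outcome"] == "Failed" else "success"}

def prioritize(hosts, success):
    """Prioritization: outcome plus context (asset criticality) decide the alert priority."""
    if success:
        return "critical"
    if any(ASSET_CRITICALITY.get(h) == "critical" for h in hosts):
        return "high"
    return "medium"

def correlate(lines, threshold=3, window=timedelta(seconds=60)):
    """Correlation: >= threshold failures from one source IP inside `window`, across any hosts."""
    events = sorted((e for e in map(normalize, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(list)  # src ip -> failure events still inside the window
    alerts = {}                 # src ip -> alert (one per source, not one per event)
    for e in events:
        bucket = recent[e["src"]]
        if e["outcome"] == "failure":
            bucket.append(e)
            bucket[:] = [f for f in bucket if e["ts"] - f["ts"] <= window]  # expire old failures
            if len(bucket) >= threshold and e["src"] not in alerts:
                hosts = sorted({f["host"] for f in bucket})
                alerts[e["src"]] = {"rule": "ssh_bruteforce", "src": e["src"], "count": len(bucket),
                                    "hosts": hosts, "priority": prioritize(hosts, success=False)}
        elif e["src"] in alerts:  # a success after the rule fired for this source: escalate
            alerts[e["src"]].update(rule="ssh_bruteforce_then_success",
                                    priority=prioritize(alerts[e["src"]]["hosts"], success=True))
    return list(alerts.values())

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)  # notification/alerting stage, reduced here to printing the alert
```

The 09:58:00 failure falls outside the 60-second window and is expired, so the rule fires on exactly the three failures at 10:00:01–10:00:04, and the success at 10:00:05 escalates the alert; raising the threshold to 4 produces no alert at all.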
Example: How to Deal with a Trillion Log Messages?
  • How to analyze a trillion (~1000 billion) log messages for some specific goal?
  • Hundreds of terabytes (1/2 of a petabyte …) of data
  • Which tool to pick?
  • “Sorry, buddy, you are writing some code here!”
  • See the loganalysis list or my blog for details about this case

Buy
  Advantages:
    • “Cash and carry” – pay and get a “solution”
    • Support for log sources
    • Ongoing improvements, support
    • “Have a face(s) to scream at!”
  Risks:
    • “Cash and carry” – pay and get a tool you need to use now
    • Skilled staff needed to get value out of a purchase
    • Requirements not met
    • Vendor longevity

Questions to Discuss With Your Vendor
  • Are you collecting and aggregating 100% of all log data from all data sources on the network?
  • Are your logs transported and stored securely?
  • Are there packaged reports that suit your needs? Can you create the needed reports to organize collected log data quickly?
  • Can you set alerts on anything in the logs?
  • Are you looking at log data on a daily basis? Can you prove that you are?
  • Can you perform fast, targeted searches for specific data?
  • Can you contextualize log data (comparing application, network and database logs) when undertaking forensics and other operational tasks?
  • Can you readily prove that security, change management, and access control policies are in use and up to date?
  • Can you securely share log data with other applications and users?

Combined Strategies: Often the Best…
  • Buy + Build: great idea – enhance vendor tools with internal custom development OR combine vendor tools with open-source tools (build, then buy or the opposite)
  • Buy + Outsource: split the work with an MSSP team and retain more control
  • Combined approaches mitigate some of the risks, but at a cost (see the TANFL principle)

Build + Buy: Surprisingly Effective!
  Capture buy advantages:
    • Support
    • Ongoing improvement
    • Routine log analysis tasks done by the vendor!
  Capture build advantages:
    • Build the analysis you want
    • Present the data you want to the people that need it
    • Critical SIEM tasks done by you!

Finally, How to Choose?
  • Breadth/depth of project requirements
    Just how unusual are you? Unique needs or volumes
  • Size of organization
  • Available resources: money, development talent
  • Organization culture and management support
  • Deployed hardware and software
    Run any Tandem?

WORST PRACTICES
  Lessons Learned: SIEM “Worst Practices”

So, You Decided to Acquire a SIEM
  • What’s next?
  • What do you want, specifically?
  • How to choose a product?
  • How not to screw it up?
  • How to make sure that it goes smoothly, now and later?
  • How to be happy with your SIEM?

What is a “Worst Practice”?
  • As opposed to the “best practice” it is …
  • What the losers in the field are doing today
  • A practice that generally leads to disastrous results, despite its popularity

SIEM or LM Project Lifecycle
  1. Determine the need
  2. Define scope of log management
  3. Select and evaluate the vendor
  4. Run proof of concept (POC)
  5. Deploy (in phases)
  6. Run the tool
  7. Expand deployment

1. Determine the Need
  • WP1: Skip this step altogether – just buy something
    “John said that we need a correlation engine”
    “I know this guy who sells log management tools …”
  • WP2: Define the need in general
    “We need, you know, ‘do SIEM’ and stuff”
    Questions: Real-time? Platform? Appliance? Service? Correlation? Indexing? RDBMS vs files? Volume of logs? Agents? Collectors? Connectors? Users? Your use cases?

Case Study A – Just Buy a SIEM!
  • Medium-sized financial company
  • New CSO comes in from a much larger organization
  • “We need a SIEM! ASAP!”
  • Can you spell “boondoggle”?
  • Lessons learned: which problem did we solve? Huh!? None?

2. Define Scope
  • WP3: Postpone scope until after the purchase
    “The vendor says ‘it scales’ so we will just feed ALL our logs”
    Windows, Linux, i5/OS, OS/390, Cisco – send’em in!
  • WP4: Assume you will be the only user of the tool
    “Steakholders”? What’s that?
    Common consequence: two or more similar tools are bought

Case Study B: “We Use’em All”
  • At SANS Log Management Summit 200X…
  • Vendors X, Y and Z claim “Big Finance” as a customer
  • How can that be?
  • Well, different teams purchased different products …
  • About $2.3m wasted on tools that do the same!

3. Initial Vendor Selection
  • WP5: Choose by price alone
    Ignore hardware, extra modules, training, service, support, etc. costs
    “OMG, this tool is 30% cheaper. And it is only twice as bad.”
    Advanced version: be suckered by the vendor’s TCO and ROI “formulas”
  • WP6: Choose by relationship or “PowerPoint power”
    “We got it with the latest router purchase…”

4. Vendor Evaluation and POC
  • WP7: Don’t ask for and don’t check references
    “Our environment is unique”
  • WP8: Don’t do a POC
    “We can save time!”
    “We can just choose the best product, right?”
    “The vendor said it works just peachy”
  • WP9: If doing a POC, let the vendor dictate how OR ignore what the vendor says
    “Windows? Sure, we will test on Windows!”
    “Proof of concept!? Why prove what we already know!”

Case Study C: Performance-Shmerformance
  • Retail organization deciding between two log management products, A and B
  • Vendor A: “We scale like there is no tomorrow”
  • Vendor B: “We scale like we invented scaling”
  • Q: “Can you prove it?!”
  • A: Results:
    Vendor A claims 75,000 MPS, dies at 2300 (!)
    Vendor B claims 75,000 MPS, runs at 85000 (!!)

5. Deployment
  • WP10: Expect the vendor to write your logging policy OR ignore vendor recommendations
    “Tell us what we need – tell us what you have” forever…
  • WP11: Unpack the boxes and go!
    “Coordinating with network and system folks is for cowards!”
    Do you know why LM projects sometimes take months?
  • WP12: Don’t prepare the infrastructure
    “Time synchronization? Pah, who needs it”
  • WP13: Ignore the legal team
    Pain …

Case Study D: Shelfware Forever!
  • Financial company gets a SIEM tool after many months of “evaluations”
  • Vendor SEs deploy it
  • One year passes by
  • A new CSO comes in; looks for what is deployed
  • Finds a SIEM tool – whose database contains exactly 53 log records (!)
  • It was never connected to a production network…

6. Running the Tool
  • WP14: Deploy everywhere at once
    “We need log management everywhere!”
  • WP15: “Save money” on the vendor support contract
    “We have to pay 18% for what?”
  • WP16: Ignore upgrades
    “It works just fine – why touch it?”
  • WP17: Training? They said it is ‘intuitive’!
    “A chance to ‘save’ more money here? Suuure.”

Case Study E: Intuitive? To Me It Isn’t!
  • A major retailer procures a log management tool from an integrator
  • A classic “high-level” sale, golf and all
  • “Intuitive UI” is high on the list of criteria
  • The tool is deployed in production
  • Security engineers hate it – and don’t touch it
  • Simple: the UI workflow doesn’t match what they do every day

7. Expanding Deployment
  • WP18: Don’t bother with a product owner
    “We all use it – we all run it (= nobody does)”
  • WP19: Don’t check for changed needs – just buy more of the same
    “We made the decision – why fuss over it?”
  • WP20: If it works for 10, it will be OK for 10,000
    “1, 10, 100, …, 1 trillion – they are just numbers”

Case Study F: Today - Datacenter, Tomorrow … Oops!
  • Log management tool is tested and deployed at two datacenters – with great success!
  • PCI DSS comes in; scope is expanded to wireless systems and POS branch servers
  • The tool is prepared to be deployed in 410 (!) more locations
  • “Do you think it will work?” - “Suuuuure!”, says the vendor
  • Security director resigns …

Conclusions – Serious!
  • Turn ON logging!
  • Learn about SIEM and log management
    Read NIST 800-92 and other industry documents; do the research!
    Read some of the stuff I wrote on SIEM too
  • Match what you need with what they have
    Not doing it is a key source of PAIN
  • Plan carefully – and plan your planning too
  • Work WITH the vendor – not ‘against’, not ‘without’, not ‘for’

Final Word
  • Final word: do big IT projects have “shortcuts” to easy and effortless success – what are they?
  • The answer is …
  • NO!

Questions
  Dr. Anton Chuvakin
  Email: anton@chuvakin.org
  Google Voice: 510-771-7106
  Site: http://www.chuvakin.org
  Blog: http://www.securitywarrior.org
  LinkedIn: http://www.linkedin.com/in/chuvakin
  Twitter: @anton_chuvakin

Security Warrior Consulting Services
  Logging and log management policy
    • Develop logging policies and processes, log review procedures, workflows and periodic tasks, as well as help architect those to solve organization problems
    • Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
    • Customize industry “best practices” related to logging and log review to fit your environment; help link these practices to business services and regulations
    • Help integrate logging tools and processes into IT and business operations
  Content development
    • Development of correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
    • Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
  More at www.SecurityWarriorConsulting.com

More on Anton
  • Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
  • Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
  • Standard developer: CEE, CVSS, OVAL, etc.
  • Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
  • Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager, Consultant