10 things we're doing wrong with SIEM

This is the slidedeck of the presentation I gave at Source Barcelona 2010 titled "10 things we're doing wrong with SIEM".

10 things we're doing wrong with SIEM Presentation Transcript

  • 1. The SIEM Daily, Barcelona, 21/09/2010. Sunday 3 October 2010
  • 2. Logs
  • 3. Disclaimer: the views and opinions expressed in this presentation are those of the speaker alone and do not necessarily represent those of his past, current or future employers, clients and/or associates.
  • 4. 10 things we're doing wrong! About me: Wim Remes, Infosec Consultant, Ernst & Young, Geek, I talk a lot, I <3 beer (cerveza), I <3 conversation, wremes@gmail.com, @wimremes on twitter. About this talk: SIEM is on the floor; the reason is tech; the reason is me; the reason is you; why do we f**k up? how can we f**k up less?
  • 5. Security Information and Event Management. SIEM: People, Product, Process
  • 6. 1: It's the information, silly!
  • 7. DATA -> FILTER -> INFORMATION (RELATIONSHIP?)
  • 8. DATA -> INFORMATION (psstt... this isn't the end!)
  • 9. KNOWLEDGE
  • 10. UNDERSTANDING
  • 11. WISDOM
  • 12. 2: Cuz that's the way we roll ...
  • 13. PLAN -> DO -> CHECK (study) -> ACT
  • 14. (image only)
  • 15. Wendy at the last SIEM team team-building weekend ...
  • 16. (image only)
  • 17. 3: Cylinders of excellence ...
  • 18. NETWORK | INFOSEC | INFRA | APPS
  • 19. (image only)
  • 20. (image only)
  • 21. 4: COMPLIANCE DRIVEN SECURITY
  • 22. (chart) I want to / I'm ready / I have to (regulatory, internal audit, higher forces): 5% / 80% / 15%. * I err on the side of optimism
  • 23. (image only)
  • 24. 5: FEAR DRIVEN SECURITY
  • 25. Manage your defenses based on reality, not on publicity! (Verizon DBIR 2010)
  • 26. 6: WYAFIWYG (what you ask for is what you get)
  • 27. Detect APT Hackers!! / Correlation! / Log Management ...
  • 28. Log Management ... "We need to centralize and retain all log data from all of our boxes and we've been told SIEM is the way to go. What box can help us to get all that stuff centralized?"
  • 29. Correlation! "We have heard of this thing called correlation and apparently $solution from $vendor can do that for us. When can you ship that box?"
  • 30. Detect APT Hackers!! "Hackers are dangerous! We need SIEM to catch them! (Gimme, gimme, gimme)"
  • 31. Fraud alerts are the leading method of discovering breaches (Verizon DBIR 2010)
  • 32. Build YOUR use case! a. React Faster b. Improve Efficiency c. Automate Compliance (Securosis: Understanding and Selecting SIEM/Log Management)
  • 33. 7: In the beginning ...
  • 34. FLAT | HIERARCHY | MESH
  • 35. Data Sources -> Data Points -> Use Cases. Questions: Who? Why? What? Where? When? Data points: src ip address, dst ip address, username, host name, app name, action
  • 36. 8: Linking it up ...
  • 37. (diagram) CONTEXT feeding the SIEM: Change Management, CMDB, Vulnerability Management (VM), Network Behaviour Analysis. Outputs from the SIEM: Incident Response Process, Infosec BI, Incident Data
  • 38. 9: Reporting for duty ...
  • 39. 1. Choose the right metrics 2. Choose the right charts 3. Learn how to interpret and visualize data 4. Reports/Scorecards are not only for management!
  • 40. 10: Standards?
  • 41. CEF (common event format), CEE (common event expression)
  • 42. CEE (common event expression): event & log taxonomy / dictionary. CELR: Common Event Log Recommendations; CLS: Common Log Syntax; CLT: Common Log Transport
  • 43. CEE Common Log Syntax: Event -> Details; Field: Name, Entry; Set: Name, Entry
  • 44. Who to follow? @anton_chuvakin @zrlram @andrewsmhay @rockyd @securosis
  • 45. (image only)
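The CEF format named on slide 41 and the data-point model of slide 35, worked as an added example that is not from the deck: the parser follows the ArcSight CEF header and extension escaping rules, and the mapping of CEF keys (suser, duser, src, dst, shost, dhost, app, act, rt, end) onto Who/What/Where/When is an assumption made here, as are the sample lines.

```python
import re

# Added example, not part of the deck: parse CEF lines (the format named on
# slide 41) and check which of slide 35's Who/What/Where/When data points a log
# source really delivers. Escaping follows the ArcSight CEF spec; mapping CEF
# keys onto the deck's questions is an assumption made for this example.
DATA_POINTS = {
    "who":   ("suser", "duser"),                # username
    "where": ("src", "dst", "shost", "dhost"),  # src/dst ip address, host name
    "what":  ("app", "act"),                    # app name, action
    "when":  ("rt", "end"),                     # event time
}
_HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
_FIELD = re.compile(r"((?:[^|\\]|\\.)*)\|")           # one header field up to an unescaped '|'
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")  # 'key=' at the start of a token

def _unescape(s, ext=False):
    """Undo CEF escapes: '\\|', '\\\\', '\\=' and, in the extension, '\\n' / '\\r'."""
    ctrl = {"n": "\n", "r": "\r"} if ext else {}
    return re.sub(r"\\(.)", lambda m: ctrl.get(m.group(1), m.group(1)), s)

def parse_cef(line):
    """Parse one CEF line into its 7 header fields plus an 'ext' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    body, fields, pos = line[4:], [], 0
    for _ in range(7):
        m = _FIELD.match(body, pos)
        if not m:
            raise ValueError("CEF header needs 7 '|'-separated fields")
        fields.append(_unescape(m.group(1))); pos = m.end()
    ext, rec = body[pos:], dict(zip(_HEADER, fields))
    keys = list(_KEY.finditer(ext))  # values may contain spaces: each runs to the next key
    rec["ext"] = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)].rstrip()
        rec["ext"][m.group(1)] = _unescape(raw, ext=True)
    return rec

def missing_points(rec):
    """Slide 35 questions this event cannot answer (no matching CEF key present)."""
    return [q for q, keys in DATA_POINTS.items() if not any(k in rec["ext"] for k in keys)]

# Constructed sample lines (not real device output).
SAMPLE = [
    r"CEF:0|Acme|Firewall\|NG|2.1|100|Connection blocked|5|src=10.1.2.3 dst=198.51.100.7 act=deny rt=1285113600000",
    r"CEF:0|Acme|WebApp|1.0|200|Login failed|3|suser=alice dhost=app01 app=portal msg=reason\=bad password",
]
```

Running missing_points over a day of events per source tells you which sources cannot answer "who" or "when" before a use case is built on them.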