The SIEM Daily   Barcelona, 21/09/2010
10 things we're doing wrong with SIEM

3,705

Published on

This is the slidedeck of the presentation I gave at Source Barcelona 2010 titled "10 things we're doing wrong with SIEM".

1 Comment
4 Likes
Statistics
Notes
No Downloads
Views
Total Views
3,705
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
170
Comments
1
Likes
4
Embeds 0
No embeds

No notes for slide

10 things we're doing wrong with SIEM

  1. The SIEM Daily, Barcelona, 21/09/2010 (Sunday 3 October 2010)
  2. Logs
  3. Disclaimer: the views and opinions expressed in this presentation are those of the speaker alone and do not necessarily represent those of his past, current or future employers, clients and/or associates.
  4. 10 things we're doing wrong! About me: Wim Remes, Infosec Consultant, Ernst & Young, Geek, I talk a lot, I <3 beer (cerveza), I <3 conversation, wremes@gmail.com, @wimremes on twitter. About this talk: SIEM is on the floor; the reason is tech; the reason is me; the reason is you; why do we f**k up? how can we f**k up less?
  5. Security Information and Event Management (SIEM): People, Product, Process
  6. 1: It's the information, silly!
  7. DATA, FILTER, RELATIONSHIP?, INFORMATION
  8. DATA, INFORMATION (psstt... this isn't the end!)
  9. KNOWLEDGE
  10. UNDERSTANDING
  11. WISDOM
  12. 2: cuz that's the way we roll ...
  13. PLAN, ACT, DO, CHECK (study)
  14. (no text on slide)
  15. Wendy at the last SIEM team team-building weekend ...
  16. (no text on slide)
  17. 3: Cylinders of excellence ...
  18. NETWORK, INFOSEC, INFRA, APPS
  19. (no text on slide)
  20. (no text on slide)
  21. 4: COMPLIANCE DRIVEN SECURITY
  22. Three categories: I want to, I'm ready, I have to (regulatory, internal audit, higher forces), with shares of 5%, 80% and 15% (* I err on the side of optimism)
  23. (no text on slide)
  24. 5: FEAR DRIVEN SECURITY
  25. Manage your defenses based on reality, not on publicity! (Verizon DBIR 2010)
  26. 6: WYAFIWYG (what you ask for is what you get)
  27. Detect APT Hackers!! Correlation! Log Management ...
  28. Log Management ... "We need to centralize and retain all log data from all of our boxes and we've been told SIEM is the way to go. What box can help us to get all that stuff centralized?"
  29. Correlation! "We have heard of this thing called correlation and apparently $solution from $vendor can do that for us. When can you ship that box?"
  30. Detect APT Hackers!! "Hackers are dangerous! We need SIEM to catch them! (Gimme, gimme, gimme)"
  31. Fraud alerts are the leading method of discovering breaches (Verizon DBIR 2010)
  32. Build YOUR use case! a. React Faster; b. Improve Efficiency; c. Automate Compliance (Securosis: Understanding and Selecting SIEM/Log Management)
  33. 7: In the beginning ...
  34. FLAT, HIERARCHY, MESH
  35. Data Sources: Who? Why? What? Where? When? Data Points: src ip address, dst ip address, username, host name, app name, action. Use Cases.
  36. 8: Linking it up ...
  37. SIEM with CONTEXT from Change Management, Network Behaviour Analysis, Vulnerability Management (VM), CMDB, Incident Response Process, Infosec BI and Incident Data
  38. 9: Reporting for duty ...
  39. 1. Choose the right metrics; 2. Choose the right charts; 3. Learn how to interpret and visualize data; 4. Reports/Scorecards are not only for management!
  40. 10: Standards?
  41. CEF (common event format), CEE (common event expression)
  42. CEE (common event expression): event & log taxonomy/dictionary; CELR (Common Event Log Recommendations); CLS (Common Log Syntax); CLT (Common Log Transport)
  43. CEE Common Log Syntax: Name / Field / Entry; Event Details; Name / Set / Entry
  44. Who to follow? @anton_chuvakin @zrlram @andrewsmhay @rockyd @securosis
  45. (no text on slide)
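Slides 35, 37 and 41 describe three steps that a SIEM has to get right before "data" becomes "information" (slide 7): pull the data points (src/dst ip address, username, host name, app name, action, plus Who/What/Where/When) out of a normalised event format such as CEF, link them to context (CMDB, vulnerability management) and only then decide what matters. The Python below is an added example, not code from the deck or from its author: it parses a CEF line, maps it onto the slide-35 data points, enriches the destination from a constructed CMDB and a constructed list of open findings (placeholder identifiers, not real vulnerabilities), and applies a constructed priority rule. The CEF extension keys used (src, dst, suser, duser, dhost, dvchost, app, act, rt, msg) are standard CEF dictionary keys; the sample lines and the asset records are constructed for this example.

```python
import re
from datetime import datetime, timezone

# Constructed CMDB: ip address -> asset record (the CONTEXT of slide 37).
CMDB = {
    "10.0.1.20": {"hostname": "pay-db01", "owner": "payments", "criticality": "high"},
    "10.0.5.7": {"hostname": "wiki01", "owner": "it", "criticality": "low"},
}

# Constructed vulnerability-management output: hostname -> open finding ids.
# Placeholder identifiers only; they do not refer to real vulnerabilities.
OPEN_FINDINGS = {"pay-db01": ["VULN-PLACEHOLDER-1"]}

# Header fields are separated by unescaped pipes; extension pairs are key=value,
# values may contain spaces, and '=' inside a value is escaped as '\='.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
_EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^=\\])*?)(?=\s+\w+=|\s*$)")


def _unescape(value: str) -> str:
    """Undo CEF backslash escaping (\\|, \\=, \\\\) in one field."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_cef(line: str) -> dict:
    """Split one CEF line into its seven header fields plus extension pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    header = [_unescape(p) for p in parts[:7]]
    ext = {k: _unescape(v) for k, v in _EXT_PAIR.findall(parts[7])}
    return {
        "cef_version": header[0][len("CEF:"):],
        "vendor": header[1], "product": header[2], "version": header[3],
        "signature_id": header[4], "name": header[5], "severity": header[6],
        "ext": ext,
    }


def to_data_points(event: dict) -> dict:
    """Map a parsed event onto the slide-35 data points and the five Ws."""
    ext = event["ext"]
    rt = ext.get("rt")
    # rt is epoch milliseconds in CEF; keep the raw value if it is not numeric.
    when = (datetime.fromtimestamp(int(rt) / 1000, tz=timezone.utc).isoformat()
            if rt and rt.isdigit() else rt)
    return {
        "who": ext.get("suser") or ext.get("duser"),
        "what": ext.get("act") or event["name"],
        "where": {"src_ip": ext.get("src"), "dst_ip": ext.get("dst"),
                  "host_name": ext.get("dhost") or ext.get("dvchost")},
        "when": when,
        "app_name": ext.get("app"),
        "action": ext.get("act"),
    }


def enrich(points: dict) -> dict:
    """Attach CMDB and vulnerability context (slide 37) to the destination."""
    asset = CMDB.get(points["where"]["dst_ip"], {})
    hostname = asset.get("hostname") or points["where"]["host_name"]
    points["context"] = {"asset": asset,
                         "open_findings": OPEN_FINDINGS.get(hostname, [])}
    return points


def priority(points: dict) -> str:
    """The FILTER step of slide 7, as a constructed rule: an allowed action
    against a high-criticality asset with open findings is 'high', anything
    touching a known asset is 'medium', everything else stays 'low' data."""
    ctx = points["context"]
    if (ctx["asset"].get("criticality") == "high"
            and ctx["open_findings"] and points["action"] != "blocked"):
        return "high"
    return "medium" if ctx["asset"] else "low"


def triage(line: str) -> dict:
    """Run one CEF line through parse -> data points -> context -> priority."""
    points = enrich(to_data_points(parse_cef(line)))
    points["priority"] = priority(points)
    return points


# Constructed sample events (not captured from any real device).
SAMPLE_LINES = [
    r"CEF:0|Acme|Firewall|1.0|100|Connection allowed|3|rt=1285027200000 src=192.0.2.10 dst=10.0.1.20 suser=alice app=ssh act=allowed msg=policy\=dmz-to-db",
    r"CEF:0|Acme|Firewall|1.0|101|Connection blocked|5|rt=1285027260000 src=192.0.2.11 dst=10.0.5.7 app=http act=blocked",
    r"CEF:0|Acme|Web\|Proxy|1.0|200|Request|1|rt=1285027300000 src=198.51.100.9 dst=203.0.113.4 app=http act=allowed",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        t = triage(raw)
        print(t["priority"], t["who"], t["what"], t["where"], t["when"])
```

The point of the example is the order of operations: the priority rule is only a few lines, but it can only be written once the event has been normalised into the same data points for every source and joined to asset context. Without the CMDB lookup, all three sample lines look alike to a SIEM; with it, the same "allowed" event is either noise or the one line worth an analyst's time.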