SIEM brown-bag presentation

A (slightly redacted) talk I did for a lunch session at work. Thanks to Patrick for the invite :-)

Published in: Technology

Transcript of "SIEM brown-bag presentation"

  1. SIEM : putting ya goggles on. (Wednesday 22 December 2010)
  2. 2 rules
  3. Disclaimer: This talk != an EY talk. This talk != an [] talk. This talk == MY talk.
  4. Disclaimer: This talk != an EY talk. This talk != an [] talk. This talk == MY talk. Marishka Hargitay !
  5. I. What is SIEM  II. Challenges  III. Common-Sense SIEM  V. What's the future?  VI. ...
  6. What is SIEM ? * What is it not (Log Management) * It's about information. * It's about your needs !
  7. Log Management vs. SIEM
     Log Management: Log Collection; Retention; Search; Indexing/Parsing; Reporting. All types of log data.
     SIEM: Log Collection; Context Data Collection; Normalization; Categorization; Correlation; Notification/Alerting; Prioritization; Reporting; Security role workflow. Security relevant data.
  8. DATA -> PROCESSING -> INFORMATION
  9. Data vs. information
     May 21 20:22:28 slacker2 sshd[8813]: Accepted password for root from 192.168.20.185 port 1066 ssh2
  10. Data vs. information
     May 21 20:20:15 slacker sshd[17834]: Failed password for root from 192.168.20.185 port 1058 ssh2
     May 21 20:22:28 slacker2 sshd[8813]: Accepted password for root from 192.168.20.185 port 1066 ssh2
  11. Data vs. information
     May 21 19:30:28 slacker sshd[9287]: Failed password for root from 192.168.20.185 port 1080 ssh2
     May 21 19:32:30 slacker sshd[10254]: Failed password for root from 192.168.20.185 port 1045 ssh2
     ... (2000 of those)
     May 21 20:20:15 slacker sshd[17834]: Failed password for root from 192.168.20.185 port 1058 ssh2
     May 21 20:22:28 slacker2 sshd[8813]: Accepted password for root from 192.168.20.185 port 1066 ssh2
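Slides 9 to 11 make the data/information point by example: one "Accepted password" line is data, the same line after a long run of failures from the same source is information. The following is an added example (not code from the presentation) that turns the slide's sshd lines into normalized who/what/when/where events and raises an alert when a success follows a burst of failures from the same source, even when the success lands on a different host (slacker -> slacker2 on the slide). The log lines are constructed to match the slide's; the 60-minute window, the threshold of 3 and the year 2010 used to complete the year-less syslog timestamps are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input modelled on the slide: failures from one source
# against "slacker", then a success on "slacker2" (a few lines stand in for the
# slide's "2000 of those"), plus one unrelated clean login.
SAMPLE_LOG = """\
May 21 19:30:28 slacker sshd[9287]: Failed password for root from 192.168.20.185 port 1080 ssh2
May 21 19:32:30 slacker sshd[10254]: Failed password for root from 192.168.20.185 port 1045 ssh2
May 21 19:40:11 slacker sshd[10301]: Failed password for root from 192.168.20.185 port 1051 ssh2
May 21 20:20:15 slacker sshd[17834]: Failed password for root from 192.168.20.185 port 1058 ssh2
May 21 20:22:28 slacker2 sshd[8813]: Accepted password for root from 192.168.20.185 port 1066 ssh2
May 21 20:25:00 slacker sshd[8900]: Accepted publickey for alice from 10.0.0.7 port 50022 ssh2
"""

# Field extraction for the OpenSSH "Accepted ..." / "Failed ..." auth messages.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)

ASSUMED_YEAR = 2010  # BSD syslog timestamps carry no year (assumption for the sample)


def normalize(line):
    """Map one raw sshd line onto the who/what/when/where fields a SIEM keys on.
    Returns None for lines that are not an authentication result."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "when": when,
        "who": m["user"],
        "what": "ssh_login_success" if m["outcome"] == "Accepted" else "ssh_login_failure",
        "where": m["host"],
        "src": m["src"],
        "method": m["method"],
    }


def detect_bruteforce_success(lines, threshold=3, window=timedelta(minutes=60)):
    """Correlation rule: alert when a successful login follows at least
    `threshold` failures for the same (source, user) inside `window`.
    Keyed on the source, not the host, so a spray that ends on another
    box is still caught."""
    recent_failures = defaultdict(deque)  # (src, user) -> failure timestamps
    alerts = []
    for ev in filter(None, map(normalize, lines)):
        key = (ev["src"], ev["who"])
        q = recent_failures[key]
        while q and ev["when"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if ev["what"] == "ssh_login_failure":
            q.append(ev["when"])
        elif len(q) >= threshold:
            alerts.append({
                "when": ev["when"].isoformat(),
                "who": ev["who"],
                "src": ev["src"],
                "host": ev["where"],
                "failures": len(q),
                "message": (f"{len(q)} failed logins for {ev['who']} from {ev['src']} "
                            f"followed by a success on {ev['where']}"),
            })
            q.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_success(SAMPLE_LOG.splitlines()):
        print(alert["message"])
```

The rule only fires on the success, which is the event worth waking someone for; the 2000 failures on their own are a retention and search problem, not an alert.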
  12. Information vs. context: SIEM, IDS and a win2K3 server at 10.10.10.10
  13. Information vs. context: (1) IDS: "MS08-067 !"
  14. (same as 13)
  15. Information vs. context: the Vuln Scan(ner) joins the picture
  16. Information vs. context: (2) SIEM: "scan 10.10.10.10"
  17. Information vs. context: (3) Vuln Scan, to the win2K3 server: "yo, wazzup ?"
  18. Information vs. context: (4) Vuln Scan: "not vulnerable"
  19. Information vs. context: (5) SIEM: "meh!"
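The build-up on slides 12 to 19 is the enrichment step that separates an IDS from a SIEM: the alert says MS08-067 against 10.10.10.10, the scanner says the box is not vulnerable, so the verdict is "meh!". The following is an added example (not code from the presentation) that performs that lookup in code. The asset inventory, scan results and alert records are constructed; the 30-day staleness limit, the signature text, and the decision that unknown or unscanned hosts stay "high" are assumptions. It goes a little beyond the slide by also handling a host the scanner reports as vulnerable, a host with no scan result at all, and a target whose OS the bulletin does not affect.

```python
from datetime import date

# Constructed context data modelled on the slide: the alert's target is a
# Windows 2003 server at 10.10.10.10 that the scanner reports as not vulnerable.
# Two more hosts are added to exercise the other branches.
ASSETS = {
    "10.10.10.10": {"hostname": "win2k3-app", "os": "Windows Server 2003", "criticality": "medium"},
    "10.10.10.20": {"hostname": "win2k3-files", "os": "Windows Server 2003", "criticality": "high"},
    "10.10.10.30": {"hostname": "lnx-web", "os": "Debian GNU/Linux 5", "criticality": "medium"},
}

# Latest scan finding per (host, vulnerability id); assumed layout.
SCAN_RESULTS = {
    ("10.10.10.10", "MS08-067"): {"vulnerable": False, "scanned": date(2010, 12, 20)},
    ("10.10.10.20", "MS08-067"): {"vulnerable": True, "scanned": date(2010, 12, 20)},
}

# Platform family a bulletin applies to; MS08-067 is a Windows Server service bug.
AFFECTED_OS = {"MS08-067": "windows"}

# Constructed IDS alerts; the signature text and the vuln reference are assumed.
IDS_ALERTS = [
    {"sig": "MS08-067 exploit attempt", "vuln": "MS08-067", "src": "192.168.20.185", "dst": "10.10.10.10"},
    {"sig": "MS08-067 exploit attempt", "vuln": "MS08-067", "src": "192.168.20.185", "dst": "10.10.10.20"},
    {"sig": "MS08-067 exploit attempt", "vuln": "MS08-067", "src": "192.168.20.185", "dst": "10.10.10.30"},
    {"sig": "MS08-067 exploit attempt", "vuln": "MS08-067", "src": "192.168.20.185", "dst": "10.10.10.99"},
]


def prioritize(alert, today=date(2010, 12, 22), max_scan_age_days=30,
               assets=ASSETS, scans=SCAN_RESULTS):
    """Steps 2 to 5 of the slide: look the target up, ask what the scanner
    knows, and return (priority, reasons) for the analyst queue."""
    dst, vuln = alert["dst"], alert["vuln"]
    reasons = []
    asset = assets.get(dst)
    if asset is None:
        reasons.append(f"{dst} is not in the asset inventory")
        return "high", reasons            # unknown box: nobody can say "meh" yet
    reasons.append(f"{dst} is {asset['hostname']} ({asset['os']})")
    family = AFFECTED_OS.get(vuln)
    if family and family not in asset["os"].lower():
        reasons.append(f"{vuln} does not apply to {asset['os']}")
        return "low", reasons
    finding = scans.get((dst, vuln))
    if finding is None:
        reasons.append(f"no scan result for {vuln}; cannot rule it out")
        return "high", reasons
    age_days = (today - finding["scanned"]).days
    if finding["vulnerable"]:
        reasons.append(f"scanner confirmed {vuln} {age_days} days ago")
        return ("critical" if asset["criticality"] == "high" else "high"), reasons
    if age_days > max_scan_age_days:
        reasons.append(f"last clean scan for {vuln} is {age_days} days old; stale")
        return "medium", reasons
    reasons.append(f"scanner reported not vulnerable to {vuln} {age_days} days ago")
    return "low", reasons                 # the slide's "meh!"


if __name__ == "__main__":
    for alert in IDS_ALERTS:
        priority, reasons = prioritize(alert)
        print(f"{alert['dst']:<12} {priority:<8} {'; '.join(reasons)}")
```

The reasons list is as important as the priority: an analyst who sees "meh" needs to know it came from a two-day-old scan, and the staleness check is what stops last year's clean scan from silencing this year's attack.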
  20. Why SIEM ? * React Faster ! * Increase efficiency * Automate Compliance
  21. Challenges
  22. Where do we get data from ? App, App, App, App, DB, Virtualisation, Wintel, Unix, NETWORK
  23. How do we work together ?
  24. Parsing data for fun and ... (kill me now)
  25. IP Addresses ... \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b (also matches 999.999.999.999)
  26. IP Addresses ... \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b (also matches 999.999.999.999); the stricter version: \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
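Slides 25 and 26 show the naive dotted-quad pattern accepting 999.999.999.999 and the stricter per-octet pattern that rejects it. The following is an added example (not code from the presentation) that runs both of the slide's patterns over a constructed log excerpt and then shows the approach a parser should take instead: extract loosely, validate with the ipaddress module. The second slide pattern is written with a reused octet sub-pattern, the permissive CANDIDATE pattern and the sample lines are assumptions, and the IPv6 case goes beyond what the slides cover.

```python
import ipaddress
import re

# The two patterns from slides 25 and 26, backslashes restored.
NAIVE_IP = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
STRICT_IP = re.compile(rf"\b{OCTET}\.{OCTET}\.{OCTET}\.{OCTET}\b")

# Permissive candidate pattern (assumed): a dotted quad, or hex groups with at
# least two colons, delimited by anything that is not a word char, dot or colon.
# Deciding whether a candidate really is an address is left to ipaddress.
CANDIDATE = re.compile(
    r"(?<![\w.:])(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f]{0,4}(?::[0-9A-Fa-f]{0,4}){2,7})(?![\w.:])"
)

# Constructed log excerpt: the slide's own sshd line plus three traps.
SAMPLE = (
    "May 21 19:30:28 slacker sshd[9287]: Failed password for root from 192.168.20.185 port 1080 ssh2\n"
    "agent reports peer 999.999.999.999 (not an address, just four numbers)\n"
    "build 1.2.3.4.5 deployed (a version string, not an address)\n"
    "client 2001:db8::1 connected (IPv6, which neither slide pattern sees)\n"
)


def find_all(pattern, text):
    """All non-overlapping matches of a compiled pattern, as strings."""
    return [m.group(0) for m in pattern.finditer(text)]


def extract_valid_ips(text):
    """Extract loosely, validate strictly: keep only candidates the ipaddress
    module accepts, in canonical form."""
    found = []
    for m in CANDIDATE.finditer(text):
        try:
            found.append(str(ipaddress.ip_address(m.group(0))))
        except ValueError:  # 999.999.999.999 and the 19:30:28 timestamp land here
            continue
    return found


if __name__ == "__main__":
    print("naive :", find_all(NAIVE_IP, SAMPLE))
    print("strict:", find_all(STRICT_IP, SAMPLE))
    print("valid :", extract_valid_ips(SAMPLE))
```

Note that the stricter slide pattern still pulls 1.2.3.4 out of the version string 1.2.3.4.5, because \b is a word boundary and a dot is not a word character; the lookarounds in CANDIDATE exclude dots and colons on both sides, which is why that line yields nothing.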
  27. Matching an RFC 822 valid e-mail address using regular expressions ... couldn't be that hard !
  28. (image only)
  29. (the whole slide is one regular expression, several thousand characters long, for an RFC 822 address: the pattern from Perl's Mail::RFC822::Address, beginning (?:(?:\r\n)?[ \t])*(?:(?:(?:[^()<>@,;:\\".\[\] \000-\031]+ and running edge to edge down the slide; the extracted text had its backslashes stripped)
  30. Making sense of data: [three charts of the same per-user event counts (user 1 to user 4) for Monday, Wednesday and Friday]
  31. Making sense of data
  32. Making sense of data
  33. common-sense SIEM
  34. common-sense SIEM! DATA = Use Cases x Data Points
      Use Cases: who, what, when, where, why ?, ...
      Data Points: time/date, user name, source, destination, host name, action, €€€, ...
  35. So, where do we go from here ?
  36. meet Hoover ;-) http://www.loggly.com != SIEM; = LaaS; currently running in beta; log collection/parsing/search/visualization (demo)
  37. Thank you!
  38. Thank you! Marishka Hargitay !