SIEM brown-bag presentation

a (slightly redacted) talk I did for a lunch session at work. Thx to Patrick for the invite :-)

Presentation Transcript

  • SIEM : putting ya goggles on. Wednesday 22 December 2010
  • 2 rules
  • Disclaimer
    This talk != an EY talk
    This talk != an [] talk
    This talk == MY talk
    Marishka Hargitay !
  • I. What is SIEM
    II. Challenges
    III. Common-Sense SIEM
    V. What’s the future?
    VI. ...
  • What is SIEM ?
    * What is it not (Log Management)
    * It’s about information.
    * It’s about your needs !
  • Log Management vs. SIEM
    Log Management: Log Collection, Retention, Search, Indexing/Parsing, Reporting; all types of log data
    SIEM: Log Collection, Context Data Collection, Normalization, Categorization, Correlation, Notification/Alerting, Prioritization, Reporting, Security role workflow; security relevant data
  • INFORMATION
    PROCESSING
    DATA
  • Data vs. information
    May 21 20:22:28 slacker2 sshd[8813]: Accepted password for root from 192.168.20.185 port 1066 ssh2
  • Data vs. information
    May 21 20:20:15 slacker sshd[17834]: Failed password for root from 192.168.20.185 port 1058 ssh2
    May 21 20:22:28 slacker2 sshd[8813]: Accepted password for root from 192.168.20.185 port 1066 ssh2
  • Data vs. information
    May 21 19:30:28 slacker sshd[9287]: Failed password for root from 192.168.20.185 port 1080 ssh2
    May 21 19:32:30 slacker sshd[10254]: Failed password for root from 192.168.20.185 port 1045 ssh2
    ... (2000 of those)
    May 21 20:20:15 slacker sshd[17834]: Failed password for root from 192.168.20.185 port 1058 ssh2
    May 21 20:22:28 slacker2 sshd[8813]: Accepted password for root from 192.168.20.185 port 1066 ssh2
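The "data vs. information" slides above boil down to one correlation rule: many failed logins from a source followed by a success from the same source. The following is an added example, not from the slides; the log lines are constructed in the sshd format shown, and the threshold and window values are arbitrary choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the sshd/syslog shape shown on the slides (not real data)
SAMPLE_LOG = """\
May 21 19:30:28 slacker sshd[9287]: Failed password for root from 192.168.20.185 port 1080 ssh2
May 21 19:32:30 slacker sshd[10254]: Failed password for root from 192.168.20.185 port 1045 ssh2
May 21 19:40:02 slacker sshd[10388]: Failed password for root from 192.168.20.185 port 1049 ssh2
May 21 20:01:11 slacker sshd[12001]: Failed password for root from 10.0.0.7 port 40021 ssh2
May 21 20:20:15 slacker sshd[17834]: Failed password for root from 192.168.20.185 port 1058 ssh2
May 21 20:22:28 slacker2 sshd[8813]: Accepted password for root from 192.168.20.185 port 1066 ssh2
May 21 20:30:00 slacker sshd[18111]: Accepted password for alice from 10.0.0.7 port 40100 ssh2
"""

# Parser: turns one raw line (data) into named fields (normalised data)
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

def parse(line):
    m = SSHD_RE.match(line)
    if m is None:
        return None  # a line we cannot parse carries no information for this rule
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
    return ev

def correlate(log_text, threshold=3, window_s=3600):
    """Correlation rule: a source that failed >= threshold times for a user and then
    logged in successfully within window_s seconds is reported as an alert."""
    failures = defaultdict(list)  # (src ip, user) -> timestamps of failed logins
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["src"], ev["user"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        # Successful login: count the failures from the same source inside the window
        recent = [t for t in failures[key] if 0 <= (ev["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            alerts.append({"src": ev["src"], "user": ev["user"], "host": ev["host"],
                           "failures": len(recent), "success_at": ev["ts"].strftime("%H:%M:%S")})
    return alerts
```

Note that the success lands on a different host (slacker2) than the failures; keying on source and user rather than on host is what makes the rule fire.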
  • Information vs. context (built up over several slides)
    Actors: SIEM, IDS, Vuln Scan, win2K3 server 10.10.10.10
    1. IDS -> SIEM: MS08-067 ! (against 10.10.10.10)
    2. SIEM -> Vuln Scan: scan 10.10.10.10
    3. Vuln Scan -> win2K3 server: yo, wazzup ?
    4. Vuln Scan: not vulnerable
    5. SIEM: meh!
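The five steps above as a prioritisation function: an IDS alert is checked against asset context and an on-demand scanner verdict before it gets a priority. This is an added example, not from the slides; the asset inventory, the scan results and the priority labels are constructed for illustration.

```python
# Constructed context data for the example: an asset inventory and an on-demand
# vulnerability-scan lookup (a real SIEM pulls these from CMDB/scanner connectors).
ASSETS = {
    "10.10.10.10": {"os": "Windows Server 2003", "os_family": "windows"},
    "10.10.10.20": {"os": "Debian 5", "os_family": "linux"},
}
SCAN_RESULTS = {("10.10.10.10", "MS08-067"): "not vulnerable"}  # step 4 on the slide

def ask_scanner(ip, vuln_id):
    """Stand-in for steps 2-3: the SIEM asks the vuln scanner about one host/one finding."""
    return SCAN_RESULTS.get((ip, vuln_id))  # None when the scanner has no answer

def prioritise(alert, assets=ASSETS, scanner=ask_scanner):
    """Turn an IDS alert into (priority, reason) using context, following steps 1-5.
    alert: {"sig": <vuln id>, "dst": <target ip>, "targets": <os family the exploit needs>}"""
    asset = assets.get(alert["dst"])                     # step 1: who is the target?
    if asset is None:
        return "medium", "unknown asset: no context to confirm or dismiss the alert"
    if asset["os_family"] != alert["targets"]:
        return "low", f"{alert['sig']} does not apply to {asset['os']}"
    verdict = scanner(alert["dst"], alert["sig"])        # steps 2-3: scan 10.10.10.10
    if verdict == "not vulnerable":
        return "low", "meh! target is not vulnerable"    # steps 4-5
    if verdict == "vulnerable":
        return "high", f"{asset['os']} at {alert['dst']} is exploitable, react now"
    return "medium", "scanner gave no verdict: verify by hand"

# The alert from the slide: IDS sees MS08-067 aimed at 10.10.10.10
IDS_ALERT = {"sig": "MS08-067", "dst": "10.10.10.10", "targets": "windows"}
```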
  • Why SIEM ?
    * React Faster !
    * Increase efficiency
    * Automate Compliance
  • Challenges
  • Where do we get data from ?
    App App App App
    DB
    Virtualisation
    Wintel Unix
    NETWORK
  • How do we work together ?
  • Parsing data for fun and ... (kill me now)
  • IP Addresses ...
    \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b   (also matches 999.999.999.999)
    \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
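Both patterns from the slide run over one constructed log fragment, as an added example (not from the slides) of what each one lets through; the sample text and the extract_ips helper are assumptions of this example.

```python
import re

# Naive pattern from the slide: any four 1-3 digit groups, so 999.999.999.999 passes
NAIVE_IP = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")
# Strict pattern from the slide: every octet limited to 0-255
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
STRICT_IP = re.compile(r"\b" + r"\.".join([OCTET] * 4) + r"\b")

def extract_ips(text, strict=True):
    """Return every dotted-quad found in text, using the strict or the naive pattern."""
    pattern = STRICT_IP if strict else NAIVE_IP
    return [m.group(0) for m in pattern.finditer(text)]

# Constructed sample: one real address, two impossible ones, and a version string.
# Even the strict pattern accepts "1.2.3.4": a regex cannot tell an address from a
# version number, so the field position ("from <ip>") still has to be parsed.
SAMPLE = ("Failed password for root from 192.168.20.185 port 1058 ssh2; "
          "bogus 999.999.999.999 and 256.1.1.1; agent build 1.2.3.4")
```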
  • Matching an RFC 822 valid e-mail address using regular expressions ... couldn’t be that hard !
    (the next three slides show the full RFC 822 address regular expression, omitted here)
  • Making sense of data
    (three charts plotting counts for user 1 to user 4 on monday, wednesday and friday)
  • common-sense SIEM
  • common-sense SIEM! DATA
    Use Cases: who, what, when, where, why ?, €€€, ...
    Data Points: time/date, user name, source, destination, host name, action, ...
  • So, where do we go from here ?
  • meet Hoover ;-)
    http://www.loggly.com
    != SIEM
    = LaaS
    currently running in beta
    log collection/parsing/search/visualization (demo)
  • Thank you!
    Marishka Hargitay !