SIEM brown-bag presentation
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share

SIEM brown-bag presentation

  • 1,509 views
Uploaded on

a (slightly redacted) talk I did for a lunch session at work. Thx to Patrick for the invite :-)

a (slightly redacted) talk I did for a lunch session at work. Thx to Patrick for the invite :-)

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
1,509
On Slideshare
1,508
From Embeds
1
Number of Embeds
1

Actions

Shares
Downloads
20
Comments
0
Likes
0

Embeds 1

http://twittertim.es 1

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. SIEM : putting ya goggles on.Wednesday 22 December 2010
  • 2. 2 rulesWednesday 22 December 2010
  • 3. Disclaimer This talk != an EY talk This talk != an [] talk This talk == MY talkWednesday 22 December 2010
  • 4. Disclaimer This talk != an EY talk This talk != an [] talk This talk == MY talk Marishka Hargitay !Wednesday 22 December 2010
  • 5. I. What is SIEM II. Challenges III. Common-Sense SIEM V. What’s the future? VI. ...Wednesday 22 December 2010
  • 6. What is SIEM ? * What is it not (Log Management) * It’s about information. * It’s about your needs !Wednesday 22 December 2010
  • 7. Log SIEM Management Log Collection Context Data Collection Log Collection Normalization Retention Categorization Search Correlation Indexing/Parsing Notification/Alerting Reporting Prioritization Reporting Security role workflow All types of log data Security relevant dataWednesday 22 December 2010
  • 8. INFORMATION PROCESSING DATAWednesday 22 December 2010
  • 9. Data vs. information May 21 20:22:28 slacker2 sshd[8813]: Accepted password for root from 192.168.20.185 port 1066 ssh2Wednesday 22 December 2010
  • 10. Data vs. information May 21 20:20:15 slacker sshd[17834]: Failed password for root from 192.168.20.185 port 1058 ssh2 May 21 20:22:28 slacker2 sshd[8813]: Accepted password for root from 192.168.20.185 port 1066 ssh2Wednesday 22 December 2010
  • 11. Data vs. information May 21 19:30:28 slacker sshd[9287]: Failed password for root from 192.168.20.185 port 1080 ssh2 May 21 19:32:30 slacker sshd[10254]: Failed password for root from 192.168.20.185 port 1045 ssh2 ... (2000 of those) May 21 20:20:15 slacker sshd[17834]: Failed password for root from 192.168.20.185 port 1058 ssh2 May 21 20:22:28 slacker2 sshd[8813]: Accepted password for root from 192.168.20.185 port 1066 ssh2Wednesday 22 December 2010
  • 12. Information vs. context SIEM IDS win2K3 server 10.10.10.10Wednesday 22 December 2010
  • 13. Information vs. context 1 SIEM MS08-067 ! IDS win2K3 server 10.10.10.10Wednesday 22 December 2010
  • 14. Information vs. context 1 SIEM MS08-067 ! IDS win2K3 server 10.10.10.10Wednesday 22 December 2010
  • 15. Information vs. context 1 SIEM MS08-067 ! IDS Vuln Scan win2K3 server 10.10.10.10Wednesday 22 December 2010
  • 16. Information vs. context 1 SIEM 2 MS08-067 ! scan 10.10.10.10 IDS Vuln Scan win2K3 server 10.10.10.10Wednesday 22 December 2010
  • 17. Information vs. context 1 SIEM 2 MS08-067 ! scan 10.10.10.10 IDS Vuln Scan 3 yo, win2K3 server wazzup ? 10.10.10.10Wednesday 22 December 2010
  • 18. Information vs. context 1 SIEM 2 MS08-067 ! scan 10.10.10.10 4 not IDS vulnerable Vuln Scan 3 yo, win2K3 server wazzup ? 10.10.10.10Wednesday 22 December 2010
  • 19. Information vs. context 5 meh! 1 SIEM 2 MS08-067 ! scan 10.10.10.10 4 not IDS vulnerable Vuln Scan 3 yo, win2K3 server wazzup ? 10.10.10.10Wednesday 22 December 2010
  • 20. Why SIEM ? * React Faster ! * Increase efficiency * Automate ComplianceWednesday 22 December 2010
  • 21. ChallengesWednesday 22 December 2010
  • 22. Where do we get data from ? App App App App DB Virtualisation Wintel Unix NETWORKWednesday 22 December 2010
  • 23. How do we work together ?Wednesday 22 December 2010
  • 24. Parsing data for fun and ... (kill me now)Wednesday 22 December 2010
  • 25. IP Addresses ... bd{1,3}.d{1,3}.d{1,3}.d{1,3}b 999.999.999.999Wednesday 22 December 2010
  • 26. IP Addresses ... bd{1,3}.d{1,3}.d{1,3}.d{1,3}b 999.999.999.999 b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]? [0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4] [0-9]|[01]?[0-9][0-9]?)bWednesday 22 December 2010
  • 27. Matching an RFC 822 valid e-mail address using regular expressions ... couldn’t be that hard !Wednesday 22 December 2010
  • 28. Wednesday 22 December 2010
  • 29. (?:(?:rn)?[ t])*(?:(?:(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t] )+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?: rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:( ?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-0 31]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)* ](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?: (?:rn)?[ t])*))*|(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z |(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn) ?[ t])*)*<(?:(?:rn)?[ t])*(?:@(?:[^()<>@,;:".[] 000-031]+(?:(?:(?: rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn) ?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t] )*))*(?:,@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])* )(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t] )+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*) *:(?:(?:rn)?[ t])*)?(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+ |Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:r n)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?: rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t ]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[]000-031 ]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*]( ?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(? :(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(? :rn)?[ t])*))*>(?:(?:rn)?[ t])*)|(?:[^()<>@,;:".[] 000-031]+(?:(? :(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)? [ t]))*"(?:(?:rn)?[ t])*)*:(?:(?:rn)?[ t])*(?:(?:(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]| .|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<> @,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|" (?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t] )*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;: ".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(? :[^()<>@,;:".[]000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[ ]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*|(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|( ?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)*<(?:(?:rn)?[ t])*(?:@(?:[^()<>@,; :".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([ ^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:" .[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[ ]r]|.)*](?:(?:rn)?[ t])*))*(?:,@(?:(?:rn)?[ t])*(?:[^()<>@,;:". [] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[] r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r] |.)*](?:(?:rn)?[ t])*))*)*:(?:(?:rn)?[ t])*)?(?:[^()<>@,;:".[] 0 00-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]| .|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@, ;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(? :[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])* (?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[ ^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[] ]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*>(?:(?:rn)?[ t])*)(?:,s*( ?:(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;: ".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:( ?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[ ["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t ])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t ])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(? :.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+| Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*|(?: [^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[ ]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)*<(?:(?:rn) ?[ t])*(?:@(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[[" ()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn) ?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<> @,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*(?:,@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@, ;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t] )*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;: ".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*)*:(?:(?:rn)?[ t])*)? (?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?: rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[[ "()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t]) *))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t]) +|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?: .(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z |(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*>(?:( ?:rn)?[ t])*))*)?;s*)Wednesday 22 December 2010
  • 30. Making sense of data user 1 user 2 user 1 user 2 user 3 user 4 user 3 user 4 70 200 52,5 150 100 35 50 17,5 0 0 monday wednesday friday monday wednesday friday 200 150 user 4 100 user 3 user 2 50 user 1 0 monday wednesday fridayWednesday 22 December 2010
  • 31. Making sense of dataWednesday 22 December 2010
  • 32. Making sense of dataWednesday 22 December 2010
  • 33. common-sense SIEMWednesday 22 December 2010
  • 34. common-sense SIEM! DATA Use Cases Data Points time/date who user name what source when destination where host name why ? action €€€ ... ...Wednesday 22 December 2010
  • 35. So, where do we go from here ?Wednesday 22 December 2010
  • 36. mee tH oov er ; -) http://www.loggly.com != SIEM = LaaS currently running in beta log collection/parsing/search/visualization (demo)Wednesday 22 December 2010
  • 37. Thank you!Wednesday 22 December 2010
  • 38. Thank you! Marishka Hargitay !Wednesday 22 December 2010