Presentation Title: Deconstructing the SIEM Platform There are many misconceptions about what a SIEM is and why they should still be the heart of an operational capability when it comes to security controls and monitoring. This topic will outline what makes a powerful SIEM and why creating it yourself is increasingly challenging. We'll explore the frameworks at the heart of a SIEM and how Splunk has developed Enterprise Security with these in mind; finishing with some general lessons learned for SIEM implementation projects.
Short Bio: Harry McLaren is a Senior Consultant at ECS and is responsible for service delivery, technical leadership and people development in the rapidly growing Splunk consulting practice and is responsible for growing our team of talented Splunk Consultants. ECS, a specialist in enterprise IT services, has an award-winning IT security capability which is focused on Cybersecurity Operations Centres and IT security consulting.
Define ‘Big Data’ Define ’SIEM’
Few Security based use cases you have leverage big data platforms for, but how?
SIEM evolution and the (often fallacy) that is ‘next-gen’ SIEM. “Next-gen” shouldn’t even be a term as your security operational capability to grow organically and the tools should be able to keep up. How a platform which can grow as your security maturity and technical ability also grows (not limited to only “out-of-the-box features”).
Building full featured SIEMs is hard. Many try, many fail. Big data platforms only provide access to (hopefully) easy to search data. Most end up as very basic rule engines similar in function to a distributed IDS (NIDS or HIDS).
Rules Threshold Based Anomaly/Behaviour Based Boolean Based Context Asset & Identity Awareness Risk Profiling/Analytics Approved Types of Activity vs Not Frameworks Scalability (Volume, Complexity) User Empowerment (without being a platform expert) Expansion and development of custom use cases. Integration Data Source Compatibility (Schema vs Write one, read multiple ways). Workflow Integration & Centralised Investigation Orchestration
Example high-level architecture of a SIEM platform. Lots of components working together. Inputs, procedures and outputs are covered. Five frameworks mentioned covered in more detail. Not going to talk all the way through each one, purpose is to show the types of frameworks required and illustrate the contents of them.
This is about what is important to you, what does your threat modelling identify as ‘at risk’ and the framework to identify, group and report of these events of interest. Workflow management, including analyst actions and status of event/events of interest.
Contextual awareness within an organisation involves telling the SIEM who your users are and what assets are within your estate. Dynamic updates are a priority as context changes (JML).
Not my favourite term… So lets pretend it says ‘Threat Data’. Up to date information is key, various types of data provider. Additional context, terms unknowns into knowns. From a potential threat (unlikely to be triaged), so a known threat.
Correlation between contextual sources. Custom inputs / outputs. Useful for more mature threat assessment of behaviour.
Most recent addiction to most SIEM platforms. Splunk supported calling scripts / APIs, but all were custom and not part of a ecosystem. Major next step in rapid response to threat and taking action to halt the threat before the end of the kill-chain/attack cycle. Builds up operational capability with the ability to gather relevant context automatically, then triage and act in a flued and informed manner.
Understand the reasons for the project, use cases, motivations and what constraints might apply. Prepare, prepare, prepare. Ensure you have scoped all required inputs, outputs and the level of dependencies between them. Integrate everything! Not just the data sources, but workflow, automation and orchestration. SIEM can be very powerful tools, however if the team which is going to own it/use it doesn’t know how, it’ll go to waste. SecOps teams should be a the forefront of exploring the data, hunting and defining their own use cases.
What are SIEM platforms made of and why
are frameworks so important?
Harry McLaren – Senior Security Consultant at ECS
•Alumnus of Edinburgh Napier
•Senior Security Consultant at ECS
• Splunk Consultant & Architect
• SOC Build & Use Case Development
Security Information & Event
Software products and services combine
security information management (SIM)
and security event management (SEM).
They provide real-time analysis of security alerts
generated by network hardware and applications.
Source: Wikipedia & Gartner
SIEM USE CASES
S & FORENSICS
Coined in 2005
v1.0 Ticketing &
v1.5 Risk Based
v2.0 “Next-Gen SIEM”v3.0
Initial Rule Sets
& Event Queues
& Threat Data
Maximize cross-silo visibility by on-boarding ALL data sources.
Automate repetitive tasks and setup orchestration for the rest.
Understand your project’s input and output requirements.
Champion the project and identify project dependencies.
Identify the problem(s) you’re trying to solve.
Document the risks/threats this control mitigates or minimises.
Position SIEM project as part of transformative change.
Enable and engage SecOps to own and evolve platform.
SPLUNK USER GROUP - EDINBURGH
• Splunking at Home (Homegrown Lab)
• Supporting Splunk at Scale
• Overview of Splunk Enterprise Security
• Tuesday, 27th of June, 5:30pm-8pm
• Edinburgh Napier University, 10 Colinton
Road, Edinburgh, EH10 5DT