Got SIEM? Now what? Getting SIEM Work For You

Got SIEM? Now what? Making SIEM work for you!

Dr Anton Chuvakin
SANS 2010

Security Information and Event Management (SIEM) and log management tools have become more common across large organizations in recent years, and they have also been the subject of heated debate. In fact, your organization might have purchased these tools already. However, many who acquired SIEM tools have realized that they are not ready to use many of the advanced correlation features, despite promises that "they are easy to use." So, what should you do to achieve success with SIEM? What logs should you collect? Correlate? Review? How do you use log management as a step before SIEM? What process absolutely must be built before a SIEM purchase becomes successful? Attend this session to learn from the experience of those who did not have the benefit of learning from others' mistakes. Also, learn a few tips on how to "operationalize" that SIEM purchase you've made.


  1. Got SIEM? Now what? Making SIEM work for you
     Dr. Anton Chuvakin, Security Warrior Consulting, www.securitywarriorconsulting.com
     SANS @ Night, San Francisco 2010

  2. Outline
     • Brief: What is SIEM/LM?
     • “You got it!”
     • SIEM Pitfalls and Challenges
     • Useful SIEM Practices – From Deployment Onwards
     • SIEM “Worst Practices”
     • Secret to SIEM Magic!
     • Conclusions

  3. About Anton
     • Former employee of SIEM and log management vendors
     • Now consulting for SIEM vendors and SIEM users
     • SANS class author (SEC434 Log Management)
     • Author, speaker, blogger, podcaster (on logs, naturally)

  4. SIEM? Security Information and Event Management! (sometimes: SIM or SEM)

  5. Got SIEM? Now what?

  6. SIEM and Log Management
     • SIEM: Security Information and Event Management – focus on security uses of logs and other data
     • LM: Log Management – focus on all uses of logs

  7. Why do SO many people think that “SIEM sucks”?

  8. SIEM Evolution
     • 1997–2002: IDS and firewall – worms, alert overflow, etc. – sold as “SOC in the box”
     • 2003–2007: the above + servers + context – PCI DSS, SOX, users – sold as “SOC in the box”++
     • 2008+: the above + applications + … – fraud, activities, cybercrime – sold as “SOC in the box”+++++

  9. What SIEM MUST Have
     1. Log and context data collection
     2. Normalization and categorization
     3. Correlation (“SEM”)
     4. Notification/alerting (“SEM”)
     5. Prioritization (“SEM”)
     6. Dashboards and visualization
     7. Reporting and report delivery (“SIM”)
     8. Security role workflow (IR, SOC, etc.)

  10. What SIEM Eats: Logs
     <122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2
     <13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ANTON Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574
     <57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006
     <18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
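
The four lines above are what a SIEM's normalization and categorization stage (item 2 on slide 9) has to turn into one schema before anything can be correlated across devices. The Python below is an added example written for this page, not code from the deck or from any SIEM product: it parses the four sample lines from slide 10 (reproduced inline, with the extraction line breaks rejoined) into a common event record with device type, category, outcome, user and source, lower-cases the user name so that Windows' “ANTON” and sshd's “anton” correlate as one account, and keeps any line it cannot parse as an “unparsed” event instead of dropping it. It goes slightly beyond the slide by also recognizing the failure variants of the same messages (sshd “Failed password”, Windows Failure Audit, Cisco LOGIN_FAILED), which is what the failure-then-success use case later in the deck needs. The regular expressions, field names and device type labels are assumptions for this example, not a vendor schema.

```python
import re
from dataclasses import dataclass, asdict
from typing import Optional

# The four lines from slide 10, rejoined where extraction broke them.
SAMPLE_LOGS = [
    "<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2",
    "<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ANTON Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574",
    "<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006",
    "<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)",
]


@dataclass
class Event:
    """Common schema (assumed for this example): the fields correlation rules key on."""
    device_type: str           # which parser matched, e.g. "linux_sshd"
    category: str              # "authentication" here, or "unparsed"
    outcome: str               # "success", "failure" or "unknown"
    user: Optional[str]        # lower-cased so "ANTON" and "anton" are one account
    src_ip: Optional[str]      # empty when the log names a host instead of an address
    src_host: Optional[str]
    raw: str                   # always kept: the analyst needs the original line


# (device_type, regex). Each regex is an assumption written for the sample formats above.
PARSERS = [
    ("linux_sshd", re.compile(
        r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
        r"from (?:::ffff:)?(?P<src_ip>[\d.]+)")),
    ("windows_security", re.compile(
        r"\b(?:680|528|529|4624|4625)\b.*?\b(?P<outcome>Success Audit|Failure Audit)\b.*?"
        r"Logon account: (?P<user>\S+) Source Workstation: (?P<src_host>\S+)")),
    ("cisco_ios", re.compile(
        r"%SEC_LOGIN-\d-(?P<outcome>LOGIN_SUCCESS|LOGIN_FAILED):.*?\[user:(?P<user>[^\]]+)\] "
        r"\[Source:(?P<src_ip>[\d.]+)\]")),
    ("netscreen", re.compile(
        r"NetScreen .*?Admin User (?P<user>\S+) has logged on via \w+ from (?P<src_ip>[\d.]+)")),
]

# Map each device's own wording onto the shared outcome vocabulary.
OUTCOMES = {
    "Accepted": "success", "Success Audit": "success", "LOGIN_SUCCESS": "success",
    "Failed": "failure", "Failure Audit": "failure", "LOGIN_FAILED": "failure",
}


def normalize(line: str) -> Event:
    for device_type, rx in PARSERS:
        m = rx.search(line)
        if not m:
            continue
        g = m.groupdict()
        if device_type == "netscreen":
            outcome = "success"          # this message only exists for a completed admin logon
        else:
            outcome = OUTCOMES.get(g.get("outcome"), "unknown")
        user = g.get("user")
        return Event(device_type, "authentication", outcome,
                     user.lower() if user else None, g.get("src_ip"), g.get("src_host"), line)
    # Never silently drop what you cannot parse: categorize it so it stays visible and searchable.
    return Event("unknown", "unparsed", "unknown", None, None, None, line)


def normalize_all(lines):
    return [normalize(line) for line in lines]


if __name__ == "__main__":
    for ev in normalize_all(SAMPLE_LOGS):
        fields = asdict(ev)
        fields.pop("raw")
        print(fields)
```

Note that the Windows 680 record names a source workstation rather than an IP address, so src_ip stays empty for it; a rule keyed on source address will not see Windows failures unless the normalizer also resolves workstation names to addresses from inventory data, which is the kind of context the next slide refers to.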
  11. What SIEM Eats: Context
     http://chuvakin.blogspot.com/2010/01/on-log-context.html

  12. Just What Is “Correlation”?
     • Dictionary: “establishing relationships”
     • SIEM: “relate events together for security benefit”
     • Why correlate events? Automated cross-device data analysis!
     • Simple correlation rule: if this, followed by that, take some action

  13. Popular #SIEM_FAIL … in partial answer to “why do people think SIEM sucks?”
     1. Misplaced expectations (“SOC-in-a-box”)
     2. Missing requirements (“SIEM… huh?”)
     3. Missed project sizing
     4. Political challenges with integration
     5. Lack of commitment
     6. Vendor deception (*)
     7. And only then: product not working

  14. Big 3 for SIEM/LM
     (diagram: SIEM and LM overlapping across the three drivers Compliance, Security and Operations)

  15. In Reality …
     (diagram: compliance budget vs. security budget)

  16. SIEM Planning Areas
     1. Goals and requirements
     2. Functionality / features
     3. Scoping of data collection
     4. Sizing
     5. Architecting
     … in THAT order!

  17. What is a “Best Practice”?
     • A process or practice that
       – the leaders in the field are doing today
       – generally leads to useful results with cost effectiveness
     P.S. If you still hate it, say “useful practices”

  18. BP1: LM before SIEM!
     If you remember one thing from this, let it be: Deploy Log Management BEFORE SIEM!
     Q: Why do you think MOST 1990s SIEM deployments FAILED?
     A: There was no log management! SEM alone is just not that useful…

  19. Graduating from LM to SIEM
     Are you ready? Well, do you have…
     1. Response capability – prepared to respond to alerts
     2. Monitoring capability – an operational process to monitor
     3. Tuning and customization ability – can customize the tools and content

  20. SIEM/LM Maturity Curve
     (diagram only)

  21. BP2: Evolving to SIEM
     Steps of a journey …
     • Establish response process
     • Deploy a SIEM
     • Think “use cases”
     • Start filtering logs from LM to SIEM – in phases!
     • Prepare for the initial increase in workload

  22. Example LM -> SIEM Filtering
     3D: Devices / Network topology / Events
     • Devices: NIDS/NIPS, WAF, servers
     • Network: DMZ, payment network (PCI scope), other “key domains”
     • Events: authentication, outbound firewall access
     Later: proxies, more firewall data, web servers
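
The three dimensions on this slide can be written down as a forwarding policy between the log management tier and the SIEM, so that the phases are explicit and reviewable rather than living in someone's head. The Python below is an added example for this page, not the deck's own material or any product's configuration: phase 1 forwards every event from NIDS/NIPS and WAF, events from servers in the DMZ or the payment network, authentication events from anywhere, and outbound firewall access; phase 2 adds proxies, web servers and the remaining firewall data, following the slide's “later” line. The zone CIDRs, device type labels, event categories and the sample events are assumptions constructed for the example. Everything still lands in log management; only the selected subset is forwarded.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

# Assumed zone definitions; in practice these come from the network inventory.
ZONES = {
    "dmz":     [ip_network("192.0.2.0/24")],
    "payment": [ip_network("10.50.0.0/16")],    # PCI DSS scope
}


def zones_for(ip: Optional[str]) -> FrozenSet[str]:
    """Names of every zone whose address space contains ip (empty for None or unzoned)."""
    if not ip:
        return frozenset()
    addr = ip_address(ip)
    return frozenset(name for name, nets in ZONES.items() if any(addr in n for n in nets))


@dataclass(frozen=True)
class Rule:
    """One forwarding rule. Every constraint the rule sets must hold (AND);
    the policy forwards an event if any rule matches (OR). An empty set means unconstrained."""
    device_types: FrozenSet[str] = frozenset()
    zones: FrozenSet[str] = frozenset()
    categories: FrozenSet[str] = frozenset()

    def matches(self, ev: dict) -> bool:
        if self.device_types and ev["device_type"] not in self.device_types:
            return False
        if self.zones:
            touched = zones_for(ev.get("src_ip")) | zones_for(ev.get("dst_ip"))
            if not (touched & self.zones):
                return False
        if self.categories and ev["category"] not in self.categories:
            return False
        return True


# Phase 1 (slide 22): security devices, key network segments, two event types.
PHASE_1 = [
    Rule(device_types=frozenset({"nids", "nips", "waf"})),                          # everything they emit
    Rule(device_types=frozenset({"server"}), zones=frozenset({"dmz", "payment"})),  # servers in scope
    Rule(categories=frozenset({"authentication"})),                                 # auth from anywhere
    Rule(device_types=frozenset({"firewall"}), categories=frozenset({"firewall_outbound"})),
]
# Phase 2 ("later"): proxies, web servers, the rest of the firewall data.
PHASE_2 = PHASE_1 + [
    Rule(device_types=frozenset({"proxy", "web_server"})),
    Rule(device_types=frozenset({"firewall"})),
]


def forward_to_siem(ev: dict, policy) -> bool:
    return any(rule.matches(ev) for rule in policy)


def split(events, policy):
    """Everything is retained in LM; return (forwarded to SIEM, kept in LM only)."""
    to_siem = [e for e in events if forward_to_siem(e, policy)]
    lm_only = [e for e in events if not forward_to_siem(e, policy)]
    return to_siem, lm_only


# Constructed sample events. For host logs, dst_ip is the reporting host itself.
SAMPLE_EVENTS = [
    {"id": 1, "device_type": "nids",       "category": "ids_alert",             "src_ip": "198.51.100.9", "dst_ip": "192.0.2.10"},
    {"id": 2, "device_type": "server",     "category": "process",               "src_ip": None,           "dst_ip": "10.50.3.4"},
    {"id": 3, "device_type": "server",     "category": "process",               "src_ip": None,           "dst_ip": "10.20.3.4"},
    {"id": 4, "device_type": "server",     "category": "authentication",        "src_ip": "10.20.1.1",    "dst_ip": "10.20.3.4"},
    {"id": 5, "device_type": "firewall",   "category": "firewall_outbound",     "src_ip": "10.20.3.4",    "dst_ip": "203.0.113.7"},
    {"id": 6, "device_type": "firewall",   "category": "firewall_inbound_deny", "src_ip": "203.0.113.7",  "dst_ip": "192.0.2.10"},
    {"id": 7, "device_type": "proxy",      "category": "http",                  "src_ip": "10.20.1.1",    "dst_ip": "203.0.113.7"},
    {"id": 8, "device_type": "web_server", "category": "http",                  "src_ip": "198.51.100.9", "dst_ip": "192.0.2.10"},
]


if __name__ == "__main__":
    for name, policy in (("phase 1", PHASE_1), ("phase 2", PHASE_2)):
        sent, kept = split(SAMPLE_EVENTS, policy)
        print(name, "-> SIEM:", [e["id"] for e in sent], " LM only:", [e["id"] for e in kept])
```

The point of keeping the policy as data is that the phase boundary becomes a diff: when phase 2 is switched on, the extra rules are visible to whoever has to size the SIEM for the added volume, which is the sizing step that slide 16 puts before architecting.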
  23. “Complianc-y” Approach to SIEM
     1. List regulations
     2. Identify other “use cases”
     3. Review whether SIEM/LM is needed
     4. Map features to controls
     5. Select and deploy
     6. Operationalize regulations
     7. Expand use

  24. “Quick Wins” for Phased Approach
     Phased approach #1:
     • Collect problems
     • Plan architecture
     • Start collecting
     • Start reviewing
     • Solve problem 1
     • … Solve problem n
     Phased approach #2:
     • Focus on 1 problem
     • Plan architecture
     • Start collecting
     • Start reviewing
     • Solve problem 1
     • Plan again

  25. BP3: SIEM First Steps
     First step = BABY steps!
     • Compliance monitoring
     • “Traditional” SIEM uses
       – Authentication tracking
       – IPS/IDS + firewall correlation
       – Web application hacking
     • Simple use cases – based on your risks
     What problems do YOU want solved?

  26. Example SIEM Use Case: Cross-system authentication tracking
     • Scope: all systems with authentication (!)
     • Purpose: detect unauthorized access to systems
     • Method: track login failures and successes
     • Rule details: multiple login failures followed by a login success
     • Response plan: user account investigation, suspension, communication with the suspect user
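
Slide 12's “if this, followed by that, take some action” and the rule details above (multiple login failures followed by a login success, across every system that authenticates) are the same rule stated twice. The Python below is an added example for this page, not code from the deck or from any SIEM: a stateful correlator that keeps a sliding window of failures per key, fires when a success arrives while the window still holds at least the threshold number of failures, and closes the burst on any success so a user who mistypes a password twice does not accumulate toward an alert over the course of a day. It is keyed on the normalized user name, which is what makes it cross-system (failures on a domain controller and a router, then a success over SSH), and it can be re-keyed on source address to catch a password spray where each user fails only once. The threshold, window, field names and the event list are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                # how many failures count as "multiple"; assumed, tune per environment
WINDOW = timedelta(minutes=10)    # failures older than this no longer count; assumed value

# Constructed, already-normalized events (what the LM -> SIEM feed carries after
# normalization). Field names are assumptions for this example, not a vendor schema.
EVENTS = [
    # anton: failures on a Windows DC and a Cisco router, then success over SSH, all from one source
    {"ts": "2010-03-04 09:00:01", "device": "dc01 (windows)",     "user": "anton", "src_ip": "10.4.2.11", "outcome": "failure"},
    {"ts": "2010-03-04 09:00:09", "device": "dc01 (windows)",     "user": "anton", "src_ip": "10.4.2.11", "outcome": "failure"},
    {"ts": "2010-03-04 09:00:20", "device": "rtr1 (cisco)",       "user": "anton", "src_ip": "10.4.2.11", "outcome": "failure"},
    {"ts": "2010-03-04 09:00:31", "device": "dc01 (windows)",     "user": "anton", "src_ip": "10.4.2.11", "outcome": "failure"},
    {"ts": "2010-03-04 09:00:44", "device": "rtr1 (cisco)",       "user": "anton", "src_ip": "10.4.2.11", "outcome": "failure"},
    {"ts": "2010-03-04 09:01:02", "device": "web01 (linux sshd)", "user": "anton", "src_ip": "10.4.2.11", "outcome": "success"},
    # bob: one typo, then success -> benign
    {"ts": "2010-03-04 09:05:00", "device": "web01 (linux sshd)", "user": "bob",   "src_ip": "192.168.1.7", "outcome": "failure"},
    {"ts": "2010-03-04 09:05:10", "device": "web01 (linux sshd)", "user": "bob",   "src_ip": "192.168.1.7", "outcome": "success"},
    # dave: five failures, but the success comes 20 minutes later, outside the window
    *[{"ts": f"2010-03-04 08:00:{s:02d}", "device": "dc01 (windows)", "user": "dave", "src_ip": "10.8.8.8", "outcome": "failure"}
      for s in (0, 10, 20, 30, 40)],
    {"ts": "2010-03-04 08:20:00", "device": "dc01 (windows)",     "user": "dave",  "src_ip": "10.8.8.8", "outcome": "success"},
    # password spray from one address: each user fails once, then one account succeeds
    *[{"ts": f"2010-03-04 09:10:{s:02d}", "device": "web01 (linux sshd)", "user": u, "src_ip": "203.0.113.5", "outcome": "failure"}
      for s, u in zip((0, 5, 10, 15, 20), ("alice", "bob", "carol", "dave", "erin"))],
    {"ts": "2010-03-04 09:10:30", "device": "web01 (linux sshd)", "user": "frank", "src_ip": "203.0.113.5", "outcome": "success"},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


class FailuresThenSuccess:
    """Stateful correlation rule: at least `threshold` failures for one key inside `window`,
    followed by a success for the same key, raises one alert and closes the burst."""

    def __init__(self, key_field="user", threshold=FAIL_THRESHOLD, window=WINDOW):
        self.key_field = key_field
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # key -> deque of (timestamp, device)

    def feed(self, ev: dict):
        key = ev.get(self.key_field)
        if key is None:                      # e.g. a Windows 680 record carries no source IP
            return None
        now = _ts(ev["ts"])
        q = self.failures[key]
        while q and now - q[0][0] > self.window:   # expire failures that fell out of the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append((now, ev["device"]))
            return None
        if ev["outcome"] != "success":
            return None
        alert = None
        if len(q) >= self.threshold:
            alert = {
                "rule": "auth: multiple failures followed by success",
                "key": f"{self.key_field}={key}",
                "failures": len(q),
                "devices": sorted({d for _, d in q} | {ev["device"]}),
                "first_failure": q[0][0].isoformat(sep=" "),
                "success_at": ev["ts"],
            }
        q.clear()                            # any success closes the burst
        return alert


def run_rule(events, key_field="user"):
    """Replay events in time order through one rule instance and collect its alerts."""
    rule = FailuresThenSuccess(key_field)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # time order matters: sync your clocks (WP5)
        alert = rule.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for key in ("user", "src_ip"):
        for alert in run_rule(EVENTS, key):
            print(alert)
```

Keyed on user, only anton's burst fires; keyed on src_ip, the spray from 203.0.113.5 fires as well, because the per-user count never reaches the threshold but the per-source count does. The alert carries the devices involved and the count, which is what the response plan above needs to open the account investigation; it is a lead, not proof, and the rule will also fire for a forgotten-password user who eventually gets it right, so baseline your own failure rate before paging anyone.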
  27. 10 minutes or 10 months?
     “Our log management appliance can be racked, configured and collecting logs in 10 minutes.”
     “A typical large customer takes 10 months to deploy a log management architecture based on our technology.”
     ?

  28. Secret to SIEM Magic!
     (diagram, top to bottom: “Operationalizing” SIEM (e.g. SOC building); Deployment Service; SIEM Software/Appliance)

  29. Ultimate SIEM Usage Scenarios
     1. Security Operations Center (SOC) – real-time views, analysts 24/7, chase alerts
     2. Mini-SOC / “morning after” – delayed views, analysts 1/24, review and drill-down
     3. “Automated SOC” / alert + investigate – configure and forget, investigate alerts
     4. Compliance status reporting – review reports/views weekly/monthly

  30. What is a “Worst Practice”?
     • As opposed to the “best practice” it is …
       – what the losers in the field are doing today
       – a practice that generally leads to disastrous results, despite its popularity

  31. WPs for SIEM Project Scope
     • WP1: Postpone scope until after the purchase
       – “The vendor says ‘it scales’, so we will just feed ALL our logs”
       – Windows, Linux, i5/OS, OS/390, Cisco – send ’em in!
     • WP2: Assume you will be the only user of the tool
       – “Steakholders”? What’s that?
       – Common consequence: two or more similar tools are bought

  32. Case Study: “We Use ’em All”
     At SANS Log Management Summit 200X…
     • Vendors X, Y and Z claim “Big Finance” as a customer
     • How can that be?
     • Well, different teams purchased different products …
     • About $2.3m wasted on tools that do the same!

  33. WPs for Deployment
     • WP3: Expect the vendor to write your logging policy OR ignore vendor recommendations
       – “Tell us what we need” – “tell us what you have”, forever…
     • WP4: Unpack the boxes and go!
       – “Coordinating with network and system folks is for cowards!”
       – Do you know why LM projects sometimes take months?
     • WP5: Don’t prepare the infrastructure
       – “Time synchronization? Pah, who needs it”
     • WP6: Deploy everywhere at once
       – “We need it everywhere!! Now!!”

  34. Case Study: Shelfware Forever!
     • Financial company gets a SIEM tool after many months of “evaluations”
     • Vendor SEs deploy it
     • One year passes by
     • A new CSO comes in; looks for what is deployed
     • Finds a SIEM tool whose database contains exactly 53 log records (!)
       – It was never connected to a production network…

  35. WPs for Expanding Deployment
     • WP7: Don’t bother with a product owner
       – “We all use it – we all run it” (= nobody does)
     • WP8: Don’t check for changed needs – just buy more of the same
       – “We made the decision – why fuss over it?”
     • WP9: If it works for 10, it will be OK for 10,000
       – “1, 10, 100, …, 1 trillion – they are just numbers”

  36. Case Study: Today – Datacenter, Tomorrow … Oops!
     • Log management tool is tested and deployed at two datacenters – with great success!
     • PCI DSS comes in; scope is expanded to wireless systems and POS branch servers
     • The tool is to be deployed in 410 (!) more locations
     • “Do you think it will work?” – “Suuuuure!”, says the vendor
     • Security director resigns …

  37. More Quick SIEM Tips
     Cost countless sleepless nights and boatloads of pain…
     • No SIEM before IR plans/procedures
     • No SIEM before basic log management
     • Think “quick wins”, not “OMG… that SIEM boondoggle”
     • Tech matters! But practices matter more
     • Things will get worse before they get better. Invest time before collecting value!

  38. SIEM Resourcing Voodoo
     “Things get worse before they get better”
     • Hardware – initial + growth
     • Software license fees (CPU, device, EPS, user, etc.)
     • Support and integration projects
     • Operations personnel (analysts, developer)
     • SIEM administrator personnel (SA, DBA, application admin)

  39. Conclusions
     • SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required
     • FOCUS on what problems you are trying to solve with SIEM: requirements!
     • A phased approach WITH “quick wins” is the easiest way to go
     • Operationalize!!!

  40. And If You Only …
     … learn one thing from this…
     … then let it be…

  41. Requirements! Requirements! Requirements!
     (the word repeated to fill the entire slide)

  42. Questions?
     Dr. Anton Chuvakin
     Email: anton@chuvakin.org
     Site: http://www.chuvakin.org
     Blog: http://www.securitywarrior.org
     Twitter: @anton_chuvakin
     Consulting: http://www.securitywarriorconsulting.com

  43. More Resources
     • Blog: www.securitywarrior.org
     • Podcast: look for “LogChat” on iTunes
     • Slides: http://www.slideshare.net/anton_chuvakin
     • Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin
     • Consulting: http://www.securitywarriorconsulting.com/

  44. More on Anton
     • Consultant: http://www.securitywarriorconsulting.com
     • Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
     • Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
     • Standard developer: CEE, CVSS, OVAL, etc.
     • Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
     • Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

  45. Security Warrior Consulting Services
     • Logging and log management strategy, procedures and practices
       – Develop logging policies and processes, log review procedures, workflows and periodic tasks, and help architect those to solve organizational problems
       – Plan and implement a log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention and log source configuration, as well as reporting, review and validation
       – Customize industry “best practices” related to logging and log review to fit your environment; help link these practices to business services and regulations
       – Help integrate logging tools and processes into IT and business operations
     • SIEM and log management content development
       – Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
       – Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
     More at www.SecurityWarriorConsulting.com
