Making Log Data Useful: SIEM and Log Management Together


Outline for Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin @ Security Warrior Consulting

Security Information and Event Management vs/with Log Management
Graduating from LM to SIEM
SIEM and LM “best practices”
First steps with SIEM
Using SIEM and LM together


Speaker notes:
  • Organizations that graduate too soon will waste time and effort, and won't see any increased efficiency in their security operation. However, waiting too long also means that the organization will never develop the capabilities necessary to secure itself. In brief, the criteria are:
    - Response capability: the organization must be ready to respond to alerts soon after they are produced.
    - Monitoring capability: the organization must have, or start to build, a security monitoring capability such as a Security Operations Center (SOC), or at least a team dedicated to ongoing periodic monitoring.
    - Tuning and customization ability: the organization must accept responsibility for tuning and customizing the deployed SIEM tool. Out-of-the-box SIEM deployments rarely succeed or reach their full potential.
  • “Graduating” from LM to SIEM
    - Who should do it? Orgs that are ready for monitoring and response
    - How to go about it? Use a vendor that does both
    - When? Deploy LM first and use it. Be ready to monitor [reactive -> faster/better reactive]
    - What to look for? Integrated LM and SIEM
  • Deploy – use – operationalize – get comfortable with!
  • LM before SIEM!
    - Plan, deploy and operationalize LM (forget SIEM for now)
    - Use LM regularly before evolving
    - Solve problems – and discover new problems (that may call for SIEM)
  • Happy with LM? Then go -> SIEM
    - Phased deployment!
    - Filter some logs into SIEM. How to decide? Correlation, use cases, stakeholders, etc.
    - Prepare to build use cases slowly
    - Things to watch for while evolving: initially increased workload (now you do more useful stuff!)
  • SIEM first steps
    - Simple use cases that are your own: based on key risks to your business, key issues you’d like to monitor for
    - Security monitoring for compliance
    - Traditional use (if the customer does not have preferred use cases and does not know how to find them): IDS/IPS and firewall analysis, login tracking, web application hacking
  • Using SIEM with LM: integrated use case
    - Incident response use case: alert -> log investigation
    - Mini-SOC monitoring and analysis
  • SIEM use cases
    - SOC – full real-time monitoring
    - Mini-SOC / “morning after”
    - Remote monitoring + investigations
    - Compliance status reporting

    1. Making Log Data Useful: SIEM and Log Management Together
       Dr. Anton Chuvakin, Security Warrior Consulting
       April 2010
    2. Outline
       • Security Information and Event Management vs/with Log Management
       • Graduating from LM to SIEM
       • SIEM and LM “best practices”
       • First steps with SIEM
       • Using SIEM and LM together
       • Conclusions
    3. SIEM vs LM
       SIEM = SECURITY information and event management
       vs
       LM = LOG management
    4. What SIEM MUST Have?
       • Log and context data collection
       • Normalization
       • Correlation (“SEM”)
       • Notification/alerting (“SEM”)
       • Prioritization (“SEM”)
       • Reporting (“SIM”)
       • Security role workflow
    5. What LM MUST Have?
       • Broad scope log data collection
       • Efficient log data retention
       • Searching across all data
       • Broad use log reporting
       • Scalable operation: collection, retention, searching, reporting
    6. Graduating from LM to SIEM
       Are you ready? Well, do you have…
       • Response capability: prepared to respond to alerts
       • Monitoring capability: has an operational process to monitor
       • Tuning and customization ability: can customize the tools and content
    7. How to “Graduate?”
       Just like college… Graduation tips:
       • Satisfy the graduation criteria
       • Use an LM vendor that has a good SIEM
       • Deploy LM and use it operationally
       • Periodic log reviews = first step to monitoring
       • Look for integrated capability
    8. What is a “Best Practice”?
       A process or practice that
       • The leaders in the field are doing today
       • Generally leads to useful results with cost effectiveness
    9. BP1: LM before SIEM!
       If you remember one thing from this, let it be:
       Deploy Log Management BEFORE SIEM!
       Q: Why do you think MOST 1990s SIEM deployments FAILED?
       A: There was no log management!
    10. Example Scenario
       A mid-size regional bank deploys log management
       • Compliance, fraud tracking, user activity audit
       • Use the tool on incidents only at first
       • Start checking reports once in a while
       • Establish a log review process
       • In two years, gets a SIEM to automate it!
    11. BP2: Evolving to SIEM
       Steps of a journey
       • Establish response process
       • Deploy a SIEM
       • Think “use cases”
       • Start filtering logs from LM to SIEM
       • Phases!
       • Prepare for the initial increase in workload
    12. Example LM->SIEM Filtering
       3D: Devices / Network topology / Events
       • Devices: NIDS/NIPS, WAF, servers
       • Network: DMZ, payment network (PCI scope), other “key domains”
       • Events: authentication, outbound firewall access
       • Later: proxies, more firewall data, web servers
    13. BP3: SIEM First Steps
       First step = BABY steps!
       • Compliance monitoring
       • “Traditional” SIEM uses: authentication tracking; IPS/IDS + firewall correlation; web application hacking
       • Simple use cases based on your risk: what problems do YOU want solved?
    14. Example SIEM Use Case: cross-system authentication tracking
       • Scope: all systems with authentication (!)
       • Purpose: detect unauthorized access to systems
       • Method: track login failures and successes
       • Rule details: multiple login failures followed by login success
       • Response plan: user account investigation, suspension, communication with suspect user
    15. SIEM + LM Integrated Use
       • Correlated SIEM alert is generated: database server login guessing
       • Key information is shown: account guessed, time, source
       • Context information is pulled from LM:
         - What happened with this user before?
         - What else did the source do?
         - What other logs were produced on the server?
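The rule on slide 14 and the LM drill-down on slide 15, worked through as an added Python example (not code from the deck or its author): a correlation rule that fires when several login failures for the same host, account and source are followed by a success inside a time window, then the three context questions answered from the full log store. The log lines, hostnames, account names and field layout are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log lines (syslog-like auth and db events); not from the slides.
LOGS = """\
2010-04-12T08:30:00 dbsrv01 auth: ACCEPTED login user=alice src=10.9.9.9
2010-04-12T09:00:01 dbsrv01 auth: FAILED login user=alice src=10.1.2.3
2010-04-12T09:00:07 dbsrv01 auth: FAILED login user=alice src=10.1.2.3
2010-04-12T09:00:12 dbsrv01 auth: FAILED login user=alice src=10.1.2.3
2010-04-12T09:00:20 dbsrv01 auth: ACCEPTED login user=alice src=10.1.2.3
2010-04-12T09:00:25 dbsrv01 db: SELECT on customers by user=alice
2010-04-12T09:01:00 websrv02 auth: FAILED login user=bob src=10.1.2.3
2010-04-12T09:05:00 dbsrv01 auth: FAILED login user=carol src=10.4.4.4
2010-04-12T09:30:00 dbsrv01 auth: ACCEPTED login user=carol src=10.4.4.4
""".splitlines()

def parse(line):
    # "timestamp host tag: message"; user= and src= are pulled out of the message
    ts, host, tag, msg = line.split(" ", 3)
    user, src = re.search(r"user=(\S+)", msg), re.search(r"src=(\S+)", msg)
    return {"ts": datetime.fromisoformat(ts), "host": host, "tag": tag.rstrip(":"), "msg": msg,
            "user": user.group(1) if user else None, "src": src.group(1) if src else None}

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    # SIEM rule (slide 14): >= threshold failures then a success, same host/user/src, inside window
    failures, alerts = defaultdict(list), []
    for ev in (e for e in events if e["tag"] == "auth"):
        key = (ev["host"], ev["user"], ev["src"])
        if ev["msg"].startswith("FAILED"):
            failures[key].append(ev["ts"])
        elif ev["msg"].startswith("ACCEPTED"):
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({**{k: ev[k] for k in ("host", "user", "src", "ts")}, "failures": len(recent)})
            failures[key].clear()  # a success ends the guessing sequence either way
    return alerts

def context(alert, events, window=timedelta(minutes=5)):
    # LM drill-down (slide 15): user history, source activity elsewhere, other logs on the server
    t = alert["ts"]
    return {
        "user_before": [e["msg"] for e in events if e["user"] == alert["user"] and e["ts"] < t],
        "source_elsewhere": [f'{e["host"]}: {e["msg"]}' for e in events
                             if e["src"] == alert["src"] and e["host"] != alert["host"]],
        "server_after": [e["msg"] for e in events if e["host"] == alert["host"]
                         and e["tag"] != "auth" and t <= e["ts"] <= t + window]}

def run(lines=LOGS):
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])  # the LM store: every event
    return [(a, context(a, events)) for a in correlate(events)]
```

Only the alice/10.1.2.3 sequence fires; carol's single failure 25 minutes before her success falls outside the window, which is the kind of tuning decision the slides say the organization must own.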
    16. Eventually: SIEM Usage Scenarios
       • Security Operations Center (SOC): RT views, analysts 24/7, chase alerts
       • Mini-SOC / “morning after”: delayed views, analysts 1/24, review and drill-down
       • “Automated SOC” / alert + investigate: configure and forget, investigate alerts
       • Compliance status reporting: review reports/views weekly/monthly
    17. Conclusions
       • Everybody has logs -> needs to deal with them -> needs LOG MANAGEMENT!
       • Deploy LM before SIEM
       • Then decide whether and when you need SIEM
       • Operationalize Log Management first, use it “early and often”
       • Start with SIEM slowly and only for tangible, solvable problems!
    18. Secret to SIEM Magic!
    19. Questions
       Dr. Anton Chuvakin
       Google Voice: 510-771-7106
       Site:
       Blog:
       LinkedIn:
       Consulting:
       Twitter: @anton_chuvakin
    20. More on Anton
       • Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
       • Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
       • Standard developer: CEE, CVSS, OVAL, etc.
       • Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
       • Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager, Consultant
    21. Security Warrior Consulting Services
       • Logging and log management strategy, procedures and practices
         - Develop logging policies and processes, log review procedures, workflows and periodic tasks, and help architect those to solve organization problems
         - Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention and log source configuration, as well as reporting, review and validation
         - Customize industry “best practices” related to logging and log review to fit your environment; help link these practices to business services and regulations
         - Help integrate logging tools and processes into IT and business operations
       • SIEM and log management content development
         - Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
         - Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
       More at