
On Content-Aware SIEM by Dr. Anton Chuvakin

  1. Content-Aware SIEM
     Dr. Anton Chuvakin
     Security Warrior Consulting
     www.securitywarriorconsulting.com
     February 2010

  2. Outline
     Brief SIEM history
     SIEM today
     Today's SIEM use cases
     Evolution of SIEM: content-aware SIEM
     What does a SIEM "eat"? Logs + context + content!
     Legacy SIEM vs content-aware SIEM
     Why deploy a CA-SIEM?

  3. SIEM?
     Security Information and Event Management!
     (sometimes: SIM or SEM)

  4. SIEM Evolution
     1997-2002: IDS and firewall
       Worms, alert overflow, etc.
     2003-2007: the above + servers + context
       PCI DSS, SOX, users
     2008+: the above + applications + content
       Fraud, activities, cybercrime

  5. SIEM Today
     Log and context data collection
     Normalization
     Correlation ("SEM")
     Notification/alerting ("SEM")
     Prioritization ("SEM")
     Reporting and report delivery ("SIM")
     Security role workflow

  6. SIEM Use Cases
     Security Operations Center (SOC)
       Real-time views, analysts 24/7, chase alerts
     Mini-SOC / "morning after"
       Delayed views, analysts 1/24, review and drill-down
     "Automated SOC" / alert + investigate
       Configure and forget, investigate alerts
     Compliance status reporting
       Review reports/views weekly/monthly

  7. What Does a SIEM Eat?
     Logs
     Context
     Content (NEW)

  8. One: Logs
     <18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
     <57> Dec 25 00:04:32: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006
     <122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2
     <13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon  account:  ANTON    Source Workstation: ENTERPRISE    Error Code: 0xC000006A     4574
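     The four lines on this slide are four vendor formats for essentially one fact: the account anton authenticating, three times successfully (NetScreen, Cisco IOS, sshd) and once unsuccessfully (Windows). That is why normalization sits before correlation and prioritization in the pipeline on the "SIEM Today" slide. The Python below is an added example, not code from the slides or from the author: it parses those four lines into one schema, applies an assumed correlation rule (one account succeeding from three or more distinct sources) and an assumed priority score. The regexes, field names, port-to-service mapping, threshold and scores are this example's own assumptions, not any SIEM product's rules.

```python
"""Normalize four vendors' login records into one schema, then correlate.

Added example: this is not code from the slides or from Anton Chuvakin.
The log lines are the four shown on the "One: Logs" slide; the regexes,
field names, port-to-service mapping, correlation threshold and priority
scores are this example's own assumptions, not any SIEM product's rules.
"""
import re
from collections import defaultdict

# The four log lines from the slide (spacing normalized).
LOG_LINES = [
    "<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp "
    "system-warning-00515: Admin User anton has logged on via Telnet "
    "from 10.14.98.55:39073 (2002-12-17 15:50:53)",
    "<57> Dec 25 00:04:32: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006",
    "<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton "
    "from ::ffff:192.168.138.35 port 2895 ssh2",
    "<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit "
    "ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
    "Logon account: ANTON Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574",
]

# Assumed: which service a Cisco "localport" value corresponds to.
PORT_TO_SERVICE = {"22": "ssh", "23": "telnet"}

# One (regex, device, outcome, method-extractor) entry per source format.
PARSERS = [
    (re.compile(r"NetScreen.*?Admin User (?P<user>\S+) has logged on via "
                r"(?P<method>\w+) from (?P<src>[\d.]+):\d+"),
     "netscreen", "success", lambda m: m.group("method").lower()),
    (re.compile(r"%SEC_LOGIN-5-LOGIN_SUCCESS.*?\[user:\s*(?P<user>[^\]]+)\] "
                r"\[Source:\s*(?P<src>[^\]]+)\] \[localport:\s*(?P<port>\d+)\]"),
     "cisco_ios", "success", lambda m: PORT_TO_SERVICE.get(m.group("port"), "unknown")),
    (re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from "
                r"(?:::ffff:)?(?P<src>[\d.]+) port \d+"),
     "sshd", "success", lambda m: "ssh"),
    (re.compile(r"Failure Audit .*?Logon\s+account:\s+(?P<user>\S+)\s+"
                r"Source Workstation:\s+(?P<src>\S+)\s+Error Code:\s+(?P<code>0x[0-9A-Fa-f]+)"),
     "windows", "failure", lambda m: "windows_logon"),
]


def normalize(line):
    """Map one raw line to the common schema; None if no parser matches."""
    for regex, device, outcome, method_of in PARSERS:
        m = regex.search(line)
        if m:
            return {
                "device": device,
                "user": m.group("user").strip().lower(),  # ANTON and anton are one account
                "src": m.group("src").strip(),
                "method": method_of(m),
                "outcome": outcome,
            }
    return None


def correlate(events, min_sources=3):
    """Assumed rule: one account logging in successfully from at least
    min_sources distinct sources. Returns {user: sorted sources} for hits."""
    sources = defaultdict(set)
    for e in events:
        if e["outcome"] == "success":
            sources[e["user"]].add(e["src"])
    return {u: sorted(s) for u, s in sources.items() if len(s) >= min_sources}


def prioritize(event):
    """Assumed scoring: cleartext admin protocols and failures rank higher."""
    score = 1
    if event["method"] == "telnet":
        score += 2  # credentials crossed the wire in the clear
    if event["outcome"] == "failure":
        score += 1
    return score


EVENTS = [ev for ev in map(normalize, LOG_LINES) if ev is not None]


def summarize(events=EVENTS):
    """Normalized rows with their priority score, in input order."""
    return [(e["device"], e["user"], e["src"], e["method"], e["outcome"], prioritize(e))
            for e in events]


if __name__ == "__main__":
    for row in summarize():
        print(row)
    print("correlation hits:", correlate(EVENTS))
```

     Two points the raw lines hide and the normalized rows expose: the Cisco record only says "localport:23", so the fact that it was a Telnet session (and therefore a cleartext credential) comes from the port mapping, not from the message text; and the Windows record spells the account in upper case, so without case folding the failure would never join the three successes for the same user. Both are exactly the kind of context a correlation rule needs and a grep over the raw logs does not supply.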
  9. Two: Context
     http://chuvakin.blogspot.com/2010/01/on-log-context.html

  10. Three: Content
     Emails
     Attachments
     IM chats
     Facebook posts
     Videos
     Images

  11. Note: Content Is NOT Just Packets
     Drill down to packets
     Drill down to the emailed document

  12. Legacy SIEM vs CA-SIEM?

  13. Secret to SIEM Magic!

  14. Conclusions
     SIEM is evolving to meet today's needs while still solving the old ones
     Note: no old IT security threat has gone away yet…
     SIEMs that can consume content, not just logs, can win the battle
     Note: logs are voluminous, but content is EVEN LARGER

  15. Questions
     Dr. Anton Chuvakin
     Email: anton@chuvakin.org
     Site: http://www.chuvakin.org
     Blog: http://www.securitywarrior.org
     LinkedIn: http://www.linkedin.com/in/chuvakin
     Twitter: @anton_chuvakin
     Consulting services: SIEM, log management
     http://www.securitywarriorconsulting.com

  16. More on Anton
     Book author: "Security Warrior", "PCI Compliance", "Information Security Management Handbook", "Know Your Enemy II", "Hacker's Challenge 3", etc.
     Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
     Standards developer: CEE, CVSS, OVAL, etc.
     Community roles: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
     Past roles: researcher, security analyst, strategist, evangelist, product manager, consultant
