Something Fun About Using SIEM by Dr. Anton Chuvakin

  1. Something Fun About Using SIEM and Not Failing, or Only Failing Non-Miserably or Not-Too-Miserably
     Dr. Anton Chuvakin
     @anton_chuvakin
     SecurityWarrior LLC
     www.securitywarriorconsulting.com
     Security BSides SF 2011 @ RSA 2011
  2. About Anton: SIEM Builder and User
     Former employee of SIEM and log management vendors
     Now consulting for SIEM vendors and SIEM users
     SANS Log Management SEC434 class author
     Author, speaker, blogger, podcaster (on logs, naturally)
  3. NEWSFLASH!! New Phobia Found!
     “Over the past month, I have come across this fear of ownership of the SIEM. Are that many people afraid to ‘own’ the application?” (source: siemninja.com)
     Fear of SIEM = fear of complexity?
     Let’s try to find out!
  4. Outline
     Quickly: SIEM Defined
     SIEM done “right”?
     SIEM Pitfalls and Challenges
     Useful SIEM Practices
     Painful Worst Practices
     Conclusions
  5. SIEM?
     Security Information and Event Management!
     (sometimes: SIM or SEM)
  6. SIEM vs Log Management
     LM: Log Management
         Focus on all uses for logs
     SIEM: Security Information and Event Management
         Focus on security use of logs and other data
  7. What MUST a SIEM Have?
     Log and context data collection
     Normalization
     Correlation (“SEM”)
     Notification/alerting (“SEM”)
     Prioritization (“SEM”)
     Reporting and report delivery (“SIM”)
     Security role workflow (IR, SOC, etc.)
  8. SIEM Evolution
     1996-2002: IDS and firewall
         Worms, alert overflow, etc.
         Sold as “SOC in the box”
     2003-2007: the above + servers + context
         PCI DSS, SOX, users
         Sold as “SOC in the box”++
     2008+: the above + applications + …
         Fraud, insiders, cybercrime
         Sold as “SOC in the box”+++++
  9. What do we know about SIEM?
     Ties to many technologies, analyzes data, requires process around it, overhyped
     What does it actually mean?
     Many people think “SIEM is complex”
     Thinking aloud here…
  10. I will tell you how to do SIEM RIGHT!
      Useless Consultant Advice Alert!!
  11. The Right Way to SIEM
      Figure out what problems you want to solve with SIEM
      Confirm that SIEM is the best way to solve them
      Define and analyze use cases
      Create requirements for a tool
      Choose scope for SIEM coverage
      Assess data volume
      Perform product research
      Create a tool shortlist
      Pilot top 2-3 products
      Test the products for features, usability and scalability vs requirements
      Select a product for deployment
      Update or create procedures, IR plans, etc.
      Deploy the tool (phase 1)
  12. The Popular Way to SIEM
      Buy a SIEM appliance
  13. Got Difference?
      What do people WANT to know and have before they deploy a SIEM?
      What do people NEED to know and have before they deploy a SIEM?
  14. Got SIEM? Have you inherited it?
      Now what?
  15. Popular #SIEM_FAIL
      … in partial answer to “why do people think SIEM sucks?”
      Misplaced expectations (“SOC-in-a-box”)
      Missing requirements (“SIEM… huh?”)
      Wrong project sizing
      Political challenges with integration
      Lack of commitment
      Vendor deception (*)
      And only then: product not working
  16. One Way to NOT Fail
      Goals and requirements
      Functionality / features
      Scoping of data collection
      Sizing
      Architecting
  17. What is a “Best Practice”?
      A process or practice that
          the leaders in the field are doing today
          generally leads to useful results cost-effectively
      P.S. If you still hate the term, say “useful practices”
  18. BP1: LM before SIEM!
      If you remember one thing from this, let it be:
      Deploy Log Management BEFORE SIEM!
      Q: Why do you think MOST 1990s SIEM deployments FAILED?
      A: There was no log management!
  19. Graduating from LM to SIEM
      Are you ready? Well, do you have…
      Response capability and process
          Prepared to respond to alerts
      Monitoring capability
          Has an operational process to monitor
      Tuning and customization ability
          Can customize the tools and content
  20. SIEM/LM Maturity Curve
  21. BP2: Evolving Your SIEM
      Steps of a journey…
      Establish response process
      Deploy a SIEM
      Think “use cases”
      Start filtering logs from LM to SIEM
      Phases: features and information sources
      Prepare for the initial increase in workload
  22. Example LM -> SIEM Filtering
      3D: Devices / Network topology / Events
      Devices: NIDS/NIPS, WAF, servers
      Network: DMZ, payment network, other “key domains”
      Events: authentication, outbound firewall access, IPS
      Later: proxies, more firewall data, web servers
  23. “Quick Wins” for Phased Approach
      Phased approach #1
          Collect problems
          Plan architecture
          Start collecting
          Start reviewing
          Solve problem 1
          Solve problem n
      Phased approach #2
          Focus on 1 problem
          Plan architecture
          Start collecting
          Start reviewing
          Solve problem 1
          Plan again
  24. BP3: Expanding SIEM Use
      First step, next BABY steps!
      Compliance monitoring often first
      “Traditional” SIEM uses
          Authentication tracking
          IPS/IDS + firewall correlation
          Web application hacking
      Your simple use cases
          What problems do YOU want solved?
  25. Best Reports? SANS Top 7
      DRAFT “SANS Top 7 Log Reports”
      Authentication
      Changes
      Network activity
      Resource access
      Malware activity
      Failures
      Analytic reports
  26. Best Correlation Rules? Nada
      Vendor default rules?
      IDS/IPS + vulnerability scan?
      Anton’s favorite rules:
          Authentication
          Outbound access
          Safeguard failure
          ?
  27. Example SIEM Use Case
      Cross-system authentication tracking
      Scope: all systems with authentication
      Purpose: detect unauthorized access to systems
      Method: track login failures and successes
      Rule details: multiple login failures followed by a login success
      Response plan: user account investigation, suspension, communication with the suspect user
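The “Example LM -> SIEM Filtering” slide and the “Example SIEM Use Case” slide above describe the two halves of a first SIEM phase: log management forwards only a filtered slice (authentication from every system, outbound firewall and IPS events only from the key network zones), and the SIEM runs one simple correlation rule over that slice. The Python below is an added example written for this page, not code from the talk or from any SIEM product. The normalized line layout, the field and zone names, the three-failure threshold and the five-minute window are all assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). Assumed layout after
# normalization in log management:  <timestamp> <host> <zone> <event> user=<u> src=<ip>
SAMPLE_LOGS = """\
2011-02-14T09:00:01Z web01 dmz auth_failure user=alice src=10.0.0.5
2011-02-14T09:00:05Z web01 dmz auth_failure user=alice src=10.0.0.5
2011-02-14T09:00:09Z db01 payment auth_failure user=alice src=10.0.0.5
2011-02-14T09:00:12Z web01 dmz auth_failure user=alice src=10.0.0.5
2011-02-14T09:00:15Z db01 payment auth_success user=alice src=10.0.0.5
2011-02-14T09:01:00Z fw01 corp fw_outbound user=- src=10.0.0.7
2011-02-14T09:02:00Z web02 corp auth_success user=bob src=10.0.0.9
2011-02-14T09:30:00Z web01 dmz auth_failure user=carol src=10.0.0.8
2011-02-14T10:30:00Z web01 dmz auth_success user=carol src=10.0.0.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<zone>\S+) (?P<kind>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    zone: str
    kind: str
    user: str
    src: str


def parse(raw):
    """Turn normalized log lines into Event objects; unparseable lines stay in LM only."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["host"], m["zone"], m["kind"], m["user"], m["src"]))
    return events


# Phase-1 forwarding policy (assumed values): authentication from every system,
# outbound firewall and IPS events only from the "key domains".
AUTH_EVENTS = {"auth_failure", "auth_success"}
KEY_ZONE_EVENTS = {"fw_outbound", "ips_alert"}
KEY_ZONES = {"dmz", "payment"}


def lm_to_siem_filter(events):
    """Yield only the events that log management should forward to the SIEM."""
    for e in events:
        if e.kind in AUTH_EVENTS:
            yield e
        elif e.kind in KEY_ZONE_EVENTS and e.zone in KEY_ZONES:
            yield e


def correlate_auth(events, min_failures=3, window=timedelta(minutes=5)):
    """Rule: at least min_failures failures for (user, src) inside `window`, then a
    success, on any combination of hosts. Returns one alert dict per match."""
    recent_failures = defaultdict(deque)  # (user, src) -> failures still inside the window
    alerts = []
    # Ordering by timestamp only works if every log source is NTP-synchronized;
    # unsynchronized clocks silently break a sequence rule like this one.
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.user, e.src)
        q = recent_failures[key]
        while q and e.ts - q[0].ts > window:
            q.popleft()  # expire failures older than the window
        if e.kind == "auth_failure":
            q.append(e)
        elif e.kind == "auth_success":
            if len(q) >= min_failures:
                alerts.append({
                    "user": e.user,
                    "src": e.src,
                    "failures": len(q),
                    "hosts": sorted({f.host for f in q} | {e.host}),
                    "success_at": e.ts.isoformat(),
                })
            q.clear()  # a success resets the sequence either way
    return alerts


def run(raw=SAMPLE_LOGS):
    """Full pipeline on the constructed sample: parse -> filter -> correlate."""
    return correlate_auth(lm_to_siem_filter(parse(raw)))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed input the rule fires once: alice fails four times across web01 and db01 and then succeeds on db01 within the window, which is the cross-system case the use case is after; carol’s single failure an hour before her success expires out of the window, and bob never fails. Two practical points follow from the code: the rule keys on (user, source IP), so a password spray that rotates users from one source needs a separate rule keyed on source alone; and because it orders events by their own timestamps, it is only as good as the clock synchronization of the log sources.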
  28. On SIEM Resourcing
      NEWSFLASH! SIEM costs money.
      But…
      Or…
  29. “Hard” Costs: Money
      Initial
          SIEM license, hardware, 3rd-party software
          Deployment service
      Ongoing
          Support and ongoing services
          Operations personnel (0.5 FTE and up)
      Periodic
          Vendor services
          Specialty personnel (DBA, sysadmin)
          Deployment expansion costs
  30. “Soft” Costs: Time
      Initial
          Deployment time
          Log source configuration and integration
          Initial tuning, content creation
      Ongoing
          Report review
          Alert response and escalation
      Periodic
          Tuning
          Expansion: same as initial
  31. What is a “Worst Practice”?
      As opposed to the “best practice”, it is…
      What the losers in the field are doing today
      A practice that generally leads to disastrous results, despite its popularity
  32. WPs for SIEM Planning
      WP1: Skip this step altogether; just buy something
          “John said that we need a correlation engine”
          “I know this guy who sells log management tools”
      WP2: Postpone scoping until after the purchase
          “The vendor says ‘it scales’ so we will just feed it ALL our logs”
          Windows, Linux, i5/OS, OS/390, Cisco: send ’em in!
  33. Case Study: “We Use ’em All”
      At SANS Log Management Summit 200X…
      Vendors X, Y and Z claim “Big Finance” as a customer
      How can that be?
      Well, different teams purchased different products…
      About $2.3m wasted on tools that do the same thing!
  34. WPs for Deployment
      WP3: Expect the vendor to write your logging policy, OR ignore vendor recommendations
          “Tell us what we need” / “Tell us what you have”, forever…
      WP4: Unpack the boxes and go!
          “Coordinating with network and system folks is for cowards!”
          Do you know why LM projects sometimes take months?
      WP5: Don’t prepare the infrastructure
          “Time synchronization? Pah, who needs it”
          Without synchronized clocks, cross-system correlation puts events in the wrong order
  35. More Quick SIEM Tips
      Cost countless sleepless nights and boatloads of pain…
      No SIEM before IR plans/procedures
      No SIEM before basic log management
      Think “quick wins”, not “OMG… that SIEM boondoggle”
      Tech matters! But practices matter more
      Things will get worse before they get better. Invest time before collecting value!
  36. Tip: When To AVOID A SIEM
      In some cases, the best “SIEM strategy” is NOT to buy one:
          Log retention focus
          Investigation focus (log search)
      If you only plan to look BACKWARDS, there is no need for a SIEM!
  37. Conclusions
      SIEM will work and has value… but BOTH an initial and an ongoing time/focus commitment are required
      FOCUS on what problems you are trying to solve with SIEM: requirements!
      A phased approach WITH “quick wins” is the easiest way to go
      Operationalize!!!
  38. Secret to SIEM Magic!
  39. And If You Only…
      … learn one thing from this…
      … then let it be…
  40. Requirements! Requirements! Requirements! Requirements! Requirements!
      Requirements! Requirements! Requirements! Requirements! Requirements!
      Requirements
  41. Questions?
      Dr. Anton Chuvakin
      Email: anton@chuvakin.org
      Site: http://www.chuvakin.org
      Blog: http://www.securitywarrior.org
      Twitter: @anton_chuvakin
      Consulting: http://www.securitywarriorconsulting.com
  42. More Resources
      Blog: www.securitywarrior.org
      Podcast: look for “LogChat” on iTunes
      Slides: http://www.slideshare.net/anton_chuvakin
      Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin
      Consulting: http://www.securitywarriorconsulting.com/
  43. More on Anton
      Consultant: http://www.securitywarriorconsulting.com
      Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
      Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
      Standard developer: CEE, CVSS, OVAL, etc.
      Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
      Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
  44. Security Warrior Consulting Services
      Logging and log management / SIEM strategy, procedures and practices
          Develop logging policies and processes, log review procedures, workflows and periodic tasks, as well as help architect those to solve organization problems
          Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration, as well as reporting, review and validation
          Customize industry “best practices” related to logging and log review to fit your environment; help link these practices to business services and regulations
          Help integrate logging tools and processes into IT and business operations
      SIEM and log management content development
          Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
          Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
      Others at www.SecurityWarriorConsulting.com
