SlideShare a Scribd company logo
1 of 40
You Got That SIEM. Now What Do You Do? Dr. Anton Chuvakin Security Warrior Consulting www.securitywarriorconsulting.com BayThreat 2010
DIRE WARNING: This presentation does NOT mention PCI DSS… …oh wait  www.pcicompliancebook.info
DIRE DISCLAIMER: This presentation does NOT contains jokes about Cisco MARS!
Outline Brief: What is SIEM/LM? “You got it!” SIEM Pitfalls and Challenges Useful SIEM Practices From Deployment Onwards SIEM “Worst Practices” Conclusions
About Anton Former employee of  SIEM and log management vendors Now consulting for SIEM vendors and SIEM users SANS class author (SEC434 Log Management) Author, speaker, blogger, podcaster (on logs, naturally )
SIEM? Security Information and Event Management! (sometimes: SIM or SEM)
Got SIEM? Now what?
SIEM and Log Management  LM: Log Management Focus on all uses for logs SIEM:  Security Information  and Event Management Focus on security useof logs and other data
Why SO many people think that “SIEM sucks?”
SIEM Evolution 1997-2002 IDS and Firewall Worms, alert overflow, etc Sold “SOC in the box” 2003 – 2007  Above + Server + Context  PCI DSS, SOX, users Sold “SOC in the box”++ 2008+  Above + Applications + … Fraud, activities, cybercrime Sold “SOC in the box”+++++
What SIEM MUST Have? Log and Context Data Collection Normalization Correlation (“SEM”) Notification/alerting (“SEM”) Prioritization (“SEM”) Reporting and delivery (“SIM”) Security role workflow (IR, SOC, etc)
What SIEM Eats: Logs <18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreendevice_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)  <57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006 <122> Mar  4 09:23:15 localhostsshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2 <13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon  account:  ANTON    Source Workstation: ENTERPRISE    Error Code: 0xC000006A     4574
BTW… … yesterday I saw an RFC5424-compliant syslog message with structured data. OMG! They really do exist!! Well, this one does – produced by rsyslog application itself….
What SIEM Eats: Context http://chuvakin.blogspot.com/2010/01/on-log-context.html
Popular #SIEM_FAIL … in partial answer to “why people think SIEM sucks?” Misplaced expectations (“SOC-in-a-box”) Missing requirements (“SIEM…huh?”) Missed project sizing Political challenges with integration Lack of commitment Vendor deception (*) And only then: product not working 
SIEM Planning Areas Goals and requirements Functionality / features Scoping of data collection Sizing Architecting
What is a “Best Practice”? A process or practice that The leaders in the field are doing today Generally leads to useful results with cost effectiveness P.S. If you still hate it – say  “useful  practices”
BP1 LM before SIEM! If you remember one thing from this, let it be: Deploy Log Management BEFORE SIEM! Q: Why do you think MOST 1990s SIEM deployments FAILED? A: There was no log management!
Graduating from LM to SIEM Are you ready? Well, do you have… Response capability Prepared to response to alerts Monitoring capability Has an operational process to monitor Tuning and customization ability Can customize the tools and content
SIEM/LM Maturity Curve
BP2 Evolving to SIEM  Steps of a journey … Establish response process Deploy a SIEM Think “use cases” Start filtering logs from LM to SIEM Phases! Prepare for the initial increase in workload
Example LM->SIEM Filtering 3D: Devices / Network topology / Events Devices: NIDS/NIPS, WAF, servers Network: DMZ, payment network (PCI scope), other “key domains” Events: authentication, outbound firewall access Later: proxies, more firewall data, web servers
“Quick Wins” for Phased Approach Phased  approach #2 ,[object Object]
Plan architecture
Start collecting
Start reviewing
Solve problem 1
Plan againPhased  approach #1 Collect problems Plan architecture Start collecting Start reviewing Solve problem 1 Solve problem n
BP3 SIEM First Steps First step = BABY steps! Compliance monitoring “Traditional” SIEM uses Authentication  tracking IPS/IDS + firewall correlation Web application hacking Simple use cases  based on your risks What problems do YOU want solved?
Example SIEM Use Case Cross-system authentication  tracking Scope: all systems with authentication  Purpose: detect unauthorized access to systems Method: track login failures and successes Rule details: multiple login failures followed by login success Response plan: user account investigation, suspension, communication with suspect user
10 minutes or 10 months? A typical large customer takes 10 months to deploy a log management  architecture based on our technology ? Our log management appliance can be  racked, configured and collecting logs in  10 minutes
Secret to SIEM Magic!
What is a “Worst Practice”? As opposed to the “best practice” it is … What the losers in the field are doing today A practice that generally leads to disastrous results, despite its popularity
WP for SIEM Project scope WP1: Postpone scope until after the purchase “The vendor says ‘it scales’ so we will just feed ALL our logs” Windows, Linux, i5/OS, OS/390, Cisco – send’em in! WP2: Assume you will be the only user of the tool “Steakholders”? What’s that?  Common consequence: two or more  simiilartools are bought
Case Study: “We Use’em All” At SANS Log Management Summit 200X… Vendors X, Y and Z claim “Big Finance” as a customer How can that be? Well, different teams purchased different products … About $2.3m wasted on tools that do the same!
WPs for Deployment WP3: Expect The Vendor To Write Your Logging Policy OR Ignore Vendor Recommendations “Tell us what we need – tell us what you have” forever… WP4: Unpack the boxes and go! “Coordinating with network and system folks is for cowards!” Do you know why LM projects take months sometimes? WP5: Don’t prepare the infrastructure  “Time synchronization? Pah, who needs it” WP6: Deploy Everywhere At Once “We need it everywhere!! Now!!”
WPs for Expanding Deployment WP7: Don’t Bother With A Product Owner “We all use it – we all run it (=nobody does)” WP8: Don’t Check For Changed Needs – Just Buy More of the Same “We made the decision – why fuss over it?” WP9: If it works for 10, it will be OK for 10,000 “1,10,100, …, 1 trillion – they are just numbers”
More Quick SIEM Tips Cost countless sleepless night and boatloads of pain…. No SIEM before IR plans/procedures No SIEM before basic log management  Think "quick wins", not "OMG ...that SIEM boondoggle" Tech matters! But practices matter more Things will get worse before better. Invest time before collecting value!
Conclusions SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required FOCUS on what problems you are trying to solve with SIEM: requirements! Phased approach WITH “quick wins” is the easiest way to go Operationalize!!!
And If You Only … … learn one thing from this…. … then let it be….

More Related Content

What's hot

Robot Framework Introduction & Sauce Labs Integration
Robot Framework Introduction & Sauce Labs IntegrationRobot Framework Introduction & Sauce Labs Integration
Robot Framework Introduction & Sauce Labs IntegrationSauce Labs
 
Recruitment Management Systems
Recruitment Management SystemsRecruitment Management Systems
Recruitment Management SystemsMariaVyalkova
 
IBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solutionIBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solutionhearme limited company
 
Test strategy Vs. Test Plan
Test strategy Vs. Test PlanTest strategy Vs. Test Plan
Test strategy Vs. Test PlanProfessional QA
 
POST/CON 2019 Workshop: Testing, Automated Testing, and Reporting APIs with P...
POST/CON 2019 Workshop: Testing, Automated Testing, and Reporting APIs with P...POST/CON 2019 Workshop: Testing, Automated Testing, and Reporting APIs with P...
POST/CON 2019 Workshop: Testing, Automated Testing, and Reporting APIs with P...Postman
 
Designing Good API Experiences Session 24
Designing Good API Experiences Session 24Designing Good API Experiences Session 24
Designing Good API Experiences Session 24Postman
 
Appium an introduction
Appium   an introductionAppium   an introduction
Appium an introductionVivek Shringi
 
UiPath vs Automation Anywhere Comparison
UiPath vs Automation Anywhere ComparisonUiPath vs Automation Anywhere Comparison
UiPath vs Automation Anywhere ComparisonTangentia
 
An introduction to api testing | David Tzemach
An introduction to api testing | David TzemachAn introduction to api testing | David Tzemach
An introduction to api testing | David TzemachDavid Tzemach
 
Mock objects - Teste de código com dependências
Mock objects - Teste de código com dependênciasMock objects - Teste de código com dependências
Mock objects - Teste de código com dependênciasDenis L Presciliano
 
Tìm hiểu về lập trình viên
Tìm hiểu về lập trình viênTìm hiểu về lập trình viên
Tìm hiểu về lập trình viênHào Nghiêm Xuân
 
Presentation on Crystal Reports and Business Objects Enterprise Features
Presentation on Crystal Reports and Business Objects Enterprise FeaturesPresentation on Crystal Reports and Business Objects Enterprise Features
Presentation on Crystal Reports and Business Objects Enterprise FeaturesInfoDev
 
01 software test engineering (manual testing)
01 software test engineering (manual testing)01 software test engineering (manual testing)
01 software test engineering (manual testing)Siddireddy Balu
 
Mobile Automation with Appium
Mobile Automation with AppiumMobile Automation with Appium
Mobile Automation with AppiumManoj Kumar Kumar
 
Performance testing using jmeter
Performance testing using jmeterPerformance testing using jmeter
Performance testing using jmeterRachappa Bandi
 

What's hot (16)

Robot Framework Introduction & Sauce Labs Integration
Robot Framework Introduction & Sauce Labs IntegrationRobot Framework Introduction & Sauce Labs Integration
Robot Framework Introduction & Sauce Labs Integration
 
Recruitment Management Systems
Recruitment Management SystemsRecruitment Management Systems
Recruitment Management Systems
 
IBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solutionIBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solution
 
Test strategy Vs. Test Plan
Test strategy Vs. Test PlanTest strategy Vs. Test Plan
Test strategy Vs. Test Plan
 
POST/CON 2019 Workshop: Testing, Automated Testing, and Reporting APIs with P...
POST/CON 2019 Workshop: Testing, Automated Testing, and Reporting APIs with P...POST/CON 2019 Workshop: Testing, Automated Testing, and Reporting APIs with P...
POST/CON 2019 Workshop: Testing, Automated Testing, and Reporting APIs with P...
 
API TESTING
API TESTINGAPI TESTING
API TESTING
 
Designing Good API Experiences Session 24
Designing Good API Experiences Session 24Designing Good API Experiences Session 24
Designing Good API Experiences Session 24
 
Appium an introduction
Appium   an introductionAppium   an introduction
Appium an introduction
 
UiPath vs Automation Anywhere Comparison
UiPath vs Automation Anywhere ComparisonUiPath vs Automation Anywhere Comparison
UiPath vs Automation Anywhere Comparison
 
An introduction to api testing | David Tzemach
An introduction to api testing | David TzemachAn introduction to api testing | David Tzemach
An introduction to api testing | David Tzemach
 
Mock objects - Teste de código com dependências
Mock objects - Teste de código com dependênciasMock objects - Teste de código com dependências
Mock objects - Teste de código com dependências
 
Tìm hiểu về lập trình viên
Tìm hiểu về lập trình viênTìm hiểu về lập trình viên
Tìm hiểu về lập trình viên
 
Presentation on Crystal Reports and Business Objects Enterprise Features
Presentation on Crystal Reports and Business Objects Enterprise FeaturesPresentation on Crystal Reports and Business Objects Enterprise Features
Presentation on Crystal Reports and Business Objects Enterprise Features
 
01 software test engineering (manual testing)
01 software test engineering (manual testing)01 software test engineering (manual testing)
01 software test engineering (manual testing)
 
Mobile Automation with Appium
Mobile Automation with AppiumMobile Automation with Appium
Mobile Automation with Appium
 
Performance testing using jmeter
Performance testing using jmeterPerformance testing using jmeter
Performance testing using jmeter
 

Viewers also liked

Got SIEM? Now what? Getting SIEM Work For You
Got SIEM? Now what? Getting SIEM Work For YouGot SIEM? Now what? Getting SIEM Work For You
Got SIEM? Now what? Getting SIEM Work For YouAnton Chuvakin
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM AlienVault
 
Qradar ibm partner_enablement_220212_final
Qradar ibm partner_enablement_220212_finalQradar ibm partner_enablement_220212_final
Qradar ibm partner_enablement_220212_finalArrow ECS UK
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
How to Choose the Right Security Information and Event Management (SIEM) Solu...
How to Choose the Right Security Information and Event Management (SIEM) Solu...How to Choose the Right Security Information and Event Management (SIEM) Solu...
How to Choose the Right Security Information and Event Management (SIEM) Solu...IBM Security
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsOWASP Delhi
 
MISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM ImplementationMISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM ImplementationMichael Nickle
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution hashnees
 
Presentation data security solutions certified ibm business partner for ibm...
Presentation   data security solutions certified ibm business partner for ibm...Presentation   data security solutions certified ibm business partner for ibm...
Presentation data security solutions certified ibm business partner for ibm...xKinAnx
 
Batch file programming
Batch file programmingBatch file programming
Batch file programmingswapnil kapate
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...AlienVault
 
Implementing and Running SIEM: Approaches and Lessons
Implementing  and Running SIEM: Approaches and LessonsImplementing  and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and LessonsAnton Chuvakin
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
 
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
5 Ways to Get Even More from Your IBM Security QRadar Investment in 20165 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016IBM Security
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
Computer networking
Computer networkingComputer networking
Computer networkingChinmoy Jena
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 

Viewers also liked (20)

Got SIEM? Now what? Getting SIEM Work For You
Got SIEM? Now what? Getting SIEM Work For YouGot SIEM? Now what? Getting SIEM Work For You
Got SIEM? Now what? Getting SIEM Work For You
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
 
Qradar ibm partner_enablement_220212_final
Qradar ibm partner_enablement_220212_finalQradar ibm partner_enablement_220212_final
Qradar ibm partner_enablement_220212_final
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
 
How to Choose the Right Security Information and Event Management (SIEM) Solu...
How to Choose the Right Security Information and Event Management (SIEM) Solu...How to Choose the Right Security Information and Event Management (SIEM) Solu...
How to Choose the Right Security Information and Event Management (SIEM) Solu...
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur Vats
 
MISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM ImplementationMISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM Implementation
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution
 
Presentation data security solutions certified ibm business partner for ibm...
Presentation   data security solutions certified ibm business partner for ibm...Presentation   data security solutions certified ibm business partner for ibm...
Presentation data security solutions certified ibm business partner for ibm...
 
Batch file programming
Batch file programmingBatch file programming
Batch file programming
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
 
Implementing and Running SIEM: Approaches and Lessons
Implementing  and Running SIEM: Approaches and LessonsImplementing  and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and Lessons
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShell
 
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
5 Ways to Get Even More from Your IBM Security QRadar Investment in 20165 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
Computer networking
Computer networkingComputer networking
Computer networking
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 

Similar to "You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin

Something Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton ChuvakinSomething Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton ChuvakinSo You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton ChuvakinAnton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Anton's Log Management 'Worst Practices'
Anton's Log Management 'Worst Practices'Anton's Log Management 'Worst Practices'
Anton's Log Management 'Worst Practices'Anton Chuvakin
 
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?Source Conference
 
Enterprise Logging and Log Management: Hot Topics by Dr. Anton Chuvakin
Enterprise Logging and Log Management: Hot Topics by Dr. Anton ChuvakinEnterprise Logging and Log Management: Hot Topics by Dr. Anton Chuvakin
Enterprise Logging and Log Management: Hot Topics by Dr. Anton ChuvakinAnton Chuvakin
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранSigma Software
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecurityVlad Styran
 
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton ChuvakinMaking Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton ChuvakinAnton Chuvakin
 
Making Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management TogetherMaking Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management TogetherAnton Chuvakin
 
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
SplunkSummit 2015 - ES Hands On Workshop
SplunkSummit 2015 - ES Hands On Workshop SplunkSummit 2015 - ES Hands On Workshop
SplunkSummit 2015 - ES Hands On Workshop Splunk
 
Security Outsourcing - Couples Counseling - Atif Ghauri
Security Outsourcing - Couples Counseling - Atif GhauriSecurity Outsourcing - Couples Counseling - Atif Ghauri
Security Outsourcing - Couples Counseling - Atif GhauriAtif Ghauri
 
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...How to Gain Visibility and Control: Compliance Mandates, Security Threats and...
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...Anton Chuvakin
 
Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Adrian Sanabria
 
BHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsBHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsMagno Logan
 
Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Anton Chuvakin
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Claus Cramon Houmann
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSECSean Whalen
 
So you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you howSo you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you howJoe McCray
 

Similar to "You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin (20)

Something Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton ChuvakinSomething Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton Chuvakin
 
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton ChuvakinSo You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Anton's Log Management 'Worst Practices'
Anton's Log Management 'Worst Practices'Anton's Log Management 'Worst Practices'
Anton's Log Management 'Worst Practices'
 
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
 
Enterprise Logging and Log Management: Hot Topics by Dr. Anton Chuvakin
Enterprise Logging and Log Management: Hot Topics by Dr. Anton ChuvakinEnterprise Logging and Log Management: Hot Topics by Dr. Anton Chuvakin
Enterprise Logging and Log Management: Hot Topics by Dr. Anton Chuvakin
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software Security
 
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton ChuvakinMaking Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
 
Making Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management TogetherMaking Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management Together
 
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
 
SplunkSummit 2015 - ES Hands On Workshop
SplunkSummit 2015 - ES Hands On Workshop SplunkSummit 2015 - ES Hands On Workshop
SplunkSummit 2015 - ES Hands On Workshop
 
Security Outsourcing - Couples Counseling - Atif Ghauri
Security Outsourcing - Couples Counseling - Atif GhauriSecurity Outsourcing - Couples Counseling - Atif Ghauri
Security Outsourcing - Couples Counseling - Atif Ghauri
 
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...How to Gain Visibility and Control: Compliance Mandates, Security Threats and...
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...
 
Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Open Source Defense for Edge 2017
Open Source Defense for Edge 2017
 
BHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsBHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applications
 
Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
So you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you howSo you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you how
 

More from Anton Chuvakin

Future of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsFuture of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsAnton Chuvakin
 
SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?Anton Chuvakin
 
Meet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinMeet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinAnton Chuvakin
 
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...Anton Chuvakin
 
SOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinSOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinAnton Chuvakin
 
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothAnton Chuvakin
 
20 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022Anton Chuvakin
 
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton ChuvakinAnton Chuvakin
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020  Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020  Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsAnton Chuvakin
 
SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC Anton Chuvakin
 
Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020Anton Chuvakin
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton Chuvakin
 
Five SIEM Futures (2012)
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)Anton Chuvakin
 
RSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationAnton Chuvakin
 
Log management and compliance: What's the real story? by Dr. Anton Chuvakin
Log management and compliance: What's the real story? by Dr. Anton ChuvakinLog management and compliance: What's the real story? by Dr. Anton Chuvakin
Log management and compliance: What's the real story? by Dr. Anton ChuvakinAnton Chuvakin
 
On Content-Aware SIEM by Dr. Anton Chuvakin
On Content-Aware SIEM by Dr. Anton ChuvakinOn Content-Aware SIEM by Dr. Anton Chuvakin
On Content-Aware SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin
PCI 2.0 What's Next for PCI DSS  by Dr. Anton ChuvakinPCI 2.0 What's Next for PCI DSS  by Dr. Anton Chuvakin
PCI 2.0 What's Next for PCI DSS by Dr. Anton ChuvakinAnton Chuvakin
 
Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...
Navigating the Data Stream without Boiling the Ocean::  Case Studies in Effec...Navigating the Data Stream without Boiling the Ocean::  Case Studies in Effec...
Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...Anton Chuvakin
 

More from Anton Chuvakin (20)

Future of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsFuture of SOC: More Security, Less Operations
Future of SOC: More Security, Less Operations
 
SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?
 
Meet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinMeet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton Chuvakin
 
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
 
SOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinSOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton Chuvakin
 
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
 
20 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022
 
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020  Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020  Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
 
SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC
 
Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in Brief
 
Generic siem how_2017
Generic siem how_2017Generic siem how_2017
Generic siem how_2017
 
Tips on SIEM Ops 2015
Tips on SIEM Ops 2015Tips on SIEM Ops 2015
Tips on SIEM Ops 2015
 
Five SIEM Futures (2012)
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)
 
RSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics Presentation
 
Log management and compliance: What's the real story? by Dr. Anton Chuvakin
Log management and compliance: What's the real story? by Dr. Anton ChuvakinLog management and compliance: What's the real story? by Dr. Anton Chuvakin
Log management and compliance: What's the real story? by Dr. Anton Chuvakin
 
On Content-Aware SIEM by Dr. Anton Chuvakin
On Content-Aware SIEM by Dr. Anton ChuvakinOn Content-Aware SIEM by Dr. Anton Chuvakin
On Content-Aware SIEM by Dr. Anton Chuvakin
 
PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin
PCI 2.0 What's Next for PCI DSS  by Dr. Anton ChuvakinPCI 2.0 What's Next for PCI DSS  by Dr. Anton Chuvakin
PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin
 
Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...
Navigating the Data Stream without Boiling the Ocean::  Case Studies in Effec...Navigating the Data Stream without Boiling the Ocean::  Case Studies in Effec...
Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...
 

Recently uploaded

Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!Memoori
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Dynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationDynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationBuild Intuit
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneUiPathCommunity
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Deliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceDeliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceOpsTree solutions
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 

Recently uploaded (20)

Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Dynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationDynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientation
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyone
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Deliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceDeliver Latency Free Customer Experience
Deliver Latency Free Customer Experience
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 

"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin

  • 1. You Got That SIEM. Now What Do You Do? Dr. Anton Chuvakin Security Warrior Consulting www.securitywarriorconsulting.com BayThreat 2010
  • 2. DIRE WARNING: This presentation does NOT mention PCI DSS… …oh wait  www.pcicompliancebook.info
  • 3. DIRE DISCLAIMER: This presentation does NOT contains jokes about Cisco MARS!
  • 4. Outline Brief: What is SIEM/LM? “You got it!” SIEM Pitfalls and Challenges Useful SIEM Practices From Deployment Onwards SIEM “Worst Practices” Conclusions
  • 5. About Anton Former employee of SIEM and log management vendors Now consulting for SIEM vendors and SIEM users SANS class author (SEC434 Log Management) Author, speaker, blogger, podcaster (on logs, naturally )
  • 6. SIEM? Security Information and Event Management! (sometimes: SIM or SEM)
  • 8. SIEM and Log Management LM: Log Management Focus on all uses for logs SIEM: Security Information and Event Management Focus on security useof logs and other data
  • 9. Why SO many people think that “SIEM sucks?”
  • 10. SIEM Evolution 1997-2002 IDS and Firewall Worms, alert overflow, etc Sold “SOC in the box” 2003 – 2007 Above + Server + Context PCI DSS, SOX, users Sold “SOC in the box”++ 2008+ Above + Applications + … Fraud, activities, cybercrime Sold “SOC in the box”+++++
  • 11. What SIEM MUST Have? Log and Context Data Collection Normalization Correlation (“SEM”) Notification/alerting (“SEM”) Prioritization (“SEM”) Reporting and delivery (“SIM”) Security role workflow (IR, SOC, etc)
  • 12. What SIEM Eats: Logs <18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreendevice_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53) <57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006 <122> Mar 4 09:23:15 localhostsshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2 <13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon  account:  ANTON    Source Workstation: ENTERPRISE    Error Code: 0xC000006A     4574
  • 13. BTW… … yesterday I saw an RFC5424-compliant syslog message with structured data. OMG! They really do exist!! Well, this one does – produced by rsyslog application itself….
  • 14. What SIEM Eats: Context http://chuvakin.blogspot.com/2010/01/on-log-context.html
  • 15. Popular #SIEM_FAIL … in partial answer to “why people think SIEM sucks?” Misplaced expectations (“SOC-in-a-box”) Missing requirements (“SIEM…huh?”) Missed project sizing Political challenges with integration Lack of commitment Vendor deception (*) And only then: product not working 
  • 16. SIEM Planning Areas Goals and requirements Functionality / features Scoping of data collection Sizing Architecting
  • 17. What is a “Best Practice”? A process or practice that The leaders in the field are doing today Generally leads to useful results with cost effectiveness P.S. If you still hate it – say “useful practices”
  • 18. BP1 LM before SIEM! If you remember one thing from this, let it be: Deploy Log Management BEFORE SIEM! Q: Why do you think MOST 1990s SIEM deployments FAILED? A: There was no log management!
  • 19. Graduating from LM to SIEM Are you ready? Well, do you have… Response capability Prepared to response to alerts Monitoring capability Has an operational process to monitor Tuning and customization ability Can customize the tools and content
  • 21. BP2 Evolving to SIEM Steps of a journey … Establish response process Deploy a SIEM Think “use cases” Start filtering logs from LM to SIEM Phases! Prepare for the initial increase in workload
  • 22. Example LM->SIEM Filtering 3D: Devices / Network topology / Events Devices: NIDS/NIPS, WAF, servers Network: DMZ, payment network (PCI scope), other “key domains” Events: authentication, outbound firewall access Later: proxies, more firewall data, web servers
  • 23.
  • 28. Plan againPhased approach #1 Collect problems Plan architecture Start collecting Start reviewing Solve problem 1 Solve problem n
  • 29. BP3 SIEM First Steps First step = BABY steps! Compliance monitoring “Traditional” SIEM uses Authentication tracking IPS/IDS + firewall correlation Web application hacking Simple use cases based on your risks What problems do YOU want solved?
  • 30. Example SIEM Use Case Cross-system authentication tracking Scope: all systems with authentication Purpose: detect unauthorized access to systems Method: track login failures and successes Rule details: multiple login failures followed by login success Response plan: user account investigation, suspension, communication with suspect user
  • 31. 10 minutes or 10 months? A typical large customer takes 10 months to deploy a log management architecture based on our technology ? Our log management appliance can be racked, configured and collecting logs in 10 minutes
  • 32. Secret to SIEM Magic!
  • 33. What is a “Worst Practice”? As opposed to the “best practice” it is … What the losers in the field are doing today A practice that generally leads to disastrous results, despite its popularity
  • 34. WP for SIEM Project scope WP1: Postpone scope until after the purchase “The vendor says ‘it scales’ so we will just feed ALL our logs” Windows, Linux, i5/OS, OS/390, Cisco – send’em in! WP2: Assume you will be the only user of the tool “Steakholders”? What’s that?  Common consequence: two or more simiilartools are bought
  • 35. Case Study: “We Use’em All” At SANS Log Management Summit 200X… Vendors X, Y and Z claim “Big Finance” as a customer How can that be? Well, different teams purchased different products … About $2.3m wasted on tools that do the same!
  • 36. WPs for Deployment WP3: Expect The Vendor To Write Your Logging Policy OR Ignore Vendor Recommendations “Tell us what we need – tell us what you have” forever… WP4: Unpack the boxes and go! “Coordinating with network and system folks is for cowards!” Do you know why LM projects take months sometimes? WP5: Don’t prepare the infrastructure “Time synchronization? Pah, who needs it” WP6: Deploy Everywhere At Once “We need it everywhere!! Now!!”
  • 37. WPs for Expanding Deployment WP7: Don’t Bother With A Product Owner “We all use it – we all run it (=nobody does)” WP8: Don’t Check For Changed Needs – Just Buy More of the Same “We made the decision – why fuss over it?” WP9: If it works for 10, it will be OK for 10,000 “1,10,100, …, 1 trillion – they are just numbers”
  • 38. More Quick SIEM Tips Cost countless sleepless night and boatloads of pain…. No SIEM before IR plans/procedures No SIEM before basic log management Think "quick wins", not "OMG ...that SIEM boondoggle" Tech matters! But practices matter more Things will get worse before better. Invest time before collecting value!
  • 39. Conclusions SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required FOCUS on what problems you are trying to solve with SIEM: requirements! Phased approach WITH “quick wins” is the easiest way to go Operationalize!!!
  • 40. And If You Only … … learn one thing from this…. … then let it be….
  • 41. Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements Requirements Requirements Requirements Requirements Requirvements
  • 42. Questions? Dr. Anton Chuvakin Email:anton@chuvakin.org Site:http://www.chuvakin.org Blog:http://www.securitywarrior.org Twitter:@anton_chuvakin Consulting:http://www.securitywarriorconsulting.com
  • 43. More Resources Blog: www.securitywarrior.org Podcast: look for “LogChat” on iTunes Slides: http://www.slideshare.net/anton_chuvakin Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin Consulting: http://www.securitywarriorconsulting.com/
  • 44. More on Anton Consultant: http://www.securitywarriorconsulting.com Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide Standard developer: CEE, CVSS, OVAL, etc Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
  • 45. Security Warrior Consulting Services Logging and log management strategy, procedures and practices Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations Help integrate logging tools and processes into IT and business operations SIEM and log management content development Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations More at www.SecurityWarriorConsulting.com

Editor's Notes

  1. Got SIEM? Now what? Making SIEM work for you!Anton Chuvakin, Ph.D- Tuesday, November 9 - 7:00pm - 8:00pmSecurity Information and Event Management (SIEM) as well as log management tools have become more common across large organizations in recent years. SIEM and log management have also been a topic of hot debates. In fact, you organization might have purchased these tools already. However, many who acquired SIEM tools have realized that they are not ready to use many of the advanced correlation features, despite promises that &quot;they are easy to use.&quot; So, what should you do to achieve success with SIEM? What logs should you collect? Correlate? Review? How do you use log management as a step before SIEM? What process absolutely must be built before SIEM purchase becomes successful. Attend this session to learn from the experience of those who did not have the benefit of learning from other&apos;s mistakes. Also, learn a few tips on how to &quot;operationalize&quot; that SIEM purchase you&apos;ve made.============Only so much advice without knowing your environment/needs$10k consulting project CAN save $500k SIEM budget …Assumed in-sourced SIEM, no cloud, MSSP, co-sourcing, outsourcing, etc
  2. Does everybody need a SIEM?Do you need a SIEM?Are you ready for SIEM?Do you want a SIEM?
  3. CISO thinks that SIEM opportunity cost is too big; spend $100k on SIEM vs spend $100k to solve a dozen problems
  4. No problem is truly solved!!
  5. Security Information and Event Management = relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content.UPDATE - see infoBoomFundamental requirements missing- real or near real time data collection- policy management- personalization for unique SIEM consumer groups- external event correlation- case management- EMS integration Let’s further define what features can be called defining SIEM features; most organization will look for most of these features while choosing a SIEM product. The features are:1. Log and Context Data Collection includes being able to collect logs and context data using a combination of agent-based and agent-based methods.2. Normalization covers being able to convert most original logs into a universal format, usable for cross-source reporting and correlation.3. Correlation is used to describe rule-based correlation, statistical or algorithmic correlation as well as other methods that include relating different events to each other and events to context data.4. Notification/alerting includes being able to trigger notifications or alerts to operators or managers. Common alerting mechanisms include email, SMS, or even SNMP messages.5. Prioritization includes different features that help highlight the important events over less critical security events. This may be accomplished by correlating security events with vulnerability data or asset and identity information.6. Real-time views cover over security-monitoring dashboards and displays, used for security operations personnel. Such views are handy when looking at current system and user activity.7. Reporting and scheduled reporting cover all the historical views of data collected by the SIEM product. Some products also have a mechanism for distributing reports to security personnel, either over e-mail or using a dedicated web portal. SIEM reporting relies on parsing and normalizing log data.Security role workflow covers over incident management features such as being able to open incident cases, perform investigative triage, as well as automatically or semi-automatically perform other security operations tasks. WHAT LM MUST HAVE?!Broad Scope Log Data CollectionEfficient Log Data RetentionSearching Across All DataBroad Use Log Reporting Scalable Operation: Collection, Retention, Searching, Reporting
  6. Mention vulnerability data
  7. Buy correlation blog posts TBA(*) rarely just a vendor: “there is a sucker born every minute”
  8. Deploy – use - operationalize – get comfortable with!
  9. Organizations that graduate too soon will waste time and effort, and won&apos;t any increased efficiency in their security operation. However, waiting too long also means that the organization will never develop the necessary capabilities to secure themselves. In brief, the criteria are:Response capability: the organization must be ready to respond to alerts soon after they are produced.Monitoring capability: the organization must have or start to build security monitoring capability such as a Security Operation Center (SOC) or at least a team dedicated to ongoing periodic monitoring.Tuning and customization ability: the organization must accept the responsibility for tuning and customizing the deployed SIEM tool. Out-of-the-box SIEM deployments rarely succeed, or manage to reach their full potential. Just like college…  Graduation tips:Satisfy the graduation criteriaUse a LM vendors that has a good SIEMDeploy LM and use it operationallyPeriodic log reviews = first step to monitoringLook for integrated capability
  10. Happy with LM? Then go -&gt; SIEMPhased deployment!Filter some logs into SIEMHow to decide? Correlation, use cases, stakeholders, etcPrepare to build use cases slowlyThings to watch for while evolvingInitially increased workload: now you do more useful stuff!Just like college…  Graduation tips:Satisfy the graduation criteriaUse a LM vendors that has a good SIEMDeploy LM and use it operationallyPeriodic log reviews = first step to monitoringLook for integrated capability
  11. SIEM first stepsSimple use cases that are your own: based on key risks to your business, key issues you’d like to monitor forSecurity monitoring for complianceTraditional use (if customer does not have preferred use cases and does not know how to find them)IDS/IPS and firewall analysisLogin trackingWeb application hacking
  12. Log management and Security Information and Event Management (SIEM) product selection - how to pick the right SIEM and logging product?Develop log management or SIEM product selection criteria (related writing)Identify key use cases aligning log management and SIEM tools with business, compliance and security requirementsPrepare RFP documents for SIEM, SEM, SIM or log managementAssist with analyzing RFP responses from SIEM and log management vendorsEvaluate and test log management and SIEM products together with internal IT security teamAdvise on final product selectionLogging and log management policyLogging and log management policy - how to develop the right logging policy? What to log?Develop logging policies and processes for servers and applications , log review procedures, workflows and periodic tasks as well as help architect those to solve organization problemsInterpret regulations and create specific and actionable logging system settings , processes and log review procedures (example: what to log for PCI DSS?)Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validationCustomize industry &quot;best practices&quot; related to logging and log review to fit your environment, help link these practices to business services and regulations (example)Help integrate logging tools and processes into IT and business operationsSIEM and log management product operation optimization - how to get more value out of the tools available?Clarify security, compliance and operational requirementsTune and customize SIEM and log management tools based on requirementsContent developmentDevelop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needsCreate and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulationsTraining - how to get your engineers to use the tools best?Provide the customized training on the tools and practices of log management for compliance, IT operations, or security needs (example training conducted)Develop training on effective operation and tuning of SIEM and log management tools to complement basic vendor training.