More Related Content

Slideshows for you(15)

Similar to "You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin(20)

More from Anton Chuvakin(20)

Recently uploaded(20)

"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin

  1. Plan architecture
  2. Start collecting
  3. Start reviewing
  4. Solve problem 1

Editor's Notes

  1. Got SIEM? Now what? Making SIEM work for you!Anton Chuvakin, Ph.D- Tuesday, November 9 - 7:00pm - 8:00pmSecurity Information and Event Management (SIEM) as well as log management tools have become more common across large organizations in recent years. SIEM and log management have also been a topic of hot debates. In fact, you organization might have purchased these tools already. However, many who acquired SIEM tools have realized that they are not ready to use many of the advanced correlation features, despite promises that "they are easy to use." So, what should you do to achieve success with SIEM? What logs should you collect? Correlate? Review? How do you use log management as a step before SIEM? What process absolutely must be built before SIEM purchase becomes successful. Attend this session to learn from the experience of those who did not have the benefit of learning from other's mistakes. Also, learn a few tips on how to "operationalize" that SIEM purchase you've made.============Only so much advice without knowing your environment/needs$10k consulting project CAN save $500k SIEM budget …Assumed in-sourced SIEM, no cloud, MSSP, co-sourcing, outsourcing, etc
  2. Does everybody need a SIEM?Do you need a SIEM?Are you ready for SIEM?Do you want a SIEM?
  3. CISO thinks that SIEM opportunity cost is too big; spend $100k on SIEM vs spend $100k to solve a dozen problems
  4. No problem is truly solved!!
  5. Security Information and Event Management = relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content.UPDATE - see infoBoomFundamental requirements missing- real or near real time data collection- policy management- personalization for unique SIEM consumer groups- external event correlation- case management- EMS integration Let’s further define what features can be called defining SIEM features; most organization will look for most of these features while choosing a SIEM product. The features are:1. Log and Context Data Collection includes being able to collect logs and context data using a combination of agent-based and agent-based methods.2. Normalization covers being able to convert most original logs into a universal format, usable for cross-source reporting and correlation.3. Correlation is used to describe rule-based correlation, statistical or algorithmic correlation as well as other methods that include relating different events to each other and events to context data.4. Notification/alerting includes being able to trigger notifications or alerts to operators or managers. Common alerting mechanisms include email, SMS, or even SNMP messages.5. Prioritization includes different features that help highlight the important events over less critical security events. This may be accomplished by correlating security events with vulnerability data or asset and identity information.6. Real-time views cover over security-monitoring dashboards and displays, used for security operations personnel. Such views are handy when looking at current system and user activity.7. Reporting and scheduled reporting cover all the historical views of data collected by the SIEM product. Some products also have a mechanism for distributing reports to security personnel, either over e-mail or using a dedicated web portal. SIEM reporting relies on parsing and normalizing log data.Security role workflow covers over incident management features such as being able to open incident cases, perform investigative triage, as well as automatically or semi-automatically perform other security operations tasks. WHAT LM MUST HAVE?!Broad Scope Log Data CollectionEfficient Log Data RetentionSearching Across All DataBroad Use Log Reporting Scalable Operation: Collection, Retention, Searching, Reporting
  6. Mention vulnerability data
  7. Buy correlation blog posts TBA(*) rarely just a vendor: “there is a sucker born every minute”
  8. Deploy – use - operationalize – get comfortable with!
  9. Organizations that graduate too soon will waste time and effort, and won't any increased efficiency in their security operation. However, waiting too long also means that the organization will never develop the necessary capabilities to secure themselves. In brief, the criteria are:Response capability: the organization must be ready to respond to alerts soon after they are produced.Monitoring capability: the organization must have or start to build security monitoring capability such as a Security Operation Center (SOC) or at least a team dedicated to ongoing periodic monitoring.Tuning and customization ability: the organization must accept the responsibility for tuning and customizing the deployed SIEM tool. Out-of-the-box SIEM deployments rarely succeed, or manage to reach their full potential. Just like college…  Graduation tips:Satisfy the graduation criteriaUse a LM vendors that has a good SIEMDeploy LM and use it operationallyPeriodic log reviews = first step to monitoringLook for integrated capability
  10. Happy with LM? Then go -> SIEMPhased deployment!Filter some logs into SIEMHow to decide? Correlation, use cases, stakeholders, etcPrepare to build use cases slowlyThings to watch for while evolvingInitially increased workload: now you do more useful stuff!Just like college…  Graduation tips:Satisfy the graduation criteriaUse a LM vendors that has a good SIEMDeploy LM and use it operationallyPeriodic log reviews = first step to monitoringLook for integrated capability
  11. SIEM first stepsSimple use cases that are your own: based on key risks to your business, key issues you’d like to monitor forSecurity monitoring for complianceTraditional use (if customer does not have preferred use cases and does not know how to find them)IDS/IPS and firewall analysisLogin trackingWeb application hacking
  12. Log management and Security Information and Event Management (SIEM) product selection - how to pick the right SIEM and logging product?Develop log management or SIEM product selection criteria (related writing)Identify key use cases aligning log management and SIEM tools with business, compliance and security requirementsPrepare RFP documents for SIEM, SEM, SIM or log managementAssist with analyzing RFP responses from SIEM and log management vendorsEvaluate and test log management and SIEM products together with internal IT security teamAdvise on final product selectionLogging and log management policyLogging and log management policy - how to develop the right logging policy? What to log?Develop logging policies and processes for servers and applications , log review procedures, workflows and periodic tasks as well as help architect those to solve organization problemsInterpret regulations and create specific and actionable logging system settings , processes and log review procedures (example: what to log for PCI DSS?)Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validationCustomize industry "best practices" related to logging and log review to fit your environment, help link these practices to business services and regulations (example)Help integrate logging tools and processes into IT and business operationsSIEM and log management product operation optimization - how to get more value out of the tools available?Clarify security, compliance and operational requirementsTune and customize SIEM and log management tools based on requirementsContent developmentDevelop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needsCreate and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulationsTraining - how to get your engineers to use the tools best?Provide the customized training on the tools and practices of log management for compliance, IT operations, or security needs (example training conducted)Develop training on effective operation and tuning of SIEM and log management tools to complement basic vendor training.