MISTI Infosec 2010- SIEM Implementation

Talk that I gave in 2010 for the MIS Training Institute in Orlando. Two areas that garnered the most questions from the crowd were how to establish effective business objectives prior to implementing the SIEM in order to effectively manage expectations and of course vendor selection criteria. I could probably do a whole other talk on selecting a SIEM vendor.

Published in: Technology, Business
Slide 1
  • C9
  • Implementing Security Information and Event Management
  • Wednesday, April 21, 2010
  • 11:30 AM - 1:00 PM
  • Michael Nickle, CISSP
  • [email_address]

Slide 2: Key Points
  • Development of baseline business and technical requirements
  • Value of SIEM in managing compliance and risk mitigation
  • Walkthrough of a successful implementation
  • Post-implementation issues
  • Vendor selection criteria

Slide 3: Terminology
  • Aggregation
    • To gather together as a whole
    • A single repository for data
  • Normalization
    • To create consistent records
    • By type and format (syslog, application, Windows log)
  • Reporting
    • Interpreting data to create information over time
    • Mapped against goals to drive decisions

Slide 4: Terminology
  • Correlation
    • Determining relationships between data points
    • If a and b are not null, then c
  • Visualization
    • Translate events and data into pictures
    • Example: changing a device's color on a map
    • Creating hyperbolic trees to show traffic
Slide 5: Terminology

Slide 6: Looking at Business Requirements

Slide 7: Development of Baseline Requirements: Business
  • What is the problem that you are addressing?
    • This is the primary driver for procurement
    • Technical objectives should follow the statement of the problem
  • Set realistic requirements
    • Overly ambitious goals ultimately lead to a perceived failure
    • The point is to enable business activity
    • Create phases in the project plan to establish success and build on it

Slide 8: Development of Baseline Requirements: Business
  • Common business drivers:
    • Risk management
    • Service continuity
    • IT alignment
    • Regulatory compliance
  • The more clarity that exists as to the driver, the better the procurement

Slide 9: Development of Baseline Requirements: Business
  • Regulatory compliance
    • What standards affect the organization?
      • Internal policies
      • ISO
      • Regulations
        • SOX, HIPAA, GLBA, FISMA
      • Partner agreements
    • These dynamics may affect vendor selection

Slide 10: Development of Baseline Requirements: Business
  • Regulatory compliance
    • What is the organization required to supply by law?
      • Audit compliance
        • Governmental (SOX, FISMA, GLBA)
        • Industry regulation (FINRA, PCI)
      • Who is responsible for compliance?
      • Does non-compliance lead to fines? Sanctions?
    • Why it matters
      • Business continuation
      • Passing audit
      • Reporting requirements

Slide 11: Development of Baseline Requirements: Business
  • Regulatory compliance
    • Multiple standards may apply to a single organization
      • PCI-DSS requires log management and collection
      • SOX 404 requires privileged user reporting
      • HIPAA requires an audit trail on systems that 'process' PHI
Slide 12: Looking at Technical Requirements

Slide 13: Development of Baseline Requirements: Technical
  • Expected event rate
  • Incident response
  • Extensibility of solution
  • Integration with other applications

Slide 14: Development of Baseline Requirements: Technical
  • Expected event rate
    • Understand the average and peak event rates for your organization
    • Study event sources closely
      • Growth in the business versus event rates
        • Peak
        • Average
      • Is a source producing redundant events?

Slide 15: Development of Baseline Requirements: Technical
  • Incident response
    • Is the SIEM for incident response?
    • Automation
      • Notification
      • Workflow
      • Triggering
    • Workflow will need to be adapted

Slide 16: Development of Baseline Requirements: Technical
  • Extensibility of solution
    • What is the projected final state?
      • Departmental
      • Division
      • Enterprise-wide
      • Critical assets only

Slide 17: Development of Baseline Requirements: Technical
  • Extensibility of solution
    • What are the data retention requirements?
      • Typically driven by regulations
      • Reporting and investigation
      • DBMS adequacy
      • Online, near-line, archive

Slide 18: Development of Baseline Requirements: Technical
  • Extensibility of solution
    • How dispersed will the solution be?
      • Hierarchical versus distributed
      • Data latency is unavoidable
      • Character-set issues in normalization
      • Political versus technical issues

Slide 19: Development of Baseline Requirements: Technical
  • Integration with other applications
    • Implementing data feeds
      • No single solution supports everything out of the box
      • Understanding the feed is key to usable information
      • Agent / agentless

Slide 20: Development of Baseline Requirements: Technical
  • Workflow management
    • Change management
    • Ticketing within the SIEM
    • Approval processes
    • ERP
    • Identity provisioning lifecycle
  • Sticking points
    • Manual processes
    • Compatibility, e.g. XML, proprietary
    • SIEM has to integrate with existing

Slide 21: Development of Baseline Requirements: Technical
  • Integration with other applications
    • Workflow integration
      • Will the SIEM generate tickets? Where?
      • How does the SIEM fit into the network management strategy?
      • Is the provisioning lifecycle a factor?
Slide 22: Looking at Value of SIEM

Slide 23: Value of SIEM - Risk Management
  • Real corporate network
    • Events flowed into the SIEM
    • Protection of data integrity was the driver
    • Correlate events to actions
    • Integration with vulnerability management
    • More than 10,000 assets as data sources

  Event source          | Events*
  ----------------------+-----------
  UNIX syslogs          | 65,000
  Windows Event Log     | 1,036,800
  IDS and access logs   | 1,100,000
  Firewall              | 787,000
  Antivirus             | 12,000

  Events                       | 3 million
  Correlated events            | 15,000
  Distinctive security issues  | 24
  Incidents requiring action   | 8

Slide 24: Value of SIEM - Compliance Management
  • Public pharmacy benefit company
    • SOX 404 requires privileged user reporting
      • Report aggregates events and links log data to the identity management platform
    • PCI-DSS requires log management and collection
      • PCI hosts need to be within the solution scope
    • HIPAA requires an audit trail on systems that 'process' PHI
      • User data
      • Process data

Slide 25: Looking at Successful SIEM Implementation

Slide 26: SIEM Success Walkthrough
  • XYZ Corp. decided to acquire a SIEM
  • Business drivers:
  • Reporting as the key driver
    • Tired of compiling custom reports
    • Multi-platform insight non-existent
    • Auditors using staff time
  • Situational awareness is the secondary driver
    • A large percentage of enterprise value lies in digital assets

Slide 27: SIEM Success Walkthrough
  • Technical requirements:
  • Events per second
    • Average EPS in boundary ~ 10,000
    • Peak EPS ~ 25,000
    • Peak limited to the end-of-quarter reporting period
  • Incident response not a driver
    • Control remediation took precedence
    • Strong desire to integrate custom policy
  • Multiple departments
    • All on the same MPLS cloud

Slide 28: SIEM Success Walkthrough
  • Technical requirements:
  • Data retention
    • SOX relevant: 1 quarter + 7 years
    • Patented asset: 16 years (filing + 10 years)
    • Trade secrets: indefinite
  • Integration: data feed
    • Windows server
    • CA Identity Manager
    • AIX 4.2.1 - 6.1
    • Oracle DBMS
    • Hyperion

Slide 29: SIEM Success Walkthrough
  • Technical requirements:
  • Integration: application
    • ServiceDesk for ticket generation
    • Not integrated into the NMS
    • Strong desire to integrate with external reporting

Slide 30: SIEM Success Walkthrough
  • Implementation project:
  • Project initiated with a steering committee
    • Platform owners
    • Application owners
    • Security
    • Audit
  • 3 phases to the project
    • Base installation (hardware, DB, software)
    • SOX implementation
    • Asset implementation

Slide 31: SIEM Success Walkthrough
  • Project outcome:
  • Business objectives met
    • Auditors now have reports through a browser
    • High degree of confidence in protection of key assets
  • Technical objectives largely met
    • Hyperion integration breaks with new releases
    • Technical controls have improved
    • Ticketing is functional
    • External reporting not implemented (cost)
Slide 32: Looking at Post-Implementation Issues

Slide 33: Post-Implementation Issues - Issue #1 Cost
  • Support costs can exceed acquisition cost over a 5-year lifecycle
  • Database cost can greatly exceed the cost of the SIEM software
  • Training cost

Slide 34: Post-Implementation Issues - Issue #2 Complexity
  • Ensure that the project is well documented
  • Have technical resources review custom integration code
    • Understand the code
    • Ensure it is well commented
  • Diffusion of knowledge within the organization

Slide 35: Post-Implementation Issues - Issue #3 Ownership
  • Unlike AV or a firewall, a SIEM doesn't "fit" into a tidy security box
  • Multiple stakeholders can muddle ownership
  • Who is accountable for the SIEM and related data?
    • Complex hierarchies
    • Departments, partners, auditors

Slide 36: Looking at Vendor Selection

Slide 37: Vendor Selection Criteria
  • Business drivers
  • Technical requirements
  • Current technology mix
    • Is there a particular product your staff cannot manage?
  • Architecture
    • Hierarchical
    • Distributed
  • Interface and usability
  • Reporting

Slide 38: Vendor Selection Criteria
  • Vendor feature showdown
    • All of the products have an impressive list of features
    • Is a specific feature beneficial to your organization?
    • Difference between out-of-the-box functionality and product capabilities

Slide 39: Vendor Selection Criteria
  • Identity management
    • How well does the product integrate with your IdM infrastructure?
    • What is the security consequence of a changed password on a host?
    • Difference between out-of-the-box functionality and product capabilities
  • Network management integration
    • Most security groups are not 24/7
    • NOC/SIEM data flow
    • Is there a workflow to coordinate escalation and response?

Slide 40: Summary
  • Business objectives need to drive the acquisition
  • Understand your organization's needs prior to meeting with a vendor
  • 'Boil the ocean' implementations lead to disappointment
  • Tight integration with identity infrastructure eases the WHO question
  • TCO needs to be considered closely
  • Thanks for listening!
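As an added example, not part of the talk, the terminology from slides 3 and 4 in working code: two feeds are aggregated into one repository, a UNIX syslog line and a Windows logon event are normalized into the same record shape, and an "if a and b are not null, then c" rule correlates repeated failed logons followed by a success for the same user and source into an incident. Host names, users, addresses and log lines are constructed, and the Windows export format (timestamp,host,EventID,user,source IP) is an assumption for the example rather than any product's format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample feeds (not from the talk): UNIX syslog lines and a simplified
# Windows Security export as "timestamp,host,EventID,user,source IP".
SYSLOG = [
    "Apr 21 11:30:01 unixhost1 sshd[2211]: Failed password for jdoe from 10.1.1.7 port 5001 ssh2",
    "Apr 21 11:30:03 unixhost1 sshd[2211]: Failed password for jdoe from 10.1.1.7 port 5002 ssh2",
    "Apr 21 11:30:05 unixhost1 sshd[2211]: Failed password for jdoe from 10.1.1.7 port 5003 ssh2",
    "Apr 21 11:30:09 unixhost1 sshd[2212]: Accepted password for jdoe from 10.1.1.7 port 5004 ssh2",
]
WINLOG = ["2010-04-21 11:31:00,WIN-DC01,4625,asmith,10.1.1.9",  # 4625 = failed logon
          "2010-04-21 11:35:00,WIN-DC01,4624,asmith,10.1.1.9"]  # 4624 = successful logon
SSHD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")

def normalize_syslog(line, year=2010):
    """Normalization: map an sshd auth line onto the common record (syslog carries no year)."""
    m = SSHD_RE.match(line)
    if not m:
        return None  # not an authentication event, so it never enters this rule's feed
    return {"ts": datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), "host": m.group(2),
            "user": m.group(4), "src": m.group(5), "ok": m.group(3) == "Accepted", "type": "syslog"}

def normalize_windows(line):
    ts, host, event_id, user, src = line.split(",")
    if event_id not in ("4624", "4625"):
        return None  # only logon success/failure is normalized for this rule
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "host": host, "user": user,
            "src": src, "ok": event_id == "4624", "type": "windows"}

def correlate(records, min_failures=3, window_s=600):
    """a = min_failures failures for (user, src) within window_s, b = a later success: a and b -> c."""
    by_key = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_key[(r["user"], r["src"])].append(r)
    incidents = []
    for (user, src), evs in by_key.items():
        failures = []
        for ev in evs:
            failures = [f for f in failures if (ev["ts"] - f["ts"]).total_seconds() <= window_s]
            if not ev["ok"]:
                failures.append(ev)
            elif len(failures) >= min_failures:
                incidents.append({"user": user, "src": src, "host": ev["host"], "failures": len(failures)})
                failures = []  # this success consumed the cluster; do not raise it twice
    return incidents

def run():
    records = [r for r in map(normalize_syslog, SYSLOG) if r] + [r for r in map(normalize_windows, WINLOG) if r]
    return records, correlate(records)
```

With the constructed feeds, six of the seven lines normalize into the common record and the rule reduces them to a single incident, the same funnel shape slide 23 shows at scale.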
