Advanced SIEM Optimization
Joe Partlow
BSides Atlanta 2015
Joe Partlow (jpartlow@reliaquest.com) – CISO, ReliaQuest
Has been in the IT and information security industry for 15+ years and has
experience in Operations Management, Information Security, Network
Security, Systems Design, Risk Assessment, Database Administration, Network
Infrastructure, Web Application Development, Systems Design & Integration
and Project Management.
I just spend a lot of time playing around with SIEM and logging!
• Blue Team vs Red Team?
• Who currently manages a SIEM at work? User of a SIEM?
Security Information and Event Management (SIEM) systems let you consolidate the
million log sources you have into one spot and perform advanced correlation across
all of them.
• Compliance tells us we have to…
• Ex. Did the increase in WAF entries also correspond with login attempts against
our various internal applications or servers?
• You can’t defend against things you can’t see.
• Try searching across each individual server’s event logs for all activity from a
particular timeframe.
• Logs are boring, so let’s make something to analyze and alert on this stuff for
us.
• We don’t need one if we block it first at the IPS/firewall, then we don’t have
to worry about it, right?
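The WAF-versus-login correlation above is the kind of cross-source question a SIEM exists to answer. As an added example, not code from the talk or from any SIEM product, the Python below parses two constructed sample feeds (a simplified key=value WAF log and an application auth log; the format and the documentation-range addresses are assumptions) and reports every source that was blocked by the WAF and then attempted a login within ten minutes, rating a successful login after blocks higher than a run of failures.

```python
"""Cross-source correlation: WAF blocks followed by login attempts from the same source.

Both inputs are constructed sample lines in a simplified key=value format, not output
of any real WAF or application; they stand in for the normalized events a SIEM holds.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WAF_RE = re.compile(
    r"^(?P<ts>\S+) WAF (?P<action>\w+) src=(?P<src>\S+) rule=(?P<rule>\S+) uri=(?P<uri>\S+)$")
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) AUTH (?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+) app=(?P<app>\S+)$")

# Constructed sample data; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
# documentation ranges, so nothing here points at a real host.
WAF_LINES = [
    "2015-03-07T09:00:05 WAF block src=203.0.113.7 rule=sqli-001 uri=/login",
    "2015-03-07T09:00:09 WAF block src=203.0.113.7 rule=sqli-002 uri=/login",
    "2015-03-07T09:01:30 WAF block src=203.0.113.7 rule=xss-014 uri=/search",
    "2015-03-07T09:02:00 WAF block src=198.51.100.20 rule=scanner-003 uri=/",
    "2015-03-07T13:15:00 WAF block src=203.0.113.7 rule=sqli-001 uri=/admin",
    "2015-03-07T13:16:00 WAF allow src=192.0.2.44 rule=- uri=/",
]
AUTH_LINES = [
    "2015-03-07T09:03:12 AUTH failure user=admin src=203.0.113.7 app=hr-portal",
    "2015-03-07T09:03:40 AUTH failure user=jsmith src=203.0.113.7 app=hr-portal",
    "2015-03-07T09:04:05 AUTH success user=jsmith src=203.0.113.7 app=hr-portal",
    "2015-03-07T09:05:00 AUTH failure user=root src=198.51.100.20 app=billing",
    "2015-03-07T11:30:00 AUTH failure user=admin src=203.0.113.7 app=billing",
    "2015-03-07T09:10:00 AUTH success user=bob src=192.0.2.44 app=hr-portal",
]

WINDOW = timedelta(minutes=10)  # how long after a WAF block a login still "belongs" to it


def parse(lines, regex):
    """Parse lines into dicts; malformed lines are counted rather than silently dropped."""
    events, malformed = [], 0
    for line in lines:
        m = regex.match(line)
        if m is None:
            malformed += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events, malformed


def correlate(waf_events, auth_events, window=WINDOW):
    """Return {src: summary} for every source that was blocked by the WAF and then
    attempted a login within `window` after one of its blocks.  Each auth event is
    counted once, however many blocks precede it."""
    blocks = defaultdict(list)
    for w in waf_events:
        if w["action"] == "block":
            blocks[w["src"]].append(w["ts"])
    findings = {}
    for a in auth_events:
        stamps = blocks.get(a["src"])
        if not stamps or not any(t <= a["ts"] <= t + window for t in stamps):
            continue
        f = findings.setdefault(a["src"], {"waf_blocks": len(stamps), "failures": 0,
                                           "successes": 0, "apps": set(), "users": set()})
        f["failures" if a["result"] == "failure" else "successes"] += 1
        f["apps"].add(a["app"])
        f["users"].add(a["user"])
    return findings


def severity(summary):
    """A successful login shortly after WAF blocks is the case worth waking someone up for."""
    if summary["successes"]:
        return "high"
    return "medium" if summary["failures"] else "low"


if __name__ == "__main__":
    waf, _ = parse(WAF_LINES, WAF_RE)
    auth, _ = parse(AUTH_LINES, AUTH_RE)
    for src, s in sorted(correlate(waf, auth).items()):
        print(f"{src}: {severity(s)} blocks={s['waf_blocks']} failures={s['failures']} "
              f"successes={s['successes']} apps={sorted(s['apps'])} users={sorted(s['users'])}")
```

Run stand-alone it reports 203.0.113.7 as high (two failures, then a success, within minutes of three blocks) and 198.51.100.20 as medium; the 11:30 failure from 203.0.113.7 is outside every block's window and so is not counted, which is the point of keying the join on time as well as on source address.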
This is not a set-it-and-forget-it tool like a firewall. SIEM tools require constant
configuration and optimization rather than small incremental changes.
Many of the same problems as IDS/IPS:
• Need to constantly create/tune rules/alerts to adjust for new attack
signatures
• Business is always evolving and adding new technologies and applications
and we need to monitor those logs
• Easy to get overwhelmed with sheer volume of logs and alerts from those
logs
• Expensive! (Time and money)
All is not lost! It’s easy to feel like security and monitoring is a losing battle, but let’s
find some ways to make it easier on ourselves.
• Filter/Aggregate events – Start by importing all logs until you see what you
are getting, then scale back to what is important. Use Splunk or MS LogParser
for large files (ex. IIS logs).
• Tune alerts – Flooding the security team mailbox with thousands of alerts just
makes them get ignored or disabled. Make sure to set realistic thresholds and
aggregate alert events.
• Don’t overwhelm the SIEM – Make sure you scale up the SIEM hardware as you
add devices across the enterprise. Start with critical or PCI/HIPAA/X systems and
move outward. Slowness of the tool is one of the most common complaints.
• Those were easy, now for the hard ones…
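The "tune alerts" item is easier to follow with the mechanics visible. The Python below is an added example (not code from the talk or from any SIEM product) of the two knobs it mentions: a per-rule threshold that has to be met before anything fires, and aggregation of identical alerts into one summary per source per window. The alert names, thresholds and the 329 constructed raw alerts are assumptions made for the demonstration.

```python
"""Alert thresholding and aggregation: collapse floods of identical alerts into one
aggregated alert per source per window, and suppress groups under their threshold.
All alerts below are constructed sample data, not from any real deployment."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RawAlert:
    name: str   # rule/alert name as the SIEM emits it
    src: str    # what the alert is about (host, IP or user)
    ts: datetime


# Minimum raw alerts in a window before an aggregated alert is emitted.
# Unlisted names use DEFAULT_THRESHOLD, so a new rule is never silently muted.
THRESHOLDS = {"account_lockout": 5, "port_scan": 20, "malware_detected": 1}
DEFAULT_THRESHOLD = 1
WINDOW = timedelta(minutes=15)

T0 = datetime(2015, 3, 7, 10, 0, 0)
RAW_ALERTS = (
    # 300 lockouts for one source in five minutes: one alert, not 300 e-mails
    [RawAlert("account_lockout", "10.0.0.5", T0 + timedelta(minutes=3, seconds=i)) for i in range(300)]
    # 3 lockouts from another host: below threshold, ordinary fat-fingering
    + [RawAlert("account_lockout", "10.0.0.9", T0 + timedelta(minutes=4 + i)) for i in range(3)]
    # a single malware hit must always get through
    + [RawAlert("malware_detected", "10.0.0.7", T0 + timedelta(minutes=6))]
    # 25 port-scan alerts over eight minutes
    + [RawAlert("port_scan", "10.0.0.5", T0 + timedelta(minutes=2, seconds=20 * i)) for i in range(25)]
)


def window_start(ts, window=WINDOW):
    """Floor a timestamp to the start of its tumbling window."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // window) * window


def aggregate(raw_alerts, thresholds=THRESHOLDS, default_threshold=DEFAULT_THRESHOLD, window=WINDOW):
    """Group raw alerts by (name, src, window) and emit one summary per group whose
    count reaches the name's threshold.  Output is sorted by count, largest first."""
    groups = defaultdict(list)
    for a in raw_alerts:
        groups[(a.name, a.src, window_start(a.ts, window))].append(a.ts)
    out = []
    for (name, src, start), stamps in groups.items():
        threshold = thresholds.get(name, default_threshold)
        if len(stamps) < threshold:
            continue  # suppressed: below threshold for this window
        out.append({"name": name, "src": src, "count": len(stamps), "threshold": threshold,
                    "first_seen": min(stamps), "last_seen": max(stamps), "window_start": start})
    return sorted(out, key=lambda x: x["count"], reverse=True)


if __name__ == "__main__":
    summaries = aggregate(RAW_ALERTS)
    for alert in summaries:
        print(f"{alert['name']:16} {alert['src']:10} x{alert['count']:<4} "
              f"{alert['first_seen']:%H:%M:%S}-{alert['last_seen']:%H:%M:%S} (threshold {alert['threshold']})")
    print(f"{len(RAW_ALERTS)} raw alerts -> {len(summaries)} aggregated")
```

Tumbling windows are deliberately simple: a burst that straddles a window boundary is split in two and may fall under threshold on both sides, which is the usual reason a SIEM offers sliding windows as well. The mailbox still gets the single malware hit, because its threshold is 1.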
Windows event logs and syslog are only the beginning. Other types of logs are
important as well:
• Applications – In-house operational apps, HR, billing, manufacturing, etc.
• Windows protections – HIDS, AV, EMET, Applocker
• Weblogs – IIS, Apache, etc. – Poor man’s WAF
• Databases – User auditing has disadvantages; customize what gets pulled and
logged.
• MDM – Many users are using mobile devices on the network; restrict and
monitor via MDM or at least DNS.
• SNMP config data – Performance data might overwhelm but could be
aggregated with OSSEC or Nagios…
• VOIP servers – Asterisk etc…
• Cisco UCS API – better than SNMP
• DNS/DHCP logs
• SQL Server DMVs (Dynamic Management Views) for advanced SQL data
(mirroring, Full-Text Search, Filestream/FileTable etc.)
• How to get them (show 1337 code):
• Convert to syslog or write to the Windows event log
You must get visibility into EVERY area of the business and network. Most
companies don’t know what to log or even what is available. These include in-house
applications, databases, web logs and of course system logs. We could have a whole
con for this, but some questions to ask are:
• VMware – Do you have visibility when new machines are created or
deleted?
• Web Servers/WAF – Can you tell if injection attacks are being thrown at you
and if they were successful? One of the most common causes of breaches
so make sure you can see them.
• Show leet code
• Configuration auditing – do you know what machines are running cracked
Photoshop? Wireshark? Metasploit? Users don’t have admin rights to their
workstation, right?
• Windows Updates – Do you know if a system hasn’t been patched or
rebooted in a while?
• DNS records – Would you know if you got hijacked? Any bots phoning home?
How many users are going to www.securitytube.com? Draft them onto the team
or monitor all activities…
• OpenDNS has an API
• DHCP – need to attribute activity to a user. Match IP to workstation and even
logged-on user… (PowerShell is awesome!)
• Amazon/Azure Cloud API – Find out what’s up with your cloud
• Microsoft enterprise – SharePoint, Exchange, Forefront, Azure, System Center,
etc.
• Google Maps integration – Hook up geolocation or zip code mapping to visually
map
• Create dashboards and reports around every technology coming into the SIEM.
It’s too helpful and expensive to just be used as a log repository (although very
common).
• Any other interesting ones deployed in your environments? I have prizes…
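The DHCP item above (match an IP to a workstation and then to the logged-on user) is worth seeing end to end, because the naive version gets it wrong the moment a lease is released and reassigned. The Python below is an added example, not the speaker's PowerShell: the DHCP lines are constructed and only loosely follow the comma-separated layout of a Windows DHCP server audit log (event ID, date, time, description, IP, host, MAC), and the logon tuples stand in for the computer/account pairs you would pull from Windows logon auditing. Event-ID meanings, hostname forms and all times are assumptions.

```python
"""Attribute an IP address at a point in time to a workstation and a logged-on user.

Inputs are constructed samples: DHCP lines loosely follow the comma-separated layout of a
Windows DHCP server audit log (event ID, date, time, description, IP, host, MAC), and the
logon events stand in for the host/user pairs you would pull from Windows logon auditing.
Neither is real data."""
from collections import defaultdict
from datetime import datetime

DHCP_LOG = [
    "10,03/07/15,08:55:10,Assign,10.0.0.51,WS-1234.corp.example,001122334455,",
    "10,03/07/15,09:10:00,Assign,10.0.0.52,LT-0042.corp.example,66778899aabb,",
    "11,03/07/15,10:55:10,Renew,10.0.0.51,WS-1234.corp.example,001122334455,",
    "12,03/07/15,12:00:00,Release,10.0.0.51,WS-1234.corp.example,001122334455,",
    "10,03/07/15,12:05:00,Assign,10.0.0.51,LT-0077.corp.example,ccddeeff0011,",
    "00,03/07/15,12:06:00,Started,,,,",  # housekeeping entry, not a lease: ignored
]
LOGON_EVENTS = [  # (time, computer, account) of interactive logons, constructed
    ("2015-03-07T08:58:00", "WS-1234", "alice"),
    ("2015-03-07T09:12:00", "LT-0042", "bob"),
    ("2015-03-07T12:06:30", "LT-0077", "carol"),
    ("2015-03-07T13:00:00", "WS-1234", "dave"),
]

LEASE_EVENTS = {"10": "assign", "11": "renew", "12": "release"}  # assumed ID meanings


def short_host(name):
    """Normalize 'ws-1234.corp.example' and 'WS-1234' to the same key."""
    return name.split(".")[0].upper()


def parse_dhcp(lines):
    """Return {ip: [(ts, action, host), ...]} sorted by time, lease events only."""
    leases = defaultdict(list)
    for line in lines:
        fields = line.split(",")
        if len(fields) < 7 or fields[0] not in LEASE_EVENTS:
            continue
        ts = datetime.strptime(f"{fields[1]} {fields[2]}", "%m/%d/%y %H:%M:%S")
        leases[fields[4]].append((ts, LEASE_EVENTS[fields[0]], short_host(fields[5])))
    for events in leases.values():
        events.sort()
    return leases


def host_for(ip, when, leases):
    """Host holding `ip` at time `when`, or None if unknown or released."""
    current = None
    for ts, action, host in leases.get(ip, []):
        if ts > when:
            break
        current = None if action == "release" else host
    return current


def user_for(host, when, logons):
    """Account with the most recent logon on `host` at or before `when`, or None."""
    user, latest = None, None
    for ts_text, computer, account in logons:
        ts = datetime.fromisoformat(ts_text)
        if short_host(computer) == host and ts <= when and (latest is None or ts > latest):
            user, latest = account, ts
    return user


def attribute(ip, when, leases=None, logons=LOGON_EVENTS):
    """Map (ip, time) -> {'host': ..., 'user': ...}; either may be None.
    `when` is a datetime or an ISO 8601 string."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    leases = parse_dhcp(DHCP_LOG) if leases is None else leases
    host = host_for(ip, when, leases)
    return {"host": host, "user": user_for(host, when, logons) if host else None}


if __name__ == "__main__":
    for ip, t in [("10.0.0.51", "2015-03-07T09:30:00"), ("10.0.0.51", "2015-03-07T12:02:00"),
                  ("10.0.0.51", "2015-03-07T12:30:00"), ("10.0.0.52", "2015-03-07T09:11:00")]:
        print(ip, t, attribute(ip, t))
```

The same address resolves to WS-1234/alice at 09:30, to nobody at 12:02 (released), and to LT-0077/carol at 12:30; an IP seen before the first logon on its host gets a hostname but no user, rather than a guess.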
Unfortunately most of the time the security team is last to know about servers
being brought online or decommissioned. We need to have a handle on the device
inventory. What can we do?
• Regular nmap scans, compared against the internal SIEM host inventory
• Import vulnerability scans – Cuts down on noise by adjusting the severity of an
alert if the destination system has a vulnerability on that port.
• Import from inventory systems (Altiris, HPNA, SCCM, MS Excel etc.) – Keep
it up to date!
• Set baselines – Run the SIEM for a few weeks to know what is a normal
amount of login attempts, protocols in use, netflow traffic, etc. before you
turn on all the alerts.
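The four inventory steps above fit together as one enrichment pipeline. As an added example (Python, not code from the talk or any inventory product), the block below reconciles a constructed nmap-style scan against a constructed inventory export, re-rates an alert from what the scan and an imported vulnerability list say about the destination port, and derives a mean-plus-three-sigma baseline from constructed hourly failed-logon counts. Severity levels, the inventory, the scan and the vulnerability findings are all assumptions.

```python
"""Inventory reconciliation, vulnerability-aware alert severity and a login-rate baseline.
All inventory, scan and vulnerability data below is constructed sample data, not an
export from any real tool."""
import statistics

# Asset inventory as exported from SCCM/Altiris/a spreadsheet: ip -> hostname (constructed)
INVENTORY = {"10.0.0.10": "web-01", "10.0.0.11": "db-01", "10.0.0.12": "app-01"}
# Open TCP ports per host from a scheduled nmap run (constructed)
SCAN_RESULTS = {"10.0.0.10": {80, 443}, "10.0.0.11": {1433, 3389}, "10.0.0.13": {22, 8080}}
# Imported vulnerability-scan findings keyed by (ip, port) -> severity (constructed)
VULNS = {("10.0.0.11", 1433): "critical", ("10.0.0.10", 80): "low"}

LEVELS = ["info", "low", "medium", "high", "critical"]


def reconcile(inventory, scan_results):
    """Hosts the scanner saw but the inventory does not know, and vice versa."""
    seen, known = set(scan_results), set(inventory)
    return {"unknown_hosts": sorted(seen - known), "missing_from_scan": sorted(known - seen)}


def bump(level, steps):
    """Move a severity up or down the scale without running off either end."""
    return LEVELS[max(0, min(len(LEVELS) - 1, LEVELS.index(level) + steps))]


def adjust_severity(alert, base="medium", inventory=INVENTORY, scan_results=SCAN_RESULTS, vulns=VULNS):
    """Re-rate an alert about traffic to (dst, dport) using what we know about the target.
    Returns (severity, reason)."""
    dst, port = alert["dst"], alert["dport"]
    if dst not in inventory:
        return bump(base, 1), "destination not in inventory: unknown device"
    open_ports = scan_results.get(dst)
    if open_ports is not None and port not in open_ports:
        return "info", "port closed on destination: noise"
    vuln = vulns.get((dst, port))
    if vuln:
        return LEVELS[max(LEVELS.index(base), LEVELS.index(vuln))], f"destination vulnerable on port: {vuln}"
    return base, "no enrichment applied"


def baseline_threshold(samples, k=3.0):
    """Mean + k population standard deviations of a metric seen during the learning period."""
    return statistics.mean(samples) + k * statistics.pstdev(samples)


def exceeds_baseline(value, samples, k=3.0):
    return value > baseline_threshold(samples, k)


# Failed logons per hour observed over the learning period (constructed)
HOURLY_FAILED_LOGONS = [12, 15, 9, 14, 11, 13, 10, 16]

if __name__ == "__main__":
    print(reconcile(INVENTORY, SCAN_RESULTS))
    for a in ({"dst": "10.0.0.11", "dport": 1433}, {"dst": "10.0.0.10", "dport": 22},
              {"dst": "10.0.0.10", "dport": 443}, {"dst": "10.0.0.13", "dport": 22}):
        print(a, "->", adjust_severity(a))
    print("threshold", round(baseline_threshold(HOURLY_FAILED_LOGONS), 2),
          "40 anomalous?", exceeds_baseline(40, HOURLY_FAILED_LOGONS))
```

Two design choices matter: an alert aimed at a port the last scan found closed drops to informational (that is where most of the noise goes), and a destination the inventory has never heard of is escalated rather than ignored, because an unknown device is itself a finding. The baseline only means something if the learning period was clean, which is why the talk says to run for a few weeks before turning the alerts on.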
This is probably one of the biggest areas for improvement and one of the least
common setups that I see. It’s time consuming to set up and maintain the lists and
expensive to buy them, but they are usually your first indicator of malicious attempts…
• Very easy to setup an alert for matching on any source or destination IP that
is in our bad people list.
• Do you have customers in other countries? If not, start with this. If so,
should it only be web traffic? Probably not SSH…
• Problem is that no-one has time to keep up with all the new threats. We all
wish we could spend time doing actual research instead of looking at
account lockouts…
• Anyone able to run honeypots? How about just honey hashes or canary
files/records?
• OSINT is our friend! AlienVault, Facebook, etc. all have threat sharing
programs.
• Live memory monitoring – Most malware is only memory resident, so let’s try to
find it before it hits the network. Ex. EnCase Enterprise, regular Volatility
dump/analysis.
• Live network monitoring – Use your IDS/IPS integration; it’s not as common as it
should be. PCAP parsing; the Nield tool looks promising as well…
• Continued expansion of UTM – The more sources we can get, the better.
(AV/Malware/Phishing etc.)
• Integration Commands – Cool feature in ArcSight to extend functionality (use
Snort, nmap, windump, Nessus, forensics from within an event viewer)
• Mobile devices – the Android logging library now has built-in Splunk logging available
Monitor the latest attacks – How many people are monitoring for well-known,
misbehaving URLs or IP addresses?
• Threatstream/Mandiant/Looking Glass/etc. – Commercial feeds
• APT1
• Dshield
• Malwaredomainlist.com
• Known botnets or C&C servers
• List goes on and on and new ones daily…
• With great power comes great responsibility.
• Make sure it’s your network. Just sharing pastebin links can get you terrorism
charges – ask Weev
• Make sure you know where your network ends. Don’t trust the A records!
• Make sure you are authorized to run pen tests on your network (even if you are
on the security team)
• Work with the sys admins. Accidents happen and you don’t want to explain to
the C-Level guys why you caused a production outage. Or even worse, that it
took hours to figure out why.
• Work with those red teamers – these guys will be more than willing to point out
the weak points
Attackers are sharing techniques and tactics, but that is rarely seen on the defensive side. I
know it’s not as glamorous as trading 1337 sploitz, but let’s face it, most of us are
tasked with this day to day.
• Forensics sites and forums are a good start
• SANS ISC Diary (http://isc.sans.edu/diary.html)
• AlienVault Community – More and more SIEM vendors are trying to do this
• Local groups (Vendor specific, Def Con, Linux User Groups, Hackerspaces,
etc.)
danishmna97
 
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Zilliz
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 

Recently uploaded (20)

Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 

Information Security: Advanced SIEM Techniques

1. Advanced SIEM Optimization
   Joe Partlow, BSides Atlanta 2015
2. Joe Partlow (jpartlow@reliaquest.com) – CISO, ReliaQuest
   Been in the IT and information security industry for 15+ years and has experience in Operations Management, Information Security, Network Security, Systems Design, Risk Assessment, Database Administration, Network Infrastructure, Web Application Development, Systems Design & Integration and Project Management. I just spend a lot of time playing around with SIEM and logging!
3. Audience check
   • Blue Team vs Red Team?
   • Who currently manages a SIEM at work? User of a SIEM?
4. Security Incident & Event Management (SIEM) systems allow you to consolidate the million log sources you have in one spot and perform advanced correlation across all the various log sources.
   • Compliance tells us we have to…
   • Ex. Did the increase in WAF entries also correspond with login attempts for our various internal applications or servers?
   • You can’t defend against things you can’t see.
   • Try searching across each individual server’s event logs for all activity from a particular timeframe.
   • Logs are boring, so let’s make something to analyze and alert on this stuff for us.
   • We don’t need to if we block it first at our IPS/Firewall; then you don’t have to worry about it, right? :)
5. This is not a set-it-and-forget-it tool like a firewall. SIEM tools require constant configuration and optimization instead of small incremental changes. Many of the same problems as IDS/IPS:
   • Need to constantly create/tune rules/alerts to adjust for new attack signatures
   • Business is always evolving and adding new technologies and applications, and we need to monitor those logs
   • Easy to get overwhelmed with the sheer volume of logs and alerts from those logs
   • Expensive! (Time and money)
6. All is not lost! It’s easy to feel like security and monitoring is a losing battle, but let’s find some ways to make it easier on ourselves.
   • Filter/Aggregate events – Start with importing all logs until you see what you are getting, then scale back to what is important. Use Splunk or MS LogParser for large files (ex. IIS logs).
   • Tune alerts – Flooding the security team mailbox with 1000’s of alerts just makes them get ignored or disabled. Make sure to set realistic thresholds and aggregate alert events.
   • Don’t overwhelm the SIEM – Make sure you scale up the SIEM hardware as you add devices across the enterprise. Start with critical or PCI/HIPAA/X systems and move outward. Slowness of the tool is one of the most common complaints.
   • Those were easy, now for the hard ones…
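The "tune alerts" point above in code: an added example (not from the talk) that collapses a burst of failed logons into one alert per source and time window, so a threshold of five failures in ten minutes produces a single aggregated alert instead of one mail per event. The event tuples and the threshold/window values are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the talk): failed logons as a SIEM
# would normalise them, as (timestamp, source IP, target account).
EVENTS = [
    ("2015-10-03 09:00:01", "10.0.0.5", "jsmith"),
    ("2015-10-03 09:00:03", "10.0.0.5", "jsmith"),
    ("2015-10-03 09:00:04", "10.0.0.5", "jsmith"),
    ("2015-10-03 09:00:06", "10.0.0.5", "jsmith"),
    ("2015-10-03 09:00:09", "10.0.0.5", "jsmith"),
    ("2015-10-03 09:00:12", "10.0.0.5", "admin"),
    ("2015-10-03 09:00:15", "10.0.0.5", "admin"),
    ("2015-10-03 09:01:30", "10.0.0.9", "bjones"),   # a single typo: below threshold
    ("2015-10-03 09:20:00", "10.0.0.5", "jsmith"),   # later window, below threshold
]

def _alert(src, w):
    first, count, targets, last = w
    return {"source": src, "count": count, "targets": sorted(targets),
            "first": first.strftime("%H:%M:%S"), "last": last.strftime("%H:%M:%S")}

def aggregate_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Collapse raw failed-logon events into at most one alert per source
    and time window. A window opens at a source's first failure and is
    closed by the first event arriving more than `window` after it opened;
    an alert is emitted only if the window's count reached `threshold`.
    Nine raw events here become one alert; the rest never reach a mailbox."""
    windows = {}   # source -> [first_seen, count, targets, last_seen]
    alerts = []
    for ts, src, target in sorted(events):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        w = windows.get(src)
        if w is not None and t - w[0] > window:
            if w[1] >= threshold:
                alerts.append(_alert(src, w))
            w = None
        if w is None:
            w = windows[src] = [t, 0, set(), t]
        w[1] += 1
        w[2].add(target)
        w[3] = t
    # flush windows still open at the end of the batch
    for src, w in windows.items():
        if w[1] >= threshold:
            alerts.append(_alert(src, w))
    return alerts
```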
7. Windows event logs and syslog are only the beginning. Other types of logs are important as well:
   • Applications – In-house operational apps, HR, billing, manufacturing, etc.
   • Windows protections – HIDS, AV, EMET, AppLocker
   • Web logs – IIS, Apache, etc. – Poor man’s WAF :)
   • Databases – User auditing has disadvantages; customize what gets pulled and logged.
   • MDM – Many users using mobile devices on the network; restrict and monitor via MDM or at least DNS.
   • SNMP config data – Performance data might overwhelm but could be aggregated with OSSEC or Nagios…
8. More sources
   • VOIP servers – Asterisk, etc.
   • Cisco UCS API – better than SNMP :)
   • DNS/DHCP logs
   • SQL Server DMVs (Dynamic Management Views) for advanced SQL data (mirroring, Full-Text Search, Filestream/FileTable, etc.)
   • How to get them (show 1337 code): convert to syslog or write to the Windows event log
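For the "convert to syslog" route, an added example (not the talk's demo code) that renders an in-house application event as an RFC 5424 syslog line: it computes the PRI from facility and severity, puts the app's extra fields into structured data so the SIEM gets key/value pairs instead of free text, and escapes the characters the RFC requires. The billing event, host and app names are constructed; `app@32473` uses the enterprise number RFC 5424 reserves for documentation.

```python
import socket
from datetime import datetime, timezone

FACILITY = {"user": 1, "auth": 4, "local0": 16, "local1": 17}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed example of an in-house app event as the app might hand it over.
BILLING_EVENT = {
    "time": datetime(2015, 10, 3, 14, 5, 9, tzinfo=timezone.utc),
    "severity": "warning",
    "msg": "Invoice export failed",
    "user": "bjones", "invoice": "INV-1042", "error": 'timeout after 30s "db2"',
}

def _sd_escape(value):
    # RFC 5424 6.3.3: '"', '\' and ']' inside a PARAM-VALUE are backslash-escaped
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def to_syslog(app_event, hostname, app_name, facility="local0", sd_id="app@32473"):
    """Render app_event as one RFC 5424 line:
    <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    'time', 'severity' and 'msg' are consumed; every other key becomes a
    structured-data parameter. PROCID and MSGID are sent as NILVALUE ('-')."""
    pri = FACILITY[facility] * 8 + SEVERITY[app_event["severity"]]
    ts = app_event["time"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    extras = {k: v for k, v in app_event.items() if k not in ("time", "severity", "msg")}
    sd = "-"
    if extras:
        params = " ".join(f'{k}="{_sd_escape(v)}"' for k, v in sorted(extras.items()))
        sd = f"[{sd_id} {params}]"
    return f"<{pri}>1 {ts} {hostname} {app_name} - - {sd} {app_event['msg']}"

def send_udp(line, collector_host, port=514):
    """Ship one rendered line to a syslog collector over UDP (not called here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (collector_host, port))
```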
9. You must get visibility into EVERY area of the business and network. Most companies don’t know what to log or even what is available. These include in-house applications, databases, web logs and of course system logs. We could have a whole con for this, but some questions to ask are:
   • VMware – Do you have visibility when new machines are created or deleted?
   • Web Servers/WAF – Can you tell if injection attacks are being thrown at you and if they were successful? One of the most common causes of breaches, so make sure you can see them.
   • Show leet code
   • Configuration auditing – Do you know what machines are running cracked Photoshop? Wireshark? Metasploit? Users don’t have admin rights to their workstation, right? :)
   • Windows Updates – Do you know if a system hasn’t been patched or rebooted in a while?
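The web-server question above ("are injection attempts being thrown at you, and did any succeed?") as detection logic, an added example not from the talk: it parses Apache combined-format lines, flags requests whose decoded URL matches an injection signature, and marks a hit as a possible success when it returned 200 with a body several times larger than the median clean response for that path (the size heuristic and the four log lines are constructed).

```python
import re
from statistics import median
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (not from the talk). The last two
# carry injection attempts; only the last one got a 200 with an oversized body.
LOG_LINES = [
    '10.1.1.20 - - [03/Oct/2015:10:00:01 -0400] "GET /products.php?id=7 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '10.1.1.21 - - [03/Oct/2015:10:00:05 -0400] "GET /products.php?id=8 HTTP/1.1" 200 2290 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Oct/2015:10:00:09 -0400] "GET /products.php?id=7%27%20AND%201%3D2-- HTTP/1.1" 500 512 "-" "scanner/1.0"',
    '203.0.113.9 - - [03/Oct/2015:10:00:11 -0400] "GET /products.php?id=7%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 48120 "-" "scanner/1.0"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')
# Signatures are applied to the URL-decoded, lower-cased request line.
SIGNATURES = [
    ("sqli", re.compile(r"\bunion\b.*\bselect\b|'\s*(?:or|and)\s+\d+\s*=\s*\d+|;\s*drop\b")),
    ("xss", re.compile(r"<\s*script|javascript:")),
    ("traversal", re.compile(r"\.\./")),
]

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    r = m.groupdict()
    r["status"] = int(r["status"])
    r["bytes"] = 0 if r["bytes"] == "-" else int(r["bytes"])
    r["path"] = r["url"].partition("?")[0]
    r["decoded"] = unquote_plus(r["url"]).lower()   # undo %27 etc. before matching
    return r

def find_injections(lines, size_factor=5):
    """Return one hit per request matching a signature. 'possible_success'
    is set when the request got a 200 and its body was more than
    size_factor times the median clean 200 response for the same path."""
    reqs = [r for r in map(parse, lines) if r]
    for r in reqs:
        r["sig"] = next((name for name, rx in SIGNATURES if rx.search(r["decoded"])), None)
    baseline = {}   # path -> body sizes of clean 200 responses
    for r in reqs:
        if r["sig"] is None and r["status"] == 200:
            baseline.setdefault(r["path"], []).append(r["bytes"])
    hits = []
    for r in reqs:
        if r["sig"] is None:
            continue
        normal = median(baseline[r["path"]]) if r["path"] in baseline else None
        success = r["status"] == 200 and normal is not None and r["bytes"] > size_factor * normal
        hits.append({"ip": r["ip"], "path": r["path"], "sig": r["sig"],
                     "status": r["status"], "possible_success": success})
    return hits
```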
10. Even more sources
   • DNS records – Would you know if you got hijacked? Any bots phoning home? How many users are going to www.securitytube.com? Draft them onto the team or monitor all activities…
   • OpenDNS has an API :)
   • DHCP – Need to attribute activity to a user. Match IP to workstation and even logged-on user… (PowerShell is awesome!)
   • Amazon/Azure Cloud API – Find out what’s up with your cloud
   • Microsoft enterprise – SharePoint, Exchange, Forefront, Azure, System Center, etc.
   • Google Maps integration – Hook up geolocation or zip code mapping to visually map
   • Create dashboards and reports around every technology coming into the SIEM. It’s too helpful and expensive to just be used as a log repository (although very common).
   • Any other interesting ones deployed in your environments? I have prizes…
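The DHCP point, IP to workstation to logged-on user, as an added example (not the talk's PowerShell): it indexes DHCP assign/release events and Windows logon events by time, then answers "who was behind this IP at this moment?" with the lease active at that time and the latest logon on that host before it. A release maps the IP to nobody so traffic after the lease ends is not blamed on the old owner. Hostnames, users and times are constructed.

```python
from bisect import bisect_right
from datetime import datetime

# Constructed records (not from the talk). DHCP events as (time, ip, hostname,
# action) in the order a DHCP audit log emits them; logon events as
# (time, hostname, user), like Windows 4624 logons forwarded to the SIEM.
DHCP_EVENTS = [
    ("2015-10-03 08:00:00", "10.0.0.5", "WS-ALPHA", "assign"),
    ("2015-10-03 08:05:00", "10.0.0.9", "WS-BRAVO", "assign"),
    ("2015-10-03 12:00:00", "10.0.0.5", "WS-ALPHA", "release"),
    ("2015-10-03 12:10:00", "10.0.0.5", "WS-CHARLIE", "assign"),   # IP reused
]
LOGON_EVENTS = [
    ("2015-10-03 08:01:00", "WS-ALPHA", "jsmith"),
    ("2015-10-03 08:06:00", "WS-BRAVO", "bjones"),
    ("2015-10-03 12:11:00", "WS-CHARLIE", "tlee"),
]

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def build_index(dhcp_events=DHCP_EVENTS, logon_events=LOGON_EVENTS):
    """by_ip: ip -> sorted [(time, hostname or None)], None marking a release.
    by_host: hostname -> sorted [(time, user)]."""
    by_ip, by_host = {}, {}
    for ts, ip, host, action in dhcp_events:
        by_ip.setdefault(ip, []).append((_t(ts), host if action == "assign" else None))
    for ts, host, user in logon_events:
        by_host.setdefault(host, []).append((_t(ts), user))
    for lst in list(by_ip.values()) + list(by_host.values()):
        lst.sort(key=lambda e: e[0])
    return by_ip, by_host

def _latest_before(entries, when):
    # entries are sorted by time; value of the last entry at or before `when`
    times = [t for t, _ in entries]
    i = bisect_right(times, when)
    return entries[i - 1][1] if i else None

def attribute(ip, when, by_ip, by_host):
    """(hostname, user) to pin traffic from `ip` at `when` on; None where unknown."""
    at = _t(when)
    host = _latest_before(by_ip.get(ip, []), at)
    user = _latest_before(by_host.get(host, []), at) if host else None
    return host, user
```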
11.
12.
13. Unfortunately, most of the time the security team is the last to know about servers being brought online or decommissioned. We need to have a handle on the device inventory. What can we do?
   • Regular nmap scans, and bounce them against the internal SIEM host inventory
   • Import vulnerability scans – Cuts down on noise by adjusting the severity of an alert if the destination system has a vulnerability on that port.
   • Import from inventory systems (Altiris, HPNA, SCCM, MS Excel, etc.) – Keep it up to date!
   • Set baselines – Run the SIEM for a few weeks to know what is a normal amount of login attempts, protocols in use, netflow traffic, etc. before you turn on all the alerts.
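The first three bullets as one asset-context step, an added example not from the talk: it reports scanned hosts missing from the inventory, then adjusts an alert's severity up when the destination has a scanner finding on the targeted port and (an extension of the slide's idea) down when the last nmap run shows that port is not even open. Inventory, port and finding data are constructed, and the finding ids are placeholders.

```python
# Constructed sample data (not from the talk): a CMDB export, open ports from
# an nmap run, and scanner findings as (ip, port, finding id, severity).
INVENTORY = {"10.0.1.10": "web01", "10.0.1.11": "web02", "10.0.1.20": "db01"}
NMAP_OPEN_PORTS = {"10.0.1.10": {80, 443}, "10.0.1.11": {22, 80, 443},
                   "10.0.1.20": {1433}, "10.0.1.99": {3389}}
VULN_FINDINGS = [
    ("10.0.1.11", 22, "FINDING-PLACEHOLDER-1", "high"),
    ("10.0.1.20", 1433, "FINDING-PLACEHOLDER-2", "critical"),
]
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

def unknown_hosts(open_ports=NMAP_OPEN_PORTS, inventory=INVENTORY):
    """Hosts the scanner found that the inventory has never heard of."""
    return sorted(set(open_ports) - set(inventory))

def _bump(severity, steps):
    # move up or down SEVERITY_ORDER, clamped at both ends
    i = SEVERITY_ORDER.index(severity) + steps
    return SEVERITY_ORDER[max(0, min(i, len(SEVERITY_ORDER) - 1))]

def enrich_alert(alert, inventory=INVENTORY, open_ports=NMAP_OPEN_PORTS,
                 findings=VULN_FINDINGS):
    """Return a copy of alert (dst_ip, dst_port, severity, ...) with severity
    adjusted from asset context and a 'notes' list explaining why."""
    ip, port = alert["dst_ip"], alert["dst_port"]
    out = dict(alert, notes=[])
    vulns = [fid for vip, vport, fid, _ in findings if vip == ip and vport == port]
    if vulns:
        out["severity"] = _bump(alert["severity"], +1)
        out["notes"].append("destination has open finding(s): " + ", ".join(vulns))
    elif ip in open_ports and port not in open_ports[ip]:
        out["severity"] = _bump(alert["severity"], -1)
        out["notes"].append("port not open per last nmap scan")
    if ip not in inventory:
        out["notes"].append("destination not in inventory")
    return out
```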
14. This is probably one of the biggest areas for improvement and one of the least common setups that I see. It’s time consuming to set up and maintain the lists and expensive to buy them, but usually your first indicator of malicious attempts…
   • Very easy to set up an alert for matching on any source or destination IP that is in our bad people list.
   • Do you have customers in other countries? If not, start with this. If so, should it only be web traffic? Probably not SSH…
   • Problem is that no one has time to keep up with all the new threats. We all wish we could spend time doing actual research instead of looking at account lockouts…
   • Anyone able to run honeypots? How about just honey hashes or canary files/records?
   • OSINT is our friend! AlienVault, Facebook, etc. all have threat sharing programs.
15. Going further
   • Live memory monitoring – Most malware is only memory resident, so let’s try to find it before it hits the network. Ex. EnCase Enterprise, regular Volatility dump/analysis.
   • Live network monitoring – Use your IDS/IPS integration; it’s not as common as it should be. PCAP parsing, the Nield tool looks promising as well…
   • Continued expansion of UTM – The more sources we can get, the better. (AV/Malware/Phishing, etc.)
   • Integration Commands – Cool feature in ArcSight to extend functionality (use Snort, nmap, windump, Nessus, forensics from within an event viewer)
   • Mobile devices – Android logging library now has built-in Splunk logging available
16. Monitor the latest attacks – How many people are monitoring for well-known, misbehaving URLs or IP addresses?
   • Threatstream/Mandiant/Looking Glass/etc. – Commercial feeds
   • APT1
   • Dshield
   • Malwaredomainlist.com
   • Known botnets or C&C servers
   • List goes on and on, and new ones daily…
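Slides 14 and 16 describe the same two checks: match source or destination against a threat list, and treat foreign sources as suspicious unless they are hitting the services the business actually sells abroad. This added example (not from the talk) implements both with CIDR matching; the threat-list prefixes, the country table (XA/XB are made-up country codes), the internal ranges and the allowed ports are all constructed stand-ins for a feed, a GeoIP lookup and local policy.

```python
import ipaddress

# Constructed lists (not from the talk). BAD_NETWORKS stands in for a threat
# feed (the slide's "bad people list"), COUNTRY_PREFIXES for a GeoIP table,
# INTERNAL_NETWORKS for our own address space.
BAD_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
COUNTRY_PREFIXES = {"XA": [ipaddress.ip_network("192.0.2.0/24")],
                    "XB": [ipaddress.ip_network("198.51.100.0/24")]}
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
HOME_COUNTRY = "XA"
FOREIGN_ALLOWED_PORTS = {80, 443}   # web customers abroad are expected; SSH from abroad is not

def _in_any(ip, networks):
    """First network containing ip, or None (a SIEM would use an indexed lookup)."""
    return next((n for n in networks if ip in n), None)

def country_of(ip):
    """Country code from the prefix table, or None when the IP is not in it."""
    for cc, nets in COUNTRY_PREFIXES.items():
        if _in_any(ip, nets) is not None:
            return cc
    return None

def evaluate(event):
    """event: {'src_ip', 'dst_ip', 'dst_port'}. Returns the list of reasons the
    event should alert; an empty list means neither check matched."""
    reasons = []
    for role in ("src_ip", "dst_ip"):
        ip = ipaddress.ip_address(event[role])
        hit = _in_any(ip, BAD_NETWORKS)
        if hit is not None:
            reasons.append(f"{role} {ip} is in threat list entry {hit}")
    src = ipaddress.ip_address(event["src_ip"])
    if _in_any(src, INTERNAL_NETWORKS) is None:    # geo check applies to external sources only
        cc = country_of(src)
        # an unknown country is treated as foreign rather than given a pass
        if cc != HOME_COUNTRY and event["dst_port"] not in FOREIGN_ALLOWED_PORTS:
            reasons.append(f"src_ip {src} from {cc or 'unknown country'} "
                           f"to non-web port {event['dst_port']}")
    return reasons
```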
17. With great power comes great responsibility.
   • Make sure it’s your network. Just sharing pastebin links can get you terrorism charges – ask Weev.
   • Make sure you know where your network ends. Don’t trust the A records!
   • Make sure you are authorized to run pen tests on your network (even if you are on the security team).
   • Work with the sysadmins. Accidents happen, and you don’t want to explain to the C-level guys why you caused a production outage. Or even worse, that it took hours to figure out why.
   • Work with those red teamers – these guys will be more than willing to point out the weak points :)
18. Attackers are sharing techniques and tactics, but this is rarely seen on the defensive side. I know it’s not as glamorous as trading 1337 sploitz, but let’s face it, most of us are tasked with this day to day :)
   • Forensics sites and forums are a good start
   • SANS ISC Diary (http://isc.sans.edu/diary.html)
   • AlienVault Community – More and more SIEM vendors are trying to do this
   • Local groups (vendor specific, Def Con, Linux User Groups, hackerspaces, etc.)