SIEM stands for Security Information and Event Management. It involves collecting, aggregating, normalizing and retaining logs and other security-related data from across an organization. SIEM performs analysis on this data through correlation, prioritization and notification/alerting. It also provides reporting and workflow capabilities for security teams. While SIEM promises improved security through these functions, it requires careful planning, scoping, requirements development and ongoing focus to avoid failures and ensure value.

1. SIEM Primer:Security Information and Event Management Dr. Anton Chuvakin SecurityWarrior LLC www.securitywarriorconsulting.com Rochester Institute of Technology 4/2011

2. Outline What is SIEM? What are logs? How SIEM helps security? Promises and failures of SIEM! Conclusions 2

3. SIEM? Security Information and Event Management! (sometimes: SIM or SEM)

4. SIEM vs Log Management LM: Log Management Focus on all uses for logs SIEM: Security Information and Event Management Focus on security useof logs and other data

5. The Big Picture

6. Big 3 for SIEM/LM Compliance Security Ops

7. SIEM and LM Defined Security Information and Event Management = relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content. Log Management = comprehensive log collection, aggregation, original log retention; analysis; presentation (search, reporting, visualization); related workflow and relevant content.

8. What SIEM MUST Have? Log and Context Data Collection Normalization Correlation (“SEM”) Notification/alerting (“SEM”) Prioritization (“SEM”) Reporting and report delivery (“SIM”) Security role workflow (IR, SOC, etc)

9. Just What Is “Correlation”? Dictionary: “establishing relationships” SIEM: “relate events together for security benefit” Why correlate events? Automated cross-device data analysis! Simple correlation rule: If this, followed by that, take some action

10. What SIEM Eats: Logs <18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreendevice_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53) <57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006 <122> Mar 4 09:23:15 localhostsshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2 <13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ANTON Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574

11. What SIEM Eats: Context http://chuvakin.blogspot.com/2010/01/on-log-context.html

12. Example SIEM Use Case Cross-system authentication tracking Scope: all systems with authentication Purpose: detect unauthorized access to systems Method: track login failures and successes Rule details: multiple login failures followed by login success Response plan: user account investigation, suspension, communication with suspect user

13. What do we know about SIEM? Ties to many technologies, analyzes data, requires process around it, etc What does it actually mean? Many people think “SIEM is complex” Thinking Aloud Here…

14. Broad SIEM Usage Scenarios Security Operations Center (SOC) RT views, analysts 24/7, chase alerts Mini-SOC / “morning after” Delayed views, analysts 1/24, review and drill-down “Automated SOC” / alert + investigate Configure and forget, investigate alerts Compliance status reporting Review reports/views weekly/monthly

15. The Right Way to SIEM Figure out what problems you want to solve with SIEM Confirm that SIEM is the best way to solve them Define and analyze use cases Create requirements for a tool Choose scope for SIEM coverage Assess data volume Perform product research Create a tool shortlist Pilot top 2-3 products Test the products for features, usability and scalability vs requirements Select a product for deployment Update or create procedures, IR plans, etc Deploy the tool (phase 1)

16. The Popular Way to SIEM Buy a SIEM appliance

17. Got Difference? What people WANT to know and have before they deploy a SIEM? What people NEED to know and have before they deploy a SIEM?

18. Got SIEM?Have you inherited it? Now what?

19. One Way to NOT Fail With SIEM SIEM Project Plan: Goals and requirements Functionality / features Scoping of data collection Sizing Architecting

20. SIEM/LM Maturity Curve

21. Best Reports? SANS Top 7 DRAFT “SANS Top 7 Log Reports” Authentication Changes Network activity Resource access Malware activity Failures Analytic reports

22. Best Correlation Rules? Nada Vendor default rules? IDS/IPS + vulnerability scan? Anton fave rules: Authentication Outbound access Safeguard failure ?

23. Secret to SIEM Magic!

24. Conclusions SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required FOCUS on what problems you are trying to solve with SIEM: requirements! Phased approach WITH “quick wins” is the easiest way to go Operationalize!!!

25. Questions? Dr. Anton Chuvakin Email:anton@chuvakin.org Site:http://www.chuvakin.org Blog:http://www.securitywarrior.org Twitter:@anton_chuvakin Consulting:http://www.securitywarriorconsulting.com

26. More Resources Blog: www.securitywarrior.org Podcast: look for “LogChat” on iTunes Slides: http://www.slideshare.net/anton_chuvakin Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin Consulting: http://www.securitywarriorconsulting.com/

27. More on Anton Consultant: http://www.securitywarriorconsulting.com Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide Standard developer: CEE, CVSS, OVAL, etc Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

28. Security Warrior Consulting Services Logging and log management / SIEM strategy, procedures and practices Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations Help integrate logging tools and processes into IT and business operations SIEM and log management content development Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations Others at www.SecurityWarriorConsulting.com