The document provides an overview of security information and event management (SIEM) systems. It discusses what a SIEM is, why organizations purchase them, typical SIEM architectures and components, use cases, and considerations for implementation. The presentation also touches on various SIEM vendors and products, common challenges organizations face with SIEM, and recommendations for rolling out and operating a SIEM.

1. SIEM 101 Workshop
Optimize IT with Security Information and Event Management
Alex Dow
Chief Research Officer – Mirai Security Inc.
GCIH|SCF|CISSP|OPST
Alex.Dow@miraisecurity.com
https://www.miraisecurity.com

2. Agenda
• What is SIEM?
• Why buy SIEM?
• Architectures
• Components
• Use Cases
• Townhall Discussion

3. …A Little Street Cred
• 90’s – Computers & The Internet!, The movie ‘Hackers’ was released, NetBus, BackOrifice
• 2001 – School (Boring, but I finally learned TCP/IP)
• 2004 – Bell SOC
• 2008 – Olympic SOC & HoneyNet
• 2010 – Consulting (SIEM, SecOps and ESA)
• 2012 – Co-Founded The Mainland Advanced Research Society (BSides Vancouver)
• 2017 – Co-Founded The Mirai Security Collective (Insert shameless plug here)

4. Disclaimer
• Generalizations
• Trying to be as vendor agnostic as possible but there are nuances with each
vendor/technology
• Jaded Infosec Warrior
• The views expressed within this presentation are those of the presenters
and do not necessarily reflect the views of their former/current/future
employers, clients, partners, friends and/or family members
• Professional Consultation
• I am a security advisor, but I am not YOUR security advisor (yet)
• This presentation is for educational purposes only and should not replace
independent professional consultation

5. What is SIEM?
• First: SIEM, SIM, SEM? Huh?
• Logs -> Log management -> SIEM
• Logs vs Events?
• Primary Features
• Centralized, secure and reliable log collection and retention
• Fast and easy searching
• Event correlation and alerting
• Analytics
• Dashboarding
• Reporting
• Ticketing and automation

6. The Who’s Who of SIEM
• Notable (Unmentioned?) Players
• Elastic Stack
• Sumo Logic
• JASK
• The emergence of Cloud SIEMs
• Death by Acquisition

7. Drivers for SIEM
• Security
• Security alert aggregation
• Anomaly detection via correlations or visualizations
• Investigation and incident response
• Situational Awareness
• IT Operations
• Troubleshooting
• Alerting on troubles
• Compliance
• Log retention
• Audits and real-time risk dashboards

8. SIEM Component Architecture
1. Event Generation
2. Event Collection
3. Normalization & Enrichment
4. Transport
5. Indexing, Analytics & Correlation
Normalized
Data
Collector Agents
Indexes and
Analytics
Engine
1 2 3 4 5
Operating System
Network Device
Security Device
Authentication
Event Collection & Event Management Event Correlation
Anti-X
Applications

9. Log Generation and Collection
• Log Sources
• What: Firewall, OS, DB, application, antivirus, IDS, cloud, packet capture, Nessus Data*
and pretty much anything ASCII!
• How: Configuring logging on your sources
• Collection
• Agent vs centralized agent
• Protocols: Syslog, SNMP, HTTPS/API, WMI, SMB/CIFS, FTP, ODBC, etc
• Real-time vs batching
• To collect or not to collect, that is the question
• Use case/value
• Licen$ing
• Capacity Normalized
Data
Collector Agents
Indexes and
Analytics
Engine
1 2 3 4 5
Operating System
Network Device
Security Device
Authentication
Event Collection & Event Management Event Correlation
Anti-X
Applications

10. Normalization, Enrichment & Transport
• Parsing and Normalization
• Structured vs Unstructured Data
• Disparate logs into one common format
• Filtering and Aggregation
• Remove noise and save on bandwidth/licen$ing
• Enrichment
• GeoIP, asset/network models, categorization/tagging, DNS lookups, etc
• Transportation
• Caching, encryption, compression, bandwidth management
• Forwards to one or many destinations
Normalized
Data
Collector Agents
Indexes and
Analytics
Engine
1 2 3 4 5
Operating System
Network Device
Security Device
Authentication
Event Collection & Event Management Event Correlation
Anti-X
Applications

11. Indexing, Analytics and Correlations
• Indexing
• Event database management
• Search management
• Data retention and archiving
• Analytics and Correlation
• Asset and network models
• Dashboards and visualizations
• Searching
• (Real-time) alerting and correlation
• Reporting
• Ticketing and automation
Normalized
Data
Collector Agents
Indexes and
Analytics
Engine
1 2 3 4 5
Operating System
Network Device
Security Device
Authentication
Event Collection & Event Management Event Correlation
Anti-X
Applications

12. Component Architecture
Data Sources Analytics Consumption
Indexing
Collection
Security Analyst
Normalization &
Enrichment
Transport
ODBC
File
WMI/SMB
Syslog
API Caching, encryption, compression,
bandwidth management
Asset/Network Models, DNS, GeoIP, Vuln
Database, etc

13. Traditional SIEM Topography
Correlation
Engine
ArcSight Console and Command Centre
(Administrative)
Security Analyst
Primary DC
Regular Remote Site
ArcSight Command Centre
(Read Only Web)
Operations Team
Secondary DC
Small Remote Site
User
Zone
Security
Zone
Remote
Sites
Virtualized
Virtualized
Virtualized
Virtualized
Virtualized
Virtualized
Virtualized
Virtualized
Virtualized
ArcSight
Communications
TCP8443
Event Transport
TCP 8443
ArcMC C&C
Communications
TCP 9000-9050
Event Collection
TCP 445, 1433, 443
UDP 514, 161
Legend
Virtualized
Virtualized Virtualized
Virtualized
Virtualized
Virtualized

14. Elastic Stack Topology
• Shippers and Indexers
• Message Bus
• Ingestion Nodes
• Master Nodes
• Data Nodes
• Coordination Nodes
• Tribe Nodes
• Kibana Nodes
Data Sources Master Modes Analytics
Data Nodes
Shipper
Message Bus
Collection &
Parsing
ODBC
File
WMI/SMB
Syslog
API
Security Analyst

15. Splunk Topology
• Forwarders
• Indexers
• Search Heads
• ES Search Heads
• Master Cluster Node
• Deployment/License Servers
• Now Cloudy!

16. Cloud Topology
• Forwarders
• Indexers
• Search Heads
• ES Search Heads
• Master Cluster Node
• Deployment/License Servers

17. Product Decisions
Traditional
• Pros
• Security centric
• Lots of use cases
• Appliance based
• Decent documentation
• Cons
• Appliance based
• Likely higher costs
• Scalability concerns
• Less innovation
Bleeding Edge
• Pros
• Designed for scale and performance
• Likely lower costs
• No appliances
• Bleeding edge technologies
• Cons
• Not necessarily focused on security
• Requires much more knowledgeable
staff, less support from vendors
• Bleeding edge technologies

18. Advancement and Cool Concepts
• Load Balancing
• Message Bus
• ML, AI
• HDFS and Data Lake
• SOAR

19. Design Considerations
• Retention
• Performance
• Multitenancy

20. When implementing a SIEM, goes wrong…
• Sales people suck
• Lack of vision
• Outsourcing 24/7
• Failure to Perform Detailed Planning Before Buying
• Failure to Define Scope
• Overly Optimistic Scoping
• Monitoring Noise
• Lack of Sufficient Context
• Insufficient Resources

21. Pragmatic Role Out Recommendations
• Day in the life of a SIEM
• Roles and Responsibilities
• Health Monitoring

22. Use Cases
• Workflow
• Choosing data sources
• Examples
• Change management
• Unauthorized access

23. Operations
• Roles and Responsibilities
• Health Monitoring and Tuning
• Use case development
• Atomic, vs correlation, vs advanced correlation
• Map to other frameworks

24. Pitfalls
• Parsing
• Stability
• MIA data sources
• Bad forecasting
• Bugs
• What do SIEMs do terribly, stop trying to make it an updown monitor
• Losing data
• WUCS

25. Town Hall
• What are your drivers?
• Complexity