Something Fun About Using SIEM and Not Failing, or Only Failing Non-Miserably (or Not-Too-Miserably) Dr. Anton Chuvakin @anton_chuvakin SecurityWarrior LLC www.securitywarriorconsulting.com Security BSides SF 2011 @ RSA 2011
About Anton: SIEM Builder and User Former employee of SIEM and log management vendors Now consulting for SIEM vendors and SIEM users SANS Log Management SEC434 class author Author, speaker, blogger, podcaster (on logs, naturally)
NEWSFLASH!! New Phobia Found! “Over the past month, I have come across this fear of ownership of the SIEM. Are that many people afraid to “own” the application?” (source: siemninja.com) Fear of SIEM = fear of complexity? Let’s try to find out!
Outline Quickly: SIEM Defined SIEM done “right”? SIEM Pitfalls and Challenges Useful SIEM Practices Painful Worst Practices Conclusions
SIEM? Security Information and Event Management! (sometimes: SIM or SEM)
SIEM vs Log Management LM: Log Management Focus on all uses for logs SIEM: Security Information and Event Management Focus on security use of logs and other data
What SIEM MUST Have? Log and Context Data Collection Normalization Correlation (“SEM”) Notification/alerting (“SEM”) Prioritization (“SEM”) Reporting and report delivery (“SIM”) Security role workflow (IR, SOC, etc)
SIEM Evolution 1996-2002 IDS and Firewall Worms, alert overflow, etc Sold as “SOC in the box” 2003 – 2007  Above + Server + Context  PCI DSS, SOX, users Sold as “SOC in the box”++ 2008+  Above + Applications + … Fraud, insiders, cybercrime Sold as “SOC in the box”+++++
What do we know about SIEM? Ties to many technologies, analyzes data, requires process around it, overhyped What does it actually mean? Many people think “SIEM is complex” Thinking Aloud Here…
I will tell you how to do SIEM  RIGHT! Useless Consultant Advice Alert!!
The Right Way to SIEM Figure out what problems you want to solve with SIEM Confirm that SIEM is the best way to solve  them Define and analyze use cases Create requirements for a tool Choose scope for SIEM coverage Assess data volume Perform product research Create a tool shortlist Pilot top 2-3 products Test the products for features, usability and scalability vs requirements Select a product for deployment Update or create procedures, IR plans, etc Deploy the tool (phase 1)
The Popular Way to SIEM Buy a SIEM appliance
Got Difference? What  people WANT to know and have before they deploy a SIEM? What  people NEED to know and have before they deploy a SIEM?
Got SIEM? Have you inherited it? Now what?
Popular #SIEM_FAIL … in partial answer to “why people think SIEM sucks?” Misplaced expectations (“SOC-in-a-box”) Missing requirements (“SIEM…huh?”) Wrong project sizing Political challenges with integration Lack of commitment Vendor deception (*) And only then: product not working 
One Way to NOT Fail Goals and requirements Functionality / features Scoping of data collection Sizing Architecting
What is a “Best Practice”? A process or practice that The leaders in the field are doing today Generally leads to useful results with cost effectiveness P.S. If you still hate it – say  “useful  practices”
BP1 LM before SIEM! If you remember one thing from this, let it be: Deploy Log Management BEFORE SIEM! Q: Why do you think MOST 1990s SIEM deployments FAILED? A: There was no log management!
Graduating from LM to SIEM Are you ready? Well, do you have… Response capability and process Prepared to respond to alerts Monitoring capability Has an operational process to monitor Tuning and customization ability Can customize the tools and content
SIEM/LM Maturity Curve
BP2 Evolving Your SIEM  Steps of a journey … Establish response process Deploy a SIEM Think “use cases” Start filtering logs from LM to SIEM Phases: features and information sources Prepare for the initial increase in workload
Example LM->SIEM Filtering 3D: Devices / Network topology / Events Devices: NIDS/NIPS, WAF, servers Network: DMZ, payment network, other “key domains” Events: authentication, outbound firewall access, IPS Later: proxies, more firewall data, web servers
“Quick Wins” for Phased Approach
Phased approach #1: Collect problems, Plan architecture, Start collecting, Start reviewing, Solve problem 1, Solve problem n
Phased approach #2: Plan architecture, Start collecting, Start reviewing, Solve problem 1, Plan again
BP3 Expanding SIEM Use First step, next BABY steps! Compliance monitoring often first “Traditional” SIEM uses Authentication  tracking IPS/IDS + firewall correlation Web application hacking Your simple use cases  What problems do YOU want solved?
Best Reports? SANS Top 7 DRAFT “SANS Top 7 Log Reports” Authentication  Changes Network activity Resource access Malware activity Failures Analytic reports
Best Correlation Rules?  Nada Vendor default rules? IDS/IPS + vulnerability scan? Anton fave rules: Authentication Outbound access Safeguard failure ?
Example SIEM Use Case Cross-system authentication  tracking Scope: all systems with authentication  Purpose: detect unauthorized access to systems Method: track login failures and successes Rule details: multiple login failures followed by login success Response plan: user account investigation, suspension, communication with suspect user
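The two example slides above, the LM->SIEM filtering by device / network / event type and the cross-system authentication tracking use case, combined into one runnable pipeline. This is an added example, not code from the original deck: the key=value log format, the hostnames and zone names, the three-failure threshold and the ten-minute window are all assumptions chosen for the demo, and "firewall" is added to the in-scope device list because the event dimension on the filtering slide names outbound firewall access.

```python
"""
Constructed example: (1) decide which LM events get forwarded to the SIEM,
using the 3D filter (devices / network zones / event types), then (2) run the
"multiple login failures followed by a success" correlation rule over the
forwarded events. Format, names, threshold and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed key=value log lines as the LM tier might hand them over.
SAMPLE_LOGS = """\
ts=2011-02-14T10:00:01 host=dmz-web1 zone=dmz dev=server type=auth outcome=failure user=alice src=203.0.113.5
ts=2011-02-14T10:00:05 host=dmz-web1 zone=dmz dev=server type=auth outcome=failure user=alice src=203.0.113.5
ts=2011-02-14T10:00:09 host=dmz-web1 zone=dmz dev=server type=auth outcome=failure user=alice src=203.0.113.5
ts=2011-02-14T10:00:20 host=dmz-web1 zone=dmz dev=server type=auth outcome=success user=alice src=203.0.113.5
ts=2011-02-14T10:01:00 host=hr-print1 zone=office dev=printer type=auth outcome=failure user=bob src=10.1.1.9
ts=2011-02-14T10:01:30 host=hr-print1 zone=office dev=printer type=auth outcome=success user=bob src=10.1.1.9
ts=2011-02-14T10:02:00 host=fw-edge zone=dmz dev=firewall type=outbound outcome=allow src=10.1.2.3 dst=198.51.100.7
ts=2011-02-14T10:03:00 host=pay-db1 zone=payment dev=server type=auth outcome=failure user=carol src=10.2.0.4
ts=2011-02-14T12:00:00 host=pay-db1 zone=payment dev=server type=auth outcome=success user=carol src=10.2.0.4
"""

# 3D scope from the filtering slide (assumed values; "firewall" added so the
# "outbound firewall access" event type has a matching device class).
IN_SCOPE_DEVICES = {"nids", "nips", "waf", "server", "firewall"}
IN_SCOPE_ZONES = {"dmz", "payment"}
IN_SCOPE_EVENTS = {"auth", "outbound", "ips"}

# Correlation rule parameters (assumptions; tune per environment).
FAIL_THRESHOLD = 3
WINDOW = timedelta(minutes=10)


def parse(line):
    """Parse one key=value log line into a dict; 'ts' becomes a datetime."""
    ev = dict(kv.split("=", 1) for kv in line.split())
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def forward_to_siem(ev):
    """LM->SIEM filter: forward only key devices, in key zones, for key event types."""
    return (ev.get("dev") in IN_SCOPE_DEVICES
            and ev.get("zone") in IN_SCOPE_ZONES
            and ev.get("type") in IN_SCOPE_EVENTS)


def correlate_auth(events):
    """Rule: FAIL_THRESHOLD+ login failures followed by a success for the same
    (user, host) within WINDOW. Events are ordered by source timestamp, so the
    rule only works if log sources have synchronized clocks."""
    failures = defaultdict(list)  # (user, host) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("type") != "auth":
            continue
        key = (ev["user"], ev["host"])
        # Expire failures that fell out of the sliding window.
        failures[key] = [t for t in failures[key] if ev["ts"] - t <= WINDOW]
        if ev["outcome"] == "failure":
            failures[key].append(ev["ts"])
        elif ev["outcome"] == "success":
            if len(failures[key]) >= FAIL_THRESHOLD:
                alerts.append({"user": ev["user"], "host": ev["host"], "src": ev["src"],
                               "failures": len(failures[key]), "ts": ev["ts"].isoformat()})
            failures[key].clear()  # a success closes the sequence either way
    return alerts


def run(raw=SAMPLE_LOGS):
    """Whole pipeline on the sample: returns (forwarded events, dropped count, alerts)."""
    events = [parse(l) for l in raw.splitlines() if l.strip()]
    forwarded = [e for e in events if forward_to_siem(e)]
    return forwarded, len(events) - len(forwarded), correlate_auth(forwarded)


if __name__ == "__main__":
    fwd, dropped, alerts = run()
    print(f"forwarded {len(fwd)} events to SIEM, dropped {dropped} at the LM tier")
    for a in alerts:
        print("ALERT failures-then-success:", a)
```

On the sample, the printer in the office zone is dropped at the LM tier and never reaches the SIEM, the single payment-zone failure two hours before its success stays below threshold, and only the DMZ web server sequence raises an alert. The alert is what triggers the slide's response plan (account investigation, suspension, contact with the user); the rule itself is deliberately generic so that threshold and window can be tuned once real volumes are known.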
On SIEM Resourcing NEWSFLASH! SIEM costs money. But … Or…
“Hard” Costs - Money Initial SIEM license, hardware, 3rd party software Deployment service Ongoing Support and ongoing services Operations personnel (0.5 - any FTEs) Periodic Vendor services Specialty personnel (DBA, sysadmin) Deployment expansion costs
“Soft” Costs - Time Initial Deployment time Log source configuration and integration Initial tuning, content creation Ongoing Report review Alert response and escalation Periodic Tuning Expansion: same as initial
What is a “Worst Practice”? As opposed to the “best practice” it is … What the losers in the field are doing today A practice that generally leads to disastrous results, despite its popularity
WP for SIEM Planning WP1: Skip this step altogether – just buy something “John said that we need a correlation engine” “I know this guy who sells log management tools” WP2: Postpone scope until after the purchase “The vendor says ‘it scales’ so we will just feed ALL our logs” Windows, Linux, i5/OS, OS/390, Cisco – send’em in!
Case Study: “We Use’em All” At SANS Log Management Summit 200X… Vendors X, Y and Z claim “Big Finance” as a customer How can that be? Well, different teams purchased different products … About $2.3m wasted on tools that do the same!
WPs for Deployment WP3: Expect The Vendor To Write Your Logging Policy OR Ignore Vendor Recommendations “Tell us what we need – tell us what you have” forever… WP4: Unpack the boxes and go! “Coordinating with network and system folks is for cowards!” Do you know why LM projects take months sometimes? WP5: Don’t prepare the infrastructure  “Time synchronization? Pah, who needs it”
More Quick SIEM Tips Cost countless sleepless nights and boatloads of pain…. No SIEM before IR plans/procedures No SIEM before basic log management Think "quick wins", not "OMG ...that SIEM boondoggle" Tech matters! But practices matter more Things will get worse before better. Invest time before collecting value!
Tip: When To AVOID A SIEM In some cases, the best “SIEM strategy” is NOT to buy one:  Log retention focus Investigation focus (log search) If you only plan to look BACKWARDS – no need for a SIEM!
Conclusions SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required FOCUS on what problems you are trying to solve with SIEM: requirements! Phased approach WITH “quick wins” is the easiest way to go Operationalize!!!
Secret to SIEM Magic!
And If You Only … … learn one thing from this…. … then let it be….
Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements!

On Content-Aware SIEM by Dr. Anton Chuvakin
 
PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin
PCI 2.0 What's Next for PCI DSS  by Dr. Anton ChuvakinPCI 2.0 What's Next for PCI DSS  by Dr. Anton Chuvakin
PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin
 
Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...
Navigating the Data Stream without Boiling the Ocean::  Case Studies in Effec...Navigating the Data Stream without Boiling the Ocean::  Case Studies in Effec...
Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...
 
Zero Day Response: Strategies for the Security Innovation in Corporate Defens...
Zero Day Response: Strategies for the Security Innovation in Corporate Defens...Zero Day Response: Strategies for the Security Innovation in Corporate Defens...
Zero Day Response: Strategies for the Security Innovation in Corporate Defens...
 

Something Fun About Using SIEM by Dr. Anton Chuvakin

  • 1. Something Fun About Using SIEM and Not Failing, or Only Failing Non-Miserably or Not-Too-Miserably. Dr. Anton Chuvakin, @anton_chuvakin, SecurityWarrior LLC, www.securitywarriorconsulting.com. Security BSides SF 2011 @ RSA 2011
  • 2. About Anton: SIEM Builder and User
    - Former employee of SIEM and log management vendors
    - Now consulting for SIEM vendors and SIEM users
    - SANS Log Management SEC434 class author
    - Author, speaker, blogger, podcaster (on logs, naturally)
  • 3. NEWSFLASH!! New Phobia Found! “Over the past month, I have come across this fear of ownership of the SIEM. Are that many people afraid to ‘own’ the application?” (source: siemninja.com) Fear of SIEM = fear of complexity? Let’s try to find out!
  • 4. Outline
    - Quickly: SIEM Defined
    - SIEM done “right”?
    - SIEM Pitfalls and Challenges
    - Useful SIEM Practices
    - Painful Worst Practices
    - Conclusions
  • 5. SIEM? Security Information and Event Management! (sometimes: SIM or SEM)
  • 6. SIEM vs Log Management
    - LM: Log Management. Focus on all uses for logs
    - SIEM: Security Information and Event Management. Focus on security use of logs and other data
  • 7. What SIEM MUST Have?
    - Log and Context Data Collection
    - Normalization
    - Correlation (“SEM”)
    - Notification/alerting (“SEM”)
    - Prioritization (“SEM”)
    - Reporting and report delivery (“SIM”)
    - Security role workflow (IR, SOC, etc)
  • 8. SIEM Evolution
    - 1996-2002: IDS and Firewall. Worms, alert overflow, etc. Sold as “SOC in the box”
    - 2003 – 2007: Above + Server + Context. PCI DSS, SOX, users. Sold as “SOC in the box”++
    - 2008+: Above + Applications + … Fraud, insiders, cybercrime. Sold as “SOC in the box”+++++
  • 9. What do we know about SIEM? Ties to many technologies, analyzes data, requires process around it, overhyped. What does it actually mean? Many people think “SIEM is complex”. Thinking Aloud Here…
  • 10. I will tell you how to do SIEM RIGHT! Useless Consultant Advice Alert!!
  • 11. The Right Way to SIEM
    - Figure out what problems you want to solve with SIEM
    - Confirm that SIEM is the best way to solve them
    - Define and analyze use cases
    - Create requirements for a tool
    - Choose scope for SIEM coverage
    - Assess data volume
    - Perform product research
    - Create a tool shortlist
    - Pilot top 2-3 products
    - Test the products for features, usability and scalability vs requirements
    - Select a product for deployment
    - Update or create procedures, IR plans, etc
    - Deploy the tool (phase 1)
  • 12. The Popular Way to SIEM Buy a SIEM appliance
  • 13. Got Difference? What people WANT to know and have before they deploy a SIEM? What people NEED to know and have before they deploy a SIEM?
  • 14. Got SIEM? Have you inherited it? Now what?
  • 15. Popular #SIEM_FAIL … in partial answer to “why people think SIEM sucks?”
    - Misplaced expectations (“SOC-in-a-box”)
    - Missing requirements (“SIEM…huh?”)
    - Wrong project sizing
    - Political challenges with integration
    - Lack of commitment
    - Vendor deception (*)
    - And only then: product not working
  • 16. One Way to NOT Fail
    - Goals and requirements
    - Functionality / features
    - Scoping of data collection
    - Sizing
    - Architecting
  • 17. What is a “Best Practice”? A process or practice that:
    - The leaders in the field are doing today
    - Generally leads to useful results with cost effectiveness
    P.S. If you still hate it – say “useful practices”
  • 18. BP1: LM before SIEM! If you remember one thing from this, let it be: Deploy Log Management BEFORE SIEM! Q: Why do you think MOST 1990s SIEM deployments FAILED? A: There was no log management!
  • 19. Graduating from LM to SIEM. Are you ready? Well, do you have…
    - Response capability and process: prepared to respond to alerts
    - Monitoring capability: has an operational process to monitor
    - Tuning and customization ability: can customize the tools and content
  • 21. BP2: Evolving Your SIEM. Steps of a journey …
    - Establish response process
    - Deploy a SIEM
    - Think “use cases”
    - Start filtering logs from LM to SIEM
    - Phases: features and information sources
    - Prepare for the initial increase in workload
  • 22. Example LM->SIEM Filtering. 3D: Devices / Network topology / Events
    - Devices: NIDS/NIPS, WAF, servers
    - Network: DMZ, payment network, other “key domains”
    - Events: authentication, outbound firewall access, IPS
    - Later: proxies, more firewall data, web servers
  • 23.
  • 28. Plan again: Phased approach #1
    - Collect problems
    - Plan architecture
    - Start collecting
    - Start reviewing
    - Solve problem 1
    - Solve problem n
  • 29. BP3: Expanding SIEM Use. First step, next BABY steps!
    - Compliance monitoring often first
    - “Traditional” SIEM uses: Authentication tracking; IPS/IDS + firewall correlation; Web application hacking
    - Your simple use cases: What problems do YOU want solved?
  • 30. Best Reports? SANS Top 7 (DRAFT “SANS Top 7 Log Reports”)
    - Authentication
    - Changes
    - Network activity
    - Resource access
    - Malware activity
    - Failures
    - Analytic reports
  • 31. Best Correlation Rules? Nada
    - Vendor default rules?
    - IDS/IPS + vulnerability scan?
    - Anton fave rules: Authentication; Outbound access; Safeguard failure
    - ?
  • 32. Example SIEM Use Case: Cross-system authentication tracking
    - Scope: all systems with authentication
    - Purpose: detect unauthorized access to systems
    - Method: track login failures and successes
    - Rule details: multiple login failures followed by login success
    - Response plan: user account investigation, suspension, communication with suspect user
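Slides 22 and 32 together describe a small pipeline: log management forwards only selected device classes, network zones and event types into the SIEM, and the SIEM then correlates login failures followed by a success for the same account across systems. The Python below is an added example, not code from the deck or from any SIEM product; the device, zone and event names, the threshold of three failures, the ten-minute window and all sample events are assumptions constructed for illustration.

```python
# Added example, not from the deck: the LM->SIEM filter of slide 22 feeding the
# cross-system authentication rule of slide 32. Names, threshold and window are assumptions.
from collections import defaultdict

# Phase-1 filter (slide 22): device classes, network zones and event types forwarded.
SIEM_DEVICES = {"nids", "waf", "server"}
SIEM_ZONES = {"dmz", "payment"}
SIEM_EVENTS = {"auth", "fw_outbound", "ips"}

def forward_to_siem(ev):
    # True if a normalized LM event passes the 3D filter into the SIEM.
    return (ev["device"] in SIEM_DEVICES and ev["zone"] in SIEM_ZONES
            and ev["event"] in SIEM_EVENTS)

def auth_failures_then_success(events, threshold=3, window_minutes=10):
    """Slide 32 rule: >= threshold login failures for one account on any systems,
    then a success within the window. Keyed by user, not host, so spread counts."""
    failures = defaultdict(list)  # user -> [(ts, host)] of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "auth":
            continue
        user = ev["user"]
        # Forget failures that have aged out of the correlation window.
        failures[user] = [f for f in failures[user] if ev["ts"] - f[0] <= window_minutes]
        if ev["outcome"] == "failure":
            failures[user].append((ev["ts"], ev["host"]))
            continue
        if len(failures[user]) >= threshold:
            alerts.append({"user": user, "success_on": ev["host"], "ts": ev["ts"],
                           "failed_on": sorted({h for _, h in failures[user]})})
        failures[user].clear()  # any success resets the account's counter
    return alerts

def _ev(ts, device, zone, event, user="-", host="-", outcome="-"):
    return {"ts": ts, "device": device, "zone": zone, "event": event,
            "user": user, "host": host, "outcome": outcome}

# Constructed sample events (ts = minutes since capture start), as normalized by LM.
SAMPLE_EVENTS = [
    _ev(0, "server", "dmz", "auth", "alice", "web01", "failure"),
    _ev(1, "server", "dmz", "auth", "alice", "web02", "failure"),
    _ev(2, "server", "payment", "auth", "alice", "pay-db01", "failure"),
    _ev(3, "server", "payment", "auth", "alice", "pay-db01", "success"),  # -> alert
    _ev(6, "proxy", "dmz", "web", "carol", "proxy01"),  # proxies: later phase, dropped
    _ev(30, "server", "dmz", "auth", "dave", "web01", "failure"),
    _ev(31, "server", "dmz", "auth", "dave", "web01", "failure"),
    _ev(32, "server", "dmz", "auth", "dave", "web01", "failure"),
    _ev(50, "server", "dmz", "auth", "dave", "web01", "success"),  # aged out, no alert
]

def run_pipeline(events=SAMPLE_EVENTS):
    """Filter at the LM tier, correlate in the SIEM; returns (forwarded, alerts)."""
    forwarded = [e for e in events if forward_to_siem(e)]
    return forwarded, auth_failures_then_success(forwarded)
```

Note how the filter decides what the rule can ever see: the proxy event never reaches the correlation stage, and the window decides whether dave's stale failures still count.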
  • 33. On SIEM Resourcing NEWSFLASH! SIEM costs money. But … Or…
  • 34. “Hard” Costs - Money
    - Initial: SIEM license, hardware, 3rd party software; Deployment service
    - Ongoing: Support and ongoing services; Operations personnel (0.5 - any FTEs)
    - Periodic: Vendor services; Specialty personnel (DBA, sysadmin); Deployment expansion costs
  • 35. “Soft” Costs - Time
    - Initial: Deployment time; Log source configuration and integration; Initial tuning, content creation
    - Ongoing: Report review; Alert response and escalation
    - Periodic: Tuning; Expansion: same as initial
  • 36. What is a “Worst Practice”? As opposed to the “best practice” it is … What the losers in the field are doing today A practice that generally leads to disastrous results, despite its popularity
  • 37. WP for SIEM Planning
    - WP1: Skip this step altogether – just buy something. “John said that we need a correlation engine”; “I know this guy who sells log management tools”
    - WP2: Postpone scope until after the purchase. “The vendor says ‘it scales’ so we will just feed ALL our logs”; Windows, Linux, i5/OS, OS/390, Cisco – send ’em in!
  • 38. Case Study: “We Use ’em All”. At SANS Log Management Summit 200X… Vendors X, Y and Z claim “Big Finance” as a customer. How can that be? Well, different teams purchased different products … About $2.3m wasted on tools that do the same!
  • 39. WPs for Deployment
    - WP3: Expect The Vendor To Write Your Logging Policy OR Ignore Vendor Recommendations. “Tell us what we need – tell us what you have” forever…
    - WP4: Unpack the boxes and go! “Coordinating with network and system folks is for cowards!” Do you know why LM projects take months sometimes?
    - WP5: Don’t prepare the infrastructure. “Time synchronization? Pah, who needs it”
  • 40. More Quick SIEM Tips. Cost countless sleepless nights and boatloads of pain….
    - No SIEM before IR plans/procedures
    - No SIEM before basic log management
    - Think "quick wins", not "OMG ...that SIEM boondoggle"
    - Tech matters! But practices matter more
    - Things will get worse before better. Invest time before collecting value!
  • 41. Tip: When To AVOID A SIEM In some cases, the best “SIEM strategy” is NOT to buy one: Log retention focus Investigation focus (log search) If you only plan to look BACKWARDS – no need for a SIEM!
  • 42. Conclusions SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required FOCUS on what problems you are trying to solve with SIEM: requirements! Phased approach WITH “quick wins” is the easiest way to go Operationalize!!!
  • 43. Secret to SIEM Magic!
  • 44. And If You Only … … learn one thing from this…. … then let it be….
  • 45. Requirements! Requirements! Requirements! (repeated to fill the entire slide)
  • 46. Questions? Dr. Anton Chuvakin. Email: anton@chuvakin.org. Site: http://www.chuvakin.org. Blog: http://www.securitywarrior.org. Twitter: @anton_chuvakin. Consulting: http://www.securitywarriorconsulting.com
  • 47. More Resources
    - Blog: www.securitywarrior.org
    - Podcast: look for “LogChat” on iTunes
    - Slides: http://www.slideshare.net/anton_chuvakin
    - Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin
    - Consulting: http://www.securitywarriorconsulting.com/
  • 48. More on Anton
    - Consultant: http://www.securitywarriorconsulting.com
    - Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
    - Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
    - Standard developer: CEE, CVSS, OVAL, etc
    - Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
    - Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
  • 49. Security Warrior Consulting Services
    - Logging and log management / SIEM strategy, procedures and practices
      - Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
      - Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
      - Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
      - Help integrate logging tools and processes into IT and business operations
    - SIEM and log management content development
      - Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
      - Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
    - Others at www.SecurityWarriorConsulting.com