TRANSCRIPT
SEC555
Industry’s First Neutral SIEM Training Course
Justin Henderson (GSE # 108)
@SecurityMapper
SIEM and Tactical Analytics
SEC555 | SIEM with Tactical Analysis 2
About Me
• Author of SEC555: SIEM and Tactical Analytics
• GIAC GSE # 108, Cyber Guardian Blue and Red
• 58 industry certifications (need to get a new hobby)
• Two-time NetWars Core tournament winner (offense)
• Security hobbyist and community supporter
• Collecting interns/contributors in bulk (research teams)
• Release research to the community
• See https://github.com/SMAPPER
Welcome!
A copy of this talk is available at https://www.securitymapper.com
At the end of the presentation, links will be provided to download SOF-ELK and ELK Hunter
• More on these later…
Also https://github.com/SMAPPER
Vendor Specific Training
SIEM is an advanced tool with many use cases
• Requires training for proper utilization
Vendor specific training focuses on how to use their tool
• This is important and makes sense
• But focus on tool lacks a focus on people and process
[Diagram: How, What, Why, When, Where]
SEC555 Training
SEC555: SIEM with Tactical Analytics is product neutral
• Focus is on utilizing a SIEM for tactical defense
• Puts focus on people and process
Sets direction for designing and building an effective SIEM
• Learn how to build your own or revitalize what you have
[Diagram: How, What, Why, When, Where]
Hewlett Packard – State of Security Operations
Annual study measures maturity of organizations
• Score ranges from 0 (no maturity) to 5 (full maturity)
• Level of 3 is ideal for most enterprise SOCs
• Scores broken down by people, processes, technology, and business integration
Five year overall average is 1.45
• Lowest scores year after year are people and processes
Why SEC555?
Working with multiple organizations, clear gaps in SIEM deployments were evident
Example: One organization spent 14 months in deployment
• SIEM was within the top 5 of the Magic Quadrant in 2014 and 2015
• Two employees during roll out (> 1 FTE of labor for 14 months)
• Within less than 1 month open source solution exceeded what they had
SIEM Deployment
Well they must have lacked training and planning, right?
• Both employees attended week long vendor training
• POC lasted well over three months
• Implementation had >30 days of vendor services
• One employee hired as dedicated FTE to SIEM
• One PTE and other employee(s) available to help
Above looks better than what some organizations have
What Happened?
Ultimately the company discarded commercial solution
• Open source solution still in place
Discard was not due to a faulty commercial solution
• Again, the product is a multi-year leader in the Magic Quadrant
People and processes are more important than the tool
• Open source met needs and saved them money
SEC555 is not about switching solutions…
• Focus is to train people how to use any SIEM (tool)
Sample Concepts
Below are a few concepts addressed in SEC555:
• What to collect, where to get it, and how to collect it
• Quantity vs Quality
• Turning low value data into high value data
• Overwhelming alerts
• Inability to identify logs of interest
• Lack of processes and use cases
Course Outline
• Day 1 - SIEM Architecture
• Day 2 - Service Profiling with SIEM
• Day 3 - Endpoint Analytics
• Day 4 - Baselining and User Behavior Monitoring
• Day 5 - Correlation and Post-Mortem Analysis
• Day 6 - Capstone: Design, Detect, Defend
Days 1 - 5 are boot camp (means lots of hands on labs)
* Day titles subject to change (content should not)
Day 1 - SIEM Architecture
SIEM can be complicated but does not always have to be
• Covers SIEM using a building block approach
• Demystifies complexity and makes it easier to use
Learn how to effectively implement log collection, aggregation, storage strategies, and more
• 5 out of 5 interns built and understood ELK Hunter* in less than two weeks
Day 2 - Service Profiling with SIEM
Service Logs Augmentation Techniques
• DNS
• HTTP
• HTTPS
• SMTP
Almost every network uses them
• Lots of noise = lots of logs
• Yet can be high value
Low value logs can morph into highly actionable detects
• Baby Domains
• Entropy Test (PH Imbalance)
• Invalid Fields (wrong state)
• Fuzzy Phishing
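As an added example (not code from the course, SOF-ELK, or ELK Hunter), the following Python applies two of the Day 2 ideas to a handful of constructed DNS query log lines: an entropy test on the longest label of each queried name, which surfaces random-looking names, and a fuzzy phishing check that compares each registered domain against a hypothetical protected-domain list by edit distance. The log lines, the thresholds, and the PROTECTED_DOMAINS list are all assumptions; the registered-domain split assumes single-label TLDs rather than a public suffix list.

```python
import math
from collections import Counter

# Constructed sample DNS query log (client IP, queried name); not from the course or SOF-ELK.
SAMPLE_DNS_LOG = """\
10.0.0.12 www.example.com
10.0.0.12 mail.example.com
10.0.0.15 a8f3k2q9zx7c1v4b.example-cdn.net
10.0.0.15 xk29dj3hq8sl0pwe.biz
10.0.0.20 examp1e.com
10.0.0.20 exarnple.com
10.0.0.21 login.microsoft.com
"""

# Hypothetical list of domains the organization wants to protect from lookalikes.
PROTECTED_DOMAINS = ["example.com", "microsoft.com"]


def shannon_entropy(s):
    """Bits of Shannon entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def labels(fqdn):
    """Lowercase labels of a name without the trailing dot and without the TLD."""
    parts = fqdn.rstrip(".").lower().split(".")
    return parts[:-1] if len(parts) > 1 else parts


def registered_domain(fqdn):
    """Last two labels of the name. Simplification: assumes single-label TLDs (no public suffix list)."""
    parts = fqdn.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between a and b, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def entropy_hits(log_text, threshold=3.5, min_len=10):
    """Names whose longest non-TLD label is both long and high-entropy (random-looking)."""
    hits = []
    for line in log_text.splitlines():
        client, name = line.split()
        longest = max(labels(name), key=len)
        e = shannon_entropy(longest)
        if len(longest) >= min_len and e >= threshold:
            hits.append((client, name, round(e, 2)))
    return hits


def lookalike_hits(log_text, protected=PROTECTED_DOMAINS, max_distance=2):
    """Registered domains within a small edit distance of a protected domain, but not equal to it."""
    hits = []
    for line in log_text.splitlines():
        client, name = line.split()
        reg = registered_domain(name)
        for good in protected:
            d = levenshtein(reg, good)
            if 0 < d <= max_distance:
                hits.append((client, name, good, d))
    return hits


if __name__ == "__main__":
    for h in entropy_hits(SAMPLE_DNS_LOG):
        print("high-entropy name:", h)
    for h in lookalike_hits(SAMPLE_DNS_LOG):
        print("lookalike of protected domain:", h)
```

On the constructed log the entropy test flags only the two 16-character random labels (entropy 4.0 bits), while the two legitimate brand names score well under 3.5, and the lookalike check flags examp1e.com (distance 1) and exarnple.com (distance 2) without touching the real example.com hosts. In a SIEM these scores would be added as fields at ingest time so that the threshold can be tuned per environment instead of being hard-coded.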
Day 3 - Endpoint Analytics
Endpoint logs are incredibly powerful yet underutilized
• Too much emphasis has been placed on “insert security product here”
• Endpoint logs can readily be operationalized
Strategies such as those below can be used to detect attacks:
• Long command lines
• Unauthorized service creations
• Malicious PowerShell use
• Internal Pivoting
• Brute force logins
• Whitelist evasion
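As an added example (not code from the course or from ELK Hunter), the following Python shows two of the Day 3 detections run over constructed endpoint events in JSON-lines form, as a log shipper might deliver them to a SIEM: process-creation events with unusually long command lines, and service-installation events whose name and image path are not in a known-good baseline. The event records, the 400-character threshold, and the AUTHORIZED_SERVICES baseline are all assumptions; the field names only loosely follow Windows Security 4688 and System 7045 events.

```python
import json

# Constructed endpoint events in JSON-lines form; not real logs and not from the course.
# Fields loosely follow Security 4688 (process creation) and System 7045 (service installed).
SAMPLE_EVENT_LOG = r"""
{"host": "WS01", "event_id": 4688, "user": "alice", "command_line": "C:\\Windows\\System32\\notepad.exe C:\\Users\\alice\\notes.txt"}
{"host": "WS01", "event_id": 4688, "user": "alice", "command_line": "C:\\Windows\\System32\\cmd.exe /c dir"}
{"host": "SRV02", "event_id": 7045, "service_name": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe"}
{"host": "SRV02", "event_id": 7045, "service_name": "updsvc", "image_path": "C:\\Users\\Public\\upd.exe"}
""".strip()

# One more constructed 4688 whose command line is padded with filler to stand in for an
# unusually long argument; the padding itself carries no meaning.
LONG_EVENT = {"host": "WS01", "event_id": 4688, "user": "alice",
              "command_line": "C:\\Windows\\System32\\wscript.exe " + "x" * 500}
SAMPLE_EVENT_LOG += "\n" + json.dumps(LONG_EVENT)

# Hypothetical baseline of (service name, image path) pairs known to be authorized.
AUTHORIZED_SERVICES = {("spooler", r"c:\windows\system32\spoolsv.exe")}


def parse_events(log_text):
    """Parse JSON lines, skipping blank or malformed lines rather than dropping the whole batch."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def long_command_lines(events, max_len=400):
    """Process creations whose command line exceeds max_len characters."""
    return [(e["host"], e["user"], len(e["command_line"]))
            for e in events
            if e.get("event_id") == 4688 and len(e.get("command_line", "")) > max_len]


def unauthorized_services(events, baseline=AUTHORIZED_SERVICES):
    """Service installs whose (name, image path) pair is not in the baseline."""
    return [(e["host"], e["service_name"], e["image_path"])
            for e in events
            if e.get("event_id") == 7045
            and (e["service_name"].lower(), e["image_path"].lower()) not in baseline]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENT_LOG)
    for h in long_command_lines(evts):
        print("long command line:", h)
    for h in unauthorized_services(evts):
        print("service outside baseline:", h)
```

The parser tolerates a bad line because a single malformed record from one host should not silence detection for the rest of the batch. Both checks are deliberately simple: a length threshold and a set lookup are cheap enough to run on every desktop event, which is the scaling concern the collection-strategy section raises.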
Collection Strategies
Many attacks today are client side attacks
• Means the attack occurs at the desktop
• If desktops are main point of attack… you might need logs from them
Part of day 3 is a focus on collection strategies
• Such as minimizing the impact of desktop logs
• Emphasis is on actionable collection that scales
Day 4 - Baselining and User Behavior Monitoring
Knowing how malware and hackers operate is important and helps
• Yet knowing yourself is more important
• Detects unauthorized changes
• Works with zero days… and everything
Example: This author’s wife can detect a 1 degree change in household temperature
- Catches me changing thermostat… every time
- Or kids turning on heater
Day 5 - Correlation and Post-Mortem Analysis
Many public breaches have suffered from too many alerts per analyst
• 1 person @ 1 mil alerts a day = fail
• Focus is on how to put context behind alerts and go tactical
Other key concepts covered:
• Post-mortem detection of evil
• Fighting dirty with tripwires
Day 6 - Capstone: Design, Detect, Defend
Class combines hands on labs all week
• But just to drive things home day 6 is 100% lab
Defense based capture the flag
• Winners will receive a coveted SANS challenge coin
• Most importantly everyone wins by receiving hands on experience
SOF-ELK
A SIEM course requires a SIEM
• To remain neutral concepts are taught using SOF-ELK
SOF-ELK is a combination of open source solutions
• Maintained by Phil Hagen (FOR572 author) and Justin Henderson (SEC555 author)
• Effectively is a free SIEM in a box
• Built for forensics and SOC use
• Did I mention it is free?
SOF-ELK Components
Primary components consist of:
• Elasticsearch - Big data storage search platform
• Logstash - Log aggregation, parsing, and transformation
• Kibana - Used for reporting, visualizations, and dashboards
• Other components constantly being baked in such as:
• Mark Baggett’s freq_server.py and domain_stats.py
• Mark is the author of SEC573 and I’m pretty sure he regularly wears a cape and flies around saving the world
ELK Hunter
Designed for analysis, research, and proof of concept
• ELK Hunter is a test bed for configs and concepts
• Contains Security Onion, ELK, and analysis scripts
• Designed to plug into network or deploy to hypervisor
• Verifies legitimacy of techniques and configurations
• Discover new techniques or abnormal behaviors
• Performs mass pcap analysis such as Contagio dumps
• Project in pipeline to add mass analysis of Windows logs
No Strings Attached
For those of you who do not have a SIEM this course:
• Gives you a free SIEM (SOF-ELK)
• Shows you what to look for in a commercial SIEM
If you already have a SIEM you will:
• Be able to operationalize, enhance, and revitalize existing SIEM
• Be able to apply open source solutions that can integrate with existing SIEM to lower costs and/or handle high EPS logs
Regardless of your SIEM situation, this class is designed for you
Return on Investment (ROI)
Immediately after taking this course you will be able to:
• Understand and apply SIEM use, architecture, and best practices
• Identify data sources to collect logs from
• Deploy scalable log solutions that can handle any number of logs
• Enhance logs to obtain added value and correlation capabilities
• Build actionable visualizations and dashboards
• Detect adversaries by using their own tactics against them
• Establish baselines and identify unauthorized deviations
• Minimize and reduce alerts to items of interest