Leveraging Compliance for Security with SIEM and Log Management
DESCRIPTION
With a fast-changing regulatory and threat landscape, organizations need to understand quickly how log management and SIEM solutions help them meet their compliance and security needs. The 2010 Data Breach Investigations Report highlights this issue, revealing that 86 percent of organizations breached had evidence of the breach in their logs. Had they found this evidence in a timely manner, they likely could have prevented much of the damage associated with a breach. In this webcast, security and compliance expert Anton Chuvakin and Tripwire's Cindy Valladares offer practical strategies organizations can apply to meet their compliance needs and improve security with log management and SIEM solutions:
• The difference between log management and SIEM solutions, and why you need both.
• How defining the problem you are trying to solve helps you choose the right solution.
• A pragmatic approach to SIEM that ensures a successful compliance audit but also improves security.
• How SIEM and log management requirements tie in to regulations and standards such as PCI, HIPAA and NERC.
• Additional steps organizations can take to improve security through the solutions they use for compliance.
• Mistakes organizations make that undermine their own security.
• How solutions in the Tripwire VIA suite fit this pragmatic approach.
TRANSCRIPT
Leveraging Compliance for Security with SIEM and Log Management
Dr. Anton Chuvakin, Security Warrior Consulting
Cindy Valladares, Tripwire, Inc.
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
Outline
• Compliance Basics
• SIEM and Log Management Defined
• Why SIEM and LM?
• SIEM: A Perfect Compliance Technology
• Pragmatic Approach to SIEM/LM
• Moving Beyond Compliance!
• Conclusions
So, what are we doing?Aka “What is Security?”
• Protecting the data
• Defending the network
• Guarding the IT environment
• Reducing “risk” (what risk?)
However, we are also:
• Checking the boxes
In Reality …
[Chart: compliance budget vs. security budget]
Compliance Reigns Supreme!
… even though the purpose of these regulations is to make sure organizations care about security!
Compliance Mystery Solved!!
Compliance is the “floor” of security
And a motivator to DO IT!
However, many prefer to treat it as a “ceiling”
Result: breaches, 0wnage, mayhem!
Compliance is NOT All!!!
                      YOUR DATA                            CUSTODIAL DATA
What it is            Key organization data, IP,           SSN, PAN, ID, addresses,
                      “secrets”, trade secrets             health records
Regulated?            Usually not regulated                Usually regulated (e.g. PCI)
Who feels the loss?   Loss causes pain to you!             Loss causes pain to others!
Responsibility        You are responsible for protection   You are responsible for protection
Can it be “killed”?   Cannot be “killed”                   Can be “killed”
Big 3 for SIEM/LM
[Venn diagram: Compliance, Security and Operations overlap; SIEM and LM sit in the overlap]
SIEM vs LM
SIEM = SECURITY information and event management
vs
LM = LOG management
What MUST a SIEM Have?
1. Log and Context Data Collection
2. Normalization
3. Correlation (“SEM”)
4. Notification/alerting (“SEM”)
5. Prioritization (“SEM”)
6. Reporting (“SIM”)
7. Security role workflow
Just What Is “Correlation”?
• Dictionary: “establishing relationships”
• SIEM: “relate events together for security benefit”
• Why correlate events? Automated cross-device data analysis!
• Simple correlation rule: if this, followed by that, take some action
Pragmatic Approach to SIEM
1. List regulations
2. Identify other “use cases”
3. Review whether SIEM/LM is needed
4. Map features to controls
5. Select and deploy
6. Operationalize regulations
7. Expand use
What is a “Best Practice”?
• A process or practice that
– The leaders in the field are doing today
– Generally leads to useful results with cost effectiveness
BP1 Evolve to SIEM
Steps of a journey
• Establish response process
• Deploy a SIEM
• Think “use cases”
• Start filtering logs from LM to SIEM
– Phases!
• Prepare for the initial increase in workload
BP2 SIEM First Steps
First step = BABY steps!
• Compliance monitoring
– Log collection
– Log retention
– Log review
– Using logs to attest to other controls
• PCI DSS, HIPAA, ISO, ITIL and others
BP3 Evolve Beyond Compliance
Walk before you run!
• Focus on “traditional” SIEM uses
– Authentication tracking
– IPS/IDS + firewall correlation
– Web application hacking
• Simple use cases, based on your risk
• Now, what else can SIEM do for you?
Example SIEM Use Case
Cross-system authentication tracking
• Scope: all systems with authentication (!)
• Purpose: detect unauthorized access to systems
• Method: track login failures and successes
• Rule details: multiple login failures followed by login success
• Response plan: user account investigation, suspension, communication with suspect user
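The correlation rule from the earlier slide (“if this, followed by that, take some action”) and the use case above are the same thing in code: normalize each raw line into a common event shape, remember recent failures per user across every host, and raise an alert when a success follows enough of them. The example below is added here and is not code from the deck, from Tripwire or from any SIEM product. The log lines are constructed for the example; the 3-failure threshold and 10-minute window are assumptions a real deployment would tune.

```python
"""Failures-followed-by-success correlation over authentication events.
Added example; constructed sample data, assumed threshold and window."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data) in an sshd-style syslog format.
# alice: three failures spread over two hosts, then a success from the same IP.
# bob: one failure, success an hour later. carol: a clean login.
SAMPLE_LOGS = """\
2010-05-01T08:00:01Z web01 sshd[411]: Failed password for alice from 203.0.113.7
2010-05-01T08:00:04Z web01 sshd[411]: Failed password for alice from 203.0.113.7
2010-05-01T08:00:09Z db01 sshd[902]: Failed password for alice from 203.0.113.7
2010-05-01T08:00:15Z db01 sshd[903]: Accepted password for alice from 203.0.113.7
2010-05-01T08:30:00Z vpn01 sshd[77]: Failed password for bob from 198.51.100.4
2010-05-01T09:30:00Z vpn01 sshd[78]: Accepted password for bob from 198.51.100.4
2010-05-01T10:00:00Z web01 sshd[450]: Accepted password for carol from 192.0.2.9
"""

# Normalization: one pattern turns each raw line into a common event shape.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+ (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    host: str
    user: str
    src: str
    success: bool


def parse(text):
    """Turn raw lines into AuthEvents, ordered by time (collection + normalization)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # dropped here; a log manager would still retain the raw line
        events.append(AuthEvent(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            host=m["host"], user=m["user"], src=m["src"],
            success=(m["outcome"] == "Accepted"),
        ))
    return sorted(events, key=lambda e: e.ts)


def correlate(events, threshold=3, window=timedelta(minutes=10)):
    """Alert when a user accumulates >= threshold failures inside `window`
    and the next event for that user is a success. State is keyed by user,
    not by host, so attempts spread across systems are still counted."""
    failures = defaultdict(deque)   # user -> deque of (timestamp, host)
    alerts = []
    for e in events:
        q = failures[e.user]
        while q and e.ts - q[0][0] > window:   # expire failures outside the window
            q.popleft()
        if not e.success:
            q.append((e.ts, e.host))
            continue
        if len(q) >= threshold:
            alerts.append({
                "user": e.user,
                "src": e.src,
                "hosts": sorted({h for _, h in q} | {e.host}),
                "failures": len(q),
                "first_failure": q[0][0].isoformat(),
                "success_at": e.ts.isoformat(),
                # The response plan from the use case, attached to the alert.
                "response": "investigate account; consider suspension; contact user",
            })
        q.clear()   # a success (alerted or not) resets the failure streak
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOGS)):
        print(alert)
```

Keying the failure state by user catches the spray across web01 and db01 that a per-host rule would miss; keying by source address instead would catch one attacker trying many accounts. Both are the same “if this, followed by that” shape, and a SIEM deployment normally runs both.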
SIEM Usage Scenarios
1. Security Operations Center (SOC)
– Real-time views, analysts 24/7, chase alerts
2. Mini-SOC / “morning after”
– Delayed views, analysts 1/24 (about an hour a day), review and drill-down
3. “Automated SOC” / alert + investigate
– Configure and forget, investigate alerts
4. Compliance status reporting
– Review reports/views weekly/monthly
Secret to SIEM Magic!
[Layered diagram, bottom to top:]
1. SIEM software/appliance
2. Deployment service
3. “Operationalizing” SIEM (e.g. SOC building)
SIEM and Compliance Mistakes
• Log collection is NOT compliance
– Many regulations prescribe log review!
• Obsess about the letter, forget the spirit!
– Regulations compel you to do the right thing, not check the box
• Address regulations in silo fashion
– Expand and adopt your SIEM across mandates
How To “Profit” From Compliance?
Everything you do for compliance MUST have a security benefit for your organization!
SIEM and Log Management MUST work!
Conclusions: SIEM and Compliance
• Use compliance to get SIEM/LM
• Start USING SIEM for compliance
– Operationalize!
• Slowly expand beyond compliance
• Address common use cases for log data
– Celebrate success after each phase!
Questions?
Dr. Anton Chuvakin
Security Warrior Consulting
Email: [email protected]
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
Twitter: @anton_chuvakin
Consulting: http://www.securitywarriorconsulting.com
More on Anton
• Now: independent consultant
• Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
• Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
• Standard developer: CEE, CVSS, OVAL, etc.
• Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
• Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
Want a PCI DSS Book?
“PCI Compliance” by Anton Chuvakin and Branden Williams
Useful reference for merchants, vendors – and everybody else
Released December 2009!
www.tripwire.com
Tripwire Americas: 1.800.TRIPWIRE
Tripwire EMEA: +44 (0) 20 7382 5420
Tripwire Japan: +812.53206.8610
Tripwire Singapore: +65 6733 5051
Tripwire Australia-New Zealand: +61 (0) 402 138 980
THANK YOU!