SIEM Primer: Security Information and Event Management. Dr. Anton Chuvakin, SecurityWarrior LLC, www.securitywarriorconsulting.com. Rochester Institute of Technology, 4/2011.


Page 1: SIEM Primer:

SIEM Primer: Security Information and Event Management

Dr. Anton Chuvakin, SecurityWarrior LLC

www.securitywarriorconsulting.com

Rochester Institute of Technology, 4/2011

Page 2: SIEM Primer:

Security Warrior Consulting, Dr. Anton Chuvakin

Outline

• What is SIEM?
• What are logs?
• How does SIEM help security?
• Promises and failures of SIEM!
• Conclusions

Page 3: SIEM Primer:


SIEM?

Security Information and Event Management!

(sometimes: SIM or SEM)

Page 4: SIEM Primer:

SIEM vs Log Management

SIEM: Security Information and Event Management. Focus on security use of logs and other data.

LM: Log Management. Focus on all uses for logs.

Page 5: SIEM Primer:


The Big Picture

Page 6: SIEM Primer:

Big 3 for SIEM/LM

[Diagram: the three drivers for SIEM and LM (Compliance, Security, Operations) mapped against the two tool types]

Page 7: SIEM Primer:

SIEM and LM Defined

Security Information and Event Management = relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content.

Log Management = comprehensive log collection, aggregation, original log retention; analysis; presentation (search, reporting, visualization); related workflow and relevant content.

Page 8: SIEM Primer:

What SIEM MUST Have?

1. Log and Context Data Collection
2. Normalization
3. Correlation (“SEM”)
4. Notification/alerting (“SEM”)
5. Prioritization (“SEM”)
6. Reporting and report delivery (“SIM”)
7. Security role workflow (IR, SOC, etc)

Page 9: SIEM Primer:

Just What Is “Correlation”?

• Dictionary: “establishing relationships”
• SIEM: “relate events together for security benefit”
• Why correlate events? Automated cross-device data analysis!
• Simple correlation rule: if this, followed by that, take some action

Page 10: SIEM Primer:

What SIEM Eats: Logs

<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2

<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon  account:  ANTON    Source Workstation: ENTERPRISE    Error Code: 0xC000006A     4574

<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006

<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
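The four records above come from four different products and four different formats, which is exactly why "Normalization" is on the must-have list: a correlation rule that says "failures followed by a success" can only work if every source ends up with the same fields. The following is an added example written for this transcript, not code from the presentation or from any SIEM product. It parses the slide's own four records into one schema (the field names source_type, user, src_ip, outcome are my own choice) and collapses details that would otherwise break cross-source matching, such as the IPv4-mapped IPv6 address in the sshd record and the upper-case account name in the Windows record.

```python
"""Added example for this transcript: normalize the four raw login records from
the slide into one schema. Not code from the presentation or any SIEM product;
the schema field names are my own choice."""
import re
from typing import Optional

# Syslog header: PRI = facility * 8 + severity (RFC 3164 / RFC 5424).
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>\s*(?P<body>.*)$", re.S)
WIN_ERROR_RE = re.compile(r"Error Code:\s+(?P<code>0x[0-9A-Fa-f]+)")

# One pattern per source type. Each must capture user, src and result;
# the third element maps the raw result token to the normalized outcome.
PATTERNS = [
    ("sshd", re.compile(
        r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?"
        r"(?P<user>\S+) from (?P<src>\S+) port \d+"),
     {"Accepted": "success", "Failed": "failure"}),
    ("windows", re.compile(
        r"(?P<eid>\d+) Security \S+ \S+ (?P<result>Success Audit|Failure Audit)"
        r".*?Logon\s+account:\s+(?P<user>\S+)\s+Source Workstation:\s+(?P<src>\S+)"),
     {"Success Audit": "success", "Failure Audit": "failure"}),
    ("cisco_ios", re.compile(
        r"%SEC_LOGIN-\d-(?P<result>LOGIN_SUCCESS|LOGIN_FAILED):.*?\[user:(?P<user>[^\]]+)\]"
        r".*?\[Source:(?P<src>[^\]]+)\]"),
     {"LOGIN_SUCCESS": "success", "LOGIN_FAILED": "failure"}),
    ("netscreen", re.compile(
        r"Admin User (?P<user>\S+) has (?P<result>logged on) via \w+ from (?P<src>[\d.]+):\d+"),
     {"logged on": "success"}),
]


def normalize(raw: str) -> Optional[dict]:
    """Return a normalized event, or None when no pattern matches (such records
    stay searchable as raw text but yield no structured fields)."""
    m = PRI_RE.match(raw)
    if not m:
        return None
    pri, body = int(m.group("pri")), m.group("body")
    for source_type, pattern, outcomes in PATTERNS:
        hit = pattern.search(body)
        if not hit:
            continue
        src = hit.group("src")
        # ::ffff:a.b.c.d is an IPv4-mapped IPv6 address for a.b.c.d; collapse it
        # so "failures per source" counts line up across sshd and other sources.
        if src.lower().startswith("::ffff:"):
            src = src[len("::ffff:"):]
        event = {
            "source_type": source_type,
            "facility": pri // 8,
            "severity": pri % 8,
            "user": hit.group("user").lower(),  # ANTON and anton are one account
            "src_ip": src,
            "outcome": outcomes[hit.group("result")],
            "raw": raw,
        }
        if source_type == "windows":
            event["event_id"] = int(hit.group("eid"))
            err = WIN_ERROR_RE.search(body)
            event["error_code"] = err.group("code") if err else None
        return event
    return None


# The four records shown on the slide, used here as parser input.
SAMPLE_LOGS = [
    "<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2",
    "<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon  account:  ANTON    Source Workstation: ENTERPRISE    Error Code: 0xC000006A     4574",
    "<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006",
    "<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)",
]


def normalize_all(lines):
    """Normalize a batch, silently skipping records no pattern understands."""
    return [ev for ev in (normalize(line) for line in lines) if ev]


if __name__ == "__main__":
    for ev in normalize_all(SAMPLE_LOGS):
        print(ev["source_type"], ev["user"], ev["src_ip"], ev["outcome"])
```

Each pattern is deliberately narrow: a record that does not match any of them comes back as None rather than as a half-filled event, which is the safer failure mode for anything a correlation rule will later count on.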

Page 11: SIEM Primer:


What SIEM Eats: Context

http://chuvakin.blogspot.com/2010/01/on-log-context.html

Page 12: SIEM Primer:

Example SIEM Use Case: Cross-system authentication tracking

• Scope: all systems with authentication
• Purpose: detect unauthorized access to systems
• Method: track login failures and successes
• Rule details: multiple login failures followed by login success
• Response plan: user account investigation, suspension, communication with suspect user
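The rule on this slide is the "if this, followed by that" pattern from the correlation slide, and the alert it raises is what the prioritization stage from the must-have list then scores. The following is an added example written for this transcript, not code from the presentation or from any SIEM product. It assumes events have already been normalized to a dict with ts (epoch seconds), host, user, src_ip and outcome, arrive in time order, and that the SIEM has context data (here a constructed asset-criticality table and internal address prefixes) to rank the alert. The threshold, window and scoring weights are assumptions chosen for the example.

```python
"""Added example for this transcript: the use case on this slide ("multiple
login failures followed by login success") as a stateful correlation rule,
plus the prioritization step from the SIEM feature list. Illustrative code,
not a product's rule engine; the event schema, thresholds and context table
are assumptions made for the example."""
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    min_failures: int = 3   # at least this many failures ...
    window_s: int = 300     # ... within this many seconds, then a success,
                            # all for the same (user, source address) pair.


# Context data a SIEM joins to events (constructed here; a real deployment
# would take it from asset inventory / CMDB and the network plan).
ASSET_CRITICALITY = {"dc01": 10, "vpn-gw": 8, "web01": 5}
INTERNAL_NETS = ("10.", "192.168.")


def prioritize(alert: dict) -> dict:
    """Score with context: target criticality, external source, burst size."""
    score = ASSET_CRITICALITY.get(alert["host"], 1)
    if not alert["src_ip"].startswith(INTERNAL_NETS):
        score += 5                         # source outside the internal ranges
    score += min(alert["failures"], 10)    # bigger burst, higher score (capped)
    alert["score"] = score
    alert["priority"] = "high" if score >= 15 else "medium" if score >= 8 else "low"
    return alert


class FailureThenSuccess:
    """Stateful correlation: events must arrive in time order."""

    def __init__(self, rule: Rule):
        self.rule = rule
        self.failures = {}  # (user, src_ip) -> deque of failure timestamps

    def feed(self, ev: dict) -> Optional[dict]:
        key = (ev["user"], ev["src_ip"])
        q = self.failures.setdefault(key, deque())
        while q and ev["ts"] - q[0] > self.rule.window_s:  # drop expired failures
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(ev["ts"])
            return None
        if len(q) >= self.rule.min_failures:
            alert = {"rule": "failures-then-success", "user": ev["user"],
                     "src_ip": ev["src_ip"], "host": ev["host"],
                     "failures": len(q), "first_failure": q[0], "success": ev["ts"]}
            q.clear()  # one alert per burst
            return prioritize(alert)
        q.clear()  # a success after fewer failures than the threshold is treated
        return None  # as a typo and resets the count


def run(events, rule: Rule = Rule()):
    """Feed a time-ordered batch through the rule; return the alerts raised."""
    engine = FailureThenSuccess(rule)
    return [a for a in (engine.feed(ev) for ev in events) if a]


# Constructed normalized events: three bursts, only two inside the window.
EVENTS = [
    {"ts": 0,    "host": "dc01",  "user": "anton", "src_ip": "203.0.113.9", "outcome": "failure"},
    {"ts": 30,   "host": "dc01",  "user": "anton", "src_ip": "203.0.113.9", "outcome": "failure"},
    {"ts": 60,   "host": "dc01",  "user": "anton", "src_ip": "203.0.113.9", "outcome": "failure"},
    {"ts": 90,   "host": "dc01",  "user": "anton", "src_ip": "203.0.113.9", "outcome": "success"},
    {"ts": 100,  "host": "web01", "user": "bob",   "src_ip": "10.1.1.5",    "outcome": "failure"},
    {"ts": 120,  "host": "web01", "user": "bob",   "src_ip": "10.1.1.5",    "outcome": "failure"},
    {"ts": 140,  "host": "web01", "user": "bob",   "src_ip": "10.1.1.5",    "outcome": "failure"},
    {"ts": 1000, "host": "web01", "user": "bob",   "src_ip": "10.1.1.5",    "outcome": "success"},
    {"ts": 1100, "host": "web01", "user": "carol", "src_ip": "10.1.1.7",    "outcome": "failure"},
    {"ts": 1110, "host": "web01", "user": "carol", "src_ip": "10.1.1.7",    "outcome": "failure"},
    {"ts": 1120, "host": "web01", "user": "carol", "src_ip": "10.1.1.7",    "outcome": "failure"},
    {"ts": 1130, "host": "web01", "user": "carol", "src_ip": "10.1.1.7",    "outcome": "success"},
]

if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert["priority"], alert["score"], alert["user"], alert["src_ip"], alert["host"])
```

The bob burst is the case worth noticing: three failures, then a success, but 860 seconds later, so outside the 300-second window and no alert. Widen the window and it fires, which is the usual tuning trade-off between catching slow attempts and drowning analysts in alerts about forgotten passwords.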

Page 13: SIEM Primer:

What do we know about SIEM? Ties to many technologies, analyzes data, requires process around it, etc.

What does it actually mean? Many people think “SIEM is complex”.

Thinking Aloud Here…

Page 14: SIEM Primer:

Broad SIEM Usage Scenarios

1. Security Operations Center (SOC)
– RT views, analysts 24/7, chase alerts
2. Mini-SOC / “morning after”
– Delayed views, analysts 1/24, review and drill-down
3. “Automated SOC” / alert + investigate
– Configure and forget, investigate alerts
4. Compliance status reporting
– Review reports/views weekly/monthly

Page 15: SIEM Primer:

The Right Way to SIEM

1. Figure out what problems you want to solve with SIEM
2. Confirm that SIEM is the best way to solve them
3. Define and analyze use cases
4. Create requirements for a tool
5. Choose scope for SIEM coverage
6. Assess data volume
7. Perform product research
8. Create a tool shortlist
9. Pilot top 2-3 products
10. Test the products for features, usability and scalability vs requirements
11. Select a product for deployment
12. Update or create procedures, IR plans, etc
13. Deploy the tool (phase 1)

Page 16: SIEM Primer:


The Popular Way to SIEM

1. Buy a SIEM appliance

Page 17: SIEM Primer:

Got Difference?

What do people WANT to know and have before they deploy a SIEM?

What do people NEED to know and have before they deploy a SIEM?

Page 18: SIEM Primer:

Got SIEM? Have you inherited it?

Now what?

Page 19: SIEM Primer:

One Way to NOT Fail With SIEM

SIEM Project Plan:
1. Goals and requirements
2. Functionality / features
3. Scoping of data collection
4. Sizing
5. Architecting

Page 20: SIEM Primer:


SIEM/LM Maturity Curve

Page 21: SIEM Primer:

Best Reports? SANS Top 7

DRAFT “SANS Top 7 Log Reports”

1. Authentication
2. Changes
3. Network activity
4. Resource access
5. Malware activity
6. Failures
7. Analytic reports
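The first report on the list, authentication, is also the one most shops can produce on day one, because it needs nothing but the normalized login events the SIEM already collects. The following is an added example written for this transcript, not code from the presentation or from any SIEM product. It builds the authentication report (per-user successes, failures, sources and targets) together with a failures breakdown by source and by source-to-host pair, and lists the accounts a reviewer would want to look at first. The event schema and sample events are constructed for the example.

```python
"""Added example for this transcript: the Authentication report from the
"SANS Top 7" list, with a failures breakdown, built from normalized events.
Illustrative code, not a SIEM product's report engine; the event schema and
sample events are constructed for the example."""
from collections import Counter

# Constructed normalized authentication events (one per attempt).
EVENTS = [
    {"host": "web01",  "user": "anton", "src_ip": "10.1.1.5",     "outcome": "success"},
    {"host": "web01",  "user": "anton", "src_ip": "10.1.1.5",     "outcome": "success"},
    {"host": "dc01",   "user": "anton", "src_ip": "10.1.1.5",     "outcome": "failure"},
    {"host": "dc01",   "user": "bob",   "src_ip": "203.0.113.9",  "outcome": "failure"},
    {"host": "dc01",   "user": "bob",   "src_ip": "203.0.113.9",  "outcome": "failure"},
    {"host": "dc01",   "user": "bob",   "src_ip": "203.0.113.9",  "outcome": "failure"},
    {"host": "vpn-gw", "user": "carol", "src_ip": "198.51.100.4", "outcome": "success"},
    {"host": "vpn-gw", "user": "carol", "src_ip": "10.1.1.9",     "outcome": "success"},
    {"host": "vpn-gw", "user": "bob",   "src_ip": "203.0.113.9",  "outcome": "failure"},
]


def authentication_report(events):
    """Per-user summary: successes, failures, distinct sources and targets."""
    rows = {}
    for ev in events:
        r = rows.setdefault(ev["user"], {"success": 0, "failure": 0,
                                          "sources": set(), "hosts": set()})
        r[ev["outcome"]] += 1
        r["sources"].add(ev["src_ip"])
        r["hosts"].add(ev["host"])
    return rows


def failures_report(events, top=5):
    """Failed logins by source address and by (source, target), most frequent first."""
    failed = [ev for ev in events if ev["outcome"] == "failure"]
    by_src = Counter(ev["src_ip"] for ev in failed).most_common(top)
    by_pair = Counter((ev["src_ip"], ev["host"]) for ev in failed).most_common(top)
    return by_src, by_pair


def review_candidates(events):
    """Accounts worth a look: only failures in the period (locked, stale or
    under attack), or successes from more than one source address."""
    rows = authentication_report(events)
    never_succeeded = [u for u, r in rows.items() if r["success"] == 0 and r["failure"]]
    multi_source = [u for u, r in rows.items() if r["success"] and len(r["sources"]) > 1]
    return sorted(never_succeeded), sorted(multi_source)


def render(events) -> str:
    """Plain-text version of the report, the form a weekly review would read."""
    lines = ["AUTHENTICATION REPORT", f"{'user':<8}{'ok':>4}{'fail':>6}  sources / hosts"]
    for user, r in sorted(authentication_report(events).items()):
        lines.append(f"{user:<8}{r['success']:>4}{r['failure']:>6}  "
                     f"{','.join(sorted(r['sources']))} / {','.join(sorted(r['hosts']))}")
    by_src, by_pair = failures_report(events)
    lines.append("FAILURES BY SOURCE")
    lines += [f"  {src:<14}{n:>3}" for src, n in by_src]
    lines.append("FAILURES BY SOURCE -> HOST")
    lines += [f"  {src:<14}-> {host:<7}{n:>3}" for (src, host), n in by_pair]
    never, multi = review_candidates(events)
    lines.append(f"REVIEW: never succeeded={never} multi-source success={multi}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(EVENTS))
```

The review list is what turns a report from a compliance artifact into something the "morning after" scenario can act on: it is the same data, but sorted by the question a reviewer actually asks.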

Page 22: SIEM Primer:

Best Correlation Rules? Nada

• Vendor default rules?
• IDS/IPS + vulnerability scan?

Anton fave rules:
1. Authentication
2. Outbound access
3. Safeguard failure

Page 23: SIEM Primer:

Secret to SIEM Magic!

[Diagram, layered top to bottom:]
• “Operationalizing” SIEM (e.g. SOC building)
• Deployment Service
• SIEM Software/Appliance

Page 24: SIEM Primer:


Conclusions

• SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required

• FOCUS on what problems you are trying to solve with SIEM: requirements!

• Phased approach WITH “quick wins” is the easiest way to go

• Operationalize!!!

Page 25: SIEM Primer:


Questions?

Dr. Anton Chuvakin

Email: [email protected]
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
Twitter: @anton_chuvakin
Consulting: http://www.securitywarriorconsulting.com

Page 26: SIEM Primer:

More Resources

• Blog: www.securitywarrior.org
• Podcast: look for “LogChat” on iTunes
• Slides: http://www.slideshare.net/anton_chuvakin
• Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin
• Consulting: http://www.securitywarriorconsulting.com/

Page 27: SIEM Primer:

More on Anton

• Consultant: http://www.securitywarriorconsulting.com
• Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
• Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
• Standard developer: CEE, CVSS, OVAL, etc
• Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
• Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

Page 28: SIEM Primer:

Security Warrior Consulting Services

• Logging and log management / SIEM strategy, procedures and practices
– Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
– Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
– Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
– Help integrate logging tools and processes into IT and business operations
• SIEM and log management content development
– Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
– Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations

Others at www.SecurityWarriorConsulting.com