SIEM Primer: Security Information and Event Management
Dr. Anton Chuvakin, SecurityWarrior LLC
www.securitywarriorconsulting.com
Rochester Institute of Technology, 4/2011
Security Warrior Consulting / Dr. Anton Chuvakin
Outline
• What is SIEM?
• What are logs?
• How does SIEM help security?
• Promises and failures of SIEM!
• Conclusions
SIEM?
Security Information and Event Management!
(sometimes: SIM or SEM)
SIEM vs Log Management
SIEM:
Security Information and Event Management
Focus on security use of logs and other data
LM:
Log Management
Focus on all uses for logs
The Big Picture
Big 3 for SIEM/LM
[Diagram: Compliance, Security and Operations, showing where SIEM and LM each apply]
SIEM and LM Defined
Security Information and Event Management = relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content.
Log Management = comprehensive log collection, aggregation, original log retention; analysis; presentation (search, reporting, visualization); related workflow and relevant content.
What SIEM MUST Have?
1. Log and Context Data Collection
2. Normalization
3. Correlation (“SEM”)
4. Notification/alerting (“SEM”)
5. Prioritization (“SEM”)
6. Reporting and report delivery (“SIM”)
7. Security role workflow (IR, SOC, etc)
Just What Is “Correlation”?
• Dictionary: “establishing relationships”
• SIEM: “relate events together for security benefit”
• Why correlate events? Automated cross-device data analysis!
• Simple correlation rule: if this, followed by that, take some action
What SIEM Eats: Logs
<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2
<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ANTON Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574
<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006
<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
What SIEM Eats: Context
http://chuvakin.blogspot.com/2010/01/on-log-context.html
Example SIEM Use Case: Cross-system authentication tracking
• Scope: all systems with authentication
• Purpose: detect unauthorized access to systems
• Method: track login failures and successes
• Rule details: multiple login failures followed by login success
• Response plan: user account investigation, suspension, communication with suspect user
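The normalization step from “What SIEM MUST Have?”, the “if this, followed by that” correlation rule, and this use case together, as an added example that is not part of the original deck: the script below is my own illustration, not Dr. Chuvakin’s code or any SIEM product’s rule language. It parses the four log formats shown on the “What SIEM Eats: Logs” slide (sshd, Windows event 680, Cisco IOS login, NetScreen admin login) into one event shape, lower-cases the user name so ANTON on Windows and anton on sshd correlate, and then fires one alert when a user accumulates at least three failures on any device followed by a success within a ten-minute window. The regular expressions, the threshold and window, the assumed year 2006 for syslog lines that carry none, and the sample log lines (modelled on the slide’s formats, with made-up users, addresses and times) are all assumptions of this example.

```python
"""Added example: normalize auth logs from four formats into one event shape,
then run the 'failures followed by a success' correlation rule across them."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

DEFAULT_YEAR = 2006  # assumption: syslog-style lines carry no year

class AuthEvent(NamedTuple):
    ts: datetime
    source_type: str
    user: str      # lower-cased so ANTON (Windows) and anton (sshd) correlate
    src: str       # source address or workstation as the device reports it
    outcome: str   # "success" or "failure"

# Vendor-specific outcome tokens mapped onto one vocabulary.
OUTCOMES = {"Accepted": "success", "Failed": "failure",             # OpenSSH
            "Success Audit": "success", "Failure Audit": "failure",  # Windows 680
            "LOGIN_SUCCESS": "success", "LOGIN_FAILED": "failure",   # Cisco IOS
            "logged on": "success"}                                  # NetScreen

# (source_type, regex with ts/user/src/outcome groups, strptime format)
PARSERS = [
    ("sshd", re.compile(
        r"^<\d+>\s*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
        r"(?P<outcome>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+) port"),
     "%b %d %H:%M:%S"),
    ("windows", re.compile(
        r"^<\d+>\s*(?P<ts>\w{3} \w{3} \d+ \d\d:\d\d:\d\d \d{4}) 680 .*?"
        r"(?P<outcome>Success Audit|Failure Audit).*?Logon account: (?P<user>\S+) "
        r"Source Workstation: (?P<src>\S+)"),
     "%a %b %d %H:%M:%S %Y"),
    ("cisco", re.compile(
        r"%SEC_LOGIN-\d-(?P<outcome>LOGIN_SUCCESS|LOGIN_FAILED):.*?\[user:\s*(?P<user>[^\]]+)\] "
        r"\[Source:\s*(?P<src>[^\]]+)\].*? at (?P<ts>\d\d:\d\d:\d\d UTC \w{3} \w{3} \d+ \d{4})"),
     "%H:%M:%S UTC %a %b %d %Y"),
    ("netscreen", re.compile(
        r"Admin User (?P<user>\S+) has (?P<outcome>logged on) via \S+ from (?P<src>[\d.]+):\d+ "
        r"\((?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\)"),
     "%Y-%m-%d %H:%M:%S"),
]

def normalize(line):
    """Return an AuthEvent for a recognized line, or None for anything else."""
    for source_type, pattern, fmt in PARSERS:
        m = pattern.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), fmt)
        if ts.year == 1900:  # strptime's default when the format has no year
            ts = ts.replace(year=DEFAULT_YEAR)
        return AuthEvent(ts, source_type, m.group("user").lower(),
                         m.group("src"), OUTCOMES[m.group("outcome")])
    return None

def correlate(events, threshold=3, window=timedelta(minutes=10)):
    """Rule: >= threshold failures for one user (on any device) followed by a
    success for that user within `window` -> one alert, then reset the count."""
    recent_failures = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent_failures[ev.user]
        while q and ev.ts - q[0].ts > window:  # expire failures outside the window
            q.popleft()
        if ev.outcome == "failure":
            q.append(ev)
        elif len(q) >= threshold:
            alerts.append({"user": ev.user, "failures": len(q),
                           "failure_sources": sorted({f.src for f in q}),
                           "success_via": ev.source_type, "success_ts": ev.ts})
            q.clear()
    return alerts

def detect(lines, **rule_args):
    """Normalize raw lines (dropping unparsed ones) and apply the rule."""
    return correlate([e for e in map(normalize, lines) if e], **rule_args)

# Constructed sample lines modelled on the slide "What SIEM Eats: Logs";
# users, addresses and times are made up for this example.
SAMPLE_LOGS = [
    "<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon "
    "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ANTON "
    "Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574",
    "<122> Mar 17 14:30:02 localhost sshd[27577]: Failed password for anton from ::ffff:192.168.138.35 port 2895 ssh2",
    "<122> Mar 17 14:30:20 localhost sshd[27577]: Failed password for anton from ::ffff:192.168.138.35 port 2895 ssh2",
    "<122> Mar 17 14:31:05 localhost sshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2",
    "<18> Mar 17 14:32:00 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: "
    "Admin User bob has logged on via Telnet from 10.14.98.55:39073 (2006-03-17 14:32:00)",
    "<57> Mar 17 16:00:00:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:anton] [Source:10.4.2.11] "
    "[localport:23] at 16:00:00 UTC Fri Mar 17 2006",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Running the script on the sample yields a single alert for anton: the Windows failure and the two sshd failures count together because the rule keys on the normalized user, not on the device, which is the cross-device point of the slide. The later Cisco success for the same user raises nothing, since the failure count was reset when the alert fired and the window had expired anyway; bob’s NetScreen login raises nothing because no failures preceded it.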
What do we know about SIEM? Ties to many technologies, analyzes data, requires process around it, etc.
What does it actually mean? Many people think “SIEM is complex”
Thinking Aloud Here…
Broad SIEM Usage Scenarios
1. Security Operations Center (SOC): RT views, analysts 24/7, chase alerts
2. Mini-SOC / “morning after”: delayed views, analysts 1/24, review and drill-down
3. “Automated SOC” / alert + investigate: configure and forget, investigate alerts
4. Compliance status reporting: review reports/views weekly/monthly
The Right Way to SIEM
1. Figure out what problems you want to solve with SIEM
2. Confirm that SIEM is the best way to solve them
3. Define and analyze use cases
4. Create requirements for a tool
5. Choose scope for SIEM coverage
6. Assess data volume
7. Perform product research
8. Create a tool shortlist
9. Pilot top 2-3 products
10. Test the products for features, usability and scalability vs requirements
11. Select a product for deployment
12. Update or create procedures, IR plans, etc
13. Deploy the tool (phase 1)
The Popular Way to SIEM
1. Buy a SIEM appliance
Got Difference?
What people WANT to know and have before they deploy a SIEM?
What people NEED to know and have before they deploy a SIEM?
Got SIEM? Have you inherited it?
Now what?
One Way to NOT Fail With SIEM
SIEM Project Plan:
1. Goals and requirements
2. Functionality / features
3. Scoping of data collection
4. Sizing
5. Architecting
SIEM/LM Maturity Curve
Best Reports? SANS Top 7
DRAFT “SANS Top 7 Log Reports”
1. Authentication
2. Changes
3. Network activity
4. Resource access
5. Malware activity
6. Failures
7. Analytic reports
Best Correlation Rules? Nada
• Vendor default rules?
• IDS/IPS + vulnerability scan?
Anton fave rules:
1. Authentication
2. Outbound access
3. Safeguard failure
Secret to SIEM Magic!
• “Operationalizing” SIEM (e.g. SOC building)
• Deployment Service
• SIEM Software/Appliance
Conclusions
• SIEM will work and has value … but BOTH an initial and an ongoing time/focus commitment are required
• FOCUS on what problems you are trying to solve with SIEM: requirements!
• Phased approach WITH “quick wins” is the easiest way to go
• Operationalize!!!
Questions?
Dr. Anton Chuvakin
Email: [email protected]
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
Twitter: @anton_chuvakin
Consulting: http://www.securitywarriorconsulting.com
More Resources
• Blog: www.securitywarrior.org
• Podcast: look for “LogChat” on iTunes
• Slides: http://www.slideshare.net/anton_chuvakin
• Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin
• Consulting: http://www.securitywarriorconsulting.com/
More on Anton
• Consultant: http://www.securitywarriorconsulting.com
• Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
• Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
• Standard developer: CEE, CVSS, OVAL, etc
• Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
• Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
Security Warrior Consulting Services
• Logging and log management / SIEM strategy, procedures and practices
  – Develop logging policies and processes, log review procedures, workflows and periodic tasks, as well as help architect those to solve organization problems
  – Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration, as well as reporting, review and validation
  – Customize industry “best practices” related to logging and log review to fit your environment; help link these practices to business services and regulations
  – Help integrate logging tools and processes into IT and business operations
• SIEM and log management content development
  – Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
  – Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
Others at www.SecurityWarriorConsulting.com