SIEMs - Decoding The Mayhem, by Bill Dean, Director of Computer Forensics, Sword & Shield Enterprise Security Inc.

Post on 19-Dec-2015


Page 1:

SIEMs - Decoding The Mayhem

Bill Dean, Director of Computer Forensics

Sword & Shield Enterprise Security Inc.

Page 2:

Outline
• Today’s Threat Landscape
• Why Do I Need a SIEM?
• Choosing and Deploying a SIEM
• This Will Not Be Boring

Page 3:

Computer Security Landscape
• You Are Being Blamed
• Your Money Isn’t Safe
• Your Information Isn’t Safe
• Your Reputation Is at Stake
• More Threats, Less People

Page 4:

You Are Being Blamed
• BotNets
• Pivoting

Page 5:

Stealing Your $$

Page 6:

Stealing Your Information
• Computers Are No Longer for “Productivity”
• You Have Valuable Information
• You ARE A Target
• You Aren’t Dealing With “Amateurs”

Page 7:

Hacktivists – Exposing Your Secrets

Page 8:

Hacktivists – Exposing Your Secrets

Page 9:

Hacktivists – Business Disruption

Page 10:

Your Challenge

Page 11:

SIEMs

Page 12:

You Need An “Oracle”
• Knows The Past
• Knows The Present
• Knows The Future
• Knows How to CYA

Page 13: (no transcribed text)

Page 14:

SIEM Basics
• Provides “Instant Replay”
• 24 x 7 Security Guard
• SIEMs v. Firewall v. IDS v. IPS
• SIEM v. SEIM v. SIM
• Typically Compliance Driven

Page 15:

Compliance
• HIPAA
• PII
• Data Breach Notification Laws

Page 16: (no transcribed text)

Page 17:

Why Do I Need A SIEM?
• Infrastructure Monitoring
• Reporting
• Threat Correlation
• Instant Replay
• Incident Response

Page 18:

What Is Monitored?
• Account Activity
• Availability
• IDS/Context Correlation
• Data Exfiltration
• Client Side Attacks
• Brute Force Attacks

Page 19:

Windows Accounts
• Accounts Created, By Whom, and When
• New Accounts That Aren’t Standard
• New Accounts Created At Odd Times
• New Workstation Account Created
• Key Group Membership Change
• Account Logon Hours

Page 20:

Availability
• System Uptime Statistics
• Availability Reporting
• Uptime is “Relative”

Page 21:

IDS Context/Correlation
• Place Value On Assets
• Context Is Essential
• Maintain Current Vulnerability DBs
• Create Priority Rules
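The four bullets on this slide describe one scoring step: an IDS alert is only as important as the asset it targets and whether that asset is actually vulnerable to what the signature exploits. The script below is an added example, not the presenter's code; the hosts, asset values, signature names and VULN-* tags are constructed placeholders, and the weights are assumptions.

```python
"""Added example (not the presenter's code): rank IDS alerts by asset value and
vulnerability context rather than by raw IDS severity. Every host, value,
signature and VULN-* tag below is a constructed placeholder."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: int                               # 1 = disposable lab box .. 5 = crown jewels, set by the owner
    vulns: set = field(default_factory=set)  # open findings from the current vulnerability DB


# Constructed asset inventory keyed by IP, with a snapshot of the vulnerability DB
ASSETS = {
    "10.0.1.10": Asset("db-prod-01", 5, {"VULN-DB-001"}),
    "10.0.2.20": Asset("web-prod-01", 4, set()),
    "10.0.9.99": Asset("lab-test-07", 1, {"VULN-DB-001", "VULN-LAB-002"}),
}
UNKNOWN_ASSET_VALUE = 3   # conservative default for hosts nobody has classified yet (assumption)
VULNERABLE_BOOST = 3      # the attack can actually succeed: multiply the score (assumption)

# Constructed IDS alerts: signature, IDS severity (1 low .. 3 high), target IP,
# and the vulnerability tag the signature is trying to exploit
ALERTS = [
    {"sig": "DB-PROBE-A", "sev": 2, "dst": "10.0.1.10", "exploits": "VULN-DB-001"},
    {"sig": "DB-PROBE-A", "sev": 2, "dst": "10.0.9.99", "exploits": "VULN-DB-001"},
    {"sig": "WEB-UPLOAD-B", "sev": 3, "dst": "10.0.2.20", "exploits": "VULN-WEB-003"},
    {"sig": "WEB-UPLOAD-B", "sev": 3, "dst": "10.0.7.77", "exploits": "VULN-WEB-003"},
]


def prioritize(alert, assets=ASSETS):
    """Priority rule: severity x asset value, boosted when the target is known vulnerable."""
    asset = assets.get(alert["dst"])
    if asset is None:
        # Unknown asset: score it on a default value and say so, so inventory gaps surface
        return {**alert, "host": "unknown", "score": alert["sev"] * UNKNOWN_ASSET_VALUE,
                "reason": "asset not in inventory"}
    score = alert["sev"] * asset.value
    if alert["exploits"] in asset.vulns:
        score *= VULNERABLE_BOOST
        reason = "target is vulnerable to what the signature exploits"
    else:
        reason = "target not known to be vulnerable"
    return {**alert, "host": asset.name, "score": score, "reason": reason}


def ranked(alerts=ALERTS, assets=ASSETS):
    """Alerts in the order an analyst should look at them."""
    return sorted((prioritize(a, assets) for a in alerts),
                  key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in ranked():
        print(f"{r['score']:>3}  {r['host']:<12} {r['sig']:<14} {r['reason']}")
```

The same severity-2 signature scores 30 against the production database and 6 against the lab box, which is the point of the slide: without asset value and a current vulnerability DB the IDS would rank them identically. Hosts missing from the inventory are scored on a default and labelled, so the report also tells you where the inventory is incomplete.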

Page 22:

Data Exfiltration
• You Must Know What Is “Normal”
• Deviations From The Norm Warrant An Alert
• Some Events Are “Non-Negotiable”
• “You” Typically Initiate Data Transfers
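As an added example of the four bullets above (not the presenter's code), the script below keeps a per-host baseline of daily outbound volume, alerts on deviations from it, and applies one "non-negotiable" rule for servers that should never push data outside the organisation. The hosts, byte counts, addresses, the internal address range and the three-sigma threshold are all constructed assumptions.

```python
"""Added example (not the presenter's code): alert on outbound-transfer volume that
deviates from a per-host baseline, plus one non-negotiable rule. Hosts, byte
counts, addresses, the internal network range and the threshold are constructed."""
import ipaddress
import statistics

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed: the org's own ranges
SERVERS = {"fileserver-01", "db-prod-01"}              # constructed: hosts that never push data outside
SIGMA = 3                                              # deviation threshold in standard deviations

# Constructed baseline: daily outbound totals (MB) per host over the previous 7 days
BASELINE = {
    "fileserver-01": [820, 790, 845, 810, 830, 805, 815],
    "ws-accounting-12": [40, 35, 52, 38, 45, 41, 39],
}

# Constructed flow summaries for the day under review: (host, destination IP, MB sent)
TODAY = [
    ("fileserver-01", "10.0.0.5", 400),
    ("fileserver-01", "10.0.0.7", 410),
    ("ws-accounting-12", "203.0.113.9", 1500),   # far above this workstation's normal
    ("db-prod-01", "198.51.100.20", 20),         # small, but a server talking outside
]


def is_external(ip):
    """External means 'not in one of our own ranges'; we do not rely on is_private,
    which also treats documentation ranges such as 203.0.113.0/24 as private."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def threshold(samples):
    """Upper bound of 'normal' for a host: mean plus SIGMA standard deviations."""
    return statistics.mean(samples) + SIGMA * statistics.stdev(samples)


def check(flows=TODAY, baseline=BASELINE):
    """Return (host, rule, detail) alerts for one day of flow summaries."""
    alerts = []
    totals = {}
    for host, dst, mb in flows:
        totals[host] = totals.get(host, 0) + mb
        # Non-negotiable: a server initiating a transfer to an external address
        if host in SERVERS and is_external(dst):
            alerts.append((host, "non_negotiable", f"server sent {mb} MB to external {dst}"))
    for host, total in totals.items():
        if host not in baseline:
            # No history means no definition of normal; that itself is worth a ticket
            alerts.append((host, "no_baseline", f"{total} MB sent, no history to compare against"))
        elif total > threshold(baseline[host]):
            alerts.append((host, "volume_deviation",
                           f"{total} MB vs threshold {threshold(baseline[host]):.0f} MB"))
    return alerts


if __name__ == "__main__":
    for host, rule, detail in check():
        print(f"{rule:<17} {host:<18} {detail}")
```

The file server moves a lot of data every day, so 810 MB inside the network raises nothing; the accounting workstation's 1500 MB is well past its threshold of roughly 58 MB and is flagged. The database server's 20 MB to an external address is tiny in volume terms, which is exactly why it needs a rule that ignores volume altogether.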

Page 23:

Client Side Attacks
• Windows Event Log Information
• Process Status Changes
• New Services Created
• Scheduled Task Creations
• Changes to Audit Policies

Page 24:

Brute-force Attacks
• Detailed Reports of Failed Logins
• Source Of Failed Login Attempts
• Locked Accounts Report
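The Windows Accounts, Client Side Attacks and Brute-force Attacks slides all describe rules a SIEM runs over Windows Security log events. The script below, an added example rather than the presenter's code, implements one rule per bullet over a constructed batch of events: the event IDs are the standard Windows Security log IDs, while the user and host names, times, naming standard, key-group list and failure thresholds are assumptions.

```python
"""Added example (not the presenter's code): a small rule set over normalised
Windows Security log records, covering the Windows Accounts, Client Side
Attacks and Brute-force Attacks slides. The event IDs are the standard
Windows Security log IDs; users, hosts, times, the naming standard and the
thresholds are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

KEY_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # constructed watch list
NAMING_STANDARD = re.compile(r"^[a-z]+\.[a-z]+$")  # constructed standard: first.last
BUSINESS_HOURS = range(7, 19)                      # 07:00-18:59, constructed
FAILED_LOGON_THRESHOLD = 5                         # failures from one source ...
FAILED_LOGON_WINDOW = timedelta(minutes=5)         # ... within this window (constructed)
CLIENT_SIDE = {4697: "service_installed",          # 4697: a service was installed
               4698: "scheduled_task_created",     # 4698: a scheduled task was created
               4719: "audit_policy_changed"}       # 4719: system audit policy was changed

# Constructed, time-ordered Security log records as a collector would normalise them
EVENTS = [
    {"t": "2015-12-01T03:12:00", "id": 4720, "subject": "svc_backup", "target": "support2"},
    {"t": "2015-12-01T03:13:00", "id": 4728, "subject": "svc_backup", "target": "support2",
     "group": "Domain Admins"},
    {"t": "2015-12-01T03:15:00", "id": 4741, "subject": "svc_backup", "target": "WS-TEMP01$"},
    {"t": "2015-12-01T03:20:00", "id": 4697, "subject": "support2", "target": "updsvc", "host": "fs01"},
    {"t": "2015-12-01T03:21:00", "id": 4698, "subject": "support2", "target": "\\Sync", "host": "fs01"},
    {"t": "2015-12-01T03:22:00", "id": 4719, "subject": "support2", "target": "fs01"},
    {"t": "2015-12-01T09:10:00", "id": 4720, "subject": "helpdesk.amy", "target": "john.smith"},
] + [
    {"t": f"2015-12-01T11:00:{s:02d}", "id": 4625, "target": "administrator", "src": "10.0.5.5"}
    for s in range(0, 60, 10)
] + [
    {"t": "2015-12-01T11:01:00", "id": 4740, "target": "administrator", "src": "10.0.5.5"},
    {"t": "2015-12-01T22:05:00", "id": 4624, "target": "jane.doe", "host": "ws-12"},
]


def make_alert(rule, e, detail=""):
    return {"rule": rule, "time": e["t"], "subject": e.get("subject"),
            "target": e.get("target"), "src": e.get("src"), "detail": detail}


def analyze(events):
    """Run every rule over time-ordered events and return the alerts raised."""
    alerts = []
    failed = defaultdict(deque)   # source IP -> timestamps of recent failed logons
    reported = set()              # sources already reported as brute force
    for e in events:
        ts = datetime.fromisoformat(e["t"])
        eid = e["id"]
        if eid == 4720:           # user account created: by whom, when, does the name fit
            if not NAMING_STANDARD.match(e["target"]):
                alerts.append(make_alert("nonstandard_account_name", e))
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(make_alert("account_created_off_hours", e))
        elif eid == 4741:         # computer account created
            alerts.append(make_alert("workstation_account_created", e))
        elif eid in (4728, 4732) and e.get("group") in KEY_GROUPS:   # member added to a watched group
            alerts.append(make_alert("key_group_change", e, e["group"]))
        elif eid == 4624 and ts.hour not in BUSINESS_HOURS:          # successful logon outside hours
            alerts.append(make_alert("logon_outside_hours", e))
        elif eid in CLIENT_SIDE:
            alerts.append(make_alert(CLIENT_SIDE[eid], e, e.get("host", "")))
        elif eid == 4625:         # failed logon: count per source in a sliding window
            q = failed[e["src"]]
            q.append(ts)
            while q and ts - q[0] > FAILED_LOGON_WINDOW:
                q.popleft()
            if len(q) >= FAILED_LOGON_THRESHOLD and e["src"] not in reported:
                reported.add(e["src"])
                alerts.append(make_alert("brute_force", e, f"{len(q)} failures in {FAILED_LOGON_WINDOW}"))
        elif eid == 4740:         # account locked out
            alerts.append(make_alert("account_lockout", e))
    return alerts


if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(f"{a['time']}  {a['rule']:<27} subject={a['subject']} target={a['target']} "
              f"src={a['src']} {a['detail']}")
```

The 09:10 creation of john.smith by the help desk raises nothing, while the 03:12 creation of support2, its immediate addition to Domain Admins and the new service, scheduled task and audit-policy change that follow each raise their own alert; the six failed logons from one source produce a single brute-force alert with the source address, and the lockout that follows is reported separately so the locked-accounts report stays complete.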

Page 25:

Incident Response

Page 26:

Incident Response Scenario #1
• Law Firm With Dealings In China
• Law Firm Was “Owned” More Than A Year
• Access To Every Machine On Network
• Thousands of “Responsive” Emails Obtained
• “Privilege” Was Not Observed

Page 27:

Incident Response Scenario #2
• VP of Finance Promoted to CFO
• Attack on the “Weakest” Link

Page 28: (no transcribed text)

Page 29: (no transcribed text)

Page 30: (no transcribed text)

Page 31:

AV Will Save Us!!

Page 33:

How SIEMs Would Have Helped
• Accounts Enabled
• Services Created
• Firewall Changes
• Data Exfiltration
• Network Communications
• Incident Response Costs

Page 34:

Choosing A SIEM
• Not a Replacement for Security Engineers
• Must Support Disparate Devices (Agentless)
• Don’t Plan To Monitor? DON’T BOTHER

Page 35:

Deploying a SIEM
• Architecture Options
• Tuning Out The “Noise”

Page 36:

SIEM Option$
• Outsourced Options
  • SecureWorks
• High-Cost
  • ArcSight, Q1 Labs Radar, RSA, Tripwire
• Lower-Cost
  • Q1 Labs FE, TriGEO, Splunk
• No-Cost
  • OSSIM
  • OSSEC

Page 37:

Summary
• You Must Anticipate Today’s Threats
• SIEMs Are Extremely Valuable
• SIEMs Are Not A Silver Bullet

Page 38:

Questions?

Bill Dean, Director of Computer Forensics

Sword & Shield Enterprise Security Inc.

[email protected]

http://www.twitter.com/BillDeanCCE