siems - decoding the mayhem

Slide 1

SIEMs - Decoding The MayhemBill DeanDirector of Computer ForensicsSword & Shield Enterprise Security Inc.

Outline Todays Threat Landscape Why Do I Need a SIEM? Choosing and Deploying a SIEM This Will Not Be Boring

Computer Security LandScape You Are Being Blamed Your Money Isnt Safe Your Information Isnt Safe Your Reputation Is at Stake More Threats, Less People

Your Are Being Blamed BotNets Pivoting

4

Stealing Your $$

Stealing Your Information Computers Are No Longer for Productivity You Have Valuable Information You ARE A Target You Arent Dealing With Amateurs

Hactivists Exposing Your Secrets

Hactivists Exposing Your Secrets

8

Hactivists Business Disruption

9

Your Challenge

10SIEMS

You Need An Oracle Know The Past Knows The Present Knows The Future Knows How to CYA

12

SIEM Basics Provides Instant Replay 24 X 7 Security Guard SIEMs v. Firewall v. IDS v. IPS SIEM v. SEIM v. SIM Typically Compliance Driven

Compliance HIPAA PII Data Breach Notification Laws

15

Why Do I Need A SIEM? Infrastructure Monitoring Reporting Threat Correlation Instant Replay Incident Response

What Is Monitored? Account Activity Availability IDS/Context Correlation Data Exfiltration Client Side Attacks Brute Force Attacks

19Windows AccountsAccounts Created, By Whom, and When New Accounts That Arent StandardNew Accounts Created At Odd TimeNew Workstation Account CreatedKey Group Membership ChangeAccounts Logon Hours

19

Availability System Uptime Statistics Availability Reporting Uptime is Relative

21IDS Context/Correlation Place Value On Assets Context Is Essential Maintain Current Vulnerability DBs Create Priority Rules

2122Data ExfiltrationYou Must Know What Is NormalDeviations From The Norm Warrant An AlertSome Events Are Non-NegotiableYou Typically Initiate Data Transfers

2223Client Side AttacksWindows Event Logs InformationProcess Status ChangesNew Services CreatedScheduled Tasks Creations Changes to Audit Policies

2324Brute-force AttacksDetailed Reports of Failed LoginsSource Of Failed Login AttemptsLocked Accounts Report

24

Incident Response

Incident Response Scenario #1 Law Firm With Dealings In China Law Firm Was Owned More Than A Year Access To Every Machine On Network Thousands of Responsive Emails ObtainedPrivilege Was Not Observed

26

Incident Response Scenario #2 VP of Finance Promoted to CFO Attack on the Weakest Link

28

29

30

AV Will Save Us!!31

Incident Response Scenario #3

http://mail.hfmforum.com/microsoftupdate/getupdate/default.aspx

How SIEMs Would Have Helped Accounts Enabled Services Created Firewall Changes Data Exfiltration Network Communications Incident Response Costs

33

Choosing A SIEM Not a Replacement for Security Engineers Must Support Disparate Devices (Agentless) Dont Plan To Monitor? DONT BOTHER

34

Deploying a SIEM Architecture Options Tuning Out The Noise

SIEM Option$ OutSourced OptionsSecureWorks High-CostArcSight, Q1 Labs Radar, RSA, TripwireLower-CostQ1 Labs FE, TriGEO, Splunk No-CostOSSIMOSSEC

Summary You Must Anticipate Todays Threats SIEMs Are Extremely Valuable SIEMs Are Not A Silver Bullet

Questions?

Bill DeanDirector of Computer ForensicsSword & Shield Enterprise Security Inc.bdean@swordshield.comhttp://www.twitter.com/BillDeanCCE