SIEMs - Decoding The Mayhem

Bill DeanDirector of Computer Forensics

Sword & Shield Enterprise Security Inc.

Outline• Today’s Threat Landscape• Why Do I Need a SIEM?• Choosing and Deploying a SIEM• This Will Not Be Boring

Computer Security LandScape• You Are Being Blamed• Your Money Isn’t Safe• Your Information Isn’t Safe• Your Reputation Is at Stake• More Threats, Less People

Your Are Being Blamed• BotNets• Pivoting

Stealing Your $$

Stealing Your Information• Computers Are No Longer for “Productivity”• You Have Valuable Information• You ARE A Target• You Aren’t Dealing With “Amateurs”

Hactivists – Exposing Your Secrets

Hactivists – Exposing Your Secrets

Hactivists – Business Disruption

Your Challenge

SIEMS

You Need An “Oracle”• Know The Past• Knows The Present• Knows The Future• Knows How to CYA

SIEM Basics• Provides “Instant Replay”• 24 X 7 Security Guard• SIEMs v. Firewall v. IDS v. IPS• SIEM v. SEIM v. SIM• Typically Compliance Driven

Compliance • HIPAA• PII• Data Breach Notification Laws

Why Do I Need A SIEM?• Infrastructure Monitoring• Reporting• Threat Correlation• Instant Replay• Incident Response

What Is Monitored?• Account Activity• Availability• IDS/Context Correlation• Data Exfiltration• Client Side Attacks• Brute Force Attacks

19

Windows Accounts• Accounts Created, By Whom,

and When • New Accounts That Aren’t

Standard• New Accounts Created At Odd

Time• New Workstation Account

Created• Key Group Membership Change• Accounts Logon Hours

Availability• System Uptime Statistics• Availability Reporting• Uptime is “Relative”

21

IDS Context/Correlation• Place Value On Assets• Context Is Essential• Maintain Current Vulnerability DBs

• Create Priority Rules

22

Data Exfiltration• You Must Know What Is “Normal”• Deviations From The Norm Warrant

An Alert• Some Events Are “Non-Negotiable”• “You” Typically Initiate Data Transfers

23

Client Side Attacks• Windows Event Logs Information• Process Status Changes• New Services Created• Scheduled Tasks Creations • Changes to Audit Policies

24

Brute-force Attacks• Detailed Reports of Failed Logins• Source Of Failed Login Attempts• Locked Accounts Report

Incident Response

Incident Response Scenario #1• Law Firm With Dealings In China• Law Firm Was “Owned” More Than A Year• Access To Every Machine On Network• Thousands of “Responsive” Emails Obtained•“Privilege” Was Not Observed

Incident Response Scenario #2• VP of Finance Promoted to CFO • Attack on the “Weakest” Link

AV Will Save Us!!

Incident Response Scenario #3

http://mail.hfmforum.com/microsoftupdate/getupdate/default.aspx

How SIEMs Would Have Helped• Accounts Enabled • Services Created• Firewall Changes• Data Exfiltration• Network Communications• Incident Response Costs

Choosing A SIEM• Not a Replacement for Security Engineers• Must Support Disparate Devices (Agentless)• Don’t Plan To Monitor? DON’T BOTHER

Deploying a SIEM• Architecture Options • Tuning Out The “Noise”

SIEM Option$• OutSourced Options• SecureWorks• High-Cost• ArcSight, Q1 Labs Radar, RSA, Tripwire•Lower-Cost• Q1 Labs FE, TriGEO, Splunk• No-Cost• OSSIM• OSSEC

Summary• You Must Anticipate Today’s Threats• SIEMs Are Extremely Valuable• SIEMs Are Not A Silver Bullet

Questions?

Bill DeanDirector of Computer Forensics

Sword & Shield Enterprise Security Inc.

bdean@swordshield.comhttp://www.twitter.com/

BillDeanCCE