Upload
anton-chuvakin
View
15.859
Download
1
Tags:
Embed Size (px)
Citation preview
Something Fun About Using SIEM and Not Failing
or Only Failing Non-Miserably or Not-Too-Miserably
Dr. Anton Chuvakin
@anton_chuvakin
SecurityWarrior LLCwww.securitywarriorconsulting.com
Security BSides SF 2011 @ RSA 2011
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
About Anton: SIEM Builder and User
• Former employee of SIEM and log management vendors
• Now consulting for SIEM vendors and SIEM users
• SANS Log Management SEC434 class author
• Author, speaker, blogger, podcaster (on logs, naturally )
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
NEWSFLASH!! New Phobia Found!
“Over the past month, I have come across this fear of ownership of the SIEM. Are that many people afraid to “own” the application?” (source: siemninja.com)
Fear of SIEM = fear of complexity?
Let’s try to find out!
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
Outline
• Quickly: SIEM Defined• SIEM done “right”?• SIEM Pitfalls and Challenges• Useful SIEM Practices• Painful Worst Practices• Conclusions
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
SIEM?
Security Information and Event Management!
(sometimes: SIM or SEM)
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
SIEM vs Log Management
SIEM:
Security Information
and Event Management
Focus on security use of logs and other data
LM:
Log Management
Focus on all uses for logs
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
What SIEM MUST Have?
1. Log and Context Data Collection
2. Normalization
3. Correlation (“SEM”)
4. Notification/alerting (“SEM”)
5. Prioritization (“SEM”)
6. Reporting and report delivery (“SIM”)
7. Security role workflow (IR, SOC, etc)
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
SIEM Evolution
• 1996-2002 IDS and Firewall– Worms, alert overflow, etc– Sold as “SOC in the box”
• 2003 – 2007 Above + Server + Context – PCI DSS, SOX, users– Sold as “SOC in the box”++
• 2008+ Above + Applications + …– Fraud, insiders, cybercrime– Sold as “SOC in the box”+++++
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
What do we know about SIEM?
Ties to many technologies, analyzes data, requires process around it, overhyped
What does it actually mean?
Many people think “SIEM is complex”
Thinking Aloud Here…
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
I will tell you how to do SIEM
RIGHT!
Useless Consultant Advice Alert!!
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
The Right Way to SIEM
1. Figure out what problems you want to solve with SIEM
2. Confirm that SIEM is the best way to solve them
3. Define and analyze use cases
4. Create requirements for a tool
5. Choose scope for SIEM coverage
6. Assess data volume
7. Perform product research
8. Create a tool shortlist
9. Pilot top 2-3 products
10. Test the products for features, usability and scalability vs requirements
11. Select a product for deployment
12. Update or create procedures, IR plans, etc
13. Deploy the tool (phase 1)
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
The Popular Way to SIEM
1. Buy a SIEM appliance
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
Got Difference?
What people WANT to know and have before they deploy a SIEM?
What people NEED to know and have before they deploy a SIEM?
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
Got SIEM?Have you inherited it?
Now what?
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
Popular #SIEM_FAIL
… in partial answer to “why people think SIEM sucks?”
1. Misplaced expectations (“SOC-in-a-box”)
2. Missing requirements (“SIEM…huh?”)
3. Wrong project sizing
4. Political challenges with integration
5. Lack of commitment
6. Vendor deception (*)
7. And only then: product not working
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
One Way to NOT Fail
1.Goals and requirements
2.Functionality / features
3.Scoping of data collection
4.Sizing
5.Architecting
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
What is a “Best Practice”?
• A process or practice that–The leaders in the field
are doing today–Generally leads to useful
results with cost effectiveness
P.S. If you still hate it – say
“useful practices”
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
BP1 LM before SIEM!
If you remember one thing from this, let it be:
Deploy Log Management BEFORE SIEM!
Q: Why do you think MOST 1990s SIEM deployments FAILED?
A: There was no log management!
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
Graduating from LM to SIEM
Are you ready? Well, do you have…
1. Response capability and process– Prepared to response to alerts
2. Monitoring capability– Has an operational process to monitor
3. Tuning and customization ability– Can customize the tools and content
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
SIEM/LM Maturity Curve
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
BP2 Evolving Your SIEM
Steps of a journey …
1. Establish response process
2. Deploy a SIEM
3. Think “use cases”
4. Start filtering logs from LM to SIEM– Phases: features and information sources
Prepare for the initial increase in workload
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
Example LM->SIEM Filtering
3D: Devices / Network topology / Events• Devices: NIDS/NIPS, WAF, servers• Network: DMZ, payment network, other
“key domains”• Events: authentication, outbound firewall
access, IPS
Later: proxies, more firewall data, web servers
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
“Quick Wins” for Phased Approach
Phased
approach #1• Collect problems• Plan architecture• Start collecting• Start reviewing• Solve problem 1• Solve problem n
Phased
approach #2• Focus on 1 problem• Plan architecture• Start collecting• Start reviewing• Solve problem 1• Plan again
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
BP3 Expanding SIEM Use
First step, next BABY steps!
1. Compliance monitoring often first
2. “Traditional” SIEM uses– Authentication tracking– IPS/IDS + firewall correlation– Web application hacking
3. Your simple use cases – What problems do YOU want solved?
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
Best Reports? SANS Top 7
DRAFT “SANS Top 7 Log Reports”
1. Authentication
2. Changes
3. Network activity
4. Resource access
5. Malware activity
6. Failures
7. Analytic reports
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
Best Correlation Rules? Nada
• Vendor default rules?• IDS/IPS + vulnerability
scan?
Anton fave rules:
1. Authentication
2. Outbound access
3. Safeguard failure?
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
Example SIEM Use Case
Cross-system authentication tracking• Scope: all systems with authentication • Purpose: detect unauthorized access to
systems• Method: track login failures and successes• Rule details: multiple login failures followed
by login success• Response plan: user account investigation,
suspension, communication with suspect user
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
On SIEM Resourcing
NEWSFLASH! SIEM costs money.But …
Or…
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
“Hard” Costs - Money
• Initial– SIEM license, hardware, 3rd party software– Deployment service
• Ongoing– Support and ongoing services– Operations personnel (0.5 - any FTEs)
• Periodic– Vendor services– Specialty personnel (DBA, sysadmin)– Deployment expansion costs
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
“Soft” Costs - Time
• Initial– Deployment time– Log source configuration and integration– Initial tuning, content creation
• Ongoing– Report review– Alert response and escalation
• Periodic– Tuning– Expansion: same as initial
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
What is a “Worst Practice”?
• As opposed to the “best practice” it is …–What the losers in the
field are doing today–A practice that generally
leads to disastrous results, despite its popularity
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
WP for SIEM Planning
• WP1: Skip this step altogether – just buy something– “John said that we need a correlation engine”– “I know this guy who sells log management tools”
• WP2: Postpone scope until after the purchase– “The vendor says ‘it scales’ so we will just feed ALL
our logs”– Windows, Linux, i5/OS, OS/390, Cisco – send’em
in!
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
Case Study: “We Use’em All”
At SANS Log Management Summit 200X…• Vendors X, Y and Z claim “Big Finance” as
a customer• How can that be?• Well, different teams purchased different
products …• About $2.3m wasted on tools
that do the same!
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
WPs for Deployment
• WP3: Expect The Vendor To Write Your Logging Policy OR Ignore Vendor Recommendations– “Tell us what we need – tell us what you have”
forever…• WP4: Unpack the boxes and go!
– “Coordinating with network and system folks is for cowards!”
– Do you know why LM projects take months sometimes?
• WP5: Don’t prepare the infrastructure – “Time synchronization? Pah, who needs it”
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
More Quick SIEM TipsCost countless sleepless night and boatloads
of pain….• No SIEM before IR plans/procedures• No SIEM before basic log management • Think "quick wins", not "OMG ...that SIEM
boondoggle"• Tech matters! But practices matter more• Things will get worse before better.
Invest time before collecting value!
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
Tip: When To AVOID A SIEM
In some cases, the best “SIEM strategy” is NOT to buy one:
1. Log retention focus
2. Investigation focus (log search)
If you only plan to look BACKWARDS – no need for a SIEM!
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
Conclusions
• SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required
• FOCUS on what problems you are trying to solve with SIEM: requirements!
• Phased approach WITH “quick wins” is the easiest way to go
• Operationalize!!!
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
Secret to SIEM Magic!
“Operationalizing” SIEM(e.g. SOC building)
Deployment Service
SIEM Software/Appliance
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
And If You Only …
… learn one thing from this….
… then let it be….
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements
Requirements
Requirements
Requirements
Requirvements
Requirements
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
Questions?
Dr. Anton Chuvakin
Email: [email protected]
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
Twitter: @anton_chuvakin
Consulting: http://www.securitywarriorconsulting.com
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
More Resources
• Blog: www.securitywarrior.org• Podcast: look for “LogChat” on iTunes• Slides: http://www.slideshare.net/anton_chuvakin
• Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin
• Consulting: http://www.securitywarriorconsulting.com/
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
More on Anton
• Consultant: http://www.securitywarriorconsulting.com • Book author: “Security Warrior”, “PCI Compliance”,
“Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
• Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
• Standard developer: CEE, CVSS, OVAL, etc• Community role: SANS, Honeynet Project, WASC, CSI,
ISSA, OSSTMM, InfraGard, ISSA, others• Past roles: Researcher, Security Analyst, Strategist,
Evangelist, Product Manager
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
Security Warrior Consulting Services• Logging and log management / SIEM strategy, procedures and practices
– Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
– Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
– Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
– Help integrate logging tools and processes into IT and business operations• SIEM and log management content development
– Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
– Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
Others at www.SecurityWarriorConsulting.com
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
Security Warrior Consulting Services• Logging and log management / SIEM strategy, procedures and practices
– Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
– Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
– Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
– Help integrate logging tools and processes into IT and business operations• SIEM and log management content development
– Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
– Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
Others at www.SecurityWarriorConsulting.com