So You Got That SIEM. NOW What Do You Do? Dr. Anton Chuvakin SecurityWarrior LLC www.securitywarriorconsulting.com

Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?


Page 1: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?

So You Got That SIEM.

NOW What Do You Do?

Dr. Anton Chuvakin

SecurityWarrior LLC

www.securitywarriorconsulting.com

Page 2

DIRE WARNING: This presentation does NOT mention PCI DSS… …oh wait

www.pcicompliancebook.info

Page 3

Outline

• Brief: What is SIEM?

• “You got it!”

• SIEM Pitfalls and Challenges

• Useful SIEM Practices

– From Deployment Onwards

• SIEM “Worst Practices”

• Replacing a SIEM and Other Tips

• Conclusions

Page 4

About Anton: SIEM Builder and User

• Former employee of SIEM and log management vendors

• Now consulting for SIEM vendors and SIEM users

• SANS Log Management SEC434 class author

• Author, speaker, blogger, podcaster (on logs, naturally)

Page 5

SIEM?

Security Information and Event Management!

(sometimes: SIM or SEM)

Page 6

SIEM and Log Management

SIEM: Security Information and Event Management – focus on security use of logs and other data

LM: Log Management – focus on all uses for logs

Page 7

What MUST a SIEM Have?

1. Log and Context Data Collection

2. Normalization

3. Correlation (“SEM”)

4. Notification/alerting (“SEM”)

5. Prioritization (“SEM”)

6. Reporting and report delivery (“SIM”)

7. Security role workflow (IR, SOC, etc)

Page 8

What SIEM Eats: Logs

<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2

<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ANTON Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574

<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006

<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
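The four records above say "somebody authenticated" in four unrelated formats (OpenSSH, Windows event 680, Cisco IOS, NetScreen), which is exactly why normalization is item 2 on the "What MUST a SIEM Have" list: correlation only works once every source has been mapped onto one schema. The Python below is an added example, not code from the deck or from any SIEM product. It parses these four sample records into a common authentication-event shape. The regexes cover the success wording shown on the slide plus the standard failure counterparts of the same messages (sshd "Failed", Windows "Success Audit", IOS LOGIN_FAILED); the NetScreen pattern only knows the success wording shown, and the choice to lower-case account names so that ANTON and anton compare equal is an assumption of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Raw records copied from the slide (wrapped lines re-joined). Four devices
# report a login in four unrelated formats; the SIEM needs a single schema.
RAW_LOGS = [
    "<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton "
    "from ::ffff:192.168.138.35 port 2895 ssh2",
    "<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit "
    "ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
    "Logon account: ANTON Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574",
    "<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:anton] "
    "[Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006",
    "<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp "
    "system-warning-00515: Admin User anton has logged on via Telnet from "
    "10.14.98.55:39073 (2002-12-17 15:50:53)",
]


@dataclass
class AuthEvent:
    """Normalized authentication event: the common schema the SIEM correlates on."""
    source_type: str   # which parser matched: sshd, windows, cisco_ios, netscreen
    user: str          # account name, lower-cased so ANTON and anton compare equal
    src: str           # client IP or workstation name as the device reported it
    outcome: str       # "success" or "failure"
    raw: str           # original record, kept for the investigator


# (source_type, pattern, outcome-from-match). Success verbs are the ones on the
# slide; the failure variants are the standard counterparts of those messages.
PARSERS = [
    ("sshd",
     re.compile(r"sshd\[\d+\]: (?P<verb>Accepted|Failed) \S+ for (?:invalid user )?"
                r"(?P<user>\S+) from (?P<src>\S+)"),
     lambda m: "success" if m["verb"] == "Accepted" else "failure"),
    ("windows",
     re.compile(r"\b680\b.*?(?P<verb>Success|Failure) Audit.*?Logon account:\s*"
                r"(?P<user>\S+)\s+Source Workstation:\s*(?P<src>\S+)"),
     lambda m: "success" if m["verb"] == "Success" else "failure"),
    ("cisco_ios",
     re.compile(r"%SEC_LOGIN-\d-(?P<verb>LOGIN_SUCCESS|LOGIN_FAILED):.*?"
                r"\[user:(?P<user>[^\]]+)\].*?\[Source:(?P<src>[^\]]+)\]"),
     lambda m: "success" if m["verb"] == "LOGIN_SUCCESS" else "failure"),
    ("netscreen",
     # Only the successful-logon wording from the slide is handled here.
     re.compile(r"Admin User (?P<user>\S+) has logged on .*? from (?P<src>[\d.]+)"),
     lambda m: "success"),
]


def normalize(raw: str) -> Optional[AuthEvent]:
    """Map one raw record onto AuthEvent, or None if no parser recognizes it."""
    for source_type, pattern, outcome_of in PARSERS:
        m = pattern.search(raw)
        if m:
            return AuthEvent(source_type, m["user"].lower(), m["src"], outcome_of(m), raw)
    # Unparsed records are not an error: log management still retains them,
    # and a growing "unparsed" count is itself a signal that content needs work.
    return None


def normalize_all(lines) -> List[AuthEvent]:
    """Normalize a batch of raw records, dropping the ones no parser recognizes."""
    return [ev for ev in (normalize(line) for line in lines) if ev is not None]


if __name__ == "__main__":
    for ev in normalize_all(RAW_LOGS):
        print(f"{ev.source_type:10} user={ev.user:6} src={ev.src:22} {ev.outcome}")
```

The useful by-product of this step for the cross-system authentication use case later in the deck is the common user/src/outcome triple: once every device's login message lands in that shape, a single rule can follow one account across all of them.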

Page 10

How SIEM Got Here!?

• 1996-2002 IDS and Firewall

– Worms, alert overflow, etc

– Sold as “SOC in the box”

• 2003 – 2007 Above + Server + Context

– PCI DSS, SOX, users

– Sold as “SOC in the box”++

• 2008+ Above + Applications + …

– Fraud, insiders, cybercrime

– Sold as “SOC in the box”+++++

Page 11

What do we know about SIEM?

Ties to many technologies, analyzes data, requires process around it, overhyped

What does it actually mean?

Many people think “SIEM is complex”

Thinking Aloud Here…

Page 12

I will tell you how to do SIEM RIGHT!

Useless Consultant Advice Alert!!

Page 13

The Right Way to SIEM

1. Figure out what problems you want to solve with SIEM

2. Confirm that SIEM is the best way to solve them

3. Define and analyze your use cases

4. Gather stakeholders and analyze their use cases

5. Research SIEM functionality

6. Create requirements for your tool, including process requirements

7. Choose scope for SIEM coverage (with phases)

8. Assess data volume over all Phase 1 log sources and plan ahead

9. Perform product research, vendor interviews, references, peer groups

10. Create a tool shortlist

11. Pilot top 2-3 products in your environment

12. Test the products for features, usability and scalability vs requirements

13. Select a product for deployment and #2 product for backup

14. Update or create procedures, IR plans, etc

15. Create SIEM operational procedures

16. Deploy the tool (phase 1)

Page 14

The Popular Way to SIEM…

1. Buy a SIEM appliance

Page 15

… Backed by Online “Research”

Page 16

Got Difference?

What people WANT to know and have before they deploy a SIEM?

What people NEED to know and have before they deploy a SIEM?

Page 17

Got SIEM? Have you inherited it?

Now what?

Page 18

Popular #SIEM_FAIL

… in descending order by frequency:

1. Misplaced expectations (“SOC-in-a-box”)

2. Missing requirements (“SIEM…huh?”)

3. Wrong project sizing

4. Political challenges with integration

5. Vendor deception

6. And only then: product not working

Page 19

What is a “Best Practice”?

• A process or practice that

– The leaders in the field are doing today

– Generally leads to useful results with cost effectiveness

P.S. If you still hate it – say “useful practices”

Page 20

BP0 How to Plan Your Project?

1. Goals and requirements (WHY)

2. Functionality / features (HOW)

3. Scope of data collection (WHAT)

4. Sizing (HOW MUCH)

5. Architecting (WHERE)

Page 21

BP1 LM before SIEM!

If you remember one thing from this, let it be:

Deploy Log Management BEFORE SIEM!

Q: Why do you think MOST 1990s SIEM deployments FAILED?

A: There was no log management!

Page 22

SIEM/LM Maturity Curve

Page 23

Graduating from LM to SIEM

Are you ready? Well, do you have…

1. Response capability and process

– Prepared to respond to alerts

2. Monitoring capability

– Has an operational process to monitor

3. Tuning and customization ability

– Can customize the tools and content

Page 24

BP2 Initial SIEM Use

Steps of a journey …

1. Establish response process

2. Deploy a SIEM

3. Think “use cases”

4. Start filtering logs from LM to SIEM

– Phases: features and information sources

Prepare for the initial increase in workload

Page 25

Example LM->SIEM Filtering

3D: Devices / Network topology / Events

• Devices: NIDS/NIPS, WAF, servers

• Network: DMZ, payment network, other “key domains”

• Events: authentication, outbound firewall access, IPS

Later: proxies, more firewall data, web servers

Page 26

BP3 Expanding SIEM Use

First step, next BABY steps!

1. Compliance monitoring often first

2. “Traditional” SIEM uses

– Authentication tracking

– IPS/IDS + firewall correlation

– Web application hacking

3. Your simple use cases

– What problems do YOU want solved?

Page 27

Example: Use Case

Example: cross-system authentication tracking

• Scope: all systems with authentication

• Purpose: detect unauthorized access to systems

• Method: track login failures and successes

• Rule details: multiple login failures followed by login success

• Response plan: user account investigation, suspension, communication with suspect user
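The rule on this slide, multiple login failures followed by a login success for the same account, is the textbook SIEM correlation, and it is worth seeing what the words "multiple" and "followed by" turn into once written down: a threshold, a time window, and a decision about what resets the streak. The Python below is an added illustration, not code from the deck or from any product. It runs the rule over events that have already been normalized into a user/src/outcome schema (as the SIEM's normalization stage would produce); the event schema, the default threshold of 3 failures within 10 minutes, the host names used as reporting systems and the sample feed are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Iterable, List


@dataclass
class AuthEvent:
    """Already-normalized login event (the SIEM's common schema)."""
    ts: datetime
    system: str    # reporting system, e.g. a hostname
    user: str      # account name, lower-cased
    src: str       # client address
    outcome: str   # "success" or "failure"


@dataclass
class Alert:
    """What the responder gets: enough context to start the account investigation."""
    user: str
    failure_count: int
    failure_systems: List[str]
    failure_sources: List[str]
    success_system: str
    success_src: str
    first_failure: datetime
    success_at: datetime


def failures_then_success(events: Iterable[AuthEvent],
                          threshold: int = 3,
                          window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """Rule from the slide: multiple login failures followed by a login
    success for the same account, regardless of which systems reported them.

    threshold: minimum failures that must precede the success.
    window:    failures older than this (relative to the current event) expire.
    """
    pending: Dict[str, Deque[AuthEvent]] = defaultdict(deque)
    alerts: List[Alert] = []
    # Correlation is order-dependent, so sort by timestamp. This is exactly
    # where unsynchronized clocks across log sources break the rule.
    for ev in sorted(events, key=lambda e: e.ts):
        streak = pending[ev.user]
        while streak and ev.ts - streak[0].ts > window:
            streak.popleft()          # expire failures that fell out of the window
        if ev.outcome == "failure":
            streak.append(ev)
        elif ev.outcome == "success":
            if len(streak) >= threshold:
                alerts.append(Alert(
                    user=ev.user,
                    failure_count=len(streak),
                    failure_systems=sorted({f.system for f in streak}),
                    failure_sources=sorted({f.src for f in streak}),
                    success_system=ev.system,
                    success_src=ev.src,
                    first_failure=streak[0].ts,
                    success_at=ev.ts,
                ))
            streak.clear()            # a success ends the streak whether or not it alerted
    return alerts


# Constructed sample feed (not from the slide): one account is guessed at on
# two systems and then logs in elsewhere, one has a single typo, and one has
# failures that expired long before the eventual success.
T0 = datetime(2006, 3, 17, 14, 29, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    AuthEvent(T0 + timedelta(seconds=0),  "ENTERPRISE", "anton", "10.14.98.55", "failure"),
    AuthEvent(T0 + timedelta(seconds=20), "ENTERPRISE", "anton", "10.14.98.55", "failure"),
    AuthEvent(T0 + timedelta(seconds=40), "ns5xp",      "anton", "10.14.98.55", "failure"),
    AuthEvent(T0 + timedelta(seconds=60), "ns5xp",      "anton", "10.14.98.55", "failure"),
    AuthEvent(T0 + timedelta(seconds=90), "localhost",  "anton", "10.14.98.55", "success"),
    AuthEvent(T0 + timedelta(seconds=5),  "localhost",  "bob",   "192.168.1.20", "failure"),
    AuthEvent(T0 + timedelta(seconds=15), "localhost",  "bob",   "192.168.1.20", "success"),
    AuthEvent(T0 + timedelta(seconds=0),  "ENTERPRISE", "carol", "10.0.0.7", "failure"),
    AuthEvent(T0 + timedelta(seconds=30), "ENTERPRISE", "carol", "10.0.0.7", "failure"),
    AuthEvent(T0 + timedelta(seconds=60), "ENTERPRISE", "carol", "10.0.0.7", "failure"),
    AuthEvent(T0 + timedelta(minutes=25), "ENTERPRISE", "carol", "10.0.0.7", "success"),
]


def run_sample() -> List[Alert]:
    """Apply the rule with its default threshold and window to the sample feed."""
    return failures_then_success(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT user={a.user}: {a.failure_count} failures from {a.failure_sources} "
              f"on {a.failure_systems} between {a.first_failure:%H:%M:%S} and "
              f"{a.success_at:%H:%M:%S}, then success on {a.success_system}")
```

Two design points carry over to any real SIEM. The rule sorts by timestamp, so time synchronization across log sources (the WP4 point later in the deck) is a prerequisite rather than a nicety: a device whose clock is ten minutes off silently moves its failures out of the window. And the threshold and window are the tuning knobs the deck's "tuning and customization ability" refers to; the same rule with a one-hour window also fires on the slow-and-patient account in the sample, which is a decision the response team, not the vendor default, should make.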

Page 28

“Quick Wins” for Phased Approach

Phased approach #1

• Collect problems

• Plan architecture

• Start collecting

• Start reviewing

• Solve problem 1

• Solve problem n

Phased approach #2

• Focus on 1 problem

• Plan architecture

• Start collecting

• Start reviewing

• Solve problem 1

• Plan again

Page 29

10 minutes or 10 months?

Our log management appliance can be racked, configured and collecting logs in 10 minutes

A typical large customer takes 10 months to deploy a log management architecture based on our technology

?

Page 30

What is a “Worst Practice”?

• As opposed to the “best practice” it is …

– What the losers in the field are doing today

– A practice that generally leads to disastrous results, despite its popularity

Page 31

WP for SIEM Planning

• WP1: Skip this step altogether – just buy something

– “John said that we need a correlation engine”

– “I know this guy who sells log management tools”

• WP2: Postpone scope until after the purchase

– “The vendor says ‘it scales’ so we will just feed ALL our logs”

– Windows, Linux, i5/OS, OS/390, Cisco – send ’em in!

Page 32

Case Study: “We Use ’em All”

At SANS Log Management Summit …

• Vendors X, Y and Z claim “Big Finance” as a customer

• How can that be?

• Well, different teams purchased different products …

• About $2.3m wasted on tools that do the same!

Page 33

WPs for Deployment

• WP3: Expect The Vendor To Write Your Logging Policy OR Ignore Vendor Recommendations

– “Tell us what we need – tell us what you have” forever…

• WP4: Don’t prepare the infrastructure

– “Time synchronization? Pah, who needs it”

Page 34

Misc Useful SIEM Tips

Page 35

On SIEM Resourcing

NEWSFLASH! SIEM costs money.

But …

Or…

Page 36

“Hard” Costs - Money

• Initial

– SIEM license, hardware, 3rd party software

– Deployment and integration services

• Ongoing

– Support and ongoing services

– Operations personnel (0.5 - any FTEs)

• Periodic

– Vendor services

– Specialty personnel (DBA, sysadmin)

– Deployment expansion costs

Page 37

“Soft” Costs - Time

• Initial

– Deployment time

– Log source configuration and integration (BIG!)

– Initial tuning, content creation

• Ongoing

– Report and log review

– Alert response and escalation

• Periodic

– Tuning and content creation

– Expansion: same as initial

Page 38

Secret to SIEM Magic!

“Operationalizing” SIEM (e.g. SOC building)

Deployment Service

SIEM Software/Appliance

Page 39

On Replacing a SIEM

Page 40

How to Do It?

1. Prepare to run both products for some time

2. Draft the new vendor to help you migrate the data

3. Be prepared to keep the old SIEM or keep the data backups

4. BIG! Migrate SIEM content: reports, rules, views, alerts, etc

Page 41

Tip: When To AVOID A SIEM

In some cases, the best “SIEM strategy” is NOT to buy one:

1. Log retention focus

2. Investigation focus (log search)

If you only plan to look BACKWARDS – no need for a SIEM!

Page 42

Conclusions

• SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required

• FOCUS on what problems you are trying to solve with SIEM: requirements!

• Phased approach WITH “quick wins” is the easiest way to go

• Operationalize!!!

Page 43

SIEM Reminders

Cost countless sleepless nights and boatloads of pain…

• No SIEM before IR plans/procedures

• No SIEM before basic log management

• Think "quick wins", not "OMG ...that SIEM boondoggle"

• Tech matters! But practices matter more

• Things will get worse before better. Invest time before collecting value!

Page 44

And If You Only …

… learn one thing from this….

… then let it be….

Page 45

Requirements! Requirements! Requirements!

Page 46

Questions?

Dr. Anton Chuvakin

Email: [email protected]

Site: http://www.chuvakin.org

Blog: http://www.securitywarrior.org

Twitter: @anton_chuvakin

Consulting: http://www.securitywarriorconsulting.com

Page 47

More Resources

• Blog: www.securitywarrior.org

• Podcast: look for “LogChat” on iTunes

• Slides: http://www.slideshare.net/anton_chuvakin

• Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin

• Consulting: http://www.securitywarriorconsulting.com/

Page 48

More on Anton

• Consultant: http://www.securitywarriorconsulting.com

• Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc

• Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide

• Standard developer: CEE, CVSS, OVAL, etc

• Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others

• Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

Page 49

Security Warrior Consulting Services

• Logging and log management / SIEM strategy, procedures and practices

– Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems

– Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation

– Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations

– Help integrate logging tools and processes into IT and business operations

• SIEM and log management content development

– Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs

– Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations

Others at www.SecurityWarriorConsulting.com

Page 50

Misc Resource Slides

Page 51

Best Reports? SANS Top 7

DRAFT “SANS Top 7 Log Reports”

1. Authentication

2. Changes

3. Network activity

4. Resource access

5. Malware activity

6. Failures

7. Analytic reports

Page 52

Best Correlation Rules? Nada

• Vendor default rules?

• IDS/IPS + vulnerability scan?

Anton fave rules:

1. Authentication

2. Outbound access

3. Safeguard failure