
Page 1: Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin

Making Log Data Useful: SIEM and Log Management Together

Dr. Anton Chuvakin

Security Warrior Consulting

www.securitywarriorconsulting.com

April 2010

Page 2

Security Warrior Consulting
www.securitywarriorconsulting.com

Dr. Anton Chuvakin

Outline

• Security Information and Event Management vs/with Log Management
• Graduating from LM to SIEM
• SIEM and LM “best practices”
• First steps with SIEM
• Using SIEM and LM together
• Conclusions

Page 3

SIEM vs LM

SIEM = SECURITY information and event management

vs

LM = LOG management

Page 4

What MUST a SIEM Have?

1. Log and Context Data Collection

2. Normalization

3. Correlation (“SEM”)

4. Notification/alerting (“SEM”)

5. Prioritization (“SEM”)

6. Reporting (“SIM”)

7. Security role workflow

Page 5

What MUST LM Have?

1. Broad Scope Log Data Collection

2. Efficient Log Data Retention

3. Searching Across All Data

4. Broad Use Log Reporting

5. Scalable Operation: Collection, Retention, Searching, Reporting

Page 6

Graduating from LM to SIEM

Are you ready? Well, do you have…

1. Response capability
– Prepared to respond to alerts

2. Monitoring capability
– Has an operational process to monitor

3. Tuning and customization ability
– Can customize the tools and content

Page 7

How to “Graduate”?

Just like college… Graduation tips:
• Satisfy the graduation criteria
• Use an LM vendor that has a good SIEM
• Deploy LM and use it operationally
– Periodic log reviews = first step to monitoring
• Look for integrated capability

Page 8

What is a “Best Practice”?

• A process or practice that
– The leaders in the field are doing today
– Generally leads to useful results with cost effectiveness

Page 9

BP1 LM before SIEM!

If you remember one thing from this, let it be:

Deploy Log Management BEFORE SIEM!

Q: Why do you think MOST 1990s SIEM deployments FAILED?

A: There was no log management!

Page 10

Example Scenario

• A mid-size regional bank deploys log management
– Compliance, fraud tracking, user activity audit
• Use the tool on incidents only, at first
• Start checking reports once in a while
• Establish a log review process
• In two years, gets a SIEM to automate it!

Page 11

BP2 Evolving to SIEM

Steps of a journey
• Establish response process
• Deploy a SIEM
• Think “use cases”
• Start filtering logs from LM to SIEM
– Phases!
• Prepare for the initial increase in workload

Page 12

Example LM->SIEM Filtering

3D: Devices / Network topology / Events
• Devices: NIDS/NIPS, WAF, servers
• Network: DMZ, payment network (PCI scope), other “key domains”
• Events: authentication, outbound firewall access

Later: proxies, more firewall data, web servers

Page 13

BP3 SIEM First Steps

First step = BABY steps!
• Compliance monitoring
• “Traditional” SIEM uses
– Authentication tracking
– IPS/IDS + firewall correlation
– Web application hacking
• Simple use cases – based on your risk

What problems do YOU want solved?

Page 14

Example SIEM Use Case

Cross-system authentication tracking
• Scope: all systems with authentication (!)
• Purpose: detect unauthorized access to systems
• Method: track login failures and successes
• Rule details: multiple login failures followed by login success
• Response plan: user account investigation, suspension, communication with suspect user

Page 15

SIEM + LM Integrated Use

• Correlated SIEM alert is generated
– Database server login guessing

• Key information is shown
– Account guessed, time, source

• Context information is pulled from LM
– What happened with this user before?
– What else did the source do?
– What other logs were produced on the server?
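The last three slides describe one pipeline: LM retains everything, a phased 3D filter forwards a subset to the SIEM, a correlation rule (multiple login failures followed by a success) raises the alert, and the analyst pulls context back out of the full LM store. The script below carries that pipeline through end to end. It is an added example, not code from the deck or from any SIEM or LM product; the log lines, hostnames, the asset inventory, the phase definitions and the 3-failures-in-5-minutes threshold are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). The LM store retains all of
# them; only the subset passing the LM->SIEM filter reaches correlation.
RAW_LOGS = """\
2010-04-05T08:30:00 websrv02 sshd: Accepted password for appadmin from 10.1.7.8
2010-04-05T08:55:00 fw01 kernel: ACCEPT OUT src=10.1.5.23 dst=198.51.100.9 dpt=443
2010-04-05T09:00:01 dbsrv01 sshd: Failed password for appadmin from 10.1.5.23
2010-04-05T09:00:04 dbsrv01 sshd: Failed password for appadmin from 10.1.5.23
2010-04-05T09:00:07 dbsrv01 sshd: Failed password for appadmin from 10.1.5.23
2010-04-05T09:00:09 dbsrv01 sshd: Failed password for appadmin from 10.1.5.23
2010-04-05T09:00:12 dbsrv01 sshd: Accepted password for appadmin from 10.1.5.23
2010-04-05T09:00:15 dbsrv01 sudo: appadmin : COMMAND=/bin/bash
2010-04-05T09:01:00 websrv02 sshd: Failed password for jsmith from 192.0.2.44
2010-04-05T09:02:00 websrv02 sshd: Accepted password for jsmith from 192.0.2.44
2010-04-05T09:03:00 printsrv sshd: Failed password for guest from 10.9.9.9
"""

# Hypothetical asset inventory: host -> (device class, network zone).
ASSETS = {
    "dbsrv01": ("server", "payment"),   # PCI scope
    "websrv02": ("server", "dmz"),
    "fw01": ("firewall", "dmz"),
    "printsrv": ("server", "office"),
}

# Phased 3D filter (devices / network / events). Phase 1 is the slide's
# starting set; phase 2 widens it the way the slide's "Later" line suggests.
PHASES = {
    1: {"devices": {"server", "firewall", "nids", "waf"},
        "zones": {"payment", "dmz"},
        "types": {"auth_failure", "auth_success", "fw_outbound"}},
    2: {"devices": {"server", "firewall", "nids", "waf", "proxy"},
        "zones": {"payment", "dmz", "office"},
        "types": {"auth_failure", "auth_success", "fw_outbound", "privilege_use"}},
}

AUTH_RE = re.compile(r"sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"sudo: (?P<user>\S+) : COMMAND=(?P<cmd>.+)")
FW_RE = re.compile(r"kernel: (?P<action>ACCEPT|DROP) OUT src=(?P<src>\S+) dst=(?P<dst>\S+)")


def normalize(line):
    """Normalization: map one raw line onto a common event schema."""
    ts, host, rest = line.split(" ", 2)
    device, zone = ASSETS.get(host, ("unknown", "unknown"))
    event = {"ts": datetime.fromisoformat(ts), "host": host, "device": device,
             "zone": zone, "type": "other", "user": None, "src": None, "raw": line}
    if m := AUTH_RE.search(rest):
        event.update(type="auth_failure" if m["result"] == "Failed" else "auth_success",
                     user=m["user"], src=m["src"])
    elif m := SUDO_RE.search(rest):
        event.update(type="privilege_use", user=m["user"])
    elif m := FW_RE.search(rest):
        event.update(type="fw_outbound", src=m["src"])
    return event


def load_lm(raw):
    """Log management: collect and retain everything, in time order."""
    return sorted((normalize(l) for l in raw.splitlines() if l.strip()),
                  key=lambda e: e["ts"])


def forward_to_siem(events, phase=1):
    """LM -> SIEM filter: an event must match all three dimensions of the phase."""
    p = PHASES[phase]
    return [e for e in events
            if e["device"] in p["devices"] and e["zone"] in p["zones"] and e["type"] in p["types"]]


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Use-case rule: >= threshold login failures followed by a success for the
    same host, account and source inside the window."""
    failures = {}   # (host, user, src) -> timestamps of recent failures
    alerts = []
    for e in events:
        if e["type"] not in ("auth_failure", "auth_success"):
            continue
        key = (e["host"], e["user"], e["src"])
        recent = [t for t in failures.get(key, []) if e["ts"] - t <= window]
        if e["type"] == "auth_failure":
            failures[key] = recent + [e["ts"]]
            continue
        if len(recent) >= threshold:
            alerts.append({"rule": "login guessing followed by success",
                           "host": e["host"], "user": e["user"], "src": e["src"],
                           "failures": len(recent), "first_failure": recent[0], "time": e["ts"]})
        failures.pop(key, None)   # a success closes the sequence either way
    return alerts


def lm_context(lm_events, alert):
    """Answer the slide's three context questions from the full LM store, not the SIEM feed."""
    def is_alert_event(e):
        return e["host"] == alert["host"] and e["src"] == alert["src"] and e["type"].startswith("auth_")
    return {
        "user_before": [e for e in lm_events if e["user"] == alert["user"] and e["ts"] < alert["first_failure"]],
        "source_other": [e for e in lm_events if e["src"] == alert["src"] and not is_alert_event(e)],
        "server_other": [e for e in lm_events if e["host"] == alert["host"] and not is_alert_event(e)],
    }


def run(raw=RAW_LOGS, phase=1):
    lm = load_lm(raw)
    feed = forward_to_siem(lm, phase)
    return lm, feed, [(a, lm_context(lm, a)) for a in correlate(feed)]


if __name__ == "__main__":
    lm, feed, results = run()
    print(f"LM retained {len(lm)} events, {len(feed)} forwarded to SIEM, {len(results)} alert(s)")
    for alert, ctx in results:
        print(alert["rule"], alert["user"], alert["src"], alert["time"])
        for k, evs in ctx.items():
            print(f"  {k}: {[e['raw'] for e in evs]}")
```

Two design points worth noticing: the `sudo` event never reaches the phase-1 SIEM feed, yet it is exactly what the analyst needs to see after the alert, which is why context comes from LM rather than from the SIEM's own filtered data; and the single `jsmith` failure on the same feed produces no alert, because the rule keys on a sequence (failures then success) rather than on any failure at all.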

Page 16

Eventually: SIEM Usage Scenarios

1. Security Operations Center (SOC)
– RT views, analysts 24/7, chase alerts

2. Mini-SOC / “morning after”
– Delayed views, analysts 1/24, review and drill-down

3. “Automated SOC” / alert + investigate
– Configure and forget, investigate alerts

4. Compliance status reporting
– Review reports/views weekly/monthly

Page 17

Conclusions

• Everybody has logs -> needs to deal with them -> needs LOG MANAGEMENT!
• Deploy LM before SIEM
– Then decide whether and when you need SIEM
• Operationalize Log Management first, use it “early and often”
• Start with SIEM slowly and only for tangible, solvable problems!

Page 18

Secret to SIEM Magic!

“Operationalizing” SIEM (e.g. SOC building)

Deployment Service

SIEM Software/Appliance

Page 19

Questions

Dr. Anton Chuvakin

Email: [email protected]

Google Voice: 510-771-7106

Site: http://www.chuvakin.org

Blog: http://www.securitywarrior.org

LinkedIn: http://www.linkedin.com/in/chuvakin

Consulting: www.securitywarriorconsulting.com

Twitter: @anton_chuvakin

Page 20

More on Anton

• Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
• Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
• Standard developer: CEE, CVSS, OVAL, etc.
• Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
• Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager, Consultant

Page 21

Security Warrior Consulting Services

• Logging and log management strategy, procedures and practices
– Develop logging policies and processes, log review procedures, workflows and periodic tasks, as well as help architect those to solve organization problems
– Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration, as well as reporting, review and validation
– Customize industry “best practices” related to logging and log review to fit your environment; help link these practices to business services and regulations
– Help integrate logging tools and processes into IT and business operations

• SIEM and log management content development
– Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
– Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations

More at www.SecurityWarriorConsulting.com