SIEM Best Practice

1. S.Periyakaruppan

2.  Introduction
 Types of SIEM
 SIEM Vs SEM Vs SIM
 Life Cycle
 High level architecture
 Low level design
 Key Requirements
 Security Log analysis
 Security Log monitoring
 NIST Guidelines

3. SIEM ??  Security Information and event management (Refers the process of
centralized security log management with analysis, reporting and alerting function)
Security Information  An event or a record related to security devices or an event
belongs to security of the IT systems or devices
Security event  A occurrence or activity in the system related to security

4. Introduction - contd
Why SIEM ???
To improve log analysis
To support Incident analysis
To improve incident response
To support forensic investigations
To support regulatory compliance
To support internal process adherence and audit requirements

5. Introduction - contd
Why Log Management is important ???
To generate logs for what is worth
To support operation maintenance & Troubleshooting
To transmit filtered logs in a secured fashion
To what and how long logs should be stored  Log retention
To store logs for appropriate, in a secured fashion
To ensure relevant security metrics as triggered appropriate logs
To enhance the threat discovery

6. SIEM vs SIM vs SEM
SIM,SIEM &SEM are often interchange for its meaning…..
Are they same ?????
SEM  real-time monitoring and event management to support IT security operations.
SEM requires several capabilities  event and data collection, aggregation and
correlation in near real time; a dynamic monitoring/security event console for viewing
and managing events; and automated response generation for security events.
SIM  historical analysis and reporting for security event data. This requires event and
data collection/correlation (but not in real time), an indexed repository for log data and
flexible query and reporting capabilities.
SIEM = SIM+SEM

7. SIEM
Agent based Plug and
collection Play
Special software need to End system can be
collect logs pushed logs to SIEM or
Collection/Filtering/Aggreg SIEM can pull logs from log
ation/Normalization sources
happened in agent Collection/Filtering/Aggreg
Implementation challenges ation/Normalization
due to different agents happened in SIEM 
required to process different Performance impact
formats Near or Near real time
Near or Near real time logs
logs

8. SIEM&LM – Life-cycle
Notify
Identify React
Analyze
Monitor
Collect Trigger

9. Key Requirements - SIEM

10. User interface
Log Sources
Ticketing
Log Collection Data Process Analysis system
LOG
Collection
s
E-mail system
Data
Managemen
Universal t Data Analysis
device Log Intelligent event
support storage/Thi and payload
Agent rd party inspection Console
collection storage Co-relation and
Log Normalizati Alerting
Consolidati on Base-line and
on/Compre Other Reporting engine
ssion Analytics Normalization
Other Analytics
SOC

11. Log Sources
Log
Attack Collection
Log Source
Agent Collection Analysis
Context E-mail
Data Info
Process Console
Filterin Normalizati Aggregati Correlatio Alert Ticketing
g on on n system
Repor
t
Storage

12. Log Analysis  Studying log entries to identify events of interest or
suppress log entries for insignificant events.
Correlation structure
Vulnerability
database & Historical events
Event correlation Alerts/reports
Security policy and observations
correlation
SMTP
SNMP
Behavior XML
Analysis Proprietar
Message y
Analysis
Statistical
Baseline of Analysis
multiple events
Structural Functional
Analysis Analysis

13. Critical Success factors - Security Log Analysis
Observe  Study the logs to filter unwanted noises and to
understand the very nature of the system
Brainstorm / Mining  Mining the logs leads to understand
beyond the level of good or bad. Read the logs to know the
behavior of the system in various situation
Understand the insight  The objective of the log trigger
may or may not be achieve its worthiness so we need to
understand the insight of the logs
Classify  Once you understand the insight you would be
able to classify the logs
Prioritize  The prioritization takes vital part of detection as
you might be miss a log due to poor prioritization

14. Security Log Monitoring - Approach
•Compliance
Map Requirements •Regulatory requirements
•Scenario of the event
Declare Use case •Appropriate reaction
• Appropriate criteria to understand the reality or the
Match Criteria degree of the occurrence
•Based on pre-defined procedure or incident nature
Declare Priority
•Alert the operations team to take action
Notify
•The logs should be monitored for recurrence
Post Incident review
•Closure should be captured in KB for future reference
Closure

15. Critical Success factors - Security Log Monitoring

16. NIST Guidelines  Security Log management
To establish and maintain successful log management infrastructures,
an organization should perform significant planning and other preparatory
actions for performing log management.
This is important for creating consistent, reliable, and efficient log management
practices that meet the organization’s needs and requirements and also
provide additional value
SECURITY IS PROCESS NOT PRODUCT !!!!!!!!!!!
http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92