Got SIEM? Now what? Getting SIEM Work For You

Got SIEM?
Now what?
Making SIEM work for you
Dr. Anton Chuvakin
Security Warrior Consulting
www.securitywarriorconsulting.com
SANS @ Night, San Francisco 2010

Dr. Anton Chuvakin
Outline
• Brief: What is SIEM/LM?
• “You got it!”
• SIEM Pitfalls and Challenges
• Useful SIEM Practices
– From Deployment Onwards
• SIEM “Worst Practices”
• Secret to SIEM Magic!
• Conclusions

Dr. Anton Chuvakin
About Anton
• Former employee of SIEM and log
management vendors
• Now consulting for SIEM vendors and
SIEM users
• SANS class author (SEC434 Log
Management)
• Author, speaker, blogger, podcaster (on
logs, naturally )

Dr. Anton Chuvakin
SIEM?
Security Information and Event
Management!
(sometimes: SIM or SEM)

Dr. Anton Chuvakin
Got SIEM?
Now what?

Dr. Anton Chuvakin
SIEM and Log Management
• SIEM:
Security Information
and Event Management
• Focus on security use
of logs and other data
LM:
Log Management
Focus on all uses
for logs

Dr. Anton Chuvakin
Why SO many people
think that “SIEM sucks?”

Dr. Anton Chuvakin
SIEM Evolution
• 1997-2002 IDS and Firewall
– Worms, alert overflow, etc
– Sold as “SOC in the box”
• 2003 – 2007 Above + Server + Context
– PCI DSS, SOX, users
– Sold as “SOC in the box”++
• 2008+ Above + Applications + …
– Fraud, activities, cybercrime
– Sold as “SOC in the box”+++++

Dr. Anton Chuvakin
What SIEM MUST Have?
1. Log and Context Data Collection
2. Normalization and categorization
3. Correlation (“SEM”)
4. Notification/alerting (“SEM”)
5. Prioritization (“SEM”)
6. Dashboards and visualization
7. Reporting and report delivery (“SIM”)
8. Security role workflow (IR, SOC, etc)

What SIEM Eats: Logs
<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton from
::ffff:192.168.138.35 port 2895 ssh2
<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit
ENTERPRISE Account Logon
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon
account: ANTON Source Workstation: ENTERPRISE Error Code: 0xC000006
A 4574
<57> Dec 25 00:04:32:%SEC_LOGIN-5-
LOGIN_SUCCESS:Login Success [user:anton]
[Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28
2006
<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-
warning-00515: Admin User anton has logged on via Telnet from
10.14.98.55:39073 (2002-12-17 15:50:53)

Dr. Anton Chuvakin
What SIEM Eats: Context
http://chuvakin.blogspot.com/2010/01/on-log-context.html

Dr. Anton Chuvakin
Just What Is “Correlation”?
• Dictionary: “establishing relationships”
• SIEM: “relate events together for security
benefit”
• Why correlate events?
• Automated cross-device data analysis!
• Simple correlation rule:
• If this, followed by that, take some action

Dr. Anton Chuvakin
Popular #SIEM_FAIL
… in partial answer to “why people think SIEM sucks?”
1. Misplaced expectations (“SOC-in-a-box”)
2. Missing requirements (“SIEM…huh?”)
3. Missed project sizing
4. Political challenges with integration
5. Lack of commitment
6. Vendor deception (*)
7. And only then: product not working 

Dr. Anton Chuvakin
Big 3 for SIEM/LM
Compliance
Security
SIEM
LM
Operations
Compliance
Security
Ops

Dr. Anton Chuvakin
In Reality …
Compliance budget
Security budget

Dr. Anton Chuvakin
SIEM Planning Areas
1.Goals and requirements
2.Functionality / features
3.Scoping of data collection
4.Sizing
5.Architecting
… in THAT order!

Dr. Anton Chuvakin
What is a “Best Practice”?
• A process or practice that
–The leaders in the field
are doing today
–Generally leads to useful
results with cost
effectiveness
P.S. If you still hate it – say
“useful practices”

Dr. Anton Chuvakin
BP1 LM before SIEM!
If you remember one thing from this, let it be:
Deploy Log Management
BEFORE SIEM!
Q: Why do you think MOST 1990s SIEM deployments
FAILED?
A: There was no log management! SEM alone is just not
that useful…

Dr. Anton Chuvakin
Graduating from LM to SIEM
Are you ready? Well, do you have…
1. Response capability
– Prepared to response to alerts
2. Monitoring capability
– Has an operational process to monitor
3. Tuning and customization ability
– Can customize the tools and content

Dr. Anton Chuvakin
SIEM/LM Maturity Curve

Dr. Anton Chuvakin
BP2 Evolving to SIEM
Steps of a journey …
• Establish response process
• Deploy a SIEM
• Think “use cases”
• Start filtering logs from LM to SIEM
– Phases!
• Prepare for the initial increase in workload

Dr. Anton Chuvakin
Example LM->SIEM Filtering
3D: Devices / Network topology / Events
• Devices: NIDS/NIPS, WAF, servers
• Network: DMZ, payment network (PCI
scope), other “key domains”
• Events: authentication, outbound firewall
access
Later: proxies, more firewall data, web
servers

Dr. Anton Chuvakin
“Complianc-y” Approach to SIEM
1. List regulations
2. Identify other “use cases”
3. Review whether SIEM/LM is needed
4. Map features to controls
5. Select and deploy
6. Operationalize regulations
7. Expand use

Dr. Anton Chuvakin
“Quick Wins” for Phased Approach
Phased
approach #1
• Collect problems
• Plan architecture
• Start collecting
• Start reviewing
• Solve problem 1
• Solve problem n
Phased
approach #2
• Focus on 1 problem
• Plan architecture
• Start collecting
• Start reviewing
• Solve problem 1
• Plan again

Dr. Anton Chuvakin
BP3 SIEM First Steps
First step = BABY steps!
• Compliance monitoring
• “Traditional” SIEM uses
– Authentication tracking
– IPS/IDS + firewall correlation
– Web application hacking
• Simple use cases
– based on your risks
What problems do YOU want solved?

Dr. Anton Chuvakin
Example SIEM Use Case
Cross-system authentication tracking
• Scope: all systems with authentication (!)
• Purpose: detect unauthorized access to
systems
• Method: track login failures and successes
• Rule details: multiple login failures followed
by login success
• Response plan: user account investigation,
suspension, communication with suspect user

Dr. Anton Chuvakin
10 minutes or 10 months?
Our log
management
appliance can
be racked,
configured and
collecting logs in
10 minutes
A typical large
customer takes
10 months to
deploy a log
management
architecture
based on our
technology
?

Dr. Anton Chuvakin
Secret to SIEM Magic!
“Operationalizing” SIEM
(e.g. SOC building)
Deployment Service
SIEM Software/Appliance

Dr. Anton Chuvakin
Ultimate SIEM Usage Scenarios
1. Security Operations Center (SOC)
– RT views, analysts 24/7, chase alerts
2. Mini-SOC / “morning after”
– Delayed views, analysts 1/24, review and
drill-down
3. “Automated SOC” / alert + investigate
– Configure and forget, investigate alerts
4. Compliance status reporting
– Review reports/views weekly/monthly

Dr. Anton Chuvakin
What is a “Worst Practice”?
• As opposed to the “best
practice” it is …
–What the losers in the
field are doing today
–A practice that generally
leads to disastrous
results, despite its
popularity

Dr. Anton Chuvakin
WP for SIEM Project scope
• WP1: Postpone scope until after the purchase
– “The vendor says ‘it scales’ so we will just feed
ALL our logs”
– Windows, Linux, i5/OS, OS/390, Cisco –
send’em in!
• WP2: Assume you will be the only user of the
tool
– “Steakholders”? What’s that? 
– Common consequence: two or more
simiilar tools are bought

Dr. Anton Chuvakin
Case Study: “We Use’em All”
At SANS Log Management Summit 200X…
• Vendors X, Y and Z claim “Big Finance” as
a customer
• How can that be?
• Well, different teams purchased different
products …
• About $2.3m wasted on tools
that do the same!

Dr. Anton Chuvakin
WPs for Deployment
• WP3: Expect The Vendor To Write Your Logging
Policy OR Ignore Vendor Recommendations
– “Tell us what we need – tell us what you have”
forever…
• WP4: Unpack the boxes and go!
– “Coordinating with network and system folks is
for cowards!”
– Do you know why LM projects take months
sometimes?
• WP5: Don’t prepare the infrastructure
– “Time synchronization? Pah, who needs it”
• WP6: Deploy Everywhere At Once
– “We need it everywhere!! Now!!”

Dr. Anton Chuvakin
Case Study: Shelfware Forever!
• Financial company gets a SIEM tool after many
months of “evaluations”
• Vendor SEs deploy it
• One year passes by
• A new CSO comes in; looks for what is deployed
• Finds a SIEM tool – which database contains
exactly 53 log records (!)
– It was never connected to a production
network…

Dr. Anton Chuvakin
WPs for Expanding Deployment
• WP7: Don’t Bother With A Product Owner
– “We all use it – we all run it (=nobody does)”
• WP8: Don’t Check For Changed Needs –
Just Buy More of the Same
– “We made the decision – why fuss over it?”
• WP9: If it works for 10, it will be OK for
10,000
– “1,10,100, …, 1 trillion –
they are just numbers”

Dr. Anton Chuvakin
Case Study: Today - Datacenter,
Tomorrow … Oops!
• Log management tool is tested and deployed
at two datacenters – with great success!
• PCI DSS comes in; scope is expanded to
wireless systems and POS branch servers
• The tool is prepared to be deployed in 410 (!)
more locations
• “Do you think it will work?” - “Suuuuure!”, says
the vendor
• Security director resigns …

Dr. Anton Chuvakin
More Quick SIEM Tips
Cost countless sleepless night and boatloads
of pain….
• No SIEM before IR plans/procedures
• No SIEM before basic log management
• Think "quick wins", not "OMG ...that SIEM
boondoggle"
• Tech matters! But practices matter more
• Things will get worse before better.
Invest time before collecting value!

Dr. Anton Chuvakin
SIEM Resourcing Voodoo
“Things get worse before they get better”
• Hardware – initial + growth
• Software license fees (CPU, device, EPS,
user, etc, etc)
• Support and integration projects
• Operations Personnel (analysts, developer)
• SIEM Administrator Personnel (SA, DBA,
application admin)

Dr. Anton Chuvakin
Conclusions
• SIEM will work and has value … but BOTH
initial and ongoing time/focus
commitment is required
• FOCUS on what problems you are trying
to solve with SIEM: requirements!
• Phased approach WITH “quick wins” is
the easiest way to go
• Operationalize!!!

Dr. Anton Chuvakin
And If You Only …
… learn one thing from this….
… then let it be….

Dr. Anton Chuvakin
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements
Requirements
Requirements
Requirements
Requirvements
Requirements

Dr. Anton Chuvakin
Questions?
Dr. Anton Chuvakin
Email: anton@chuvakin.org
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
Twitter: @anton_chuvakin
Consulting: http://www.securitywarriorconsulting.com

Dr. Anton Chuvakin
More Resources
• Blog: www.securitywarrior.org
• Podcast: look for “LogChat” on iTunes
• Slides: http://www.slideshare.net/anton_chuvakin
• Papers: www.info-secure.org and
http://www.docstoc.com/profile/anton1chuvakin
• Consulting: http://www.securitywarriorconsulting.com/

Dr. Anton Chuvakin
More on Anton
• Consultant: http://www.securitywarriorconsulting.com
• Book author: “Security Warrior”, “PCI Compliance”,
“Information Security Management Handbook”, “Know
Your Enemy II”, “Hacker’s Challenge 3”, etc
• Conference speaker: SANS, FIRST, GFIRST, ISSA,
CSI, RSA, Interop, many, many others worldwide
• Standard developer: CEE, CVSS, OVAL, etc
• Community role: SANS, Honeynet Project, WASC, CSI,
ISSA, OSSTMM, InfraGard, ISSA, others
• Past roles: Researcher, Security Analyst, Strategist,
Evangelist, Product Manager

Dr. Anton Chuvakin
Security Warrior Consulting Services
• Logging and log management strategy, procedures and practices
– Develop logging policies and processes, log review procedures, workflows and
periodic tasks as well as help architect those to solve organization problems
– Plan and implement log management architecture to support your business
cases; develop specific components such as log data collection, filtering,
aggregation, retention, log source configuration as well as reporting, review and
validation
– Customize industry “best practices” related to logging and log review to fit your
environment, help link these practices to business services and regulations
– Help integrate logging tools and processes into IT and business operations
• SIEM and log management content development
– Develop correlation rules, reports and other content to make your SIEM and log
management product more useful to you and more applicable to your risk profile
and compliance needs
– Create and refine policies, procedures and operational practices for logging
and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA
and other regulations
More at www.SecurityWarriorConsulting.com

Got SIEM? Now what? Getting SIEM Work For You

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Got SIEM? Now what? Getting SIEM Work For You

Similar to Got SIEM? Now what? Getting SIEM Work For You (20)

More from Anton Chuvakin

More from Anton Chuvakin (20)

Recently uploaded

Recently uploaded (20)

Got SIEM? Now what? Getting SIEM Work For You

Editor's Notes