On Content-Aware SIEM by Dr. Anton Chuvakin

1. Content-Aware SIEM Dr. Anton Chuvakin Security Warrior Consulting www.securitywarriorconsulting.com February 2010

2. Outline Brief SIEM History SIEM Today Today’s SIEM Use Cases Evolution of SIEM: Content-Aware SIEM What SIEM “Eats”? Logs + context + content! Legacy SIEM vs Content-Aware SIEM Why Deploy a CA-SIEM?

3. SIEM? Security Information and Event Management! (sometimes: SIM or SEM)

4. SIEM Evolution 1997-2002 IDS and Firewall Worms, alert overflow, etc 2003 – 2007 Above + Server + Context PCI DSS, SOX, users 2008+ Above + Applications+ Content Fraud, activities, cybercrime

5. SIEM Today Log and Context Data Collection Normalization Correlation (“SEM”) Notification/alerting (“SEM”) Prioritization (“SEM”) Reporting and report delivery (“SIM”) Security role workflow

6. SIEM Use Cases Security Operations Center (SOC) RT views, analysts 24/7, chase alerts Mini-SOC / “morning after” Delayed views, analysts 1/24, review and drill-down “Automated SOC” / alert + investigate Configure and forget, investigate alerts Compliance status reporting Review reports/views weekly/monthly

7. What SIEM Eats? Logs Context Content (NEW)

8. One: Logs <18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreendevice_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53) <57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006 <122> Mar 4 09:23:15 localhostsshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2 <13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ANTON Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574

9. Two: Context http://chuvakin.blogspot.com/2010/01/on-log-context.html

10. Three: Content Emails Attachment IM chats Facebook posts Videos Images

11. Note: Content is NOT Just Packets Drilldown to packets Drilldown to emailed document

12. Legacy SIEM vs CA-SIEM?

13. Secret to SIEM Magic!

14. Conclusions SIEM is evolving to today’s needs, while still solving the old needs Note: no old IT security threat has gone away yet… SIEMs that can consume content and not just logs can win the battle Note: logs are voluminous, but content is EVEN LARGER

15. Questions Dr. Anton Chuvakin Email:anton@chuvakin.org Site:http://www.chuvakin.org Blog:http://www.securitywarrior.org LinkedIn:http://www.linkedin.com/in/chuvakin Twitter:@anton_chuvakin Consulting Services: SIEM, Log management http://www.securitywarriorconsulting.com

16. More on Anton Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide Standard developer: CEE, CVSS, OVAL, etc Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager, Consultant