So You Got That SIEM. Now What Do You Do? Anton Chuvakin, Principal, Security Warrior Consulting (@anton_chuvakin) Many organization that acquired Security Information and Event Management (SIEM) tools and even simpler log management tools have realized that they are not ready to use many of the advanced correlation features, despite promises that "they are easy to use" and "totally intuitive."  So, what should you do to achieve success with SIEM? What logs should you collect? Correlate? Review? How do you use log management as a step before SIEM? What process absolutely must be built before SIEM purchase becomes successful? At this presentation, you will learn from the experience of those who did not have the benefit of learning from other's mistakes. Also, learn a few tips on how to "operationalize" that SIEM purchase you've made. And laugh at some hilarious stories of "SIEM FAIL" of course! As a bonus track, how to revive a FAILED SIEM deployment you inherited at your new job will be discussed.

1. So You Got That SIEM. NOW What Do You Do? Dr. Anton Chuvakin SecurityWarrior LLC www.securitywarriorconsulting.com

2. DIRE WARNING: This presentation does NOT mention PCI DSS… …oh wait  www.pcicompliancebook.info

3. Outline Brief: What is SIEM? “You got it!” SIEM Pitfalls and Challenges Useful SIEM Practices From Deployment Onwards SIEM “Worst Practices” Replacing a SIEM and Other Tips Conclusions

4. About Anton: SIEM Builder and User Former employee of SIEM and log management vendors Now consulting for SIEM vendors and SIEM users SANS Log Management SEC434 class author Author, speaker, blogger, podcaster (on logs, naturally )

5. SIEM? Security Information and Event Management! (sometimes: SIM or SEM)

6. SIEM and Log Management LM: Log Management Focus on all uses for logs SIEM: Security Information and Event Management Focus on security useof logs and other data

7. What SIEM MUST Have? Log and Context Data Collection Normalization Correlation (“SEM”) Notification/alerting (“SEM”) Prioritization (“SEM”) Reporting and report delivery (“SIM”) Security role workflow (IR, SOC, etc)

8. What SIEM Eats: Logs <18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreendevice_id=ns5xp system-warning-00515: Admin User anton has logged onvia Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53) <57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess[user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006 <122> Mar 4 09:23:15 localhostsshd[27577]: Accepted passwordfor anton from ::ffff:192.168.138.35 port 2895 ssh2 <13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ANTON Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574

9. What SIEM Eats: Context http://chuvakin.blogspot.com/2010/01/on-log-context.html

10. How SIEM Got Here!? 1996-2002 IDS and Firewall Worms, alert overflow, etc Sold as “SOC in the box” 2003 – 2007 Above + Server + Context PCI DSS, SOX, users Sold as “SOC in the box”++ 2008+ Above + Applications + … Fraud, insiders, cybercrime Sold as “SOC in the box”+++++

11. What do we know about SIEM? Ties to many technologies, analyzes data, requires process around it, overhyped What does it actually mean? Many people think “SIEM is complex” Thinking Aloud Here…

12. I will tell you how to do SIEM RIGHT! Useless Consultant Advice Alert!!

13. The Right Way to SIEM Figure out what problems you want to solve with SIEM Confirm that SIEM is the best way to solve them Define and analyze your use cases Gather stakeholders and analyze their use cases Research SIEM functionality Create requirements for your tool, including process requirements Choose scope for SIEM coverage (with phases) Assess data volume over all Phase 1 log sources and plan ahead Perform product research, vendor interviews, references, peer groups Create a tool shortlist Pilot top 2-3 products in your environment Test the products for features, usability and scalability vs requirements Select a product for deployment and #2 product for backup Update or create procedures, IR plans, etc Create SIEM operational procedures Deploy the tool (phase 1)

14. The Popular Way to SIEM… Buy a SIEM appliance

15. … Backed by Online “Research” 15

16. Got Difference? What people WANT to know and have before they deploy a SIEM? What people NEED to know and have before they deploy a SIEM?

17. Got SIEM?Have you inherited it? Now what?

18. Popular #SIEM_FAIL … in descending order by frequency: Misplaced expectations (“SOC-in-a-box”) Missing requirements (“SIEM…huh?”) Wrong project sizing Political challenges with integration Vendor deception And only then: product not working 

19. What is a “Best Practice”? A process or practice that The leaders in the field are doing today Generally leads to useful results with cost effectiveness P.S. If you still hate it – say “useful practices”

20. BP0 How to Plan Your Project? Goals and requirements (WHY) Functionality / features (HOW) Scope of data collection (WHAT) Sizing (HOW MUCH) Architecting (WHERE)

21. BP1 LM before SIEM! If you remember one thing from this, let it be: Deploy Log Management BEFORE SIEM! Q: Why do you think MOST 1990s SIEM deployments FAILED? A: There was no log management!

22. SIEM/LM Maturity Curve

23. Graduating from LM to SIEM Are you ready? Well, do you have… Response capability and process Prepared to response to alerts Monitoring capability Has an operational process to monitor Tuning and customization ability Can customize the tools and content

24. BP2 Initial SIEM Use Steps of a journey … Establish response process Deploy a SIEM Think “use cases” Start filtering logs from LM to SIEM Phases: features and information sources Prepare for the initial increase in workload

25. Example LM->SIEM Filtering 3D: Devices / Network topology / Events Devices: NIDS/NIPS, WAF, servers Network: DMZ, payment network, other “key domains” Events: authentication, outbound firewall access, IPS Later: proxies, more firewall data, web servers

26. BP3 Expanding SIEM Use First step, next BABY steps! Compliance monitoring often first “Traditional” SIEM uses Authentication tracking IPS/IDS + firewall correlation Web application hacking Your simple use cases What problems do YOU want solved?

27. Example: Use Case Example: cross-system authentication tracking Scope: all systems with authentication Purpose: detect unauthorized access to systems Method: track login failures and successes Rule details: multiple login failures followed by login success Response plan: user account investigation, suspension, communication with suspect user

29. Plan architecture

30. Start collecting

31. Start reviewing

32. Solve problem 1

34. What is a “Worst Practice”? As opposed to the “best practice” it is … What the losers in the field are doing today A practice that generally leads to disastrous results, despite its popularity

35. WP for SIEM Planning WP1: Skip this step altogether – just buy something “John said that we need a correlation engine” “I know this guy who sells log management tools” WP2: Postpone scope until after the purchase “The vendor says ‘it scales’ so we will just feed ALL our logs” Windows, Linux, i5/OS, OS/390, Cisco – send’em in!

36. Case Study: “We Use’em All” At SANS Log Management Summit … Vendors X, Y and Z claim “Big Finance” as a customer How can that be? Well, different teams purchased different products … About $2.3m wasted on tools that do the same!

37. WPs for Deployment WP3: Expect The Vendor To Write Your Logging Policy OR Ignore Vendor Recommendations “Tell us what we need – tell us what you have” forever… WP4: Don’t prepare the infrastructure “Time synchronization? Pah, who needs it”

38. Misc Useful SIEM Tips 34

39. On SIEM Resourcing NEWSFLASH! SIEM costs money. But … Or…

40. “Hard” Costs - Money Initial SIEM license, hardware, 3rd party software Deployment and integration services Ongoing Support and ongoing services Operations personnel (0.5 - any FTEs) Periodic Vendor services Specialty personnel (DBA, sysadmin) Deployment expansion costs

41. “Soft” Costs - Time Initial Deployment time Log source configuration and integration (BIG!) Initial tuning, content creation Ongoing Report and log review Alert response and escalation Periodic Tuning and content creation Expansion: same as initial

42. Secret to SIEM Magic!

43. On Replacing a SIEM 39

44. How to Do It? Prepare to run both products for some time Draft the new vendor to help you migrate the data Be prepared to keep the old SIEM or keep the data backups BIG! Migrate SIEM content: reports, rules, views, alerts, etc 40

45. Tip: When To AVOID A SIEM In some cases, the best “SIEM strategy” is NOT to buy one: Log retention focus Investigation focus (log search) If you only plan to look BACKWARDS – no need for a SIEM!

46. Conclusions SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required FOCUS on what problems you are trying to solve with SIEM: requirements! Phased approach WITH “quick wins” is the easiest way to go Operationalize!!!

47. SIEM Reminders Cost countless sleepless night and boatloads of pain…. No SIEM before IR plans/procedures No SIEM before basic log management Think "quick wins", not "OMG ...that SIEM boondoggle" Tech matters! But practices matter more Things will get worse before better. Invest time before collecting value!

48. And If You Only … … learn one thing from this…. … then let it be….

49. Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements! Requirements Requirements Requirements Requirements Requirements Requirvements

50. Questions? Dr. Anton Chuvakin Email:anton@chuvakin.org Site:http://www.chuvakin.org Blog:http://www.securitywarrior.org Twitter:@anton_chuvakin Consulting:http://www.securitywarriorconsulting.com

51. More Resources Blog: www.securitywarrior.org Podcast: look for “LogChat” on iTunes Slides: http://www.slideshare.net/anton_chuvakin Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin Consulting: http://www.securitywarriorconsulting.com/

52. More on Anton Consultant: http://www.securitywarriorconsulting.com Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide Standard developer: CEE, CVSS, OVAL, etc Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

53. Security Warrior Consulting Services Logging and log management / SIEM strategy, procedures and practices Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations Help integrate logging tools and processes into IT and business operations SIEM and log management content development Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations Others at www.SecurityWarriorConsulting.com

54. Misc Resource Slides 50

55. Best Reports? SANS Top 7 DRAFT “SANS Top 7 Log Reports” Authentication Changes Network activity Resource access Malware activity Failures Analytic reports

56. Best Correlation Rules? Nada Vendor default rules? IDS/IPS + vulnerability scan? Anton fave rules: Authentication Outbound access Safeguard failure ?