3. TrueSec
$ cat ~/.profile
• I like (your) logs
• Security visualisation
• Playing with SIEMs for 5 years
• ArcSight, OSSEC, Splunk, …
(Used as tools, I’m not an evangelist ;-)
3
4. TrueSec
$ cat disclaimer.txt
“The opinions expressed in this presentation
are those of the speaker and do not necessarily
reflect those of past, present employers,
partners or customers.”
6. TrueSec
Market Overview
• Products are mature
• A SIEM must be in every $VENDOR's portfolio
• ArcSight (HP)
• Nitro (McAfee)
• Q1Labs (IBM)
• SaaS Model (“SIEM as a Service”) / MSSP
• Sliding to the “bigdata” buzz
15. TrueSec
Cause != Effect
A classic SIEM is good to detect the effect
of an incident but detecting the cause is
more valuable…
16. TrueSec
More SIEM Killers
• Complexity of modern architecture
• Recurrent process(es)
• Lack of assigned resources (people|time|money)
• Attackers are devious
• What are you looking for?
• It’s only a “dumb” toolbox
20. TrueSec
So what?
                 Pro                                  Con
Business cases   Easier to implement, quick ROI,      Missed events,
                 keep control, accurate results       limited investigations
Opportunism      Forensic                             Complex, flood of data,
                                                      sizing difficult, longer ROI
24. TrueSec
Looking (Ab)normal?
Mar 4 21:05:02 shiva sshd[16449]: Accepted publickey for alice from 111.112.113.114 port 62510 ssh2
• Timestamp
• Source IP
• User
• Authentication mechanism
25. TrueSec
Let’s Derive!
• Alice might login from 10.0.0.1
• Alice might login on Sunday
• Alice might login with a password
• Bob might replace Alice
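Slides 24 and 25 together describe a small anomaly check: extract the timestamp, source IP, user and authentication mechanism from an sshd "Accepted" line, learn what is normal for each user, and flag a login that deviates (new IP, Sunday, password instead of key). The script below is an added illustration of that idea, not code from the talk; the second and third log lines and the year are constructed, since syslog timestamps carry no year.

```python
import re
from datetime import datetime

# Constructed sample lines in the slide's sshd format; the first is the slide's own
# example, the other two are invented so the "derived" conditions can be exercised.
SAMPLE_LOGS = [
    "Mar 4 21:05:02 shiva sshd[16449]: Accepted publickey for alice from 111.112.113.114 port 62510 ssh2",
    "Mar 5 09:12:41 shiva sshd[16502]: Accepted publickey for alice from 111.112.113.114 port 50021 ssh2",
    "Mar 10 08:00:00 shiva sshd[16610]: Accepted password for alice from 10.0.0.1 port 40100 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_login(line, year=2013):  # year is an assumption: syslog lines have none
    """Extract the four fields the slide lists: timestamp, source IP, user, mechanism."""
    m = LINE_RE.match(line)
    if not m:
        return None  # not a successful-login line; ignore rather than guess
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "method": m["method"]}

def build_baseline(events):
    """Per user: source IPs, weekdays (Mon=0 .. Sun=6) and auth methods seen so far."""
    base = {}
    for e in events:
        b = base.setdefault(e["user"], {"ip": set(), "weekday": set(), "method": set()})
        b["ip"].add(e["ip"])
        b["weekday"].add(e["ts"].weekday())
        b["method"].add(e["method"])
    return base

def deviations(event, baseline):
    """List which of the slide's derived conditions this login breaks; [] means normal."""
    b = baseline.get(event["user"])
    if b is None:
        return ["user never seen before"]
    found = []
    if event["ip"] not in b["ip"]:
        found.append(f"new source IP {event['ip']}")
    if event["ts"].weekday() not in b["weekday"]:
        found.append(f"login on weekday {event['ts'].weekday()} (Sunday=6)")
    if event["method"] not in b["method"]:
        found.append(f"auth mechanism {event['method']} instead of {sorted(b['method'])}")
    return found

def run_example():
    """Learn from the first two lines, then score the third (the Sunday password login)."""
    events = [parse_login(l) for l in SAMPLE_LOGS]
    return deviations(events[2], build_baseline(events[:2]))
```

The third line trips all three conditions at once; in practice each is only a hint, and the baseline needs far more history than two lines before "new" means "abnormal".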
30. TrueSec
Mapping!
• Mapping your assets is a critical step
• Mapping must be in accordance with the business
• Mapping the actual exposures and issues
• Don’t forget the humans!
31. TrueSec
Early warning signs
• It’s not only a question of IT
• Increased number of calls received by the call center
• Increased resource usage (CPU, bandwidth)
33. TrueSec
Anomaly Detection
• Mathematics can help
• Detection systems look for deviations from normal or established patterns
(Source: http://minds.cs.umn.edu/publications/chapter.pdf)
35. TrueSec
Threat Intelligence
“Threat intelligence is evidence-based knowledge,
including context, mechanisms, indicators, implications
and actionable advice, about an existing or emerging
menace or hazard”
(Source: http://www.gartner.com/document/2487216)
37. TrueSec
Threat Intelligence
• Two types: strategic and tactical
• File bb83737167a951b3390bbea04ddd5991 is part of malware "X" (tactical)
• Users "U" from country "C" search for documents "D" (strategic)
• Use threat intelligence that focuses on your business
41. TrueSec
Conclusions
• Before, Security == Ability to resist attacks
• Now, Security == Ability to predict attacks
• Classic SIEM deployments (usually driven by product vendors) focus on the reactive end of the spectrum
• Looking forward to such an approach to defensive security