End-User Case Study: Five Best and Five Worst Practices for SIEM
Implementing SIEM sounds straightforward, but reality sometimes begs to differ. In this session, Dr. Anton Chuvakin will share the five best and worst practices for implementing SIEM as part of security monitoring and intelligence. Understanding how to avoid pitfalls and create a successful SIEM implementation will help maximize security and compliance value, and avoid costly obstacles, inefficiencies, and risks.
Dr. Anton Chuvakin
Principal @ SecurityWarrior, LLC
(until July 30, 2011)
Catalyst 2011, San Diego, CA
Five Best and Five Worst Practices for SIEM
Security Warrior Consulting, Dr. Anton Chuvakin
Outline
• Quick SIEM Introduction
• SIEM Pitfalls and Challenges
• SIEM “Best Practices”
• SIEM “Worst Practices”
• Conclusions
SIEM?
Security Information and Event Management!
(sometimes: SIM or SEM)
SIEM and Log Management
SIEM:
Security Information
and Event Management
Focus on security use of logs and other data
LM:
Log Management
Focus on all uses for logs
What MUST a SIEM Have?
1. Log and Context Data Collection
2. Normalization
3. Correlation (“SEM”)
4. Notification/alerting (“SEM”)
5. Prioritization (“SEM”)
6. Reporting and report delivery (“SIM”)
7. Security role workflow (IR, SOC, etc)
I can tell you how to do SIEM
RIGHT!
The Right Way to SIEM
1. Figure out what problems you want to solve with SIEM
2. Confirm that SIEM is the best way to solve them
3. Define and analyze your use cases
4. Gather stakeholders and analyze their use cases
5. Research SIEM functionality
6. Create requirements for your tool, including process requirements
7. Choose scope for SIEM coverage (with phases)
8. Assess data volume over all Phase 1 log sources and plan ahead
9. Perform product research, vendor interviews, references, peer groups
10. Create a tool shortlist
11. Pilot top 2-3 products in your environment
12. Test the products for features, usability and scalability vs requirements
13. Select a product for deployment and #2 product for backup
14. Update or create procedures, IR plans, etc
15. Create SIEM operational procedures
16. Deploy the tool (phase 1)
The Popular Way to SIEM…
1. Buy a SIEM appliance
Got Difference?
What do people WANT to know and have before they deploy a SIEM?
What do people NEED to know and have before they deploy a SIEM?
What is a “Best Practice”?
• A process or practice that
– The leaders in the field are doing today
– Generally leads to useful results with cost effectiveness
P.S. If you still hate it – say “useful practices”
BP1 How to Plan Your Project?
1. Goals and requirements (WHY)
2. Functionality / features (HOW)
3. Scope of data collection (WHAT)
4. Sizing (HOW MUCH)
5. Architecting (WHERE)
BP2 LM before SIEM!
If you remember one thing from this, let it be:
Deploy Log Management BEFORE SIEM!
“Deploy log management functions before you attempt a wide-scale implementation of real-time event management.” (Gartner, 2009)
Graduating from LM to SIEM
Are you ready? Well, do you have…
1. Response capability and process
– Prepared to respond to alerts
2. Monitoring capability
– Has an operational process to monitor
3. Tuning and customization ability
– Can customize the tools and content
BP3 Initial SIEM Use
Steps of a journey …
1. Establish response process
2. Deploy a SIEM
3. Think “use cases”
4. Start filtering logs from LM to SIEM
– Phases: features and information sources
Prepare for the initial increase in workload
Case Study: Good Initial SIEM Use
Example: cross-system authentication tracking
• Scope: all systems with authentication
• Purpose: detect unauthorized access to systems
• Method: track login failures and successes
• Rule details: multiple login failures followed by login success
• Response plan: user account investigation, suspension, communication with suspect user
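The authentication-tracking use case above, worked through end to end as an added example (this is not code from the slides or from the author): constructed sample log lines in two formats are normalized to one event shape, then a correlation rule fires on multiple login failures followed by a success. It exercises the SIEM functions listed earlier on the deck (collection, normalization, correlation, alerting, prioritization). The hostnames, users and IP addresses are made up, and the two log formats are simplified approximations of sshd syslog lines and Windows logon events (event IDs 4624/4625 are the real Windows logon success/failure IDs; everything else in the lines is constructed).

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input (not real logs): a simplified sshd/syslog format
# and a flattened Windows logon event format. Hosts, users and IPs are made up.
SAMPLE_LOGS = """\
2011-07-20T09:00:01Z host1 sshd[1201]: Failed password for alice from 203.0.113.5 port 40001 ssh2
2011-07-20T09:00:09Z host1 sshd[1201]: Failed password for alice from 203.0.113.5 port 40002 ssh2
2011-07-20T09:00:20Z host1 sshd[1201]: Failed password for alice from 203.0.113.5 port 40003 ssh2
2011-07-20T09:00:31Z host1 sshd[1201]: Accepted password for alice from 203.0.113.5 port 40004 ssh2
2011-07-20T09:05:00Z dc01 win EventID=4625 TargetUserName=bob IpAddress=198.51.100.7
2011-07-20T09:05:05Z dc01 win EventID=4624 TargetUserName=bob IpAddress=198.51.100.7
2011-07-20T10:00:00Z host2 sshd[77]: Failed password for carol from 192.0.2.9 port 5000 ssh2
2011-07-20T10:00:05Z host2 sshd[77]: Failed password for carol from 192.0.2.9 port 5001 ssh2
2011-07-20T10:00:10Z host2 sshd[77]: Failed password for carol from 192.0.2.9 port 5002 ssh2
2011-07-20T11:30:00Z host2 sshd[77]: Accepted password for carol from 192.0.2.9 port 5003 ssh2
"""


@dataclass
class AuthEvent:
    """Normalized authentication event: the common shape every source maps to."""
    ts: datetime
    host: str
    user: str
    src_ip: str
    success: bool


SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) "
    r"password for (?P<user>\S+) from (?P<ip>\S+)"
)
WIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) win EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)"
)


def parse_ts(text):
    # All sources are assumed to emit UTC; cross-host correlation only works
    # if the clocks agree (the "time synchronization" point from the deck).
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize(line):
    """Map one raw line to an AuthEvent, or None if it is not an auth event."""
    m = SSHD_RE.match(line)
    if m:
        return AuthEvent(parse_ts(m["ts"]), m["host"], m["user"], m["ip"],
                         m["outcome"] == "Accepted")
    m = WIN_RE.match(line)
    if m and m["eid"] in ("4624", "4625"):  # 4624 = logon success, 4625 = failure
        return AuthEvent(parse_ts(m["ts"]), m["host"], m["user"], m["ip"],
                         m["eid"] == "4624")
    return None


def correlate(events, min_failures=3, window=timedelta(minutes=5)):
    """Alert when a (user, source IP) pair logs >= min_failures failures and
    then a success, with every counted failure inside `window` of the success.
    Failures are tracked per pair so one user's failures never count toward
    another user's success."""
    alerts = []
    failures = defaultdict(list)  # (user, src_ip) -> timestamps of failures seen
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.src_ip)
        if not ev.success:
            failures[key].append(ev.ts)
            continue
        recent = [t for t in failures[key] if ev.ts - t <= window]
        if len(recent) >= min_failures:
            alerts.append({
                "user": ev.user,
                "src_ip": ev.src_ip,
                "host": ev.host,
                "failures": len(recent),
                "first_failure": min(recent),
                "success_at": ev.ts,
                # Simple prioritization: more failures before the success = higher.
                "priority": "high" if len(recent) >= 10 else "medium",
            })
        failures[key].clear()  # a success ends the sequence either way
    return alerts


def detect_from_text(raw_logs, **rule_params):
    """Collection -> normalization -> correlation over a blob of raw log text."""
    events = [e for e in (normalize(l) for l in raw_logs.splitlines()) if e]
    return correlate(events, **rule_params)


if __name__ == "__main__":
    for alert in detect_from_text(SAMPLE_LOGS):
        print(f"[{alert['priority']}] {alert['user']}@{alert['host']} from "
              f"{alert['src_ip']}: {alert['failures']} failures then success "
              f"at {alert['success_at']:%H:%M:%S}")
```

On the sample data only `alice` triggers the rule: three failures and a success inside thirty seconds. `bob` has a single failure before succeeding, and `carol` succeeds ninety minutes after her failures, outside the five-minute window, so neither produces an alert. The thresholds and window are the knobs the tuning step from the "Graduating from LM to SIEM" slide is about; the alert dictionary is what would feed the response plan (account investigation and suspension).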
BP4 Expanding SIEM Use
First step, next BABY steps!
1. Compliance monitoring often first
2. “Traditional” SIEM uses
– Authentication tracking
– IPS/IDS + firewall correlation
– Web application hacking
3. Your simple use cases – What problems do YOU want solved?
“Quick Wins” for Phased Approach
Phased approach #1
• Collect problems
• Plan architecture
• Start collecting
• Start reviewing
• Solve problem 1
• Solve problem n
Phased approach #2
• Focus on 1 problem
• Plan architecture
• Start collecting
• Start reviewing
• Solve problem 1
• Plan again
What is a “Worst Practice”?
• As opposed to the “best practice” it is …
– What the losers in the field are doing today
– A practice that generally leads to disastrous results, despite its popularity
WP for SIEM Planning
• WP1: Skip this step altogether – just buy something
– “John said that we need a correlation engine”
– “I know this guy who sells log management tools”
• WP2: Postpone scope until after the purchase
– “The vendor says ‘it scales’ so we will just feed ALL our logs”
– Windows, Linux, i5/OS, OS/390, Cisco – send’em in!
Case Study – Just Buy a SIEM!
• Medium-sized financial company
• New CSO comes in from a much larger organization
• “We need a SIEM! ASAP!”
• Can you spell “boondoggle”?
• Lessons learned: which problem did we solve? Huh!? None?
WPs for Deployment
• WP3: Expect The Vendor To Write Your Logging Policy OR Ignore Vendor Recommendations
– “Tell us what we need – tell us what you have” forever…
• WP4: Don’t prepare the infrastructure
– “Time synchronization? Pah, who needs it”
Case Study: Shelfware Forever!
• Financial company gets a SIEM tool after many months of “evaluations”
• Vendor SEs deploy it
• One year passes by
• A new CSO comes in; looks for what is deployed
• Finds a SIEM tool – whose database contains exactly 53 log records (!)
– It was never connected to a production network…
Summary of Practices
“Best Practices”
1. Follow a logical SIEM deployment process
2. Log management before SIEM!
3. Start from simple SIEM use cases
4. Expand the use gradually
“Worst Practices”
1. Skip requirement determination phase
2. Postpone scoping until after SIEM purchase
3. Expect the vendor to tell you what to log
4. Fail to prepare the infrastructure
SIEM Reminders
Cost countless sleepless nights and boatloads of pain…
• No SIEM before IR plans/procedures
• No SIEM before basic log management
• Think "quick wins", not "OMG ...that SIEM boondoggle"
• Tech matters! But practices matter more
• Things will get worse before better. Invest time before collecting value!
Conclusions
• SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required
• FOCUS on what problems you are trying to solve with SIEM: requirements!
• Phased approach WITH “quick wins” is the easiest way to go
• Operationalize!!!
Secret to SIEM Magic!
“Operationalizing” SIEM (e.g. SOC building)
Deployment Service
SIEM Software/Appliance
Questions?
Dr. Anton Chuvakin
Email: anton@chuvakin.org
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
Twitter: @anton_chuvakin
Consulting: http://www.securitywarriorconsulting.com
More Resources
• Blog: www.securitywarrior.org
• Podcast: look for “LogChat” on iTunes
• Slides: http://www.slideshare.net/anton_chuvakin
• Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin
• Consulting: http://www.securitywarriorconsulting.com/
More on Anton
• Consultant: http://www.securitywarriorconsulting.com
• Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
• Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
• Standard developer: CEE, CVSS, OVAL, etc
• Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
• Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager