five best and five worst practices for siem by dr. anton chuvakin

Upload: anton-chuvakin

Post on 18-Nov-2014

DESCRIPTION

End-User Case Study: Five Best and Five Worst Practices for SIEM. Implementing SIEM sounds straightforward, but reality sometimes begs to differ. In this session, Dr. Anton Chuvakin will share the five best and worst practices for implementing SIEM as part of security monitoring and intelligence. Understanding how to avoid pitfalls and create a successful SIEM implementation will help maximize security and compliance value, and avoid costly obstacles, inefficiencies, and risks.

TRANSCRIPT

Page 1: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

Dr. Anton Chuvakin

Principal @ SecurityWarrior, LLC

(until July 30, 2011)

Catalyst 2011, San Diego, CA

Five Best and Five Worst Practices for SIEM

Page 2: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

Security Warrior Consulting

Dr. Anton Chuvakin

Outline

• Quick SIEM Introduction
• SIEM Pitfalls and Challenges
• SIEM “Best Practices”
• SIEM “Worst Practices”
• Conclusions

Page 3: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

SIEM?

Security Information and Event Management!

(sometimes: SIM or SEM)

Page 4: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

SIEM and Log Management

SIEM: Security Information and Event Management. Focus on the security use of logs and other data.

LM: Log Management. Focus on all uses for logs.

Page 5: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

What MUST a SIEM Have?

1. Log and Context Data Collection

2. Normalization

3. Correlation (“SEM”)

4. Notification/alerting (“SEM”)

5. Prioritization (“SEM”)

6. Reporting and report delivery (“SIM”)

7. Security role workflow (IR, SOC, etc.)

Page 6: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

I can tell you how to do SIEM

RIGHT!

Page 7: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

The Right Way to SIEM

1. Figure out what problems you want to solve with SIEM

2. Confirm that SIEM is the best way to solve them

3. Define and analyze your use cases

4. Gather stakeholders and analyze their use cases

5. Research SIEM functionality

6. Create requirements for your tool, including process requirements

7. Choose scope for SIEM coverage (with phases)

8. Assess data volume over all Phase 1 log sources and plan ahead

9. Perform product research, vendor interviews, references, peer groups

10. Create a tool shortlist

11. Pilot top 2-3 products in your environment

12. Test the products for features, usability and scalability vs requirements

13. Select a product for deployment and #2 product for backup

14. Update or create procedures, IR plans, etc.

15. Create SIEM operational procedures

16. Deploy the tool (phase 1)

Page 8: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

The Popular Way to SIEM…

1. Buy a SIEM appliance

Page 9: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

Got Difference?

What do people WANT to know and have before they deploy a SIEM?

What do people NEED to know and have before they deploy a SIEM?

Page 10: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

What is a “Best Practice”?

• A process or practice that
  – The leaders in the field are doing today
  – Generally leads to useful results with cost effectiveness

P.S. If you still hate it, say “useful practices”

Page 11: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

BP1 How to Plan Your Project?

1. Goals and requirements (WHY)

2. Functionality / features (HOW)

3. Scope of data collection (WHAT)

4. Sizing (HOW MUCH)

5. Architecting (WHERE)

Page 12: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

BP2 LM before SIEM!

If you remember one thing from this, let it be:

Deploy Log Management BEFORE SIEM!

“Deploy log management functions before you attempt a wide-scale implementation of real-time event management.” (Gartner, 2009)

Page 13: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

Graduating from LM to SIEM

Are you ready? Well, do you have…

1. Response capability and process
  – Prepared to respond to alerts

2. Monitoring capability
  – Has an operational process to monitor

3. Tuning and customization ability
  – Can customize the tools and content

Page 14: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

BP3 Initial SIEM Use

Steps of a journey …

1. Establish response process

2. Deploy a SIEM

3. Think “use cases”

4. Start filtering logs from LM to SIEM
  – Phases: features and information sources

Prepare for the initial increase in workload

Page 15: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

Case Study: Good Initial SIEM Use

Example: cross-system authentication tracking
• Scope: all systems with authentication
• Purpose: detect unauthorized access to systems
• Method: track login failures and successes
• Rule details: multiple login failures followed by login success
• Response plan: user account investigation, suspension, communication with suspect user
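The case-study rule (multiple login failures followed by a success, tracked across systems) as an added Python example that is not part of the slides, written as the normalize-then-correlate pipeline the "What MUST a SIEM Have" slide describes. Both log line formats, the host and user names, and the event layout are constructed; the 4624/4625 values are only used as labels inside that made-up Windows-style layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Two constructed source formats; normalizing both into one event shape is the SIEM
# "normalization" step, so the correlation rule only ever sees a single schema.
LINUX_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+)")
WIN_RE = re.compile(r"^(\S+) (\S+) EventID=(4625|4624) TargetUser=(\S+)")

def normalize(line):
    """Return (timestamp, host, user, outcome) or None for lines the rule ignores."""
    m = LINUX_RE.match(line)
    if m:
        ts, host, verb, user = m.groups()
        return datetime.fromisoformat(ts), host, user, "success" if verb == "Accepted" else "failure"
    m = WIN_RE.match(line)
    if m:
        ts, host, eid, user = m.groups()
        return datetime.fromisoformat(ts), host, user, "success" if eid == "4624" else "failure"
    return None

def correlate(lines, min_failures=3, window_seconds=600):
    """Alert when one user has >= min_failures failures inside the window and then
    logs in successfully, on any host (the failures may be spread over several hosts)."""
    window = timedelta(seconds=window_seconds)
    # Ordering events from different sources by timestamp only works when the sources'
    # clocks agree: this is the concrete reason WP4 ("Time synchronization? Pah") hurts.
    events = sorted(e for e in map(normalize, lines) if e is not None)
    failures = defaultdict(list)
    alerts = []
    for ts, host, user, outcome in events:
        if outcome == "failure":
            failures[user].append(ts)
            continue
        recent = [t for t in failures[user] if ts - t <= window]
        if len(recent) >= min_failures:
            alerts.append({"user": user, "host": host, "failures": len(recent), "at": ts})
        failures[user].clear()  # a success closes the sequence either way
    return alerts

SAMPLE_LOGS = [  # constructed: Linux sshd-style and Windows-style lines, interleaved
    "2011-07-12T09:00:01 web01 sshd: Failed password for jdoe",
    "2011-07-12T09:00:05 web01 sshd: Failed password for jdoe",
    "2011-07-12T09:00:09 db01 EventID=4625 TargetUser=jdoe",
    "2011-07-12T09:01:30 db01 EventID=4624 TargetUser=jdoe",
    "2011-07-12T09:02:00 web01 sshd: Failed password for asmith",
    "2011-07-12T09:02:10 web01 sshd: Accepted password for asmith",
    "2011-07-12T09:05:00 web01 kernel: unrelated noise",
]
```

Running `correlate(SAMPLE_LOGS)` yields one alert for jdoe on db01 built from three failures on two different hosts; asmith's single failure stays below the threshold, which is the kind of tuning decision the "Tuning and customization ability" slide refers to.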

Page 16: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

BP4 Expanding SIEM Use

First step, next BABY steps!

1. Compliance monitoring often first

2. “Traditional” SIEM uses
  – Authentication tracking
  – IPS/IDS + firewall correlation
  – Web application hacking

3. Your simple use cases – What problems do YOU want solved?

Page 17: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

“Quick Wins” for Phased Approach

Phased approach #1
• Collect problems
• Plan architecture
• Start collecting
• Start reviewing
• Solve problem 1
• Solve problem n

Phased approach #2
• Focus on 1 problem
• Plan architecture
• Start collecting
• Start reviewing
• Solve problem 1
• Plan again

Page 18: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

What is a “Worst Practice”?

• As opposed to the “best practice” it is …
  – What the losers in the field are doing today
  – A practice that generally leads to disastrous results, despite its popularity

Page 19: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

WP for SIEM Planning

• WP1: Skip this step altogether – just buy something
  – “John said that we need a correlation engine”
  – “I know this guy who sells log management tools”

• WP2: Postpone scope until after the purchase
  – “The vendor says ‘it scales’ so we will just feed ALL our logs”
  – Windows, Linux, i5/OS, OS/390, Cisco – send ’em in!

Page 20: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

Case Study – Just Buy a SIEM!

• Medium-sized financial company

• New CSO comes in from a much larger organization

• “We need a SIEM! ASAP!”

• Can you spell “boondoggle”?

• Lessons learned: which problem did we solve? Huh!? None?

Page 21: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

WPs for Deployment

• WP3: Expect The Vendor To Write Your Logging Policy OR Ignore Vendor Recommendations
  – “Tell us what we need – tell us what you have” forever…

• WP4: Don’t prepare the infrastructure
  – “Time synchronization? Pah, who needs it”

Page 22: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

Case Study: Shelfware Forever!

• Financial company gets a SIEM tool after many months of “evaluations”

• Vendor SEs deploy it

• One year passes by

• A new CSO comes in; looks for what is deployed

• Finds a SIEM tool whose database contains exactly 53 log records (!)
  – It was never connected to a production network…

Page 23: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

Summary of Practices

“Best Practices”

1. Follow a logical SIEM deployment process

2. Log management before SIEM!

3. Start from simple SIEM use cases

4. Expand the use gradually

“Worst Practices”

1. Skip requirement determination phase

2. Postpone scoping until after SIEM purchase

3. Expect the vendor to tell you what to log

4. Fail to prepare the infrastructure

Page 24: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

SIEM Reminders

Cost countless sleepless nights and boatloads of pain….
• No SIEM before IR plans/procedures
• No SIEM before basic log management
• Think "quick wins", not "OMG ...that SIEM boondoggle"
• Tech matters! But practices matter more
• Things will get worse before better. Invest time before collecting value!

Page 25: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

Conclusions

• SIEM will work and has value … but BOTH initial and ongoing time/focus commitment is required

• FOCUS on what problems you are trying to solve with SIEM: requirements!

• Phased approach WITH “quick wins” is the easiest way to go

• Operationalize!!!

Page 26: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

Secret to SIEM Magic!

“Operationalizing” SIEM (e.g. SOC building)

Deployment Service

SIEM Software/Appliance

Page 27: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

Questions?

Dr. Anton Chuvakin

Email: [email protected]

Site: http://www.chuvakin.org

Blog: http://www.securitywarrior.org

Twitter: @anton_chuvakin

Consulting: http://www.securitywarriorconsulting.com

Page 28: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

More Resources

• Blog: www.securitywarrior.org
• Podcast: look for “LogChat” on iTunes
• Slides: http://www.slideshare.net/anton_chuvakin

• Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin

• Consulting: http://www.securitywarriorconsulting.com/

Page 29: Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

More on Anton

• Consultant: http://www.securitywarriorconsulting.com
• Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.

• Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide

• Standard developer: CEE, CVSS, OVAL, etc.
• Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
• Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager