Not your Father’s SIEM Getting Better Insights & Results Bill Thorn Director, Security Operations Apollo Education Group

Post on 03-Jun-2020


Page 1: Not your Father’s SIEMISC... · Benefits of Using a SIEM • Central repository for security-relevant data – Structured or unstructured data • Real-time event aggregation and

Not your Father’s SIEM Getting Better Insights & Results

Bill Thorn Director, Security Operations Apollo Education Group

Page 2

Agenda

• Why use a SIEM?
• What is a SIEM?
• Benefits of Using a SIEM
• Considerations Before Implementing
• Put the Crown Jewels First
• Advanced SIEM Features & Benefits
• Use Cases - Walkthrough
• Lessons Learned

Page 4

Why Use a SIEM?

• Evolving Needs - More of the Same
• Enterprises and security leaders constantly need better information
• Increasing amounts of data to cull
• Need for better intelligence
• Resource constraints and contentions
• Budgets are tight
• Knowledge deficits

Page 5

What is a SIEM?

• Security Information & Event Manager
• Single pane of glass to manage events and output from all security tools and critical inputs
  – Hardware
  – Software
  – Applications
  – Processes

Page 7

Benefits of Using a SIEM

• Central repository for security-relevant data
  – Structured or unstructured data
• Real-time event aggregation and monitoring
• Real-time correlation and alerting
• Identify baseline versus anomalies
• Investigation, analysis, and forensics
• Compliance, Reporting, Trending, and Analytics
• Apply contextual factors to security events

Page 8

Considerations Before Implementing

• What is the problem being solved?
• What data will feed the SIEM?
• What are the anticipated outputs?
• Who will use the information and how will they use it?
  – Incident workflow
  – Systems integration
  – Reporting

Page 9

Advanced SIEM Features & Benefits

• “Big Data” approach
• Ability to take automated responses
• Provide better views and insights into the larger security ecosystem
• Active lists/watch lists
• Zones & asset groups
• Custom criticality
• Threat intelligence feeds

Page 11

Put the Crown Jewels First

• Bring in events from the most critical assets first
  – Don’t try and “boil the ocean”
  – Tuning critical assets as needed will make bringing in subsequent systems easier
  – Starting small allows you to tune processes and procedures as well

Page 12

Potential Use Cases are Endless

• Once rules for the Crown Jewels are in place – open the throttle up

• Consider all the data movement in and out of your enterprise
  – Mobility
  – Vendors
  – 3rd Party Cloud Services

Page 13

Map Out Your Use Cases

Page 14

Context Through Data Enrichment

• Data enrichment is information that makes the events more meaningful:
  – Asset criticality
  – Watch lists
  – Vulnerability data
  – Embargoed countries
  – Threat intelligence

Page 15

Use of Watch Lists

• Lists can be of set timeframes to allow efficient information turnover
• Watch lists can provide context
• Watch lists can be comprised of:
  – system names
  – IP addresses
  – Ports
  – user names
  – file names
  – file hashes

Page 16

Firewall Dropped/Blocked Connects

• Source IPs for multiple dropped connections are added to a 10-day Watch List
• Subsequent successful connections then alert as suspicious activity to be investigated

Page 17

Host Malware Detection

Antivirus identifies a suspected Trojan based on heuristics. The suspected file is deleted.

The detection triggers a number of automatic actions:

1. System is added to 3 separate watch lists
2. Full system scan is triggered
3. More restrictive host intrusion policies are enabled
4. Logs, Netstat details, running process info gathered
5. Incident record created
6. Suspicious new executables are uploaded to McAfee for examination

Page 18

Repeated Malware Detection

• Malware detection on a system already in 24-hour watch list

• Detection triggers the following actions:
  – System isolation
  – Logs, Netstat details, running process info gathered
  – Incident record created
  – Suspicious new executables are uploaded to McAfee for examination

Page 19

Failed Admin Account Logins

• Accounts with 5 failed attempts in 20 minutes are added to watch list

• Subsequent successful logins alert
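The two watch-list correlations in this walkthrough (the 10-day firewall list on Page 16 and the failed-admin-login rule on this slide) worked through as an added example; this is not code from the deck or from any SIEM product. The "multiple dropped connections" threshold of 3 and the 24-hour expiry of the admin-account list are assumptions, since the slides give neither.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
class WatchList:
    """Time-bounded watch list: an entry drops off once `ttl` has elapsed (the 10-day / 24-hour lists on the slides)."""
    def __init__(self, ttl):
        self.ttl, self.entries = ttl, {}           # key -> time the key was added
    def add(self, key, now):
        self.entries[key] = now
    def contains(self, key, now):
        added = self.entries.get(key)
        if added is None or now - added > self.ttl:
            self.entries.pop(key, None)            # expired: turn the entry over
            return False
        return True

def correlate(events, drop_threshold=3, fail_threshold=5, fail_window=timedelta(minutes=20)):
    """Replay events in time order; return (alert_name, subject) tuples. drop_threshold is an assumption."""
    fw_watch = WatchList(timedelta(days=10))       # slide: 10-day watch list for dropped-connection sources
    admin_watch = WatchList(timedelta(days=1))     # assumption: the slide gives no TTL for the admin list
    drops, failures, alerts = defaultdict(int), defaultdict(deque), []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = ev["time"]
        if ev["type"] == "fw_drop":                # firewall dropped/blocked connection
            drops[ev["src"]] += 1
            if drops[ev["src"]] >= drop_threshold:
                fw_watch.add(ev["src"], t)
        elif ev["type"] == "fw_allow":             # later successful connection from a watched source
            if fw_watch.contains(ev["src"], t):
                alerts.append(("suspicious_connection", ev["src"]))
        elif ev["type"] == "login_fail":           # admin failures inside a sliding 20-minute window
            q = failures[ev["user"]]
            q.append(t)
            while t - q[0] > fail_window:
                q.popleft()
            if len(q) >= fail_threshold:           # slide: 5 failures in 20 minutes
                admin_watch.add(ev["user"], t)
        elif ev["type"] == "login_ok":             # successful login by a watched account
            if admin_watch.contains(ev["user"], t):
                alerts.append(("watched_account_login", ev["user"]))
    return alerts

T0 = datetime(2020, 6, 3, 9, 0)
SAMPLE_EVENTS = (                                  # constructed sample events, not real logs
    [{"time": T0 + timedelta(minutes=i), "type": "fw_drop", "src": "203.0.113.7"} for i in range(3)]
    + [{"time": T0 + timedelta(days=2), "type": "fw_allow", "src": "203.0.113.7"},   # on the list: alert
       {"time": T0 + timedelta(days=11), "type": "fw_allow", "src": "203.0.113.7"}]  # entry expired: no alert
    + [{"time": T0 + timedelta(minutes=i), "type": "login_fail", "user": "admin"} for i in range(5)]
    + [{"time": T0 + timedelta(minutes=30), "type": "login_ok", "user": "admin"}]    # on the list: alert
)
```

Running correlate(SAMPLE_EVENTS) yields one alert per rule; the day-11 connection is silent because the 10-day entry has turned over, which is the "set timeframes" behaviour the watch-list slide describes.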

Page 20

Using File Hashes

• Watch lists can be set up to compare hash values

• Use hashes to identify files that have changed

• Use hashes to identify unwanted software
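An added example (not from the deck) of the two hash uses on this slide: a stored baseline of SHA-256 values flags changed, added and removed files, and a hash watch list flags unwanted software. The file contents, paths and watch-list hash are constructed for the example; the watch-list entry is not a real indicator.

```python
import hashlib

# Constructed watch list of unwanted-software hashes (not real IoCs): sha256 -> label
UNWANTED_HASHES = {
    hashlib.sha256(b"fake-remote-admin-tool-v1").hexdigest(): "unapproved remote admin tool",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(files):
    """files: {path: bytes}. Returns {path: sha256}, the snapshot stored while a system is known-good."""
    return {path: sha256(data) for path, data in files.items()}

def compare_to_baseline(baseline, files):
    """Return (changed, added, removed) path lists by comparing current hashes against the baseline."""
    current = build_baseline(files)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return changed, added, removed

def match_unwanted(files, watch_list=UNWANTED_HASHES):
    """Return [(path, label)] for files whose hash appears on the unwanted-software watch list."""
    return [(p, watch_list[h]) for p, h in build_baseline(files).items() if h in watch_list]

# Constructed sample: the same host at baseline time and later (hosts file edited, new executable dropped)
BASELINE_FILES = {"C:/Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
                  "C:/Tools/agent.exe": b"agent-v1"}
CURRENT_FILES = {"C:/Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n10.0.0.5 update.example\n",
                 "C:/Tools/agent.exe": b"agent-v1",
                 "C:/Users/Public/rat.exe": b"fake-remote-admin-tool-v1"}
```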

Page 21

Additional Use Case Considerations

• User profiling to identify high-risk users
  – Job board visits and data exfiltration
  – VPN and mobility usage

• Connection profiling to identify system connection anomalies

• Use of NetFlow data to identify abnormal patterns

Page 22

Lessons Learned – A Review

• Start with the end in mind
  – Know what data you want and…
  – Know who and how it will be handled
• Concentrate on the most important data elements first
• Tune the rules and tune the process
• Take advantage of data enrichment and automation opportunities to improve insights and outcomes