TRANSCRIPT
Not your Father’s SIEM Getting Better Insights & Results
Bill Thorn Director, Security Operations Apollo Education Group
Agenda
• Why use a SIEM?
• What is a SIEM?
• Benefits of Using a SIEM
• Considerations Before Implementing
• Put the Crown Jewels First
• Advanced SIEM Features & Benefits
• Use Cases - Walkthrough
• Lessons Learned
Why Use a SIEM?
• Evolving Needs - More of the Same
• Enterprises and security leaders constantly need better information
• Increasing amounts of data to cull
• Need for better intelligence
• Resource constraints and contentions
• Budgets are tight
• Knowledge deficits
What is a SIEM?
• Security Information & Event Manager
• Single pane of glass to manage events and output from all security tools and critical inputs
  – Hardware
  – Software
  – Applications
  – Processes
Benefits of Using a SIEM
• Central repository for security-relevant data
  – Structured or unstructured data
• Real-time event aggregation and monitoring
• Real-time correlation and alerting
• Identify baseline versus anomalies
• Investigation, analysis, and forensics
• Compliance, reporting, trending, and analytics
• Apply contextual factors to security events
Considerations Before Implementing
• What is the problem being solved?
• What data will feed the SIEM?
• What are the anticipated outputs?
• Who will use the information and how will they use it?
  – Incident workflow
  – Systems integration
  – Reporting
Advanced SIEM Features & Benefits
• “Big Data” approach
• Ability to take automated responses
• Provide better views and insights into the larger security ecosystem
• Active lists/watch lists
• Zones & asset groups
• Custom criticality
• Threat intelligence feeds
Put the Crown Jewels First
• Bring in events from the most critical assets first
  – Don’t try and “boil the ocean”
  – Tuning critical assets as needed will make bringing in subsequent systems easier
  – Starting small allows you to tune processes and procedures as well
Potential Use Cases are Endless
• Once rules for the Crown Jewels are in place – open the throttle up
• Consider all the data movement in and out of your enterprise
  – Mobility
  – Vendors
  – 3rd Party Cloud Services
Map Out Your Use Cases
Context Through Data Enrichment
• Data enrichment is information that makes the events more meaningful:
  – Asset criticality
  – Watch lists
  – Vulnerability data
  – Embargoed countries
  – Threat intelligence
Use of Watch Lists
• Lists can be of set timeframes to allow efficient information turnover
• Watch lists can provide context
• Watch lists can be comprised of:
  – system names
  – IP addresses
  – ports
  – user names
  – file names
  – file hashes
Firewall Dropped/Blocked Connects
• Source IPs for multiple dropped connections are added to a 10-day watch list
• Subsequent successful connections then alert as suspicious activity to be investigated
Host Malware Detection
Antivirus identifies a suspected Trojan based on heuristics; the suspected file is deleted.
The detection triggers a number of automatic actions:
1. System is added to 3 separate watch lists
2. Full system scan is triggered
3. More restrictive host intrusion policies are enabled
4. Logs, netstat details, running process info gathered
5. Incident record created
6. Suspicious new executables are uploaded to McAfee for examination
Repeated Malware Detection
• Malware detection on a system already in a 24-hour watch list
• Detection triggers the following actions:
  – System isolation
  – Logs, netstat details, running process info gathered
  – Incident record created
  – Suspicious new executables are uploaded to McAfee for examination
Failed Admin Account Logins
• Accounts with 5 failed attempts in 20 minutes are added to a watch list
• Subsequent successful logins alert
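The two watch-list rules above (firewall dropped connections and failed admin logins) share one shape: N bad events for an entity inside a sliding window put it on a time-boxed watch list, and a later good event for a watched entity raises an alert. The following Python is an added illustration, not code from the deck or from any SIEM product; the sample events are constructed, and the firewall threshold (3 drops in 5 minutes) and the 24-hour login watch list are assumptions the slides do not state.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def watchlist_alerts(events, threshold, window, ttl):
    """events: (iso_timestamp, entity, outcome) in time order; outcome is
    'bad' (dropped connection / failed login) or 'good' (success).
    Returns (timestamp, entity) for every 'good' event of a watched entity."""
    recent = defaultdict(deque)  # entity -> timestamps of bad events in window
    watch = {}                   # entity -> watch-list expiry time
    alerts = []
    for ts, entity, outcome in events:
        now = datetime.fromisoformat(ts)
        if outcome == "bad":
            q = recent[entity]
            q.append(now)
            while now - q[0] > window:   # drop events that fell out of the window
                q.popleft()
            if len(q) >= threshold:      # threshold reached: (re)arm the watch list
                watch[entity] = now + ttl
        elif outcome == "good":
            expiry = watch.get(entity)
            if expiry is not None and now <= expiry:
                alerts.append((ts, entity))
    return alerts

# Constructed sample: admin fails 5 times inside 20 min, then succeeds.
FAILED_LOGINS = [
    ("2024-03-01T09:00:00", "admin", "bad"),
    ("2024-03-01T09:03:00", "admin", "bad"),
    ("2024-03-01T09:07:00", "admin", "bad"),
    ("2024-03-01T09:12:00", "admin", "bad"),
    ("2024-03-01T09:18:00", "admin", "bad"),   # 5th failure -> watch-listed
    ("2024-03-01T09:30:00", "admin", "good"),  # success while watched -> alert
    ("2024-03-01T10:00:00", "backup", "bad"),
    ("2024-03-01T10:05:00", "backup", "good"), # below threshold -> no alert
]

# Constructed sample: 3 drops from one source IP (TEST-NET-3), then a success.
FIREWALL_DROPS = [
    ("2024-03-01T01:00:00", "203.0.113.7", "bad"),
    ("2024-03-01T01:00:05", "203.0.113.7", "bad"),
    ("2024-03-01T01:00:09", "203.0.113.7", "bad"),   # 3rd drop -> 10-day watch list
    ("2024-03-04T14:22:00", "203.0.113.7", "good"),  # allowed connection -> alert
    ("2024-03-15T08:00:00", "203.0.113.7", "good"),  # past 10 days -> no alert
]

def failed_admin_login_alerts():
    return watchlist_alerts(FAILED_LOGINS, 5, timedelta(minutes=20), timedelta(hours=24))

def firewall_drop_alerts():
    return watchlist_alerts(FIREWALL_DROPS, 3, timedelta(minutes=5), timedelta(days=10))
```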
Using File Hashes
• Watch lists can be set up to compare hash values
• Use hashes to identify files that have changed
• Use hashes to identify unwanted software
Additional Use Case Considerations
• User profiling to identify high-risk users
  – Job board visits and data exfiltration
  – VPN and mobility usage
• Connection profiling to identify system connection anomalies
• Use of NetFlow data to identify abnormal patterns
Lessons Learned – A Review
• Start with the end in mind
  – Know what data you want and…
  – Know who and how it will be handled
• Concentrate on the most important data elements first
• Tune the rules and tune the process
• Take advantage of data enrichment and automation opportunities to improve insights and outcomes