Topic: SECURITY and RISK SIEM (Security Information Event Management) Presenter: Ron Hruby

Posted on 08-Jun-2020

TRANSCRIPT

Page 1: SIEM (Security Information Event Topic: SECURITY ... · Threat. Feeds. SIEM. Security Information Event Management • Desperate security log and event sources • Manual correlation

Topic: SECURITY and RISK

SIEM (Security Information Event Management)

Presenter: Ron Hruby

Page 2:

Topics

• Threat landscape
• Breaches and hacks
• Leadership and accountability
• Evolution of security technology
• What is SIEM?
• SIEM overview and use cases
• Pitfalls of SIEM implementations
• Is SIEM a nice to have or need?

Page 3:

Background

Director of Commercial Cybersecurity for Vertek, based out of Colchester VT

20 years of IT solutioning, telecom and security experience

I’ve been both a buyer and a supplier of telecom and security related services

Co-Founder of the MSSP (Managed Security Service Provider) Division at Vertek

Vertek provides BPO, BI, Order Management, Network Migration Services, eNOC, MSSP/SOC and Consulting services to CP, MSPs, SMB, and Large Enterprise

MSSP Division provides managed SOC services, including 24x7 network monitoring, security intelligence and breach detection

Page 4:

Can your IT Department detect a breach today?

Page 5:

DDoS Attack (Distributed denial-of-service attack)

[Diagram: attacker machine running client program → command and control (C2) infects and controls clients → compromised hosts (botnet clients, millions of devices) → target of attack]

Multiple compromised hosts are used by an attacker to send incoming traffic, flooding their target and causing a Denial of Service (DoS) attack

Page 6:

Defcon.pro website also lists the following features: 24/7 Support, Private Methods, Skype Resolver, 99% uptime, Dedicated Servers, PayPal/Bitcoin, Stop Button, IP Geolocation, Cloudfare resolver, Domain Resolver, Amazing Power, Easy to use Interface

Page 7:

Pastebin is a text storage site where users can store plain text. It is most commonly used to share short source code snippets for code review via Internet Relay Chat (IRC)

Special shout out to #39 on this list

Page 8:

Pwned?

Page 9:

Verizon DBIR 2017

Page 10:

Shodan.io: Many organizations don’t have the basics covered

Page 11:

VNC (Virtual Network Computing)

VNC is a graphical desktop sharing program that allows someone to remotely control another computer

[Diagram: workstation running VNC Server ↔ workstation running VNC Viewer]

Page 12:

Page 13:

Supply Chain Attacks

“Foot-in-the door” through a vendor

“CCleaner download server was hosting the backdoored app as far back as September 11. Talos warned in a blog Monday that the affected version was released on August 15, but on September 12 an untainted version 5.34 was released. For weeks then, the malware was spreading inside supposedly-legitimate security software.”

Hackers Hid Backdoor In CCleaner Security App With 2 Billion Downloads -- 2.3 Million Infected

https://www.forbes.com/sites/thomasbrewster/2017/09/18/ccleaner-cybersecurity-app-infected-with-backdoor/#abf997e316a8

Page 14:

Page 15:

Among other things, our obligation is to protect

Simple Principles
• Where is it on your network
• Who has access to it
• How is it secured
• Who is monitoring it
• Who is periodically reviewing it

CPNI, SPI, PII, PCI, PHI, Non-Public, etc.

Page 16:

Leveraging Frameworks

Sample Requirements
• Assess and classify assets and information according to risk
• Continuously scan and assess unpatched software and system vulnerabilities
• Identify malicious entities probing systems and network
• Continuously monitor network traffic and system events for potential unsecure behaviors
• Respond to identified malicious events to remediate them
• Audit and report effectiveness

http://www.27000.org/ Cybersecurity Framework

As suppliers we see this language on contracts. We also require it.

Page 17:

Evolution of security technology

Page 18:

SIEM (Security Information Event Management)

[Diagram: Router, Switch, IDS, FW, Server, Scans and Threat Feeds as separate log and event sources]
• Disparate security log and event sources
• Manual correlation of events

[Diagram: the same sources (Router, Switch, IDS, FW, Server, Scans, Threat Feeds) feeding the SIEM]
• Single pane of glass for security log and events
• Cross correlation of events
• Log retention

SIEM Components: Sensor - Logger - Server

Page 19:

Security Information Event Management

The need for early targeted attack detection and response is driving the expansion of new and existing SIEM deployments

TRADITIONAL SIEM
• LOG MANAGEMENT
• ASSET DISCOVERY
• EVENT CORRELATION
• FORENSIC ANALYSIS
• TICKETING
• REPORTING
• THREAT FEEDS

VENDOR FEATURES
• NETWORK VULNERABILITY SCANNING
• NETWORK IDS
• HOST IDS / FIM
• NETFLOW
• PACKET CAPTURE
• OTX / FEED / IOC INTEGRATION
• POLICY VIOLATIONS

Page 20:

Sample SIEM Dashboard

Page 21:

Assets and Groups

Page 22:

Plugin Normalized Data

Raw log mapped to a taxonomy subtype = SIEM can read it.

Page 23:

IDS: Critical SIEM Log Source

[Diagram: Internet → Firewall → VLAN 10 (Workstation) / VLAN 20 (Server), with the IDS watching the traffic between them]

Intrusion Detection System (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations.

Snort (Sourcefire) Signatures

Signature vs. Anomaly Based

Page 24:

Vuln Scanning: Critical SIEM Log Source

[Diagram: Internet → Firewall → VLAN 10 (Workstation) / VLAN 20 (Server), with a Vulnerability Scanner running NVTs against the hosts]

OpenVAS - Network Vulnerability Testing (NVT) Definitions/Signatures

Page 25:

Open Threat Exchange

Key SIEM IoC source: https://www.alienvault.com/open-threat-exchange

Many technologies support OTX

Page 26:

Correlation

• Policy Violations
• Attacks
• Brute Force
• DDoS
• Malware
• Network Scanning
• User Contributed
• Suspicious Inbound Connections
• Suspicious Outbound Connections
• Critical Vulnerabilities
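The two ideas on pages 22 and 26, plugin normalization (raw log mapped to a taxonomy subtype) and cross correlation of the normalized events, as an added example. This is not the presenter's code and not any vendor's plugin format: the taxonomy names, the two regex "plugins", the 2020 year assumed for syslog timestamps and the sample log lines are all constructed for this illustration. The correlation directive is the page's "Brute Force" category: a burst of failed logins from one source against one host raises an alarm, and a success from the same source right after the burst escalates it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the presentation): an SSH server
# and a firewall, each writing its own raw format.
SAMPLE_LOGS = [
    "Mar 10 09:00:01 web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51012 ssh2",
    "Mar 10 09:00:03 web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51013 ssh2",
    "Mar 10 09:00:05 web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51014 ssh2",
    "Mar 10 09:00:07 web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51015 ssh2",
    "Mar 10 09:00:09 web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51016 ssh2",
    "Mar 10 09:00:12 web01 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51017 ssh2",
    "Mar 10 09:01:00 fw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP DPT=445",
    "Mar 10 09:05:00 web01 sshd[1300]: Failed password for bob from 10.0.0.22 port 40000 ssh2",
]

SYSLOG_TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"

# Each "plugin" is a regex for one log format plus a function that assigns the
# matched event a taxonomy category/subcategory (names are this example's own).
PLUGINS = [
    (re.compile(SYSLOG_TS + r" (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password"
                r" for (?P<user>\S+) from (?P<src>\S+) port \d+"),
     lambda m: ("Authentication",
                "Failed Login" if m["result"] == "Failed" else "Successful Login")),
    (re.compile(SYSLOG_TS + r" (?P<host>\S+) kernel: DROP .*SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
                r" .*DPT=(?P<dport>\d+)"),
     lambda m: ("Firewall", "Denied Connection")),
]


def parse_ts(raw):
    # Syslog timestamps carry no year; this example assumes 2020.
    return datetime.strptime("2020 " + raw, "%Y %b %d %H:%M:%S")


def normalize(line):
    """Map a raw log line to a normalized event, or None if no plugin matches."""
    for pattern, taxonomy in PLUGINS:
        m = pattern.match(line)
        if not m:
            continue
        category, subcategory = taxonomy(m)
        fields = m.groupdict()
        return {
            "ts": parse_ts(fields["ts"]),
            "host": fields["host"],
            "src": fields["src"],
            "user": fields.get("user"),
            "category": category,
            "subcategory": subcategory,
            "raw": line,
        }
    return None


def correlate_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Directive: `threshold` failed logins from one source against one host
    inside `window` raise an alarm; a later success from that source escalates."""
    alarms = []
    failures = defaultdict(list)  # (src, host) -> failure timestamps in the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] != "Authentication":
            continue
        key = (ev["src"], ev["host"])
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["subcategory"] == "Failed Login":
            recent.append(ev["ts"])
            if len(recent) == threshold:  # fire once, when the burst crosses the line
                alarms.append({"rule": "Brute Force Attempt", "priority": 3,
                               "src": ev["src"], "host": ev["host"], "ts": ev["ts"]})
        elif ev["subcategory"] == "Successful Login" and len(recent) >= threshold:
            # success right after a burst of failures: treat as a likely compromise
            alarms.append({"rule": "Brute Force Success", "priority": 5,
                           "src": ev["src"], "host": ev["host"], "ts": ev["ts"]})
            recent = []
        failures[key] = recent
    return alarms


def run(lines):
    """Normalize every line, drop what no plugin understands, then correlate."""
    events = [e for e in map(normalize, lines) if e is not None]
    return events, correlate_brute_force(events)


if __name__ == "__main__":
    events, alarms = run(SAMPLE_LOGS)
    print(f"{len(events)} events normalized, {len(alarms)} alarms")
    for a in alarms:
        print(a["ts"], a["rule"], f"priority={a['priority']}", a["src"], "->", a["host"])
```

Two design points map back to the pitfalls on page 31: the directive fires once when the burst crosses the threshold rather than on every further failure (alert fatigue), and the lone failed login for `bob` never becomes an alarm, which is the kind of non-priority event a policy should not alert on.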

Page 27:

Informationisbeautiful.net

Page 28:

Alarm and Forensics

Page 29:

Ticket and Triage

IR | BPM

Page 30:

Reporting

SIEM Lifecycle
• Security Incidents / Events
• Vulnerabilities
• Policy Items
• Performance
• Trends
• Tuning
• Change
• Action Items

Page 31:

Pitfalls of SIEM Implementations

01 Scope
• Business drivers for implementing
• Developing use cases

02 Planning
• Sizing, EPS and retention
• Log sources
• Features

03 Policy
• Monitoring too much or too little
• Generating alerts on non-priority events

04 Alert Fatigue / Lack of Context
• Alerts may be generated that staff may not understand
• A certain # of false positives is good; too many can lead to alert fatigue and false negatives

05 Inadequate staffing
• A SIEM needs to be monitored, maintained, and tuned to be effective

Page 32:

Striking the balance: Is a SIEM nice to have or need?

Technologies like Firewalls, IDS/IPS, Content Filtering, and Vulnerability Scanning ARE NOT a replacement for SIEM
• Firewalls provide a way to allow traffic in and out of your network…
• IDS provide a way to monitor traffic in and out of your network…
• IPS sits inline to prevent traffic based on IDS events. Under-tuned, it can block legitimate traffic; over-suppressed, it has the potential to miss events.
• URL filtering provides a way to monitor and control web traffic…
• Vulnerability scanning provides a way to scan and detect vulnerabilities…

Manual tasks required to correlate events
Checks and balance within security roles (engineering, administration, analyst)
Responsibilities (assigned, concerned, responsible)

Page 33:

Among other things, our obligation is to protect

Simple Principles
• Where is it on your network
• Who has access to it
• How is it secured
• Who is monitoring it
• Who is periodically reviewing it

3rd party testing: combination of red team / blue team tactics

Checks and balance

CPNI, SPI, PII, PCI, PHI, Non-Public, etc.

Page 34:

1+1 should be >2

Technology (SIEM) + People (Sr. Security Analyst)

SIEM does not implement itself. It knows nothing about your environment, your assets or your risks

Business requirements should drive directives and tuning

Turn industry advisories into actionable Indicators of Compromise (IoCs) and/or action items to discuss during security reviews

Signatures, directives and threat feeds are extremely important to detect new and emerging threats

Ultimately the team managing the SIEM and reviewing the reports will make or break its success
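What "turning an advisory into actionable IoCs" looks like once the indicators reach the SIEM, tying together the OTX feed on page 25, the "Suspicious Outbound Connections" correlation category on page 26 and the advice above, as an added example. This is not the presenter's code and not the OTX API: the feed layout is a simplified pulse-like structure assumed for this illustration, the indicators and the normalized events are constructed, and the example goes slightly beyond the slides by handling indicator expiry (a retired address from a stale advisory must stop firing) and label-aware domain matching (a plain suffix test would misfire on look-alike names).

```python
import ipaddress
from datetime import datetime

# Constructed indicator feed (an assumption: a simplified pulse-like layout,
# not the real OTX schema). Each pulse is one advisory turned into IoCs.
FEED = [
    {"name": "Example advisory: commodity banking trojan",
     "indicators": [
         {"type": "IPv4", "value": "198.51.100.23", "expires": "2020-06-30"},
         {"type": "CIDR", "value": "203.0.113.0/24", "expires": "2020-06-30"},
         {"type": "domain", "value": "bad-example.test", "expires": "2020-06-30"},
         {"type": "FileHash-SHA256", "value": "0" * 63 + "1", "expires": "2020-06-30"},
     ]},
    {"name": "Stale advisory: retired C2 address",
     "indicators": [
         {"type": "IPv4", "value": "192.0.2.50", "expires": "2019-01-01"},
     ]},
]

# Constructed normalized events, the shape a SIEM plugin would emit for
# outbound proxy/DNS/firewall traffic and for an endpoint file observation.
EVENTS = [
    {"src": "10.0.0.15", "dst": "198.51.100.23", "domain": None, "sha256": None},
    {"src": "10.0.0.16", "dst": "203.0.113.77", "domain": None, "sha256": None},
    {"src": "10.0.0.17", "dst": "93.184.216.34", "domain": "cdn.bad-example.test", "sha256": None},
    {"src": "10.0.0.18", "dst": "93.184.216.34", "domain": "notbad-example.test", "sha256": None},
    {"src": "10.0.0.19", "dst": "192.0.2.50", "domain": None, "sha256": None},
    {"src": "10.0.0.20", "dst": "10.0.0.1", "domain": None, "sha256": "0" * 63 + "1"},
]


def build_index(feed, as_of):
    """Index live indicators by type; anything past its expiry date is skipped
    so a stale advisory does not keep generating alarms."""
    idx = {"ip": {}, "cidr": [], "domain": {}, "hash": {}}
    for pulse in feed:
        for ind in pulse["indicators"]:
            if datetime.strptime(ind["expires"], "%Y-%m-%d") < as_of:
                continue
            kind, value = ind["type"], ind["value"]
            if kind == "IPv4":
                idx["ip"][value] = pulse["name"]
            elif kind == "CIDR":
                idx["cidr"].append((ipaddress.ip_network(value), pulse["name"]))
            elif kind == "domain":
                idx["domain"][value.lower()] = pulse["name"]
            elif kind == "FileHash-SHA256":
                idx["hash"][value.lower()] = pulse["name"]
    return idx


def domain_hits(name, domain_idx):
    """Label-aware match: the event domain equals the IoC or is a subdomain of it.
    A plain string suffix test would wrongly match notbad-example.test."""
    name = name.lower()
    return [(ioc, pulse) for ioc, pulse in domain_idx.items()
            if name == ioc or name.endswith("." + ioc)]


def match_event(event, idx):
    """Return (indicator_type, indicator, pulse) for every IoC the event touches."""
    hits = []
    dst = event.get("dst")
    if dst:
        if dst in idx["ip"]:
            hits.append(("IPv4", dst, idx["ip"][dst]))
        try:
            addr = ipaddress.ip_address(dst)
            hits += [("CIDR", str(net), pulse) for net, pulse in idx["cidr"] if addr in net]
        except ValueError:
            pass  # destination was not an IP literal
    if event.get("domain"):
        hits += [("domain", ioc, pulse) for ioc, pulse in domain_hits(event["domain"], idx["domain"])]
    sha = event.get("sha256")
    if sha and sha.lower() in idx["hash"]:
        hits.append(("FileHash-SHA256", sha, idx["hash"][sha.lower()]))
    return hits


def scan(events, feed, as_of):
    """Run every event against the indicators live on `as_of` (YYYY-MM-DD);
    return one alarm per hit, carrying the advisory name as analyst context."""
    idx = build_index(feed, datetime.strptime(as_of, "%Y-%m-%d"))
    alarms = []
    for ev in events:
        for kind, value, pulse in match_event(ev, idx):
            alarms.append({"src": ev["src"], "indicator_type": kind,
                           "indicator": value, "pulse": pulse})
    return alarms


if __name__ == "__main__":
    for a in scan(EVENTS, FEED, "2020-06-08"):
        print(a["src"], a["indicator_type"], a["indicator"], "<-", a["pulse"])
```

Each alarm carries the advisory it came from, which is the context a Sr. Security Analyst needs to decide whether the hit is an action item for the next security review or a false positive to tune out.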

Page 35:

Don’t bet on luck. Be well prepared.

[email protected]