Tips on SIEM Ops 2015
Download as PPTX, PDF•1 like•400 views
Dr. Anton Chuvakin provides an overview of SIEM architecture and operational processes. He notes that while a SIEM tool can be purchased, developing a full security monitoring capability requires growing people and maturing processes over time. The document outlines key aspects of deploying, running, and evolving a SIEM program, including common pitfalls to avoid, such as failing to define an initial scope or assuming the SIEM will run itself. It emphasizes taking an "output-driven" approach focused on solving security problems.
Tips on SIEM Ops 2015
- 1. Dr. Anton Chuvakin @anton_chuvakin SIEM Architecture and Operational Processes
- 2. Disclaimer: HISTORICAL INTEREST ONLY This material is at least several years old and is preserved here for HISTORICAL INTEREST ONLY Advice may not reflect current conditions (but then again, it may reflect yours…)
- 3. To Start… • You can buy a SIEM tool — but you cannot buy a security monitoring capability • Even MSSP only gives you many of the blocks of it, but not the whole thing! • You have to buy the tools, grow the people and mature the processes • Security monitoring is an eternal commitment
- 4. Outline • SIEM 2015: A Brief Refresher • Before SIEM • Deploying SIEM • Running SIEM • Evolving SIEM • Pitfalls • Recommendations
- 5. Security Information and Event Management (SIEM) Decomposed? SIEM Analysis Repository Query Reports Data Collection SIM Incident Management CorrelationNormalization Real-time Monitoring SEM Threat Intelligence Data Asset Vulnerability User Context Network Firewall Application FirewallApplication Database Server Network Device NIDS/NIPS Endpoint Protection Data Loss Prevention File Integrity Monitor Event Data Log Management Lives Here Too
- 6. Select 2015 SIEM Usage Trends • More log data (of course!) • More threat intel into SIEM • More managed SIEM • “Brainy” SIEM add-ons emerge
- 7. USE CASES!!!! Taking aspirin is about the headache, not about low aspirin content in your blood! What problem are you trying to solve?! 7
- 8. SIEM Uses Logs — Where Are Yours? • Logging policy fundamentals: • Identify, configure, tune — repeat! • What people log first? 1. Network devices, servers (AD!), security appliances. 2. Proxies, Web servers, antivirus. 3. Databases, application, desktops. • SIEM project phases set the order!
- 9. Compete Use Case Example Step Details Use-case Selection Focus on tracking authentication across systems to detect unauthorized access. Data Collection Have a list of systems: servers, VPN concentrators, network devices, and others. Log Source Configuration Contact the team that operates the systems and make them modify the logging configurations SIEM Content Preparation Review vendor's content, check it for suitability; modify the reports and rules until satisfied. Definition of Operational Processes Review operational processes (e.g a process for suspending or disabling user accounts) Refinement of the Content Review dashboards and test rules to see whether incidents will be detected.
- 10. Top Starter Use Cases (2015) 1. Authentication monitoring by using login logs 2. Compromised- and infected-system tracking; malware detection by using outbound firewall logs, NIPS alerts and Web proxy logs 3. Validating IDS/IPS (IDS/IPS) alerts by using context data 4. Monitoring for suspicious outbound connectivity and data transfers 5. Tracking system changes and other administrative actions across internal systems and matching them to allowed policy 6. Tracking of Web application attacks and their consequences by using Web server, WAF and application server logs
- 11. Architecture of an SIEM Deployment • Agents versus agentless for collection? • Log sources to collectors? Volume? • Network architecture constraints (such as connectivity and link bandwidth)? • Log collection across network architecture boundaries? • Can correlation be distributed? Can storage be? • How will redundancy be architected?
- 13. Successfully Run SIEM Deployment? • Goals • Processes • People
- 14. Essential SIEM Operational Processes • Use-case Independent: • Collector and log source configuration process • Escalation and collaboration process • Analyst training process (tool and process!) • Content tuning and customization process (<-KEY!) • SIEM program checkpoint process
- 15. More Essential SIEM Processes • Incident response • Security: • Monitoring: • Alert triage process • Activity baselining process • Investigation: • Indicator analysis process • Remediation process • Compliance: - Report review process - Report refinement based on changing requirements process - Compliance issue remediation process Advanced only: Data exploration process/"hunting"
- 16. People Shorthand Description Common Job Titles for This Role Run Maintain an SIEM product in operational status, monitor its uptime, optimize performance, deploy updates , and perform other system management tasks SIEM administrator and SIEM engineer Watch Use the SIEM product for security monitoring, investigate alerts and review activity reports Security analyst, SIEM analyst, and incident responder Tune Refine and customize SIEM content and create content specific to new use cases Content developer and SIEM consultant
- 17. SIEM Maturity Road Map State No. Maturity Stage Key Processes That Must Be in Place 1 SIEM deployed and collecting some log data SIEM infrastructure monitoring process Log collection monitoring process 2 Periodic SIEM usage, dashboard/report review Incident response process Report review process 3 SIEM alerts and correlation rules enabled Alert triage process 4 SIEM tuned with customized filters, rules, alerts, and reports Real-time alert triage process Content tuning process 5 Advanced monitoring use cases, custom SIEM content use cases Threat intelligence process Content research and development
- 18. SIEM And/Or/Vs/With Security Analytics? • Have to solve security problems that SIEM is sub-optimal for? • Want to apply more algorithms to log, flow and context data? • Have higher volume or diversity of data? • Need to post-process alerts? 18
- 19. Quick Win: Going Beyond SIEM • User Behavior Analytics (UBA) - “add-on” SIEM brain for user-focused analysis • Detect compromised accounts “automatically” • Enrich alerts with user behavior profiles • Utilize vendor-provided anomaly algorithms 19
- 20. SIEM Pitfalls • Planning: • Skip the planning stage and just buy some SIEM tool • Fail to define the initial deployment scope • Deployment: • Ignore a phased approach for deployment • Install the tool before a logging policy is clarified • Operation: • Assume that the SIEM would run itself • Lack a program owner
- 21. Advice Think "security monitoring capability," not "SIEM box." SIEM requires "care and feeding" to give value. Prepare to be involved with the tool indefinitely. Use "output-driven" SIEM approach. Define processes and dedicate personnel to use the tool. Define/Refine and incident response process. Follow the maturity levels — or suffer! Review your route beyond SIEM – UBA, etc