
Security Information

and Event Management

Craig Pennington
Sr. Network Information Security Analyst
Wabash Valley Power Association
Show of Hands. Which describes you?

Have a SIEM in place

Fully implemented, and it is the cornerstone of your SOC
Doing lots of good stuff for you and have even more in the works
I can't possibly keep up with all the alarms and I wish that thing would just shut up
Paid someone else to deal with it and tell me what to do (Hosted or On-Premise?)
Nothing yet but plan to get one soon
Not sure I need one, or too much to deal with right now

To SIEM or not to SIEM
Analysts say that for every dollar you spend directly on the SIEM you will spend 3 more to manage it
Requires a lot of planning and a complete understanding of your environment (network, server and workstation levels)
Useful implementations require good security processes, take a long time initially, and remain ongoing, forever
Vendors over-promise and under-deliver
Unrealistic expectations of a SIEM being the answer to all your problems

Bad guys have the upper hand and there is too much information to handle with manual
Verizon's Data Breach Investigation Report over the last several years says that 97 percent of attacks could have been prevented by using simple security controls, including log management and analysis
A mature SOC depends on a mature SIEM implementation
Most SIEMs have lots of capabilities and integrations with 3rd-party feeds
My Opinion: YES, you must SIEM

There is so much information needing analysis, so many compliance requirements, and so many due-care standards, that realistically it is impossible to faithfully perform it all without these tools.
You are probably already performing most (hopefully at least some) of these activities. Look for ways the SIEM can automate them so you can reclaim at least some of the time investment it takes to run the SIEM.

Why do People Struggle with SIEMs?

Not prepared for the commitment of money and time up front and the ongoing needs
Don't understand their environment and their needs

Vikas Bhatia, CEO of the New York-based cyber security consultancy Kalki:
"Almost all vendors want to sell you a big bang approach, but the best way to deploy is a phased approach."
It is essential to identify in advance what system log files will be required for monitoring and know what level of security each asset requires.
Security is a process and not a one-and-done tactical operation
Mike Spencer with Accuvant: "Many organizations do not know what their critical assets are and therefore do not know how to protect them."
Basic Features
Event Consolidation and Normalization
Log Retention
Threat Feeds
Situational Awareness
User Analytics
Reduce False Positives
Packet Capture
File Integrity Monitoring
Geo Location
Work flows
Forensic Analysis
Long Term Retention
Determine Your Use Cases

Gather information on your possible uses:

Compliance (control-centric use cases)
Threat assessment results and threat lists (threat-centric use cases)
Asset lists (asset-centric use cases)
Generate a big list of candidate use cases from the information you collect
Determine the relevance of the above threats, controls and assets to your specific needs
Initially prioritize the use cases focused on importance AND doability, then prioritize and select the top use cases by value to you

Compliance Examples
PCI 10.7:
Retain audit trail history for at least one year, with a minimum of three months
immediately available for analysis (for example, online, archived, or restorable from
NERC CIP 007-6 Table R4:
4.1 - Log events at the BES Cyber System level (per BES Cyber System capability) or at
the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact
investigations of, Cyber Security Incidents that includes, as a minimum, each of the
following types of events: 4.1.1. Detected successful login attempts; 4.1.2. Detected
failed access attempts and failed login attempts; 4.1.3. Detected malicious code.
4.2 - Generate alerts for security events that the Responsible Entity determines
necessitates an alert, that includes, as a minimum, each of the following types of events
(per Cyber Asset or BES Cyber System capability): 4.2.1. Detected malicious code from
Part 4.1; and 4.2.2. Detected failure of Part 4.1 event logging.
4.3 - Where technically feasible, retain applicable event logs identified in Part 4.1 for at
least the last 90 consecutive calendar days except under CIP Exceptional Circumstances.
Choosing a Deployment Model

Hosted SIEM, advantages:
Less training is required
Higher level of expertise available
Can be more of an operating rather than a capital expenditure
Staff turnover is less of a concern
24/7 analysis

Hosted SIEM, drawbacks:
Your data leaves the premises
Reliance on the Internet in order to manage the network
Alarms still need to be investigated
Limited visibility into the data for custom or additional analysis
Less opportunity to tune out false alarms (the vendor decides what is important)
Inability to move between vendors and maintain the older logs

Choosing a Deployment Model (cont.)

On-premise SIEM, advantages:
Control over your data and system functions
Maximum ability to configure the correlation rules, reporting, retention periods, and other settings to meet your needs
Easier to create custom feeds and input custom IOCs (such as IPs, URLs, etc. from sources like E-ISAC alerts)

On-premise SIEM, drawbacks:
Tend to suffer from low staffing rates
Staff being pulled off SIEM work to work on projects or other duties (hard to do part-time)
Requires specialized training
Often oversized versus actual needs
Sizing the SIEM

Avoid playing feature bingo

Compare the list of use-case features to the features of each product
Look for the ability to deploy an evaluation or a proof of concept in your
Licensed by endpoint or by message volume? If hosted, are there additional costs for the volume of storage needed to satisfy your retention requirements?
If you only need basic features like log correlation and reporting, don't pay for advanced enterprise features
Do you require redundancy?
How does the system scale? Do I have to throw away existing hardware investment if I need to scale up?

Questions To Ask SIEM Vendors

What log sources does it handle out of the box? How do you create custom maps?
What out-of-the-box reports for security and compliance are included?
What is the cost of maintenance?
What is the cost of the SIEM product? How is it licensed?
What is the cost of training?
How is post-sale technical support handled? Stats? (time to first contact, ticket priorities, average time to resolution)
Does it require hardware? Does it support virtualization? Hybrid?
Will it integrate with your current ticketing system?
How many report/dashboard/alert customization options are available?
Questions To Ask SIEM Vendors (cont.)

How will it help with operational roles and not just security?
Is there a packet capture or flow option?
How does the product handle older data that has been archived off-box?
How thorough is the product documentation?
What does the product do in the event of a license violation?
How much staffing will I need for a deployment of this size?

Your SIEM Uses Versus What's Built-in

The Path to SIEM Success

Collect logs from standard security sources (Firewalls, IPS, Domain Controllers, Anti-virus/Anti-malware, NetFlow, Web Proxy, etc.)
Enrich logs with supplemental data (Vulnerabilities, Software versions, etc.)
Global Threat Intelligence Feeds
Correlate - finding the proverbial needles in the log haystacks
Investigate - follow up and fix data source and normalization issues
Document - Standard Operating Procedures, Service Level Agreements, Forensics/Investigation Procedures
Incorporate expanded log collection (more servers, workstations) and additional uses such as application monitoring and analysis
Continuously Improve Your Processes
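The "Enrich" and "Correlate" steps above are where a SIEM earns its keep: the same firewall event means something different once the asset inventory, vulnerability data and a threat feed are joined to it. The following is an added example written for this page, not code from the deck or from any SIEM product. The asset inventory, the threat feed addresses, the sample events and the scoring weights are all constructed assumptions; a real deployment would pull them from the CMDB, the vulnerability scanner and the intelligence sources the deck lists (E-ISAC alerts, global feeds).

```python
"""Enrich a firewall event with asset and threat-intel context, then score it."""

# Constructed asset inventory (assumption): keyed by internal IP.
ASSETS = {
    "10.1.1.5": {"hostname": "hmi01", "criticality": "high",
                 "software": "hmi-runtime 4.2", "open_vulns": ["VULN-PLACEHOLDER-1"]},
    "10.1.1.9": {"hostname": "ws-bob", "criticality": "low",
                 "software": "office-suite 2021", "open_vulns": []},
}

# Constructed threat feed (assumption): addresses an E-ISAC-style alert might list.
THREAT_FEED = {"198.51.100.7", "203.0.113.9"}

# Scoring weights (assumption). The point is that one raw event scores
# differently depending on what the enrichment reveals about it.
WEIGHTS = {"base": 1, "threat_match": 2, "critical_asset": 2,
           "open_vulns": 1, "allowed": 1}


def enrich(event: dict) -> dict:
    """Return a copy of the event with asset and threat-feed context attached."""
    out = dict(event)
    # Whichever side of the connection is in the inventory is "our" asset.
    out["asset"] = ASSETS.get(event["src"]) or ASSETS.get(event["dst"])
    out["threat_match"] = sorted({event["src"], event["dst"]} & THREAT_FEED)
    return out


def score(event: dict) -> tuple:
    """Correlate the enriched fields into a priority score plus the reasons for it."""
    e = enrich(event)
    total, reasons = WEIGHTS["base"], []
    if e["threat_match"]:
        total += WEIGHTS["threat_match"]
        reasons.append("threat feed hit: " + ", ".join(e["threat_match"]))
    asset = e["asset"]
    if asset:
        if asset["criticality"] == "high":
            total += WEIGHTS["critical_asset"]
            reasons.append(f"critical asset {asset['hostname']}")
        if asset["open_vulns"]:
            total += WEIGHTS["open_vulns"]
            reasons.append(f"{len(asset['open_vulns'])} open vulnerability(ies)")
    if e["action"] == "allowed":
        total += WEIGHTS["allowed"]
        reasons.append("traffic was allowed, not blocked")
    return total, reasons


# Constructed sample events (assumption), as normalized from a firewall feed.
SAMPLE_EVENTS = [
    {"src": "203.0.113.9", "dst": "10.1.1.5", "dport": 22, "action": "denied"},
    {"src": "10.1.1.9", "dst": "198.51.100.7", "dport": 443, "action": "allowed"},
    {"src": "10.1.1.9", "dst": "192.0.2.10", "dport": 443, "action": "allowed"},
]


def triage(events=SAMPLE_EVENTS) -> list:
    """Score every event and print them highest priority first; returns the scores in input order."""
    scored = [(score(e), e) for e in events]
    for (total, reasons), e in sorted(scored, key=lambda x: -x[0][0]):
        print(f"score {total}: {e['src']} -> {e['dst']}:{e['dport']} ({e['action']}) "
              f"| {'; '.join(reasons) or 'no enrichment hits'}")
    return [s[0] for s, _ in scored]


if __name__ == "__main__":
    triage()
```

A blocked probe against the HMI from a feed-listed address outscores an allowed session from a low-value workstation, which in turn outscores ordinary allowed traffic; that ordering is the "needle in the haystack" the deck refers to, and it comes from the enrichment, not from the raw log line.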
Gartner Magic Quadrant

A SIEM can help with CIS Critical Security
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 14: Controlled Access Based on the Need to Know
CSC 16: Account Monitoring and Control
CSC 18: Application Software Security
CSC 19: Incident Response and Management
What to Look for on Linux

Successful user login: Accepted password, Accepted publickey, "session
Failed user login: authentication failure, failed password
User log-off: session closed
User account change or deletion: password changed, new user, delete user
Sudo actions: sudo: COMMAND=, FAILED su
Service failure: failed or failure
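The strings above are exactly what a SIEM's normalization rules key on. The following is an added example, not code from the deck: it classifies auth.log-style lines into the categories listed, with the rules ordered so that "authentication failure" is counted as a failed login rather than swallowed by the generic "failed or failure" service rule, and then counts failed logins per source address to surface a password-guessing burst. The log lines are constructed samples, and the threshold of 3 is an assumption to be tuned.

```python
import re
from collections import Counter

# Constructed sample lines in auth.log style (assumption, not from a real host).
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 web01 sshd[2231]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar  3 09:12:01 web01 sshd[2231]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 09:14:07 web01 sshd[2290]: Failed password for root from 203.0.113.9 port 40011 ssh2
Mar  3 09:14:09 web01 sshd[2290]: Failed password for root from 203.0.113.9 port 40011 ssh2
Mar  3 09:14:12 web01 sshd[2293]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=root
Mar  3 09:14:15 web01 sshd[2295]: Failed password for admin from 203.0.113.9 port 40015 ssh2
Mar  3 09:20:33 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m deploy
Mar  3 09:20:33 web01 useradd[2310]: new user: name=deploy, UID=1003, GID=1003, home=/home/deploy, shell=/bin/bash
Mar  3 09:21:02 web01 passwd[2320]: pam_unix(passwd:chauthtok): password changed for deploy
Mar  3 09:25:40 web01 su: FAILED su for root by bob
Mar  3 09:30:00 web01 systemd[1]: nginx.service: Failed with result 'exit-code'.
Mar  3 09:31:11 web01 sshd[2231]: pam_unix(sshd:session): session closed for user alice
"""

# Ordered from specific to general: the catch-all service-failure rule must
# run last or it would claim "authentication failure" and "FAILED su" lines.
RULES = [
    ("successful_login", re.compile(r"Accepted (password|publickey)|session opened")),
    ("failed_login", re.compile(r"authentication failure|Failed password")),
    ("logoff", re.compile(r"session closed")),
    ("account_change", re.compile(r"password changed|new user|delete user")),
    ("sudo_action", re.compile(r"sudo: .*COMMAND=|FAILED su")),
    ("service_failure", re.compile(r"\b(failed|failure)\b", re.IGNORECASE)),
]

# Source address appears as "from 1.2.3.4" (sshd) or "rhost=1.2.3.4" (pam_unix).
SOURCE_RE = re.compile(r"(?:from|rhost=)\s*(\d{1,3}(?:\.\d{1,3}){3})")


def classify(line: str):
    """Return the category of one log line, or None when no rule matches."""
    for category, pattern in RULES:
        if pattern.search(line):
            return category
    return None


def summarize(log_text: str) -> Counter:
    """Count lines per category; this is the normalization step a SIEM performs."""
    counts = Counter()
    for line in log_text.splitlines():
        category = classify(line)
        if category:
            counts[category] += 1
    return counts


def failed_login_sources(log_text: str, threshold: int = 3) -> dict:
    """Map source IP -> failed-login count for sources at or above the threshold."""
    per_source = Counter()
    for line in log_text.splitlines():
        if classify(line) == "failed_login":
            match = SOURCE_RE.search(line)
            if match:
                per_source[match.group(1)] += 1
    return {ip: n for ip, n in per_source.items() if n >= threshold}


if __name__ == "__main__":
    for category, n in summarize(SAMPLE_AUTH_LOG).most_common():
        print(f"{category:18s} {n}")
    for ip, n in failed_login_sources(SAMPLE_AUTH_LOG).items():
        print(f"ALARM: {n} failed logins from {ip}")
```

Rule order is the subtle part: a one-line "grep for failed" gives a service-failure count that includes every failed login, so the per-category numbers the deck asks for would be wrong.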

Top Windows 10 Event IDs to Monitor
and Alarm on (according to
4688 - New Process. Look for the obvious malicious executables like cscript.exe, sysprep.exe, nmap.exe, nbtstat.exe, netstat.exe, ssh.exe, psexec.exe, psexecsvc.exe, ipconfig.exe, ping.exe, powershell.exe, or new odd .exes
4624 - Some account logged in. What is normal?
5140 - A share was accessed. They most likely connected to the C$ share
5156 - Windows Firewall network connection by process. You can see the process connecting to an IP, which you can resolve with GeoIP to Country, Region and City.
7040 - A service has changed. Static systems don't change details of services
7045 - A new service is installed. Static systems don't get new services except at patch time and new installs.
4663 - File auditing must be enabled on directories you want to monitor
4657 - Registry auditing will give more Registry details than 4663 for Registry items
501 - PowerShell execution
4104 - PowerShell Scriptblock/module loading
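Several of these IDs only become alarms once they are compared against a baseline ("What is normal?" for 4624, "static systems don't get new services" for 7040/7045). The following is an added example, not code from the deck, showing that comparison as rules over already-parsed events: the executable watchlist for 4688 is the one listed above; the account/host baseline, the list of static hosts, the internal address ranges and the sample events are constructed assumptions. Field names follow the Windows event XML (NewProcessName, TargetUserName, ShareName, DestAddress, ServiceName).

```python
import ipaddress
from pathlib import PureWindowsPath

# Executables the deck calls out under Event ID 4688 (new process created).
PROCESS_WATCHLIST = {
    "cscript.exe", "sysprep.exe", "nmap.exe", "nbtstat.exe", "netstat.exe",
    "ssh.exe", "psexec.exe", "psexecsvc.exe", "ipconfig.exe", "ping.exe",
    "powershell.exe",
}

# Constructed baselines (assumption): the answer to "what is normal?" for 4624,
# and the hosts static enough that a new or changed service (7045/7040) is news.
KNOWN_LOGONS = {("alice", "WS-ALICE"), ("svc_backup", "FS01")}
STATIC_HOSTS = {"FS01", "DC01"}

# Address ranges considered internal (assumption). Listed explicitly rather than
# relying on ipaddress.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def check_event(evt: dict):
    """Return (rule_name, detail) when the event should alarm, otherwise None."""
    eid, host = evt["EventID"], evt["Computer"]
    if eid == 4688:
        exe = PureWindowsPath(evt["NewProcessName"]).name.lower()
        if exe in PROCESS_WATCHLIST:
            return ("watchlist_process",
                    f"{exe} started on {host} by {evt['SubjectUserName']}")
    elif eid == 4624:
        pair = (evt["TargetUserName"].lower(), host)
        if pair not in KNOWN_LOGONS:
            return ("unusual_logon", f"{pair[0]} logged on to {host} (not in baseline)")
    elif eid == 5140:
        share = evt["ShareName"]
        if share.endswith("$"):  # C$, ADMIN$ and other administrative shares
            return ("admin_share_access",
                    f"{evt['SubjectUserName']} opened {share} on {host} from {evt['IpAddress']}")
    elif eid == 5156:
        dest = ipaddress.ip_address(evt["DestAddress"])
        # External destinations are where a GeoIP lookup would add country/region/city.
        if not any(dest in net for net in INTERNAL_NETS):
            return ("external_connection",
                    f"{evt['Application']} on {host} -> {dest}:{evt['DestPort']}")
    elif eid in (7040, 7045) and host in STATIC_HOSTS:
        return ("service_change_on_static_host",
                f"event {eid} on {host}: service {evt['ServiceName']}")
    return None


def run_rules(events) -> list:
    """Apply check_event to every event; returns the (rule, detail) alarms in order."""
    alarms = []
    for evt in events:
        hit = check_event(evt)
        if hit:
            alarms.append(hit)
    return alarms


# Constructed sample events (assumption), as a collector would forward them.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS-ALICE", "SubjectUserName": "alice",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
    {"EventID": 4688, "Computer": "WS-ALICE", "SubjectUserName": "alice",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 4624, "Computer": "WS-ALICE", "TargetUserName": "alice"},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "alice"},
    {"EventID": 5140, "Computer": "FS01", "SubjectUserName": "alice",
     "ShareName": "\\\\*\\C$", "IpAddress": "10.0.0.5"},
    {"EventID": 5156, "Computer": "WS-ALICE", "DestAddress": "10.0.0.20", "DestPort": "443",
     "Application": "\\device\\harddiskvolume2\\program files\\vendor\\agent.exe"},
    {"EventID": 5156, "Computer": "WS-ALICE", "DestAddress": "198.51.100.7", "DestPort": "8443",
     "Application": "\\device\\harddiskvolume2\\users\\alice\\appdata\\local\\updater.exe"},
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "UpdaterSvc"},
    {"EventID": 7045, "Computer": "WS-ALICE", "ServiceName": "PrinterHelper"},
]

if __name__ == "__main__":
    for rule, detail in run_rules(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Note how the same 7045 on a workstation produces nothing while on the file server it alarms: the event ID alone is not the signal, the baseline is.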
What to Look for on Cisco ASA

Traffic allowed on firewall: Built connection, access-list permitted

Traffic blocked on firewall: access-list denied, deny inbound; Deny
Bytes transferred (large files?): Teardown TCP connection duration
Bandwidth and protocol usage: limit exceeded, CPU utilization
Detected attack activity: attack from
User account changes: user added, user deleted, User priv level
Administrator access: AAA user, User locked out, login failed
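The "Teardown TCP connection ... duration" message is the one worth parsing rather than just matching, because its byte count is what answers the "large files?" question above. The following is an added example, not code from the deck or from Cisco: it parses teardown lines of the shape shown in ASA 302014/302016 messages, normalizes which end is the internal host (the interface named "inside", an assumption), totals bytes per internal host, flags single connections over a size threshold, and counts denies. The log lines are constructed samples and the 100 MB threshold is an assumption.

```python
import re
from collections import Counter

# Constructed ASA-style syslog lines (assumption), in the shape of the
# "Teardown ... connection" and "Deny" messages the deck points at.
SAMPLE_ASA_LOG = """\
Mar  3 10:00:05 fw01 %ASA-6-302014: Teardown TCP connection 41001 for outside:203.0.113.5/443 to inside:10.1.1.5/51234 duration 0:00:05 bytes 18432 TCP FINs
Mar  3 10:07:44 fw01 %ASA-6-302014: Teardown TCP connection 41018 for outside:198.51.100.7/443 to inside:10.1.1.5/51240 duration 0:07:31 bytes 734003200 TCP FINs
Mar  3 10:09:10 fw01 %ASA-6-302014: Teardown TCP connection 41022 for outside:203.0.113.5/80 to inside:10.1.1.9/49300 duration 0:00:02 bytes 5120 TCP Reset-O
Mar  3 10:15:00 fw01 %ASA-6-302016: Teardown UDP connection 41030 for outside:203.0.113.53/53 to inside:10.1.1.9/53122 duration 0:00:00 bytes 312
Mar  3 10:20:00 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/40000 dst inside:10.1.1.5/22 by access-group "outside_in"
"""

TEARDOWN_RE = re.compile(
    r"Teardown (?P<proto>TCP|UDP) connection (?P<conn>\d+) for "
    r"(?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) to "
    r"(?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+)"
)

INTERNAL_IF = "inside"  # assumption: the name of the trusted interface


def parse_teardown(line: str):
    """Parse one teardown line into a dict, or None if it is not a teardown."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # The internal host can appear on either side of "for ... to ...";
    # put it in one place so later aggregation does not care.
    if d["if_a"] == INTERNAL_IF:
        internal, remote = d["ip_a"], d["ip_b"]
    else:
        internal, remote = d["ip_b"], d["ip_a"]
    return {
        "conn": int(d["conn"]), "proto": d["proto"],
        "internal": internal, "remote": remote,
        "seconds": int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"]),
        "bytes": int(d["bytes"]),
    }


def bytes_per_internal_host(log_text: str) -> Counter:
    """Total bytes moved per internal host across all torn-down connections."""
    totals = Counter()
    for line in log_text.splitlines():
        t = parse_teardown(line)
        if t:
            totals[t["internal"]] += t["bytes"]
    return totals


def large_transfers(log_text: str, threshold_bytes: int = 100 * 1024 * 1024) -> list:
    """Connections whose byte count alone is worth a look (the 'large files?' question)."""
    return [t for t in map(parse_teardown, log_text.splitlines())
            if t and t["bytes"] >= threshold_bytes]


def denied_count(log_text: str) -> int:
    """Count blocked-traffic lines ("Deny ..." or "access-list ... denied")."""
    return sum(1 for line in log_text.splitlines()
               if re.search(r"\bDeny\b|access-list .* denied", line))


if __name__ == "__main__":
    for host, total in bytes_per_internal_host(SAMPLE_ASA_LOG).most_common():
        print(f"{host:15s} {total:>12d} bytes")
    for t in large_transfers(SAMPLE_ASA_LOG):
        print(f"ALARM: conn {t['conn']} {t['internal']} <-> {t['remote']} "
              f"moved {t['bytes']} bytes in {t['seconds']} s")
    print(f"denied: {denied_count(SAMPLE_ASA_LOG)}")
```

Per-host totals catch slow exfiltration spread across many small connections, while the single-connection threshold catches the one big pull; a SIEM rule set normally needs both views of the same teardown messages.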

What to Look for on Web Servers

Excessive access attempts to non-existent files
Code (SQL, HTML) seen as part of the URL
Access to extensions you have not implemented
Web service stopped/started/failed messages
Access to risky pages that accept user input
Look at logs on all servers in the load balancer pool
Error code 200 on files that are not yours
Failed user authentication: Error code 401, 403
Invalid request: Error code 400
Internal server error: Error code 500
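Most of the web-server indicators above can be computed from a standard combined-format access log. The following is an added example, not code from the deck: it parses combined-format lines, counts 404s per client (excessive access to non-existent files), flags decoded URLs that carry SQL or HTML fragments, flags requests for extensions the site does not implement, and separates out the 200 responses among them (files that "are not yours"), alongside the 400/401/403/500 tallies. The log lines, the set of implemented extensions and the detection patterns are constructed assumptions to be tuned against real traffic.

```python
import os
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" access-log format (method, URL, status, size captured).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions this hypothetical site actually serves (assumption). Anything else
# the server answers 200 for is a file you did not put there.
IMPLEMENTED_EXTENSIONS = {"", ".html", ".css", ".js", ".png"}

# Signatures for code appearing inside a URL (assumption): deliberately loose,
# meant as a starting point for tuning, not as a complete ruleset.
CODE_IN_URL_RE = re.compile(
    r"\bunion\b.*\bselect\b|'\s*or\s+\d+\s*=\s*\d+|<script|--\s*$", re.IGNORECASE
)

# Constructed sample lines (assumption), not taken from any real server.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [03/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2024:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "curl/7.88"
203.0.113.9 - - [03/Mar/2024:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "curl/7.88"
203.0.113.9 - - [03/Mar/2024:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "curl/7.88"
203.0.113.9 - - [03/Mar/2024:10:00:03 +0000] "GET /.env HTTP/1.1" 404 209 "-" "curl/7.88"
203.0.113.9 - - [03/Mar/2024:10:00:04 +0000] "GET /backup.zip HTTP/1.1" 404 209 "-" "curl/7.88"
198.51.100.7 - - [03/Mar/2024:10:01:00 +0000] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2024:10:01:05 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Mar/2024:10:02:00 +0000] "GET /api/status HTTP/1.1" 401 0 "-" "python-requests/2.31"
10.0.0.7 - - [03/Mar/2024:10:02:01 +0000] "GET /uploads/notes.php HTTP/1.1" 200 1430 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Mar/2024:10:03:00 +0000] "POST /api/submit HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""


def parse(line: str):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded_url"] = unquote(rec["url"])          # %27 -> ', %3C -> < and so on
    rec["ext"] = os.path.splitext(urlsplit(rec["url"]).path)[1].lower()
    return rec


def analyze(log_text: str, not_found_threshold: int = 5) -> dict:
    """Run the deck's web-server checks over a log and return the findings."""
    status_counts, not_found_by_ip = Counter(), Counter()
    code_in_url, unimplemented, served_unknown = [], [], []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        status_counts[rec["status"]] += 1
        if rec["status"] == 404:
            not_found_by_ip[rec["ip"]] += 1
        if CODE_IN_URL_RE.search(rec["decoded_url"]):
            code_in_url.append((rec["ip"], rec["decoded_url"]))
        if rec["ext"] not in IMPLEMENTED_EXTENSIONS:
            unimplemented.append((rec["ip"], rec["url"], rec["status"]))
            if rec["status"] == 200:
                served_unknown.append((rec["ip"], rec["url"]))
    return {
        "status_counts": dict(status_counts),
        "excessive_404": {ip: n for ip, n in not_found_by_ip.items() if n >= not_found_threshold},
        "code_in_url": code_in_url,
        "unimplemented_extension": unimplemented,
        "served_unknown_file": served_unknown,
        "auth_failures": status_counts[401] + status_counts[403],
        "bad_requests": status_counts[400],
        "server_errors": status_counts[500],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_ACCESS_LOG).items():
        print(f"{key}: {value}")
```

The decode step matters: the SQL and script fragments in the sample are percent-encoded on the wire, so a rule that matched the raw URL would miss both. The 200 for notes.php is the finding to chase first, since a 404 for a probed path is noise but a successful response for a file type the site does not serve is not.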
A Few Informational Sites
NRECA Managed Cybersecurity Services Provider List
Windows Security Log Quick Reference Guide
Windows Security Log Events Encyclopedia
Windows event ID lookup
Monitoring Windows Event Logs for Security Breaches
SANS reading room
Information Assurance Directorate (lots of secure config advice in Library)
Spotting the Adversary with Windows Event Log Monitoring
Assess the Mess
A Few Informational Sites (cont.)
IASE Information Assurance Support Environment
Security Technical Implementation Guides (STIGs)
Windows Logging Cheat Sheets
Preso from 2015 Splunk Conference - Finding Advanced Attacks and Malware With Only 6 Windows EventIDs
Australian Government Department of Defence, Australian Signals Directorate
Critical Log Review Checklist for Security Incidents
Identity and Access in Windows Server 2016 Appendix L: Events to Monitor
Log analysis references