2
To SIEM or not to SIEM
Challenges
Analysts say for every dollar you spend directly on the SIEM you will spend 3 more to manage it
Requires a lot of planning and a complete understanding of your environment (network, server and workstation levels)
Useful implementations require good security processes and take a long time initially, and the work remains ongoing, forever
Vendors over-promise and under-deliver
Unrealistic expectations of a SIEM being the answer to all your problems
Benefits
Bad guys have the upper hand and there is too much information to handle with manual processes
Verizon's Data Breach Investigation Report over the last several years says that 97 percent of attacks could have been prevented by using simple security controls, including log management and analysis
A mature SOC depends on a mature SIEM implementation
3
Most SIEMs have lots of capabilities and integrations to 3rd party feeds
My Opinion: YES, you must SIEM
4
Why do People Struggle with SIEMs?
Not prepared for the commitment of money and time up front and the ongoing needs
Don't understand their environment and their needs
Vikas Bhatia, CEO of the New York-based cyber security consultancy Kalki Consulting:
"Almost all vendors want to sell you a big bang approach, but the best way to deploy is a phased approach. It is essential to identify in advance what system log files will be required for monitoring and know what level of security each asset requires."
Security is a process and not a one-and-done tactical operation
Mike Spencer with Accuvant: "Many organizations do not know what their critical assets are and therefore do not know how to protect them."
5
Features
Basic Features
Event Consolidation and Normalization
Log Retention
Alerting/Correlation
Dashboards
Reporting
Advanced
Threat Feeds
Compliance
Situational Awareness
User Analytics
Reduce False Positives
Packet Capture
File Integrity Monitoring
Geo Location
Workflows
Forensic Analysis
6
Ticketing
Long Term Retention
Determine Your Use Cases
7
Compliance Examples
PCI 10.7:
Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
NERC CIP 007-6 Table R4:
4.1 - Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents that includes, as a minimum, each of the following types of events: 4.1.1. Detected successful login attempts; 4.1.2. Detected failed access attempts and failed login attempts; 4.1.3. Detected malicious code.
4.2 - Generate alerts for security events that the Responsible Entity determines necessitates an alert, that includes, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System capability): 4.2.1. Detected malicious code from Part 4.1; and 4.2.2. Detected failure of Part 4.1 event logging.
4.3 - Where technically feasible, retain applicable event logs identified in Part 4.1 for at least the last 90 consecutive calendar days except under CIP Exceptional Circumstances.
8
Choosing a Deployment Model
Outsourced
Benefits
Less training is required
Higher level of expertise available
Can be more of an operating rather than a capital expenditure
Staff turnover is less of a concern
24/7 analysis
Concerns
Your data leaves the premises
Reliance on the Internet in order to manage the network
Alarms still need to be investigated
Limited visibility into the data for custom or additional analysis
Less opportunity to tune out false alarms (the vendor decides what is important)
9
On-Premise
Benefits
Control over your data and system functions
Maximum ability to configure the correlation rules, reporting, retention periods, and other settings to meet your needs
Easier to create custom feeds and input custom IOCs (such as IPs, URLs, etc. from sources like E-ISAC alerts)
Concerns
Tend to suffer from low staffing rates
Staff being pulled off SIEM work to work on projects or other duties (hard to do part-time)
Requires specialized training
Often oversized versus actual needs
10
Sizing the SIEM
11
Questions To Ask SIEM Vendors
What log sources does it handle out of the box? How do you create custom maps?
What out-of-the-box reports for security and compliance are included?
What is the cost of maintenance?
What is the cost of the SIEM product? How is it licensed?
What is the cost of training?
How is post-sale technical support handled? Stats? (time to first contact, ticket priorities, average time to resolution)
Require hardware? Support virtualization? Support hybrid?
Will it integrate with your current ticketing system?
How many report/dashboard/alert customization options are available?
12
Questions To Ask SIEM Vendors (cont.)
How will it help with operational roles and not just security?
Is there a packet capture or flow option?
How does the product handle older data that has been archived off-box?
How thorough is the product documentation?
What does the product do in the event of a license violation?
How much staffing will I need for a deployment of this size?
13
Your SIEM Uses Versus What's Built-in
14
The Path to SIEM Success
16
A SIEM can help with CIS Critical Security Controls
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 14: Controlled Access Based on the Need to Know
CSC 16: Account Monitoring and Control
CSC 18: Application Software Security
CSC 19: Incident Response and Management
17
What to Look for on Linux
18
Top Windows 10 Event IDs to Monitor and Alarm on (according to MalwareArchaeology.com)
4688 - New process. Look for the obvious malicious executables like cscript.exe, sysprep.exe, nmap.exe, nbtstat.exe, netstat.exe, ssh.exe, psexec.exe, psexecsvc.exe, ipconfig.exe, ping.exe, powershell.exe or new odd .exes
4624 - Some account logged in. What is normal?
5140 - A share was accessed. They most likely connected to the C$ share
5156 - Windows Firewall network connection by process. You can see the process connecting to an IP, which you can resolve with GeoIP to Country, Region and City.
7040 - A service has changed. Static systems don't change details of services
7045 - A new service is installed. Static systems don't get new services except at patch time and new installs.
4663 - File auditing must be enabled on directories you want to monitor
4657 - Registry auditing will give more Registry details than 4663 for Reg items
501 - PowerShell execution
4104 - PowerShell Scriptblock/module loading
19
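As an added example (not from the slides or from MalwareArchaeology.com), a small Python triage function that applies the rules above to constructed sample Windows event records: the 4688 executable list, 4624 logons by accounts outside your baseline, hidden-share access in 5140, and 7040/7045 service changes on hosts you have declared static. The record field names (`image`, `share`, `service`) are assumptions standing in for the real Security/System log fields.

```python
from collections import Counter

# Executables the slide says to alarm on when they show up in a 4688 (new process) event.
SUSPICIOUS_EXES = {
    "cscript.exe", "sysprep.exe", "nmap.exe", "nbtstat.exe", "netstat.exe", "ssh.exe",
    "psexec.exe", "psexecsvc.exe", "ipconfig.exe", "ping.exe", "powershell.exe",
}

# Constructed sample records (not real logs); field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "WS01", "user": "alice", "image": r"C:\Windows\System32\notepad.exe"},
    {"id": 4688, "host": "WS01", "user": "alice", "image": r"C:\Tools\PsExec.exe"},
    {"id": 4624, "host": "WS01", "user": "alice"},
    {"id": 4624, "host": "WS01", "user": "svc_backup"},
    {"id": 5140, "host": "FS01", "user": "alice", "share": r"\\*\C$"},
    {"id": 5140, "host": "FS01", "user": "alice", "share": r"\\*\Public"},
    {"id": 7045, "host": "FS01", "user": "SYSTEM", "service": "PSEXESVC"},
    {"id": 7040, "host": "FS01", "user": "SYSTEM", "service": "WinDefend"},
]


def logon_baseline(events):
    """Count 4624 logons per account: the data you need to answer 'what is normal?'."""
    return Counter(e["user"] for e in events if e["id"] == 4624)


def triage(events, known_users, static_hosts):
    """Return (event_id, host, reason) alarms for the records that match one of the slide's rules."""
    alarms = []
    for e in events:
        eid = e["id"]
        if eid == 4688 and e["image"].rsplit("\\", 1)[-1].lower() in SUSPICIOUS_EXES:
            alarms.append((eid, e["host"], f"suspicious process {e['image']}"))
        elif eid == 4624 and e["user"] not in known_users:
            alarms.append((eid, e["host"], f"logon by account outside baseline: {e['user']}"))
        # Hidden/administrative shares (C$, ADMIN$, IPC$) end in '$'; the slide singles out C$.
        elif eid == 5140 and e["share"].endswith("$"):
            alarms.append((eid, e["host"], f"admin share {e['share']} accessed by {e['user']}"))
        # On hosts you have declared static, any service install or change is worth an alarm.
        elif eid in (7040, 7045) and e["host"] in static_hosts:
            what = "installed" if eid == 7045 else "changed"
            alarms.append((eid, e["host"], f"service {e['service']} {what} on static host"))
    return alarms


if __name__ == "__main__":
    for alarm in triage(SAMPLE_EVENTS, known_users={"alice"}, static_hosts={"FS01"}):
        print(alarm)
```

In a real deployment the baseline set comes from `logon_baseline` run over a quiet period, and the static-host set from your asset inventory (CSC 1).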
What to Look for on Cisco ASA
20
What to Look for on Web Servers
24