10 things we're doing wrong with siem
DESCRIPTION
This is the slidedeck of the presentation I gave at Source Barcelona 2010 titled "10 things we're doing wrong with SIEM".
TRANSCRIPT
The SIEM Daily Barcelona, 21/09/2010
Sunday 3 October 2010
Logs
Disclaimer
the views and opinions expressed in this presentation are those of the speaker alone
and do not necessarily represent those of his past, current or future employers,
clients and/or associates.
10 things we’re doing wrong !
About me
Wim Remes
Infosec Consultant
Ernst & Young
Geek
I talk a lot
I <3 beer cerveza
I <3 conversation
[email protected]
@wimremes on twitter
About this talk
SIEM is on the floor
the reason is tech
the reason is me
the reason is you
why do we f**k up?
how can we f**k up less?
SIEM
People Product
Process
Security Information and Event Management
1. It’s the information, silly !
DATA
FILTER
RELATIONSHIP?
INFORMATION
DATA → INFORMATION (psstt... this isn’t the end !)
KNOWLEDGE
UNDERSTANDING
WISDOM
2. cuz that’s the way we roll ...
PLAN
DO
CHECK (study)
ACT
Wendy at the last SIEM team team-building weekend ...
3. Cylinders of excellence ...
INFOSEC
NETWORK
APPS
INFRA
4. COMPLIANCE DRIVEN SECURITY
[chart: 80% / 15% / 5%]
I want to / I’m ready / I have to *
* I err on the side of optimism
- regulatory
- internal audit
- higher forces
5. FEAR DRIVEN SECURITY
Manage your defenses based on reality, not on publicity !
Verizon DBIR 2010
6. WYAFIWYG
(what you ask for is what you get)
Log Management ...
Correlation !
Detect APT Hackers !!
Log Management ...
We need to centralize and retain all log data from all of our boxes and we’ve been told SIEM is the way to go.
What box can help us to get all that stuff centralized ?
Correlation !
We have heard of this thing called correlation and apparently $solution from $vendor can do that for us.
When can you ship that box ?
Detect APT Hackers !!
Hackers are dangerous!
We need SIEM to catch them !
(Gimme, gimme, gimme)
Fraud alerts are the leading method of discovering breaches
Verizon DBIR 2010
Build YOUR use case !
a. React Faster
b. Improve Efficiency
c. Automate Compliance
Securosis : Understanding and Selecting SIEM/Log Management
7. In the beginning ...
FLAT HIERARCHY MESH
Who? What? When? Where? Why?
src ip address, dst ip address, username, host name, app name, action
Data Points
Data Sources
Use Cases
8. Linking it up ...
SIEM
Vulnerability Management
CMDB Vulnerability Management
Network Behaviour Analysis
Incident Response Process
Change Management
CONTEXT
Incident Data
Infosec BI
9. Reporting for duty ...
1. Choose the right metrics
2. Choose the right charts
3. Learn how to interpret and visualize data
4. Reports/Scorecards are not only for management !
10. Standards ?
CEF (common event format)
CEE (common event expression)
CEE (common event expression)
event → CLT → log (CELR & CLS)
Dictionary / Taxonomy
Common Event Log Recommendations (CELR)
Common Log Syntax (CLS)
Common Log Transport (CLT)
CEE Common Log Syntax
Event
Details
Field Set: Name / Entry, Name / Entry
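To make the deck's DATA → FILTER → RELATIONSHIP → INFORMATION chain (slide 1), the who/what/when/where data points (slide 7) and the CEF record format (slide 10) concrete, here is an added example that is not part of the original slides: a tiny pipeline that parses CEF lines, keeps only the 5W data points, and applies one relationship rule. The "ExampleCorp VPN" device, the sample log lines, and the rule thresholds (three failed logons within ten minutes followed by a success from the same source) are all constructed for this example; the CEF header layout and the extension keys rt, suser, src, dhost, app, act and outcome are the standard ArcSight CEF ones.

```python
"""Added example (not from the slide deck): DATA -> FILTER -> RELATIONSHIP -> INFORMATION
over CEF records. Sample data and thresholds are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data from a hypothetical VPN gateway. CEF header layout:
# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
# rt is the receipt time in epoch milliseconds.
SAMPLE_LOGS = [
    "CEF:0|ExampleCorp|VPN|1.0|100|Login failed|5|rt=1285063200000 suser=alice src=198.51.100.7 dhost=vpn1 app=vpn act=login outcome=failure",
    "CEF:0|ExampleCorp|VPN|1.0|100|Login failed|5|rt=1285063210000 suser=bob src=203.0.113.9 dhost=vpn1 app=vpn act=login outcome=failure",
    "CEF:0|ExampleCorp|VPN|1.0|101|Login ok|2|rt=1285063220000 suser=bob src=203.0.113.9 dhost=vpn1 app=vpn act=login outcome=success",
    "CEF:0|ExampleCorp|VPN|1.0|100|Login failed|5|rt=1285063230000 suser=alice src=198.51.100.7 dhost=vpn1 app=vpn act=login outcome=failure",
    "CEF:0|ExampleCorp|VPN|1.0|100|Login failed|5|rt=1285063260000 suser=alice src=198.51.100.7 dhost=vpn1 app=vpn act=login outcome=failure",
    "CEF:0|ExampleCorp|VPN|1.0|101|Login ok|2|rt=1285063300000 suser=alice src=198.51.100.7 dhost=vpn1 app=vpn act=login outcome=success",
    "CEF:0|ExampleCorp|VPN|1.0|101|Login ok|2|rt=1285063400000 suser=alice src=192.0.2.44 dhost=vpn1 app=vpn act=login outcome=success",
]

HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
# Extension values may contain spaces, so a value runs until the next "key=" token or end of line.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """DATA: one CEF record -> dict of the seven header fields plus extension keys.
    Simplification: escaped pipes (\\|) inside header fields are not handled."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = line[4:].split("|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event.update(EXT_RE.findall(parts[7]))
    return event


def five_w(event):
    """FILTER: keep only the who / what / when / where data points from slide 7."""
    when = datetime.fromtimestamp(int(event["rt"]) / 1000, tz=timezone.utc)
    return {
        "who": event.get("suser"),
        "what": (event.get("app"), event.get("act"), event.get("outcome")),
        "when": when,
        "where": (event.get("src"), event.get("dhost")),
    }


def failures_then_success(points, min_failures=3, window_minutes=10):
    """RELATIONSHIP: relate records sharing the same (user, source address) over time.
    Emits one INFORMATION item when >= min_failures failed logons inside the window
    are followed by a successful one. Thresholds are constructed, not from the deck."""
    by_key = defaultdict(list)
    for p in sorted(points, key=lambda p: p["when"]):
        by_key[(p["who"], p["where"][0])].append(p)

    findings = []
    window = timedelta(minutes=window_minutes)
    for (user, src), seq in by_key.items():
        failures = []  # timestamps of failed logons not yet followed by a success
        for p in seq:
            outcome = p["what"][2]
            if outcome == "failure":
                failures.append(p["when"])
            elif outcome == "success":
                recent = [t for t in failures if p["when"] - t <= window]
                if len(recent) >= min_failures:
                    findings.append({"who": user, "where": src,
                                     "failures": len(recent), "succeeded_at": p["when"]})
                failures = []
    return findings


def to_information(lines):
    """Run the whole chain: raw CEF lines in, relationship findings out."""
    return failures_then_success([five_w(parse_cef(line)) for line in lines])


if __name__ == "__main__":
    for finding in to_information(SAMPLE_LOGS):
        print(finding)
```

Running it yields one finding (alice, 198.51.100.7, 3 failures); bob's single failure and alice's later success from a different address do not relate to anything and stay at the DATA level. In the deck's terms the finding is still only INFORMATION: whether it is a forgotten password or an account takeover (KNOWLEDGE) needs the CONTEXT sources of slide 8, such as CMDB and vulnerability data, and an analyst.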
Who to follow ?
@anton_chuvakin
@zrlram
@andrewsmhay
@rockyd
@securosis