10 things we're doing wrong with SIEM

The SIEM Daily Barcelona, 21/09/2010 Sunday 3 October 2010

Upload: wremes

Post on 18-Nov-2014


DESCRIPTION

This is the slidedeck of the presentation I gave at Source Barcelona 2010 titled "10 things we're doing wrong with SIEM".

TRANSCRIPT

Page 1: 10 things we're doing wrong with SIEM


Page 2

Logs

Page 3

Disclaimer

The views and opinions expressed in this presentation are those of the speaker alone and do not necessarily represent those of his past, current or future employers, clients and/or associates.

Page 4

10 things we're doing wrong!

About me
Wim Remes, Infosec Consultant, Ernst & Young
Geek
I talk a lot
I <3 beer / cerveza
I <3 conversation
[email protected], @wimremes on twitter

About this talk
SIEM is on the floor
the reason is tech
the reason is me
the reason is you
why do we f**k up?
how can we f**k up less?

Page 5

SIEM: Security Information and Event Management

People, Product, Process

Page 6

1. It's the information, silly!

Page 7

DATA
FILTER
RELATIONSHIP?
INFORMATION

Page 8

DATA -> INFORMATION (psstt... this isn't the end!)

Page 9

KNOWLEDGE

Page 10

UNDERSTANDING

Page 11

WISDOM

Page 12

2. 'cuz that's the way we roll ...

Page 13

PLAN - DO - CHECK (study) - ACT


Page 15

Wendy at the last SIEM team team-building weekend ...


Page 17

3. Cylinders of excellence ...

Page 18

INFOSEC
NETWORK
APPS
INFRA


Page 21

4. COMPLIANCE DRIVEN SECURITY

Page 22

80% / 15% / 5%

I want to / I'm ready / I have to

* I err on the side of optimism

- regulatory
- internal audit
- higher forces


Page 24

5. FEAR DRIVEN SECURITY

Page 25

Manage your defenses based on reality, not on publicity!

Verizon DBIR 2010

Page 26

6. WYAFIWYG (what you ask for is what you get)

Page 27

Log Management ...
Correlation!
Detect APT Hackers!!

Page 28

Log Management ...

We need to centralize and retain all log data from all of our boxes and we've been told SIEM is the way to go.

What box can help us to get all that stuff centralized?

Page 29

Correlation!

We have heard of this thing called correlation and apparently $solution from $vendor can do that for us.

When can you ship that box?

Page 30

Detect APT Hackers!!

Hackers are dangerous!

We need SIEM to catch them!

(Gimme, gimme, gimme)

Page 31

Fraud alerts are the leading method of discovering breaches

Verizon DBIR 2010

Page 32

Build YOUR use case!

a. React Faster
b. Improve Efficiency
c. Automate Compliance

Securosis: Understanding and Selecting SIEM/Log Management

Page 33

7. In the beginning ...

Page 34

FLAT
HIERARCHY
MESH

Page 35

Use Cases
Who? What? When? Where? Why?

Data Points
src ip address, dst ip address, username, host name, app name, action

Data Sources

Page 36

8. Linking it up ...

Page 37

SIEM linked with:
Vulnerability Management
CMDB
Network Behaviour Analysis
Incident Response Process
Change Management

CONTEXT
Incident Data
Infosec BI

Page 38

9. Reporting for duty ...

Page 39

1. Choose the right metrics
2. Choose the right charts
3. Learn how to interpret and visualize data
4. Reports/Scorecards are not only for management!

Page 40

10. Standards?

Page 41

CEF (common event format)

CEE (common event expression)

Page 42

CEE (common event expression)

event -> CLT -> log, with CELR & CLS

Dictionary/Taxonomy
Common Event Log Recommendations (CELR)
Common Log Syntax (CLS)
Common Log Transport (CLT)

Page 43

CEE Common Log Syntax

Event Details
Field Set
Name / Entry
Name / Entry
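As an added example (not from the deck, and not the speaker's code), the data-to-information step of pages 7 and 35 carried through on a standard format the deck names: it parses constructed CEF lines (page 41's common event format) into the who/what/where data points listed on page 35, using the standard CEF extension keys src, dst, suser, dhost, app and act, and then relates the filtered records across data sources for one use case. The vendor, product and host names in the sample lines are made up.

```python
import re
from collections import defaultdict

# Constructed sample CEF lines for this example (not taken from the talk).
# Header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
SAMPLE_LOGS = [
    r"CEF:0|Acme|VPN|2.1|100|Login failed|5|src=10.1.1.5 dst=10.0.0.2 suser=wendy dhost=vpn01 app=ssl-vpn act=deny",
    r"CEF:0|Acme|VPN|2.1|100|Login failed|5|src=10.1.1.5 dst=10.0.0.2 suser=wendy dhost=vpn01 app=ssl-vpn act=deny",
    r"CEF:0|Acme|Directory|1.0|4625|Logon failure|6|src=10.1.1.5 dst=10.0.0.9 suser=wendy dhost=dc01 app=kerberos act=deny",
    r"CEF:0|Acme|Directory|1.0|4624|Logon success|2|src=10.1.1.5 dst=10.0.0.9 suser=wendy dhost=dc01 app=kerberos act=allow",
    r"CEF:0|Acme|IDS|1.0|300|Rule A\|B hit|7|src=10.1.1.5 dst=10.0.0.2 suser=wendy dhost=ids01 app=http act=deny",
    r"CEF:0|Acme|Firewall|5.0|200|Connection|1|src=10.1.1.7 dst=10.0.0.9 suser=bob dhost=dc01 app=smb act=allow",
]

HEADER_FIELDS = ("vendor", "product", "version", "signature_id", "name", "severity")
# The slide's data points mapped to the standard CEF extension keys that carry them.
DATA_POINTS = {"src ip": "src", "dst ip": "dst", "username": "suser",
               "host name": "dhost", "app name": "app", "action": "act"}

def parse_cef(line):
    """Split one CEF line into its header fields plus extension key/value pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Eight pipe-separated parts; a literal pipe inside a header value is escaped as \|
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = dict(zip(HEADER_FIELDS, (p.replace(r"\|", "|") for p in parts[1:7])))
    # Extension: key=value pairs; a value runs until the next " key=" or end of line
    for key, value in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
        event[key] = value.replace(r"\=", "=")
    return event

def to_information(line):
    """FILTER step: reduce raw data to the who/what/where data points the slide names."""
    event = parse_cef(line)
    info = {label: event.get(key) for label, key in DATA_POINTS.items()}
    info["source"] = event["product"]  # which data source produced the record
    return info

def denied_users_across_sources(lines):
    """RELATIONSHIP step: one use case, relating deny actions by username across sources."""
    sources = defaultdict(set)
    for line in lines:
        info = to_information(line)
        if info["action"] == "deny":
            sources[info["username"]].add(info["source"])
    return {user: sorted(found) for user, found in sources.items()}
```

The result is information a use case can act on (one user denied by three independent sources), where the raw lines alone were only data.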

Page 44

Who to follow?

@anton_chuvakin
@zrlram
@andrewsmhay
@rockyd
@securosis
