10 things we're doing wrong with SIEM

Post on 18-Nov-2014


DESCRIPTION

This is the slidedeck of the presentation I gave at Source Barcelona 2010 titled "10 things we're doing wrong with SIEM".

TRANSCRIPT

The SIEM Daily Barcelona, 21/09/2010

Sunday 3 October 2010

Logs


Disclaimer

The views and opinions expressed in this presentation are those of the speaker alone and do not necessarily represent those of his past, current or future employers, clients and/or associates.


10 things we’re doing wrong !

About me

Wim Remes
Infosec Consultant, Ernst & Young
Geek
I talk a lot
I <3 beer cerveza
I <3 conversation
wremes@gmail.com
@wimremes on twitter

About this talk

SIEM is on the floor
the reason is tech
the reason is me
the reason is you

why do we f**k up?how can we f**k up less?


SIEM

People Product

Process

Security Information and Event Management


1. It’s the information, silly!


DATA

FILTER

RELATIONSHIP?

INFORMATION


DATA INFORMATION (psstt... this isn’t the end!)


KNOWLEDGE


UNDERSTANDING


WISDOM


2. cuz that’s the way we roll ...


PLAN

DO

CHECK (study)

ACT


Wendy at the last SIEM team team-building weekend ...


3. Cylinders of excellence ...


INFOSEC

NETWORK

APPS

INFRA


4. COMPLIANCE DRIVEN SECURITY


80% 15%

5%

I want to I’m ready I have to

* I err on the side of optimism

- regulatory
- internal audit

- higher forces


5. FEAR DRIVEN SECURITY


Manage your defenses based on reality, not on publicity!

Verizon DBIR 2010


6. WYAFIWYG

(what you ask for is what you get)


Log Management ...

Correlation !

Detect APT Hackers !!


Log Management ...

We need to centralize and retain all log data from all of our boxes and we’ve been told SIEM is the way to go.

What box can help us to get all that stuff centralized?


Correlation !

We have heard of this thing called correlation and apparently $solution from $vendor can do that for us.

When can you ship that box?


Detect APT Hackers !!

Hackers are dangerous!

We need SIEM to catch them !

(Gimme, gimme, gimme)


Fraud alerts are the leading method of discovering breaches

Verizon DBIR 2010


Build YOUR use case !

a. React Faster
b. Improve Efficiency

c. Automate Compliance

Securosis : Understanding and Selecting SIEM/Log Management


7. In the beginning ...


FLAT HIERARCHY MESH


Who? What? When? Where? Why?

Data Points: src ip address, dst ip address, username, host name, app name, action

Data Sources

Use Cases


8. Linking it up ...


SIEM

Vulnerability Management

CMDB

Network Behaviour Analysis

Incident Response Process

Change Management

CONTEXT

Incident Data

Infosec BI


9. Reporting for duty ...


1. Choose the right metrics
2. Choose the right charts
3. Learn how to interpret and visualize data
4. Reports/Scorecards are not only for management!


10. Standards?


CEF (common event format)

CEE (common event expression)


CEE (common event expression)

event / CLT / log / CELR & CLS

Dictionary/Taxonomy

Common Event Log Recommendations (CELR)
Common Log Syntax (CLS)
Common Log Transport (CLT)


CEE Common Log Syntax

Event Details: Field Set Name, Entry Name, Entry
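The point of slide 10 (standards) and slide 7 (who/what/when/where data points) meets in the collector: a standard record format only pays off if the parser maps its fields onto the data points the use case needs. The following Python is an added example and not part of the deck or of any vendor's code. It parses ArcSight-style CEF records (the seven pipe-separated header fields and the `key=value` extension, with the standard CEF escapes and key names such as `src`, `dst`, `suser`, `act`, `rt`) and normalizes each one onto the who/what/when/where shape; the vendor and product names and the sample records are constructed.

```python
"""Parse CEF records and map them onto who/what/when/where data points.
Added example, not from the slides. Header layout and extension key names
are the standard CEF ones; the sample events below are constructed."""
import re
from datetime import datetime, timezone

# A key starts at the beginning of the extension or after whitespace; an
# escaped "\=" inside a value never matches because "\" is not a key char.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")


def _split_header(rest):
    # The only header escapes are "\|" and "\\". Stop after the 7th pipe and
    # hand the remainder back untouched, since the extension has its own escapes.
    fields, cur, i = [], [], 0
    while i < len(rest) and len(fields) < 7:
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest) and rest[i + 1] in "|\\":
            cur.append(rest[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, rest[i:]


def _unescape_ext(value):
    # Extension escapes: "\\", "\=", "\n", "\r".
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_extension(ext):
    """Return the extension as a dict; a value runs until the next key."""
    result = {}
    matches = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        result[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return result


def parse_cef(line):
    """Return {"header": {...}, "extension": {...}} for one CEF record."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, ext = _split_header(line[len("CEF:"):])
    header = dict(zip(HEADER_FIELDS, fields))
    if header["severity"].isdigit():
        header["severity"] = int(header["severity"])
    return {"header": header, "extension": parse_extension(ext)}


def _to_iso(rt):
    # CEF "rt" is epoch milliseconds; anything else is passed through as-is.
    if rt is None:
        return None
    if rt.isdigit():
        return datetime.fromtimestamp(int(rt) / 1000, tz=timezone.utc).isoformat()
    return rt


def normalize(line):
    """Map a record onto the who/what/when/where data points of slide 7.
    'Why' is not in the record: it comes from context joined in later."""
    rec = parse_cef(line)
    h, e = rec["header"], rec["extension"]
    return {
        "who": e.get("suser") or e.get("duser"),
        "what": {"name": h["name"], "signature_id": h["signature_id"],
                 "action": e.get("act"), "severity": h["severity"]},
        "when": _to_iso(e.get("rt")),
        "where": {k: e.get(k) for k in ("src", "spt", "shost", "dst", "dpt", "dhost")},
        "source": {"device": f'{h["vendor"]} {h["product"]} {h["device_version"]}',
                   "app": e.get("app")},
    }


SAMPLE_EVENTS = [  # constructed records, not from any real device
    "CEF:0|ExampleVendor|ExampleFW|1.0|100|Connection blocked|7|"
    "rt=1285027200000 src=10.0.0.5 spt=51234 dst=203.0.113.9 dpt=443 "
    "act=deny suser=alice shost=ws01 msg=Outbound \\=policy\\= hit",
    "CEF:0|ExampleVendor|Example\\|Auth|2.3|42|Login \\| failed|3|"
    "duser=bob dhost=srv01 app=sso",
]

if __name__ == "__main__":
    for sample in SAMPLE_EVENTS:
        print(normalize(sample))
```

The two escape layers are kept apart on purpose: pipes are escaped only in the header, equals signs only in the extension, so a parser that splits the whole line on `|` or unescapes everything in one pass will either truncate a name containing `\|` or silently corrupt a message containing `\=`. The normalizer leaves "why" empty, which is the deck's own argument for slide 8: that field is filled by joining context (CMDB, vulnerability data) onto the event, not by the record itself.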


Who to follow?

@anton_chuvakin
@zrlram
@andrewsmhay
@rockyd
@securosis
