Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements
Presentation by: Peter Thomas, Blue Lance, Inc

Outline
• SIEM Overview
• Why SIEM Implementations Fail?
• SIEM Strategies for Security, Audit and Compliance
• Recommended Events & Reports
• Q&A

SIEM Overview
• Definition – “SIEM technology is used to analyze security event data in real time for internal and external threat management, and to collect, store, analyze and report on log data for regulatory compliance and forensics”
• Key Objectives
  • Identify threats and possible breaches
  • Collect audit logs for security and compliance
  • Conduct investigations and provide evidence

SIEM Process Flow
Data Collection → Extract Intelligent Information → Add Value → Presentation (Dashboards & Reports)

SIEM Architecture
• System Inputs
  • Event Data: Operating Systems, Applications, Devices, Databases
  • Contextual Data: Vulnerability Scans, User Information, Asset Information, Threat Intelligence
• SIEM: Data Collection, Normalization, Aggregation, Correlation Logic/Rules, Analysis
• System Outputs: Reports, Real Time Monitoring

Why SIEM Implementations Fail?
• Lack of Planning
  • No defined scope
• Faulty Deployment Strategies
  • Incoherent log management data collection
  • High volume of irrelevant data can overload the system
• Operational
  • Lack of management oversight
  • Assume plug and play

EFFECTIVE SIEM STRATEGIES

Output-driven Log Management Strategy
Context data + Log data + Other data → Collect events relevant for desired outcomes
• High quality in, high quality out
• Reduces costs and improves efficiency
• Requires upfront planning

Data Interpretation
• Ability to interpret log and event data
• Capture critical information
  • User name/ID
  • Host name
  • Station address (IP)
  • Destination/target address

Examples of Data Interpretation
Jan 5 16:50:38 OES3R1 sshd[30645]: Failed keyboard-interactive/pam for invalid user jsmith from 10.4.0.4 port 49384 ssh2
Jan 5 16:55:16 OES3R1 sshd[21721]: Accepted keyboard-interactive/pam for jsmith from 10.4.0.4 port 49379 ssh2
Jan 5 17:32:17 OES3R1 sudo: jsmith : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd

Adding Value or Context to Data
• Examples of context
  • Add geo-location information
  • Get information from DNS servers
  • Get user details (full name, job title & description)
• Added context aids in identifying
  • Access from foreign locations
  • Suspect data transfer

Case Management
• Issue Tracking and Metrics
  • Capability to create and track tickets on core assets
  • Document and validate that tickets are handled and processed to comply with organizational SLAs
  • Track number of threats detected

Typical Events to Alert
• Repeat Attacks (Brute force)
  • 3 or more failed login attempts
• Network Attacks (Port scans, worm propagation)
  • Numerous firewall drop/reject/deny events from a single source IP address
  • Numerous IDS alerts from a single source
  • Alert for multiple connections from a single host
• Application Attacks
  • Cross-site scripting / SQL Injection
  • Unauthorized file activity on Web Servers

Common Reports for Compliance
• User Activity Reports
  • Track authentication activity (VPN, Active Directory, access to devices such as firewalls and routers)
  • Track when users are created, deleted and modified
  • Track access by privileged accounts
  • Track usage of service accounts
  • Track escalation of privileges
• Configuration Change Reports
  • Changes made to operating system configurations
  • Track device configuration changes

Conclusion
• SIEM requires constant oversight to give value.
• Adopt an "output-driven" SIEM approach.
• Look for data quality (interpreted data).
• Define/refine incident response process.

Q&A
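Added example (not part of the original deck): the three syslog lines from the "Examples of Data Interpretation" slide, plus a few constructed ones, run through a small interpreter that extracts the user, host and source-address fields the "Data Interpretation" slide calls out, and then through the "3 or more failed login attempts" rule from the "Typical Events to Alert" slide. The extra log lines, the event names and the threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Patterns for the two event types shown on the slide: sshd authentication and sudo.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : "
    r"(?P<n>\d+) incorrect password attempts? ;.*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Constructed sample: the deck's three lines plus two more failures from the same
# source and one from a second source (the last three are not from the slide).
SAMPLE_LOG = [
    "Jan 5 16:50:38 OES3R1 sshd[30645]: Failed keyboard-interactive/pam for invalid user jsmith from 10.4.0.4 port 49384 ssh2",
    "Jan 5 16:55:16 OES3R1 sshd[21721]: Accepted keyboard-interactive/pam for jsmith from 10.4.0.4 port 49379 ssh2",
    "Jan 5 17:32:17 OES3R1 sudo: jsmith : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd",
    "Jan 5 17:40:02 OES3R1 sshd[30891]: Failed keyboard-interactive/pam for invalid user admin from 10.4.0.4 port 49402 ssh2",
    "Jan 5 17:40:05 OES3R1 sshd[30892]: Failed keyboard-interactive/pam for root from 10.4.0.4 port 49403 ssh2",
    "Jan 5 17:41:11 OES3R1 sshd[30901]: Failed keyboard-interactive/pam for jsmith from 10.4.0.9 port 50210 ssh2",
]

def interpret(line):
    """Normalize one raw syslog line into the fields the slide calls out
    (user, host, source address, target) plus a named event; None if unknown."""
    m = SSHD_RE.match(line)
    if m:
        d = m.groupdict()
        return {"ts": d["ts"], "host": d["host"], "user": d["user"], "src_ip": d["ip"],
                "event": "ssh_login_ok" if d["result"] == "Accepted" else "ssh_login_failed"}
    m = SUDO_RE.match(line)
    if m:
        d = m.groupdict()
        return {"ts": d["ts"], "host": d["host"], "user": d["user"], "src_ip": None,
                "event": "sudo_auth_failed", "target_user": d["target"],
                "command": d["cmd"], "failures": int(d["n"])}
    return None  # Unparsed lines should be counted so collection gaps stay visible.

def brute_force_alerts(lines, threshold=3):
    """The slide's repeat-attack rule: alert when one source IP has
    `threshold` or more failed SSH logins. Returns {ip: failure_count}."""
    failures = defaultdict(int)
    for line in lines:
        ev = interpret(line)
        if ev and ev["event"] == "ssh_login_failed":
            failures[ev["src_ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}
```

Running `brute_force_alerts(SAMPLE_LOG)` over the sample yields one alert for 10.4.0.4 with three failures; the single failure from 10.4.0.9 stays below the threshold.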