Why SIEM Implementations Fail?

Using SIEM Solutions Effectively to meet Security, Audit, and
Compliance Requirements
Presentation by:
Peter Thomas
Blue Lance, Inc
Outline
• SIEM Overview
• Why SIEM Implementations Fail?
• SIEM Strategies for Security, Audit and Compliance
• Recommended Events & Reports
• Q&A
SIEM Overview
• Definition – “SIEM technology is used to analyze security
event data in real time for internal and external threat
management, and to collect, store, analyze and report on log
data for regulatory compliance and forensics”
• Key Objectives
  • Identify threats and possible breaches
  • Collect audit logs for security and compliance
  • Conduct investigations and provide evidence
SIEM Process Flow
Data Collection → Extract Intelligent Information → Add Value → Presentation (Dashboards & Reports)
SIEM Architecture
System Inputs
  • Event Data: Operating Systems, Applications, Devices, Databases
  • Contextual Data: Vulnerability Scans, User Information, Asset Information, Threat Intelligence
SIEM Processing
  • Data Collection, Normalization, Aggregation
  • Correlation Logic/Rules
System Outputs
  • Analysis, Reports, Real Time Monitoring
Why SIEM Implementations Fail?
• Lack of Planning
  • No defined scope
• Faulty Deployment Strategies
  • Incoherent log management data collection
  • High volume of irrelevant data can overload the system
• Operational
  • Lack of management oversight
  • Assume plug and play
EFFECTIVE SIEM STRATEGIES
Output-driven Log Management Strategy
Context data, Log data, Other data → Collect events relevant for desired outcomes
• High quality in → High quality out
• Reduces costs and improves efficiency
• Requires upfront planning
Data Interpretation
• Ability to interpret log and event data
• Capture critical information
  • User name/ID
  • Host name
  • Station address (IP)
  • Destination/target address
Examples of Data Interpretation
Jan 5 16:50:38 OES3R1 sshd[30645]: Failed keyboard-interactive/pam for invalid user jsmith from 10.4.0.4 port 49384 ssh2
Jan 5 16:55:16 OES3R1 sshd[21721]: Accepted keyboard-interactive/pam for jsmith from 10.4.0.4 port 49379 ssh2
Jan 5 17:32:17 OES3R1 sudo: jsmith : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
Adding Value or Context to data
• Examples of context
  • Add geo-location information
  • Get information from DNS servers
  • Get User details (Full Name, Job Title & Description)
• Adding context aids in identifying
  • Access from foreign locations
  • Suspect data transfer
Case Management
• Issue Tracking and Metrics
  • Capability to create and track tickets on core assets
  • Document and validate that tickets are handled and processed
    to comply with organizational SLAs
  • Track number of threats detected
Typical Events to Alert
• Repeat Attacks (Brute force)
  • 3 or more failed login attempts
• Network Attacks (Port scans, worm propagation)
  • Numerous firewall drop/reject/deny events from a single
    source IP address
  • Numerous IDS alerts from a single source
  • Alert for multiple connections from a single host
• Application Attacks
  • Cross-site scripting / SQL Injection
  • Unauthorized file activity on Web Servers
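As an added example (not code from the presentation or from Blue Lance), the following Python block applies the "Data Interpretation" slides and the brute-force rule from "Typical Events to Alert": it normalises the sshd/sudo lines shown above into the critical fields (user, host, source IP, target) and then raises an alert when a (source IP, user) pair reaches 3 or more failed logins. The sample log is constructed from the slide's three lines plus two extra failed attempts, and the field names and threshold parameter are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the three lines from the slides plus two more failed attempts.
SAMPLE_LOG = """\
Jan 5 16:50:38 OES3R1 sshd[30645]: Failed keyboard-interactive/pam for invalid user jsmith from 10.4.0.4 port 49384 ssh2
Jan 5 16:50:41 OES3R1 sshd[30645]: Failed keyboard-interactive/pam for invalid user jsmith from 10.4.0.4 port 49386 ssh2
Jan 5 16:50:44 OES3R1 sshd[30645]: Failed keyboard-interactive/pam for invalid user jsmith from 10.4.0.4 port 49388 ssh2
Jan 5 16:55:16 OES3R1 sshd[21721]: Accepted keyboard-interactive/pam for jsmith from 10.4.0.4 port 49379 ssh2
Jan 5 17:32:17 OES3R1 sudo: jsmith : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
"""

# Generic syslog envelope: timestamp, host, program[pid]: message
SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)(?:\[\d+\])?: (?P<msg>.*)$")
# sshd authentication outcome; "invalid user" is optional
SSHD = re.compile(r"^(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
# sudo failed privilege escalation: who, how many attempts, target user, command
SUDO = re.compile(r"^(?P<user>\S+) : (?P<n>\d+) incorrect password attempt.*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def interpret(line):
    """Normalise one syslog line into the critical fields named on the slides."""
    m = SYSLOG.match(line)
    if not m:
        return None  # not a syslog-shaped line; skip rather than guess
    ev = {"time": m["ts"], "host": m["host"], "source": m["prog"]}
    if m["prog"] == "sshd" and (s := SSHD.match(m["msg"])):
        ev.update(user=s["user"], src_ip=s["src"], outcome=s["outcome"].lower(), action="login")
    elif m["prog"] == "sudo" and (s := SUDO.match(m["msg"])):
        ev.update(user=s["user"], src_ip=None, outcome="failed",
                  action="privilege_escalation", target=s["target"], command=s["cmd"])
    else:
        ev.update(user=None, src_ip=None, outcome="unknown", action="other")
    return ev


def parse_log(text):
    """Interpret every line; unparseable lines are dropped."""
    return [ev for ev in map(interpret, text.splitlines()) if ev]


def brute_force_alerts(events, threshold=3):
    """Slide rule: alert on 3 or more failed logins from one source IP for one user."""
    fails = Counter((e["src_ip"], e["user"]) for e in events
                    if e["action"] == "login" and e["outcome"] == "failed")
    return [{"src_ip": ip, "user": u, "count": n} for (ip, u), n in fails.items() if n >= threshold]


if __name__ == "__main__":
    for alert in brute_force_alerts(parse_log(SAMPLE_LOG)):
        print("ALERT brute force:", alert)
```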
Common Reports for Compliance
• User Activity Reports
  • Track authentication activity (VPN, Active Directory, ...)
  • Access to devices (Firewalls, routers ..)
  • Track when users are created, deleted and modified
  • Track access by privileged accounts
  • Track usage of service accounts
  • Track escalation of privileges
• Configuration Change Reports
  • Changes made to operating system configurations
  • Track device configuration changes
Conclusion
• SIEM requires constant oversight to deliver value.
• Adopt an "output-driven" SIEM approach.
• Look for data quality (interpreted data).
• Define/refine the incident response process.
Q&A