SIEMs - Decoding The Mayhem
Bill Dean
Director of Computer Forensics
Sword & Shield Enterprise Security Inc.
Outline
• Today’s Threat Landscape
• Why Do I Need a SIEM?
• Choosing and Deploying a SIEM
• This Will Not Be Boring
Computer Security Landscape
• You Are Being Blamed
• Your Money Isn’t Safe
• Your Information Isn’t Safe
• Your Reputation Is at Stake
• More Threats, Less People
You Are Being Blamed
• BotNets
• Pivoting
Stealing Your $$
Stealing Your Information
• Computers Are No Longer for “Productivity”
• You Have Valuable Information
• You ARE A Target
• You Aren’t Dealing With “Amateurs”
Hacktivists – Exposing Your Secrets
Hacktivists – Business Disruption
Your Challenge
SIEMS
You Need An “Oracle”
• Knows The Past
• Knows The Present
• Knows The Future
• Knows How to CYA
SIEM Basics
• Provides “Instant Replay”
• 24 X 7 Security Guard
• SIEMs v. Firewall v. IDS v. IPS
• SIEM v. SEIM v. SIM
• Typically Compliance Driven
Compliance
• HIPAA
• PII
• Data Breach Notification Laws
Why Do I Need A SIEM?
• Infrastructure Monitoring
• Reporting
• Threat Correlation
• Instant Replay
• Incident Response
What Is Monitored?
• Account Activity
• Availability
• IDS/Context Correlation
• Data Exfiltration
• Client Side Attacks
• Brute Force Attacks
Windows Accounts
• Accounts Created, By Whom, and When
• New Accounts That Aren’t Standard
• New Accounts Created At Odd Times
• New Workstation Account Created
• Key Group Membership Change
• Account Logon Hours
Availability
• System Uptime Statistics
• Availability Reporting
• Uptime is “Relative”
IDS Context/Correlation
• Place Value On Assets
• Context Is Essential
• Maintain Current Vulnerability DBs
• Create Priority Rules
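The slide's four points (asset value, context, a current vulnerability database, priority rules) combine into one scoring step. The following is an added example written for this page, not code from the presentation or any SIEM product: the asset inventory, vulnerability database, signature names, sample alerts and scoring weights are all constructed assumptions. It shows the same exploit signature landing on three hosts and getting three different priorities, which is the point of feeding context into IDS alerts.

```python
"""Context-aware IDS alert prioritisation (added example, not from the slides).

ASSETS, VULN_DB, the signature strings, the sample alerts and the scoring
weights are constructed assumptions chosen to show why one IDS signature
should yield different priorities on different hosts.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed asset inventory: business value 1 (throwaway) .. 5 (crown jewels).
ASSETS = {
    "10.0.1.10": {"name": "payroll-db", "os": "windows", "value": 5},
    "10.0.1.20": {"name": "web-frontend", "os": "linux", "value": 3},
    "10.0.9.5": {"name": "test-vm", "os": "windows", "value": 1},
}

# Constructed vulnerability DB, as a scanner would keep it current:
# host -> CVEs the host is currently exposed to.
VULN_DB = {
    "10.0.1.10": {"CVE-2008-4250"},
    "10.0.1.20": set(),
    "10.0.9.5": {"CVE-2008-4250"},
}


@dataclass
class Alert:
    signature: str
    src: str
    dst: str
    target_os: str          # OS the exploit applies to ("any" if not OS-specific)
    cve: Optional[str]      # CVE the signature detects, if any
    severity: int           # raw IDS severity 1 (low) .. 3 (high)


def prioritise(alert: Alert) -> tuple:
    """Return (action, score, reason) for one alert using asset and vuln context."""
    asset = ASSETS.get(alert.dst)
    if asset is None:
        # An unknown asset is itself a finding: the inventory has a gap.
        return ("investigate", alert.severity * 2, "target not in asset inventory")
    # Rule 1: an exploit for an OS the target does not run cannot succeed.
    if alert.target_os not in ("any", asset["os"]):
        return ("suppress", 0, f"{alert.target_os} exploit against {asset['os']} host")
    score = alert.severity * asset["value"]
    reason = "no matching vulnerability"
    # Rule 2: the target is known-vulnerable to exactly this CVE, so escalate.
    if alert.cve and alert.cve in VULN_DB.get(alert.dst, set()):
        score *= 3
        reason = f"{asset['name']} is vulnerable to {alert.cve}"
    if score >= 30:
        action = "page_oncall"
    elif score >= 6:
        action = "ticket"
    else:
        action = "log"
    return (action, score, reason)


def triage(alerts):
    """Prioritise a batch; rows are (signature, dst, action, score, reason), highest score first."""
    return sorted(((a.signature, a.dst) + prioritise(a) for a in alerts),
                  key=lambda row: row[3], reverse=True)


# Constructed sample alerts: one MS08-067-style signature hitting three hosts,
# plus a port scan against a known and an unknown host.
SAMPLE = [
    Alert("MS08-067 srvsvc exploit attempt (constructed)", "198.51.100.8", "10.0.1.10", "windows", "CVE-2008-4250", 3),
    Alert("MS08-067 srvsvc exploit attempt (constructed)", "198.51.100.8", "10.0.1.20", "windows", "CVE-2008-4250", 3),
    Alert("MS08-067 srvsvc exploit attempt (constructed)", "198.51.100.8", "10.0.9.5", "windows", "CVE-2008-4250", 3),
    Alert("TCP port scan (constructed)", "198.51.100.8", "10.0.1.20", "any", None, 1),
    Alert("TCP port scan (constructed)", "198.51.100.8", "10.0.5.5", "any", None, 1),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

The Windows exploit against the Linux web front end is suppressed outright, the same signature against the vulnerable payroll server pages someone, and the hit on the vulnerable but worthless test VM becomes a ticket. The unknown 10.0.5.5 is not dropped: an asset the inventory does not know about is a finding of its own, and the vulnerability database is only as good as the last scan that populated it.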
Data Exfiltration
• You Must Know What Is “Normal”
• Deviations From The Norm Warrant An Alert
• Some Events Are “Non-Negotiable”
• “You” Typically Initiate Data Transfers
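The slide separates two kinds of exfiltration rule: a statistical one (deviation from a per-host baseline) and a categorical one ("non-negotiable" events such as a server that starts an outbound session, or a large upload at an hour when no user is at the keyboard). The following is an added example, not code from the presentation or any SIEM product; the 14-day history, asset roles, internal address range, business hours and the 10 MB and 3-sigma thresholds are constructed assumptions.

```python
"""Exfiltration detection: per-host outbound baseline plus non-negotiable rules
(added example, not from the slides). HISTORY, ROLE, the address range and all
thresholds are constructed assumptions."""
import statistics
from typing import Optional

# Constructed 14-day history of outbound bytes per day, per host.
HISTORY = {
    "payroll-db": [1_100_000, 1_250_000, 1_180_000, 1_300_000, 1_220_000, 1_150_000, 1_280_000,
                   1_190_000, 1_240_000, 1_210_000, 1_170_000, 1_260_000, 1_230_000, 1_200_000],
    "wks-042": [80_000_000, 95_000_000, 70_000_000, 120_000_000, 60_000_000, 90_000_000, 100_000_000,
                85_000_000, 75_000_000, 110_000_000, 65_000_000, 95_000_000, 88_000_000, 92_000_000],
}
ROLE = {"payroll-db": "server", "wks-042": "workstation"}   # assumed asset roles
INTERNAL_PREFIX = "10."                                      # assumed internal range
BUSINESS_HOURS = range(7, 19)
OFF_HOURS_UPLOAD_LIMIT = 10_000_000


def baseline(samples):
    """Mean and population standard deviation of a host's daily outbound volume."""
    return statistics.mean(samples), statistics.pstdev(samples)


def deviation_alert(host: str, today_bytes: int, k: float = 3.0) -> Optional[str]:
    """Alert when today's outbound volume exceeds mean + k*stdev for this host.

    The band is per host: a chatty workstation gets a wider one than a quiet DB server,
    so the same 125 MB day is noise for one and an incident for the other."""
    mean, sd = baseline(HISTORY[host])
    if today_bytes > mean + k * sd:
        return f"{host}: {today_bytes:,} B outbound today vs baseline {mean:,.0f} +/- {sd:,.0f}"
    return None


def non_negotiable(flow: dict) -> Optional[str]:
    """Rules that fire regardless of volume; flow is a constructed NetFlow-style record."""
    if flow["dst"].startswith(INTERNAL_PREFIX):
        return None                                    # internal traffic is out of scope here
    role = ROLE.get(flow["src"])
    if role == "server":
        # Servers answer connections; a DB server initiating a session outbound is never normal.
        return f"{flow['src']}: server initiated outbound to {flow['dst']}:{flow['dport']}"
    if role == "workstation" and flow["hour"] not in BUSINESS_HOURS and flow["bytes"] > OFF_HOURS_UPLOAD_LIMIT:
        # Users initiate their own transfers; a large upload at 03:00 has no user behind it.
        return (f"{flow['src']}: {flow['bytes']:,} B to {flow['dst']}:{flow['dport']} "
                f"at {flow['hour']:02d}:00, outside business hours")
    return None


def review(day_totals: dict, flows: list) -> list:
    """Run both checks over one day's data and return every alert."""
    alerts = [a for host, total in day_totals.items() if (a := deviation_alert(host, total))]
    alerts += [a for f in flows if (a := non_negotiable(f))]
    return alerts


# Constructed data for one day: the DB server pushed 900 MB out, the workstation 125 MB.
TODAY = {"payroll-db": 900_000_000, "wks-042": 125_000_000}
FLOWS = [
    {"src": "payroll-db", "dst": "203.0.113.5", "dport": 443, "bytes": 512, "hour": 14},
    {"src": "wks-042", "dst": "203.0.113.5", "dport": 443, "bytes": 50_000_000, "hour": 3},
    {"src": "wks-042", "dst": "203.0.113.5", "dport": 443, "bytes": 50_000_000, "hour": 14},
    {"src": "wks-042", "dst": "10.0.1.10", "dport": 1433, "bytes": 5_000_000, "hour": 3},
]

if __name__ == "__main__":
    for line in review(TODAY, FLOWS):
        print(line)
```

The workstation's 125 MB day sits inside its own noisy baseline and produces nothing, while 900 MB from a server that normally sends about 1.2 MB trips the deviation rule by a wide margin. The non-negotiable rules catch what the baseline cannot: a 512-byte outbound session from the DB server is tiny, but a server should never initiate one, and a 50 MB upload at 03:00 from a workstation has no user to explain it, whereas the identical upload at 14:00 is left alone.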
Client Side Attacks
• Windows Event Log Information
  • Process Status Changes
  • New Services Created
  • Scheduled Task Creation
  • Changes to Audit Policies
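Both the Windows Accounts slide and the Client Side Attacks slide reduce to rules over specific Windows event IDs: account creation (4720) with who, when and whether the name fits the convention; computer account creation (4741); membership changes to key groups (4728/4732/4756); new services (7045, in the System log); scheduled task creation (4698); audit policy changes (4719); and the audit log being cleared (1102). The following is an added example serving both slides, not code from the presentation or any SIEM product. The event IDs are the standard Windows ones; the naming convention (first.last), business hours, key group list, "suspicious path" pattern and the sample events are constructed assumptions.

```python
"""Windows Security/System event rules for account and persistence activity
(added example, not from the slides). Event IDs are the standard Windows ones;
KEY_GROUPS, STANDARD_NAME, BUSINESS_HOURS, SUSPICIOUS_PATH and EVENTS are
constructed assumptions."""
import re
from datetime import datetime

KEY_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Remote Desktop Users"}
STANDARD_NAME = re.compile(r"^[a-z]+\.[a-z]+$")   # assumed convention: first.last
BUSINESS_HOURS = range(8, 18)
SUSPICIOUS_PATH = re.compile(r"\\(Temp|Users\\[^\\]+\\AppData)\\", re.IGNORECASE)


def off_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def evaluate(ev: dict):
    """Return (severity, message) for one event, or None if it is not interesting."""
    eid, ts, who = ev["EventID"], ev["Time"], ev.get("SubjectUserName", "?")
    when = ts.strftime("%a %Y-%m-%d %H:%M")
    if eid == 4720:                       # user account created
        target = ev["TargetUserName"]
        flags = []
        if off_hours(ts):
            flags.append("off-hours")
        if not STANDARD_NAME.match(target):
            flags.append("non-standard name")
        sev = "high" if flags else "info"
        suffix = f" [{', '.join(flags)}]" if flags else ""
        return (sev, f"account {target} created by {who} at {when}{suffix}")
    if eid == 4741:                       # computer account created
        return ("medium", f"workstation account {ev['TargetUserName']} created by {who} at {when}")
    if eid in (4728, 4732, 4756):         # member added to global/local/universal group
        group = ev["TargetUserName"]      # in these events TargetUserName is the group
        if group in KEY_GROUPS:
            return ("critical", f"{ev['MemberName']} added to {group} by {who} at {when}")
        return ("info", f"{ev['MemberName']} added to {group} by {who}")
    if eid == 7045:                       # System log: new service installed
        sev = "high" if SUSPICIOUS_PATH.search(ev["ImagePath"]) else "medium"
        return (sev, f"service {ev['ServiceName']} installed from {ev['ImagePath']} at {when}")
    if eid == 4698:                       # scheduled task created
        return ("medium", f"scheduled task {ev['TaskName']} created by {who} at {when}")
    if eid == 4719:                       # system audit policy changed
        return ("high", f"audit policy changed by {who} at {when}")
    if eid == 1102:                       # audit log cleared
        return ("critical", f"security log cleared by {who} at {when}")
    return None


def triage(events):
    """Evaluate all events and return the findings, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2, "info": 3}
    found = [r for r in (evaluate(e) for e in events) if r]
    return sorted(found, key=lambda r: order[r[0]])


# Constructed events: a normal weekday helpdesk account creation, then a
# Saturday 02:40 sequence that looks like persistence after a client-side compromise.
EVENTS = [
    {"EventID": 4720, "Time": datetime(2012, 3, 5, 10, 15), "SubjectUserName": "bob.helpdesk", "TargetUserName": "jane.doe"},
    {"EventID": 4720, "Time": datetime(2012, 3, 10, 2, 40), "SubjectUserName": "svc_backup", "TargetUserName": "support"},
    {"EventID": 4728, "Time": datetime(2012, 3, 10, 2, 41), "SubjectUserName": "svc_backup", "MemberName": "support", "TargetUserName": "Domain Admins"},
    {"EventID": 7045, "Time": datetime(2012, 3, 10, 2, 43), "ServiceName": "WinUpdt", "ImagePath": r"C:\Windows\Temp\upd.exe"},
    {"EventID": 4698, "Time": datetime(2012, 3, 10, 2, 44), "SubjectUserName": "support", "TaskName": r"\UpdateCheck"},
    {"EventID": 4719, "Time": datetime(2012, 3, 10, 2, 45), "SubjectUserName": "support"},
    {"EventID": 4741, "Time": datetime(2012, 3, 12, 9, 5), "SubjectUserName": "bob.helpdesk", "TargetUserName": "WS-LAB7$"},
]

if __name__ == "__main__":
    for sev, msg in triage(EVENTS):
        print(f"{sev:8} {msg}")
```

The Monday-morning creation of jane.doe by the helpdesk is logged at info and nothing more; the same event ID on a Saturday at 02:40, from a service account, for a name that does not fit the convention, is high on its own, and the Domain Admins addition one minute later is critical regardless of the hour. A service whose binary lives under a Temp directory and a task created by the new account round out the chain, which is exactly the "instant replay" a SIEM keeps when the individual events would otherwise sit unread in seven different logs.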
Brute-force Attacks
• Detailed Reports of Failed Logins
• Source Of Failed Login Attempts
• Locked Accounts Report
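The three items on the brute-force slide are a sliding-window count of failed logons per source, a per-source report, and a lockout report. The following is an added example, not code from the presentation or any SIEM product; it also separates classic brute force (many failures against one account) from password spraying (one or two tries against many accounts, which stays under lockout thresholds). Event IDs 4625 and 4740 are the standard Windows ones; the thresholds, window, `fail()` helper and sample events are constructed assumptions.

```python
"""Failed-logon reporting: brute-force and password-spray detection plus a lockout
report (added example, not from the slides). Thresholds, WINDOW, the fail() helper
and EVENTS are constructed assumptions; 4625/4740 are the standard Windows event IDs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10              # failures from one source within the window
SPRAY_THRESHOLD = 4              # distinct accounts tried from one source within the window
WINDOW = timedelta(minutes=5)


def detect(events: list) -> dict:
    """Walk events in time order with a sliding window per source address; return
    alerts, the failed-logins-by-source report, and the locked-account list."""
    recent = defaultdict(deque)          # src -> deque of (time, target) inside WINDOW
    counts = defaultdict(int)            # src -> total failures, for the report
    alerted = set()                      # (kind, src) pairs already raised, to alert once
    alerts, lockouts = [], []
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["EventID"] == 4740:        # account locked out
            lockouts.append((ev["TargetUserName"], ev["Time"].strftime("%H:%M")))
            continue
        if ev["EventID"] != 4625:        # failed logon
            continue
        src = ev["IpAddress"]
        q = recent[src]
        q.append((ev["Time"], ev["TargetUserName"]))
        while q and ev["Time"] - q[0][0] > WINDOW:
            q.popleft()                  # drop failures older than the window
        counts[src] += 1
        distinct = {target for _, target in q}
        if len(q) >= FAIL_THRESHOLD and ("brute", src) not in alerted:
            alerted.add(("brute", src))
            alerts.append(("brute_force", src, f"{len(q)} failures in {WINDOW} against {sorted(distinct)}"))
        if len(distinct) >= SPRAY_THRESHOLD and ("spray", src) not in alerted:
            alerted.add(("spray", src))
            alerts.append(("password_spray", src, f"{len(distinct)} accounts tried in {WINDOW}"))
    return {"alerts": alerts, "failed_by_source": dict(counts), "lockouts": lockouts}


def fail(t, src, user, sub="0xC000006A"):
    """Constructed helper: a minimal 4625 record. 0xC000006A is the bad-password SubStatus."""
    return {"EventID": 4625, "Time": t, "IpAddress": src, "TargetUserName": user, "SubStatus": sub}


T0 = datetime(2012, 3, 10, 3, 0)
EVENTS = (
    # 203.0.113.7 hammers the administrator account: 12 failures in 2 minutes, then a lockout.
    [fail(T0 + timedelta(seconds=10 * i), "203.0.113.7", "administrator") for i in range(12)]
    + [{"EventID": 4740, "Time": T0 + timedelta(minutes=2), "TargetUserName": "administrator"}]
    # 198.51.100.9 tries one password against five different users: a spray, no lockouts.
    + [fail(T0 + timedelta(minutes=i), "198.51.100.9", user)
       for i, user in enumerate(["jane.doe", "bob.helpdesk", "svc_backup", "cfo", "support"])]
    # 10.0.2.15 is a user mistyping a password twice: normal.
    + [fail(T0 + timedelta(hours=6), "10.0.2.15", "jane.doe"),
       fail(T0 + timedelta(hours=6, seconds=20), "10.0.2.15", "jane.doe")]
)

if __name__ == "__main__":
    result = detect(EVENTS)
    for kind, src, detail in result["alerts"]:
        print(f"{kind:15} {src:15} {detail}")
    print("failed by source:", result["failed_by_source"])
    print("lockouts:", result["lockouts"])
```

The spray source never exceeds one failure per account and never triggers a lockout, which is why a lockout report alone would miss it; the per-source window catches it because five different accounts were tried from one address in four minutes. The user who mistyped twice shows up in the count report but raises no alert.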
Incident Response
Incident Response Scenario #1
• Law Firm With Dealings In China
• Law Firm Was “Owned” More Than A Year
• Access To Every Machine On Network
• Thousands of “Responsive” Emails Obtained
• “Privilege” Was Not Observed
Incident Response Scenario #2
• VP of Finance Promoted to CFO
• Attack on the “Weakest” Link
AV Will Save Us!!
Incident Response Scenario #3
http://mail.hfmforum.com/microsoftupdate/getupdate/default.aspx
How SIEMs Would Have Helped
• Accounts Enabled
• Services Created
• Firewall Changes
• Data Exfiltration
• Network Communications
• Incident Response Costs
Choosing A SIEM
• Not a Replacement for Security Engineers
• Must Support Disparate Devices (Agentless)
• Don’t Plan To Monitor? DON’T BOTHER
Deploying a SIEM
• Architecture Options
• Tuning Out The “Noise”
SIEM Option$
• Outsourced Options
  • SecureWorks
• High-Cost
  • ArcSight, Q1 Labs QRadar, RSA, Tripwire
• Lower-Cost
  • Q1 Labs FE, TriGeo, Splunk
• No-Cost
  • OSSIM
  • OSSEC
Summary
• You Must Anticipate Today’s Threats
• SIEMs Are Extremely Valuable
• SIEMs Are Not A Silver Bullet
Questions?
Bill Dean
Director of Computer Forensics
Sword & Shield Enterprise Security Inc.
bdean@swordshield.com
http://www.twitter.com/BillDeanCCE