SIEMs - Decoding The Mayhem
Bill Dean
Director of Computer Forensics
Sword & Shield Enterprise Security Inc.

Outline
• Today’s Threat Landscape
• Why Do I Need a SIEM?
• Choosing and Deploying a SIEM
• This Will Not Be Boring

Computer Security Landscape
• You Are Being Blamed
• Your Money Isn’t Safe
• Your Information Isn’t Safe
• Your Reputation Is at Stake
• More Threats, Less People

You Are Being Blamed
• BotNets
• Pivoting

Stealing Your $$

Stealing Your Information
• Computers Are No Longer for “Productivity”
• You Have Valuable Information
• You ARE A Target
• You Aren’t Dealing With “Amateurs”

Hacktivists – Exposing Your Secrets

Hacktivists – Business Disruption

Your Challenge

SIEMs

You Need An “Oracle”
• Knows The Past
• Knows The Present
• Knows The Future
• Knows How to CYA

SIEM Basics
• Provides “Instant Replay”
• 24 x 7 Security Guard
• SIEM v. Firewall v. IDS v. IPS
• SIEM v. SEIM v. SIM
• Typically Compliance Driven

Compliance
• HIPAA
• PII
• Data Breach Notification Laws

Why Do I Need A SIEM?
• Infrastructure Monitoring
• Reporting
• Threat Correlation
• Instant Replay
• Incident Response

What Is Monitored?
• Account Activity
• Availability
• IDS/Context Correlation
• Data Exfiltration
• Client Side Attacks
• Brute Force Attacks

Windows Accounts
• Accounts Created, By Whom, and When
• New Accounts That Aren’t Standard
• New Accounts Created At Odd Times
• New Workstation Account Created
• Key Group Membership Changes
• Account Logon Hours

Availability
• System Uptime Statistics
• Availability Reporting
• Uptime Is “Relative”

IDS Context/Correlation
• Place Value On Assets
• Context Is Essential
• Maintain Current Vulnerability DBs
• Create Priority Rules

Data Exfiltration
• You Must Know What Is “Normal”
• Deviations From The Norm Warrant An Alert
• Some Events Are “Non-Negotiable”
• “You” Typically Initiate Data Transfers

Client Side Attacks
• Windows Event Log Information
  • Process Status Changes
  • New Services Created
  • Scheduled Task Creations
  • Changes to Audit Policies

Brute-Force Attacks
• Detailed Reports of Failed Logins
• Source Of Failed Login Attempts
• Locked Accounts Report

Incident Response

Incident Response Scenario #1
• Law Firm With Dealings In China
• Law Firm Was “Owned” More Than A Year
• Access To Every Machine On Network
• Thousands of “Responsive” Emails Obtained
• “Privilege” Was Not Observed

Incident Response Scenario #2
• VP of Finance Promoted to CFO
• Attack on the “Weakest” Link

AV Will Save Us!!

Incident Response Scenario #3
• http://mail.hfmforum.com/microsoftupdate/getupdate/default.aspx

How SIEMs Would Have Helped
• Accounts Enabled
• Services Created
• Firewall Changes
• Data Exfiltration
• Network Communications
• Incident Response Costs

Choosing A SIEM
• Not a Replacement for Security Engineers
• Must Support Disparate Devices (Agentless)
• Don’t Plan To Monitor? DON’T BOTHER

Deploying a SIEM
• Architecture Options
• Tuning Out The “Noise”

SIEM Option$
• Outsourced Options
  • SecureWorks
• High-Cost
  • ArcSight, Q1 Labs Radar, RSA, Tripwire
• Lower-Cost
  • Q1 Labs FE, TriGeo, Splunk
• No-Cost
  • OSSIM
  • OSSEC

Summary
• You Must Anticipate Today’s Threats
• SIEMs Are Extremely Valuable
• SIEMs Are Not A Silver Bullet

Questions?
Bill Dean
Director of Computer Forensics
Sword & Shield Enterprise Security Inc.
bdean@swordshield.com
http://www.twitter.com/BillDeanCCE
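The Windows-account, key-group-membership and brute-force checks listed under “What Is Monitored” above, turned into SIEM-style correlation logic over a constructed sample of Windows Security events. This is an added example, not code from the talk or from any SIEM product it names; the event IDs are the standard Windows Security log IDs (4720 account created, 4728/4732 member added to a group, 4625 failed logon, 4740 lockout), while the business-hours window, privileged-group list, failed-logon threshold and sample records are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of Windows Security events, already normalised into dicts
# the way a SIEM collector would present them (timestamps in ISO 8601).
SAMPLE_EVENTS = [
    {"ts": "2012-03-05T02:14:00", "id": 4720, "host": "DC01", "actor": "svc_backup", "target": "tmp$"},
    {"ts": "2012-03-05T02:15:00", "id": 4728, "host": "DC01", "actor": "svc_backup", "target": "tmp$",
     "group": "Domain Admins"},
    {"ts": "2012-03-05T09:30:00", "id": 4720, "host": "DC01", "actor": "helpdesk1", "target": "jsmith"},
    # Twelve failed logons from one source against one account within a minute.
    *[{"ts": f"2012-03-05T11:00:{s:02d}", "id": 4625, "host": "FS01", "actor": "10.0.0.9",
       "target": "administrator"} for s in range(12)],
    {"ts": "2012-03-05T11:00:30", "id": 4740, "host": "DC01", "actor": "FS01", "target": "administrator"},
]

# Assumed site policy: what "normal" looks like for this organisation.
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local time
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
BRUTE_FORCE_THRESHOLD = 10             # failed logons per (source, account)


def _hour(ev):
    return datetime.fromisoformat(ev["ts"]).hour


def correlate(events):
    """Return a list of (category, evidence) alerts for the monitored conditions."""
    alerts = []
    failed = defaultdict(list)         # (source, target account) -> failed-logon events
    for ev in events:
        if ev["id"] == 4720:
            # Account created at an odd hour, or a workstation-style ("$") account
            # created by a user rather than by a domain join.
            if _hour(ev) not in BUSINESS_HOURS or ev["target"].endswith("$"):
                alerts.append(("account_created_anomaly", ev))
        elif ev["id"] in (4728, 4732) and ev.get("group") in PRIVILEGED_GROUPS:
            alerts.append(("privileged_group_change", ev))
        elif ev["id"] == 4625:
            failed[(ev["actor"], ev["target"])].append(ev)
        elif ev["id"] == 4740:
            alerts.append(("account_lockout", ev))
    # Brute force: many failures from one source against one account.
    for (src, user), evs in failed.items():
        if len(evs) >= BRUTE_FORCE_THRESHOLD:
            alerts.append(("brute_force", {"source": src, "target": user, "count": len(evs)}))
    return alerts


if __name__ == "__main__":
    for category, evidence in correlate(SAMPLE_EVENTS):
        print(category, evidence)
```

The normal 09:30 account creation by helpdesk1 produces no alert, which is the “tuning out the noise” the deck refers to: the rules encode what is normal for the site, not just what is possible.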