Don't let your SIEM become your Nightmare!

What is SIEM?

Combining Security Components

[Figure: layers of security data combined by a SIEM: Endpoint Security, Service Logs, Asset Management; Packets, Protocols, IP addresses, Files, Usernames, Hosts, User Logins, Service Activity, Configuration Changes, Apps, Business Processes, Business Owners]

11/6/2015 -- OFFEN -- Thomas Bleier, Herwig Köck

What is SIEM?

Security Information and Event Management

Garbage in, garbage out: "SIEM is only as useful as the information you put in"

Management layer
• Management layer above existing systems and security controls

Unifies information
• Unifies and connects the information of existing systems so that it can be analyzed and cross-referenced from a single interface

Input Data?

Where usable data is generated

What's Special?

More than simple Log Management

Log Management
• Collecting and analyzing network data
  • Security events
  • Operational events
• Functionality: search and parse data for
  • Trends
  • Anomalies
  • Other relevant information

SIEM
• Functionality specialized on information security
  • Event reduction
  • Real-time alerting
  • Workflow to address security breaches
  • Incorporation of non-event-based data (e.g. reports)

Source: http://www.blackstratus.com/blog/siem-log-management-compliance/

What's Special?

More than simple Log Management

Prioritization
• Highlights important events over minor ones
• Easily keep track of the security situation
• Includes input from reports
• Updated frequently

Workflow
• Comprehensive incident management
• Real-time identification and notification of threats
• Important part of regulatory compliance
• Allows analysts to document threat response

Correlation
• Important tool to identify relevant security events
• Can compute massive amounts of logged data
• Analysis of event data in real time

Source: http://www.blackstratus.com/blog/siem-log-management-compliance/

What's Special?

Example: Correlation


SIEM Integration?

How not to integrate your SIEM

• Buy a SIEM appliance
• Connect all your IDS, logs, everything, etc. with the SIEM
• Get a high amount of security events/notifications
• No qualified personnel to handle events and/or adjust the system
• SIEM gets abandoned, alarms are ignored

SIEM Integration?

How to do things right

• Define scope
• Connect point solutions (IDS, central logging, firewalls, etc.)
• Filter logs
• Establish criteria (when, who, what, where, why)
• Progressive rollout to assimilate generated information with internal processes
• Additional value for your enterprise
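As an added example (not from the slides and not T-Systems' code), the following Python sketch shows what "filter logs", "establish criteria (when, who, what, where, why)" and the earlier correlation and prioritization slides amount to in practice: raw events from two point solutions (an IDS and central authentication logging) are scoped, grouped and reduced to one prioritized alert instead of a stream of notifications. The scope network, the event format and the sample events are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Scope (an assumption of this example): only assets in these networks are monitored.
SCOPE = [ipaddress.ip_network("10.0.1.0/24")]
LEVELS = ["low", "medium", "high", "critical"]

# Constructed sample events from two point solutions (IDS, central auth logging),
# normalised into when (ts) / where (host) / who (user) / what (type) / peer address.
EVENTS = [
    {"ts": "2015-11-06T09:00:01", "tool": "ids", "host": "10.0.1.20", "user": None, "type": "port_scan", "peer": "203.0.113.5"},
    {"ts": "2015-11-06T09:01:10", "tool": "auth", "host": "10.0.1.20", "user": "alice", "type": "login_failed", "peer": "203.0.113.5"},
    {"ts": "2015-11-06T09:01:15", "tool": "auth", "host": "10.0.1.20", "user": "alice", "type": "login_failed", "peer": "203.0.113.5"},
    {"ts": "2015-11-06T09:01:21", "tool": "auth", "host": "10.0.1.20", "user": "alice", "type": "login_failed", "peer": "203.0.113.5"},
    {"ts": "2015-11-06T09:02:00", "tool": "auth", "host": "10.0.1.20", "user": "alice", "type": "login_ok", "peer": "203.0.113.5"},
    {"ts": "2015-11-06T09:05:00", "tool": "auth", "host": "192.168.9.9", "user": "bob", "type": "login_failed", "peer": "198.51.100.7"},
    {"ts": "2015-11-06T09:30:00", "tool": "auth", "host": "10.0.1.21", "user": "carol", "type": "login_failed", "peer": "10.0.1.50"},
]

def in_scope(host):
    return any(ipaddress.ip_address(host) in net for net in SCOPE)

def correlate(events, window=timedelta(minutes=10), threshold=3):
    """Filter to scope, group raw events per (peer, host) and reduce each group to at
    most one alert. Priority rises when the failures are followed by a success or
    preceded by an IDS scan from the same peer: the cross-source part is the point."""
    groups = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if in_scope(e["host"]):  # first filter: out-of-scope hosts are dropped here
            e = dict(e, t=datetime.fromisoformat(e["ts"]))
            groups.setdefault((e["peer"], e["host"]), []).append(e)
    alerts = []
    for (peer, host), evs in groups.items():
        fails = [e["t"] for e in evs if e["type"] == "login_failed"]
        if len(fails) < threshold or fails[-1] - fails[0] > window:
            continue  # below threshold: a single mistyped password never reaches an analyst
        score, why = 1, [f"{len(fails)} failed logins within {fails[-1] - fails[0]}"]
        if any(e["type"] == "login_ok" and fails[-1] < e["t"] <= fails[-1] + window for e in evs):
            score, why = score + 2, why + ["followed by a successful login"]
        if any(e["type"] == "port_scan" and e["t"] < fails[0] for e in evs):
            score, why = score + 1, why + ["preceded by an IDS port scan"]
        alerts.append({"when": evs[0]["ts"], "who": sorted({e["user"] for e in evs if e["user"]}),
                       "what": "possible credential attack", "where": host, "from": peer,
                       "why": "; ".join(why), "priority": LEVELS[score - 1], "raw_events": len(evs)})
    return sorted(alerts, key=lambda a: LEVELS.index(a["priority"]), reverse=True)

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Seven raw events become one alert carrying the who/what/where/when/why an analyst needs; the out-of-scope host and the single failed login produce nothing.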


Security Visibility?

Considering the following divergent goals

Senior Management
Needs a concise view
• “How do we compare with our peers?”
• “Are we spending the right amount of money?”
• “Are we better off than we were this time last year?”

Operational Security
Needs a high-level (near real-time) view plus the ability to see details quickly
• “Are we going to pass PCI compliance?”
• “Are there signs of malware in our systems?”
• “Are our insiders misusing their access?”

Front line analysts
Need even greater detail
• “Which devices are trying to communicate with known malicious sites on the internet?”
• “What systems are probing our networks?”
• “Are we seeing any indication of

Source: SANS

What to do with the information from your SIEM?

SOC – Security Operations Center

What is it?
Someone has to handle the information from the SIEM
• Centrally monitors, detects and handles security incidents based on the information from the SIEM
• Evaluates and measures the efficiency of security processes
• Operates security tools (SIEM and others)
• Operative security tasks, in contrast to the ISMS (strategic tasks)

Organisation
Someone has to handle the information from the SIEM
• Role taken over by a person
• May not be the only role of this person
• Define use cases, tasks, scope and responsibilities
• SOP – Standard Operating Procedures
• Interface to other roles

Security Operations Center

Primary functions

[Figure: the three primary functions Monitor, Operate and Control, with the items they cover: Logs, Events; Incidents; Threat Intelligence; Devices, Tools; Compliance; Vulnerabilities; Security Controls; Security Devices; Security Systems; Security Tools]

Security Operations Center?

Control

Vulnerability Assessment
• Continuous automated assessment of systems
• Against known vulnerabilities
• Broad scope / coverage

Compliance Testing
• Development of operational IT security controls based on control objectives from governance / ISMS
• Verification of control implementation

Penetration Testing
• Manual testing of systems for security vulnerabilities
• Validation and complementation of automated assessment
• Defined samples (small scale)

Steering and prioritization of the development of operational security measures based on cyber risk exposure

Security Operations Center?

Monitor

Security Incidents
• Handle security incidents
• Track and monitor incident resolution
• Detect systematic misuse cases (-> Problem Management)

Logs, Events
• Log Management
• SIEM (-> Events)
• Broad coverage

Threats
• Monitor threat landscape (Threat Intelligence)
• Derive necessary measures
• Interface with IT Governance / ISMS

Security Operations Center?

Operate

Design
• Definition of functional areas
• Definition of tooling
• Existing tools vs. new tools
• Needs vs. nice to have

Implementation
• Setup and rollout of toolset

Operation
• Configuration Management
• Change Management
• Incident Management
• Problem Management
• Support

Staffing

Tasks & Qualifications

• Incident Handler – Incident Response
• Operator – Tool Operations
• Auditor – Audits & Assessments
• Document Writer – Monitoring & Reporting
• Trainer – Training of IT Staff

Summary

• A SIEM should combine data from different sources to derive more usable information.
• Careful selection of sources, reduction of data and prioritization of events is key!
• Somebody needs to use the SIEM and handle the information it produces! -> SOC
• The implementation process is a critical success factor (scoping, rollout process, etc.)!
• The SOC has to control,

Thomas Bleier
DI MSc CISSP CISA CISM CEH zPM, Teamlead Security Professional Services, T-Systems Austria GesmbH, Rennweg 97-99, A-1030 Wien, E-Mail: thomas.bleier@t-systems.at, Phone: +43 676 8642 8587

Herwig Köck
BSc ACSA ACSE MCP, Fachlead Security Consulting, T-Systems Austria GesmbH, Rennweg 97-99, A-1030 Wien, E-Mail: herwig.köck@t-systems.at

Thank You!

Questions?

T-Systems Austria GesmbH 2014. All rights reserved. This document and all contained information and pictures are protected by copyright. Propagation or duplication of this document or parts of it is forbidden. Any usage in any form without written permission by T-Systems Austria GesmbH is chargeable.
