Don’t let your SIEM become your nightmare!
What is SIEM?
Combining Security Components
[Figure: the security components a SIEM combines and the data they generate: Endpoint Security, Service Logs, Asset Management; Packets, Protocols, IP addresses; Files, Usernames, Hosts; User Logins, Service Activity, Configuration Changes; Apps, Business Processes, Business Owners]
11/6/2015 -- OFFEN -- Thomas Bleier, Herwig Köck
What is SIEM?
Security Information and Event Management
Garbage in, garbage out: “SIEM is only as useful as the information you put in”
Management layer: a management layer above existing systems and security controls
Unifies information: unifies and connects the information of existing systems so that it can be analyzed and cross-referenced from a single interface
Input Data?
Where usable data is generated
Functionality specialized in information security:
• Event reduction
• Real-time alerting
• Workflow to address security breaches
• Incorporation of non-event-based data (e.g. reports)
Functionality to search and parse data for:
• Trends
• Anomalies
• Other relevant information
What’s special?
More than simple Log Management
[Figure: Log Management vs. SIEM. Log management: collecting and analyzing network data (security events, operational events). Source: http://www.blackstratus.com/blog/siem-log-management-compliance/]
What’s special?
More than simple Log Management
• Highlights important events over minor ones
• Easily keep track of the security situation
• Includes input from reports
• Updated frequently
• Comprehensive incident management
• Real-time identification and notification of threats
• Important part of regulatory compliance
• Allows analysts to document threat response
Source: http://www.blackstratus.com/blog/siem-log-management-compliance/
[Figure: Prioritization, Workflow, Correlation]
Correlation
• Important tool to identify relevant security events
• Can process massive amounts of logged data
• Real-time analysis of event data
What’s special?
Example: Correlation
[Figure: correlation example (Prioritization, Workflow, Correlation). Source: http://www.blackstratus.com/blog/siem-log-management-compliance/]
SIEM Integration?
How not to integrate your SIEM
• Buy a SIEM appliance
• Connect all your IDS, logs, everything, etc. to the SIEM
• Get a high number of security events/notifications
• No qualified personnel to handle the events and/or adjust the system
• SIEM gets abandoned, alarms are ignored
SIEM Integration?
How to do things right
• Define the scope
• Connect point solutions (IDS, central logging, firewalls, etc.)
• Filter logs
• Establish criteria (when, who, what, where, why)
• Progressive rollout, so that the generated information is integrated into internal processes
• Additional value for your enterprise
Security Visibility?
Consider the following divergent goals
Operational Security: needs a high-level (near real-time) view plus the ability to see details quickly
“Are we going to pass PCI compliance?”
“Are there signs of malware in our systems?”
“Are our insiders misusing their access?”
Senior Management: needs a concise view
“How do we compare with our peers?”
“Are we spending the right amount of money?”
“Are we better off than we were this time last year?”
Front line analysts: need even greater detail
“Which devices are trying to communicate with known malicious sites on the internet?”
“What systems are probing our networks?”
“Are we seeing any indication of
Source: SANS
What to do with the information from your SIEM?
SOC – Security Operations Center
What is it?
• Someone has to handle the information from the SIEM
• Centrally monitors, detects and handles security incidents based on the information from the SIEM
• Evaluates and measures the efficiency of security processes
• Operates security tools (SIEM + others)
• Operative security tasks, in contrast to the ISMS (strategic tasks)
Organisation
• Role taken over by a person; may not be the only role of this person
• Define use cases, tasks, scope and responsibilities
• SOP – Standard Operating Procedures
• Interface to other roles
Functions: Monitor, Operate, Control
Security Operations Center
Primary functions
[Figure: SOC primary functions and their inputs: Logs, Events; Incidents; Threat Intelligence; Devices, Tools; Compliance; Vulnerabilities; Security Controls; Security Devices; Security Systems; Security Tools]
Security Operations Center?
Control
Vulnerability Assessment
• Continuous automated assessment of systems against known vulnerabilities
• Broad scope / coverage
Compliance Testing
• Development of operational IT security controls based on control objectives from governance / ISMS
• Verification of control implementation
Penetration Testing
• Manual testing of systems for security vulnerabilities
• Validation and complementation of the automated assessment
• Defined samples (small scale)
Steering and prioritization of the development of operational security measures based on cyber risk exposure
Security Operations Center?
Monitor
Security Incidents
• Handle security incidents
• Track and monitor incident resolution
• Detect systematic misuse cases (Problem Management)
Logs, Events
• Log Management → SIEM (→ Events)
• Broad coverage
Threats
• Monitor the threat landscape (Threat Intelligence)
• Derive necessary measures
• Interface with IT Governance / ISMS
Security Operations Center?
Operate
Implementation
• Setup and rollout of the toolset
Design
• Definition of functional areas
• Definition of tooling: existing tools vs. new tools, needs vs. nice to have
Operation
• Configuration Management, Change Management, Incident Management, Problem Management, Support
Roles and tasks
• Incident Handler – Incident Response
• Operator – Tool Operations
• Auditor – Audits & Assessments
• Document Writer – Monitoring & Reporting
• Trainer – Training of IT Staff
Staffing
Tasks & Qualifications
SUMMARY
• A SIEM should combine data from different sources to derive more usable information.
• Careful selection of sources, reduction of data and prioritization of events is key!
• Somebody needs to use the SIEM and handle the information it produces: the SOC.
• The implementation process is a critical success factor (scoping, rollout process, etc.)!
• The SOC has to control,
Thank You!
Questions?
Thomas Bleier, DI MSc CISSP CISA CISM CEH zPM
Teamlead Security Professional Services, T-Systems Austria GesmbH
Rennweg 97-99, A-1030 Wien
E-Mail: thomas.bleier@t-systems.at, Phone: +43 676 8642 8587
Herwig Köck, BSc ACSA ACSE MCP
Fachlead Security Consulting, T-Systems Austria GesmbH
Rennweg 97-99, A-1030 Wien
E-Mail: herwig.köck@t-systems.at