20 Years of SIEM - SANS Webinar 2022
•
1 j'aime•295 vues
20 years of SIEM was prepared for the SANS webinar https://www.sans.org/webcasts/anton-chuvakin-discusses-20-years-of-siem-what-s-next/ and offers Anton's reflection on SIEM past and future
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à 20 Years of SIEM - SANS Webinar 2022
Similaire à 20 Years of SIEM - SANS Webinar 2022 (20)
Plus de Anton Chuvakin
Plus de Anton Chuvakin (20)
Dernier
Dernier (20)
20 Years of SIEM - SANS Webinar 2022
- 1. 20 Years of SIEM – What’s Next? Dr Anton Chuvakin @anton_chuvakin https://medium.com/anton-on-security
- 2. 20 years of SIEM! Time to reflect!
- 3. Outline ● SIEM: 1996-2022-??? ● SIEM challenges then … and now! ● Do we need a SIEM in 2022? No, really, do we? ● “Do better next time”, but how?
- 4. The Past
- 6. The Present
- 7. SIEM Challenges Circa 2002 Note the themes: ● False alarms ● Too much data ● Missing data ● Hard to get data
- 9. SIEM Challenges Circa 2020 (aka +20 years) Note the themes again: ● False alarms ● Hard to use ● Hard to create rules / detect
- 10. Mini-Summary: Is SIEM Broken or Not? ● Many of the SIEM challenges are with us for 20+ years ● A pile of challenges makes some say that “SIEM is broken” ● If something has been broken for 20 years, maybe it is … just broken? ● So, is SIEM broken?
- 11. The Future
- 12. Products: How I Want It Now!? 1. SaaS, definitely. Not “fake cloud”, real SaaS. 2. SIEM in the cloud? Sure, but also FOR the cloud. 3. I don’t want “SIEM and SOAR”, I want “SIEM/SOAR” 4. EDR and NDR? Yes, please! I want their telemetry too 5. Curated threat intelligence in my SIEM 6. Rules, threat intel but also algorithms. You can say “ML”, I won’t cringe 7. I want my SIEM to show what it is detecting well. Coverage!
- 13. Reminder: EDR or SIEM? Well, “AND” :-) EDR is not a magical “better answer” It's a useful endpoint visibility technology Not security magic!
- 14. Processes: How I Want It Now!? 1. Telemetry collection - easy or “magically easy” 2. Alert triage - automated wherever possible 3. Use case management - from detection to response 4. Detection measurement - clear and transparent 5. Evolve to detection engineering - intentional detection
- 15. Reminder: Good Detection Eng is Hard Detection content versioning 1 2 3 4 5 Proper “QA” for detection content” Content (code) reuse and modularity Cross-vendor and cross-tool content Metrics, coverage and improvement
- 16. The Lessons
- 17. Recommendations: No SIEM? ● 7 days ○ Briefly evaluate how you are solving the problems others solve with SIEM ● 30 days ○ Review your log management / log analysis / SIEM approach vs your ongoing requirements ● 90 days ○ Refine the approach, acquire a SIEM if needed
- 18. Recommendations: Got a SIEM? ● 7 days ○ Review SIEM processes especially alert triage ● 30 days ○ Build or refresh use case management process ● 90 days ○ Become more intentional about detection in SIEM: effectiveness, coverage, improvements
- 19. Recommendations: Zoom in on Detection Become more intentional about detection in SIEM: effectiveness, coverage, improvements ● What do I need to detect? ● What do I detect? ● Do I really detect it? ● Do I detect it well? ● Do I follow up / triage right?
- 21. Resources ● “20 Years of SIEM: Celebrating My Dubious Anniversary” blog ● “Anton Chuvakin Discusses “20 Years of SIEM – What’s Next?”” SANS webinar ● “On “Output-driven” SIEM” blog (2012) ● “Anton and The Great XDR Debate, Part 1” ● … and of course https://medium.com/anton-on-security ● and https://cloud.withgoogle.com/cloudsecurity/podcast/
Notes de l'éditeur
- https://www.sans.org/webcasts/anton-chuvakin-discusses-20-years-of-siem-what-s-next/ https://medium.com/anton-on-security/20-years-of-siem-celebrating-my-dubious-anniversary-f1cda2b453d3
- https://www.sans.org/webcasts/anton-chuvakin-discusses-20-years-of-siem-what-s-next/ Well-known as a SANS instructor and SIEM expert, Anton Chuvakin recently celebrated 20 years of architecting, deploying, maintaining, and tuning SIEMs. In this webinar, he’ll review the future of SIEM – and how many of the problems that plagued early SIEM users are still with us today, such as: The difficulty of operating SIEMs effectively with limited staff (e.g., "We have a small team and just enough people to keep the SIEM running – but no time left to go beyond basic use cases.") Data collection and data quality issues (“We don’t have enough people to check that our collectors are still configured properly – so we don’t have visibility into blind spots.”) Trusting that SIEM data structures, taxonomies, and out of the box detection rules (from SIEM vendors and MSSPs) will be effective and usable in your environment. Hoping your custom detection rules are written correctly (e.g., hoping nobody mistyped “context.asset.vulnerability.severity” as “asset.context.vulnerability.severity” in a rule they wrote). At the same time, let’s not forget that our essential SIEM mission – detecting and responding to threats – is a difficult one in today’s complex and messy environments (endpoints, cloud, micro-services, SaaS, rogue systems, etc.) with constantly-evolving security stacks (CASB, CSPM, CIEM, EASM, etc.). So where are we going with SIEM? Anton will discuss how the scale and power of the cloud, plus how more contextual telemetry, global-scale threat intelligence, and new automation approaches have the potential of addressing some of these challenges in a meaningful way. Anton will be joined by Yair Manor, CTO and co-founder of CardinalOps. Yair will describe data collected from real-world SIEM deployments showing answers to common challenges such as: % of MITRE ATT&CK techniques covered by the average SIEM Comparison with top 14 techniques actually used by adversaries in real-world attacks % of broken or misconfigured rules in the average SIEM The top missing log source type in the average SIEM % of SIEMs that disable default out-of-the-box SIEM content Log4 Shell: On average, how long did it take organizations to add new rules to detect it Sponsored by CardinalOps: CardinalOps brings cloud-based analytics and API-driven automation enabling SOC engineering teams to stay ahead of constant change in their threat landscape and attack surface – and close the riskiest detection gaps that leave their organizations exposed. Leveraging a proprietary, crowd-sourced, graph database of thousands of best practice detection rules — backed by human experts with nation-state expertise – the CardinalOps platform continuously delivers AI-based detection recommendations for your existing SIEM/XDR, mapped to MITRE ATT&CK and customized to your infrastructure and organizational priorities.
- DECEMBER 7, 2001 https://web.archive.org/web/20011217055225/http://www.netforensics.com/netforensics.html https://web.archive.org/web/20020208033727/http://www.intellitactics.com/html/products.html
- https://www.slideshare.net/anton_chuvakin/anton-chuvakin-on-security-data-centralization (I only found my 2003 slide on log management challenges, but not on SIEM) [also, I was wrong about some stuff:-)]
- https://medium.com/anton-on-security/modern-siem-mysteries-80fcd699da68
- A: Hard challenge, market forces, tendency to go broad, messy environments, BUT … … security telemetry analysis is needed, alternatives are comparable in challenges
- Use https://www.sans.org/webcasts/anton-chuvakin-discusses-20-years-of-siem-what-s-next/
- https://medium.com/anton-on-security/today-you-really-want-a-saas-siem-1b980b627ba9
- https://medium.com/anton-on-security/today-you-really-want-a-saas-siem-1b980b627ba9
- https://medium.com/anton-on-security/can-we-have-detection-as-code-96f869cfdc79
- SIEM - if you do / don't have a SIEM, advice on this, so this in 7 30 90 days, share with CO team
- Holistic detection measurement is really hard BTW We don’t really know what GOOD is Link to Twitter thread