1. The SIEM Daily Barcelona, 21/09/2010
Sunday 3 October 2010
2. Logs
3. Disclaimer
The views and opinions expressed in this presentation are those of the speaker alone and do not necessarily represent those of his past, current or future employers, clients and/or associates.
4. 10 things we’re doing wrong !

About me
- Wim Remes
- Infosec Consultant, Ernst & Young
- Geek
- I talk a lot
- I <3 beer cerveza
- I <3 conversation
- wremes@gmail.com
- @wimremes on twitter

About this talk
- SIEM is on the floor
- the reason is tech
- the reason is me
- the reason is you
- why do we f**k up?
- how can we f**k up less?
5. Security Information and Event Management (SIEM): People, Process, Product
6. (1) It’s the information, silly!
7. DATA → FILTER → RELATIONSHIP? → INFORMATION
8. DATA → INFORMATION (psstt... this isn’t the end !)
9. KNOWLEDGE
10. UNDERSTANDING
11. WISDOM
12. (2) ’cuz that’s the way we roll ...
13. PLAN → DO → CHECK (study) → ACT
15. [photo] Wendy at the last SIEM team team-building weekend ...
17. (3) Cylinders of excellence ...
18. NETWORK / INFOSEC / INFRA / APPS
21. (4) COMPLIANCE DRIVEN SECURITY
22. [pie chart] I want to / I’m ready / I have to (- regulatory, - internal audit, - higher forces); shares shown: 5%, 15%, 80%
* I err on the side of optimism
24. (5) FEAR DRIVEN SECURITY
25. "Manage your defenses based on reality, not on publicity !" (Verizon DBIR 2010)
26. (6) WYAFIWYG (what you ask for is what you get)
27. Detect APT Hackers !! / Correlation ! / Log Management ...
28. Log Management ...
"We need to centralize and retain all log data from all of our boxes and we’ve been told SIEM is the way to go. What box can help us to get all that stuff centralized ?"
29. Correlation !
"We have heard of this thing called correlation and apparently $solution from $vendor can do that for us. When can you ship that box ?"
30. Detect APT Hackers !!
"Hackers are dangerous! We need SIEM to catch them ! (Gimme, gimme, gimme)"
31. "Fraud alerts are the leading method of discovering breaches" (Verizon DBIR 2010)
32. Build YOUR use case !
a. React Faster
b. Improve Efficiency
c. Automate Compliance
(Securosis : Understanding and Selecting SIEM/Log Management)
33. (7) In the beginning ...
34. FLAT / HIERARCHY / MESH
35. Data Sources → Data Points → Use Cases
Data Points: src ip address, dst ip address, username, host name, app name, action
Use Cases answer: Who? What? Where? When? Why?
36. (8) Linking it up ...
37. CONTEXT around SIEM (linked sources): Change Management, Network Behaviour Analysis, Vulnerability Management, CMDB, Incident Response Process, Infosec BI, Incident Data
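The slides above sketch the pipeline (DATA → FILTER → RELATIONSHIP → INFORMATION), the data points a use case needs (src/dst ip, username, host name, app name, action) and the context sources that should be linked to the SIEM (CMDB, vulnerability management, change management). The following script is an added example that is not part of the talk: it parses a few constructed log lines in a simple key=value syntax (an assumed format, not a vendor or CEE syntax), filters them down to the "who logged in where" use case, and joins each event with constructed CMDB, vulnerability and change-window records to answer Who/What/Where/When/Why. The risk scoring rule and all names, hosts and findings are assumptions made for the example.

```python
"""Added example: DATA -> FILTER -> RELATIONSHIP -> INFORMATION with context.

Log format, context tables and the scoring rule are assumptions for this
example; the log lines and context records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed raw log lines in an assumed key=value syntax (the DATA).
RAW_LOGS = [
    "ts=2010-09-21T08:02:11Z app=sshd action=login_ok user=jsmith src=10.0.5.23 dst=10.0.1.10 host=web01",
    "ts=2010-09-21T08:02:12Z app=sshd action=login_fail user=root src=198.51.100.7 dst=10.0.1.10 host=web01",
    "ts=2010-09-21T08:05:40Z app=httpd action=get src=203.0.113.9 dst=10.0.1.10 host=web01 path=/index.html",
    "ts=2010-09-21T23:15:02Z app=sshd action=login_ok user=bkuser src=10.0.5.23 dst=10.0.1.20 host=db01",
]

# Constructed CONTEXT sources (the boxes around SIEM on the "Linking it up" slide).
CMDB = {  # host name -> owning team and business criticality
    "web01": {"owner": "apps", "criticality": "medium"},
    "db01": {"owner": "infra", "criticality": "high"},
}
VULN_MGMT = {"db01": ["VULN-PLACEHOLDER-1"]}  # open findings per host (placeholder ids)
CHANGE_MGMT = {  # approved change windows per host as (start, end) in UTC
    "web01": [(datetime(2010, 9, 21, 7, 0, tzinfo=timezone.utc),
               datetime(2010, 9, 21, 9, 0, tzinfo=timezone.utc))],
}


def parse(line: str) -> dict:
    """Split a key=value line into a dict; tokens without '=' are dropped."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    if "ts" in fields:  # normalise the timestamp to an aware datetime
        fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def in_change_window(host: str, ts: datetime) -> bool:
    """True if the event falls inside an approved change window for the host."""
    return any(start <= ts <= end for start, end in CHANGE_MGMT.get(host, []))


@dataclass
class Information:
    """One event turned into information: the five questions plus a risk label."""
    who: str
    what: str
    where: str
    when: datetime
    why: str
    risk: str


def to_information(ev: dict) -> Information:
    """RELATIONSHIP step: join one event with CMDB, vulnerability and change context."""
    host = ev.get("host", ev.get("dst", "unknown"))
    ci = CMDB.get(host, {})
    reasons = []
    if ev.get("action") == "login_fail":
        reasons.append("failed login")
    if host in VULN_MGMT:
        reasons.append("host has open vulnerability findings")
    if ev.get("action") == "login_ok" and not in_change_window(host, ev["ts"]):
        reasons.append("login outside an approved change window")
    # Assumed scoring rule: any flag on a high-criticality asset is high, otherwise medium.
    if not reasons:
        risk = "low"
    elif ci.get("criticality") == "high":
        risk = "high"
    else:
        risk = "medium"
    return Information(
        who=ev.get("user", "unknown"),
        what=f"{ev.get('app')} {ev.get('action')} from {ev.get('src')}",
        where=f"{host} (owner: {ci.get('owner', 'unknown')})",
        when=ev["ts"],
        why="; ".join(reasons) or "no context flags",
        risk=risk,
    )


def process(lines, use_case_apps=frozenset({"sshd"})):
    """DATA -> FILTER -> RELATIONSHIP -> INFORMATION for the 'who logged in where' use case."""
    events = (parse(line) for line in lines)
    filtered = (e for e in events if e.get("app") in use_case_apps)  # FILTER: keep auth events only
    return [to_information(e) for e in filtered]


if __name__ == "__main__":
    for rec in process(RAW_LOGS):
        print(f"[{rec.risk:6}] {rec.when:%H:%M} {rec.who}@{rec.where}: {rec.what} ({rec.why})")
```

The httpd line never reaches the analyst because the FILTER step keeps only the data points the use case needs; the two remaining logins look identical in raw form but land at opposite ends of the scale once the CMDB, vulnerability and change-management context is joined in, which is the point of slide 37.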
38. (9) Reporting for duty ...
39.
1. Choose the right metrics
2. Choose the right charts
3. Learn how to interpret and visualize data
4. Reports/Scorecards are not only for management !
40. (10) Standards ?
41. CEF (common event format) / CEE (common event expression)
42. CEE (common event expression) [diagram]: event & log Taxonomy/Dictionary; CELR (Common Event Log Recommendations); CLS (Common Log Syntax); CLT (Common Log Transport)
43. CEE Common Log Syntax [diagram of the structure; labels: Entry, Field (Name), Set (Name), Event Details]
44. Who to follow ?
@anton_chuvakin
@zrlram
@andrewsmhay
@rockyd
@securosis