10 things we're doing wrong with SIEM
The SIEM Daily   Barcelona, 21/09/2010




Sunday 3 October 2010
Logs

Disclaimer

The views and opinions expressed in this presentation are those of the speaker alone and do not necessarily represent those of his past, current or future employers, clients and/or associates.




10 things we're doing wrong !

About me
  Wim Remes
  Infosec Consultant, Ernst & Young
  Geek
  I talk a lot
  I <3 beer cerveza
  I <3 conversation
  wremes@gmail.com
  @wimremes on twitter

About this talk
  SIEM is on the floor
  the reason is tech
  the reason is me
  the reason is you
  why do we f**k up?
  how can we f**k up less?




Security Information and Event Management (SIEM)

  SIEM = People + Process + Product




1. It's the information, silly !



DATA  ->  FILTER  ->  RELATIONSHIP?  ->  INFORMATION




DATA  ->  INFORMATION  (psstt... this isn't the end !)


                           KNOWLEDGE

                         UNDERSTANDING

                             WISDOM

2. cuz that's the way we roll ...



PLAN  ->  DO  ->  CHECK (study)  ->  ACT  ->  back to PLAN




                        Wendy at the last SIEM team team-building weekend ...

3. Cylinders of excellence ...



NETWORK   |   INFRA   |   APPS   |   INFOSEC




4. COMPLIANCE DRIVEN SECURITY



Why do organisations do SIEM?

  I want to     5%
  I'm ready    15%
  I have to    80%   (regulatory, internal audit, higher forces)

  * I err on the side of optimism




5. FEAR DRIVEN SECURITY



"Manage your defenses based on reality, not on publicity !"  (Verizon DBIR 2010)




6. WYAFIWYG (what you ask for is what you get)




                            Detect APT Hackers !!


                                Correlation !


                             Log Management ...



Log Management ...

"We need to centralize and retain all log data from all of our boxes and we've been told SIEM is the way to go. What box can help us to get all that stuff centralized ?"




Correlation !

"We have heard of this thing called correlation and apparently $solution from $vendor can do that for us. When can you ship that box ?"




Detect APT Hackers !!

"Hackers are dangerous! We need SIEM to catch them ! (Gimme, gimme, gimme)"




"Fraud alerts are the leading method of discovering breaches"  (Verizon DBIR 2010)




Build YOUR use case !

  a. React Faster
  b. Improve Efficiency
  c. Automate Compliance

(Securosis : Understanding and Selecting SIEM/Log Management)




7. In the beginning ...



                        FLAT   HIERARCHY   MESH


Data Sources

Use Cases:  Who?   What?   When?   Where?   Why?

Data Points:
  src ip address
  dst ip address
  username
  host name
  app name
  action


8. Linking it up ...



CONTEXT  ->  SIEM

  Vulnerability Management
  Change Management
  CMDB
  Network Behaviour Analysis
  VM
  Incident Response Process
  Incident Data
  Infosec BI
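As an added example of "linking it up" (not code from the talk): a SIEM alert is enriched from constructed CMDB, vulnerability-management, change-management and incident-data lookups, and a priority is derived from that context. The tables, the scoring weights, the 90-day incident lookback and the P1/P2/P3 bands are assumptions; the point is that the same alert lands in a different queue depending on what the surrounding systems know about the host, and that a host the CMDB has never heard of is itself worth a look rather than a reason to drop the alert.

```python
from datetime import datetime, timedelta

# Constructed context stores (not from the talk). In practice these are lookups
# against the CMDB, the vulnerability scanner, the change tool and the ticket system.
CMDB = {
    "web01": {"owner": "web team", "environment": "production", "criticality": "high"},
    "app01": {"owner": "crm team", "environment": "test", "criticality": "low"},
}
OPEN_HIGH_VULNS = {"web01": 2, "app01": 0}      # open high-severity findings per host
APPROVED_CHANGES = [                            # (host, start, end, ticket)
    ("app01", datetime(2010, 9, 21, 9, 0), datetime(2010, 9, 21, 11, 0), "CHG-0042"),
]
PRIOR_INCIDENTS = {"web01": [datetime(2010, 8, 30)], "app01": []}

CRITICALITY_SCORE = {"low": 1, "medium": 2, "high": 3}   # assumed weights

# Constructed alerts as a SIEM rule would emit them (hosts/users are assumptions).
SAMPLE_ALERTS = [
    {"time": datetime(2010, 9, 21, 9, 2, 20), "host name": "web01", "username": "bob",
     "src ip address": "198.51.100.9", "info": "successful login after repeated failures"},
    {"time": datetime(2010, 9, 21, 10, 0, 0), "host name": "app01", "username": "carol",
     "src ip address": "10.0.0.5", "info": "bulk export"},
    {"time": datetime(2010, 9, 21, 10, 5, 0), "host name": "ghost99", "username": "svc",
     "src ip address": "10.0.0.9", "info": "login from new source"},
]


def enrich(alert, cmdb=CMDB, vulns=OPEN_HIGH_VULNS, changes=APPROVED_CHANGES,
           incidents=PRIOR_INCIDENTS, lookback=timedelta(days=90)):
    """Attach CMDB, vulnerability, change and incident context to one alert and
    derive a priority from it. Returns a copy of the alert with a 'context' key."""
    host = alert["host name"]
    asset = cmdb.get(host)
    ctx = {"asset": asset, "unknown_asset": asset is None}
    # An asset the CMDB does not know is a finding in itself: score it as medium
    # and flag it, instead of silently dropping the alert.
    score = CRITICALITY_SCORE[asset["criticality"]] if asset else CRITICALITY_SCORE["medium"]

    ctx["open_high_vulns"] = vulns.get(host, 0)
    if ctx["open_high_vulns"] > 0:
        score += 1                      # exposed host: an attacker has something to use

    ctx["recent_incidents"] = [t for t in incidents.get(host, [])
                               if alert["time"] - t <= lookback]
    if ctx["recent_incidents"]:
        score += 1                      # repeat offender

    ctx["change_window"] = next(
        (ticket for h, start, end, ticket in changes
         if h == host and start <= alert["time"] <= end),
        None,
    )
    if ctx["change_window"]:
        score -= 1                      # activity during an approved change is expected

    score = max(score, 1)               # context lowers priority, never discards the alert
    ctx["score"] = score
    ctx["priority"] = "P1" if score >= 4 else "P2" if score == 3 else "P3"
    return {**alert, "context": ctx}


if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        c = enrich(alert)["context"]
        print(alert["host name"], c["priority"], c["score"], c["change_window"], c["unknown_asset"])
```

With these tables, the web01 login lands at P1 (production, exposed, previously hit), the app01 export at P3 because it falls inside change CHG-0042, and the ghost99 alert at P3 but flagged as an unknown asset, which is the CMDB gap the SIEM has just found for you.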

9. Reporting for duty ...



1. Choose the right metrics
2. Choose the right charts
3. Learn how to interpret and visualize data
4. Reports/Scorecards are not only for management !




10. Standards ?



CEF (Common Event Format)        CEE (Common Event Expression)




CEE (Common Event Expression)

  event & log
  Taxonomy / Dictionary
  CELR  Common Event Log Recommendations
  CLS   Common Log Syntax
  CLT   Common Log Transport



CEE - Common Log Syntax

  Event
    Details
      Field:  Name, Entry
      Set:    Name, Entry
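Of the two standards above, CEF (ArcSight's published format) is the one a parser can be written against, so here is an added example, not code from the talk or from ArcSight, of parsing it correctly. A CEF record is `CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension`; a pipe inside a header field is escaped as `\|`, a backslash as `\\`, and inside the extension an equals sign in a value is escaped as `\=`, which is exactly what a naive `split('|')` followed by `split('=')` gets wrong. The extension comes out as the name/entry field pairs the CEE Common Log Syntax slide describes, and a last function maps them onto the talk's data points. The sample record, and the choice of `suser`/`dhost`/`act` as the keys that carry username, host name and action, are assumptions.

```python
import re

# Constructed CEF record (not from the talk). The header has an escaped pipe and
# the extension an escaped equals sign; both break naive splitting.
SAMPLE_CEF = (
    "CEF:0|Acme|WebGW|2.1|100|Login \\| auth attempt|5|"
    "src=10.1.2.3 dst=192.168.0.10 suser=alice dhost=web01 act=blocked "
    "msg=password\\=hunter2 rejected"
)

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")


def _split_unescaped(text, sep, limit=None):
    """Split `text` on `sep` unless the separator is preceded by a backslash.
    Escape sequences are kept verbatim so `_unescape` can resolve them later.
    With `limit`, at most that many splits are made and the rest is one piece."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(ch)
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == sep and (limit is None or len(parts) < limit):
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(text, translate=None):
    """Resolve backslash escapes: '\\x' becomes x, or its mapping in `translate`."""
    translate = translate or {}
    return re.sub(r"\\(.)", lambda m: translate.get(m.group(1), m.group(1)), text)


def parse_cef(line):
    """Parse one CEF record into its seven header fields plus an 'extension' dict
    of name -> entry. Raises ValueError for anything that is not a CEF record."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = _split_unescaped(line[len("CEF:"):], "|", limit=7)
    if len(header) != 8:
        raise ValueError("CEF header must have seven pipe-separated fields")
    event = {name: _unescape(value) for name, value in zip(HEADER_FIELDS, header[:7])}
    # Extension: key=value pairs separated by spaces, but values may contain spaces.
    # Split on unescaped '=' and peel the next key off the tail of each chunk.
    chunks = _split_unescaped(header[7], "=")
    ext, key = {}, chunks[0].strip()
    for chunk in chunks[1:-1]:
        value, _, next_key = chunk.rpartition(" ")
        ext[key] = _unescape(value, {"n": "\n", "r": "\r"})
        key = next_key
    if len(chunks) > 1:
        ext[key] = _unescape(chunks[-1], {"n": "\n", "r": "\r"})
    event["extension"] = ext
    return event


def to_data_points(event):
    """Map a parsed CEF event onto the data points from the talk. The CEF keys
    chosen here (src, dst, suser/duser, dhost/shost, act) are an assumption."""
    ext = event["extension"]
    return {
        "src ip address": ext.get("src"),
        "dst ip address": ext.get("dst"),
        "username": ext.get("suser") or ext.get("duser"),
        "host name": ext.get("dhost") or ext.get("shost"),
        "app name": event["device_product"],
        "action": ext.get("act"),
    }


if __name__ == "__main__":
    ev = parse_cef(SAMPLE_CEF)
    print(ev["name"], "->", to_data_points(ev))
```

Run it and the event name comes back as `Login | auth attempt` and the message as `password=hunter2 rejected`, which is also a reminder that "normalised" does not mean "safe to display": a field value is attacker-controlled text from the moment the source lets users influence it.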




                           Who to follow ?
                           @anton_chuvakin
                               @zrlram
                            @andrewsmhay
                              @rockyd
                             @securosis

