With the fast changing regulatory and threat landscape, organizations need to gain quick knowledge of how log management and SIEM solutions help them meet their compliance and security needs. The 2010 Data Breach Investigations Report highlights this issue, revealing that 86 percent of organizations breached had evidence of the breach in their logs. Had they found this evidence in a timely manner, they likely could have prevented much of the damage associated with a breach from occurring.
In this webcast, security and compliance expert Anton Chuvakin and Tripwire's Cindy Valladares offer practical strategies organizations can apply to meet their compliance needs and improve security with log management and SIEM solutions.
The difference between log management and SIEM solutions and why you need both.
How defining the problem you are trying to solve helps you choose the right solution.
A pragmatic approach to SIEM that ensures a successful compliance audit, but also improves security.
How SIEM and log management requirements tie in to various regulations and standards like PCI, HIPAA and NERC.
Additional steps organizations can take to improve security through the solutions they use for compliance.
Mistakes organizations make that undermine the organization's security.
Learn how solutions in the Tripwire VIA suite are a perfect fit for this pragmatic approach.
3. Outline
• Compliance Basics
• SIEM and Log Management Defined
• Why SIEM and LM?
• SIEM: A Perfect Compliance Technology
• Pragmatic Approach to SIEM/LM
• Moving Beyond Compliance!
• Conclusions
Security Warrior Consulting
www.securitywarriorconsulting.com
Dr. Anton Chuvakin
4. So, what are we doing?
Aka “What is Security?”
• Protecting the data
• Defending the network
• Guarding the IT environment
• Reducing “risk” (what risk?)
However, we are also:
• Checking the boxes
5. In Reality …
[Chart: compliance budget vs. security budget]
6. Compliance Reigns Supreme!
… even though the purpose of these mandates is to make sure organizations care about security!
7. Compliance Mystery Solved!!
Compliance is the “floor” of security
And a motivator to DO IT!
However, many prefer to treat it as a “ceiling”
Result: breaches, 0wnage, mayhem!
8. Compliance is NOT All!!!
YOUR DATA | CUSTODIAL DATA
Key Organization Data, IP, “Secrets”, Trade Secrets | SSN, PAN, ID, Addresses, Health records
Usually not regulated | Usually regulated: PCI
Loss causes pain to you! | Loss causes pain to others!
You are responsible for protection | You are responsible for protection
Cannot be “killed” | Can be “killed”
9. Big 3 for SIEM/LM
[Diagram: SIEM and LM at the overlap of the “big 3” drivers: Compliance, Security, Operations (Security Operations)]
10. SIEM vs LM
SIEM = SECURITY information and event management
vs
LM = LOG management
11. What MUST a SIEM Have?
1. Log and Context Data Collection
2. Normalization
3. Correlation (“SEM”)
4. Notification/alerting (“SEM”)
5. Prioritization (“SEM”)
6. Reporting (“SIM”)
7. Security role workflow
12. Just What Is “Correlation”?
• Dictionary: “establishing relationships”
• SIEM: “relate events together for security benefit”
• Why correlate events?
• Automated cross-device data analysis!
• Simple correlation rule:
• If this, followed by that, take some action
13. Pragmatic Approach to SIEM
1. List regulations
2. Identify other “use cases”
3. Review whether SIEM/LM is needed
4. Map features to controls
5. Select and deploy
6. Operationalize regulations
7. Expand use
14. What is a “Best Practice”?
• A process or practice that
– The leaders in the field are doing today
– Generally leads to useful results with cost effectiveness
15. BP1 Evolve to SIEM
Steps of a journey
• Establish response process
• Deploy a SIEM
• Think “use cases”
• Start filtering logs from LM to SIEM
– Phases!
• Prepare for the initial increase in workload
16. BP2 SIEM First Steps
First step = BABY steps!
• Compliance monitoring
– Log collection
– Log retention
– Log review
– Using logs to attest to other controls
• PCI DSS, HIPAA, ISO, ITIL and others
17. BP3 Evolve Beyond Compliance
Walk before you run!
• Focus on “Traditional” SIEM uses
– Authentication tracking
– IPS/IDS + firewall correlation
– Web application hacking
• Simple use cases
– based on your risk
• Now, what else can SIEM do for you?
18. Example SIEM Use Case
Cross-system authentication tracking
• Scope: all systems with authentication (!)
• Purpose: detect unauthorized access to systems
• Method: track login failures and successes
• Rule details: multiple login failures followed by login success
• Response plan: user account investigation, suspension, communication with suspect user
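The use case above, and the “if this, followed by that, take some action” correlation rule from slide 12, as an added example that is not code from the deck or from any SIEM product: constructed sshd and Windows-style logon lines from two hosts are normalized into one event schema, then a rule raises an alert when three or more failures for the same user and source IP are followed by a success within five minutes (thresholds, log formats and the 4624/4625 rendering are assumptions for the example, not from the slides).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real captures): sshd syslog lines from a Linux
# host and a simplified, made-up rendering of Windows logon events (4624/4625).
SAMPLE_LOGS = [
    "2010-09-01T10:00:01 srv1 sshd[912]: Failed password for alice from 10.0.0.5 port 5222 ssh2",
    "2010-09-01T10:00:03 srv1 sshd[912]: Failed password for alice from 10.0.0.5 port 5223 ssh2",
    "2010-09-01T10:00:05 srv1 sshd[912]: Failed password for alice from 10.0.0.5 port 5224 ssh2",
    "2010-09-01T10:00:09 srv1 sshd[913]: Accepted password for alice from 10.0.0.5 port 5225 ssh2",
    "2010-09-01T10:05:00 dc1 Security: EventID=4625 TargetUserName=bob IpAddress=10.0.0.9",
    "2010-09-01T10:05:02 dc1 Security: EventID=4624 TargetUserName=bob IpAddress=10.0.0.9",
    "2010-09-01T11:00:00 srv1 sshd[950]: Accepted password for carol from 10.0.0.7 port 5300 ssh2",
    "2010-09-01T11:00:01 srv1 kernel: eth0: link is up",  # unrelated line, not an auth event
]

SSHD_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
WIN_RE = re.compile(r"^(\S+) (\S+) Security: EventID=(4624|4625) TargetUserName=(\S+) IpAddress=(\S+)")


def normalize(line):
    """Normalization step: map a raw line from either source onto one universal
    event schema (time, host, user, src, outcome). Unknown formats return None;
    such lines stay in log management but cannot take part in correlation."""
    m = SSHD_RE.match(line)
    if m:
        ts, host, verdict, user, src = m.groups()
        outcome = "success" if verdict == "Accepted" else "failure"
    else:
        m = WIN_RE.match(line)
        if not m:
            return None
        ts, host, event_id, user, src = m.groups()
        outcome = "success" if event_id == "4624" else "failure"
    return {"time": datetime.fromisoformat(ts), "host": host, "user": user,
            "src": src, "outcome": outcome}


def correlate(lines, min_failures=3, window=timedelta(minutes=5)):
    """Correlation rule ("if this, followed by that"): min_failures or more
    failures for the same user and source IP, followed by a success within
    `window`, produce one alert. The "take some action" part is the response
    plan, which lives outside the rule; this function only returns the alerts."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    events = [e for e in map(normalize, lines) if e is not None]
    for e in sorted(events, key=lambda ev: ev["time"]):  # cross-source, time ordered
        q = failures[(e["user"], e["src"])]
        while q and e["time"] - q[0] > window:  # age out failures outside the window
            q.popleft()
        if e["outcome"] == "failure":
            q.append(e["time"])
        elif len(q) >= min_failures:
            alerts.append({"user": e["user"], "src": e["src"], "host": e["host"],
                           "failures": len(q), "success_at": e["time"].isoformat()})
            q.clear()  # one alert per burst, not one per later successful login
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Only alice's burst of three failures followed by a success matches; bob's single failure and carol's clean login stay below the threshold, and the kernel line is dropped at normalization.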
19. SIEM Usage Scenarios
1. Security Operations Center (SOC)
– RT views, analysts 24/7, chase alerts
2. Mini-SOC / “morning after”
– Delayed views, analysts 1/24, review and drill-down
3. “Automated SOC” / alert + investigate
– Configure and forget, investigate alerts
4. Compliance status reporting
– Review reports/views weekly/monthly
20. Secret to SIEM Magic!
[Diagram, three layers: “Operationalizing” SIEM (e.g. SOC building); Deployment Service; SIEM Software/Appliance]
21. SIEM and Compliance Mistakes
• Log collection is NOT compliance
– Many regulations prescribe log review!
• Obsess about letter, forget the spirit!
– Regulations compel you to do the right thing, not check the box
• Address regulations in silo’ fashion
– Expand and adopt your SIEM across mandates
22. How To “Profit” From Compliance?
Everything you do for compliance MUST have security benefit for your organization!
SIEM and Log Management MUST work!
23. Conclusions: SIEM and Compliance
• Use compliance to get SIEM/LM
• Start USING SIEM for compliance
– Operationalize!
• Slowly expand beyond compliance
• Address common use cases for log data
– Celebrate success after each phase!
24. Questions?
Dr. Anton Chuvakin
Security Warrior Consulting
Email: anton@chuvakin.org
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
Twitter: @anton_chuvakin
Consulting: http://www.securitywarriorconsulting.com
25. More on Anton
• Now: independent consultant
• Book author: “Security Warrior”, “PCI Compliance”,
“Information Security Management Handbook”, “Know
Your Enemy II”, “Hacker’s Challenge 3”, etc
• Conference speaker: SANS, FIRST, GFIRST, ISSA,
CSI, Interop, many, many others worldwide
• Standard developer: CEE, CVSS, OVAL, etc
• Community role: SANS, Honeynet Project, WASC, CSI,
ISSA, OSSTMM, InfraGard, ISSA, others
• Past roles: Researcher, Security Analyst, Strategist,
Evangelist, Product Manager
26. Want a PCI DSS Book?
“PCI Compliance” by Anton Chuvakin and Branden Williams
Useful reference for merchants, vendors – and everybody else
Released December 2009!
2/3 of value in OWN data, ½ is spent protecting it!
Forrester report: “Custodial data has little intrinsic value in and of itself. But when it is obtained by an unauthorized party, misused, lost, or stolen, it changes state. Data that is ordinarily benign transforms into something harmful. When custodial data is spilled, it becomes “toxic” and poisons the enterprise’s air in terms of press headlines, fines, and customer complaints. Outsiders, such as organized criminals, value custodial data because they can make money with it. Custodial data also accrues indirect value to the enterprise based on the costs of fines, lawsuits, and adverse publicity.”
+ infrastructure to handle either kind of data, business critical processes, etc!!!
Consequences:
"PCI technology" or "PCI industry"
Custodian vs owner of data
Laws made you secure 3rd party data
You are free to screw yourself by losing your data
PCI vs "your risk": might be protecting CC > your key data!
Another way to decide is to look at what problem you’re trying to solve with the tool. Over the years, the following areas where SIEM and log management tools can deliver value have emerged:
Security, detective, and investigative: sometimes also called threat management, this focuses on detecting and responding to attacks, malware infection, data theft and other security issues. It is very useful to see this as two separate factors: monitoring and detection of security issues vs investigation and forensic analysis of security incidents.
Compliance, regulatory (global) and policy (local): this focuses on satisfying the requirements of various laws, mandates and frameworks. Most of the mandates have the intention of helping you improve security, so there is a lot of overlap between this and the previous item.
Operational, system and network troubleshooting and administration: specific mostly to log management, this use case has to do with investigating system problems as well as monitoring the availability of systems and applications.
Security Information and Event Management covers relevant log collection, aggregation, normalization, retention; context data collection; alerting; analysis (correlation, prioritization); presentation (reporting, visualization); security-related workflow and relevant security content. Typical uses for SIEM tools center around network security, data security as well as regulatory compliance. On the other hand, Log Management includes comprehensive log collection, original log retention; analysis; presentation (search, reporting, and visualization); related workflow and relevant content such as reports and search queries. Log management usage is broad and covers all possible applications for log data across IT and even beyond information technology – but certainly includes security and compliance use. To summarize this, SIEM focuses on security while log management focuses on a broad use for log data. Most specifically, SIEM tools include correlation and other real time analysis functionality, useful for real-time monitoring. Log tools often focus on advanced search across all log data. Today, many tools combine select capabilities of SIEM and log management in a single product or product suite.
Security Information and Event Management = relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content.
UPDATE - see infoBoom
Let’s further define what features can be called defining SIEM features; most organizations will look for most of these features while choosing a SIEM product. The features are:
1. Log and Context Data Collection includes being able to collect logs and context data using a combination of agent-based and agentless methods.
2. Normalization covers being able to convert most original logs into a universal format, usable for cross-source reporting and correlation.
3. Correlation is used to describe rule-based correlation, statistical or algorithmic correlation as well as other methods that include relating different events to each other and events to context data.
4. Notification/alerting includes being able to trigger notifications or alerts to operators or managers. Common alerting mechanisms include email, SMS, or even SNMP messages.
5. Prioritization includes different features that help highlight the important events over less critical security events. This may be accomplished by correlating security events with vulnerability data or asset and identity information.
6. Real-time views cover security-monitoring dashboards and displays, used by security operations personnel. Such views are handy when looking at current system and user activity.
7. Reporting and scheduled reporting cover all the historical views of data collected by the SIEM product. Some products also have a mechanism for distributing reports to security personnel, either over e-mail or using a dedicated web portal. SIEM reporting relies on parsing and normalizing log data.
8. Security role workflow covers incident management features such as being able to open incident cases, perform investigative triage, as well as automatically or semi-automatically perform other security operations tasks.
What is correlation? Different definitions given by different people.
Dictionary: “establishing relationships”
Why correlate events? Cross-device data analysis
What else one might want to correlate? Events and …
First, compile a list of regulations that you have to comply with, paying particular attention to areas where a SIEM or log management tool can be useful. In many cases, the list will contain only one regulation – but the one you absolutely must handle.
Next, if possible, review other possible goals that SIEM can help you achieve. Deciding whether SIEM satisfies a critical business need – such as by being an enabling technology for your SOC – is an essential step.
Third, at this point you must decide whether you are prepared to work to make SIEM solve your problem – whether compliance or other. Despite help from the vendor and possibly consultants, there are areas where you have to work to make SIEM work.
Now, acquire and implement the SIEM solution. This is where you work jointly with the vendor in order to build your initial implementation for regulatory compliance, such as PCI DSS.
Now, start actually using SIEM for both “letter and spirit” of the regulation. This is the most important step in the approach – one of the biggest mistakes organizations make in this area is thinking that simply owning a SIEM tool makes them compliant. In reality, building daily operational procedures and processes to go with your SIEM is the only way to do that. Sadly, few people remember that PCI DSS prescribes a large set of periodic tasks, from annual to daily (log review being the most well-known example of a daily practice) and not just “having logs.”
Finally, expand the use case to beyond compliance. Only at this step can you plan for expanding deployment and solving other problems. The tips for that are provided in the next section. One way to quickly grow your security capability is on the incident response side. This is due to the fact that the easiest and most common security use for log management and SIEM tools – beyond compliance – is related to incident response and forensics.
Happy with LM? Then go -> SIEM
Phased deployment! Filter some logs into SIEM
How to decide? Correlation, use cases, stakeholders, etc
Prepare to build use cases slowly
Things to watch for while evolving
Initially increased workload: now you do more useful stuff!
SIEM first steps
Simple use cases that are your own: based on key risks to your business, key issues you’d like to monitor for
Security monitoring for compliance
Traditional use (if customer does not have preferred use cases and does not know how to find them):
IDS/IPS and firewall analysis
Login tracking
Web application hacking
SIEM use cases
SOC – full real-time monitoring
Mini-SOC / ”morning after”
Remote monitoring + investigations
Compliance status reporting
SIEM for Compliance Mistakes
The most burning logging, SIEM and compliance mistake is simply this: thinking that to be compliant you have to have logs collected in a log management tool – and do nothing else. This mistake is as egregious as they come – simply reading the text of most regulations will uncover such items as log review, log protection, logging specific details for various events, handling exceptions and many other items. PCI DSS prescribes log review and log protection, HIPAA calls for monitoring, NERC asks for incident processes; not a single regulation is only about storing logs.
A second common mistake is focusing on the letter of regulations – and not their intended spirit. The best way to summarize it is: if you focus on security, you have a shot at being compliant and secure; if you only focus on compliance, you will likely be neither secure nor compliant. Just ask the victims of recent breaches who were justifiably found to not be compliant.
Finally, a silo’d approach to regulations is unfortunately the norm today. Still, it does not make it right – it is still a mistake. Given the large overlap across regulations in what they mandate in regards to logging, security monitoring, change detection, incident response and other security practices, it makes sense to implement this superset of requirements and not try to “chew” on regulations one by one, wasting resources and causing delays.
OR: Every time you think “Compliance OR security,” god kills a kitten!
Profit = not ROI scam, but how to benefit from the fact that PCI exists.
HACKER <- This is the enemy!
This is NOT the enemy! -> QSA
Security first, compliance as a result
Compliance as motivation, security as action
Philosophy
Do you agree with "laws against stupid?"
Tenuous connection of controls/practices vs outcomes
Compliance is "easy", security is hard
If you lose my SSN, I WANT your business to FAIL!
Compliance vs risk. Or is it FOR risk?
"We might get hacked, but we will get audited"
Age of irresponsibility / entitlement
ANTI-COMPLIANCE
"Checklist mentality"
"Teaching for the test"
"Whack-an-auditor" game
Induction of "mandate=ceiling" thinking
Narrow focus on mandated controls
No focus on controls effective for you!
Lack of innovation
Slow speed of mandate changes
Difference in assessment quality
Extra diligence of post-breach assessment
Total disconnection of compliance from security
$0.71/month scans
Compliance spending misaligned with risk
Unhappy with compliance? Never did ANY security
"PCI compliance has not been “operationalized” by 95 percent of merchants"
Conclusions
While some organizations continue to try to degrade sensible security requirements to some minimum baseline, this is not a recipe to create customer trust and protect the data. Some of the recent challenges with SIEM and log management frequently stem from the fact that powerful SIEM technology is purchased to address a compliance mandate – and to do so in narrow and short-sighted fashion. Following our roadmap to effective use of SIEM for compliance and beyond will allow you to avoid the mistakes and gain all the benefits you paid for when procuring a SIEM or log management tool. Next, you can expand the use of a SIEM beyond compliance to security and operational use cases, focusing on improved incident response practices and then going to near-real-time automated security monitoring. This is the only way to gain visibility and thus control over your ever growing IT environments. This is also the only way to prepare for the onslaught of virtualization and cloud computing, which will muddy the waters of what information and IT assets need to be protected. The final word on succeeding with SIEM is this: start using the regulatory guidance, take it to heart, operationalize it, then expand to solving “bigger and better” problems.