SlideShare une entreprise Scribd logo

SIEM 101: Get a Clue About IT Security Analysis

Télécharger en tant que PPTX, PDF
AlienVault
AlienVault

How real-time network sleuthing can help you lock down IT. Everyone in IT knows that security is a big deal, but did you know that SIEM (security information and event management) can help protect your network from data breaches, even when traditional defenses fail? If SIEM a mystery to you, lets grab Colonel Mustard, the candlestick and head to the library because this mystery is about to be solved. We'll be giving out more than just clues in this webinar: you'll discover explanations of security concepts, tools, tips and tricks as we unravel the mystery of how to better protect your network. Bring your magnifying glass, because you’ll also learn about event correlation, EPS, normalization and other things that will surely impress your friends. Sign up now to learn from our chief gumshoe and noted SIEM Enthusiast Joe Schreiber. He’ll explain the reasons that SIEM exists, how it works, and most importantly - what you can do with it. IT WAS MR. BODDY ALL ALONG!!!

Technologie
1  sur  46
GET A CLUE ABOUT IT SECURITY ANALYSIS: SIEM 101 Presenters: Joe Schreiber, Solutions Architect Garrett Gross, Sr. Technical PMM
About AlienVault AlienVault has unified the security products, intelligence and community essential for mid-sized businesses to defend against today’s modern threats
Your Presenter… Who’s Joe? • Solutions Architect @ AlienVault • SIEM Enthusiast • Former SOC Manager/Analyst/Programmer w/ AT&T Managed Security Services Resources • Blog Posts - Open Source Intrusion Detection Tools: A Quick Overview - MSSP – The New Acceptance • Webinars - Data Sources, Policies, and more… • Webinar Series: Practitioners Guide - Practitioners Guide to SOC - The One-Man SOC - SIEM 101 -- in progress **Help Joe select his next webinar topic! Tweet: @pkt_inspector
What is SIEM The Problem Before SIEM How does it work? • Normalization • Prioritization • Correlation Context Enhancement Who cares?
WHAT IS SIEM?
Acronyms are Fun! Fancy lettering makes it look cool But what about? • SEM – Security Event Management • SIM – Security Information Management • SIEM – Security Incident & Event Management • Log Management • ESM • Central Loghost • Indexing • ??Big Data??
Why I Like SIEM Automation Security
THE PROBLEM FOR SIEM
The Beginning Not much happening here…. The Interwebs Administrator Crash Override
Add Some Servers Still not really interesting… The Interwebs Administrator Crash Override Servers
Add Some Threats Starting to get interesting… The Interwebs Administrator Crash Override Servers IDS
Maybe You Are Here? Oh Noze! The Interwebs Administrator Crash Override Servers IDS WAF IPS UTM
Where You Really Are This isn’t good... The Interwebs Administrator Crash Override Servers IDS WAF IPS UTM
BEFORE SIEM
What they did back in the ol’ days Logs? What are those? Oh Logs? Yeah we just keep those on the server. Logs? We send those to a central server. Why are we storing these log? Maybe we search the logs? Now I’m bored.
We’ve come a long way The Evolution server#tail –f messages [boring stuff…] logserver#tail –f messages [boring stuff from all servers] logserver#tail –f messages | grep “[Interesting Stuff]” [secretly hoping for no results] logserver#mysql database>SELECT boring FROM stuff WHERE server = ‘myserver’; Siem#mysql database>SELECT source_ip FROM stuff WHERE [Magic];
All Search and No Intelligence Why SIEM? You can do more than just write logs to disk Patterns of events are as important as a single event Search can not easily answer • What is this server? • How important is this server? • Why is this data being exchanged? • Who is responsible for this server?
How SIEM Works It’s Magic!
ARCHITECTURE
The Building Blocks Collection Normalization Correlation Notification Database Reporting Storage
Log Lifecycle Log goes in…Event comes out
NORMALIZATION
Normalization Making logs useful Logs are usually unstructured pieces of information Normalization adds structure Databases are structured There are different methods of normalization The output is the same no matter the method
Turning Chaos Into Order Start 127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 End Date 10/10/2000 13:55:36 Source IP 127.0.0.1 Username frank URL /apache_pb.gif Status 200 Bytes 2326
Aren’t All Logs Just The Same? May 21 20:22:28 slacker sshd[21487]: Failed password for root from 192.168.20.10 port 1045 ssh2 source_IP: 192.168.200.10 source_port: 1045 user: root May 21 20:22:44 slacker proftpd[25557] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]):2023 USER root (Login failed): Incorrect password. source_IP: 192.168.200.10 source_port: 2023 user: root Account For Which Logon Failed: Security ID: NULL SID Account Name: root Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Network Information: Workstation Name: WIN-R9H529RIO4Y Source Network Address: 192.168.20.10 Source Port: 53176 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM source_IP: 192.168.200.10 source_port: 53176 user: root
PRIORITIZATION
Prioritization What’s more important? One of the biggest use cases for SIEM It’s Subjective IDS largely responsible
The Numbers Unique number of log types IDS Rules UTM Device Firewall Windows Database 65939 11042 766 563 183
What Would You Do? So which is more important? o Jul 7 10:55:56 srbarriga sshd(pam_unix)[16660]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.168.20.111 user=root o 2007-03-03 10:23:40 24.252.248.163 - W3SVC3 SERVER55 192.168.1.15 80 GET /images/9a.jpg - 200 0 32022 324 47 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - http://www.yahoo.com/ o Sep 7 06:25:28 PIXName %PIX-6-302013: Built inbound TCP connection 141968 for db:10.0.0.1/60749 (10.0.0.1/60749) to NP Identity Ifc: 10.0.0.2/22 (10.0.0.2/22) o 200.96.104.241 - - [12/Sep/2006:09:44:28 -0300] "GET /modules.php?name=Downloads&d_op=modifydownloadrequest&%20lid=- 1%20UNION%20SELECT%200,username,user_id,user_password,name,%20user_email,user_level,0,0%20FROM%20nuke_u sers HTTP/1.1" 200 9918 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)” o Sep 1 10:38:36 10.10.10.1 614: *Sep 1 17:36:34.303: %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:59633 -> 10.10.10.10:80]
Is There Any Easier Way? Math! Assign a numerical priority to an Event Make comparison 5 > 2 • Easy Button Risk Algorithms
CORRELATION
Correlation Don’t confuse me with your words Correlation – The process of creating new information from one or more possibly disparate information sources.
Correlation: Aggregation Not actually Correlation but… Happens after Normalization Generally occurs in the Correlation Engine Some SIEMS do their “counting” during Aggregation Aggregation can lose information
Correlation: Aggregation Not actually Correlation but… May 21 20:22:28 slacker sshd[21487]: Failed password for root from 192.168.20.185 port 1045 ssh2 May 21 20:22:29 slacker sshd[21487]: Failed password for root from 192.168.20.185 port 1045 ssh2 May 21 20:22:30 slacker sshd[21487]: Failed password for root from 192.168.20.185 port 1045 ssh2 May 21 20:22:31 slacker sshd[21487]: Failed password for root from 192.168.20.185 port 1045 ssh2 May 21 20:22:32 slacker sshd[21487]: Failed password for root from 192.168.20.185 port 1045 ssh2 May 21 20:22:33 Multiple Failed Logins from 192.168.20.185 for user root
Correlation: Thresholds An extension of Aggregation Something happens N times Something happens in X timeframe Something is of X priority or higher Thresholds can be applied to any Normalized data field
Correlation: Thresholds An Extension of Aggregation May 3 05:15:42.790 UTC: %SEC-6-IP: list 199 permitted tcp 10.131.5.17(3737) -> 10.0.4.101(22), 1 packet May 3 05:15:44.404 UTC: %SEC-6-IP: list 199 denied tcp 10.131.5.17(3738) -> 10.0.4.101(445), 1 packet May 3 05:15:44.790 UTC: %SEC-6-IP: list 199 permitted tcp 10.131.5.17(3739) -> 10.0.4.101(80), 1 packet May 3 05:15:45.404 UTC: %SEC-6-IP: list 199 denied tcp 10.131.5.17(3740) -> 10.0.4.101(135), 1 packet May 3 05:15:46.790 UTC: %SEC-6-IP: list 199 permitted tcp 10.131.5.17(3741) -> 10.0.4.101(143), 1 packet May 3 05:15:47.404 UTC: %SEC-6-IP: list 199 denied tcp 10.131.5.17(3742) -> 10.0.4.101(123), 1 packet May 3 05:15:48.790 UTC: %SEC-6-IP: list 199 permitted tcp 10.131.5.17(3743) -> 10.0.4.101(79), 1 packet May 3 05:15:49.404 UTC: %SEC-6-IP: list 199 denied tcp 10.131.5.17(3744) -> 10.0.4.101(443), 1 packet Rule: If Unique(dest_port) > 5 then Alert: Portscan detected from host 10.131.5.17
Correlation: Logical (Not(P)) if and only if (not(Q)) IF [this] && [that] • THEN [dothis] IF “User_Login” && TimeOfDay > 20:00 • THEN ‘Possible Account Compromise’ IF count(SRC_IP) > 100 && event(‘SYN’) • THEN ‘DDOS’
WAIT THERE’S MORE!
Context Enrichment It’s not what I said, it’s where I said it… Adding Context to events helps you examine risk Context Enhancement is still “new” to SIEM
Context Before GET /checkin.php?flood=1 Host: 192.168.100.45 Host: 34.123.123.123
Context After Host: 192.168.100.45 Hostname: prodweb01 Role: Server Ports: 22, 80, 1337 OS: Windows XP (Really?) Host: 34.123.123.123 Threat Intel: Known C&C No Events in last Month Web Server: [Unknown] Location: EvilAxisCountry GET /checkin.php?flood=1
Threat Intelligence
Why Use SIEM? Security – duh Compliance Monitoring Operations
EPS !$%@#$ Events Per Second Like the Cake, it’s a lie [most of the time] Real-Time Batch Processing (collection)
AlienVault Unified Security Management
Now for some Q&A Test Drive AlienVault USM Download a Free 30-Day Trial http://www.alienvault.com/free-trial Try our Product Sandbox http://www.alienvault.com/live-demo-site Questions? Email: hello@alienvault.com Contact us on Twitter: • Joe Schreiber @pkt_inspector • Garrett Gross @garretthgross

Recommandé

Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chain
Symantec Brasil
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdf
slametarrokhim1
 
Threat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptxThreat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptx
Infosec
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
AlienVault
 
Pen Testing Explained
Pen Testing ExplainedPen Testing Explained
Pen Testing Explained
Rand W. Hirt
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
Vishal Kumar
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Nezar Alazzabi
 
Six Steps to SIEM Success
Six Steps to SIEM SuccessSix Steps to SIEM Success
Six Steps to SIEM Success
AlienVault
 

Recommandé

Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chain
Symantec Brasil
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdf
slametarrokhim1
 
Threat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptxThreat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptx
Infosec
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
AlienVault
 
Pen Testing Explained
Pen Testing ExplainedPen Testing Explained
Pen Testing Explained
Rand W. Hirt
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
Vishal Kumar
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Nezar Alazzabi
 
Six Steps to SIEM Success
Six Steps to SIEM SuccessSix Steps to SIEM Success
Six Steps to SIEM Success
AlienVault
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
David Sweigert
 
SOAR and SIEM.pptx
SOAR and SIEM.pptxSOAR and SIEM.pptx
SOAR and SIEM.pptx
Ajit Wadhawan
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
Nishanth Kumar Pathi
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
CrowdStrike
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
Michael Gough
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
hardik soni
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
Ahmed Ayman
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wire
InfoSec Addicts
 
Techowl- Wazuh.pdf
Techowl- Wazuh.pdfTechowl- Wazuh.pdf
Techowl- Wazuh.pdf
AbhishekChaudhary518667
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptx
SandeshUprety4
 
Welcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceWelcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat Intelligence
Andreas Sfakianakis
 
Ppt.1
Ppt.1Ppt.1
Ppt.1
veeresh35
 
CISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsCISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security Concepts
Karthikeyan Dhayalan
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
MITRE ATT&CK
 
SIEM and Threat Hunting
SIEM and Threat HuntingSIEM and Threat Hunting
SIEM and Threat Hunting
n|u - The Open Security Community
 
Cyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsCyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metrics
Mark Arena
 
Cyber attaques APT avec le framework MITRE ATT&CK
Cyber attaques APT avec le framework MITRE ATT&CKCyber attaques APT avec le framework MITRE ATT&CK
Cyber attaques APT avec le framework MITRE ATT&CK
EyesOpen Association
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3
Shawn Croswell
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur Vats
OWASP Delhi
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
AlienVault
 
The Evolution of IDS: Why Context is Key
The Evolution of IDS: Why Context is KeyThe Evolution of IDS: Why Context is Key
The Evolution of IDS: Why Context is Key
AlienVault
 

Contenu connexe

Tendances

Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
CrowdStrike
 
Welcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceWelcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat Intelligence
Andreas Sfakianakis
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
MITRE ATT&CK
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3
Shawn Croswell
 

Tendances (20)

Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
SOAR and SIEM.pptx
SOAR and SIEM.pptxSOAR and SIEM.pptx
SOAR and SIEM.pptx
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wire
 
Techowl- Wazuh.pdf
Techowl- Wazuh.pdfTechowl- Wazuh.pdf
Techowl- Wazuh.pdf
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptx
 
Welcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceWelcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat Intelligence
 
Ppt.1
Ppt.1Ppt.1
Ppt.1
 
CISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsCISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security Concepts
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
SIEM and Threat Hunting
SIEM and Threat HuntingSIEM and Threat Hunting
SIEM and Threat Hunting
 
Cyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsCyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metrics
 
Cyber attaques APT avec le framework MITRE ATT&CK
Cyber attaques APT avec le framework MITRE ATT&CKCyber attaques APT avec le framework MITRE ATT&CK
Cyber attaques APT avec le framework MITRE ATT&CK
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur Vats
 

En vedette

The Evolution of IDS: Why Context is Key
The Evolution of IDS: Why Context is KeyThe Evolution of IDS: Why Context is Key
The Evolution of IDS: Why Context is Key
AlienVault
 
Demo how to detect ransomware with alien vault usm_gg
Demo how to detect ransomware with alien vault usm_ggDemo how to detect ransomware with alien vault usm_gg
Demo how to detect ransomware with alien vault usm_gg
AlienVault
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM
AlienVault
 
How to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USMHow to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USM
AlienVault
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault
 
What's New Logrhythm 5.1 Data Sheet
What's New Logrhythm 5.1 Data SheetWhat's New Logrhythm 5.1 Data Sheet
What's New Logrhythm 5.1 Data Sheet
jordagro
 
LogRhythm Web Rhythm Data Sheet
LogRhythm Web Rhythm Data SheetLogRhythm Web Rhythm Data Sheet
LogRhythm Web Rhythm Data Sheet
jordagro
 
LogRhythm Advanced Agent Data Sheet
LogRhythm Advanced Agent Data SheetLogRhythm Advanced Agent Data Sheet
LogRhythm Advanced Agent Data Sheet
jordagro
 

En vedette (20)

SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
 
The Evolution of IDS: Why Context is Key
The Evolution of IDS: Why Context is KeyThe Evolution of IDS: Why Context is Key
The Evolution of IDS: Why Context is Key
 
Demo how to detect ransomware with alien vault usm_gg
Demo how to detect ransomware with alien vault usm_ggDemo how to detect ransomware with alien vault usm_gg
Demo how to detect ransomware with alien vault usm_gg
 
Creating Correlation Rules in AlienVault
Creating Correlation Rules in AlienVaultCreating Correlation Rules in AlienVault
Creating Correlation Rules in AlienVault
 
Improve Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesImprove Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation Directives
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 
Modern vs. Traditional SIEM
Modern vs. Traditional SIEM Modern vs. Traditional SIEM
Modern vs. Traditional SIEM
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source Security
 
SIEM evolution
SIEM evolutionSIEM evolution
SIEM evolution
 
Implementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and LessonsImplementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and Lessons
 
How to Choose the Right Security Information and Event Management (SIEM) Solu...
How to Choose the Right Security Information and Event Management (SIEM) Solu...How to Choose the Right Security Information and Event Management (SIEM) Solu...
How to Choose the Right Security Information and Event Management (SIEM) Solu...
 
What's New in AlienVault v3.0?
What's New in AlienVault v3.0?What's New in AlienVault v3.0?
What's New in AlienVault v3.0?
 
How to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USMHow to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USM
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
 
Otx introduction sw
Otx introduction swOtx introduction sw
Otx introduction sw
 
What's New Logrhythm 5.1 Data Sheet
What's New Logrhythm 5.1 Data SheetWhat's New Logrhythm 5.1 Data Sheet
What's New Logrhythm 5.1 Data Sheet
 
LogRhythm Web Rhythm Data Sheet
LogRhythm Web Rhythm Data SheetLogRhythm Web Rhythm Data Sheet
LogRhythm Web Rhythm Data Sheet
 
LogRhythm Advanced Agent Data Sheet
LogRhythm Advanced Agent Data SheetLogRhythm Advanced Agent Data Sheet
LogRhythm Advanced Agent Data Sheet
 
Securityanalytics
SecurityanalyticsSecurityanalytics
Securityanalytics
 

Similaire à SIEM 101: Get a Clue About IT Security Analysis

Introduzione ai network penetration test secondo osstmm
Introduzione ai network penetration test secondo osstmmIntroduzione ai network penetration test secondo osstmm
Introduzione ai network penetration test secondo osstmm
Simone Onofri
 
Spca2014 advanced share point troubleshooting hessing
Spca2014 advanced share point troubleshooting hessingSpca2014 advanced share point troubleshooting hessing
Spca2014 advanced share point troubleshooting hessing
NCCOMMS
 
MongoDB World 2019: Becoming an Ops Manager Backup Superhero!
MongoDB World 2019: Becoming an Ops Manager Backup Superhero!MongoDB World 2019: Becoming an Ops Manager Backup Superhero!
MongoDB World 2019: Becoming an Ops Manager Backup Superhero!
MongoDB
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
Yossi Sassi
 
MySQL Database Monitoring: Must, Good and Nice to Have
MySQL Database Monitoring: Must, Good and Nice to HaveMySQL Database Monitoring: Must, Good and Nice to Have
MySQL Database Monitoring: Must, Good and Nice to Have
Sveta Smirnova
 

Similaire à SIEM 101: Get a Clue About IT Security Analysis (20)

Introduzione ai network penetration test secondo osstmm
Introduzione ai network penetration test secondo osstmmIntroduzione ai network penetration test secondo osstmm
Introduzione ai network penetration test secondo osstmm
 
NetConf 2018 BPF Observability
NetConf 2018 BPF ObservabilityNetConf 2018 BPF Observability
NetConf 2018 BPF Observability
 
High Availability in 37 Easy Steps
High Availability in 37 Easy StepsHigh Availability in 37 Easy Steps
High Availability in 37 Easy Steps
 
Sourcefire Vulnerability Research Team Labs
Sourcefire Vulnerability Research Team LabsSourcefire Vulnerability Research Team Labs
Sourcefire Vulnerability Research Team Labs
 
A New Framework for Detection
A New Framework for DetectionA New Framework for Detection
A New Framework for Detection
 
Application Performance Troubleshooting 1x1 - Von Schweinen, Schlangen und Pa...
Application Performance Troubleshooting 1x1 - Von Schweinen, Schlangen und Pa...Application Performance Troubleshooting 1x1 - Von Schweinen, Schlangen und Pa...
Application Performance Troubleshooting 1x1 - Von Schweinen, Schlangen und Pa...
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
 
Spca2014 advanced share point troubleshooting hessing
Spca2014 advanced share point troubleshooting hessingSpca2014 advanced share point troubleshooting hessing
Spca2014 advanced share point troubleshooting hessing
 
OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010
 
What you wanted to know about MySQL, but could not find using inernal instrum...
What you wanted to know about MySQL, but could not find using inernal instrum...What you wanted to know about MySQL, but could not find using inernal instrum...
What you wanted to know about MySQL, but could not find using inernal instrum...
 
Chapter 4 access control fundamental ii
Chapter 4 access control fundamental iiChapter 4 access control fundamental ii
Chapter 4 access control fundamental ii
 
Application Performance Troubleshooting 1x1 - Part 2 - Noch mehr Schweine und...
Application Performance Troubleshooting 1x1 - Part 2 - Noch mehr Schweine und...Application Performance Troubleshooting 1x1 - Part 2 - Noch mehr Schweine und...
Application Performance Troubleshooting 1x1 - Part 2 - Noch mehr Schweine und...
 
MongoDB World 2019: Becoming an Ops Manager Backup Superhero!
MongoDB World 2019: Becoming an Ops Manager Backup Superhero!MongoDB World 2019: Becoming an Ops Manager Backup Superhero!
MongoDB World 2019: Becoming an Ops Manager Backup Superhero!
 
Debugging Complex Systems - Erlang Factory SF 2015
Debugging Complex Systems - Erlang Factory SF 2015Debugging Complex Systems - Erlang Factory SF 2015
Debugging Complex Systems - Erlang Factory SF 2015
 
Configuring Data Sources in AlienVault
Configuring Data Sources in AlienVaultConfiguring Data Sources in AlienVault
Configuring Data Sources in AlienVault
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modem
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
 
MySQL Database Monitoring: Must, Good and Nice to Have
MySQL Database Monitoring: Must, Good and Nice to HaveMySQL Database Monitoring: Must, Good and Nice to Have
MySQL Database Monitoring: Must, Good and Nice to Have
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
 

Plus de AlienVault

Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
AlienVault
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usm
AlienVault
 
The State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICThe State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHIC
AlienVault
 
Incident response live demo slides final
Incident response live demo slides finalIncident response live demo slides final
Incident response live demo slides final
AlienVault
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USM
AlienVault
 
How Malware Works
How Malware WorksHow Malware Works
How Malware Works
AlienVault
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
AlienVault
 
AWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & Response
AlienVault
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USM
AlienVault
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSIDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDS
AlienVault
 

Plus de AlienVault (20)

Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
 
Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVault
 
Simplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMSimplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USM
 
Insider Threat Detection Recommendations
Insider Threat Detection RecommendationsInsider Threat Detection Recommendations
Insider Threat Detection Recommendations
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworks
 
Open Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideOpen Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's Guide
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usm
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usm
 
The State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICThe State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHIC
 
Incident response live demo slides final
Incident response live demo slides finalIncident response live demo slides final
Incident response live demo slides final
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USM
 
How Malware Works
How Malware WorksHow Malware Works
How Malware Works
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
 
AWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & Response
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USM
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM Installation
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSIDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDS
 

Dernier

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 

Dernier (20)

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 

SIEM 101: Get a Clue About IT Security Analysis

  • 1. GET A CLUE ABOUT IT SECURITY ANALYSIS: SIEM 101 Presenters: Joe Schreiber, Solutions Architect Garrett Gross, Sr. Technical PMM
  • 2. About AlienVault AlienVault has unified the security products, intelligence and community essential for mid-sized businesses to defend against today’s modern threats
  • 3. Your Presenter… Who’s Joe? • Solutions Architect @ AlienVault • SIEM Enthusiast • Former SOC Manager/Analyst/Programmer w/ AT&T Managed Security Services Resources • Blog Posts - Open Source Intrusion Detection Tools: A Quick Overview - MSSP – The New Acceptance • Webinars - Data Sources, Policies, and more… • Webinar Series: Practitioners Guide - Practitioners Guide to SOC - The One-Man SOC - SIEM 101 -- in progress **Help Joe select his next webinar topic! Tweet: @pkt_inspector
  • 4. What is SIEM The Problem Before SIEM How does it work? • Normalization • Prioritization • Correlation Context Enhancement Who cares?
  • 6. Acronyms are Fun! Fancy lettering makes it look cool But what about? • SEM – Security Event Management • SIM – Security Information Management • SIEM – Security Incident & Event Management • Log Management • ESM • Central Loghost • Indexing • ??Big Data??
  • 7. Why I Like SIEM Automation Security
  • 9. The Beginning Not much happening here…. The Interwebs Administrator Crash Override
  • 10. Add Some Servers Still not really interesting… The Interwebs Administrator Crash Override Servers
  • 11. Add Some Threats Starting to get interesting… The Interwebs Administrator Crash Override Servers IDS
  • 12. Maybe You Are Here? Oh Noze! The Interwebs Administrator Crash Override Servers IDS WAF IPS UTM
  • 13. Where You Really Are This isn’t good... The Interwebs Administrator Crash Override Servers IDS WAF IPS UTM
  • 15. What they did back in the ol’ days Logs? What are those? Oh Logs? Yeah we just keep those on the server. Logs? We send those to a central server. Why are we storing these log? Maybe we search the logs? Now I’m bored.
  • 16. We’ve come a long way The Evolution server#tail –f messages [boring stuff…] logserver#tail –f messages [boring stuff from all servers] logserver#tail –f messages | grep “[Interesting Stuff]” [secretly hoping for no results] logserver#mysql database>SELECT boring FROM stuff WHERE server = ‘myserver’; Siem#mysql database>SELECT source_ip FROM stuff WHERE [Magic];
  • 17. All Search and No Intelligence Why SIEM? You can do more than just write logs to disk Patterns of events are as important as a single event Search can not easily answer • What is this server? • How important is this server? • Why is this data being exchanged? • Who is responsible for this server?
  • 18. How SIEM Works It’s Magic!
  • 20. The Building Blocks Collection Normalization Correlation Notification Database Reporting Storage
  • 21. Log Lifecycle Log goes in…Event comes out
  • 23. Normalization Making logs useful Logs are usually unstructured pieces of information Normalization adds structure Databases are structured There are different methods of normalization The output is the same no matter the method
  • 24. Turning Chaos Into Order Start 127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 End Date 10/10/2000 13:55:36 Source IP 127.0.0.1 Username frank URL /apache_pb.gif Status 200 Bytes 2326
  • 25. Aren’t All Logs Just The Same? May 21 20:22:28 slacker sshd[21487]: Failed password for root from 192.168.20.10 port 1045 ssh2 source_IP: 192.168.200.10 source_port: 1045 user: root May 21 20:22:44 slacker proftpd[25557] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]):2023 USER root (Login failed): Incorrect password. source_IP: 192.168.200.10 source_port: 2023 user: root Account For Which Logon Failed: Security ID: NULL SID Account Name: root Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Network Information: Workstation Name: WIN-R9H529RIO4Y Source Network Address: 192.168.20.10 Source Port: 53176 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM source_IP: 192.168.200.10 source_port: 53176 user: root
  • 27. Prioritization What’s more important? One of the biggest use cases for SIEM It’s Subjective IDS largely responsible
  • 28. The Numbers Unique number of log types IDS Rules UTM Device Firewall Windows Database 65939 11042 766 563 183
  • 29. What Would You Do? So which is more important? o Jul 7 10:55:56 srbarriga sshd(pam_unix)[16660]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.168.20.111 user=root o 2007-03-03 10:23:40 24.252.248.163 - W3SVC3 SERVER55 192.168.1.15 80 GET /images/9a.jpg - 200 0 32022 324 47 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) - http://www.yahoo.com/ o Sep 7 06:25:28 PIXName %PIX-6-302013: Built inbound TCP connection 141968 for db:10.0.0.1/60749 (10.0.0.1/60749) to NP Identity Ifc: 10.0.0.2/22 (10.0.0.2/22) o 200.96.104.241 - - [12/Sep/2006:09:44:28 -0300] "GET /modules.php?name=Downloads&d_op=modifydownloadrequest&%20lid=- 1%20UNION%20SELECT%200,username,user_id,user_password,name,%20user_email,user_level,0,0%20FROM%20nuke_u sers HTTP/1.1" 200 9918 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)” o Sep 1 10:38:36 10.10.10.1 614: *Sep 1 17:36:34.303: %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:59633 -> 10.10.10.10:80]
  • 30. Is There Any Easier Way? Math! Assign a numerical priority to an Event Make comparison 5 > 2 • Easy Button Risk Algorithms
  • 32. Correlation Don’t confuse me with your words Correlation – The process of creating new information from one or more possibly disparate information sources.
  • 33. Correlation: Aggregation Not actually Correlation but… Happens after Normalization Generally occurs in the Correlation Engine Some SIEMS do their “counting” during Aggregation Aggregation can lose information
  • 34. Correlation: Aggregation Not actually Correlation but… May 21 20:22:28 slacker sshd[21487]: Failed password for root from 192.168.20.185 port 1045 ssh2 May 21 20:22:29 slacker sshd[21487]: Failed password for root from 192.168.20.185 port 1045 ssh2 May 21 20:22:30 slacker sshd[21487]: Failed password for root from 192.168.20.185 port 1045 ssh2 May 21 20:22:31 slacker sshd[21487]: Failed password for root from 192.168.20.185 port 1045 ssh2 May 21 20:22:32 slacker sshd[21487]: Failed password for root from 192.168.20.185 port 1045 ssh2 May 21 20:22:33 Multiple Failed Logins from 192.168.20.185 for user root
  • 35. Correlation: Thresholds An extension of Aggregation Something happens N times Something happens in X timeframe Something is of X priority or higher Thresholds can be applied to any Normalized data field
  • 36. Correlation: Thresholds An Extension of Aggregation May 3 05:15:42.790 UTC: %SEC-6-IP: list 199 permitted tcp 10.131.5.17(3737) -> 10.0.4.101(22), 1 packet May 3 05:15:44.404 UTC: %SEC-6-IP: list 199 denied tcp 10.131.5.17(3738) -> 10.0.4.101(445), 1 packet May 3 05:15:44.790 UTC: %SEC-6-IP: list 199 permitted tcp 10.131.5.17(3739) -> 10.0.4.101(80), 1 packet May 3 05:15:45.404 UTC: %SEC-6-IP: list 199 denied tcp 10.131.5.17(3740) -> 10.0.4.101(135), 1 packet May 3 05:15:46.790 UTC: %SEC-6-IP: list 199 permitted tcp 10.131.5.17(3741) -> 10.0.4.101(143), 1 packet May 3 05:15:47.404 UTC: %SEC-6-IP: list 199 denied tcp 10.131.5.17(3742) -> 10.0.4.101(123), 1 packet May 3 05:15:48.790 UTC: %SEC-6-IP: list 199 permitted tcp 10.131.5.17(3743) -> 10.0.4.101(79), 1 packet May 3 05:15:49.404 UTC: %SEC-6-IP: list 199 denied tcp 10.131.5.17(3744) -> 10.0.4.101(443), 1 packet Rule: If Unique(dest_port) > 5 then Alert: Portscan detected from host 10.131.5.17
  • 37. Correlation: Logical (Not(P)) if and only if (not(Q)) IF [this] && [that] • THEN [dothis] IF “User_Login” && TimeOfDay > 20:00 • THEN ‘Possible Account Compromise’ IF count(SRC_IP) > 100 && event(‘SYN’) • THEN ‘DDOS’
  • 39. Context Enrichment It’s not what I said, it’s where I said it… Adding Context to events helps you examine risk Context Enhancement is still “new” to SIEM
  • 40. Context Before GET /checkin.php?flood=1 Host: 192.168.100.45 Host: 34.123.123.123
  • 41. Context After Host: 192.168.100.45 Hostname: prodweb01 Role: Server Ports: 22, 80, 1337 OS: Windows XP (Really?) Host: 34.123.123.123 Threat Intel: Known C&C No Events in last Month Web Server: [Unknown] Location: EvilAxisCountry GET /checkin.php?flood=1
  • 43. Why Use SIEM? Security – duh Compliance Monitoring Operations
  • 44. EPS !$%@#$ Events Per Second Like the Cake, it’s a lie [most of the time] Real-Time Batch Processing (collection)
  • 46. Now for some Q&A Test Drive AlienVault USM Download a Free 30-Day Trial http://www.alienvault.com/free-trial Try our Product Sandbox http://www.alienvault.com/live-demo-site Questions? Email: hello@alienvault.com Contact us on Twitter: • Joe Schreiber @pkt_inspector • Garrett Gross @garretthgross