
Generic siem how_2017

734 views

Published on

Some tips on how to run a SIEM

Published in: Technology


  1. How to Run a SIEM Operation? Dr Anton Chuvakin @anton_chuvakin
  2. Disclaimer: HISTORICAL INTEREST ONLY. This material is at least several years old and is preserved here for HISTORICAL INTEREST ONLY. Advice may not reflect current conditions (but then again, it may reflect yours…)
  3. Program, NOT a Project!
     • You can buy a SIEM tool — but you cannot buy a security monitoring capability or a SIEM operation.
     • You have to buy the tools, grow the people and mature the processes.
     • Security monitoring is an eternal commitment, not a project. You start today and you end ... never!
  4. Outline
     • Key processes and practices that are needed for a successful SIEM implementation
     • Common mistakes that plague SIEM operations, and how to avoid them
     • Other technologies to link with SIEM to make your SOC better
  5. Security Information and Event Management (SIEM) Reminder (architecture diagram)
     • SIM: Analysis, Repository, Query, Reports, Data Collection (Log Management lives here too)
     • SEM: Incident Management, Correlation, Normalization, Real-Time Monitoring
     • Context data: Threat Intelligence, Asset, Vulnerability, User
     • Event data sources: Network Firewall, Application Firewall, Application, Database, Server, Network Device, NIDS/NIPS, Endpoint Protection, Data Loss Prevention, File Integrity Monitor
  6. Conditions for SIEM WIN: Goals and Use Cases
  7. USE CASES! What problem are you trying to solve? Taking aspirin is about the headache, not about low aspirin content in your blood!
  8. Identifying Use Cases
     • Threat Oriented: use cases implemented to identify a specific threat or threat actor.
     • Control Oriented: use cases required as a control from a framework or other regulatory document.
     • Asset Oriented: use cases about activities touching specific data assets – payment card data, patient information, product designs.
  9. Top Starter Use Cases
     1. Authentication monitoring by using login logs.
     2. Compromised- and infected-system tracking; malware detection by using outbound firewall logs, NIPS and proxy logs.
     3. Validating IDS/IPS alerts by using context data.
     4. Monitoring for suspicious outbound connectivity and data transfers.
     5. Tracking system changes and other administrative actions across internal systems and matching them to allowed policy.
     6. Tracking of Web application attacks and their consequences by using Web server, WAF and application server logs.
  10. Prioritizing Use Cases (importance vs. feasibility matrix)
     • Importance: problems you want solved first
     • Feasibility: problems you can easily solve with available tools, data and vendor content
     • Go here first: use cases that score high on both
  11. SIEM Use Case Example: Authentication Abuse Tracking (table: Step / Details)
     • Use-Case Selection: focus on tracking authentication across systems to detect unauthorized access.
     • Data Collection: have a list of systems: servers, VPN concentrators, network devices, and others.
     • Log Source Configuration: contact the team that operates the systems and have them modify the logging configurations.
     • SIEM Content Preparation: review the vendor's content and check it for suitability; modify the reports and rules until satisfied.
     • Definition of Operational Processes: review operational processes (e.g., a process for suspending or disabling user accounts).
     • Refinement of the Content: review dashboards and test rules to see whether incidents will be detected.
  12. Use Output-Driven SIEM: Start Backwards! (diagram: Data Sources, Logs, Flows, Context, etc. → SIEM Tool → Alerts, Actions, Reports, Investigation; start from the outputs you need and work back to the data)
  13. Running SIEM: People and Processes
  14. Essential SIEM Operational Processes
     • Collector and log source configuration
     • SIEM uptime and performance monitoring
     • Escalation and collaboration
     • Content tuning and customization process
     • Analyst training
     • SIEM program checkpoint
  15. More Essential SIEM Processes
     • Incident response
     • Security, detection focus: alert triage process; activity baselining process
     • Security, response focus: indicator analysis process; remediation process
     • Compliance: report review process; report refinement based on changing requirements process; compliance issue remediation process
     • Mature security operations only: data exploration process / "hunting"
  16. Suggested SIEM Alert Workflow (flowchart)
     • An individual alert is classified as one of: a routine entry that follows the daily baseline (no action required); a known bad issue, documented as an indication of problems (verify impact / prioritize, then the incident response workflow); or an out-of-baseline issue of unknown status (investigate).
     • An unknown alert, after analysis, turns out either good (document as "good"; tune rules accordingly) or bad (verify impact / prioritize, then either additional investigation, not to incident, or the incident response workflow).
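An added example, not part of the deck, that turns the authentication-abuse use case of slide 11 and the alert workflow of slide 16 into a runnable correlation rule plus triage step. It assumes a constructed, already-normalized event format (the `host`/`user`/`src`/`result` fields) and a constructed baseline entry; the threshold and window are illustrative rule parameters, not values from the deck.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample events, already normalized by the SIEM into one format;
# the field names (host, user, src, result) are an assumption of this example.
EVENTS = [
    "2017-03-01T08:00:01 vpn01 user=alice src=203.0.113.5 result=fail",
    "2017-03-01T08:00:09 vpn01 user=alice src=203.0.113.5 result=fail",
    "2017-03-01T08:00:15 srv-db user=alice src=203.0.113.5 result=fail",
    "2017-03-01T08:00:40 srv-db user=alice src=203.0.113.5 result=success",
    "2017-03-01T08:06:00 vpn01 user=svc_scan src=10.0.0.9 result=fail",
    "2017-03-01T08:06:05 srv-db user=svc_scan src=10.0.0.9 result=fail",
    "2017-03-01T08:06:10 fw01 user=svc_scan src=10.0.0.9 result=fail",
    "2017-03-01T08:07:00 vpn01 user=dave src=192.0.2.44 result=fail",
    "2017-03-01T08:07:30 vpn01 user=dave src=192.0.2.44 result=fail",
    "2017-03-01T08:08:00 vpn01 user=dave src=192.0.2.44 result=fail",
]
LINE = re.compile(r"(\S+) (\S+) user=(\S+) src=(\S+) result=(\w+)")
# Analyst-maintained baseline (the deck's "routine entry: follows daily baseline");
# constructed: a vulnerability-scanner account that fails logins every day by design.
BASELINE = {("svc_scan", "10.0.0.9")}
FAIL_THRESHOLD = 3    # rule parameters: adjust these in the content-refinement step
WINDOW_SECONDS = 600

def parse(line):
    ts, host, user, src, result = LINE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "src": src, "result": result}

def authentication_abuse(lines):
    """Rule: >= FAIL_THRESHOLD failures for one (user, src) pair inside WINDOW_SECONDS."""
    by_key = defaultdict(list)
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        by_key[(ev["user"], ev["src"])].append(ev)
    alerts = []
    for (user, src), evs in by_key.items():
        fails = [e for e in evs if e["result"] == "fail"]
        if len(fails) < FAIL_THRESHOLD or \
                (fails[-1]["ts"] - fails[0]["ts"]).total_seconds() > WINDOW_SECONDS:
            continue
        # A success after the failure burst is the stronger signal; hosts shows cross-system spread.
        success_after = any(e["result"] == "success" and e["ts"] > fails[-1]["ts"] for e in evs)
        alerts.append({"user": user, "src": src, "failures": len(fails),
                       "hosts": sorted({e["host"] for e in fails}), "success_after": success_after})
    return alerts

def triage(alert):
    """Alert workflow: routine -> no action; known bad -> incident response; else investigate."""
    if (alert["user"], alert["src"]) in BASELINE:
        return "no_action"          # document as "good" and tune the rule accordingly
    if alert["success_after"]:
        return "incident_response"  # documented indication of a problem
    return "investigate"            # out of baseline, status unknown until analysed
```

Running `[triage(a) for a in authentication_abuse(EVENTS)]` yields one incident (alice: failures on two systems, then a success), one baselined scanner alert, and one unknown to investigate.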
  17. SIEM Skills for Success (Venn diagram): the "Run", "Watch" and "Tune" skill sets; SIEM win where all three overlap.
  18. Core SIEM Team Skills (table: Shorthand / Description / Common Job Titles for This Role)
     • Run: maintain a SIEM product in operational status, monitor its uptime, optimize performance, deploy updates, and perform other system management tasks. Job titles: SIEM administrator and SIEM engineer.
     • Watch: use the SIEM product for security monitoring, investigate alerts and review activity reports. Job titles: security analyst, SIEM analyst, and incident responder.
     • Tune: refine and customize SIEM content and create content specific to new use cases. Job titles: content developer and SIEM consultant.
  19. Growing SIEM: Review and Optimize
  20. Reviewing Your SIEM Use Cases
     • Use cases are not "set and forget".
     • There are many situations where a use case has to be reviewed:
       • New tool implementation review
       • Periodic review (quarterly)
       • Triggered by: performance issues; effectiveness issues (false positives, false negatives, number of alerts); changes to business, environment, threats or technology
  21. Evolving SIEM: Maturity and Integrations
  22. SIEM Maturity Roadmap (table: State No. / Maturity Stage / Key Processes That Must Be in Place)
     1. SIEM deployed and collecting some log data: SIEM infrastructure monitoring process; log collection monitoring process
     2. Periodic SIEM usage, dashboard/report review: incident response process; report review process
     3. SIEM alerts and correlation rules enabled: alert triage process
     4. SIEM tuned with customized filters, rules, alerts, and reports: real-time alert triage process; content tuning process
     5. Advanced monitoring use cases, custom SIEM content use cases: threat intelligence process; content research and development
  23. Sample Metrics for Use Case Management
     • Use cases in production vs. use cases waiting for implementation
     • Number of use cases reviewed per time period
     • Number of use cases optimized/changed per time period, including reasons for changes
     • Number of use cases removed per time period, including reasons for removal
     • Number of use cases implemented per monitoring tool
     • Number of use cases not implemented due to technology limitations
  24. SIEM and Friends (integration diagram): threat intelligence (TI) feeds SIEM detection; SIEM alerts go to EDR, which returns a confirmed alert; SIEM and UEBA exchange new insight.
  25. Quick Win: Graduating Beyond SIEM
     • Deploy User and Entity Behavior Analytics (UEBA) — an "add-on" SIEM brain for user-centric analysis:
       • Detect compromised accounts "automatically"
       • Enrich alerts with user behavior profiles
       • Utilize vendor-provided anomaly algorithms
       • Eventually refine/define your own algorithms
  26. SIEM and/or/vs/with Security Analytics?
     • Have to solve security problems that SIEM is suboptimal for?
     • Want to apply more algorithms to log, flow and context data?
     • Have higher volume or diversity of data?
     • Need to postprocess alerts?
  27. SIEM Pitfalls
  28. Top SIEM Pitfalls
     • Planning:
       • Skip the planning stage and just buy some SIEM tool
       • Define the need for a SIEM in vague terms
       • Fail to define the initial deployment scope and starter use cases
     • Operation:
       • Assume that the SIEM effort will run itself; skimp on the people side
       • Practice "input-driven" SIEM
       • Fail to refine the evolving requirements
  29. Advice
     • Think "security monitoring capability," not "SIEM box."
     • SIEM requires "care and feeding" to give value: prepare to be involved with the tool indefinitely.
     • Use an "output-driven" SIEM approach.
     • Define processes and dedicate personnel to use the tool: define/refine an incident response process.
     • Follow the maturity levels — or suffer!
     • Review your route beyond SIEM — UBA, analytics, etc.