How to Run a SIEM
Dr Anton Chuvakin
Disclaimer: HISTORICAL INTEREST ONLY
This material is at least several years old and
is preserved here for HISTORICAL INTEREST
Advice may not reflect current conditions
(but then again, it may reflect yours…)
Program, NOT a Project!
• You can buy a SIEM tool — but you cannot buy a security monitoring capability or a SIEM operation.
• You have to buy the tools, grow the people and mature
• Security monitoring is an eternal commitment, not a project. You start today and you end ... never!
• Key processes and practices are needed for a successful SIEM
• Avoid common mistakes that plague SIEM operations
• Other technologies to be linked with SIEM to make your SOC better
Security Information and Event Management (SIEM)
Data Loss Prevention
File Integrity Monitor
Log Management Lives Here Too
What problem are you trying to solve?
Taking aspirin is about the headache, not about low aspirin content in your blood!
Identifying Use Cases
• Threat Oriented: Use cases implemented to identify a specific threat or
• Control Oriented: Use cases required as a control from a framework or other regulatory document.
• Asset Oriented: Use cases about activities touching specific data assets – payment card data, patient information, product designs
Top Starter Use Cases
1. Authentication monitoring by using login logs.
2. Compromised- and infected-system tracking; malware detection by using outbound firewall logs, NIPS and proxy logs.
3. Validating IDS/IPS alerts by using context data.
4. Monitoring for suspicious outbound connectivity and data transfers.
5. Tracking system changes and other administrative actions across internal systems and matching them to allowed policy.
6. Tracking of Web application attacks and their consequences by using Web server, WAF and application server logs.
Prioritizing Use Cases
[Figure: prioritization matrix of "Problems you want" against "Problems you can easily solve with available tools, data and vendor content"; the overlap of the two is marked "Go here first!"]
SIEM Use Case Example: Authentication
Use-Case Selection: Focus on tracking authentication across systems to detect
Data Collection: Have a list of systems: servers, VPN concentrators, network devices, and others.
Log Source Configuration: Contact the team that operates the systems and make them modify the logging configurations.
SIEM Content Preparation: Review vendor's content, check it for suitability; modify the reports and rules until satisfied.
Definition of Operational Processes: Review operational processes (e.g., a process for suspending or disabling user accounts).
Refinement of the Content: Review dashboards and test rules to see whether incidents will be detected.
Use Output-Driven SIEM: Start Backwards!
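The authentication use case above, carried through as SIEM content, as an added example that is not part of the original deck: it takes constructed login lines from two of the listed system types (sshd on Linux servers and a hypothetical VPN-concentrator format), normalises them into one event shape, runs two starter rules across all systems (a burst of failures from one source, and a success from a source that was just failing), and keeps the thresholds and an ignore-list in one tuning block so the "refinement of the content" step has somewhere to live. The log formats, thresholds and addresses are assumptions; an unparsed line is counted rather than dropped silently, because that is the log-source-configuration gap the Data Collection step is meant to close.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real data). Two formats stand in for the
# "list of systems": an sshd-style line from Linux servers and a hypothetical
# VPN-concentrator format. The fw1 line is a firewall event the collector
# does not parse yet; the 198.51.100.7 lines are a constructed internal
# vulnerability scanner whose failed logins are expected noise.
SAMPLE_LOGS = [
    "2024-03-01T08:00:01 srv1 sshd[101]: Failed password for root from 203.0.113.5 port 5001 ssh2",
    "2024-03-01T08:01:10 srv1 sshd[102]: Failed password for root from 203.0.113.5 port 5002 ssh2",
    "2024-03-01T08:02:20 srv1 sshd[103]: Failed password for invalid user admin from 203.0.113.5 port 5003 ssh2",
    "2024-03-01T08:03:30 srv2 sshd[201]: Failed password for root from 203.0.113.5 port 5004 ssh2",
    "2024-03-01T08:04:40 srv2 sshd[202]: Failed password for root from 203.0.113.5 port 5005 ssh2",
    "2024-03-01T08:05:50 vpn1 VPN-LOGIN user=jdoe src=203.0.113.5 result=SUCCESS",
    "2024-03-01T08:06:00 srv1 sshd[104]: Failed password for jdoe from 192.0.2.9 port 6001 ssh2",
    "2024-03-01T08:06:30 srv1 sshd[105]: Accepted password for jdoe from 192.0.2.9 port 6002 ssh2",
    "2024-03-01T08:07:00 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.0.0.4",
] + [f"2024-03-01T08:10:{i:02d} vpn1 VPN-LOGIN user=scan src=198.51.100.7 result=FAILURE"
     for i in range(6)]

SSHD_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for "
                     r"(?:invalid user )?(\S+) from (\S+) port \d+")
VPN_RE = re.compile(r"^(\S+) (\S+) VPN-LOGIN user=(\S+) src=(\S+) result=(SUCCESS|FAILURE)$")

# Tuning knobs (assumed values): this is where "refinement of the content" happens.
TUNING = {
    "failure_threshold": 5,        # failures per source inside the window -> brute force
    "window_minutes": 10,
    "success_after_failures": 3,   # a success preceded by this many failures -> review
    "ignored_sources": {"198.51.100.7"},
}


def parse_event(line):
    """Normalise one raw line into a common authentication event, or None."""
    m = SSHD_RE.match(line)
    if m:
        ts, host, outcome, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                "src": src, "success": outcome == "Accepted"}
    m = VPN_RE.match(line)
    if m:
        ts, host, user, src, result = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                "src": src, "success": result == "SUCCESS"}
    return None


def run_auth_use_case(lines, tuning=TUNING):
    """Apply the two starter rules across all systems; return (alerts, unparsed_count)."""
    events, unparsed = [], 0
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            unparsed += 1          # a log-source configuration gap, worth its own report
        else:
            events.append(ev)
    window = timedelta(minutes=tuning["window_minutes"])
    recent_failures = defaultdict(deque)   # src -> deque of (timestamp, host)
    already_flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src"] in tuning["ignored_sources"]:
            continue
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()            # drop failures that fell out of the sliding window
        if ev["success"]:
            if len(q) >= tuning["success_after_failures"]:
                alerts.append({"rule": "success-after-failures", "src": ev["src"],
                               "user": ev["user"], "host": ev["host"], "failures": len(q)})
            continue
        q.append((ev["ts"], ev["host"]))
        if len(q) >= tuning["failure_threshold"] and ev["src"] not in already_flagged:
            already_flagged.add(ev["src"])   # one alert per source, not one per extra failure
            alerts.append({"rule": "brute-force", "src": ev["src"], "failures": len(q),
                           "hosts": sorted({h for _, h in q})})
    return alerts, unparsed


if __name__ == "__main__":
    found, gaps = run_auth_use_case(SAMPLE_LOGS)
    for a in found:
        print(a)
    print(f"{gaps} line(s) from sources the collector does not parse yet")
```

The brute-force alert lists both servers the source hit, which is the point of collecting from a list of systems rather than one box; the unparsed count is the kind of number a log collection monitoring report should show.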
Essential SIEM Operational Processes
Collector and log source configuration
SIEM uptime and performance monitoring
Escalation and collaboration
Content tuning and customization process
SIEM program checkpoint
More Essential SIEM Processes
• Incident response
• Detection focus:
  • Alert triage process
  • Activity baselining process
• Response focus:
  • Indicator analysis process
  • Remediation process
• Report review process
• Report refinement based on changing
• Compliance issue remediation process
Mature security operations only: Data exploration process/"hunting"
Suggested SIEM Alert Workflow
[Workflow figure with three paths: Known Bad Issue -> Incident Response Workflow; Out of Baseline Issue -> Indication of Problems (Not to Incident); Follows Daily Baseline -> No Action Required]
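The three paths of that workflow, implemented as triage logic, as an added example that is not from the deck: a daily baseline is built from a constructed history of counts per entity, a constructed known-bad indicator list stands in for a threat-intelligence feed, and each alert is routed to incident response, to "indication of problems" for investigation, or to no action. Entity names, counts and addresses are constructed, and the mean-plus-three-standard-deviations ceiling is an assumed choice. The baseline is only fed with counts that were judged normal, so activity that is already out of baseline cannot drift the baseline toward itself.

```python
from statistics import mean, pstdev

ROUTE_IR = "Incident Response Workflow"
ROUTE_INVESTIGATE = "Indication of Problems (Not to Incident)"
ROUTE_NONE = "No Action Required"

# Constructed history (not real data): daily counts of one event class, say
# outbound connections to previously unseen external hosts, per entity, 14 days.
HISTORY = {
    "srv1": [40, 42, 38, 45, 41, 39, 44, 43, 40, 42, 41, 38, 44, 40],
    "laptop7": [5, 4, 6, 5, 7, 5, 4, 6, 5, 5, 6, 4, 5, 6],
}

# Constructed known-bad indicators standing in for a threat-intelligence feed.
KNOWN_BAD = {"203.0.113.66", "198.51.100.200"}

# Constructed alerts for one day: today's count for the entity plus the
# external address involved.
SAMPLE_ALERTS = [
    {"id": 1, "entity": "srv1", "count": 44, "indicator": "192.0.2.10"},
    {"id": 2, "entity": "srv1", "count": 60, "indicator": "192.0.2.11"},
    {"id": 3, "entity": "laptop7", "count": 6, "indicator": "203.0.113.66"},
    {"id": 4, "entity": "newhost", "count": 3, "indicator": "192.0.2.12"},
]


def build_baseline(history, k=3.0, min_days=7):
    """Per entity: (mean, ceiling) with ceiling = mean + k * population std dev.
    Entities with too little history get no baseline rather than a shaky one."""
    baseline = {}
    for entity, counts in history.items():
        if len(counts) >= min_days:
            mu = mean(counts)
            baseline[entity] = (mu, mu + k * pstdev(counts))
    return baseline


def triage(alert, baseline, known_bad=KNOWN_BAD):
    """Route one alert along the workflow and record why."""
    if alert["indicator"] in known_bad:
        # Known bad beats everything else: a low count does not make it benign.
        return {"id": alert["id"], "route": ROUTE_IR,
                "reason": f"indicator {alert['indicator']} is on the known-bad list"}
    if alert["entity"] not in baseline:
        # Nothing to compare against, so it cannot be called normal yet.
        return {"id": alert["id"], "route": ROUTE_INVESTIGATE,
                "reason": "no daily baseline for this entity yet"}
    mu, ceiling = baseline[alert["entity"]]
    if alert["count"] > ceiling:
        return {"id": alert["id"], "route": ROUTE_INVESTIGATE,
                "reason": f"count {alert['count']} above ceiling {ceiling:.1f} (mean {mu:.1f})"}
    return {"id": alert["id"], "route": ROUTE_NONE,
            "reason": f"count {alert['count']} follows daily baseline (ceiling {ceiling:.1f})"}


def record_outcome(history, alert, route):
    """Feed today's count back into the history only when it was judged normal.
    Returns True if the count was recorded."""
    if route != ROUTE_NONE:
        return False
    history.setdefault(alert["entity"], []).append(alert["count"])
    return True


def triage_day(alerts, history):
    """Triage one day's alerts against the baseline, then update the history."""
    baseline = build_baseline(history)
    decisions = [triage(a, baseline) for a in alerts]
    for a, d in zip(alerts, decisions):
        record_outcome(history, a, d["route"])
    return decisions


if __name__ == "__main__":
    working_history = {k: list(v) for k, v in HISTORY.items()}
    for d in triage_day(SAMPLE_ALERTS, working_history):
        print(f"alert {d['id']}: {d['route']} ({d['reason']})")
```

Alert 3 shows why the known-bad check comes first: its count sits comfortably inside the laptop's baseline, and a baseline-only rule would have waved it through.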
SIEM Skills for Success
Core SIEM Team Skills
Shorthand | Description | Common Job Titles for This Role
Run | Maintain a SIEM product in operational status, monitor its uptime, optimize performance, deploy updates, and perform other system management tasks | SIEM administrator and SIEM engineer
Watch | Use the SIEM product for security monitoring, investigate alerts and review activity reports | Security analyst, SIEM analyst, and incident
Tune | Refine and customize SIEM content and create content specific to new use cases | Content developer and SIEM consultant
Reviewing Your SIEM Use Cases
• Use cases are not “set and forget”.
• Many situations where a use case has to be reviewed:
  • New tool implementation review
  • Periodic review (quarterly)
  • Triggered by:
    • Performance issues
    • Effectiveness issues (false positives, false negatives, number of alerts)
    • Changes to business, environment, threats or technology
SIEM Maturity Roadmap
No. | Maturity Stage | Key Processes That Must Be in Place
1 | SIEM deployed and collecting some log data | SIEM infrastructure monitoring process; Log collection monitoring process
2 | Periodic SIEM usage, dashboard/report review | Incident response process; Report review process
3 | SIEM alerts and correlation rules enabled | Alert triage process
4 | SIEM tuned with customized filters, rules, alerts, | Real-time alert triage process; Content tuning process
5 | Advanced monitoring use cases, custom SIEM content use cases | Threat intelligence process; Content research and development
Sample Metrics For Use Case Management
Use Cases in Production vs Use Cases Waiting for Implementation
Number of Use Cases reviewed per time period
Number of Use Cases optimized/changed per time period, including reasons for changes.
Number of Use Cases removed per time period, including reasons for removal
Number of Use Cases implemented per monitoring tool
Number of Use Cases not implemented due to Technology limitations
SIEM and Friends
TI SIEM Detection
Quick Win: Graduating Beyond SIEM
• Deploy User and Entity Behavior Analytics (UEBA) — "add-on" SIEM brain for user-centric analysis:
  • Detect compromised accounts "automatically"
  • Enrich alerts with user behavior profiles
  • Utilize vendor-provided anomaly algorithms
  • Eventually refine/define own algorithms
SIEM and/or/vs/with Security Analytics?
• Have to solve security problems that SIEM is suboptimal for?
• Want to apply more algorithms to log, flow and context data?
• Have higher volume or diversity of data?
• Need to postprocess alerts?
Top SIEM Pitfalls
• Skip the planning stage and just buy some SIEM tool
• Define the need for a SIEM in vague terms
• Fail to define the initial deployment scope, starter use cases
• Assume that the SIEM effort would run itself, skimp on the people side
• Practice “input-driven” SIEM
• Not refining the evolving requirements
Think "security monitoring capability," not "SIEM box."
SIEM requires "care and feeding" to give value:
• Prepare to be involved with the tool indefinitely.
Use "output-driven" SIEM approach.
Define processes and dedicate personnel to use the tool:
• Define/refine an incident response process.
Follow the maturity levels — or suffer!
Review your route beyond SIEM — UBA, analytics, etc.