SIEMs - Decoding The Mayhem
Bill Dean, Director of Computer Forensics
Sword & Shield Enterprise Security Inc.

Outline
• Today’s Threat Landscape
• Why Do I Need a SIEM?
• Choosing and Deploying a SIEM
• This Will Not Be Boring

Computer Security Landscape
• You Are Being Blamed
• Your Money Isn’t Safe
• Your Information Isn’t Safe
• Your Reputation Is at Stake
• More Threats, Fewer People

You Are Being Blamed
• BotNets
• Pivoting

Stealing Your $$

Stealing Your Information
• Computers Are No Longer for “Productivity”
• You Have Valuable Information
• You ARE A Target
• You Aren’t Dealing With “Amateurs”

Hacktivists – Exposing Your Secrets

Hacktivists – Business Disruption

Your Challenge

SIEMs

You Need An “Oracle”
• Knows The Past
• Knows The Present
• Knows The Future
• Knows How to CYA

SIEM Basics
• Provides “Instant Replay”
• 24 x 7 Security Guard
• SIEM v. Firewall v. IDS v. IPS
• SIEM v. SEIM v. SIM
• Typically Compliance Driven

Compliance
• HIPAA
• PII
• Data Breach Notification Laws

Why Do I Need A SIEM?
• Infrastructure Monitoring
• Reporting
• Threat Correlation
• Instant Replay
• Incident Response

What Is Monitored?
• Account Activity
• Availability
• IDS/Context Correlation
• Data Exfiltration
• Client Side Attacks
• Brute Force Attacks

Windows Accounts
• Accounts Created, By Whom, and When
• New Accounts That Aren’t Standard
• New Accounts Created At Odd Times
• New Workstation Account Created
• Key Group Membership Change
• Account Logon Hours

Availability
• System Uptime Statistics
• Availability Reporting
• Uptime is “Relative”

IDS Context/Correlation
• Place Value On Assets
• Context Is Essential
• Maintain Current Vulnerability DBs
• Create Priority Rules

Data Exfiltration
• You Must Know What Is “Normal”
• Deviations From The Norm Warrant An Alert
• Some Events Are “Non-Negotiable”
• “You” Typically Initiate Data Transfers

Client Side Attacks
• Windows Event Log Information
• Process Status Changes
• New Services Created
• Scheduled Task Creations
• Changes to Audit Policies

Brute-force Attacks
• Detailed Reports of Failed Logins
• Source Of Failed Login Attempts
• Locked Accounts Report
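
As an added example that is not part of the talk, the account-monitoring checks the Windows Accounts and Brute-force Attacks slides call for (accounts created at odd times and by whom, key group membership changes, failed logins grouped by source) written as SIEM-style correlation rules over constructed Windows Security log records. The event IDs are the standard Windows ones; the record field names, business-hours window and brute-force threshold are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not from the talk): simplified Windows Security log events.
# 4720 = user account created, 4728 = member added to a global security group, 4625 = failed logon.
EVENTS = [
    {"time": "2012-03-05 02:14:00", "id": 4720, "actor": "svc_backup", "target": "tmp_admin"},
    {"time": "2012-03-05 02:15:30", "id": 4728, "actor": "svc_backup", "target": "tmp_admin", "group": "Domain Admins"},
    {"time": "2012-03-05 09:30:00", "id": 4720, "actor": "helpdesk1", "target": "jsmith"},
    {"time": "2012-03-05 11:05:00", "id": 4625, "target": "jdoe", "src": "10.0.0.5"},
] + [  # six failed logons for one account from one source inside a minute
    {"time": f"2012-03-05 11:00:{10 * i:02d}", "id": 4625, "target": "jdoe", "src": "10.0.0.77"} for i in range(6)
]
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 is "normal" for this example (assumption)
KEY_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
def _ts(ev):
    return datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")

def odd_hour_account_creations(events):
    # accounts created outside business hours, and who created them
    return [(ev["target"], ev["actor"]) for ev in events
            if ev["id"] == 4720 and _ts(ev).hour not in BUSINESS_HOURS]

def key_group_changes(events):
    # membership changes to groups that grant broad privilege
    return [(ev["target"], ev["group"]) for ev in events
            if ev["id"] == 4728 and ev["group"] in KEY_GROUPS]

def brute_force_sources(events, threshold=5, window_s=300):
    # sources with at least `threshold` failed logons inside any `window_s`-second span
    by_src = defaultdict(list)
    for ev in events:
        if ev["id"] == 4625:
            by_src[ev["src"]].append(_ts(ev))
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = max(flagged.get(src, 0), end - start + 1)
    return flagged

def correlate(events):
    # run every rule and return one alert string per finding
    alerts = [f"odd-hour account creation: {t} by {a}" for t, a in odd_hour_account_creations(events)]
    alerts += [f"key group change: {t} added to {g}" for t, g in key_group_changes(events)]
    alerts += [f"possible brute force from {s}: {n} failures" for s, n in brute_force_sources(events).items()]
    return alerts
```

Running `correlate(EVENTS)` yields three alerts: the 02:14 account creation, the Domain Admins addition, and the failed-logon burst from 10.0.0.77, while the single failure from 10.0.0.5 and the 09:30 helpdesk account stay quiet.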

Incident Response

Incident Response Scenario #1
• Law Firm With Dealings In China
• Law Firm Was “Owned” More Than A Year
• Access To Every Machine On Network
• Thousands of “Responsive” Emails Obtained
• “Privilege” Was Not Observed

Incident Response Scenario #2
• VP of Finance Promoted to CFO
• Attack on the “Weakest” Link

AV Will Save Us!!

Incident Response Scenario #3
http://mail.hfmforum.com/microsoftupdate/getupdate/default.aspx

How SIEMs Would Have Helped
• Accounts Enabled
• Services Created
• Firewall Changes
• Data Exfiltration
• Network Communications
• Incident Response Costs

Choosing A SIEM
• Not a Replacement for Security Engineers
• Must Support Disparate Devices (Agentless)
• Don’t Plan To Monitor? DON’T BOTHER

Deploying a SIEM
• Architecture Options
• Tuning Out The “Noise”

SIEM Option$
• Outsourced Options: SecureWorks
• High-Cost: ArcSight, Q1 Labs Radar, RSA, Tripwire
• Lower-Cost: Q1 Labs FE, TriGEO, Splunk
• No-Cost: OSSIM, OSSEC

Summary
• You Must Anticipate Today’s Threats
• SIEMs Are Extremely Valuable
• SIEMs Are Not A Silver Bullet

Questions?
Bill Dean, Director of Computer Forensics
Sword & Shield Enterprise Security Inc.
[email protected]
http://www.twitter.com/BillDeanCCE