You Have a SIEM! And Now?

Description: You have a SIEM? That's great, but now what? What can you expect from it? How do you improve its value?

Transcript
You Have a SIEM! And Now?
InfoSecurity.be March 2014 - Xavier Mertens
TrueSec
$ whoami
• Xavier Mertens (@xme)
• Consultant @ day
• Blogger, Hacker @ night
• BruCON co-organizer

$ cat ~/.profile
• I like (your) logs
• Security visualisation
• Playing with SIEMs for >5y
• ArcSight, OSSEC, Splunk, … (Used as tools, I’m not an evangelist ;-)

$ cat disclaimer.txt
“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”

Agenda
• Today’s situation
• Issues
• How to improve
• Conclusions

Market Overview
• Products are mature
• A SIEM must be on $VENDORS portfolio
  • ArcSight → HP
  • Nitro → McAfee
  • Q1Labs → IBM
• SaaS model (“SIEM as a Service”) / MSSP
• Sliding toward the “big data” buzz

The Triggers
• Business compliance
• Action / Reaction

Manager’s Perspective

Be Happy!
No worries, we have a SIEM…

IT Guy’s Perspective

Outsourcing?
Easy as choosing your level?

Agenda
• Today’s situation
• Issues
• How to improve
• Conclusions

The “Unknown”
“We can only fight what we know or learned”

The SIEM Value…
… is directly related to the value of events collected, processed and stored in its database

Cause != Effect
A classic SIEM is good at detecting the effect of an incident, but detecting the cause is more valuable…

More SIEM Killers
• Complexity of modern architecture
• Recurrent process(es)
• Lack of assigned resources (people|time|money)
• Attackers are devious
• What are you looking for?
• It’s only a “dumb” toolbox

Two Approaches
• Business Cases
• Opportunism

Business Cases
• Goal: Solve specific requirements (e.g. compliance)
• Collect relevant events
• Process them to solve the business case

Opportunistic
• Goal: Be ready to investigate
• Collect as many events as possible

So what?
• Business Cases
  Pro: Easier to implement, quick ROI, keep control, accurate results
  Con: Missed events, limited investigations
• Opportunism
  Pro: Forensic
  Con: Complex, flood of data, sizing difficult, longer ROI

But we “correlate”!?
“A mutual relationship or connection between two or more things.”

An Endless Game
• Step 1: Define sensitive assets
    @users = ("root", "admin", "administrator", "webadmin", "operator");
    @hosts = ("10.0.0.1", "192.168.2.1", "192.168.1.1");
• Step 2: Write your correlation rule
    # exact matches; each grep is parenthesised so "&&" does not swallow the list
    if ((grep { $_ eq $dstip } @hosts) && (grep { $_ eq $user } @users)) {
        alert("Mayday!");    # alert() stands for the SIEM's alerting hook
    }

And Easily Broken…
Wait…
And what if a user “root2” is created by a rogue admin?

Looking (Ab)normal?
Mar 4 21:05:02 shiva sshd[16449]: Accepted publickey for alice from 111.112.113.114 port 62510 ssh2
• Timestamp
• Source IP
• User
• Authentication mechanism

Let’s Derive!
• Alice might log in from 10.0.0.1
• Alice might log in on Sunday
• Alice might log in with a password
• Bob might replace Alice

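An added example, not from the deck, that ties the last three slides together: it parses the sshd line above, evaluates the static list-based rule from the “Endless Game” slide, and then derives alerts from a per-user baseline instead, so the “root2” case and the “Let’s Derive!” deviations are both caught. The extra log lines, the host-to-asset map and the baseline for alice are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample log lines (the first is the line quoted on the slide).
SAMPLE_LOGS = [
    "Mar 4 21:05:02 shiva sshd[16449]: Accepted publickey for alice from 111.112.113.114 port 62510 ssh2",
    "Mar 9 03:12:44 shiva sshd[17001]: Accepted password for alice from 10.0.0.1 port 51000 ssh2",
    "Mar 5 09:00:10 shiva sshd[17100]: Accepted publickey for root2 from 10.0.0.1 port 40000 ssh2",
]
SSHD_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                     r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+")

# Static lists from the "Endless Game" slide; ASSETS maps hostnames to IPs (constructed).
SENSITIVE_USERS = {"root", "admin", "administrator", "webadmin", "operator"}
SENSITIVE_HOSTS = {"10.0.0.1", "192.168.2.1", "192.168.1.1"}
ASSETS = {"shiva": "192.168.1.1"}
# Constructed baseline of "normal" for alice: known source IPs, weekdays (Mon=0) and auth methods.
BASELINE = {"alice": {"src": {"111.112.113.114"}, "weekdays": set(range(5)), "methods": {"publickey"}}}

def parse_sshd(line, year=2014):
    """Split an sshd 'Accepted' line into timestamp, host, method, user and source IP."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} {' '.join(ev['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ev

def static_rule(ev):
    """The slide's rule: alert only when both the asset and the user are on the lists."""
    return ASSETS.get(ev["host"]) in SENSITIVE_HOSTS and ev["user"] in SENSITIVE_USERS

def deviations(ev):
    """Derived rule: list how this login departs from the user's learned baseline."""
    profile = BASELINE.get(ev["user"])
    if profile is None:
        return ["user without baseline"]      # catches a freshly created "root2"
    out = []
    if ev["src"] not in profile["src"]:
        out.append("new source ip")
    if ev["ts"].weekday() not in profile["weekdays"]:
        out.append("unusual day")
    if ev["method"] not in profile["methods"]:
        out.append("unusual auth method")
    return out

def alert(ev):
    """Alert on any deviating login to a sensitive asset, whoever the user is."""
    return ASSETS.get(ev["host"]) in SENSITIVE_HOSTS and bool(deviations(ev))
```

The static rule stays silent on all three lines, while the baseline rule stays silent on the normal login and raises on the Sunday password login and on the unknown “root2” account.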
Challenge?
“Managing the unmanageable”

Agenda
• Today’s situation
• Issues
• How to improve
• Conclusions

Home vs. Guest
Defensive security has the greatest advantage: the “home-field” advantage.

Knowledge
• Your network
• The business
• The processes
• Your enemy!

Mapping!
• Mapping your assets is a critical step
• Mapping must be in accordance with the business
• Mapping the actual exposures and issues
• Don’t forget the humans!

Early Warning Signs
• It’s not only a question of IT
• Increase in calls received by the call center
• Increase in resource usage (CPU, bandwidth)

Surveillance by Algorithm
• Daily, our activity is watched by algorithms
• Amazon tracks the books we buy and suggests others based on our habits
• Google returns search results based on our previous activity
• Ads are personalised
• …
© B. Schneier

Anomaly Detection
• Mathematics can help
• Detection systems look for deviations from normal or established patterns
(Source: http://minds.cs.umn.edu/publications/chapter.pdf)

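An added example (not part of the deck, and not the method of the cited chapter) of what “mathematics can help” means for the early-warning signal named a few slides back: a robust z-score over a constructed daily series of call-center calls, scored against the same weekday only so the normal weekend dip is not reported as a deviation. The series, the 3.5 threshold and the MAD floor are my assumptions.

```python
import statistics

# Constructed history: daily calls received by the call center over three weeks.
# Index 0 is a Monday; weekends are quiet by design (an established pattern).
CALLS_HISTORY = [41, 38, 45, 40, 39, 12, 10,
                 43, 37, 44, 42, 40, 11, 9,
                 39, 44, 41, 38, 40, 10, 12]

def robust_z(history, value):
    """Distance of value from the median, in units of the scaled median absolute deviation."""
    med = statistics.median(history)
    mad = statistics.median([abs(x - med) for x in history])
    scale = max(1.4826 * mad, 1.0)   # 1.4826 makes MAD comparable to a std dev; floor avoids /0 (assumption)
    return (value - med) / scale

def seasonal_z(history, value, period=7):
    """Same score, but the baseline is only the samples in the same slot of each period (same weekday)."""
    slot = len(history) % period      # the slot today's value falls into
    return robust_z(history[slot::period], value)

def is_anomaly(history, value, threshold=3.5, period=7):
    """Flag a deviation from the established weekly pattern (threshold is an assumption)."""
    return abs(seasonal_z(history, value, period)) > threshold
```

A Saturday with 10 calls scores far outside the whole-series baseline but sits inside the Saturday baseline, while a Monday with 80 calls is flagged by both; with only three weeks of history the per-weekday baseline is thin, so more periods are needed before trusting the score.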
Anomaly Detection

Threat Intelligence
“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard”
(Source: http://www.gartner.com/document/2487216)

Threat Intelligence
• What? Where? When?
• How?
• Who? Why? (Motivations)

Threat Intelligence
• Two types: Strategic & Tactical
  • File bb83737167a951b3390bbea04ddd5991 is part of malware “X” (Tactical)
  • Users “U” from Country “C” search for documents “D” (Strategic)
• Use threat intelligence that focuses on your business

“IOC”
• URLs
• IP addresses
• Domains
• Users, emails
• Hashes

Best of both worlds!
Inputs: Events, Assets, Smoke Signals, Threat Intelligence
→ SIEM + Anomaly Detection →
Outputs: Alerts, Reporting, Forensic

Agenda
• Today’s situation
• Issues
• How to improve
• Conclusions

Conclusions
• Before, Security == Ability to resist attacks
• Now, Security == Ability to predict attacks
• Classic SIEM deployments (usually driven by product vendors) focus on the reactive end of the spectrum
• Looking forward to such an approach to defensive security

Conclusions

Thank you! More info?
@xme
http://blog.rootshell.be
https://www.truesec.be