You Have a SIEM! And Now? InfoSecurity.be March 2014 - Xavier Mertens

Upload: xavier-mertens

Post on 29-Nov-2014

DESCRIPTION

You have a SIEM? That's great, but now what? What can you expect from it? How can you improve its value?

TRANSCRIPT

Page 1: You have a SIEM! And now?

You Have a SIEM! And Now?

InfoSecurity.be March 2014 - Xavier Mertens

Page 2

TrueSec

$ whoami

• Xavier Mertens (@xme)

• Consultant @ day

• Blogger, Hacker @ night

• BruCON co-organizer

Page 3

$ cat ~/.profile

• I like (your) logs

• Security visualisation

• Playing with SIEMs for >5y

• ArcSight, OSSEC, Splunk, … (used as tools, I’m not an evangelist ;-)

Page 4

$ cat disclaimer.txt

“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”

Page 5

Agenda

• Today’s situation

• Issues

• How to improve

• Conclusions

Page 6

Market Overview

• Products are mature

• A SIEM must be in every $VENDOR’s portfolio

• ArcSight, acquired by HP

• Nitro, acquired by McAfee

• Q1Labs, acquired by IBM

• SaaS model (“SIEM as a Service”) / MSSP

• Sliding into the “big data” buzz

Page 7

The Triggers

• Business

• Compliance

• Action / Reaction

Page 8

Manager’s Perspective

Page 9

Be Happy!

No worries, we have a SIEM…

Page 10

IT Guy’s Perspective

Page 11

Outsourcing?

Easy as choosing your level?

Page 12

Agenda

• Today’s situation

• Issues

• How to improve

• Conclusions

Page 13

The “Unknown”

“We can only fight what we know or learned”

Page 14

The SIEM Value…

… is directly related to the value of the events collected, processed and stored in its database

Page 15

Cause != Effect

A classic SIEM is good at detecting the effect of an incident, but detecting the cause is more valuable…

Page 16

More SIEM Killers

• Complexity of modern architecture

• Recurrent process(es)

• Lack of assigned resources (people|time|money)

• Attackers are devious

• What are you looking for?

• It’s only a “dumb” toolbox

Page 17

Two Approaches

• Business Cases

• Opportunism

Page 18

Business Cases

• Goal: Solve specific requirements (e.g. compliance)

• Collect relevant events

• Process them to solve the business case

Page 19

Opportunistic

• Goal: Be ready to investigate

• Collect as many events as possible

Page 20

So what?

Business Cases
  Pro: Easier to implement, quick ROI, keep control, accurate results
  Con: Missed events, limited investigations

Opportunism
  Pro: Forensic
  Con: Complex, flood of data, sizing difficult, longer ROI

Page 21

But we “correlate”!?

“A mutual relationship or connection between two or more things.”

Page 22

An Endless Game

• Step 1: Define sensitive assets

    my @users = ("root", "admin", "administrator", "webadmin", "operator");
    my @hosts = ("10.0.0.1", "192.168.2.1", "192.168.1.1");

• Step 2: Write your correlation rule

    my ($dstip, $user) = @ARGV;   # taken from the parsed event
    # Both greps are parenthesised: without them, "&&" binds inside the first
    # grep's list. The block form with "eq" compares values exactly.
    if ((grep { $_ eq $dstip } @hosts) && (grep { $_ eq $user } @users)) {
        alert("Mayday!");          # alert() stands for whatever the SIEM does
    }

Page 23

And Easily Broken…

Wait…

And what if a user “root2” is created by a rogue admin?
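The rule from the previous slide, reworked as an added Python example (not the speaker's code) to show the "root2" case concretely: the static list catches "root" but not "root2", while an allowlist variant that compares each login against an inventory of accounts approved on the host catches both. The APPROVED_ACCOUNTS inventory and the events are constructed for this example; in practice the inventory would come from the asset and identity mapping discussed later in the deck.

```python
"""Added example (not from the slides): the list-based correlation rule and
why a newly created 'root2' account slips past it. All data is constructed."""

SENSITIVE_USERS = {"root", "admin", "administrator", "webadmin", "operator"}
SENSITIVE_HOSTS = {"10.0.0.1", "192.168.2.1", "192.168.1.1"}

# Constructed sample events: (destination host, user)
EVENTS = [
    {"dstip": "10.0.0.1", "user": "root"},    # matches the static rule
    {"dstip": "10.0.0.1", "user": "root2"},   # rogue admin's new account
    {"dstip": "10.0.0.1", "user": "alice"},   # approved, unprivileged account
    {"dstip": "10.0.0.5", "user": "root"},    # host not in the sensitive list
]


def static_rule(event):
    """The slide's rule: alert only when both user and host are listed."""
    return event["dstip"] in SENSITIVE_HOSTS and event["user"] in SENSITIVE_USERS


# Hypothetical inventory of accounts approved on each sensitive host (assumption:
# in a real deployment this is fed from the asset/identity mapping, not hard-coded).
APPROVED_ACCOUNTS = {
    "10.0.0.1": {"root", "alice"},
    "192.168.2.1": {"admin"},
    "192.168.1.1": {"operator", "bob"},
}


def inventory_rule(event):
    """Allowlist variant: a login to a sensitive host by an account that is not
    in the host's approved inventory is suspicious (this is how root2 is caught);
    logins by the known privileged accounts still alert as before."""
    host = event["dstip"]
    if host not in SENSITIVE_HOSTS:
        return False
    approved = APPROVED_ACCOUNTS.get(host, set())
    return event["user"] not in approved or event["user"] in SENSITIVE_USERS


def evaluate(events, rule):
    """Return 'user@host' for every event the given rule alerts on."""
    return [e["user"] + "@" + e["dstip"] for e in events if rule(e)]


if __name__ == "__main__":
    print("static   :", evaluate(EVENTS, static_rule))     # root only
    print("inventory:", evaluate(EVENTS, inventory_rule))  # root and root2
```

The inventory rule is still a list, so it is not a cure for the "endless game"; it only moves the list from "names we fear" to "accounts we approved", which the defender can actually keep complete.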

Page 24

Looking (Ab)normal?

Mar 4 21:05:02 shiva sshd[16449]: Accepted publickey for alice from 111.112.113.114 port 62510 ssh2

• Timestamp

• Source IP

• User

• Authentication mechanism

Page 25

Let’s Derive!

• Alice might log in from 10.0.0.1

• Alice might log in on Sunday

• Alice might log in with a password

• Bob might replace Alice
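Slides 24 and 25 together describe a baseline-and-deviation check, and slide 33 names it anomaly detection. The following added Python example (not from the presentation) parses sshd "Accepted" lines in the format shown on slide 24, learns a per-user baseline of source IPs, weekdays and authentication methods from a training window, and then reports which attributes of a later login the baseline has never seen. The log lines are constructed; the syslog format carries no year, so 2014 is assumed when computing the weekday.

```python
"""Added example, not part of the slides: per-user login baseline from sshd
logs and deviation reporting. Log lines below are constructed."""
import re
from datetime import datetime

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line, year=2014):
    """Extract the four fields slide 24 names; None if not an accepted login."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    # Assumption: syslog timestamps have no year, so one is supplied.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "weekday": ts.strftime("%a"), "src": m["src"],
            "user": m["user"], "method": m["method"]}


def build_baseline(lines):
    """Per-user sets of observed source IPs, weekdays and auth methods."""
    baseline = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        prof = baseline.setdefault(
            ev["user"], {"src": set(), "weekday": set(), "method": set()})
        for key in prof:
            prof[key].add(ev[key])
    return baseline


def deviations(line, baseline):
    """Attributes of this login that the user's baseline has never seen;
    a user with no baseline at all is reported as 'unknown user'."""
    ev = parse(line)
    if ev is None:
        return []
    prof = baseline.get(ev["user"])
    if prof is None:
        return ["unknown user"]
    return [k for k in ("src", "weekday", "method") if ev[k] not in prof[k]]


# Constructed training window: Alice logs in on weekdays, by key, from one IP
TRAINING = [
    "Mar  3 09:05:02 shiva sshd[16401]: Accepted publickey for alice from 111.112.113.114 port 62510 ssh2",
    "Mar  4 21:05:02 shiva sshd[16449]: Accepted publickey for alice from 111.112.113.114 port 62510 ssh2",
    "Mar  5 10:15:44 shiva sshd[16502]: Accepted publickey for alice from 111.112.113.114 port 51022 ssh2",
]
# Constructed logins to score: the cases from the "Let's Derive!" slide
CANDIDATES = [
    "Mar  4 11:00:00 shiva sshd[16600]: Accepted publickey for alice from 111.112.113.114 port 50001 ssh2",
    "Mar  9 11:00:00 shiva sshd[16601]: Accepted password for alice from 10.0.0.1 port 50002 ssh2",
    "Mar  7 11:00:00 shiva sshd[16602]: Accepted publickey for bob from 111.112.113.114 port 50003 ssh2",
]

if __name__ == "__main__":
    base = build_baseline(TRAINING)
    for line in CANDIDATES:
        print(parse(line)["user"], deviations(line, base))
```

The second candidate (a Sunday password login from 10.0.0.1) deviates on all three attributes; the third is a user the baseline has never seen, which is the "Bob might replace Alice" case. A training window of three lines is of course too small for production; the point is that the "normal" profile is derived from the logs themselves instead of being enumerated by hand.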

Page 26

Challenge?

“Managing the unmanageable”

Page 27

Agenda

• Today’s situation

• Issues

• How to improve

• Conclusions

Page 28

Home VS. Guest

Defensive security has the greatest advantage: The “home-field” advantage.

Page 29

Knowledge

• Your network

• The business

• The processes

• Your enemy!

Page 30

Mapping!

• Mapping your assets is a critical step

• Mapping must be in accordance with the business

• Mapping the actual exposures and issues

• Don’t forget the humans!

Page 31

Early warning signs

• It’s not only a question of IT

• Increased calls received by the call center

• Increased resource usage (CPU, bandwidth)

Page 32

Surveillance by Algorithm

• Every day, our activity is watched by algorithms

• Amazon tracks books we buy and suggests others based on our habits

• Google returns search results based on our previous activity

• Ads are personalised

• …

© B. Schneier

Page 33

Anomaly Detection

• Mathematics can help

• Detection systems look for deviations from normal or established patterns

(Source: http://minds.cs.umn.edu/publications/chapter.pdf)

Page 34

Anomaly Detection

Page 35

Threat Intelligence

“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard”

(Source: http://www.gartner.com/document/2487216)

Page 36

Threat Intelligence

• What? Where? When?

• How?

• Who? Why? (Motivations)

Page 37

Threat Intelligence

• Two types: Strategic & Tactical

• File bb83737167a951b3390bbea04ddd5991 is part of malware “X” (Tactical)

• Users “U” from Country “C” search for documents “D” (Strategic)

• Use threat intelligence that focuses on your business

Page 38

“IOC”

• URLs

• IP addresses

• Domains

• Users, emails

• Hashes
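Slides 37 and 38 describe tactical threat intelligence as indicators of the five types listed above, to be matched against what the SIEM already collects. The following added Python example (not from the presentation) loads a small indicator feed into per-type lookup tables and matches normalized events from several log sources against it, with the two cases that a naive string compare misses: a domain indicator must also hit its subdomains, and a URL indicator must hit the same URL with extra query parameters. The feed and the events are constructed; the MD5 is the one quoted on slide 37, the IPs use documentation ranges and the names are reserved examples. Field names such as dst_host and file_md5 are assumed for this example.

```python
"""Added example, not part of the slides: matching a tactical IOC feed
against normalized SIEM events. Feed and events are constructed."""

IOC_FEED = [  # constructed feed; the hash is the one shown on slide 37
    {"type": "hash", "value": "BB83737167A951B3390BBEA04DDD5991", "threat": "malware X"},
    {"type": "ip", "value": "203.0.113.7", "threat": "C2"},
    {"type": "domain", "value": "evil.example", "threat": "C2"},
    {"type": "url", "value": "http://drop.example/payload", "threat": "dropper"},
    {"type": "email", "value": "Phish@Example.net", "threat": "phishing"},
]


def normalize(ioc_type, value):
    """Canonical form so that case, whitespace and trailing dots do not defeat a match."""
    v = value.strip().lower()
    if ioc_type == "domain":
        v = v.rstrip(".")
    elif ioc_type == "url":
        v = v.rstrip("/")
    return v


def load_feed(feed):
    """Index indicators by type, keyed on their normalized value."""
    index = {}
    for ioc in feed:
        index.setdefault(ioc["type"], {})[normalize(ioc["type"], ioc["value"])] = ioc
    return index


def lookup(index, ioc_type, value):
    """Return the matching indicator or None."""
    v = normalize(ioc_type, value)
    table = index.get(ioc_type, {})
    if ioc_type == "domain":
        # walk up the labels so that cdn.evil.example hits evil.example;
        # the bare TLD is never tried
        labels = v.split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in table:
                return table[candidate]
        return None
    if ioc_type == "url":
        # an indicator URL is a prefix: .../payload?id=42 still hits .../payload
        for key, ioc in table.items():
            if v == key or v.startswith(key + "?") or v.startswith(key + "/"):
                return ioc
        return None
    return table.get(v)


# Assumed mapping of normalized event fields to indicator types
FIELD_TYPES = {"src_ip": "ip", "dst_ip": "ip", "dst_host": "domain",
               "url": "url", "file_md5": "hash", "sender": "email"}


def match_event(index, event):
    """Return (field, indicator) pairs for every indicator the event touches."""
    hits = []
    for field, ioc_type in FIELD_TYPES.items():
        if field in event:
            ioc = lookup(index, ioc_type, event[field])
            if ioc is not None:
                hits.append((field, ioc))
    return hits


EVENTS = [  # constructed normalized events from proxy, mail/AV and firewall logs
    {"src_ip": "10.1.2.3", "dst_host": "cdn.evil.example.", "url": "http://cdn.evil.example/a"},
    {"sender": "phish@example.net", "file_md5": "bb83737167a951b3390bbea04ddd5991"},
    {"src_ip": "10.1.2.4", "dst_ip": "198.51.100.9"},
    {"url": "http://drop.example/payload?id=42"},
]

if __name__ == "__main__":
    idx = load_feed(IOC_FEED)
    for ev in EVENTS:
        print([(f, ioc["threat"]) for f, ioc in match_event(idx, ev)])
```

Keeping the matching in one place, with normalization applied to both the feed and the event side, is what makes a feed update cheap: new indicators drop into the tables without touching any rule.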

Page 39

Best of both worlds!

(Diagram: Events, Assets, Smoke Signals and Threat Intelligence feed the SIEM and Anomaly Detection; the outputs are Alerts, Reporting and Forensic)

Page 40

Agenda

• Today’s situation

• Issues

• How to improve

• Conclusions

Page 41

Conclusions

• Before, Security == Ability to resist attacks

• Now, Security == Ability to predict attacks

• Classic SIEM deployments (usually driven by product vendors) focus on the reactive end of the spectrum

• Looking forward to such an approach to defensive security

Page 42

Conclusions

Page 43

Thank you! More info?

@xme

[email protected]

http://blog.rootshell.be

https://www.truesec.be