Don t let your SIeM become your Nightmare!

Transcription

1 Don t let your SIeM become your Nightmare! Herwig Köck, Thomas Bleier

2 What is SIEM? Combining Security Components Intrusion Detection Endpoint Security Service Logs Asset Management Packets Protocols IP-Adresses Files Usernames Hosts User Logins Service Activity Configuration Changes Apps Business Processes Business Owners 2

3 What is Siem? Security Information and event Management SIEM is only as useful as the information you put in Garbage IN SIEM Garbage OUT Management Layer Management Layer above existing systems security controls Unifies Information Unifies and connects information of an existing System to be analyzed and cross-referenzed from a single interface 3

4 Input Data? Where Usable data is generated 4

5 What S SpecIal? More than simple Log Management Log Management Functionality search and parse data for Trends Anomalies Other relevant information SIEM Collecting and analyzing network data Security events Operational events Application events Functionality specialized on information security Event reduction Real time alerting Workflow to address security breaches Incorporation of non event based data (e.g. reports) Source: 5

6 What S SpecIal? More than simple Log Management Workflow Comprehensive incident management Real-time identification and notification of threats Important part of regulatory compliance Allows analysts to document threat response Prioritization Highlights important events over minor ones Easily keep track of security situation Includes input from reports Updated frequently Correlation Important tool to identify relevant security events Can compute massive amounts of logged data Analysis of event data Real-time historical Source: 6

7 What S SpecIal? Example: Correlation Workflow Prioritization Correlation Important tool to identify relevant security events Can compute massive amounts of logged data Analysis of event data Real-time historical Source: 7

8 SIEM Integration? How to not Integrate your siem Buy SIEM appliance Connect all your IDS, Logs, Everything, etc with SIEM Get high amount of security events/notifications No qualified personal to handle events and/or adjust the system SIEM gets abandoned, alarms are ignored High financial expenses without additional value 8

9 SIEM Integration? How to do things right Define Scope Connect Point Solutions (IDS, Central Logging, Firewalls, etc) Filter logs Establish criteria (when, who, what, where, why) Progressive rollout to assimilate generated information with internal processes Additional value for your enterprise Source: SANS 9

10 Security Visibility? Considering the following divergent goals Senior Management Needs a concise view How do we compare with our peers? Are we spending the right amount of money? Are we better off than we were this time last year? Operational Security Needs high level (near real time) view plus ability to see details quickly Are we going to pass PCI compliance? Are there signs of malware in our systems? Are our insiders misusing their access? Front line analysts Need even greater detail Which devices are trying to communicate with known malicious sites on the internet? What systems are probing our networks? Are we seeing any indication of? Source: SANS 10

11 What to do with the information from your SIEM? SOC Security Operations Center What is it? Someone has to handle the information from SIEM Centrally monitors, detects and handles security incidents based on the information from SIEM Evaluate and measure the efficiency of securityprocesses Operate security tools (SIEM + other) Operative security tasks in contrast to ISMS (strategic tasks) Organisation Someone has to handle the information from SIEM Role taken over by a person May not be the only role of this person Define use-cases, tasks, scope and responsibilities SOP Standard Operation Procedures Interface to other roles Sourcing Strategy - Multi-Level SOC 11

12 Security Operations Center Primary functions Compliance Vulnerabilities Security Controls Control Monitor Logs, Events Incidents Threat Intelligence Devices, Tools Security Devices Security Systems Security Tools Operate 12

13 Security Operations Center? Control Compliance Testing Development of operational IT security operational controls based on control objectives from governance / ISMS Verification of control implementation Vulnerability Assessment Continous automated assessment of systems Against known vulnerabilities Broad scope / coverage Penetration Testing Manual testing of systems for security vulnerabilities Validation and complementation of automated assessment Defined samples (small scale) Steering and priorization of the development of operational security measures based on cyber risk exposure 13

14 Security Operations Center? Monitor Logs, Events Log Management SIEM (-> Events) Broad coverage Security Incidents Handle security incidents Track and monitor incident resolution Detect systematic misuse cases ( Problem Management) Threats Monitor threat landscape (Threat Intelligence) Derive necessary measures Interface with IT Govermance/ISMS Gaining visibility of the current cyber risk exposure 14

15 Security Operations Center? Operate Design Definition of functional areas Definition of tooling Existing Tools vs. New Tools Needs vs. Nice to Have Implementation Setup and rollout of toolset Operation Configuration Management Change Management Incident Management Problem Management Support Operating the necessary tools and systems 15

16 Staffing Tasks & Qualifications Tasks Incident Response Tool Operations Audits & Assessments Monitoring & Reporting Training of IT Staff Qualifications Incident Handler Operator Auditor Document Writer Trainer 16

17 SUMMARY A SIEM should combine data from different sources to derive more usable information. Careful selection of sources, reduction of data and priorization of events is key! The implementation process is a critical success factor (Scoping, Rollout Process, etc.)! The SOC has to control, monitor and operate the SIEM! Somebody needs to use the SIEM and handle the information it produces! SOC 17

18 Thank You! Questions? Herwig Köck BSc ACSA ACSE MCP Fachlead Security Consulting T-Systems Austria GesmbH Rennweg A-1030 Wien Phone: Thomas Bleier DI MSc CISSP CISA CISM CEH zpm Teamlead Security Professional Services T-Systems Austria GesmbH Rennweg A-1030 Wien Phone: T-Systems Austria GesmbH 2014 All Rights reserved. This document and all contained information and picture are protected by copyright. Propagation or duplication of this documents or parts of it is forbidden. Any usage in any form without written permission by T-Systems Austria GesmbH is chargeable. 18