Kevin Hayes, CISSP, CISM MULTIPLY SECURITY EFFECTIVENESS WITH SIEM

Transcription

1 Kevin Hayes, CISSP, CISM MULTIPLY SECURITY EFFECTIVENESS WITH SIEM

2 TODAY S AGENDA Describe the need for SIEM Explore different options available for SIEM Demonstrate a few Use Cases Cover some caveats

3 ABOUT ME Information Security Officer for Wayne State University Firewalls Intrusion Detection Vulnerability Management Incident Response Compliance Security Guidance Network and Security Projects CISSP, CISM, ITILv3, JNCIS-SEC

4 PROBLEMS WITH HIGHER ED IT SECURITY Low amount of staffing Varying levels of staff skill levels No typical donors to IT Infrastructure & Security Must accomplish more with less Audits Compliance Projects Troubleshooting Proper Time Management is critical

5 WHAT IS SIEM Security Incident & Event Management Single Point for Security Information Reduce number of systems needed to retrieve information Centralize creation and resolution of security incidents Provide intelligence previously difficult or impossible to obtain

6 WHY SIEM Gain comprehensive visibility Everything is normalized Build alerting rules for specific security threats Drastically reduce time needed for operational tasks Only two-ish dedicated FTE staff for 32,000 students and 3,000 faculty

7 NEED INPUT Identify Client Machines Identify Relevant Activity Network Traffic Logs Firewall Permit/Drop Network Flow (with or without payload) DHCP Logs Wireless Association Logs Authentication Logs Directory Services Access Logs ERP System Critical Systems and Services VPN & Remote Access

8 RECEIVING INPUT Numerous ways to transport data to SIEM system SYSLOG NetFlow / Jflow Network Tap Database Connection & Query Read Remote File

9 REQUIREMENTS Good Understanding of Network & System Design and Interaction Identify Key Data Sources Identify Typical Use Cases and Monitoring Thresholds Time for Implementation

10 SIEM TOOLS Wayne State University Deployment: IBM Qradar (Formerly Q1 Labs QRadar) 1 Event Collector 3 Flow Collectors 1 Event Processor 1 Administration Console Each Server has 16TB Disk Current Capacity for ~8 months Retention

11 Qradar SIEM System Layout Review Security Offenses Generate Event & Flow Queries Create Security Reports System has 16TB of Storage 90 Day Minimum 180 Day Typical Use NES Security Personnel QRadar Console Secure Web Interface for SIEM Solution Event Processor Correlates & Stores Collected Data Security Devices Security Data Security Data Servers Firewalls Current Events Logged: All Firewall Logs Permitted Traffic Denied Traffic Configuration Logs Wireless Logs User Authentication AP Associations DHCP Logs Remote Access/VPN Logs Linux Server Administrative Logs Med School Windows Server Logs Event Collector Collects Logged Events Capable of: 10,000 Events Per Second Current Usage: 2,000 Events Per Second Network Tap Internet Traffic QFlow Collector Collects Network Traffic Copy of Network Traffic Network Flow Records Core Routers Building Traffic Capturing Capabilities: 2x 10Gig Fiber (Internet Connection) 6x 1Gig Copper (Extra Connections) Forwarded NetFlow Records (All Routers)

12 OVERALL SECURITY DASHBOARD

13 SIEM TOOLS Commercial Solutions IBM QRadar Juniper STRM Enterasys DSCC HP ArcSight McAfee Enterprise Security Manager Splunk Commercial solutions often have partners for security feeds and reputation data

14 SIEM TOOLS Free / Open Source OSSIM LOGalyze Create Your Own Argus FlowTools Syslog-NG Custom watch scripts Free Tools typically have less built-in functionality Understand your comfort level with your security staff and developers to choose the right fit of products.

15 USE CASE EXAMPLES Phishing Campaigns Possible Data Breaches DMCA Handling Troubleshooting Root Cause Analysis 24-Hour Monitoring

16 USE CASE PHISHING/FRAUD RESPONSE Identified fraud associated with stolen account credentials Checked network logs for correlation Investigate phishing website Analyze POST Form Data Identify people that actually submitted credentials, not just visiting website Contact affected individuals Rapid Response Within Hours

17 USE CASE INVESTIGATION SUPPORT Scenarios where rapid response is needed in knowing account activity Instant knowledge of all account activity for selected timeframe Webmail access POP/IMAP account access Wireless AP associations Build a detailed timeline for a client or user

18 USE CASE DATA BREACH RESPONSE Several PDFs with protected information disclosed Not on a central managed system Able to identify exact time and point of disclosure Able to identify exact records accessed Later Apache web logs confirmed analysis Saved several days of waiting time

19 USE CASE DMCA HANDLING Approximately 20 Digital Millennium Copyright Act (DMCA) notices per day Single console combining identity: DHCP Leases & Names ARP Entries Wireless Logins Flow Data confirming reported activity Mostly automated via API scripts Easy administrator usage for exceptions

20 USE CASE SYSTEM TROUBLESHOOTING Its always the Firewall/Network Identify specific traffic flows and logs pertinent to the non-working application Discover related information that may point to true cause Watch security events occur real-time

21 REPORTING Able to provide standardized metrics and Key Performance Indicators Run comprehensive, periodic queries where immediate timeliness is not required Understand overall trends for entire IT environment Create baselines which Offenses can be generated on

22

23 OFFENSES Take collected security data to next level Define specific rules with normalized data What do you really care about? Peer-to-Peer connections Authentication rejects Remote Access Foreign Countries Repeated Attempts Take Automatic Actions , SNMP Trap, Run Script

24 OFFENSE EXAMPLE Detecting Botnet Clients This rule will fire when the system detects a potential connection to a BotNet command and control host. To remove false positives, we have removed connections on port 25 and 53. If you are paranoid you might want to add those back in. Offenses can and should be tuned!

25 CAVEATS With Great Power Comes Great Responsibility Secure your SIEM Setup Implement proper Access Control & Provide training Publish specific policies Privacy Data Retention & Disclosure System Administrator Responsibilities Increased demand for security services

26 CONCLUSION SIEM Can Multiply Your Effectiveness Automate Menial Tasks Accelerate Incident Handling Process Provide Actionable Reporting Watch for possible security incidents 24x7

27 CONCLUSION Thanks for Attending! Kevin Hayes, CISSP, CISM Wayne State University