Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
-
Upload
source-conference -
Category
Technology
-
view
1.890 -
download
1
Transcript of Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
![Page 1: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/1.jpg)
So You Got That SIEM.
NOW What Do You Do?
Dr. Anton Chuvakin
SecurityWarrior LLC
www.securitywarriorconsulting.com
![Page 2: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/2.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
DIRE WARNING:
This presentation does
NOT mention PCI DSS…
…oh wait
www.pcicompliancebook.info
![Page 3: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/3.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
Outline
• Brief: What is SIEM?
• “You got it!”
• SIEM Pitfalls and Challenges
• Useful SIEM Practices
– From Deployment Onwards
• SIEM “Worst Practices”
• Replacing a SIEM and Other Tips
• Conclusions
![Page 4: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/4.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
About Anton: SIEM Builder and
User• Former employee of SIEM and log
management vendors
• Now consulting for SIEM vendors and
SIEM users
• SANS Log Management SEC434 class
author
• Author, speaker, blogger, podcaster (on
logs, naturally )
![Page 5: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/5.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
SIEM?
Security Information and Event
Management!
(sometimes: SIM or SEM)
![Page 6: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/6.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
SIEM and Log Management
SIEM:
Security Information
and Event Management
Focus on security use
of logs and other data
LM:
Log Management
Focus on all uses
for logs
![Page 7: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/7.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
What SIEM MUST Have?
1. Log and Context Data Collection
2. Normalization
3. Correlation (“SEM”)
4. Notification/alerting (“SEM”)
5. Prioritization (“SEM”)
6. Reporting and report delivery (“SIM”)
7. Security role workflow (IR, SOC, etc)
![Page 8: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/8.jpg)
What SIEM Eats: Logs
<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for
anton from ::ffff:192.168.138.35 port 2895 ssh2
<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit
ENTERPRISE Account Logon
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: ANTON Source Workstation: ENTERPRISE Error
Code: 0xC000006A 4574
<57> Dec 25 00:04:32:%SEC_LOGIN-5-
LOGIN_SUCCESS:Login Success [user:anton]
[Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb
28 2006
<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp
system-warning-00515: Admin User anton has logged on via Telnet from
10.14.98.55:39073 (2002-12-17 15:50:53)
![Page 9: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/9.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
What SIEM Eats: Context
http://chuvakin.blogspot.com/2010/01/on-log-context.html
![Page 10: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/10.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
How SIEM Got Here!?
• 1996-2002 IDS and Firewall
– Worms, alert overflow, etc
– Sold as “SOC in the box”
• 2003 – 2007 Above + Server + Context
– PCI DSS, SOX, users
– Sold as “SOC in the box”++
• 2008+ Above + Applications + …
– Fraud, insiders, cybercrime
– Sold as “SOC in the box”+++++
![Page 11: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/11.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
What do we know about SIEM?
Ties to many technologies, analyzes
data, requires process around it,
overhyped
What does it actually mean?
Many people think “SIEM is complex”
Thinking Aloud Here…
![Page 12: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/12.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
I will tell you how to do SIEM
RIGHT!
Useless Consultant Advice Alert!!
![Page 13: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/13.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
The Right Way to SIEM
1. Figure out what problems you want to solve with SIEM
2. Confirm that SIEM is the best way to solve them
3. Define and analyze your use cases
4. Gather stakeholders and analyze their use cases
5. Research SIEM functionality
6. Create requirements for your tool, including process requirements
7. Choose scope for SIEM coverage (with phases)
8. Assess data volume over all Phase 1 log sources and plan ahead
9. Perform product research, vendor interviews, references, peer groups
10. Create a tool shortlist
11. Pilot top 2-3 products in your environment
12. Test the products for features, usability and scalability vs requirements
13. Select a product for deployment and #2 product for backup
14. Update or create procedures, IR plans, etc
15. Create SIEM operational procedures
16. Deploy the tool (phase 1)
![Page 14: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/14.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
The Popular Way to SIEM…
1. Buy a SIEM appliance
![Page 15: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/15.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
… Backed by Online “Research”
15
![Page 16: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/16.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
Got Difference?
What people
WANT to know
and have before
they deploy a
SIEM?
What people
NEED to know
and have before
they deploy a
SIEM?
![Page 17: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/17.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
Got SIEM?Have you inherited it?
Now what?
![Page 18: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/18.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
Popular #SIEM_FAIL
… in descending order by frequency:
1. Misplaced expectations (“SOC-in-a-box”)
2. Missing requirements (“SIEM…huh?”)
3. Wrong project sizing
4. Political challenges with integration
5. Vendor deception
6. And only then: product not working
![Page 19: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/19.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
What is a “Best Practice”?
• A process or practice that
–The leaders in the field
are doing today
–Generally leads to useful
results with cost
effectiveness
P.S. If you still hate it – say
“useful practices”
![Page 20: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/20.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
BP0 How to Plan Your Project?
1.Goals and requirements (WHY)
2.Functionality / features (HOW)
3.Scope of data collection (WHAT)
4.Sizing (HOW MUCH)
5.Architecting (WHERE)
![Page 21: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/21.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
BP1 LM before SIEM!
If you remember one thing from this, let it
be:
Deploy Log Management
BEFORE SIEM!
Q: Why do you think MOST 1990s SIEM
deployments FAILED?
A: There was no log management!
![Page 22: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/22.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
SIEM/LM Maturity Curve
![Page 23: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/23.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
Graduating from LM to SIEM
Are you ready? Well, do you have…
1. Response capability and process
– Prepared to response to alerts
2. Monitoring capability
– Has an operational process to monitor
3. Tuning and customization ability
– Can customize the tools and content
![Page 24: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/24.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
BP2 Initial SIEM Use
Steps of a journey …
1. Establish response process
2. Deploy a SIEM
3. Think “use cases”
4. Start filtering logs from LM to SIEM
– Phases: features and information sources
Prepare for the initial increase in workload
![Page 25: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/25.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
Example LM->SIEM Filtering
3D: Devices / Network topology / Events
• Devices: NIDS/NIPS, WAF, servers
• Network: DMZ, payment network, other
“key domains”
• Events: authentication, outbound firewall
access, IPS
Later: proxies, more firewall data, web
servers
![Page 26: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/26.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
BP3 Expanding SIEM Use
First step, next BABY steps!
1. Compliance monitoring often first
2. “Traditional” SIEM uses
– Authentication tracking
– IPS/IDS + firewall correlation
– Web application hacking
3. Your simple use cases
– What problems do YOU want solved?
![Page 27: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/27.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
Example: Use Case
Example: cross-system authentication tracking
• Scope: all systems with authentication
• Purpose: detect unauthorized access to
systems
• Method: track login failures and successes
• Rule details: multiple login failures followed by
login success
• Response plan: user account investigation,
suspension, communication with suspect user
![Page 28: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/28.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
“Quick Wins” for Phased Approach
Phased
approach #1
• Collect problems
• Plan architecture
• Start collecting
• Start reviewing
• Solve problem 1
• Solve problem n
Phased
approach #2
• Focus on 1 problem
• Plan architecture
• Start collecting
• Start reviewing
• Solve problem 1
• Plan again
![Page 29: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/29.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
10 minutes or 10 months?
Our log
management
appliance can
be racked,
configured and
collecting logs in
10 minutes
A typical large
customer takes
10 months to
deploy a log
management
architecture
based on our
technology
?
![Page 30: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/30.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
What is a “Worst Practice”?
• As opposed to the “best
practice” it is …
–What the losers in the
field are doing today
–A practice that generally
leads to disastrous
results, despite its
popularity
![Page 31: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/31.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
WP for SIEM Planning
• WP1: Skip this step altogether – just buy
something
– “John said that we need a correlation engine”
– “I know this guy who sells log management tools”
• WP2: Postpone scope until after the purchase
– “The vendor says „it scales‟ so we will just feed ALL
our logs”
– Windows, Linux, i5/OS, OS/390, Cisco – send‟em
in!
![Page 32: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/32.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
Case Study: “We Use‟em All”
At SANS Log Management Summit …
• Vendors X, Y and Z claim “Big Finance” as
a customer
• How can that be?
• Well, different teams purchased different
products …
• About $2.3m wasted on tools
that do the same!
![Page 33: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/33.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
WPs for Deployment
• WP3: Expect The Vendor To Write Your
Logging Policy OR Ignore Vendor
Recommendations
– “Tell us what we need – tell us what you
have” forever…
• WP4: Don’t prepare the infrastructure
– “Time synchronization? Pah, who needs it”
![Page 34: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/34.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
Misc Useful SIEM Tips
34
![Page 35: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/35.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
On SIEM Resourcing
NEWSFLASH! SIEM costs money.
But …
Or…
![Page 36: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/36.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
“Hard” Costs - Money
• Initial
– SIEM license, hardware, 3rd party software
– Deployment and integration services
• Ongoing
– Support and ongoing services
– Operations personnel (0.5 - any FTEs)
• Periodic
– Vendor services
– Specialty personnel (DBA, sysadmin)
– Deployment expansion costs
![Page 37: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/37.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
“Soft” Costs - Time
• Initial
– Deployment time
– Log source configuration and integration (BIG!)
– Initial tuning, content creation
• Ongoing
– Report and log review
– Alert response and escalation
• Periodic
– Tuning and content creation
– Expansion: same as initial
![Page 38: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/38.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
Secret to SIEM Magic!
“Operationalizing” SIEM(e.g. SOC building)
Deployment Service
SIEM Software/Appliance
![Page 39: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/39.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
On Replacing a SIEM
39
![Page 40: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/40.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
How to Do It?
1. Prepare to run both products for some
time
2. Draft the new vendor to help you migrate
the data
3. Be prepared to keep the old SIEM or
keep the data backups
4. BIG! Migrate SIEM content: reports,
rules, views, alerts, etc
40
![Page 41: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/41.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
Tip: When To AVOID A SIEM
In some cases, the best “SIEM strategy” is
NOT to buy one:
1. Log retention focus
2. Investigation focus (log search)
If you only plan to look BACKWARDS – no
need for a SIEM!
![Page 42: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/42.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
Conclusions
• SIEM will work and has value … but
BOTH initial and ongoing time/focus
commitment is required
• FOCUS on what problems you are trying
to solve with SIEM: requirements!
• Phased approach WITH “quick wins” is
the easiest way to go
• Operationalize!!!
![Page 43: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/43.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
SIEM Reminders
Cost countless sleepless night and boatloads
of pain….
• No SIEM before IR plans/procedures
• No SIEM before basic log management
• Think "quick wins", not "OMG ...that SIEM
boondoggle"
• Tech matters! But practices matter more
• Things will get worse before better.
Invest time before collecting value!
![Page 44: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/44.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
And If You Only …
… learn one thing from this….
… then let it be….
![Page 45: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/45.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements! Requirements! Requirements! Requirements! Requirements!
Requirements
Requirements
Requirements
Requirements
Requirvements
Requirements
![Page 46: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/46.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
Questions?
Dr. Anton Chuvakin
Email: [email protected]
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
Twitter: @anton_chuvakin
Consulting: http://www.securitywarriorconsulting.com
![Page 47: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/47.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
More Resources
• Blog: www.securitywarrior.org
• Podcast: look for “LogChat” on iTunes
• Slides: http://www.slideshare.net/anton_chuvakin
• Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin
• Consulting: http://www.securitywarriorconsulting.com/
![Page 48: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/48.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
More on Anton
• Consultant: http://www.securitywarriorconsulting.com
• Book author: “Security Warrior”, “PCI Compliance”,
“Information Security Management Handbook”, “Know
Your Enemy II”, “Hacker‟s Challenge 3”, etc
• Conference speaker: SANS, FIRST, GFIRST, ISSA,
CSI, RSA, Interop, many, many others worldwide
• Standard developer: CEE, CVSS, OVAL, etc
• Community role: SANS, Honeynet Project, WASC, CSI,
ISSA, OSSTMM, InfraGard, ISSA, others
• Past roles: Researcher, Security Analyst, Strategist,
Evangelist, Product Manager
![Page 49: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/49.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
Security Warrior Consulting
Services• Logging and log management / SIEM strategy, procedures and practices
– Develop logging policies and processes, log review procedures, workflows and
periodic tasks as well as help architect those to solve organization problems
– Plan and implement log management architecture to support your business
cases; develop specific components such as log data collection, filtering,
aggregation, retention, log source configuration as well as reporting, review and
validation
– Customize industry “best practices” related to logging and log review to fit your
environment, help link these practices to business services and regulations
– Help integrate logging tools and processes into IT and business operations
• SIEM and log management content development
– Develop correlation rules, reports and other content to make your SIEM and log
management product more useful to you and more applicable to your risk profile
and compliance needs
– Create and refine policies, procedures and operational practices for logging
and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA
and other regulations
Others at www.SecurityWarriorConsulting.com
![Page 50: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/50.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
Misc Resource Slides
50
![Page 51: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/51.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
Best Reports? SANS Top 7
DRAFT “SANS Top
7 Log Reports”1. Authentication
2. Changes
3. Network activity
4. Resource access
5. Malware activity
6. Failures
7. Analytic reports
![Page 52: Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?](https://reader034.fdocuments.us/reader034/viewer/2022052410/554c9342b4c905b80b8b4894/html5/thumbnails/52.jpg)
Security Warrior Consulting
Dr. Anton Chuvakin
Best Correlation Rules? Nada
• Vendor default rules?
• IDS/IPS + vulnerability
scan?
Anton fave rules:
1. Authentication
2. Outbound access
3. Safeguard failure