Leveraging Compliance for Security with SIEM and Log Management
Transcript of Leveraging Compliance for Security with SIEM and Log Management
Page 1
Leveraging Compliance for Security with SIEM and Log Management
Page 2
Leveraging Compliance for Security with SIEM and Log Management
Dr. Anton Chuvakin, Security Warrior Consulting
Cindy Valladares, Tripwire, Inc.
Page 3
Security Warrior Consultingwww.securitywarriorconsulting.com
Dr. Anton Chuvakin
Outline
• Compliance Basics
• SIEM and Log Management Defined
• Why SIEM and LM?
• SIEM: A Perfect Compliance Technology
• Pragmatic Approach to SIEM/LM
• Moving Beyond Compliance!
• Conclusions
Page 4
So, what are we doing?
Aka “What is Security?”
• Protecting the data
• Defending the network
• Guarding the IT environment
• Reducing “risk” (what risk?)
However, we are also:
• Checking the boxes
Page 5
In Reality …
(Chart: Compliance budget vs Security budget)
Page 6
Compliance Reigns Supreme!
… even though the purpose of these:
… is to make sure organizations care about security!
Page 7
Compliance Mystery Solved!!
Compliance is the “floor” of security
And a motivator to DO IT!
However, many prefer to treat it as a “ceiling”
Result: breaches, 0wnage, mayhem!
Page 8
Compliance is NOT All!!!
| YOUR DATA | CUSTODIAL DATA |
|---|---|
| Key Organization Data, IP, “Secrets”, Trade Secrets | SSN, PAN, ID, Addresses, Health records |
| Usually not regulated | Usually regulated: PCI |
| Loss causes pain to you! | Loss causes pain to others! |
| You are responsible for protection | You are responsible for protection |
| Cannot be “killed” | Can be “killed” |
Page 9
Big 3 for SIEM/LM
(Diagram: Compliance, Security, Operations; SIEM, LM)
Page 10
SIEM vs LM
SIEM = SECURITY information and event management
vs
LM = LOG management
Page 11
What MUST a SIEM Have?
1. Log and Context Data Collection
2. Normalization
3. Correlation (“SEM”)
4. Notification/alerting (“SEM”)
5. Prioritization (“SEM”)
6. Reporting (“SIM”)
7. Security role workflow
Page 12
Just What Is “Correlation”?
• Dictionary: “establishing relationships”
• SIEM: “relate events together for security benefit”
• Why correlate events?
• Automated cross-device data analysis!
• Simple correlation rule:
• If this, followed by that, take some action
Page 13
Pragmatic Approach to SIEM
1. List regulations
2. Identify other “use cases”
3. Review whether SIEM/LM is needed
4. Map features to controls
5. Select and deploy
6. Operationalize regulations
7. Expand use
Page 14
What is a “Best Practice”?
• A process or practice that
– The leaders in the field are doing today
– Generally leads to useful results with cost effectiveness
Page 15
BP1 Evolve to SIEM
Steps of a journey
• Establish response process
• Deploy a SIEM
• Think “use cases”
• Start filtering logs from LM to SIEM
– Phases!
• Prepare for the initial increase in workload
Page 16
BP2 SIEM First Steps
First step = BABY steps!
• Compliance monitoring
– Log collection
– Log retention
– Log review
– Using logs to attest to other controls
• PCI DSS, HIPAA, ISO, ITIL and others
Page 17
BP3 Evolve Beyond Compliance
Walk before you run!
• Focus on “Traditional” SIEM uses
– Authentication tracking
– IPS/IDS + firewall correlation
– Web application hacking
• Simple use cases – based on your risk
• Now, what else can SIEM do for you?
Page 18
Example SIEM Use Case
Cross-system authentication tracking
• Scope: all systems with authentication (!)
• Purpose: detect unauthorized access to systems
• Method: track login failures and successes
• Rule details: multiple login failures followed by login success
• Response plan: user account investigation, suspension, communication with suspect user
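The rule on this slide, and the “if this, followed by that” form from the Correlation slide, as an added example that is not part of the deck: a small Python correlation routine that normalizes constructed key=value login events from two hosts and alerts when a user's success follows at least three failures within a ten-minute window. The log format, field names, thresholds and sample values are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in an assumed, already-normalized key=value format.
SAMPLE_LOG = """\
2024-03-01T06:00:00 host=ssh01 user=dave src=192.0.2.9 outcome=failure
2024-03-01T06:00:05 host=ssh01 user=dave src=192.0.2.9 outcome=failure
2024-03-01T06:00:10 host=ssh01 user=dave src=192.0.2.9 outcome=failure
2024-03-01T08:00:01 host=vpn01 user=alice src=203.0.113.7 outcome=failure
2024-03-01T08:00:09 host=vpn01 user=alice src=203.0.113.7 outcome=failure
2024-03-01T08:00:15 host=vpn01 user=bob src=198.51.100.4 outcome=failure
2024-03-01T08:00:20 host=vpn01 user=bob src=198.51.100.4 outcome=success
2024-03-01T08:00:31 host=vpn01 user=alice src=203.0.113.7 outcome=failure
2024-03-01T08:01:02 host=ssh01 user=alice src=203.0.113.7 outcome=success
2024-03-01T09:00:00 host=ssh01 user=dave src=192.0.2.9 outcome=success
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) outcome=(?P<outcome>failure|success)$")

def parse_line(line):
    """Normalization step: raw line -> dict with a datetime, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def correlate(lines, threshold=3, window=timedelta(minutes=10)):
    """Rule: >= threshold failures for a user, then a success within window -> alert."""
    recent = defaultdict(deque)  # user -> (ts, host, src) of failures still in window
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        q = recent[ev["user"]]
        while q and ev["ts"] - q[0][0] > window:   # expire failures outside the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append((ev["ts"], ev["host"], ev["src"]))
            continue
        if len(q) >= threshold:                     # success after enough failures
            alerts.append({"user": ev["user"], "failures": len(q),
                           "hosts": sorted({f[1] for f in q} | {ev["host"]}),
                           "sources": sorted({f[2] for f in q}),
                           "success_at": ev["ts"].isoformat()})
        q.clear()  # any success ends the sequence, whether or not it alerted
    return alerts

def run_sample():
    return correlate(SAMPLE_LOG.splitlines())
```

On the sample data only alice alerts: dave's three failures fall outside the window, bob's single failure is below the threshold, and alice's alert lists both vpn01 and ssh01, which is the cross-device point of the use case. Unparseable lines are skipped here; a production pipeline should count them so a parser gap cannot silently blind the rule.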
Page 19
SIEM Usage Scenarios
1. Security Operations Center (SOC)
– RT (real-time) views, analysts 24/7, chase alerts
2. Mini-SOC / “morning after”
– Delayed views, analysts 1/24, review and drill-down
3. “Automated SOC” / alert + investigate
– Configure and forget, investigate alerts
4. Compliance status reporting
– Review reports/views weekly/monthly
Page 20
Secret to SIEM Magic!
“Operationalizing” SIEM (e.g. SOC building)
Deployment Service
SIEM Software/Appliance
Page 21
SIEM and Compliance Mistakes
• Log collection is NOT compliance
– Many regulations prescribe log review!
• Obsess about the letter, forget the spirit!
– Regulations compel you to do the right thing, not check the box
• Address regulations in siloed fashion
– Expand and adopt your SIEM across mandates
Page 22
How To “Profit” From Compliance?
Everything you do for compliance MUST have a security benefit for your organization!
SIEM and Log Management MUST work!
Page 23
Conclusions: SIEM and Compliance
• Use compliance to get SIEM/LM
• Start USING SIEM for compliance
– Operationalize!
• Slowly expand beyond compliance
• Address common use cases for log data
– Celebrate success after each phase!
Page 24
Questions?
Dr. Anton Chuvakin
Security Warrior Consulting
Email: [email protected]
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
Twitter: @anton_chuvakin
Consulting: http://www.securitywarriorconsulting.com
Page 25
More on Anton
• Now: independent consultant
• Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
• Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
• Standard developer: CEE, CVSS, OVAL, etc.
• Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
• Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
Page 26
Want a PCI DSS Book?
“PCI Compliance” by Anton Chuvakin and Branden Williams
Useful reference for merchants, vendors – and everybody else
Released December 2009!
Page 27
www.tripwire.com
Tripwire Americas: 1.800.TRIPWIRE
Tripwire EMEA: +44 (0) 20 7382 5420
Tripwire Japan: +812.53206.8610
Tripwire Singapore: +65 6733 5051
Tripwire Australia-New Zealand: +61 (0) 402 138 980
THANK YOU!