SIEM brown-bag presentation

SIEM : putting ya goggles on. Wednesday 22 December 2010

description

a (slightly redacted) talk I did for a lunch session at work. Thx to Patrick for the invite :-)

Transcript of SIEM brown-bag presentation

Page 1: SIEM brown-bag presentation

SIEM : putting ya goggles on.

Wednesday 22 December 2010

Page 2: SIEM brown-bag presentation

2 rules

Page 3: SIEM brown-bag presentation

Disclaimer

This talk != an EY talk

This talk != an [] talk

This talk == MY talk

Page 4: SIEM brown-bag presentation

Disclaimer

This talk != an EY talk

This talk != an [] talk

This talk == MY talk

Marishka Hargitay !

Page 5: SIEM brown-bag presentation

I. What is SIEM
II. Challenges
III. Common-Sense SIEM
V. What’s the future?
VI. ...

Page 6: SIEM brown-bag presentation

What is SIEM ?

* What is it not (Log Management)
* It’s about information.
* It’s about your needs !

Page 7: SIEM brown-bag presentation

Log Management              SIEM
Log Collection              Log Collection
Retention                   Context Data Collection
Search                      Normalization
Indexing/Parsing            Categorization
Reporting                   Correlation
                            Notification/Alerting
                            Prioritization
                            Reporting
                            Security role workflow

All types of log data       Security relevant data

Page 8: SIEM brown-bag presentation

DATA

PROCESSING

INFORMATION

Page 9: SIEM brown-bag presentation

May 21 20:22:28 slacker2 sshd[8813]: Accepted password for root from 192.168.20.185 port 1066 ssh2

Data vs. information

Page 10: SIEM brown-bag presentation

May 21 20:20:15 slacker sshd[17834]: Failed password for root from 192.168.20.185 port 1058 ssh2

May 21 20:22:28 slacker2 sshd[8813]: Accepted password for root from 192.168.20.185 port 1066 ssh2

Data vs. information

Page 11: SIEM brown-bag presentation

May 21 20:20:15 slacker sshd[17834]: Failed password for root from 192.168.20.185 port 1058 ssh2

May 21 20:22:28 slacker2 sshd[8813]: Accepted password for root from 192.168.20.185 port 1066 ssh2

May 21 19:30:28 slacker sshd[9287]: Failed password for root from 192.168.20.185 port 1080 ssh2

May 21 19:32:30 slacker sshd[10254]: Failed password for root from 192.168.20.185 port 1045 ssh2

... (2000 of those)

Data vs. information
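
Added example, not part of the original slides: a small Python correlation over sshd lines like the ones above that turns raw data into the information the slide hints at, namely one source failing repeatedly against a host and then getting an accepted root login on another. The sample log is constructed (two extra failures were added so the threshold is crossed), and the field names, the year assumed for the syslog timestamps, the threshold and the time window are editorial choices, not the speaker's.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the sshd/syslog format shown on the slides. Two extra
# "Failed" lines were added so that the threshold below is actually crossed;
# the slides talk about ~2000 of them in the real case.
SAMPLE_LOG = """\
May 21 19:30:28 slacker sshd[9287]: Failed password for root from 192.168.20.185 port 1080 ssh2
May 21 19:32:30 slacker sshd[10254]: Failed password for root from 192.168.20.185 port 1045 ssh2
May 21 20:20:15 slacker sshd[17834]: Failed password for root from 192.168.20.185 port 1058 ssh2
May 21 20:21:40 slacker2 sshd[8802]: Failed password for root from 192.168.20.185 port 1061 ssh2
May 21 20:22:28 slacker2 sshd[8813]: Accepted password for root from 192.168.20.185 port 1066 ssh2
May 21 20:25:00 slacker sshd[8900]: Accepted publickey for alice from 10.0.0.7 port 51000 ssh2
"""

# Normalisation: pull the fields a SIEM keys on out of the free-text message.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_sshd(line, year=2010):
    """Normalise one sshd line into a dict of fields; None if it is not an auth event."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # Classic syslog timestamps carry no year; 2010 is an assumption taken from the deck's date.
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def correlate(lines, threshold=3, window_minutes=60):
    """Flag an Accepted login that follows at least `threshold` Failed attempts
    for the same (source IP, user) within `window_minutes`, regardless of which
    host logged the failures. Returns a list of alert dicts."""
    failures = defaultdict(list)  # (src, user) -> timestamps of failed attempts
    window = timedelta(minutes=window_minutes)
    alerts = []
    for line in lines:
        ev = parse_sshd(line)
        if ev is None:
            continue  # not an sshd auth event we understand
        key = (ev["src"], ev["user"])
        if ev["outcome"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],
                "host": ev["host"],            # where the login finally succeeded
                "failures": len(recent),
                "accepted_at": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

The key point is that the failures and the success are keyed on (source, user) rather than on the logging host, which is exactly the join a grep over one host's log cannot do.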

Page 12: SIEM brown-bag presentation

IDS  |  win2K3server (10.10.10.10)  |  SIEM

Information vs. context

Page 13: SIEM brown-bag presentation

IDS  |  win2K3server (10.10.10.10)  |  SIEM

Information vs. context

1. MS08-067 !

Page 15: SIEM brown-bag presentation

IDS  |  win2K3server (10.10.10.10)  |  Vuln Scan  |  SIEM

Information vs. context

1. MS08-067 !

Page 16: SIEM brown-bag presentation

IDS  |  win2K3server (10.10.10.10)  |  Vuln Scan  |  SIEM

Information vs. context

1. MS08-067 !
2. scan 10.10.10.10

Page 17: SIEM brown-bag presentation

IDS  |  win2K3server (10.10.10.10)  |  Vuln Scan  |  SIEM

Information vs. context

1. MS08-067 !
2. scan 10.10.10.10
3. yo, wazzup ?

Page 18: SIEM brown-bag presentation

IDS  |  win2K3server (10.10.10.10)  |  Vuln Scan  |  SIEM

Information vs. context

1. MS08-067 !
2. scan 10.10.10.10
3. yo, wazzup ?
4. not vulnerable

Page 19: SIEM brown-bag presentation

IDS  |  win2K3server (10.10.10.10)  |  Vuln Scan  |  SIEM

Information vs. context

1. MS08-067 !
2. scan 10.10.10.10
3. yo, wazzup ?
4. not vulnerable
5. meh!
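
Added example, not from the slides: the IDS-alert-plus-vulnerability-scan sequence above written as a prioritisation function in Python. The asset inventory, the second host 10.10.10.20, the criticality values and the scan dates are constructed; the "not vulnerable" result for win2K3server / 10.10.10.10 follows the slides. It also covers a case the slides do not show: a "not vulnerable" result that is too old to be trusted.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class IdsAlert:
    signature: str   # what the IDS claims it saw, e.g. "MS08-067"
    dst_ip: str      # the host the traffic was aimed at


# Constructed context, standing in for the asset inventory and the vulnerability
# scanner on the slides. 10.10.10.10 / win2K3server is the slides' example;
# 10.10.10.20 is a hypothetical second host added for contrast.
ASSETS = {
    "10.10.10.10": {"hostname": "win2K3server", "criticality": "high"},
    "10.10.10.20": {"hostname": "lab-box", "criticality": "low"},
}
# (ip, vulnerability) -> (scan result, date the scan ran)
SCAN_RESULTS = {
    ("10.10.10.10", "MS08-067"): ("not vulnerable", date(2010, 12, 20)),
    ("10.10.10.20", "MS08-067"): ("vulnerable", date(2010, 12, 20)),
}


def prioritize(alert, assets=ASSETS, scans=SCAN_RESULTS,
               today=date(2010, 12, 22), max_scan_age=timedelta(days=30)):
    """Turn an IDS alert (information) into a prioritised event using context.
    Returns {"priority": ..., "reason": ...}."""
    asset = assets.get(alert.dst_ip)
    if asset is None:
        # Unknown asset: exposure cannot be confirmed, but neither can safety.
        return {"priority": "medium", "reason": "destination not in asset inventory"}

    hit = scans.get((alert.dst_ip, alert.signature))
    if hit is None:
        return {"priority": "high",
                "reason": f"{asset['hostname']}: no scan data for {alert.signature}, assume exposed"}

    status, scanned_on = hit
    if today - scanned_on > max_scan_age:
        # A stale "not vulnerable" must not keep suppressing alerts after the host may have changed.
        return {"priority": "high",
                "reason": f"{asset['hostname']}: scan result from {scanned_on} is stale"}

    if status == "not vulnerable":
        return {"priority": "low",
                "reason": f"{asset['hostname']}: meh! not vulnerable to {alert.signature}"}

    # Confirmed vulnerable: weight by how much the asset matters to the business.
    prio = "critical" if asset["criticality"] == "high" else "high"
    return {"priority": prio, "reason": f"{asset['hostname']}: vulnerable to {alert.signature}"}


if __name__ == "__main__":
    print(prioritize(IdsAlert("MS08-067", "10.10.10.10")))
    print(prioritize(IdsAlert("MS08-067", "10.10.10.20")))
```

Only the "not vulnerable" branch is allowed to lower the priority, and only while the scan is fresh; every missing piece of context pushes the alert up, not down.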

Page 20: SIEM brown-bag presentation

Why SIEM ?

* React Faster !
* Increase efficiency
* Automate Compliance

Page 21: SIEM brown-bag presentation

Challenges

Page 22: SIEM brown-bag presentation

NETWORK

Wintel Unix

Virtualisation

App App App App DB

Where do we get data from ?

Page 23: SIEM brown-bag presentation

How do we work together ?

Page 24: SIEM brown-bag presentation

Parsing data for fun and ... (kill me now)

Page 25: SIEM brown-bag presentation

\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b

999.999.999.999

IP Addresses ...

Page 26: SIEM brown-bag presentation

\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b

999.999.999.999

IP Addresses ...

\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b

Page 27: SIEM brown-bag presentation

Matching an RFC 822 valid e-mail address using regular expressions ...

couldn’t be that hard !

Page 28: SIEM brown-bag presentation

Page 29: SIEM brown-bag presentation

(?:(?:\r\n)?[ \t])*(?:(?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t] )+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?: \r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:( ?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\0 31]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\ ](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+ (?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?: (?:\r\n)?[ \t])*))*|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z |(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n) ?[ \t])*)*\<(?:(?:\r\n)?[ \t])*(?:@(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\ r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n) ?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t] )*))*(?:,@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])* )(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t] )+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*) *:(?:(?:\r\n)?[ \t])*)?(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+ |\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r \n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?: \r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t ]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031 ]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\]( ?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(? 
:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(? :\r\n)?[ \t])*))*\>(?:(?:\r\n)?[ \t])*)|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(? :(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)? [ \t]))*"(?:(?:\r\n)?[ \t])*)*:(?:(?:\r\n)?[ \t])*(?:(?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]| \\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<> @,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|" (?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t] )*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\ ".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(? :[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[ \]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*|(?:[^()<>@,;:\\".\[\] \000- \031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|( ?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)*\<(?:(?:\r\n)?[ \t])*(?:@(?:[^()<>@,; :\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([ ^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\" .\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\ ]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*(?:,@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\ [\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\ r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\] |\\.)*\](?:(?:\r\n)?[ \t])*))*)*:(?:(?:\r\n)?[ \t])*)?(?:[^()<>@,;:\\".\[\] \0 00-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\ .|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@, ;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(? 
:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])* (?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\". \[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[ ^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\] ]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*\>(?:(?:\r\n)?[ \t])*)(?:,\s*( ?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\ ".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:( ?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[ \["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t ])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t ])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(? :\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+| \Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*|(?: [^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\ ]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)*\<(?:(?:\r\n) ?[ \t])*(?:@(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\[" ()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n) ?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<> @,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*(?:,@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@, ;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t] )*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\ ".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*)*:(?:(?:\r\n)?[ \t])*)? (?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\". 
\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?: \r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\[ "()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t]) *))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t]) +|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\ .(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z |(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*\>(?:( ?:\r\n)?[ \t])*))*)?;\s*)
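
Added example for the two parsing slides above (IP addresses and RFC 822 e-mail addresses), not part of the original talk: Python that compares the naive and strict IP patterns from the slides and then does what a log parser should do instead: find candidates with the cheap regex and hand them to the ipaddress module for validation, and use email.utils.parseaddr rather than the regular expression above. The sample text is constructed; the function names are editorial.

```python
import ipaddress
import re
from email.utils import parseaddr

# The naive pattern from the slide: four 1-3 digit groups, so 999.999.999.999 passes.
NAIVE_IP = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")

# The slide's stricter pattern, built from one octet alternation repeated four times.
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
STRICT_IP = re.compile(r"\b" + r"\.".join([OCTET] * 4) + r"\b")

# Constructed sample: one real sshd line plus some junk that only looks like addresses.
SAMPLE = ("May 21 20:22:28 slacker2 sshd[8813]: Accepted password for root from 192.168.20.185 "
          "port 1066 ssh2; also saw 999.999.999.999, 256.1.1.1 and 10.0.0.1")


def naive_ips(text):
    return [m.group(0) for m in NAIVE_IP.finditer(text)]


def strict_ips(text):
    return [m.group(0) for m in STRICT_IP.finditer(text)]


def validated_ips(text):
    """Cheap regex to find candidates, then let ipaddress decide what is a real IPv4
    address. The regex only has to be fast; correctness lives in the library."""
    out = []
    for cand in naive_ips(text):
        try:
            out.append(str(ipaddress.IPv4Address(cand)))
        except ValueError:
            pass  # 999.999.999.999, 256.1.1.1 and friends end up here
    return out


def mail_address(header_value):
    """Extract the bare address from an RFC 822 style mailbox ("Name <user@host>")
    with the stdlib parser instead of a regex. Returns None if nothing plausible is there."""
    _, addr = parseaddr(header_value)
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain:
        return None
    return addr.lower()


if __name__ == "__main__":
    print("naive    :", naive_ips(SAMPLE))
    print("strict   :", strict_ips(SAMPLE))
    print("validated:", validated_ips(SAMPLE))
    print(mail_address('"Alice Example" <alice@example.com>'))
```

Both the strict regex and the validated approach drop the bogus addresses; the difference is that the second one stays readable and is maintained by someone else. Note that neither pattern distinguishes an address from the first four components of a longer dotted string such as a version number, so the surrounding field (here "from ... port") still matters.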

Page 30: SIEM brown-bag presentation

Making sense of data

[Chart residue: three charts with x-axis monday, wednesday, friday; series user 1, user 2, user 3, user 4; y-axis scales 0-200, 0-70 and 0-200]

Page 31: SIEM brown-bag presentation

Making sense of data

Page 32: SIEM brown-bag presentation

Making sense of data

Page 33: SIEM brown-bag presentation

common-sense SIEM

Page 34: SIEM brown-bag presentation

DATA

Data points: time/date, user name, source, destination, host name, action, ...

Use cases: who, what, when, where, why ? €€€ ...

common-sense SIEM!

Page 35: SIEM brown-bag presentation

So, where do we go from here ?

Page 36: SIEM brown-bag presentation

http://www.loggly.com

meet Hoover ;-)

!= SIEM
= LaaS

currently running in beta
log collection/parsing/search/visualization

(demo)

Page 37: SIEM brown-bag presentation

Thank you!

Page 38: SIEM brown-bag presentation

Thank you!

Marishka Hargitay !
