Post on 26-Dec-2014
SIEM: Нужная Штука или Дорогая Игрушка (SIEM: A Necessary Thing or an Expensive Toy)
Dr. Anton Chuvakin
RISSPA
December 2009
Security Warrior Consulting, Dr. Anton Chuvakin
Outline
• Brief: What is SIEM?
• Implementation Choices: Build/Outsource/Buy
• Detailed Analysis of Choices
• SIEM and Log Management “Worst Practices”
• Conclusions
SIEM vs LM
SIEM = SECURITY information and event management
vs
LM = LOG management
What SIEM MUST Have?
1. Log and Context Data Collection
2. Normalization
3. Correlation (“SEM”)
4. Notification/alerting (“SEM”)
5. Prioritization (“SEM”)
6. Reporting (“SIM”)
7. Security role workflow
SIEM Use Cases
1. Security Operations Center (SOC)
– Real-time views, analysts 24/7, chase alerts
2. Mini-SOC / “morning after”
– Delayed views, analysts 1/24, review and drill-down
3. “Automated SOC” / alert + investigate
– Configure and forget, investigate alerts
4. Compliance status reporting
– Review reports/views weekly/monthly
Secret to SIEM Magic!
“Operationalizing” SIEM (e.g. SOC building)
Deployment Service
SIEM Software/Appliance
APPROACHES
Build / Buy / Outsource
How Do You Do It?
• Now that you are convinced about SIEM…
1. Outsource
2. Build
3. Buy
• Combined strategies are also possible
Outsource
Risks:
• Somebody else will worry about your problems!
• Requirements not met
• SLA risks and lost control of data
• Volume and log access challenges
Advantages:
• Somebody else will worry about your problems!
• Likely, no need to run any equipment in house
• Less staff needed
• Management will like it
What to Be Aware Of?
• Will all your log and context data be going to the MSSP?
• Does MSSP have skills to analyze your site-specific logs?
• Can you still take a peek at your original logs?
– Do you need to call for that?
– Can you access them directly?
• Cloud SIEM?
Build
Risks:
• Ongoing maintenance will KILL you
• No support, apart from you
• Does it pass the “bus test”?
• Handling log volume
• Will it scale with you?
Advantages:
• Likely will get exactly what you want (*)
• You can do things that no vendor has
• Choose platform, tools, methods
• No up-front cost
• It’s fun to do!
Open-Source Tools to the Rescue!
• Log collection
– Syslog-ng, Kiwi, Snare, LASSO, Apache2syslog, logger, etc
• Secure centralization
– Stunnel, ssh, OpenSSL
• Pre-processing
– LogPP
• Storage
– MySQL or design your own file-based storage
• Analysis – a tough one!
– OSSEC and OSSIM for [some] intelligence
– Swatch, logwatch, logsentry, other match-n-bug scripts
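The “analysis” bullet is where the build option stops being a matter of gluing tools together, because single-line matchers like swatch cannot do items 2 to 5 of the “What SIEM MUST Have” list (normalization, correlation, alerting, prioritization): those need state kept across lines and across log sources. The following toy pipeline is an added example, not code from the slides or from any of the tools named above. It normalizes two constructed log formats (sshd syslog lines and a simplified, invented rendering of a forwarded Windows logon event; hosts, users and addresses are made up) onto one schema, then runs a sliding-window brute-force rule keyed on the client address, so failures seen by a Linux host and by a domain controller count together:

```python
"""Toy log pipeline: collect -> normalize -> correlate -> alert.

Added example (not from the slides). The log lines in SAMPLE_LOGS are
constructed; hosts, users and addresses are made up, and the Windows line
is a simplified, invented rendering of a forwarded event, not real Snare output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOGS = """\
2009-12-01T09:50:00Z web02 sshd[1090]: Failed password for alice from 198.51.100.7 port 4990 ssh2
2009-12-01T10:00:01Z web01 sshd[2231]: Failed password for root from 203.0.113.5 port 4422 ssh2
2009-12-01T10:00:03Z web01 sshd[2231]: Failed password for root from 203.0.113.5 port 4423 ssh2
2009-12-01T10:00:05Z DC01 MSWinEventLog EventID=4625 TargetUserName=bob IpAddress=203.0.113.5
2009-12-01T10:00:07Z web01 sshd[2240]: Accepted password for root from 203.0.113.5 port 4425 ssh2
2009-12-01T10:00:09Z web02 sshd[1102]: Failed password for alice from 198.51.100.7 port 5001 ssh2
2009-12-01T10:00:12Z web02 CRON[55]: (root) CMD (run-parts /etc/cron.hourly)
2009-12-01T10:03:40Z web02 sshd[1108]: Accepted password for alice from 198.51.100.7 port 5002 ssh2
"""

# One parser per log format: this is the "normalization" step.
SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)
WIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) MSWinEventLog EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)"
)
WIN_OUTCOME = {"4624": "success", "4625": "failure"}  # logon succeeded / failed


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize(line):
    """Map one raw line onto a common schema; None if no parser matches."""
    m = SSH_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "host": m["host"], "user": m["user"],
                "src": m["src"], "source": "sshd",
                "outcome": "success" if m["outcome"] == "Accepted" else "failure"}
    m = WIN_RE.match(line)
    if m and m["eid"] in WIN_OUTCOME:
        return {"ts": parse_ts(m["ts"]), "host": m["host"], "user": m["user"],
                "src": m["src"], "source": "windows", "outcome": WIN_OUTCOME[m["eid"]]}
    return None


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window rule across all sources, keyed on the client address.

    - `threshold` failures from one address inside `window` -> medium alert
    - a success from that address while the counter is still hot -> high alert
    Events are processed in timestamp order, so the rule is only as good as
    the clocks on the log sources (time sync is infrastructure, not a detail).
    """
    failures = defaultdict(list)  # src -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        # Expire failures that fell out of the window before counting this event.
        failures[src] = [t for t in failures[src] if ev["ts"] - t <= window]
        if ev["outcome"] == "failure":
            failures[src].append(ev["ts"])
            if len(failures[src]) == threshold:
                alerts.append({"rule": "auth_bruteforce", "priority": "medium",
                               "src": src, "count": threshold, "ts": ev["ts"]})
        elif ev["outcome"] == "success" and len(failures[src]) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "priority": "high",
                           "src": src, "user": ev["user"], "host": ev["host"],
                           "ts": ev["ts"]})
            failures[src].clear()
    return alerts


def run(raw_text):
    """Collect -> normalize -> correlate. Returns (events, alerts, unparsed)."""
    events, unparsed = [], 0
    for line in raw_text.splitlines():
        ev = normalize(line)
        if ev is None:
            unparsed += 1  # count, never silently drop: coverage gaps matter
        else:
            events.append(ev)
    return events, correlate(events), unparsed


if __name__ == "__main__":
    events, alerts, unparsed = run(SAMPLE_LOGS)
    print(f"{len(events)} events normalized, {unparsed} line(s) unparsed")
    for a in alerts:
        print(a["ts"].isoformat(), a["priority"].upper(), a["rule"], a["src"])
```

On the constructed input the third failure from 203.0.113.5 is the Windows event, so the medium alert fires only because both sources were normalized onto the same `src` field; the subsequent sshd success from the same address escalates it to high. The earlier failure from 198.51.100.7 has aged out of the window by the time its later success arrives, so no alert fires for it, and the cron line is counted as unparsed rather than dropped. Every piece of state here (parsers, window, threshold, the unparsed counter) is a thing you will be maintaining yourself on the build path, which is the point of the “ongoing maintenance will KILL you” risk above.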
Example: How to Deal with A Trillion Log Messages?
• How to analyze a trillion (~1000 billion) log messages for some specific goal?
• Hundreds of terabytes (1/2 of a petabyte …) of data
• Which tool to pick?
• “Sorry, buddy, you are writing some code here!”
• See the loganalysis list or my blog for details about this case
Buy
Risks:
• “Cash and carry” – pay and get a tool you need to use now
• Skilled staff needed to get value out of a purchase
• Requirements not met
• Vendor longevity
Advantages:
• “Cash and carry” – pay and get a “solution”
• Support for log sources
• Ongoing improvements, support
• “Have a face(s) to scream at!”
Finally, How to Choose?
• Breadth/depth of project requirements
– Just how unusual are you?
– Unique needs or volumes
• Size of organization
• Available resources
– Money, development talent
• Organization culture and management support
• Deployed hardware and software
– Run any Tandem?
WORST PRACTICES
Lessons Learned: SIEM “Worst Practices”
So, You Decided to Acquire a SIEM
• What’s next?
• What do you want, specifically?
• How to choose a product?
• How not to screw it up?
• How to make sure that it goes smoothly, now and later?
• How to be happy with your SIEM?
What is a “Worst Practice”?
• As opposed to the “best practice” it is …
– What the losers in the field are doing today
– A practice that generally leads to disastrous results, despite its popularity
SIEM or LM Project Lifecycle
1. Determine the need
2. Define scope of log management
3. Select and evaluate the vendor
4. Run proof of Concept – POC
5. Deploy (in phases)
6. Run the tool
7. Expand deployment
1. Determine the Need
• WP1: Skip this step altogether – just buy something
– “John said that we need a correlation engine”
– “I know this guy who sells log management tools …”
• WP2: Define the need in general
– “We need, you know, ‘do SIEM’ and stuff”
• Questions: Real-time? Platform? Appliance? Service? Correlation? Indexing? RDBMS vs files? Volume of logs? Agents? Collectors? Connectors? Users? Your use cases?
Case Study A – Just Buy a SIEM!
• Medium-sized financial company
• New CSO comes in from a much larger organization
• “We need a SIEM! ASAP!”
• Can you spell “boondoggle”?
• Lessons learned: which problem did we solve? Huh!? None?
2. Define scope
• WP3: Postpone scope until after the purchase
– “The vendor says ‘it scales’ so we will just feed ALL our logs”
– Windows, Linux, i5/OS, OS/390, Cisco – send’em in!
• WP4: Assume you will be the only user of the tool
– “Steakholders”? What’s that?
– Common consequence: two or more similar tools are bought
Case Study B: “We Use’em All”
At SANS Log Management Summit 200X…
• Vendors X, Y and Z claim “Big Finance” as a customer
• How can that be?
• Well, different teams purchased different products …
• About $2.3m wasted on tools that do the same!
3. Initial vendor selection
• WP5: Choose by price alone
– Ignore hardware, extra modules, training, service, support, etc costs
– “OMG, this tool is 30% cheaper. And it is only twice as bad.”
– Advanced version: be suckered by the vendor’s TCO and ROI “formulas”
• WP6: Choose by relationship or “PowerPoint power”
– “We got it with the latest router purchase…”
4. Vendor evaluation and POC
• WP7: Don’t ask for and don’t check references
– “Our environment is unique”
• WP8: Don’t do a POC
– “We can save time!”
– “We can just choose the best product, right?”
– “The vendor said it works just peachy”
• WP9: If doing a POC, let vendor dictate how OR ignore what the vendor says
– “Windows? Sure, we will test on Windows!”
– “Proof of concept!? Why prove what we already know!”
Case Study C: Performance-Shmerformance
• Retail organization deciding between two log management products, A and B
• Vendor A: “We scale like there is no tomorrow”
• Vendor B: “We scale like we invented scaling”
• Q: “Can you prove it?!”
• A: Results (MPS = messages per second):
– Vendor A claims 75,000 MPS, dies at 2,300 (!)
– Vendor B claims 75,000 MPS, runs at 85,000 (!!)
5. Deployment
• WP10: Expect The Vendor To Write Your Logging Policy OR Ignore Vendor Recommendations
– “Tell us what we need – tell us what you have” forever…
• WP11: Unpack the boxes and go!
– “Coordinating with network and system folks is for cowards!”
– Do you know why LM projects take months sometimes?
• WP12: Don’t prepare the infrastructure
– “Time synchronization? Pah, who needs it”
• WP13: Ignore legal team
– Pain …
Case Study D: Shelfware Forever!
• Financial company gets a SIEM tool after many months of “evaluations”
• Vendor SEs deploy it
• One year passes by
• A new CSO comes in; looks for what is deployed
• Finds a SIEM tool – whose database contains exactly 53 log records (!)
– It was never connected to a production network…
6. Running the Tool
• WP14: Deploy Everywhere At Once
– “We need log management everywhere!”
• WP15: “Save Money” on Vendor Support Contract
– “We Have to Pay 18% for What?”
• WP16: Ignore Upgrades
– “It works just fine – why touch it?”
• WP17: Training? They said it is ‘intuitive’!
– “A chance to ‘save’ more money here? Suuure.”
Case Study E: Intuitive? To Me It Isn’t!
• A major retailer procures a log management tool from an integrator
• A classic “high-level” sale, golf and all
• “Intuitive UI” is high on the list of criteria
• The tool is deployed in production
• Security engineers hate it – and don’t touch it
• Simple: UI workflow doesn’t match what they do every day
7. Expanding Deployment
• WP18: Don’t Bother With A Product Owner
– “We all use it – we all run it (=nobody does)”
• WP19: Don’t Check For Changed Needs – Just Buy More of the Same
– “We made the decision – why fuss over it?”
• WP20: If it works for 10, it will be OK for 10,000
– “1, 10, 100, …, 1 trillion – they are just numbers”
Case Study F: Today - Datacenter, Tomorrow … Oops!
• Log management tool is tested and deployed at two datacenters – with great success!
• PCI DSS comes in; scope is expanded to wireless systems and POS branch servers
• The tool is prepared to be deployed in 410 (!) more locations
• “Do you think it will work?” - “Suuuuure!”, says the vendor
• Security director resigns …
Conclusions – Serious!
• Turn ON logging!
• Learn about SIEM and log management
– Read NIST 800-92 and other industry documents; do the research!
– Read some of the stuff I wrote on SIEM too
• Match what you need with what they have
– Not doing this is a key source of PAIN
• Plan carefully – and plan your planning too
• Work WITH the vendor – not ‘against’, not ‘without’, not ‘for’
Final Word
Final word: do big IT projects have “shortcuts” to easy and effortless success – what are they?
The answer is …
NO!
Questions
Dr. Anton Chuvakin
Email: anton@chuvakin.org
Google Voice: 510-771-7106
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
LinkedIn: http://www.linkedin.com/in/chuvakin
Twitter: @anton_chuvakin
Security Warrior Consulting Services
• Logging and log management policy
– Develop logging policies and processes, log review procedures, workflows and periodic tasks, as well as help architect those to solve organization problems
– Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
– Customize industry “best practices” related to logging and log review to fit your environment; help link these practices to business services and regulations
– Help integrate logging tools and processes into IT and business operations
• Content development
– Development of correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
– Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
More at www.SecurityWarriorConsulting.com
More on Anton
• Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
• Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
• Standard developer: CEE, CVSS, OVAL, etc
• Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
• Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager, Consultant