SIEM (Security Information and Event Management) Topic: SECURITY and RISK Presenter: Ron Hruby
Topics
- Threat landscape
- Breaches and hacks
- Leadership and accountability
- Evolution of security technology
- What is SIEM?
- SIEM overview and use cases
- Pitfalls of SIEM implementations
- Is SIEM a nice-to-have or a need?
Background
Director of Commercial Cybersecurity for Vertek, based out of Colchester VT. 20 years of IT solutioning, telecom and security experience. I've been both a buyer and a supplier of telecom and security related services. Co-Founder of the MSSP (Managed Security Service Provider) Division at Vertek. Vertek provides BPO, BI, Order Management, Network Migration Services, eNOC, MSSP/SOC and Consulting services to CPs, MSPs, SMB, and Large Enterprise. The MSSP Division provides managed SOC services, including 24x7 network monitoring, security intelligence and breach detection.
Can your IT Department detect a breach today?
DDoS Attack (Distributed denial-of-service attack)
- Attacker machine running client program
- Command and control (C2): infect and control clients
- Compromised hosts (botnet clients): millions of devices
- Target of attack
Multiple compromised hosts are used by an attacker to send incoming traffic, flooding their target and causing a Denial of Service (DoS).
The Defcon.pro website (a DDoS-for-hire "booter" service) also lists the following features: 24/7 Support, Private Methods, Skype Resolver, 99% uptime, Dedicated Servers, PayPal/Bitcoin, Stop Button, IP Geolocation, Cloudfare resolver, Domain Resolver, Amazing Power, Easy to use Interface
Pastebin is a text storage site where users can store plain text. Most commonly used to share short source code snippets for code review via Internet Relay Chat (IRC). Special shout out to #39 on this list
Pwned?
Verizon DBIR 2017
Many organizations don't have the basics covered: Shodan.io
VNC (Virtual Network Computing) is a graphical desktop sharing program that allows someone to remotely control another computer. Workstation running VNC Viewer <-> Workstation running VNC Server
Supply Chain Attacks: foot in the door through a vendor
"Hackers Hid Backdoor In CCleaner Security App With 2 Billion Downloads -- 2.3 Million Infected"
The CCleaner download server was hosting the backdoored app as far back as September 11. Talos warned in a blog Monday that the affected version was released on August 15, but on September 12 an untainted version 5.34 was released. For weeks then, the malware was spreading inside supposedly-legitimate security software.
https://www.forbes.com/sites/thomasbrewster/2017/09/18/ccleanercybersecurity-app-infected-with-backdoor/#abf997e316a8
Among other things, our obligation is to protect CPNI, SPI, PII, PCI, PHI, Non-Public data, etc.
Simple Principles
- Where is it on your network?
- Who has access to it?
- How is it secured?
- Who is monitoring it?
- Who is periodically reviewing it?
Leveraging Frameworks (ISO 27000: http://www.27000.org/, NIST Cybersecurity Framework)
Sample Requirements
- Assess and classify assets and information according to risk
- Continuously scan and assess unpatched software and system vulnerabilities
- Identify malicious entities probing systems and the network
- Continuously monitor network traffic and system events for potentially insecure behaviors
- Respond to identified malicious events to remediate them
- Audit and report effectiveness
As suppliers we see this language on contracts. We also require it.
Evolution of security technology
Before SIEM: disparate security log and event sources (router, switch, firewall, IDS, server, vulnerability scans, threat feeds) and manual correlation of events.
With SIEM: the same sources feed one system, giving a single pane of glass for security logs and events, cross-correlation of events, and log retention.
SIEM (Security Information and Event Management) components: Sensor - Logger - Server
SIEM: the need for early targeted attack detection and response is driving the expansion of new and existing SIEM deployments.
TRADITIONAL SIEM: LOG MANAGEMENT, ASSET DISCOVERY, EVENT CORRELATION, FORENSIC ANALYSIS, TICKETING, REPORTING, THREAT FEEDS
VENDOR FEATURES: NETWORK VULNERABILITY SCANNING, NETWORK IDS, HOST IDS / FIM, NETFLOW, PACKET CAPTURE, OTX / FEED / IOC INTEGRATION, POLICY VIOLATIONS
Sample SIEM Dashboard
Assets and Groups
Plugin-Normalized Data: a raw log line is mapped by a plugin to a taxonomy (category and subtype) with the fields pulled out; only then can the SIEM read it and correlate it with events from other sources. A line no plugin understands is stored but cannot be correlated.
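What a normalization plugin does, as an added example that is not code from the deck or from any SIEM product: two constructed syslog lines (an sshd authentication message and an iptables drop) are mapped to a common event record with a category/subtype taxonomy, and a line no parser understands is returned separately as unparsed. The taxonomy names (authentication/failed_login, firewall/denied_connection) and the log lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log lines (not from the original deck): OpenSSH auth
# messages in syslog format, one iptables drop, and one cron line no plugin handles.
RAW_LOGS = [
    "Oct  3 14:02:11 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Oct  3 14:02:15 bastion sshd[2231]: Accepted password for ops from 198.51.100.4 port 51044 ssh2",
    "Oct  3 14:02:20 edge-fw kernel: IPTABLES-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44012 DPT=3389",
    "Oct  3 14:02:21 bastion cron[410]: (root) CMD (run-parts /etc/cron.hourly)",
]


@dataclass
class Event:
    """Normalized event: the shape every plugin emits so directives can work across sources."""
    timestamp: str
    source_host: str
    plugin: str                 # which parser/plugin normalized the line
    category: str               # taxonomy category, e.g. authentication, firewall (assumed names)
    subtype: str                # taxonomy subtype, e.g. failed_login
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    user: Optional[str] = None
    raw: str = ""               # original line kept for forensics


# Generic BSD syslog header: "Mon DD HH:MM:SS host app[pid]: message"
SYSLOG_HDR = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
# sshd auth result: "Failed|Accepted password|publickey for [invalid user] USER from IP port N"
SSHD_AUTH = re.compile(
    r"^(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
# iptables LOG target output with an assumed "IPTABLES-DROP" prefix
IPT_DROP = re.compile(r"IPTABLES-DROP .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dpt>\d+)")


def normalize(line):
    """Return an Event for a recognized line, or None when no plugin matches."""
    hdr = SYSLOG_HDR.match(line)
    if not hdr:
        return None
    ts, host, app, msg = hdr.group("ts", "host", "app", "msg")
    if app == "sshd":
        m = SSHD_AUTH.match(msg)
        if m:
            subtype = "failed_login" if m.group("result") == "Failed" else "successful_login"
            return Event(ts, host, "sshd", "authentication", subtype,
                         src_ip=m.group("ip"), user=m.group("user"), raw=line)
    if app == "kernel":
        m = IPT_DROP.search(msg)
        if m:
            return Event(ts, host, "iptables", "firewall", "denied_connection",
                         src_ip=m.group("src"), dst_ip=m.group("dst"),
                         dst_port=int(m.group("dpt")), raw=line)
    return None  # stored as raw text only; invisible to correlation until a plugin exists


def normalize_all(lines):
    """Split a batch into normalized events and the lines that no plugin understood."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


if __name__ == "__main__":
    evs, left = normalize_all(RAW_LOGS)
    for ev in evs:
        print(ev.category, ev.subtype, ev.src_ip, ev.user, ev.dst_port)
    print("unparsed:", len(left))
```

The ratio of unparsed lines to events is worth tracking as a SIEM health metric: a source whose format changes after an upgrade silently drops out of correlation even though log volume looks normal.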
IDS: Critical SIEM Log Source
An Intrusion Detection System (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Example placement: Internet -> Firewall -> IDS sensor watching VLAN 10 (workstations) and VLAN 20 (servers); Snort (Sourcefire) signatures. Detection is signature-based (match known-bad patterns) or anomaly-based (deviation from a baseline).
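The two detection styles side by side, as an added example (not the deck's material and not Snort code): signature matching runs byte-regex rules over constructed packet payloads, anomaly detection compares each source's count of distinct destination ports against a constructed baseline using a mean-plus-k-standard-deviations threshold. The rules, SIDs, baseline values and packets are all assumptions made for the example; the obfuscated request at the end shows a case neither method catches as written.

```python
import re
import statistics

# Constructed packet summaries, not captured traffic: (src_ip, dst_ip, dst_port, payload)
PACKETS = [
    ("198.51.100.4", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n"),
    ("198.51.100.4", "192.0.2.10", 80, b"GET /about HTTP/1.1\r\n"),
    # classic command-injection probe: both signatures below fire on it
    ("203.0.113.7", "192.0.2.10", 80, b"GET /cgi-bin/test.cgi?cmd=cat%20/etc/passwd HTTP/1.1\r\n"),
    # same attack with the key bytes percent-encoded: no signature fires, and a single
    # request is not anomalous either; real IDS preprocessors normalize URIs before matching
    ("203.0.113.9", "192.0.2.10", 80, b"GET /cgi-bin/test.cgi?c%6dd=cat%20/etc/%70asswd HTTP/1.1\r\n"),
] + [("203.0.113.7", "192.0.2.10", p, b"") for p in range(20, 50)]  # port sweep: 30 empty SYNs

# Constructed rules (assumed SIDs in the local 1000000+ range, the convention Snort reserves for local rules)
SIGNATURES = [
    (1000001, "WEB-ATTACKS /etc/passwd access", re.compile(rb"/etc/passwd")),
    (1000002, "WEB-ATTACKS cmd= parameter in URI", re.compile(rb"[?&]cmd=")),
]

# Constructed baseline: distinct destination ports per source per interval seen on a normal day
BASELINE_PORTS_PER_SRC = [1, 2, 1, 3, 2, 1, 2, 1]


def signature_detect(packets):
    """Signature-based: each packet is tested against known-bad patterns.
    Precise and explainable, but catches only what already has a rule."""
    hits = []
    for src, dst, port, payload in packets:
        for sid, name, rx in SIGNATURES:
            if rx.search(payload):
                hits.append({"sid": sid, "name": name, "src": src, "dst": dst, "dst_port": port})
    return hits


def anomaly_detect(packets, baseline, k=3.0):
    """Anomaly-based: flag sources whose distinct-destination-port count exceeds
    mean + k*stdev of the baseline. Catches unseen behaviour (a sweep) but depends
    on a clean baseline and a tuned k; too low a k is where alert fatigue starts."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    ports_by_src = {}
    for src, _, port, _ in packets:
        ports_by_src.setdefault(src, set()).add(port)
    flagged = {src: len(ports) for src, ports in ports_by_src.items() if len(ports) > threshold}
    return flagged, threshold


if __name__ == "__main__":
    for h in signature_detect(PACKETS):
        print("signature", h["sid"], h["name"], h["src"])
    flagged, thr = anomaly_detect(PACKETS, BASELINE_PORTS_PER_SRC)
    print("anomaly threshold %.2f ports; flagged: %s" % (thr, flagged))
```

Neither output is an incident on its own. The signature hit says what was tried, the anomaly says who is sweeping; the SIEM's job is to join these with the target's vulnerability and asset data, which is what the correlation slides below are about.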
Vulnerability Scanning: Critical SIEM Log Source
Example placement: Internet -> Firewall -> vulnerability scanner reaching VLAN 10 (workstations) and VLAN 20 (servers); OpenVAS Network Vulnerability Tests (NVTs) as the definitions/signatures.
OTX (Open Threat Exchange): key SIEM IoC source; many technologies support OTX. https://www.alienvault.com/open-threat-exchange
Correlation
- Suspicious Inbound Connections
- Suspicious Outbound Connections
- Critical Vulnerabilities
- Policy Violations
- Attacks
- Brute Force
- DDoS
- Malware
- Network Scanning
- User Contributed
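Two of the correlation directives above (Brute Force and Suspicious Outbound Connections) plus the IoC feed use from the OTX slide, as an added example that is not code from the deck or from any SIEM product. It runs over constructed normalized events: the brute-force directive counts failed logins per source/target pair inside a time window and escalates when a successful login follows; the outbound directive checks destination IPs and domains against a constructed indicator list standing in for an OTX pulse; both then combine the directive's base severity with the criticality of the asset involved to set alarm priority. Indicators, asset inventory, thresholds and the priority formula are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed indicators standing in for an exported OTX pulse; documentation ranges, not real IoCs
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.77/32")]
IOC_DOMAINS = {"update-check.example.invalid"}

# Constructed asset inventory: criticality 1-5 raises the priority of any alarm touching the asset
ASSETS = {
    "192.0.2.10": {"name": "bastion", "criticality": 5},
    "192.0.2.50": {"name": "kiosk", "criticality": 1},
}

# Constructed normalized events, as plugins would emit them; ts = seconds since epoch
EVENTS = [
    {"ts": 1000, "category": "authentication", "subtype": "failed_login", "src_ip": "203.0.113.7", "dst_ip": "192.0.2.10", "user": "admin"},
    {"ts": 1010, "category": "authentication", "subtype": "failed_login", "src_ip": "203.0.113.7", "dst_ip": "192.0.2.10", "user": "root"},
    {"ts": 1020, "category": "authentication", "subtype": "failed_login", "src_ip": "203.0.113.7", "dst_ip": "192.0.2.10", "user": "ops"},
    {"ts": 1030, "category": "authentication", "subtype": "failed_login", "src_ip": "203.0.113.7", "dst_ip": "192.0.2.10", "user": "ops"},
    {"ts": 1040, "category": "authentication", "subtype": "failed_login", "src_ip": "203.0.113.7", "dst_ip": "192.0.2.10", "user": "ops"},
    {"ts": 1055, "category": "authentication", "subtype": "successful_login", "src_ip": "203.0.113.7", "dst_ip": "192.0.2.10", "user": "ops"},
    {"ts": 1100, "category": "network", "subtype": "outbound_connection", "src_ip": "192.0.2.10", "dst_ip": "198.51.100.77"},
    {"ts": 1200, "category": "network", "subtype": "outbound_connection", "src_ip": "192.0.2.50", "dst_ip": "192.0.2.200", "domain": "update-check.example.invalid"},
    {"ts": 1300, "category": "authentication", "subtype": "failed_login", "src_ip": "198.51.100.4", "dst_ip": "192.0.2.50", "user": "ops"},  # one typo, noise
]


def make_alarm(name, src, dst, base):
    """Priority = directive base severity (1-5) + criticality of the internal asset involved, capped at 10."""
    asset = ASSETS.get(dst) or ASSETS.get(src) or {"name": dst, "criticality": 1}
    return {"name": name, "src": src, "dst": dst, "asset": asset["name"],
            "priority": min(10, base + asset["criticality"])}


def brute_force(events, threshold=5, window=60):
    """Directive: >= threshold failed logins from one source to one target within window seconds.
    A successful login from that source within window after the burst escalates the alarm."""
    alarms = []
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["category"] == "authentication":
            by_pair[(e["src_ip"], e["dst_ip"])].append(e)
    for (src, dst), evs in by_pair.items():
        fails = [e for e in evs if e["subtype"] == "failed_login"]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                last = burst[-1]["ts"]
                success = any(e["subtype"] == "successful_login" and last < e["ts"] <= last + window for e in evs)
                name = "Brute Force" + (" -> compromise suspected" if success else "")
                alarms.append(make_alarm(name, src, dst, base=5 if success else 3))
                break  # one alarm per pair; a real directive would also set a cooldown
    return alarms


def ioc_match(events):
    """Directive: outbound connection to an address or domain on the indicator list."""
    alarms = []
    for e in events:
        if e.get("subtype") != "outbound_connection":
            continue
        dst = ipaddress.ip_address(e["dst_ip"])
        if any(dst in net for net in IOC_NETWORKS) or e.get("domain") in IOC_DOMAINS:
            alarms.append(make_alarm("Suspicious Outbound Connection (IoC match)", e["src_ip"], e["dst_ip"], base=4))
    return alarms


def run_directives(events):
    """Run all directives and return alarms highest priority first, the order an analyst should work them."""
    return sorted(brute_force(events) + ioc_match(events), key=lambda a: -a["priority"])


if __name__ == "__main__":
    for a in run_directives(EVENTS):
        print(a["priority"], a["name"], a["src"], "->", a["dst"], "(%s)" % a["asset"])
```

The single failed login from 198.51.100.4 never becomes an alarm, which is the point of thresholds and windows: the directive encodes what the business considers worth a ticket. The same mechanism is how "turn industry advisories into IoCs" from the closing slide is done in practice: the advisory's indicators go into the feed, and the existing outbound directive picks them up without new code.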
Informationisbeautiful.net
Alarm and Forensics
IR BPM Ticket and Triage
Reporting: Security Incidents / Events, Action Items, Vulnerabilities, Change
SIEM Lifecycle: Policy Items, Tuning, Performance, Trends
Pitfalls of SIEM Implementations
1. Scope: business drivers for implementing, developing use cases
2. Planning: sizing, EPS (events per second) and retention, log sources, features, policy
3. Monitoring too much or too little: generating alerts on non-priority events
4. Alert fatigue / lack of context: alerts may be generated that staff do not understand. A certain number of false positives is good; too many leads to alert fatigue and, eventually, false negatives.
5. Inadequate staffing: a SIEM needs to be monitored, maintained, and tuned to be effective
Striking the balance: is a SIEM nice-to-have or a need?
Technologies like firewalls, IDS/IPS, content filtering, and vulnerability scanning ARE NOT a replacement for SIEM:
- Firewalls provide a way to allow traffic in and out of your network
- IDS provides a way to monitor traffic in and out of your network
- IPS sits inline to block traffic based on IDS events. Under-tuned, it can block legitimate traffic; over-suppressed, it has the potential to miss events.
- URL filtering provides a way to monitor and control web traffic
- Vulnerability scanning provides a way to scan for and detect vulnerabilities
Without a SIEM, correlating events across these tools is a manual task.
Checks and balances within security roles (engineering, administration, analyst); responsibilities (assigned, concerned, responsible).
Among other things, our obligation is to protect CPNI, SPI, PII, PCI, PHI, Non-Public data, etc. The same simple principles apply: where is it on your network, who has access to it, how is it secured, who is monitoring it, who is periodically reviewing it. Add 3rd-party testing (a combination of red team and blue team tactics) as a check and balance.
1+1 should be >2
- A SIEM does not implement itself. It knows nothing about your environment, your assets or your risks.
- Business requirements should drive directives and tuning.
- Turn industry advisories into actionable Indicators of Compromise (IoCs) and/or action items to discuss during security reviews.
- Signatures, directives and threat feeds are extremely important to detect new and emerging threats.
- Ultimately the team managing the SIEM and reviewing the reports will make or break its success.
Technology (SIEM) + People (Sr. Security Analyst)
Don't bet on luck. Be well prepared. rhruby@vertek.com ManagedThreatIntelligence.com