
Presentation by: Peter Thomas Blue Lance, Inc






Presentation Transcript


  1. Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements Presentation by: Peter Thomas Blue Lance, Inc

  2. Outline
  • SIEM Overview
  • Why SIEM Implementations Fail?
  • SIEM Strategies for Security, Audit and Compliance
  • Recommended Events & Reports
  • Q & A

  3. SIEM Overview
  • Definition – “SIEM technology is used to analyze security event data in real time for internal and external threat management, and to collect, store, analyze and report on log data for regulatory compliance and forensics”
  • Key Objectives
    • Identify threats and possible breaches
    • Collect audit logs for security and compliance
    • Conduct investigations and provide evidence

  4. SIEM Process Flow

  5. SIEM Architecture (diagram)

  6. Why SIEM Implementations Fail?
  • Lack of Planning
    • No defined scope
  • Faulty Deployment Strategies
    • Incoherent log management data collection
    • High volume of irrelevant data can overload the system
  • Operational
    • Lack of management oversight
    • Assume plug and play

  7. EFFECTIVE SIEM STRATEGIES

  8. Output-driven Log Management Strategy
  • High quality in → high quality out
  • Reduces costs and improves efficiency
  • Requires upfront planning

  9. Data Interpretation
  • Ability to interpret log and event data
  • Capture critical information
    • User name/ID
    • Host name
    • Station address (IP)
    • Destination/target address

  10. Examples of Data Interpretation
  • Jan 5 16:50:38 OES3R1 sshd[30645]: Failed keyboard-interactive/pam for invalid user jsmith from 10.4.0.4 port 49384 ssh2
  • Jan 5 16:55:16 OES3R1 sshd[21721]: Accepted keyboard-interactive/pam for jsmith from 10.4.0.4 port 49379 ssh2
  • Jan 5 17:32:17 OES3R1 sudo: jsmith : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd

  11. Adding Value or Context to Data
  • Examples of context
    • Add geo-location information
    • Get information from DNS servers
    • Get user details (full name, job title & description)
  • Added context aids in identifying
    • Access from foreign locations
    • Suspect data transfer
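Slides 9 to 11 describe the two steps a SIEM performs before any rule can fire: interpreting raw log text into the fields that matter (user, host, source IP, target) and then attaching context (geo-location, DNS name, directory details). The following example, added here and not part of the presentation, parses the three sshd/sudo lines from slide 10 into normalised events and enriches them with context from constructed lookup tables. The fourth log line, the `GEO_IP`, `DNS` and `DIRECTORY` tables, and the `HOME_COUNTRIES` set are all constructed for the example (203.0.113.7 is a documentation address); in a real deployment they would come from a geo-IP feed, reverse DNS and an HR or directory system.

```python
"""Interpret sshd/sudo syslog lines and add context (added example, not from the deck)."""
import re

# Three lines taken from slide 10, plus one constructed line from a documentation
# address (203.0.113.7) so that the foreign-location check below has something to flag.
SAMPLE_LOGS = [
    "Jan 5 16:50:38 OES3R1 sshd[30645]: Failed keyboard-interactive/pam for invalid user jsmith from 10.4.0.4 port 49384 ssh2",
    "Jan 5 16:55:16 OES3R1 sshd[21721]: Accepted keyboard-interactive/pam for jsmith from 10.4.0.4 port 49379 ssh2",
    "Jan 5 17:32:17 OES3R1 sudo: jsmith : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd",
    "Jan 5 18:02:41 OES3R1 sshd[22010]: Accepted keyboard-interactive/pam for jsmith from 203.0.113.7 port 51200 ssh2",
]

# Syslog header: timestamp, host, program with optional [pid], then the message body.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[A-Za-z_-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# sshd: "<Failed|Accepted> <method> for [invalid user ]<user> from <ip> port <port> ssh2"
SSHD_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)
# sudo: "<user> : [<detail> ; ]TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
# The detail part is only present on failures, so it is optional here.
SUDO_RE = re.compile(
    r"^(?P<user>\S+) : (?:(?P<detail>.*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_line(line):
    """Return a normalised event dict carrying the slide 9 fields, or None if unparseable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "host": m["host"], "program": m["prog"], "user": None,
          "src_ip": None, "outcome": None, "target_user": None, "command": None,
          "invalid_user": False}
    body = m["msg"]
    if m["prog"] == "sshd":
        s = SSHD_RE.match(body)
        if s:
            ev.update(user=s["user"], src_ip=s["src"], outcome=s["outcome"].lower(),
                      invalid_user=body.startswith(s["outcome"]) and "invalid user" in body)
    elif m["prog"] == "sudo":
        s = SUDO_RE.match(body)
        if s:
            failed = bool(s["detail"]) and "incorrect password" in s["detail"]
            ev.update(user=s["user"], target_user=s["target"], command=s["cmd"],
                      outcome="failed" if failed else "accepted")
    return ev


# Constructed context sources standing in for a geo-IP feed, DNS and an HR directory.
GEO_IP = {"10.4.0.4": "US", "203.0.113.7": "XX"}
DNS = {"10.4.0.4": "ws-jsmith.corp.example"}
DIRECTORY = {"jsmith": {"full_name": "J. Smith", "title": "Accounts Payable Clerk"}}
HOME_COUNTRIES = {"US"}  # countries from which access is expected (constructed)


def enrich(ev):
    """Attach the slide 11 context fields and derive a 'foreign access' flag."""
    ev = dict(ev)
    ip = ev.get("src_ip")
    ev["src_country"] = GEO_IP.get(ip)
    ev["src_hostname"] = DNS.get(ip)
    ev["user_info"] = DIRECTORY.get(ev.get("user"))
    # Only network logins carry a source address; sudo events never get flagged here.
    ev["foreign_access"] = bool(ip) and ev["src_country"] not in HOME_COUNTRIES
    return ev


def process(lines):
    """Parse and enrich every line that the parser understands."""
    return [enrich(ev) for ev in map(parse_line, lines) if ev]


if __name__ == "__main__":
    for event in process(SAMPLE_LOGS):
        print(event)
```

The point of the `invalid_user` and `target_user` fields is that the interesting facts in the slide 10 lines (a login attempt for a non-existent account, a failed attempt to edit `/etc/passwd` as root) are only visible once the free-text message has been split into fields; the enrichment step then turns a bare address into something a reviewer can act on.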

  12. Case Management
  • Issue Tracking and Metrics
    • Capability to create and track tickets on core assets
    • Document and validate that tickets are handled and processed to comply with organizational SLAs
    • Track number of threats detected

  13. Typical Events to Alert
  • Repeat Attacks (Brute force)
    • 3 or more failed login attempts
  • Network Attacks (Port scans, worm propagation)
    • Numerous firewall drop/reject/deny events from a single source IP address
    • Numerous IDS alerts from a single source
    • Alert for multiple connections from a single host
  • Application Attacks
    • Cross-site scripting / SQL Injection
    • Unauthorized file activity on Web Servers
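The alerts on slide 13 are all threshold rules: count events that share some key (a source address, a source/user pair) inside a time window and fire when the count reaches a limit. The example below, added here and not taken from the presentation, implements that pattern generically and applies it to the two cases the slide spells out: three or more failed logins from one source for one user, and a burst of firewall denies from a single source IP. The events, thresholds and windows are constructed for the example (the SIEM would normally hold such events after parsing); the 10-minute and 1-minute windows and the firewall limit of 20 are illustrative choices, not values from the deck.

```python
"""Sliding-window threshold rules over normalised events (added example, not from the deck)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _auth(ts, outcome, src, user):
    return {"ts": ts, "type": "auth", "outcome": outcome, "src_ip": src, "user": user}


def _fw(ts, action, src, dport):
    return {"ts": ts, "type": "firewall", "action": action, "src_ip": src, "dport": dport}


# Constructed, already-normalised events (the state a SIEM is in after parsing).
EVENTS = [
    # three failures for one user from one source within two minutes -> brute-force alert
    _auth("2024-01-05T16:50:38", "failed", "10.4.0.4", "jsmith"),
    _auth("2024-01-05T16:51:02", "failed", "10.4.0.4", "jsmith"),
    _auth("2024-01-05T16:52:15", "failed", "10.4.0.4", "jsmith"),
    _auth("2024-01-05T16:55:16", "accepted", "10.4.0.4", "jsmith"),
    # only two failures: below the threshold
    _auth("2024-01-05T17:00:00", "failed", "10.4.0.9", "admin"),
    _auth("2024-01-05T17:00:30", "failed", "10.4.0.9", "admin"),
    # three failures, but 15 minutes apart: never three inside the 10-minute window
    _auth("2024-01-05T17:10:00", "failed", "10.4.0.10", "bob"),
    _auth("2024-01-05T17:25:00", "failed", "10.4.0.10", "bob"),
    _auth("2024-01-05T17:40:00", "failed", "10.4.0.10", "bob"),
] + [
    # a constructed port sweep: 25 denied connections from one source in 25 seconds
    _fw(f"2024-01-05T18:00:{i:02d}", "deny", "198.51.100.9", 1 + i) for i in range(25)
] + [
    # a handful of denies from an internal host: below the threshold
    _fw(f"2024-01-05T18:05:{i:02d}", "deny", "10.4.0.4", 445) for i in range(5)
]

# Each rule: which events it counts, what key groups them, and the threshold/window.
RULES = [
    {"name": "brute_force_login",
     "match": lambda e: e["type"] == "auth" and e["outcome"] == "failed",
     "key": lambda e: (e["src_ip"], e["user"]),
     "threshold": 3, "window": timedelta(minutes=10)},
    {"name": "firewall_denies_single_source",
     "match": lambda e: e["type"] == "firewall" and e.get("action") in ("drop", "reject", "deny"),
     "key": lambda e: e["src_ip"],
     "threshold": 20, "window": timedelta(minutes=1)},
]


def run_rules(events, rules=RULES):
    """Replay events in time order; return one alert per burst that reaches a threshold."""
    alerts = []
    # per rule, per key: timestamps of matching events still inside the window
    state = {r["name"]: defaultdict(deque) for r in rules}
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        for r in rules:
            if not r["match"](e):
                continue
            key = r["key"](e)
            q = state[r["name"]][key]
            q.append(t)
            while q and t - q[0] > r["window"]:   # drop events that aged out
                q.popleft()
            # Fire exactly when the threshold is reached, so a long burst gives one alert
            # rather than one per extra event.
            if len(q) == r["threshold"]:
                alerts.append({"rule": r["name"], "key": key, "count": len(q),
                               "first": q[0].isoformat(), "last": t.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in run_rules(EVENTS):
        print(alert)
```

Grouping the brute-force rule by `(src_ip, user)` rather than by user alone keeps a distributed attempt across many sources from hiding inside per-user counts that never reach three; a second rule keyed on `user` only would catch the opposite case. Both are the same `run_rules` machinery with a different `key`.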

  14. Common Reports for Compliance
  • User Activity Reports
    • Track authentication activity (VPN, Active Directory, access to devices such as firewalls and routers)
    • Track when users are created, deleted and modified
    • Track access by privileged accounts
    • Track usage of service accounts
    • Track escalation of privileges
  • Configuration Change Reports
    • Changes made to operating system configurations
    • Track device configuration changes

  15. Conclusion
  • SIEM requires constant oversight to give value.
  • Adopt an "output-driven" SIEM approach.
  • Look for data quality (interpreted data).
  • Define/refine the incident response process.

  16. Q & A
