SIEMs - Decoding The Mayhem
  Bill Dean, Director of Computer Forensics, Sword & Shield Enterprise Security Inc.
Outline
  Today’s Threat Landscape
  Why Do I Need a SIEM?
  Choosing and Deploying a SIEM
  This Will Not Be Boring
Computer Security Landscape
  You Are Being Blamed
  Your Money Isn’t Safe
  Your Information Isn’t Safe
  Your Reputation Is at Stake
  More Threats, Less People
You Are Being Blamed
  BotNets
  Pivoting
Stealing Your $$
Stealing Your Information
  Computers Are No Longer for “Productivity”
  You Have Valuable Information
  You ARE A Target
  You Aren’t Dealing With “Amateurs”
Hacktivists – Exposing Your Secrets
Hacktivists – Business Disruption
Your Challenge
SIEMS
You Need An “Oracle”
  Knows The Past
  Knows The Present
  Knows The Future
  Knows How to CYA
SIEM Basics
  Provides “Instant Replay”
  24 X 7 Security Guard
  SIEMs v. Firewall v. IDS v. IPS
  SIEM v. SEIM v. SIM
  Typically Compliance Driven
Compliance
  HIPAA
  PII
  Data Breach Notification Laws
Why Do I Need A SIEM?
  Infrastructure Monitoring
  Reporting
  Threat Correlation
  Instant Replay
  Incident Response
What Is Monitored?
  Account Activity
  Availability
  IDS/Context Correlation
  Data Exfiltration
  Client Side Attacks
  Brute Force Attacks
Windows Accounts
  Accounts Created, By Whom, and When
  New Accounts That Aren’t Standard
  New Accounts Created At Odd Times
  New Workstation Account Created
  Key Group Membership Change
  Accounts Logon Hours
Availability
  System Uptime Statistics
  Availability Reporting
  Uptime is “Relative”
IDS Context/Correlation
  Place Value On Assets
  Context Is Essential
  Maintain Current Vulnerability DBs
  Create Priority Rules
Data Exfiltration
  You Must Know What Is “Normal”
  Deviations From The Norm Warrant An Alert
  Some Events Are “Non-Negotiable”
  “You” Typically Initiate Data Transfers
Client Side Attacks
  Windows Event Logs Information
  Process Status Changes
  New Services Created
  Scheduled Tasks Creations
  Changes to Audit Policies
Brute-force Attacks
  Detailed Reports of Failed Logins
  Source Of Failed Login Attempts
  Locked Accounts Report
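The two monitoring slides above (Windows account creation "by whom and when, at odd times" and brute-force failed-login/lockout reporting) describe correlation rules a SIEM runs over Windows Security events. The following is an added example, not from the deck or any product: a toy correlation over constructed event records. The real Windows event IDs 4625, 4740 and 4720 are used; the record layout, the 07:00-18:59 business-hours window and the 5-failure threshold are assumptions.

```python
"""Toy SIEM-style correlation over constructed Windows Security events."""
from collections import Counter
from datetime import datetime

# Real Windows Security event IDs: failed logon, account locked out,
# user account created.
FAILED_LOGON, LOCKOUT, ACCOUNT_CREATED = 4625, 4740, 4720
BUSINESS_HOURS = range(7, 19)   # assumption: 07:00-18:59 is "normal"

# Constructed sample data (not real logs):
# (timestamp, event_id, actor, target_account, source_host)
SAMPLE_EVENTS = [
    ("2012-03-05 02:14:01", 4625, "-", "jsmith", "10.1.2.9"),
    ("2012-03-05 02:14:03", 4625, "-", "jsmith", "10.1.2.9"),
    ("2012-03-05 02:14:05", 4625, "-", "jsmith", "10.1.2.9"),
    ("2012-03-05 02:14:07", 4625, "-", "jsmith", "10.1.2.9"),
    ("2012-03-05 02:14:09", 4625, "-", "jsmith", "10.1.2.9"),
    ("2012-03-05 02:14:10", 4740, "-", "jsmith", "10.1.2.9"),
    ("2012-03-05 09:02:11", 4625, "-", "bdean", "10.1.3.4"),  # one typo, benign
    ("2012-03-05 02:31:40", 4720, "helpdesk1", "svc_backup2", "DC01"),
    ("2012-03-05 10:15:00", 4720, "helpdesk1", "mjones", "DC01"),
]

def parse(events):
    """Turn the timestamp string of each record into a datetime."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, actor, tgt, src)
            for ts, eid, actor, tgt, src in events]

def brute_force_report(events, threshold=5):
    """Sources with >= threshold failed logons; a source that also produced
    a lockout is flagged 'locked', otherwise 'attempts'."""
    fails, locked = Counter(), set()
    for _, eid, _, _, src in parse(events):
        if eid == FAILED_LOGON:
            fails[src] += 1
        elif eid == LOCKOUT:
            locked.add(src)
    return {src: ("locked" if src in locked else "attempts")
            for src, n in fails.items() if n >= threshold}

def odd_hour_account_creations(events):
    """Account creations outside business hours: (when, by whom, which)."""
    return [(ts.strftime("%H:%M"), actor, tgt)
            for ts, eid, actor, tgt, _ in parse(events)
            if eid == ACCOUNT_CREATED and ts.hour not in BUSINESS_HOURS]

if __name__ == "__main__":
    print(brute_force_report(SAMPLE_EVENTS))
    print(odd_hour_account_creations(SAMPLE_EVENTS))
```

Lowering the threshold shows why tuning matters: at `threshold=1` the single benign typo from 10.1.3.4 also appears in the report.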
Incident Response
Incident Response Scenario #1
  Law Firm With Dealings In China
  Law Firm Was “Owned” More Than A Year
  Access To Every Machine On Network
  Thousands of “Responsive” s Obtained
  “Privilege” Was Not Observed
Incident Response Scenario #2
  VP of Finance Promoted to CFO
  Attack on the “Weakest” Link
AV Will Save Us!!
Incident Response Scenario #3
How SIEMs Would Have Helped
  Accounts Enabled
  Services Created
  Firewall Changes
  Data Exfiltration
  Network Communications
  Incident Response Costs
Choosing A SIEM
  Not a Replacement for Security Engineers
  Must Support Disparate Devices (Agentless)
  Don’t Plan To Monitor? DON’T BOTHER
Deploying a SIEM
  Architecture Options
  Tuning Out The “Noise”
SIEM Option$
  Outsourced Options: SecureWorks
  High-Cost: ArcSight, Q1 Labs Radar, RSA, Tripwire
  Lower-Cost: Q1 Labs FE, TriGEO, Splunk
  No-Cost: OSSIM, OSSEC
Summary
  You Must Anticipate Today’s Threats
  SIEMs Are Extremely Valuable
  SIEMs Are Not A Silver Bullet
Questions?
  Bill Dean, Director of Computer Forensics, Sword & Shield Enterprise Security Inc.