1. Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements

2. SIEM Overview Why SIEM Implementations Fail? SIEM Strategies for Security, Audit and Compliance Recommended Events & Reports Q & A Outline

3. SIEM Overview Definition – “ SIEM technology is used to analyze security event data in real time for internal and external threat management, and to collect, store, analyze and report in log data for regulatory compliance and forensics ” Key Objectives Identify threats and possible breaches Collect audit logs for security and compliance Conduct investigations and provide evidence

4. Data Collection Extract Intelligent Information Add Value Presentation Dashboards & Reports SIEM Process Flow

5. System Inputs Event Data Operating Systems Applications Devices Databases Contextual Data Vulnerability Scans User Information Asset Information Threat Intelligence Data Collection Normalization Correlation Logic/Rules Aggregation SIEM System Outputs Analysis Reports Real Time Monitoring SIEM Architecture

6. Lack of Planning No defined scope Faulty Deployment Strategies Incoherent log management data collection High volume of irrelevant data can overload the system Operational Lack of management oversight Assume plug and play Why SIEM Implementations Fail?

7. EFFECTIVE SIEM STRATEGIES

8. Output-driven Log Management Strategy Collect events relevant for desired outcomes Other data Context data Log data High quality in  High quality out Reduces costs and improves efficiency Requires upfront planning

9. Ability to interpret log and event data Capture critical information User name/ID Host name Station address (IP) Destination/target address Data Interpretation

10. Jan 5 16:50:38 OES3R1 sshd[30645]: Failed keyboard-interactive/pam for invalid user jsmith from 10.4.0.4 port 49384 ssh2 Jan 5 16:55:16 OES3R1 sshd[21721]: Accepted keyboard-interactive/pam for jsmith from 10.4.0.4 port 49379 ssh2 Jan 5 17:32:17 OES3R1 sudo: jsmith : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd Examples of Data Interpretation

11. Examples of context Add geo-location information Get information from DNS servers Get User details (Full Name, Job Title & Description) Add context aids in identifying Access from foreign locations Suspect data transfer Adding Value or Context to data

12. Issue Tracking and Metrics Capability to create and track tickets on core assets Document and validate tickets are handled and processed to comply with organizational SLAs Track number of threats detected Case Management

13. Repeat Attacks (Brute force) 3 or more failed login attempts Network Attacks (Port scans, worm propagation) Numerous firewall drop/reject/deny events from a single source IP address Numerous IDS alerts from a single source Alert for multiple connections from a single host Application Attacks Cross-site scripting / SQL Injection Unauthorized file activity on We Servers Typical Events to Alert

14. User Activity Reports Track authentication activity (VPN, Active Directory, Access to devices (Firewalls, routers..) Track when users are created, deleted and modified Track access by privileged accounts Track usage of service accounts Track escalation of privileges Configuration Change Reports Changes made to operating system configurations Track device configuration changes Common Reports for Compliance

15. SIEM requires constant oversight to give value. Adopt "output-driven" SIEM approach. Look for data quality (interpreted data) Define/Refine incident response process. Conclusion

16. Q & A