Topic: SECURITY and RISK
SIEM (Security Information Event Management)
Presenter: Ron Hruby
Topics
• Threat landscape
• Breaches and hacks
• Leadership and accountability
• Evolution of security technology
• What is SIEM?
• SIEM overview and use cases
• Pitfalls of SIEM implementations
• Is SIEM a nice to have or a need?
Background
Director of Commercial Cybersecurity for Vertek, based out of Colchester VT
20 years of IT solutioning, telecom and security experience
I've been both a buyer and a supplier of telecom and security related services
Co-Founder of the MSSP (Managed Security Service Provider) Division at Vertek
Vertek provides BPO, BI, Order Management, Network Migration Services, eNOC, MSSP/SOC and Consulting services to CPs, MSPs, SMBs, and Large Enterprise
MSSP Division provides managed SOC services, including 24x7 network monitoring, security intelligence and breach detection
Can your IT Department detect a breach today?
DDoS Attack (Distributed denial-of-service attack)
Diagram: Attacker machine running client program -> Command and control (C2) infects and controls clients -> Compromised hosts (botnet clients), millions of devices -> Target of attack
Multiple compromised hosts are used by an attacker to flood the target with traffic, causing a Denial of Service (DoS).
The Defcon.pro booter website also lists the following features: 24/7 Support, Private Methods, Skype Resolver, 99% uptime, Dedicated Servers, PayPal/Bitcoin, Stop Button, IP Geolocation, Cloudflare resolver, Domain Resolver, Amazing Power, Easy to use Interface
Pastebin is a text storage site where users can store plain text. It is most commonly used to share short source code snippets, for example for code review over Internet Relay Chat (IRC); it is also where attackers publish dumps of stolen data.
Special shout out to #39 on this list
Pwned?
Verizon DBIR 2017
Shodan.io: many organizations don't have the basics covered
VNC (Virtual Network Computing)
VNC is a graphical desktop sharing program that allows someone to remotely control another computer.
Diagram: Workstation running VNC Server <-> Workstation running VNC Viewer
Supply Chain Attacks
“Foot-in-the door” through a vendor
“CCleaner download server was hosting the backdoored app as far back as September 11. Talos warned in a blog Monday that the affected version was released on August 15, but on September 12 an untainted version 5.34 was released. For weeks then, the malware was spreading inside supposedly-legitimate security software.”
Hackers Hid Backdoor In CCleaner Security App With 2 Billion Downloads -- 2.3 Million Infected
https://www.forbes.com/sites/thomasbrewster/2017/09/18/ccleaner-cybersecurity-app-infected-with-backdoor/#abf997e316a8
Among other things, our obligation is to protect CPNI, SPI, PII, PCI, PHI, Non-Public data, etc.
Simple Principles
Where is it on your network?
Who has access to it?
How is it secured?
Who is monitoring it?
Who is periodically reviewing it?
Leveraging Frameworks
Sample Requirements
• Assess and classify assets and information according to risk
• Continuously scan and assess unpatched software and system vulnerabilities
• Identify malicious entities probing systems and network
• Continuously monitor network traffic and system events for potentially insecure behaviors
• Respond to identified malicious events to remediate them
• Audit and report effectiveness
ISO/IEC 27000 series (http://www.27000.org/) and the Cybersecurity Framework
As suppliers we see this language in contracts. We also require it.
Evolution of security technology
Before SIEM: Router, Switch, IDS, FW, Server, Scans and Threat Feeds each produce their own logs
• Disparate security log and event sources
• Manual correlation of events
SIEM (Security Information Event Management): Router, Switch, IDS, FW, Server, Scans and Threat Feeds all feed the SIEM
• Single pane of glass for security logs and events
• Cross correlation of events
• Log retention
SIEM Components: Sensor - Logger - Server
Security Information Event Management
The need for early targeted attack detection and response is driving the expansion of new and existing SIEM deployments
SIEM
Traditional SIEM: log management, asset discovery, event correlation, forensic analysis, ticketing, reporting, threat feeds
Vendor features: network vulnerability scanning, network IDS, host IDS / FIM, NetFlow, packet capture, OTX / feed / IoC integration, policy violations
Sample SIEM Dashboard
Assets and Groups
Plugin-Normalized Data
A plugin maps each raw log line to a taxonomy category and subtype; once normalized, the SIEM can read and correlate it. A source with no plugin is retained but invisible to correlation.
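The normalization step described above, as an added example (not the deck's or any vendor's code): each "plugin" is a regex for one log source plus the taxonomy it maps into. The plugin names, taxonomy labels and sample lines are assumptions chosen for illustration; the cron line is deliberately left without a plugin to show what an unparsed source looks like.

```python
"""Toy log normalizer: raw lines -> normalized events with a taxonomy category and
subtype. Added example (not the deck's or any vendor's code); the plugins,
taxonomy names and sample lines are assumptions for illustration.
"""
import re
from datetime import datetime

# Constructed sample lines (not real logs). Only the first four are covered by
# a plugin; the cron line shows what an un-normalized source looks like.
SAMPLE_LOGS = [
    "Sep 18 10:01:02 bastion sshd[2210]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Sep 18 10:01:05 bastion sshd[2210]: Accepted password for deploy from 198.51.100.7 port 40022 ssh2",
    "Sep 18 10:01:09 fw01 kernel: iptables DROP IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.10.20 PROTO=TCP SPT=51300 DPT=5900",
    "Sep 18 10:01:11 fw01 kernel: iptables ACCEPT IN=eth1 OUT=eth0 SRC=10.0.20.15 DST=203.0.113.9 PROTO=TCP SPT=52011 DPT=443",
    "Sep 18 10:01:12 app01 cron[100]: (root) CMD (run-parts /etc/cron.hourly)",
]

SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "

# A "plugin" is one regex per log source plus the taxonomy it maps into:
# (plugin name, pattern, category, function choosing the subtype from the match).
PLUGINS = [
    ("ssh",
     SYSLOG_PREFIX + r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<src_ip>[\d.]+) port (?P<src_port>\d+)",
     "authentication",
     lambda g: "login_failed" if g["outcome"] == "Failed" else "login_success"),
    ("iptables",
     SYSLOG_PREFIX + r"kernel: iptables (?P<action>DROP|ACCEPT) .*SRC=(?P<src_ip>[\d.]+) "
                     r"DST=(?P<dst_ip>[\d.]+) PROTO=(?P<proto>\w+) SPT=(?P<src_port>\d+) DPT=(?P<dst_port>\d+)",
     "firewall",
     lambda g: "denied" if g["action"] == "DROP" else "allowed"),
]


def normalize(line, year=2017):
    """Map one raw line to a normalized event. Syslog timestamps carry no year,
    so the collector supplies it (assumed 2017 here)."""
    for name, pattern, category, subtype_of in PLUGINS:
        m = re.match(pattern, line)
        if not m:
            continue
        g = m.groupdict()
        return {
            "timestamp": datetime.strptime(f"{year} {g['ts']}", "%Y %b %d %H:%M:%S"),
            "sensor": g["host"],
            "plugin": name,
            "category": category,
            "subtype": subtype_of(g),
            "src_ip": g.get("src_ip"),
            "dst_ip": g.get("dst_ip"),
            "dst_host": g["host"] if name == "ssh" else None,   # sshd logs on the target itself
            "dst_port": int(g["dst_port"]) if g.get("dst_port") else None,
            "user": g.get("user"),
            "raw": line,
        }
    # No plugin matched: keep the line for retention, but flag it so someone
    # writes a plugin; a correlation rule cannot see inside an unparsed event.
    return {"timestamp": None, "sensor": None, "plugin": None, "category": "unparsed",
            "subtype": None, "src_ip": None, "dst_ip": None, "dst_host": None,
            "dst_port": None, "user": None, "raw": line}


def normalize_all(lines, year=2017):
    return [normalize(line, year) for line in lines]


def unparsed_ratio(events):
    """Share of events no plugin understood; a quick coverage health check."""
    return sum(e["category"] == "unparsed" for e in events) / len(events)


if __name__ == "__main__":
    for e in normalize_all(SAMPLE_LOGS):
        print(e["category"], e["subtype"], e["src_ip"], e["dst_ip"] or e["dst_host"], e["dst_port"])
```

The unparsed ratio is the number to watch after onboarding a new log source: if it climbs, a vendor changed its log format and the correlation rules that depend on that source have silently gone blind.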
IDS: Critical SIEM Log Source
Diagram: Internet - Firewall - IDS monitoring VLAN 20 (Server) and VLAN 10 (Workstation)
Intrusion Detection System (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations.
Snort (Sourcefire) signatures
Signature vs. Anomaly Based
Vulnerability Scanning: Critical SIEM Log Source
Diagram: Internet - Firewall - Vulnerability Scanner scanning VLAN 20 (Server) and VLAN 10 (Workstation)
OpenVAS - Network Vulnerability Tests (NVTs): definitions/signatures
Open Threat Exchange (OTX)
Key SIEM IoC source: https://www.alienvault.com/open-threat-exchange
Many technologies support OTX
Correlation
Correlation rule categories: Policy Violations, Attacks, Brute Force, DDoS, Malware, Network, Scanning, User Contributed
Examples: Suspicious Inbound Connections, Suspicious Outbound Connections, Critical Vulnerabilities
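To make the correlation and OTX/IoC slides concrete, here is a small correlation engine over already-normalized events, added as an example (not the deck's or any vendor's code). It implements two of the rule kinds named above, a Brute Force rule and a Suspicious Outbound Connections rule fed by an IoC list, and boosts alarm priority by asset value. The directive names, thresholds, IoC addresses and asset values are assumptions chosen for illustration.

```python
"""Toy correlation engine over normalized events. Added example, not the deck's
or any vendor's code; directive names, thresholds, the IoC list and the asset
values are assumptions chosen for illustration.

Two directives:
  brute_force         - threshold or more authentication/login_failed events from
                        one source IP inside a sliding window; escalated if a
                        login_success from that IP follows (likely compromise).
  suspicious_outbound - a firewall/allowed event from an internal address to a
                        destination on the threat-feed IoC list.
Alarm priority = directive base + asset value of the host involved, which is the
environment context a SIEM only has if you feed it the asset inventory.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed data; none of the addresses or hosts are real.
IOC_FEED = {"203.0.113.9", "198.51.100.200"}       # would come from an OTX pulse or similar feed
ASSET_VALUE = {"bastion": 5, "10.0.20.15": 1}      # 1 (low) .. 5 (critical), from the asset inventory
INTERNAL = [ip_network("10.0.0.0/8")]


def ev(second, category, subtype, **fields):
    """Build a normalized event timestamped 2017-09-18 10:01:<second>."""
    e = {"timestamp": datetime(2017, 9, 18, 10, 1, second), "category": category,
         "subtype": subtype, "src_ip": None, "dst_ip": None, "dst_host": None, "user": None}
    e.update(fields)
    return e


EVENTS = (
    [ev(s, "authentication", "login_failed", src_ip="203.0.113.5", dst_host="bastion", user="root")
     for s in range(0, 10, 2)]                                                   # 5 failures in 8 s
    + [ev(11, "authentication", "login_success", src_ip="203.0.113.5", dst_host="bastion", user="deploy"),
       ev(12, "authentication", "login_failed", src_ip="198.51.100.7", dst_host="bastion", user="alice"),
       ev(13, "firewall", "allowed", src_ip="10.0.20.15", dst_ip="203.0.113.9", dst_port=443),   # IoC hit
       ev(14, "firewall", "allowed", src_ip="10.0.20.15", dst_ip="192.0.2.80", dst_port=443)]    # benign
)


class Correlator:
    def __init__(self, threshold=5, window=timedelta(seconds=60)):
        self.threshold, self.window = threshold, window   # the tuning knobs
        self.failures = defaultdict(deque)   # src_ip -> timestamps of recent login_failed
        self.open_brute = {}                 # src_ip -> brute_force alarm already raised
        self.alarms = []

    def feed(self, e):
        if e["category"] == "authentication":
            self._auth(e)
        elif e["category"] == "firewall" and e["subtype"] == "allowed":
            self._outbound(e)

    def _auth(self, e):
        ip, now = e["src_ip"], e["timestamp"]
        if e["subtype"] == "login_failed":
            q = self.failures[ip]
            q.append(now)
            while now - q[0] > self.window:          # drop failures that fell out of the window
                q.popleft()
            if len(q) >= self.threshold and ip not in self.open_brute:
                self.open_brute[ip] = self._raise("brute_force", base=4, asset=e["dst_host"],
                                                  src_ip=ip, failures=len(q))
        elif e["subtype"] == "login_success" and ip in self.open_brute:
            a = self.open_brute[ip]                  # success after the burst: escalate, do not re-alarm
            a["priority"] = min(10, a["priority"] + 3)
            a["note"] = f"login_success for {e['user']} after {a['failures']} failures"

    def _outbound(self, e):
        if any(ip_address(e["src_ip"]) in net for net in INTERNAL) and e["dst_ip"] in IOC_FEED:
            self._raise("suspicious_outbound", base=5, asset=e["src_ip"],
                        src_ip=e["src_ip"], dst_ip=e["dst_ip"], dst_port=e.get("dst_port"))

    def _raise(self, directive, base, asset, **details):
        alarm = {"directive": directive, "asset": asset,
                 "priority": min(10, base + ASSET_VALUE.get(asset, 1)), **details}
        self.alarms.append(alarm)
        return alarm


def run(events, **tuning):
    """Replay events in time order through a fresh Correlator; returns its alarms."""
    c = Correlator(**tuning)
    for e in sorted(events, key=lambda e: e["timestamp"]):
        c.feed(e)
    return c.alarms


if __name__ == "__main__":
    for a in run(EVENTS):
        print(a)
```

Note that the brute-force alarm is raised once per source and then escalated in place when a success follows, rather than firing a new alarm on every further failure; the threshold and window are the knobs the deck's "Policy" and "Alert Fatigue" pitfalls refer to, and lowering them is how a rule turns from useful into noise.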
Informationisbeautiful.net
Alarm and Forensics -> Ticket and Triage -> IR | BPM -> Reporting
SIEM Lifecycle: Security Incidents / Events, Vulnerabilities, Policy Items, Performance, Trends, Tuning, Change, Action Items
Pitfalls of SIEM Implementations
01 Scope
• Business drivers for implementing
• Developing use cases
02 Planning
• Sizing, EPS (events per second) and retention
• Log sources
• Features
03 Policy
• Monitoring too much or too little
• Generating alerts on non-priority events
04 Alert Fatigue / Lack of Context
• Alerts may be generated that staff do not understand
• A certain number of false positives is expected; too many lead to alert fatigue and, in turn, to false negatives (real events ignored)
05 Inadequate staffing
• A SIEM needs to be monitored, maintained, and tuned to be effective
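The "Sizing, EPS and retention" item under Planning is where most undersized deployments go wrong, so here is a worked sizing example, added here and not taken from the deck: it measures events per second from a sample of timestamps instead of guessing, sizes ingest from the peak second and storage from the average. The sample, bytes-per-event, headroom and compression figures are assumptions to be replaced with values measured in your own environment.

```python
"""EPS and retention sizing measured from a log sample. Added example, not from
the deck; the sample, bytes-per-event, headroom and compression figures are
assumptions to be replaced with values measured in your own environment.

Sizing on the daily average alone is the classic mistake: a scan, an outage or
a DDoS produces bursts that the collector must absorb, so ingest capacity is
sized from the peak second and storage from the average.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of (source, syslog timestamp) pairs covering one minute.
# Real sizing uses at least a full business week per source so that backups,
# patch windows and scheduled scans are represented.
SAMPLE = (
    [("fw01", f"Sep 18 10:00:{s:02d}") for s in range(60) for _ in range(3)]   # steady 3 EPS
    + [("fw01", "Sep 18 10:00:30")] * 120                                      # 120-event burst at :30
    + [("bastion", f"Sep 18 10:00:{s:02d}") for s in range(0, 60, 10)]          # 6 events per minute
)


def eps_profile(sample, year=2017):
    """Return {source: (average_eps, peak_eps)} over the window the sample covers."""
    per_second = defaultdict(Counter)
    for source, ts in sample:
        t = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")   # syslog has no year
        per_second[source][t] += 1
    seen = [t for counts in per_second.values() for t in counts]
    span = (max(seen) - min(seen)).total_seconds() + 1     # seconds covered, inclusive
    return {source: (sum(c.values()) / span, max(c.values()))
            for source, c in per_second.items()}


def size(profile, bytes_per_event=500, retention_days=365, headroom=1.5, compression=0.5):
    """Turn the profile into the numbers a sizing or licensing conversation needs."""
    average = sum(avg for avg, _ in profile.values())
    peak = sum(pk for _, pk in profile.values())          # worst case: sources peak together
    daily_bytes = average * 86400 * bytes_per_event
    return {
        "average_eps": round(average, 2),
        "peak_eps": peak,
        "ingest_eps": math.ceil(peak * headroom),           # size collectors and licence for this
        "retained_gb": round(daily_bytes * retention_days * compression / 1e9, 1),
    }


if __name__ == "__main__":
    profile = eps_profile(SAMPLE)
    print(profile)
    print(size(profile))
```

On this constructed sample the firewall averages 5 EPS but peaks at 123 in the burst second; a collector sized on the average would drop or queue most of exactly the events a DDoS or scan investigation needs.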
Striking the balance: is a SIEM a nice to have or a need?
Technologies like Firewalls, IDS/IPS, Content Filtering, and Vulnerability Scanning ARE NOT a replacement for SIEM:
• Firewalls provide a way to allow traffic in and out of your network...
• IDS provide a way to monitor traffic in and out of your network...
• IPS sits inline to prevent traffic based on IDS events. Under-tuned, it can block legitimate traffic; over-suppressed, it has the potential to miss events.
• URL filtering provides a way to monitor and control web traffic...
• Vulnerability scanning provides a way to scan for and detect vulnerabilities...
Without a SIEM, manual tasks are required to correlate events across these tools.
Checks and balances within security roles (engineering, administration, analyst)
Responsibilities (assigned, concerned, responsible)
Among other things, our obligation is to protect CPNI, SPI, PII, PCI, PHI, Non-Public data, etc.
Simple Principles
Where is it on your network?
Who has access to it?
How is it secured?
Who is monitoring it?
Who is periodically reviewing it?
3rd party testing: a combination of red team and blue team tactics
Checks and balances
1+1 should be >2
Technology (SIEM) + People (Sr. Security Analyst)
A SIEM does not implement itself. It knows nothing about your environment, your assets or your risks until you tell it.
Business requirements should drive directives and tuning
Turn industry advisories into actionable Indicators of Compromise (IoCs) and/or action items to discuss during security reviews
Signatures, directives and threat feeds are extremely important to detect new and emerging threats
Ultimately the team managing the SIEM and reviewing the reports will make or break its success