ACTIVATING DEFENCE IN RESPONSE
Ankur Vats
Employee-Personal
BUZZ WORDS
Incident – Something happened.
Breach – Someone came inside and accessed data.
Response – What are we doing once something has happened?
Visibility – Do we have the right set of tools to view what is happening in our premises?
Alerts – Do we get notified when something happens?
Threats – Are there any incidents that can cause disturbance to business continuity?
TYPICAL CORPORATE ENVIRONMENT
LOG MANAGEMENT
Log management (LM) comprises an approach to dealing with large volumes of computer-generated log messages (also known as audit records, audit trails, event logs, etc.). LM covers:
Log collection
Centralized aggregation
Long-term retention
Log analysis (in real time and in bulk after storage)
Log search and reporting
LOG MANAGEMENT
LOG MANAGEMENT CHALLENGES
Analyzing logs for relevant security intelligence
Centralizing log collection
Meeting IT compliance requirements
Conducting effective root cause analysis
Making log data more meaningful
Tracking suspicious user behavior
INTRODUCTION TO SIEM
The term Security Information and Event Management (SIEM) was coined by Mark Nicolett and Amrit Williams of Gartner in 2005.
SIEM is a term for software products and services combining security information management (SIM) and security event management (SEM).
The segment of security management that deals with real-time monitoring, correlation of events, notifications and console views is commonly known as Security Event Management (SEM).
The second area provides long-term storage, analysis and reporting of log data and is known as Security Information Management (SIM).
KEY OBJECTIVES
Identify threats and possible breaches
Collect audit logs for security and compliance
Conduct investigations and provide evidence
WHY IS SIEM NECESSARY?
Rise in data breaches due to internal and external threats
Attackers are smart and traditional security tools just don’t suffice
Mitigate sophisticated cyber-attacks
Manage increasing volumes of logs from multiple sources
Meet stringent compliance requirements
TYPICAL FEATURES OF SIEM
SIEM PROCESS FLOW
Log/Data Collection
→ Extract Intelligent Information (Normalization)
→ Correlation
→ Incident Response
→ Presentation (Dashboards & Reports)
TYPICAL WORKING OF AN SIEM SOLUTION
System Inputs
  Event Data: Operating Systems, Applications, Devices, Databases
  Contextual Data: Vulnerability Scans, User Information, Asset Information, Threat Intelligence
SIEM
  Data Collection
  Normalization
  Correlation Logic/Rules
  Aggregation
System Outputs
  Analysis Reports
  Real Time Monitoring
SIEM ARCHITECTURE
CONTEXT
Two raw messages for the same event, written by two different sources:
“User Broberts Successfully Authenticated to 10.100.52.105 from client 10.10.8.22”
“10.100.52.105 New Client Connection 10.10.8.22 on account: Broberts: Success”
Long story short: what needs to be done is to break down every known log message out there and put it into a normalized format, like this:
“User [USERNAME] [STATUS] Authenticated to [DESTIP] from client [SOURCEIP]”
“10.100.52.105 New Client Connection 10.10.8.22 on account: Broberts: Success”
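As an added example (not from the slides or from any SIEM vendor), the normalization step in Python: both raw message layouts quoted above are parsed into one schema of USERNAME, STATUS, DESTIP and SOURCEIP, and the vendor-specific status words are folded into a single vocabulary so one correlation rule can match either source. The regular expressions, field names and status map are this example's own assumptions.

```python
import re
from typing import Optional

# Normalization of the two raw authentication messages quoted on the slide.
# The regexes, the field names and the status vocabulary are this example's
# own assumptions; a real SIEM ships one parser per vendor format.
NORMALIZED_FIELDS = ("username", "status", "dest_ip", "source_ip")

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

PATTERNS = [
    # "User Broberts Successfully Authenticated to 10.100.52.105 from client 10.10.8.22"
    re.compile(
        rf"^User (?P<username>\S+) (?P<status>\w+) Authenticated to "
        rf"(?P<dest_ip>{IPV4}) from client (?P<source_ip>{IPV4})$"
    ),
    # "10.100.52.105 New Client Connection 10.10.8.22 on account: Broberts: Success"
    re.compile(
        rf"^(?P<dest_ip>{IPV4}) New Client Connection (?P<source_ip>{IPV4}) "
        rf"on account: (?P<username>[^:]+): (?P<status>\w+)$"
    ),
]

# Each vendor spells outcomes differently; rules should test one value.
STATUS_MAP = {
    "successfully": "SUCCESS",
    "success": "SUCCESS",
    "unsuccessfully": "FAILURE",
    "failed": "FAILURE",
    "failure": "FAILURE",
}


def normalize(raw: str) -> Optional[dict]:
    """Map one raw message onto the common schema, or return None if no
    parser matches.  Callers must not drop the None case silently: a message
    nobody can parse is a message nobody is correlating on."""
    line = raw.strip().strip('"\u201c\u201d').strip()
    for pattern in PATTERNS:
        match = pattern.match(line)
        if match:
            event = match.groupdict()
            event["username"] = event["username"].strip().lower()
            event["status"] = STATUS_MAP.get(event["status"].lower(), "UNKNOWN")
            event["raw"] = raw
            return event
    return None


def normalize_batch(lines):
    """Split a batch into normalized events and a list of unparsed lines
    (the unparsed list is what a parser-coverage report is built from)."""
    events, unparsed = [], []
    for line in lines:
        event = normalize(line)
        (events if event else unparsed).append(event or line)
    return events, unparsed


def same_event(a: dict, b: dict) -> bool:
    """True when two normalized events agree on every normalized field."""
    return all(a[f] == b[f] for f in NORMALIZED_FIELDS)


if __name__ == "__main__":
    sample = [  # constructed: the two slide messages plus one unknown format
        "User Broberts Successfully Authenticated to 10.100.52.105 from client 10.10.8.22",
        "10.100.52.105 New Client Connection 10.10.8.22 on account: Broberts: Success",
        "kernel: eth0 link up",
    ]
    events, unparsed = normalize_batch(sample)
    for e in events:
        print({k: e[k] for k in NORMALIZED_FIELDS})
    print("unparsed:", unparsed)
```

The unparsed list matters as much as the events: every line that no parser matches is a blind spot for correlation, so a parser-coverage figure belongs on the same dashboard as the event volume.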
LOGS INGESTED IN SIEM
Logs from your security controls:
IDS, Endpoint Security (antivirus, antimalware), Data Loss Prevention, VPN Concentrators, Web Filters, Honeypots, Firewalls
Logs from your network infrastructure:
Routers, Switches, Domain Controllers, Wireless Access Points, Application Servers, Databases, Intranet Applications
Non-log infrastructure information:
Configuration, Locations, Owners, Network Maps, Vulnerability Reports, Software Inventory
Non-log business information:
Business Process Mappings, Points of Contact, Partner Information
8 CRITICAL FEATURES OF SIEM
#1. LOG COLLECTION
Universal log collection: collect logs from heterogeneous sources (Windows systems, Unix/Linux systems, applications, databases, routers, switches, and other devices).
Log collection method: agent-based or agentless; supporting both is recommended.
Centralized log collection.
Events Per Second (EPS): the rate at which your IT infrastructure sends events. If not calculated properly, the SIEM solution will start dropping events before they are stored in the database, leading to incorrect reports, search results, alerts, and correlation.
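As an added example (not from the slides), a small Python EPS calculator that shows why the figure has to be sized on the peak rather than the average: it counts events per second from constructed timestamped lines, then models a collector with a fixed EPS capacity and a bounded queue and reports how many events would be lost. The sample lines, the capacity and the buffer size are constructed for the demo.

```python
from collections import Counter
from datetime import datetime, timedelta


def make_sample_lines():
    """Constructed sample: ten seconds of syslog-style lines, 10 per second
    with one 100-event burst in the last second (the kind of spike a
    logon storm or a scanner sweep produces)."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    for sec in range(10):
        count = 100 if sec == 9 else 10
        stamp = (base + timedelta(seconds=sec)).isoformat()
        lines.extend(f"{stamp} host1 app: event {i}" for i in range(count))
    return lines


def per_second_counts(lines):
    """Count events per wall-clock second, filling idle seconds with zero so
    the average is not flattered by gaps.  Assumes an ISO-8601 timestamp as
    the first 19 characters of every line."""
    counter = Counter(datetime.fromisoformat(line[:19]) for line in lines)
    first, last = min(counter), max(counter)
    seconds = int((last - first).total_seconds()) + 1
    return [counter.get(first + timedelta(seconds=i), 0) for i in range(seconds)]


def eps_stats(counts):
    """Average and peak EPS; a licence sized on the average misses the peak."""
    return {"average": sum(counts) / len(counts), "peak": max(counts)}


def simulate_ingest(counts, capacity_eps, buffer_size):
    """Model a collector that processes at most capacity_eps events per
    second and can queue buffer_size events; anything beyond the queue is
    dropped and never reaches reports, searches or correlation."""
    backlog = dropped = 0
    for arrivals in counts:
        backlog += arrivals
        backlog -= min(backlog, capacity_eps)
        if backlog > buffer_size:
            dropped += backlog - buffer_size
            backlog = buffer_size
    return dropped


if __name__ == "__main__":
    counts = per_second_counts(make_sample_lines())
    stats = eps_stats(counts)
    print(f"average EPS {stats['average']:.1f}, peak EPS {stats['peak']}")
    print("dropped at 20 EPS / 30-event buffer:", simulate_ingest(counts, 20, 30))
    print("dropped at 100 EPS / 30-event buffer:", simulate_ingest(counts, 100, 30))
```

On the constructed data the average is 19 EPS, comfortably under a 20 EPS capacity, yet the one-second burst still loses 50 events; the burst is exactly the interval an investigation would later need.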
#2. USER ACTIVITY MONITORING
SIEM solutions should have out-of-the-box user activity monitoring and Privileged User Monitoring and Audit (PUMA) reporting features.
Ensure that the SIEM solution gives the complete audit trail: know which user performed the action, what the result of the action was, on what server it happened, and the user workstation/device from which the action was triggered.
#3. REAL TIME EVENT CORRELATION
Real-time event correlation is all about proactively dealing with threats.
Correlation boosts network security by processing millions of events simultaneously to detect anomalous events on the network.
Correlation can be based on log search, rules and alerts.
Predefined rules and alerts are not sufficient: a custom rule and alert builder is a must for every SIEM solution.
Ensure that the process of correlating events is easy.
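As an added example (not from the slides or from any product's rule engine), one custom correlation rule in Python over normalized authentication events of the kind the CONTEXT slide produces: a sliding window per source IP counts FAILURE events, and a SUCCESS from the same source after at least five failures inside sixty seconds raises one alert. The event schema, threshold, window and sample events are this example's assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional


class FailedThenSuccessRule:
    """Correlation rule: at least `threshold` FAILURE authentications from
    one source IP inside `window_seconds`, followed by a SUCCESS from the same
    source, raises one alert.  State is a per-source sliding window of
    failure timestamps, so memory grows with sources, not with events."""

    def __init__(self, threshold: int = 5, window_seconds: int = 60):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self._failures = defaultdict(deque)  # source_ip -> failure timestamps

    def process(self, event: dict) -> Optional[dict]:
        src, ts = event["source_ip"], event["ts"]
        window = self._failures[src]
        # Expire failures that fell out of the window before judging this event.
        while window and ts - window[0] > self.window:
            window.popleft()
        if event["status"] == "FAILURE":
            window.append(ts)
            return None
        if event["status"] == "SUCCESS" and len(window) >= self.threshold:
            alert = {
                "rule": "failed-then-success",
                "source_ip": src,
                "username": event["username"],
                "dest_ip": event["dest_ip"],
                "failures": len(window),
                "first_failure": window[0],
                "success_at": ts,
            }
            window.clear()  # one alert per burst, not one per later success
            return alert
        return None


def run_rule(rule, events):
    """Feed events in time order and collect the alerts the rule raises."""
    ordered = sorted(events, key=lambda e: e["ts"])
    return [a for a in (rule.process(e) for e in ordered) if a]


def make_sample_events():
    """Constructed normalized events (same fields as the CONTEXT slide:
    username, status, dest_ip, source_ip, plus a ts)."""
    base = datetime(2024, 3, 1, 9, 0, 0)

    def ev(sec, src, user, status):
        return {"ts": base + timedelta(seconds=sec), "source_ip": src,
                "username": user, "dest_ip": "10.100.52.105", "status": status}

    events = []
    # 10.10.8.22: five failures in 40 s then a success -> should alert
    events += [ev(s, "10.10.8.22", "broberts", "FAILURE") for s in (0, 10, 20, 30, 40)]
    events.append(ev(50, "10.10.8.22", "broberts", "SUCCESS"))
    # 10.10.8.30: two mistyped passwords then a success -> ordinary user, no alert
    events += [ev(0, "10.10.8.30", "jsmith", "FAILURE"), ev(5, "10.10.8.30", "jsmith", "FAILURE"),
               ev(10, "10.10.8.30", "jsmith", "SUCCESS")]
    # 10.10.8.31: five failures spread over 400 s -> never five inside 60 s
    events += [ev(s, "10.10.8.31", "svc", "FAILURE") for s in (0, 100, 200, 300, 400)]
    events.append(ev(410, "10.10.8.31", "svc", "SUCCESS"))
    return events


if __name__ == "__main__":
    for alert in run_rule(FailedThenSuccessRule(), make_sample_events()):
        print(alert)
```

The rule keys on the normalized `status` value, which is why the normalization step has to map every vendor's wording onto one vocabulary first; the threshold and window are the knobs a custom rule builder exposes, and tuning them against known-benign traffic is what keeps the rule from being noisy.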
#4. LOG RETENTION
SIEM solutions should automatically archive all log data from systems, devices and applications to a centralized repository.
Ensure that the SIEM solution has a tamper-proof feature which encrypts and time-stamps the archived logs for compliance and forensics purposes.
Ease of retrieving and analyzing archived log data.
#5. IT COMPLIANCE REPORTS
IT compliance is at the core of every SIEM solution.
Ensure that the SIEM solution has out-of-the-box regulatory compliance reports such as PCI DSS, FISMA, GLBA, SOX, HIPAA, etc.
SIEM solutions should also have the capability to customize and build new compliance reports to comply with future regulatory acts.
#6. FILE INTEGRITY MONITORING
File integrity monitoring helps security professionals monitor business-critical files and folders.
Ensure that the SIEM solution tracks and reports on all changes, such as when files and folders are created, accessed, viewed, deleted, modified, renamed and more.
The SIEM solution should also send real-time alerts when unauthorized users access critical files and folders.
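As an added example (not from the slides), the baseline-and-compare core of file integrity monitoring in Python: a snapshot records a SHA-256 digest per file, and comparing two snapshots classifies files as created, deleted or modified. The directory layout and file contents are constructed in a temporary directory for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files stay off the heap."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots.  Content digests, not
    timestamps, decide 'modified': an mtime is trivially reset, a digest
    of the content is not."""
    return {
        "created": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def demo_in_tempdir() -> dict:
    """Constructed scenario: baseline three files, then modify one, delete
    one, add one and leave one untouched; returns the compare() result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "users.txt").write_text("broberts\n")
        (root / "readme.txt").write_text("unchanged\n")
        baseline = snapshot(root)

        (root / "etc" / "app.conf").write_text("debug=true\n")    # modified
        (root / "etc" / "users.txt").unlink()                     # deleted
        (root / "etc" / "extra.conf").write_text("plugin=new\n")  # created
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for change, paths in demo_in_tempdir().items():
        print(f"{change}: {paths}")
```

In a real deployment the baseline itself is the asset to protect: it belongs in the tamper-proof, time-stamped archive from slide #4, and each compare() result is emitted as an event so the SIEM can correlate a modified file with the user session that touched it.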
#7. LOG FORENSICS
SIEM solutions should allow users to track down an intruder or the event activity using the log search capability.
The log search capability should be very intuitive and user-friendly, allowing IT administrators to search through the raw log data quickly.
#8. DASHBOARDS
Dashboards drive SIEM solutions and help IT administrators take timely action and make the right decisions during network anomalies.
Security data must be presented in a very intuitive and user-friendly manner.
The dashboard must be fully customizable so that IT administrators can configure the security information they wish to see.
SIEM PRODUCTS IN MARKET
Licensed versions:
• IBM X-Force
• HP ArcSight
• LogRhythm
• Splunk
• Alien Vault
• And others
Open Source:
• Elastic Search + Kibana
• MozDef
• And many more
PCI DSSThe Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB. Private label cards – those which aren't part of a major card scheme – are not included in the scope of the PCI DSS.The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
USE CASES ON PCI DSS
Columns: Scenario | Threat | Use Case | Rule | Log Source(s) | Requirement(s) Mapping

Scenario: Unapproved network connections to/from your critical assets
Threat: Unauthorized access
Use Case: Detect all the unapproved/unauthorized network connections to/from your critical IT assets and correlate with the rules documented in your change management process.
Rule: Group all the connections by dst port and include your critical assets in the filter.
Log Source(s): Routers, switches and firewalls
Requirement(s) Mapping: PCI Requirement # 1.1.1, 1.2.1

Scenario: Identify most vulnerable systems
Threat: Exploitation of vulnerabilities
Use Case: Identify all the vulnerable systems running in the organization.
Rule: Integrate VM with an existing SIEM solution.
Log Source(s): VM Solution
Requirement(s) Mapping: PCI Requirement # 6.1

Scenario: Detect all the default accounts
Threat: Unauthorized access
Use Case: Identify all the systems using default accounts.
Rule: Create a list of default accounts and check for authentication events related to those accounts.
Log Source(s): Any system
Requirement(s) Mapping: PCI Requirement # 6.3.1, 6.4.4
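As an added example (not from the slides), the first and third use cases above written as Python rules over normalized events: connections touching a critical asset are grouped by destination port after the change-management allowlist is subtracted, and authentication events naming a default account are reduced to the set of systems still using one. The critical-asset list, the approved-connection tuples, the default-account list and the sample events are all constructed for the demo; in practice they come from the asset inventory, change records and vendor documentation.

```python
from collections import defaultdict

# Constructed inputs.  Field names and values are this example's assumptions:
# a real deployment pulls the critical-asset list from the asset inventory,
# the approved set from change-management records, and the default-account
# list from vendor documentation for the platforms in use.
CRITICAL_ASSETS = {"10.100.52.105"}          # in-scope cardholder-data systems
APPROVED_CONNECTIONS = {                      # (src, dst, dst_port) per change management
    ("10.10.8.22", "10.100.52.105", 443),
}
DEFAULT_ACCOUNTS = {"admin", "root", "sa", "guest"}

CONNECTION_EVENTS = [  # normalized firewall/router flow records
    {"src_ip": "10.10.8.22", "dst_ip": "10.100.52.105", "dst_port": 443},    # approved
    {"src_ip": "10.10.8.30", "dst_ip": "10.100.52.105", "dst_port": 3389},   # unapproved, inbound
    {"src_ip": "10.10.8.31", "dst_ip": "10.10.9.9", "dst_port": 3389},       # not a critical asset
    {"src_ip": "10.100.52.105", "dst_ip": "203.0.113.7", "dst_port": 8080},  # unapproved, outbound
]

AUTH_EVENTS = [  # normalized authentication events from any system
    {"host": "10.100.52.105", "username": "broberts", "status": "SUCCESS"},
    {"host": "10.100.52.106", "username": "admin", "status": "SUCCESS"},
    {"host": "10.100.52.107", "username": "sa", "status": "FAILURE"},
]


def unapproved_critical_connections(events, critical_assets, approved):
    """PCI 1.1.1 / 1.2.1 rule: keep connections that touch a critical asset
    in either direction, drop those recorded as approved, and group the rest
    by destination port so each port is one finding to reconcile with
    change management."""
    by_port = defaultdict(list)
    for e in events:
        touches_critical = e["src_ip"] in critical_assets or e["dst_ip"] in critical_assets
        key = (e["src_ip"], e["dst_ip"], e["dst_port"])
        if touches_critical and key not in approved:
            by_port[e["dst_port"]].append(e)
    return dict(by_port)


def default_account_usage(events, default_accounts):
    """PCI 6.3.1 / 6.4.4 rule: any authentication event, successful or not,
    that names a vendor default account identifies a system still using it."""
    hits = {(e["host"], e["username"].lower()) for e in events
            if e["username"].lower() in default_accounts}
    return sorted(hits)


def findings():
    """Assemble both use cases into findings tagged with their PCI mapping."""
    return [
        {"use_case": "unapproved connections", "pci": ["1.1.1", "1.2.1"],
         "detail": unapproved_critical_connections(
             CONNECTION_EVENTS, CRITICAL_ASSETS, APPROVED_CONNECTIONS)},
        {"use_case": "default accounts", "pci": ["6.3.1", "6.4.4"],
         "detail": default_account_usage(AUTH_EVENTS, DEFAULT_ACCOUNTS)},
    ]


if __name__ == "__main__":
    for f in findings():
        print(f["use_case"], f["pci"], f["detail"])
```

Failed logons count for the default-account rule as much as successful ones: a failure still proves the account exists and is being tried, which is what the requirement mapping is meant to surface.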
WHY SIEM IMPLEMENTATION FAILS?
Lack of planning: no defined scope.
Faulty deployment strategies: incoherent log management data collection; a high volume of irrelevant data can overload the system.
Operational: lack of management oversight; assuming plug and play.
“Security is a process, not a product”
BUSINESS BENEFITS
Real-time monitoring, for operational efficiency and IT security purposes
Cost saving
Compliance
Reporting
Rapid ROI (Return on Investment)
TOP CHALLENGES OF IMPLEMENTING SIEM
SIEM is too complex.
SIEM takes too long to deploy.
SIEM is too expensive.
SIEMs are too noisy.
SIEMs aren’t typically “cloud friendly”.
SUCCESSFUL IMPLEMENTATION CRITERIA
Malware Control
Boundary Defenses
Access Control
Acceptable Use Monitoring (AUP)
Application Defenses
Compliance and Audit Data Requirements
Monitoring and Reporting Requirements
Deployment and Infrastructure Activation
Network and Host Defenses
Network and System Resource Integrity
Q & A