December 23, 2022 | Author: Anonymous | Category: N/A
Security Information and Event Management
Craig Pennington, Sr. Network Information Security Analyst, Wabash Valley Power Association
[email protected]
Show of Hands… Which describes you…
Have a SIEM in place
Fully Implemented, and is the Cornerstone of your SOC
Doing lots of good stuff for you and have even more in the works
I can’t possibly keep up with all the alarms and I wish that thing would just shut up
Paid someone else to deal with it and tell me what to do (Hosted or On-Premise?)
Nothing yet but plan to get one soon
Not sure I need one, or too much to deal with right now
Other?
To SIEM or not to SIEM
Challenges
Analysts say for every dollar you spend directly on the SIEM you will spend 3 more to manage it
Requires a lot of planning and a complete understanding of your environment (network, server and workstation levels)
Useful implementations require good security processes; they take a long time initially and remain ongoing, forever
Vendors over promise and under deliver
Unrealistic expectations of a SIEM being the answer to all your problems
Benefits
Bad guys have the upper hand and there is too much information to handle with manual processes
Verizon’s Data Breach Investigation Report over the last several years says that 97 percent of attacks could have been prevented by using simple security controls including log management and analysis
A mature SOC depends on a mature SIEM implementation
Most SIEMs have lots of capabilities and integrations to 3rd party feeds
My Opinion…YES you must SIEM
There is so much information needing analysis, so many compliance requirements, and so many due care standards, that realistically it is impossible to faithfully perform it all without these tools. You are probably already performing most (hopefully at least some) of these activities. Look for ways the SIEM can automate them so you can reclaim at least some of the time investment it takes to run the SIEM.
Why do People Struggle with SIEMs?
Not prepared for the commitment of money and time up front and the ongoing needs
Don’t understand their environment and their needs
Vikas Bhatia, CEO of the New York-based cyber security consultancy Kalki Consulting:
"Almost all vendors want to sell you a big bang approach, but the best way to deploy is a phased approach."
“It is essential to identify in advance what system log files will be required for monitoring…and know what level of security each asset requires.”
“Security is a process and not a one-and-done tactical operation”
Mike Spencer with Accuvant, "Many organizations do not know what their critical assets are and therefore do not know how to protect them,"
Features
Basic Features
Event Consolidation and Normalization
Log Retention
Alerting\Correlation
Dashboards
Reporting
Advanced
Threat Feeds
Compliance
Situational Awareness
User Analytics
Reduce False Positives
Packet Capture
File Integrity Monitoring
Geo Location
Work flows
Forensic Analysis
Ticketing
Long Term Retention
Determine Your Use Cases
Gather information on your possible uses:
Compliance (control-centric use cases)
Threat assessment results and threats lists (threat-centric use cases)
Asset lists (asset-centric use cases)
Generate a big list of candidate use cases from the information you collect
Determine the relevance of the above threats, controls and assets to your specific needs
Initially prioritize the use cases focused on importance AND “doability”, then prioritize and select the top use cases by value to you
Compliance Examples
PCI 10.7:
Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
NERC CIP 007-6 Table R4:
4.1 - Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents that includes, as a minimum, each of the following types of events: 4.1.1. Detected successful login attempts; 4.1.2. Detected failed access attempts and failed login attempts; 4.1.3. Detected malicious code.
4.2 - Generate alerts for security events that the Responsible Entity determines necessitates an alert, that includes, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System capability): 4.2.1. Detected malicious code from Part 4.1; and 4.2.2. Detected failure of Part 4.1 event logging.
4.3 - Where technically feasible, retain applicable event logs identified in Part 4.1 for at least the last 90 consecutive calendar days except under CIP Exceptional Circumstances.
Choosing a Deployment Model
Outsourced
Benefits
Less training is required
Higher level of expertise available
Can be more of an operating rather than a capital expenditure
Staff turnover is less of a concern
24/7 analysis
Concerns
Your data leaves the premises
Reliance on the Internet in order to manage the network
Alarms still need investigated
Limited visibility to data for custom or additional analysis
Less opportunity to tune out false alarms (vendor decides what is important)
Inability to move between vendors and maintain the older logs
Choosing a Deployment Model (cont.)
On-Premise
Benefits
Control over your data and system functions
Maximum ability to configure the correlation rules, reporting, retention periods, and other settings to meet your needs
Easier to create custom feeds and input custom IOCs (such as IPs, URLs, etc. from sources like E-ISAC alerts)
Concerns
Tend to suffer from low staffing rates
Staff being pulled off SIEM work to work on projects or other duties (hard to do part-time)
Requires specialized training
Often oversized versus actual needs
Sizing the SIEM
Avoid playing “feature bingo”
Compare the list of features your use cases need to the features of each product
Look for the ability to deploy an evaluation or a proof of concept in your environment
Licensed by endpoint or message volume? If hosted, are there additional costs for volume of storage to satisfy your retention requirements?
If you only need basic features like log correlation and reporting, don’t pay for advanced enterprise features
Do you require redundancy?
How does the system scale? Do I have to throw away existing hardware investment if I need to scale up?
Questions To Ask SIEM Vendors
What log sources does it handle out of the box? How do you create custom maps?
What out-of-the-box reports for security and compliance are included?
What is the cost of maintenance?
What is the cost of the SIEM product? How is it licensed?
What is the cost of training?
How is post-sale technical support handled? Stats? (time to first contact, ticket priorities, average time to resolution)
Require hardware? Support virtualization? Support hybrid?
Will it integrate with your current ticketing system?
How many report/dashboard/alert customization options are available?
Questions To Ask SIEM Vendors (cont.)
How will it help with operational roles and not just security?
Is there a packet capture or flow option?
How does the product handle older data that has been archived off-box?
How thorough is the product documentation?
What does the product do in the event of a license violation?
How much staffing will I need for a deployment of this size?
Your SIEM Uses Versus What’s Built-in
The Path to SIEM Success
Collect logs from standard security sources (Firewalls, IPS, Domain Controllers, Anti-virus/Anti-malware, Netflow, Web Proxy, etc.)
Enrich logs with supplemental data (Vulnerabilities, Software versions, etc.)
Global Threat Intelligence Feeds
Correlate - finding the proverbial needles in the log haystacks
Investigate - follow up and fix data source and normalization issues
Document - Standard Operating Procedures, Service Level Agreements, Forensics/Investigation Procedures
Incorporate – Expanded log collection (more servers, workstations), additional uses such as application monitoring and analysis
Continuously Improve Your Processes
Gartner Magic Quadrant
A SIEM can help with CIS Critical Security Controls
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 14: Controlled Access Based on the Need to Know
CSC 16: Account Monitoring and Control
CSC 18: Application Software Security
CSC 19: Incident Response and Management
What to Look for on Linux
Successful user login: “Accepted password”, “Accepted publickey”, “session opened”
Failed user login: “authentication failure”, “failed password”
User log-off: “session closed”
User account change or deletion: “password changed”, “new user”, “delete user”
Sudo actions: “sudo: … COMMAND=…”, “FAILED su”
Service failure: “failed” or “failure”
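As an added example (not part of the slide deck), the Python below applies the Linux keyword patterns listed above to a few constructed auth.log lines, then layers on the kind of correlation rule a SIEM would run over those categories: several failed logins from one source address followed by a successful login from the same address. The log lines, the threshold of three failures and the five-minute window are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not real data) covering each pattern on the slide.
SAMPLE_AUTH_LOG = """\
Jan 10 08:01:02 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Jan 10 08:01:05 host1 sshd[2103]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jan 10 08:01:09 host1 sshd[2105]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jan 10 08:01:15 host1 sshd[2107]: Accepted password for root from 203.0.113.7 port 51004 ssh2
Jan 10 08:01:15 host1 sshd[2107]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 10 08:02:30 host1 sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Jan 10 08:03:00 host1 useradd[2200]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup, shell=/bin/bash
Jan 10 08:03:10 host1 su[2210]: FAILED su for root by alice
Jan 10 08:04:00 host1 sshd[2107]: pam_unix(sshd:session): session closed for user root
Jan 10 08:05:00 host1 systemd[1]: Failed to start Apache HTTP Server.
"""

# Keyword categories from the slide. Order matters: the generic "failed"/"failure"
# service rule is last so that "Failed password" and "FAILED su" are not swallowed by it.
CATEGORIES = [
    ("account_change", ("password changed", "new user", "delete user")),
    ("sudo_action", ("sudo:", "command=", "failed su")),
    ("failed_login", ("authentication failure", "failed password")),
    ("successful_login", ("accepted password", "accepted publickey", "session opened")),
    ("logoff", ("session closed",)),
    ("service_failure", ("failed", "failure")),
]

IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")
TS_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)")


def classify(line):
    """Return the first matching category name for a log line, or None."""
    low = line.lower()
    for name, needles in CATEGORIES:
        if any(n in low for n in needles):
            return name
    return None


def parse_ts(line):
    """Parse the syslog-style timestamp (no year; only deltas are used here)."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S") if m else None


def analyze(log_text, threshold=3, window_seconds=300):
    """Count events per category and raise an alert when a source address
    logs in successfully after `threshold` failures within `window_seconds`."""
    counts = Counter()
    failures = defaultdict(list)  # source IP -> timestamps of recent failed logins
    alerts = []
    for line in log_text.splitlines():
        cat = classify(line)
        if cat is None:
            continue
        counts[cat] += 1
        ip, ts = IP_RE.search(line), parse_ts(line)
        if ip is None or ts is None:
            continue  # no source address to correlate on (e.g. PAM session lines)
        src = ip.group(1)
        if cat == "failed_login":
            failures[src].append(ts)
        elif cat == "successful_login":
            recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_seconds]
            if len(recent) >= threshold:
                alerts.append({"source": src, "failures": len(recent),
                               "success_at": ts.strftime("%b %d %H:%M:%S")})
                failures[src].clear()
    return {"counts": dict(counts), "alerts": alerts}


if __name__ == "__main__":
    result = analyze(SAMPLE_AUTH_LOG)
    print(result["counts"])
    for a in result["alerts"]:
        print("ALERT: brute force followed by success:", a)
```

The keyword lists are deliberately loose, which is what makes the ordering of CATEGORIES matter; in a real deployment each source type gets its own parser, and the correlation step works on normalized fields rather than substrings.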
Top Windows 10 Event ID’s to Monitor and Alarm on (according to MalwareArchaeology.com)
4688 - New Process – Look for the obvious malicious executables like cscript.exe, sysprep.exe, nmap.exe, nbtstat.exe, netstat.exe, ssh.exe, psexec.exe, psexecsvc.exe, ipconfig.exe, ping.exe, powershell.exe or new odd .exe’s
4624 - Some account logged in. What is normal?
5140 - A share was accessed. They most likely connected to the C$ share
5156 – Windows Firewall Network connection by process. Can see the process connecting to an IP that you can use GEOIP to resolve Country, Region and City.
7040 - A new service has changed. Static systems don't change details of services
7045 - A new service is installed. Static systems don't get new services except at patch time and new installs.
4663 - File auditing must be enabled on directories you want to monitor
4657 – Registry auditing will give more Registry details than 4663 for Reg items
501 – PowerShell execution
4104 – PowerShell Scriptblock module loading
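As an added example (not from the deck or from MalwareArchaeology.com), the Python below turns the event IDs above into rules over already-parsed event records: 4688 against the executable watch list on the slide, 4624 against a baseline of accounts normally seen logging on, 5140 for administrative shares, and 7040/7045 on hosts that are supposed to be static. The event records, host names, account baseline and the "static host" list are constructed assumptions; the field names follow the Windows Security/System log fields of the same name.

```python
import ntpath

# Watch list copied from the slide above: tools whose appearance in 4688 deserves a look.
WATCHED_EXECUTABLES = {
    "cscript.exe", "sysprep.exe", "nmap.exe", "nbtstat.exe", "netstat.exe", "ssh.exe",
    "psexec.exe", "psexecsvc.exe", "ipconfig.exe", "ping.exe", "powershell.exe",
}
STATIC_HOSTS = {"SRV-HMI01"}        # constructed: systems that only change at patch time
KNOWN_ACCOUNTS = {"bob", "alice"}   # constructed: baseline of accounts normally seen in 4624

# Constructed sample events, shaped like parsed Windows event records (not real data).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS-042", "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "SubjectUserName": "bob"},
    {"EventID": 4688, "Computer": "WS-042", "NewProcessName": "C:\\Users\\bob\\Downloads\\psexec.exe", "SubjectUserName": "bob"},
    {"EventID": 4624, "Computer": "WS-042", "TargetUserName": "bob", "LogonType": 2},
    {"EventID": 4624, "Computer": "SRV-FILE01", "TargetUserName": "svc_unknown", "LogonType": 3},
    {"EventID": 5140, "Computer": "SRV-FILE01", "ShareName": "\\\\*\\C$", "SubjectUserName": "bob"},
    {"EventID": 5140, "Computer": "SRV-FILE01", "ShareName": "\\\\*\\Public", "SubjectUserName": "alice"},
    {"EventID": 7045, "Computer": "SRV-HMI01", "ServiceName": "RemoteHelper", "ImagePath": "C:\\Temp\\rh.exe"},
    {"EventID": 7045, "Computer": "WS-042", "ServiceName": "Printer Spooler Helper", "ImagePath": "C:\\Program Files\\Vendor\\svc.exe"},
    {"EventID": 7040, "Computer": "SRV-HMI01", "ServiceName": "Windows Defender", "Message": "start type changed from auto start to disabled"},
]


def evaluate(events):
    """Run the event-ID rules over a list of parsed events and return alerts in event order."""
    alerts = []

    def alert(rule, ev, detail):
        alerts.append({"rule": rule, "computer": ev["Computer"], "event_id": ev["EventID"], "detail": detail})

    for ev in events:
        eid = ev["EventID"]
        if eid == 4688:
            # Compare only the executable name; ntpath handles Windows paths on any platform.
            exe = ntpath.basename(ev.get("NewProcessName", "")).lower()
            if exe in WATCHED_EXECUTABLES:
                alert("watched_executable", ev, exe)
        elif eid == 4624:
            # "What is normal?" answered with a baseline: anything outside it is worth a look.
            user = ev.get("TargetUserName", "")
            if user not in KNOWN_ACCOUNTS:
                alert("unbaselined_logon", ev, user)
        elif eid == 5140:
            # Administrative shares (C$, ADMIN$, ...) end in "$"; C$ is the usual one.
            share = ev.get("ShareName", "")
            if share.endswith("$"):
                alert("admin_share_access", ev, share)
        elif eid == 7045 and ev["Computer"] in STATIC_HOSTS:
            alert("service_installed_on_static_host", ev, ev.get("ServiceName"))
        elif eid == 7040 and ev["Computer"] in STATIC_HOSTS:
            alert("service_changed_on_static_host", ev, ev.get("ServiceName"))
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(a)
```

The rules are intentionally host-aware: 7045 on a workstation is ignored because new services there are routine, while the same event on a static host is an alert. That kind of per-asset tuning is what the "know what level of security each asset requires" advice earlier in the deck looks like in practice.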
What to Look for on Cisco ASA
Traffic allowed on firewall: “Built … connection”, “access-list … permitted”
Traffic blocked on firewall: “access-list … denied”, “deny inbound”; “Deny … by”
Bytes transferred (large files?): “Teardown TCP connection … duration … bytes …”
Bandwidth and protocol usage: “limit … exceeded”, “CPU utilization”
Detected attack activity: “attack from”
User account changes: “user added”, “user deleted”, “User priv level changed”
Administrator access: “AAA user …”, “User … locked out”, “login failed”
What to Look for on Web Servers
Excessive access attempts to non-existent files
Code (SQL, HTML) seen as part of the URL
Access to extensions you have not implemented
Web service stopped/started/failed messages
Access to “risky” pages that accept user input
Look at logs on all servers in the load balancer pool
Error code 200 on files that are not yours
Failed user authentication: Error code 401, 403
Invalid request: Error code 400
Internal server error: Error code 500
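As an added example (not from the deck), the Python below scans constructed Apache-style access log lines for the conditions listed above: a run of 404s from one client, SQL or HTML fragments in the URL, requests for extensions the site does not implement, 200 responses for files that are not in the site's own inventory, and the 400/401/403/500 status codes. The site inventory, the unsupported-extension set and the threshold of three 404s per client are assumptions for this hypothetical site.

```python
import re
import posixpath
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache "common" log format (not real traffic).
SAMPLE_ACCESS_LOG = """\
198.51.100.5 - - [10/Jan/2023:08:00:01 -0500] "GET /index.html HTTP/1.1" 200 5120
198.51.100.5 - - [10/Jan/2023:08:00:02 -0500] "GET /login.html HTTP/1.1" 200 2048
203.0.113.9 - - [10/Jan/2023:08:00:03 -0500] "GET /admin.php HTTP/1.1" 404 512
203.0.113.9 - - [10/Jan/2023:08:00:04 -0500] "GET /wp-login.php HTTP/1.1" 404 512
203.0.113.9 - - [10/Jan/2023:08:00:05 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 512
203.0.113.9 - - [10/Jan/2023:08:00:06 -0500] "GET /backup.zip HTTP/1.1" 404 512
203.0.113.9 - - [10/Jan/2023:08:00:07 -0500] "GET /search?q=1%27%20OR%201=1-- HTTP/1.1" 200 900
203.0.113.9 - - [10/Jan/2023:08:00:08 -0500] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900
198.51.100.5 - - [10/Jan/2023:08:00:09 -0500] "POST /login HTTP/1.1" 401 300
198.51.100.5 - - [10/Jan/2023:08:00:10 -0500] "GET /reports/ HTTP/1.1" 403 300
198.51.100.5 - - [10/Jan/2023:08:00:11 -0500] "GET /api/items HTTP/1.1" 500 100
203.0.113.9 - - [10/Jan/2023:08:00:12 -0500] "GET /uploads/shell.aspx HTTP/1.1" 200 420
203.0.113.9 - - [10/Jan/2023:08:00:13 -0500] "GET /%%%bad HTTP/1.1" 400 200
"""

# Constructed site baseline: the paths this hypothetical site actually serves, and the
# extensions it does not implement at all (a static HTML site with a small JSON API).
KNOWN_PATHS = {"/index.html", "/login.html", "/login", "/search", "/reports/", "/api/items"}
UNSUPPORTED_EXTENSIONS = {".php", ".asp", ".aspx", ".jsp", ".cgi"}

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# SQL keywords, a tautology, a quote, or the start of an HTML tag in the decoded URL.
# The bare quote is noisy on sites with names like O'Brien in URLs; tune per site.
CODE_IN_URL_RE = re.compile(r"(?i)(\bunion\b|\bselect\b|\bor\b\s+\d+\s*=\s*\d+|'|<[a-z/!])")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = urlsplit(rec["target"]).path  # path without the query string
    return rec


def analyze(log_text, not_found_threshold=3):
    """Apply the web-server checks from the slide and return findings plus per-rule counts."""
    findings = []
    not_found = Counter()  # client -> number of 404 responses

    def flag(rule, rec):
        findings.append({"rule": rule, "client": rec["client"], "target": rec["target"], "status": rec["status"]})

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        status, path = rec["status"], rec["path"]
        if status == 404:
            not_found[rec["client"]] += 1
            if not_found[rec["client"]] == not_found_threshold:  # flag once per client
                flag("excessive_404", rec)
        if CODE_IN_URL_RE.search(unquote(rec["target"])):
            flag("code_in_url", rec)
        if posixpath.splitext(path)[1].lower() in UNSUPPORTED_EXTENSIONS:
            flag("unsupported_extension", rec)
        if status == 200 and path not in KNOWN_PATHS:
            flag("unknown_file_served", rec)  # a 200 for a file that is not yours
        if status in (401, 403):
            flag("auth_failure", rec)
        elif status == 500:
            flag("server_error", rec)
        elif status == 400:
            flag("invalid_request", rec)
    return {"by_rule": dict(Counter(f["rule"] for f in findings)), "findings": findings}


if __name__ == "__main__":
    result = analyze(SAMPLE_ACCESS_LOG)
    print(result["by_rule"])
    for f in result["findings"]:
        print(f)
```

The "unknown_file_served" rule only works if KNOWN_PATHS is kept in step with deployments, which is the same inventory discipline the earlier slides ask for; run the same rules over every server behind the load balancer, since a scan can be spread across the pool.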
A Few Informational Sites
NRECA Managed Cybersecurity Services Provider List - http://newsletters.email.nreca.org/c/19p1ImXIAyFpetrhuOiTycmVZ
Ultimatewindowssecurity.com
Windows Security Log Quick Reference Guide -
https://www.ultimatewindowssecurity.com/securitylog/quickref/downloads/quickref.zip
Windows Security Log Events Encyclopedia - http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx
Windows event ID lookup - www.eventid.net
Petri.com
Monitoring Windows Event Logs for Security Breaches - https://www.petri.com/monitoring-windows-event-logs-for-security-breaches
SANS reading room - https://www.sans.org/reading-room/whitepapers/forensics/windows-logon-forensics-34132
Information Assurance Directorate - iad.gov (lots of secure config advice in Library)
Spotting the Adversary with Windows Event Log Monitoring - https://www.iad.gov/iad/library/ia-guidance/security-configuration/applications/spotting-the-adversary-with-windows-event-log-monitoring.cfm
Assess the Mess - https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/assess-the-mess.cfm
A Few Informational Sites (cont.)
IASE Information Assurance Support Environment - iase.disa.mil
Security Technical Implementation Guides (STIGs) https://iase.disa.mil/stigs/Pages/index.aspx
MalwareArchaeology.com
Windows Logging Cheat Sheets - https://www.malwarearchaeology.com/cheat-sheets
Preso from 2015 Splunk Conference - Finding Advanced Attacks and Malware With Only 6 Windows EventID’s - https://conf.splunk.com/session/2015/conf2015_MGough_MalwareArchaelogy_SecurityCompliance_FindingAdvnacedAttacksAnd.pdf
Australian Government Department of Defense
Australian Signals Directorate - https://www.asd.gov.au/
Critical Log Review Checklist for Security Incidents - https://zeltser.com/security-incident-log-review-checklist/
Identity and Access in Windows Server 2016 Appendix L: Events to Monitor - https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor
Log analysis references - www.loganalysis.org
Q&A