SIEMple Technology


BSidesLV via YouTube


Classroom Contents

  1. SIEMple technology: a guide on setting up a SIEM in your environment
  2. 1. Researching options and setting goals; 2. Implementing in your environment
  3. What is a SIEM? Security Information and Event Management, but what does that mean? • Log collection • Log correlation • Alerting • Log retention
  4. What value are you trying to create? Faster incident response?
  5. Collecting network logs: firewalls, IDS/IPS, NetFlow, WAFs, web proxies
  6. Collecting end user logs: EMET, Sysmon, local firewall, installed apps, event logs, command line history
  7. Collecting security logs: endpoint "protection", app whitelisting, vulnerability scanners, honeypots
  8. Correlating logs: two successful logins from the same person in the same day from two different countries
  9. What resources will you need? How many events per second/hour? • How many of those events do you need to store/process/correlate in a given time period? • How long do you need to store everything?
  10. Phased approach options • Most critical systems • Compliance requirements • Least amount of visibility • Annoying ones that need professional service hours to resolve
  11. Tweak, alter, test, & more tweaking. Don't let your SIEM • Cry wolf • Nag you repeatedly • Do nothing
  12. Have department liaisons and have them communicate: • Downtime • Upgrades • Major config changes • System replacements and additions
  13. Periodic reviews: true for internal or external SIEMs. Are your alerts still relevant? Are you still getting logs from required sources? • Did you miss a system, device, or application? • Are you getti…
  14. Wrap up: find the solution that meets your needs (supported devices, time and people resources)
  15. Russell Butturini @tcstoolhaxor. My wife: Andrea. BSides LV. You guys!
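Slide 8 gives one correlation rule as an illustration: the same person logging in successfully twice on the same day from two different countries. The following is an added example of that rule run over a handful of log lines; it is not code from the talk or from any SIEM product. The syslog-style login lines, the `/24` prefix-to-country table that stands in for a GeoIP lookup, and the `correlate` function name are all constructed for this example.

```python
"""
Added example: the slide-8 correlation rule over constructed auth log lines.
Alert when one user has successful logins from more than one country on the
same calendar day. The log lines and the IP-to-country table below are
constructed for this example; they are not from a real host or GeoIP feed.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

# Constructed sample: sshd-style successful and failed logins (hypothetical format).
SAMPLE_LOGS = """\
2023-05-04T08:12:31Z auth sshd: Accepted publickey for alice from 203.0.113.7
2023-05-04T09:40:02Z auth sshd: Accepted password for bob from 198.51.100.23
2023-05-04T13:05:45Z auth sshd: Accepted publickey for alice from 192.0.2.77
2023-05-04T13:06:10Z auth sshd: Failed password for alice from 192.0.2.78
2023-05-05T07:30:00Z auth sshd: Accepted publickey for alice from 203.0.113.9
2023-05-05T18:15:22Z auth sshd: Accepted password for bob from 198.51.100.40
"""

# Constructed prefix-to-country table; a real deployment would query GeoIP here.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "BR",
}

# Only "Accepted ..." lines count; failed attempts never match this pattern.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)$"
)


def ip_to_country(ip: str) -> str:
    """Longest-prefix lookup in the constructed table; unknown prefixes get '??'."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return "??"  # unknown origin still counts as a distinct "country" in the rule


def parse_logins(text):
    """Yield (day, user, country, ip) for each successful login line."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # failed logins and unrelated lines are skipped
        day = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").date()
        yield day, m["user"], ip_to_country(m["ip"]), m["ip"]


def correlate(text):
    """Return one alert per (user, day) whose successful logins span >1 country."""
    seen = defaultdict(dict)  # (user, day) -> {country: first source ip seen}
    for day, user, country, ip in parse_logins(text):
        seen[(user, day)].setdefault(country, ip)
    alerts = []
    for (user, day), countries in sorted(seen.items()):
        if len(countries) > 1:
            alerts.append({"user": user, "day": day.isoformat(),
                           "countries": sorted(countries)})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(f"ALERT {a['user']} {a['day']}: logins from {', '.join(a['countries'])}")
```

Two caveats a practitioner will hit when turning this into a production rule: the "same day" bucket depends on which timezone the SIEM normalises timestamps to, and the rule as stated on the slide fires on any two countries regardless of the time between the logins, so VPN exits and legitimate travel across a border will trip it until you add a minimum-time or distance threshold (which is the tuning slide 11 is about).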
