SIEMple technology
A guide on setting up a SIEM in your environment

1. Researching options and setting goals
2. Implementing in your environment
What is a SIEM?
Security Information and Event Management, but what does that mean?
• Log Collection
• Log Correlation
• Alerting
• Log Retention
What value are you trying to create? Faster incident response?
Collecting network logs: Firewalls, IDS/IPS, Netflow, WAFs, Web Proxies

Collecting end user logs: EMET, Sysmon, Local Firewall, Installed Apps, Event Logs, Command line history

Collecting security logs: Endpoint "protection", App Whitelisting, Vulnerability scanners, Honeypots

Correlating logs: 2 successful logins from the same person in the same day from two different countries
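The correlation example above, worked through as an added illustration (not code from the talk): a small rule that groups successful logins per user and calendar day and alerts when more than one source country appears. The log format (timestamp, user, result, country) and the sample events are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log, one event per line:
# ISO-8601 timestamp, username, result, source country (ISO 3166 alpha-2).
# Alice succeeds from US and later from DE on the same day; bob's US/GB
# logins fall on different days; carol stays in FR.
SAMPLE_LOG = """\
2024-03-04T08:12:31Z alice SUCCESS US
2024-03-04T08:40:02Z bob SUCCESS US
2024-03-04T09:05:44Z alice FAILURE DE
2024-03-04T13:27:10Z alice SUCCESS DE
2024-03-05T07:55:19Z bob SUCCESS GB
2024-03-05T10:14:03Z carol SUCCESS FR
2024-03-05T10:20:41Z carol SUCCESS FR
"""


def parse_events(text):
    """Parse log lines into (date, user, result, country) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, country = line.split()
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        events.append((day, user, result, country))
    return events


def multi_country_logins(events):
    """Correlation rule: same user, same day, successful logins from more
    than one country. Returns {(day, user): sorted list of countries}.
    Failed attempts are ignored; the rule is about successful logins only."""
    seen = defaultdict(set)
    for day, user, result, country in events:
        if result == "SUCCESS":
            seen[(day, user)].add(country)
    return {key: sorted(c) for key, c in seen.items() if len(c) > 1}


def run_rule(text=SAMPLE_LOG):
    """Run the rule end to end over a log text and return the alerts."""
    return multi_country_logins(parse_events(text))


if __name__ == "__main__":
    for (day, user), countries in run_rule().items():
        print(f"ALERT {day} {user}: successful logins from {', '.join(countries)}")
```

In a real SIEM the country would come from GeoIP enrichment of the source address, and the same grouping can be keyed on a sliding window instead of a calendar day.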
What resources will you need?
• How many events per second/hour?
• How many of those events do you need to store/process/correlate in a given time period?
• How long do you need to store everything?

Phased Approach Options
• Most critical systems
• Compliance requirements
• Least amount of visibility
• Annoying ones that need professional service hours to resolve.
Tweak, alter, test, & more tweaking
Don't let your SIEM
• Cry wolf
• Nag you repeatedly
• Do nothing

Have department liaisons and have them communicate:
• Downtime
• Upgrades
• Major config changes
• System replacements and additions

Periodic reviews
True for internal or external SIEMs
Are your alerts still relevant?
Are you still getting logs from required sources?
• Did you miss a system, device, or application?
• Are you getting the value you expected?
Wrap up
Find the solution that meets your needs (supported devices, time and people resources)

Russell Butturini (@tcstoolhaxor)
My wife: Andrea
BSides LV
You guys!

Taught by: BSidesLV