a (slightly redacted) talk I did for a lunch session at work. Thx to Patrick for the invite :-)

1. SIEM : putting ya goggles on.
Wednesday 22 December 2010

2. 2 rules
Wednesday 22 December 2010

3. Disclaimer
This talk != an EY talk
This talk != an [] talk
This talk == MY talk
Wednesday 22 December 2010

4. Disclaimer
This talk != an EY talk
This talk != an [] talk
This talk == MY talk
Marishka Hargitay !
Wednesday 22 December 2010

5. I. What is SIEM
II. Challenges
III. Common-Sense SIEM
V. What’s the future?
VI. ...
Wednesday 22 December 2010

6. What is SIEM ?
* What is it not (Log Management)
* It’s about information.
* It’s about your needs !
Wednesday 22 December 2010

7. Log
SIEM
Management
Log Collection
Context Data Collection
Log Collection Normalization
Retention Categorization
Search Correlation
Indexing/Parsing Notification/Alerting
Reporting Prioritization
Reporting
Security role workflow
All types of log data Security relevant data
Wednesday 22 December 2010

8. INFORMATION
PROCESSING
DATA
Wednesday 22 December 2010

9. Data vs. information
May 21 20:22:28 slacker2 sshd[8813]: Accepted password for
root from 192.168.20.185 port 1066 ssh2
Wednesday 22 December 2010

10. Data vs. information
May 21 20:20:15 slacker sshd[17834]: Failed password for root from
192.168.20.185 port 1058 ssh2
May 21 20:22:28 slacker2 sshd[8813]: Accepted password for
root from 192.168.20.185 port 1066 ssh2
Wednesday 22 December 2010

11. Data vs. information
May 21 19:30:28 slacker sshd[9287]: Failed password for root from
192.168.20.185 port 1080 ssh2
May 21 19:32:30 slacker sshd[10254]: Failed password for root from
192.168.20.185 port 1045 ssh2
... (2000 of those)
May 21 20:20:15 slacker sshd[17834]: Failed password for root from
192.168.20.185 port 1058 ssh2
May 21 20:22:28 slacker2 sshd[8813]: Accepted password for
root from 192.168.20.185 port 1066 ssh2
Wednesday 22 December 2010

12. Information vs. context
SIEM
IDS
win2K3
server
10.10.10.10
Wednesday 22 December 2010

13. Information vs. context
1
SIEM
MS08-067 !
IDS
win2K3
server
10.10.10.10
Wednesday 22 December 2010

14. Information vs. context
1
SIEM
MS08-067 !
IDS
win2K3
server
10.10.10.10
Wednesday 22 December 2010

15. Information vs. context
1
SIEM
MS08-067 !
IDS
Vuln Scan
win2K3
server
10.10.10.10
Wednesday 22 December 2010

16. Information vs. context
1
SIEM
2 MS08-067 !
scan
10.10.10.10
IDS
Vuln Scan
win2K3
server
10.10.10.10
Wednesday 22 December 2010

17. Information vs. context
1
SIEM
2 MS08-067 !
scan
10.10.10.10
IDS
Vuln Scan
3 yo,
win2K3
server
wazzup ?
10.10.10.10
Wednesday 22 December 2010

18. Information vs. context
1
SIEM
2 MS08-067 !
scan
10.10.10.10
4
not IDS
vulnerable
Vuln Scan
3 yo,
win2K3
server
wazzup ?
10.10.10.10
Wednesday 22 December 2010

19. Information vs. context
5
meh!
1
SIEM
2 MS08-067 !
scan
10.10.10.10
4
not IDS
vulnerable
Vuln Scan
3 yo,
win2K3
server
wazzup ?
10.10.10.10
Wednesday 22 December 2010

20. Why SIEM ?
* React Faster !
* Increase efficiency
* Automate Compliance
Wednesday 22 December 2010

21. Challenges
Wednesday 22 December 2010

22. Where do we get data from ?
App App App App DB
Virtualisation
Wintel Unix
NETWORK
Wednesday 22 December 2010

23. How do we work together ?
Wednesday 22 December 2010

24. Parsing data for fun and ...
(kill me now)
Wednesday 22 December 2010

25. IP Addresses ...
bd{1,3}.d{1,3}.d{1,3}.d{1,3}b
999.999.999.999
Wednesday 22 December 2010

26. IP Addresses ...
bd{1,3}.d{1,3}.d{1,3}.d{1,3}b
999.999.999.999
b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?
[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4]
[0-9]|[01]?[0-9][0-9]?)b
Wednesday 22 December 2010

27. Matching an RFC 822 valid e-mail address
using regular expressions ...
couldn’t be that hard !
Wednesday 22 December 2010

28. Wednesday 22 December 2010

29. (?:(?:rn)?[ t])*(?:(?:(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t] )+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:r
n)?[ t]))*"(?:(?: rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:( ?:rn)?[ t])+|Z|(?=[["()<>@,;:".
[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-0 31]+(?:(?:(?:rn)?
[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)* ](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+
(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?: (?:rn)?[ t])*))*|(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:
rn)?[ t])+|Z |(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn) ?[ t])*)*<(?:(?:rn)?[ t])*(?:@(?:[^()
<>@,;:".[] 000-031]+(?:(?:(?: rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?
[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn) ?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t] )*))*
(?:,@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:r
n)?[ t])* )(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t] )+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|
.)*](?:(?:rn)?[ t])*))*) *:(?:(?:rn)?[ t])*)?(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+ |Z|(?=[["()<>@,;:".
[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:r n)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?: rn)?
[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t ]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[]
000-031 ]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*]( ?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()
<>@,;:".[] 000-031]+(? :(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(? :rn)?[ t])*))*>(?:(?:rn)?
[ t])*)|(?:[^()<>@,;:".[] 000-031]+(?:(? :(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)? [ t]))*"(?:
(?:rn)?[ t])*)*:(?:(?:rn)?[ t])*(?:(?:(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r
]| .|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<> @,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[
["()<>@,;:".[]]))|" (?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t] )*(?:[^()<>@,;:".[] 000-031]+(?:
(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;: ".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(? :[^()<>@,;:".[]
000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[ ]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*|(?:[^()<>@,;:".[] 000-
031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|( ?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)*<(?:(?:rn)?[ t])*
(?:@(?:[^()<>@,; :".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([ ^[]r]|.)*](?:(?:rn)?[ t])*)(?:.
(?:(?:rn)?[ t])*(?:[^()<>@,;:" .[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[ ]r]|.)*](?:(?:rn)?
[ t])*))*(?:,@(?:(?:rn)?[ t])*(?:[^()<>@,;:". [] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[] r]|.)
*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^
[]r] |.)*](?:(?:rn)?[ t])*))*)*:(?:(?:rn)?[ t])*)?(?:[^()<>@,;:".[] 0 00-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:
".[]]))|"(?:[^"r]| .|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@, ;:".[] 000-031]+(?:(?:(?:r
n)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(? :[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])* (?:[^()<>@,;:
".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*
(?:[ ^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[] ]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*>(?:(?:
rn)?[ t])*)(?:,s*( ?:(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;: ".[]]))|"(?:[^"r]|.|(?:(?:r
n)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:( ?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[ ["()<>@,;:".
[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t ])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?
[ t ])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(? :.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+
(?:(?:(?:rn)?[ t])+| Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*|(?: [^()<>@,;:".[] 000-031]+(?:(?:
(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[ ]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)*<(?:(?:rn) ?[ t])*(?:@(?:[^()
<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[[" ()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn) ?
[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<> @,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*
(?:,@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@, ;:".[]]))|[([^[]r]|.)*](?:(?:r
n)?[ t])*)(?:.(?:(?:rn)?[ t] )*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;: ".[]]))|[([^[]r]|
.)*](?:(?:rn)?[ t])*))*)*:(?:(?:rn)?[ t])*)? (?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".
[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?: rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?
[ t])+|Z|(?=[[ "()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t]) *))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".
[] 000-031]+(?:(?:(?:rn)?[ t]) +|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?: .(?:(?:rn)?[ t])*(?:[^
()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z |(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*>(?:( ?:rn)?
[ t])*))*)?;s*)
Wednesday 22 December 2010

30. Making sense of data
user 1 user 2 user 1 user 2
user 3 user 4 user 3 user 4
70 200
52,5 150
100
35
50
17,5
0
0 monday wednesday friday
monday wednesday friday
200
150 user 4
100 user 3
user 2
50
user 1
0
monday wednesday friday
Wednesday 22 December 2010

31. Making sense of data
Wednesday 22 December 2010

32. Making sense of data
Wednesday 22 December 2010

33. common-sense SIEM
Wednesday 22 December 2010

34. common-sense SIEM!
DATA
Use Cases
Data Points
time/date who
user name what
source when
destination where
host name why ?
action €€€
... ...
Wednesday 22 December 2010

35. So, where do we go from here ?
Wednesday 22 December 2010

36. mee
tH
oov
er ;
-)
http://www.loggly.com
!= SIEM
= LaaS
currently running in beta
log collection/parsing/search/visualization
(demo)
Wednesday 22 December 2010

37. Thank you!
Wednesday 22 December 2010

38. Thank you!
Marishka Hargitay !
Wednesday 22 December 2010