
On Content-Aware SIEM by Dr. Anton Chuvakin

Slides (SlideShare export of the deck, February 2010):

  1. Content-Aware SIEM
     Dr. Anton Chuvakin
     Security Warrior Consulting
     www.securitywarriorconsulting.com
     February 2010
  2. Outline
     Brief SIEM history
     SIEM today
     Today's SIEM use cases
     Evolution of SIEM: Content-Aware SIEM
     What does a SIEM "eat"? Logs + context + content!
     Legacy SIEM vs Content-Aware SIEM
     Why deploy a CA-SIEM?
  3. SIEM?
     Security Information and Event Management!
     (sometimes: SIM or SEM)
  4. SIEM Evolution
     1997-2002: IDS and firewall
       Worms, alert overflow, etc.
     2003-2007: the above + servers + context
       PCI DSS, SOX, users
     2008+: the above + applications + content
       Fraud, activities, cybercrime
  5. SIEM Today
     Log and context data collection
     Normalization
     Correlation ("SEM")
     Notification/alerting ("SEM")
     Prioritization ("SEM")
     Reporting and report delivery ("SIM")
     Security role workflow
  6. SIEM Use Cases
     Security Operations Center (SOC): real-time (RT) views, analysts 24/7, chase alerts
     Mini-SOC / "morning after": delayed views, analysts 1/24 (about an hour a day), review and drill-down
     "Automated SOC" / alert + investigate: configure and forget, investigate alerts
     Compliance status reporting: review reports/views weekly/monthly
  7. What Does a SIEM Eat?
     Logs
     Context
     Content (NEW)
  8. One: Logs
     Four records of the same kind of event, an admin login, in four vendor formats (NetScreen firewall, Cisco IOS, OpenSSH, Windows Security event 680):
     <18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User anton has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
     <57> Dec 25 00:04:32: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: anton] [Source: 10.4.2.11] [localport: 23] at 20:55:40 UTC Fri Feb 28 2006
     <122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2
     <13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ANTON Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574
  9. Two: Context
     http://chuvakin.blogspot.com/2010/01/on-log-context.html
  10. Three: Content
     Emails
     Attachments
     IM chats
     Facebook posts
     Videos
     Images
  11. Note: Content Is NOT Just Packets
     Drill down to packets
     Drill down to the emailed document
  12. Legacy SIEM vs CA-SIEM?
  13. Secret to SIEM Magic!
  14. Conclusions
     SIEM is evolving to meet today's needs, while still solving the old ones
     Note: no old IT security threat has gone away yet...
     SIEMs that can consume content and not just logs can win the battle
     Note: logs are voluminous, but content is EVEN LARGER
  15. Questions
     Dr. Anton Chuvakin
     Email: anton@chuvakin.org
     Site: http://www.chuvakin.org
     Blog: http://www.securitywarrior.org
     LinkedIn: http://www.linkedin.com/in/chuvakin
     Twitter: @anton_chuvakin
     Consulting services: SIEM, log management
     http://www.securitywarriorconsulting.com
  16. More on Anton
     Book author: "Security Warrior", "PCI Compliance", "Information Security Management Handbook", "Know Your Enemy II", "Hacker's Challenge 3", etc.
     Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
     Standards developer: CEE, CVSS, OVAL, etc.
     Community roles: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
     Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager, Consultant
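Slide 5 names normalization and correlation as the core "SEM" functions, and slide 8 shows why they are hard: four vendors report one kind of event (an admin login) in four unrelated formats, with the account written as both "anton" and "ANTON" and Telnet identified once by name and once only by local port 23. The Python below is an added example, not code from the deck or from Security Warrior Consulting. It maps the four slide-8 lines (embedded here as constructed input, with the spaces lost in extraction restored) into one login-event schema and then runs three simple correlation rules over the batch. The regular expressions, the `LoginEvent` field names and the rule thresholds are my own illustrative choices.

```python
"""Normalize vendor-specific login records into one schema, then correlate.

Added example, not from the original deck. SAMPLE_LOGS is constructed input:
the four lines shown on slide 8 with lost spaces restored.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SAMPLE_LOGS = [
    "<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp "
    "system-warning-00515: Admin User anton has logged on via Telnet from "
    "10.14.98.55:39073 (2002-12-17 15:50:53)",
    "<57> Dec 25 00:04:32: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: anton] [Source: 10.4.2.11] [localport: 23] at 20:55:40 UTC Fri Feb 28 2006",
    "<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton "
    "from ::ffff:192.168.138.35 port 2895 ssh2",
    "<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE "
    "Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
    "Logon account: ANTON Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574",
]


@dataclass
class LoginEvent:
    """Common schema every parser maps into (field names are my choice)."""
    source_type: str
    user: str                # lower-cased so ANTON and anton correlate
    src: Optional[str]       # IP or workstation name, as the device reports it
    protocol: Optional[str]  # "telnet", "ssh2", ... or None if unknown
    outcome: str             # "success" or "failure"
    detail: Optional[str] = None  # e.g. the NT status code on a failure


# (source_type, pattern, outcome). Named groups feed the schema above.
PARSERS = [
    ("netscreen",
     re.compile(r"Admin User (?P<user>\S+) has logged on via (?P<protocol>\w+) "
                r"from (?P<src>[\d.]+):\d+"),
     "success"),
    ("cisco_ios",
     re.compile(r"%SEC_LOGIN-5-LOGIN_SUCCESS:.*\[user:\s*(?P<user>\S+)\]\s*"
                r"\[Source:\s*(?P<src>[\d.]+)\]\s*\[localport:\s*(?P<port>\d+)\]"),
     "success"),
    ("openssh",
     re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) "
                r"port \d+ (?P<protocol>ssh\d)"),
     "success"),
    ("windows_680",
     re.compile(r"\b680\b.*Failure Audit.*Logon\s+account:\s*(?P<user>\S+)\s+"
                r"Source Workstation:\s*(?P<src>\S+)\s+Error Code:\s*"
                r"(?P<code>0x[0-9A-Fa-f]+)"),
     "failure"),
]

# Cisco IOS only reports the local port; map well-known cleartext ports to a name.
CLEARTEXT_PORTS = {"23": "telnet"}


def normalize(line: str) -> Optional[LoginEvent]:
    """Return a LoginEvent for a recognised line, or None for unknown formats."""
    for source_type, pattern, outcome in PARSERS:
        m = pattern.search(line)
        if not m:
            continue
        g = m.groupdict()
        protocol = g.get("protocol")
        if protocol is None and g.get("port") in CLEARTEXT_PORTS:
            protocol = CLEARTEXT_PORTS[g["port"]]
        return LoginEvent(
            source_type=source_type,
            user=g["user"].lower(),
            src=g.get("src"),
            protocol=protocol.lower() if protocol else None,
            outcome=outcome,
            detail=g.get("code"),
        )
    return None


def correlate(events, max_sources: int = 2):
    """Three toy correlation rules over a batch of normalized events.

    Thresholds and rule choice are illustrative, not from the deck."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    findings = []
    for user, evs in sorted(by_user.items()):
        sources = {e.src for e in evs if e.outcome == "success" and e.src}
        if len(sources) > max_sources:
            findings.append(f"{user}: successful logins from {len(sources)} "
                            f"distinct sources {sorted(sources)}")
        cleartext = sorted({e.source_type for e in evs if e.protocol == "telnet"})
        if cleartext:
            findings.append(f"{user}: cleartext (telnet) admin logins on {cleartext}")
        if {e.outcome for e in evs} == {"success", "failure"}:
            findings.append(f"{user}: both failed and successful logons in this batch")
    return findings


if __name__ == "__main__":
    events = [e for e in map(normalize, SAMPLE_LOGS) if e is not None]
    for e in events:
        print(e)
    for finding in correlate(events):
        print("ALERT:", finding)
```

Normalization is what makes the correlation possible at all: without lower-casing the account and translating "localport: 23" into the same protocol label the NetScreen line spells out, none of the three rules would see the four records as one story. Two caveats a practitioner would add: the rules fire on this sample only because the deck's four lines happen to share one account, and real correlation rules are scoped to a time window, which these lines (dated 2002 through 2006) would not satisfy. Also, a SIEM that stops here is exactly the "legacy" one of slide 12: it knows that anton logged on over Telnet but has no view of what the session or any attached document contained, which is the gap the deck's content-aware argument is about.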
