1. How to Run a SIEM Operation?
Dr Anton Chuvakin
@anton_chuvakin
2. Disclaimer: HISTORICAL INTEREST ONLY
This material is at least several years old and is preserved here for HISTORICAL INTEREST ONLY
Advice may not reflect current conditions
(but then again, it may reflect yours…)
3. • You can buy a SIEM tool — but you cannot buy a security monitoring
capability or a SIEM operation.
• You have to buy the tools, grow the people and mature
the processes.
• Security monitoring is an eternal commitment, not a project. You start
today and you end ... never!
Program, NOT a Project!
4. • Key processes and practices are needed for a successful SIEM
implementation
• Avoid common mistakes that plague SIEM operations
• Other technologies to be linked with SIEM to make your SOC better
Outline
5. Security Information and Event Management (SIEM)
Reminder
[Architecture diagram] SIEM = SIM (Analysis, Repository, Query/Reports, Data Collection, Incident Management) + SEM (Correlation, Normalization, Real-Time Monitoring)
Context inputs: Threat Intelligence Data, Asset, Vulnerability, User
Event Data inputs: Network Firewall, Application Firewall, Application, Database, Server, Network Device, NIDS/NIPS, Endpoint Protection, Data Loss Prevention, File Integrity Monitor
Log Management Lives Here Too
7. USE CASES!
Taking aspirin is about the headache, not about low aspirin
content in your blood!
What problem are you trying to solve?
8. • Threat Oriented: Use cases implemented to identify a specific threat or
threat actor.
• Control Oriented: Use cases required as a control from a framework or
other regulatory document.
• Asset Oriented: Use Cases about activities touching specific data assets
– payment card data, patient information, product designs
Identifying Use Cases
9. 1. Authentication monitoring by using login logs.
2. Compromised- and infected-system tracking; malware detection by
using outbound firewall logs, NIPS and proxy logs.
3. Validating IDS/IPS alerts by using context data.
4. Monitoring for suspicious outbound connectivity and data transfers.
5. Tracking system changes and other administrative actions across internal
systems and matching them to allowed policy.
6. Tracking of Web application attacks and their consequences by using
Web server, WAF and application server logs.
Top Starter Use Cases
10. Prioritizing Use Cases
[2x2 matrix: Importance vs Feasibility]
Importance: problems you want solved first
Feasibility: problems you can easily solve with available tools, data and vendor content
Go here first: use cases that are both important and feasible!
11. SIEM Use Case Example: Authentication Abuse Tracking
Step: Details
Use-Case Selection: Focus on tracking authentication across systems to detect unauthorized access.
Data Collection: Have a list of systems: servers, VPN concentrators, network devices, and others.
Log Source Configuration: Contact the team that operates the systems and make them modify the logging configurations.
SIEM Content Preparation: Review vendor's content, check it for suitability; modify the reports and rules until satisfied.
Definition of Operational Processes: Review operational processes (e.g., a process for suspending or disabling user accounts).
Refinement of the Content: Review dashboards and test rules to see whether incidents will be detected.
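As an added example that is not part of the original deck, the authentication abuse use case above expressed as SIEM-style detection content in Python: two log formats (a Linux sshd log and a VPN concentrator log) are normalised to one schema, then two starter rules run over the stream. The log lines, hostnames, users and addresses are constructed placeholders, and the thresholds (five failures per minute, three failures before a success) are assumed starting values, exactly the kind of number the "Refinement of the Content" step is meant to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original deck). Hostnames, users
# and addresses are placeholders; the two formats stand in for a Linux sshd
# log and a VPN concentrator log that the SIEM normalises to one schema.
SAMPLE_LOGS = """\
2024-03-01T08:00:01 srv-web-01 sshd: Failed password for alice from 203.0.113.7 port 51000 ssh2
2024-03-01T08:00:04 srv-web-01 sshd: Failed password for alice from 203.0.113.7 port 51001 ssh2
2024-03-01T08:00:09 srv-db-02 sshd: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-01T08:00:15 srv-db-02 sshd: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
2024-03-01T08:00:21 srv-web-01 sshd: Failed password for alice from 203.0.113.7 port 51004 ssh2
2024-03-01T08:00:40 srv-web-01 sshd: Accepted password for alice from 203.0.113.7 port 51005 ssh2
2024-03-01T08:05:00 srv-web-01 sshd: Accepted publickey for bob from 192.0.2.10 port 40000 ssh2
2024-03-01T09:00:00 vpn-01 vpnd: user=carol result=FAILED src=198.51.100.3
2024-03-01T09:00:30 vpn-01 vpnd: user=carol result=SUCCESS src=198.51.100.3
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
VPN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) vpnd: user=(?P<user>\S+) "
    r"result=(?P<outcome>SUCCESS|FAILED) src=(?P<src>\S+)")


def normalize(line):
    """Map one raw line to the common schema; None if no parser matches
    (a SIEM would count that as a parse failure for log source monitoring)."""
    for rx in (SSHD_RE, VPN_RE):
        m = rx.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["success"] = ev["outcome"] in ("Accepted", "SUCCESS")
            return ev
    return None


def detect(lines, fail_threshold=5, window=timedelta(seconds=60), prior_failures=3):
    """Two starter rules for the authentication use case:
    brute_force            - at least fail_threshold failures from one source
                             address within window, counted across all systems;
    success_after_failures - a successful login from a source that produced at
                             least prior_failures failures in the preceding window."""
    events = sorted(filter(None, map(normalize, lines)), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # src -> failure timestamps still inside window
    last_fired = {}                      # src -> when brute_force last fired (re-arms after window)
    alerts = []
    for ev in events:
        src = ev["src"]
        fails = [t for t in recent_failures[src] if ev["ts"] - t <= window]
        if ev["success"]:
            if len(fails) >= prior_failures:
                alerts.append({"rule": "success_after_failures", "ts": ev["ts"], "src": src,
                               "host": ev["host"], "user": ev["user"], "count": len(fails)})
        else:
            fails.append(ev["ts"])
            armed = src not in last_fired or ev["ts"] - last_fired[src] > window
            if len(fails) >= fail_threshold and armed:
                last_fired[src] = ev["ts"]
                alerts.append({"rule": "brute_force", "ts": ev["ts"], "src": src,
                               "host": ev["host"], "user": ev["user"], "count": len(fails)})
        recent_failures[src] = fails
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS.splitlines()):
        print(a["ts"].isoformat(), a["rule"], a["src"], a["host"], a["user"], a["count"])
```

Counting failures per source address across all systems is what the cross-system collection step buys you: the five failures here are split over two servers and three usernames, so a per-host rule would see at most three. The VPN user fails once and then succeeds, which stays below the threshold and produces nothing; that is the "test rules to see whether incidents will be detected" step in miniature, run in both directions.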
12. Use Output-Driven SIEM: Start Backwards!
Data Sources (Logs, Flows, Context, Etc.) -> SIEM Tool -> Alerts, Actions, Reports, Investigation
Start from the right end: decide which alerts, actions, reports and investigations you need, then work back to the content and data sources that produce them.
14. Essential SIEM Operational Processes
Collector and log source configuration
SIEM uptime and performance monitoring
Escalation and collaboration
Content tuning and customization process
Analyst training
SIEM program checkpoint
• Incident response
• Security:
  • Detection focus:
    • Alert triage process
    • Activity baselining process
  • Response focus:
    • Indicator analysis process
    • Remediation process
• Compliance:
  • Report review process
  • Report refinement based on changing requirements process
  • Compliance issue remediation process
More Essential SIEM Processes
Mature security operations only: Data exploration process/"hunting"
16. Suggested SIEM Alert Workflow
Individual Alert -> Investigate, then classify:
• Routine Entry (follows daily baseline) -> No Action Required
• Known Bad Issue (documented as indication of problems) -> Verify Impact / Prioritize -> Incident Response Workflow
• Out of Baseline Issue (unknown status) -> Additional Investigation (not to incident) -> Unknown becomes Good or Bad after analysis:
  • Good -> Document as "Good"; Tune Rules Accordingly
  • Bad -> Verify Impact / Prioritize -> Incident Response Workflow
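The workflow above, as an added example that is not part of the original deck, written as a small Python routing class so the tuning loop is visible: an alert that analysts judge "good" after investigation is added to the daily baseline, and the next identical alert comes back as routine instead of consuming analyst time. The known-bad indicator, the baseline entry and the sample alerts are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed triage knowledge (placeholders, not from the deck): one source
# address documented as known bad after an earlier incident, and one
# (rule, source) pair already reviewed and documented as part of the daily baseline.
KNOWN_BAD_SOURCES = {"203.0.113.7"}
DAILY_BASELINE = {("failed_login_burst", "10.0.0.5")}  # e.g. an internal scanner that probes SSH nightly


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    host: str
    user: str


class AlertWorkflow:
    """Routes one alert at a time through the slide's decision tree and keeps
    the tuning loop: an out-of-baseline alert judged 'good' after analysis is
    added to the baseline so the next identical alert is routine."""

    def __init__(self, known_bad, baseline):
        self.known_bad = set(known_bad)
        self.baseline = set(baseline)
        self.log = []  # (alert, disposition, next_step), the record metrics are built from

    def triage(self, alert, analyst_verdict=None):
        """Return (disposition, next_step). analyst_verdict is None on first
        sight; 'good' or 'bad' once additional investigation has concluded."""
        key = (alert.rule, alert.src)
        if alert.src in self.known_bad:
            result = ("known_bad", "verify impact / prioritize -> incident response workflow")
        elif key in self.baseline:
            result = ("routine", "no action required")
        elif analyst_verdict is None:
            result = ("unknown", "additional investigation (not to incident)")
        elif analyst_verdict == "good":
            self.baseline.add(key)  # document as "good"; tune rules accordingly
            result = ("good", "documented as good; rule tuned")
        elif analyst_verdict == "bad":
            result = ("bad", "verify impact / prioritize -> incident response workflow")
        else:
            raise ValueError(f"unknown verdict: {analyst_verdict!r}")
        self.log.append((alert, *result))
        return result


def run_demo():
    """Walk constructed alerts through the workflow; returns the dispositions
    in order plus the workflow object with its tuned baseline and audit log."""
    wf = AlertWorkflow(KNOWN_BAD_SOURCES, DAILY_BASELINE)
    a_known = Alert("failed_login_burst", "203.0.113.7", "srv-web-01", "alice")
    a_routine = Alert("failed_login_burst", "10.0.0.5", "srv-db-02", "scanner")
    a_new = Alert("failed_login_burst", "198.51.100.3", "vpn-01", "carol")
    steps = [
        wf.triage(a_known),                          # known bad -> straight to IR
        wf.triage(a_routine),                        # in baseline -> no action
        wf.triage(a_new),                            # out of baseline -> investigate
        wf.triage(a_new, analyst_verdict="good"),    # analyst: benign -> baseline tuned
        wf.triage(a_new),                            # same alert again -> now routine
    ]
    return [disposition for disposition, _ in steps], wf


if __name__ == "__main__":
    dispositions, wf = run_demo()
    for alert, disposition, next_step in wf.log:
        print(f"{alert.rule} from {alert.src}: {disposition} -> {next_step}")
```

The audit log the class keeps is what the "Tune" role needs: every "good" verdict is a rule that should be refined, and the ratio of unknown to routine dispositions over time shows whether the baseline is keeping up with the environment.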
17. SIEM Skills for Success
"Run" Skill Set + "Watch" Skill Set + "Tune" Skill Set = SIEM Win!
18. Core SIEM Team Skills
Shorthand: Description; Common Job Titles for This Role
Run: Maintain a SIEM product in operational status, monitor its uptime, optimize performance, deploy updates, and perform other system management tasks; SIEM administrator and SIEM engineer
Watch: Use the SIEM product for security monitoring, investigate alerts and review activity reports; Security analyst, SIEM analyst, and incident responder
Tune: Refine and customize SIEM content and create content specific to new use cases; Content developer and SIEM consultant
20. • Use cases are not “set and forget”.
• Many situations where a use case has to be reviewed:
  • New tool implementation review
  • Periodic review (quarterly)
  • Triggered by:
    • Performance issues
    • Effectiveness issues (false positives, false negatives, number of alerts)
    • Changes to business, environment, threats or technology
Reviewing Your SIEM Use Cases
22. SIEM Maturity Roadmap
State No.: Maturity Stage; Key Processes That Must Be in Place
1: SIEM deployed and collecting some log data; SIEM infrastructure monitoring process, log collection monitoring process
2: Periodic SIEM usage, dashboard/report review; incident response process, report review process
3: SIEM alerts and correlation rules enabled; alert triage process
4: SIEM tuned with customized filters, rules, alerts, and reports; real-time alert triage process, content tuning process
5: Advanced monitoring use cases, custom SIEM content use cases; threat intelligence process, content research and development
23. Sample Metrics For Use Case Management
Metric
Use Cases in Production vs Use Cases Waiting for Implementation
Number of Use Cases reviewed per time period
Number of Use Cases optimized/changed per time period, including reasons for changes.
Number of Use Cases removed per time period, including reasons for removal
Number of Use Cases implemented per monitoring tool
Number of Use Cases not implemented due to Technology limitations
24. SIEM and Friends
TI -> SIEM: threat intelligence feeds SIEM detection
SIEM -> EDR: SIEM alerts; EDR -> SIEM: confirmed alert
UEBA -> SIEM: new insight
25. • Deploy User and Entity Behavior Analytics (UEBA) — "add-on" SIEM brain for user-centric analysis:
  • Detect compromised accounts "automatically"
  • Enrich alerts with user behavior profiles
  • Utilize vendor-provided anomaly algorithms
  • Eventually refine/define own algorithms
Quick Win: Graduating Beyond SIEM
26. • Have to solve security problems that SIEM is suboptimal for?
• Want to apply more algorithms to log, flow and context data?
• Have higher volume or diversity of data?
• Need to postprocess alerts?
SIEM and/or/vs/with Security Analytics?
28. • Planning:
  • Skip the planning stage and just buy some SIEM tool
  • Define the need for a SIEM in vague terms
  • Fail to define the initial deployment scope, starter use cases
• Operation:
  • Assume that the SIEM effort would run itself, skimp on the people side
  • Practice “input-driven” SIEM
  • Not refining the evolving requirements
Top SIEM Pitfalls
29. Think "security monitoring capability," not "SIEM box."
SIEM requires "care and feeding" to give value:
• Prepare to be involved with the tool indefinitely.
Use "output-driven" SIEM approach.
Define processes and dedicate personnel to use the tool:
• Define/refine an incident response process.
Follow the maturity levels — or suffer!
Review your route beyond SIEM — UBA, analytics, etc.
Advice