Dr. Anton Chuvakin, Author and IT Security Instructor

A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security

WHITE PAPER

Introduction

Recent economic troubles might have something to do with the fact that many organizations today seek to establish only the bare minimum level of security. To be more precise, they try to do what they think is the bare minimum. In fact, their belief that security “due diligence” can be reduced to the level prescribed by regulations such as the Payment Card Industry Data Security Standard (PCI DSS) is more common than ever. Unfortunately, the results of this flawed thinking include security breaches and other damaging events.

This trend toward establishing the minimum required level of security has affected many security safeguards, including Security Information and Event Management (SIEM) and log management. Most organizations simply deploy these technologies to place a check in the compliance check box. In this paper we will take a look at this disturbing trend and provide useful guidance for maximizing the value of SIEM and log management tools, while focusing on protecting systems and data—not on simply checking the compliance check box.

But first, let’s get more familiar with the background of SIEM products. Even though organizations have had the need to collect, manage and analyze computer log data for as long as computers have existed, dedicated Security Information and Event Management (SIEM) products only emerged on the market in the late 1990s. Later, dedicated log management tools emerged to address broad log retention and log review requirements across all of IT, and not just the traditional security space.

Although the primary purpose for SIEM was to reduce network IDS “false positives” and to make sense of other security alerts and event records, these products often did so at the cost of increased product and integration complexity. As a result, these tools were only used by the largest organizations because they were willing to invest time in learning how to operate their SIEM frameworks. In addition, such use was mostly limited to network security.

In more recent years, several different trends—namely changes in the regulatory landscape and a shift of attacks to the application level—have led to the evolution of the SIEM and log management space. These tools are now used for overall compliance management, user tracking, application security monitoring, compliance auditing and even fraud detection. They also continue to be used for operational monitoring and issue troubleshooting.

Let’s define what SIEM and log management tools are and what they do.

Security information and event management covers relevant log collection, aggregation, normalization and retention, context data collection, alerting, analysis (correlation and prioritization), presentation (reporting and visualization), security-related workflow, and relevant security content. Typical uses for SIEM tools center on network security, data security and regulatory compliance.

On the other hand, log management includes comprehensive log collection, original log retention, analysis, presentation (search, reporting, and visualization), related workflow, and relevant content such as reports and search queries. Log management usage is broad and covers all possible applications for log data across IT and even beyond information technology—but certainly includes security and compliance use.

To summarize, SIEM focuses on security while log management focuses on broad use of log data. More specifically, SIEM tools include correlation and other real-time analysis functionality, which is useful for real-time monitoring. In comparison, log tools often focus on advanced search across all log data. Today, select tools combine select capabilities of SIEM and log management in a single product or product suite.

Which One Is For You?

At this point you may be asking, “Which product is for me?” The answer is easy: if you have logs (which you do if you have computers), you need a log management tool. And if you want to make use of these logs for security monitoring, you also need SIEM capabilities. However, you will learn later in this paper that trying to use advanced and near real-time monitoring features of SIEM tools before you’re able to reliably collect log data rarely results in success.

When choosing a tool, it may be helpful to first begin by identifying the problem you’re trying to solve with it. Over the years, the following areas where SIEM and log management tools can deliver value have emerged:

1. Security, detective, and investigative. Sometimes also called threat management, this area focuses on detecting and responding to attacks, malware infection, data theft and other security issues. It may be useful to divide this area into monitoring and detection of security issues, and investigation and forensic analysis of security incidents.
2. Compliance, regulatory (global) and policy (local). This area focuses on satisfying the requirements of various laws, mandates and frameworks. Most of these mandates have the intent of improving security, so there is a lot of overlap between this area and the previous one.
3. Operational, system and network troubleshooting and administration. This area applies mostly to log management, and has to do with investigating system problems as well as monitoring the availability of systems and applications.

The above three drivers likely cover nearly 100 percent of SIEM and log management deployments today. It is worth noting that the most common scenarios for SIEM deployments today are “buy for compliance, use for compliance” and “buy for compliance, use for security,” or a combination of the two. When used in combination, the SIEM or log management tool is purchased for a tactical compliance project, and over time is used to solve many other problems. Let’s review this in detail.

Let’s further examine the defining features of SIEM. Most organizations will look for these features when choosing an SIEM product. The features include:

1. Log and Context Data Collection. The ability to collect logs and context data using a combination of agent-based and agent-less methods.
2. Normalization. The ability to convert most original logs into a universal format, usable for cross-source reporting and correlation.
3. Correlation. Rules-based, statistical or algorithmic and other methods of relating different events to each other and events to contextual data.
4. Notification/alerting. The ability to trigger notifications or alerts to operators or managers. Common alerting mechanisms include email, SMS, or even Simple Network Management Protocol (SNMP) messages.
5. Prioritization. Different features that help distinguish important events from less critical security events, for example by correlating security events with vulnerability data, or asset and identity information.
6. Real-time View of Security. Security-monitoring dashboards and displays that security operations personnel use to easily review current system and user activity.
7. Reporting. The ability to generate scheduled and as-needed reports to gain historical views of data collected by the SIEM product. Some products also have a mechanism for distributing reports to security personnel, either by e-mail or a dedicated web portal. SIEM reporting relies on parsing and normalizing log data.
8. Security Role Workflow. Incident management features that allow security personnel to open incident cases, perform investigative triage, and perform other security operations tasks using automation or partial automation.

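The feature list above reads as a pipeline: collect logs and context, normalize, correlate, prioritize, alert. The following is an added example, not code from the white paper or from any SIEM product, that runs that pipeline in miniature over constructed input. The syslog lines, the key=value Windows-style lines, the hostnames, addresses and the asset inventory are all made up for this example, and the correlation rule, scoring thresholds and severity labels are this example's own choices rather than any product's.

```python
"""Added example (not from the white paper): a miniature SIEM pipeline showing
the features listed above: log and context collection, normalization into one
schema, rule-based correlation, prioritization using asset context, and alert
generation. Every log line, hostname, address and asset record is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# 1. Collection: constructed raw events from two different log sources.
RAW_SYSLOG = [
    "Mar  3 10:01:05 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 5011 ssh2",
    "Mar  3 10:01:09 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 5012 ssh2",
    "Mar  3 10:01:14 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 5013 ssh2",
    "Mar  3 10:01:20 web01 sshd[2203]: Accepted password for root from 203.0.113.7 port 5014 ssh2",
    "Mar  3 10:05:00 web01 sshd[2210]: Failed password for alice from 198.51.100.9 port 6001 ssh2",
]
RAW_WINEVT = [  # key=value form as a hypothetical Windows collector might emit it
    "TimeCreated=2024-03-03T10:02:30 Computer=db01 EventID=4625 TargetUserName=svc_db IpAddress=203.0.113.7",
    "TimeCreated=2024-03-03T10:02:31 Computer=db01 EventID=4625 TargetUserName=svc_db IpAddress=203.0.113.7",
    "TimeCreated=2024-03-03T10:02:32 Computer=db01 EventID=4625 TargetUserName=svc_db IpAddress=203.0.113.7",
    "TimeCreated=2024-03-03T10:02:40 Computer=db01 EventID=4624 TargetUserName=svc_db IpAddress=203.0.113.7",
]
# Context data: a constructed asset inventory; criticality feeds prioritization.
ASSETS = {"web01": {"criticality": 2, "in_pci_scope": False},
          "db01":  {"criticality": 5, "in_pci_scope": True}}

# 2. Normalization: both formats become the same dict schema.
SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")

def normalize_syslog(line, year=2024):
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unknown line shape: keep it raw in the log store, never guess fields
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure"}

def normalize_winevt(line):
    kv = dict(tok.split("=", 1) for tok in line.split())
    if kv.get("EventID") not in ("4624", "4625"):  # logon success / logon failure
        return None
    return {"ts": datetime.fromisoformat(kv["TimeCreated"]), "host": kv["Computer"],
            "user": kv["TargetUserName"], "src": kv["IpAddress"],
            "outcome": "success" if kv["EventID"] == "4624" else "failure"}

def normalize_all(syslog_lines, winevt_lines):
    events = [e for l in syslog_lines if (e := normalize_syslog(l))]
    events += [e for l in winevt_lines if (e := normalize_winevt(l))]
    return sorted(events, key=lambda e: e["ts"])

# 3. Correlation: a rule relating events to each other. Several failures followed
#    by a success from the same source against the same host inside a time window.
def correlate(events, threshold=3, window=timedelta(minutes=5)):
    failures = defaultdict(list)  # (src, host) -> failure timestamps
    alerts = []
    for e in events:
        key = (e["src"], e["host"])
        if e["outcome"] == "failure":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "failures-then-success", "host": e["host"],
                           "src": e["src"], "user": e["user"], "ts": e["ts"]})
    return alerts

# 4. Prioritization: the same rule firing on a critical, in-scope asset matters more.
def prioritize(alert, assets):
    asset = assets.get(alert["host"], {})
    score = 3 + asset.get("criticality", 0) + (2 if asset.get("in_pci_scope") else 0)
    alert["severity"] = "high" if score >= 8 else ("medium" if score >= 5 else "low")
    return alert

# 5. Notification: the text an e-mail or pager hook would receive.
def format_alert(alert):
    return (f"[{alert['severity'].upper()}] {alert['rule']} on {alert['host']}: "
            f"user {alert['user']} from {alert['src']} at {alert['ts']:%Y-%m-%d %H:%M:%S}")

def run_pipeline(syslog_lines=RAW_SYSLOG, winevt_lines=RAW_WINEVT, assets=ASSETS):
    events = normalize_all(syslog_lines, winevt_lines)
    return [prioritize(a, assets) for a in correlate(events)]

if __name__ == "__main__":
    for alert in run_pipeline():
        print(format_alert(alert))
```

Running the module prints two alerts: the same rule fires on web01 and on db01, but the db01 alert is rated high because the asset context marks it as critical and in PCI scope, which is what the prioritization feature is for. Lines that match no parser return None instead of a guessed record; in a real deployment those stay raw in the log management tier, which is the paper's point about reliable collection coming before real-time monitoring.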
Deploying and Using SIEM

As organizations face complex security, regulatory and operational issues, the tools that help them address those issues have grown in complexity as well. As a result, companies sometimes have trouble planning, deploying and then using SIEM and log management tools effectively. In this paper we will share a few proven strategies for implementing and deploying SIEM and log management tools, both for satisfying regulatory compliance mandates and beyond.

So, how can you use SIEM effectively? You have to do some planning before you can answer this question. This planning includes the most important concept for deploying and utilizing a SIEM—the concept of a “use case.”

Originating in the software development industry, the term “use case”¹ simply denotes a description of how the user uses a system to solve a particular problem. For example, a use case for SIEM can center on satisfying the PCI DSS requirements or enabling the incident response team to track down a compromised IT asset.

Since SIEM and log management tools are useful for solving a wide range of IT problems, it makes sense to approach your SIEM purchase with your particular problem set in mind. For example, if your organization wants to build a security operations center (SOC), your choice of SIEM will be very different from an organization that wants to simply review server logs for evidence of unauthorized access in order to comply with a regulation. Similarly, speeding up your incident response routines calls for a different log management tool than one you’d use for HIPAA reporting (though better incident handling practices would almost certainly help you safeguard health information).

The entire range of SIEM use cases fits in the three categories we mention above:

1. Security, detective, and investigative;
2. Compliance, regulatory (global) and policy (local); and
3. Operational, system and network troubleshooting and administration.

Before we consider a few SIEM use cases in detail, let’s define what we called a pragmatic approach to SIEM.

Pragmatic Approach to SIEM

Given the trend of focusing on bare minimum security, the pragmatic approach to SIEM for many organizations can be summarized as “buy for compliance, use for security (and IT operations as well).” Let’s review how you follow this approach for achieving security success and not just auditor approval.

Many Chief Security Officers (CSOs) have found out that compliance initiatives and other projects driven by “the fear of auditors” can be funded more easily than pure data protection and “the fear of hackers” projects. Even though this trend may reverse itself in the future, today it is a fact of life. Recent analyst estimates show that 70 percent to 80 percent of SIEM and log management implementations are driven by compliance needs.

Here is how to follow the pragmatic approach in instances where compliance drives SIEM and log management implementation:

First, compile a list of regulations you must comply with, focusing particular attention on areas where an SIEM or log management tool can be useful. In many cases, the list may contain only one regulation, but that one regulation is one you absolutely must address.

Second, whenever practical, you should then review other possible goals that SIEM can help you achieve. Deciding whether SIEM satisfies a critical business need, such as “buy as an enabling technology for your SOC,” is an essential step.

Third, you must decide whether you are prepared to work to make your SIEM tool solve your problem, whether for compliance or other needs. Despite help from the vendor and possibly consultants, there are additional tasks you’ll have to perform to make SIEM work.

Now, acquire and implement the SIEM solution. This is where you work jointly with the vendor in order to build your initial implementation for regulatory compliance, such as PCI DSS.

Now, start actually using SIEM for both the “letter and spirit” of the regulation. This step is the most important one in the approach—one of the biggest mistakes organizations make in this area is thinking that simply owning an SIEM tool makes them compliant. In reality, building daily operational procedures and processes to go with your SIEM
is the only way to do that. Sadly, few people remember that PCI DSS prescribes a large set of periodic tasks, from annual to daily. Reviewing logs daily is the most well known example of such a practice, not just “having logs.”

Finally, expand the use case beyond compliance. Tips for expanding deployment and solving other problems with your SIEM tool are provided in the next section. For example, you can quickly improve your security capability for incident response and forensics—the easiest and most common security use of log management and SIEM tools beyond compliance.

Given the obvious benefits to this approach, it is surprising that more organizations don’t follow it. Some simply choose to procure a tool, connect it to the network and never actually use it—whether for security or compliance purposes. Such organizations will be surprised to discover they are neither compliant nor secure, as this level of implementation provides none of the benefits of SIEM. It’s also interesting to note that many of the organizations studied in the Verizon Data Breach report² that were breached had all the evidence of the breach in their logs and available since the day of the breach.

So, build the urgency for SIEM using regulatory compliance, then start taking the regulation to heart by using the tools for compliance and data security. From that point, expand the use case to solve more problems within your organization. Remember, a box in the datacenter rack does not make you compliant; a tool combined with people diligently following operational procedures does.

As we mentioned above, compliance is often the main driver for SIEM deployment today. Let’s delve deeper into the regulations and their impact on SIEM technology.

PCI DSS

The Payment Card Industry Data Security Standard applies to all organizations that handle credit card transactions. Since we talk about the letter and spirit of regulations, the spirit of PCI is in reducing the overall risk associated with payment card transactions. While complete elimination of sensitive payment card data for risk reduction is a noble goal, achieving it today is unlikely for most merchants. As a result, after appropriately scoping your PCI DSS environment, you need to focus on protecting the data and monitoring all access to it.

Even though logging is present in all PCI requirements, the PCI DSS also contains Requirement 10, which is dedicated to logging and log management. Under this requirement, logs for all system components must be reviewed at least daily—a key operational procedure that is necessary for compliance! These reviews must include logs of servers that perform security functions, such as intrusion-detection systems and authentication, authorization, and accounting protocol servers. PCI Requirement 10 is a very common reason why organizations research and look into purchasing SIEM and log management tools today.

Further, the PCI DSS states that the organization must ensure the integrity of its logs by implementing file integrity monitoring and using change detection software on logs (in addition to other key files) to ensure that existing log data cannot be changed without alerting security personnel. It also states that logs from in-scope systems must be stored for at least one year. Broader security monitoring is also present in Requirement 11 of the PCI DSS.

HIPAA/HITECH

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines relevant security standards for health information. As with PCI, the intent of HIPAA is to reduce risks, but in this case to sensitive health information. Unlike payment data, however, health information cannot simply be deleted from storage, which certainly complicates compliance with the regulation. The following HIPAA requirements apply broadly to logging, log review and security monitoring:

Section 164.308(a)(5)(ii)(C) “Log-in Monitoring” calls for monitoring the systems touching patient information for login and access. The requirement applies to “login attempts,” and implies login attempts that failed or succeeded.

Section 164.312(b) “Audit Controls” broadly covers audit logging and other audit trails on systems that deal with sensitive health information. Review of such audit logs seems to be implied by this requirement.

Section 164.308(a)(1)(ii)(D) “Information System Activity Review” prescribes review of various records of IT activities such as logs, systems utilization reports, incident reports and other indications of security-related activities.

In addition, the NIST SP 800-66 document titled “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule” details more specific log management requirements for securing electronic protected health information. Section 4.1 of this document describes the need for regular review of information system activity, such as audit logs, access reports and security incident-tracking reports.

A recent enhancement to HIPAA is called the Health Information Technology for Economic and Clinical Health Act or HITECH Act. The act seeks to further “address the privacy and security concerns associated with the electronic transmission of health information.”

NERC

North American Electric Reliability Corporation (NERC) publishes Critical Infrastructure Protection (CIP) standards that contain important information security requirements. The spirit of NERC is in maintaining the operation of the critical bulk electric system. In the case of NERC, clearly the focus is on system uptime and not on information confidentiality as it is in PCI DSS and HIPAA.

Among the CIPs, there are requirements about logging, alerting and log review, as well as broader security monitoring. For example, Requirement CIP-005-1 R3.2 states that “security monitoring process(es) shall detect and alert for attempts at or actual unauthorized accesses. These alerts shall provide for appropriate notification to designated response personnel. Where alerting is not technically feasible, the Responsible Entity shall review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every ninety calendar days.” In most cases, the effort focuses on issue detection and rapid investigation, and not on the long-term data theft breach investigation.

Additional security monitoring requirements are also defined in the NERC CIP standards.

ISO2700x

ISO27001, formally known as “Information technology—Security techniques—Information security management systems—Requirements,” is a direct descendant of ISO17799 and British Standard 7799. ISO specifies requirements for managing the security of information systems. The standard also prescribes audit logging and audit log review and retention.

For example, ISO27001 mentions that “audit logs should be turned on for security events, user activities, and exceptions. They should be kept for a predetermined period of time.” (section A.10.10.1 of ISO/IEC 27001 Information Security Management Systems – Requirements). However, the standard provides no further guidance regarding what details must be recorded in logs or how long the logs should be retained.

The standard does make references to reviewing audit logs and security monitoring without providing operational level details about them. Despite that, organizations that plan to certify their compliance with ISO27001 are likely to deploy SIEM or log management tools.

Overall, this summary indicates that many mandates have similar requirements with regards to log management and security monitoring. This simply means that complying with one regulation will get you a long way toward complying with other current and future regulations. Also, one of the most important things to remember from reviewing these regulations is that simply deploying a tool, even an advanced SIEM tool, does nothing for compliance unless you use it. Good auditors will check for processes and procedures built around tools in order to satisfy the spirit of regulations; they won’t just look at blinking lights in the datacenter.

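Of the mandates reviewed above, PCI DSS Requirement 10 is the one that states log-protection controls concretely enough to check with a script: existing log data must not be changeable without detection, and in-scope logs must be kept for at least a year. The following is an added example, not code from the white paper or from any PCI DSS document or product. It keys a SHA-256 hash chain over constructed audit lines (HMAC with a key named DEMO_KEY, an assumption of this example) so that an edit, a deletion or a truncation is located at the record where it happened, and it computes which rotated log segments a 365-day retention rule allows to be purged; the segment dates are constructed.

```python
"""Added example (not from the white paper): change detection on stored logs and
a retention check, the two PCI DSS Requirement 10 controls discussed above. The
log lines and dates are constructed; the keyed hash-chain layout is this
example's own, not a PCI DSS or vendor format."""
import hashlib
import hmac
from datetime import date, timedelta

# Assumption: the log writer holds this key; it must not sit on the monitored host's disk.
DEMO_KEY = b"constructed-demo-key"

LOG_LINES = [  # constructed audit records for a system in PCI scope
    "2024-03-01T08:00:01Z db01 audit: user svc_db SELECT on cardholder.pan rows=12",
    "2024-03-01T08:00:07Z db01 audit: user admin ALTER TABLE cardholder.pan",
    "2024-03-01T08:00:09Z db01 sshd: Failed password for root from 203.0.113.7",
    "2024-03-01T08:00:15Z db01 sshd: Accepted publickey for backup from 10.0.0.5",
]
# Constructed rotated segments: (segment start date, final digest stored off-host).
SEGMENTS = [(date(2023, 1, 15), "<digest>"), (date(2023, 6, 1), "<digest>"),
            (date(2024, 2, 1), "<digest>")]
TODAY = date(2024, 3, 3)

def _link(prev, n, line, key):
    # Digest n binds the previous digest, the record index and the record text.
    return hmac.new(key, prev + f"{n}\n{line}".encode(), hashlib.sha256).digest()

def chain_log(lines, key=DEMO_KEY):
    """Return (records, final_digest_hex); records are (line, digest_hex) pairs.
    Editing, deleting or reordering any line changes every digest after it, and
    without the key the chain cannot be recomputed to hide the change."""
    prev, records = b"\x00" * 32, []
    for n, line in enumerate(lines):
        prev = _link(prev, n, line, key)
        records.append((line, prev.hex()))
    return records, prev.hex()

def verify_chain(records, expected_final_hex, key=DEMO_KEY):
    """Recompute the chain. (True, None) if intact; otherwise (False, index) where
    index is the first record that fails, or len(records) if the file was truncated."""
    prev = b"\x00" * 32
    for n, (line, stored_hex) in enumerate(records):
        prev = _link(prev, n, line, key)
        if not hmac.compare_digest(prev.hex(), stored_hex):
            return False, n
    if not hmac.compare_digest(prev.hex(), expected_final_hex):
        return False, len(records)
    return True, None

def purge_plan(segments, today, keep_days=365):
    """Retention: a segment may be deleted only once it is older than keep_days.
    Returns (keep, delete) lists of segment start dates."""
    cutoff = today - timedelta(days=keep_days)
    keep = [d for d, _ in segments if d >= cutoff]
    delete = [d for d, _ in segments if d < cutoff]
    return keep, delete

def retention_plan(segments=SEGMENTS, today=TODAY):
    keep, delete = purge_plan(segments, today)
    return {"keep": [d.isoformat() for d in keep], "delete": [d.isoformat() for d in delete]}

def demo():
    records, final = chain_log(LOG_LINES)
    print("intact:", verify_chain(records, final))
    # Record 1 rewritten after the fact (its stored digest no longer matches).
    edited = list(records)
    edited[1] = ("2024-03-01T08:00:07Z db01 audit: user admin SELECT on cardholder.pan rows=1",
                 records[1][1])
    print("edited record at index", verify_chain(edited, final)[1])
    # Record 2 removed: record 3 slides into index 2 and fails there.
    print("deleted record at index", verify_chain(records[:2] + records[3:], final)[1])
    # File cut short: every remaining record verifies, the stored final digest does not.
    print("truncation at index", verify_chain(records[:-1], final)[1])
    print("retention:", retention_plan())

if __name__ == "__main__":
    demo()
```

The check is only as good as where the key and the final digest live: keep both off the monitored host (forward them with the logs to the log management tool), otherwise an administrator-level change on that host could rewrite the chain along with the log. File integrity monitoring products applied to log files work on the same principle, holding their baseline hashes away from the system being watched, which is what lets them satisfy the "cannot be changed without alerting security personnel" wording.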
“Compliance+”: Where to Go Next?

After the initial regulatory challenges are addressed, what do you do next? Given the scope of regulations shown above, your organization would already have a fairly robust security monitoring program, backed up by periodic processes, review procedures and an exception handling process.

It is likely that you would not be surprised that unauthorized access to servers is covered by a particular regulation. It is also likely that unauthorized changes in your environment will be reduced to a minimum. Deploying integrity checking systems mandated by PCI DSS, and then diligently using them, will allow your organization to be constantly aware of what happens in your environment. If unauthorized changes are detected that indicate an incident, your incident response process will be triggered into action.

In addition, complying with regulations has likely enabled you to keep an eye on the sensitive data that flows in and out of your environment. Hopefully, you have applied the safeguards not only to regulated data but also to data internally considered sensitive.

For example, an organization may choose to fully adopt PCI DSS compliance and invest time in developing their daily log review practices, tying them to incident response plans and educating developers on writing better software that deals with payment data. In fact, some organizations have been known to build their entire security programs on top of PCI DSS guidance. Clearly this approach will allow them to benefit from SIEM and log management tools that they already own.

The next step is to improve the incident response process so that it can react even faster. While regulations prescribe some incident response practices such as having an incident response plan, being ready for any incident, including a zero-day attack, takes more work and more operational maturity that goes beyond compliance.

The next step beyond compliance might be to improve the security monitoring process. Simply buying a tool that is capable of enabling such monitoring does not create a monitoring capability; this capability requires a combination of skilled personnel with effective SIEM tools. Fortunately, most organizations have monitoring tools for operational visibility—uptime monitoring. It is important to note that many organizations will not ever be large enough to justify having a full Security Operations Center (SOC). At the same time, having a person or a team dedicated to ongoing periodic security monitoring will likely help most organizations.

We can benefit from the past experiences of organizations that have gone beyond compliance to learn about the numerous possible mistakes and pitfalls that might occur. We will first present a few general tips for succeeding based on these past experiences, and then categorize common mistakes that organizations committed while doing so.

First, if you deploy for compliance, make sure your tools operationalize and adopt the regulation as the framework. Don’t simply put a checkmark in the compliance checkbox.

Second, always operationalize SIEM and log management tools in phases. One common approach is to go from traditional server and firewall logs to application logs, and from collection to review to near real-time monitoring.

Third, always keep the use cases—what you’re trying to achieve with an SIEM tool—in mind. Think about them when using and expanding the use of your SIEM. Even if compliance is a primary SIEM driver, focusing on outcomes useful for your business will give you more success on your journey to better data security.

Common Pitfalls in Using SIEM for Regulatory Compliance

The biggest logging, SIEM and compliance mistake is simply this: thinking that to be compliant you must only collect logs in a log management tool. This is one of the most egregious errors you can make. Simply reading the text of most regulations will reveal the additional items you need to address, such as log review, log protection, logging specific details for various events, handling exceptions and many others.

PCI DSS prescribes log review and log protection, HIPAA calls for monitoring, NERC asks for incident process ease. Not a single regulation is solely about storing logs.

A second common mistake is focusing on the letter of regulations, and not their intended spirit. The best way to summarize it is: if you focus on security, you have a shot at being compliant and secure; if you only focus on compliance, you probably will not be secure and will be out of compliance. Just ask the victims of recent breaches who were justifiably found to be out of compliance.
   Finally, although the siloed approach to regulations is the unfortunate norm today, that does not make it the right approach. Given the large overlap across regulations in what they mandate relative to audit logging, security monitoring, change detection, incident response and other security practices, it makes sense to implement the superset of these requirements once. By not tackling regulations one by one, you avoid wasting resources and causing delays.


Conclusion
While some organizations continue to try to reduce security to some minimum baseline, this approach is not a recipe for customer trust and data protection. Many of the recent challenges with SIEM and log management stem from the fact that powerful SIEM technology is purchased to address a compliance mandate—and does so in a narrow and short-sighted fashion. Following our roadmap for effective use of SIEM tools for compliance and beyond will allow you to avoid mistakes and gain all the benefits of your investment in your SIEM or log management tool.
   In addition, you can expand the use of a SIEM tool beyond compliance to security and operational use cases, focusing on improved incident response practices and moving to automated security monitoring that occurs in near real-time. This approach is the only way to gain visibility, and therefore control, over your ever-growing IT environment. This is also the only way to prepare for the onslaught of virtualization and cloud computing, which will muddy the waters of what specific information and IT assets need to be protected.
   The final word on succeeding with SIEM is this: start by using regulatory guidance, take it to heart, operationalize it, and then expand it to solve “bigger and better” problems.


About the Author
Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of the books “Security Warrior” and “PCI Compliance” and a contributor to “Know Your Enemy II,” “Information Security Management Handbook” and others. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS, and security management (see the list at www.info-secure.org). His blog http://www.securitywarrior.org is one of the most popular in the industry.
   In addition, Anton teaches classes and presents at many security conferences across the world. He recently addressed audiences in the United States, UK, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on the advisory boards of several security start-ups.
   Currently, Anton is developing his security consulting practice www.securitywarriorconsulting.com, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.




ABOUT TRIPWIRE
Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses and government agencies take control of their entire IT infrastructure. Thousands of customers rely on Tripwire’s integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire® VIA™, the comprehensive suite of industry-leading file integrity, policy compliance and log and security event management solutions, is the way organizations can proactively achieve continuous compliance, mitigate risk and improve operational control through Visibility, Intelligence and Automation. Learn more at www.tripwire.com and TripwireInc on Twitter.




©2010 Tripwire, Inc. | Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. | WPSIEM1a

KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...
 
9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi
9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi
9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi
 
Pharma Works Profile of Karan Communications
Pharma Works Profile of Karan CommunicationsPharma Works Profile of Karan Communications
Pharma Works Profile of Karan Communications
 
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
 
Forklift Operations: Safety through Cartoons
Forklift Operations: Safety through CartoonsForklift Operations: Safety through Cartoons
Forklift Operations: Safety through Cartoons
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
 
Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116  - With room ServiceCall Girls in Gomti Nagar - 7388211116  - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Service
 

A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security

  • 1. Dr. Anton Chuvakin, Author and IT Security Instructor A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security WHITE PAPER
  • 2. Introduction

Recent economic troubles might have something to do with the fact that many organizations today seek to establish only the bare minimum level of security. To be more precise, they try to do what they think is the bare minimum. In fact, their belief that security “due diligence” can be reduced to the level prescribed by regulations such as the Payment Card Industry Data Security Standard (PCI DSS) is more common than ever. Unfortunately, the results of this flawed thinking include security breaches and other damaging events.

This trend toward establishing the minimum required level of security has affected many security safeguards, including Security Information and Event Management (SIEM) and log management. Most organizations simply deploy these technologies to place a check in the compliance check box. In this paper we will take a look at this disturbing trend and provide useful guidance for maximizing the value of SIEM and log management tools, while focusing on protecting systems and data—not on simply checking the compliance check box.

But first, let’s get more familiar with the background of SIEM products. Even though organizations have had the need to collect, manage and analyze computer log data for as long as computers have existed, dedicated Security Information and Event Management (SIEM) products only emerged on the market in the late 1990s. Later, dedicated log management tools emerged to address broad log retention and log review requirements across all of IT, and not just the traditional security space.

Although the primary purpose for SIEM was to reduce network IDS “false positives” and to make sense of other security alerts and event records, these products often did so at the cost of increased product and integration complexity. As a result, these tools were only used by the largest organizations because they were willing to invest time in learning how to operate their SIEM frameworks. In addition, such use was mostly limited to network security.

In more recent years, several different trends—namely changes in the regulatory landscape and a shift of attacks to the application level—have led to the evolution of the SIEM and log management space. These tools are now used for overall compliance management, user tracking, application security monitoring, compliance auditing and even fraud detection. They also continue to be used for operational monitoring and issue troubleshooting.

Let’s define what SIEM and log management tools are and what they do.

Security information and event management covers relevant log collection, aggregation, normalization and retention, context data collection, alerting, analysis (correlation and prioritization), presentation (reporting and visualization), security-related workflow, and relevant security content. Typical uses for SIEM tools center on network security, data security and regulatory compliance.

On the other hand, log management includes comprehensive log collection, original log retention, analysis, presentation (search, reporting, and visualization), related workflow, and relevant content such as reports and search queries. Log management usage is broad and covers all possible applications for log data across IT and even beyond information technology—but certainly includes security and compliance use.

To summarize, SIEM focuses on security while log management focuses on broad use of log data. More specifically, SIEM tools include correlation and other real-time analysis functionality, which is useful for real-time monitoring. In comparison, log tools often focus on advanced search across all log data. Today, select tools combine select capabilities of SIEM and log management in a single product or product suite.

2 | WHITE PAPER | A Pragmatic Approach to SIEM
  • 3. Which One Is For You?

At this point you may be asking, “Which product is for me?” The answer is easy: if you have logs (which you do if you have computers), you need a log management tool. And if you want to make use of these logs for security monitoring, you also need SIEM capabilities. However, you will learn later in this paper that trying to use advanced and near real-time monitoring features of SIEM tools before you’re able to reliably collect log data rarely results in success.

When choosing a tool, it may be helpful to first begin by identifying the problem you’re trying to solve with it. Over the years, the following areas where SIEM and log management tools can deliver value have emerged:

1. Security, detective, and investigative. Sometimes also called threat management, this area focuses on detecting and responding to attacks, malware infection, data theft and other security issues. It may be useful to divide this area into monitoring and detection of security issues, and investigation and forensic analysis of security incidents.

2. Compliance, regulatory (global) and policy (local). This area focuses on satisfying the requirements of various laws, mandates and frameworks. Most of these mandates have the intent of improving security, so there is a lot of overlap between this area and the previous one.

3. Operational, system and network troubleshooting and administration. This area applies mostly to log management, and has to do with investigating system problems as well as monitoring the availability of systems and applications.

The above three drivers likely cover nearly 100 percent of SIEM and log management deployments today. It is worth noting that the most common scenarios for SIEM deployments today are “buy for compliance, use for compliance” and “buy for compliance, use for security,” or a combination of the two. When used in combination, the SIEM or log management tool is purchased for a tactical compliance project, and over time is used to solve many other problems. Let’s review this in detail.

Let’s further examine the defining features of SIEM. Most organizations will look for these features when choosing an SIEM product. The features include:

1. Log and Context Data Collection. The ability to collect logs and context data using a combination of agent-based and agent-less methods.

2. Normalization. The ability to convert most original logs into a universal format, usable for cross-source reporting and correlation.

3. Correlation. Rules-based, statistical or algorithmic and other methods of relating different events to each other and events to contextual data.

4. Notification/alerting. The ability to trigger notifications or alerts to operators or managers. Common alerting mechanisms include email, SMS, or even Simple Network Management Protocol (SNMP) messages.

5. Prioritization. Different features that help distinguish important events from less critical security events, for example by correlating security events with vulnerability data, or asset and identity information.

6. Real-time View of Security. Security-monitoring dashboards and displays that security operations personnel use to easily review current system and user activity.

7. Reporting. The ability to generate scheduled and as-needed reports to gain historical views of data collected by the SIEM product. Some products also have a mechanism for distributing reports to security personnel, either by e-mail or a dedicated web portal. SIEM reporting relies on parsing and normalizing log data.

8. Security Role Workflow. Incident management features that allow security personnel to open incident cases, perform investigative triage, and perform other security operations tasks using automation or partial automation.
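The feature list above (collection, normalization, correlation, notification and prioritization) is easier to grasp when the pipeline is spelled out in code. The following is an added example, not code from the paper or from any SIEM vendor: it normalizes constructed log lines from two sources with different native formats (an OpenSSH-style syslog line and an invented CSV-style VPN log) into one schema, applies a single rules-based correlation (repeated authentication failures from one source address followed by a success on the same host), and then prioritizes the resulting alerts using constructed asset context. The hostnames, addresses, asset criticality values and severity weights are all assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# --- Constructed sample input (not taken from the paper) -------------------
# Source 1: OpenSSH-style syslog lines (no year in the timestamp, as in syslog).
SSHD_LOGS = [
    "Mar 12 09:00:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Mar 12 09:00:03 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Mar 12 09:00:04 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Mar 12 09:00:09 web01 sshd[2204]: Accepted password for root from 203.0.113.7 port 51030 ssh2",
    "Mar 12 09:05:00 web01 sshd[2210]: Failed password for alice from 198.51.100.4 port 40001 ssh2",
]
# Source 2: an invented CSV-style VPN appliance log with a different layout.
VPN_LOGS = [
    "2010-03-12T09:10:00Z,vpn01,AUTH_FAIL,bob,192.0.2.55",
    "2010-03-12T09:10:02Z,vpn01,AUTH_FAIL,bob,192.0.2.55",
    "2010-03-12T09:10:03Z,vpn01,AUTH_FAIL,bob,192.0.2.55",
    "2010-03-12T09:10:05Z,vpn01,AUTH_OK,bob,192.0.2.55",
]
# Constructed context data a SIEM would normally pull from an asset inventory.
ASSET_CONTEXT = {
    "web01": {"criticality": "high", "pci_scope": True},
    "vpn01": {"criticality": "medium", "pci_scope": False},
}
PRIVILEGED_USERS = {"root", "Administrator"}


@dataclass(frozen=True)
class Event:
    """Universal schema every source is normalized into (feature 2)."""
    ts: datetime
    host: str
    user: str
    src_ip: str
    outcome: str   # "success" or "failure"
    source: str    # original log source type


@dataclass
class Alert:
    host: str
    user: str
    src_ip: str
    failures: int
    severity: int
    reason: str


SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def normalize_sshd(line, year=2010):
    """Parse a syslog sshd line; the year is assumed because syslog omits it."""
    m = SSHD_RE.match(line)
    if not m:
        return None  # unparsed lines are kept raw by a real tool; skipped here
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    outcome = "success" if m["result"] == "Accepted" else "failure"
    return Event(ts, m["host"], m["user"], m["ip"], outcome, "sshd")


def normalize_vpn(line):
    """Parse the invented CSV format: ts,host,action,user,ip."""
    ts, host, action, user, ip = line.split(",")
    outcome = {"AUTH_OK": "success", "AUTH_FAIL": "failure"}.get(action)
    if outcome is None:
        return None
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, ip, outcome, "vpn")


def prioritize(ev, failures):
    """Feature 5: raise severity using asset and identity context."""
    ctx = ASSET_CONTEXT.get(ev.host, {})
    severity = 5                                                  # base score
    severity += {"high": 3, "medium": 1}.get(ctx.get("criticality"), 0)
    severity += 1 if ctx.get("pci_scope") else 0                  # regulated asset
    severity += 2 if ev.user in PRIVILEGED_USERS else 0           # privileged account
    return severity


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Feature 3: >= threshold failures from one source IP against one host,
    followed within `window` by a success, fires one alert."""
    recent = defaultdict(deque)  # (host, src_ip) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[(ev.host, ev.src_ip)]
        while q and ev.ts - q[0] > window:   # expire failures outside the window
            q.popleft()
        if ev.outcome == "failure":
            q.append(ev.ts)
        elif len(q) >= threshold:
            reason = f"{len(q)} failed logins followed by success within {window.seconds}s"
            alerts.append(Alert(ev.host, ev.user, ev.src_ip, len(q), prioritize(ev, len(q)), reason))
            q.clear()
    return sorted(alerts, key=lambda a: a.severity, reverse=True)


def format_notification(alert):
    """Feature 4: the text an email/SMS/SNMP trap would carry."""
    return (f"[sev {alert.severity}] {alert.host}: {alert.reason} "
            f"(user={alert.user}, src={alert.src_ip})")


def run_pipeline():
    """Collect -> normalize -> correlate -> prioritize; returns alerts, highest first."""
    events = [e for e in map(normalize_sshd, SSHD_LOGS) if e]
    events += [e for e in map(normalize_vpn, VPN_LOGS) if e]
    return correlate(events)


if __name__ == "__main__":
    for a in run_pipeline():
        print(format_notification(a))
```

Two design points worth noting: the correlation rule works only because both sources were first mapped onto the same `Event` fields, which is why the paper lists normalization before correlation, and the same rule produces a higher-severity alert for the PCI-scoped host with a privileged account than for the VPN appliance, which is the prioritization step doing its job rather than the rule itself.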
  • 4. Deploying and Using SIEM

As organizations face complex security, regulatory and operational issues, the tools that help them address those issues have grown in complexity as well. As a result, companies sometimes have trouble planning, deploying and then using SIEM and log management tools effectively. In this paper we will share a few proven strategies for implementing and deploying SIEM and log management tools, both for satisfying regulatory compliance mandates and beyond.

So, how can you use SIEM effectively? You have to do some planning before you can answer this question. This planning includes the most important concept for deploying and utilizing a SIEM—the concept of a “use case.” Originating in the software development industry, the term “use case”1 simply denotes a description of how the user uses a system to solve a particular problem. For example, a use case for SIEM can center on satisfying the PCI DSS requirements or enabling the incident response team to track down a compromised IT asset.

Since SIEM and log management tools are useful for solving a wide range of IT problems, it makes sense to approach your SIEM purchase with your particular problem set in mind. For example, if your organization wants to build a security operations center (SOC), your choice of SIEM will be very different from an organization that wants to simply review server logs for evidence of unauthorized access in order to comply with a regulation. Similarly, speeding up your incident response routines calls for a different log management tool than one you’d use for HIPAA reporting (though better incident handling practices would almost certainly help you safeguard health information).

The entire range of SIEM use cases fits in the three categories we mention above:

1. Security, detective, and investigative;
2. Compliance, regulatory (global) and policy (local); and
3. Operational, system and network troubleshooting and administration.

Before we consider a few SIEM use cases in detail, let’s define what we called a pragmatic approach to SIEM.

Pragmatic Approach to SIEM

Given the trend of focusing on bare minimum security, the pragmatic approach to SIEM for many organizations can be summarized as “buy for compliance, use for security (and IT operations as well).” Let’s review how you follow this approach for achieving security success and not just auditor approval.

Many Chief Security Officers (CSOs) have found out that compliance initiatives and other projects driven by “the fear of auditors” can be funded more easily than pure data protection and “the fear of hackers” projects. Even though this trend may reverse itself in the future, today it is a fact of life. Recent analyst estimates show that 70 percent to 80 percent of SIEM and log management implementations are driven by compliance needs.

Here is how to follow the pragmatic approach in instances where compliance drives SIEM and log management implementation:

First, compile a list of regulations you must comply with, focusing particular attention on areas where an SIEM or log management tool can be useful. In many cases, the list may contain only one regulation, but that one regulation is one you absolutely must address.

Second, whenever practical, you should then review other possible goals that SIEM can help you achieve. Deciding whether SIEM satisfies a critical business need, such as “buy as an enabling technology for your SOC,” is an essential step.

Third, you must decide whether you are prepared to work to make your SIEM tool solve your problem, whether for compliance or other needs. Despite help from the vendor and possibly consultants, there are additional tasks you’ll have to perform to make SIEM work.

Now, acquire and implement the SIEM solution. This is where you work jointly with the vendor in order to build your initial implementation for regulatory compliance, such as PCI DSS.

Now, start actually using SIEM for both the “letter and spirit” of the regulation. This step is the most important one in the approach—one of the biggest mistakes organizations make in this area is thinking that simply owning an SIEM tool makes them compliant. In reality, building daily operational procedures and processes to go with your SIEM
  • 5. is the only way to do that. Sadly, few people remember that PCI DSS prescribes a large set of periodic tasks, from annual to daily. Reviewing logs daily is the most well known example of such a practice, not just “having logs.”

Finally, expand the use case beyond compliance. Tips for expanding deployment and solving other problems with your SIEM tool are provided in the next section. For example, you can quickly improve your security capability for incident response and forensics—the easiest and most common security use of log management and SIEM tools beyond compliance.

Given the obvious benefits to this approach, it is surprising that more organizations don’t follow it. Some simply choose to procure a tool, connect it to the network and never actually use it—whether for security or compliance purposes. Such organizations will be surprised to discover they are neither compliant nor secure, as this level of implementation provides none of the benefits of SIEM. It’s also interesting to note that many of the organizations studied in the Verizon Data Breach report2 that were breached had all the evidence of the breach in their logs and available since the day of the breach.

So, build the urgency for SIEM using regulatory compliance, then start taking the regulation to heart by using the tools for compliance and data security. From that point, expand the use case to solve more problems within your organization. Remember, a box in the datacenter rack does not make you compliant; a tool combined with people diligently following operational procedures does.

As we mentioned above, compliance is often the main driver for SIEM deployment today. Let’s delve deeper into the regulations and their impact on SIEM technology.

PCI DSS

The Payment Card Industry Data Security Standard applies to all organizations that handle credit card transactions. Since we talk about the letter and spirit of regulations, the spirit of PCI is in reducing the overall risk associated with payment card transactions. While complete elimination of sensitive payment card data for risk reduction is a noble goal, achieving it today is unlikely for most merchants. As a result, after appropriately scoping your PCI DSS environment, you need to focus on protecting the data and monitoring all access to it.

Even though logging is present in all PCI requirements, the PCI DSS also contains Requirement 10, which is dedicated to logging and log management. Under this requirement, logs for all system components must be reviewed at least daily—a key operational procedure that is necessary for compliance! These reviews must include logs of servers that perform security functions, such as intrusion-detection systems and authentication, authorization, and accounting protocol servers. PCI Requirement 10 is a very common reason why organizations research and look into purchasing SIEM and log management tools today.

Further, the PCI DSS states that the organization must ensure the integrity of its logs by implementing file integrity monitoring and using change detection software on logs (in addition to other key files) to ensure that existing log data cannot be changed without alerting security personnel. It also states that logs from in-scope systems must be stored for at least one year. Broader security monitoring is also present in Requirement 11 of the PCI DSS.

HIPAA/HITECH

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines relevant security standards for health information. As with PCI, the intent of HIPAA is to reduce risks, but in this case to sensitive health information. Unlike payment data, however, health information cannot simply be deleted from storage, which certainly complicates compliance with the regulation. The following HIPAA requirements apply broadly to logging, log review and security monitoring:

Section 164.308(a)(5)(ii)(C) “Log-in Monitoring” calls for monitoring the systems touching patient information for login and access. The requirement applies to “login attempts,” and implies login attempts that failed or succeeded.

Section 164.312(b) “Audit Controls” broadly covers audit logging and other audit trails on systems that deal with sensitive health information. Review of such audit logs seems to be implied by this requirement.
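The PCI DSS log-integrity requirement discussed above (existing log data must not be changeable without security personnel being alerted) is usually met with file integrity monitoring, as the paper says. The following added example, which is not code from the paper or from Tripwire, shows the underlying change-detection idea in miniature: the log collector seals each record with an HMAC chained to the previous seal, so a later modification, deletion, truncation or unsealed append is detected at the first affected record. The log records, hostnames and the collector key are constructed for the demonstration; the key is assumed to be held only by the collector, never by the monitored host, since an unkeyed hash chain could simply be recomputed by whoever is able to edit the log file.

```python
import hashlib
import hmac

# Constructed sample: one day's audit records from an in-scope system.
DAY_LOG = [
    "2010-03-12T00:14:02Z web01 sshd: Accepted publickey for deploy from 198.51.100.10",
    "2010-03-12T03:30:00Z web01 cron: (root) CMD (/usr/local/bin/rotate-keys)",
    "2010-03-12T09:00:09Z web01 sshd: Accepted password for root from 203.0.113.7",
    "2010-03-12T09:00:12Z web01 sudo: root : COMMAND=/bin/rm /var/log/auth.log.1",
    "2010-03-12T17:45:30Z web01 sshd: Failed password for alice from 198.51.100.4",
]
# Constructed demo key. Assumed to live on the log collector only.
COLLECTOR_KEY = b"constructed-demo-key-not-for-production"
CHAIN_START = b"\x00" * 32  # fixed initial "previous seal"


def _seal(prev, record, key):
    # Each seal binds the record to everything sealed before it.
    return hmac.new(key, prev + record.encode("utf-8"), hashlib.sha256).digest()


def seal_records(records, key=COLLECTOR_KEY):
    """Return one hex seal per record, chained in order of arrival."""
    seals, prev = [], CHAIN_START
    for rec in records:
        prev = _seal(prev, rec, key)
        seals.append(prev.hex())
    return seals


def verify_records(records, seals, key=COLLECTOR_KEY):
    """Recompute the chain. Returns (True, None) if the records match the
    seals, else (False, index) where index is the first record that does
    not verify (or the length at which the two sequences diverge)."""
    prev = CHAIN_START
    for i, (rec, seal) in enumerate(zip(records, seals)):
        mac = _seal(prev, rec, key)
        if not hmac.compare_digest(mac.hex(), seal):
            return False, i
        prev = mac
    if len(records) != len(seals):
        # Records truncated (fewer) or appended without a seal (more).
        return False, min(len(records), len(seals))
    return True, None


def tamper_scenarios():
    """Run the verifier against the intact log and four constructed
    tampering cases; returns a dict of scenario -> verification result."""
    seals = seal_records(DAY_LOG)

    modified = list(DAY_LOG)
    modified[3] = modified[3].replace("/bin/rm", "/bin/ls")   # disguise the deletion

    deleted = DAY_LOG[:3] + DAY_LOG[4:]                        # drop the rm record
    truncated = DAY_LOG[:-1]                                   # chop the end of the day
    appended = DAY_LOG + ["2010-03-12T23:59:59Z web01 fake: backfilled record"]

    return {
        "clean": verify_records(DAY_LOG, seals),
        "modified": verify_records(modified, seals),
        "deleted": verify_records(deleted, seals),
        "truncated": verify_records(truncated, seals),
        "appended": verify_records(appended, seals),
    }


if __name__ == "__main__":
    for name, (ok, idx) in tamper_scenarios().items():
        status = "ok" if ok else f"ALERT: chain breaks at record {idx}"
        print(f"{name:10s} {status}")
```

The verifier reports the first divergent record rather than just a yes/no, which is what an analyst reviewing the daily alert actually needs: it narrows the investigation to the point in the day where the log stopped agreeing with the collector's copy. The chain here protects records after they reach the collector; it does not protect against a host that never sends a record in the first place, which is why the paper pairs log integrity with daily review of what each system component did send.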
  • 6. Section 164.308(a)(1)(ii)(D) “Information System Activity Review” prescribes review of various records of IT activities such as logs, systems utilization reports, incident reports and other indications of security-related activities.

In addition, the NIST SP 800-66 document titled “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule” details more specific log management requirements for securing electronic protected health information. Section 4.1 of this document describes the need for regular review of information system activity, such as audit logs, access reports and security incident-tracking reports.

A recent enhancement to HIPAA is called the Health Information Technology for Economic and Clinical Health Act or HITECH Act. The act seeks to further “address the privacy and security concerns associated with the electronic transmission of health information.”

NERC

North American Electric Reliability Corporation (NERC) publishes Critical Infrastructure Protection (CIP) standards that contain important information security requirements. The spirit of NERC is in maintaining the operation of the critical bulk electric system. In the case of NERC, clearly the focus is on system uptime and not on information confidentiality as it is in PCI DSS and HIPAA.

Among the CIPs, there are requirements about logging, alerting and log review, as well as broader security monitoring. For example, Requirement CIP-005-1 R3.2 states that “security monitoring process(es) shall detect and alert for attempts at or actual unauthorized accesses. These alerts shall provide for appropriate notification to designated response personnel. Where alerting is not technically feasible, the Responsible Entity shall review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every ninety calendar days.” In most cases, the effort focuses on issue detection and rapid investigation, and not on the long-term data theft breach investigation. Additional security monitoring requirements are also defined in the NERC CIP standards.

ISO2700x

ISO27001, formally known as “Information technology—Security techniques—Information security management systems—Requirements,” is a direct descendant of ISO17799 and British Standard 7799. ISO specifies requirements for managing the security of information systems. The standard also prescribes audit logging and audit log review and retention.

For example, ISO27001 mentions that “audit logs should be turned on for security events, user activities, and exceptions. They should be kept for a predetermined period of time.” (section A.10.10.1 of ISO/IEC 27001 Information Security Management Systems – Requirements). However, the standard provides no further guidance regarding what details must be recorded in logs or how long the logs should be retained.

The standard does make references to reviewing audit logs and security monitoring without providing operational level details about them. Despite that, organizations that plan to certify their compliance with ISO27001 are likely to deploy SIEM or log management tools.

Overall, this summary indicates that many mandates have similar requirements with regards to log management and security monitoring. This simply means that complying with one regulation will get you a long way toward complying with other current and future regulations. Also, one of the most important things to remember from reviewing these regulations is that simply deploying a tool, even an advanced SIEM tool, does nothing for compliance unless you use it. Good auditors will check for processes and procedures built around tools in order to satisfy the spirit of regulations; they won’t just look at blinking lights in the datacenter.
  • 7. “Compliance+”: Where to Go Next?

After the initial regulatory challenges are addressed, what do you do next? Given the scope of regulations shown above, your organization would already have a fairly robust security monitoring program, backed up by periodic processes, review procedures and an exception handling process.

It is likely that you would not be surprised that unauthorized access to servers is covered by a particular regulation. It is also likely that unauthorized changes in your environment will be reduced to a minimum. Deploying integrity checking systems mandated by PCI DSS, and then diligently using them, will allow your organization to be constantly aware of what happens in your environment. If unauthorized changes are detected that indicate an incident, your incident response process will be triggered into action.

In addition, complying with regulations has likely enabled you to keep an eye on the sensitive data that flows in and out of your environment. Hopefully, you have applied the safeguards not only to regulated data but also to data internally considered sensitive.

For example, an organization may choose to fully adopt PCI DSS compliance and invest time in developing their daily log review practices, tying them to incident response plans and educating developers on writing better software that deals with payment data. In fact, some organizations have been known to build their entire security programs on top of PCI DSS guidance. Clearly this approach will allow them to benefit from SIEM and log management tools that they already own.

The next step is to improve the incident response process so that it can react even faster. While regulations prescribe some incident response practices such as having an incident response plan, being ready for any incident, including a zero-day attack, takes more work and more operational maturity that goes beyond compliance.

The next step beyond compliance might be to improve the security monitoring process. Simply buying a tool that is capable of enabling such monitoring does not create a monitoring capability; this capability requires a combination of skilled personnel with effective SIEM tools. Fortunately, most organizations have monitoring tools for operational visibility—uptime monitoring. It is important to note that many organizations will not ever be large enough to justify having a full Security Operations Center (SOC). At the same time, having a person or a team dedicated to ongoing periodic security monitoring will likely help most organizations.

We can benefit from the past experiences of organizations that have gone beyond compliance to learn about the numerous possible mistakes and pitfalls that might occur. We will first present a few general tips for succeeding based on these past experiences, and then categorize common mistakes that organizations committed while doing so.

First, if you deploy for compliance, make sure your tools operationalize and adopt the regulation as the framework. Don’t simply put a checkmark in the compliance checkbox.

Second, always operationalize SIEM and log management tools in phases. One common approach is to go from traditional server and firewall logs to application logs, and from collection to review to near real-time monitoring.

Third, always keep the use cases—what you’re trying to achieve with an SIEM tool—in mind. Think about them when using and expanding the use of your SIEM. Even if compliance is a primary SIEM driver, focusing on outcomes useful for your business will give you more success on your journey to better data security.

Common Pitfalls in Using SIEM for Regulatory Compliance

The biggest logging, SIEM and compliance mistake is simply this: thinking that to be compliant you must only collect logs in a log management tool. This is one of the most egregious errors you can make. Simply reading the text of most regulations will reveal the additional items you need to address, such as log review, log protection, logging specific details for various events, handling exceptions and many others.

PCI DSS prescribes log review and log protection, HIPAA calls for monitoring, NERC asks for incident process ease. Not a single regulation is solely about storing logs.
  • 8. A second common mistake is focusing on the letter of regulations, and not their intended spirit. The best way to summarize it is: if you focus on security, you have a shot at being compliant and secure; if you only focus on compliance, you probably will not be secure and will be out of compliance. Just ask the victims of recent breaches who were justifiably found to be out of compliance.

Finally, although the siloed approach to regulations is the unfortunate norm today, that does not make it the right approach. Given the large overlap across regulations in what they mandate relative to audit logging, security monitoring, change detection, incident response and other security practices, it makes sense to implement this superset of requirements. By not tackling regulations one-by-one, you avoid wasting resources and causing delays.

Conclusion

While some organizations continue to try to reduce security to some minimum baseline, this approach is not a recipe for customer trust and data protection. Many of the recent challenges with SIEM and log management stem from the fact that powerful SIEM technology is purchased to address a compliance mandate—and does so in a narrow and short-sighted fashion. Following our roadmap for effective use of SIEM tools for compliance and beyond will allow you to avoid mistakes and gain all the benefits of your investment in your SIEM or log management tool.

In addition, you can expand the use of an SIEM tool beyond compliance to security and operational use cases, focusing on improved incident response practices and moving to automated security monitoring that occurs in near real-time. This approach is the only way to gain visibility, and therefore control, over your ever-growing IT environment. This is also the only way to prepare for the onslaught of virtualization and cloud computing, which will muddy the waters of what specific information and IT assets need to be protected.

The final word on succeeding with SIEM is this: start by using regulatory guidance, take it to heart, operationalize it, and then expand it to solve “bigger and better” problems.

About the Author

Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of the books “Security Warrior” and “PCI Compliance” and a contributor to “Know Your Enemy II,” “Information Security Management Handbook” and others. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS, and security management (see the list at www.info-secure.org). His blog http://www.securitywarrior.org is one of the most popular in the industry.

In addition, Anton teaches classes and presents at many security conferences across the world. He recently addressed audiences in the United States, UK, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on the advisory boards of several security start-ups.

Currently, Anton is developing his security consulting practice www.securitywarriorconsulting.com, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.

1 For example, see http://en.wikipedia.org/wiki/Use_case
2 www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
  • 9. ABOUT TRIPWIRE Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses and government agencies take control of their entire IT infrastructure. Thousands of customers rely on Tripwire’s integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire® VIA™, the comprehensive suite of industry-leading file integrity, policy compliance and log and security event management solutions, is the way organizations can proactively achieve continuous compliance, mitigate risk and improve operational control through Visibility, Intelligence and Automation. Learn more at www.tripwire.com and TripwireInc on Twitter. ©2010 Tripwire, Inc. | Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. | WPSIEM1a