There are many misconceptions about what a SIEM is and why they should still be the heart of an operational capability when it comes to security controls and monitoring. This topic will outline what makes a powerful SIEM and why creating it yourself is increasingly challenging. We'll explore the frameworks at the heart of a SIEM and how Splunk has developed Enterprise Security with these in mind; finishing with some general lessons learned for SIEM implementation projects.
Security Meetup Scotland - August 2017 (Deconstructing SIEM)
1. DECONSTRUCTING SIEM
What are SIEM platforms made of and why are frameworks so important?
Harry McLaren – Senior Security Consultant at ECS
2. WHO AM I? HARRY MCLAREN
• Alumnus of Edinburgh Napier
• Charity Trustee at Positive Realities
• Senior Security Consultant at ECS
• Splunk Consultant & Architect
• SOC Build & Use Case Development
3. Security Information & Event Management (SIEM)
Software products and services combine security information management (SIM) and security event management (SEM).
They provide real-time analysis of security alerts generated by network hardware and applications.
Source: Wikipedia & Gartner
4. SIEM USE CASES
• Security & Compliance Reporting
• Real-Time Monitoring of Known Threats
• Detecting Unknown Threats
• Incident Investigations & Forensics
• Fraud Detection
• Insider Threat
5. SIEM EVOLUTION
Term initially coined in 2005 by Gartner.
Timeline markers and labels, in slide order: v1.0; Ticketing & Workflow Integrations; v1.5; Risk Based Analysis & “Intelligence”; v2.0; “Next-Gen SIEM”; v3.0.
Capabilities along the timeline: Initial Rule Sets & Event Queues; Environment Awareness & Correlation Searches; Risk Management & Threat Data Intelligence; Machine Learning & Orchestration.
14. SUCCESSFUL SIEM
• INTEGRATION: Maximize cross-silo visibility by on-boarding ALL data sources. Automate repetitive tasks and set up orchestration for the rest.
• PREPARATION: Understand your project’s input and output requirements. Champion the project and identify project dependencies.
• SUCCESS CRITERIA: Identify the problem(s) you’re trying to solve. Document the risks/threats this control mitigates or minimises.
• EMBEDDING: Position the SIEM project as part of transformative change. Enable and engage SecOps to own and evolve the platform.
15. SPLUNK USER GROUP - EDINBURGH
• When: August 22, 2017 5:30 PM
• Where: Edinburgh Napier University, 10 Colinton Road, Edinburgh, EH10 5DT
• Register: https://usergroups.splunk.com/group/splunk-user-group-edinburgh.html
Presentation Title: Deconstructing the SIEM Platform
1min
Short Bio:
Harry McLaren is a Senior Consultant at ECS, responsible for service delivery, technical leadership and people development in the rapidly growing Splunk consulting practice, including growing our team of talented Splunk Consultants. ECS, a specialist in enterprise IT services, has an award-winning IT security capability which is focused on Cybersecurity Operations Centres and IT security consulting.
1min
Define ‘Big Data’
Define ’SIEM’
2mins
A few security-based use cases you can leverage big data platforms for, but how?
1min
SIEM evolution and the (often fallacious) idea of ‘next-gen’ SIEM. “Next-gen” shouldn’t even be a term: your security operational capability should grow organically and the tools should be able to keep up.
A platform should be able to grow as your security maturity and technical ability grow (not limited to only “out-of-the-box” features).
2mins
Building full featured SIEMs is hard.
Many try, many fail.
Big data platforms only provide access to (hopefully) easy-to-search data.
Most end up as very basic rule engines similar in function to a distributed IDS (NIDS or HIDS).
2mins
Rules
• Threshold Based
• Anomaly/Behaviour Based
• Boolean Based
Context
• Asset & Identity Awareness
• Risk Profiling/Analytics
• Approved Types of Activity vs Not
Frameworks
• Scalability (Volume, Complexity)
• User Empowerment (without being a platform expert)
• Expansion and development of custom use cases
Integration
• Data Source Compatibility (Schema vs Write one, read multiple ways)
• Workflow Integration & Centralised Investigation
• Orchestration
3mins
Example high-level architecture of a SIEM platform.
Lots of components working together.
Inputs, procedures and outputs are covered.
The five frameworks mentioned are covered in more detail.
Not going to talk all the way through each one; the purpose is to show the types of frameworks required and illustrate the contents of them.
2mins
This is about what is important to you: what does your threat modelling identify as ‘at risk’, and the framework to identify, group and report on these events of interest.
Workflow management, including analyst actions and status of event/events of interest.
1min
Contextual awareness within an organisation involves telling the SIEM who your users are and what assets are within your estate.
Dynamic updates are a priority as context changes (JML: joiners, movers, leavers).
1min
Not my favourite term… So let’s pretend it says ‘Threat Data’.
Up-to-date information is key; there are various types of data provider.
Additional context turns unknowns into knowns: from a potential threat (unlikely to be triaged) to a known threat.
1min
Correlation between contextual sources.
Custom inputs / outputs.
Useful for more mature threat assessment of behaviour.
1min
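The rule types (threshold and boolean), the asset/identity context, the threat-data enrichment and the risk correlation described in the notes above can be shown in one small correlation engine. The following is an added example written for this page, not code from the talk or from Splunk Enterprise Security: the events, the asset and identity lookups, the threat-data entry and the risk weights are all constructed for illustration, and the rule names and thresholds are assumptions.

```python
"""Toy SIEM correlation engine: threshold and boolean rules, asset/identity
context, threat-data enrichment and a risk score. Added example; all events,
lookups and rule parameters are constructed, not from any real environment."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (the raw "event queue").
EVENTS = [
    {"ts": "2017-08-10T02:01:00", "user": "jsmith", "src": "203.0.113.9", "dest": "srv-hr-01", "action": "failure"},
    {"ts": "2017-08-10T02:01:20", "user": "jsmith", "src": "203.0.113.9", "dest": "srv-hr-01", "action": "failure"},
    {"ts": "2017-08-10T02:01:40", "user": "jsmith", "src": "203.0.113.9", "dest": "srv-hr-01", "action": "failure"},
    {"ts": "2017-08-10T02:02:00", "user": "jsmith", "src": "203.0.113.9", "dest": "srv-hr-01", "action": "failure"},
    {"ts": "2017-08-10T02:02:30", "user": "jsmith", "src": "203.0.113.9", "dest": "srv-hr-01", "action": "success"},
    {"ts": "2017-08-10T09:15:00", "user": "akhan",  "src": "10.0.5.12",   "dest": "ws-0042",   "action": "success"},
    {"ts": "2017-08-10T09:16:00", "user": "akhan",  "src": "10.0.5.12",   "dest": "ws-0042",   "action": "failure"},
]

# Constructed context: asset and identity lookups ("environment awareness").
ASSETS = {"srv-hr-01": {"criticality": "high", "owner": "HR"},
          "ws-0042":   {"criticality": "low",  "owner": "IT"}}
IDENTITIES = {"jsmith": {"privileged": True,  "dept": "HR"},
              "akhan":  {"privileged": False, "dept": "IT"}}
# Constructed threat data: indicator -> description (turns an unknown src into a known one).
THREAT_DATA = {"203.0.113.9": "constructed: known brute-force source"}


def parse_ts(s):
    return datetime.fromisoformat(s)


def threshold_rule(events, n=3, window=timedelta(minutes=5)):
    """Threshold rule: fire once when n failures from one (user, src) fall inside a sliding window."""
    alerts, buckets = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] != "failure":
            continue
        key, t = (e["user"], e["src"]), parse_ts(e["ts"])
        buckets[key] = [x for x in buckets[key] if t - x <= window] + [t]
        if len(buckets[key]) == n:  # fires exactly when the threshold is first crossed
            alerts.append({"rule": "auth_failure_threshold", "user": e["user"],
                           "src": e["src"], "dest": e["dest"], "count": n})
    return alerts


def boolean_rule(events, window=timedelta(minutes=10)):
    """Boolean rule: fire when a success follows a failure from the same (user, src) within the window."""
    alerts, last_fail = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        key, t = (e["user"], e["src"]), parse_ts(e["ts"])
        if e["action"] == "failure":
            last_fail[key] = t
        elif key in last_fail and t - last_fail[key] <= window:
            alerts.append({"rule": "failure_then_success", "user": e["user"],
                           "src": e["src"], "dest": e["dest"]})
    return alerts


def enrich(alert):
    """Attach asset, identity and threat-data context, then compute a risk score (weights are assumptions)."""
    a = dict(alert)
    asset, ident = ASSETS.get(a["dest"], {}), IDENTITIES.get(a["user"], {})
    a["asset_criticality"] = asset.get("criticality", "unknown")
    a["privileged_user"] = ident.get("privileged", False)
    a["threat_match"] = THREAT_DATA.get(a["src"])
    score = 10  # base score for any rule firing
    if a["asset_criticality"] == "high":
        score += 30
    if a["privileged_user"]:
        score += 20
    if a["threat_match"]:
        score += 40
    a["risk"] = score
    return a


def run(events=EVENTS):
    """Run every rule over the events and enrich each resulting alert."""
    return [enrich(x) for x in threshold_rule(events) + boolean_rule(events)]


def risk_by_user(events=EVENTS):
    """Correlate across rules: accumulate risk per identity, the basis for risk-based triage."""
    totals = defaultdict(int)
    for a in run(events):
        totals[a["user"]] += a["risk"]
    return dict(totals)


if __name__ == "__main__":
    for a in run():
        print(a)
    print(risk_by_user())
```

On the constructed events both rules fire only for jsmith: four failures from a threat-listed source against a high-criticality asset, followed by a success, so each alert scores 100 and the user accumulates 200 risk; akhan's single failure after a success triggers nothing. The point of the accumulated score is the one the notes make about context: the same raw events would be low-priority noise without the asset, identity and threat-data lookups.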
Most recent addition to most SIEM platforms. Splunk supported calling scripts/APIs, but all were custom and not part of an ecosystem.
Major next step in rapid response to threats and taking action to halt the threat before the end of the kill-chain/attack cycle.
Builds up operational capability with the ability to gather relevant context automatically, then triage and act in a fluid and informed manner.
1min
Understand the reasons for the project, use cases, motivations and what constraints might apply.
Prepare, prepare, prepare. Ensure you have scoped all required inputs, outputs and the level of dependencies between them.
Integrate everything! Not just the data sources, but workflow, automation and orchestration.
SIEMs can be very powerful tools; however, if the team which is going to own it/use it doesn’t know how, it’ll go to waste. SecOps teams should be at the forefront of exploring the data, hunting and defining their own use cases.
2mins