SIEMs - Decoding The Mayhem
Bill Dean, Director of Computer Forensics
Sword & Shield Enterprise Security Inc.
Slide deck transcript, posted 19-Dec-2015

Outline
• Today’s Threat Landscape
• Why Do I Need a SIEM?
• Choosing and Deploying a SIEM
• This Will Not Be Boring

Computer Security Landscape
• You Are Being Blamed
• Your Money Isn’t Safe
• Your Information Isn’t Safe
• Your Reputation Is at Stake
• More Threats, Fewer People

You Are Being Blamed
• BotNets
• Pivoting

Stealing Your $$

Stealing Your Information
• Computers Are No Longer for “Productivity”
• You Have Valuable Information
• You ARE A Target
• You Aren’t Dealing With “Amateurs”

Hacktivists – Exposing Your Secrets

Hacktivists – Business Disruption

Your Challenge

SIEMs

You Need An “Oracle”
• Knows The Past
• Knows The Present
• Knows The Future
• Knows How to CYA

SIEM Basics
• Provides “Instant Replay”
• 24 x 7 Security Guard
• SIEM vs. Firewall vs. IDS vs. IPS
• SIEM vs. SEIM vs. SIM
• Typically Compliance Driven

Compliance
• HIPAA
• PII
• Data Breach Notification Laws

Why Do I Need A SIEM?
• Infrastructure Monitoring
• Reporting
• Threat Correlation
• Instant Replay
• Incident Response

What Is Monitored?
• Account Activity
• Availability
• IDS/Context Correlation
• Data Exfiltration
• Client Side Attacks
• Brute Force Attacks

Windows Accounts
• Accounts Created, By Whom, and When
• New Accounts That Aren’t Standard
• New Accounts Created At Odd Times
• New Workstation Account Created
• Key Group Membership Change
• Account Logon Hours
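The checks on this slide are simple to express as rules over the Windows Security log once the events are normalised. The following is an added example written for this transcript, not code from the deck or from Sword & Shield: it applies the slide's account checks to a handful of constructed events in a key=value form a collector might emit. The event IDs are the standard Windows ones (4720 user account created, 4728/4732 member added to a global/local group); the business hours, the authorised creator list and the key-group list are assumptions that a deployment would tune.

```python
"""Added example (not from the slide deck): Windows account-activity checks
over constructed Security-log events normalised into key=value lines."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    'ts=2015-12-10T09:15:02 id=4720 subject=helpdesk01 target=jsmith host=DC01',
    'ts=2015-12-11T02:47:33 id=4720 subject=svc_backup target=adm1n host=DC01',
    'ts=2015-12-11T02:48:10 id=4732 subject=svc_backup target=adm1n group=Administrators host=DC01',
    'ts=2015-12-11T03:02:00 id=4720 subject=svc_backup target=WS-TEMP01$ host=DC01',
    'ts=2015-12-11T10:05:44 id=4732 subject=helpdesk01 target=jsmith group="Remote Desktop Users" host=DC01',
]

BUSINESS_HOURS = range(8, 18)                            # 08:00-17:59 local (assumed)
AUTHORIZED_CREATORS = {"helpdesk01", "idm_provisioner"}  # assumed provisioning accounts
KEY_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Turn 'k=v k="v with spaces"' into a dict."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


@dataclass
class Finding:
    rule: str
    event: dict


def review_account_events(lines, business_hours=BUSINESS_HOURS,
                          authorized=AUTHORIZED_CREATORS, key_groups=KEY_GROUPS):
    """Return one Finding per rule that each event trips."""
    findings = []
    for line in lines:
        ev = parse(line)
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == "4720":
            # By whom and when: weekend or off-hours creation is worth a look.
            if ts.weekday() >= 5 or ts.hour not in business_hours:
                findings.append(Finding("account_created_odd_hours", ev))
            # Creation by anything other than the provisioning accounts.
            if ev["subject"] not in authorized:
                findings.append(Finding("account_created_by_unexpected_subject", ev))
            # Computer (workstation) accounts end in '$' in Active Directory.
            if ev["target"].endswith("$"):
                findings.append(Finding("new_workstation_account", ev))
        elif ev["id"] in {"4728", "4732"} and ev.get("group") in key_groups:
            findings.append(Finding("key_group_membership_change", ev))
    return findings


if __name__ == "__main__":
    for f in review_account_events(SAMPLE_EVENTS):
        print(f"{f.rule:40} {f.event['ts']} subject={f.event['subject']} target={f.event['target']}")
```

Run as a script it prints six findings: the off-hours creation of "adm1n" by a service account, that account's addition to Administrators, and the off-hours creation of a workstation account by the same service account. The routine help-desk creation and the Remote Desktop Users change produce nothing, which is the point of tuning the authorised-creator and key-group lists rather than alerting on every 4720 or 4732.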

Availability
• System Uptime Statistics
• Availability Reporting
• Uptime is “Relative”

IDS Context/Correlation
• Place Value On Assets
• Context Is Essential
• Maintain Current Vulnerability DBs
• Create Priority Rules
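What "context" buys you on this slide is a priority rule that weighs an IDS alert by the asset it hits and by whether a current scan says that asset is actually exposed. The block below is an added example written for this transcript, not code from the deck or any SIEM product: asset values, scan results and alerts are constructed sample data, and the CVE identifiers are placeholders rather than real advisories.

```python
"""Added example (not from the slide deck): rank IDS alerts by asset value
and vulnerability context. All data here is constructed."""

# Constructed asset inventory: criticality 1 (low) .. 5 (crown jewel).
ASSET_VALUE = {"10.0.0.5": 5, "10.0.0.20": 2, "10.0.1.7": 1}

# Constructed vulnerability-scan results: host -> open findings.
# A host present with an empty set was scanned and found clean.
VULN_DB = {"10.0.0.5": {"CVE-0000-0001"}, "10.0.0.20": set()}

# Constructed IDS alerts as a SIEM would receive them after normalisation.
ALERTS = [
    {"sig": "exploit attempt A", "cve": "CVE-0000-0001", "dst": "10.0.0.5", "severity": 3},
    {"sig": "exploit attempt A", "cve": "CVE-0000-0001", "dst": "10.0.0.20", "severity": 3},
    {"sig": "port scan", "cve": None, "dst": "10.0.1.7", "severity": 1},
    {"sig": "exploit attempt B", "cve": "CVE-0000-0002", "dst": "10.0.0.5", "severity": 3},
]

UNKNOWN_ASSET_VALUE = 3  # assumed: an unlabelled asset is treated as medium value


def score_alert(alert, asset_value=ASSET_VALUE, vuln_db=VULN_DB):
    """Return (score, reason). Base score is IDS severity x asset value; it is
    doubled when the scan confirms the target carries the CVE the signature
    fires on, and halved when a current scan of the target shows it clean."""
    value = asset_value.get(alert["dst"], UNKNOWN_ASSET_VALUE)
    score = alert["severity"] * value
    cve, dst = alert["cve"], alert["dst"]
    if cve is None or dst not in vuln_db:
        return score, "no vulnerability context"
    if cve in vuln_db[dst]:
        return score * 2, "target vulnerable per current scan"
    return score // 2, "target not vulnerable per current scan"


def prioritize(alerts, asset_value=ASSET_VALUE, vuln_db=VULN_DB):
    """Score every alert and return them highest priority first."""
    ranked = []
    for a in alerts:
        score, reason = score_alert(a, asset_value, vuln_db)
        ranked.append({**a, "score": score, "reason": reason})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for r in prioritize(ALERTS):
        print(f"{r['score']:3}  {r['dst']:10}  {r['sig']:18}  {r['reason']}")
```

The same signature against two hosts lands at opposite ends of the queue (30 for the vulnerable high-value server, 3 for the patched low-value one), which is the difference between an analyst looking at the right alert and an analyst drowning. The "no vulnerability context" branch matters too: a host that has never been scanned keeps its full score because the scan, not the absence of a finding, is what justifies lowering priority. Keeping the scan data current is what the slide's third bullet is about.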

Data Exfiltration
• You Must Know What Is “Normal”
• Deviations From The Norm Warrant An Alert
• Some Events Are “Non-Negotiable”
• “You” Typically Initiate Data Transfers
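A concrete way to turn these four bullets into rules is a per-host baseline of outbound volume, a deviation test against it, and one rule that fires regardless of volume. The block below is an added example written for this transcript, not code from the deck: the 14-day history, today's flows (to documentation-range addresses) and the "never initiates outbound" policy list are constructed sample data and assumptions.

```python
"""Added example (not from the slide deck): baseline-and-deviation check for
outbound data volume, plus one non-negotiable rule. All data is constructed."""
import statistics
from collections import defaultdict

# Constructed: outbound megabytes per host per day over the last 14 days.
HISTORY_MB = {
    "ws-042": [120, 95, 130, 110, 100, 115, 90, 125, 105, 118, 99, 122, 108, 112],
    "ws-017": [80, 90, 85, 95, 88, 92, 87, 91, 84, 89, 93, 86, 90, 88],
    "db-01":  [5, 4, 6, 5, 5, 4, 6, 5, 5, 4, 6, 5, 5, 4],
}

# Constructed: today's outbound flows (destinations are documentation ranges).
TODAY_FLOWS = [
    {"host": "ws-042", "dst": "203.0.113.10", "mb": 130, "initiated_by": "host"},
    {"host": "ws-017", "dst": "203.0.113.44", "mb": 2100, "initiated_by": "host"},
    {"host": "db-01",  "dst": "198.51.100.9", "mb": 900, "initiated_by": "host"},
]

# Assumed policy: these servers answer queries but never push data out themselves.
NEVER_INITIATE_OUTBOUND = {"db-01"}


def baseline(samples):
    """Mean and population standard deviation of a host's daily history."""
    return statistics.fmean(samples), statistics.pstdev(samples)


def exfil_alerts(history, flows, never_initiate, k=3.0, min_excess_mb=50):
    """Return (host, rule, mb) tuples.

    A host is flagged when today's total exceeds mean + k*stdev of its history
    by at least min_excess_mb; the floor stops quiet hosts from alerting on a
    few extra megabytes of routine traffic."""
    today = defaultdict(int)
    alerts = []
    for f in flows:
        today[f["host"]] += f["mb"]
        # Non-negotiable: a server that must never initiate transfers did.
        if f["host"] in never_initiate and f["initiated_by"] == "host":
            alerts.append((f["host"], "server initiated outbound transfer", f["mb"]))
    for host, mb in today.items():
        if host not in history:
            # No idea what "normal" is for this host yet; say so rather than guess.
            alerts.append((host, "no baseline for host", mb))
            continue
        mean, sd = baseline(history[host])
        if mb > mean + k * sd and mb - mean >= min_excess_mb:
            alerts.append((host, "outbound volume deviates from baseline", mb))
    return alerts


if __name__ == "__main__":
    for host, rule, mb in exfil_alerts(HISTORY_MB, TODAY_FLOWS, NEVER_INITIATE_OUTBOUND):
        print(f"{host:8} {mb:6} MB  {rule}")
```

Against the sample data ws-042 stays quiet (130 MB is within three standard deviations of its ~110 MB average), ws-017's 2100 MB trips the deviation rule, and db-01 trips both the deviation rule and the non-negotiable rule. The two rules are deliberately independent: the baseline catches a workstation slowly pushed past its norm, while the policy rule catches a database server opening an outbound transfer at all, which the slide's last bullet says should be you, not the server.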

Client Side Attacks
• Windows Event Log Information
• Process Status Changes
• New Services Created
• Scheduled Task Creation
• Changes to Audit Policies

Brute-force Attacks
• Detailed Reports of Failed Logins
• Source Of Failed Login Attempts
• Locked Accounts Report
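The three reports on this slide come out of one pass over failed-logon and lockout events with a sliding window per source address. The block below is an added example written for this transcript, not code from the deck: it uses constructed Windows Security events (4625 failed logon, 4740 account locked out) normalised into key=value lines, with an external source in a documentation address range; the threshold and window size are assumptions to tune per environment.

```python
"""Added example (not from the slide deck): failed-login, source and lockout
reports from constructed Windows Security events in key=value form."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Turn 'k=v k="v with spaces"' into a dict."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


# Constructed sample events: one ordinary mistyped password, then a burst of
# failures against many accounts from one external source, ending in a lockout.
SAMPLE_EVENTS = [
    "ts=2015-12-11T08:00:01 id=4625 target=jsmith src=10.0.0.50 host=DC01",
    "ts=2015-12-11T08:10:00 id=4625 target=admin src=198.51.100.23 host=DC01",
    "ts=2015-12-11T08:10:20 id=4625 target=administrator src=198.51.100.23 host=DC01",
    "ts=2015-12-11T08:10:40 id=4625 target=backup src=198.51.100.23 host=DC01",
    "ts=2015-12-11T08:11:00 id=4625 target=jsmith src=198.51.100.23 host=DC01",
    "ts=2015-12-11T08:11:20 id=4625 target=svc_sql src=198.51.100.23 host=DC01",
    "ts=2015-12-11T08:11:40 id=4625 target=test src=198.51.100.23 host=DC01",
    "ts=2015-12-11T08:12:00 id=4740 target=admin src=198.51.100.23 host=DC01",
]


def brute_force_report(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of failed logons per source address.

    Returns {"sources": {src: {"peak_failures_in_window": n, "accounts": [...]}},
             "lockouts": [(account, src, ts), ...]}.
    Lines are sorted first; that is valid only because each line starts with
    an ISO-8601 timestamp, so lexical order is chronological order."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    targeted = defaultdict(set)   # src -> accounts it tried
    peak = {}                     # src -> highest in-window count that crossed threshold
    lockouts = []
    for line in sorted(lines):
        ev = parse(line)
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == "4625":
            q = recent[ev["src"]]
            q.append(ts)
            while ts - q[0] > window:   # drop attempts older than the window
                q.popleft()
            targeted[ev["src"]].add(ev["target"])
            if len(q) >= threshold:
                peak[ev["src"]] = max(peak.get(ev["src"], 0), len(q))
        elif ev["id"] == "4740":
            lockouts.append((ev["target"], ev["src"], ev["ts"]))
    sources = {src: {"peak_failures_in_window": n, "accounts": sorted(targeted[src])}
               for src, n in peak.items()}
    return {"sources": sources, "lockouts": lockouts}


if __name__ == "__main__":
    report = brute_force_report(SAMPLE_EVENTS)
    for src, info in report["sources"].items():
        print(f"{src}: {info['peak_failures_in_window']} failures in window, accounts {info['accounts']}")
    for account, src, ts in report["lockouts"]:
        print(f"lockout: {account} from {src} at {ts}")
```

Reporting the list of accounts per source, not just a count, is what distinguishes a user fat-fingering one password from one address walking through many accounts; the single failure from 10.0.0.50 never reaches the threshold and stays out of the report. The lockout report is kept separate because a lockout is an event the SIEM should surface even when the failures that caused it were spread thinly enough to stay under the window threshold.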

Incident Response

Incident Response Scenario #1
• Law Firm With Dealings In China
• Law Firm Was “Owned” More Than A Year
• Access To Every Machine On Network
• Thousands of “Responsive” Emails Obtained
• “Privilege” Was Not Observed

Incident Response Scenario #2
• VP of Finance Promoted to CFO
• Attack on the “Weakest” Link

AV Will Save Us!!

Incident Response Scenario #3
http://mail.hfmforum.com/microsoftupdate/getupdate/default.aspx

How SIEMs Would Have Helped
• Accounts Enabled
• Services Created
• Firewall Changes
• Data Exfiltration
• Network Communications
• Incident Response Costs

Choosing A SIEM
• Not a Replacement for Security Engineers
• Must Support Disparate Devices (Agentless)
• Don’t Plan To Monitor? DON’T BOTHER

Deploying a SIEM
• Architecture Options
• Tuning Out The “Noise”

SIEM Option$
• Outsourced Options
  • SecureWorks
• High-Cost
  • ArcSight, Q1 Labs QRadar, RSA, Tripwire
• Lower-Cost
  • Q1 Labs FE, TriGEO, Splunk
• No-Cost
  • OSSIM
  • OSSEC

Summary
• You Must Anticipate Today’s Threats
• SIEMs Are Extremely Valuable
• SIEMs Are Not A Silver Bullet

Questions?
Bill Dean, Director of Computer Forensics
Sword & Shield Enterprise Security Inc.
[email protected]
http://www.twitter.com/BillDeanCCE