SOC or SIEM?
Download
Report
Transcript SOC or SIEM?
So, you wanna build a SIEM?
Laconic Security, LLC
11001 West 120th Avenue, Suite 400
Broomfield, CO 80021
[email protected]
www.laconicsecurity.com
1
About Us
• Boulder based company specializing in SOC, security and data
protection services.
• Founded 4 years ago as a professional services company
• We have built security operations centers for many industries
(healthcare, retail, finance, telecommunications)
• Rigorous and systematic approach to building SOCs
• Soon to release our first software product (not a SIEM)
2
Agenda
• SEIM Defined
• Why Build a SEIM?
• $$$
• Choosing the Right One
• It’s ALIVE! … Now What?
• Tips for Success
3
SIEM 101
Terminology and level-set
4
SIEM Defined
• Security Information and Event Management (SIEM)
– AKA: SEM, SIM, SEIM
• A system to manage large amounts of security data
– Aggregation, centralization, correlation, normalization
• SIEMs are typically appliances, software or both
– SIEM architectures can even be mixed-vendor
• Help turn raw data into actionable information
– Needle in the haystack
• Help people visualize data
5
What SIEMs Do
•
•
•
•
Aggregate & normalize data to a central location
Provide a “meta-language” for which to manage data
Provide a graphical console view across all logging data
Turn the lights on…
IDS
Firewall
AV
Host
Logs
SIEM
6
What SIEMs Don’t Do
7
What SIEMs Don’t Do
• Provide what you want out of the box
– High customization is best/worst feature
• Make you compliant (on their own)
• Run themselves
– Much care and feeding required
SIEMs don’t understand your
business – people do
8
Why are you building a SIEM?
• Enterprise Security Driven
– We want to “do the right thing” for our business
– We need to get a better handle on our security logs
• Compliance Driven
– We’ve been told by legal/PCI/FTC to…
• MSS Driven
– We want to build a SOC to sell Managed Security Services to
customers
9
SOC or SIEM?
• Do you want a Security Operations Center (SOC) or SEIM?
• SOCs provide near real-time analysis of events - 8x5 or 24x7
– 4-5 people for an 8x5
– 10-12 people for 24x7
• A SIEM is present in a SOC, but SIEMs may satisfy your goal
without SOC monitoring
– Your goal may be to centralize logging. No need for a full-blown SOC.
Either way you slice it, SIEMs require operators
10
$$$$
• SOCs and SIEMs are expensive!
– Software licenses, analysts to monitor console, infrastructure upkeep
• There will be scope creep and therefore budget creep
– People will love what you do for them
• Professional Services will be a requirement (one exception)
– Bite the bullet now; you will be glad down the line
– Bet on a 6-12 month engagement; 1-2 consultants (to go from nothing
to a fully operational 24x7)
• Validate PS firm
– What your methodology? How many have you built? In what
industries? References?
11
Common Mistakes
• SIEMs will become shelfware if ignored
• No one dedicated to SIEM health
– This is a full-time job
•
•
•
•
•
Purchased to be a silver bullet
No consulting time purchased
No in-house expertise
Under-estimate amount of work SIEMs actually require
Project vs lifecycle mindset
– SIEM is a lifecycle, just like security - not a project
• Waterfall approach to project management
– Great SEIM implementations evolve
– An agile team responds quickly and effectively to threats
12
13
How to Choose
• Understand your goals before talking with vendors
• Line up your requirements with vendor features
• Understand motives, hidden fees and exactly what you get
– Maintenance fees, up-selling storage, total connections…
•
•
•
•
Can you export your data to another system (if needed)
Bake offs are valuable, but are time/resource heavy
Check analyst reports (with caution)
Talk to others using the product
– Get references and follow up with them!
• Vendor POC
14
The sales
presentation
15
16
What’s in the box…
18
Building Blocks
• Think of a SIEM as a box of Lego's or a bunch of electronic
components
– You can assemble these parts in endless configurations
• Need someone with a broad range of skills to assemble pieces
–
–
–
–
–
Understanding of SIEM capabilities and fundamentals
Training on how SIEM “meta language” functions
General security knowledge
Problem solving skills
Ability to move forward in a “good enough” mindset
19
20
It’s ALIVE! – now what?
•
•
•
•
•
•
Who’s monitoring the console / infrastructure?
When are hours of monitoring?
What are you monitoring? Is it sensitive?
Where are your consoles located? Is the room secured?
Who’s writing SIEM content?
What can you get from the logs you’re monitoring?
– Use case development
•
•
•
•
•
Who gets paged if there’s a problem?`
How do you develop new content?
Who’s testing new content for relevance?
Who’s documenting everything?
Where is your documentation? Is it backed up?
21
Viva la Wiki
• Use a wiki – start a revolution
• Used properly, this is the single most helpful tool for SIEM
users and SOC operators
• Expect a learning curve and time to adoption
• Don’t except imitators
– MS Sharepoint is NOT a wiki
• A wiki will not solve every problem
– Traditionally, wiki’s are not very good at document management
22
Use Cases
• The way we recommend documenting what you want to
accomplish with the SIEM
• Comments first, then code
– Just like an outline to a paper or book
• Provides a clear understanding of what you want and need to
do with a SIEM
23
Anatomy of a Use Case
<trigger> occurs when <condition> is met resulting in
<action> which is remediated by <team>
For example:
DDOS Likely event occurs when Arbor fires 15
SYN alarms in 10 seconds resulting in a highprority email sent to the network team for
remediation
24
Use Case - Visual Example
25
Training Program
• Ongoing training is essential for sustainability
• Analyst certification program in the wiki
– All new-hires go through the program
• Presentation skills are required
– Many times overlooked. Analyst must be able to communicate
effectively to all levels from technical to executive management.
• A culture of learning
– Brown bag lunch days, presentations
• Will be met with resistance, so be ready…
26
Tips for Success
• Show progress early and often
• Parade your wins
– Everyone likes a parade
• Use a Wiki – start a revolution
– Collaboration, process and procedure are key to longevity
• Have an internal analyst training program
• Remember: Garbage in-Garbage out
– SIEM is only as good as the content you write for it
• Develop meaningful metrics
– Know your audience
• Develop content around use cases
• Lead by example
– Use the wiki, dig around in the SEIM, don’t be afraid to try new things
27
Fred Thiele
Co-Founder, Laconic Security, LLC
303.641.3877
[email protected]
Laconic Security, LLC
11001 West 120th Avenue, Suite 400
Broomfield, CO 80021
[email protected]
www.laconicsecurity.com
28