
Okay folks, we're going to go ahead and get started. The name of this talk is "SIEMple Technology", and here's Dope.

Hi everyone. Just out of curiosity, is anyone planning, or working through, setting up a SIEM in their environment? All right, good. To start off, as I said, my name is Bill Davison. I go by PolarBill on Twitter, feel free to follow me. I'm a security engineer at (ISC)², and of course they want me to say that my comments are my own and not those of (ISC)². I'm also a board member of the Central Florida Linux Group; I've been around for ten years at minimum. I volunteered at BSides Tampa, and I have to do a quick plug for them: 2016 is actually going to be on a cruise ship, yes, with only one stop, at Cozumel. The CFP opened up yesterday, and if you get accepted that's a free cruise for you and another person, so it's not too bad. We're hoping to get a lot of people there. Anyways, I also foster dogs from the Florida Boxer Rescue; up there in the corner you can see Gnarly on the right and Luna, who actually passed away on Friday. They were a bonded pair.

So anyways, I broke my talk down. This time, with 20 minutes, you can't go in too deep, so it's a low-tech talk in approximately three sections: researching the options that you need, implementing it in your environment, and basically managing the SIEM and maintaining your goals. I wrote this talk specifically because I was handed a SIEM at one of my previous jobs and had nowhere to go. I scoured SANS and many other places and saw a lot of how-not-tos, but not a really good road map on how to set up a SIEM in your environment. So that's my goal here: to give you the golden brick road. You are going to have issues along the way, but at least this will give you a good path to follow.

All right, to begin with: what is a SIEM? Of course it's security information and event management. What is a SIEM? It's a very versatile tool. Mainly, for me, it's log collection, log correlation, alerting on the logs, and retaining those logs. They can do many other things too: a lot of them do performance metrics, network, process or file integrity monitoring, and all of those usually let you query the logs to look for specific things. Now, if you're building a SIEM, you need to not just set it up in your environment; you need to know what value you're trying to create by getting it. Are you trying to get faster incident response by being alerted on key issues, or just being able to query all of it, centralization, with all the logs in your environment? If you're going for visibility, for such as yourself, again, are you trying to see key values in your environment, or for upper management, are they getting dashboards and relevant metrics out of it? And truthfully, are you trying to save money and time with this? In many ways a SIEM can help you automate some of the SOC processes that are very manual, and it can help maximize productivity, while hopefully not firing any guys in the process.

All right, so we all hate it, let's get compliance out of the way. A few of them do have some logging requirements, and it is a good justification for a larger budget. PCI and HIPAA in particular: PCI has one year retention; HIPAA, depending on your state, has six or seven years you have to retain those logs. That's something you'll want to focus on when you're looking at your SIEM, whichever choice you make. And if you do deal a lot with compliance, I want to do a quick plug: UCF has a website, the Common Controls Hub. If you're an (ISC)² member they give you a free demo account, and they break down a lot of the controls per compliance regime, thousands of different compliance options. It's a pretty nice, handy tool.

Now, we were talking about SIEMs. If you had questions: of course, this isn't going to be just a blinky box. It's going to require man-hours in your environment. I'm glad I got a laugh out of that one. Now, the SIEM itself is only as good as it's configured for your environment. If you don't have too many people, if you don't have a good staff to run it, internal might not be your best option. Looking at a hybrid option, where it's externally managed within your environment, or complete cloud, might make a better choice for you, because they have the expertise in place. You do miss stuff, because at the end of the day they're looking at their bottom line, but it's another option to get you started. And I didn't mention it yet, but a SIEM can be either software, or you run it as an appliance, or you run it as a virtual machine.

Now, sitting here, most of us are blue team trying to get stuff set up, but the SIEM doesn't have to be just for us. Help desk would surely like to know it for things such as account lockouts, and where they are happening and who they are happening to. Your network team would like to know when there are saturation point issues. Development would probably like to be alerted on error logs quicker so they can respond to those quicker. Auditing, of course, would like all the historical transactions in one place to make their job easier, and the web department will probably want to look at performance metrics and also web logs, the same aspect.

Now, I put it down into a couple of different arbitrary sections here. The first one is network logs. You can pull lots of interesting information from firewalls: you can look at what's being blocked and what's being allowed in your environment. With intrusion detection and prevention you can also see that. With NetFlow data you can see exactly what's happening, what congestion there is in your network, and further detail on what's being processed through. With WAFs you can see what URLs are being accessed, what URLs are being processed, and also any cross-site scripting or SQL attempts on your network.

In the server category here, web requests: it's good to know what web pages people are trying to pull from your websites. DNS: it's good to know what websites your end users are accessing. Your authentication databases, LDAP, AD, will know who's trying to break in, who keeps fat-fingering their passwords all the time. File integrity: when things change in your environment, it will also show you any application changes or any odd issues that might occur. Part of that, on end users, AV, once again, will show you any time any weird applications occur; it might be benign, it might not, but it's still good to know in your environment. System logs can tell you what processes are trying to reach out and when they've been started. Local firewall, even if you set it up for allow-any, will still tell you when they went to this website or went to that, which will be visible in the logging. It's also good to know what applications are installed and what events are occurring on those, and you can even go as far as getting the PowerShell command line: what PowerShell commands were run on those systems.

Security logs is the last section here. We all know AV is dead, but there is still some value in detection. To begin with, you can see some of the well-known malware when that gets installed. You can also see when someone just plugs in a random thumb drive they found off the ground. Beyond that, you can also get more data on application whitelisting systems. Your vulnerability scanners can tell you which systems have a higher chance of being broken into, to give them a higher priority for alerting. And honeypots, in particular internal honeypots in this case, can show you any curious users sniffing around in your environment.

So one of the big things about the SIEM is not just getting the logs, it's correlating them. We're all understaffed, we're all overworked; this will help you be alerted on the more important things in your environment. A couple of the most basic ones are two successful login attempts from the same user in two different countries within the same day or the same hour. It's totally unlikely that's actually going to happen in real life, so you probably should be alerted on it. Some of the other things: a good number of failed attempts trying to access an SSH or remote access server, followed up with a successful attempt from that same IP address; probably an issue there. Last but not least, a little more difficult, but you can also do some things such as: you see an nmap scan on your environment, or SQL injection, and then you see a large amount of traffic leaving your environment towards that same place. That's another thing you can be alerted on.

Now, we already spoke about man-hours here; there's a bit more than that. You also need to be aware that most enterprise products will charge you on events per second, so they'll be broken down into tiers. This data isn't complete; there is no perfect formula for your environment, because the logging changes for every single system, but you can figure that out by doing a proof of concept, which I'll speak about later. As part of those events per second, you also need to know not just what's coming in, but also which ones you need to process, which ones you need to correlate. Some of them you might just need to log and store away without doing anything, for reporting purposes, and, as I mentioned earlier with HIPAA, how long do you want to store them. Part of that too is that the SIEM will process the logs, but it won't keep all the metadata from the logs for the lifespan of those logs; at that point it's really slow and really cumbersome. Most of them usually sit somewhere between a week and a month, depending on what processing power comes with it. Knowing how quickly you'll need to pull data from X months ago or days ago is something useful to know in your environment.

So now we've got a list of things we want to do; we've spoken to other departments about what we want to see. As we said, let's make the list and let's prioritize this list. It's got to be important. Let's start off with creating the top five or ten things in your environment that you want to log, essentially. You don't want to be like Sisyphus pushing a rock up the hill, having it roll back down, and feel like you're getting nowhere at the end of the day. This list is going to change as you work on stuff, but you want to break it down into small, bite-sized things you can accomplish and get done. Beyond that, once you get all that, you need to make your decision on what SIEM will suit your environment. Wikipedia has a list of SIEMs, but they don't really break down the full list of features, so truthfully the better option would be speaking with friends, other co-workers or colleagues in the industry. There are some pretty decent VARs out there that could actually help you instead of selling you the priciest thing. You can run a POC in your environment, which I would highly suggest if you have any esoteric or odd devices that you want to make sure get logged properly or get parsed properly in your environment. At the end of the day it's a roll of the dice; there's only so much you can do about that, because even with a POC going as well as it does, it's going to take multiple months generally, but most will do what you need. Hopefully you'll get the better one that works well in your environment.

So now we know what we want; how do we get there? First off, as far as implementing, as I suggested with the Sisyphus comment earlier, you want to do a phased approach. Now, this could be the most critical systems in your environment; this can be the ones that have compliance requirements; this could be where you have the least amount of visibility in your network that you'd like to see; or the ones that aren't being logged or parsed properly, so you're either getting a VAR in there or spending a lot of time to parse it properly. Now, as far as collecting logs, the first part should be obvious: if you can do TLS, do that; if that's not an option, go for TCP; if you have nothing else, go for UDP. Yeah, we all know the UDP joke; I'd tell you, but you'd never get it. So, as far as Unix systems, they pretty much have syslog or some type of syslog already, pretty well covered with rsyslog, preferably, syslog-ng, or syslog itself. As for the Windows environment, you really need to talk to your SIEM provider on what they suggest you do. There are ones that have agents you install on your system that push data, and there are also ones that are agentless, that usually do WMI, or maybe at some time they might start doing some other type of option. There are pros and cons for each; you kind of need to know for your environment. I know a lot of people don't love or even like another agent on their systems, but there are some benefits: more information, and you get it in real time compared to polling it from a system. Now, as far as network gear is concerned, most of them, depending on what they do, either syslog or flow data will cover what they need, or SNMP, which I avoid, and some of them do have some proprietary options, but you've already covered those with your POC.

Now, here's the most important slide for me: tweak, alter, test, and then do it again. This is one slide of my talk; this is going to be most of your time setting this up in your environment. The fact is, you realize you're not logging certain things, you're logging other things you don't care about, and you're going to have to test something out: try and break into your environment, have a red team come out, do a pen test, recreate what you're being alerted on, making sure you're being alerted properly for everything. This will take a while, but that's why I suggest the phased approach, so you can test in phases. The goal for this, for your SIEM, is that it's not going to cry wolf; it's not going to yell at you when someone fat-fingers a password once in your environment; it doesn't nag you repeatedly; or, worst case, it doesn't do nothing at all. What you want your SIEM to do, essentially, is to make your life easier. You want it to provide actual alerts. You can have it send reports, but there's no need to send these to you immediately when they happen; you can have these weekly or monthly if you know you're not going to take action on those right away.

Now, after you go through the first phase or multiple phases of your approach, we'll get to managing and maintaining it. We spoke about having other departments join in so they can get logs. It is a good idea to have a liaison in each department letting you know any time there's any downtime, any upgrades, or any change of the sort that prevents them from getting alerts and prevents you from getting alerts, so you're not left not knowing what's happening in the environment. It's always good to be proactive. A SIEM of course will need to be updated; not only will the SIEM need to be updated, but probably also the platform it's on, and usually there are also separate parsing rules for the different logging. Each of those can change in your environment; you want to know that as it's coming in, and also be aware that if a little parsing change alters something specific in your environment, it might just start alerting you a thousand times, just as a way of being a SIEM. Come on.

Now, another important thing is the security and integrity of all these logs. If you're doing it for incident response, you need to make sure your logs are intact, that they haven't been altered; you want non-repudiation on all your logs. A lot of the enterprise ones will usually do an MD5 fingerprint, or another fingerprinting, and okay, with a good timestamp, they'll do an MD5 hash with some other type of something else. Beyond that, going through your environment, you want to harden your SIEM to prevent any issues like that, because this is where all your logs are going into; you don't want someone breaking into this, it kind of defeats the purpose of it. And with the last one, of course, you want to keep your logs in sync as far as time is concerned. If they're all showing different times it's going to make your job harder. Usually you want to go for the same NTP server, and usually also have them all on the same time zone, whether that's Zulu time or, if you're a smaller environment where you're all in one place, then they'll all go off that one, as in my case. Beyond that, you'll also want periodic reviews and revisits. You want to basically make sure everything is coming in properly on the SIEM; you want to make sure everything's being seen, and you want to make sure that essentially nothing is being missed in your environment. And above all, as we spoke about the value earlier, are you getting the value you expected out of it? If not, are you going to want to spend more time or money with VARs and get it going, or is it worth looking into another SIEM?

Now, to wrap up here. To begin with, you want to find the solution that fits your needs and your environment; you want to start sending logs; and then you want to keep it up to date in your environment. I know I spoke a little bit quickly here. I didn't mention it earlier, but on the beginning slide, github.com/PolarBill, later this week, will have all these slides plus some other technical documents you can reference to dive in a little bit further. And there are a few people I'd like to thank for this: Russell, somewhere in the back, he's been my mentor, he's been invaluable helping me through this whole process; my wife Andrea, who drove me at three-thirty in the morning to get to my plane on time today, and also just let me spend all my time diving in and ignoring her just to get all this done. I'd like to thank BSides Las Vegas for doing Proving Ground, because it's definitely helped me step out here and get into an environment like this. And I'd like to thank all you guys for coming out for this talk. Are there any other questions?

[audience question] Like correlation? Red team works well in a couple of my cases, because, as I mentioned earlier, when I started I actually used an external VAR and they kind of just sent me a list: here's the stuff we go for. Online? All right, I'll save that for my next company. So yeah, essentially, if you do have a red team do a pen test, they're going to hopefully show you afterwards: here's how we broke in, and then you can correlate: okay, how can we make the SIEM alert us when that has occurred?

[audience question] Well, I've never run two at the same time. As you said, some are good at some things, others at other things, and they're all different. Most of the value you get out of it is how much time you put into it, but unless you have completely separate environments, I wouldn't feel comfortable having two SIEMs, because they wouldn't really talk to each other properly for correlation; you're probably missing some alerting. All right, if that is it, I do thank you for this.
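As an added example (not from the talk or its slides), here is a small Python correlation check over constructed sshd-style log lines for two of the rules the talk describes: several failed SSH logins from one IP followed by a success from that same IP, and one user logging in from two countries within an hour. The line format, the country tag, the thresholds and the window sizes are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines (not real logs): sshd-style auth messages plus a
# country tag that a GeoIP enrichment step in the SIEM would normally add.
SAMPLE_LOGS = """\
2016-03-01T08:00:01Z sshd[101]: Failed password for alice from 203.0.113.7 country=US
2016-03-01T08:00:05Z sshd[102]: Failed password for alice from 203.0.113.7 country=US
2016-03-01T08:00:09Z sshd[103]: Failed password for root from 203.0.113.7 country=US
2016-03-01T08:00:30Z sshd[104]: Accepted password for alice from 203.0.113.7 country=US
2016-03-01T08:10:00Z sshd[105]: Accepted publickey for bob from 198.51.100.4 country=US
2016-03-01T08:40:00Z sshd[106]: Accepted publickey for bob from 192.0.2.9 country=BR
2016-03-01T09:00:02Z sshd[107]: Accepted password for carol from 192.0.2.20 country=DE
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for "
    r"(?P<user>\S+) from (?P<ip>\S+) country=(?P<country>[A-Z]{2})$"
)

def parse(text):
    """Turn raw lines into time-sorted event dicts; unparsed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def brute_force_then_success(events, threshold=3, window=timedelta(minutes=10)):
    """Rule 1: >= threshold failures from an IP, then a success from the same IP inside window."""
    failures, alerts = defaultdict(list), []
    for ev in events:
        if ev["outcome"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])
            continue
        recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append((ev["ip"], ev["user"]))
        failures[ev["ip"]].clear()  # any success ends the failure run
    return alerts

def impossible_travel(events, window=timedelta(hours=1)):
    """Rule 2: one user with successful logins from two countries inside window."""
    last, alerts = {}, []
    for ev in (e for e in events if e["outcome"] == "Accepted"):
        prev = last.get(ev["user"])
        if prev and prev[1] != ev["country"] and ev["ts"] - prev[0] <= window:
            alerts.append((ev["user"], prev[1], ev["country"]))
        last[ev["user"]] = (ev["ts"], ev["country"])
    return alerts
def run(text=SAMPLE_LOGS):
    events = parse(text)
    return brute_force_then_success(events), impossible_travel(events)
```

Calling `run()` on the sample returns one alert per rule: the 203.0.113.7 failure run ending in alice's success, and bob's US-then-BR logins thirty minutes apart; alice's single-country logins and carol's clean login raise nothing.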