
I Sliced My SIEM: Finally Getting Value Out Of Your SIEM!

BSides Luxembourg · 2018 · 40:25 · 134 views · Published 2018-10
Style: Talk
About this talk
SIEM history is linked to the evolution of the security industry. It was initially designed to manage NIDS noise and then evolved into a correlation platform where the findings of penetration test reports could be encoded. A couple of years ago, PCI-DSS and other regulations required "log analysis" to check the compliance box, and companies matured in security incident response and forensics; SIEM was the natural answer to those needs. That led many companies to invest (heavily) in SIEM technologies. Nowadays, when you talk to executives about SIEM, the most common word used is "disappointment": it represents a lot of money and the benefit is very low. This talk is about sharing proven processes that can help any organization get value out of its SIEM. It is NOT about new "shiny tools" or "easy tricks" that will increase the bill, but about tested, manageable processes that will help you get the most out of your SIEM.
Transcript [en]

[Moderator] Emanuelle, you go.

[Speaker] Thank you, thank you very much for being here, thank you for having me. So I'm gonna start my talk with two things, one sorry and one other thing. The first one is thank you to all the guys with the blue t-shirts for organizing BSides Luxembourg, it's a super great conference. I propose to give them a big round of applause for organizing, thank you. My second thank you would be for the only female speaker today, because I think we are missing many, many women in our teams, so thank you. For all the ladies there are two buttons at this BSides, you can have them. And if you are looking for more women in your team you can look at this project, cyberwayfinder.com. It's managed by one of my good friends, Patrick Wheeler, and actually it's a three-year program to bring more women into our industry. So if you want to hire somebody and they don't necessarily have an IT security background, Patrick will take care of them and bring them to the good level for you. I can use this meme for two different things, so it's pretty cool.

I'm very sorry for the title of my talk today. When I received the program I read all the talks, and for me my title was like super long, super commercial, something like this. Basically, if it had been the subject of an email I would have put it directly in the trash, because it's very, very wordy. But for sure I'm not trying to sell you anything, and my last thank you would be for you, for being here even with my title.

So a little bit about myself. This is me, and this is a favourite picture for my girlfriend, and on social media you will see more something like this, which is, I think, the best way to describe what I do: trying to look for a sheep in the middle of llamas. I'm not saying that all my sysadmins are llamas, but it's probably something that I'm trying to look for, the small differences between my sysadmins and the attackers. What I've done in my life: I started my career at Decathlon and then I moved to other big companies and BNP Paribas, and now I'm working for an MSSP. The luck is basically that I started in big company, big company, big company, big company, and then went to an MSSP, where now I can see many, many different types of companies, from the very small ones with like ten servers that still want security monitoring, to the very big ones that start their journey to the cloud and say, okay, because we are moving to the cloud we need to have more security, and then security monitoring. About my current employer: today I'm off, I'm on holidays, I'm not representing anyone, I'm here by myself, and all the opinions that I will share today are not related to my current employer.

So let's start with a very, very short history of our industry. Does anyone know the very first malware virus, when it happened and the name of the virus? For me it's the Wabbit virus in 1974. It's a very, very simple virus: what it did was just replicate itself, and at this time computers were very, very low in memory, so at some point it would just break the system, creating a denial of service. After that, malware got more and more trendy, and we had to wait some years to get the first antivirus, and we had the very well known magazine, they are still here. What is interesting is that in this very same year Fred Cohen wrote an article saying that signature-based technology will never work, and you cannot really predict a malware because you only know it from the past. And this is true, because in 1990 you have the Dark Avenger mutation engine that was released, so three years after the first antivirus we already have a solution by the red team: the virus will just shuffle its code and bypass all the antivirus, and it works.

Then we say okay, so now let's look at the network and implement barriers for the attacker. So the first stateful firewall in 1989, application firewall in 1994, and AppShield, which is a web application firewall, in these very same years where the internet started to bloom. What we had after was: okay, so we block them, but still they can go through our firewall on very common ports, so why not just analyze the traffic and see what is wrong in the traffic? So we had Bro twenty years ago, which is now Zeek, and Suricata in 2010. And then basically what we have done as an industry is to create more and more complexity, because the systems that we were monitoring were also more and more complex. So in 2005 Gartner said okay, now we need something to just bring all the complexity that we have been putting in for fifteen years into a single tool, so that it will resolve all our problems. And then we say okay, but now I have everything in my SIEM but I don't know what to look for, so let's start to share IOC lists, to share attacker techniques, and we created threat intelligence in 2010. But at the same time, 2010 is the first time that we see Stuxnet, and it's pretty interesting because the first time I read about Stuxnet I was fighting another worm called Conficker. I was fighting Conficker at Decathlon, and at the same time I read the words about Stuxnet, which is like two different worlds, so different compared in size, complexity, and so on and so on.

But what we forget a little bit is that in our security industry there have been people fighting since the 1960s, which is for me the very first time we had a threat hunt that was documented. It was actually at MIT, and they had a problem with the students that were calling: the bill that they were giving to the students was different from the bill that they received from AT&T. They said okay, we have a problem where I'm losing money, and they tracked down all the students that were exploiting a vulnerability in their systems to give them the bill. It was a very first incident response, the first one documented, and basically my talk today is about having the good people with a good process to find the bad guys. Okay, I don't cover the last ten years, but if you missed it there is a very good talk, a keynote that is just reviewing the last ten years, and I give you the YouTube link here, so go there and check it out.

So when I talk to my friends that are not in the security field, I say that I'm kind of a spider building my web, trying to have my web right, and as soon as one of the strings of my web is shaking I go out and check what's happening. This is the beautiful picture, but in reality it's more like this. First, we are more or less a fat spider, because we are always understaffed, we have many, many unknowns on our network, so basically when you reach this, I mean, you say yeah, probably it's doing like this, you record that, so yeah, probably it's working like this, but you don't know right now.

And this is what I see now from my MSSP standpoint. I really thought that people that would contract our services would be like, okay, we never thought about security and we want you to come and do the security, but actually there are many, many companies that say, oh, we tried and we ended up with this result, but at the end of the day we don't know how to do it, so could you please come and do the work for us. And this comes from this paper, basically, and honestly, how can we have something like this, like "you've lost control of your SIEM", like it's a car, you lost control, you are going into the wall. I'm not trashing the paper, the paper is really good, but I think it's a trend in this industry from one or two years that we are more and more criticizing the SIEM, and we have it like this: "you are no longer being poisoned by your toxic SIEM", "after you get rid of that SIEM, sober for three years", "it would never offer you any value". So it's one on one, but there are a lot of them: if you go on Twitter you're gonna find many, many people criticizing the SIEM. This one is pretty interesting because it starts to give an answer: organization: "my SIEM is a failure"; "who is using your SIEM?"; "well, are you trying to use it? I just deployed it"; well, no, it's not that easy. And my favourite tweet about SIEM is this one, plus one thousand points: "far too many InfoSec projects... security issues are first a people and process problem, technology is a distant third". I cannot agree more, so today we're going to talk about the process and the people and the SIEM.

When it comes to process, I worked in a very, very good company, very, very good at process: Airbus. I had the opportunity to be working on a fantastic project, the A330, and basically what I was doing was fixing this piece of the aircraft that is making all the connection between the wings and the body. So I started my day at 6 a.m. in the morning and my boss gave me the paper and said okay, so today you're gonna screw 12 screws. Okay, so what do I do next? That takes 20 minutes, you know, instead of a full day, so I was very skeptical. So the first point in the procedure was to choose the right screws. Do you know how many screws there are on an aircraft, and how many different screws there are on an aircraft? The answer is way too many, and the problem is this part of the aircraft is very much on the outside and there is a lot of strain going in all directions in this piece, so you need to set it right, because otherwise if it fails during your flight you can have a problem with that. So you get to choose the right ones, and then you have a procedure for that, and you should be sure that you have the right skills, because one millimeter can cause a disaster. Then, because you're gonna work on the wing of the aircraft, you have to prepare yourself and to be right with the safety. Then you are being controlled by your buddy, so your buddy is busy on another part of the aircraft, you ask him to come and check you, you can go, then you screw your 12 screws in 20 minutes, and then you ask your buddy to control your work again, and then at the end of the day you need to chase the certification body that is filling all the forms and saying okay, this aircraft is good for flying because they have checked it completely. So basically at the end of the day it's eight hours to screw 12 screws, but if you look at it, if you want to travel, they are reaching this very, very, very low level, and I think it's kind of inspirational to say okay, this industry has put in so many processes, so many controls, and at the end of the day they can claim that it is the safest way to travel. I even read a study that says if you eat peanuts during all the flights you have more chance of dying because of diabetes than because you have travelled in the aircraft; I don't know, let's check if it's true.

But I think one of the main problems, as I see from my MSSP, is some prospects that say oh, we need security, we're gonna jump directly to security monitoring because it's super trendy. But basically here you have security monitoring, and you have five other controls before, according to CIS, and if you don't start by knowing what you have in your network, if you don't have your vulnerability scanning, if you don't manage your administrators and you don't have a secure configuration, then I think you have some homework to do before going for security monitoring. We've seen so many, so many companies come in: please monitor my network, I don't know what is inside, I don't know if it's secured already, but still monitor it and if you find something, those intruders... I think it's the wrong approach. If you want to consider security monitoring, start first by doing your homework and get the first five CIS controls right. Sorry, I want to reference a very good tool to know where you are against the CIS controls. It's a very easy Excel file, you fill in your answers to a set of questions and at the end you have a risk score. It's super well made, you have one for managers, non-technical, and one for security professionals.

So let's assume now we are right and we have reached control number six. Congrats. So we start our journey for security monitoring, and I have been lucky enough to start the journey with my current employer: yeah, we know nothing about security monitoring, please start something. So I started with what I call the pyramid of joy, and I started to slice all that I would do in the near future. I started by saying okay, what we need first is a platform, a platform to collect all of our logs, but it's not enough. Most companies start here, with the platform layer, but what you need is to have the device layer. The device layer is the configuration and the maintenance of all the devices, and being sure that all your devices are talking to your SIEM. But it's not enough, you will have the data layer, because your device is talking to your SIEM, but do you have the right data, the data that is interesting for you? And only at the end you have the detection layer, which is all your rules, all that is getting value out of your data. Basically, having this approach resolves a lot, a lot of problems, because every time we had a problem we took a step back: where is the problem coming from, is it coming from the detection layer, the data layer, the device layer or the platform layer?

Then we apply that to three broad categories: people, process and technology. We're gonna start with the people. First, what type of people do you need? For the detection layer, for sure security professionals, because they will create the detections but also they will respond to the alarms, to the security incidents. They need to be curious, because they will create the new detections and you will rely on them pretty heavily for the new threats and the new techniques. The second is the data layer, and I think it's the most complicated layer, because you need to go outside of your SOC and start to talk to all the managers of the company to get your data. So you need somebody from the company, probably someone that has been ten years in the company, and say okay, come into my team and you will talk to people so that we can get the data that we need. The device layer will work mostly on tickets, but you will have to know more or less all the types of IT components that you can have, like network or systems. And at the end the platform, a job just like our sysadmin, and you will have all the skills you need. Then, depending on the budget that you're gonna have, you have more or less staff, and these are different scenarios that I would propose. If you have two staff, I would have the security analyst and the sysadmin: the security analyst takes care of the detection layer, the sysadmin takes care of the data, device and platform layers. With three staff, add the data manager, because one of the key successes of a security operations center is to be able to talk to everybody, to have the good connections; I think it's a very key person in your SOC. With four, double the security analysts. With five, start to have a device manager that will monitor permanently if the devices are talking to your SIEM. Six, more security analysts, because more incidents. Seven, I think you reach the level where actually you need a second sysadmin, because if one goes on holiday then you probably want to have somebody else to back him up.

Let's talk about process. So we won't go like this, with one big picture, but we're gonna slice it into the detection layer, the data layer, the device layer and the platform layer, and this slide is just about showing all the connections and that all the connections are integrated. I will publish it on my GitHub account right after the talk, with the presentation and also this image, but we're gonna go quickly through the four layers. The first thing that you need is to allow your analysts to have time to go and watch YouTube videos. This talk is recorded, thank you Cooper, and many, many talks are recorded by security enthusiasts, so if you can allow them like one hour, two hours, to go and watch videos, it's a super cool job: you can watch YouTube videos during your working hours, but then let them explore all the new techniques, could be red team, blue team. So this is the start of your process: you have a bright guy that has a good idea. The second way to start the process is to have a business use case. Then the first thing that we ask our security analysts is to record it, even if it's just an ID: okay, you go to the detection database, you record your ID and then you don't lose track of it. Then you look at the data: do we already have the data that we need in the SIEM? If not, trigger the other layer, call the data layer owner and talk to him, say okay, basically we need this data to make our detection work, can you get it, yes or no, and then it's a kind of feedback session between the two analysts. Then you implement it in your SIEM, and then with the documentation you ask for a peer review from somebody else in the team, to be sure that the detection is aligned with the objectives that you stated when you created it and started the process. Here you do the final change and you communicate to all the team, then you move to operations, daily operations. The operations are a bit out of the scope of my talk, but still, if you are interested there is a very, very good book I do recommend everyone to go and have a look at: it's Crafting the InfoSec Playbook. It's starting to be a bit old, it's missing the part where you need more controls about your detection, so tools like Caldera and automated red teaming, I think this is one part missing, but still a very good tool.

Then your detection is set to "new" when it's only the ID, you move it to "in progress" when you are on the peer review, "deployed" when it's in production, and I think what is interesting is, if it gets too noisy, not very aligned with the objectives that you stated at the beginning, move it to "assigned", and the guy that designed the rule has to fix it, so that you're not suffering from a lot of alarms that nobody cares about: you just assign it and you ask people to fix it. You can retire it if it's very related to a campaign, and say okay, we have this bunch of IOCs, but probably in one month it will be another bunch of IOCs, so retire the rule. And at any point you can reject it, but you keep track of it for the audit perspective.

The data layer, it's more simple. We see that it starts from the upper layer, which is the detection layer, and you have this peer review; it's kind of important because your data manager here will know exactly what data is inside. Then I think the most difficult job is to standardize and to level all your data, because if one of your analysts says okay, I'm gonna work on failed logins, but what is a failed login for a Windows system, what is a failed login for a web application firewall? It's every time a different type of log, but you need to standardize it and level it properly. Then, very key, having everything documented in the knowledge base, so that you can easily push it directly to the asset owners and say, basically, if you are the Windows admin, this is what we need to make our detection work. You can also push it to your control number five, that should already be implemented, and say okay, please check that the configuration is correct for our detection to work. Then you have this connection to the bottom layer, which is the device layer, so every time you scan and you find a new asset you can have a peer review with the data manager: do we already know that we have this technology in place, do we have the data for that, yes or no? Initially we put it directly here, but then we kind of started to discover shadow IT, and then you don't want your data manager to start spending time on instances that will be shut down in a matter of weeks.

The device layer: here it's CIS number one and two, hardware and software inventory. You prioritize your assets, you have a strong procedure about onboarding and offboarding your devices, and then you monitor that they are always talking to your SIEM, and you also push, or trigger, the secure configuration if you see that some data is missing from your devices. Finally, the platform engineer has access to this layer to say, for, let's say, too noisy devices that put your platform at risk, please unplug it. Finally the platform layer; I go very quickly on this because it's where everybody succeeds: initial installation, you monitor the health of your platform, you have the change management, incident management, it's pretty basic IT, and just in case of a very noisy device or a device not responding, just talk to the device layer.

Finally the technology. Basically the technology, I think if you have a bunch of money this is not where you should spend too much money; invest in the people level and ask for more staff, because honestly you can do many, many things for not that much money on your system. You can deploy Wazuh, osquery, Kolide Fleet, it will monitor all your endpoints and all types of servers. On the network you can have Suricata or Snort, and even an open-source firewall if you need it. You put everything in Elastic or a database, which is a kind of Splunk but cheaper, or Graylog; Graylog is free up to five gigabytes per day. A knowledge database is super important; you can use MediaWiki, it works well because it's super scalable, and also as soon as you bring somebody into your team, it works like Wikipedia, so they get easily onboarded. If you use the ELK stack you can use Kibana, and then you need a ticketing and a case management system, and does anyone know a very good case management system? TheHive, sorry, I saw there were some French here. So, yeah, and a very good threat intelligence platform for free: MISP, thank you. And you have your MISP platform, and basically if you have this it won't cost you a lot.

So this is the end of my talk. It's a process, it works for us, it doesn't mean it will work for you, but if you have problems apply the pyramid strategy, I think it's the best way to solve your problems: try the process, implement it, try if it works, write your procedure, and if it doesn't work, change it. Just to conclude this talk, I'm not very good at conclusions, so I just say, like: far too many InfoSec projects... most security issues are first a people and process problem, technology is a distant third. Thank you.

[Applause]

[Moderator] Okay, so is there any question? As I explained during the introduction, we have 15 minutes; we asked the different speakers to reserve 15 minutes to have interaction with the audience.

[Audience] Good morning. All right, first a quick feedback note, unwelcome or welcome, I don't know. The last ten minutes of this presentation were actually valuable to me; the first part of it, I could have stayed in bed, sorry. The last ten minutes, where we got into actual SOC and SIEM talk and content, were getting almost relevant, especially the last slide with the different tools, that's interesting and we can debate that. You skipped on the slide before that, or the slide before that, go back a step, and one more, and one more, that one. On this one you have device onboarding and offboarding, but on the next slide you had change management and on this one you don't, and then on this one you skip the concept of cloud and self-provisioning or auto-provisioning entirely. Please comment on change management in the context of this slide, and on cloud.

[Speaker] Okay, so for your first remark: you know that it's the very first talk of the day, and when I designed this talk I said okay, probably people will be late, because I'm coming from Spain and people don't arrive on time, so if I put the interesting topics directly at the very beginning then probably people that arrive late will miss the interesting things. So it's always difficult to be the first speaker of the day, because you don't know if the room will be here, if people will be taking coffee, but honestly it has been well managed by the guys because we are all on time, but I cannot bet on that. So indeed it's on purpose that I spent time doing history and things that probably you already know. Then the question about change management: here, for me, the change management you do it here, okay, because you are pushing your new configurations to the asset owners, and then the asset owners have the responsibility to implement the right settings to get the information that you need; it's a problem of this team, okay. And for the cloud, I don't think it changes anything, because here at the beginning of the process, oh sorry, wrong direction, at the beginning of the process when you scan you can also scan your cloud and see if there is any new asset. Sorry, I didn't get your question right here, but every time you provision something you're gonna be billed for it, so basically you can also look at how much you're billed and see what is in the system, and I think if something is not labelled or you don't know what it is, then you need to take action on it.

[Audience] The challenge is, once you start using cloud systems that can auto-provision, scale up, scale down, then how do you do configuration management? How do you have that single asset repository with up-to-date information on every asset you have? Even if you auto-scan it, it will be out of date or wrong within minutes, even seconds. How do you do some kind of vulnerability scanning? Do you even need to do vulnerability scanning on a server that is provisioned and maybe runs 24 hours and then it's gone forever after? These are really important questions, at least to me, in the context of your presentation.

[Speaker] Yeah, so for vulnerability management I think, I mean, you can scan depending on what you have defined as the right interval between your scans, but I admit it's a problem, I'm not challenging that, and it's difficult to do. But for asset management I do think that even if you are in the cloud you do have one advantage: you're going to be billed for the assets. Every time you start a new server in the cloud you will be billed for it, so you can wait until the end of the month, then it's one month, but you will know exactly what you have. And the second point is, yeah, there is one disadvantage there: you don't have any gatekeeper, because everybody that has access to your cloud can set up a new server at any point in time, and in this case it's a kind of process, and be sure that people follow this process, to be aware that any new server will be recorded and you will be informed of that. And I don't think that you are very convinced; well, it's a very good question and I can talk more about it.

[Audience] Hello, so I really appreciated your talk, on the other hand, because I started my first job as a SIEM engineer in a bank in Slovakia, and people told me okay, you need to implement the SIEM, but I had no process to start with. So you start trying to think, okay, in terms of technology, which technology do I choose, and so on, and you forget the most important aspect, which is the people, because integrating a SIEM is speaking to all the different teams in IT, deciding how you will keep the logs, share the logs, because it can be interesting for other teams. And I think, for us, for this feedback, we were two engineers working on this project: I was working only on the process and people, and my other colleague was working on the technology aspects, that is to say what is really important. So that's why I think back then I would have really appreciated a talk that details the steps, and I hope that you put it online. But the only aspect is, I think it speaks a lot about the process, but the really difficult aspect is really to go to the management to sell your projects, to see the managers and to make them buy the project, and I think that's a point that's missing in your presentation, but overall I like the procedure you detail.

[Speaker] Thank you very much for the good feedback, and I think probably everybody experiences it: we are in a job that is so, so political, and I think it's something that we need to change as an industry completely. We need to get rid of all these clichés that we started with, because of the hacker, because it's bad, or just saying no to projects, and move more towards: here, I understand what you want to do, what you want to achieve, I embrace completely the goal of the company, but I just want to give you good practice guidelines, and we can work together and you can challenge us. Then the objective for you is to get like your 80%, so really what you want to achieve, and let go of the 20% that will make the difference between being this security team in the corner that always says no and that we don't want to talk to, and somebody like, yeah, you will be inside the team and considered as somebody that is adding value. Thank you for the nice time.

[Moderator] No more questions?

[Audience] I also liked it, and for me one key aspect is the data layer, because it's something that, you know, we often say your system is as good as the data you put in it, and for me we are still in another loop, because if you take the last slide with all those technologies, we have this issue of data quality at every single tool. Like MISP is a great platform, but if someone puts 8.8.8.8 in your feed, then your SIEM is going to go crazy, and trust me it happens a lot; we get it in our everyday job, like microsoft.com, google.de, 8.8.8.8 in events that are pushed. So what would you do to avoid that kind of issue?

[Speaker] Yeah, so I didn't talk too much about threat intelligence and go into detail, but what I think, and I think MISP is great for that, is that you need to have communities at different levels. Here, if you build trusted communities and you know personally the people, you can go and say yeah, I know this analyst pushed this, I can trust it 100%, and you have this top community where you don't check anything and you push it directly to the SIEM, because you have built this community with companies that are similar to you and behaving in the same type of industry, and then you can trust it and push it directly. For others that you don't know, it's open source, it's somebody on the other side of the planet, then there is always a quality review, and it's more used for incident response and querying the threat intelligence platform than for doing data enrichment.

[Audience] More of a side aspect I will add: when I was implementing the SIEM we did that with our own team, but at some point somebody said hey, did you check with the works council, so the syndicate in the company, because they may react, because you're collecting data from the employees. And after one year of development people were saying yeah, we need to take care of PII, so personally identifiable information, you know, the name, the hostname and so on, so that people will not complain that, you know, we log in on the machine, basically. And back then we got the feedback saying okay, you need to remove every IP from your SIEM, and yeah, that was clear and it had to be done. So yeah, just saying that this aspect is important, because maybe you enter this plan technically, but you have to develop an architecture where for every component you have to send a hashed version of the IP, not the real version, and set up an alarm if someone connects to this SIEM with the real IP; you should allow the security team, but just to serve the regulation and the people within the company, so you just have to go and implement that in the SIEM. So to say that this technology is really a sensitive spot, it sees everything, which is the wrong... yeah.

[Speaker] And from the legal perspective, I think then we need to get out of all the emotional aspect: oh, there is a SIEM now in the company, so I am being spied on. So that's a new procedure, and in your process there are very strict guidelines that respect the law, and if there are still problems you can just mask and replace the value by something else. This is also what we do in the cloud: you just swap the data by another one, but we are still able to recover it.

[Audience] Thanks for sharing that. That was as fantastic as GDPR requiring the Whois databases to stop showing the email addresses of the people registering domains; it's something that, when implemented, actually hurts security for any company or any researcher. And in the context of GDPR, I would not recommend, from my personal experience and everything I've been reading, and I read a lot, that you actually go ahead and remove the IPs. Instead, if you're talking to lawyers in a situation like this, go with all the other ways that GDPR has for you to get approval to do this, because you need IPs in your SIEM. How are you going to correlate anything with your perimeter devices if you don't have IP addresses? What use is a forward or reverse proxy if you don't have the IP addresses? You will be stuck, stuck and stuck multiple times throughout the sub-processes if you don't have the IPs. So GDPR gives you ways to do this: if you have a valid business reason, contract, legal basis, consent, you can go ahead and you can store all of this. You can even get some kind of security clearance for your SOC operators, the system administrators who can log onto the server as well, and there are so many ways to get approval for storing some kind of PII that I would definitely pursue, instead of just giving in to some lawyer and telling him okay, we'll remove IP addresses and use a hash.

[Speaker] Thank you.
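The data-layer step the talk describes (standardize and "level" a failed login so that a Windows event and a web application firewall log mean the same thing to a detection) and the device-layer check (monitor permanently that every device is still talking to the SIEM) can be shown in a few dozen lines. The block below is an added example written for this transcript, not code from the talk or the speaker: the event records, the WAF line format, the field names and the thresholds are all constructed here. Only the Windows event IDs 4625 (failed logon) and 4624 (successful logon) are real.

```python
"""Added example for the data and device layers of the talk's pyramid (not
code from the talk or the speaker).  It normalizes "failed login" events from
two log sources into one schema, runs one detection over the normalized
stream, and flags log sources that have gone silent.  All log lines below are
constructed for this example; the WAF line format is hypothetical."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2018-10-05T08:00:01Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample events.  4625 is the real Windows "failed logon" event ID
# and 4624 the successful one; the WAF line format is made up for the example.
SAMPLE_EVENTS = [
    {"source": "windows", "EventID": 4625, "TargetUserName": "Alice",
     "IpAddress": "10.0.0.7", "TimeCreated": "2018-10-05T08:00:01Z"},
    {"source": "windows", "EventID": 4624, "TargetUserName": "Alice",
     "IpAddress": "10.0.0.7", "TimeCreated": "2018-10-05T08:00:30Z"},
    {"source": "waf", "raw": '2018-10-05T08:01:10Z client=203.0.113.9 '
                             'user="alice" status=401 msg="login failed"'},
    {"source": "waf", "raw": '2018-10-05T08:01:12Z client=203.0.113.9 '
                             'user="alice" status=401 msg="login failed"'},
    {"source": "waf", "raw": '2018-10-05T08:01:20Z client=203.0.113.9 '
                             'user="bob" status=200 msg="ok"'},
]

WAF_RE = re.compile(
    r'(?P<ts>\S+) client=(?P<ip>\S+) user="(?P<user>[^"]*)" status=(?P<status>\d+)')


def normalize(event):
    """Data layer: map a source-specific event onto the common failed_login
    schema, or return None when the event is not a failed login.  Supporting
    a new log source means adding one branch here; detections stay unchanged."""
    if event["source"] == "windows":
        if event["EventID"] != 4625:
            return None
        return {"category": "failed_login", "source": "windows",
                "user": event["TargetUserName"].lower(),
                "src_ip": event["IpAddress"], "ts": parse_ts(event["TimeCreated"])}
    if event["source"] == "waf":
        m = WAF_RE.match(event["raw"])
        if not m or m.group("status") != "401":
            return None
        return {"category": "failed_login", "source": "waf",
                "user": m.group("user").lower(),
                "src_ip": m.group("ip"), "ts": parse_ts(m.group("ts"))}
    raise ValueError(f"no normalizer for source {event['source']!r}")


def last_seen(events):
    """Latest timestamp per log source over all raw events (not only failed
    logins), so a device counts as alive as long as it sends anything."""
    seen = {}
    for ev in events:
        ts = (parse_ts(ev["TimeCreated"]) if ev["source"] == "windows"
              else parse_ts(ev["raw"].split(" ", 1)[0]))
        seen[ev["source"]] = max(seen.get(ev["source"], ts), ts)
    return seen


def silent_sources(events, now, max_silence=timedelta(minutes=15)):
    """Device layer: which sources have sent nothing for longer than max_silence?"""
    return sorted(src for src, ts in last_seen(events).items() if now - ts > max_silence)


def failed_login_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Detection layer: users with >= threshold failed logins inside `window`,
    counted across every source because the data was levelled first."""
    by_user = defaultdict(list)
    for ev in events:
        norm = normalize(ev)
        if norm:
            by_user[norm["user"]].append(norm["ts"])
    alerts = {}
    for user, stamps in by_user.items():
        stamps.sort()
        for i in range(len(stamps)):
            # Sliding window: count failures no later than window after stamps[i].
            j = i
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts[user] = j - i
                break
    return alerts


if __name__ == "__main__":
    print(failed_login_alerts(SAMPLE_EVENTS))
    print(silent_sources(SAMPLE_EVENTS, parse_ts("2018-10-05T08:16:00Z")))
```

On the constructed input, the one Windows 4625 and the two WAF 401 lines for "alice" add up to three failed logins inside five minutes, so the single detection fires although no one source alone reached the threshold; "bob" produces nothing because his WAF line is a 200. With a reference time of 08:16:00 the Windows source has been quiet for more than fifteen minutes and is reported as silent, which is the kind of signal the talk's device manager is meant to act on before the detection layer notices that alarms stopped coming.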