SIEM Introduction Seminar - Iman Mansoori


Security Information and Event Management (SIEM)

Iman Mansouri – Sr. Security Solutions Consultant


CCIE, CEH, CHFI, ECSA, NSE4, JNCIP, ArcSight ATP, Splunk Architect

@Cisco_in_persian_channel Telegram.me/SOC24x7
Agenda

• Instructor Introduction
• Information Security Risk
• Why we need SIEM
• SIEM Components
• Demo - Splunk

@cisco_in_persian_channel Telegram.me/SOC24x7 SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
Good Facts

Information Security Risk

CIA Triad

Asset Value

Risk Definition

From the IT security perspective, risk management is the process of understanding and responding to factors that may lead to a failure in the confidentiality, integrity or availability of an information system.

Risk Definition

Process       Malware        AV
Systems       Exploit Kits   Firewall
Network       Bots           IPS
Application   APT            Sandbox
Etc.          Etc.           Etc.

Risk Definition

Confidentiality          Integrity           Availability

• Password Compromise    • Watering hole     • Resource Exhaustion
• Data Leakage           • Backdoor          • Ransomware
• Data Exposure          • Data Injection

Risk Identification

Risk Prioritization

Wrap Up

Why?

Why do we need SIEM?

The Answer
SIEM is an evolved concept
• SIEM is a concept that has evolved over the last few years
• We started with simple data collection and are now facing advanced capabilities
• The main job of the SIEM concept is to turn our data into knowledge, and knowledge into
wisdom
• Basically, the SIEM's job is to provide situational awareness and priority-based incident
detection and alerting
• To perform this, SIEM handles both of the functions mentioned
– Data Collection
– Data Processing, analysis and decision making
• SIEM is not a smart entity; it can only analyze and make decisions based on what it
is told
• Proper feeding, tuning and optimization of the SIEM is the key factor in a successful
SIEM deployment
• WE DON'T BUILD A SOC TO RUN A SIEM

SIEM Vendors
• We have a number of domestic and international players in SIEM
• Vendors:
– Ravin, Correlog, Parham, Mavara, etc.
– HP ArcSight, Splunk, LogPoint, QRadar, etc.

• The capabilities and features provided differentiate these products

• Gartner and Forrester are great references to study the pros and cons of each product

HOW

SIEM Components

SIEM Main components

• Every SIEM should include a number of components and modules

• These modules can be categorized into 6 groups:

– Data Collection
– Parser and Normalizer, and sometimes Enrichment
– Analyzer
– Visualization and dashboard
– Reporting
– Storage

• Each component will be explained separately in the following slides

Collect My Data !

• The Data Collection module is made of two elements

– Sensors sending data
– Collector daemons collecting the received data

• Data collection can be done in two ways:

– Pull-based (database queries, remote Windows log collection, etc.)
– Push-based (agents, syslog, etc.)

• The more collection methods we support, the better SIEM we have

• Example agents include:
– SmartConnector from ArcSight
– Forwarder agent from Splunk
– WinCollect from QRadar

Parse and Normalize !

• The first step to process data and make it meaningful is parsing and normalization
• Here we extract data from our data (logs) and map it into what we can understand
• Mostly, regex is used for parsing
• Mapping our extracted values to fields is called normalization
• Here is the example:

Sep 29 23:49:20 SRX-1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.1/54924->192.168.1.1/53 junos-dns-udp 17(0) default-deny(global) trust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny

regexp="(?P<date>\w{3}\s+\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P<device>\S+)\s+\S+\s+\S+\s+RT_FLOW\s+-\s+(?P<module>\S+).*source-address=\"(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\"\s+source-port=\"(?P<src_port>\d+)\"\s+destination-address=\"(?P<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\"\s+destination-port=\"(?P<dst_port>\d+)\"\s+service-name=\"(?P<service>\S+)\"\s+protocol-id=\"(?P<protocol>\S+)\"\s+icmp-type=\"(?P<icmp>\S+)\"\s+policy-name=\"(?P<policy>\S+)\"\s+source-zone-name=\"(?P<src_zone>\S+)\"\s+destination-zone-name=\"(?P<dst_zone>\S+)\".*"

Analyze and Decide !

• In the Analyzer module we use different techniques to detect cyber attacks, footprints of
attacks, breaches and anomalies in the logs
• We have event rules, statistical calculation, pattern discovery and AI to help us find
these
• Here we decide whether to alert, report or even generate more events
• In rules, we use conditions to identify indicators in our logs
• We have simple conditioning, Correlation and Complex Event Processing (CEP)
– Destination IP address equals xxx (C&C detection)
– Port equals 3389 and connection from non-admin zones (Unauthorized Access/Malware/Breach)
– Antivirus detects a virus and then a high amount of traffic from that machine
• We have statistical calculations
– Moving average of firewall changes +50 percent (Traffic spikes)
– High number of login failures from the same machine (Account harvesting, brute-force authentication)
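Two of the rules listed above, implemented over a constructed stream of normalized events as an added example (not the seminar's code): a statistical rule for a burst of login failures from one source, and a correlation rule for an antivirus detection followed by a large transfer from the same host. The event fields, thresholds and windows are this example's assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalized events of the kind the parser stage would emit.
EVENTS = [
    {"ts": f"2023-09-29T23:49:{s:02d}", "type": "auth_fail", "src": "10.0.0.7"}
    for s in (0, 5, 9, 14, 20, 31)           # six failures within 31 seconds
] + [
    {"ts": "2023-09-29T23:50:00", "type": "auth_fail", "src": "10.0.0.8"},  # lone failure
    {"ts": "2023-09-29T23:51:00", "type": "av_detect", "host": "10.0.0.9"},
    {"ts": "2023-09-29T23:58:00", "type": "netflow", "host": "10.0.0.9", "bytes": 900_000_000},
    {"ts": "2023-09-29T23:59:00", "type": "netflow", "host": "10.0.0.10", "bytes": 900_000_000},
]


def ts(e):
    return datetime.fromisoformat(e["ts"])


def login_failure_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Statistical rule: at least `threshold` auth failures from one source inside `window`."""
    per_src = defaultdict(list)
    for e in events:
        if e["type"] == "auth_fail":
            per_src[e["src"]].append(ts(e))
    alerts = []
    for src, times in per_src.items():
        times.sort()
        # Sliding window: the i-th and the (i+threshold-1)-th failure must be close enough.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append({"rule": "bruteforce", "src": src, "count": threshold})
                break                       # one alert per source is enough
    return alerts


def av_then_traffic(events, min_bytes=500_000_000, window=timedelta(minutes=30)):
    """Correlation rule: an AV detection followed, on the same host, by a large transfer."""
    detections = [(e["host"], ts(e)) for e in events if e["type"] == "av_detect"]
    alerts = []
    for e in events:
        if e["type"] != "netflow" or e["bytes"] < min_bytes:
            continue
        for host, when in detections:
            if host == e["host"] and timedelta(0) <= ts(e) - when <= window:
                alerts.append({"rule": "av_then_exfil", "host": host})
    return alerts


def run_rules(events):
    """Run every rule over the event stream and return the combined alert list."""
    return login_failure_bursts(events) + av_then_traffic(events)
```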

Visualization and Dashboarding

• Here I visualize both my raw data and processed data

• Here I can use tables, graphs, trends, charts and maps to help me:

– View my data
– Find anomalies
– Gain situational awareness

Alerting and Reporting

• In the final step, the SIEM alerts on the detected or suspicious incident
• Alerts can be sent via email, syslog message or an event
• Event generation lets the SIEM chain multiple events together
• Here our alerts are prioritized and evaluated based on:
– Attack severity
– Asset Value
– Relevance
– Risk rating
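One way to combine the four factors above into a queue order, written as an added example rather than any vendor's formula: severity comes from the rule, asset value from an inventory, and relevance from whether the target actually exposes the service the rule is about. The inventory, the severity table and the 0-10 scaling are this example's own assumptions.

```python
from typing import Dict, List

# Constructed asset inventory: business value 1-10 and the services each host runs.
ASSETS: Dict[str, dict] = {
    "10.0.0.5":  {"name": "domain-controller", "value": 10, "services": {"ldap", "kerberos", "rdp"}},
    "10.0.0.21": {"name": "lobby-kiosk",       "value": 2,  "services": {"http"}},
}
# Constructed per-rule attack severity (1-10) and, for rules that only matter when the
# target exposes a given service, the service that makes the alert relevant.
SEVERITY = {"bruteforce": 6, "av_then_exfil": 9, "rdp_from_user_zone": 5}
RELEVANT_SERVICE = {"rdp_from_user_zone": "rdp"}


def relevance(rule: str, asset: dict) -> float:
    """1.0 when the target exposes the service the rule is about (or the rule is
    service-independent), 0.3 when the rule cannot apply to this target."""
    svc = RELEVANT_SERVICE.get(rule)
    if svc is None:
        return 1.0
    return 1.0 if svc in asset["services"] else 0.3


def risk_rating(alert: dict) -> float:
    """Severity x asset value x relevance, scaled to 0-10. Assets missing from the
    inventory get a medium value rather than being silently dropped."""
    asset = ASSETS.get(alert["target"], {"name": "unknown", "value": 5, "services": set()})
    score = SEVERITY[alert["rule"]] * asset["value"] * relevance(alert["rule"], asset) / 10
    return round(score, 1)


def prioritize(alerts: List[dict]) -> List[dict]:
    """Return alerts highest rating first, with the rating attached for the analyst queue."""
    rated = [dict(a, risk_rating=risk_rating(a)) for a in alerts]
    return sorted(rated, key=lambda a: a["risk_rating"], reverse=True)


# Constructed alerts, as the analyzer stage would emit them.
ALERTS = [
    {"rule": "rdp_from_user_zone", "target": "10.0.0.21"},  # kiosk has no RDP: low relevance
    {"rule": "rdp_from_user_zone", "target": "10.0.0.5"},   # domain controller exposes RDP
    {"rule": "bruteforce", "target": "10.0.0.99"},          # target not in inventory
]

if __name__ == "__main__":
    for a in prioritize(ALERTS):
        print(a["risk_rating"], a["rule"], a["target"])
```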

Iman Mansouri – Sr. Security Solutions Consultant

[email protected]
Tel: +98 9126139728

Telegram.me/SOC24x7
@cisco_in_persian_channel
