SIEMple Technology

Explore the fundamentals of Security Information Event Management (SIEM) implementation in this informative BSidesLV conference talk. Discover the key components of SIEM technology, including log collection, correlation, alerting, and retention. Learn how to research options, set goals, and implement SIEM in your environment effectively. Understand the value creation process, focusing on faster incident response. Gain insights into collecting network, end-user, and security logs from various sources. Explore log correlation techniques and determine the necessary resources for your SIEM implementation. Follow a phased approach to deployment, starting with critical systems and compliance requirements. Master the art of tweaking and testing your SIEM to avoid common pitfalls. Establish effective communication channels with department liaisons for seamless integration. Conduct periodic reviews to ensure ongoing relevance and value. By the end of this talk, acquire the knowledge to select and implement a SIEM solution that meets your organization's specific needs and resources.

SIEMple technology A guide on setting up an SIEM in your environment
1. Researching options and setting goals 2. Implementing in your environment
What is a SIEM? Security Information Event Management, but what does that mean? • Log Collection • Log Correlation • Alerting • Log Retention
What value are you trying to create? Faster incident response?
Collecting network logs Firewalls, IDS/IPS, Netflow, WAFs, Web Proxies
Collecting end user logs EMET, Sysmon, Local Firewall, Installed Apps, Event Logs, Command line history
Collecting security logs Endpoint "protection", App Whitelisting, Vulnerability scanners, Honeypots
Correlating logs 2 successful logins from same person in the same day from two different countries
What resources will you need? How many events per second/hour? • How many of those events do you need to store/process/correlate in a given time period? • How long do you need to store everything?
Phased Approach Options • Most critical systems • Compliance requirements • Least amount of visibility • Annoying ones that need professional service hours to resolve.
Tweak, alter, test, & more tweaking Dont let your SIEM • Cry wolf • Nag you repeatedly • Do nothing
Have department liaisons and have them communicate: • Downtime • Upgrades • Major config changes • System replacements and additions
Periodic reviews True for internal or external SIEMS Are your alerts still relevant? Are you still getting logs from required sources? • Did you miss a system, device, or application? • Are you getting the value you expected.
Wrap up Find the solution that meets your needs (Supported devices, time and people resources)
Russell Butturini @tcstoolhaxor My wife: Andrea BSides LV You guys!