Rotem Mesika: System Security Engineering 372.2.5204

This document discusses security information and event management (SIEM). It defines SIEM as a system that collects logs and security information from internal and external sources to detect unwanted activities through event correlation. The document outlines why organizations use SIEM for threat management, compliance, and forensics. It discusses defining important assets, known as "crown jewels", and protecting them through use cases and rules. The SIEM process of log management, correlation, alerting, and responding is also explained. Finally, the document discusses implementing SIEM using ArcSight and combining multiple SIEMs through hierarchical management and collaborative alert sharing.


SIEM

Rotem Mesika

System security engineering 372.2.5204


2 What we will talk about today
- What is SIEM?
- Why do organizations use it?
- “Crown Jewels”
- What are we protecting from? And how?
- The SIEM process
- SIEM implementation: “ArcSight”
- Combining SIEMs
3 What is SIEM?
- SIEM = Security Information and Event Management
- SIEM collects log files and security information from internal and external sources
- Event correlation is used to detect and alert on unwanted activities within the network, as defined by the organization
- An organization can use the information within the SIEM to detect and respond to security incidents effectively
- The main focus areas that define the fundamentals of SIEM are:
1) Log management
2) Correlation
3) Alerting
4) Responding
4 Why do organizations use it?
- Threat management
  - The ability to detect risky scenarios and common attacks, as well as attack paths defined by the organization itself
  - Relations are established between events from different sources on the network
- Compliance
  - Joining the logs and reports of multiple systems within the organization, enabling easy access and analysis through a built-in framework for each system
- Forensic support
  - The information available within the SIEM is very valuable from a forensic perspective and can greatly aid a forensic analyst in his or her investigation
  - SIEM allows forensic analysts to search the logs of many systems in a centralized way, without having to re-collect the log files of compromised systems
5 Defining the “Crown Jewels”
- When an organization grows, its IT environment grows as well: services are added and removed
- It is impossible for an organization to collect the log files of all systems and at the same time perform real-time analysis and correlation
- An organization needs to know what its “crown jewels” are: what is the most important asset or information owned by the organization?
- “Crown jewels” can be identified by performing a risk analysis at the organizational level, in other words, based on the organization's strategy
6 What are we protecting from? And how?
- Risk scenarios describe undesirable actions against the “crown jewels” and include common attacks (e.g. DDoS on online services) and attack paths (e.g. reconnaissance using a port scan)
- An organization knows which logs to collect, and from which devices, based on the information required by its “use cases” and the rules they consist of
- Every rule can require different log sources and events
- For SIEM to work correctly, all logs required by the use cases and rules must be gathered, normalized and made available to the SIEM tooling
7 Example of a “use case”
8 The SIEM Process
9 Log Management
- Log management is an integral part of SIEM because log entries are the greatest source of information
- Though highly crucial, solely collecting and aggregating logs at a central location is not enough
10 Correlation
- Correlation of log entries is performed based on use cases. Every use case consists of one or more rules that detect an unwanted event, which is defined by risk scenarios
- To trigger a use case, one typically needs to correlate multiple log entries from one or more sources
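As an added example (not part of the slides), here is a toy correlation engine in Python that ties slides 6 and 10 together: it normalizes constructed firewall and IDS log lines into one common schema, then runs the “reconnaissance using a port scan” use case as two rules over them, one per source. The log formats, addresses, thresholds and the crown-jewel host are all assumptions made for the example.

```python
# Added example, not from the slides: normalize two constructed log sources and
# apply a "reconnaissance by port scan" use case. Formats/addresses are invented.
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIREWALL_LOGS = """\
2024-05-01T10:00:01 DENY src=10.0.0.5 dst=192.168.1.20 dport=22
2024-05-01T10:00:02 DENY src=10.0.0.5 dst=192.168.1.20 dport=80
2024-05-01T10:00:03 DENY src=10.0.0.5 dst=192.168.1.20 dport=443
2024-05-01T10:00:04 DENY src=10.0.0.5 dst=192.168.1.20 dport=3306
2024-05-01T10:00:05 DENY src=10.0.0.5 dst=192.168.1.20 dport=8080
2024-05-01T10:00:06 DENY src=10.0.0.9 dst=192.168.1.20 dport=22
2024-05-01T10:20:00 DENY src=10.0.0.9 dst=192.168.1.20 dport=80
"""
IDS_LOGS = '2024-05-01T10:00:07 ALERT sig="SCAN nmap" src=10.0.0.5 dst=192.168.1.20\n'
CROWN_JEWELS = {"192.168.1.20"}  # constructed: the database server this use case protects

FW_RE = re.compile(r"(\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)")
IDS_RE = re.compile(r'(\S+) ALERT sig="([^"]+)" src=(\S+) dst=(\S+)')

def normalize(firewall_text, ids_text):
    """Log management step: parse both sources into one schema, time-ordered."""
    events = []
    for m in FW_RE.finditer(firewall_text):
        events.append({"ts": datetime.fromisoformat(m[1]), "source": "firewall",
                       "src": m[2], "dst": m[3], "dport": int(m[4])})
    for m in IDS_RE.finditer(ids_text):
        events.append({"ts": datetime.fromisoformat(m[1]), "source": "ids",
                       "src": m[3], "dst": m[4], "sig": m[2]})
    return sorted(events, key=lambda e: e["ts"])

def port_scan_use_case(events, min_ports=5, window=timedelta(minutes=1)):
    """Rule 1: one src denied on >= min_ports distinct ports of a crown jewel within
    `window`. Rule 2 (raises severity): the IDS reported a scan for the same pair."""
    denies = defaultdict(list)
    for e in events:
        if e["source"] == "firewall" and e["dst"] in CROWN_JEWELS:
            denies[(e["src"], e["dst"])].append(e)
    alerts = []
    for (src, dst), hits in denies.items():
        for i, first in enumerate(hits):  # slide the window over each possible start
            ports = {h["dport"] for h in hits[i:] if h["ts"] - first["ts"] <= window}
            if len(ports) >= min_ports:
                ids_hit = any(e["source"] == "ids" and e["src"] == src
                              and e["dst"] == dst and "SCAN" in e["sig"] for e in events)
                alerts.append({"use_case": "recon-port-scan", "src": src, "dst": dst,
                               "ports": sorted(ports), "severity": "high" if ids_hit else "medium"})
                break  # one alert per (src, dst) is enough for the analyst
    return alerts
```

Only 10.0.0.5 fires the use case: 10.0.0.9 touches two ports, below the rule's threshold, so it produces no alert.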
11 Alerting
- Alerting on abnormal actions is the core purpose of the SIEM, focused on threat management
12 Responding & Evaluating
- Most alerts require manual analysis by a SOC analyst
- Experience gained from handling incidents or false positives can serve as input for a new use case or for fine-tuning
13 HP SIEM implementation – “ArcSight”
- The model is called “the hierarchical managers model”
- We divide our model into 3 layers
  - The first: devices that generate log files, e.g. a firewall
  - The second: a centralized system of dedicated servers that collects and stores all the log files in dedicated storage
  - The third: the monitoring layer, which monitors and reviews the logs and manages the servers of the second layer
14 Choose the devices and their logs
- Domain controllers
- Databases
- Email servers
- IDS and IPS
- Firewall
- Network devices
- Antivirus system
15 Define “use case”
16 Define “use case” – cont.
17 Combining SIEMs
18 SIEM of SIEMs
- A central SIEM server acts as a parent and communicates with intermediary SIEM servers (called Child Managers), instead of communicating with the log sources directly
- The parent and the child managers each take on different responsibilities
  - Alerting, filtering, normalization, reporting and anything else having to do with policy enforcement are the responsibility of the Child Manager
  - Correlated events are forwarded from each Child Manager to the Global Manager for global correlation
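An added example, not from the slides or from ArcSight, of the SIEM-of-SIEMs division of labour in Python: child managers apply their local filtering policy and forward only the correlated events that survive it, and the Global Manager correlates those across domains (the same source escalated by several children within a time window). Class names, thresholds and the sample events are assumptions made for the example.

```python
# Added example, not from the slides: the hierarchical managers model, with child
# managers filtering locally and a global manager correlating across them. All
# names, addresses and timestamps are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

class ChildManager:
    """Owns one domain. Filtering policy stays local; only correlated events that
    survive it are forwarded to the parent, tagged with the child's name."""
    def __init__(self, name, filtered_sources=()):
        self.name, self.filtered = name, set(filtered_sources)

    def forward(self, correlated_events):
        return [{**ev, "child": self.name} for ev in correlated_events
                if ev["src"] not in self.filtered]  # e.g. the domain's own vuln scanner

class GlobalManager:
    """Global correlation: the same src escalated by >= min_children distinct
    child managers within `window` becomes one global alert."""
    def __init__(self, min_children=2, window=timedelta(hours=1)):
        self.min_children, self.window = min_children, window
        self.seen = defaultdict(list)  # src -> [(ts, child)]

    def receive(self, forwarded):
        for ev in forwarded:
            self.seen[ev["src"]].append((ev["ts"], ev["child"]))

    def global_alerts(self):
        alerts = []
        for src, hits in self.seen.items():
            hits.sort()
            for i, (t0, _) in enumerate(hits):  # slide the window over each start
                children = {c for t, c in hits[i:] if t - t0 <= self.window}
                if len(children) >= self.min_children:
                    alerts.append({"src": src, "children": sorted(children)})
                    break
        return alerts

T0 = datetime(2024, 5, 1, 10, 0)  # constructed correlated events from two child domains
BRANCH_A = [{"ts": T0, "use_case": "recon-port-scan", "src": "203.0.113.7"},
            {"ts": T0, "use_case": "recon-port-scan", "src": "10.0.0.5"}]
BRANCH_B = [{"ts": T0 + timedelta(minutes=20), "use_case": "recon-port-scan", "src": "203.0.113.7"},
            {"ts": T0 + timedelta(hours=3), "use_case": "recon-port-scan", "src": "10.0.0.5"}]

def run_hierarchy():
    parent = GlobalManager()
    child_a = ChildManager("branch-a", filtered_sources={"10.0.0.5"})  # known local scanner
    child_b = ChildManager("branch-b")
    parent.receive(child_a.forward(BRANCH_A))
    parent.receive(child_b.forward(BRANCH_B))
    return parent.global_alerts()
```

The source filtered by branch-a never reaches the parent, so only the address escalated by both children within the window becomes a global alert.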
19 Sharing alarms - Collaborative Approach
- SIEMs in domains with similar services and traffic could be vulnerable to similar attacks
- Sharing alarms among these SIEMs would benefit all
- Snort’s detection engine scans the network for attack patterns, registers possible threats, and issues alerts
- SIEMs exchange directive files to correlate events reported by federation partners
- Each SIEM can define its own directives as well as adopt other SIEMs’ definitions, e.g. rules can match packets based on source or target addresses, source or target ports, particular protocols or flags, or packet content
21 Questions?
