Correlating logs
Example: two successful logins by the same person on the same day from two different countries
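The correlation on this slide, worked through as an added example (not code from the talk or from any SIEM product): successful logins are grouped by user and calendar day, and any user/day pair that shows more than one source country is flagged. The log line format, field names and sample lines are constructed for the demo; failed logins are ignored, since the rule on the slide counts successes only.

```python
"""Added example: flag users with successful logins from two or more
countries on the same calendar day. Log format and sample lines are
constructed for this demo, not taken from a real system."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines. Format (assumed for the demo):
# <ISO-8601 UTC timestamp> user=<name> src_country=<ISO code> result=<success|failure>
SAMPLE_LOGS = """
2024-03-04T08:12:01Z user=alice src_country=US result=success
2024-03-04T09:40:17Z user=bob src_country=DE result=success
2024-03-04T10:02:55Z user=alice src_country=BR result=success
2024-03-04T11:15:30Z user=carol src_country=US result=failure
2024-03-04T11:16:02Z user=carol src_country=FR result=success
2024-03-05T07:30:00Z user=bob src_country=DE result=success
2024-03-05T22:45:10Z user=carol src_country=FR result=success
""".strip().splitlines()


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines
    so a bad record cannot break the whole correlation run."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[1:])
        return {"ts": ts, **fields}
    except (ValueError, TypeError):
        return None


def find_multi_country_logins(lines):
    """Return {(user, date): sorted countries} for every user/day that
    has successful logins from more than one country."""
    seen = defaultdict(set)  # (user, date) -> set of source countries
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.get("result") != "success":
            continue  # only successful logins count for this rule
        key = (ev["user"], ev["ts"].date().isoformat())
        seen[key].add(ev["src_country"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for (user, day), countries in find_multi_country_logins(SAMPLE_LOGS).items():
        print(f"ALERT {day}: {user} logged in successfully from {', '.join(countries)}")
```

On the sample data only alice is flagged: carol's US attempt failed, so her day shows a single successful country. In a real SIEM the same grouping would be a scheduled search over a rolling window rather than a one-shot pass, and the country field would come from a GeoIP enrichment of the source address.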
What resources will you need?
• How many events per second/hour?
• How many of those events do you need to store/process/correlate in a given time period?
• How long do you need to store everything?
Phased approach options
• Most critical systems
• Compliance requirements
• Least amount of visibility
• Annoying ones that need professional service hours to resolve
Tweak, alter, test, and more tweaking
Don't let your SIEM:
• Cry wolf
• Nag you repeatedly
• Do nothing
Have department liaisons and have them communicate:
• Downtime
• Upgrades
• Major config changes
• System replacements and additions
Periodic reviews (true for internal or external SIEMs)
Are your alerts still relevant?
Are you still getting logs from required sources?
• Did you miss a system, device, or application?
• Are you getti…
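The "are you still getting logs from required sources?" review, as an added example (not code from the talk): given the list of sources the SIEM is supposed to receive from and the most recent event seen from each, it reports sources that have never reported, sources that have gone quiet for longer than a threshold, and sources that are sending but are not on the required list (often a sign of a system that was added without telling the SIEM team). The source names, threshold and sample events are constructed for the demo.

```python
"""Added example: periodic log-source coverage check. Required sources,
silence threshold and sample events are constructed for this demo."""
from datetime import datetime, timedelta

# Constructed inventory of sources the SIEM must receive logs from.
REQUIRED_SOURCES = {"fw-edge-01", "dc-01", "vpn-gw", "web-proxy"}
# A source that has sent nothing for this long is reported as stale.
MAX_SILENCE = timedelta(hours=6)

# Constructed recent events: (ISO-8601 UTC timestamp, source name).
SAMPLE_EVENTS = [
    ("2024-03-04T04:00:00Z", "dc-01"),
    ("2024-03-04T06:00:00Z", "fw-edge-01"),
    ("2024-03-04T11:55:00Z", "fw-edge-01"),
    ("2024-03-04T12:10:00Z", "web-proxy"),
    ("2024-03-04T12:20:00Z", "unknown-host"),  # sending, but not on the required list
]


def last_seen_by_source(events):
    """Reduce an event list to {source: latest timestamp seen}."""
    latest = {}
    for ts_text, source in events:
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        if source not in latest or ts > latest[source]:
            latest[source] = ts
    return latest


def review_sources(events, required, now, max_silence):
    """Return the three findings a reviewer wants, each as a sorted list:
    missing  - required sources with no events at all
    stale    - required sources whose last event is older than max_silence
    unexpected - sources that sent events but are not in the required set
    """
    latest = last_seen_by_source(events)
    missing = sorted(required - latest.keys())
    stale = sorted(
        s for s in required & latest.keys() if now - latest[s] > max_silence
    )
    unexpected = sorted(latest.keys() - required)
    return {"missing": missing, "stale": stale, "unexpected": unexpected}


if __name__ == "__main__":
    now = datetime(2024, 3, 4, 13, 0, 0)  # constructed review time
    for kind, sources in review_sources(SAMPLE_EVENTS, REQUIRED_SOURCES, now, MAX_SILENCE).items():
        print(f"{kind}: {', '.join(sources) or '(none)'}")
```

At the constructed review time of 13:00, dc-01 last reported at 04:00 (nine hours ago) and is stale, vpn-gw has never reported and is missing, and unknown-host is the unexpected sender to chase up with the department liaison. Run on a schedule, this is the check that catches a decommissioned forwarder or a firewall replaced without its syslog target before an incident reveals the gap.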
Wrap up
Find the solution that meets your needs (supported devices, time and people resources)
Russell Butturini @tcstoolhaxor
My wife: Andrea
BSides LV
You guys!
Description:
Explore the fundamentals of Security Information Event Management (SIEM) implementation in this informative BSidesLV conference talk. Discover the key components of SIEM technology, including log collection, correlation, alerting, and retention. Learn how to research options, set goals, and implement SIEM in your environment effectively. Understand the value creation process, focusing on faster incident response. Gain insights into collecting network, end-user, and security logs from various sources. Explore log correlation techniques and determine the necessary resources for your SIEM implementation. Follow a phased approach to deployment, starting with critical systems and compliance requirements. Master the art of tweaking and testing your SIEM to avoid common pitfalls. Establish effective communication channels with department liaisons for seamless integration. Conduct periodic reviews to ensure ongoing relevance and value. By the end of this talk, acquire the knowledge to select and implement a SIEM solution that meets your organization's specific needs and resources.