1
00:00:00,000 --> 00:00:00,900
In this lesson,

2
00:00:00,900 --> 00:00:03,990
we're going to discuss the security technology known as a SIEM,

3
00:00:03,990 --> 00:00:06,990
or security information and event management system.

4
00:00:06,990 --> 00:00:09,780
Now, a SIEM is a security solution that provides real-time

5
00:00:09,780 --> 00:00:12,480
or near-real-time analysis of security alerts

6
00:00:12,480 --> 00:00:15,360
that are generated by network hardware and applications.

7
00:00:15,360 --> 00:00:17,790
In our networks, we have a lot of different devices,

8
00:00:17,790 --> 00:00:19,800
including not just our network infrastructure,

9
00:00:19,800 --> 00:00:21,270
but also all our client devices

10
00:00:21,270 --> 00:00:23,070
that we host on the network as well.

11
00:00:23,070 --> 00:00:24,990
To maintain a strong security posture,

12
00:00:24,990 --> 00:00:26,730
it is critical to understand the status

13
00:00:26,730 --> 00:00:29,370
of each of these devices by reviewing their logs,

14
00:00:29,370 --> 00:00:31,380
informational alerts, and events.

15
00:00:31,380 --> 00:00:33,000
But if we had to log into each

16
00:00:33,000 --> 00:00:34,530
of these machines individually to collect

17
00:00:34,530 --> 00:00:35,880
and analyze all that data,

18
00:00:35,880 --> 00:00:38,100
it would take us forever.

19
00:00:38,100 --> 00:00:40,920
Luckily, we have a solution known as SIEM

20
00:00:40,920 --> 00:00:42,990
that helps us overcome this challenge.

21
00:00:42,990 --> 00:00:44,760
A SIEM is able to gather logs and data

22
00:00:44,760 --> 00:00:46,470
from all sorts of different systems

23
00:00:46,470 --> 00:00:49,320
and combine them into a single combined data store.

24
00:00:49,320 --> 00:00:51,150
This allows our cybersecurity analysts,

25
00:00:51,150 --> 00:00:53,190
system administrators, and network administrators

26
00:00:53,190 --> 00:00:55,470
to review the logs and find abnormalities

27
00:00:55,470 --> 00:00:58,200
or things that are not operating within our baselines.

28
00:00:58,200 --> 00:00:59,850
When it comes to reviewing these logs,

29
00:00:59,850 --> 00:01:01,800
it shouldn't be done only after an incident

30
00:01:01,800 --> 00:01:03,330
or after a breach has occurred.

31
00:01:03,330 --> 00:01:05,820
Instead, conducting log reviews should be something

32
00:01:05,820 --> 00:01:07,620
that's done regularly and routinely

33
00:01:07,620 --> 00:01:09,210
as part of your network administration

34
00:01:09,210 --> 00:01:10,830
and system management functions.

35
00:01:10,830 --> 00:01:13,440
To effectively conduct a log review and analysis though,

36
00:01:13,440 --> 00:01:15,720
you really do need to utilize a SIEM.

37
00:01:15,720 --> 00:01:17,700
A SIEM is used to help us correlate the events

38
00:01:17,700 --> 00:01:19,860
between different systems across the network,

39
00:01:19,860 --> 00:01:21,750
something that we couldn't do ourselves easily

40
00:01:21,750 --> 00:01:24,420
if we're looking at logs from each individual machine.

41
00:01:24,420 --> 00:01:25,920
Now, by using a SIEM,

42
00:01:25,920 --> 00:01:28,140
we can combine five essential functions

43
00:01:28,140 --> 00:01:30,180
that provide us with a more comprehensive view

44
00:01:30,180 --> 00:01:31,620
of our enterprise network.

45
00:01:31,620 --> 00:01:34,650
This is done by performing log collection, normalization,

46
00:01:34,650 --> 00:01:37,800
correlation, aggregation, and reporting.

47
00:01:37,800 --> 00:01:39,900
Now, first we have log collection.

48
00:01:39,900 --> 00:01:41,820
Log collection of all of our event records

49
00:01:41,820 --> 00:01:43,890
from sources throughout the network is going to happen,

50
00:01:43,890 --> 00:01:46,020
usually using something like Syslog.

51
00:01:46,020 --> 00:01:48,060
This will provide us with important forensic tools

52
00:01:48,060 --> 00:01:50,100
and help us address compliance reporting requirements

53
00:01:50,100 --> 00:01:51,060
as well.

54
00:01:51,060 --> 00:01:52,980
Second, we have normalization.

55
00:01:52,980 --> 00:01:54,930
Normalization is going to map log messages

56
00:01:54,930 --> 00:01:57,750
from different systems into a common data model.

57
00:01:57,750 --> 00:01:59,040
This will enable us to be able

58
00:01:59,040 --> 00:02:01,080
to connect and analyze related events,

59
00:02:01,080 --> 00:02:02,340
even if they're initially logged

60
00:02:02,340 --> 00:02:04,110
in different source formats.

61
00:02:04,110 --> 00:02:06,000
Third, we have correlation.

62
00:02:06,000 --> 00:02:08,070
Correlation is going to link the logs and events

63
00:02:08,070 --> 00:02:09,780
from different systems or applications

64
00:02:09,780 --> 00:02:11,310
into a single data feed,

65
00:02:11,310 --> 00:02:13,380
which speeds up our detection of threats

66
00:02:13,380 --> 00:02:15,090
as well as decreases the time for us

67
00:02:15,090 --> 00:02:17,340
to be able to respond to those threats.

68
00:02:17,340 --> 00:02:19,380
Fourth, we have aggregation.

69
00:02:19,380 --> 00:02:21,870
Aggregation is going to reduce the volume of event data

70
00:02:21,870 --> 00:02:23,790
by consolidating duplicate events

71
00:02:23,790 --> 00:02:25,260
and taking those records and merging them

72
00:02:25,260 --> 00:02:26,790
into a single record.

73
00:02:26,790 --> 00:02:28,260
Fifth, we have reporting.

74
00:02:28,260 --> 00:02:30,360
Reporting is going to be used to present the correlated,

75
00:02:30,360 --> 00:02:33,360
aggregated event data in a real-time monitoring dashboard

76
00:02:33,360 --> 00:02:34,440
if you're an analyst.

77
00:02:34,440 --> 00:02:35,760
And if you're in management,

78
00:02:35,760 --> 00:02:37,950
you're going to get some form of a long-term summary

79
00:02:37,950 --> 00:02:41,040
or report at the end, and that's also part of reporting.

80
00:02:41,040 --> 00:02:43,230
All right, let's consider a simple example.

81
00:02:43,230 --> 00:02:44,370
You're looking through the logs

82
00:02:44,370 --> 00:02:47,400
and you see that somebody has logged in over VPN from Asia.

83
00:02:47,400 --> 00:02:50,400
When you look up the user ID, you see it's John Smith.

84
00:02:50,400 --> 00:02:51,780
All right, that seems normal.

85
00:02:51,780 --> 00:02:54,240
Maybe he's in Asia because he is on a business trip.

86
00:02:54,240 --> 00:02:55,860
Now, while there may be nothing wrong with this,

87
00:02:55,860 --> 00:02:57,540
a few minutes later you're looking at your SIEM

88
00:02:57,540 --> 00:02:59,940
and you see that the access control system says

89
00:02:59,940 --> 00:03:01,890
that John Smith's ID was just used

90
00:03:01,890 --> 00:03:04,170
to log into the server room inside your building.

91
00:03:04,170 --> 00:03:06,120
All right, now we have an issue

92
00:03:06,120 --> 00:03:08,430
because if your server room is sitting in America

93
00:03:08,430 --> 00:03:10,440
and John Smith is supposedly accessing us

94
00:03:10,440 --> 00:03:11,700
from a VPN in Asia,

95
00:03:11,700 --> 00:03:13,080
something is wrong.

96
00:03:13,080 --> 00:03:14,430
Because he can't be both in the server room

97
00:03:14,430 --> 00:03:16,470
and on a business trip in Asia at the same time.

98
00:03:16,470 --> 00:03:18,630
So one of these things has to be wrong.

99
00:03:18,630 --> 00:03:19,890
Now, either of these two events

100
00:03:19,890 --> 00:03:23,490
by themselves would be totally fine and not suspicious at all,

101
00:03:23,490 --> 00:03:26,580
but by seeing them correlated together at the same time

102
00:03:26,580 --> 00:03:28,320
or nearly the same time,

103
00:03:28,320 --> 00:03:30,510
this tells us that there's something wrong here

104
00:03:30,510 --> 00:03:31,980
and we need to flag that as suspicious

105
00:03:31,980 --> 00:03:33,540
and investigate it further.

106
00:03:33,540 --> 00:03:35,310
Now as we look into this situation,

107
00:03:35,310 --> 00:03:37,410
we can determine where this person really is.

108
00:03:37,410 --> 00:03:38,640
We can just walk down to the server room

109
00:03:38,640 --> 00:03:40,020
and say, "Is John here?"

110
00:03:40,020 --> 00:03:42,030
And so he says, "No, he is on a business trip in Asia."

111
00:03:42,030 --> 00:03:43,890
Now we need to go check the security footage

112
00:03:43,890 --> 00:03:45,630
and see who is logging in with John's credentials

113
00:03:45,630 --> 00:03:46,950
here in the server room.

114
00:03:46,950 --> 00:03:49,890
A SIEM allows us to do this type of correlation very quickly

115
00:03:49,890 --> 00:03:52,890
and very easily and be able to de-conflict these things.

116
00:03:52,890 --> 00:03:55,050
A security and information event management system,

117
00:03:55,050 --> 00:03:58,140
or SIEM, can be implemented in many different ways.

118
00:03:58,140 --> 00:04:00,930
A SIEM can exist as a piece of software running on a server,

119
00:04:00,930 --> 00:04:02,010
a hardware appliance,

120
00:04:02,010 --> 00:04:04,320
or even as an outsourced managed service.

121
00:04:04,320 --> 00:04:06,240
In order to effectively deploy a SIEM,

122
00:04:06,240 --> 00:04:08,730
you have to consider a lot of different things.

123
00:04:08,730 --> 00:04:11,400
First, you need to be able to log all the relevant events

124
00:04:11,400 --> 00:04:13,080
and filter out anything that's considered

125
00:04:13,080 --> 00:04:14,670
to be irrelevant data.

126
00:04:14,670 --> 00:04:16,470
Second, you need to make sure you establish

127
00:04:16,470 --> 00:04:18,540
and document the scope of the events,

128
00:04:18,540 --> 00:04:20,459
exactly what is it that you're going to log,

129
00:04:20,459 --> 00:04:23,490
what's going to be considered inside or outside of your scope.

130
00:04:23,490 --> 00:04:26,820
Third, you need to develop use cases to define a threat.

131
00:04:26,820 --> 00:04:28,650
This will help you define exactly what you do

132
00:04:28,650 --> 00:04:30,330
and do not consider a threat

133
00:04:30,330 --> 00:04:33,750
and what you may want to take action on or postpone for later.

134
00:04:33,750 --> 00:04:36,150
Fourth, you need to plan incident responses

135
00:04:36,150 --> 00:04:37,950
for given scenarios or events.

136
00:04:37,950 --> 00:04:40,230
If you know that when you see this type of thing occur,

137
00:04:40,230 --> 00:04:42,120
then you need to take those types of actions.

138
00:04:42,120 --> 00:04:43,650
That's what I'm talking about here.

139
00:04:43,650 --> 00:04:45,360
You need to have these pre-planned responses

140
00:04:45,360 --> 00:04:47,850
for any given threat that you might face.

141
00:04:47,850 --> 00:04:50,370
Fifth, we want to establish a ticketing process

142
00:04:50,370 --> 00:04:52,800
so we can track all these different events that we flag.

143
00:04:52,800 --> 00:04:54,660
This way as we go into the SIEM,

144
00:04:54,660 --> 00:04:56,460
we can see something that looks unusual,

145
00:04:56,460 --> 00:04:58,287
like my example of somebody logging in from Asia

146
00:04:58,287 --> 00:05:00,480
and at the local office at the same time,

147
00:05:00,480 --> 00:05:01,710
and then we can flag it

148
00:05:01,710 --> 00:05:04,230
and have it tracked through the process to completion

149
00:05:04,230 --> 00:05:06,450
to make sure nobody forgets about it.

150
00:05:06,450 --> 00:05:09,540
Sixth, we want to make sure we schedule regular threat hunting

151
00:05:09,540 --> 00:05:11,310
by working with our cybersecurity analysts

152
00:05:11,310 --> 00:05:12,720
and using our SIEM.

153
00:05:12,720 --> 00:05:13,553
By doing this,

154
00:05:13,553 --> 00:05:15,660
we want to make sure we're not missing any important events

155
00:05:15,660 --> 00:05:17,250
that may have escaped the automated alerts

156
00:05:17,250 --> 00:05:19,080
that we create inside the system.

157
00:05:19,080 --> 00:05:20,790
By going through and doing threat hunting,

158
00:05:20,790 --> 00:05:22,350
our cybersecurity analysts will be able

159
00:05:22,350 --> 00:05:24,420
to catch bad guys doing bad things

160
00:05:24,420 --> 00:05:26,760
that may have escaped our automated alerts.

161
00:05:26,760 --> 00:05:28,920
And seven, our final consideration

162
00:05:28,920 --> 00:05:30,360
is how we're going to provide auditors

163
00:05:30,360 --> 00:05:32,250
and analysts an evidence trail.

164
00:05:32,250 --> 00:05:35,220
By using a SIEM, we have this great centralized repository

165
00:05:35,220 --> 00:05:36,690
with lots of different data,

166
00:05:36,690 --> 00:05:38,850
and so it becomes a great place for an auditor or analyst

167
00:05:38,850 --> 00:05:40,740
to look through as they're doing their analysis

168
00:05:40,740 --> 00:05:43,020
as part of a compliance-based inspection.

169
00:05:43,020 --> 00:05:45,450
As you can see, there are a lot of great benefits

170
00:05:45,450 --> 00:05:48,420
and considerations that we have when we start using a SIEM.

171
00:05:48,420 --> 00:05:50,250
It's important for us to always properly configure

172
00:05:50,250 --> 00:05:52,590
our network devices to make sure they're feeding their data

173
00:05:52,590 --> 00:05:55,290
into our SIEM within the scope of our events.

174
00:05:55,290 --> 00:05:57,210
Remember, a SIEM is going to take data

175
00:05:57,210 --> 00:05:58,920
using the Syslog protocol.

176
00:05:58,920 --> 00:06:01,830
This means we're going to be using UDP port 514

177
00:06:01,830 --> 00:06:04,680
or TCP port 1468.

178
00:06:04,680 --> 00:06:06,690
As data is being brought into the SIEM,

179
00:06:06,690 --> 00:06:08,820
it's going to be classified based on a log level

180
00:06:08,820 --> 00:06:10,140
from zero to seven.

181
00:06:10,140 --> 00:06:12,660
Zero is our most important or most critical,

182
00:06:12,660 --> 00:06:15,900
and seven is our least important or most informational,

183
00:06:15,900 --> 00:06:19,110
just like we had with our regular devices using Syslog.

184
00:06:19,110 --> 00:06:19,943
For the exam,

185
00:06:19,943 --> 00:06:22,050
it's important to understand the purpose of a SIEM

186
00:06:22,050 --> 00:06:24,450
and that a SIEM relies on the Syslog protocol

187
00:06:24,450 --> 00:06:27,030
to collect the data from all these different network devices

188
00:06:27,030 --> 00:06:29,430
and client devices on our enterprise network,

189
00:06:29,430 --> 00:06:32,250
and then we're going to use that to normalize, correlate,

190
00:06:32,250 --> 00:06:34,080
and aggregate that logging data

191
00:06:34,080 --> 00:06:36,573
into a single repository for further analysis.
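The VPN-plus-badge scenario from the lesson, as an added Python example that is not part of the lesson's own material: two constructed log sources in different formats are normalized into one common event model and then correlated by user and time window, which is the step that looking at each device's logs on its own cannot give you. The log formats, field names, user names and the 15-minute window are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records from two sources in two different formats
# (a VPN gateway and a badge-access controller); not real log data.
VPN_LOG = [
    "2024-03-01T09:02:11Z vpn-gw user=jsmith src=203.0.113.9 geo=Asia result=ok",
    "2024-03-01T09:05:40Z vpn-gw user=adoe src=198.51.100.7 geo=Europe result=ok",
]
BADGE_LOG = [
    "03/01/2024 09:07:03 DOOR=server-room BADGE=jsmith GRANTED",
    "03/01/2024 09:40:00 DOOR=lobby BADGE=adoe GRANTED",
]

VPN_RE = re.compile(r"^(\S+) vpn-gw user=(\S+) src=\S+ geo=(\S+) result=ok$")
BADGE_RE = re.compile(r"^(\S+ \S+) DOOR=(\S+) BADGE=(\S+) GRANTED$")

def normalize(line):
    """Normalization: map a raw line from either source into one common model."""
    m = VPN_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": ts, "user": m.group(2), "source": "vpn", "where": m.group(3)}
    m = BADGE_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        return {"ts": ts, "user": m.group(3), "source": "badge", "where": m.group(2)}
    return None  # unparsed line: dropped here, but count these in production

def correlate(events, window=timedelta(minutes=15)):
    """Correlation: the same user on the VPN and badging into the server room
    within `window` of each other cannot both be true, so flag the pair."""
    vpn = [e for e in events if e["source"] == "vpn"]
    badge = [e for e in events if e["source"] == "badge" and e["where"] == "server-room"]
    alerts = []
    for v in vpn:
        for b in badge:
            if v["user"] == b["user"] and abs(b["ts"] - v["ts"]) <= window:
                alerts.append({"user": v["user"], "vpn_geo": v["where"],
                               "gap_seconds": abs(b["ts"] - v["ts"]).total_seconds()})
    return alerts

def run(lines=None):
    """Collect -> normalize -> correlate over the constructed sample lines."""
    lines = VPN_LOG + BADGE_LOG if lines is None else lines
    events = [e for e in map(normalize, lines) if e is not None]
    return correlate(sorted(events, key=lambda e: e["ts"]))
```

Each alert is what would be pushed into the ticketing process the lesson describes; the second user is not flagged because the lobby door is outside the rule's scope.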