Security information and event management systems, SIEMs.

Now, log review is a critical part of security assurance. We're going to gather logs from all sorts of different systems, but gathering logs does you no good if you don't actually look at those logs. Now, logs shouldn't be reviewed just after an incident. You shouldn't use them just as part of an incident response, for example, but you should look at them regularly and routinely as part of your threat hunting and proactive system management. To do this effectively though, you really do need to use a SIEM. Now, a SIEM is a solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.

Now, as we look at a SIEM, there are a lot of uses for one, but one of the best things they do is they help us correlate events. Let's take a simple example. You're looking through the logs and you see that somebody has logged in over VPN from Asia. It's John Smith, and he's logging in from Asia because he's on a business trip. Well, there's nothing wrong with that. But if you look at just moments later, you see that John Smith's ID has been used to log in to the server room in your building. Well, that's an issue, because he can't both be in your server room and on a business trip in Asia. So one of those two things is wrong. Now, either one by itself is fine, but putting those together and correlating them flags it as something that we need to look into and figure out where this person is and how he is in two very different places, both at the same time. A SIEM helps you do this very quickly and very easily.

Now, a security information and event management system, or a SIEM, can be implemented in many different ways. You could do this as software, hardware appliances, or even as an outsourced managed service. Now, to effectively deploy a SIEM, you have to consider a lot of different things. First, you need to be able to log all relevant events and filter out anything that is not considered relevant, anything that's irrelevant data. Second, you need to make sure you can establish and document the scope of the events. Exactly what are you going to log? What is inside and outside of your scope? Third, you need to develop use cases to define a threat. This will help you define exactly what you do and do not consider a threat, and then what you may take action on later. Speaking of that, that brings us to number four. You need to plan incident responses before given events. If you know that when you see this type of thing happen, you're going to take those types of actions, that's what we're talking about here. It's preplanned responses for any kind of given threat you might face. Fifth, we want to establish a ticketing process so we can track all these different events that we flag. This way, as we go in the SIEM and we see something that's unusual, like my example earlier with somebody logging in from Asia and at the local office at the same time, you can flag that and have it tracked throughout the process to make sure it doesn't get dropped. Sixth, we want to schedule regular threat hunting. Now, by doing this, we want to make sure we're not missing any important events that may have escaped alerts. By going through and doing threat hunting, we're going to be able to catch bad guys doing bad things that may have escaped our alerts. And finally, our seventh item is providing auditors and analysts an evidence trail. A SIEM is a great place, with a centralized repository of lots of different data. And so it's a great place for auditors and analysts to look through as they're doing their analysis.

Now, when I talk about a SIEM solution, there are lots of different SIEM solutions out there. There are many commercial and open-source solutions available, and it's up to you to decide which one you want to use. As we go through the rest of this lesson, I'm going to bring up a couple of them and show you what they look like. We're going to cover things like Splunk, ELK or Elastic Stack, ArcSight, QRadar, AlienVault and OSSIM, and Graylog.

Let's start with Splunk. Splunk is a market-leading big data information gathering and analysis tool, and it can import machine-generated data via a connector or a visibility add-on. Now, Splunk is really good at connecting lots of different data systems. In fact, it has different connectors built for most network operating systems and different application formats. Essentially, all the data from all the different systems can be indexed as it's taken off those systems and then written to a centralized data store. This allows Splunk to be able to go through historical or real-time data and be able to search through it using its proprietary search algorithms, called the Search Processing Language. Now, once you get those results, you can start visualizing it using different tools. So when you use Splunk, it looks something like this. Notice here I have what looks like a dashboard. On here, I can see the important information. I see a lot of data, I see the trends going up or going down, I can see events over time, and I can actually drill down by clicking into each one, by going in and looking at the data behind it as well. Splunk is a really great tool, and it can be installed locally or as a cloud-based solution. When you buy Splunk, it comes with a lot of templates and pre-configured dashboards, security intelligence searches, and incident response workflows. Splunk is a big player in the marketplace, and it is a great SIEM to consider.

The next one we want to talk about is ELK or Elastic Stack. Now, ELK, or Elastic Stack, is a collection of free and open-source SIEM tools that provide storage, search, and analysis functions. Now, ELK or Elastic Stack is actually made up of four different components. These are Elasticsearch, which covers the query and analytics; Logstash, which is your log collection and normalization; Kibana, which does your visualization; and Beats, which are your endpoint collection agents that are installed on the machines. The way these all work together is you're going to have the different Beats installed on different servers or hosts. And they can then send out either directly back to the Elastic Stack, or it can go into Logstash first. Now, when it goes into Logstash first, it's going to do the parsing and the normalization for you, and then send it into Elastic. If you go directly to Elastic, it has to be in a format that it already understands. Now, Elastic is that centralized data store, but you don't really go into Elastic to look at the data. Instead, you use Kibana, and Kibana goes into Elastic and then visualizes that data in a way that you can see and understand. Just like Splunk, ELK Stack may be installed locally or as a cloud-based solution.

Our third SIEM tool we're going to discuss is ArcSight. ArcSight is a SIEM log management and analytics software that can be used for compliance reporting, for legislation and regulations like HIPAA, SOX, and PCI DSS. When you look at ArcSight, it looks like another dashboard. And again, you can drill down into that information and display it in lots of different ways.

The fourth one we're going to talk about is QRadar. And QRadar is a SIEM log management, analytics, and compliance reporting platform created by IBM. It does a lot of the same stuff we've just talked about. And again, it comes with a nice dashboard. As you look at the dashboard, you get different things that you can be looking at and considering those for your network.

Our fifth one is AlienVault and OSSIM, the Open Source Security Information Management system. Now, this is a SIEM solution that was originally developed by AlienVault, which is why it's called AlienVault, but now it's owned by AT&T, and they've been rebranding it recently as AT&T Cybersecurity. Just like the other ones, it does come with a dashboard where you can search and dig into the different information that could be presented here. Now, one of the nice things about AlienVault and OSSIM is that OSSIM can integrate other open-source tools, such as Snort IDS and OpenVAS vulnerability scanners, and it can provide an integrated web administration tool for you to manage the entire security environment. So it does give you this nice all-in-one solution. Also, because you're using a lot of open-source tools here, it does keep your costs low.

The final one we want to talk about is Graylog, and Graylog is an open-source SIEM with an enterprise version that's focused on compliance and supporting IT operations and DevOps. And again, it has a nice dashboard where you can drill down and search for things. The big difference with Graylog is that it's really focused on DevOps and supporting IT operations, as opposed to doing more of the log analysis and the incident response that some of the things like Splunk are much better suited for.

Now, let's talk about the exam for just a moment. You do not need to know specific tools like the ones I mentioned in this lesson. We covered them here simply to make sure you were introduced to the brand names and the different tools. If you hear any of these names, you should know they have the ability to act as a SIEM, but beyond that, you don't need to know how to use them or operate them for the exam. Now, that said, a lot of these open-source tools make a great addition to your own practice labs and your own home networks. Because if you're building out your home network, this will give you experience using these tools hands-on. This will make you a much better analyst in the real world.

Now, in the real world, which of these tools should you use? Well, that depends. Which company are you trying to get a job at? Or which company do you already work for? As I've worked at different companies and organizations over the years, we have used several of these different tools, including Splunk, ELK Stack, and AlienVault, in some of the different organizations I've worked with. So I have experience with all of those. Is one better than the other? Well, it really does depend on your use case, but really, when it comes down to it, it's what your boss likes and what your company's already using.
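The correlation the lecture walks through (one user ID on the VPN from abroad and at the on-site server room moments later) is the kind of rule a SIEM evaluates after it has normalized events from unrelated sources into one shape. The block below is an added example, not code from the lecture or from any of the products named in it. It parses two constructed log feeds (a hypothetical VPN gateway and a hypothetical badge controller; all usernames, hostnames, sites and timestamps are made up), reduces both to a common event record, and flags any user whose events place them in two different countries within a short window.

```python
"""Added example (not from the lecture or any SIEM product): a minimal
"impossible travel" correlation rule over two constructed log sources.
Every log line, hostname, user, site and country below is made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample logs. Both hypothetical sources use key=value fields
# after a timestamp and a host name.
VPN_LOG = """\
2024-05-01T09:02:11Z vpn-gw user=jsmith src_geo=SG action=connect
2024-05-01T09:03:40Z vpn-gw user=adoe src_geo=US action=connect
2024-05-01T09:20:05Z vpn-gw user=jsmith src_geo=SG action=disconnect
"""
BADGE_LOG = """\
2024-05-01T09:05:30Z badge-ctl user=jsmith door=server-room-1 site=HQ result=granted
2024-05-01T09:06:10Z badge-ctl user=adoe door=front-lobby site=HQ result=granted
2024-05-01T12:30:00Z badge-ctl user=jsmith door=server-room-1 site=HQ result=granted
"""

# Hypothetical lookup: the country each physical site is located in.
SITE_COUNTRY = {"HQ": "US"}

KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Event:
    """Normalized event: every source is reduced to this one shape."""
    ts: datetime
    user: str
    source: str   # "vpn" or "badge"
    country: str  # where this event physically places the user
    detail: str


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_vpn(text: str) -> list:
    """Normalize VPN gateway lines; only a successful connect places a user."""
    events = []
    for line in text.splitlines():
        ts, _host, rest = line.split(" ", 2)
        kv = dict(KV.findall(rest))
        if kv.get("action") != "connect":
            continue
        events.append(Event(parse_ts(ts), kv["user"], "vpn", kv["src_geo"],
                            f"VPN connect from {kv['src_geo']}"))
    return events


def parse_badge(text: str) -> list:
    """Normalize badge controller lines; only a granted entry places a user."""
    events = []
    for line in text.splitlines():
        ts, _host, rest = line.split(" ", 2)
        kv = dict(KV.findall(rest))
        if kv.get("result") != "granted":
            continue
        events.append(Event(parse_ts(ts), kv["user"], "badge",
                            SITE_COUNTRY[kv["site"]],
                            f"badge entry to {kv['door']} at {kv['site']}"))
    return events


def correlate(events: list, window_minutes: int = 30) -> list:
    """Return (user, earlier, later) triples where two events for the same
    user fall within the window but place the user in different countries."""
    window = timedelta(minutes=window_minutes)
    by_user = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            for second in evs[i + 1:]:
                if second.ts - first.ts > window:
                    break  # sorted by time, so later events are further away
                if first.country != second.country:
                    findings.append((user, first, second))
    return findings


def describe(findings: list) -> list:
    """One-line summaries suitable for opening a tracking ticket."""
    return [f"{user}: {a.detail} at {a.ts:%H:%M:%S}, then {b.detail} at "
            f"{b.ts:%H:%M:%S} ({(b.ts - a.ts).seconds // 60} min apart)"
            for user, a, b in findings]


if __name__ == "__main__":
    for line in describe(correlate(parse_vpn(VPN_LOG) + parse_badge(BADGE_LOG))):
        print(line)
```

Run as a script it reports one finding, for `jsmith`, and nothing for `adoe`, whose VPN and badge events agree on the country. The per-source parsers are where the "log all relevant events and filter out irrelevant data" step from the deployment list lives: disconnects and denied badge attempts are dropped before correlation because they do not place the user anywhere. The window is a tunable: too wide and legitimate travel across a border trips it, too narrow and the pair the lecture describes is missed.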