kevin savoy director of hospital and it audits university of virginia
TRANSCRIPT
Security Information and Event Management (SIEM) and Audit
Kevin SavoyDirector of Hospital and IT AuditsUniversity of Virginia
SIEM – just another acronym? What is it Why UVA approach Audit Objectives Audit Program
AGENDA
Depends on who you talk to but usually defined as a holistic approach to security management.
Security event management was the world of real time monitoring (Firewalls, IDS, etc.), detection, notification, and action.
Security information management was the world of log retention, analysis, and reporting.
Some have the two terms flipped. But put both together and you have SIEM!
What is it?
Used to be “good enough” to put the fire out then worry as an afterthought about what went wrong or was prevented.
Controls were always either preventive, detective, or corrective.
Compliance with laws such as notification of affected parties, E-discovery and the related preservation of data, and due diligence requires a strong SIEM as well.
Why
SIEM
Firewall
Routers
IDS
Unix App
Database
Preserved Data
Personal DevicesSyslogs
Legal/Audit/IT Security
Mgmt. Console
Correlation EngineWarnings
Think of every step that should be performed in managing events:
◦ Determining risks◦ Blocking or Quarantining◦ Detecting issue or anomaly or pattern◦ Event Correlation◦ Logging◦ Alerting◦ Analysis◦ Data integrity◦ Correcting or recovery◦ Reporting and debriefing
Why
If we don’t catch or properly handle attacks or other issues we may mess up the end game such as correcting, and notifying affected parties.
Just as bad is if we have the tools and logs and other devices but fail to use them. The laws and courts may say that we failed in our due diligence to our patients, employees, and other stakeholders.
Why
Should not be thought of as just appliances and software, although that is certainly what makes it easier.
SIEM should be thought of as the total process. From detection (or prevention) all the way to providing enough information for lawyers, courts, stakeholders, law enforcement, and ourselves (auditors).
SIEM
Vendors are creating new appliances and software to do log parsing, correlation and anomaly analysis, continuous monitoring, and spot file integrity issues and more.
The systems take input from firewalls, IDS, routers, operating system, databases, applications, authentication servers and on and on to check for issues and collect and store information for later processing.
All or nothing?
Most SIEM systems are a myriad of components that feed into others. For instance a dashboard may be presented through a central SIEM console.
However analyzing may take place within other servers and the saving of log information in other servers.
Its like anything in life you can go piece meal or big bang!
All or nothing?
We have automated payroll, AR, EMR, manufacturing, insurance claims and on and on.
Why not security management. (Don’t worry there will still be security folks).
One day your console may blink that a risky Internet Protocol based on known patterns got through your router, firewall, and a Unix server directory permissions are now different, and that all e-backups have been locked down for secure restoration.
Utopia
Definition of an APT is a concerted effort with the resources to attack you often and in force (manpower and brainpower).
Often foreign governments or criminal entities.
Banking and defense were initial targets. Now everyone is fair game including Universities and Health Care..
New age of Advanced Persistent Threats (APTs)
Your university and/or hospital may be Fort Knox, so those performing APTs often are going after smaller entities.
They know that defenses may have had been implemented to a lesser degree at smaller operations. (think smaller higher education, outpatient clinics and physician offices)
College at Wise story
APTs attack weak spots
Think of all the data that is present every second that can be a potential signal that something is amiss.
SIEMs attempt to take that overwhelming information and make sense of it in addition to preservation.
SIEM is a new defender against APTs
Cost Standardization Myriad of protocols to deal with from
appliances feeding information What data to keep and where to keep it
Challenges
To misquote a recently deceased dictator: the audit of SIEM could be the “mother of all audits…”
You are in essence doing an audit of an automated IT audit function…..
May want to attack it piece meal or swallow it whole. It depends on how much time you have.
AUDIT
Two main audit objectives:
◦ NUMBER 1 Objective - An audit of the SIEM automation itself and what it provides and is it useful to the organization
Policies Procurement of SIEM infrastructure (cost/benefit of control) Configuration diagram (what’s talking to what and how) Prevention (the usual, do you stop, allow with warning etc.) Warnings (how soon, who receives, what technology) Response Follow-up Legal and operational log retention (does it meet legal obligations) Legal actions
AUDIT
Two main audit objectives:
◦ NUMBER 2 Objective - An audit of the Security of the SIEM automation
Access to electronic and paper logs Security over audit tripwires (what causes logging or
alarm) Security over interfaces between component appliances
(who controls, encrypted?) Security of the component appliances (physical and
logical). Some of these may be covered in some of your other audits such as database, operating system, network audits.
AUDIT
Objective 1◦ Determine the effectiveness of the SIEM automation
Step 1. Obtain policies and procedures to gain an
understanding of the SIEM strategy of your organization.
Step 2.Determine that procurement of appliances are in
line with organization strategy and that costs do not exceed benefit of the control either singularly or in combination with other controls. (Use NPV etc.)
Audit Program
Step 3.Obtain a diagram of all components with
their functions labeled (prevention, warning, logging, retention). Also diagram should show all data flows between components. Manual processes should be noted as well.
Step 4.Determine that all components and data flows
are used efficiently to attain prevention (if possible), logging, warning, response, and preservation of data.
Audit Program
Step 5.Determine that warning tripwires have been
planned ahead of time and escalation procedures are appropriate. What technology is used and is it appropriate: email, text message, phone call etc. and at what level is authority given to stop the alarm from being reported higher and is that appropriate based on risk.
Audit Program
Step 6.Determine that events are acted upon (could be part of another audit such as incident response). Determine that responses to events were appropriate.
Step 7.Determine that legal actions were sufficient for any incident (again could be part of another audit such as incident response). Affected parties should have been notified if your organization was responsible for doing so.
Audit Program
Step 8.Determine that any SIEM generated data that must be preserved by law has been stored appropriately.
Objective 2◦ Determine the security over the SIEM automation
Step 9.Determine that access to paper and electronic logs is well thought out and that procedures exist for the granting, provisioning and removal of access to logs.
Audit Program
Step 10.Determine the appropriateness of who determines what protocols and events are logged and acted upon. Usually this is a group effort as firewall administrators have their concerns, a Unix administrator would have concerns, an application owner would have their concerns etc…
Step 11.Determine that access to audit tripwire configuration is controlled by proper access procedures.
Audit Program
Step 12.Determine what interfaces move data between components. Be vigilant of data that can be modified or read in clear text.
Step 13.Determine that security over warning transmissions is appropriate and that high risk messages can not be read or stopped during the escalation process.
Audit Program
Step 14.Determine that individual appliances are secure at the operating system, database level, network level, and application level. This may be done in other audits.
Audit Program
SIEM may be old thinking in new packaging, but technology has advanced where audit needs to take advantage of any components that have been installed.
In the past we have looked at IDS, Firewalls, Routers, Servers, Interfaces, but the more SIEM appliances that coordinate these functions exist we need to stay on top of the extra control our organizations may be achieving without our knowledge. So ask is the first step!!!
In conclusion
