SIEM toolsets, any way of getting experience with these?

chickenlicken09 Member Posts: 537
Hi,

I see this as being one of the main things to have experience in when looking at job specs.
Any free software/simulators out there to get some hands on?

Thanks

Comments

    BlackBeret Member Posts: 683
    BLUF: Learn the underlying information and don't worry too much about the tools. Learn TCP/IP in depth, then learn to use Wireshark or tcpdump to analyze it. Learn network design or engineering, then learn the tools' commands, etc.

    I had this issue at first too. I couldn't find any way of getting experience with any of the major sets until I got a job doing it. There are usually jobs ranging from Analyst - Engineer and all the policy makers and technicians in between. The tools themselves are quickly and easily taught, if you can annotate on a resume that you have experience with the underlying information then it's not an issue.

    Example - You want to be an ArcSight engineer, but you've never touched ArcSight. You have however engineered and installed various other security appliances, SNMP connectors, and managers, etc. This would be acceptable experience and the ArcSight tool could be taught quickly and easily as far as most employers are concerned.

    Or when working as an analyst, regardless of the tool used, the most important part is being able to analyze the traffic. Tools can be taught in a few days, but the underlying traffic analysis is the part that really makes a difference. Even in large corporate or government environments with 6 different SIEM tool sets that do 500 million different things, the job of the analyst is to look at the event, download a .pcap from whatever device, open it in Wireshark, analyze the traffic in comparison to the rule it fired on, and decide whether it was a false positive or to take further action.

    If you're working in response to an event, you need to know the ins and outs of forensics and how to analyze the complete traffic. You can learn how to pull this data from the various tool sets without much effort.
    JoJoCal19 Mod Posts: 2,835
    Aside from ones that are known to have a free version like xmalachi posted, I would contact vendors of some of the more popular ones and ask if it's possible to get an evaluation version.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
    chickenlicken09 Member Posts: 537
    Must check them out.
    yeah yeah Member Posts: 77
    I'm with BlackBeret on this one. Once you're familiar with one SIEM, it's not too difficult to navigate your way around any other one. Some are difficult, some are not. Splunk isn't too bad out of the box...but can be a very steep learning curve if you really want to use it for what it really does. The theory behind SIEMs is the thing that is important though. Do you understand how the network works? Can you break down a packet? Where do you place your sensors to get the most bang for your buck? Do you understand APTs? Can you identify if the network is responding to a possible attack? There's a lot of material that I would read up on regarding SIEMs and how they work. As BlackBeret stated, you need to figure out what you want to do with the SIEM. If you can speak on all of these points, then get some quick hands-on, you should be good.

    There are a bunch of free SIEMs out there that you can get your hands on. The only thing with those, you won't be using them in the DoD. Not sure what market you're looking for work in. Here are a couple that you can pick up right away. YouTube them as well, you'd be surprised at the results.

    - Logalyze (free)
    - Solarwinds Log and Event Manager (eval)
    - Blackstratus Log Storm (eval)
    - ArcSight (eval)
    the_Grinch Member Posts: 4,165
    Build your own :) Amazing what you will learn when you have to piece together your own SIEM and it looks great on the resume.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
    wes allen Member Posts: 540
    Set up Splunk Free, or for bonus points, the ELK stack, and start sending logs to it. Any logs will do, really - your Windows workstations (can't send, have to pull), wireless routers, etc. Then start building searches and dashboards to model the data. Create a few alerts as well. SIEMs are mostly just advanced log collection - so get used to dealing with the logs, then you will understand what the SIEM rules are doing to sort, parse and alert on events. Learn what Windows event codes mean, how syslog works, etc. Then you can work on ways to pull and analyze logs without the SIEM, like with PowerShell, or even grep.
    BlackBeret Member Posts: 683
    For traffic analysis I used TCP/IP Illustrated and Wireshark mainly. The real idea is that you know what you're looking at when you look at traffic. Larger environments will have separate host and network teams, as well as signature writers for both. I've seen analysts that didn't know what a 3-way handshake was; we have some now that can point it out but still don't understand what it really is or what's being exchanged in it. Another thing that has helped a ton as an analyst is to study penetration testing as well. If you know how to attack you'll better understand how to spot an attack. A large part of traffic analysis in a SIEM environment is ruling out false positives. When you get an alert titled "directory traversal" you have to be able to look at the traffic and tell whether it's an actual attempt, or if some external web server just has a unique referral method for its site.

    My first IT security job was as an analyst; the technical portion of the interview went like this: "We've hired people before without experience but we need to know that you're not just a guy that got some certs, turns on a Windows machine, and says he knows computers. What do you know about networking?" "Well sir, I know I have never worked in this field before, but I have been studying it while working other jobs. I obtained my A.S. in network security and studied for the certs by building my own virtual lab at home. I use Ubuntu Server to host VirtualBox, which I use to run Ubuntu desktop, Kali, and a few other VMs. I use Wireshark to analyze the traffic generated and Snort to work with monitoring the environment."
    markulous Member Posts: 2,394
    the_Grinch wrote: »
    Build your own :) Amazing what you will learn when you have to piece together your own SIEM and it looks great on the resume.

    Where do you put it on your resume to make it so it is aesthetically pleasing? I just deployed Splunk and I'm playing around with Wireshark and Snort for some data sources in that.

    Feedback I've gotten from the last two interviews was that I should do something more hands-on for them to take a chance with me in an Analyst role, so I definitely want to incorporate that.
    the_Grinch Member Posts: 4,165
    I would put it under technical skills and then list what you deployed. At my place we utilize all open source software so I list the tools we use and typically that should lead to questions. Thus:

    Deployment of OSSEC for endpoint/server monitoring
    Logstash for data scrubbing
    Elasticsearch/Kibana for data visualizations and analysis
    People in the industry know the terms and the ones they don't know stand out enticing them to ask you about them. Then you can elaborate on their function, how you utilize them and your experience thus far with them.
    markulous Member Posts: 2,394
    Thanks! I need to think of more stuff to add in there. So far just:

    *Deployment of Splunk SIEM for endpoint/server monitoring
    *Wireshark and Snort for log generation and network interface monitoring

    Just applied to a bunch of places, but wish I'd had that in there. Oh well.
    dmoore44 Member Posts: 646
    markulous wrote: »
    Thanks! I need to think of more stuff to add in there. So far just:

    *Deployment of Splunk SIEM for endpoint/server monitoring
    *Wireshark and Snort for log generation and network interface monitoring

    Just applied to a bunch of places, but wish I'd had that in there. Oh well.

    You might want to be careful about referring to Splunk as a SIEM... There are some that would debate the point with you. I've asked people in interviews why they refer to Splunk as a SIEM, and if they're not able to articulate their reasoning, I tend to dock them points. This isn't to say that Splunk can't mimic a SIEM, or provide much of the same functionality... but it's really missing the correlation engine on top of it (though the Enterprise Security app does a great job).
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance
    Currently Reading: Books on TensorFlow
    markulous Member Posts: 2,394
    So you think just take the word SIEM out and it'll look okay? If I got that question I'm not sure how I'd answer it.
    renacido Member Posts: 387
    Part of the equation here that hasn't been mentioned is what your role is. SIEM is a powerful tool that has different uses depending on what your focus is.

    Also, the SIEM products out there vary in capability and feature set. Most aggregate logs and flows and have some sort of correlation engine to normalize the events, put related events from disparate platforms together in a meaningful way, parse out the ones that could indicate possible intrusion, etc. But some do caching of live traffic for near-real-time analysis, or can do packet captures, and some do not. Some also have user behavior analytics, permissions/privilege/policy auditing, automated response/remediations, data loss prevention, file integrity monitoring, etc., and some don't.

    What you need to know, and what a SIEM can do to make your job easier, depends on where you sit.

    If you do system security, then logs from your servers, endpoint protection, HIPS, unauthorized changes, introduction of risky files, permissions/privilege/policy abuse, and file disclosure from sensitive storage areas are your main set of concerns, and a SIEM is more or less helpful depending on the features it provides and the risk/threat landscape of your company or institution.

    If your focus is more perimeter defense, then you are more interested in analyzing traffic patterns, communications inbound/outbound/between segments, and risky types of traffic; you're going to spend a lot more time with a packet analyzer like Wireshark and analyzing the logs from your network IPS and firewall.

    Understand why all those things are important and how they help you harden the network and respond to intrusion attempts before they become persistent threats or breaches, and you'll be someone who can help any company maximize the return on investment for any SIEM product. Any IT guy can learn how to navigate the GUI of a SIEM, but you need those underlying skills and knowledge areas to be able to set up, tune, and take advantage of its features.

    Analysts use SIEM to detect and respond earlier to incidents, engineers use it to inform them on improving the security posture of the network.
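    To make concrete what wes allen describes (SIEM rules sorting, parsing and alerting on raw logs) and what renacido calls the correlation engine (normalizing events from disparate platforms and tying related ones together), here is a small added example in Python; it is not code from any of the posters or from any SIEM product. It parses constructed sshd syslog lines and Windows logon events (4625/4624) into one common schema and runs a single correlation rule over both; the pipe-separated Windows layout and the year supplied to syslog timestamps are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample input, not real logs: sshd syslog lines and Windows
# Security events flattened to "EventID|Time|Host|Account|SourceIP"
# (the pipe layout is an assumption made for this example).
SYSLOG = [
    "Mar  3 10:01:10 web01 sshd[812]: Failed password for root from 203.0.113.5 port 51000 ssh2",
    "Mar  3 10:01:12 web01 sshd[812]: Failed password for root from 203.0.113.5 port 51001 ssh2",
    "Mar  3 10:01:15 web01 sshd[812]: Accepted password for root from 203.0.113.5 port 51002 ssh2",
    "Mar  3 10:05:00 web01 sshd[900]: Failed password for bob from 198.51.100.7 port 40000 ssh2",
]
WINEVT = [  # 4625 = failed logon, 4624 = successful logon
    "4625|2024-03-03 10:02:00|DC01|alice|203.0.113.5",
    "4625|2024-03-03 10:02:03|DC01|alice|203.0.113.5",
    "4624|2024-03-03 10:02:05|DC01|alice|203.0.113.5",
]
SYSLOG_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                       r"(Failed|Accepted) password for (\S+) from (\S+)")

def normalize_syslog(line, year=2024):
    """Parse one sshd line into the common schema; syslog carries no year, so one is assumed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, hms, host, verb, user, src = m.groups()
    ts = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": host, "user": user, "src": src,
            "outcome": "success" if verb == "Accepted" else "failure"}

def normalize_winevt(line):
    """Map Windows logon events onto the same schema; other event IDs are dropped."""
    eid, when, host, user, src = line.split("|")
    if eid not in ("4624", "4625"):
        return None
    return {"ts": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), "host": host, "user": user,
            "src": src, "outcome": "success" if eid == "4624" else "failure"}

def correlate(events, min_failures=2, window_seconds=60):
    """Rule: >= min_failures failed logons from one source IP, then a success within the window -> alert."""
    alerts, failures = [], {}  # failures: src -> timestamps of recent failed logons
    for ev in sorted(events, key=lambda e: e["ts"]):  # time order across both platforms
        recent = [t for t in failures.get(ev["src"], []) if (ev["ts"] - t).total_seconds() <= window_seconds]
        if ev["outcome"] == "failure":
            failures[ev["src"]] = recent + [ev["ts"]]
        elif len(recent) >= min_failures:
            alerts.append((ev["src"], ev["user"], ev["host"], len(recent)))
            failures[ev["src"]] = []  # do not re-alert on the same failures
    return alerts

def run():
    events = [e for e in map(normalize_syslog, SYSLOG) if e] + [e for e in map(normalize_winevt, WINEVT) if e]
    return correlate(events)
```

Running `run()` yields one alert from the Linux host and one from the domain controller, both keyed to the same source IP, which is the kind of cross-platform grouping a SIEM rule does that grep over a single log file cannot.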
    Matt2 Member Posts: 97
    Security Onion, full SIEM, main weakness is reporting.
    smkrbnsn Registered Users Posts: 1
    I see a lot of people saying that it is easy to teach someone how to use the SIEM and navigate through the GUI....ummm, not the case at all. I was shocked when I first saw the ArcSight console for the first time. I do agree that having a knowledge of networking is a good start. You have to understand how traffic works between devices. But a SIEM is all about logs. Find out as much as you can about logs and how firewalls, IDS, Windows Security Events from Windows Servers, DC, DHCP and antivirus logs look and work. Look on Amazon for books describing log management, because the first step to a successful SIEM is log management. Lastly, realize that most organizations do not know what their baseline is. So you really can't sit down in front of a SIEM or firewall and see abnormal events or behavior. That comes with time and SIEM tuning, things you are not going to be expected to know during a job interview. My two cents.....