Module 4

Uploaded by Hukkah Miah
Module Objective

SIEM is at the heart of the SOC. It helps SOC analysts in correlating and analyzing security events and identifying unusual or suspicious activity on an organization's IT infrastructure. This module also presents examples of various SIEM use cases that help SOC analysts detect attempts at various kinds of anomalies.

In this module, you will learn:
- Security Information and Event Management (SIEM) and its capabilities
- Different types of SIEM solutions
- SIEM architecture and its components
- Challenges in SIEM deployment
- Recommendations for successful SIEM deployment
- Stages in SIEM use case development and commonly used use cases
- Different SIEM deployment architectures
- Handling alert triaging and analysis process
- Challenges in handling alert triage

Security Information and Event Management (SIEM)

The security information and event management (SIEM) solution is at the core of the SOC; it helps SOC analysts in correlating and analyzing security events and identifying unusual or suspicious activity on an organization's IT infrast ructure. SIEM helps the SOC fulfill its main objective of providing a single-point, comprehensive view of an organization's IT infrastructure security. SIEM is an extension of log management. SIEMs have two main components:
a layer of log management functionality and an additional layer for security analytics.

Main objectives of SIEM:
- Log management: performs centralized log management
- Security analysis: detects real-time security incidents

Security Analytics

Security analytics involves analyzing logs and event data to perform event correlation, real-time monitoring, alerting, reporting, incident management, and response.

Need of SIEM
- To detect and prevent threats against the organization
- To support regulatory compliance

Typical SIEM Capabilities

SIEM Architecture and Its Components

A typical SIEM environment consists of:
- Devices which send data to the SIEM. This typically includes:
  - Network devices (routers, switches, etc.)
  - Security devices (IDS/IPS, firewalls, etc.)
  - Servers (web, mail, etc.)
  - Applications
- Collectors/Agents/Connectors: collect and normalize the information obtained from the various devices before forwarding it to the central engine.
  These may include a log collector and a flow collector.
- Central Engine: performs data correlation and analysis.
- Database: logs are stored for a certain period of time, depending upon the retention policy.

SIEM Solutions

Types of SIEM Solutions

In-House SIEM
In an in-house SIEM, customers buy the software and hardware and manage them on premises.
Advantages:
- It provides full control over the system
- It can be customized as per the organization's security needs
Disadvantages:
- It is expensive to set up and operate

Cloud-Based SIEM
In this type of SIEM, customers subscribe to SIEM as a service.
Advantages:
- The SIEM platform is continuously updated
- There is no need to depend on a third party to maintain the implementation
Disadvantages:
- Customers may not realize the complete SIEM functionality or benefits

Types of SIEM Solutions (Cont'd)

Managed SIEM
This type of SIEM can be implemented either on-premises or in the cloud. It includes all the technology features that are required for a do-it-yourself implementation as well as to satisfy security objectives.
Advantages:
- It removes the load of hiring, training, and keeping specialized personnel, as it comes with advanced technology and skilled people
- It provides compliance support and data security assistance
Disadvantages:
- Data security is managed by the third party.
  If the company selected is wrong, then there is a chance of more risks or unwanted hassles.

SIEM Solutions: Micro Focus ArcSight Enterprise Security Manager (ESM)
- It is comprehensive and …
- With ArcSight ESM, SOCs gain the agility to expand their cyber security footprint and respond faster to evolving threats at a massive scale
- It empowers SOC monitoring teams to triage detected alerts through the ArcSight ESM integration commands

SIEM Solutions: Splunk Enterprise Security (ES)
Splunk Enterprise Security (ES) is the analytics-driven SIEM solution that gives you what you need to quickly detect and respond to internal and external attacks.

SIEM Solutions: IBM Security QRadar

SIEM Solutions: AlienVault Unified Security Management (USM)
AlienVault Unified Security Management (USM) delivers threat detection, incident response, and compliance management across cloud, on-premises, and hybrid environments.

Additional SIEM Solutions
- Elastic Stack
- LogRhythm SIEM
- McAfee Enterprise Security Manager (ESM)
- Micro Focus Sentinel Enterprise
- SolarWinds Log & Event Manager
- Trustwave SIEM Enterprise and Log Management Enterprise
- RSA NetWitness Suite

SIEM Deployment

Challenges in SIEM Deployment
SIEM deployment can be unsuccessful because of the following reasons:
- Unavailability of trained personnel
- Configuring all possible data sources into the SIEM at once, irrespective of its monitoring and operations needs
- Selecting an unsuitable SIEM deployment architecture

Recommendations for Successful SIEM Deployment
1. Use a phased approach for SIEM deployment
2. Determine the scope and use cases, and build the associated requirements essential for successful execution of the use cases
3. Implement a suitable deployment architecture

1.
Implementing Phased SIEM Deployment

Use a Phased Approach for SIEM Deployment
Using a phased deployment approach, organizations can lessen the inherent complexity of the SIEM deployment.

Phased SIEM Deployment Approaches
Approach A: The organization should first deploy the log management and collection architecture, either by using a separate central log management (CLM) system or …
Advantages:
- Easy to deploy and greater visibility into user and resource access
- Improved scalability and performance
- Already collected data can be used to perform functions related to security analytics
- Data can be used for the fulfilment of non-security requirements and for forensic usage

Approach B: Sequential, one-by-one implementation of use cases helps to reach the desired scope and objective. The required log management and SIEM components are deployed in support of each use case.
Advantages:
- Possible to build more complex use cases with greater scope

2. Determining the Scope, Use Cases, and Associated Requirements

SIEM Scope
The scope is the driver behind the implementation of SIEM. The organization can have compliance, security, and operations as major drivers for SIEM implementation.
- Compliance: when the driver is compliance, logs are collected, stored, and retained for analysis to ensure that rules and policies are followed as per the applicable standards; for example, to comply with PCI DSS, an organization needs to log all access to cardholder data.
- Security: when the driver is security, real-time monitoring and analysis of logs are done to identify any suspicious activity, security breach, or indicator of compromise.
- Operations: when the driver is operations, the main focus is on device management, hardware/software maintenance, troubleshooting, and …

Security SIEM Use Cases
Once the scope is identified for SIEM implementation, SIEM use cases are defined to create a manageable SIEM environment. Use cases are the goals behind the SIEM implementation which enable the successful implementation of SIEM in the infrastructure. These use cases can be a rule,
report, alert, or dashboard that …

Stages in Use Case Development and Implementation
- Scope: compliance, security, operations
- Implement and test the use case: configuring and testing the SIEM implementation
- Use case output: report, real-time notification, historical notification
- Use case response: defines the actions that need to be taken, and how they need to be taken, for incident handling and response

Requirements: Log Data
Requirements state the data required for the successful execution of the use case. Use cases should determine the data collection requirements. Not every log source type will be relevant to the desired use cases; only those that support the desired use cases should be collected. Based on these criteria, the selection of log source integrations into the SIEM should be done. The sequence of log source integration should be based on importance and feasibility. For example, if the use case is monitoring account compromise activity by analyzing authentication events, then Active Directory (AD) logs should be collected.

Typical sources of logs for a SIEM include:
- Network firewalls
- Intrusion detection system (IDS)/intrusion prevention system (IPS)
- Network sandboxing
- Network and host data loss prevention (DLP) solutions
- Web proxy logs
- Authentication server logs, such as Windows Active Directory and virtual private network (VPN) access logs
- Internal DNS server logs
- Server activity, such as UNIX and/or Windows
- Cloud service application programming interfaces (APIs)
- Endpoint security logs, such as antivirus and host IPS
- Web server and web application logs
- Database logs
- Application logs

Requirements: Contextual Data
In addition to the event and log data, SIEM systems also ingest contextual data and traffic flow data to improve situational awareness and to monitor specific use cases.

Requirements: Contextual Data (Cont'd)
The table represents the
typical sources of context data that can be useful for security monitoring:
- User context: information about the new employees who have joined the organization and the employees who have left the organization. User context consists of information obtained from human resources (HR).
- Asset context: information about the devices that are present in the network. The asset context generally consists of information about network …
- Vulnerability context: the typical source of vulnerability context is the tools which scan for vulnerabilities.
- Threat context: consists of information about the things that may cause harm to the network. Threat intelligence shares the threat data and is the source of threat context.
- Configuration context: the configuration and the details of the assets are found in the configuration context. Vulnerability assessment tools are a typical source for configuration context.
- Data context: the information collected in the data context comes from the data loss prevention tools and other software. There are different types of tools which manage the data; they can also be a typical source for data context.
- External context: the data from external sources, such as threat intelligence from different … that is provided by third parties, acts as a typical source for external context.
- Application context: the applications which are present in the network act as the typical source for application context, and the information from dynamic security testing and static application security testing tools also plays an important role in providing the information for the application context.
- Business context: the tools that are used to manage the business are the sources for business context.
  The applications which are integrated into the business …
- Location and physical context: global positioning sensors in the systems provide the location of the station where they are being operated and where the physical data is being transmitted; they are a typical source for location and physical context.

Requirements: Traffic Flow Data
Integrating traffic flow data with the SIEM helps to monitor network traffic. The traffic flow data is collected over the NetFlow (RFC 3954) protocol. A NetFlow collector is used to collect Internet Protocol (IP) traffic information from networks. Routers have the NetFlow feature enabled to generate NetFlow records, and these are exported from the router as UDP or SCTP packets. NetFlow monitoring and analysis can help in identifying any anomalous network patterns and network bandwidth consumption, and in finding network problems and optimizing network performance.

EPS, Volume, and Hardware Requirements
Based on the scope, the SIEM size is decided. SIEM size depends majorly upon three factors:
1. Events Per Second (EPS)
   - SIEM sizing depends upon how fast a security device generates events and how fast a SIEM product can correlate events from those devices
   - This ratio is referred to as SIEM velocity. It is measured in terms of Events Per Second (EPS): EPS = number of security events / time in seconds
   - EPS helps organizations to correlate the capacity of the IT infrastructure and to plan and choose the best-suited SIEM solution for them
2. Volume
   - The amount of storage required to store data. An average event occupies 300 bytes
3. Hardware Requirements
   - Hardware is selected based on EPS and storage requirements

3.
Implementing a Suitable Deployment Architecture

SIEM Deployment Architecture
- There are various architecture choices for organizations to deploy their SIEM solution
- Each of these architectures can have different challenges and limitations
- The organization can opt for any SIEM deployment architecture depending upon how they want to manage, maintain, and expand the SIEM solution
- The choice of architecture is generally affected by:
  - Number of log sources
  - Amount of logged data
  - Type of collection mechanism
  - Specific entity or use case
  - Network topology
  - Available bandwidth
  - Regulatory compliance needs, including log retention period mandates
  - Log retention costs, both physical and logical

SIEM Deployment Architecture Options (each shown as a diagram of event sources, collectors, and the SIEM on the slides):
- Self-Hosted, Self-Managed
- Self-Hosted, MSSP Managed
- Self-Hosted, Jointly Managed
- Cloud, MSSP Managed
- Cloud, Jointly Managed
- Cloud, Self-Managed
- Hybrid Model, Jointly Managed

Additional Recommendations for Successful SIEM Deployment
Once the scope, use cases, requirements, and architecture are finalized, the technical implementation of the planned SIEM is verified from all possible angles. This may include addressing the following technical questions:
- Whether agent-based or agentless collection of logs should be adopted?
- Whether an appliance, software, or virtual image of the collector should be used?
- How many collectors should be used?
- Which type of collector should be used?
- How to deal with super-high-volume and super-low-volume log sources?
- Whether correlation can be distributed?
- Whether storage can be distributed?
- Will there be any network architecture constraints?
- How to manage redundancy, availability, and recovery of data?
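The collector-to-central-engine pipeline described under "SIEM Architecture and Its Components" is easiest to see in code. The following is an added example, not code from this module or from any SIEM product: three small collectors each parse one native log format (a kernel/iptables-style syslog line, a Snort-style "fast" alert, and a flattened key=value Windows event) into one common schema, and a central-engine style correlation then joins the normalized events on source IP. All three sample records, the device names, the local rule id 1000001, and the assumed year 2024 (syslog and Snort timestamps carry none) are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records, one per native format.
FIREWALL_LINE = ("Mar 10 14:02:11 fw01 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 "
                 "PROTO=TCP SPT=44123 DPT=22 ACTION=DROP")
IDS_LINE = ("03/10-14:02:15.123456 [**] [1:1000001:1] LOCAL possible SSH scan [**] "
            "[Priority: 2] {TCP} 203.0.113.9:44123 -> 10.0.0.5:22")
WINDOWS_LINE = ("2024-03-10T14:03:00 host=WS01 EventCode=4625 Account_Name=jdoe "
                "Source_Network_Address=203.0.113.9")

YEAR = 2024  # syslog and Snort timestamps carry no year; assumed for the sample

def empty_event(source_type, device, ts):
    """Common schema every collector emits towards the central engine."""
    return {"timestamp": ts, "source_type": source_type, "device": device,
            "src_ip": None, "dst_ip": None, "dst_port": None,
            "action": None, "user": None, "message": None}

def parse_firewall(line):
    """Collector for the syslog firewall format."""
    m = re.match(r"(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) kernel: (.*)", line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group(1)} {m.group(2)} {m.group(3)}",
                           "%Y %b %d %H:%M:%S")
    kv = dict(tok.split("=", 1) for tok in m.group(5).split() if "=" in tok)
    ev = empty_event("firewall", m.group(4), ts)
    ev.update(src_ip=kv.get("SRC"), dst_ip=kv.get("DST"),
              dst_port=int(kv["DPT"]) if kv.get("DPT") else None,
              action=kv.get("ACTION", "").lower() or None)
    return ev

def parse_ids(line):
    """Collector for Snort-style fast alerts."""
    m = re.match(r"(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.\d+ \[\*\*\] \[\d+:\d+:\d+\] (.*?) "
                 r"\[\*\*\] .*?\{\w+\} (\S+):\d+ -> (\S+):(\d+)", line)
    if not m:
        return None
    mon, day, hh, mm, ss = (int(x) for x in m.groups()[:5])
    ev = empty_event("ids", "ids01", datetime(YEAR, mon, day, hh, mm, ss))
    ev.update(src_ip=m.group(7), dst_ip=m.group(8), dst_port=int(m.group(9)),
              action="alert", message=m.group(6))
    return ev

def parse_windows(line):
    """Collector for the flattened Windows security event export."""
    head, _, rest = line.partition(" ")
    kv = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    ev = empty_event("windows", kv.get("host"), datetime.fromisoformat(head))
    ev.update(src_ip=kv.get("Source_Network_Address"), user=kv.get("Account_Name"),
              action="logon_failure" if kv.get("EventCode") == "4625" else "other")
    return ev

PARSERS = {"firewall": parse_firewall, "ids": parse_ids, "windows": parse_windows}

def normalize(records):
    """Run each raw (source_type, line) pair through its collector; drop unparsable lines."""
    events = []
    for source_type, line in records:
        ev = PARSERS[source_type](line)
        if ev is not None:
            events.append(ev)
    return sorted(events, key=lambda e: e["timestamp"])

def correlate_by_source_ip(events, min_source_types=2):
    """Central-engine style correlation: source IPs reported by >= N distinct source types."""
    seen = defaultdict(set)
    for ev in events:
        if ev["src_ip"]:
            seen[ev["src_ip"]].add(ev["source_type"])
    return {ip: sorted(types) for ip, types in seen.items() if len(types) >= min_source_types}

SAMPLE_RECORDS = [("firewall", FIREWALL_LINE), ("ids", IDS_LINE), ("windows", WINDOWS_LINE)]

if __name__ == "__main__":
    events = normalize(SAMPLE_RECORDS)
    for ev in events:
        print(ev["timestamp"], ev["source_type"], ev["src_ip"], "->",
              ev["dst_ip"], ev["dst_port"], ev["action"])
    print(correlate_by_source_ip(events))
```

The point of the common schema is the last function: once a firewall drop, an IDS alert, and a Windows logon failure all carry `src_ip` in the same field, a single correlation rule can relate them without knowing which device produced each record.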
Incident Detection with SIEM

SIEM Incident Detection: Signature-Based vs Anomaly-Based Detection
Both signature-based and anomaly-based detections are used to detect intrusion attempts. In signature-based detection, detection of intrusion attempts is carried out based on the predefined signatures specified in the database of security devices such as an IDS. For example:
- Snort provides its own rule set …
- OWASP's ModSecurity, an open source web application firewall (WAF), provides its own rule set, the OWASP ModSecurity Core Rule Set

Signature-Based Detection:
- Security analytics
- Detects signature patterns in logs generated from the various devices
- Human driven

Anomaly-Based Detection:
- User and entity behavior analytics (UEBA)
- Detects suspicious behavioral … and is effective in detecting unknown attacks
- Machine-learning driven

Examples of Commonly Used Use Cases Across All SIEM Deployments

Use Case Examples for Application-Level Incident Detection

Detect an Attempt of SQL Injection
Data source: web server logs
Anomaly/Signatures: look for the events comprising signs of SQL injection
- Detection of union-based SQL injection attempt: set an alert on pattern matching regex /((\%27)|(\'))union/ix
- Set an alert on pattern matching regex /\w*((\%27)|(\'))(select|union|insert|update|delete|replace|truncate|drop)/ix
- Detection of SQL injection attempt on a MSSQL server: set an alert on pattern matching regex …

Detect an Attempt of XSS
Example: Splunk SIEM
Data source: IIS or Apache web server logs, IDS logs, WAF logs, etc.
Anomaly/Signatures: look for the events comprising signs of XSS
- Detection for simple XSS attempt: set an alarm on pattern matching regex /((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix

Detection of …
Example: AlienVault OSSIM SIEM.
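The SQL injection and XSS signatures above are regular expressions applied to the request URI in web server logs. The following added example (not from the module or from any SIEM vendor) runs those same patterns over a constructed Apache common-log-format sample, checking both the raw and the URL-decoded URI so that a payload hidden behind percent-encoding is still caught. The five log lines and the client addresses are constructed; the MSSQL pattern is left out because it is not legible on the slide.

```python
import re
from urllib.parse import unquote

# Signature patterns as given on the slides; re.I stands in for the /i flag (the /x flag
# only affects whitespace inside the pattern, and these patterns contain none).
SIGNATURES = {
    "sqli_union": re.compile(r"((\%27)|(\'))union", re.I),
    "sqli_keyword": re.compile(
        r"\w*((\%27)|(\'))(select|union|insert|update|delete|replace|truncate|drop)", re.I),
    "xss_simple": re.compile(r"((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)", re.I),
}

# Apache/NCSA common log format: client, ident, user, [time], "request", status, bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)')

# Constructed access-log sample: two SQLi probes, one XSS probe, two benign requests.
SAMPLE_LOG = """
203.0.113.7 - - [10/Mar/2024:14:05:01 +0000] "GET /products?id=1%27union%20select%201,2,3 HTTP/1.1" 200 512
198.51.100.3 - - [10/Mar/2024:14:05:04 +0000] "GET /credit-union/rates HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2024:14:05:09 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 128
203.0.113.7 - - [10/Mar/2024:14:06:30 +0000] "GET /admin?name=%27drop%20table%20users-- HTTP/1.1" 200 300
198.51.100.3 - - [10/Mar/2024:14:07:00 +0000] "POST /api/v1/items HTTP/1.1" 201 64
""".strip().splitlines()

def parse_clf(line):
    """Split one common-log-format line into the fields the signatures need."""
    m = CLF.match(line)
    if not m:
        return None
    return {"src_ip": m.group(1), "time": m.group(2), "method": m.group(3),
            "uri": m.group(4), "status": int(m.group(5))}

def match_signatures(uri):
    """Return the signature names that fire on the raw or URL-decoded request URI."""
    hits = set()
    for candidate in (uri, unquote(uri)):
        for name, rx in SIGNATURES.items():
            if rx.search(candidate):
                hits.add(name)
    return sorted(hits)

def scan_access_log(lines):
    """One alert per request that trips at least one signature."""
    alerts = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        hits = match_signatures(rec["uri"])
        if hits:
            alerts.append({"src_ip": rec["src_ip"], "time": rec["time"],
                           "uri": rec["uri"], "signatures": hits})
    return alerts

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert["time"], alert["src_ip"], alert["signatures"], alert["uri"])
```

Note how `/credit-union/rates` does not fire: every SQLi pattern requires a quote (literal or `%27`) immediately before the keyword, which is what keeps these signatures usable on real traffic, and also why a payload such as `' union` with a space between the quote and the keyword slips past the union pattern as written on the slide.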
For example, you can find a reputation IP database in the AlienVault OSSIM SIEM.

Use Case Examples for Insider Incident Detection

Monitor Abnormal Authentication Attempts
Example: LogRhythm SIEM
Anomaly/Signatures:
- Monitor authentication attempts from unusual hosts
- Monitor authentication attempts at unusual frequency (logins at unusual frequency)
- Monitor logins at unusual hours

Detect Data Exfiltration Attempts Made through USB or CD Drives
Example: Splunk SIEM
Anomaly/Signatures: detect any such attempt by inspecting OS logs

Detect Data Exfiltration Attempts Made Through FTP
Example: Splunk SIEM
A user can perform bulk transfer of files over FTP.
Data source: file server logs
Anomaly/Signatures: …

Detect Data Exfiltration Attempts Using Personal Web Mail Accounts
Anomaly/Signatures: monitor for attempts made toward emailing larger amounts of data to personal email accounts, violating the baseline usage of the email service

Detect Data Deletion Attempt
Disgruntled users with high privileges (rogue administrators) can delete sensitive data from the critical servers.
Anomaly/Signatures: monitor excessive amounts of file deletion attempts on critical servers

Detect an Attempt of Account Compromise
Password modification activity from users other than the legitimate users can be an indication of account compromise.
Anomaly/Signatures: detect any attempt to change a password, and password modification activity from other users

Detect Attempt of Accessing or Modifying Unusual Data
Any attempt of accessing or modifying data from unauthorized users can be an indication of account compromise or an insider threat.
Data sources: Windows security event logs, Unix host logs, any logs from File Integrity Monitoring (FIM) tools

Detect Attempt of Communicating over a Private Network (TOR Network)
Users can use a private network such as the TOR network to hide their malicious intent.
- If you find outside hosts using the TOR network to
  communicate with your corporate network, this can be an indication of an attack reconnaissance event
- If you find a user from inside the corporate network using the TOR network, this is an indication of a malicious insider
Anomaly/Signatures: identify source IP addresses that are attempting to connect to TOR IP addresses

Detect Which IPs are Connecting to a Specific Port
Example: Splunk SIEM
Malicious insiders can try to establish a connection to a port or run a service that is not allowed or that is against the policy. For example, communicating over FTP on port 21 or Telnet on port 23 can be considered a suspicious connection and is not allowed in organizations.
Anomaly/Signatures: examine and detect such types of attempts with the host source IP address

Detect Data Exfiltration Attempts Through Cloud Storage
An insider can use private cloud storage to transfer sensitive data.
Anomaly/Signatures: detect any attempts of unauthorized upload of data to cloud storage such as Dropbox; look for the username and IP address from which this activity is initiated

Use Case Examples for Network-Level Incident Detection

Monitor Network for Use of Insecure Protocols and Services
Example: Splunk SIEM
Monitoring insecure protocols and services running on endpoints will help you prevent possible future attacks.
Anomaly/Signatures: identify insecure ports and services that are found open and running on the endpoints

Detect Services Running on Non-Standard Ports
Attackers can use standard services to hide their command and control communication.
Running these on non-standard ports can be easier for their configuration and collection purposes. This can be an indication of malware infection.
Data source: network data
Anomaly/Signatures: examine and identify the services running on non-standard ports; create a SIEM rule for such anomalies and generate an alert for the same
SIEM rule examples:
- HTTP traffic not using standard port 80
- Outbound SSH traffic not on standard SSH port 22
- Inbound SSH traffic not using standard SSH port 22

Detect Non-Standard Use of Standard Ports
Attackers can use standard protocol ports to hide their command and control communication.
Anomaly/Signatures: examine and identify such protocols used for non-standard use
SIEM rule examples:
- Non-HTTP traffic using standard HTTP port 80
- Non-DNS traffic using standard DNS port 53
- Non-SSH traffic using standard SSH port 22
- Non-SSL/TLS traffic using standard port 443

Detect Network Scanning Attempts
Example: Splunk SIEM
Anomaly/Signatures: any such attempt can be detected by examining the signatures of scanning activities

Detect Port Scan Attempts
Example: LogRhythm SIEM
Data source: IDS logs
Anomaly/Signatures: a signature-based detection technique from an IDS or any network monitoring tool
  should be used to detect such types of attempts.

Detect Excessive Firewall Denies Attempts
Example: LogRhythm SIEM
Repeated firewall denies can result from attempts such as reaching non-standard services, etc.
Anomaly/Signatures: detect any such attempt by investigating firewall deny events from a single source within a specific period or window

Detect Attempt of Accessing a Disabled Account
Even though employees' privileged accounts are immediately disabled once they leave their organizations, it is still sometimes impossible for the administrators to remove all accesses and privileges on such accounts.
Anomaly/Signatures: monitor and detect any attempts made toward accessing or authenticating on those accounts

Detect Attempt of Account Creation, Usage, and Deletion
Example: LogRhythm SIEM
Malicious insiders may …
Anomaly/Signatures: detect the trail where a user is created, used, and then deleted

Perform Registry Monitoring
Example: Splunk SIEM
Usually, any changes in the registry indicate that some executable is being installed/uninstalled on the host. Registry monitoring will help in detecting any attempt of installing/uninstalling executables.
Anomaly/Signatures: detect registry events/actions such as set, delete, etc. in Windows registry logs

Monitor Attempts of Ransomware Attack
Ransomware infects a system with malware that encrypts all of the files on the hard drive.
Anomaly/Signatures:
- Detect attempts of creating a large number of new files in a short amount of time
- Look for known ransomware file extensions
- Detect attempts of an increase in file renames on network file shares
Typical extensions of ransomware files: …

Monitor Attempts of Ransomware Attack (Cont'd)
Example: Splunk SIEM

Detect Rogue DNS Server
An attacker can configure his/her malicious server with an IP address to act as a name server.
Anomaly/Signatures: monitor for DNS names other than the known local/internal DNS names in the list; such a DNS name could possibly be a rogue name server.
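The two rule families on the non-standard-port slides, plus the rogue DNS server check just above, are all decisions over the same kind of record: a flow with a source, a destination, a destination port, and the application protocol a DPI sensor or IDS identified. The following added example, not code from the module or from any SIEM, applies those rules to a constructed set of flows. The internal address range (10.0.0.0/8), the approved DNS server list, and all six flow records are assumptions for the sample; in a real deployment the `app` field would come from the sensor, never from the port number, since inferring it from the port would hide exactly the mismatches these rules look for.

```python
import ipaddress

# Standard port for each application protocol the slide's rule examples name.
STANDARD_PORTS = {"http": 80, "ssh": 22, "dns": 53, "tls": 443}

# Address space treated as the corporate network, and the approved internal
# resolvers (both assumed for the sample).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_DNS_SERVERS = {"10.0.0.2"}

# Constructed flow records; "app" is the protocol as identified by a DPI-capable sensor.
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5",    "dst_ip": "203.0.113.50",  "dst_port": 8443, "app": "http"},
    {"src_ip": "10.0.0.5",    "dst_ip": "198.51.100.20", "dst_port": 443,  "app": "ssh"},
    {"src_ip": "10.0.0.9",    "dst_ip": "10.0.0.2",      "dst_port": 53,   "app": "dns"},
    {"src_ip": "203.0.113.8", "dst_ip": "10.0.0.7",      "dst_port": 22,   "app": "ssh"},
    {"src_ip": "10.0.0.12",   "dst_ip": "203.0.113.9",   "dst_port": 53,   "app": "unknown"},
    {"src_ip": "10.0.0.5",    "dst_ip": "203.0.113.50",  "dst_port": 80,   "app": "http"},
    {"src_ip": "10.0.0.9",    "dst_ip": "10.0.0.77",     "dst_port": 53,   "app": "dns"},
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def direction(flow):
    src_in, dst_in = is_internal(flow["src_ip"]), is_internal(flow["dst_ip"])
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal" if src_in else "external"

def check_flow(flow):
    """Apply the slide's rules to one flow; return the rule texts that fire."""
    findings = []
    app, port = flow["app"], flow["dst_port"]
    # Rule family 1: a known service running on a port other than its standard one.
    if app in STANDARD_PORTS and port != STANDARD_PORTS[app]:
        findings.append(f"{direction(flow)} {app.upper()} traffic not on standard port "
                        f"{STANDARD_PORTS[app]}")
    # Rule family 2: a standard port carrying something other than its own protocol.
    for svc, std_port in STANDARD_PORTS.items():
        if port == std_port and app != svc:
            findings.append(f"non-{svc.upper()} traffic using standard {svc.upper()} port {std_port}")
    # Rogue DNS server: real DNS traffic to a resolver that is not on the approved list.
    if app == "dns" and flow["dst_ip"] not in KNOWN_DNS_SERVERS:
        findings.append(f"DNS traffic to non-approved server {flow['dst_ip']} (possible rogue DNS server)")
    return findings

def evaluate_flows(flows):
    """Return (flow, rule) pairs, one per alert the rule set would raise."""
    return [(flow, rule) for flow in flows for rule in check_flow(flow)]

if __name__ == "__main__":
    for flow, rule in evaluate_flows(SAMPLE_FLOWS):
        print(f"{flow['src_ip']} -> {flow['dst_ip']}:{flow['dst_port']} [{flow['app']}]  {rule}")
```

The second sample flow trips two rules at once (SSH not on 22, and non-TLS on 443), which is the usual shape of tunnelled command-and-control traffic; the SIEM rule should report both rather than stop at the first match.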
Search for TCP/UDP port 53 traffic and compare the destinations against all the known local/internal DNS servers.
Example: Splunk SIEM

Detect DNS Tunneling Attempts
Example: LogRhythm SIEM
DNS tunneling involves transferring data over DNS, which is not designed for it. An attacker uses DNS to transfer his/her data by embedding the data in the DNS requests. DNS was never intended to transfer data. DNS uses both UDP and TCP on port 53 for communications. A DNS request packet contains a payload of a maximum of 512 bytes over UDP and more than 512 bytes over TCP. Attackers create DNS packets … to hide their data and go undetected.
Anomaly/Signatures:
- Unusually large amount of DNS requests coming from a host that wants to transfer data via DNS
- Unusual length of the DNS requests

Detect DNS Exfiltration Attempts
Look for DNS exfiltration signs:
- Look at all DNS traffic for multiple levels of DNS strings
- Look for hexadecimal strings
- Look for the third level to be less than 20 bytes in length … *.domain.com, where * is longer than 40 bytes
- Look for malicious DNS name lookups to sketchy foreign domains, and look at
  the frequency in a short time span
- DNS TXT or SRV record queries to any foreign or high-entropy domains
- Any DNS response to loopback or RFC 1918 space/bogon space (5.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12) could be a … C2 channel
- Look for multiple DNS queries to the same non-obvious or foreign domain during off-hours in the office; check for frequency and periodicity
- DNS queries to dynamic DNS providers (like OpenDNS)
- DNS queries not followed by a proxy request for connection, especially recurring ones, or beaconing following any of the above (zero-variance behavior)
- Look for Teredo v6 addresses
- Look for large TXT or NULL payloads (tunneling) and TXT that isn't 7-bit clean
- Look for CNAME chains if they resolve internally
- Look for changes in authoritative name servers and …

Detect Other DNS-Related Anomalous Behavior
Data sources: DNS logs, baseline of the number of DNS requests
Look for the following signs of anomalous behavior:
- Detect anomalous DNS query types and volume
- Detect DNS traffic from anomalous processes or to anomalous DNS servers
- Detect anomalous volume of failed DNS queries
- Detect anomalous distinct IP addresses resolved for a domain
- Detect phishing domains, domains with high entropy and random words
- Detect anomalous entropy in DNS host names
- Detect cache poisoning via DNS responses
- Detect DNS beaconing to anomalous domains
- Detect large and random labels in subdomains and large subdomain counts
- Detect esoteric domains, i.e., domains that only some of your servers are resolving

Detect Rogue DHCP Servers
You should be aware of the IP address of the legitimate DHCP server on the network; any other IP address associated with UDP port 67 would be identified as a rogue DHCP server.
Anomaly/Signatures: monitor for unusually large amounts of DHCP traffic (UDP ports 67 and 68) flowing through the network, and exclude the address of the legitimate DHCP server

Detect Slow DoS Attack
… An attacker could exploit this inherent vulnerability by performing slow DoS attacks. If single CRLF tags are sent at the
  end of the header and the time gap between two requests is less than the web server timeout as per the web server configuration, then this could be an indication of a slow DoS attack.
The slide contrasts a normal GET header (containing CRLF tags but not a slow DoS attack) with a slow DoS header: in both captures every header line ends in [CRLF], but the slow DoS request never sends the blank line that terminates the header.

Detect Zero-Day Attack
An attacker initially gets into the network by infecting the target endpoint with malware through unpatched and vulnerable software, and will then attempt to commence command and control and laterally move across the network to access sensitive data and exfiltrate it.
Anomaly/Signatures:
- Monitor for the activity related to command and control, beaconing, lateral movement, and data exfiltration
- Determine malicious authentication attempts
- Identify compromised account activities
- Determine data exfiltration and the methods used

Detect Attempt of Covering Tracks
Example: LogRhythm SIEM
An attacker, after a successful attack, tries to hide their tracks.
Data source: Windows security event logs
Anomaly/Signatures: detect any activity toward removing data from logs, hiding malicious files, disabling audits, etc.

Detect VPN Connections from Countries that Don't Have an Organizational Presence
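Several of the DNS tunneling and exfiltration signs listed on the slides above (multiple levels of labels, hexadecimal strings, a leftmost label longer than 40 bytes, high-entropy names, TXT/SRV/NULL queries to external domains, and repeated queries from one host to the same domain) can be computed from a plain DNS query log. The following added example, not code from the module or from any SIEM vendor, scores each query against those indicators. The five query records, the internal zone `corp.internal`, the 40-byte label limit (from the slide), the entropy cut-off of 3.5 bits, the minimum hex-label length of 16 and the "more than 3 labels" rule are assumptions made for the sample; the registered-domain helper takes the last two labels and would need the public suffix list in production.

```python
import math
import re
from collections import Counter

INTERNAL_SUFFIXES = (".corp.internal",)      # assumed internal zone; queries there are skipped
LONG_LABEL = 40                              # the slide's "* longer than 40 bytes"
MANY_LABELS = 3                              # more than this many labels = "multiple levels" (assumed)
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")   # hex-looking label; minimum length assumed
ENTROPY_THRESHOLD = 3.5                      # assumed cut-off for "high entropy"
MIN_ENTROPY_LEN = 12                         # short labels give noisy entropy; assumed
TUNNEL_QTYPES = {"TXT", "NULL", "SRV"}       # record types the slide singles out

# Constructed query log entries.
SAMPLE_QUERIES = [
    {"src_ip": "10.0.0.7", "qname": "www.example.com", "qtype": "A"},
    {"src_ip": "10.0.0.9", "qname": "7a6f6e655f64617461313233343536.tunnel.example.net", "qtype": "A"},
    {"src_ip": "10.0.0.5", "qname": "kq3v9x2m1pz8w7r4t6y5u0a2b9c8d7e6f5g4h3j2k1l0.exfil.example.org", "qtype": "A"},
    {"src_ip": "10.0.0.5", "qname": "example.org", "qtype": "TXT"},
    {"src_ip": "10.0.0.7", "qname": "mail.corp.internal", "qtype": "A"},
]

def shannon_entropy(s):
    """Bits of entropy per character of s."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(qname):
    """Naive 'last two labels' approximation of the registered domain."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def analyze_query(q):
    """Return the list of exfiltration indicators that apply to one query."""
    qname = q["qname"].rstrip(".").lower()
    if qname.endswith(INTERNAL_SUFFIXES):
        return []
    labels = qname.split(".")
    leftmost = labels[0]
    signs = []
    if len(labels) > MANY_LABELS:
        signs.append("many_labels")
    if len(leftmost) > LONG_LABEL:
        signs.append("long_label")
    if HEX_LABEL.match(leftmost):
        signs.append("hex_label")
    if len(leftmost) >= MIN_ENTROPY_LEN and shannon_entropy(leftmost) > ENTROPY_THRESHOLD:
        signs.append("high_entropy_label")
    if q["qtype"].upper() in TUNNEL_QTYPES:
        signs.append(f"{q['qtype'].upper()}_query_to_external_domain")
    return signs

def analyze_log(queries, repeat_threshold=20):
    """Per-query indicators, plus (src_ip, domain) pairs queried >= repeat_threshold times."""
    findings = {}
    per_host_domain = Counter()
    for i, q in enumerate(queries):
        signs = analyze_query(q)
        if signs:
            findings[i] = signs
        per_host_domain[(q["src_ip"], registered_domain(q["qname"]))] += 1
    repeats = {k: v for k, v in per_host_domain.items() if v >= repeat_threshold}
    return findings, repeats

if __name__ == "__main__":
    findings, repeats = analyze_log(SAMPLE_QUERIES, repeat_threshold=2)
    for i, signs in findings.items():
        print(SAMPLE_QUERIES[i]["src_ip"], SAMPLE_QUERIES[i]["qname"], signs)
    print("repeated host/domain pairs:", repeats)
```

The hex-encoded label in the second query scores below the entropy threshold (hex uses only 16 symbols), which is why the slide lists hexadecimal strings as a separate sign rather than relying on entropy alone; the repeat counter is what turns the "frequency in a short time span" bullet into something a rule can alert on once a time window is added.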
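The slow DoS condition described on the slide (header lines arriving one CRLF at a time, each gap shorter than the server's header timeout, and no terminating blank line) is a per-connection test that can be expressed directly. The following added example, not code from the module or from any web server or SIEM, classifies three constructed connection traces. The 20-second header timeout and the 60-second limit on how long a legitimate client may take to finish its header are assumptions for the sample; a real rule would take both from the web server configuration.

```python
from datetime import datetime, timedelta

HEADER_END = "\r\n\r\n"   # blank line that terminates an HTTP request header

# Constructed per-connection traces: (arrival time, bytes received from the client).
# A well-formed request arrives in one piece and ends with the blank line.
NORMAL_CONNECTION = [
    (datetime(2024, 3, 10, 9, 0, 0),
     "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n"),
]
# A slow-header client sends one header line at a time, each just inside the server's
# timeout, and never sends the terminating blank line.
SLOW_CONNECTION = [
    (datetime(2024, 3, 10, 9, 0, 0), "GET / HTTP/1.1\r\n"),
    (datetime(2024, 3, 10, 9, 0, 15), "Host: www.example.com\r\n"),
    (datetime(2024, 3, 10, 9, 0, 30), "X-a: 1\r\n"),
    (datetime(2024, 3, 10, 9, 0, 45), "X-b: 2\r\n"),
    (datetime(2024, 3, 10, 9, 1, 0), "X-c: 3\r\n"),
    (datetime(2024, 3, 10, 9, 1, 15), "X-d: 4\r\n"),
]
# A client that simply went quiet: the server's header timeout would have closed it.
STALLED_CONNECTION = [
    (datetime(2024, 3, 10, 9, 0, 0), "GET / HTTP/1.1\r\n"),
    (datetime(2024, 3, 10, 9, 0, 40), "Host: www.example.com\r\n"),
]

def classify_connection(chunks, header_timeout=timedelta(seconds=20),
                        max_header_duration=timedelta(seconds=60)):
    """Classify one connection's header phase.

    header_timeout      - the web server's idle timeout while receiving headers (assumed 20 s)
    max_header_duration - longest a legitimate client may take to finish its header (assumed 60 s)
    """
    chunks = sorted(chunks, key=lambda c: c[0])
    data = "".join(payload for _, payload in chunks)
    times = [t for t, _ in chunks]
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    duration = times[-1] - times[0]
    complete = HEADER_END in data
    summary = {"lines": data.count("\r\n"), "fragments": len(chunks),
               "duration_s": duration.total_seconds(), "header_complete": complete}
    if complete:
        summary["verdict"] = "normal"
    elif gaps and max(gaps) >= header_timeout:
        summary["verdict"] = "timed_out"          # server closed it; nothing was sustained
    elif duration > max_header_duration:
        summary["verdict"] = "slow_dos_suspect"   # kept alive by a sub-timeout trickle, never finished
    else:
        summary["verdict"] = "incomplete"         # too early to tell
    return summary

def count_suspects(connections, **kwargs):
    """How many of the given connections look like slow-header DoS attempts."""
    return sum(1 for c in connections
               if classify_connection(c, **kwargs)["verdict"] == "slow_dos_suspect")

if __name__ == "__main__":
    for name, trace in [("normal", NORMAL_CONNECTION), ("slow", SLOW_CONNECTION),
                        ("stalled", STALLED_CONNECTION)]:
        print(name, classify_connection(trace))
```

A single suspect connection is not an attack; the slide's point is that each one ties up a worker while staying under the timeout, so the rule that actually fires in a SIEM is `count_suspects` exceeding the number of connections the server can afford to leave idle.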
Example: LogRhythm SIEM
An attacker can try to establish a VPN connection with the organization's private network from countries where the organization is not operating.
Anomaly/Signatures: any such attempt can be detected by validating VPN connections against the customer's list of countries where they are operating

Detect Attempt of Concurrent Establishment of VPN Connections
If there are concurrent VPN connections from different IP addresses, then this can be an indication of the use of compromised credentials by malicious users.
Anomaly/Signatures: detect any attempt of concurrent connections from different IP addresses

Additional Useful SIEM Use Cases: Routers and Switches
- Emergency router error messages
- BGP neighbor relationship status change
- Router power supply failure
- Configuration change
- Critical messages observed from the switch
- Alert messages observed from the switch
- Detection of antispam file dropped due to large size
- Detection of application process …
- Detection of land attack
- Detection of ping of death attack
- Detection of new policy addition
- Detection of policy violation
- Virus traffic
- Content filtering detected
- Authentication failure/success

Additional Useful SIEM Use Cases: ASA and Checkpoint Firewall

Additional Useful SIEM Use Cases: Web Proxy
- Access attempts on unidentified protocols/ports
- Malware domain access report
- Proxy category-based summary report
- Malware IP access report
- Potentially unwanted software access
- Dynamic DNS host
- Malicious sources/IPs
- Malicious outbound data/botnets
- Peer-to-peer (P2P)
- Proxy avoidance
- Remote access tools
- Access from unusual user agents
- Proxy requests to uncategorized sites and …
- Unwanted internet access
- Proxy configuration changes
- Proxy failed login attempts
- Content access violation
- Anonymous proxy access
- Hacker tool website access

Additional Useful SIEM Use Cases: Wireless/VPN Use Cases
- Rogue network traffic detected
- Top VPN accounts logged in from multiple remote locations
- Top VPN accounts logged in from VPN and on the local network
- Wireless unauthorized login attempts
- Wireless authorization server is down
- Anonymous login from unknown IP address
- VPN account logged in from multiple locations in a short span of time, or from suspicious countries
- Simultaneous login from multiple locations for a single user
- VPN connection beyond 24 hours
- VPN access from internal IP address
- VPN access from overseas
- Rogue AP detected
- Wireless AP rebooted
- Wireless unsecured AP detected
- VPN access from onshore team
- VPN access and access card on onshore …

Additional Useful SIEM Use Cases: Database
- Oracle password expired
- Critical command usage
- Critical commands executed on the database during non-business hours
- Oracle update or insert commands
- Oracle user created/deleted
- Multiple login failures observed for database
- Database schema creation/modification
- Drop query execution failures
- Monitoring login attempts on database
- Use of default vendor accounts against policy
- Database access during non-business hours
- Login failures for sys/system or privileged accounts
- Connection to production database from disallowed network segments

Additional Useful SIEM Use Cases: Antivirus Use Cases

Use Case Examples for Host-Level Incident Detection

Typical Events to Look For in Windows

Event ID (current/legacy) | Activity detected | Impact to security | What to look for
4688/592 | New process executed | Malware executed, or attacker trying to take action | New programs installed by the malware actor (not by the user)
4624/528/540 | Some account logged in | Attacker authenticated to the endpoint | Which accounts logged in, and at what times
5140/560 | A share was accessed | What endpoints were accessed | C$ share or file share accessed
5156 | Windows Firewall network connection by process | Command and control, or origin of attack | What application was used to communicate with external or internal hosts
7045/601 | Service added to the endpoint | Persistence to load malware on restart | Service added or modified
4663/567 | File and registry auditing | Modifications to the system that create holes or payloads used at a later time | Files added and registry keys added to audited locations

Windows: Monitor on Creation of Suspicious/Administrative Processes
Data source: Windows event logs
Anomaly/Signatures: monitor events with Security EventCode=4688 to detect the attempt of creation or launching of suspicious processes such as net.exe,
nslookup.exe, netsh.exe, powershell.exe and similar administrative tools.
Splunk Sample Query: (not legible in the scan)

Windows: Monitor for Logon Success and Failure Events
Data Source: Windows Event Logs
Anomaly/Signatures: Monitor events with Security EventCode=4624 to detect Logon Success events; monitor events with Security EventCode=4625 to detect Logon Failure events
Splunk Sample Query:
index=windows LogName=Security EventCode=4625 | table _time, Workstation_Name, Source_Network_Address, host, Account_Name

Windows: Monitor For File Shares
Data Source: Windows Event Logs
Anomaly/Signatures: Monitor events with Security EventCode=5140
Splunk Sample Query (only fragments are legible in the scan):
... | eval Dest_Sys1=trim(..., "\") | ... | eval Dest_Sys1=lower(Destination_Sys1) | eval Dest_Sys2=lower(Destination_Sys2) | ...

Windows: Monitor For Service Changes
Anomaly/Signatures: Monitor events with Security EventCode=7045 to detect service changes

Additional Useful SIEM Use Cases: Windows
- Server shutdown/Reboot
- Removable media detected
- Login attempts with the same account from different source devices
- Server shutdown/reboot outside office hours
- Administrative Group Membership Changed
- Renamed/Default account used
- Remote access login - success & failure
- Windows Service Stop/Restart
- Windows account enabled/disabled
- Multiple Windows Logins by Same User
- Logins outside normal business hours
- Failed login attempts from the same source followed by a successful login to a user account

List of Windows Security Audit Events
(table of event IDs and descriptions not legible in the scan; continuing details of Windows Security Audit Events)

Linux: Monitor for Logon Success and Failures Events
Anomaly/Signatures: Monitor for "Accepted password", "session opened", "Accepted publickey" events; monitor for "authentication failure", "failed password" events
Example: Splunk SIEM

Linux: Monitor for Logon Success and Failures Events (Cont'd)
Example: Splunk SIEM

Additional Useful SIEM Use Cases: Unix/Linux
- Group Created/Removed
- Unix login failures with the same account on different source desktops
- Failed login with default accounts
- Unix multiple su login failures
- Sudo access from non-sudo users
- Adding or removing users to groups
- Unusually high number of login failures for the same account
- Adding, removing and modifying cron jobs

Use Case Examples for Compliance

Compliance Relevant Use Cases: PCI-DSS
Use Case #1
Compliance Requirements: PCI DSS requirement No 1.1.4: "A formal process for approving and testing all network connections and changes to the firewall and router configurations." PCI DSS Requirement No 1.2.2: "Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic."
SIEM Use Case: Detecting all the unauthorized network connections to/from an organization's IT assets
Log Sources: Firewalls, Routers, Switches

Use Case #2
Compliance Requirements: PCI DSS requirement no 1.1.6: "Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features
implemented for those protocols considered to be insecure."
SIEM Use Case: Searching for use of insecure protocols and ...
Log Sources: End user systems or servers like Windows and Linux servers

Compliance Relevant Use Cases: PCI-DSS (Cont'd)
Use Case #3
Compliance Requirements: PCI DSS requirement no 1.3.1: "Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports." PCI DSS Requirement No 1.3.2: "Limit inbound Internet traffic to IP addresses within the DMZ." PCI DSS Requirement No 1.3.5: "Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet."
SIEM Use Case: Checking how traffic is flowing across the DMZ to/from the internal but publicly accessible services etc.
Log Sources: Routers, Switches and Firewalls

Use Case #4
Compliance Requirements: PCI DSS requirement no 5.1: "Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers)." PCI DSS requirement no 5.3: "Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period."
SIEM Use Case: Detecting malware infection when anti-virus protection is disabled on the machines
Log Sources: Antivirus logs

Compliance Relevant Use Cases: PCI-DSS (Cont'd)
Use Case #5
Compliance Requirements: PCI DSS requirement (number not legible in the scan): "... development, test and/or custom application accounts, user IDs and passwords before applications become active or are released to customers." PCI DSS requirement no 6.4.4: "Removal of test data and accounts before production systems become active."
SIEM Use Case: Searching for default credentials, replicas, etc. on production systems
Log Sources: All servers

Handling Alert Triaging and Analysis

Alert Triage
- Alert triage is the most common workflow of the SOC.
- Alert triage typically includes going through all the alerts, investigating them, and either closing them or escalating them to an incident. Incidents then need incident response.
(figure: Security Analyst-L1 triages alerts; Security Analyst-L2 investigates and escalates incidents; Incident responder remediates and closes)

Challenges in Handling Alert Triage
- The overwhelming number of security alerts from the SIEM every day can make it impossible for analysts to investigate them all.
- Even though correlating events from different sources using the SIEM is helpful in prioritizing the investigation of alerts, sometimes it is not enough to determine whether a security alert is a true positive or a false positive based on log data alone. This can lead to reporting inaccurate false positives or ignoring the alert.
- Sometimes manual investigation down to the packet level is required to find out what actually happened. However, it is not possible for the SOC to dedicate a separate, valuable resource to investigate further for each alert.
- Moreover, detailed analysis requires advanced skillsets that not all team members possess.

Effective Alert Triage
SOC Analyst
- As an analyst, you must have the skills and ability to determine quickly and accurately the severity of a seemingly endless stream of alerts and which alerts require immediate attention.
- You should clearly know what is allowed and what is not allowed (policy). It helps you quickly identify what has happened that was not allowed and triage the security alerts triggered by the SIEM.
Threat Intelligence
- The SOC analyst should be able to access context and other related information quickly and easily. It helps them analyze, decide, and separate alerts into true positives and false positives.
SIEM Solution
- The right selection of SIEM solution makes the difference in effective security alert triage. It helps in removing the complexities involved in validating security alerts.
- The SIEM solution should have the ability to immediately deliver a clear and accurate picture of the developing situation.
- Unless the SIEM solution provides clear and concise information, analysts will not be able to quickly assess each alert and prioritize them accordingly.

Triaging Alerts: Was This an Actual Attack?
- Various types of alerts are produced by security tools; among them, only a few are related to a potential security issue.
- There are four types of alerts:
  - False Positive: An alert raises an alarm when no attack occurred; it means non-malicious activities are identified as dangerous.
  - True Positive: An alert raises an alarm when a legitimate attack occurred.
  - False Negative: No alert is raised when a legitimate attack occurred; it means malicious activities are not recognized.
  - True Negative: No alarm is raised when no attack is detected; it means non-malicious activity is correctly left unflagged.
(figure: Security Analyst-L1 declares an incident and takes the alert to the next stage)

Eliminating False Positives
Define the reality of alerts in your environment
- The criticality of some alerts may vary from environment to environment.
- Decide whether an alert ... (remainder not legible in the scan)
Check carefully and remove the SIEM rules that you don't want to monitor
Tune the rules
- Type of event that happened, and number of times it happened over what period of time; the threshold should be set at a value that is acceptable in your environment.
- Should know various policies, including the acceptable use policy
- Should know the baseline usage of the network

Eliminating False Positives (Cont'd)
Trust the security devices in place
- Devices such as firewalls are placed to keep certain traffic from getting into the network. For the traffic they block, you do not need to investigate further ... (remainder not legible in the scan)
- Tune the rules for your environment and ... (not legible in the scan)
Tune your rules on a periodic basis

Triaging Alerts: Has the Attack Been Successful?
If yes, then:
- What other assets have also been compromised?
- Which type of activities did the attacker execute to carry out the attack?
- How should the organization respond to this attack?
- It is the responsibility of the SOC analyst (L2) to perform initial validation, classification, and prioritization of the alerts and escalate incidents to the IRT for incident response.
(figure: Security Analyst-L2 triages alerts and investigates their scope and impact)

Alert Classification and Prioritization
Alert | Attack stage (priority column not legible in the scan)
Port Scanning Activity | Reconnaissance & Probing
Malware Infection | Delivery & Attack
Distributed Denial Of Service | Exploitation & Installation
Distributed Denial Of Service Diversion | Exploitation & Installation
Unauthorized Access | Exploitation & Installation
Insider Breach | System Compromise

Alert Classification and Prioritization (Cont'd)
Alert | Attack stage | Priority
Unauthorized Privilege Escalation | Exploitation & Installation | High
Destructive Attack | System Compromise | High
Advanced Persistent Threat or Multistage Attack | All stages | High
False Alarms | All stages | (not legible in the scan)

Escalation to IRT
- Incidents are then escalated to the IRT with initial classification and priority assigned.
(figure: Security Analyst-L2 triages alerts and investigates scope and impact; Incident responder)

Module Summary
- SIEM helps the SOC fulfil its main objective of providing a single-point, comprehensive view of an organization's IT infrastructure security
- A phased SIEM deployment approach can reduce the inherent complexity of the SIEM deployment
- Sequential implementation of use cases helps to reach the desired scope and objective
- The scope is the driver behind the implementation of SIEM
- Use cases are the goals behind the SIEM implementation, which enable the successful implementation of SIEM in the IT infrastructure
- Requirements state the data required for successful execution of a use case
- SIEM should ingest context feeds to improve situational awareness
- Both signature-based and anomaly-based detection are used to detect intrusion attempts
- A new use case is created either based on a security incident that happened, a risk assessment, or a new attack type discovered in recent trends
- Alert triage is the most common workflow of the SOC analyst
- The right kind of intelligence is required for providing effective alert triage
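As an added example (not the module's code or any vendor's), the host-level Windows use cases above (EventCode 4688 suspicious process creation, 4625 logon failure bursts followed by a 4624 success, 5140 administrative share access, 7045 service installation) can be correlated in Python over constructed sample events; the field names mirror the Splunk Windows fields used in the module's sample query, and the failure threshold and sample events are assumptions.

```python
# Correlate Windows Security events into SIEM-style alerts (added example,
# not the module's code). Field names mirror the Splunk Windows fields in the
# module's sample query; events and threshold below are constructed/assumed.
from collections import Counter

SUSPICIOUS_PROCS = {"nslookup.exe", "netsh.exe", "powershell.exe"}  # per the 4688 use case
FAILED_LOGON_THRESHOLD = 3  # assumed tuning value ("Tune the rules")

def alerts_for(events):
    """Return (rule, host, detail) tuples in the order the rules fire."""
    alerts, failures = [], Counter()  # failures: (account, source_ip) -> 4625 count
    for e in events:
        code, host = e["EventCode"], e["host"]
        if code == 4688:
            exe = e["New_Process_Name"].rsplit("\\", 1)[-1].lower()
            if exe in SUSPICIOUS_PROCS:
                alerts.append(("suspicious_process", host, exe))
        elif code in (4624, 4625):
            key = (e["Account_Name"].lower(), e["Source_Network_Address"])
            who = f"{key[0]}@{key[1]}"
            if code == 4625:
                failures[key] += 1
                if failures[key] == FAILED_LOGON_THRESHOLD:  # fire once per burst
                    alerts.append(("logon_failure_burst", host, who))
            elif failures[key] >= FAILED_LOGON_THRESHOLD:
                # 4624 success after a burst of 4625 failures: likely password guessing
                alerts.append(("logon_after_failures", host, who))
        elif code == 5140 and e["Share_Name"].endswith("$"):  # C$/ADMIN$ style shares
            alerts.append(("admin_share_access", host, e["Share_Name"]))
        elif code == 7045:  # new service = persistence candidate
            alerts.append(("service_installed", host, e["Service_Name"]))
    return alerts

# Constructed sample events, not real logs
SAMPLE_EVENTS = [
    {"EventCode": 4688, "host": "WS01", "New_Process_Name": "C:\\Windows\\System32\\notepad.exe"},
    {"EventCode": 4688, "host": "WS01",
     "New_Process_Name": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    *[{"EventCode": 4625, "host": "DC01", "Account_Name": "bob",
       "Source_Network_Address": "10.0.0.7"} for _ in range(3)],
    {"EventCode": 4624, "host": "DC01", "Account_Name": "Bob", "Source_Network_Address": "10.0.0.7"},
    {"EventCode": 5140, "host": "FS01", "Share_Name": "\\\\*\\Public"},
    {"EventCode": 5140, "host": "FS01", "Share_Name": "\\\\*\\C$"},
    {"EventCode": 7045, "host": "WS01", "Service_Name": "UpdaterSvc"},
]

if __name__ == "__main__":
    for rule, host, detail in alerts_for(SAMPLE_EVENTS):
        print(f"{rule:22} {host:5} {detail}")
```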
