Critical Log Review Checklist for Security Incidents, by ArcSight Logger
Nicholas Hsiao (nicholas.hsiao@hp.com)


Agenda
- General Approach
- Potential Security Log Sources
- Typical Log Locations
- What to Look for on Linux
- What to Look for on Windows
- What to Look for on Network Devices
- What to Look for on Web Servers

General Approach

Identify which log sources and automated tools you can use during the analysis.
Problem: Most users don't know their EPS (events per second) or log volume per day, yet log management tools need this information from the start.
ArcSight could:
- Provide a checklist with default EPS values for common log sources.
- With the EPS you can calculate the total log size per day/week/month/year, which helps with long-term planning.
- ArcSight also has a calculator for the ArcSight log model.

Copy log records to a single location where you will be able to review them.
Problem:
- Collecting logs from different sources may need different approaches (agent / agentless).
- You also need to consider how timely collection must be: real time or batch.
- You need to deal with different protocols: syslog, SNMP, S/FTP, ...
ArcSight could:
- Provide both agent and agentless collection through its connector architecture.
- Depending on the requirement, provide different collection approaches for the same log source.
- Supply default documents that tell customers how to configure their hosts, devices and servers for log collection.

Minimize "noise" by removing routine, repetitive log entries from view after confirming that they are benign.
Problem: Most log management tools just collect all the logs and put them together.
ArcSight could:
- Filter the logs directly at the connector level.
- Aggregate identical logs.
- All of this configuration can be done remotely.

Determine whether you can rely on logs' time stamps; consider time zone differences.
Problem: Different logs use different time stamp formats. It is not practical to review these logs one by one and convert the time stamps in your head.
ArcSight could:
- Do the conversion automatically.
- Add a 'received time' to each log if you choose real-time log collection.
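The conversion the slide describes, as an added example (not ArcSight code): three sources, three time stamp formats, three zones, normalized to UTC with a collector-side 'received time' attached so clock skew is visible. The sample lines, the receipt time and the source time zones are constructed assumptions.

```python
"""Normalize syslog, Apache CLF and Windows CSV-export time stamps to UTC and attach
a 'received time', as the slide suggests. Added example, not ArcSight code; the sample
lines, the receipt time and the assumed source time zones are constructed."""
import re
from datetime import datetime, timezone, timedelta

# Assumed zones for formats that carry none (syslog, Windows export); Apache carries its own.
SOURCE_TZ = {"syslog": timezone(timedelta(hours=8)),     # assumption: host in UTC+8
             "windows": timezone(timedelta(hours=-5))}   # assumption: DC in UTC-5

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")
APACHE_RE = re.compile(r"\[(?P<ts>\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
WINDOWS_RE = re.compile(r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M),")

def parse_event_time(line, received):
    """Return (format, event time in UTC). Syslog has no year and no zone, Apache
    carries an offset, the Windows export is local 12-hour time with no zone."""
    m = SYSLOG_RE.match(line)
    if m:
        t = datetime.strptime(f"{received.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        t = t.replace(tzinfo=SOURCE_TZ["syslog"])
        if t > received + timedelta(days=1):      # December log reviewed in January
            t = t.replace(year=received.year - 1)
        return "syslog", t.astimezone(timezone.utc)
    m = APACHE_RE.search(line)
    if m:
        t = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return "apache", t.astimezone(timezone.utc)
    m = WINDOWS_RE.match(line)
    if m:
        t = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        return "windows", t.replace(tzinfo=SOURCE_TZ["windows"]).astimezone(timezone.utc)
    raise ValueError("unrecognized time stamp: " + line[:40])

def normalize(lines, received):
    """Attach event_time (UTC) and received_time to every line and flag clock skew;
    a negative skew means the source clock is ahead of the collector."""
    out = []
    for line in lines:
        fmt, t = parse_event_time(line, received)
        skew = (received - t).total_seconds()
        out.append({"source": fmt, "event_time": t.isoformat(),
                    "received_time": received.isoformat(),
                    "skew_s": skew, "clock_ahead": skew < 0})
    return out

# Constructed sample: the same instant written by three sources in three zones.
RECEIVED = datetime(2012, 3, 5, 4, 0, 30, tzinfo=timezone.utc)
SAMPLE = [
    "Mar  5 12:00:00 host1 sshd[2211]: Accepted password for alice from 10.0.0.5 port 51000 ssh2",
    '10.0.0.9 - - [05/Mar/2012:05:00:00 +0100] "GET /index.html HTTP/1.1" 200 512',
    "3/4/2012 11:00:00 PM,Security,Success Audit,528,user1 logged on",
]

if __name__ == "__main__":
    for rec in normalize(SAMPLE, RECEIVED):
        print(rec)
```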

Focus on recent changes, failures, errors, status changes, access and administration events, and other events unusual for your environment.
Problem: Most users don't know the log formats of the different devices, so they may not know how to search or query the logs for 'failures, errors, status changes...'.
ArcSight could:
- Classify the logs and provide categorization information for each log.
- All the user needs to do is query the categorization fields, which reduces the administrators' effort.

Potential Security Log Sources

Potential Security Log Sources
- Server and workstation operating system logs
    categoryDeviceGroup="/Operating System"
- Application logs (e.g., web server, database server)
    categoryDeviceGroup="/Application"
  Web server:
    categoryDeviceGroup="/Application" AND deviceVendor="Apache"
    categoryDeviceGroup="/Application" AND applicationProtocol="http"
  Oracle server:
    categoryDeviceGroup="/Application" AND categoryObject="/Host/Application/Database"

Potential Security Log Sources
- Security tool logs (e.g. anti-virus, change detection, intrusion detection/prevention system)
  Anti-virus:
    categoryDeviceGroup CONTAINS "Antivirus"
  Change detection:
    categoryBehavior CONTAINS "/Modify/Configuration"
  Intrusion detection/prevention system:
    categoryDeviceGroup="/IDS/Network"
- Outbound proxy logs and end-user application logs
  Proxy:
    deviceProduct CONTAINS "Proxy"
  End-user application logs: search by application name
- Remember to consider other, non-log sources for security events.

Typical Log Locations

Typical Log Locations
- Linux OS and core applications: /var/log
  ArcSight: collect logs via syslog or via an agent.
- Windows OS and core applications: Windows Event Log (Security, System, Application)
  ArcSight: remote collection or install an agent.
- Network devices: usually logged via syslog; some use proprietary locations and formats
  ArcSight: syslog, or other protocols.

What to Look for on Linux

What to Look for on Linux
- Successful user login ("Accepted password", "Accepted publickey", "session opened")
    name IN ["session opened", "Accepted publickey", "Accepted password"]
    categoryBehavior="/Authentication/Verify" AND categoryOutcome="/Success" AND categoryDeviceGroup="/Operating System"
- Failed user login ("authentication failure", "failed password")
    name IN ["authentication failure", "failed password"]
    categoryBehavior="/Authentication/Verify" AND categoryOutcome="/Failure" AND categoryDeviceGroup="/Operating System"

What to Look for on Linux
- User log-off ("session closed")
    deviceProduct="Unix" AND name="session closed"
    categoryBehavior="/Access/Stop" AND categoryOutcome="/Success" AND categoryDeviceGroup="/Operating System" AND categoryObject="/Host/Application/Service"
- User account change or deletion ("password changed", "new user", "delete user")
    name IN ["password changed", "new user", "delete user"]
    categoryObject="/Host/Operating System" AND categoryBehavior IN ["/Authentication/Delete", "/Authentication/Add", "/Authentication/Modify"] AND categoryOutcome="/Success"
- Sudo actions ("sudo: ... COMMAND=...", "FAILED su")
    sudo

What to Look for on Linux
- Service failure ("failed" or "failure")
    deviceVendor="Unix" AND (failed OR failure)
    categoryObject="/Host/Application/Service" AND categoryOutcome="/Failure" AND deviceVendor="Unix"
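What the categorized queries on the Linux slides actually buy you, as an added example (not ArcSight's categorizer): raw auth-log lines are mapped to the categoryBehavior/categoryOutcome/categoryObject values the slides use, and the "Failed user login" and "User account change or deletion" queries are then run over those fields rather than over keywords. The sample lines and the keyword-to-category rules are constructed.

```python
"""Map raw Linux auth-log lines to the categorization fields the checklist queries use,
then run the 'Failed user login' and 'User account change or deletion' checks over them.
Added example, not ArcSight's categorizer; the sample lines are constructed."""
import re
from collections import Counter

# keyword pattern -> (categoryBehavior, categoryOutcome, categoryObject), following the slides
RULES = [
    (r"Accepted (?:password|publickey)|session opened", "/Authentication/Verify", "/Success", "/Host/Operating System"),
    (r"authentication failure|[Ff]ailed password",       "/Authentication/Verify", "/Failure", "/Host/Operating System"),
    (r"session closed",    "/Access/Stop",           "/Success", "/Host/Application/Service"),
    (r"new user",          "/Authentication/Add",    "/Success", "/Host/Operating System"),
    (r"delete user",       "/Authentication/Delete", "/Success", "/Host/Operating System"),
    (r"password changed",  "/Authentication/Modify", "/Success", "/Host/Operating System"),
    (r"sudo: .* COMMAND=", "/Authorization/Verify",  "/Success", "/Host/Operating System"),
    (r"FAILED su",         "/Authorization/Verify",  "/Failure", "/Host/Operating System"),
]
# account named in the message: "for alice", "for invalid user admin", "for user alice", "name=svc"
USER_RE = re.compile(r"(?:for (?:invalid user |user )?|name=)(\w+)")

def categorize(line):
    """One raw line -> event dict with ArcSight-style category fields (None if no rule hits)."""
    ev = {"raw": line, "categoryDeviceGroup": "/Operating System", "categoryBehavior": None,
          "categoryOutcome": None, "categoryObject": None, "user": None}
    for pattern, behavior, outcome, obj in RULES:
        if re.search(pattern, line):
            ev.update(categoryBehavior=behavior, categoryOutcome=outcome, categoryObject=obj)
            break
    m = USER_RE.search(line)
    if m:
        ev["user"] = m.group(1)
    return ev

def failed_logins(events):
    """The slide's categorized 'Failed user login' query."""
    return [e for e in events if e["categoryBehavior"] == "/Authentication/Verify"
            and e["categoryOutcome"] == "/Failure" and e["categoryDeviceGroup"] == "/Operating System"]

def account_changes(events):
    """The slide's categorized 'User account change or deletion' query."""
    return [e for e in events if e["categoryObject"] == "/Host/Operating System"
            and e["categoryBehavior"] in ("/Authentication/Delete", "/Authentication/Add", "/Authentication/Modify")
            and e["categoryOutcome"] == "/Success"]

def failed_login_counts(events):
    """Failures per account: the aggregated view that separates noise from a real pattern."""
    return Counter(e["user"] for e in failed_logins(events))

SAMPLE = [  # constructed auth.log lines
    "Mar  5 12:00:01 host1 sshd[2211]: Accepted password for alice from 10.0.0.5 port 51000 ssh2",
    "Mar  5 12:00:02 host1 sshd[2212]: Failed password for invalid user admin from 10.0.0.7 port 4410 ssh2",
    "Mar  5 12:00:03 host1 sshd[2213]: Failed password for root from 10.0.0.7 port 4411 ssh2",
    "Mar  5 12:00:04 host1 sshd[2214]: Failed password for root from 10.0.0.7 port 4412 ssh2",
    "Mar  5 12:00:05 host1 useradd[2300]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup, shell=/bin/sh",
    "Mar  5 12:00:06 host1 sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/passwd svc_backup",
    "Mar  5 12:00:07 host1 passwd[2301]: password changed for svc_backup",
    "Mar  5 12:00:08 host1 su[2302]: FAILED su for root by bob",
    "Mar  5 12:00:09 host1 sshd[2211]: pam_unix(sshd:session): session closed for user alice",
]
EVENTS = [categorize(line) for line in SAMPLE]
```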

What to Look for on Windows

What to Look for on Windows
Event IDs are listed below for Windows 2000/XP. For Vista/7 security event IDs, add 4096 to the event ID. Most of the events below are in the Security log; many are only logged on the domain controller.
    deviceProduct="Microsoft Windows"

What to Look for on Windows
- User logon/logoff events (successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc.)
  Successful logon:
    deviceProduct="Microsoft Windows" AND (528 OR 540)
    deviceProduct="Microsoft Windows" AND categoryBehavior="/Authentication/Verify" AND categoryObject="/Host/Operating System" AND categoryOutcome="/Success"
  Failed logon (with the ArcSight categorized search you will find more, e.g. 681):
    deviceProduct="Microsoft Windows" AND (529 OR 530 OR 531 OR 532 OR 533 OR 534 OR 535 OR 536 OR 537 OR 539)
    deviceProduct="Microsoft Windows" AND categoryBehavior="/Authentication/Verify" AND categoryObject="/Host/Operating System" AND categoryOutcome="/Failure"

What to Look for on Windows
- User logon/logoff events (successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc.)
  Logoff (538, 551):
    deviceProduct="Microsoft Windows" AND (538 OR 551)
    deviceProduct="Microsoft Windows" AND categoryBehavior="/Access/Stop" AND categoryObject="/Host/Operating System" AND categoryOutcome="/Success"

What to Look for on Windows
- User account changes (created 624; enabled 626; changed 642; disabled 629; deleted 630)
  Account create (624):
    deviceProduct="Microsoft Windows" AND 624
    deviceProduct="Microsoft Windows" AND categoryBehavior="/Authentication/Add" AND categoryObject="/Host/Operating System" AND categoryOutcome="/Success"
  Account enable (626):
    deviceProduct="Microsoft Windows" AND 626
  Account change (642):
    deviceProduct="Microsoft Windows" AND 642
    deviceProduct="Microsoft Windows" AND categoryBehavior="/Authentication/Modify" AND categoryObject="/Host/Operating System" AND categoryOutcome="/Success" AND deviceEventClassId CONTAINS "Security:642"

What to Look for on Windows
- User account changes (created 624; enabled 626; changed 642; disabled 629; deleted 630)
  Account disable (629):
    deviceProduct="Microsoft Windows" AND 629
  Account delete (630):
    deviceProduct="Microsoft Windows" AND 630
    deviceProduct="Microsoft Windows" AND categoryBehavior="/Authentication/Delete" AND categoryObject="/Host/Operating System" AND categoryOutcome="/Success" AND categorySignificance CONTAINS "/Informational"

What to Look for on Windows
- Password changes (to self: 628; to others: 627)
  Password change, self (628):
    deviceProduct="Microsoft Windows" AND 628
    deviceProduct="Microsoft Windows" AND categoryBehavior="/Authentication/Modify" AND categoryObject="/Host/Operating System" AND categoryOutcome="/Success" AND categorySignificance CONTAINS "/Informational"
  Password change, to others (627):
    deviceProduct="Microsoft Windows" AND 627

What to Look for on Windows
- Service started or stopped (7035, 7036, etc.)
  Service started:
    deviceProduct="Microsoft Windows" AND 7035
    deviceProduct="Microsoft Windows" AND categoryObject="/Host/Application/Service" AND categoryBehavior="/Execute/Response" AND categoryOutcome="/Success" AND categorySignificance="/Normal" AND name CONTAINS "start"
  Service stopped:
    deviceProduct="Microsoft Windows" AND 7036
    deviceProduct="Microsoft Windows" AND categoryObject="/Host/Application/Service" AND categoryBehavior="/Execute/Response" AND categoryOutcome="/Success" AND categorySignificance="/Normal" AND name CONTAINS "stop"

What to Look for on Windows
- Object access denied (if auditing is enabled) (560, 567, etc.)
  Object access (open):
    deviceProduct="Microsoft Windows" AND 560
    deviceProduct="Microsoft Windows" AND categoryBehavior="/Authorization/Verify" AND categoryDeviceGroup="/Operating System" AND categoryObject="/Host/Resource"
  Process access:
    deviceProduct="Microsoft Windows" AND 567
    deviceProduct="Microsoft Windows" AND categoryBehavior="/Access" AND categoryDeviceGroup="/Operating System" AND categoryObject="/Host/Resource" AND categoryOutcome="/Success"
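The Windows slides list 2000/XP event IDs and say to add 4096 for Vista/7; in a domain with both generations of domain controller the same checklist item arrives under two different IDs. This added example (not ArcSight code) applies the slide's rule, builds the keyword query for either generation, and tags constructed events with the checklist item they belong to. It goes beyond the slide in two well-known points marked in the code: network logon 540 maps to 4624 rather than 540+4096, and the Service Control Manager events 7035/7036 are System-log events that did not shift.

```python
"""Translate the checklist's Windows 2000/XP security event IDs to the Vista/7 IDs with
the slide's rule (add 4096) and tag constructed events from a mixed 2003/2008 domain with
the checklist item they match. Added example, not ArcSight code. The IDs come from the
slides; the two exceptions marked below go beyond the slide's rule of thumb."""

CHECKLIST = {                                   # legacy Security-log IDs from the slides
    "logon success":            {528, 540},
    "logon failure":            set(range(529, 538)) | {539},
    "logoff":                   {538, 551},
    "account created":          {624},
    "account enabled":          {626},
    "account changed":          {642},
    "account disabled":         {629},
    "account deleted":          {630},
    "password change (self)":   {628},
    "password change (others)": {627},
    "object access":            {560, 567},
}
# Service Control Manager events live in the System log and did not shift in Vista/7.
SYSTEM_LOG = {"service started": {7035}, "service stopped": {7036}}

def modern_id(legacy):
    """Vista/7 equivalent of a 2000/XP Security event ID."""
    if legacy == 540:        # exception: network logon 540 was folded into 4624 (logon type 3)
        return 4624
    return legacy + 4096

def legacy_id(eid):
    return eid if eid < 4096 else eid - 4096

def checklist_item(eid, log="Security"):
    """Checklist item an event belongs to, whichever ID generation the source uses."""
    if log == "System":
        return next((k for k, ids in SYSTEM_LOG.items() if eid in ids), None)
    if eid == 4624:          # covers both 528 and 540 in the new numbering
        return "logon success"
    return next((k for k, ids in CHECKLIST.items() if legacy_id(eid) in ids), None)

def query(item, vista_or_later=False):
    """Keyword query in the slides' style for one checklist item, for either OS generation."""
    ids = {modern_id(i) for i in CHECKLIST[item]} if vista_or_later else CHECKLIST[item]
    return 'deviceProduct="Microsoft Windows" AND (' + " OR ".join(map(str, sorted(ids))) + ")"

# Constructed sample: (host, log, event ID) from a Windows 2003 DC and a Windows 2008 DC.
SAMPLE = [("dc03", "Security", 529), ("dc03", "Security", 624), ("dc08", "Security", 4625),
          ("dc08", "Security", 4720), ("dc08", "Security", 4624), ("dc03", "System", 7036)]

def tag(events):
    """(host, event ID, checklist item) for each sample event."""
    return [(host, eid, checklist_item(eid, log)) for host, log, eid in events]
```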

What to Look for on Network Devices

What to Look for on Network Devices
Look at both inbound and outbound activities. The examples below show log excerpts from Cisco ASA logs; other devices have similar functionality.
- Traffic allowed on firewall ("Built ... connection", "access-list ... permitted")
    (built AND connection) OR (access-list AND permitted)
    categoryBehavior="/Access" AND categoryDeviceGroup="/Firewall" AND categoryOutcome="/Success"
- Traffic blocked on firewall ("access-list ... denied", "deny inbound", "Deny ... by")
    (access-list AND denied) OR (deny AND inbound) OR (deny AND by)
    categoryBehavior="/Access" AND categoryDeviceGroup="/Firewall" AND categoryOutcome="/Failure"

What to Look for on Network Devices
- Bytes transferred (large files?) ("Teardown TCP connection ... duration ... bytes ...")
    Teardown AND TCP AND connection AND duration AND bytes
- Bandwidth and protocol usage ("limit ... exceeded", "CPU utilization")
    (limit AND exceeded) OR (CPU AND utilization)
- Detected attack activity ("attack from")
    ATTACK AND FROM

What to Look for on Network Devices
- User account changes ("user added", "user deleted", "User priv level changed")
    (USER AND ADDED) OR (USER AND DELETED) OR (USER AND PRIV AND LEVEL AND CHANGED)
- Administrator access ("AAA user...", "User... locked out", "login failed")
    (AAA AND user) OR (User AND locked AND out) OR (login AND failed)
    ((name CONTAINS "AAA") AND (name CONTAINS "user")) OR ((name CONTAINS "User") AND (name CONTAINS "locked") AND (name CONTAINS "out")) OR ((name CONTAINS "login") AND (name CONTAINS "failed"))
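The "Bytes transferred (large files?)" and "Traffic blocked" items on the network slides need more than a keyword hit: the byte counts have to be pulled out of the Teardown messages and summed per inside host. This added example (not ArcSight code) does that over constructed ASA-style lines; the interface names inside/outside and the byte threshold are assumptions.

```python
"""Pull the checklist's firewall signals out of Cisco ASA syslog: bytes per inside host from
'Teardown ... duration ... bytes' messages (large transfers?) and a count of blocked traffic.
Added example, not ArcSight code; the lines are constructed in ASA message style and the
interface names inside/outside are assumptions."""
import re
from collections import defaultdict

TEARDOWN_RE = re.compile(
    r"Teardown (?P<proto>TCP|UDP) connection \d+ for (?P<if_a>\w+):(?P<ip_a>[\d.]+)/\d+ to "
    r"(?P<if_b>\w+):(?P<ip_b>[\d.]+)/\d+ duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+)")
# the slide's three blocked-traffic phrases: "access-list ... denied", "deny inbound", "Deny ... by"
DENY_RE = re.compile(r"access-list \S+ denied|Deny .* by access-group|deny inbound", re.I)

def parse_teardown(line):
    """One Teardown line -> dict with the inside host, its peer, duration in seconds and bytes."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    inside_first = m["if_a"] == "inside"
    return {"proto": m["proto"],
            "host": m["ip_a"] if inside_first else m["ip_b"],
            "peer": m["ip_b"] if inside_first else m["ip_a"],
            "duration_s": int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
            "bytes": int(m["bytes"])}

def bytes_per_host(lines):
    """Total bytes per inside host over all torn-down connections."""
    totals = defaultdict(int)
    for t in filter(None, map(parse_teardown, lines)):
        totals[t["host"]] += t["bytes"]
    return dict(totals)

def large_transfers(lines, threshold_bytes):
    """Connections that moved at least threshold_bytes: the 'large files?' check."""
    return [t for t in map(parse_teardown, lines) if t and t["bytes"] >= threshold_bytes]

def blocked_count(lines):
    """Number of lines matching the slide's blocked-traffic phrases."""
    return sum(1 for line in lines if DENY_RE.search(line))

SAMPLE = [  # constructed, ASA-style
    "%ASA-6-302013: Built outbound TCP connection 101 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.1.1.20/51234 (198.51.100.1/51234)",
    "%ASA-6-302014: Teardown TCP connection 101 for outside:203.0.113.5/443 to inside:10.1.1.20/51234 duration 0:12:10 bytes 734003200 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 102 for outside:203.0.113.9/80 to inside:10.1.1.21/51300 duration 0:00:03 bytes 18231 TCP FINs",
    "%ASA-6-302016: Teardown UDP connection 103 for outside:203.0.113.2/53 to inside:10.1.1.20/40001 duration 0:00:01 bytes 312",
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.1.1.20/445 by access-group "outside_in" [0x0, 0x0]',
    "%ASA-6-106100: access-list outside_in denied tcp outside/198.51.100.7(4445) -> inside/10.1.1.21(3389) hit-cnt 1 first hit",
]
```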

What to Look for on Web Servers

What to Look for on Web Servers
- Excessive access attempts to non-existent files
    deviceEventClassId=404
    categoryDeviceGroup="/Application" AND categoryBehavior="/Access/Start" AND categoryObject="/Host/Resource" AND categoryOutcome="/Failure" AND categorySignificance CONTAINS "/Informational/Warning"
- Code (SQL, HTML) seen as part of the URL
    categoryDeviceGroup="/Application" AND categoryBehavior="/Access/Start" AND categoryObject="/Host/Resource" AND (name CONTAINS "<" OR name CONTAINS ">" OR name CONTAINS "='")

What to Look for on Web Servers
- Access to extensions you have not implemented. For example, if you don't have *.exe files:
    categoryDeviceGroup="/Application" AND categoryBehavior="/Access/Start" AND categoryObject="/Host/Resource" AND requestUrl CONTAINS ".exe"
    categoryBehavior="/Communicate/Query" AND categoryDeviceGroup="/Application" AND categoryObject="/Host/Application/Service" AND categoryOutcome="/Success" AND categorySignificance="/Normal" AND requestUrl CONTAINS ".exe"
- Web service stopped/started/failed messages

What to Look for on Web Servers
- Access to "risky" pages that accept user input. For example, if you have input.jsp and output.jsp files:
    categoryBehavior="/Communicate/Query" AND categoryDeviceGroup="/Application" AND categoryObject="/Host/Application/Service" AND categoryOutcome="/Success" AND categorySignificance="/Normal" AND (requestUrl CONTAINS "input.jsp" OR requestUrl CONTAINS "output.jsp")
- Look at logs on all servers in the load balancer pool
    categoryDeviceGroup="/Application" AND categoryBehavior="/Access/Start" AND categoryObject="/Host/Resource"

What to Look for on Web Servers
- Error code 200 on files that are not yours
    deviceEventClassId=200
    categoryBehavior="/Communicate/Query" AND categoryDeviceGroup="/Application" AND categoryObject="/Host/Application/Service" AND categoryOutcome="/Success" AND categorySignificance="/Normal" AND requestUrl IS NOT NULL
- Failed user authentication (error code 401, 403)
    deviceEventClassId=401 OR deviceEventClassId=403

What to Look for on Web Servers
- Invalid request (error code 400)
    deviceEventClassId=400
    categoryBehavior="/Access/Start" AND categoryDeviceGroup="/Application" AND categoryObject="/Host/Application/Service" AND categoryOutcome="/Failure"
- Internal server error (error code 500)
    deviceEventClassId=500
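All of the web-server checks on the slides above, run together over Apache combined-log lines as an added example (not ArcSight code): 404 bursts per source, the slide's code characters in the URL, the unimplemented .exe extension, the input.jsp/output.jsp risky pages, a 200 on a file that is not in your inventory, and the 400/401/403/500 codes. The sample lines, the file inventory and the extension list are constructed assumptions.

```python
"""Run the slides' web-server checks over Apache combined-log lines: excessive 404s per
source, code characters in the URL, unimplemented extensions, access to input-accepting
pages, 200s on files that are not yours, and the 400/401/403/500 codes. Added example,
not ArcSight code; the sample lines, file inventory and risky-page list are constructed."""
import re
from collections import Counter

CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+')
KNOWN_FILES = {"/", "/index.html", "/login.jsp", "/input.jsp", "/output.jsp", "/css/site.css"}  # assumed inventory
RISKY_PAGES = {"/input.jsp", "/output.jsp"}            # pages that accept user input (from the slide)
NOT_IMPLEMENTED = (".exe", ".php")                     # assumed: extensions this JSP site never serves
CODE_RE = re.compile(r"[<>]|='|%3C|%3E|%27", re.I)     # slide: '<', '>', "='"; plus URL-encoded forms

def parse(line):
    """Combined-log line -> dict with ip, method, url, path (url without query) and int status."""
    m = CLF_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["path"] = e["url"].split("?", 1)[0]
    return e

def review(lines, not_found_threshold=3):
    """Apply every check; returns finding name -> list of (ip, url, status)."""
    events = [e for e in map(parse, lines) if e]
    findings = {k: [] for k in ("excessive 404", "code in url", "unimplemented extension",
                                "risky page", "200 on unknown file", "auth failure",
                                "invalid request", "server error")}
    not_found = Counter(e["ip"] for e in events if e["status"] == 404)
    for e in events:
        key = (e["ip"], e["url"], e["status"])
        if e["status"] == 404 and not_found[e["ip"]] >= not_found_threshold:
            findings["excessive 404"].append(key)
        if CODE_RE.search(e["url"]):
            findings["code in url"].append(key)
        if e["path"].lower().endswith(NOT_IMPLEMENTED):
            findings["unimplemented extension"].append(key)
        if e["path"] in RISKY_PAGES:
            findings["risky page"].append(key)
        if e["status"] == 200 and e["path"] not in KNOWN_FILES:
            findings["200 on unknown file"].append(key)
        if e["status"] in (401, 403):
            findings["auth failure"].append(key)
        if e["status"] == 400:
            findings["invalid request"].append(key)
        if e["status"] == 500:
            findings["server error"].append(key)
    return findings

SAMPLE = [  # constructed access log
    '10.0.0.5 - - [05/Mar/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [05/Mar/2012:10:00:02 +0000] "POST /input.jsp HTTP/1.1" 200 88',
    '198.51.100.7 - - [05/Mar/2012:10:00:03 +0000] "GET /admin.php HTTP/1.1" 404 210',
    '198.51.100.7 - - [05/Mar/2012:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210',
    '198.51.100.7 - - [05/Mar/2012:10:00:04 +0000] "GET /cmd.exe HTTP/1.1" 404 210',
    '198.51.100.7 - - [05/Mar/2012:10:00:05 +0000] "GET /output.jsp?id=1%27 HTTP/1.1" 500 0',
    '198.51.100.7 - - [05/Mar/2012:10:00:06 +0000] "GET /output.jsp?q=<b> HTTP/1.1" 400 0',
    '198.51.100.7 - - [05/Mar/2012:10:00:07 +0000] "GET /uploads/x.jsp HTTP/1.1" 200 1200',
    '10.0.0.6 - - [05/Mar/2012:10:00:08 +0000] "GET /input.jsp HTTP/1.1" 401 0',
]
```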

Q&A

ArcSight, Inc. Corporate Headquarters: 1 888 415 ARST; EMEA Headquarters: +44 (0)844 745 2068; Asia Pac Headquarters: +65 6248 4795; www.arcsight.com