SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.

Slides:



Advertisements
Similar presentations
1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.
Advertisements

Netflow Data-Mining Techniques Chris Poetzel Argonne National Laboratory Scott Pinkerton.
1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
The Most Analytical and Comprehensive Defense Network in a Box.
1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,
SIEMs - Decoding The Mayhem Bill Dean Director of Computer Forensics Sword & Shield Enterprise Security Inc.
Intrusion Detection Systems and Practices
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.
Host Intrusion Prevention Systems & Beyond
INTRUSION DETECTION SYSTEM
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.
1 Enabling Secure Internet Access with ISA Server.
Security Guidelines and Management
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite Alessandro Braccia, DBA Sistemi.
Brad Baker CS526 May 7 th, /7/ Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.
Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.
IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes.
The Most Analytical and Comprehensive Defense Network in a Box.
Monitoring for network security and management Cyber Solutions Inc.
CIS 460 – Network Design Seminar Network Security Scanner Tool GFI LANguard.
Honeypot and Intrusion Detection System
Vantage Report 3.0 Product Sales Guide
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Module 10: Monitoring ISA Server Overview Monitoring Overview Configuring Alerts Configuring Session Monitoring Configuring Logging Configuring.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
Transmission Control Protocol TCP. Transport layer function.
Computer Emergency Notification System (CENS)
1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.
Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.
Scanning & Enumeration Lab 3 Once attacker knows who to attack, and knows some of what is there (e.g. DNS servers, mail servers, etc.) the next step is.
Knowing What You Missed Forensic Techniques for Investigating Network Traffic.
Integrating and Troubleshooting Citrix Access Gateway.
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Integration Framework: QRadar 7.2 MR1.
1 Figure 10-4: Intrusion Detection Systems (IDSs) HOST IDSs  Protocol Stack Monitor (like NIDS) Collects the same type of information as a NIDS Collects.
Yair Grindlinger, CEO and Co-Founder Do you know who your employees are sharing their credentials with? Do they?
Intrusion Detection System
WebWatcher A Lightweight Tool for Analyzing Web Server Logs Hervé DEBAR IBM Zurich Research Laboratory Global Security Analysis Laboratory
I NTRUSION P REVENTION S YSTEM (IPS). O UTLINE Introduction Objectives IPS’s Detection methods Classifications IPS vs. IDS IPS vs. Firewall.
Role Of Network IDS in Network Perimeter Defense.
Sicherheitsaspekte beim Betrieb von IT-Systemen Christian Leichtfried, BDE Smart Energy IBM Austria December 2011.
Unit 2 Personal Cyber Security and Social Engineering Part 2.
Security Log Visualization with a Correlation Engine: Chris Kubecka Security-evangelist.eu All are welcome in the House of Bytes English Language Presentation.
Welcome Information Security Office Services Available to Counties Security Operations Center Questions.
Logging and Monitoring. Motivation Attacks are common (see David's talk) – Sophisticated – hard to reveal, (still) quite limited in our environment –
INTRODUCTION Sam Wachira
SIEM Rotem Mesika System security engineering
Major focus areas derived from NIST Guidelines
C IBM Security QRadar SIEM V7.2.6 Associate Analyst
Nicholas Hsiao Critical Log Review Checklist for Security Incidents – By ArcSight Logger For template guidelines or applying this.
Securing the Network Perimeter with ISA 2004
SECURITY INFORMATION AND EVENT MANAGEMENT
NETWORK SECURITY LAB Lab 9. IDS and IPS.
IS3440 Linux Security Unit 9 Linux System Logging and Monitoring
Intrusion Detection & Prevention
11/17/2018 9:32 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.
ISMS Information Security Management System
Human (user) behavior patterns and analytics
Protecting your data with Azure AD
Bro, I Can See You Moving Laterally
AIR-T11 What We’ve Learned Building a Cyber Security Operation Center: du Case Study Tamer El Refaey Senior Director, Security Monitoring and Operations.
Presentation transcript:

SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey

2 Objective Attackers are more sophisticated and targeted in their attacks. Defenders need systems which help provide visibility and altering across numerous security systems. SIEM adoption driven by compliance Gartner says “more than 80%” Put “Security” back into SIEM using real world examples.

3 SIEM System Setup

4 Basics – Outbound Traffic Outbound SMTP, DNS and IRC Unexpected outbound connections

5 New Hosts and Services Scanner integration for new host and service discovery

6 Darknets Network segments without any live systems, but are monitored Any traffic considered suspicious Qradar defines Darknets at setup Qradar Rule: Suspicious Activity: Communication with Known Watched Networks

7 Brute-force Attacks Create reports to generate statistical data on failed logins by device, source IP and locked accounts per day. Qradar provides several alerts for brute force attacks. Login Failures Followed by Success and Repeated Login Failures Single Host being the most helpful Customize alerts for maximum impact

8 Brute-force Attacks

9 Windows Accounts Report of accounts created by whom Alerts for: – accounts not using std naming convention – outside of creation script timeframe – workstation account created – group membership adds to key groups Understand the account management process and alert accordingly

10 IDS Context/Correlation Reduce noise by reporting based upon high value systems or asset weights Add context of target operating system Add knowledge of vulnerabilities Rules Target Vulnerable to Detected Exploit Vulnerable to Detected Exploit on Different Port Vulnerable to Different Exploit than Detected on Attacked Port

11 Web Application Attacks Analyze WAF logs if possible as header data (POST) not available in server logs Create regular expressions to look for signs of attack, for example /(\%27)|(\')|(\-\-)|(\%23)|(#)/ix – Detects ‘ or -- Create and alert on web honeytokens Fake admin page in robots.txt Fake credentials in html code

12 Data Exfiltration Collection of flows or session data is extremely helpful Reports/Alerts based upon – Size/destination of outbound flows “Large Outbound Data Transfer” – Application data inside specific protocols – Frequency of requests/application usage – Session Duration “Long Duration Flow”

13 Client Side Attacks Information in Windows event logs: – Process Information Start (592/4688) Ends (593/4689) – New Service Installed (601/4697) – Scheduled Tasks Created (602/4689) – Audit Policy Changed and Cleared (612/4719) and (517/1102) Integration with third-party tools

14 Sample Attack

15 Summary Defenders need to look for indicators of compromise across many sources SIEM solution centralize data Start small with basic methods, test, and move to more advanced techniques Goal is to detect compromise and provide as much information as possible before starting incident response

System Options Commercial SIEM Solutions – ArcSight ( – Q1Labs Qradar ( – RSA Envision ( Lower Cost/Free Log Search – Q1Labs FE ( – OSSEC ( – Splunk (

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.