1 / 15

SIEM Based Intrusion Detection

SIEM Based Intrusion Detection. Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH, GCFA, GCWN. Objective. Attackers are more sophisticated and targeted in their attacks. Defenders need systems which help provide visibility and altering across numerous security systems.

jaegar
Download Presentation

SIEM Based Intrusion Detection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH, GCFA, GCWN SANS Technology Institute - Candidate for Master of Science Degree

  2. Objective • Attackers are more sophisticated and targeted in their attacks. • Defenders need systems which help provide visibility and altering across numerous security systems. • SIEM adoption driven by compliance • Gartner says “more than 80%” • Put “Security” back into SIEM using real world examples. SANS Technology Institute - Candidate for Master of Science Degree

  3. SIEM System Setup SANS Technology Institute - Candidate for Master of Science Degree

  4. Basics – Outbound Traffic • Outbound SMTP, DNS and IRC • Unexpected outbound connections SANS Technology Institute - Candidate for Master of Science Degree

  5. New Hosts and Services • Scanner integration for new host and service discovery SANS Technology Institute - Candidate for Master of Science Degree

  6. Darknets • Network segments without any live systems, but are monitored • Any traffic considered suspicious • Qradar defines Darknets at setup • Qradar Rule: Suspicious Activity: Communication with Known Watched Networks SANS Technology Institute - Candidate for Master of Science Degree

  7. Brute-force Attacks • Create reports to generate statistical data on failed logins by device, source IP and locked accounts per day. • Qradar provides several alerts for brute force attacks. Login Failures Followed by Success and Repeated Login Failures Single Host being the most helpful • Customize alerts for maximum impact SANS Technology Institute - Candidate for Master of Science Degree

  8. Brute-force Attacks SANS Technology Institute - Candidate for Master of Science Degree

  9. Windows Accounts • Report of accounts created by whom • Alerts for: • accounts not using std naming convention • outside of creation script timeframe • workstation account created • group membership adds to key groups • Understand the account management process and alert accordingly SANS Technology Institute - Candidate for Master of Science Degree

  10. IDS Context/Correlation • Reduce noise by reporting based upon high value systems or asset weights • Add context of target operating system • Add knowledge of vulnerabilities • Rules • Target Vulnerable to Detected Exploit • Vulnerable to Detected Exploit on Different Port • Vulnerable to Different Exploit than Detected on Attacked Port SANS Technology Institute - Candidate for Master of Science Degree

  11. Web Application Attacks • Analyze WAF logs if possible as header data (POST) not available in server logs • Create regular expressions to look for signs of attack, for example • /(\%27)|(\')|(\-\-)|(\%23)|(#)/ix – Detects ‘ or -- • Create and alert on web honeytokens • Fake admin page in robots.txt • Fake credentials in html code SANS Technology Institute - Candidate for Master of Science Degree

  12. Data Exfiltration • Collection of flows or session data is extremely helpful • Reports/Alerts based upon • Size/destination of outbound flows “Large Outbound Data Transfer” • Application data inside specific protocols • Frequency of requests/application usage • Session Duration “Long Duration Flow” SANS Technology Institute - Candidate for Master of Science Degree

  13. Client Side Attacks • Information in Windows event logs: • Process Information • Start (592/4688) Ends (593/4689) • New Service Installed (601/4697) • Scheduled Tasks Created (602/4689) • Audit Policy Changed and Cleared • (612/4719) and (517/1102) • Integration with third-party tools SANS Technology Institute - Candidate for Master of Science Degree

  14. Sample Attack SANS Technology Institute - Candidate for Master of Science Degree

  15. Summary • Defenders need to look for indicators of compromise across many sources • SIEM solution centralize data • Start small with basic methods, test, and move to more advanced techniques • Goal is to detect compromise and provide as much information as possible before starting incident response SANS Technology Institute - Candidate for Master of Science Degree

More Related