Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,

Published byProsper Norman Modified over 9 years ago

Similar presentations

Presentation on theme: "1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,"— Presentation transcript:

1 1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH, GCFA, GCWN

2 SANS Technology Institute - Candidate for Master of Science Degree 2 Objective Attackers are more sophisticated and targeted in their attacks. Defenders need systems which help provide visibility and altering across numerous security systems. SIEM adoption driven by compliance Gartner says “more than 80%” Put “Security” back into SIEM using real world examples.

3 SANS Technology Institute - Candidate for Master of Science Degree 3 SIEM System Setup

4 SANS Technology Institute - Candidate for Master of Science Degree 4 Basics – Outbound Traffic Outbound SMTP, DNS and IRC Unexpected outbound connections

5 SANS Technology Institute - Candidate for Master of Science Degree 5 New Hosts and Services Scanner integration for new host and service discovery

6 SANS Technology Institute - Candidate for Master of Science Degree 6 Darknets Network segments without any live systems, but are monitored Any traffic considered suspicious Qradar defines Darknets at setup Qradar Rule: Suspicious Activity: Communication with Known Watched Networks

7 SANS Technology Institute - Candidate for Master of Science Degree 7 Brute-force Attacks Create reports to generate statistical data on failed logins by device, source IP and locked accounts per day. Qradar provides several alerts for brute force attacks. Login Failures Followed by Success and Repeated Login Failures Single Host being the most helpful Customize alerts for maximum impact

8 SANS Technology Institute - Candidate for Master of Science Degree 8 Brute-force Attacks

9 SANS Technology Institute - Candidate for Master of Science Degree 9 Windows Accounts Report of accounts created by whom Alerts for: –accounts not using std naming convention –outside of creation script timeframe –workstation account created –group membership adds to key groups Understand the account management process and alert accordingly

10 SANS Technology Institute - Candidate for Master of Science Degree 10 IDS Context/Correlation Reduce noise by reporting based upon high value systems or asset weights Add context of target operating system Add knowledge of vulnerabilities Rules Target Vulnerable to Detected Exploit Vulnerable to Detected Exploit on Different Port Vulnerable to Different Exploit than Detected on Attacked Port

11 SANS Technology Institute - Candidate for Master of Science Degree 11 Web Application Attacks Analyze WAF logs if possible as header data (POST) not available in server logs Create regular expressions to look for signs of attack, for example /(\%27)|(\')|(\-\-)|(\%23)|(#)/ix – Detects ‘ or -- Create and alert on web honeytokens Fake admin page in robots.txt Fake credentials in html code

12 SANS Technology Institute - Candidate for Master of Science Degree 12 Data Exfiltration Collection of flows or session data is extremely helpful Reports/Alerts based upon –Size/destination of outbound flows “Large Outbound Data Transfer” –Application data inside specific protocols –Frequency of requests/application usage –Session Duration “Long Duration Flow”

13 SANS Technology Institute - Candidate for Master of Science Degree 13 Client Side Attacks Information in Windows event logs: –Process Information Start (592/4688) Ends (593/4689) –New Service Installed (601/4697) –Scheduled Tasks Created (602/4689) –Audit Policy Changed and Cleared (612/4719) and (517/1102) Integration with third-party tools

14 SANS Technology Institute - Candidate for Master of Science Degree 14 Sample Attack

15 SANS Technology Institute - Candidate for Master of Science Degree 15 Summary Defenders need to look for indicators of compromise across many sources SIEM solution centralize data Start small with basic methods, test, and move to more advanced techniques Goal is to detect compromise and provide as much information as possible before starting incident response

Download ppt "1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,"

Similar presentations

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.
SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.

SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.
1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.

Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
The Most Analytical and Comprehensive Defense Network in a Box.

The Most Analytical and Comprehensive Defense Network in a Box.
Hackers, Crackers, and Network Intruders: Heroes, villains, or delinquents? Tim McLaren Thursday, September 28, 2000 McMaster University.

Hackers, Crackers, and Network Intruders: Heroes, villains, or delinquents? Tim McLaren Thursday, September 28, 2000 McMaster University.
SIEMs - Decoding The Mayhem Bill Dean Director of Computer Forensics Sword & Shield Enterprise Security Inc.

SIEMs - Decoding The Mayhem Bill Dean Director of Computer Forensics Sword & Shield Enterprise Security Inc.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
IBM Security Network Protection (XGS)

IBM Security Network Protection (XGS)
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.

© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
By Edith Butler Fall 2008. Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.

By Edith Butler Fall Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
SANS Technology Institute - Candidate for Master of Science Degree What's in the data bucket? Event Correlation and SIEM Vendor Approaches Brough Davis,

SANS Technology Institute - Candidate for Master of Science Degree What's in the data bucket? Event Correlation and SIEM Vendor Approaches Brough Davis,
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
Security Guidelines and Management

Security Guidelines and Management
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

Similar presentations

Ads by Google