Home page logo

basics logo Security Basics mailing list archives

Re: SIEM Use Cases
From: krymson () gmail com
Date: Thu, 19 Jul 2012 18:31:15 GMT

I've not used RSA Envision, but I have used other SIEMs or seen them in action.

For the most part, you're either going to have to spend the time to set up each specific series of events that you want 
to look at. Or you're just not going to be able to stitch together individual events to make a whole incident.

Not without having an admin watching those logs and doing the work to correlate the events.

It's just near impossible for a tool to come out and easily do that a specific analysis like even your simple scenario 
illustrates. Each event can come in for separate issues or something on its own, or days apart, or whathaveyou. 

Today, imo, nothing replaces the analyst yet. They just help make his/her life a little easier. And it still doesn't 
replace needing an analyst that knows how to attack and how to see attacks or what to look for forensically.

Besides which, once you get it all set up and running for 4 months, then you do an upgrade of some piece that changes 
the log format and throws the whole thing out of whack... 


<- snip ->

This may not be the right forum ( if so please point me to the right
location) but here goes:

I am working on a project where we are integrating a SIEM into our
environment and I need to create a monitoring and alerting standard.

If I can explain some more:
- There are specific "isolated" suspicious behaviour that we would
want the SIEM to alert on e.g e.g Admin logon at specific times of
the day, mid night for instance.
- There are also specific "combination" of suspicious behaviour that
we should alert on: e.g

I have a simple 3-tier web app behind a firewall, and four event
sources for SIEM: a firewall, system events from
whatever daemon running on your servers and an (D)IDS

Event 1 : IDS says I have an SQL injection. Taken alone, this is
false, it's just an attempt at an SQLi and I have no idea whether or
not it has succeeded.
Event 2 : system daemon says I have a file creation on a temp folder
in your DB server
Event 3 : system daemon says said dropped file is ran under the DBserver user
Event 4 : firewall says I have outbound connection created to blah
server on port 80
Event 5 : IDS says blah server is hosted on an IP with a bad
reputation (I assume that's the D in DIDS)

Based on the above, I would say that i have been hacked.

The query that I have is: are there specific set of malicious
behaviour or "use cases" similar to the above that I can use as the
basis for configuring my SIEM to detect against malicious patterns of

Thanks in advance.

Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]