Security Basics mailing list archives
RE: SIEM Use Cases
From: "Platt, Mario, Vodafone UK" <mario.platt () vodafone com>
Date: Mon, 9 Jul 2012 08:41:48 +0000
Hey,

I would tell you to get "The Tao of Network Security Monitoring: Beyond Intrusion Detection" by Richard Bejtlich. It's a great book on the subject, but as stated there, for effective SIEM correlation and results you should try to find a balance between statistical data, full content data and intrusion detection. The book is a true must-read for anyone working with SIEM, in order to maximize your "bang for buck".

cheers

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Thugzclub Thugzclub
Sent: 09 July 2012 02:36
To: listbounce () securityfocus com; security-basics () securityfocus com; pen-test () securityfocus com; discussion () siemusers org
Subject: SIEM Use Cases

Hi,

This may not be the right forum (if so please point me to the right location) but here goes:

I am working on a project where we are integrating a SIEM into our environment and I need to create a monitoring and alerting standard. If I can explain some more:

- There are specific "isolated" suspicious behaviours that we would want the SIEM to alert on, e.g. admin logon at specific times of the day, midnight for instance.

- There are also specific "combinations" of suspicious behaviour that we should alert on. E.g. I have a simple 3-tier web app behind a firewall, and four event sources for the SIEM: a firewall, system events from whatever daemon is running on your servers, and a (D)IDS.

Event 1: IDS says I have an SQL injection. Taken alone, this is false; it's just an attempt at an SQLi and I have no idea whether or not it has succeeded.
Event 2: system daemon says I have a file creation in a temp folder on your DB server.
Event 3: system daemon says said dropped file is run under the DB server user.
Event 4: firewall says I have an outbound connection created to blah server on port 80.
Event 5: IDS says blah server is hosted on an IP with a bad reputation (I assume that's the D in DIDS).

Based on the above, I would say that I have been hacked.

The query that I have is: are there specific sets of malicious behaviour or "use cases" similar to the above that I can use as the basis for configuring my SIEM to detect against malicious patterns of behaviour?

Thanks in advance.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
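The two rule types in the quoted message, the isolated out-of-hours admin logon and the five-event chain from SQLi attempt to bad-reputation callback, as an added example in Python. This is not code from the original post or from any SIEM product; the asset inventory, the normalised event schema, the one-hour correlation window, the admin account list and the sample telemetry are all assumptions made here for illustration, and a real deployment would take them from its own inventory and parsers.

```python
# Toy SIEM correlation for the use case in the thread: five weak events from
# four sources (IDS, host daemon, firewall, reputation feed) that only become
# an incident when chained and joined on shared attributes. Added example, not
# code from the original post; inventory, schema and telemetry are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    source: str   # "ids", "host", "firewall" or "reputation"
    host: str     # asset the event concerns, after normalisation
    kind: str     # normalised event type
    attrs: dict = field(default_factory=dict)

# Hypothetical asset inventory: hosts of the 3-tier app "shop" and the DB account.
ASSETS = {"web01": {"app": "shop", "role": "web"},
          "db01": {"app": "shop", "role": "db", "db_user": "postgres"}}
ADMIN_ACCOUNTS = {"root", "Administrator", "dba"}

def app_of(host):
    return ASSETS.get(host, {}).get("app")

# Chain stages. Each predicate sees the event and the chain's state dict and may
# record attributes (DB host, dropped path, destination IP) that later stages
# join on, so stage N matches only if it is tied to stage N-1.
def s_sqli(e, st):
    return e.source == "ids" and e.kind == "sqli_attempt"

def s_drop(e, st):
    ok = (e.source == "host" and e.kind == "file_create"
          and app_of(e.host) == st.get("app")
          and ASSETS.get(e.host, {}).get("role") == "db"
          and e.attrs.get("path", "").startswith(("/tmp/", "/var/tmp/")))
    if ok:
        st["db_host"], st["dropped"] = e.host, e.attrs["path"]
    return ok

def s_exec(e, st):
    return (e.source == "host" and e.kind == "process_start"
            and e.host == st.get("db_host")
            and e.attrs.get("image") == st.get("dropped")
            and e.attrs.get("user") == ASSETS[e.host].get("db_user"))

def s_conn(e, st):
    ok = (e.source == "firewall" and e.kind == "conn_out"
          and e.host == st.get("db_host") and e.attrs.get("dst_port") == 80)
    if ok:
        st["dst_ip"] = e.attrs["dst_ip"]
    return ok

def s_rep(e, st):
    return (e.source == "reputation" and e.kind == "bad_ip"
            and e.attrs.get("ip") == st.get("dst_ip"))

CHAIN = [s_sqli, s_drop, s_exec, s_conn, s_rep]   # must occur in this order

def out_of_hours_admin_logon(e, start_hour=0, end_hour=5):
    # Isolated rule: a privileged logon in the quiet hours is an alert by itself.
    if (e.source == "host" and e.kind == "logon"
            and e.attrs.get("user") in ADMIN_ACCOUNTS
            and start_hour <= e.ts.hour < end_hour):
        return [{"rule": "admin_logon_out_of_hours", "host": e.host,
                 "user": e.attrs["user"], "ts": e.ts.isoformat()}]
    return []

def correlate(events, window=timedelta(hours=1)):
    # Run both rules over an event stream; return the alerts raised.
    alerts, chains = [], []      # chains: partial matches, one per SQLi alert
    for e in sorted(events, key=lambda x: x.ts):
        alerts += out_of_hours_admin_logon(e)
        # a chain whose last step is older than the window can no longer advance
        chains = [c for c in chains if e.ts - c["events"][-1].ts <= window]
        if s_sqli(e, {}):        # stage 0 opens a new partial chain
            chains.append({"app": app_of(e.host), "stage": 1, "events": [e]})
            continue
        for ch in chains:
            if CHAIN[ch["stage"]](e, ch):
                ch["events"].append(e)
                ch["stage"] += 1
                if ch["stage"] == len(CHAIN):
                    alerts.append({"rule": "sqli_to_c2_chain", "app": ch["app"],
                                   "db_host": ch["db_host"], "dropped_file": ch["dropped"],
                                   "c2_ip": ch["dst_ip"], "last_seen": e.ts.isoformat(),
                                   "first_seen": ch["events"][0].ts.isoformat()})
        chains = [c for c in chains if c["stage"] < len(CHAIN)]   # drop completed
    return alerts

T0 = datetime(2012, 7, 9, 2, 30)
# Constructed sample telemetry: the five-event scenario, then an out-of-hours
# root logon and a lone SQLi attempt that must not escalate.
SAMPLE_EVENTS = [
    Event(T0, "ids", "web01", "sqli_attempt", {"src_ip": "203.0.113.7"}),
    Event(T0 + timedelta(minutes=4), "host", "db01", "file_create", {"path": "/tmp/x.sh"}),
    Event(T0 + timedelta(minutes=5), "host", "db01", "process_start", {"image": "/tmp/x.sh", "user": "postgres"}),
    Event(T0 + timedelta(minutes=6), "firewall", "db01", "conn_out", {"dst_ip": "198.51.100.23", "dst_port": 80}),
    Event(T0 + timedelta(minutes=7), "reputation", "db01", "bad_ip", {"ip": "198.51.100.23"}),
    Event(T0 + timedelta(minutes=15), "host", "web01", "logon", {"user": "root"}),
    Event(T0 + timedelta(minutes=20), "ids", "web01", "sqli_attempt", {"src_ip": "203.0.113.9"}),
]
```

Calling correlate(SAMPLE_EVENTS) returns two alerts, the completed chain and the out-of-hours root logon; the second SQLi attempt opens a partial chain that never fires, and removing the reputation hit or pushing a step outside the window leaves the chain unfinished. The joins between stages (the dropped path reappearing as the executed image, the DB host reappearing as the firewall's source, the destination IP reappearing in the reputation hit) are what keep the rule from firing on five unrelated events; the window and the temp-path list are the knobs to tune once real data is flowing.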
Current thread:
- SIEM Use Cases Thugzclub Thugzclub (Jul 09)
- RE: SIEM Use Cases Uzair Hashmi (Jul 09)
- Re: SIEM Use Cases Thugzclub Thugzclub (Jul 09)
- RE: SIEM Use Cases Uzair Hashmi (Jul 09)
- Re: SIEM Use Cases Thugzclub Thugzclub (Jul 09)
- RE: SIEM Use Cases Platt, Mario, Vodafone UK (Jul 09)
- Re: SIEM Use Cases gig (Jul 09)
- Re: SIEM Use Cases Thugzclub (Jul 09)
- <Possible follow-ups>
- Re: SIEM Use Cases krymson (Jul 19)
- RE: SIEM Use Cases Uzair Hashmi (Jul 09)