Security Basics mailing list archives
Re: SIEM Use Cases
From: Thugzclub <thugzclub () googlemail com>
Date: Tue, 10 Jul 2012 02:37:02 +0100
Hi Gig We are in implementation phase. We have implemented the canned alerts but we are now at a stage where we would like detect the more advanced threats. The SIEM is RSA envision ! On 10 Jul 2012, at 02:01, "gig" <gigabit () satx rr com> wrote:
yes, that is a pretty good scenario that you've outlined. However, I can't tell how far along you are with your SIEM implementation. Also, without knowing which SIEM you're talking about, it's hard to make recommendations. NOT all SIEMs are the same in terms of capability and built in logic functions. I'd suggest you start with the canned features you product has already defined.....then pare down once you "tune" it to your environment. Once you're good at configuring your device, then you can start with your own customized alerts. ----- Original Message ----- From: "Thugzclub Thugzclub" <thugzclub () googlemail com> To: <listbounce () securityfocus com>; <security-basics () securityfocus com>; <pen-test () securityfocus com>; <discussion () siemusers org> Sent: Sunday, July 08, 2012 8:36 PM Subject: SIEM Use CasesHi, This may not be the right forum ( if so please point me to the right location) but here goes: I am working on a project where we are integrating a SIEM into our environment and I need to create a monitoring and alerting standard. If I can explain some more: - There are specific "isolated" suspicious behaviour that we would want the SIEM to alert on e.g e.g Admin logon at specific times of the day, mid night for instance. - There are also specific "combination" of suspicious behaviour that we should alert on: e.g I have a simple 3-tier web app behind a firewall, and four event sources for SIEM: a firewall, system events from whatever daemon running on your servers and an (D)IDS Event 1 : IDS says I have an SQL injection. Taken alone, this is false, it's just an attempt at an SQLi and I have no idea whether or not it has succeeded. Event 2 : system daemon says I have a file creation on a temp folder in your DB server Event 3 : system daemon says said dropped file is ran under the DBserver user Event 4 : firewall says I have outbound connection created to blah server on port 80 Event 5 : IDS says blah server is hosted on an IP with a bad reputation (I assume that's the D in DIDS) Based on the above, I would say that i have been hacked. The query that I have is: are there specific set of malicious behaviour or "use cases" similar to the above that I can use as the basis for configuring my SIEM to detect against malicious patterns of behaviour. Thanks in advance. ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- SIEM Use Cases Thugzclub Thugzclub (Jul 09)
- RE: SIEM Use Cases Uzair Hashmi (Jul 09)
- Re: SIEM Use Cases Thugzclub Thugzclub (Jul 09)
- RE: SIEM Use Cases Uzair Hashmi (Jul 09)
- Re: SIEM Use Cases Thugzclub Thugzclub (Jul 09)
- RE: SIEM Use Cases Platt, Mario, Vodafone UK (Jul 09)
- Re: SIEM Use Cases gig (Jul 09)
- Re: SIEM Use Cases Thugzclub (Jul 09)
- <Possible follow-ups>
- Re: SIEM Use Cases krymson (Jul 19)
- RE: SIEM Use Cases Uzair Hashmi (Jul 09)