Incident Response: SIEM Part II
TRANSCRIPT
SIEM II
Author: Prof Bill Buchanan
Slide: Incident Response - SIEM II (title slide)
Diagram labels: Proxy, VPN, Eve, Bob, Alice
Slide: Incident Response - Data Sources/Timeline
Slide: Incidents (Introduction)
Timeline: Before Incident, During Incident, After Incident
Diagram labels: Intruder, Intrusion Detection
Slide: Data states (Incident Response)
Data in-motion, data in-use and data at-rest
Diagram: network with Internet, Firewall, Router, Switch, DMZ (Proxy server, Email server, Web server, FTP server), inner Firewall, Domain name server, Database server and two Intrusion Detection Systems; users Bob, Alice and Eve
Labels on the diagram: Data in-motion, Data at-rest, Data in-use, Data at-rest
Slide: Incidents (Introduction) - Timeline
Timeline: Before Incident, During Incident, After Incident
Data At Rest: Files, Directories, File Rights, Domain Rights, etc.
  File changes, File CRUD (Create, Read, Update, Delete), Thumbprints
Data In-Motion: Network packet logs, Web logs, Security logs
  Network scanners, Intrusion Detection Systems, Firewall logs, etc.
Data In-Process: Processes, Threads, Memory, etc.
  Security Log, Application Log, Registry, Domain Rights
Diagram label: Intruder
Slide: Four Vs of Big Data (Introduction, Incident Response)
V - Volume [Scale of data]
V - Variety [Different forms of data]
V - Velocity [Speed of data generation]
V - Veracity [Trustworthiness]
Diagram labels: Intrusion Detection System, Firewall, Router, Proxy server, Email server, Web server, FTP server, Switch; Alice, Eve, Bob
Other labels: Management report, Sales analysis, Targeted marketing, Trending/Correlation, Incident Response
Slide: Data Capture (Introduction, Incident Response)
Source categories and example products:
  IT Ops: Nagios, NetApp, Cisco UCS, Apache, IIS
  Web Services
  Microsoft Infrastructure: Active Directory, Exchange, SharePoint
  Structured Data: CSV, JSON, XML
  Database Systems: Oracle, MySQL, Microsoft SQL
  Network/Security: Syslog/SNMP, Cisco NetFlow, Snort
  Cloud: AWS CloudTrail, Amazon S3, Azure
  Application Servers: WebLogic, WebSphere, Tomcat
Diagram labels: Web server, Firewall, Router, Proxy server, Email server, FTP server, Switch, Intrusion Detection System; Eve, Bob, Alice
Slide: Investigation sources (Introduction, Incident Response)
Internal systems
Cloud service providers
Communication service providers
Trusted partners
Diagram labels: Web server, Firewall, Router, Proxy server, Email server, FTP server; Bob, Eve
Slide: Security Operations Centre (Introduction, Incident Response)
Logs/alerts
SIEM Package (Splunk)
News feeds
Security alerts
Diagram labels: Eve, Bob
Slide: Threat Analysis (Incident Response)
Diagram labels: Proxy, VPN, Eve, Bob, Alice
Slide: SIEM - Data Fusion
Semi-structured data: >10 million events
Data storage (2GB/day)
Context
Parsing/Normalisation
Processing: Rule based correlation, Statistical correlation
Event prioritisation
Aggregation: 10,000 alerts -> 1 incident
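The data-fusion stages on this slide (parsing/normalisation of semi-structured events, rule-based correlation, aggregation of many alerts into one incident, and prioritisation), as an added toy pipeline that is not part of the lecture: the two log formats, the regular expressions, the deny threshold and the sample log lines are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample events in two source formats: firewall syslog and web-server access log.
RAW_EVENTS = [
    "Jan 10 10:00:01 fw1 deny tcp 203.0.113.5:51000 -> 192.0.2.10:22",
    "Jan 10 10:00:02 fw1 deny tcp 203.0.113.5:51001 -> 192.0.2.10:23",
    "Jan 10 10:00:03 fw1 deny tcp 203.0.113.5:51002 -> 192.0.2.10:3389",
    '203.0.113.5 - - [10/Jan/2024:10:00:05 +0000] "GET /admin HTTP/1.1" 401 512',
    '203.0.113.5 - - [10/Jan/2024:10:00:06 +0000] "GET /admin HTTP/1.1" 401 512',
    '198.51.100.7 - - [10/Jan/2024:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 2048',
]
# Assumed (constructed) formats; a real SIEM ships parsers for each product's own format.
FW_RE = re.compile(r"^\S+ \d+ \S+ (?P<host>\S+) (?P<action>deny|allow) \S+ "
                   r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
WEB_RE = re.compile(r'^(?P<src>[\d.]+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def normalise(line):
    """Parsing/normalisation: map each source format onto one common event schema."""
    m = FW_RE.match(line)
    if m:
        return {"source": "firewall", "src": m["src"], "dst": m["dst"],
                "outcome": m["action"], "detail": "port " + m["dport"]}
    m = WEB_RE.match(line)
    if m:
        outcome = "deny" if m["status"] in ("401", "403") else "allow"
        return {"source": "web", "src": m["src"], "dst": "webserver",
                "outcome": outcome, "detail": f"{m['method']} {m['path']} {m['status']}"}
    return None  # unparsed: a real SIEM would keep the raw line for later search

def correlate(events, deny_threshold=3):
    """Rule-based correlation and aggregation: group denied events by source
    address and raise one incident per source at or above the threshold.
    Prioritisation: an incident seen by more than one data source ranks higher."""
    by_src = defaultdict(list)
    for e in events:
        if e and e["outcome"] == "deny":
            by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        if len(evs) >= deny_threshold:
            sources = sorted({e["source"] for e in evs})
            priority = "high" if len(sources) > 1 else "medium"
            incidents.append({"src": src, "alerts": len(evs),
                              "sources": sources, "priority": priority})
    return sorted(incidents, key=lambda i: -i["alerts"])

def run_pipeline(lines=RAW_EVENTS):
    # Whole pipeline: many raw lines in, a short prioritised incident list out.
    return correlate([normalise(line) for line in lines])
```

Six raw lines become five normalised deny events from two sources and collapse into a single high-priority incident, which is the alerts-to-incident reduction the slide illustrates.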
Further slides (titles only):
Security Operations Centres (SOC)
Logstalgia
Akamai.com
Trend Micro Threat Analysis
DDoS Attack Map
State of the Internet
IPew Attack Map
Fortinet
Kaspersky Cyber Threat Map