siem presentation final

SIEM Security Information and Event Management

Upload: rizwan-s

Post on 07-Apr-2017

TRANSCRIPT

Page 1: SIEM presentation final

SIEM: Security Information and Event Management

Page 2: SIEM presentation final

Background on network components: firewall, router, switch, anti-virus, Duo two-factor authentication, server, workstation, other sources.

Page 3: SIEM presentation final

Log Management

Log management: the information about an incident is recorded in several places, such as firewalls, routers, network IDS, host IDS and application logs.

Send a copy of each device's logs to the centralized syslog server.

Infrastructure tiers: log generation, log analysis and storage, and log monitoring.

Page 4: SIEM presentation final

Communication of logs via ports

Devices like workstations send logs to the syslog servers over Transmission Control Protocol (TCP), which sets up each connection with a 3-way handshake (SYN, SYN-ACK, ACK).

Devices like Palo Alto send logs to the syslog servers over Secure Sockets Layer (SSL).

Other devices, like Lanco, send logs to the syslog servers over User Datagram Protocol (UDP), which has no 3-way handshake.

The syslog server receives logs on port 514.
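The transport differences described on this slide, as an added example written for these notes (it is not code from the slides, from CHS, or from syslog-ng): a minimal receiver that takes the same BSD-syslog message over UDP and over TCP and decodes the PRI header into facility and severity. It assumes loopback only and an ephemeral port instead of 514, so it runs without root; the sample messages are constructed. The SSL case for Palo Alto is the TCP path with TLS layered on top and is not shown.

```python
"""Syslog transport demo: the same BSD-syslog message received over UDP
and over TCP, and a parser for the <PRI> header.  Added example, not
code from the slides or from syslog-ng.  Assumes loopback and an
ephemeral port (0) instead of 514 so it runs without root."""
import re
import socket

# <PRI>Mmm dd hh:mm:ss HOST rest   (RFC 3164 / BSD syslog layout)
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 10: "authpriv", 16: "local0"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample messages (not real log data).
SAMPLE_AUTH = "<34>Oct 11 22:14:15 fw01 su: 'su root' failed for jdoe on /dev/pts/8"
SAMPLE_USER = "<13>Oct 11 22:14:16 ws42 sshd[1234]: Accepted publickey for jdoe from 10.0.0.5"


def parse_syslog(line: str) -> dict:
    """Split the header and decode PRI = facility * 8 + severity."""
    m = _SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:                       # max facility 23, severity 7
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {"facility": FACILITIES.get(facility, str(facility)),
            "severity": SEVERITIES[severity],
            "timestamp": m.group("ts"), "host": m.group("host"),
            "msg": m.group("msg")}


def split_tcp_stream(data: bytes):
    """TCP has no record boundaries: several messages may arrive in one
    recv(), or one message may be cut in two.  Split on newline and hand
    back the incomplete tail so the caller can prepend it to the next read."""
    *complete, tail = data.split(b"\n")
    return [c.decode("utf-8", "replace") for c in complete if c], tail


def receive_udp(message: str, port: int = 0) -> dict:
    """One datagram is one message; a lost datagram is never retransmitted."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", port))
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.sendto(message.encode(), srv.getsockname())
    data, _ = srv.recvfrom(4096)
    cli.close()
    srv.close()
    return parse_syslog(data.decode())


def receive_tcp(messages: list, port: int = 0) -> list:
    """Messages over one connection: 3-way handshake, then a byte stream."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())   # SYN, SYN-ACK, ACK
    cli.sendall("".join(m + "\n" for m in messages).encode())
    cli.close()
    conn, _ = srv.accept()
    buf, parsed = b"", []
    while chunk := conn.recv(4096):
        lines, buf = split_tcp_stream(buf + chunk)
        parsed.extend(parse_syslog(line) for line in lines)
    conn.close()
    srv.close()
    return parsed


if __name__ == "__main__":
    print(receive_udp(SAMPLE_AUTH))
    for row in receive_tcp([SAMPLE_AUTH, SAMPLE_USER]):
        print(row)
```

The point to take from the two receive functions is the framing: UDP delivers one message per datagram and simply drops what it cannot deliver, while TCP guarantees delivery but hands the collector a stream, so the receiver has to split on newlines itself (which is what the slide's "3-way handshake" transport buys you and what it costs).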

Page 5: SIEM presentation final

Common ports

22 - SSH
53 - DNS
123 - NTP
80 - HTTP
443 - HTTPS
3389 - RDP

Page 6: SIEM presentation final

Transition of Logs

The syslog server forwards those logs to the event processor/flow processor. The logs are processed there, and correlated offenses are sent to the management console.

The logs can be monitored in the QRadar SIEM tool, which combines all of these components: the event processors, the flow processors and the management console.

Page 7: SIEM presentation final

Syslog Server

Syslog-ng is a computer program that can act as a server or a client to send or receive device logs.

Linux is the operating system of CHS syslog servers.

The syslog admin controls the data and deletes or updates the log files if necessary.

The syslog admin uses cron to schedule jobs that manage the logs at fixed times, dates or intervals.

Page 8: SIEM presentation final

SIEM Objectives

Identify threats and possible breaches

Collect audit logs for security and compliance

Conduct investigations and provide evidence

Page 10: SIEM presentation final

SIEM Overview

A SIEM is software that provides the log management infrastructure, encompassing the log analysis, log storage and log monitoring tiers.

It also provides event correlation, alerting, incident management, reporting and forensic investigation.

SIEM technology aggregates the event data produced by security devices, network devices, systems and applications.

Event data is combined with contextual information about users, data and assets.

The technology provides real-time security monitoring, historical analysis, incident investigation and compliance reporting.

Page 11: SIEM presentation final

SIEM Features

Log activity: monitor and display network events in real time or perform advanced searches.

Network activity: investigate the communication sessions between two hosts.

Assets: asset profiles are created automatically from passive flow data and vulnerability data to discover your network servers and hosts.

Offenses: investigate offenses to determine the root cause of a network issue.

Page 12: SIEM presentation final

SIEM Features

Reports: create custom reports or use the default reports.

Data collection: accepts information in various formats and from a wide range of devices, including security events, network traffic and scan results. Events are generated by log sources such as firewalls, routers, servers, and intrusion detection systems (IDS) or intrusion prevention systems (IPS).

Flows provide information about network traffic and can be sent to QRadar SIEM in various formats, including flowlog files, NetFlow, J-Flow, sFlow and Packeteer.

Vulnerability assessment (VA) information can be imported from various third-party scanners.

Page 13: SIEM presentation final

SIEM Features

Rules: perform tests on events, flows, or offenses, and if all the conditions of a test are met, the rule generates a response

Supported web browser: For the features in IBM Security QRadar products to work properly, you must use a supported web browser.

Page 14: SIEM presentation final

SIEM Features

Page 15: SIEM presentation final

AQL

The Ariel Query Language (AQL) is a structured query language that you use to communicate with the Ariel databases. Use AQL to manage event and flow data from the Ariel database.

Retrieve specific fields from the events, flows and simarc tables in the Ariel database.

SELECT statement, WHERE clause, GROUP BY clause, ORDER BY clause, LIKE clause, COUNT function
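The Rules slide (tests on events; when all conditions are met, a response is generated) and the AQL clause list above, worked through together as one added example written for these notes. It is plain Python, not QRadar's rule engine and not AQL: the helper functions mirror WHERE/LIKE, GROUP BY, COUNT and ORDER BY over a constructed event list, and the rule fires an offense when every test is met. The field names (sourceip, username, eventname, starttime), the 5-minute window and the threshold of 5 failures are assumptions. The same grouping in AQL would read roughly SELECT sourceip, COUNT(*) AS n FROM events WHERE QIDNAME(qid) LIKE '%Failure%' GROUP BY sourceip ORDER BY n DESC LAST 5 MINUTES (written from memory of AQL syntax, not taken from the slides).

```python
"""Correlation rule over constructed sample events.  Added example, not
QRadar code or AQL.  Mirrors SELECT / WHERE / LIKE / GROUP BY / ORDER BY
/ COUNT in Python, then applies the rule: all tests met -> offense.
Field names, the window and the threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, ip, user, name):
    return {"starttime": datetime.fromisoformat(ts), "sourceip": ip,
            "username": user, "eventname": name}


# Constructed events: six failures within a minute from 198.51.100.7,
# a little noise from 10.0.0.5, and one stale failure outside the window.
EVENTS = (
    [_ev(f"2017-04-07T10:00:{i * 10:02d}", "198.51.100.7", "admin", "Login Failure")
     for i in range(6)]
    + [_ev("2017-04-07T10:01:00", "10.0.0.5", "jdoe", "Login Failure"),
       _ev("2017-04-07T10:01:05", "10.0.0.5", "jdoe", "Login Failure"),
       _ev("2017-04-07T10:02:00", "10.0.0.5", "jdoe", "Login Success"),
       _ev("2017-04-07T09:30:00", "198.51.100.7", "admin", "Login Failure")]
)
NOW = datetime.fromisoformat("2017-04-07T10:03:00")   # constructed "current time"


def select_where(events, name_like, since):
    """WHERE eventname LIKE '%name_like%' AND starttime >= since"""
    return [e for e in events
            if name_like in e["eventname"] and e["starttime"] >= since]


def group_by_count(events, key):
    """SELECT key, COUNT(*) ... GROUP BY key ORDER BY COUNT(*) DESC"""
    counts = defaultdict(int)
    for e in events:
        counts[e[key]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def brute_force_rule(events, now, window=timedelta(minutes=5), threshold=5):
    """Rule tests: (1) the event is a login failure, (2) it is inside the
    window, (3) at least `threshold` such events share one source IP.
    All met -> the response is an offense record keyed on that IP."""
    failures = select_where(events, "Failure", now - window)
    offenses = []
    for ip, n in group_by_count(failures, "sourceip"):
        if n < threshold:
            break                       # sorted descending: the rest are smaller
        users = sorted({e["username"] for e in failures if e["sourceip"] == ip})
        offenses.append({"rule": "login failures from one source",
                         "sourceip": ip, "count": n, "usernames": users,
                         "window_minutes": int(window.total_seconds() // 60)})
    return offenses


if __name__ == "__main__":
    window_failures = select_where(EVENTS, "Failure", NOW - timedelta(minutes=5))
    for row in group_by_count(window_failures, "sourceip"):
        print(row)
    print(brute_force_rule(EVENTS, NOW))
```

The stale 09:30 failure is excluded by the WHERE step, so the count for 198.51.100.7 is 6 rather than 7; raising the threshold to 7 makes the rule return no offense, which is the kind of boundary worth checking before a rule goes live.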

Page 20: SIEM presentation final

FireEye interaction with SIEM

The SIEM receives alerts from the HX and PX tools of FireEye.

HX: the antivirus provided by FireEye to detect advanced forms of attacks and malware.

PX: the full packet capture solution provided by FireEye. This allows us to perform network forensics/investigation.

Page 21: SIEM presentation final

FireEye
