EH-Net

Ethical Hacking Discussions and Related Certifications => Incident Response => Topic started by: scuccii on September 27, 2010, 10:10:34 PM


Title: SIEM Custom Correlation Rules
Post by: scuccii on September 27, 2010, 10:10:34 PM
Hello,

I'm glad to see that there was a recent discussion on SIEM and incident response. This question is somewhat different than that post. I'm currently using a SIEM and want to get the most out of our product.

Our SIEM like all the others comes with a few canned correlation rules out of the box and I'm currently trying to get a good insight into our equipment through this solution.

We're currently pulling logs from almost all our networks/systems. I have some rules that I'd like to create for more insight into our network, but I'd like to hear from some of you that have worked on SIEM's if you have any advice on particular methods.

I'm using an IPS/IDS that also pulls into the SIEM, but I'd like to focus internally first since the perimeter has a harder shell than the internal network.

I'm considering starting at the database level, authentication servers, etc..

Any advice?

Title: Re: SIEM Custom Correlation Rules
Post by: pseud0 on September 28, 2010, 10:46:42 AM
I'm running out the door and don't have time for a full reply, but your last line caught my attention.  Go have a heart-to-heart with your DB admins, preferably over the carbonated beverage of your choice, before you move too far into doing heavy DB monitoring.  Doing much more than the most basic monitoring on DBs can cause their performance to go into the toilet in a hurry.  You need to be very careful and possibly look at one of the dedicated database activity monitoring tools ala appsec inc/guardium/imperva.  Take it from me, if you scare/annoy the DB admins they will go straight up the chain and complain that "OMFG security is breaking the system!  All business will end!"  You'll usually come out on the wrong end of that argument. Once you do it's hard to get going again on those systems.

Title: Re: SIEM Custom Correlation Rules
Post by: scuccii on October 01, 2010, 03:04:34 PM
Thank you my friend!!

Actually the database admin has approached us and wants this done, so we're kinda in a different boat.

I've already scheduled a meeting for him to go over what they're currently doing, what he'd like to see, and whats to be expected.

Thanks!!

Title: Re: SIEM Custom Correlation Rules
Post by: Salvalagio on October 04, 2010, 11:14:15 AM
You are in lucky. You have an open minded DBA who supports security as a necessity. In my point of view you should start with small things, such as:
- Login Errors correlated with network attackers;
- Stablish a network flow of data and start to understand your network, backup routines and other jobs;
- Try to associate badge systems with network logins without VPN.
- Associate system navigation with non-standard working hours.

I believe with this brief rules, you can start doing your point.

Hope it helps


Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com