The Ethical Hacker Network - SIEM Custom Correlation Rules

Latest Additions

Who's Online

EH-Net News Feeds

Latest Additions

scuccii

Newbie

Offline

Posts: 17

SIEM Custom Correlation Rules

« on: September 27, 2010, 10:10:34 PM »

Hello,

I'm glad to see that there was a recent discussion on SIEM and incident response. This question is somewhat different than that post. I'm currently using a SIEM and want to get the most out of our product.

Our SIEM like all the others comes with a few canned correlation rules out of the box and I'm currently trying to get a good insight into our equipment through this solution.

We're currently pulling logs from almost all our networks/systems. I have some rules that I'd like to create for more insight into our network, but I'd like to hear from some of you that have worked on SIEM's if you have any advice on particular methods.

I'm using an IPS/IDS that also pulls into the SIEM, but I'd like to focus internally first since the perimeter has a harder shell than the internal network.

I'm considering starting at the database level, authentication servers, etc..

Any advice?


	Logged

pseud0

Recruiters
Full Member

Offline

Posts: 204

Re: SIEM Custom Correlation Rules

« Reply #1 on: September 28, 2010, 10:46:42 AM »

I'm running out the door and don't have time for a full reply, but your last line caught my attention. Go have a heart-to-heart with your DB admins, preferably over the carbonated beverage of your choice, before you move too far into doing heavy DB monitoring. Doing much more than the most basic monitoring on DBs can cause their performance to go into the toilet in a hurry. You need to be very careful and possibly look at one of the dedicated database activity monitoring tools ala appsec inc/guardium/imperva. Take it from me, if you scare/annoy the DB admins they will go straight up the chain and complain that "OMFG security is breaking the system! All business will end!" You'll usually come out on the wrong end of that argument. Once you do it's hard to get going again on those systems.


	Logged

CISSP, CISM, CISA, GCIH, CEH, HMFIC, KTHXBIROFLCOPTER

scuccii

Newbie

Offline

Posts: 17

Re: SIEM Custom Correlation Rules

« Reply #2 on: October 01, 2010, 03:04:34 PM »

Thank you my friend!!

Actually the database admin has approached us and wants this done, so we're kinda in a different boat.

I've already scheduled a meeting for him to go over what they're currently doing, what he'd like to see, and whats to be expected.

Thanks!!


	Logged

Salvalagio

Newbie

Offline

Posts: 4

Re: SIEM Custom Correlation Rules

« Reply #3 on: October 04, 2010, 11:14:15 AM »

You are in lucky. You have an open minded DBA who supports security as a necessity. In my point of view you should start with small things, such as:
- Login Errors correlated with network attackers;
- Stablish a network flow of data and start to understand your network, backup routines and other jobs;
- Try to associate badge systems with network logins without VPN.
- Associate system navigation with non-standard working hours.

I believe with this brief rules, you can start doing your point.

Hope it helps


	Logged

Pages: [1] Go Up

« previous next »

SANS Deals 4 EH-Netters

$150 OFF Any SANS Course in Any Format!
Coupon Code: EHN_Connect Including SANS Security West 2012 & SANSFIRE 2012

Recent Forum Topics