.

SIEM Custom Correlation Rules

<<

scuccii

Newbie
Newbie

Posts: 17

Joined: Mon Sep 27, 2010 9:41 pm

Post Mon Sep 27, 2010 10:10 pm

SIEM Custom Correlation Rules

Hello,

I'm glad to see that there was a recent discussion on SIEM and incident response. This question is somewhat different than that post. I'm currently using a SIEM and want to get the most out of our product.

Our SIEM like all the others comes with a few canned correlation rules out of the box and I'm currently trying to get a good insight into our equipment through this solution.

We're currently pulling logs from almost all our networks/systems. I have some rules that I'd like to create for more insight into our network, but I'd like to hear from some of you that have worked on SIEM's if you have any advice on particular methods.

I'm using an IPS/IDS that also pulls into the SIEM, but I'd like to focus internally first since the perimeter has a harder shell than the internal network.

I'm considering starting at the database level, authentication servers, etc..

Any advice?
<<

pseud0

User avatar

Recruiters
Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Tue Sep 28, 2010 10:46 am

Re: SIEM Custom Correlation Rules

I'm running out the door and don't have time for a full reply, but your last line caught my attention.  Go have a heart-to-heart with your DB admins, preferably over the carbonated beverage of your choice, before you move too far into doing heavy DB monitoring.  Doing much more than the most basic monitoring on DBs can cause their performance to go into the toilet in a hurry.  You need to be very careful and possibly look at one of the dedicated database activity monitoring tools ala appsec inc/guardium/imperva.  Take it from me, if you scare/annoy the DB admins they will go straight up the chain and complain that "OMFG security is breaking the system!  All business will end!"  You'll usually come out on the wrong end of that argument. Once you do it's hard to get going again on those systems.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER
<<

scuccii

Newbie
Newbie

Posts: 17

Joined: Mon Sep 27, 2010 9:41 pm

Post Fri Oct 01, 2010 3:04 pm

Re: SIEM Custom Correlation Rules

Thank you my friend!!

Actually the database admin has approached us and wants this done, so we're kinda in a different boat.

I've already scheduled a meeting for him to go over what they're currently doing, what he'd like to see, and whats to be expected.

Thanks!!
<<

Salvalagio

Newbie
Newbie

Posts: 4

Joined: Sun Oct 19, 2008 2:15 pm

Post Mon Oct 04, 2010 11:14 am

Re: SIEM Custom Correlation Rules

You are in lucky. You have an open minded DBA who supports security as a necessity. In my point of view you should start with small things, such as:
- Login Errors correlated with network attackers;
- Stablish a network flow of data and start to understand your network, backup routines and other jobs;
- Try to associate badge systems with network logins without VPN.
- Associate system navigation with non-standard working hours.

I believe with this brief rules, you can start doing your point.

Hope it helps

Return to Incident Response

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software