SIEM
Security Information and Event Management
Background on Network components
• Firewall
• Router
• Switch
• Anti-virus
• Duo two factor authentication
• Server
• Workstation
• Other sources
Log Management
• Log management: the information regarding an incident is recorded in several places, such as firewalls, routers, network IDS, host IDS and application logs.
• Send duplicate copies of the logs to the centralized syslog server.
• Infrastructure: log generation, log analysis and storage, and log monitoring.
Communication of logs via ports
• Devices like workstations send logs to the syslog servers over Transmission Control Protocol (TCP), which begins with a 3-way handshake (SYN, SYN-ACK, ACK).
• Devices like Palo Alto send logs to the syslog servers over Secure Sockets Layer (SSL).
• Other devices, like Lanco, send logs to the syslog servers over User Datagram Protocol (UDP), which has no 3-way handshake.
• The syslog server receives logs on port 514.
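As an added example (not part of the original deck), the following Python script parses the kind of syslog lines a collector listening on port 514 would receive, decodes the PRI field into facility and severity, and shows the transport difference the slide describes: over UDP every datagram is one complete message with no handshake and no delivery guarantee, while over TCP the bytes arrive as a stream, so a sender must frame each message (RFC 6587 octet counting is used here) for the receiver to find message boundaries. All sample lines are constructed and do not come from any real device.

```python
"""Syslog parsing plus UDP-vs-TCP message handling.

Sample messages below are constructed for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional

SYSLOG_PORT = 514  # the port the slide says the syslog server listens on

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock", "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MESSAGE  (RFC 3164 BSD format)
_LINE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
                   r"(?P<host>\S+) (?P<msg>.*)$")


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    timestamp: str
    host: str
    message: str


def parse_syslog(line: str) -> Optional[SyslogMessage]:
    """Decode PRI and split the header. Returns None for lines that are not
    syslog, so a collector can count and quarantine them instead of crashing."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    return SyslogMessage(FACILITIES[facility], SEVERITIES[severity],
                         m.group("ts"), m.group("host"), m.group("msg"))


def frame_for_tcp(messages: List[str]) -> bytes:
    """RFC 6587 octet-counting framing: "<length> <message>" per message, so a
    receiver can delimit messages in a TCP stream even if they contain newlines."""
    out = bytearray()
    for msg in messages:
        data = msg.encode("utf-8")
        out += f"{len(data)} ".encode("ascii") + data
    return bytes(out)


def split_tcp_stream(stream: bytes) -> List[str]:
    """Inverse of frame_for_tcp. A trailing partial frame (TCP may deliver half
    a message per read) is left unconsumed rather than emitted as garbage."""
    msgs = []
    pos = 0
    while pos < len(stream):
        sp = stream.find(b" ", pos)
        if sp == -1:
            break
        length = int(stream[pos:sp])
        start, end = sp + 1, sp + 1 + length
        if end > len(stream):
            break                      # incomplete frame: wait for more bytes
        msgs.append(stream[start:end].decode("utf-8"))
        pos = end
    return msgs


def receive_udp_datagrams(datagrams: List[bytes]) -> List[str]:
    """UDP: one datagram is one message; nothing tells the sender whether a
    datagram was dropped. Undecodable bytes are replaced, not raised."""
    return [d.decode("utf-8", errors="replace") for d in datagrams]


# Constructed sample lines (not real device output).
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 fw01 kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5",
    "<86>Oct 11 22:14:16 ws-042 sshd[1203]: Accepted publickey for alice from 192.0.2.7",
    "<13>Oct 11 22:14:17 ws-042 logger: user note",
    "this is not syslog",
]


def ingest(lines: List[str]):
    """Parse a batch; return (parsed messages, number of rejected lines)."""
    parsed, rejected = [], 0
    for line in lines:
        msg = parse_syslog(line)
        if msg is None:
            rejected += 1
        else:
            parsed.append(msg)
    return parsed, rejected


if __name__ == "__main__":
    good, bad = ingest(SAMPLE_LINES)
    for m in good:
        print(f"{m.facility}.{m.severity} {m.host}: {m.message}")
    print(f"rejected {bad} malformed line(s)")
    stream = frame_for_tcp(SAMPLE_LINES[:3])
    print("TCP round trip ok:", split_tcp_stream(stream) == SAMPLE_LINES[:3])
```

The rejected-line counter is the practical point for a collector: a device that suddenly emits unparseable lines (or a PRI outside 0..191) is itself worth an alert, since it usually means a misconfigured sender or a log source that has changed format.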
Common ports
• 22 - SSH
• 53 - DNS
• 123 - NTP
• 80 - HTTP
• 443 - HTTPS
• 3389 - RDP
Transition of Logs
• The syslog server forwards those logs to the event processor/flow processor. The logs are processed, and CORRELATED OFFENSES are sent to the management console.
• The logs can be monitored in the QRadar SIEM tool through the combination of all components: the event processors, the flow processors, and the management console.
Syslog Server
• Syslog-ng is a computer program that can act as a server or a client to send or receive device logs.
• Linux is the operating system of the CHS syslog servers.
• The syslog admin controls the data and deletes or updates the files if necessary.
• The syslog admin uses cron to schedule jobs that manage the logs at fixed times, dates or intervals.
SIEM Objectives
• Identify threats and possible breaches
• Collect audit logs for security and compliance
• Conduct investigations and provide evidence
SIEM Overview
• SIEM software provides the log management infrastructure encompassing the log analysis, log storage, and log monitoring tiers.
• It also provides event correlation, alerting, incident management, reporting, and forensic investigation.
• SIEM technology aggregates the event data produced by security devices, network devices, systems and applications.
• Event data is combined with contextual information about users, data and assets.
• The technology provides real-time security monitoring, historical analysis, incident investigation and compliance reporting.
SIEM Features
• Log activity: monitor and display network events in real time or perform advanced searches.
• Network activity: investigate the communication sessions between two hosts.
• Assets: automatically creates asset profiles by using passive flow data and vulnerability data to discover your network servers and hosts.
• Offenses: investigate offenses to determine the root cause of a network issue.
SIEM Features
• Reports: create custom reports or use default reports.
• Data collection: accepts information in various formats and from a wide range of devices, including security events, network traffic, and scan results.
• Events are generated by log sources such as firewalls, routers, servers, and intrusion detection systems (IDS) or intrusion prevention systems (IPS).
• Flows provide information about network traffic and can be sent to QRadar SIEM in various formats, including flowlog files, NetFlow, J-Flow, sFlow, and Packeteer.
• Vulnerability assessment (VA) information can be imported from various third-party scanners.
SIEM Features
• Rules: perform tests on events, flows, or offenses, and if all the conditions of a test are met, the rule generates a response.
• Supported web browser: for the features in IBM Security QRadar products to work properly, you must use a supported web browser.
SIEM Features
AQL
• The Ariel Query Language (AQL) is a structured query language that you use to communicate with the Ariel databases. Use AQL to manage event and flow data from the Ariel database.
• Retrieve specific fields from the events, flows and simarc tables in the Ariel database.
• SELECT statement, WHERE clause, GROUP BY clause, ORDER BY clause, LIKE clause, COUNT function.
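As an added example serving both the Rules slide above and this AQL slide (it is not the deck's own code and not QRadar's engine), the Python below runs, over a constructed in-memory event table, the same aggregation that an AQL query such as `SELECT sourceip, COUNT(*) FROM events WHERE username LIKE '%admin%' GROUP BY sourceip ORDER BY COUNT(*) DESC` would produce, and then applies a correlation rule of the kind the Rules slide describes: when all its conditions are met (repeated authentication failures from one source inside a time window, followed by a success), it generates a response, here an offense record. The event fields, IP addresses, threshold and window are assumptions made for the example.

```python
"""AQL-style aggregation and a correlation rule over constructed events."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    starttime: int        # epoch seconds (QRadar's starttime is milliseconds; simplified here)
    sourceip: str
    username: str
    category: str         # constructed labels: "auth_failure" or "auth_success"


# Constructed sample events: one source hammering an admin account and then
# getting in, one legitimate user, and one unrelated failure much later.
EVENTS = [
    Event(1000, "203.0.113.9", "admin", "auth_failure"),
    Event(1010, "203.0.113.9", "admin", "auth_failure"),
    Event(1020, "203.0.113.9", "sqladmin", "auth_failure"),
    Event(1030, "203.0.113.9", "admin", "auth_failure"),
    Event(1040, "203.0.113.9", "admin", "auth_failure"),
    Event(1050, "203.0.113.9", "admin", "auth_success"),
    Event(1005, "198.51.100.20", "alice", "auth_success"),
    Event(1900, "198.51.100.20", "admin", "auth_failure"),
]


def aql_like(value: str, pattern: str) -> bool:
    """AQL LIKE uses '%' as the wildcard; map it onto shell-style matching."""
    return fnmatchcase(value, pattern.replace("%", "*"))


def count_by_sourceip(events: List[Event], username_like: str) -> List[tuple]:
    """Equivalent of:
         SELECT sourceip, COUNT(*) FROM events
         WHERE username LIKE <username_like>
         GROUP BY sourceip ORDER BY COUNT(*) DESC
    Ties are broken by IP so the result is deterministic."""
    counts = Counter(e.sourceip for e in events
                     if aql_like(e.username, username_like))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


@dataclass
class Offense:
    sourceip: str
    description: str
    event_count: int


def brute_force_then_success_rule(events: List[Event], threshold: int = 4,
                                  window: int = 300) -> List[Offense]:
    """Rule: at least `threshold` auth failures from one source IP within
    `window` seconds, followed by a success from that IP, raises one offense.
    Events are processed in time order, as an event processor would see them."""
    failures: Dict[str, List[int]] = defaultdict(list)
    offenses: List[Offense] = []
    for e in sorted(events, key=lambda ev: ev.starttime):
        # Drop failures that have aged out of the window for this source.
        recent = [t for t in failures[e.sourceip] if t >= e.starttime - window]
        failures[e.sourceip] = recent
        if e.category == "auth_failure":
            recent.append(e.starttime)
        elif e.category == "auth_success" and len(recent) >= threshold:
            offenses.append(Offense(
                e.sourceip,
                f"{len(recent)} failed logins followed by success for {e.username}",
                len(recent) + 1))
            failures[e.sourceip] = []   # do not fire again on the same burst
    return offenses


if __name__ == "__main__":
    for ip, n in count_by_sourceip(EVENTS, "%admin%"):
        print(f"{ip}\t{n}")
    for off in brute_force_then_success_rule(EVENTS):
        print(f"OFFENSE {off.sourceip}: {off.description} ({off.event_count} events)")
```

The window handling is the part worth copying: a rule that simply counts all failures ever seen from an IP will eventually fire on any busy source, whereas pruning to the last `window` seconds before each test keeps the rule tied to a burst, and clearing the list after an offense prevents one burst from generating a stream of duplicate offenses.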
FireEye interaction with SIEM
• The SIEM receives alerts from the HX and PX tools of FireEye.
• HX: the antivirus provided by FireEye to detect advanced forms of attacks and malware.
• PX: the full packet capture solution provided by FireEye. This allows us to perform network forensics/investigation.
FireEye
SIEM presentation final

Editor's Notes

  1. software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by network hardware and applications .
  2. Security Log Management (Kent & Souppaya, 2006) states that information regarding an incident may be recorded in several places, such as firewalls, routers, network IDS, host IDS, and application logs. log management infrastructure typically comprises of three tiers: log generation, log analysis and storage, and log monitoring. log generation tier involves hosts making their logs available to log servers in the second tier. log analysis and storage tier is composed of one or more log servers receiving log data from the hosts. log monitoring tier contains consoles that are used for monitoring and reviewing of log data and the results of automated analysis.
  3. In computer networking, a port is an endpoint of communication in an operating system. While the term is also used for hardware devices, in software it is a logical construct that identifies a specific process or a type of service. The Transmission Control Protocol (TCP) is a core protocol of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol (IP). Therefore, the entire suite is commonly referred to as TCP/IP. SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. UDP: It has no handshaking dialogues, and thus exposes the user's program to any unreliability of the underlying network protocol. There is no guarantee of delivery, ordering, or duplicate protection. Host A sends a TCP SYNchronize packet to Host B Host B receives A's SYN Host B sends a SYNchronize-ACKnowledgement Host A receives B's SYN-ACK Host A sends ACKnowledge Host B receives ACK.  TCP socket connection is ESTABLISHED.
  4. In computer networking, a port is an endpoint of communication in an operating system. While the term is also used for hardware devices, in software it is a logical construct that identifies a specific process or a type of service. SSH SSH, also known as Secure Socket Shell, is a network protocol that provides administrators with a secure way to access a remote computer.SSH also refers to the suite of utilities that implement the protocol. DNS-  a system for naming computers and network services that is organized into a hierarchy of domains. DNS naming is used in TCP/IP networks, such as the Internet, to locate computers and services through user-friendly names. (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks Hypertext Transfer protocol HTTP is the foundation of data communication for the World Wide Web.  HTTPS: is the use of Secure Socket Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server. SMB:  by default, with a thin layer, similar to the Session Message packet of NBT's Session Service, on top of TCP, using TCP port 445 rather than TCP port 139—a feature known as "direct host SMB". RDP: provides a user with a graphical interface to connect to another computer over a network connection.
  5. Syslog is a way for network devices to send event messages to a logging server – usually known as a Syslog server. The Syslogprotocol is supported by a wide range of devices and can be used to log different types of events.
  6. Security information and event management (SIEM) software provides the log management infrastructure encompassing log analysis, log storage and log monitoring tiers. What sets SIEM products apart from traditional log management software is the ability to perform event correlation, alerting, incident management, reporting and forensic investigation based on event analysis. SIEM technology aggregates the event data produced by security devices, network devices, systems and applications. The primary data source is log data, but SIEM technology can also process other forms of data. Event data is combined with contextual information about users, data and assets. The data is normalized, so that events from disparate sources can be correlated and analyzed for specific purposes, such as network security event monitoring, user activity monitoring or compliance reporting. The technology provides real-time security monitoring, historical analysis, and other support for incident investigation and compliance reporting.
  7. Events are generated by log sources such as firewalls, routers, servers, and intrusion detection systems (IDS) or intrusion prevention systems (IPS).
Flow data collection: Flows provide information about network traffic and can be sent to QRadar SIEM in various formats, including flowlog files, NetFlow, J-Flow, sFlow, and Packeteer.
Vulnerability assessment information: QRadar SIEM can import vulnerability assessment (VA) information from various third-party scanners.
  8. Mobile: Malicious apps compromise mobile security to access private information, such as contact lists and calendar details. They also use mobile device features, such as cameras and microphones, to spy, profile users, or conduct cyber attacks. The Threat Analytics Platform (TAP) provides enterprise-wide visibility, codified detection expertise and guided investigation workflows to amplify your defense against today’s most sophisticated cyber-attacks. TAP applies threat intelligence, expert rules and advanced security data analytics to noisy event data streams. By revealing suspicious behavior patterns and generating alerts that matter, security teams can prioritize and optimize their response efforts. FireEye Threat Intelligence is the most extensive and immediately operational cyber intelligence. It enables security teams to detect and respond to threats effectively and efficiently. FireEye Network Security (NX) solutions protect against known and unknown advanced attacks with the signature-less Multi-Vector Virtual Execution™ (MVX) engine, conventional intrusion prevention system (IPS) and intelligence-driven detection. This enables faster detection, more accurate alerts and reduced noise. Identifying threats that traditional security solutions cannot allows you to focus on alerts that pose a genuine threat and reduce the operational cost of false positives. Cyber criminals often use spear phishing attacks, as well as malicious file attachments and URLs in emails, to launch an advanced cyber attack. These email attacks routinely bypass email security that uses conventional signature-based defenses such as antivirus (AV) and spam filters. FireEye File Content Security (FX Series) products help prevent, detect and respond to cyber attacks by scanning file content for signs of malicious threats. These threats might be brought into an organization from outside sources, such as online file sharing services and portable file storage devices.
To reduce the impact of a security incident, organizations should focus on early detection and swift investigation. Enterprise forensics makes this possible. When attacked, an enterprise needs to be able to rapidly investigate and determine the scope and impact of the incident so it can effectively contain the threat and re-secure its network. Your security team should be focused on safeguarding your company’s data assets. Instead, they are overwhelmed by alerts, unable to discern real threats from false alarms. Most security teams can investigate just a small fraction of alerts, most of which turn out to be false alarms. Your managed security services provider (MSSP) is not helping, either. Most likely, they are simply filtering the noise, paring down the number of alerts from millions to hundreds, telling you that you might have a problem but pushing the investigative burden back on your team. Meanwhile, attackers hide in the noise, operating at will for months before detection.