Security Basics mailing list archives

Re: Getting to know the pulse of security breaches, within our enterprise!


From: krymson () gmail com
Date: Fri, 2 Oct 2009 13:49:37 -0600

From what I gather, you basically want to watch all the logs and all the traffic patterns in your environment and flag 
on things that you would deem suspicious, either because of their mere presence, or after a certain threshold/criteria 
is met. I may be wrong, and if so I think the more examples you give, the more input you may receive. I think there 
may just be some confusion on what you're talking about because this can be a rather *huge* scope.

One thing to keep in mind, depending on the size and status of your organization, you may experience 95%+ false 
positives on your red flags, and there may be nothing you can do about it except investigate each one. Likewise, it can 
be difficult to get all the data you want, especially intra-network (as opposed to what traverses perimeters) without 
getting a robust endpoint agent.

This leads down the path of SEIM, as you mentioned, or an endpoint security suite with centralized data collection. But 
while such products are trying to be efficient, they almost always dilute the information that you receive. Too often, 
diluted so much as to be useless or horribly incomplete. Or you'll just get too much noise and then tune things down so 
much that you'll miss attacks within tuned-out channels. And so on. If you're lucky (arguably), you might find a good 
suite of tools, but you'll probably pay the price in administrative costs to manage the whole beast.

SEIMs sound great on paper, but in practice I'm not sure anyone has been happy with the investment.  But they certainly 
may be a part of your total security posture; they just shouldn't be all of it.

There is still value in having good analysts also looking at the raw data rather than dashboards interpreted from the 
data by third-party apps.





<- snip ->

Thanks for the only reply that I have received to this one, Paul. Maybe the 
others thought that by the subject line it's probably some product blitz. :)

Nevertheless, the core concept is not about what guys / the user community might 
be doing inadvertently. I do agree with you that an online anonymous 
security reporting mechanism will be helpful though.

I was thinking in terms of having some SIEM (Security Information and Event 
Management) system put in place, but at an affordable cost. Has anyone 
done it to get their threat profile?

One of the most important areas of concern is real-time monitoring 
of high-risk roles and assets. It's a given that assets with a greater 
impact on network security or company revenue should receive greater 
protection. Agreed, certain groundwork is required to assess all 
internal employee roles and responsibilities, then determine which roles 
need closer monitoring for internal security breaches; but once that's done, 
I need to have infrastructure in place that audits my security to make sure 
users with greater privileges only access the appropriate files and no 
suspicious activity goes on.

That was the motive behind this posting.

Requesting guys around to share their experiences / inputs.

Thanks in advance.



-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com]
On Behalf Of Hrishikesh Khasgiwale
Sent: Friday, September 25, 2009 2:31 AM
To: security-basics (at) securityfocus (dot) com
Subject: Getting to know the pulse of security breaches, within our enterprise!

Hi guys..

I was thinking of designing an infrastructure template, that would
allow me to replicate that model across my organisation which would
enable the fellow team members to proactively monitor the 'red flags'
that might arise within our LAN from time to time. By red flags I
mean, something that would mean there is an imminent 'threat' to the
overall security posture within my enterprise and I am not talking
from perimeter Firewall / IPS perspective but I want to look more
inwards.

Things that come to mind are:

1. Someone who tries to log into an AD account from a workstation that
he/she doesn't usually log into, should be displayed on a dashboard.

2. Account lockouts happening from a given workstation abnormally
(abnormal values can be defined)..

3. Abnormal ports being accessed from workstation (like attempts to
make connection to someone else's C$, d$ share or someone else making
connection to his/her C $ / D $ shares). This might even signify a
malware on this PC that has gone undetected by the local antivirus.

..or any other stuff that might bring about a threat to the overall
security of my environment.

Has anyone been there and done that?

I understand that it's part technology and part design but I am
currently concerned about the design aspect and whether I have my
requirements correctly sorted out.

Any / all suggestions welcome!!
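The three red flags listed in the original post, as an added example of the detection logic (not code from any poster): a short Python script run over constructed records loosely modelled on Windows Security event IDs 4624 (successful logon), 4740 (account lockout) and 5140 (network share accessed). Field names, thresholds and the baseline rule are assumptions for illustration; in a real environment 5140 carries a source IP rather than a hostname and the baseline would come from historical logs, not the batch being checked.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real log output). Fields are simplified:
# 4624 successful logon, 4740 account lockout, 5140 network share accessed.
EVENTS = [
    {"id": 4624, "user": "alice", "host": "WS-ALICE"},
    {"id": 4624, "user": "alice", "host": "WS-ALICE"},
    {"id": 4624, "user": "alice", "host": "WS-BOB"},        # red flag 1
    {"id": 4624, "user": "bob", "host": "WS-BOB"},
    {"id": 4624, "user": "bob", "host": "WS-BOB"},
    {"id": 4740, "user": "carol", "host": "WS-CAROL"},
    {"id": 4740, "user": "dave", "host": "WS-CAROL"},
    {"id": 4740, "user": "erin", "host": "WS-CAROL"},       # red flag 2
    {"id": 5140, "user": "bob", "host": "WS-BOB", "share": r"\\WS-ALICE\C$"},  # red flag 3
    {"id": 5140, "user": "alice", "host": "WS-ALICE", "share": r"\\FS01\Public"},
]

def baseline_hosts(events, min_logons=2):
    """Workstations each user normally logs on from (assumed rule: >= min_logons successes)."""
    seen = defaultdict(Counter)
    for e in events:
        if e["id"] == 4624:
            seen[e["user"]][e["host"]] += 1
    return {u: {h for h, n in c.items() if n >= min_logons} for u, c in seen.items()}

def unusual_logons(events, baseline):
    """Red flag 1: a logon from a workstation outside the user's baseline."""
    return [(e["user"], e["host"]) for e in events
            if e["id"] == 4624 and e["host"] not in baseline.get(e["user"], set())]

def lockout_bursts(events, threshold=3):
    """Red flag 2: workstations producing an abnormal number of lockouts."""
    per_host = Counter(e["host"] for e in events if e["id"] == 4740)
    return {h: n for h, n in per_host.items() if n >= threshold}

def admin_share_access(events):
    """Red flag 3: a user reaching another machine's hidden drive share (C$, D$, ...)."""
    hits = []
    for e in events:
        if e["id"] != 5140:
            continue
        target, share = e["share"].lstrip("\\").split("\\", 1)
        is_drive_share = len(share) == 2 and share[0].isalpha() and share.endswith("$")
        if is_drive_share and target.upper() != e["host"].upper():
            hits.append((e["user"], e["host"], e["share"]))
    return hits
```

Each function returns the flagged items rather than printing them, so the same checks can feed a dashboard or a SIEM rule.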


