Educause Security Discussion mailing list archives
seeking input on log analysis for identifying suspicious activity
From: Alex Keller <axkeller () STANFORD EDU>
Date: Wed, 6 Jul 2016 01:30:08 +0000
Hi EDUCAUSE Security folks,

We are seeking input on log analysis for identifying suspicious activity and relevant security conditions. Scope is open ended but we are starting with Windows and Linux servers. Assuming log aggregation is in place and pulling native OS logs (plus perhaps anti-virus, host based IDS, maybe even netflow, etc.)... What's next with respect to identifying anomalous or suspect behavior, determining alert thresholds, and tuning for investigative response?

We have reviewed some excellent resources like the NSA's "Spotting the Adversary with Windows Event Log Monitoring"* but are left wondering how others have approached more general questions like "What types of behaviors and conditions are we trying to detect?", "How do we determine what normal looks like?", "What events should generate an alert versus being sent to a dashboard for aggregate analysis?", etc.

Our inquiry is less about the nuts and bolts of implementing log aggregation and more about how to holistically analyze the resulting data in a meaningful and sustainable manner. I am reticent about SIEM magic that can "find the bad guys", but if you love a specific vendor in this space, please do tell.

Along these lines this MIT Computer Science and Artificial Intelligence Lab project piqued our interest: https://news.mit.edu/2016/ai-system-predicts-85-percent-cyber-attacks-using-input-human-experts-0418

Best,
Alex

* NSA - Spotting the Adversary with Windows Event Log Monitoring: https://www.iad.gov/iad/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm
* Detecting Lateral Movement in APTs - Analysis Approach on Windows Event Logs: https://www.first.org/resources/papers/conf2016/FIRST-2016-105.pdf
* SANS - Detecting Security Incidents Using Windows Workstation Event Logs: https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262

Alex Keller
Stanford | Engineering Information Technology
axkeller () stanford edu
(650)736-6421
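Added example, not part of Alex's message or of any of the papers it cites: one concrete way to approach two of the questions the post raises, "how do we determine what normal looks like" and "what should alert versus go to a dashboard". It builds a per-host baseline of Windows failed-logon events (Security log event ID 4625) per hour, scores the most recent hour against that baseline, and only raises an alert when the deviation is both statistically unusual and large enough to matter; everything else is rolled up for aggregate review. The host names, account name, per-hour counts and thresholds are constructed sample values chosen for illustration.

```python
"""Baseline-and-threshold triage of Windows logon events (added illustration).

Constructed sample data, not real logs. Hours 0-6 are the 'normal' window;
hour 7 is the one being judged. Anything a practitioner would tune (z_threshold,
min_count, the baseline window) is an explicit parameter.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Windows Security log event IDs used below.
EVENT_LOGON_SUCCESS = 4624
EVENT_LOGON_FAILURE = 4625

# Constructed sample: failed-logon counts per hour for two hosts. web01 sees a
# burst in the eighth hour; db01 stays quiet throughout.
_CONSTRUCTED_FAILED_LOGONS = {
    "web01": [2, 1, 3, 2, 2, 1, 3, 40],
    "db01":  [0, 1, 0, 1, 0, 0, 1, 1],
}


def build_sample_events():
    """Expand the per-hour counts into individual (hour, host, event_id, account)
    records, with one successful logon per host per hour mixed in so the triage
    has to select on event ID rather than count everything it sees."""
    events = []
    for host, per_hour in _CONSTRUCTED_FAILED_LOGONS.items():
        for hour, n in enumerate(per_hour):
            events.extend((hour, host, EVENT_LOGON_FAILURE, "svc_backup") for _ in range(n))
            events.append((hour, host, EVENT_LOGON_SUCCESS, "svc_backup"))
    return events


def hourly_counts(events, event_id):
    """Return {host: [count in hour 0, count in hour 1, ...]} for one event ID.
    Hours with no matching events are filled with 0: absence is itself data."""
    last_hour = max(hour for hour, *_ in events)
    counts = defaultdict(lambda: [0] * (last_hour + 1))
    for hour, host, eid, _account in events:
        if eid == event_id:
            counts[host][hour] += 1
    return dict(counts)


def triage(events, event_id, z_threshold=3.0, min_count=10):
    """Per host, compare the most recent hour against the baseline of earlier hours.

    A host alerts only when the current count is both statistically unusual
    (z-score >= z_threshold) and large enough to matter (>= min_count); everything
    else is marked 'dashboard' for aggregate review rather than paging anyone.
    """
    results = {}
    for host, series in hourly_counts(events, event_id).items():
        *baseline_series, current = series
        if not baseline_series:  # first hour seen for a host: nothing to compare against yet
            results[host] = {"count": current, "baseline_mean": None, "z": None,
                             "disposition": "dashboard"}
            continue
        mu = mean(baseline_series)
        sigma = pstdev(baseline_series)
        if sigma == 0:
            # Flat baseline: any increase is unusual, no increase is not. Avoids a
            # divide-by-zero that would otherwise silently drop the host.
            z = float("inf") if current > mu else 0.0
        else:
            z = (current - mu) / sigma
        disposition = "alert" if (z >= z_threshold and current >= min_count) else "dashboard"
        results[host] = {"count": current, "baseline_mean": round(mu, 2),
                         "z": round(z, 2), "disposition": disposition}
    return results


if __name__ == "__main__":
    for host, verdict in triage(build_sample_events(), EVENT_LOGON_FAILURE).items():
        print(host, verdict)
```

The min_count floor is what keeps a host that goes from zero failed logons to two from paging anyone at 3 a.m., while the z-score is what stops a busy host's normally noisy 4625 volume from alerting on every small bump; both knobs need tuning per environment, and the "dashboard" bucket is where that tuning data comes from.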
Current thread:
- seeking input on log analysis for identifying suspicious activity Alex Keller (Jul 05)
- Re: seeking input on log analysis for identifying suspicious activity Lambert, Tony M (Jul 07)