Re: Getting to know the pulse of security breaches, within our enterprise!

[Wim Remes <wremes () gmail com>]

Hi,

you can do all this (and more ! ) with a combination of OSSEC (www.ossec.net 
) and Splunk (www.splunk.com).

With OSSEC, you can create an extremely flexible ruleset, just like  
the one you describe here and trigger alerts on about
anything that your infrastructure or applications log.  It has a  
client/server architecture that allows you to build a redundant
design.  Best of all, it is open source (and free !).

Splunk is not free. it will allow you to build custom dashboards for  
the different roles in your organisation to provide a (real time)
view on the security status of your information infrastructure. It  
also has a plugin for OSSEC.

The both of them combined are absolute fireworks.

Cheers,

W
On 02 Oct 2009, at 07:12, WALI wrote:

> Thanks for the only reply that I have recievd to this one Paul.  
> Maybe the other thought that by the subject line it's probably some  
> product blitz. :)
>
> nevertheless, the core concept is not about what guys / user  
> community might be doing inadvertently. I do agree with you that an  
> online anonymous security reporting mechanism will be helpful though.
>
> I was thinking in terms of having some SIEM (Security Information  
> and Event Management ) system be put in place but with affordable  
> cost. Has anyone done it to get their threat profile?
>
> One most important area of concern is that related to real time  
> monitoring of High-risk roles and assets. It's a given that assets  
> with a greater impact on network security or company revenue, should  
> receive greater protection. Agreed, that certain groundwork is  
> required to assess all internal employee roles and responsibilities,  
> then determine which roles need closer monitoring for internal  
> security breaches; but once that's done, I need to have  
> infrastructure in place that Audits my security to make sure users  
> with greater privileges only access the appropriate files and no  
> suspicious activity goes on.
>
> That was the motive behind this posting.
>
> Requesting guys around to share their experiences / inputs.
>
> Thanks in advance.
>
>
>
> ----- Original Message ----- From: "Paul Jenkins" <pjenkins () dsci com>
> To: "Hrishikesh Khasgiwale" <hkhasgiwale () gmail com>; <security-basics () securityfocus com 
> >
> Sent: Tuesday, September 29, 2009 3:25 PM
> Subject: RE: Getting to know the pulse of security breaches, within  
> our enterprise!
>
>
> Interesting, when I first read this I was thinking questionnaire. I'm
> junior in this field however, I would say A LOT of internal security
> breeches are the result of ignorance not malice. So going of my first
> thought if you want to take a look at the human aspect of your network
> internals why not a management approved and mandated questionnaire.  
> Use
> a little psychology on the wording of the questions, and some
> hypotheticals just to see what people are really doing on the network
> and possibly educate the users at the same time. Now if you want true
> and honest answers some form of guaranteed non-retribution will need  
> to
> be used. If you do it anonymously you can never tell who has or has  
> not
> completed it. If you pull groups into a room and use paper "quizzes"
> then just us a count to verify all took one that may work.
>
> -Paul
>
> -----Original Message-----
> From: listbounce () securityfocus com  
> [mailto:listbounce () securityfocus com]
> On Behalf Of Hrishikesh Khasgiwale
> Sent: Friday, September 25, 2009 2:31 AM
> To: security-basics () securityfocus com
> Subject: Getting to know the pulse of security breaches, within our
> enterprise!
>
> Hi guys..
>
> I was thinking of designing an infrastructure template, that would
> allow me to replicate that model across my organisation which would
> enable the fellow team members to proactively monitor the 'red flags'
> that might arise within our LAN from time to time. By red flags I
> mean, something that would mean there is an imminent 'threat' to the
> overall security posture within my enterprise and I am not talking
> from perimeter Firewall / IPS perspective but I want to look more
> inwards.
>
> Things that come to mind are:
>
> 1. Someone who tries to log into an AD account from a workstation that
> he/she doesn't usually log into, should be displayed on a dashboard.
>
> 2. Account lockouts happening from a given workstation abnormally
> (abnormal values can be defined)..
>
> 3. Abnormal ports being accessed from workstation (like attempts to
> make connection to someone else's C$, d$ share or someone else making
> connection to his/her C $ / D $ shares). This might even signify a
> malware on this PC that has gone undetected by the local antivirus.
>
> ...or any other stuff that might bring about a threat to the overall
> security of my environment.
>
> Has anyone been there n done that?
>
> I understand that it's part technology and part design but I am
> currently concerned about the design aspect and whether I have my
> requirements correctly sorted out.
>
> Any / all suggestions welcome!!
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an
> SSL certificate.  We look at how SSL works, how it benefits your  
> company
> and how your customers can tell if a site is secure. You will find out
> how to test, purchase, install and use a thawte Digital Certificate on
> your Apache web server. Throughout, best practices for set-up are
> highlighted to help you ensure efficient ongoing management of your
> encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
> f727d1
> ------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs  
> an SSL certificate.  We look at how SSL works, how it benefits your  
> company and how your customers can tell if a site is secure. You  
> will find out how to test, purchase, install and use a thawte  
> Digital Certificate on your Apache web server. Throughout, best  
> practices for set-up are highlighted to help you ensure efficient  
> ongoing management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------