RE: SIEM Use Cases

["Platt, Mario, Vodafone UK" <mario.platt () vodafone com>]

Hey,

I would tell you to get "The Tao of Network Security Monitoring: Beyond Intrusion Detection" book by Richard Bejtlich. 
It's a great book on the subject, but as there stated for effective SIEM correlation and results you should try to find 
a balance between: statistical data, full content data and intrusion detection. The book is a true must read for anyone 
working with SIEM, in order to maximize your "bang for buck".

cheers

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Thugzclub Thugzclub
Sent: 09 July 2012 02:36
To: listbounce () securityfocus com; security-basics () securityfocus com; pen-test () securityfocus com; discussion () 
siemusers org
Subject: SIEM Use Cases

Hi,

This may not be the right forum ( if so please point me to the right
location) but here goes:

I am working on a project where we are integrating a SIEM into our environment and I need to create a monitoring and 
alerting standard.

If I can explain some more:
- There are specific "isolated" suspicious behaviour that we would want the SIEM to alert on e.g  e.g Admin logon at 
specific times of the day, mid night for instance.
- There are also specific "combination" of suspicious behaviour that we should alert on: e.g

I have a simple 3-tier web app behind a firewall, and four event sources for  SIEM: a firewall, system events from 
whatever daemon running on your servers and an (D)IDS

Event 1 : IDS says I have an SQL injection. Taken alone, this is false, it's just an attempt at an SQLi and I have no 
idea whether or not it has succeeded.
Event 2 : system daemon says I have a file creation on a temp folder in your DB server Event 3 : system daemon says 
said dropped file is ran under the DBserver user Event 4 : firewall says I have outbound connection created to blah 
server on port 80 Event 5 : IDS says blah server is hosted on an IP with a bad reputation (I assume that's the D in 
DIDS)

Based on the above, I would say that i have been hacked.

The query that I have is: are there specific set of malicious behaviour  or "use cases" similar to the above that I can 
use as the basis for configuring my SIEM to detect against malicious patterns of behaviour.



Thanks in advance.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and 
who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell 
if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your 
Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing 
management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------