Educause Security Discussion mailing list archives

Re: seeking input on log analysis for identifying suspicious activity


From: "Lambert, Tony M" <Tony.Lambert () VOLSTATE EDU>
Date: Thu, 7 Jul 2016 16:20:20 +0000

Hi Alex,

I apologize in advance because my answer is derived from clichéd and overused security advice.

When we move from collection of data into detection and analysis, we get into the human side of infosec. I agree with 
your sentiment about SIEM magic that can "find the bad guys" as that SIEM magic has to first be trained by humans with 
the capability to recognize issues indicating compromise. One potential answer to the questions you pose (like "what 
does normal look like?") involves configuration management and an inventory of hardware/software as security controls. 
To establish a baseline of normal in your technology environment, your team must become experts in your environment in 
terms of knowing which configurations are used with particular systems. For example, an NGINX web service starting up 
on a normally Windows/IIS web server is highly suspicious but one would only recognize the issue by being familiar with 
the normal configuration. We can see this type of mindset at work when we talk to malware analysts. Malware analysts 
recognize malicious software by becoming experts in normal and abnormal behavior among computer systems. To recognize 
potential issues in your environment, the long and arduous road of adopting this mindset may help the most.

For what types of behaviors and conditions to check, a risk analysis exercise might be helpful. An organization can 
determine what risks are most worrisome, research threats/attacks that correspond to that risk, and identify conditions 
within a specific configuration according to that research. For example, a research institution may view intellectual 
property theft as a worrisome risk and, through research, discover that exfiltration of data via FTP is common. 
Identification of conditions corresponding to this risk may include looking for abnormal FTP connections reaching over 
the Internet. From this conclusion, one may then configure systems to trigger alerts based upon whether these abnormal 
connections are "risky" enough to warrant immediate attention.

Successful analysis and identification is supplemented and accelerated by technology. Successful baselines, 
inventories, and analyses all originate from humans.

Thanks,

--Tony

Tony M Lambert
Jr. Systems Administrator, Information Technology
Volunteer State Community College
X4832, tony.lambert () volstate edu 

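The approach sketched above (a per-host configuration inventory as the definition of "normal", plus a risk-derived condition such as FTP leaving the campus from a host that has no business doing so) is worked through below as an added example for this thread; it is not code from either poster. The inventory, the internal address ranges, the event record shapes and the sample events are all constructed assumptions, standing in for what a CMDB and a log aggregator would actually supply. It also shows one way to split findings into "alert now" versus "send to a dashboard for aggregate review", which the original question raised.

```python
"""Baseline-driven detection over a handful of constructed host and flow events.

Added example for this discussion, not code from either poster. The inventory,
the internal network list, the event shapes and the sample events below are
assumptions made up for illustration.
"""
import ipaddress

# Assumed configuration inventory: per host, the OS, the processes expected to
# run as services, and whether the host may legitimately speak FTP to the
# Internet. In practice this comes from configuration management, not a dict.
INVENTORY = {
    "web01":  {"os": "windows", "services": {"w3wp.exe", "svchost.exe", "lsass.exe"}, "ftp_allowed": False},
    "web02":  {"os": "linux",   "services": {"nginx", "sshd", "cron"},               "ftp_allowed": False},
    "xfer01": {"os": "linux",   "services": {"sshd", "vsftpd", "lftp"},              "ftp_allowed": True},
}

# Assumed "our side" address space. Listed explicitly rather than relying on
# ipaddress.is_private, which also classifies the documentation ranges used in
# the sample data (203.0.113.0/24) as private. Add your own public netblocks here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

FTP_PORTS = {20, 21}


def is_internet(addr):
    """True when the destination is outside every network we consider internal."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def classify_process(ev):
    """A process start absent from the host's baseline is an alert. A host with
    no inventory entry at all is also an alert: the inventory is the control."""
    host, proc = ev["host"], ev["process"].lower()
    entry = INVENTORY.get(host)
    if entry is None:
        return {"tier": "alert", "host": host, "reason": "host absent from inventory"}
    if proc not in entry["services"]:
        return {"tier": "alert", "host": host,
                "reason": f"unexpected process {proc} on {entry['os']} host"}
    return None


def classify_flow(ev):
    """Internet FTP from a host not baselined for it is an alert. FTP that matches
    the baseline, or that stays internal, goes to the dashboard for aggregate
    review (volume trends) instead of paging someone."""
    host, port = ev["host"], ev["dst_port"]
    if port not in FTP_PORTS:
        return None
    entry = INVENTORY.get(host)
    if entry is None:
        return {"tier": "alert", "host": host, "reason": "host absent from inventory"}
    if not is_internet(ev["dst_ip"]):
        return {"tier": "dashboard", "host": host, "reason": f"internal FTP to {ev['dst_ip']}"}
    if entry["ftp_allowed"]:
        return {"tier": "dashboard", "host": host,
                "reason": f"baseline FTP to {ev['dst_ip']} ({ev['bytes_out']} bytes out)"}
    return {"tier": "alert", "host": host,
            "reason": f"Internet FTP to {ev['dst_ip']} from non-FTP host ({ev['bytes_out']} bytes out)"}


def run_detection(events):
    """Route each normalised event to its classifier and collect the findings."""
    handlers = {"process": classify_process, "flow": classify_flow}
    findings = []
    for ev in events:
        finding = handlers[ev["type"]](ev)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (not real logs): process-start and netflow-style
# records in the normalised shape a log aggregator might hand an analyst.
SAMPLE_EVENTS = [
    {"type": "process", "host": "web01", "process": "w3wp.exe"},    # IIS worker: normal
    {"type": "process", "host": "web01", "process": "nginx.exe"},   # NGINX on the IIS box
    {"type": "process", "host": "web02", "process": "nginx"},       # normal on web02
    {"type": "flow", "host": "xfer01", "dst_ip": "203.0.113.10", "dst_port": 21,  "bytes_out": 52_000_000},
    {"type": "flow", "host": "web02",  "dst_ip": "203.0.113.20", "dst_port": 21,  "bytes_out": 900_000_000},
    {"type": "flow", "host": "web02",  "dst_ip": "10.0.5.7",     "dst_port": 21,  "bytes_out": 4096},
    {"type": "flow", "host": "web02",  "dst_ip": "203.0.113.30", "dst_port": 443, "bytes_out": 12_000},
    {"type": "process", "host": "lab99", "process": "python3"},     # host nobody inventoried
]

if __name__ == "__main__":
    for f in run_detection(SAMPLE_EVENTS):
        print(f"[{f['tier']:9}] {f['host']}: {f['reason']}")
```

Running it yields three alerts (NGINX starting on the IIS host, a 900 MB FTP session to the Internet from a web server that is not supposed to use FTP, and a host that is not in the inventory at all) and two dashboard entries (FTP that fits the baseline, and FTP that stays internal). The point is that every decision is made against the inventory, so the quality of the detections is bounded by how well the team maintains that inventory, which is the human work the message above describes.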

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alex 
Keller
Sent: Tuesday, July 5, 2016 8:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [Spam?] [SECURITY] seeking input on log analysis for identifying suspicious activity
Importance: Low

Hi EDUCAUSE Security folks,

We are seeking input on log analysis for identifying suspicious activity and
relevant security conditions. Scope is open ended but we are starting with
Windows and Linux servers. Assuming log aggregation is in place and pulling
native OS logs (plus perhaps anti-virus, host-based IDS, maybe even netflow,
etc.)... What's next with respect to identifying anomalous or suspect
behavior, determining alert thresholds, and tuning for investigative
response?

We have reviewed some excellent resources like the NSA's "Spotting the
Adversary with Windows Event Log Monitoring"* but are left wondering how
others have approached more general questions like "What types of behaviors
and conditions are we trying to detect?", "How do we determine what normal
looks like?", "What events should generate an alert versus being sent to a
dashboard for aggregate analysis?", etc.

Our inquiry is less about the nuts and bolts of implementing log aggregation
and more about how to holistically analyze the resulting data in a
meaningful and sustainable manner. I am reticent about SIEM magic that can
"find the bad guys", but if you love a specific vendor in this space, please
do tell. 

Along these lines this MIT Computer Science and Artificial Intelligence Lab
project piqued our interest:
https://news.mit.edu/2016/ai-system-predicts-85-percent-cyber-attacks-using-input-human-experts-0418

Best,
Alex 

*NSA - Spotting the Adversary with Windows Event Log Monitoring:
https://www.iad.gov/iad/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm

*Detecting Lateral Movement in APTs - Analysis Approach on Windows Event
Logs: https://www.first.org/resources/papers/conf2016/FIRST-2016-105.pdf

*SANS - Detecting Security Incidents Using Windows Workstation Event Logs:
https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262

Alex Keller
Stanford | Engineering
Information Technology
axkeller () stanford edu
(650)736-6421