Educause Security Discussion mailing list archives
Re: seeking input on log analysis for identifying suspicious activity
From: "Lambert, Tony M" <Tony.Lambert () VOLSTATE EDU>
Date: Thu, 7 Jul 2016 16:20:20 +0000
Hi Alex,

I apologize in advance because my answer is derived from clichéd and overused security advice. When we move from collection of data into detection and analysis, we get into the human side of infosec. I agree with your sentiment about SIEM magic that can "find the bad guys" as that SIEM magic has to first be trained by humans with the capability to recognize issues indicating compromise.

One potential answer to the questions you pose (like "what does normal look like?") involves configuration management and an inventory of hardware/software as security controls. To establish a baseline of normal in your technology environment, your team must become experts in your environment in terms of knowing which configurations are used with particular systems. For example, an NGINX web service starting up on a normally Windows/IIS web server is highly suspicious but one would only recognize the issue by being familiar with the normal configuration.

We can see this type of mindset at work when we talk to malware analysts. Malware analysts recognize malicious software by becoming experts in normal and abnormal behavior among computer systems. To recognize potential issues among your environment, the long and arduous road of adopting this mindset may help the most.

For what types of behaviors and conditions to check, a risk analysis exercise might be helpful. An organization can determine what risks are most worrisome, research threats/attacks that correspond to that risk, and identify conditions within a specific configuration according to that research. For example, a research institution may view intellectual property theft as a worrisome risk and, through research, discover that exfiltration of data via FTP is common. Identification of conditions corresponding to this risk may include looking for abnormal FTP connections reaching over the Internet. From this conclusion, one may then configure systems to trigger alerts based upon whether these abnormal connections are "risky" enough to warrant immediate attention.

Successful analysis and identification are supplemented and accelerated by technology. Successful baselines, inventories, and analyses all originate from humans.

Thanks,
--Tony

Tony M Lambert Jr.
Systems Administrator, Information Technology
Volunteer State Community College
X4832, tony.lambert () volstate edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alex Keller
Sent: Tuesday, July 5, 2016 8:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [Spam?] [SECURITY] seeking input on log analysis for identifying suspicious activity
Importance: Low

Hi EDUCAUSE Security folks,

We are seeking input on log analysis for identifying suspicious activity and relevant security conditions. Scope is open ended but we are starting with Windows and Linux servers. Assuming log aggregation is in place and pulling native OS logs (plus perhaps anti-virus, host based IDS, maybe even netflow, etc)....What's next with respect to identifying anomalous or suspect behavior, determining alert thresholds, and tuning for investigative response? We have reviewed some excellent resources like the NSA's "Spotting the Adversary with Windows Event Log Monitoring"* but are left wondering how others have approached more general questions like "What types of behaviors and conditions are we trying to detect?", "How do we determine what normal looks like?", "What events should generate an alert versus being sent to a dashboard for aggregate analysis?", etc. Our inquiry is less about the nuts and bolts of implementing log aggregation and more about how to holistically analyze the resulting data in a meaningful and sustainable manner.

I am reticent about SIEM magic that can "find the bad guys", but if you love a specific vendor in this space, please do tell. Along these lines this MIT Computer Science and Artificial Intelligence Lab project piqued our interest: https://news.mit.edu/2016/ai-system-predicts-85-percent-cyber-attacks-using-input-human-experts-0418

Best,
Alex

*NSA - Spotting the Adversary with Windows Event Log Monitoring: https://www.iad.gov/iad/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm
*Detecting Lateral Movement in APTs - Analysis Approach on Windows Event Logs: https://www.first.org/resources/papers/conf2016/FIRST-2016-105.pdf
*SANS - Detecting Security Incidents Using Windows Workstation Event Logs: https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262

Alex Keller
Stanford | Engineering Information Technology
axkeller () stanford edu
(650)736-6421
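Added example (editor's illustration, not code from either poster): the baseline-versus-observed approach Tony describes, expressed as a small check run over constructed log lines. The inventory dictionaries (expected services per host, the site's internal address ranges, an approved external FTP destination, a "bulk transfer" byte threshold) are hypothetical stand-ins for real configuration-management data, and the sample events are constructed, not real logs. It shows the two conditions from the reply, an NGINX service appearing on an IIS host and FTP reaching outside the organisation's address space, and sorts findings into "alert" versus "dashboard" in the sense of Alex's question about what should page someone versus what belongs in aggregate review.

```python
"""Baseline-deviation checks over constructed sample log lines.

Added example, not code from either poster. The baseline data below is
hypothetical and stands in for a real configuration-management inventory;
the events are constructed, not real logs.
"""
import ipaddress

# Hypothetical inventory/baseline: which services each host is expected to
# run, which address space is "ours", and which external FTP destinations are
# known and approved. In practice these come from CM/inventory systems.
EXPECTED_SERVICES = {
    "web01": {"W3SVC", "WAS", "Dnscache"},  # Windows/IIS web server
    "web02": {"nginx", "sshd", "cron"},     # Linux web server
}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_FTP_DESTS = {"203.0.113.10"}       # e.g. a partner's FTP server (hypothetical)
FTP_BULK_BYTES = 10_000_000                 # above this, external FTP counts as "risky"

# Constructed sample events, normalised to one key=value line each, the way a
# log aggregator might emit service-install events and flow records.
SAMPLE_EVENTS = """\
ts=2016-07-05T20:31:02Z host=web01 kind=service_installed service=W3SVC image=C:\\Windows\\System32\\svchost.exe
ts=2016-07-05T20:33:14Z host=web01 kind=service_installed service=nginx image=C:\\Users\\Public\\nginx.exe
ts=2016-07-05T20:35:40Z host=web02 kind=service_installed service=sshd image=/usr/sbin/sshd
ts=2016-07-05T20:36:01Z host=web02 kind=flow proto=tcp src=10.0.5.12 dst=203.0.113.10 dport=21 bytes=1200
ts=2016-07-05T20:38:22Z host=web02 kind=flow proto=tcp src=10.0.5.12 dst=198.51.100.77 dport=21 bytes=48000000
ts=2016-07-05T20:39:00Z host=web01 kind=flow proto=tcp src=10.0.5.11 dst=10.0.5.20 dport=21 bytes=512
ts=2016-07-05T20:41:17Z host=db03 kind=service_installed service=sshd image=/usr/sbin/sshd
"""


def parse_event(line):
    """Turn 'k1=v1 k2=v2 ...' into a dict (values in this format contain no spaces)."""
    return dict(tok.split("=", 1) for tok in line.split())


def check_event(ev):
    """Compare one event against the baseline.

    Returns None when the event matches what is expected of that host,
    ("alert", msg) for something needing immediate attention, or
    ("dashboard", msg) for something worth aggregate review but not a page.
    """
    host = ev.get("host", "?")
    kind = ev.get("kind")

    if kind == "service_installed":
        expected = EXPECTED_SERVICES.get(host)
        if expected is None:  # a host the inventory does not know about at all
            return ("alert", f"{host}: not in inventory, service {ev['service']} installed")
        if ev["service"] not in expected:  # e.g. nginx appearing on an IIS box
            return ("alert", f"{host}: unexpected service {ev['service']} ({ev.get('image')})")
        return None

    if kind == "flow" and ev.get("dport") == "21":
        dst = ipaddress.ip_address(ev["dst"])
        if any(dst in net for net in INTERNAL_NETS):
            return None  # internal FTP is part of this site's baseline
        size = int(ev.get("bytes", 0))
        if ev["dst"] in APPROVED_FTP_DESTS and size < FTP_BULK_BYTES:
            return ("dashboard", f"{host}: FTP to approved external host {ev['dst']} ({size} bytes)")
        return ("alert", f"{host}: FTP over the Internet to {ev['dst']} ({size} bytes)")

    return None


def analyse(text):
    """Run check_event over every non-empty line and return the findings in order."""
    events = (parse_event(line) for line in text.splitlines() if line.strip())
    return [finding for finding in map(check_event, events) if finding]


if __name__ == "__main__":
    for severity, msg in analyse(SAMPLE_EVENTS):
        print(f"[{severity.upper():9}] {msg}")
```

The point of the structure is that the detection logic is almost trivial; all the knowledge lives in the baseline tables, which is where Tony's "become experts in your environment" work goes. The approved-destination plus byte-threshold rule is one way to make the "risky enough to warrant immediate attention" decision explicit rather than leaving it to whoever reads the dashboard.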
Current thread:
- seeking input on log analysis for identifying suspicious activity Alex Keller (Jul 05)
- Re: seeking input on log analysis for identifying suspicious activity Lambert, Tony M (Jul 07)