Class 5 ‐ SIEM Introduction - Justin-Boyd/CIT-Class GitHub Wiki

Security Measures

Cybersecurity Threats

  • Threat
  • Vulnerability
  • Risk
  • Asset

Technological Asset Types

  • Hardware
  • Software
  • Data
  • Communications
  • Each of these asset types can be an attack vector and must be monitored continuously.

Security Components

  1. Network Access Control
  2. Network Behavior Analysis
  3. Firewall
  4. Identity Management
  5. Web Application Firewall
  6. Virtual Private Network
  7. Intrusion Detection and Prevention
  8. Endpoint Detection and Response
  9. Mail Relay
  10. Endpoint Protection Security

SOC vs NOC

  • SOC

    • Security Operations Centers (SOCs) manage security incidents.
    • Monitor logs from different systems and respond to incidents.
    • Personnel handle data analysis and technologies.
    • Use a SIEM and ticket management.
  • NOC

    • Network Operations Centers (NOCs) manage network operations.
    • A central location for controlling and monitoring network components.
    • Personnel handle network management, configuration, and IT.
    • Use control systems, quality management, and tracking tools.

Introduction to SIEM

SIEM for Security

  • Log collection software and log retention
  • Security incident alerts raised from the collected logs
  • Data analysis over the collected logs
  • Some organizations use SIEM as a third-party service to monitor infrastructure.

Why SIEM is Important

  • Helps detect security incidents at an early stage
  • Creates reports of suspicious activities

SIM, SEM & SIEM

  • Security Information Management

    • Automatic collection of event logs
    • Simplification and correlation of data
    • Strong log management capabilities
    • Security reporting
  • Security Event Management

    • Strong event management
    • Based on enterprise SQL databases
    • Ideal for running security operations
    • Data collection in near-real time
  • Security Information and Event Management

    • SIM and SEM capabilities combined
    • Real-time security alerts analysis
    • Software appliances or managed services
    • Data aggregation from many sources

SIEM General Components

  • Database
  • Correlation Engine
  • Collectors
  • Management Center and Dashboards
  • API

SIEM Monitoring Features

  • Filters
  • Rules
  • Active Lists
  • Reports
  • Trends

SIEM Workflow

  • Collection - Gather logs and event data from the monitored sources.
  • Parsing - Inspect the raw data and sort it into key/value pairs.
  • Evaluation - Match the parsed events against sets of rules that indicate a threat.
  • Correlation - Determine whether suspicious behavior is part of a more elaborate scenario.
  • Inspection - The resulting tickets are managed and investigated by the SOC.
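As an added illustration of the five stages above (example code, not material from the course), here is a minimal pipeline that collects constructed auth.log lines, parses them into key/value pairs, evaluates single-event rules, correlates repeated failures followed by a success from the same address, and emits tickets for SOC inspection. The function names, the sample lines and the threshold of 3 failures are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not real data); addresses are documentation ranges.
AUTH_LOG = """\
Mar  3 10:01:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  3 10:01:05 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 10:01:09 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 10:01:14 web01 sshd[2207]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Mar  3 10:02:30 web01 sshd[2210]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2
Mar  3 10:03:00 web01 CRON[2215]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$")
SSHD_RE = re.compile(r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def parse(line):
    """Parsing stage: one raw line -> key/value dict, or None if the line is not syslog-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    s = SSHD_RE.match(event["msg"])          # enrich sshd messages with result/user/ip
    if s:
        event.update(s.groupdict())
    return event

def evaluate(event):
    """Evaluation stage: match a single event against simple rules; returns the rule name or None."""
    if event.get("result") == "Failed":
        return "ssh_auth_failure"
    if event.get("result") == "Accepted" and event.get("user") == "root":
        return "ssh_root_login"
    return None

def correlate(events, threshold=3):
    """Correlation stage: >= threshold failures from one IP followed by a success from the same IP."""
    failures = defaultdict(int)
    tickets = []
    for ev in events:
        if evaluate(ev) == "ssh_auth_failure":
            failures[ev["ip"]] += 1
        elif ev.get("result") == "Accepted" and failures[ev["ip"]] >= threshold:
            tickets.append({"scenario": "brute_force_success", "ip": ev["ip"], "user": ev["user"],
                            "failures": failures[ev["ip"]], "ts": ev["ts"]})
    return tickets

def run_pipeline(raw):
    """Collection -> parsing -> evaluation/correlation; returns (events, tickets for SOC inspection)."""
    events = [e for e in map(parse, raw.splitlines()) if e]
    return events, correlate(events)
```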

SIEM Key Objectives

  • Provide near-real-time alerts and correlations.
  • Support investigations and provide evidence.
  • Provide risk management and assessment for corporate assets.

Popular SIEMs

  • QRadar
  • ArcSight
  • AlienVault
  • Splunk

Snort

  • An open-source IDS/IPS
  • Performs real-time network traffic analysis
  • Supported by pfSense as a package

SIEM Installation

Splunk Components

  • The Search Head is the interface used to search and access the data.
  • Indexers parse and index the incoming logs.
  • Forwarders are small components installed on the hosts that collect data and send it to Splunk.

Splunk Installation in Linux

  • Splunk can be installed on any OS.
  • On a Debian-based OS, Splunk is installed with the package manager.
  • The Splunk daemon should be started after the installation.

Installation in Windows

  • The Splunk installation on Windows follows steps similar to the Linux installation.
  • Credentials for the Splunk system are set during the installation process.
  • The Splunk Forwarder is installed separately on the hosts to be monitored (Linux, Windows, or Mac).

Splunk Plugins

  • Add-ons
    • Typically a single component that can be reused in different use cases
  • Apps
    • More comprehensive, and may contain user interfaces
  • Apps and add-ons extend Splunk functionality.

Log Collection & Types

Log Structure

Log Collector

  • Typically located in every environment.
  • Collectors forward the logs received from operating systems and applications to the SIEM.
  • To send logs from the DMZ to the LAN, the specific ports used by the collector must be opened on the firewall.

Application Logs

  • DB
  • WAF
  • IPS
  • Firewall
  • Logs can also be obtained through external applications.

OS Logs

  • UNIX systems usually save logs in the /var/log directory.
  • On Windows, logs can be viewed in the Event Viewer.
  • macOS uses Console.app, which is similar to the Windows Event Viewer.

UNIX Logs

  • Log rotation creates a new file each day, numbered sequentially, and archives the previous log.
  • Daemons may keep their logs in a dedicated subdirectory.
  • Some Linux distributions have tools to view the logs graphically.

UNIX Log Sources

  • auth.log
  • Apache2
  • iptables
  • syslog
  • dpkg

Windows Event Logs

  • Classifies events into several categories.
  • Each entry has a type that identifies the severity of the event.
  • In the Event Viewer, events are listed with headers and descriptions.
  • The main Windows logs are:
    • Application
    • Security
    • Setup
    • System
    • Forwarded Events

Important Security Events

  • Windows events are identified by Event IDs:
    • 4624 - Successful user login
    • 4625 - Failed user login
    • 4672 - Special privileges were assigned to a new logon
    • 4700 - A scheduled task was enabled
    • 1116 - Windows Defender malware detection
    • 5031 - The firewall service blocked an application from accepting incoming connections
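An added example (not from the course material) that turns the event IDs listed above into an evaluation table and an active list, the monitoring feature mentioned earlier: a 4672 places the account on the list for a short window, and a 4700 from that account while it is listed is escalated. The sample records, the 1-5 severity scale, the classifications and the rule itself are assumptions of the example, not vendor defaults.

```python
from datetime import datetime, timedelta

# Event IDs from the notes above; classification and the 1-5 severity are assumed for this example.
EVENT_RULES = {
    4624: ("Successful user login", "Success Audit", 1),
    4625: ("Failed user login", "Failure Audit", 2),
    4672: ("Special privileges assigned to new logon", "Success Audit", 3),
    4700: ("Scheduled task enabled", "Success Audit", 3),
    1116: ("Windows Defender malware detection", "Warning", 5),
    5031: ("Firewall blocked an application from accepting connections", "Warning", 2),
}

# Constructed sample records in the shape a collector might hand to the SIEM (not real data).
EVENTS = [
    {"time": "2024-03-03T10:00:00", "event_id": 4624, "user": "svc_backup", "host": "FS01"},
    {"time": "2024-03-03T10:00:01", "event_id": 4672, "user": "svc_backup", "host": "FS01"},
    {"time": "2024-03-03T10:03:30", "event_id": 4700, "user": "svc_backup", "host": "FS01"},
    {"time": "2024-03-03T10:10:00", "event_id": 4625, "user": "jdoe", "host": "WS07"},
    {"time": "2024-03-03T10:12:00", "event_id": 1116, "user": "SYSTEM", "host": "WS07"},
    {"time": "2024-03-03T11:30:00", "event_id": 4700, "user": "admin01", "host": "DC01"},
]

def classify(event):
    """Evaluation: look up the event ID and attach description, classification and severity."""
    desc, kind, sev = EVENT_RULES.get(event["event_id"], ("Unknown event", "Information", 1))
    return {**event, "description": desc, "classification": kind, "severity": sev}

def correlate(events, window=timedelta(minutes=5)):
    """Correlation using an active list: a 4672 puts user@host on the list for `window`;
    a 4700 from a listed entry is escalated to severity 5 (assumed rule, not a vendor default).
    Any single event of severity >= 4 also becomes an alert."""
    active, alerts = {}, []
    for ev in (classify(e) for e in sorted(events, key=lambda e: e["time"])):
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["user"], ev["host"])
        active = {k: t for k, t in active.items() if ts - t <= window}   # expire stale entries
        if ev["event_id"] == 4672:
            active[key] = ts
        elif ev["event_id"] == 4700 and key in active:
            alerts.append({**ev, "severity": 5, "scenario": "task_enabled_by_new_privileged_logon"})
        elif ev["severity"] >= 4:
            alerts.append({**ev, "scenario": "single_event_high_severity"})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert["time"], alert["event_id"], alert["scenario"], alert["user"], alert["host"])
```

The lone 4700 from admin01 at 11:30 stays at its base severity because no 4672 for that account is on the active list, which is the difference between a table lookup and a correlated alert.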

Event Log Classification

  • Information
  • Warning
  • Error
  • Success Audit
  • Failure Audit

Log Gathering

  • Syslog: messages are sent over UDP or TCP, by default on port 514.
  • Files: some applications write their logs to files, which the collector reads.
  • Database: the SIEM logs in to the database and extracts logs according to a predefined query.
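An added example (not from the course) of the syslog side of log gathering: decoding the PRI value a collector receives on UDP 514 into facility and severity and splitting the rest of the message into key/value pairs, plus a helper that binds the port and parses one datagram. The function names and the sample datagram are assumptions of the example; the listener is shown for completeness and is not needed to run the parser.

```python
import re
import socket

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD-style (RFC 3164) message as sent on the wire: "<PRI>TIMESTAMP HOST TAG[PID]: CONTENT"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[\w./-]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")

def decode_pri(pri):
    """PRI = facility * 8 + severity. Returns (facility, severity) names; rejects values over 191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def parse_syslog(datagram):
    """Parse one received datagram into key/value pairs; None if it is not well-formed."""
    m = SYSLOG_RE.match(datagram.decode("utf-8", errors="replace").rstrip("\r\n"))
    if not m:
        return None
    fields = m.groupdict()
    facility, severity = decode_pri(int(fields.pop("pri")))
    fields.update(facility=facility, severity=severity)
    return fields

def receive_one(bind_addr=("127.0.0.1", 514), bufsize=2048):
    """Collector side: bind the UDP port and parse a single datagram (binding 514 needs privileges)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind_addr)
        data, (src_ip, _) = sock.recvfrom(bufsize)
    fields = parse_syslog(data)
    if fields is not None:
        fields["collector_src_ip"] = src_ip   # keep the real sender; the HOST field is sender-supplied
    return fields

# Constructed sample datagram: PRI 38 = auth (4) * 8 + info (6).
SAMPLE = b"<38>Mar  3 10:01:05 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51002 ssh2"

if __name__ == "__main__":
    print(parse_syslog(SAMPLE))
```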