8/11/2016

Operationalizing a cyber Security Operations Center (SOC) using a Security Information and Event Management (SIEM) solution.

Final Project T411 Wireless networking: George Brown College, Toronto, ON, Canada. August, 2016

Rangan Grama-Yoga       101017090
Ankit Divyesh Pandya    100984504
Lakshay Chamoli         101026076
Zhou Lu                 101015405
TABLE OF CONTENTS

Agenda ... 3
Introduction ... 3
    In the project ... 3
    Itinerary ... 3
Splunk ... 4
    Introduction to Splunk ... 5
Problem/Opportunity Assessment ... 6
Our Project ... 7
    Implementation Phase ... 8
    Searching Data ... 9
    Creating Traps ... 11
    Data Analysis ... 11
    Log data File ... 13
  Use Case 1 ... 14
    Detection of Possible Brute Force Attack ... 14
  Use Case 2 ... 15
    Detection of Insider Threat ... 15
    Acceptable Use Monitoring (AUP) ... 15
  Use Case 3 ... 18
    Application Defense Check ... 18
  Use Case 4 ... 19
    Suspicious Behavior of Log Source ... 19
    Expected Host/Log Source Not Reporting ... 19
  Use Case 5 ... 20
  Use Case 6 ... 20
    Detection of Anomalous Ports, Services and Unpatched Hosts/Network Devices ... 20
Conclusion ... 21
Credits ... 22
AGENDA

This project report, Embracing the Practice of Network Security: An analysis of the merging context, grew out of a series of exercises in securing multiple systems in order to maintain a secure network environment in the field of networking.

INTRODUCTION

Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization's information technology (IT) security. SIEM software is implemented in a network to detect, control and resolve the various attacks and threats faced in cyber security. In this simulation we show how cyber activity is monitored: the events generated by the various objects in the network are collected, accounted for and flagged, as they would be in an enterprise environment.
IN THE PROJECT

• Simple SNMP experiment with AD DC server
• Multiple machines added in the same domain
• Events raised
• Communication stopped
• Events addressed
• Communication stopped until resolved
• Splunk can be completely unattended
• Event raised and email sent
ITINERARY

• Cisco ASA (Adaptive Security Appliance) Firewall 5520 without VLAN support
• Windows Server 2008 R2 | Operating System
• Ubuntu 12.3 | Operating System
• Splunk | SIEM (Security Information and Event Management Software)
• Passware | Brute force attack software
• Active Directory Service | Microsoft Windows Server 2008 R2
• Oracle VMBOX | Virtualization

SPLUNK
• Data management engine
• Data time does not matter
• Multiple source support
• Doesn't require a switching component for data translation
• Multiple platform integration

FIGURE 1: SOURCED FROM SPLUNK WEBSITE

INTRODUCTION TO SPLUNK

To achieve operational intelligence, the first thing CIOs and CTOs must do is find technologies to help them. Splunk is a platform for machine data. It collects, indexes and harnesses machine data generated by any IT system and infrastructure, whether it is physical, virtual or in the cloud. Splunk laid its foundation helping IT find and fix problems faster, but its applications are far broader, as we will see. Splunk makes sense of machine data to support business goals.

It handles both the form and the semantics of machine data. It accomplishes this through a unique approach of universally indexing any machine data across the infrastructure. It consumes network traffic and app server logs and tracks hypervisors and GPS, as well as social media activity. It even absorbs PBX and IP telephony data. Splunk does this without requiring costly connectors or agents. It does not need to filter or parse the data to load it into a database. By providing users an index of all the machine data generated by all systems and infrastructure, Splunk enables users to ask any question and find answers quickly to the most simple or strategic propositions.

Splunk was born to help IT manage and monitor the datacenter. System administrators were sniffing out security threats, server inefficiencies, network outages, and bandwidth bottlenecks, not looking for business insights. But along the way, that's exactly what they discovered in the wealth of machine-generated data that is driving operational intelligence. Analysts can have a conversation with the data and gradually uncover the structure and relationships between elements. They can create custom applications, dashboards, and reports that don't just present information, but allow for deep drill-downs into the data to answer questions. Splunk also offers prebuilt integrations to common data stores, such as Hadoop and traditional relational databases.
PROBLEM/OPPORTUNITY ASSESSMENT

Various attacks (brute force, DDoS, multiple access, etc.): we show various attacks that can occur and how these attacks are spotted and raised as events.

A brute-force attack is a cryptanalytic attack that can, in theory, be used to attempt to decrypt any encrypted data (except for data encrypted in an information-theoretically secure manner). Such an attack might be used when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier.

False alarms: user interaction with a server, as opposed to an external threat, raises a lot of false alarms and requires segregation of events.

DDoS: a distributed denial-of-service (DDoS) attack is one where the attack comes from more than one source, often thousands of unique IP addresses. It is analogous to a group of people crowding the entry door or gate to a shop or business and not letting legitimate parties enter, disrupting normal operations. The scale of DDoS attacks has continued to rise over recent years, even reaching over 400 Gbit/s.

Event logging: all events that occur on a server are logged and the data flow is presented.

Authentication tracking and account compromise detection; admin and user tracking.

Compromised- and infected-system tracking: malware detection by using outbound firewall logs, NIPS alerts and Web proxy logs, as well as internal connectivity logs, network flows, etc.

Validating intrusion detection system/intrusion prevention system (IDS/IPS) alerts: by using vulnerability data and other context data about the assets collected in the SIEM.

Monitoring for suspicious outbound connectivity and data transfers: by using firewall logs, Web proxy logs and network flows; detecting exfiltration and other suspicious external connectivity.

Tracking system changes and other administrative actions: across internal systems, matching them to allowed policy; detecting violations of various internal policies, etc.

Tracking of Web application attacks and their consequences: by using Web server, WAF and application server logs; detecting attempts to compromise and abuse web applications by combining logs from different components.

Key deliverables to be produced by students:

Log management: various events flagged by the SIEM software to be mapped and logged.

Windows events: Windows application, security and system event logs; detect problems with business-critical applications, security information and usage patterns.

Wire data: DNS lookups and records, protocol-level information including headers, content and flow records. Proactively monitor the performance and availability of applications, end-user experiences, incident investigations, networks, threat detection, monitoring and compliance.

	
OUR PROJECT

We created a test environment and implemented Splunk in the DMZ where the servers were located. The following schematic is the network design of our implementation.

FIGURE 2: NETWORK DESIGN

As the schematic above shows, we dedicated a server on the DMZ (demilitarized zone) where the other servers would be placed as well, making the Splunk server as secure as the other servers. For test purposes, we implemented the design on virtual machines.
We also made sure that all the data flow was monitored on the particular port that Splunk had access to, giving Splunk the ability to access all machine data remotely and locally.
IMPLEMENTATION PHASE

After implementing Splunk on a simple network we gathered the following data. We installed Splunk and added various data sources for monitoring. As shown in the picture, we added Active Directory as one of the data sources, along with various other services that were monitored.
The various sources of data were added with ease. All we had to do was:
Settings > Data Inputs > Event Log Collections > select the local data source that you would like to add

FIGURE 3: ADDING DATA SOURCES

SEARCHING DATA

As soon as the sources were added for monitoring, events from every source were gathered immediately. The data we gathered was collected and analysed for event management purposes. For testing purposes, we only implemented multiple logins using Active Directory services. Finding the data was extremely easy with the search service.

FIGURE 4: LOCAL EVENT SOURCE

Once we got to the sources that were being gathered by the local host, we noticed that all three sources of data were recognised and indexed.

FIGURE 5: REMOTE DATA SOURCES

CREATING TRAPS

We created a trap with just a simple search, using the search result as the source of the trap, and set the refresh rate to 30 seconds. This could also be changed to live monitoring, which would allow you to watch the trap in real time.

FIGURE 6: DATA SEARCH

DATA ANALYSIS

Instead of merely collecting data, the failed login information was collected and searched with Splunk's native search language. This also holds true for any script or coding errors that might occur.

FIGURE 7: MACHINE DATA

The search query we created can be saved as a dashboard, where every related query is monitored and its activity is displayed on the dashboard.

FIGURE 8: ALERT DASHBOARD

We saved the dashboard as 'Brute force', as we used Passware to attempt to break network authentication on the Active Directory server with a brute force attack. These events were monitored and accounted for. The image above shows the various VLANs created on the network and the login attempts that used the same login credentials. The failed logins show how many times the Active Directory service was blocked.

	
LOG DATA FILE
The log data file is attached here for your reference:

Event_Log_for_multile_Access.csv
USE CASE 1

DETECTION OF POSSIBLE BRUTE FORCE ATTACK
With the evolution of faster and more efficient password cracking tools, brute force attacks against the services of an organization are on the rise. As a best practice, every organization should configure logging for security events such as an excessive number of invalid login attempts, any modification to system files, etc., so that any attack underway will get noticed and treated before it succeeds. Organizations generally apply these security policies via a Group Policy Object (GPO) to all the hosts in their network.
To check for a brute force pattern, we enabled auditing of logon events in the Local Security Policy and fed the system's Win:Security logs to Splunk to check for a brute force pattern against local login attempts.
Below is the correlation search (SPL) created in Splunk against Win:Security logs to monitor login attempts in real time. In this search, the brute force criteria match once an account exceeds two failed attempts:

sourcetype="WinEventLog:Security" (EventCode=4625 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | stats count by Account_Name | where count > 2

Note: EventCode 4625 is used in newer versions of the Windows family such as Windows 7. In older versions, the event codes for invalid login attempts are 675 and 529. The search excludes machine accounts (names ending in $) so that computer account noise does not trip the threshold.
After this, I logged off my machine and entered the password incorrectly three times in an attempt to imitate a brute force attack.

Since these activities get logged in Win:Security, which in turn feeds Splunk in real time, an alert will be created in Splunk, giving analysts an incident to investigate and respond to, for example by changing the firewall policy to blacklist that IP.
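The same correlation logic as the search above, written in Python as an added example (not code from the original report): it filters 4625 Audit Failure events the way the SPL does (dropping machine accounts and Failure_Code 0x19) and counts failures per account, with an optional sliding time window standing in for the search's time range. The event records, account names and timestamps are constructed, using the field names Splunk extracts from Win:Security.

```python
"""Brute-force pattern check over Win:Security logon failures (added example)."""
from collections import defaultdict
from datetime import datetime


def make_event(ts, account, event_code=4625, failure_code="0x18"):
    """Constructed Win:Security event using the field names the report's SPL refers to."""
    return {"_time": ts, "EventCode": event_code,
            "Keywords": "Audit Failure" if event_code == 4625 else "Audit Success",
            "Account_Name": account, "Failure_Code": failure_code, "host": "DC01"}


# Constructed sample, not real log data.
SAMPLE_EVENTS = [
    make_event("2016-08-11T09:00:01", "jdoe"),   # three bad passwords within ten seconds...
    make_event("2016-08-11T09:00:05", "jdoe"),
    make_event("2016-08-11T09:00:09", "jdoe"),
    make_event("2016-08-11T12:30:00", "jdoe"),   # ...and a fourth, hours later
    make_event("2016-08-11T09:00:12", "jdoe", event_code=4624),  # successful logon, not a failure
    make_event("2016-08-11T09:01:00", "WS01$"),  # machine account: excluded by NOT Account_Name="*$"
    make_event("2016-08-11T09:01:01", "WS01$"),
    make_event("2016-08-11T09:01:02", "WS01$"),
    make_event("2016-08-11T09:02:00", "bob", failure_code="0x19"),  # KDC_ERR_PREAUTH_REQUIRED:
    make_event("2016-08-11T09:02:01", "bob", failure_code="0x19"),  # normal Kerberos chatter,
    make_event("2016-08-11T09:02:02", "bob", failure_code="0x19"),  # excluded by NOT Failure_Code=0x19
    make_event("2016-08-11T09:05:00", "asmith"), # two failures only, which is not > 2
    make_event("2016-08-11T09:05:30", "asmith"),
]


def qualifies(event):
    """The SPL's filter: a 4625 Audit Failure for a non-machine account, not Failure_Code 0x19."""
    if event.get("EventCode") != 4625 or event.get("Keywords") != "Audit Failure":
        return False
    if event.get("Account_Name", "").endswith("$"):
        return False
    return event.get("Failure_Code") != "0x19"


def brute_force_accounts(events, threshold=2, window_seconds=None):
    """Accounts whose qualifying failures exceed `threshold` (the SPL's `where count > 2`).

    With window_seconds=None this is exactly `stats count by Account_Name`. With a window,
    the count is the peak number of failures inside any sliding window of that length,
    which is what a scheduled search over a short time range effectively measures.
    Returns {account: count}.
    """
    per_account = defaultdict(list)
    for event in events:
        if qualifies(event):
            per_account[event["Account_Name"]].append(
                datetime.strptime(event["_time"], "%Y-%m-%dT%H:%M:%S"))
    flagged = {}
    for account, times in per_account.items():
        times.sort()
        if window_seconds is None:
            peak = len(times)
        else:
            peak, start = 0, 0
            for end in range(len(times)):
                while (times[end] - times[start]).total_seconds() > window_seconds:
                    start += 1
                peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[account] = peak
    return flagged


if __name__ == "__main__":
    for account, count in brute_force_accounts(SAMPLE_EVENTS, window_seconds=600).items():
        print(f"possible brute force: {account} had {count} failed logons inside 10 minutes")
```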
USE CASE 2
DETECTION OF INSIDER THREAT
Reportedly, more than 30 percent of attacks on any organization come from malicious insiders. Therefore, every organization must apply the same level of security policy to insiders as well.
ACCEPTABLE USE MONITORING (AUP)
Acceptable use monitoring covers the basic questions of what resource is being accessed, by whom, and when. Organizations generally publish policies so that users understand how they may use the organization's resources. Organizations should develop a baseline document that sets out threshold limits, critical resource information, user roles and policies, and use that baseline document to monitor user activity, even after business hours, with the help of the SIEM solution.
For example, the illustration below shows logging of a user's activity on an object. For demonstration purposes, we created a file named "Test_Access" on our test system. Auditing of object access is enabled on the system in the Local Security Policy, as shown below.

Enabling auditing in the security policy is not enough: we also have to enable auditing on the file itself, "Test_Access" in this case. We enabled auditing for the group "Everyone" on this file. Organizations should fingerprint all sensitive files together with the corresponding privileges and the user groups that have access to them.
For demonstration purposes, we selected all the object properties to be audited.

After this, we accessed the "Test_Access" file, which generates an event in the Security log with Event ID 4663, giving the user name, the action performed, the time it was accessed, etc. This information can be fed into the SIEM solution through the security logs to detect any unauthorized or suspicious object access.

Organizations should develop fingerprints for all sensitive documents, files and folders, and feed this information, together with the output of the respective security solutions such as data leakage prevention solutions, application logs, WAF, etc., into the SIEM solution to detect a potential insider threat.
Organizations can develop the following use cases in the SIEM solution under AUP:

• Top malicious DNS requests from user
• Incidents from users reported at DLP, spam filtering, web proxy, etc.
• Transmission of sensitive data in plain text
• 3rd-party users' network resource access
• Resource access outside business hours
• Sensitive resource access failure by user
• Privileged user access by resource criticality, access failure, etc.
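An added example (not from the original report) of the "resource access outside business hours" and sensitive-resource-access checks listed above, applied to Event ID 4663 records: a constructed baseline maps each fingerprinted file to the accounts permitted to touch it. The business-hours window, the file path, the account names and the event records are all assumptions made for the example.

```python
"""Object-access review for fingerprinted files (added example)."""
from datetime import datetime, time

# Assumed business-hours policy: 09:00-18:00, Monday to Friday (not from the report).
BUSINESS_START, BUSINESS_END = time(9, 0), time(18, 0)

# Constructed baseline: fingerprinted object -> accounts permitted to access it.
FINANCE_FILE = r"C:\Shares\Finance\Test_Access.txt"
SENSITIVE_OBJECTS = {FINANCE_FILE: {"jdoe", "finance-svc"}}


def make_event(ts, account, obj, accesses="ReadData (or ListDirectory)", event_code=4663):
    """Constructed Win:Security object-access event in Splunk's extracted field names."""
    return {"_time": ts, "EventCode": event_code, "Account_Name": account,
            "Object_Name": obj, "Accesses": accesses}


# Constructed sample, not real log data. 2016-08-11 is a Thursday, 2016-08-13 a Saturday.
SAMPLE_EVENTS = [
    make_event("2016-08-11T10:15:00", "jdoe", FINANCE_FILE),                         # permitted, in hours
    make_event("2016-08-11T22:40:00", "jdoe", FINANCE_FILE, "WriteData (or AddFile)"),  # permitted user, 22:40
    make_event("2016-08-11T11:00:00", "mallory", FINANCE_FILE),                      # not in the baseline
    make_event("2016-08-13T10:00:00", "jdoe", FINANCE_FILE),                         # Saturday
    make_event("2016-08-11T11:30:00", "jdoe", r"C:\Temp\notes.txt"),                # not fingerprinted
    make_event("2016-08-11T11:35:00", "mallory", FINANCE_FILE, event_code=4656),     # handle request only
]


def in_business_hours(when):
    """True on a weekday inside the assumed business-hours window."""
    return when.weekday() < 5 and BUSINESS_START <= when.time() < BUSINESS_END


def review_object_access(events, baseline=SENSITIVE_OBJECTS):
    """Findings for every 4663 event on a fingerprinted object that breaks the baseline.

    Only Event ID 4663 (access actually performed) is considered; 4656 records a handle
    request for the same access and would double-count. Returns a list of
    (time, account, object, reasons) tuples in event order.
    """
    findings = []
    for event in events:
        if event.get("EventCode") != 4663:
            continue
        obj = event.get("Object_Name")
        if obj not in baseline:
            continue
        when = datetime.strptime(event["_time"], "%Y-%m-%dT%H:%M:%S")
        reasons = []
        if event["Account_Name"] not in baseline[obj]:
            reasons.append("account not in baseline")
        if not in_business_hours(when):
            reasons.append("outside business hours")
        if reasons:
            findings.append((event["_time"], event["Account_Name"], obj, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for ts, account, obj, reasons in review_object_access(SAMPLE_EVENTS):
        print(f"{ts} {account} {obj}: {', '.join(reasons)}")
```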
	
USE CASE 3
APPLICATION DEFENSE CHECK
Besides network, perimeter and endpoint security, organizations must develop security measures to protect applications. Against attacks like SQL injection, cross-site scripting (XSS), buffer overflow and insecure direct object references, organizations have adopted measures like secure coding practices and the use of a Web Application Firewall (WAF), which can inspect traffic at layer 7 (the application layer) against signatures, pattern-based rules, etc. Along with the applications' own logs, organizations must also feed the SIEM with logs from technologies such as the WAF, so that the SIEM can correlate various security incidents to detect a potential web application attack. One very important point to check in a sensitive application is that the application should encrypt sensitive information like PII in its logs as well, because these logs will be fed into the SIEM and, if left unencrypted, sensitive information would be exposed in the SIEM.
Organizations must also develop a strategy to secure the operating system (OS) platform on which the application is hosted. OS and application performance logging must also be enabled. Below are some of the use cases that can be implemented in the SIEM to check application defense.
• Top Web application attacks per server
• Malicious SQL commands issued by administrator
• Application suspicious performance indicators, resource utilization vector
• Application platform (OS) patch-related status
• Web attacks after configuration changes on applications
USE CASE 4
SUSPICIOUS BEHAVIOR OF LOG SOURCE
EXPECTED HOST/LOG SOURCE NOT REPORTING
Log sources are the feeds for any SIEM solution. Most SIEM solutions these days come with an agent-manager deployment model, which means that lightweight SIEM agent software is installed on every log source to collect logs and pass them to a manager for analysis. An attacker who has gained control over a compromised machine or account tends to stop such agent services so that their unauthorized and illegitimate behavior goes unnoticed.
To counter such actions, the SIEM should be configured to raise an alert if a host stops forwarding logs for longer than a threshold. For example, the search query (SPL) below will raise an alert in Splunk if a host has not forwarded logs for more than one hour:

| metadata type=hosts | where recentTime < now() - 3600 | convert ctime(recentTime) as "Last time the log source reported" | rename host as "Log Sources" | table "Log Sources" "Last time the log source reported"

Note that the metadata command only lists hosts from which Splunk has already indexed data, so a host that has never reported at all will not appear; catching those requires comparing the result against an inventory of expected hosts.
As soon as an alert is received with the IP address of the machine under attack, the Incident Response Team (IRT) can start mitigating the issue.
Unexpected Events Per Second (EPS) from Log Sources
Another common pattern found among compromised log sources is that attackers tend to change the configuration files of the installed endpoint agents and forward a lot of irrelevant files to the SIEM manager, causing a bandwidth choke between the endpoint agent and the manager. This affects the performance of the configured real-time searches, the storage capacity of the underlying index, etc. Organizations must develop a use case to handle this suspicious behavior of log sources. For example, below is the search (SPL) created in Splunk which can detect unusual forwarding of events from log sources in one day. It sums the indexed volume reported in license_usage.log (bytes, converted to MB) per host per hour, keeps the hours over 5 MB, and reports each host's busiest hour:

index=_internal earliest="-1d@d" latest="-0d@d" source=*license_usage.log type=Usage h!="*ip*" | eval Mb=b/1024/1024 | bucket span=1h _time | stats sum(Mb) as MB by _time, h | where MB > 5 | sort -MB, h | dedup h | rename h as "Workload" MB as "Total MB"

Note that this measures megabytes per hour rather than a literal events-per-second count, so the threshold should be set from each host's normal daily volume. An alert will be configured with this search to trigger whenever the volume from a log source exceeds the threshold value, for the IRT to investigate.
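An added example (not code from the report) that reproduces both checks in this use case offline: a stale-host check equivalent to the metadata search, extended with an expected-host inventory so that hosts which never reported at all are also flagged, and an hourly volume check equivalent to the license_usage search. Hostnames, timestamps and byte counts are constructed.

```python
"""Log-source health checks: silent hosts and hourly volume outliers (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

STALE_AFTER = timedelta(seconds=3600)   # the report's `recentTime < now() - 3600`
VOLUME_MB_THRESHOLD = 5.0               # the report's 5 MB threshold, applied to the hourly total
MIB = 1024 * 1024
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_ts(text):
    return datetime.strptime(text, TS_FORMAT)


# Constructed (host, _time) pairs standing in for the data `| metadata type=hosts` summarises.
SAMPLE_EVENTS = [
    ("DC01", "2016-08-11T13:20:00"),
    ("DC01", "2016-08-11T13:55:00"),
    ("WS01", "2016-08-11T12:10:00"),   # last seen almost two hours before "now"
    ("WEB01", "2016-08-11T13:59:30"),
]

# Constructed license_usage.log-style rows (h, b, _time), like the SPL's type=Usage records.
SAMPLE_USAGE = [
    ("DC01", 2 * MIB, "2016-08-11T10:05:00"),
    ("DC01", MIB + MIB // 2, "2016-08-11T10:40:00"),
    ("WS01", 9 * MIB, "2016-08-11T11:12:00"),        # one workstation suddenly shipping 9 MB/hour
    ("WS01", MIB, "2016-08-11T12:30:00"),
    ("WEB01", 3 * MIB, "2016-08-11T11:20:00"),
    ("WEB01", 3 * MIB, "2016-08-11T11:45:00"),       # two chunks that only cross 5 MB when summed
    ("ip-10-0-0-5", 20 * MIB, "2016-08-11T11:50:00"),  # dropped, as by the SPL's h!="*ip*"
]


def silent_hosts(events, now_text, expected_hosts=(), stale_after=STALE_AFTER):
    """Hosts whose latest event is older than `stale_after`, mapped to that last-seen time.

    Hosts listed in `expected_hosts` that never appear at all map to None: the metadata
    command only knows hosts that have already reported, so an inventory is what catches
    a host whose agent was stopped before its first event arrived.
    """
    now = parse_ts(now_text)
    recent = {}
    for host, ts in events:
        when = parse_ts(ts)
        if host not in recent or when > recent[host]:
            recent[host] = when
    stale = {host: when.strftime(TS_FORMAT)
             for host, when in recent.items() if when < now - stale_after}
    for host in expected_hosts:
        if host not in recent:
            stale[host] = None
    return stale


def hourly_volume_outliers(usage, threshold_mb=VOLUME_MB_THRESHOLD):
    """Per host, its busiest one-hour bucket if that bucket exceeds the threshold.

    Mirrors `bucket span=1h _time | stats sum(Mb) by _time,h | where MB > 5 | sort -MB | dedup h`.
    Returns {host: (hour, mb)} with the hour as a timestamp string.
    """
    buckets = defaultdict(float)
    for host, nbytes, ts in usage:
        if "ip" in host:
            continue
        hour = parse_ts(ts).replace(minute=0, second=0)
        buckets[(host, hour)] += nbytes / MIB
    worst = {}
    for (host, hour), mb in buckets.items():
        if mb > threshold_mb and (host not in worst or mb > worst[host][1]):
            worst[host] = (hour.strftime(TS_FORMAT), mb)
    return worst


if __name__ == "__main__":
    inventory = ("DC01", "WS01", "WEB01", "FW01")
    print("silent:", silent_hosts(SAMPLE_EVENTS, "2016-08-11T14:00:00", inventory))
    print("volume outliers:", hourly_volume_outliers(SAMPLE_USAGE))
```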
USE CASE 5

MALWARE CHECK
These days, organizations believe in protecting their network end to end, i.e. right from the network perimeter, with devices like firewalls and a Network Intrusion Prevention System (NIPS), to the endpoint hosts, with security features like antivirus and a Host Intrusion Prevention System (HIPS). But most organizations collect reports of security incidents from these security products in standalone mode, which brings problems like false positives.
Correlation logic is the backbone of every SIEM solution, and correlation is more effective when it is built over the output of disparate log sources. For example, an organization can correlate various security events like unusual port activity in the firewall, suspicious DNS requests, warnings from the Web Application Firewall and IDS/IPS, and threats recognized by antivirus, HIPS, etc. to detect a potential threat. Organizations can build the following sub-use cases under this category.
• Unusual network traffic spikes to and from sources
• Endpoints with the maximum number of malware threats
• Top trends of malware observed: detected, prevented, mitigated
• Brute force pattern check on bastion host

USE CASE 6
DETECTION OF ANOMALOUS PORTS, SERVICES AND UNPATCHED HOSTS/NETWORK DEVICES
Hosts or network devices usually get exploited because they are often left unhardened and unpatched. Organizations must first develop a baseline hardening guideline that includes rules for all the ports and services required by the business, in addition to best practices like "default deny-all".
For example, to check for services being started, the system logs from Event Viewer must be fed into the SIEM solution, and a corresponding correlation search must be created against the source name "Service Control Manager" to detect which anomalous services got started or stopped.
Organizations can also check for vulnerable ports. Exposed services can be found by deploying a vulnerability manager and running regular scans on the network. The report can be fed into the SIEM solution to produce a more comprehensive report covering the risk rating of the machines in the network. Some use cases that an organization can build from these reports are:
• Top vulnerabilities detected in the network
• Most vulnerable hosts in the network, i.e. those with the highest number of vulnerabilities

Another important aspect that an organization should constantly monitor as part of the SIEM process is that all clients or endpoints are properly patched with software updates; the client patch status information should be fed into the SIEM solution. There are various ways an organization can plan this check.
• Organizations can check the patch-related status by deploying a vulnerability manager and running regular scans to find unpatched endpoints.
• Organizations can deploy a centralized update manager like WSUS and feed the update status of endpoints into the SIEM solution, or can feed the logs of the update agent deployed on the endpoints directly into the SIEM to detect all unpatched endpoints in the network.
CONCLUSION

The above use cases are not a comprehensive SIEM security checklist, but in order to have success with SIEM, the use cases listed above must be implemented, at a minimum, on every organization's checklist.
A SOC (Cyber Security Operations Centre) can function much more easily with the help of a SIEM such as Splunk, which does not require a lot of monitoring and can handle machine data without altering its source format.
With the help of the SIEM solution, we were able to analyse, detect and also prevent multiple attacks on the network. We also saw how a SIEM can be used as an IDS on an enterprise network. Detection of various threats is much easier with the help of Splunk on a large-scale network.

CREDITS

Role | Individual | Profile | LinkedIn
Course Instructor | Shaukat Mulla | Course Instructor, George Brown College | https://ca.linkedin.com/in/smulla
Project Designer | Wayne Ward | Network Security Implementation Lecturer, George Brown College | https://ca.linkedin.com/in/wayneward1
Mentor and project execution vision | Ali Khan | Senior Manager, Cyber Risk Advisory, Deloitte LLP. | https://ca.linkedin.com/in/khanuali
Project Lead | Rangan Grama-Yoga | Student, George Brown College | https://ca.linkedin.com/in/ranganiyengar
Project Team Member | Ankit Pandya | Student, George Brown College | https://ca.linkedin.com/in/ankit-pandya-98316a4b
Project Team Member | Lakshay Chamoli | Student, George Brown College | https://ca.linkedin.com/in/lakshay-chamoli-48b319118
Project Team Member | Zhou Lu | Student, George Brown College | https://ca.linkedin.com/in/zhou-lu-28512a122

A total of 300 man hours was put into the execution of this project.
All the use cases and the data were sourced from various sources using the internet.

What Happens Before the Kill Chain OpenDNS
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
Blackhat USA 2015: BGP Stream Presentation
Blackhat USA 2015: BGP Stream PresentationBlackhat USA 2015: BGP Stream Presentation
Blackhat USA 2015: BGP Stream PresentationOpenDNS
 
Cyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics LectureCyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics LectureOllie Whitehouse
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
FireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment ExperienceFireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment ExperienceValery Yelanin
 
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
PCI DSS Reporting Requirements for People Who Hate PCI DSS ReportingPCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
PCI DSS Reporting Requirements for People Who Hate PCI DSS ReportingAlienVault
 
SOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation LabyrinthSOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation Labyrinthchrissanders88
 
7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enough7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enoughCloudAccess
 
Simplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMSimplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMAlienVault
 
FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not MarketingArrowECS_CZ
 
Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoringchrissanders88
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
Splunk Tutorial for Beginners - What is Splunk | Edureka
Splunk Tutorial for Beginners - What is Splunk | EdurekaSplunk Tutorial for Beginners - What is Splunk | Edureka
Splunk Tutorial for Beginners - What is Splunk | EdurekaEdureka!
 

Viewers also liked (20)

Computer Forensics: You can run but you can't hide
Computer Forensics: You can run but you can't hideComputer Forensics: You can run but you can't hide
Computer Forensics: You can run but you can't hide
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
penetest VS. APT
penetest VS. APTpenetest VS. APT
penetest VS. APT
 
The Six Stages of Incident Response
The Six Stages of Incident Response The Six Stages of Incident Response
The Six Stages of Incident Response
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0
 
What Happens Before the Kill Chain
What Happens Before the Kill Chain What Happens Before the Kill Chain
What Happens Before the Kill Chain
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
AfterGlow
AfterGlowAfterGlow
AfterGlow
 
Blackhat USA 2015: BGP Stream Presentation
Blackhat USA 2015: BGP Stream PresentationBlackhat USA 2015: BGP Stream Presentation
Blackhat USA 2015: BGP Stream Presentation
 
Cyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics LectureCyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics Lecture
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 
FireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment ExperienceFireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment Experience
 
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
PCI DSS Reporting Requirements for People Who Hate PCI DSS ReportingPCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
 
SOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation LabyrinthSOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation Labyrinth
 
7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enough7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enough
 
Simplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMSimplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USM
 
FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not
 
Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoring
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
 
Splunk Tutorial for Beginners - What is Splunk | Edureka
Splunk Tutorial for Beginners - What is Splunk | EdurekaSplunk Tutorial for Beginners - What is Splunk | Edureka
Splunk Tutorial for Beginners - What is Splunk | Edureka
 

Similar to Operationalizing a Cyber Security Operations Center (SOC) using Splunk

Semantic web design for www.data.gov.sg - Technical Report
Semantic web design for www.data.gov.sg - Technical ReportSemantic web design for www.data.gov.sg - Technical Report
Semantic web design for www.data.gov.sg - Technical ReportMuthu Kumaar Thangavelu
 
Final Presentation
Final PresentationFinal Presentation
Final PresentationCitrix Lad
 
Dissertation_Final_Report
Dissertation_Final_ReportDissertation_Final_Report
Dissertation_Final_ReportTom Day
 
International Management Assignment: PESTEL Analysis Of A Country As A New Ma...
International Management Assignment: PESTEL Analysis Of A Country As A New Ma...International Management Assignment: PESTEL Analysis Of A Country As A New Ma...
International Management Assignment: PESTEL Analysis Of A Country As A New Ma...Chetan Pandharinath Padme
 
Risk Analysis for Lunar and Martian Colonies
Risk Analysis for Lunar and Martian ColoniesRisk Analysis for Lunar and Martian Colonies
Risk Analysis for Lunar and Martian ColoniesShawn Nicolen
 
Final Report
Final ReportFinal Report
Final Reporttdsrogers
 
کلا اوپن استک با اوبونتو - روزبه شفیعی - جشواره متن‌باز ایران
کلا اوپن استک با اوبونتو - روزبه شفیعی - جشواره متن‌باز ایرانکلا اوپن استک با اوبونتو - روزبه شفیعی - جشواره متن‌باز ایران
کلا اوپن استک با اوبونتو - روزبه شفیعی - جشواره متن‌باز ایرانofest
 
NYU Masters Thesis - 2009 (Thesis of the Year - Runner Up)
NYU Masters Thesis - 2009 (Thesis of the Year - Runner Up)NYU Masters Thesis - 2009 (Thesis of the Year - Runner Up)
NYU Masters Thesis - 2009 (Thesis of the Year - Runner Up)Jim Floyd
 
Blockchain in Education. Alexander Grech & Anthony F. Camilleri. Editor Andre...
Blockchain in Education. Alexander Grech & Anthony F. Camilleri. Editor Andre...Blockchain in Education. Alexander Grech & Anthony F. Camilleri. Editor Andre...
Blockchain in Education. Alexander Grech & Anthony F. Camilleri. Editor Andre...eraser Juan José Calderón
 
Industry_Project_Report
Industry_Project_ReportIndustry_Project_Report
Industry_Project_ReportEanna Hegerty
 
Plooto - Next Generation Payment Processing Security
Plooto - Next Generation Payment Processing SecurityPlooto - Next Generation Payment Processing Security
Plooto - Next Generation Payment Processing SecurityPlooto
 
Putting Together the Pieces - The S&OP Technology Landscape - 20 AUG 2015
Putting Together the Pieces - The S&OP Technology Landscape - 20 AUG 2015Putting Together the Pieces - The S&OP Technology Landscape - 20 AUG 2015
Putting Together the Pieces - The S&OP Technology Landscape - 20 AUG 2015Lora Cecere
 
Mediabase Ready and First Analysis Report
Mediabase Ready and First Analysis ReportMediabase Ready and First Analysis Report
Mediabase Ready and First Analysis ReportRalf Klamma
 
Android based crime manage system industrial project i
Android based crime manage system industrial project iAndroid based crime manage system industrial project i
Android based crime manage system industrial project iBeresa Abebe
 
OBD2 Scanner-Final Year Project Report
OBD2 Scanner-Final Year Project ReportOBD2 Scanner-Final Year Project Report
OBD2 Scanner-Final Year Project ReportKokila Surasinghe
 
Web App Security Automated Scanning
Web App Security Automated ScanningWeb App Security Automated Scanning
Web App Security Automated ScanningAung Khant
 
Airlines research Final Report
Airlines research Final ReportAirlines research Final Report
Airlines research Final ReportShu (Vivian) Nan
 

Similar to Operationalizing a Cyber Security Operations Center (SOC) using Splunk (20)

Semantic web design for www.data.gov.sg - Technical Report
Semantic web design for www.data.gov.sg - Technical ReportSemantic web design for www.data.gov.sg - Technical Report
Semantic web design for www.data.gov.sg - Technical Report
 
Final Presentation
Final PresentationFinal Presentation
Final Presentation
 
Dissertation_Final_Report
Dissertation_Final_ReportDissertation_Final_Report
Dissertation_Final_Report
 
International Management Assignment: PESTEL Analysis Of A Country As A New Ma...
International Management Assignment: PESTEL Analysis Of A Country As A New Ma...International Management Assignment: PESTEL Analysis Of A Country As A New Ma...
International Management Assignment: PESTEL Analysis Of A Country As A New Ma...
 
Rivera_COSC880_Paper
Rivera_COSC880_PaperRivera_COSC880_Paper
Rivera_COSC880_Paper
 
Risk Analysis for Lunar and Martian Colonies
Risk Analysis for Lunar and Martian ColoniesRisk Analysis for Lunar and Martian Colonies
Risk Analysis for Lunar and Martian Colonies
 
Final Report
Final ReportFinal Report
Final Report
 
کلا اوپن استک با اوبونتو - روزبه شفیعی - جشواره متن‌باز ایران
کلا اوپن استک با اوبونتو - روزبه شفیعی - جشواره متن‌باز ایرانکلا اوپن استک با اوبونتو - روزبه شفیعی - جشواره متن‌باز ایران
کلا اوپن استک با اوبونتو - روزبه شفیعی - جشواره متن‌باز ایران
 
SMISproject
SMISprojectSMISproject
SMISproject
 
NYU Masters Thesis - 2009 (Thesis of the Year - Runner Up)
NYU Masters Thesis - 2009 (Thesis of the Year - Runner Up)NYU Masters Thesis - 2009 (Thesis of the Year - Runner Up)
NYU Masters Thesis - 2009 (Thesis of the Year - Runner Up)
 
Blockchain in Education. Alexander Grech & Anthony F. Camilleri. Editor Andre...
Blockchain in Education. Alexander Grech & Anthony F. Camilleri. Editor Andre...Blockchain in Education. Alexander Grech & Anthony F. Camilleri. Editor Andre...
Blockchain in Education. Alexander Grech & Anthony F. Camilleri. Editor Andre...
 
Industry_Project_Report
Industry_Project_ReportIndustry_Project_Report
Industry_Project_Report
 
VILLAFRANCA-THESIS-2016
VILLAFRANCA-THESIS-2016VILLAFRANCA-THESIS-2016
VILLAFRANCA-THESIS-2016
 
Plooto - Next Generation Payment Processing Security
Plooto - Next Generation Payment Processing SecurityPlooto - Next Generation Payment Processing Security
Plooto - Next Generation Payment Processing Security
 
Putting Together the Pieces - The S&OP Technology Landscape - 20 AUG 2015
Putting Together the Pieces - The S&OP Technology Landscape - 20 AUG 2015Putting Together the Pieces - The S&OP Technology Landscape - 20 AUG 2015
Putting Together the Pieces - The S&OP Technology Landscape - 20 AUG 2015
 
Mediabase Ready and First Analysis Report
Mediabase Ready and First Analysis ReportMediabase Ready and First Analysis Report
Mediabase Ready and First Analysis Report
 
Android based crime manage system industrial project i
Android based crime manage system industrial project iAndroid based crime manage system industrial project i
Android based crime manage system industrial project i
 
OBD2 Scanner-Final Year Project Report
OBD2 Scanner-Final Year Project ReportOBD2 Scanner-Final Year Project Report
OBD2 Scanner-Final Year Project Report
 
Web App Security Automated Scanning
Web App Security Automated ScanningWeb App Security Automated Scanning
Web App Security Automated Scanning
 
Airlines research Final Report
Airlines research Final ReportAirlines research Final Report
Airlines research Final Report
 

Operationalizing a Cyber Security Operations Center (SOC) using Splunk