Author: Prof Bill Buchanan
Adv Security and Network Forensics: SIEM
[Title slide diagram: Proxy, VPN, Eve, Bob, Alice]
SIEM Network Security: Big Data
HPC, Cloud, Cracking
- 1997: Deep Blue beats Kasparov
- 2011: Watson beats humans at Jeopardy!
- 2013: Watson beats cancer specialists
Incident Response Types: Some data breaches
Introduction: Incidents
Before Incident, During Incident, After Incident
[Diagram: intruder; intrusion detection]
Incident Response Data States: Data in-motion, data in-use and data at-rest
[Diagram: Internet, firewall, router and switch in front of a DMZ holding proxy, email, web, FTP, domain name and database servers, watched by intrusion detection systems and a second firewall; Bob, Alice and Eve. Data in-motion on the network links, data at-rest on the servers, data in-use on the hosts.]
Introduction: Incidents timeline
Before Incident, During Incident, After Incident
- Data At Rest: Files, Directories, File Rights, Domain Rights, etc.; File changes, File CRUD (Create, Read, Update, Delete), Thumbprints.
- Data In-Motion: Network packet logs, Web logs, Security logs; Network scanners, Intrusion Detection Systems, Firewall logs, etc.
- Data In-Process: Processes, Threads, Memory, etc.; Security Log, Application Log, Registry, Domain Rights.
[Diagram: intruder]
Incident Response Introduction: Four Vs of Big Data
[Diagram: intrusion detection system, firewall, router, switch and proxy, email, web and FTP servers feed data used for management reports, sales analysis, targeted marketing, trending/correlation and incident response; Alice, Bob, Eve]
- Volume: scale of data
- Variety: different forms of data
- Velocity: speed of data generation
- Veracity: trustworthiness
Incident Response Introduction: Data Capture
[Diagram: web, email, FTP and proxy servers, firewall, router, switch and intrusion detection system as capture points; Alice, Bob, Eve]
- IT Ops: Nagios, NetApp, Cisco UCS.
- Web Services: Apache, IIS.
- Microsoft Infrastructure: Active Directory, Exchange, SharePoint.
- Structured Data: CSV, JSON, XML.
- Database Systems: Oracle, MySQL, Microsoft SQL.
- Network/Security: Syslog/SNMP, Cisco NetFlow, Snort.
- Cloud: AWS CloudTrail, Amazon S3, Azure.
- Application Servers: WebLogic, WebSphere, Tomcat.
Incident Response Introduction: Investigation sources
[Diagram: web, email, FTP and proxy servers, firewall and router; Bob and Eve]
- Internal systems
- Cloud service providers
- Communication service providers
- Trusted partners
Incident Response Introduction: Basic timeline
[Diagram: Eve's activity over time (phone call, Wifi connect, tweet, Facebook post, email send, web page access, corporate login, device switch-on) and the record that evidences each step, held by cloud service providers, communication service providers and web services: call record, location record, web log, web/domain log, logs/email, device logs, system log, Internet cache]
Incident Response Introduction: SIEM package
[Diagram: logs/alerts, news feeds and security alerts concerning Eve's activity feed a SIEM package (Splunk) that reports to Bob]
SIEM Network Security: Why?
- Protect users
- Protect assets
- Audit/compliance
- Customer trust
- Shareholder trust
- Protect data
- Protect transactions
- Detect fraud
Risk 4: One Password Fits All
150 million accounts compromised:
# Count Ciphertext Plaintext
--------------------------------------------------------------
1. 1911938 EQ7fIpT7i/Q= 123456
2. 446162 j9p+HwtWWT86aMjgZFLzYg== 123456789
3. 345834 L8qbAD3jl3jioxG6CatHBw== password
4. 211659 BB4e6X+b2xLioxG6CatHBw== adobe123
5. 201580 j9p+HwtWWT/ioxG6CatHBw== 12345678
6. 130832 5djv7ZCI2ws= qwerty
7. 124253 dQi0asWPYvQ= 1234567
8. 113884 7LqYzKVeq8I= 111111
9. 83411 PMDTbP0LZxu03SwrFUvYGA== photoshop
10. 82694 e6MPXQ5G6a8= 123123
Other breaches:
- 1 million accounts, in plain text
- 77 million compromised
- 47 million accounts
- 200,000 client accounts
- Dropbox compromised 2013
- 6.5 million accounts (June 2013)
One account hack ... leads to others.
SIEM Network Security: PCI-DSS
- Build and Maintain a Secure Network: Firewall. System passwords.
- Protect Cardholder Data: Stored cardholder data. Encrypt data.
- Strong Access Control: Restrict access to cardholder data. Assign a unique ID to each user who accesses it. Restrict physical access.
- Maintain a Vulnerability Management Program: Anti-virus. Develop/maintain secure systems and apps.
- Monitor and Test Networks: Track/monitor accesses. Perform security tests.
- Define/Maintain a Security Policy: Design and implement a policy which focuses on security.
SIEM Network Security: SOX
- Sponsors: U.S. Senator Paul Sarbanes and U.S. Representative Michael G. Oxley. USA, Canada, France, etc.
- Scandals: Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom.
- Provisions: Public Company Accounting Oversight Board; Auditor Independence; Corporate Responsibility; Analyst Conflicts of Interest; Corporate Tax Returns.
SIEM Network Security: SIEM
[Diagram: Internet, firewall, router, switch, proxy, email, web and FTP servers and an intrusion detection system all feeding the SIEM; Alice]
- Log Aggregation: data from many sources ... networks, databases, applications, servers, etc.
- Correlation: links events together into coherent instances (time-lining).
- Dashboard: provides an overview of events and alerts for analysis/response.
- Compliance: gathering and reporting of audit/compliance (PCI-DSS, etc).
- Retention: long-term storage of data for audit/compliance.
- Forensic Analysis: analysis of logs across the infrastructure.
SIEM Network Security: Logs
- Local host logs: Application, Security, System, etc.
- Files and Directories: CRUD, Security changes.
- Performance: CPU, Memory, Threads.
- TCP/UDP: Syslog.
- Registry Monitoring: Key changes, Updates.
- Active Directory: User additions, Host changes, Logins.
- Print Monitoring: Jobs.
- Email: Logs.
- Remote Access: Logs.
- Database Access: Logs.
- Environmental: Temp, Humidity.
- Intrusion Detection: Alerts.
SIEM Network Security: Syslog
[Diagram: Internet, firewall, router, switch, email, web and FTP servers and an intrusion detection system sending syslog to a syslog server; Alice]
Buffered logging severity levels (0 is the most severe; setting a level keeps that level and every more severe one):
0 Emergencies   System shutting down due to missing fan tray
1 Alerts        Temperature limit exceeded
2 Critical      Memory allocation failures
3 Errors        Interface Up/Down messages
4 Warnings      Configuration file written to server, via SNMP request
5 Notifications Line protocol Up/Down
6 Information   Access-list violation logging
7 Debugging     Debug messages
Cisco IOS configuration:
> enable
# config t
(config)# logging on
(config)# logging 212.72.52.7
(config)# logging buffer 440240
! level "emergency" keeps only severity 0 at each destination; a higher level (e.g. informational) forwards more
(config)# logging trap emergency
(config)# logging monitor emergency
(config)# logging console emergency
(config)# logging buffer emergency
! the hours offset is required; AKDT is UTC-8
(config)# clock timezone AKDT -8
SIEM Types

SIEM Network Security: SIEM data collected with Cisco NetFlow
Router# configure terminal
! export destination is 192.168.1.1, UDP port 999
Router(config)# ip flow-export destination 192.168.1.1 999
Router(config)# ip flow-export version 9
Router(config)# interface ethernet 0/0
! monitor incoming (ingress) traffic on this interface
Router(config-if)# ip flow ingress
[Diagram: the router interface FA0/0 sees ingress and egress traffic and exports flow records to the collector 192.168.1.1 listening on UDP port 999]
Router# show ip cache flow
IP packet size distribution (1103746 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
35 active, 4061 inactive, 980 added
2921778 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-FTP 108 0.0 1133 40 2.4 1799.6 0.9
TCP-FTPD 108 0.0 1133 40 2.4 1799.6 0.9
TCP-WWW 54 0.0 1133 40 1.2 1799.6 0.8
TCP-SMTP 54 0.0 1133 40 1.2 1799.6 0.8
TCP-BGP 27 0.0 1133 40 0.6 1799.6 0.7
TCP-NNTP 27 0.0 1133 40 0.6 1799.6 0.7
TCP-other 297 0.0 1133 40 6.8 1799.7 0.8
UDP-TFTP 27 0.0 1133 28 0.6 1799.6 1.0
UDP-other 108 0.0 1417 28 3.1 1799.6 0.9
ICMP 135 0.0 1133 427 3.1 1799.6 0.8
Total: 945 0.0 1166 91 22.4 1799.6 0.8
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Et0/0 192.168.67.6 Et1/0.1 172.16.10.200 01 0000 0C01 51
Et0/0 10.10.18.1 Null 172.16.11.5 11 0043 0043 51
Et0/0 10.10.18.1 Null 172.16.11.5 11 0045 0045 51
Et0/0 10.234.53.1 Et1/0.1 172.16.10.2 01 0000 0800 51
.
.
Et0/0 172.16.1.84 Et1/0.1 172.16.10.19 06 0087 0087 50
Et0/0 172.16.1.84 Et1/0.1 172.16.10.19 06 0050 0050 51
Et0/0 172.16.1.85 Et1/0.1 172.16.10.20 06 0089 0089 49
Et0/0 172.16.1.85 Et1/0.1 172.16.10.20 06 0050 0050 50
Et0/0 10.251.10.1 Et1/0.1 172.16.10.2 01 0000 0800 51
Et0/0 10.162.37.71 Null 172.16.11.3 06 027C 027C 49
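The flow table above is what a collector turns into records; as an added example (not part of the slides), this parser reads rows in that layout, decodes the hexadecimal protocol and port columns, and summarises packets per service. The sample rows are copied from the table above; the ICMP type/code packing in DstP follows IOS's documented output format.

```python
import re
from collections import Counter

# Sample rows copied from the 'show ip cache flow' table above; the header line
# names the columns and Pr, SrcP and DstP are printed in hexadecimal.
SAMPLE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Et0/0 192.168.67.6 Et1/0.1 172.16.10.200 01 0000 0C01 51
Et0/0 10.10.18.1 Null 172.16.11.5 11 0043 0043 51
Et0/0 10.234.53.1 Et1/0.1 172.16.10.2 01 0000 0800 51
.
Et0/0 172.16.1.84 Et1/0.1 172.16.10.19 06 0050 0050 51
Et0/0 172.16.1.85 Et1/0.1 172.16.10.20 06 0050 0050 50
Et0/0 10.162.37.71 Null 172.16.11.3 06 027C 027C 49
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers

ROW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst_if>\S+)\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<proto>[0-9A-Fa-f]{2})\s+"
    r"(?P<src_port>[0-9A-Fa-f]{4})\s+(?P<dst_port>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)$"
)


def parse_flow_table(text):
    """Return one dict per flow row; the header line and '.' elision lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        proto = int(m["proto"], 16)
        flow = {
            "src_if": m["src_if"], "src_ip": m["src_ip"],
            "dst_if": m["dst_if"], "dst_ip": m["dst_ip"],
            "proto": proto, "proto_name": PROTO_NAMES.get(proto, str(proto)),
            "src_port": int(m["src_port"], 16), "dst_port": int(m["dst_port"], 16),
            "pkts": int(m["pkts"]),
        }
        if proto == 1:
            # IOS packs the ICMP type into the high byte of DstP and the code into the low byte.
            flow["icmp_type"] = flow["dst_port"] >> 8
            flow["icmp_code"] = flow["dst_port"] & 0xFF
        flows.append(flow)
    return flows


def packets_by_service(flows):
    """Packets per (protocol, destination port): the first summary a SIEM builds from
    exported flows. ICMP rows are keyed by ICMP type instead of a port."""
    totals = Counter()
    for f in flows:
        totals[(f["proto_name"], f.get("icmp_type", f["dst_port"]))] += f["pkts"]
    return totals


def null_routed(flows):
    """Flows whose output interface is Null: the router did not forward them (for example
    traffic addressed to the router itself or to a black-holed prefix), worth a second look."""
    return [f for f in flows if f["dst_if"] == "Null"]
```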
[Diagram: NetFlow collection agent and NetFlow route]

[Screenshot slides: SIEM, Splunk, HP ArcSight]
SIEM Splunk

SIEM Network Security: Web logs
Access.log:
209.160.24.63 - - [11/Mar/2014:18:22:16] "GET /product.screen?productId=WC-SH-A02&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 3878 "http://www.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 349
209.160.24.63 - - [11/Mar/2014:18:22:16] "GET /oldlink?itemId=EST-6&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 1748 "http://www.buttercupgames.com/oldlink?itemId=EST-6" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 731
209.160.24.63 - - [11/Mar/2014:18:22:17] "GET /product.screen?productId=BS-AG-G09&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 2550 "http://www.buttercupgames.com/product.screen?productId=BS-AG-G09" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 422
209.160.24.63 - - [11/Mar/2014:18:22:19] "POST /category.screen?categoryId=STRATEGY&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 407 "http://www.buttercupgames.com/cart.do?action=remove&itemId=EST-7&productId=PZ-SG-G05" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 211
209.160.24.63 - - [11/Mar/2014:18:22:20] "GET /product.screen?productId=FS-SG-G03&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 2047 "http://www.buttercupgames.com/category.screen?categoryId=STRATEGY" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 487
IIS Log:
#Software: Microsoft Internet Information Services 7.5
#Date: 2014-03-25 00:00:09
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-03-25 00:00:09 10.185.7.7 GET /ip/whois site=asos.com 80 - 162.244.11.111 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 155
2014-03-25 00:00:12 10.185.7.7 GET /security/information/bmp - 80 - 66.249.68.217 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 500 19 183 77
2014-03-25 00:00:12 10.185.7.7 GET /ip/whois site=blogspot.nl 80 - 78.46.169.130 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 233
2014-03-25 00:00:15 10.185.7.7 GET /Content/footer.png - 80 - 81.133.198.251 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:27.0)+Gecko/20100101+Firefox/27.0 404 0 64 5693
2014-03-25 00:00:17 10.185.7.7 GET /ip/whois site=proxyring.com 80 - 110.85.106.101 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 14149
2014-03-25 00:00:21 10.185.7.7 GET /ip/whois site=surewest.net 80 - 216.169.139.190 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 171
2014-03-25 00:00:23 10.185.7.7 GET / - 80 - 203.206.171.20 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:27.0)+Gecko/20100101+Firefox/27.0 200 0 0 530
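Log aggregation means bringing these two formats into one schema before any rule runs on them. As an added example (not from the slides), this normalises an Apache combined-format line and an IIS W3C log into the same record layout, then runs two checks across both: clients drawing error responses, and session identifiers carried in URLs. The sample lines are taken from the log excerpts above; the field names of the common record are this example's own choice.

```python
import re
from collections import Counter
from datetime import datetime

# Sample lines taken from the log excerpts above: one Apache access.log entry and
# a short IIS W3C extended log with its #Fields directive.
APACHE_LINE = (
    '209.160.24.63 - - [11/Mar/2014:18:22:16] "GET /oldlink?itemId=EST-6&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" '
    '200 1748 "http://www.buttercupgames.com/oldlink?itemId=EST-6" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 731'
)
IIS_TEXT = """\
#Software: Microsoft Internet Information Services 7.5
#Date: 2014-03-25 00:00:09
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-03-25 00:00:09 10.185.7.7 GET /ip/whois site=asos.com 80 - 162.244.11.111 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 155
2014-03-25 00:00:23 10.185.7.7 GET / - 80 - 203.206.171.20 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:27.0)+Gecko/20100101+Firefox/27.0 200 0 0 530
"""

# Apache combined format. The request line is split into method, target and protocol;
# the sample writes the protocol as "HTTP 1.1", so it is matched up to the closing quote.
APACHE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?(?: (?P<extra>\d+))?$'
)


def parse_apache(line):
    """Normalise one Apache combined-format line, or return None if it does not parse."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")  # drops any tz suffix
    path, _, query = m["target"].partition("?")
    return {"source": "apache", "ts": ts, "client_ip": m["client"], "method": m["method"],
            "path": path, "query": query or None, "status": int(m["status"]),
            "bytes": None if m["bytes"] == "-" else int(m["bytes"]),
            "user_agent": m["ua"] or ""}


def parse_iis(text):
    """Normalise an IIS W3C extended log. The #Fields directive defines the column
    order, so columns are looked up by name rather than by fixed position."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row: a collector would count these rather than abort
        row = dict(zip(fields, values))
        records.append({
            "source": "iis",
            "ts": datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S"),
            "client_ip": row["c-ip"], "method": row["cs-method"], "path": row["cs-uri-stem"],
            "query": None if row["cs-uri-query"] == "-" else row["cs-uri-query"],
            "status": int(row["sc-status"]),
            "bytes": None,  # this #Fields set carries no sc-bytes column
            "user_agent": row["cs(User-Agent)"].replace("+", " "),  # IIS encodes spaces as '+'
        })
    return records


def errors_by_client(records):
    """Clients that drew 4xx/5xx responses, counted across both log sources."""
    return Counter(r["client_ip"] for r in records if r["status"] >= 400)


def session_ids_in_url(records, marker="JSESSIONID"):
    """Records whose query string carries a session identifier: such IDs land in web
    logs and Referer headers, so the log itself becomes a session-hijack risk."""
    return [r for r in records if r["query"] and marker in r["query"]]
```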
SIEM Network Security: Security log
Secure.log:
Thu Mar 11 2014 00:15:01 www1 sshd[4747]: Failed password for invalid user jabber from 118.142.68.222 port 3187 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[4111]: Failed password for invalid user db2 from 118.142.68.222 port 4150 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[5359]: Failed password for invalid user pmuser from 118.142.68.222 port 3356 ssh2
Thu Mar 11 2014 00:15:01 www1 su: pam_unix(su:session): session opened for user root by djohnson(uid=0)
Thu Mar 11 2014 00:15:01 www1 sshd[2660]: Failed password for invalid user irc from 118.142.68.222 port 4343 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[1705]: Failed password for happy from 118.142.68.222 port 4174 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[1292]: Failed password for nobody from 118.142.68.222 port 1654 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[1560]: Failed password for invalid user local from 118.142.68.222 port 4616 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[59414]: Accepted password for myuan from 10.1.10.172 port 1569 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[1876]: Failed password for invalid user db2 from 118.142.68.222 port 1151 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[3310]: Failed password for apache from 118.142.68.222 port 4343 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[2149]: Failed password for nobody from 118.142.68.222 port 1527 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[2766]: Failed password for invalid user guest from 118.142.68.222 port 2581 ssh2
[Screenshot slide: Security log]
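The secure.log excerpt is the kind of stream the SIEM's correlation function (time-lining events into one instance) works on. As an added example (not from the slides), this parser turns lines in that format into events and applies three rules in arrival order: a burst of failed SSH logins from one source, an accepted login from a source already in such a burst, and any su to root. The log sample is constructed in the page's format, with threshold and window values chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the secure.log lines above: a burst of failed
# SSH logins from one source, a su to root, and an eventual accepted login.
SAMPLE_LOG = """\
Thu Mar 11 2014 00:15:01 www1 sshd[4747]: Failed password for invalid user jabber from 118.142.68.222 port 3187 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[4111]: Failed password for invalid user db2 from 118.142.68.222 port 4150 ssh2
Thu Mar 11 2014 00:15:01 www1 su: pam_unix(su:session): session opened for user root by djohnson(uid=0)
Thu Mar 11 2014 00:15:01 www1 sshd[1705]: Failed password for happy from 118.142.68.222 port 4174 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[59414]: Accepted password for myuan from 10.1.10.172 port 1569 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[3310]: Failed password for apache from 118.142.68.222 port 4343 ssh2
Thu Mar 11 2014 00:15:02 www1 sshd[7001]: Failed password for invalid user guest from 118.142.68.222 port 2581 ssh2
Thu Mar 11 2014 00:15:02 www1 sshd[7002]: Accepted password for apache from 118.142.68.222 port 2600 ssh2
"""

# weekday, timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^\w{3} (?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"^Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
SU_RE = re.compile(r"^pam_unix\(su:session\): session opened for user (?P<target>\S+) by (?P<by>\S+)\(uid=(?P<uid>\d+)\)")


def parse_line(line):
    """Turn one secure.log line into an event dict with a 'kind' the rules key on."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), "host": m["host"],
             "prog": m["prog"], "kind": "other", "msg": m["msg"]}
    f = FAILED_RE.match(m["msg"])
    a = ACCEPTED_RE.match(m["msg"])
    s = SU_RE.match(m["msg"])
    if f:
        event.update(kind="failed", user=f["user"], ip=f["ip"], invalid_user=bool(f["invalid"]))
    elif a:
        event.update(kind="accepted", user=a["user"], ip=a["ip"], method=a["method"])
    elif s:
        event.update(kind="su", target=s["target"], by=s["by"])
    return event


def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Apply the three rules over events in arrival order and return the alerts raised."""
    alerts = []
    recent = defaultdict(list)   # source ip -> timestamps of its failures inside the window
    flagged = set()              # sources already reported as brute-forcing (report once)
    for e in events:
        if e is None:
            continue
        if e["kind"] == "failed":
            cutoff = e["ts"] - window
            recent[e["ip"]] = [t for t in recent[e["ip"]] if t >= cutoff] + [e["ts"]]
            if len(recent[e["ip"]]) >= threshold and e["ip"] not in flagged:
                flagged.add(e["ip"])
                alerts.append({"rule": "ssh_bruteforce", "ip": e["ip"],
                               "count": len(recent[e["ip"]]), "ts": e["ts"]})
        elif e["kind"] == "accepted":
            # A success right after a burst of failures is the event worth paging on.
            failures = [t for t in recent[e["ip"]] if t >= e["ts"] - window]
            if len(failures) >= threshold:
                alerts.append({"rule": "ssh_success_after_failures", "ip": e["ip"],
                               "user": e["user"], "count": len(failures), "ts": e["ts"]})
        elif e["kind"] == "su" and e["target"] == "root":
            # Audit-trail alert: root sessions are recorded whether or not they are hostile.
            alerts.append({"rule": "su_to_root", "by": e["by"], "host": e["host"], "ts": e["ts"]})
    return alerts
```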
Practical steps to mitigate DDoS attacks
 
The 300 Leonidas Solution
The 300 Leonidas SolutionThe 300 Leonidas Solution
The 300 Leonidas Solution
 
A modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systemsA modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systems
 
Detect Threats Faster
Detect Threats FasterDetect Threats Faster
Detect Threats Faster
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
 
IoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfuaIoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfua
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream
 
Security Delivery Platform: Best practices
Security Delivery Platform: Best practicesSecurity Delivery Platform: Best practices
Security Delivery Platform: Best practices
 
Core Values Decision Sept
Core Values Decision SeptCore Values Decision Sept
Core Values Decision Sept
 
Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 -  Chris Sistrunk - nsm 101 for ics Defcon 23 -  Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics
 
Leverage the Network
Leverage the NetworkLeverage the Network
Leverage the Network
 

More from Napier University

Intrusion Detection Systems
Intrusion Detection SystemsIntrusion Detection Systems
Intrusion Detection Systems
Napier University
 
Networks
NetworksNetworks
Memory, Big Data and SIEM
Memory, Big Data and SIEMMemory, Big Data and SIEM
Memory, Big Data and SIEM
Napier University
 
What is Cyber Data?
What is Cyber Data?What is Cyber Data?
What is Cyber Data?
Napier University
 
Open Source Intelligence
Open Source IntelligenceOpen Source Intelligence
Open Source Intelligence
Napier University
 
10. Data to Information: NumPy and Pandas
10. Data to Information: NumPy and Pandas10. Data to Information: NumPy and Pandas
10. Data to Information: NumPy and Pandas
Napier University
 
2. Defence Systems
2. Defence Systems2. Defence Systems
2. Defence Systems
Napier University
 
1. Cyber and Intelligence
1. Cyber and Intelligence1. Cyber and Intelligence
1. Cyber and Intelligence
Napier University
 
The Road Ahead for Ripple, Marjan Delatinne
The Road Ahead for Ripple, Marjan DelatinneThe Road Ahead for Ripple, Marjan Delatinne
The Road Ahead for Ripple, Marjan Delatinne
Napier University
 
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
 Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
Napier University
 
ARTiFACTS, Emma Boswood
ARTiFACTS, Emma BoswoodARTiFACTS, Emma Boswood
ARTiFACTS, Emma Boswood
Napier University
 
RMIT Blockchain Innovation Hub, Chris Berg
RMIT Blockchain Innovation Hub, Chris BergRMIT Blockchain Innovation Hub, Chris Berg
RMIT Blockchain Innovation Hub, Chris Berg
Napier University
 
Keynote, Naseem Naqvi
Keynote, Naseem Naqvi Keynote, Naseem Naqvi
Keynote, Naseem Naqvi
Napier University
 
Browser-based Crypto M, C. F Mondschein
Browser-based Crypto M, C. F MondscheinBrowser-based Crypto M, C. F Mondschein
Browser-based Crypto M, C. F Mondschein
Napier University
 
Should we transform or adapt to blockchain - a public sector perspective?, Al...
Should we transform or adapt to blockchain - a public sector perspective?, Al...Should we transform or adapt to blockchain - a public sector perspective?, Al...
Should we transform or adapt to blockchain - a public sector perspective?, Al...
Napier University
 
IoT device attestation system using blockchain, Alistair Duke
IoT device attestation system using blockchain, Alistair DukeIoT device attestation system using blockchain, Alistair Duke
IoT device attestation system using blockchain, Alistair Duke
Napier University
 
Robust Programming of Smart Contracts in Solidity+, RK Shyamasundar
Robust Programming of Smart Contracts in Solidity+, RK ShyamasundarRobust Programming of Smart Contracts in Solidity+, RK Shyamasundar
Robust Programming of Smart Contracts in Solidity+, RK Shyamasundar
Napier University
 
Using Blockchain for Evidence Purpose, Rafael Prabucki
Using Blockchain for Evidence Purpose, Rafael PrabuckiUsing Blockchain for Evidence Purpose, Rafael Prabucki
Using Blockchain for Evidence Purpose, Rafael Prabucki
Napier University
 
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
Napier University
 
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata FereirraEmerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
Napier University
 

More from Napier University (20)

Intrusion Detection Systems
Intrusion Detection SystemsIntrusion Detection Systems
Intrusion Detection Systems
 
Networks
NetworksNetworks
Networks
 
Memory, Big Data and SIEM
Memory, Big Data and SIEMMemory, Big Data and SIEM
Memory, Big Data and SIEM
 
What is Cyber Data?
What is Cyber Data?What is Cyber Data?
What is Cyber Data?
 
Open Source Intelligence
Open Source IntelligenceOpen Source Intelligence
Open Source Intelligence
 
10. Data to Information: NumPy and Pandas
10. Data to Information: NumPy and Pandas10. Data to Information: NumPy and Pandas
10. Data to Information: NumPy and Pandas
 
2. Defence Systems
2. Defence Systems2. Defence Systems
2. Defence Systems
 
1. Cyber and Intelligence
1. Cyber and Intelligence1. Cyber and Intelligence
1. Cyber and Intelligence
 
The Road Ahead for Ripple, Marjan Delatinne
The Road Ahead for Ripple, Marjan DelatinneThe Road Ahead for Ripple, Marjan Delatinne
The Road Ahead for Ripple, Marjan Delatinne
 
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
 Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
 
ARTiFACTS, Emma Boswood
ARTiFACTS, Emma BoswoodARTiFACTS, Emma Boswood
ARTiFACTS, Emma Boswood
 
RMIT Blockchain Innovation Hub, Chris Berg
RMIT Blockchain Innovation Hub, Chris BergRMIT Blockchain Innovation Hub, Chris Berg
RMIT Blockchain Innovation Hub, Chris Berg
 
Keynote, Naseem Naqvi
Keynote, Naseem Naqvi Keynote, Naseem Naqvi
Keynote, Naseem Naqvi
 
Browser-based Crypto M, C. F Mondschein
Browser-based Crypto M, C. F MondscheinBrowser-based Crypto M, C. F Mondschein
Browser-based Crypto M, C. F Mondschein
 
Should we transform or adapt to blockchain - a public sector perspective?, Al...
Should we transform or adapt to blockchain - a public sector perspective?, Al...Should we transform or adapt to blockchain - a public sector perspective?, Al...
Should we transform or adapt to blockchain - a public sector perspective?, Al...
 
IoT device attestation system using blockchain, Alistair Duke
IoT device attestation system using blockchain, Alistair DukeIoT device attestation system using blockchain, Alistair Duke
IoT device attestation system using blockchain, Alistair Duke
 
Robust Programming of Smart Contracts in Solidity+, RK Shyamasundar
Robust Programming of Smart Contracts in Solidity+, RK ShyamasundarRobust Programming of Smart Contracts in Solidity+, RK Shyamasundar
Robust Programming of Smart Contracts in Solidity+, RK Shyamasundar
 
Using Blockchain for Evidence Purpose, Rafael Prabucki
Using Blockchain for Evidence Purpose, Rafael PrabuckiUsing Blockchain for Evidence Purpose, Rafael Prabucki
Using Blockchain for Evidence Purpose, Rafael Prabucki
 
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
 
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata FereirraEmerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
 

Recently uploaded

Polish students' mobility in the Czech Republic
Polish students' mobility in the Czech RepublicPolish students' mobility in the Czech Republic
Polish students' mobility in the Czech Republic
Anna Sz.
 
The Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptxThe Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptx
DhatriParmar
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star   -  Saka Neela TaraOperation Blue Star   -  Saka Neela Tara
Operation Blue Star - Saka Neela Tara
Balvir Singh
 
Acetabularia Information For Class 9 .docx
Acetabularia Information For Class 9  .docxAcetabularia Information For Class 9  .docx
Acetabularia Information For Class 9 .docx
vaibhavrinwa19
 
The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
heathfieldcps1
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
Peter Windle
 
Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.
Ashokrao Mane college of Pharmacy Peth-Vadgaon
 
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th SemesterGuidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Atul Kumar Singh
 
The geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideasThe geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideas
GeoBlogs
 
Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345
beazzy04
 
Adversarial Attention Modeling for Multi-dimensional Emotion Regression.pdf
Adversarial Attention Modeling for Multi-dimensional Emotion Regression.pdfAdversarial Attention Modeling for Multi-dimensional Emotion Regression.pdf
Adversarial Attention Modeling for Multi-dimensional Emotion Regression.pdf
Po-Chuan Chen
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup   New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup   New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
TechSoup
 
"Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe..."Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe...
SACHIN R KONDAGURI
 
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
MysoreMuleSoftMeetup
 
Palestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxPalestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptx
RaedMohamed3
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
Vivekanand Anglo Vedic Academy
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
siemaillard
 
Home assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdfHome assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdf
Tamralipta Mahavidyalaya
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
EverAndrsGuerraGuerr
 
Honest Reviews of Tim Han LMA Course Program.pptx
Honest Reviews of Tim Han LMA Course Program.pptxHonest Reviews of Tim Han LMA Course Program.pptx
Honest Reviews of Tim Han LMA Course Program.pptx
timhan337
 

Recently uploaded (20)

Polish students' mobility in the Czech Republic
Polish students' mobility in the Czech RepublicPolish students' mobility in the Czech Republic
Polish students' mobility in the Czech Republic
 
The Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptxThe Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptx
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star   -  Saka Neela TaraOperation Blue Star   -  Saka Neela Tara
Operation Blue Star - Saka Neela Tara
 
Acetabularia Information For Class 9 .docx
Acetabularia Information For Class 9  .docxAcetabularia Information For Class 9  .docx
Acetabularia Information For Class 9 .docx
 
The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
 
Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.
 
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th SemesterGuidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th Semester
 
The geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideasThe geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideas
 
Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345
 
Adversarial Attention Modeling for Multi-dimensional Emotion Regression.pdf
Adversarial Attention Modeling for Multi-dimensional Emotion Regression.pdfAdversarial Attention Modeling for Multi-dimensional Emotion Regression.pdf
Adversarial Attention Modeling for Multi-dimensional Emotion Regression.pdf
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup   New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup   New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
 
"Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe..."Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe...
 
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
 
Palestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxPalestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptx
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
Home assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdfHome assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdf
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
 
Honest Reviews of Tim Han LMA Course Program.pptx
Honest Reviews of Tim Han LMA Course Program.pptxHonest Reviews of Tim Han LMA Course Program.pptx
Honest Reviews of Tim Han LMA Course Program.pptx
 

Incident Response: SIEM

  • 1. Advanced Security and Network Forensics: SIEM. Author: Prof Bill Buchanan. [Title diagram: Proxy, VPN, Eve, Bob, Alice]
  • 4. HPC / Cloud Cracking. Milestones in machine computation: 1997, Deep Blue beats Kasparov; 2011, Watson beats humans at Jeopardy!; 2013, Watson beats cancer specialists.
  • 5. Types (Incident Response): Some data breaches.
  • 7. Introduction: Incidents. Timeline: Before Incident, During Incident, After Incident. [Diagram: Intruder; Intrusion Detection]
  • 8. Data states (Incident Response): data in-motion, data in-use and data at-rest. [Diagram: Internet, two firewalls, DMZ with proxy, email, web and FTP servers, two intrusion detection systems, switch, router, domain name server and database server; Bob, Alice and Eve; the three data states labelled on the links, hosts and servers]
  • 9. Introduction: Incidents. Evidence by data state across the timeline (Before Incident, During Incident, After Incident; Intruder):
      Data at rest: files, directories, file rights, domain rights, etc.; file changes, file CRUD (Create, Read, Update, Delete), thumbprints.
      Data in-motion: network packet logs, web logs, security logs; network scanners, intrusion detection systems, firewall logs, etc.
      Data in-process: processes, threads, memory, etc.; security log, application log, registry, domain rights.
  • 10. Introduction (Incident Response): Four Vs of Big Data.
      Volume [scale of data]. Variety [different forms of data]. Velocity [speed of data generation]. Veracity [trustworthiness].
      Uses of the collected data: management report, sales analysis, targeted marketing, trending/correlation, incident response. [Diagram: intrusion detection system, firewall, router, proxy, email, web and FTP servers, switch; Alice, Bob, Eve]
  • 11. Introduction (Incident Response): Data Capture. Sources feeding the SIEM:
      IT Ops: Nagios, NetApp, Cisco UCS. Web Services: Apache, IIS. Microsoft Infrastructure: Active Directory, Exchange, SharePoint. Structured Data: CSV, JSON, XML. Database Systems: Oracle, MySQL, Microsoft SQL. Network/Security: Syslog/SNMP, Cisco NetFlow, Snort (intrusion detection system). Cloud: AWS CloudTrail, Amazon S3, Azure. Application Servers: WebLogic, WebSphere, Tomcat. [Diagram: web server, firewall, router, proxy, email and FTP servers, switch; Eve, Bob, Alice]
  • 13. Introduction (Incident Response): Basic timeline. Record holders: cloud service providers, communication service providers, web services. User events placed on the time line: device switch-on, phone call, Wi-Fi connect, corporate login, web page access, email send, tweet, Facebook post. Records that evidence them: device logs, system log, call record, location record, web log, web/domain log, logs/email, internet cache. [Diagram: Eve]
  • 15. Section title: SIEM (Advanced Security and Network Forensics).
  • 16. SIEM (Network Security): Why? Protect users; protect assets; audit/compliance; customer trust; shareholder trust; protect data; protect transactions; detect fraud.
  • 18. Risk 4: One Password Fits All. 150 million accounts compromised. Top ten entries of the leaked password table:
      #    Count     Ciphertext                  Plaintext
      1.   1911938   EQ7fIpT7i/Q=                123456
      2.   446162    j9p+HwtWWT86aMjgZFLzYg==    123456789
      3.   345834    L8qbAD3jl3jioxG6CatHBw==    password
      4.   211659    BB4e6X+b2xLioxG6CatHBw==    adobe123
      5.   201580    j9p+HwtWWT/ioxG6CatHBw==    12345678
      6.   130832    5djv7ZCI2ws=                qwerty
      7.   124253    dQi0asWPYvQ=                1234567
      8.   113884    7LqYzKVeq8I=                111111
      9.   83411     PMDTbP0LZxu03SwrFUvYGA==    photoshop
      10.  82694     e6MPXQ5G6a8=                123123
      The passwords were encrypted rather than hashed, with a 64-bit block cipher (3DES) in ECB mode and no salt, so identical plaintext blocks produce identical ciphertext blocks. This is visible in the table: 123456789 and 12345678 share their first block (j9p+HwtWWT...), and every 8-character password (password, adobe123, 12345678) ends in the same padding block (...ioxG6CatHBw==). One recovered password therefore decrypts that block in every other account that contains it.
      Other breaches pictured: 1 million accounts in plain text; 77 million compromised; 47 million accounts; 200,000 client accounts; Dropbox compromised (2013); one account hack leads to others; 6.5 million accounts (June 2013).
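The block-sharing pattern in the table above is exactly what an analyst exploits to recover passwords from an ECB-encrypted dump without the key. The following is an added example, not code from the slides: it takes the ten rows shown, splits each ciphertext into its 8-byte ECB blocks, and builds a codebook from ciphertext block to plaintext block. The codebook then partially decrypts a ciphertext that has never been seen before. The function names are mine, the padding is assumed to be PKCS#5-style (consistent with every 8-character password producing exactly two blocks), and the "unknown user" ciphertext at the end is constructed for the demonstration, not taken from the dump.

```python
import base64
from collections import defaultdict

BLOCK = 8  # 64-bit block cipher in ECB mode: every 8 ciphertext bytes is an independent block

# The ten rows from the slide's table: (count, base64 ciphertext, plaintext recovered from hints).
LEAKED_TOP10 = [
    (1911938, "EQ7fIpT7i/Q=",             "123456"),
    (446162,  "j9p+HwtWWT86aMjgZFLzYg==", "123456789"),
    (345834,  "L8qbAD3jl3jioxG6CatHBw==", "password"),
    (211659,  "BB4e6X+b2xLioxG6CatHBw==", "adobe123"),
    (201580,  "j9p+HwtWWT/ioxG6CatHBw==", "12345678"),
    (130832,  "5djv7ZCI2ws=",             "qwerty"),
    (124253,  "dQi0asWPYvQ=",             "1234567"),
    (113884,  "7LqYzKVeq8I=",             "111111"),
    (83411,   "PMDTbP0LZxu03SwrFUvYGA==", "photoshop"),
    (82694,   "e6MPXQ5G6a8=",             "123123"),
]


def ecb_blocks(ciphertext_b64):
    """Split a base64 ciphertext into its 8-byte ECB blocks (as hex strings)."""
    raw = base64.b64decode(ciphertext_b64)
    if len(raw) % BLOCK:
        raise ValueError("ciphertext is not a whole number of blocks")
    return [raw[i:i + BLOCK].hex() for i in range(0, len(raw), BLOCK)]


def pad(plaintext):
    """PKCS#5-style padding to a block multiple (an assumption; it matches the
    block counts in the dump, e.g. every 8-character password gives two blocks)."""
    n = BLOCK - len(plaintext) % BLOCK
    return plaintext.encode() + bytes([n]) * n


def build_codebook(rows):
    """Map every ciphertext block to the plaintext block it encrypts.

    With no salt and no chaining, block k of a user's ciphertext depends only on
    bytes [8k, 8k+8) of the padded password and the single global key. A block seen
    under a known password therefore decrypts that block for every other user."""
    codebook = defaultdict(set)
    for _count, ct, pt in rows:
        padded = pad(pt)
        for k, blk in enumerate(ecb_blocks(ct)):
            codebook[blk].add(padded[k * BLOCK:(k + 1) * BLOCK])
    return codebook


def codebook_is_consistent(codebook):
    """Each ciphertext block must map to exactly one plaintext block; a conflict
    would mean a wrong plaintext guess or a wrong padding assumption."""
    return all(len(candidates) == 1 for candidates in codebook.values())


def partial_decrypt(ciphertext_b64, codebook):
    """Recover the blocks of an unseen ciphertext that are already in the codebook;
    blocks that are still unknown come back as None."""
    out = []
    for blk in ecb_blocks(ciphertext_b64):
        candidates = codebook.get(blk)
        out.append(next(iter(candidates)) if candidates and len(candidates) == 1 else None)
    return out


# Constructed test subject (not from the dump): first block identical to the block
# for "password", second block never seen, i.e. a password "password" + more characters.
UNKNOWN_USER_CT_B64 = base64.b64encode(
    base64.b64decode("L8qbAD3jl3jioxG6CatHBw==")[:BLOCK] + bytes(BLOCK)
).decode()


if __name__ == "__main__":
    cb = build_codebook(LEAKED_TOP10)
    print("codebook consistent:", codebook_is_consistent(cb))
    for blk, pts in cb.items():
        print(blk, sorted(pts))
    print("unknown user, recovered blocks:", partial_decrypt(UNKNOWN_USER_CT_B64, cb))
```

The codebook grows with every password recovered from a hint, and each new entry decrypts that block across the whole table. A per-user salt, or a proper password hash, would have made the blocks of different users incomparable and this attack impossible.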
  • 19. SIEM (Network Security): PCI-DSS.
      Build and Maintain a Secure Network: firewall; system passwords.
      Protect Cardholder Data: stored cardholder data; encrypt data.
      Strong Access Control: restrict access to cardholder data; assign a unique ID to each user who accesses; restrict physical access.
      Maintain a Vulnerability Management Program: anti-virus; develop/maintain secure systems and applications.
      Monitor and Test Networks: track/monitor accesses; perform security tests.
      Define/Maintain a Security Policy: design and implement a policy which focuses on security.
  • 20. SIEM (Network Security): SOX (Sarbanes-Oxley). Sponsored by U.S. Senator Paul Sarbanes and U.S. Representative Michael G. Oxley, after the Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom scandals. Jurisdictions with this or equivalent legislation: USA, Canada, France, etc. Provisions: Public Company Accounting Oversight Board; Auditor Independence; Corporate Responsibility; Analyst Conflicts of Interest; Corporate Tax Returns.
  • 21. SIEM (Network Security): SIEM functions.
      Log Aggregation: data from many sources (networks, databases, applications, servers, etc.).
      Correlation: links events together into coherent incidents (time-lining).
      Dashboard: an overview of events and alerts for analysis/response.
      Compliance: gathering and reporting of audit/compliance evidence (PCI-DSS, etc.).
      Retention: long-term storage of data for audit/compliance.
      Forensic Analysis: analysis of logs across the infrastructure.
      [Diagram: intrusion detection system, firewall, Internet, router, proxy, email, web and FTP servers, switch; Alice]
  • 22. SIEM (Network Security): Logs.
      Local host logs: application, security, system, etc. Files and directories: CRUD, security changes. Performance: CPU, memory, threads. TCP/UDP: syslog. Registry monitoring: key changes, updates. Active Directory: user additions, host changes, logins. Print monitoring: jobs. Email: logs. Remote access: logs. Database access: logs. Environmental: temperature, humidity. Intrusion detection: alerts.
  • 23. SIEM (Network Security): Syslog. [Diagram: intrusion detection system, firewall, Internet, router, syslog server, email, web and FTP servers, switch; Alice]
      Severity levels (Cisco IOS names and typical messages):
      0  Emergencies    System shutting down due to missing fan tray
      1  Alerts         Temperature limit exceeded
      2  Critical       Memory allocation failures
      3  Errors         Interface Up/Down messages
      4  Warnings       Configuration file written to server, via SNMP request
      5  Notifications  Line protocol Up/Down
      6  Informational  Access-list violation logging
      7  Debugging      Debug messages
      Buffered logging configuration on a Cisco router:
      > enable
      # config t
      (config)# logging on
      (config)# logging 212.72.52.7
      (config)# logging buffer 440240
      (config)# logging trap emergency
      (config)# logging monitor emergency
      (config)# logging console emergency
      (config)# logging buffer emergency
      (config)# clock timezone AKDT
      Each logging level is a ceiling: "logging trap emergency" sends only severity-0 messages to the syslog server at 212.72.52.7, so the access-list violations (severity 6) used as the example above would never reach the SIEM. A collector that is meant to see them needs "logging trap informational" (numeric level 6).
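The severity table and the "logging trap" ceiling are what a syslog receiver has to reproduce when it decides which messages to keep. The following is an added example, not code from the slides: it decodes the PRI header of a raw syslog datagram into facility and severity (PRI = facility * 8 + severity) and applies an IOS-style trap level to it. The function names are mine; the three datagrams are constructed in IOS style on the default facility local7 (23), and the %SYS-0-FANTRAY mnemonic is invented to stand for the slide's level-0 example (the other two mnemonics are real IOS ones).

```python
# Cisco IOS severity names, index = severity number (the table on the slide).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# RFC 3164 facility codes; IOS uses local7 (23) unless "logging facility" changes it.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}


def decode_pri(datagram):
    """Split a raw syslog datagram "<PRI>body" into (facility, severity, body).

    PRI = facility * 8 + severity, so the severity is the low three bits and the
    facility is everything above them."""
    if not datagram.startswith("<") or ">" not in datagram:
        raise ValueError("no <PRI> header: " + datagram[:20])
    end = datagram.index(">")
    pri = int(datagram[1:end])
    if not 0 <= pri <= 191:  # local7.debugging = 23*8+7 is the highest legal value
        raise ValueError("PRI out of range: %d" % pri)
    return pri >> 3, pri & 0x7, datagram[end + 1:]


def passes_trap_level(severity, trap_level):
    """Mirror of IOS "logging trap <level>": a message is exported when its
    severity number is at most the configured level (0 is the most severe)."""
    return severity <= trap_level


def forwarded(datagrams, trap_level):
    """Messages a router configured with the given trap level would send to the collector."""
    out = []
    for d in datagrams:
        facility, severity, body = decode_pri(d)
        if passes_trap_level(severity, trap_level):
            out.append((FACILITIES.get(facility, "unknown"), SEVERITIES[severity], body))
    return out


# Constructed datagrams: PRI 184 = 23*8+0, 187 = 23*8+3, 190 = 23*8+6.
# %SYS-0-FANTRAY is invented for this example; %LINK-3-UPDOWN and %SEC-6-IPACCESSLOGP are real IOS mnemonics.
SAMPLE = [
    "<184>12: *Mar  1 00:00:01.000: %SYS-0-FANTRAY: System shutting down due to missing fan tray",
    "<187>13: *Mar  1 00:00:02.000: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to down",
    "<190>14: *Mar  1 00:00:03.000: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(1234) -> 172.16.10.2(23), 1 packet",
]

if __name__ == "__main__":
    for name in ("emergencies", "errors", "informational"):
        kept = forwarded(SAMPLE, SEVERITIES.index(name))
        print("logging trap %-13s -> %d of %d messages exported" % (name, len(kept), len(SAMPLE)))
```

Run as-is, the trap level from the slide's configuration ("emergencies") exports one of the three messages and drops the access-list denial; "informational" exports all three.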
  • 24. Section title: SIEM Types. [Diagram: Proxy, VPN, Eve, Bob, Alice]
  • 27. SIEM (Network Security): SIEM data collected with Cisco NetFlow. [Diagram: NetFlow router, FA0/0, ingress and egress traffic; NetFlow collection agent at 192.168.1.1 listening on UDP 999]
      Router# configure terminal
      ! Export destination is 192.168.1.1, UDP port 999
      Router(config)# ip flow-export destination 192.168.1.1 999
      Router(config)# ip flow-export version 9
      Router(config)# interface ethernet 0/0
      ! Monitor incoming traffic on this interface
      Router(config-if)# ip flow ingress

      Router# show ip cache flow
      IP packet size distribution (1103746 total packets):
         1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
         .249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

          512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
         .000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000

      IP Flow Switching Cache, 278544 bytes
        35 active, 4061 inactive, 980 added
        2921778 ager polls, 0 flow alloc failures
        Active flows timeout in 30 minutes
        Inactive flows timeout in 15 seconds
      IP Sub Flow Cache, 21640 bytes
        0 active, 1024 inactive, 0 added, 0 added to flow
        0 alloc failures, 0 force free
        1 chunk, 1 chunk added
        last clearing of statistics never

      Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
      --------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
      TCP-FTP            108      0.0      1133    40      2.4    1799.6       0.9
      TCP-FTPD           108      0.0      1133    40      2.4    1799.6       0.9
      TCP-WWW             54      0.0      1133    40      1.2    1799.6       0.8
      TCP-SMTP            54      0.0      1133    40      1.2    1799.6       0.8
      TCP-BGP             27      0.0      1133    40      0.6    1799.6       0.7
      TCP-NNTP            27      0.0      1133    40      0.6    1799.6       0.7
      TCP-other          297      0.0      1133    40      6.8    1799.7       0.8
      UDP-TFTP            27      0.0      1133    28      0.6    1799.6       1.0
      UDP-other          108      0.0      1417    28      3.1    1799.6       0.9
      ICMP               135      0.0      1133   427      3.1    1799.6       0.8
      Total:             945      0.0      1166    91     22.4    1799.6       0.8

      SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
      Et0/0         192.168.67.6    Et1/0.1       172.16.10.200   01 0000 0C01    51
      Et0/0         10.10.18.1      Null          172.16.11.5     11 0043 0043    51
      Et0/0         10.10.18.1      Null          172.16.11.5     11 0045 0045    51
      Et0/0         10.234.53.1     Et1/0.1       172.16.10.2     01 0000 0800    51
      .
      .
      Et0/0         172.16.1.84     Et1/0.1       172.16.10.19    06 0087 0087    50
      Et0/0         172.16.1.84     Et1/0.1       172.16.10.19    06 0050 0050    51
      Et0/0         172.16.1.85     Et1/0.1       172.16.10.20    06 0089 0089    49
      Et0/0         172.16.1.85     Et1/0.1       172.16.10.20    06 0050 0050    50
      Et0/0         10.251.10.1     Et1/0.1       172.16.10.2     01 0000 0800    51
      Et0/0         10.162.37.71    Null          172.16.11.3     06 027C 027C    49
      (In the flow table Pr is the IP protocol number in hex: 01 ICMP, 06 TCP, 11 UDP; SrcP and DstP are the ports in hex, e.g. 0050 is TCP 80.)
  • 34. Section title: SIEM: Splunk. [Diagram: Proxy, VPN, Eve, Bob, Alice]
  • 35. SIEM (Network Security): Web logs.
      Access.log (Apache/NCSA combined format):
      209.160.24.63 - - [11/Mar/2014:18:22:16] "GET /product.screen?productId=WC-SH-A02&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 3878 "http://www.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 349
      209.160.24.63 - - [11/Mar/2014:18:22:16] "GET /oldlink?itemId=EST-6&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 1748 "http://www.buttercupgames.com/oldlink?itemId=EST-6" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 731
      209.160.24.63 - - [11/Mar/2014:18:22:17] "GET /product.screen?productId=BS-AG-G09&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 2550 "http://www.buttercupgames.com/product.screen?productId=BS-AG-G09" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 422
      209.160.24.63 - - [11/Mar/2014:18:22:19] "POST /category.screen?categoryId=STRATEGY&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 407 "http://www.buttercupgames.com/cart.do?action=remove&itemId=EST-7&productId=PZ-SG-G05" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 211
      209.160.24.63 - - [11/Mar/2014:18:22:20] "GET /product.screen?productId=FS-SG-G03&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 2047 "http://www.buttercupgames.com/category.screen?categoryId=STRATEGY" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 487
      IIS log (W3C extended format):
      #Software: Microsoft Internet Information Services 7.5
      #Date: 2014-03-25 00:00:09
      #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
      2014-03-25 00:00:09 10.185.7.7 GET /ip/whois site=asos.com 80 - 162.244.11.111 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 155
      2014-03-25 00:00:12 10.185.7.7 GET /security/information/bmp - 80 - 66.249.68.217 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 500 19 183 77
      2014-03-25 00:00:12 10.185.7.7 GET /ip/whois site=blogspot.nl 80 - 78.46.169.130 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 233
      2014-03-25 00:00:15 10.185.7.7 GET /Content/footer.png - 80 - 81.133.198.251 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:27.0)+Gecko/20100101+Firefox/27.0 404 0 64 5693
      2014-03-25 00:00:17 10.185.7.7 GET /ip/whois site=proxyring.com 80 - 110.85.106.101 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 14149
      2014-03-25 00:00:21 10.185.7.7 GET /ip/whois site=surewest.net 80 - 216.169.139.190 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 171
      2014-03-25 00:00:23 10.185.7.7 GET / - 80 - 203.206.171.20 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:27.0)+Gecko/20100101+Firefox/27.0 200 0 0 530
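The two web-log formats above are the log-aggregation problem from slide 21 in miniature: before they can be correlated, an NCSA combined line and a W3C extended line have to be parsed into one schema with one time base. The following is an added example, not code from the slides or from Splunk: it parses both samples into a common event record, orders them on one time line, and runs a single query over the merged stream that a per-IP threshold would miss, namely a URL that is returning 404 to several distinct clients. The function names are mine; the sample lines are the ones on the slide, embedded verbatim.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Sample lines copied from the slide. The Apache lines carry no timezone offset; the
# IIS lines are W3C extended format, column order given by the #Fields header.
APACHE_SAMPLE = r'''209.160.24.63 - - [11/Mar/2014:18:22:16] "GET /product.screen?productId=WC-SH-A02&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 3878 "http://www.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 349
209.160.24.63 - - [11/Mar/2014:18:22:16] "GET /oldlink?itemId=EST-6&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 1748 "http://www.buttercupgames.com/oldlink?itemId=EST-6" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 731
209.160.24.63 - - [11/Mar/2014:18:22:17] "GET /product.screen?productId=BS-AG-G09&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 2550 "http://www.buttercupgames.com/product.screen?productId=BS-AG-G09" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 422
209.160.24.63 - - [11/Mar/2014:18:22:19] "POST /category.screen?categoryId=STRATEGY&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 407 "http://www.buttercupgames.com/cart.do?action=remove&itemId=EST-7&productId=PZ-SG-G05" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 211
209.160.24.63 - - [11/Mar/2014:18:22:20] "GET /product.screen?productId=FS-SG-G03&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 2047 "http://www.buttercupgames.com/category.screen?categoryId=STRATEGY" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 487'''

IIS_SAMPLE = '''#Software: Microsoft Internet Information Services 7.5
#Date: 2014-03-25 00:00:09
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-03-25 00:00:09 10.185.7.7 GET /ip/whois site=asos.com 80 - 162.244.11.111 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 155
2014-03-25 00:00:12 10.185.7.7 GET /security/information/bmp - 80 - 66.249.68.217 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 500 19 183 77
2014-03-25 00:00:12 10.185.7.7 GET /ip/whois site=blogspot.nl 80 - 78.46.169.130 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 233
2014-03-25 00:00:15 10.185.7.7 GET /Content/footer.png - 80 - 81.133.198.251 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:27.0)+Gecko/20100101+Firefox/27.0 404 0 64 5693
2014-03-25 00:00:17 10.185.7.7 GET /ip/whois site=proxyring.com 80 - 110.85.106.101 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 14149
2014-03-25 00:00:21 10.185.7.7 GET /ip/whois site=surewest.net 80 - 216.169.139.190 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 171
2014-03-25 00:00:23 10.185.7.7 GET / - 80 - 203.206.171.20 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:27.0)+Gecko/20100101+Firefox/27.0 200 0 0 530'''

APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')


def parse_apache(text):
    """NCSA combined lines to the common schema. Unparsed lines are skipped here;
    a SIEM should send them to a dead-letter index rather than drop them silently."""
    events = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        events.append({
            # No offset in this sample, so this is the server's local time; it has to be
            # normalised to UTC before it is correlated with any other source.
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S"),
            "client_ip": m["ip"], "method": m["method"],
            "path": urlsplit(m["uri"]).path, "status": int(m["status"]),
            "user_agent": m["ua"], "source": "apache",
        })
    return events


def parse_iis(text):
    """W3C extended lines to the same schema, driven by the #Fields header."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            row = dict(zip(fields, line.split()))
            events.append({
                "ts": datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S"),  # IIS logs UTC by default
                "client_ip": row["c-ip"], "method": row["cs-method"],
                "path": row["cs-uri-stem"], "status": int(row["sc-status"]),
                "user_agent": row["cs(User-Agent)"].replace("+", " "),  # IIS writes spaces as '+'
                "source": "iis",
            })
    return events


def normalize(apache_text, iis_text):
    """One time-ordered event stream across both web servers."""
    return sorted(parse_apache(apache_text) + parse_iis(iis_text), key=lambda e: e["ts"])


def count_by_status(events):
    return Counter(e["status"] for e in events)


def distributed_404s(events, min_ips=3):
    """Paths that returned 404 to at least min_ips distinct clients: one non-existent
    URL probed from many sources, which a per-IP failure threshold never fires on."""
    ips = defaultdict(set)
    for e in events:
        if e["status"] == 404:
            ips[e["path"]].add(e["client_ip"])
    return {path: len(s) for path, s in ips.items() if len(s) >= min_ips}


if __name__ == "__main__":
    evts = normalize(APACHE_SAMPLE, IIS_SAMPLE)
    print(len(evts), "events;", dict(count_by_status(evts)))
    print("paths probed from many clients:", distributed_404s(evts))
```

On the slide's data the merged stream holds twelve events, and /ip/whois is the one path being requested by four different clients that all receive 404, all with the same Opera user agent.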
  • 36. SIEM (Network Security): Security log (Secure.log).
      Thu Mar 11 2014 00:15:01 www1 sshd[4747]: Failed password for invalid user jabber from 118.142.68.222 port 3187 ssh2
      Thu Mar 11 2014 00:15:01 www1 sshd[4111]: Failed password for invalid user db2 from 118.142.68.222 port 4150 ssh2
      Thu Mar 11 2014 00:15:01 www1 sshd[5359]: Failed password for invalid user pmuser from 118.142.68.222 port 3356 ssh2
      Thu Mar 11 2014 00:15:01 www1 su: pam_unix(su:session): session opened for user root by djohnson(uid=0)
      Thu Mar 11 2014 00:15:01 www1 sshd[2660]: Failed password for invalid user irc from 118.142.68.222 port 4343 ssh2
      Thu Mar 11 2014 00:15:01 www1 sshd[1705]: Failed password for happy from 118.142.68.222 port 4174 ssh2
      Thu Mar 11 2014 00:15:01 www1 sshd[1292]: Failed password for nobody from 118.142.68.222 port 1654 ssh2
      Thu Mar 11 2014 00:15:01 www1 sshd[1560]: Failed password for invalid user local from 118.142.68.222 port 4616 ssh2
      Thu Mar 11 2014 00:15:01 www1 sshd[59414]: Accepted password for myuan from 10.1.10.172 port 1569 ssh2
      Thu Mar 11 2014 00:15:01 www1 sshd[1876]: Failed password for invalid user db2 from 118.142.68.222 port 1151 ssh2
      Thu Mar 11 2014 00:15:01 www1 sshd[3310]: Failed password for apache from 118.142.68.222 port 4343 ssh2
      Thu Mar 11 2014 00:15:01 www1 sshd[2149]: Failed password for nobody from 118.142.68.222 port 1527 ssh2
      Thu Mar 11 2014 00:15:01 www1 sshd[2766]: Failed password for invalid user guest from 118.142.68.222 port 2581 ssh2
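The secure.log extract above is the classic SIEM correlation case: one source address cycling through usernames, a legitimate login from the inside mixed in, and a privilege change that has nothing to do with sshd. The following is an added example, not code from the slides: it parses the sshd and su lines shown, aggregates failures per source address, raises a brute-force alert when a threshold of failures falls inside a sliding time window, raises a higher-priority alert if the same source later gets an "Accepted", and records every su to root. The function names and thresholds are mine; the log text is the slide's, embedded verbatim (its timestamp format carries a year, unlike stock syslog).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The secure.log lines shown on the slide: a password-guessing run from one source,
# one accepted login from the internal network and one su to root.
SECURE_LOG = """\
Thu Mar 11 2014 00:15:01 www1 sshd[4747]: Failed password for invalid user jabber from 118.142.68.222 port 3187 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[4111]: Failed password for invalid user db2 from 118.142.68.222 port 4150 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[5359]: Failed password for invalid user pmuser from 118.142.68.222 port 3356 ssh2
Thu Mar 11 2014 00:15:01 www1 su: pam_unix(su:session): session opened for user root by djohnson(uid=0)
Thu Mar 11 2014 00:15:01 www1 sshd[2660]: Failed password for invalid user irc from 118.142.68.222 port 4343 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[1705]: Failed password for happy from 118.142.68.222 port 4174 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[1292]: Failed password for nobody from 118.142.68.222 port 1654 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[1560]: Failed password for invalid user local from 118.142.68.222 port 4616 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[59414]: Accepted password for myuan from 10.1.10.172 port 1569 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[1876]: Failed password for invalid user db2 from 118.142.68.222 port 1151 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[3310]: Failed password for apache from 118.142.68.222 port 4343 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[2149]: Failed password for nobody from 118.142.68.222 port 1527 ssh2
Thu Mar 11 2014 00:15:01 www1 sshd[2766]: Failed password for invalid user guest from 118.142.68.222 port 2581 ssh2
"""

# The slide's timestamp format ("Thu Mar 11 2014 00:15:01") includes the year.
TS = r"(?P<ts>\w{3} \w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d)"
SSH_RE = re.compile(TS + r" (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
                    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$")
SU_RE = re.compile(TS + r" (?P<host>\S+) su: pam_unix\(su:session\): session opened for user "
                   r"(?P<target>\S+) by (?P<actor>\w+)")


def analyse(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return (per-source summary, alerts) for an sshd/su log extract."""
    per_src = defaultdict(lambda: {"failed": [], "users": set(), "invalid_users": set(), "accepted": []})
    su_events = []
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %Y %H:%M:%S")
            rec = per_src[m["src"]]
            if m["result"] == "Failed":
                rec["failed"].append(ts)
                rec["users"].add(m["user"])
                if m["invalid"]:            # name does not exist: dictionary of usernames, not a typo
                    rec["invalid_users"].add(m["user"])
            else:
                rec["accepted"].append((ts, m["user"]))
            continue
        m = SU_RE.match(line)
        if m:
            su_events.append((m["actor"], m["target"]))

    alerts = []
    for src, rec in per_src.items():
        fails = sorted(rec["failed"])
        # Sliding window: any `threshold` consecutive failures whose first and last lie within `window`.
        if any(fails[i + threshold - 1] - fails[i] <= window for i in range(len(fails) - threshold + 1)):
            alerts.append(("brute_force", src, len(fails), len(rec["users"])))
        # A success from a source that was guessing is the alert that matters most.
        for ts, user in rec["accepted"]:
            if any(abs(ts - f) <= window for f in fails):
                alerts.append(("success_after_failures", src, user))
    for actor, target in su_events:
        if target == "root":
            alerts.append(("su_to_root", actor))
    return dict(per_src), alerts


if __name__ == "__main__":
    summary, alerts = analyse(SECURE_LOG)
    for src, rec in summary.items():
        print(src, "failed:", len(rec["failed"]), "users tried:", sorted(rec["users"]), "accepted:", rec["accepted"])
    for a in alerts:
        print("ALERT", a)
```

On the slide's extract this yields a brute-force alert for 118.142.68.222 (eleven failures across nine usernames, six of which do not exist on the host), no success-after-failure alert because the only accepted login came from 10.1.10.172, and an su-to-root record for djohnson that deserves a look regardless of the sshd noise.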
  • 38. Closing slide: Advanced Security and Network Forensics: SIEM. Author: Prof Bill Buchanan. [Diagram: Proxy, VPN, Eve, Bob, Alice]