A general review on Event Correlation Concepts
Presented by: Reza Adineh
ReZa.AdineH; Think Smarter, Stay Secure .... 112/20/2018
Who am I?
Reza Adineh
• Professional Summary:
• Over 10 years of professional experience
• SOC & CSIRT Architect & Consultant
• SIEM Engineer
• Currently working as a senior on SOC & IR
• Author of “Threat Intelligence for Threat Hunting” & “Next Generation SOC”
• Authoring “Threat Intelligence”, “Security Operation Center” & “Threat Hunting” courses
• Instructor for many official courses including Security+, CySA+, CHFI,
ECIH, Log management, Forensic Investigation, Incident response, Splunk
administration, etc.
Event correlation definition:
• Event correlation is a technique for making sense of a large number
of events and pinpointing the few events that are really important in
that mass of information. This is accomplished by looking for and
analyzing relationships between events.
Event Correlation
• Correlation is a statistical measure that indicates the extent to which
two or more variables fluctuate together. A positive correlation
indicates the extent to which those variables increase or decrease in
parallel; a negative correlation indicates the extent to which one
variable increases as the other decreases.
Event Correlation
• In simple words:
it is a way to find specific, particular conditions among the events.
Event Correlation
• Event correlation is the process of relating a set of events that have
occurred in a predefined interval of time.
• The process includes analysing the events to understand how they could
add up to a bigger event, and in most cases, finally, an incident.
• It usually takes place on the log management platform, after users notice
that certain logs share similar properties. It is not a completely new
concept; it has been used in some form in many different solutions, such
as NIDS.
• In general, event correlation is implemented with the help of a single
piece of event correlator software.
SIEM Event Correlation
• SIEM event correlation is an essential part of any SIEM solution. It
aggregates and analyzes log data from across your network applications,
systems, and devices, making it possible to discover security threats and
malicious patterns of behavior that would otherwise go unnoticed and could
lead to compromise or data loss.
Steps in event correlation
• Event Aggregation
• Event Masking
• Event Filtering
• Root cause analysis
Types of Event Correlation
• Simple Correlation
• This is when you use one log source for correlation.
• Cross Correlation
• In this case you use multiple log sources for correlation.
• Tip: keep in mind that the most useful type in most cases is cross
correlation, because when you need to detect an incident you need many
different log sources for collecting evidence, and in that case the result
is more reliable and efficient for analysis.
Prerequisites of event correlation
• Transmission of Events and data
• Pull or Push
• Normalization
• Reduction
Event Correlation Approaches
• Graph-based correlation approach
• Neural-Network Based correlation approach
• Code-book based correlation approach
• Rule-Based correlation approach
• Field-based correlation approach
• Automated field correlation approach
• Packet parameter/payload correlation approach
Event Correlation Approaches
• Profile (finger print) based correlation approach
• Vulnerability based correlation approach
• Open port based correlation approach
• Bayesian based correlation approach
• Time based correlation approach
Correlation: Graph-based approach
• This approach constructs a graph with each node as a system component and
each edge as a dependency between two components.
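As an added example (not part of the slides), the following Python carries the four steps listed earlier (aggregation, masking, filtering, root cause analysis) over a dependency graph of this kind. The component names, the graph and the alarms are constructed; an edge means the first component depends on the second, so a failure upstream explains the alarms downstream.

```python
from collections import Counter, deque

# Constructed dependency graph: DEPENDS_ON[x] lists the components x depends on,
# so a failure of any of them can explain an alarm on x.
DEPENDS_ON = {
    "web01": ["app01"],
    "web02": ["app01"],
    "app01": ["db01", "core-switch"],
    "db01": ["core-switch"],
    "core-switch": [],
}

# Constructed raw alarm stream: (host, severity, message)
RAW_ALARMS = [
    ("web01", "high", "HTTP 502 from upstream"),
    ("web01", "high", "HTTP 502 from upstream"),   # exact duplicate
    ("web02", "high", "HTTP 502 from upstream"),
    ("app01", "high", "DB connection timeout"),
    ("db01", "high", "link down"),
    ("core-switch", "critical", "interface Gi0/1 down"),
    ("web02", "low", "disk at 60%"),               # unrelated noise
]

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def aggregate(alarms):
    """Step 1, aggregation: collapse identical alarms and keep a count."""
    counts = Counter(alarms)
    return [(host, sev, msg, n) for (host, sev, msg), n in counts.items()]


def filter_alarms(alarms, min_severity="high"):
    """Step 3, filtering: drop alarms below the severity threshold."""
    floor = SEVERITY_ORDER[min_severity]
    return [a for a in alarms if SEVERITY_ORDER[a[1]] >= floor]


def upstream(host, graph):
    """Every component that `host` transitively depends on (BFS over the graph)."""
    seen, queue = set(), deque(graph.get(host, []))
    while queue:
        dep = queue.popleft()
        if dep not in seen:
            seen.add(dep)
            queue.extend(graph.get(dep, []))
    return seen


def mask_and_root_cause(alarms, graph):
    """Steps 2 and 4: mask alarms that are explained by an alarmed upstream
    component; whatever is left has no alarmed dependency and is a root cause."""
    alarmed_hosts = {a[0] for a in alarms}
    roots, masked = [], {}
    for alarm in alarms:
        causes = upstream(alarm[0], graph) & alarmed_hosts
        if causes:
            masked[alarm[0]] = sorted(causes)
        else:
            roots.append(alarm)
    return roots, masked


def correlate(raw, graph=DEPENDS_ON):
    """Full pipeline: returns (root-cause alarms, {masked host: its alarmed causes})."""
    kept = filter_alarms(aggregate(raw))
    return mask_and_root_cause(kept, graph)
```

On the constructed data five high-severity alarms reduce to the single `core-switch` root cause, with the four downstream hosts masked.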
Correlation: Neural-Network Based approach
• This approach uses a neural network to detect anomalies in the event
stream, the root cause of fault events, etc.
Correlation: Code-book based approach
• This approach uses a code book to store a set of events and correlate them.
• Monitors capture alarm events; the configuration model contains the
configuration of the network.
• The event model represents events and their causal relationships.
• The correlator correlates alarm events with the event model and determines
the problem that caused the events.
• Problem events are viewed as messages generated by a system and encoded in
sets of alarms; the correlator decodes the problem message to identify the
problem.
• There are two phases:
• Codebook selection phase
• The correlator compares alarm events with the codebook and identifies the problem.
Correlation: Rule-Based approach
• In this approach, events are correlated according to a set of rules of the
following form:
• Condition -> Action
• Rules are combined with logical operators to get results.
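An added example, not from the slides, of such a rule set in Python: conditions are predicates over normalized event dictionaries, combined with AND/OR/NOT helpers, and each rule names the action to take when its condition holds. The field names, the port list and the sample events are constructed.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]
Condition = Callable[[Event], bool]


# --- atomic conditions over a normalized event -----------------------------
def field_is(name: str, value: Any) -> Condition:
    return lambda e: e.get(name) == value


def field_in(name: str, values) -> Condition:
    allowed = set(values)
    return lambda e: e.get(name) in allowed


# --- logical operators used to combine conditions ---------------------------
def all_of(*conds: Condition) -> Condition:      # AND
    return lambda e: all(c(e) for c in conds)


def any_of(*conds: Condition) -> Condition:      # OR
    return lambda e: any(c(e) for c in conds)


def not_(cond: Condition) -> Condition:          # NOT
    return lambda e: not cond(e)


@dataclass
class Rule:
    name: str
    condition: Condition
    action: str          # what the correlator does when the condition holds


ADMIN_PORTS = {22, 3389, 5985}            # constructed
TRUSTED_SCANNERS = {"10.0.0.9"}           # constructed: internal vuln scanner

RULES: List[Rule] = [
    Rule("admin-port-denied-from-untrusted-source",
         all_of(field_is("action", "deny"),
                field_in("dst_port", ADMIN_PORTS),
                not_(field_in("src_ip", TRUSTED_SCANNERS))),
         "raise_alert"),
    Rule("auth-failure-or-lockout",
         any_of(field_is("event", "logon_failure"),
                field_is("event", "account_lockout")),
         "count_for_brute_force"),
]


def evaluate(events: List[Event], rules: List[Rule] = RULES) -> List[Tuple[str, str, int]]:
    """Apply every rule to every event; return (rule name, action, event id) per match."""
    hits = []
    for e in events:
        for r in rules:
            if r.condition(e):
                hits.append((r.name, r.action, e["id"]))
    return hits


# Constructed normalized events from two sources (firewall and directory).
SAMPLE_EVENTS: List[Event] = [
    {"id": 1, "source": "fw", "action": "deny", "src_ip": "203.0.113.5", "dst_port": 22},
    {"id": 2, "source": "fw", "action": "deny", "src_ip": "10.0.0.9", "dst_port": 22},
    {"id": 3, "source": "fw", "action": "allow", "src_ip": "203.0.113.5", "dst_port": 443},
    {"id": 4, "source": "ad", "event": "logon_failure", "user": "alice"},
    {"id": 5, "source": "ad", "event": "account_lockout", "user": "alice"},
]
```

Event 2 is excluded by the NOT clause (the scanner is trusted) and event 3 by the AND clause (it was allowed), so only events 1, 4 and 5 produce actions.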
Field-based approach
• A basic approach in which specific events are compared with single or
multiple fields in the normalized data.
Automated field correlation
• This method systematically checks and compares all the fields for positive
and negative correlation with each other, to determine the correlation
across one or multiple fields.
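The following added Python example (not from the slides) applies the statistical definition of correlation given earlier to field values automatically: every field/value pair becomes a per-minute count series, and each pair of series is scored with Pearson's coefficient and labelled positive or negative. The field names and counts are constructed so that one source IP's firewall denies rise together with IDS alerts while a service account's successful logins fall; a constant series is skipped because its correlation is undefined.

```python
import math
from collections import defaultdict
from itertools import combinations

# Constructed per-minute counts for four field/value pairs over 10 minutes.
DENY = [1, 2, 4, 8, 9, 12, 15, 18, 20, 22]   # fw.src_ip == 203.0.113.5
IDS = [0, 1, 2, 4, 5, 6, 8, 9, 10, 11]       # ids.src_ip == 203.0.113.5
LOGINS = [9, 8, 8, 6, 5, 4, 3, 2, 1, 0]      # auth.user == svc (successes)
NOISE = [3, 3, 3, 3, 3, 3, 3, 3, 3, 3]       # dns.query == ntp.example

# Expand the counts into individual events: (minute bucket, field, value).
EVENTS = []
for minute in range(10):
    EVENTS += [(minute, "fw.src_ip", "203.0.113.5")] * DENY[minute]
    EVENTS += [(minute, "ids.src_ip", "203.0.113.5")] * IDS[minute]
    EVENTS += [(minute, "auth.user", "svc")] * LOGINS[minute]
    EVENTS += [(minute, "dns.query", "ntp.example")] * NOISE[minute]


def count_series(events, n_buckets):
    """Map each (field, value) pair to a vector of counts, one per time bucket."""
    series = defaultdict(lambda: [0] * n_buckets)
    for bucket, field, value in events:
        series[(field, value)][bucket] += 1
    return dict(series)


def pearson(x, y):
    """Pearson correlation coefficient of two equal-length series, or None if
    either series is constant (zero variance makes the coefficient undefined)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return None
    return sxy / math.sqrt(sxx * syy)


def correlate_fields(events, n_buckets, threshold=0.8):
    """Automated field correlation: score every pair of field/value series and
    report the pairs whose coefficient is strongly positive or strongly negative."""
    series = count_series(events, n_buckets)
    findings = []
    for a, b in combinations(sorted(series), 2):
        r = pearson(series[a], series[b])
        if r is None:
            continue
        if r >= threshold:
            findings.append((a, b, "positive", round(r, 3)))
        elif r <= -threshold:
            findings.append((a, b, "negative", round(r, 3)))
    return findings
```

With the constructed counts the firewall and IDS series correlate positively (about 0.998), both correlate negatively with the service account's logins, and the constant DNS series is reported against nothing.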
Packet parameter/payload correlation
• This approach is used to correlate particular packets with other packets.
• It can produce a list of possible new attacks by comparing packets with
attack signatures.
Profile (finger print) based correlation approach
• A series of datasets can be gathered from forensic event data, such as
isolated OS fingerprints, isolated port scans, finger information and banner
snatching, to compare and link attack data to other attacker profiles.
• This information is used to identify whether a system is a relay or a
formerly compromised host, or to detect the same attacker operating from
different locations.
• In this approach the most important thing is a good enough baseline.
Vulnerability based correlation approach
• This approach is used to map IDS events that target a specific vulnerable
host, with the help of a vulnerability scanner.
• It is also used to deduce an attack on a particular host in advance, and it
prioritizes attack data so that you can respond to trouble spots quickly.
Open port based correlation approach
• This approach estimates the rate of successful attacks by comparing the
attacked ports with the list of open ports on the hosts that are being
attacked.
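An added example (not from the slides) that combines the vulnerability-based approach of the previous slide with the open-port-based approach of this one in Python: IDS alerts are joined with a scanner-derived asset inventory to rank them, and the share of attacks that reached a listening port bounds the success rate from above. The asset data, alert signatures and vulnerability ids are constructed placeholders, not real identifiers.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Asset:
    ip: str
    open_ports: Set[int]   # from the last port scan
    vulns: Set[str]        # findings reported by the vulnerability scanner


# Constructed inventory; "VULN-*" ids are placeholders, not real CVE numbers.
ASSETS: Dict[str, Asset] = {
    "10.1.1.10": Asset("10.1.1.10", {80, 443}, {"VULN-WEB-1"}),
    "10.1.1.20": Asset("10.1.1.20", {22}, set()),
    "10.1.1.30": Asset("10.1.1.30", {445, 3389}, {"VULN-SMB-1"}),
}

# Constructed IDS alerts:
# (alert id, signature, vulnerability the signature targets or None, dst ip, dst port)
Alert = Tuple[int, str, Optional[str], str, int]
ALERTS: List[Alert] = [
    (1, "web-app-exploit-attempt", "VULN-WEB-1", "10.1.1.10", 443),
    (2, "smb-exploit-attempt", "VULN-SMB-1", "10.1.1.20", 445),    # port closed
    (3, "smb-exploit-attempt", "VULN-SMB-1", "10.1.1.30", 445),
    (4, "ssh-bruteforce", None, "10.1.1.20", 22),                 # no vuln needed
    (5, "rdp-exploit-attempt", "VULN-RDP-1", "10.1.1.30", 3389),  # not vulnerable
    (6, "web-app-exploit-attempt", "VULN-WEB-1", "10.1.1.99", 443),  # unknown host
]

PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}


def triage(alert: Alert, assets: Dict[str, Asset] = ASSETS) -> Tuple[str, str]:
    """Vulnerability-based correlation for one alert: priority plus the reason."""
    _, _, vuln, dst, port = alert
    asset = assets.get(dst)
    if asset is None:
        return "medium", f"{dst} not in inventory, exposure cannot be confirmed"
    if port not in asset.open_ports:
        return "low", f"port {port} is closed on {dst}, the attack cannot have succeeded"
    if vuln is None:
        return "medium", f"port {port} is open and the signature needs no specific vulnerability"
    if vuln in asset.vulns:
        return "high", f"port {port} is open and the scanner reports {vuln} on {dst}"
    return "low", f"port {port} is open but {dst} is not vulnerable to {vuln}"


def prioritize(alerts: List[Alert], assets: Dict[str, Asset] = ASSETS):
    """Rank alerts so that confirmed-exposure targets come first."""
    scored = [(alert[0], *triage(alert, assets)) for alert in alerts]
    return sorted(scored, key=lambda s: PRIORITY_RANK[s[1]])   # stable sort


def open_port_hit_rate(alerts: List[Alert], assets: Dict[str, Asset] = ASSETS) -> float:
    """Open-port-based correlation: fraction of attacks on inventoried hosts that
    reached a listening port. Attacks on closed ports cannot have succeeded, so
    this is an upper bound on the success rate."""
    known = [a for a in alerts if a[3] in assets]
    if not known:
        return 0.0
    hits = sum(1 for a in known if a[4] in assets[a[3]].open_ports)
    return hits / len(known)
```

On the constructed data alerts 1 and 3 rank high, alert 2 is demoted because the port is closed, and four of the five attacks against inventoried hosts reached an open port (hit rate 0.8).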
Bayesian based correlation approach
• This is an advanced correlation method that predicts what an attacker can
do next, after an attack, by studying statistics and probability.
Role or Time based correlation approach
• This is used to monitor system and user behavior and raise an alert if
something anomalous is found.
• It focuses on the roles of systems and/or users.
• In this approach, when a condition occurs the rule fires and then waits
for the next condition within a defined time.
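An added Python example, not from the slides, of a time-based rule of this shape: once the first condition has been met a threshold number of times for one entity inside the window, the rule arms and waits up to the same window for the second condition. The user names, timestamps and outcomes are constructed, and events are assumed to arrive in time order.

```python
from collections import defaultdict, deque

# Constructed normalized authentication events: (timestamp in seconds, user, outcome)
EVENTS = [
    (0, "alice", "failure"),
    (20, "alice", "failure"),
    (40, "alice", "failure"),
    (70, "alice", "success"),      # follows 3 failures inside the window -> alert
    (100, "bob", "failure"),
    (130, "bob", "failure"),
    (160, "bob", "failure"),
    (900, "bob", "success"),       # too late: the armed state has expired
    (1000, "carol", "success"),    # no preceding failures at all
]


class SequenceRule:
    """Two-stage time-based rule. `first` and `second` are predicates over the
    event payload; state is kept per entity (here the user name)."""

    def __init__(self, first, second, threshold, window, name):
        self.first, self.second = first, second
        self.threshold, self.window, self.name = threshold, window, name
        self.pending = defaultdict(deque)   # entity -> timestamps of `first` events
        self.armed = {}                     # entity -> time at which the rule armed

    def _expire(self, entity, now):
        """Drop `first` events and armed states older than the window."""
        q = self.pending[entity]
        while q and now - q[0] > self.window:
            q.popleft()
        if entity in self.armed and now - self.armed[entity] > self.window:
            del self.armed[entity]

    def feed(self, ts, entity, payload):
        """Process one event; return an alert dict when the sequence completes."""
        self._expire(entity, ts)
        if self.first(payload):
            self.pending[entity].append(ts)
            if len(self.pending[entity]) >= self.threshold and entity not in self.armed:
                self.armed[entity] = ts          # condition 1 met: start waiting
        elif self.second(payload) and entity in self.armed:
            del self.armed[entity]               # condition 2 met inside the window
            self.pending[entity].clear()
            return {"rule": self.name, "entity": entity, "at": ts}
        return None


def run(events, rule):
    """Feed an ordered event list through the rule and collect its alerts."""
    alerts = []
    for ts, entity, outcome in events:
        alert = rule.feed(ts, entity, outcome)
        if alert:
            alerts.append(alert)
    return alerts


def failures_then_success(window=300, threshold=3):
    """Rule instance: `threshold` logon failures, then a success, within `window` s."""
    return SequenceRule(first=lambda o: o == "failure",
                        second=lambda o: o == "success",
                        threshold=threshold, window=window,
                        name="logon-failures-followed-by-success")
```

With a 300 second window only alice's sequence completes; widening the window to 1000 seconds also catches bob, which is the tuning trade-off this kind of rule carries.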
Route Correlation
• This approach is used to extract the attack route information and use
that information to single out other attack data.
• In this correlation we have information about the attack path or flow.
Hybrid correlation
• In this type of correlation we need to correlate multiple sources
simultaneously and enrich them to get results.
• In fact, it is a combination of different approaches.
Alerting and Incidents
End.
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number Systems
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 

Review on Event Correlation - A review of correlation methods in event management

Event Correlation
• Event correlation is the process of relating a set of events that have occurred within a predefined interval of time.
• The process includes analysing the events to understand how they add up to a bigger event, which in most cases turns out to be an incident.
• It usually takes place on the log management platform, once users notice that certain logs share properties. It is not a completely new concept; it is already used, in one form or another, in many other solutions, such as a NIDS.
• In general, event correlation is implemented with the help of a single event correlator software component.

SIEM Event Correlation
• SIEM event correlation is an essential part of any SIEM solution. It aggregates and analyses log data from across your network, applications, systems and devices, making it possible to discover security threats and malicious patterns of behaviour that would otherwise go unnoticed and could lead to compromise or data loss.

Steps in event correlation
• Event aggregation
• Event masking
• Event filtering
• Root cause analysis

Types of Event Correlation
• Simple correlation: only one log source is used for correlation.
• Cross correlation: multiple log sources are used for correlation.
• Tip: keep in mind that in most cases the most useful type is cross correlation. To detect an incident you need many different log sources to collect evidence, and the result is then more reliable and more efficient to analyse.

Prerequisites of event correlation
• Transmission of events and data (pull or push)
• Normalization
• Reduction

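Added example (not from the deck): the two prerequisites that happen after transmission, normalization and reduction, applied to a few constructed log lines. The sshd syslog lines and the key=value firewall lines, the common schema (ts, source, host, action, user, src_ip, dst_port) and the year supplied for the year-less syslog timestamp are all assumptions made for this illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not from the deck): sshd syslog lines and key=value
# firewall lines, each in its own vendor format. Repeated lines simulate a source
# that forwarded the same record twice.
RAW_SSHD = [
    "Dec 20 10:01:02 host1 sshd[2211]: Failed password for root from 203.0.113.5 port 51122 ssh2",
    "Dec 20 10:01:02 host1 sshd[2211]: Failed password for root from 203.0.113.5 port 51122 ssh2",
    "Dec 20 10:01:09 host1 sshd[2212]: Accepted password for alice from 198.51.100.7 port 40001 ssh2",
]
RAW_FW = [
    "id=fw1 time=2018-12-20T10:01:01Z action=deny src=203.0.113.5 dst=10.0.0.4 dport=22 proto=tcp",
    "id=fw1 time=2018-12-20T10:01:01Z action=deny src=203.0.113.5 dst=10.0.0.4 dport=22 proto=tcp",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize_sshd(line, year=2018):
    """Map one sshd syslog line onto the common schema (assumed schema, not the
    deck's). Syslog carries no year, so the caller supplies one."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year, tzinfo=timezone.utc)
    return {
        "ts": ts.isoformat(),
        "source": "sshd",
        "host": m["host"],
        "action": "auth_fail" if m["outcome"] == "Failed" else "auth_success",
        "user": m["user"],
        "src_ip": m["src"],
        "dst_port": 22,
    }


def normalize_fw(line):
    """Map one key=value firewall line onto the same schema."""
    kv = dict(KV_RE.findall(line))
    if "action" not in kv or "time" not in kv:
        return None
    ts = datetime.strptime(kv["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "ts": ts.isoformat(),
        "source": kv.get("id", "fw"),
        "host": kv.get("dst"),
        "action": "conn_" + kv["action"],          # conn_deny / conn_allow
        "user": None,
        "src_ip": kv.get("src"),
        "dst_port": int(kv["dport"]) if "dport" in kv else None,
    }


def reduce_events(events):
    """Reduction: drop exact repeats so a duplicated forward does not inflate counts."""
    seen, kept = set(), []
    for e in events:
        key = (e["ts"], e["source"], e["action"], e["src_ip"], e["user"], e["dst_port"])
        if key not in seen:
            seen.add(key)
            kept.append(e)
    return kept


def normalize_all(raw_sshd, raw_fw):
    """Normalize both sources, order by time, then reduce. Lines that do not
    parse are dropped rather than passed through un-normalized."""
    events = [n for n in map(normalize_sshd, raw_sshd) if n]
    events += [n for n in map(normalize_fw, raw_fw) if n]
    events.sort(key=lambda e: e["ts"])   # ISO-8601 strings in one timezone sort correctly
    return reduce_events(events)


if __name__ == "__main__":
    for e in normalize_all(RAW_SSHD, RAW_FW):
        print(e)
```

Every later correlation approach in the deck assumes events already look like the output of normalize_all: one schema, one timezone, no duplicates. A correlator fed raw vendor lines cannot compare a firewall "src" with an sshd "from" address at all.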
Event Correlation Approaches
• Graph-based correlation approach
• Neural-network based correlation approach
• Codebook based correlation approach
• Rule-based correlation approach
• Field-based correlation approach
• Automated field correlation approach
• Packet parameter/payload correlation approach
• Profile (fingerprint) based correlation approach
• Vulnerability based correlation approach
• Open port based correlation approach
• Bayesian based correlation approach
• Time based correlation approach

Correlation: Graph-based approach
• This approach constructs a graph in which each node is a system component and each edge is a dependency between two components. A fault in one node then explains the alarms raised by the nodes that depend on it.

Correlation: Neural-network based approach
• This approach uses a neural network, trained on historical event data, to detect anomalies in the event stream, find the root cause of fault events, etc.

Correlation: Codebook based approach
• This approach uses a codebook to store a set of events and correlate them.
• Monitors capture alarm events; a configuration model holds the configuration of the network.
• An event model represents events and their causal relationships.
• The correlator matches alarm events against the event model and determines the problem that caused them.
• Problem events are viewed as messages generated by the system and encoded as sets of alarms; the correlator decodes the "problem message" to identify the problem.
• There are two phases:
  • Codebook selection phase
  • Correlation phase, in which the correlator compares the alarm events with the codebook and identifies the problem.

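Added example (not from the deck): both codebook phases on a constructed event model. The problem and alarm names are hypothetical. Each problem is encoded as a 0/1 vector over alarm columns; the selection phase keeps as few columns as still separate every pair of problems by a chosen Hamming distance, and the correlation phase decodes an observed alarm set to the nearest code, tolerating a lost or spurious alarm.

```python
from itertools import combinations

# Constructed event model (hypothetical problem and alarm names, not from the deck):
# each problem is the root cause of the set of alarms the monitors will report.
EVENT_MODEL = {
    "core_link_down":      {"if_down_core", "bgp_neighbor_lost", "latency_high_app", "http_5xx_app"},
    "db_disk_full":        {"db_write_err", "disk_usage_db", "http_5xx_app"},
    "app_oom":             {"app_restart", "http_5xx_app", "latency_high_app"},
    "credential_stuffing": {"auth_fail_burst", "http_429_app", "latency_high_app"},
}


def all_alarms(model):
    return sorted(set().union(*model.values()))


def encode(model, columns):
    """Codebook: each problem becomes a 0/1 code over the chosen alarm columns."""
    return {p: tuple(1 if a in alarms else 0 for a in columns) for p, alarms in model.items()}


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def min_pairwise_distance(codes):
    return min(hamming(x, y) for x, y in combinations(codes.values(), 2))


def select_codebook(model, min_distance=2):
    """Phase 1, codebook selection: greedily keep as few alarm columns as possible
    while every pair of problem codes still differs in >= min_distance positions,
    so that a few lost or spurious alarms cannot turn one problem into another."""
    columns = all_alarms(model)
    if min_pairwise_distance(encode(model, columns)) < min_distance:
        raise ValueError("event model cannot distinguish all problems at that distance")
    chosen = []
    while min_pairwise_distance(encode(model, chosen)) < min_distance:
        # add the column that raises the smallest pairwise distance the most
        chosen.append(max(
            (c for c in columns if c not in chosen),
            key=lambda c: min_pairwise_distance(encode(model, chosen + [c])),
        ))
    return chosen


def decode(model, columns, observed, max_distance=1):
    """Phase 2, correlation: match the observed alarms to the nearest problem code.
    Returns None when nothing in the codebook is close enough to be credible."""
    observed_code = tuple(1 if a in observed else 0 for a in columns)
    best, dist = min(
        ((p, hamming(code, observed_code)) for p, code in encode(model, columns).items()),
        key=lambda t: t[1],
    )
    return best if dist <= max_distance else None


if __name__ == "__main__":
    cols = select_codebook(EVENT_MODEL, min_distance=3)
    print("codebook columns:", cols)
    # the latency alarm was lost in transit; decoding still lands on app_oom
    print(decode(EVENT_MODEL, cols, {"app_restart", "http_5xx_app"}))
```

With min_distance set to 3, any single missing or extra alarm leaves the observation strictly closer to its true problem than to any other, which is why decode can safely accept a distance of 1. A larger distance budget costs more columns, i.e. more alarms that must be monitored.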
Correlation: Rule-based approach
• In this approach, events are correlated according to a set of rules of the form:
  Condition -> Action
• Rules are combined with logical operators (AND, OR, NOT) to get useful results.

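Added example (not from the deck): a small Condition -> Action engine in which conditions are predicates that compose with AND, OR and NOT, plus one stateful counting condition, run over constructed, already-normalized events. The event schema, the internal address ranges and the rule names are assumptions made for this illustration.

```python
import ipaddress
from collections import Counter

# Assumed internal ranges; anything else counts as "external" in the conditions below.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed, already-normalized events (hypothetical schema, not from the deck).
EVENTS = [
    {"ts": 1, "source": "sshd", "action": "auth_fail", "user": "root", "src_ip": "203.0.113.5"},
    {"ts": 2, "source": "sshd", "action": "auth_fail", "user": "root", "src_ip": "203.0.113.5"},
    {"ts": 3, "source": "sshd", "action": "auth_fail", "user": "root", "src_ip": "203.0.113.5"},
    {"ts": 4, "source": "sshd", "action": "auth_fail", "user": "root", "src_ip": "203.0.113.5"},
    {"ts": 5, "source": "sshd", "action": "auth_fail", "user": "root", "src_ip": "203.0.113.5"},
    {"ts": 6, "source": "fw",   "action": "conn_deny", "src_ip": "203.0.113.5", "dst_port": 3389},
    {"ts": 7, "source": "sshd", "action": "auth_success", "user": "alice", "src_ip": "10.0.0.9"},
    {"ts": 8, "source": "sshd", "action": "auth_fail", "user": "bob", "src_ip": "192.168.1.20"},
]


# Condition builders: each returns a predicate event -> bool, so rules are built
# by composing predicates with the logical operators below instead of if-chains.
def field_is(name, value):
    return lambda e: e.get(name) == value


def field_in(name, values):
    return lambda e: e.get(name) in values


def external_src():
    return lambda e: "src_ip" in e and not any(
        ipaddress.ip_address(e["src_ip"]) in net for net in INTERNAL_NETS)


def all_of(*conds):   # logical AND
    return lambda e: all(c(e) for c in conds)


def any_of(*conds):   # logical OR
    return lambda e: any(c(e) for c in conds)


def not_(cond):       # logical NOT
    return lambda e: not cond(e)


def count_reaches(cond, key_field, n):
    """Stateful condition: true exactly on the n-th matching event per key."""
    counts = Counter()

    def pred(e):
        if not cond(e):
            return False
        counts[e.get(key_field)] += 1
        return counts[e.get(key_field)] == n
    return pred


def alert(name, severity):
    """Action: turn the triggering event into an alert record."""
    return lambda e: {"rule": name, "severity": severity, "ts": e["ts"], "src_ip": e.get("src_ip")}


def build_rules():
    """Each rule is a (condition, action) pair. Built fresh so counters start at zero."""
    fail = field_is("action", "auth_fail")
    return [
        (all_of(fail, field_is("user", "root"), external_src()),
         alert("root_auth_attempt_from_internet", "medium")),
        (all_of(field_is("action", "conn_deny"), field_in("dst_port", {22, 3389, 445}), external_src()),
         alert("admin_port_probe", "low")),
        (count_reaches(all_of(fail, external_src()), "src_ip", 5),
         alert("ssh_bruteforce", "high")),
        (all_of(fail, not_(any_of(external_src(), field_is("user", "root")))),
         alert("internal_auth_failure", "info")),
    ]


def correlate(events, rules):
    """Evaluate every rule against every event; each match runs the rule's action."""
    return [act(e) for e in events for cond, act in rules if cond(e)]


if __name__ == "__main__":
    for a in correlate(EVENTS, build_rules()):
        print(a)
```

Note that the first rule fires once per failed root login, five times here, while the counting rule fires once on the fifth attempt. Which of the two is wanted is a tuning decision, but it is made in the rule, not by hand-editing the correlator.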
Field-based approach
• A basic approach in which specific events are compared with one or more fields in the normalized data.

Automated field correlation
• This method systematically checks and compares all the fields for positive and negative correlation with each other, to determine the correlation across one or multiple fields.

Packet parameter/payload correlation
• This approach correlates particular packets with other packets.
• It can produce a list of possible new attacks by comparing packets with attack signatures.

Profile (fingerprint) based correlation approach
• A series of datasets can be gathered from forensic event data, such as isolated OS fingerprints, isolated port scans, finger information and banner grabbing, to compare and link attack data to other attacker profiles.
• This information is used to identify whether a system is a relay or a previously compromised host, or to detect the same attacker operating from different locations.
• In this approach the most important thing is a good enough baseline.

Vulnerability based correlation approach
• This approach maps IDS events onto the specific vulnerable hosts they target, with the help of a vulnerability scanner.
• It is also used to deduce an attack on a particular host in advance, and it prioritizes attack data so that you can respond to trouble spots quickly.

Open port based correlation approach
• This approach determines the rate of successful attacks by comparing the attacked ports with the list of open ports on the hosts that are being attacked.

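Added example (not from the deck) covering the two preceding slides together: IDS alerts are enriched with a constructed scanner inventory, the open-port check decides whether an attack could have reached a listener at all, and the vulnerability check decides whether a reachable target was actually exposed. The hosts, the VULN-* and SIG-* identifiers and the mapping from signature to port and vulnerability are placeholders, not real CVEs or IDS signature IDs.

```python
# Constructed scanner inventory (hypothetical hosts; VULN-* ids are placeholders, not CVEs).
SCAN = {
    "10.0.0.4": {"open_ports": {22, 80, 443}, "vulns": {"VULN-WEB-001", "VULN-SSH-002"}},
    "10.0.0.5": {"open_ports": {3389},        "vulns": set()},
    "10.0.0.6": {"open_ports": {80},          "vulns": {"VULN-WEB-001"}},
}

# Constructed IDS signature catalogue: the port a signature's traffic targets and
# the vulnerability its payload exploits (SIG-* ids are placeholders).
SIGNATURES = {
    "SIG-1001": {"port": 80,   "vuln": "VULN-WEB-001"},
    "SIG-1002": {"port": 22,   "vuln": "VULN-SSH-002"},
    "SIG-1003": {"port": 3389, "vuln": "VULN-RDP-003"},
}

# Constructed IDS alerts for one external source.
IDS_ALERTS = [
    {"sig": "SIG-1001", "src": "203.0.113.9", "dst": "10.0.0.4", "dport": 80},
    {"sig": "SIG-1001", "src": "203.0.113.9", "dst": "10.0.0.5", "dport": 80},
    {"sig": "SIG-1003", "src": "203.0.113.9", "dst": "10.0.0.5", "dport": 3389},
    {"sig": "SIG-1002", "src": "203.0.113.9", "dst": "10.0.0.7", "dport": 22},
]

PRIORITY_ORDER = {"critical": 0, "medium": 1, "unknown": 2, "low": 3}


def prioritize(alert, scan=SCAN, signatures=SIGNATURES):
    """Combine the open-port and vulnerability correlations into one priority."""
    host = scan.get(alert["dst"])
    if host is None:
        return "unknown"      # no scan data: cannot correlate, scan the host first
    if alert["dport"] not in host["open_ports"]:
        return "low"          # open-port correlation: nothing listened, the attack could not land
    if signatures.get(alert["sig"], {}).get("vuln") in host["vulns"]:
        return "critical"     # vulnerability correlation: reachable AND known vulnerable
    return "medium"           # reachable, but no matching vulnerability on record


def triage(alerts, scan=SCAN, signatures=SIGNATURES):
    """Enrich every alert with its priority and order the queue for the analyst."""
    enriched = [dict(a, priority=prioritize(a, scan, signatures)) for a in alerts]
    return sorted(enriched, key=lambda a: PRIORITY_ORDER[a["priority"]])


def open_port_hit_rate(alerts, scan=SCAN):
    """Share of attacks (against scanned hosts) that hit a port that was actually open."""
    known = [a for a in alerts if a["dst"] in scan]
    hits = [a for a in known if a["dport"] in scan[a["dst"]]["open_ports"]]
    return len(hits) / len(known) if known else 0.0


def exposed_hosts(sig, scan=SCAN, signatures=SIGNATURES):
    """The 'in advance' use: hosts that would be hit if this signature's attack arrives,
    i.e. the targeted port is open and the exploited vulnerability is present."""
    s = signatures[sig]
    return sorted(h for h, info in scan.items()
                  if s["port"] in info["open_ports"] and s["vuln"] in info["vulns"])


if __name__ == "__main__":
    for a in triage(IDS_ALERTS):
        print(a["priority"], a["sig"], a["dst"])
    print("open-port hit rate:", open_port_hit_rate(IDS_ALERTS))
    print("exposed to SIG-1001:", exposed_hosts("SIG-1001"))
```

The "unknown" bucket is deliberate: an alert against a host the scanner has never seen is not low priority, it is uncorrelated, and conflating the two is how unmanaged hosts get ignored.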
Bayesian based correlation approach
• This is an advanced correlation method that, using statistics and probability, estimates and predicts what an attacker is likely to do next after an attack.

Role or Time based correlation approach
• This is used to monitor the behaviour of systems and users and to raise an alert if something anomalous is found.
• It focuses on the roles of systems and/or users.
• In this approach, when the first condition occurs the correlator starts a timer and waits for the next condition within a defined time; the alert is raised only if the sequence completes inside that window.

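Added example (not from the deck): a time-based sequence rule over a constructed authentication event stream. The first condition is itself time-bound (four failed logins from one source inside 60 seconds); once it fires, the rule waits up to 300 seconds for a successful login from the same source, and lets the pending state expire otherwise. The event schema, the thresholds and the rule name are assumptions made for this illustration.

```python
from collections import defaultdict, deque

# Constructed, already-normalized auth events (hypothetical schema); ts in seconds.
STREAM = [
    {"ts": 0,   "action": "auth_fail",    "user": "root",  "src_ip": "203.0.113.5"},
    {"ts": 10,  "action": "auth_fail",    "user": "root",  "src_ip": "203.0.113.5"},
    {"ts": 20,  "action": "auth_fail",    "user": "admin", "src_ip": "203.0.113.5"},
    {"ts": 30,  "action": "auth_fail",    "user": "admin", "src_ip": "203.0.113.5"},
    {"ts": 100, "action": "auth_success", "user": "alice", "src_ip": "203.0.113.5"},   # 70 s later
    {"ts": 500, "action": "auth_fail",    "user": "root",  "src_ip": "198.51.100.7"},
    {"ts": 510, "action": "auth_fail",    "user": "root",  "src_ip": "198.51.100.7"},
    {"ts": 520, "action": "auth_fail",    "user": "root",  "src_ip": "198.51.100.7"},
    {"ts": 530, "action": "auth_fail",    "user": "root",  "src_ip": "198.51.100.7"},
    {"ts": 900, "action": "auth_success", "user": "bob",   "src_ip": "198.51.100.7"},  # 370 s later
    {"ts": 950, "action": "auth_success", "user": "carol", "src_ip": "10.0.0.9"},
]


def sliding_count(cond, key_field, n, window):
    """Condition: true when the key has produced >= n matching events in the last `window` seconds."""
    history = defaultdict(deque)

    def pred(e):
        if not cond(e):
            return False
        q = history[e.get(key_field)]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # forget events older than the window
            q.popleft()
        return len(q) >= n
    return pred


class SequenceRule:
    """Time-based correlation: when `first` fires for a key, remember it and wait up
    to `window` seconds for `second` on the same key. Pending states that outlive
    the window expire silently, so a late second condition does not alert."""

    def __init__(self, name, first, second, key_field, window):
        self.name, self.first, self.second = name, first, second
        self.key_field, self.window = key_field, window
        self.pending = {}   # key -> ts at which the first condition fired

    def feed(self, e):
        now, key = e["ts"], e.get(self.key_field)
        self.pending = {k: t for k, t in self.pending.items() if now - t <= self.window}
        if key in self.pending and self.second(e):
            return {"rule": self.name, "key": key,
                    "first_ts": self.pending.pop(key), "second_ts": now}
        if self.first(e):
            self.pending.setdefault(key, now)   # keep the earliest trigger time
        return None


def run(stream):
    """Feed the stream through one sequence rule and collect the alerts it raises."""
    rule = SequenceRule(
        "bruteforce_then_success",
        first=sliding_count(lambda e: e["action"] == "auth_fail", "src_ip", n=4, window=60),
        second=lambda e: e["action"] == "auth_success",
        key_field="src_ip",
        window=300,
    )
    return [a for a in (rule.feed(e) for e in stream) if a]


if __name__ == "__main__":
    for a in run(STREAM):
        print(a)
```

Only the first source alerts: its success arrived 70 seconds after the burst. The second source's success came 370 seconds after its burst, outside the 300-second window, so the pending state had already expired. The events must be fed in time order; out-of-order delivery from different collectors is the usual reason a rule like this misses.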
Route Correlation
• This approach extracts the attack route information and uses it to single out other attack data.
• In this correlation we have information about the attack path or flow.

Hybrid correlation
• In this type of correlation we correlate multiple sources simultaneously and enrich them to get the results.
• In fact, it is a combination of different approaches.

Alerting and Incidents

End.