Comprehensive Security Monitoring Course
Security Monitoring
Ali Ahangari, Soorin Co.
LinkedIn: linkedin.com/in/AliAhangari
Email: Ahangari@soorinsec.ir
LinkedIn: linkedin.com/company/soorinsec
Site: soorinsec.ir
Telegram: @hypersec
Tel: 91002621 - 22011734
Topics
Module 1: Security Monitoring Fundamentals
• Getting Started
• SOC Components
• Security Monitoring Process
• Identification and Analysis
• Required Knowledge
• Security Monitoring Tasks
• Security Monitoring Infrastructure
• Lab Architecture
• Windows Setup and Logging
• Linux Setup and Logging
• NSM Setup and Logging
• SIEM Setup
• Splunk as a Security Monitoring Solution
• Introduction to Splunk
• Splunk Architecture
• Log Parsing and Normalization
• Splunk SPL
• Data Models and Correlation Searches
• Alerts, Dashboards and Reports
Module 2: Endpoint Security Monitoring
• Windows Components
• Windows Architecture
• Windows Event Log
• Windows Process
• COM Objects and .NET Framework
• Windows Powershell
• Windows Registry
• Windows APIs
• Windows Defender
• Windows Auditing and Logging
• Sysmon Installation and Configuration
• Windows Audit Policies
• Windows Firewall Logging
• Powershell Logging
• Windows Defender Logging
• Windows Threats Analysis
• Credential Abuse
• Binary Attacks
• Microsoft Office Attacks
• Windows Privilege Escalation
• Windows Persistence
• Windows Lateral Movement
• Antivirus Alerts and Evasion
• Active Directory Attacks
• Linux Components
• Linux Architecture
• Linux Bash and Scripting
• Linux Auditd Service
• Linux Device and Drivers
• Linux Syscalls
• Linux Firewall and SELinux
• Linux Auditing and Logging
• Auditd and Rules
• Kernel Auditing
• Files and Directory Auditing
• Firewall Auditing
• Suspicious Activity Auditing
• Linux Threat Analysis
• Credential Abuse
• Linux Privilege Escalation
• Linux Persistence
• Linux Defense Evasion
Module 3: Network Security Monitoring
• Network Service and Components
• Network Protocol Stack
• Mail Service
• DNS
• Web
• SMB
• RPC
• Netflow
• Syslog
• NSM Components
• Suricata as a NIDS
• Firewall
• Flow Generator
• Full Packet Capture
• NSM Auditing and Logging
• NIDS Configuration
• NIDS Rules Writing
• NIDS Alerting
• Firewall Rules and Logging
• Flow Logging
• Network Threat Analysis
• Web Attacks
• SMTP Attacks
• SMB Attacks
• RPC Attacks
• DNS Attacks
• C2 Infrastructure
• Port Forwarding
• Tunneling
• Known Exploits
Module 4: Security Monitoring Functions
• Security Monitoring Checklist
• Alert Investigation
• Alert Correlation
• Monitoring Tips and Tricks
• Threat Intelligence
• Incident Reporting
• Security Monitoring Automation
Module 1- Security Monitoring Fundamentals
Getting Started
SOC Components
• Q: What is a security operations center (SOC)?
• Gartner defines a SOC as: A team, often operating in shifts around the clock, and a facility
dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and
incidents, and to fulfill and assess regulatory compliance.
• SANS defines a SOC as: A combination of people, processes and technology protecting the
information systems of an organization through: proactive design and configuration, ongoing
monitoring of system state, detection of unintended actions or undesirable state, and
minimizing damage from unwanted effects
(Figure: the SOC activity cycle of Detection, Analysis and Response)
• Key Components
• Business and Organization
• People
• Infrastructure
• Services
• Processes
• Case Study:
• Lessons Learned from the Microsoft SOC
• Overall SOC model
• SOC metrics
• Microsoft SOC teams and tiers model
• Roles and functions of the SOC analyst tiers
• Q: What is Security Monitoring?
• NIST SP 800-137 defines it as: Maintaining ongoing awareness of information security, vulnerabilities, and
threats to support organizational risk management decisions. That awareness rests on:
• Maintaining situational awareness of all systems across the organization
• Maintaining an understanding of threats and threat activities
• Assessing all security controls
• Collecting, correlating, and analyzing security-related information
• Providing actionable communication of security status across all tiers of the organization
• Active management of risk by organizational officials
Security Monitoring Process
The process runs in three phases; each phase's outputs are the inputs of the next.
Identification and Analysis
• Business Environment
• Assets and Identities
• Network Diagram
• Risk Assessment
• Security Policies
• Use Case List
• Sensors and Logs
Setup/Tune Monitoring Infrastructure
• Sensor Deployment
• Enable Logging
• SIEM Deployment
• Log Collection Plan
• Log Aggregation and Normalization
Monitoring and Investigation
• Define Process
• Develop Use Cases
• Monitoring Daily Tasks
• Investigation
• Alerting
• Ticketing
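The "Log Aggregation and Normalization" step is where the three lab sources (Windows event logs, Linux syslog, Suricata EVE JSON) are mapped onto one field schema so a single search or correlation rule can match all of them. The following Python is an added example and is not code from the course or from Splunk: the three log lines are constructed, the key=value rendering of the Windows 4624 event mimics how a forwarder might present it, the schema field names are this example's own choice, and the syslog year, a UTC host clock and the sshd port are stated assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample lines, one per lab source. They are illustrative only.
SAMPLE_LINES = [
    # Windows Security 4624 as a forwarder might render it in key=value form
    "EventCode=4624 ComputerName=Bank-FileServer-01 TargetUserName=jdoe "
    "LogonType=3 IpAddress=192.168.12.34 IpPort=49812 TimeCreated=2024-03-01T08:12:33Z",
    # Linux sshd line from /var/log/auth.log (classic syslog format, no year)
    "Mar  1 22:41:07 Bank-Automation-01 sshd[2211]: Accepted password for root "
    "from 10.9.8.7 port 51022 ssh2",
    # Suricata EVE JSON alert
    '{"timestamp":"2024-03-01T22:41:09.123456+0000","event_type":"alert",'
    '"src_ip":"10.9.8.7","src_port":51022,"dest_ip":"192.168.13.15","dest_port":22,'
    '"proto":"TCP","alert":{"signature":"ET SCAN Potential SSH Scan","severity":2}}',
]

SYSLOG_YEAR = 2024   # assumption: classic syslog timestamps omit the year
SSHD_PORT = 22       # assumption: sshd listens on its default port in the lab

# Target schema: every source is mapped to exactly these fields.
FIELDS = ("ts", "source", "host", "action", "user",
          "src_ip", "dest_ip", "dest_port", "signature")

WIN_ACTIONS = {"4624": "logon_success", "4625": "logon_failure"}
KV_RE = re.compile(r"(\w+)=(\S+)")
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)")


def _record(**fields):
    """Build a record with every schema field present (None where a source lacks one)."""
    rec = dict.fromkeys(FIELDS)
    rec.update(fields)
    return rec


def parse_windows(line):
    kv = dict(KV_RE.findall(line))
    ts = datetime.strptime(kv["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return _record(ts=ts.isoformat(), source="windows:security", host=kv["ComputerName"],
                   action=WIN_ACTIONS.get(kv["EventCode"], "other"),
                   user=kv["TargetUserName"], src_ip=kv.get("IpAddress"),
                   signature="EventCode=" + kv["EventCode"])


def parse_sshd(line):
    m = SSHD_RE.match(line)
    if not m:
        raise ValueError("not an sshd auth line: " + line)
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    ts = ts.replace(year=SYSLOG_YEAR, tzinfo=timezone.utc)  # assumption: host clock is UTC
    return _record(ts=ts.isoformat(), source="linux:sshd", host=m["host"],
                   action="logon_success" if m["result"] == "Accepted" else "logon_failure",
                   user=m["user"], src_ip=m["src"], dest_port=SSHD_PORT,
                   signature="sshd " + m["result"])


def parse_eve(line):
    ev = json.loads(line)
    ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return _record(ts=ts.astimezone(timezone.utc).isoformat(), source="suricata:eve",
                   action=ev["event_type"], src_ip=ev["src_ip"], dest_ip=ev["dest_ip"],
                   dest_port=ev["dest_port"], signature=ev.get("alert", {}).get("signature"))


def normalize(line):
    """Dispatch on the line's shape; an unknown shape raises instead of being silently dropped."""
    if line.startswith("{"):
        return parse_eve(line)
    if "EventCode=" in line:
        return parse_windows(line)
    return parse_sshd(line)


def normalize_all(lines):
    return [normalize(line) for line in lines]


def events_for_ip(records, ip):
    """Pivot on one address across every source, ordered in time: the payoff of normalizing."""
    return sorted((r for r in records if ip in (r["src_ip"], r["dest_ip"])),
                  key=lambda r: r["ts"])


if __name__ == "__main__":
    records = normalize_all(SAMPLE_LINES)
    for rec in events_for_ip(records, "10.9.8.7"):
        print(rec["ts"], rec["source"], rec["action"], rec["signature"])
```

Running it pivots on 10.9.8.7 and shows the Suricata SSH-scan alert two seconds after the same address got a root password logon on Bank-Automation-01, a join that is impossible while the two sources still carry different field names and time formats. Timestamps are normalized to UTC ISO 8601 before anything else, because a classic syslog line has no year and no zone, and sorting mixed formats silently misorders events.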
Security Monitoring Process
• Identification and Analysis
• Business environment
• Business Context: Mission, Objectives and …
• Legal and Regulatory Requirements
• Business Relationships
• Governance Structure
• Assets
• Create an inventory of servers, clients, network devices, … (Automatic or Manual)
• Integrate the inventory with your Security Monitoring solution
• Security Controls
• Acceptable use policies (AUPs)
• Access Controls
• Backup policies
• …
• Network Communications
• Topology
• Trusted/Untrusted items
• Public or Private network services
• …
(Figure: Business Environment, Assets, Security Controls and Network Communications together determine What to Monitor)
Security Monitoring Process
• Case Study
• Let's consider a hypothetical financial services company, XYZ Bank, and how they would
identify their business environment using the NIST Cybersecurity Framework.
Business Environment
Context
XYZ Bank's mission is to provide secure and reliable financial services to its customers.
Key stakeholders include the board of directors, executive management, shareholders, customers, regulatory agencies, and
industry partners.
Stakeholder expectations include safeguarding customer financial information, ensuring regulatory compliance, and
maintaining trust and confidence in the bank's services.
Legal and Regulatory Requirements
XYZ Bank must comply with financial regulations such as the Dodd-Frank Act, Bank Secrecy Act (BSA), and regulations issued
by regulatory bodies like the Federal Reserve and the Office of the Comptroller of the Currency (OCC).
Data protection laws such as the Gramm-Leach-Bliley Act (GLBA) and state-specific data breach notification laws also apply
to XYZ Bank's operations.
Governance Structure
XYZ Bank's governance structure includes a board of directors, executive management, and various committees responsible
for oversight.
The board's risk committee oversees cybersecurity risk management and sets the overall risk appetite for the organization.
Business Relationships
XYZ Bank has relationships with third-party vendors for services such as IT infrastructure, payment processing, and customer
support.
These vendors may have access to sensitive customer data, so XYZ Bank must ensure that appropriate security measures are
in place to protect data shared with them.
Services
Traditional banking services offered to individual consumers, such as savings accounts, checking accounts, loans (e.g.,
mortgages, personal loans), credit cards, and debit cards.
Assets
Asset Type | Hostname | Zone | IP | Owner | Priority | Category | should_update | requires_av | Internet Access
Client | Bank-AccountingClient-U1 to U150 | Clients | 192.168.12.0/24 | U1-U50 | medium | Accounting | TRUE | TRUE | FALSE
Server | Bank-Exchange-Server-01 | External | 1.2.3.4 | MailAdmin-01 | critical | Mail Servers | TRUE | TRUE | TRUE
Server | Bank-DNS-Server-01,02 | DMZ | 192.168.15.2,3 | NetAdmin-01 | high | DNS Servers | TRUE | TRUE | TRUE
Server | Bank-WebServers-01-12 | DMZ | 192.168.12.9-192.168.12.20, 1.2.3.5 | WebMaster-01 | critical | Public Facing Web Servers | TRUE | TRUE | TRUE
Net Device | Bank-Router-01 | External | 192.168.15.1 | NetAdmin-01 | critical | Router | FALSE | FALSE | TRUE
Net Device | Bank-SecDev-01-03 | Internal | 192.168.15.8-192.168.15.10 | SecAdmin-01 | high | Firewall | TRUE | FALSE | FALSE
Net Device | Bank-SW-01-20 | Internal | 192.168.15.100-120 | NetAdmin-01 | low | Switch | FALSE | FALSE | FALSE
Server | Bank-VPN-Server-01 | External | 5.6.7.8 | SecAdmin-01 | critical | VPN | TRUE | TRUE | FALSE
Client | Bank-CustomerClient-U151 to U400 | Clients | 192.168.15.0/24 | U151-U400 | medium | Customer Support | TRUE | TRUE | FALSE
Server | Bank-FlowGenerator-01 | Internal | 192.168.13.13 | SecAdmin-01, NetAdmin-01 | medium | Traffic Capture | FALSE | FALSE | FALSE
Server | Bank-FileServer-01-03 | Internal | 192.168.13.18,20 | NetAdmin-01 | high | File Sharing | TRUE | TRUE | FALSE
Server | Bank-Automation-01-03 | Internal | 192.168.13.15,17 | NetAdmin-01 | critical | Automation | TRUE | TRUE | FALSE
Server | Bank-WSUS-01 | External / Internal | 192.168.13.59 | NetAdmin-01 | critical | Update Server | TRUE | TRUE | TRUE (Limited)
Security Controls
Control Type: Access Control (the requirements below match the Access Control family of NIST SP 800-171, 3.1.2 through 3.1.15)
• Limit system access to the types of transactions and functions that authorized users are permitted to execute.
• Control the flow of CUI in accordance with approved authorizations.
• Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
• Employ the principle of least privilege, including for specific security functions and privileged accounts.
• Use non-privileged accounts or roles when accessing nonsecurity functions.
• Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
• Limit unsuccessful logon attempts.
• Provide privacy and security notices consistent with applicable CUI rules.
• Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
• Terminate (automatically) a user session after a defined condition.
• Monitor and control remote access sessions.
• Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
• Route remote access via managed access control points.
• Authorize remote execution of privileged commands and remote access to security-relevant information.
Security Monitoring Process
• Case Study: Key Requirements and Results Derived from the Identification Phase
Columns on the slide: Trigger | High Level Concern | Technical Mapping to Monitoring | Sensors | Data type | State
Trigger: Identify Business
• Monitor and Analyze Untrusted Connections to/from External Networks
  Technical mapping: connections from untrusted relationships; connections during off-hours; connections to/from untrusted locations
  Sensors: NSM, Firewall, ACL
  Data type: network connection logs, ACL logs
  State: NSM logs exist; firewall logs exist; lack of ACL logs
• Monitor and Analyze Unsecure Network Connections
• Monitor and Analyze Unauthorized Access to Savings Accounts
• Monitor and Analyze Unauthorized Access to the Transaction Database
• Compliance Monitoring Based on BSA Security Controls
Trigger: Identify Assets
• Monitor and Analyze Non-updated Assets
• Monitor and Analyze AV Status on Assets
• Monitor and Analyze Unauthorized Internet Access from Clients and Others
• Monitor and Analyze Client-to-Client Communications
• Monitor and Analyze WSUS Access and Network Connections
Trigger: Security Policies
• Monitor and Analyze Access Control Violations
• Monitor and Analyze Configuration Management Violations
• Monitor and Analyze Media Protection Violations
• Monitor and Analyze Authentication Policy Violations
Trigger: Network Communications
• Monitor and Analyze File Server to Database Connections
  Sensors: DBF
  Data type: database connection logs
  State: lack of DBF
• Monitor and Analyze Communication Between Servers
• Monitor and Analyze Communication Between Data Center and Client Zones
(The slide fills the Sensors, Data type and State columns only for the first row of the Identify Business group and the File Server to Database row; the other rows leave them blank.)
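Two of the concerns above, "Unauthorized Internet Access from Clients and Others" and "Connections during off-hours to/from untrusted external networks", only become detectable once firewall connection logs are joined with the asset inventory, which is what the earlier bullet "Integrate the inventory with your Security Monitoring solution" asks for. The Python below is an added example, not course material: it loads a subset of the hypothetical XYZ Bank inventory using the table's own address notations, and evaluates both use cases over constructed connection records. The RFC 1918 internal address space, the trusted partner network 203.0.113.0/24, the 08:00 to 18:00 working window, and reading the WSUS "TRUE (Limited)" flag as TRUE are all assumptions of this example.

```python
import ipaddress
from datetime import datetime, time

# Subset of the slide's hypothetical XYZ Bank inventory; the address notations
# are kept exactly as the table writes them and expanded by expand() below.
INVENTORY = [
    {"hostname": "Bank-AccountingClient-U1-U150", "zone": "Clients",
     "ips": "192.168.12.0/24", "priority": "medium", "internet_access": False},
    {"hostname": "Bank-WebServers-01-12", "zone": "DMZ",
     "ips": "192.168.12.9-192.168.12.20", "priority": "critical", "internet_access": True},
    {"hostname": "Bank-FileServer-01-03", "zone": "Internal",
     "ips": "192.168.13.18,20", "priority": "high", "internet_access": False},
    {"hostname": "Bank-WSUS-01", "zone": "Internal",          # "TRUE (Limited)" read as True
     "ips": "192.168.13.59", "priority": "critical", "internet_access": True},
    {"hostname": "Bank-VPN-Server-01", "zone": "External",
     "ips": "5.6.7.8", "priority": "critical", "internet_access": False},
]

# Assumptions for the lab: internal space is RFC 1918; one partner network
# (payment processor) is a trusted business relationship.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TRUSTED_EXTERNAL = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed, already-normalized firewall "allow" records (local time).
CONNECTIONS = [
    {"ts": "2024-03-01T10:05:00", "src_ip": "192.168.12.34", "dest_ip": "198.51.100.7", "dest_port": 443},
    {"ts": "2024-03-01T10:07:00", "src_ip": "192.168.12.10", "dest_ip": "198.51.100.7", "dest_port": 443},
    {"ts": "2024-03-02T02:30:00", "src_ip": "192.168.13.18", "dest_ip": "198.51.100.9", "dest_port": 22},
    {"ts": "2024-03-01T23:15:00", "src_ip": "192.168.13.59", "dest_ip": "203.0.113.20", "dest_port": 443},
    {"ts": "2024-03-01T23:20:00", "src_ip": "198.51.100.50", "dest_ip": "5.6.7.8", "dest_port": 443},
]


def _ip(s):
    return int(ipaddress.ip_address(s))


def expand(spec):
    """Turn the table's notations (CIDR, a-b range, 'a.b.c.18,20', single) into (first, last) ranges."""
    ranges = []
    for part in spec.split(";"):
        part = part.strip()
        if "/" in part:
            net = ipaddress.ip_network(part, strict=False)
            ranges.append((int(net[0]), int(net[-1])))
        elif "-" in part:
            lo, hi = part.split("-")
            if "." not in hi:                       # '192.168.15.100-120' shorthand
                hi = lo.rsplit(".", 1)[0] + "." + hi
            ranges.append((_ip(lo), _ip(hi)))
        elif "," in part:
            first, *tails = part.split(",")
            base, host = first.rsplit(".", 1)
            for h in [host, *tails]:
                n = _ip(base + "." + h)
                ranges.append((n, n))
        else:
            n = _ip(part)
            ranges.append((n, n))
    return ranges


for _asset in INVENTORY:
    _asset["ranges"] = expand(_asset["ips"])


def lookup_asset(ip):
    """Most specific match wins: the DMZ web range beats the client /24 that encloses it."""
    n, best = _ip(ip), None
    for asset in INVENTORY:
        for lo, hi in asset["ranges"]:
            if lo <= n <= hi and (best is None or hi - lo < best[0]):
                best = (hi - lo, asset)
    return best[1] if best else None


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def is_trusted_external(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_EXTERNAL)


def unauthorized_internet_access(conns):
    """Use case: a source asset whose inventory row says Internet Access = FALSE reaches an external address."""
    alerts = []
    for c in conns:
        asset = lookup_asset(c["src_ip"])
        if asset and not asset["internet_access"] and is_external(c["dest_ip"]):
            alerts.append({"use_case": "unauthorized_internet_access",
                           "asset": asset["hostname"], "priority": asset["priority"], **c})
    return alerts


def off_hours_untrusted_external(conns, start=time(8), end=time(18)):
    """Use case: outside working hours or at the weekend, a non-inventory, non-trusted external peer appears."""
    alerts = []
    for c in conns:
        when = datetime.fromisoformat(c["ts"])
        off_hours = when.weekday() >= 5 or not (start <= when.time() < end)
        remote = [ip for ip in (c["src_ip"], c["dest_ip"])
                  if is_external(ip) and lookup_asset(ip) is None and not is_trusted_external(ip)]
        if off_hours and remote:
            alerts.append({"use_case": "off_hours_untrusted_external", "remote": remote[0], **c})
    return alerts


if __name__ == "__main__":
    for alert in unauthorized_internet_access(CONNECTIONS) + off_hours_untrusted_external(CONNECTIONS):
        print(alert)
```

Two details matter in practice. The inventory's client /24 encloses the DMZ web range, so the join must pick the most specific row, or every web server would be flagged as a client without Internet access. And "external" is defined as "not our address space" rather than with a public/private library check, because the bank's own public addresses (the VPN server at 5.6.7.8) are inventory assets and should not be treated as an untrusted remote side; the WSUS connection to the trusted partner at night produces no alert, while the Saturday 02:30 file server connection trips both use cases.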
Required Knowledge for Security Monitoring
Example job postings (company, responsibilities, required knowledge):
Englewood
Responsibilities:
• Conduct proactive monitoring, investigations, and mitigation of security events
• Analyze security event data from EDR, SIEM, dashboards, etc.
• Spend time understanding the environment you're responsible for and engage with various teams
to gain further knowledge of the environment(s)
• Recognize potential, successful, and unsuccessful intrusion attempts and compromises through
review and analysis of relevant event data
• Research new and evolving threats with potential to impact the monitored environment
Required Knowledge:
• Minimum 2 years' experience in Information Systems or IT security-related functions
• Knowledge of information security principles, concepts, practices
• Knowledge of networks, firewalls, and operating systems
• Ability to provide technical advice, guidance, and recommendations to management and other
technical specialists on critical information technology security issues
• Strong analytical skills and able to collate and interpret data from various sources
• Experience with security incident detection and response
Cognizant Technology Solutions
Responsibilities:
• Monitors various log sources from tools and applications such as Endpoint Detection and
Response (EDR) logs, Intrusion Prevention/Detection Systems (IPS/IDS), firewall logs, Windows
logs, Linux operating system logs, etc.
• Analyze, investigate, and respond to security events and incidents.
• Escalate high or critical incidents or complex security alerts to Senior Security Analysts.
• Track and update security incidents over the course of the incident lifecycle.
• Work with SIEM engineering to fine-tune rules for false positive alerts.
• Develop and suggest SIEM rules that help in detection of security incidents.
• Prepare documents and reports as requested.
• Attend meetings and training as required.
• Participate in knowledge sharing sessions.
• Recommend documentation improvements.
Required Knowledge:
Minimum Qualifications:
• 0 or more years of Security Operations Center experience
• Some IT exposure (Networking, Service Desk, self-learning, etc.)
• Industry standard security certification (i.e., Security+ or other entry-level security
certifications)
• Strong verbal/written communication and interpersonal skills are required to document and
communicate findings, escalate critical incidents, and interact with other members.
Preferred Qualifications:
• SIEM software and EDR tool experience
• Well versed in log analysis on various log sources from Next-Gen firewalls, Domain Controllers,
Linux operating systems, Anti-Virus logs, EDR/XDR, IPS/IDS, router and switch logs, etc.
• Experience in threat hunting, log integration, and incident case management.
• 1-2 years of Security Operations Center experience.
• 1-2 years of general IT support experience.
• Any experience with networking
Korn Ferry
Responsibilities:
• Security Monitoring and Incident Response
  • Monitoring systems for signs of anomalies, attacks, and unauthorized activities.
  • Investigate potential incidents and provide timely feedback.
  • Analyze events to identify trends, threats, and vulnerabilities.
  • Work to contain and remediate security incidents.
• Threat Intelligence
  • Keep up to date with the latest trends in cybersecurity threats, vulnerabilities, and best practices.
• Security Infrastructure Management
  • Assist with the maintenance of existing security tools and technologies, such as SIEM, EDR and
  firewalls.
  • Contribute to the selection of new security tools.
• Documentation and Reporting
  • Create and maintain detailed documentation of security processes and procedures.
  • Generate regular reports on security metrics, incidents, and trends for management review.
• Collaboration and Communication
  • Work closely with other IT teams to identify and remediate security vulnerabilities.
Required Knowledge:
• Hands-on experience with security tools such as SIEM / EDR and vulnerability management.
• Proven experience in a security operations role.
• In-depth knowledge of cybersecurity principles, threat landscapes, and attack vectors.
• Experience working in a large, multinational, complex company.
• Good knowledge of infrastructure concepts, such as Windows / Linux, DNS, AD and routing.
• Knowledge and understanding of cloud computing concepts and service models.
• Active learner with strong work ethic.
• Proactive, flexible, responsive, and resourceful.
• Ability to work both independently and collaboratively as a member of a small team.
• Excellent organization and prioritization skills.
• Ability to manage multiple projects and thrive in a fast-paced environment.
• Strong attention to detail and analytical skills.
• Strong communication and interpersonal skills.
• Achieved a cybersecurity certification (e.g., CompTIA Security+, ISC2 SSCP, etc.)
Required Knowledge for Security Monitoring
• Network Knowledge
  • Protocols and Services
  • Network Devices
  • Switching and Routing
• Operating System
  • Windows Structure
  • Windows Event Logs
  • Windows Components (WMI, COM Objects, …)
  • Windows Audit Policies
  • Windows Defender
  • Windows PowerShell
  • Linux Structure
  • Linux Kernel and Service Logs
  • Linux Components (Kernel Modules, Systemd, …)
  • Linux Auditd Service
  • Linux Firewall
  • Linux Bash Scripting
• Sensors
  • NSM
  • Firewall
  • EDR
  • Syslog
  • Audit Logs
  • …
• Threat Knowledge
  • Kill Chain
  • The most important MITRE ATT&CK techniques
  • Known Exploit Tools
  • Client-Side Attack Knowledge
• SIEM
  • SIEM Structure
  • SIEM Query
  • SIEM Report and Dashboard
  • Investigation with SIEM
  • Reporting
Security Monitoring Daily Tasks
• Monitoring the infrastructure
• Monitoring, analysis and measurement of alerts issued by the Security Monitoring solution
• Monitoring, analyzing and quantifying the output of use cases
• Monitoring vulnerability news, security alerts and signs of threats
• Registering and tracking security tickets
• Registering/changing/tracking the list of assets (servers, clients and users)
• Preparing reports and documents
Module 1- Security Monitoring Fundamentals
Security Monitoring Infrastructure
• Lab architecture
SIEM Setup
• Debian-based or Red Hat-based Linux installation
• Download Splunk Enterprise
• Install Splunk (single instance)
• Splunk initial configuration
  • Data inputs
  • Required apps and add-ons
  • Configure indexes
Windows Setup and Logging
• Windows default event logs
  • Security log
  • Application log
  • System log
• Sysmon setup and initial configuration
  • Sysinternals
  • Initial configuration
• PowerShell logging
  • Module logging
  • Script block logging
  • Transcript logging
• Install and configure the SIEM agent
Linux Setup and Logging
• Network configuration
• Linux default logs
• Install and configure the SIEM agent
NSM Setup and Logging
• Suricata
  • Installation
  • Initial configuration
  • Update Suricata rulesets
  • Validate the Suricata configuration file
• Zeek
  • Installation
  • Initial configuration
  • Validate the Zeek configuration
Module 1- Security Monitoring Fundamentals
Splunk as a Security Monitoring Solution

Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 

Security Monitoring Course - Ali Ahangari

  • 3. Topics
    Module 3: Network Security Monitoring
    • Network Service and Components
    • Network Protocol Stack
    • Mail Service
    • DNS
    • Web
    • SMB
    • RPC
    • Netflow
    • Syslog
    • NSM Components
    • Suricata as a NIDS
    • Firewall
    • Flow Generator
    • Full Packet Capture
    • NSM Auditing and Logging
    • NIDS Configuration
    • NIDS Rules Writing
    • NIDS Alerting
    • Firewall Rules and Logging
    • Flow Logging
    • Network Threat Analysis
    • Web Attacks
    • SMTP Attacks
    • SMB Attacks
    • RPC Attacks
    • DNS Attacks
    • C2 Infrastructure
    • Port Forwarding
    • Tunneling
    • Known Exploits
    Module 4: Security Monitoring Functions
    • Security Monitoring Checklist
    • Alert Investigation
    • Alert Correlation
    • Monitoring Tips and Tricks
    • Threat Intelligence
    • Incident Reporting
    • Security Monitoring Automation
  • 4. Module 1 - Security Monitoring Fundamentals: Getting Started
  • 5. SOC Components
    • Q: What is a security operations center (SOC)?
    • Gartner defines a SOC as: a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance.
    • SANS defines a SOC as: a combination of people, processes and technology protecting the information systems of an organization through proactive design and configuration, ongoing monitoring of system state, detection of unintended actions or undesirable state, and minimizing damage from unwanted effects.
    (Diagram: Detection, Analysis, Response)
  • 6. SOC Components
    • Key Components
    • Business and Organization
    • People
    • Infrastructure
    • Services
    • Processes
  • 7. SOC Components
    • Case Study: Lessons Learned from the Microsoft SOC
    • Overall SOC model
    • SOC metrics
    • Microsoft SOC teams and tiers model
    • Roles and functions of the SOC analyst tiers
  • 8. SOC Components
    • Q: What is Security Monitoring?
    • NIST SP 800-137: maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions
    • Maintaining situational awareness of all systems across the organization
    • Maintaining an understanding of threats and threat activities
    • Assessing all security controls
    • Collecting, correlating, and analyzing security-related information
    • Providing actionable communication of security status across all tiers of the organization
    • Active management of risk by organizational officials
  • 9. Security Monitoring Process
    (Diagram: three phases with their activities)
    Identification and Analysis:
    • Business Environment
    • Assets and Identities
    • Network Diagram
    • Risk Assessment
    • Security Policies
    • USECASE List
    • Sensors and Logs
    Setup/Tune Monitoring Infrastructure:
    • Sensor Deployment
    • Enable Logging
    • SIEM Deployment
    • Log Collection Plan
    • Log Aggregation and Normalization
    Monitoring and Investigation:
    • Define Process
    • Develop USECASE
    • Monitoring Daily Tasks
    • Investigation
    • Alerting
    • Ticketing
  • 10. Security Monitoring Process
    • Identification and Analysis
    • Business environment
      • Business Context: Mission, Objectives, …
      • Legal and Regulatory Requirements
      • Business Relationships
      • Governance Structure
    • Assets
      • Create an inventory of servers, clients, network devices, … (automatic or manual)
      • Integrate the inventory with your Security Monitoring solution
    • Security Controls
      • AUPs
      • Access Controls
      • Backup policies
      • …
  • 11. Security Monitoring Process
    • Identification and Analysis
    • Network Communications
      • Topology
      • Trusted/Untrusted items
      • Public or Private network services
      • …
    (Diagram: Business Environment, Assets, Security Controls and Network Communications feed into "What to Monitor")
  • 12. Security Monitoring Process
    • Case Study
    • Let's consider a hypothetical financial services company, XYZ Bank, and how they would identify their business environment using the NIST Cybersecurity Framework.
    Business Environment
    Context: XYZ Bank's mission is to provide secure and reliable financial services to its customers. Key stakeholders include the board of directors, executive management, shareholders, customers, regulatory agencies, and industry partners. Stakeholder expectations include safeguarding customer financial information, ensuring regulatory compliance, and maintaining trust and confidence in the bank's services.
    Legal and Regulatory Requirements: XYZ Bank must comply with financial regulations such as the Dodd-Frank Act, the Bank Secrecy Act (BSA), and regulations issued by regulatory bodies like the Federal Reserve and the Office of the Comptroller of the Currency (OCC). Data protection laws such as the Gramm-Leach-Bliley Act (GLBA) and state-specific data breach notification laws also apply to XYZ Bank's operations.
    Governance Structure: XYZ Bank's governance structure includes a board of directors, executive management, and various committees responsible for oversight. The board's risk committee oversees cybersecurity risk management and sets the overall risk appetite for the organization.
    Business Relationships: XYZ Bank has relationships with third-party vendors for services such as IT infrastructure, payment processing, and customer support. These vendors may have access to sensitive customer data, so XYZ Bank must ensure that appropriate security measures are in place to protect data shared with them.
    Services: traditional banking services offered to individual consumers, such as savings accounts, checking accounts, loans (e.g., mortgages, personal loans), credit cards, and debit cards.
  • 13. Security Monitoring Process
    • Case Study
    • Let's consider a hypothetical financial services company, XYZ Bank, and how they would identify their business environment using the NIST Cybersecurity Framework.
    Asset inventory:
    Type | Hostname | Zone | IP | Owner | Priority | Category | should_update | requires_av | Internet Access
    Client | Bank-AccountingClient-U1 to U150 | Clients | 192.168.12.0/24 | U1-U50 | medium | Accounting | TRUE | TRUE | FALSE
    Server | Bank-Exchange-Server-01 | External | 1.2.3.4 | MailAdmin-01 | critical | Mail Servers | TRUE | TRUE | TRUE
    Server | Bank-DNS-Server-01,02 | DMZ | 192.168.15.2,3 | NetAdmin-01 | high | DNS Servers | TRUE | TRUE | TRUE
    Server | Bank-WebServers-01-12 | DMZ | 192.168.12.9-192.168.12.20, 1.2.3.5 | WebMaster-01 | critical | Public Facing Web Servers | TRUE | TRUE | TRUE
    Net Device | Bank-Router-01 | External | 192.168.15.1 | NetAdmin-01 | critical | Router | FALSE | FALSE | TRUE
    Net Device | Bank-SecDev-01-03 | Internal | 192.168.15.8-192.168.15.10 | SecAdmin-01 | high | Firewall | TRUE | FALSE | FALSE
    Net Device | Bank-SW-01-20 | Internal | 192.168.15.100-120 | NetAdmin-01 | low | Switch | FALSE | FALSE | FALSE
    Server | Bank-VPN-Server-01 | External | 5.6.7.8 | SecAdmin-01 | critical | VPN | TRUE | TRUE | FALSE
    Client | Bank-CustomerClient-U151 to U400 | Clients | 192.168.15.0/24 | U151-U400 | medium | CustomerSupport | TRUE | TRUE | FALSE
    Server | Bank-FlowGenetor-01 | Internal | 192.168.13.13 | SecAdmin-01, NetAdmin-01 | medium | Traffic Capture | FALSE | FALSE | FALSE
    Server | Bank-FileServer-01-03 | Internal | 192.168.13.18,20 | NetAdmin-01 | high | File Sharing | TRUE | TRUE | FALSE
    Server | Bank-Automation-01-03 | Internal | 192.168.13.15,17 | NetAdmin-01 | critical | Automation | TRUE | TRUE | FALSE
    Server | Bank-WSUS-01 | External, Internal | 192.168.13.59 | NetAdmin-01 | critical | Update Server | TRUE | TRUE | TRUE (Limited)
  • 14. Security Monitoring Process
    • Case Study
    • Let's consider a hypothetical financial services company, XYZ Bank, and how they would identify their business environment using the NIST Cybersecurity Framework.
    Security controls (Control Type: Access Control) and their security requirements:
    • Limit system access to the types of transactions and functions that authorized users are permitted to execute.
    • Control the flow of CUI in accordance with approved authorizations.
    • Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
    • Employ the principle of least privilege, including for specific security functions and privileged accounts.
    • Use non-privileged accounts or roles when accessing nonsecurity functions.
    • Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
    • Limit unsuccessful logon attempts.
    • Provide privacy and security notices consistent with applicable CUI rules.
    • Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
    • Terminate (automatically) a user session after a defined condition.
    • Monitor and control remote access sessions.
    • Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
    • Route remote access via managed access control points.
    • Authorize remote execution of privileged commands and remote access to security-relevant information.
  • 15. Security Monitoring Process
    • Case Study
    • Let's consider a hypothetical financial services company, XYZ Bank, and how they would identify their business environment using the NIST Cybersecurity Framework.
  • 16. Security Monitoring Process
    • Case Study: Key Requirements and Results Derived from the Identification Phase
    Columns: Trigger | High Level Concerns | Technical Mapping to Monitoring Sensors | Datatype | State
    Trigger: Identify Business
    • Monitor and Analyze Untrusted Connections to/from External Networks
      • Concerns: connections from untrusted relationships; connections during work-off times; connections to/from untrusted locations
      • Sensors: NSM, Firewall, ACL
      • Datatype: network connection logs, ACL logs
      • State: NSM logs exist; firewall logs exist; lack of ACL logs
    • Monitor and Analyze Unsecure Network Connections
    • Monitor and Analyze Unauthorized Access to Saving Accounts
    • Monitor and Analyze Unauthorized Access to Transaction Database
    • Compliance Monitoring Based on BSA Security Controls
    Trigger: Identify Assets
    • Monitor and Analyze Non-Updated Assets
    • Monitor and Analyze AV Status on Assets
    • Monitor and Analyze Unauthorized Internet Access from Clients and Others
    • Monitor and Analyze Client-to-Client Communications
    • Monitor and Analyze WSUS Access and Network Connections
    Trigger: Security Policies
    • Monitor and Analyze Access Control Violations
    • Monitor and Analyze Configuration Management Violations
    • Monitor and Analyze Media Protection Violations
    • Monitor and Analyze Authentication Policy Violations
    Trigger: Network Communications
    • Monitor and Analyze File Server to Database Connections
      • Sensors: DBF
      • Datatype: database connection logs
      • State: lack of DBF
    • Monitor and Analyze Communication Between Servers
    • Monitor and Analyze Communication Between Data Center and Client Zones
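One way to turn the slide-13 asset inventory into a SIEM-style lookup and run two of the slide-16 use cases over it ("Unauthorized Internet Access from Clients and Others" and "Connections during work-off times"), as an added example that is not part of the course material. It assumes the firewall emits key=value lines, that the "Internet Access" column means the asset may reach non-RFC1918 destinations, and that working hours are 08:00-18:00; the inventory subset and the log lines are constructed.

```python
"""Asset-aware use case for the XYZ Bank case study (added example; not the course's own code).
Assumptions not taken from the slides: key=value firewall lines, a CSV asset lookup with the
slide-13 columns, "internet_access" = allowed to reach non-RFC1918 addresses, work hours 08-18.
"""
import csv
import io
import ipaddress

# Subset of the slide-13 inventory, constructed as a SIEM-style asset lookup.
ASSET_CSV = """hostname,zone,ip,priority,category,internet_access
Bank-AccountingClient-U1-U150,Clients,192.168.12.0/24,medium,Accounting,FALSE
Bank-Exchange-Server-01,External,1.2.3.4,critical,Mail Servers,TRUE
Bank-FileServer-01,Internal,192.168.13.18,high,File Sharing,FALSE
Bank-WSUS-01,Internal,192.168.13.59,critical,Update Server,TRUE
"""

# Constructed sample firewall log lines (not real traffic; destinations are documentation addresses).
FW_LOGS = """ts=2024-03-01T02:13:05 src=192.168.12.17 dst=203.0.113.9 dport=443 action=allow
ts=2024-03-01T09:00:12 src=192.168.13.59 dst=203.0.113.20 dport=80 action=allow
ts=2024-03-01T09:05:40 src=192.168.13.18 dst=203.0.113.77 dport=445 action=allow
ts=2024-03-01T10:22:01 src=192.168.12.30 dst=192.168.13.18 dport=445 action=allow
ts=2024-03-01T22:40:09 src=192.168.99.5 dst=203.0.113.50 dport=22 action=allow
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WORK_HOURS = range(8, 18)  # assumed working hours; "work-off time" is anything else


def load_assets(text):
    """Parse the inventory into (network, record) pairs; ranges and single hosts both work."""
    assets = []
    for row in csv.DictReader(io.StringIO(text)):
        row["internet_access"] = row["internet_access"].strip().upper() == "TRUE"
        assets.append((ipaddress.ip_network(row["ip"], strict=False), row))
    return assets


def lookup(assets, ip):
    """Return the most specific inventory record covering ip, or None if the host is unknown."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, rec) for net, rec in assets if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def parse_fw_line(line):
    return dict(kv.split("=", 1) for kv in line.split())


def detect_unauthorized_internet(assets, logs):
    """Flag allowed outbound connections from assets with no internet authorization (or from
    hosts missing from the inventory) and mark those made outside working hours."""
    findings = []
    for line in logs.splitlines():
        ev = parse_fw_line(line)
        if ev.get("action") != "allow" or is_internal(ev["dst"]):
            continue  # denied traffic and internal-to-internal flows belong to other use cases
        hour = int(ev["ts"][11:13])
        rec = lookup(assets, ev["src"])
        if rec is None:
            reason, priority = "source not in asset inventory", "unknown"
        elif not rec["internet_access"]:
            reason, priority = f"internet access not authorized for {rec['hostname']}", rec["priority"]
        else:
            continue
        findings.append({"ts": ev["ts"], "src": ev["src"], "dst": ev["dst"], "reason": reason,
                         "priority": priority, "off_hours": hour not in WORK_HOURS})
    return findings
```

The asset priority travels with each finding, which is what lets the analyst triage the file server hit before the accounting client hit; an unknown source host is itself a finding because it means the inventory from slide 13 is incomplete.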
  • 17. Required Knowledge for Security Monitoring
    Example job postings (Company Name | Responsibilities | Required Knowledge)
    Englewood
    Responsibilities:
    • Conduct proactive monitoring, investigations, and mitigation of security events
    • Analyze security event data from EDR, SIEM, Dashboards, etc.
    • Spend time understanding the environment you're responsible for and engage with various teams to gain further knowledge of the environment(s)
    • Recognize potential, successful, and unsuccessful intrusion attempts and compromises through review and analysis of relevant event data
    • Research new and evolving threats with potential to impact the monitored environment
    Required Knowledge:
    • Minimum 2 years experience in Information Systems or IT security-related functions
    • Knowledge of information security principles, concepts, practices
    • Knowledge of networks, firewalls, and operating systems
    • Ability to provide technical advice, guidance, and recommendations to management and other technical specialists on critical information technology security issues
    • Strong analytical skills and able to collate and interpret data from various sources
    • Experience with security incident detection and response
    Cognizant Technology Solutions
    Responsibilities:
    • Monitors various log sources from tools and applications such as Endpoint Detection and Response (EDR) logs, Intrusion Prevention/Detection Systems (IPS/IDS), firewall logs, Windows logs, Linux operating system logs, etc.
    • Analyze, investigate, and respond to security events and incidents.
    • Escalate high or critical incidents or complex security alerts to Senior Security Analysts.
    • Track and update security incidents over the course of the incident lifecycle.
    • Work with SIEM engineering to fine-tune rules for false positive alerts.
    • Develop and suggest SIEM rules that help in detection of security incidents.
    • Prepare documents and reports as requested.
    • Attend meetings and training as required.
    • Participate in knowledge sharing sessions.
    • Recommend documentation improvements.
    Minimum Qualifications:
    • 0 or more years of Security Operations Center experience
    • Some IT exposure (Networking, Service Desk, self-learning, etc.)
    • Industry standard security certification (i.e., Security+ or other entry-level security certifications)
    • Strong verbal/written communication and interpersonal skills are required to document and communicate findings, escalate critical incidents, and interact with other members.
    Preferred Qualifications:
    • SIEM software and EDR tool experience
    • Well versed in log analysis on various log sources from Next-Gen firewalls, Domain Controllers, Linux operating systems, Anti-Virus logs, EDR/XDR, IPS/IDS, router and switch logs, etc.
    • Experience in threat hunting, log integration, and incident case management.
    • 1-2 years of Security Operations Center experience.
    • 1-2 years of general IT support experience.
    • Any experience with networking
    Korn Ferry
    Responsibilities:
    • Security Monitoring and Incident Response
      • Monitoring systems for signs of anomalies, attacks, and unauthorized activities.
      • Investigate potential incidents and provide timely feedback.
      • Analyze events to identify trends, threats, and vulnerabilities.
      • Work to contain and remediate security incidents.
    • Threat Intelligence
      • Keep up to date with latest trends in cybersecurity threats, vulnerabilities, and best practices.
    • Security Infrastructure Management
      • Assist with the maintenance of existing security tools and technologies, such as SIEM, EDR and firewalls.
      • Contribute to the selection of new security tools.
    • Documentation and Reporting
      • Create and maintain detailed documentation of security processes and procedures.
      • Generate regular reports on security metrics, incidents, and trends for management review.
    • Collaboration and Communication
      • Work closely with other IT teams to identify and remediate security vulnerabilities.
    Required Knowledge:
    • Hands-on experience with security tools such as SIEM / EDR and vulnerability management.
    • Proven experience in a security operations role.
    • In-depth knowledge of cybersecurity principles, threat landscapes, and attack vectors.
    • Experience working in a large, multinational, complex company.
    • Good knowledge of infrastructure concepts, such as Windows / Linux, DNS, AD and routing.
    • Knowledge and understanding of cloud computing concepts and service models.
    • Active learner with strong work ethic.
    • Proactive, flexible, responsive, and resourceful.
    • Ability to work both independently and collaboratively as a member of a small team.
    • Excellent organization and prioritization skills.
    • Ability to manage multiple projects and thrive in a fast-paced environment.
    • Strong attention to detail and analytical skills.
    • Strong communication and interpersonal skills.
    • Achieved a cybersecurity certification (e.g., CompTIA Security+, ISC2 SSCP, etc.)
  • 18. Required Knowledge for Security Monitoring
    • Network Knowledge
      • Protocols and Services
      • Network Devices
      • Switching and Routing
    • Operating System
      • Windows Structure
      • Windows Event Logs
      • Windows Components (WMI, COM Objects, …)
      • Windows Audit Policies
      • Windows Defender
      • Windows Powershell
      • Linux Structure
      • Linux Kernel and Service Logs
      • Linux Components (Kernel Modules, Systemd, …)
      • Linux Auditd Service
      • Linux Firewall
      • Linux Bash Scripting
    • Sensors
      • NSM
      • Firewall
      • EDR
      • Syslog
      • Audit Logs
      • …
    • Threat Knowledge
      • Kill-Chain
      • The most important MITRE ATT&CK techniques
      • Known Exploit Tools
      • Client Side Attack Knowledge
    • SIEM
      • SIEM Structure
      • SIEM Query
      • SIEM Report and Dashboard
      • Investigation with SIEM
    • Reporting
  • 19. Security Monitoring Daily Tasks
    • Monitoring the infrastructure
    • Monitoring, analysis and measurement of alerts issued by the Security Monitoring solution
    • Monitoring, analyzing and quantifying the output of USECASEs
    • Monitoring vulnerability news, security alerts and signs of threats
    • Registration and tracking of security tickets
    • Registering/changing/tracking the list of assets (servers, clients and users)
    • Preparation of reports and documents
  • 20. Module 1 - Security Monitoring Fundamentals: Security Monitoring Infrastructure
  • 22. SIEM Setup
    • Debian-based or Red Hat-based Linux installation
    • Download Splunk Enterprise
    • Install Splunk (Single Instance)
    • Splunk Initial Configurations
      • Data Input
      • Required apps and add-ons
      • Config indexes
  • 23. Windows Setup and Logging
    • Windows default Event Logs
      • Security logs
      • Application logs
      • System logs
    • Sysmon setup and initial configuration
      • Sysinternals
      • Initial configuration
    • Powershell logging
      • Module logging
      • Script block logging
      • Transcript logging
    • Install and Config SIEM agent
  • 24. Linux Setup and Logging
    • Network configuration
    • Linux default logs
    • Install and config SIEM agent
  • 25. NSM Setup and Logging
    • Suricata
      • Installation
      • Initial configuration
      • Update Suricata rulesets
      • Validating Suricata conf file
    • Zeek
      • Installation
      • Initial configuration
      • Validating Zeek config
  • 26. Module 1 - Security Monitoring Fundamentals: Splunk as a Security Monitoring Solution