SlideShare a Scribd company logo

SIEM

Download as PPTX, PDF
Napier University
Napier University

The document provides an overview of network security topics including SIEM, logs, NetFlow, web logs, and compliance standards. It discusses how SIEM systems aggregate and correlate log/event data from multiple sources to provide security monitoring, incident response, forensic analysis and compliance reporting capabilities. Specific topics covered include syslog, NetFlow for network monitoring, and examples of web server logs and the types of data that can be extracted from logs for security purposes. Compliance standards like PCI-DSS and SOX are also mentioned in relation to why log collection and monitoring is important for audit requirements.

1 of 38
Author: Prof Bill Buchanan AdvSecurityand NetworkForensics SIEM Proxy VPN Eve Bob Alice
SIEMNetworkSecurity Big Data
HPCCloudCracking HPC 1997: Deep Blue deep Kasparov 2011: Watson beats humans at Jeopardy! 2013: Watson beats Cancer Specialists
TypesIncResponse Author: Prof Bill Buchanan Some data breaches
IncidentsIntroduction Author: Prof Bill Buchanan Incidents During IncidentBefore Incident After Incident Intruder Intrusion Detection
DatastatesInc.Response Data in-motion, data in-use and data at-rest Intrusion Detection System Intrusion Detection System Firewall Internet Switch Router Proxy server Email server Web server DMZ FTP server Firewall Domain name server Database server Bob Alice Eve Data in- motion Data at- rest Data in- use Data at- rest
IncidentsIntroduction Author: Prof Bill Buchanan Incidents During IncidentBefore Incident After Incident Timeline Data At Rest Data In-Motion Data In-Process Files, Directories, File Rights, Domain Rights, etc. File changes, File CRUD (Create, Delete, Update, Delete), Thumbprints Network packet logs, Web logs, Security logs Network scanners, Intrusion Detection Systems, Firewall logs, etc Processes, Threads, Memory, etc. Security Log, Application Log, Registry, Domain Rights. Intruder
IntroductionIncResponse Four Vs of Big Data Intrusion Detection System Firewall Router Proxy server Email server Web server FTP server Switch Alice Management report Sales analysis Targeted marketing Trending/Correlation V- Volume [Scale of data] V- Variety [Different forms of data] V- Velocity [Speed of data generation] V- Veracity [Trustworthiness] Incident Response Eve Bob
IntroductionIncResponse Data Capture Web server IT Ops Nagios. NetApp. Cisco UCS. Apache. IIS. Web Services Firewall Router Proxy server Email server FTP server Switch Eve Bob Microsoft Infrastructure Active Directory. Exchange. SharePoint. Structured Data CSV. JSON. XML. Database Sys Oracle. My SQL. Microsoft SQL. Network/Security Syslog/SNMP. Cisco NetFlow. Snort. Intrusion Detection System Alice Cloud AWS Cloudtrail. Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat
IntroductionIncResponse Investigation sources Web server Firewall Router Proxy server Email server FTP server Bob Eve Internal systems Cloud service providers Communication service providers Trusted partners
IntroductionIncResponse Basic timeline Eve Cloud service providers Communication service providers Web services Phone call Wifi connect Tweet Facebook post Email send Web page access Web log Call record Location record Corporate login Web/Domain Log Device switch-on Logs/Email Time line Device logs System Log Internet cache
IntroductionIncResponse Eve Eve Logs/alerts Bob SIEM Package (Splunk) News feeds Security alerts
Author: Prof Bill Buchanan AdvSecurityand NetworkForensics SIEM Proxy VPN Eve Bob Alice
SIEMNetworkSecurity Why? Protect users Protect assets Audit/ compliance Customer trust Shareholder trust Protect data Protect transactions Detect Fraud
Risk 4: One Password Fits All 150 million accounts compromised # Count Ciphertext Plaintext -------------------------------------------------------------- 1. 1911938 EQ7fIpT7i/Q= 123456 2. 446162 j9p+HwtWWT86aMjgZFLzYg== 123456789 3. 345834 L8qbAD3jl3jioxG6CatHBw== password 4. 211659 BB4e6X+b2xLioxG6CatHBw== adobe123 5. 201580 j9p+HwtWWT/ioxG6CatHBw== 12345678 6. 130832 5djv7ZCI2ws= qwerty 7. 124253 dQi0asWPYvQ= 1234567 8. 113884 7LqYzKVeq8I= 111111 9. 83411 PMDTbP0LZxu03SwrFUvYGA== photoshop 10. 82694 e6MPXQ5G6a8= 123123 1 million accounts – in plain text. 77 million compromised 47 million accounts 200,000 client accounts Dropbox compromised 2013 One account hack … leads to others 6.5 million accounts (June 2013)
SIEMNetworkSecurity PCI-DSS Build and Maintain and Secure Network Firewall. System passwords. Protect Cardholder Data Stored cardholder data. Encrypt data. Strong Access Control Restrict access to cardholder data. Assign unique ID for each user who accesses. Restrict physical access. Maintain Vulnerability Management Program Anti-virus. Develop/ maintain secure systems and apps. Monitor and Test Networks Track/monitor accesses. Perform security tests. Define/Maintain Security Policy Design and implement a policy which focuses on security.
SIEMNetworkSecurity SOX Auditor Independence Public Company Accounting Oversight Board Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. U.S. Senator Paul Sarbanes and U.S. Representative Michael G. Oxley. USA, Canada, France, etc. Corporate Tax Returns Analyst Conflicts of Interest Corporate Responsibility
SIEMNetworkSecurity SIEM Intrusion Detection System Firewall Internet Router Proxy server Email server Web server FTP server Switch Alice Log Aggregation: Data from many sources … networks, databases, applications, servers, etc Correlation: Links events together into a coherent instances (time- lining) Dashboard: Provides an overview of events and alerts for analysis/response Complaince: Gathering and reporting of audit/ compliance (PCI- DSS, etc). Retention: Long- term storage of data for audit/ compliance Forensic Analysis: Analysis of logs across infrastructure
SIEMNetworkSecurity Logs Local host logs - Application. - Security. - System - etc File and Directories - CRUD. - Security changes. Performance - CPU. - Memory. - Threads. TCP/UDP - Syslog. Registry Monitoring - Key changes. - Updates. Active Directory - User additions. - Host changes. - Logins Print Monitoring - Jobs. Email - Logs. Remote Access - Logs. Database Access - Logs. Environmental - Temp. - Humidity. Intrusion Detection - Alerts
SIEMNetworkSecurity Syslog Intrusion Detection System Firewall Internet Router Syslog server Email server Web server FTP server Switch Alice Buffered logging: 0 Emergencies System shutting down due to missing fan tray 1 Alerts Temperature limit exceeded 2 Critical Memory allocation failures 3 Errors Interface Up/Down messages 4 Warnings Configuration file written to server, via SNMP request 5 Notifications Line protocol Up/Down 6 Information Access-list violation logging 7 Debugging Debug messages > enable # config t (config)# logging on (config)# logging 212.72.52.7 (config)# logging buffer 440240 (config)# logging trap emergency (config)# logging monitor emergency (config)# logging console emergency (config)# logging buffer emergency (config)# clock timezone AKDT
Author: Prof Bill Buchanan SIEM Types Proxy VPN Eve Bob Alice
SIEMNetworkSecurity
SIEMNetworkSecurity SIEM Data collected with Cisco NetFlow
SIEMNetworkSecurity SIEM Data collected with Cisco NetFlow Router# configure terminal // Destination is 192.168.1.1 UDP Port: 999 Router(config)# ip flow-export destination 192.168.1.1 999 Router(config)# ip flow-export version 9 Router(config)# interface ethernet 0/0 // Monitor incoming Router(config-if)# ip flow ingress 192.168.1.1 UDP Listen: 999 FA0/0 Egress Ingress Router# show ip cache flow IP packet size distribution (1103746 total packets): 1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480 .249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608 .000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000 IP Flow Switching Cache, 278544 bytes 35 active, 4061 inactive, 980 added 2921778 ager polls, 0 flow alloc failures Active flows timeout in 30 minutes Inactive flows timeout in 15 seconds IP Sub Flow Cache, 21640 bytes 0 active, 1024 inactive, 0 added, 0 added to flow 0 alloc failures, 0 force free 1 chunk, 1 chunk added last clearing of statistics never Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec) -------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow TCP-FTP 108 0.0 1133 40 2.4 1799.6 0.9 TCP-FTPD 108 0.0 1133 40 2.4 1799.6 0.9 TCP-WWW 54 0.0 1133 40 1.2 1799.6 0.8 TCP-SMTP 54 0.0 1133 40 1.2 1799.6 0.8 TCP-BGP 27 0.0 1133 40 0.6 1799.6 0.7 TCP-NNTP 27 0.0 1133 40 0.6 1799.6 0.7 TCP-other 297 0.0 1133 40 6.8 1799.7 0.8 UDP-TFTP 27 0.0 1133 28 0.6 1799.6 1.0 UDP-other 108 0.0 1417 28 3.1 1799.6 0.9 ICMP 135 0.0 1133 427 3.1 1799.6 0.8 Total: 945 0.0 1166 91 22.4 1799.6 0.8 SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts Et0/0 192.168.67.6 Et1/0.1 172.16.10.200 01 0000 0C01 51 Et0/0 10.10.18.1 Null 172.16.11.5 11 0043 0043 51 Et0/0 10.10.18.1 Null 172.16.11.5 11 0045 0045 51 Et0/0 10.234.53.1 Et1/0.1 172.16.10.2 01 0000 0800 51 . . Et0/0 172.16.1.84 Et1/0.1 172.16.10.19 06 0087 0087 50 Et0/0 172.16.1.84 Et1/0.1 172.16.10.19 06 0050 0050 51 Et0/0 172.16.1.85 Et1/0.1 172.16.10.20 06 0089 0089 49 Et0/0 172.16.1.85 Et1/0.1 172.16.10.20 06 0050 0050 50 Et0/0 10.251.10.1 Et1/0.1 172.16.10.2 01 0000 0800 51 Et0/0 10.162.37.71 Null 172.16.11.3 06 027C 027C 49 NetFlow Collection Agent NetFlow Route
SIEMNetworkSecurity SIEM
SIEMNetworkSecurity SIEM
SIEMNetworkSecurity Splunk
SIEMNetworkSecurity Splunk
SIEMNetworkSecurity HP ArcSight
SIEMNetworkSecurity HP ArcSight
Author: Prof Bill Buchanan SIEM Splunk Proxy VPN Eve Bob Alice
SIEMNetworkSecurity Web logs 209.160.24.63 - - [11/Mar/2014:18:22:16] "GET /product.screen?productId=WC-SH-A02&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 3878 "http://www.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 349 209.160.24.63 - - [11/Mar/2014:18:22:16] "GET /oldlink?itemId=EST-6&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 1748 "http://www.buttercupgames.com/oldlink?itemId=EST-6" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/ 536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 731 209.160.24.63 - - [11/Mar/2014:18:22:17] "GET /product.screen?productId=BS-AG-G09&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 2550 "http://www.buttercupgames.com/product.screen?productId=BS-AG-G09" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 422 209.160.24.63 - - [11/Mar/2014:18:22:19] "POST / category.screen?categoryId=STRATEGY&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 407 "http:// www.buttercupgames.com/cart.do?action=remove&itemId=EST-7&productId=PZ-SG-G05" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 211 209.160.24.63 - - [11/Mar/2014:18:22:20] "GET /product.screen?productId=FS-SG-G03&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 2047 "http://www.buttercupgames.com/category.screen?categoryId=STRATEGY" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 487 #Software: Microsoft Internet Information Services 7.5 #Date: 2014-03-25 00:00:09 #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32- status time-taken 2014-03-25 00:00:09 10.185.7.7 GET /ip/whois site=asos.com 80 - 162.244.11.111 Opera/ 9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 155 2014-03-25 00:00:12 10.185.7.7 GET /security/information/bmp - 80 - 66.249.68.217 Mozilla/5.0+(compatible;+Googlebot/ 2.1;++http://www.google.com/bot.html) 500 19 183 77 2014-03-25 00:00:12 10.185.7.7 GET /ip/whois site=blogspot.nl 80 - 78.46.169.130 Opera/ 9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 233 2014-03-25 00:00:15 10.185.7.7 GET /Content/footer.png - 80 - 81.133.198.251 Mozilla/ 5.0+(Windows+NT+6.3;+WOW64;+rv:27.0)+Gecko/20100101+Firefox/27.0 404 0 64 5693 2014-03-25 00:00:17 10.185.7.7 GET /ip/whois site=proxyring.com 80 - 110.85.106.101 Opera/ 9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 14149 2014-03-25 00:00:21 10.185.7.7 GET /ip/whois site=surewest.net 80 - 216.169.139.190 Opera/ 9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 171 2014-03-25 00:00:23 10.185.7.7 GET / - 80 - 203.206.171.20 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:27.0)+Gecko/ 20100101+Firefox/27.0 200 0 0 530 Access.log IIS Log
SIEMNetworkSecurity Security log Thu Mar 11 2014 00:15:01 www1 sshd[4747]: Failed password for invalid user jabber from 118.142.68.222 port 3187 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[4111]: Failed password for invalid user db2 from 118.142.68.222 port 4150 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[5359]: Failed password for invalid user pmuser from 118.142.68.222 port 3356 ssh2 Thu Mar 11 2014 00:15:01 www1 su: pam_unix(su:session): session opened for user root by djohnson(uid=0) Thu Mar 11 2014 00:15:01 www1 sshd[2660]: Failed password for invalid user irc from 118.142.68.222 port 4343 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[1705]: Failed password for happy from 118.142.68.222 port 4174 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[1292]: Failed password for nobody from 118.142.68.222 port 1654 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[1560]: Failed password for invalid user local from 118.142.68.222 port 4616 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[59414]: Accepted password for myuan from 10.1.10.172 port 1569 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[1876]: Failed password for invalid user db2 from 118.142.68.222 port 1151 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[3310]: Failed password for apache from 118.142.68.222 port 4343 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[2149]: Failed password for nobody from 118.142.68.222 port 1527 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[2766]: Failed password for invalid user guest from 118.142.68.222 port 2581 ssh2 Secure.log
SIEMNetworkSecurity Security log
Author: Prof Bill Buchanan AdvSecurityand NetworkForensics SIEM Proxy VPN Eve Bob Alice

Recommended

McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution
hashnees
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur Vats
OWASP Delhi
 
2012-12-12 Seminar McAfee ESM
2012-12-12 Seminar McAfee ESM2012-12-12 Seminar McAfee ESM
2012-12-12 Seminar McAfee ESM
Pinewood
 
Top Cybersecurity Threats and How SIEM Protects Against Them
Top Cybersecurity Threats and How SIEM Protects Against ThemTop Cybersecurity Threats and How SIEM Protects Against Them
Top Cybersecurity Threats and How SIEM Protects Against Them
SBWebinars
 
7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enough7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enough
CloudAccess
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
hardik soni
 
SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)
Osama Ellahi
 
Security Information Event Management - nullhyd
Security Information Event Management - nullhydSecurity Information Event Management - nullhyd
Security Information Event Management - nullhyd
n|u - The Open Security Community
 

Recommended

McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution
hashnees
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur Vats
OWASP Delhi
 
2012-12-12 Seminar McAfee ESM
2012-12-12 Seminar McAfee ESM2012-12-12 Seminar McAfee ESM
2012-12-12 Seminar McAfee ESM
Pinewood
 
Top Cybersecurity Threats and How SIEM Protects Against Them
Top Cybersecurity Threats and How SIEM Protects Against ThemTop Cybersecurity Threats and How SIEM Protects Against Them
Top Cybersecurity Threats and How SIEM Protects Against Them
SBWebinars
 
7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enough7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enough
CloudAccess
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
hardik soni
 
SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)
Osama Ellahi
 
Security Information Event Management - nullhyd
Security Information Event Management - nullhydSecurity Information Event Management - nullhyd
Security Information Event Management - nullhyd
n|u - The Open Security Community
 
SIEM
SIEMSIEM
SIEM
vikasraina
 
Information Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesInformation Security: Advanced SIEM Techniques
Information Security: Advanced SIEM Techniques
ReliaQuest
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
AlienVault
 
Modern vs. Traditional SIEM
Modern vs. Traditional SIEM Modern vs. Traditional SIEM
Modern vs. Traditional SIEM
Alert Logic
 
SIEM 101: Get a Clue About IT Security Analysis
SIEM 101: Get a Clue About IT Security Analysis SIEM 101: Get a Clue About IT Security Analysis
SIEM 101: Get a Clue About IT Security Analysis
AlienVault
 
Siem Overview 2009
Siem Overview 2009Siem Overview 2009
Siem Overview 2009
johndyson1
 
SIEM evolution
SIEM evolutionSIEM evolution
SIEM evolution
Stijn Vande Casteele
 
SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation finalRizwan S
 
SIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security ArsenalSIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security Arsenal
ManageEngine EventLog Analyzer
 
From SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardFrom SIEM to SA: The Path Forward
From SIEM to SA: The Path Forward
EMC
 
SORT OUT YOUR SIEM
SORT OUT YOUR SIEMSORT OUT YOUR SIEM
SORT OUT YOUR SIEM
SecureData Europe
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
M sharifi
 
Identity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access ManagementIdentity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access Management
Prolifics
 
Security Information and Event Managemen
Security Information and Event ManagemenSecurity Information and Event Managemen
Security Information and Event Managemen
S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
k33a
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
Nishanth Kumar Pathi
 
Implementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and LessonsImplementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and Lessons
Anton Chuvakin
 
Redefining siem to real time security intelligence
Redefining siem to real time security intelligenceRedefining siem to real time security intelligence
Redefining siem to real time security intelligenceBrendaly Marcano
 
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
rver21
 
What is SIEM
What is SIEMWhat is SIEM
What is SIEM
Patten John
 
SIEM
SIEM SIEM
SIEM e.ferreira
 
Apresenta Siem
Apresenta SiemApresenta Siem
Apresenta Siemguesta606d9
 

More Related Content

What's hot

SIEM
SIEMSIEM
SIEM
vikasraina
 
Information Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesInformation Security: Advanced SIEM Techniques
Information Security: Advanced SIEM Techniques
ReliaQuest
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
AlienVault
 
Modern vs. Traditional SIEM
Modern vs. Traditional SIEM Modern vs. Traditional SIEM
Modern vs. Traditional SIEM
Alert Logic
 
SIEM 101: Get a Clue About IT Security Analysis
SIEM 101: Get a Clue About IT Security Analysis SIEM 101: Get a Clue About IT Security Analysis
SIEM 101: Get a Clue About IT Security Analysis
AlienVault
 
Siem Overview 2009
Siem Overview 2009Siem Overview 2009
Siem Overview 2009
johndyson1
 
SIEM evolution
SIEM evolutionSIEM evolution
SIEM evolution
Stijn Vande Casteele
 
SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation finalRizwan S
 
SIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security ArsenalSIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security Arsenal
ManageEngine EventLog Analyzer
 
From SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardFrom SIEM to SA: The Path Forward
From SIEM to SA: The Path Forward
EMC
 
SORT OUT YOUR SIEM
SORT OUT YOUR SIEMSORT OUT YOUR SIEM
SORT OUT YOUR SIEM
SecureData Europe
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
M sharifi
 
Identity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access ManagementIdentity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access Management
Prolifics
 
Security Information and Event Managemen
Security Information and Event ManagemenSecurity Information and Event Managemen
Security Information and Event Managemen
S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
k33a
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
Nishanth Kumar Pathi
 
Implementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and LessonsImplementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and Lessons
Anton Chuvakin
 
Redefining siem to real time security intelligence
Redefining siem to real time security intelligenceRedefining siem to real time security intelligence
Redefining siem to real time security intelligenceBrendaly Marcano
 
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
rver21
 
What is SIEM
What is SIEMWhat is SIEM
What is SIEM
Patten John
 

What's hot (20)

SIEM
SIEMSIEM
SIEM
 
Information Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesInformation Security: Advanced SIEM Techniques
Information Security: Advanced SIEM Techniques
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
 
Modern vs. Traditional SIEM
Modern vs. Traditional SIEM Modern vs. Traditional SIEM
Modern vs. Traditional SIEM
 
SIEM 101: Get a Clue About IT Security Analysis
SIEM 101: Get a Clue About IT Security Analysis SIEM 101: Get a Clue About IT Security Analysis
SIEM 101: Get a Clue About IT Security Analysis
 
Siem Overview 2009
Siem Overview 2009Siem Overview 2009
Siem Overview 2009
 
SIEM evolution
SIEM evolutionSIEM evolution
SIEM evolution
 
SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation final
 
SIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security ArsenalSIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security Arsenal
 
From SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardFrom SIEM to SA: The Path Forward
From SIEM to SA: The Path Forward
 
SORT OUT YOUR SIEM
SORT OUT YOUR SIEMSORT OUT YOUR SIEM
SORT OUT YOUR SIEM
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
 
Identity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access ManagementIdentity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access Management
 
Security Information and Event Managemen
Security Information and Event ManagemenSecurity Information and Event Managemen
Security Information and Event Managemen
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
 
Implementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and LessonsImplementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and Lessons
 
Redefining siem to real time security intelligence
Redefining siem to real time security intelligenceRedefining siem to real time security intelligence
Redefining siem to real time security intelligence
 
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
 
What is SIEM
What is SIEMWhat is SIEM
What is SIEM
 

Viewers also liked

HP ArcSight
HP ArcSight HP ArcSight
HP ArcSight
Mohamed Zohair
 
MISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM ImplementationMISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM Implementation
Michael Nickle
 
Paragem Cárdio-respiratória no adulto
Paragem Cárdio-respiratória no adultoParagem Cárdio-respiratória no adulto
Paragem Cárdio-respiratória no adulto
José Pinheiro Neta
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
Anton Chuvakin
 
PPT-Splunk-LegacySIEM-101_FINAL
PPT-Splunk-LegacySIEM-101_FINALPPT-Splunk-LegacySIEM-101_FINAL
PPT-Splunk-LegacySIEM-101_FINALRisi Avila
 
1238687 cuidados de_manutencao_da_sonda_vesical
1238687 cuidados de_manutencao_da_sonda_vesical1238687 cuidados de_manutencao_da_sonda_vesical
1238687 cuidados de_manutencao_da_sonda_vesicalPelo Siro
 
Gelcampo sessão - sbv
Gelcampo sessão - sbvGelcampo sessão - sbv
Gelcampo sessão - sbvsininhu
 
Guitarrist finger nails - As unhas do Guitarrista
Guitarrist finger nails - As unhas do GuitarristaGuitarrist finger nails - As unhas do Guitarrista
Guitarrist finger nails - As unhas do GuitarristaGil Ferreira
 
125838312 sbv
125838312 sbv125838312 sbv
125838312 sbvPelo Siro
 
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...
Anton Chuvakin
 

Viewers also liked (14)

SIEM
SIEM SIEM
SIEM
 
Apresenta Siem
Apresenta SiemApresenta Siem
Apresenta Siem
 
Siem
SiemSiem
Siem
 
HP ArcSight
HP ArcSight HP ArcSight
HP ArcSight
 
MISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM ImplementationMISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM Implementation
 
Paragem Cárdio-respiratória no adulto
Paragem Cárdio-respiratória no adultoParagem Cárdio-respiratória no adulto
Paragem Cárdio-respiratória no adulto
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 
PPT-Splunk-LegacySIEM-101_FINAL
PPT-Splunk-LegacySIEM-101_FINALPPT-Splunk-LegacySIEM-101_FINAL
PPT-Splunk-LegacySIEM-101_FINAL
 
1238687 cuidados de_manutencao_da_sonda_vesical
1238687 cuidados de_manutencao_da_sonda_vesical1238687 cuidados de_manutencao_da_sonda_vesical
1238687 cuidados de_manutencao_da_sonda_vesical
 
Gelcampo sessão - sbv
Gelcampo sessão - sbvGelcampo sessão - sbv
Gelcampo sessão - sbv
 
Guitarrist finger nails - As unhas do Guitarrista
Guitarrist finger nails - As unhas do GuitarristaGuitarrist finger nails - As unhas do Guitarrista
Guitarrist finger nails - As unhas do Guitarrista
 
125838312 sbv
125838312 sbv125838312 sbv
125838312 sbv
 
Suporte básico de vida
Suporte básico de vidaSuporte básico de vida
Suporte básico de vida
 
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...
 

Similar to SIEM

Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
Cisco Canada
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?
EnergySec
 
IoT Security: How Your TV and Thermostat are Attacking the Internet
IoT Security: How Your TV and Thermostat are Attacking the InternetIoT Security: How Your TV and Thermostat are Attacking the Internet
IoT Security: How Your TV and Thermostat are Attacking the Internet
Nathan Wallace, PhD, PE
 
Good-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speedGood-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speed
James '​-- Mckinlay
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
Chris Sistrunk
 
Splunk Stream - Einblicke in Netzwerk Traffic
Splunk Stream - Einblicke in Netzwerk TrafficSplunk Stream - Einblicke in Netzwerk Traffic
Splunk Stream - Einblicke in Netzwerk Traffic
Splunk
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage Threats
Cisco Canada
 
TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics
Robb Boyd
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
Martin Holovský
 
The 300 Leonidas Solution
The 300 Leonidas SolutionThe 300 Leonidas Solution
The 300 Leonidas Solution
matthew.maisel
 
A modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systemsA modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systems
Alane Moran
 
Detect Threats Faster
Detect Threats FasterDetect Threats Faster
Detect Threats Faster
Force 3
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
GTKlondike
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
Lancope, Inc.
 
IoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfuaIoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfua
Andy Shutka
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream csching
 
Security Delivery Platform: Best practices
Security Delivery Platform: Best practicesSecurity Delivery Platform: Best practices
Security Delivery Platform: Best practices
Mihajlo Prerad
 
Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics
Felipe Prado
 
Leverage the Network
Leverage the NetworkLeverage the Network
Leverage the Network
Cisco Canada
 

Similar to SIEM (20)

Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?
 
IoT Security: How Your TV and Thermostat are Attacking the Internet
IoT Security: How Your TV and Thermostat are Attacking the InternetIoT Security: How Your TV and Thermostat are Attacking the Internet
IoT Security: How Your TV and Thermostat are Attacking the Internet
 
Good-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speedGood-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speed
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
 
Splunk Stream - Einblicke in Netzwerk Traffic
Splunk Stream - Einblicke in Netzwerk TrafficSplunk Stream - Einblicke in Netzwerk Traffic
Splunk Stream - Einblicke in Netzwerk Traffic
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage Threats
 
TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
 
The 300 Leonidas Solution
The 300 Leonidas SolutionThe 300 Leonidas Solution
The 300 Leonidas Solution
 
A modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systemsA modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systems
 
Detect Threats Faster
Detect Threats FasterDetect Threats Faster
Detect Threats Faster
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
 
IoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfuaIoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfua
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream
 
Security Delivery Platform: Best practices
Security Delivery Platform: Best practicesSecurity Delivery Platform: Best practices
Security Delivery Platform: Best practices
 
Core Values Decision Sept
Core Values Decision SeptCore Values Decision Sept
Core Values Decision Sept
 
Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics
 
Leverage the Network
Leverage the NetworkLeverage the Network
Leverage the Network
 

More from Napier University

Intrusion Detection Systems
Intrusion Detection SystemsIntrusion Detection Systems
Intrusion Detection Systems
Napier University
 
Networks
NetworksNetworks
Networks
Napier University
 
Memory, Big Data and SIEM
Memory, Big Data and SIEMMemory, Big Data and SIEM
Memory, Big Data and SIEM
Napier University
 
What is Cyber Data?
What is Cyber Data?What is Cyber Data?
What is Cyber Data?
Napier University
 
Open Source Intelligence
Open Source IntelligenceOpen Source Intelligence
Open Source Intelligence
Napier University
 
10. Data to Information: NumPy and Pandas
10. Data to Information: NumPy and Pandas10. Data to Information: NumPy and Pandas
10. Data to Information: NumPy and Pandas
Napier University
 
2. Defence Systems
2. Defence Systems2. Defence Systems
2. Defence Systems
Napier University
 
1. Cyber and Intelligence
1. Cyber and Intelligence1. Cyber and Intelligence
1. Cyber and Intelligence
Napier University
 
The Road Ahead for Ripple, Marjan Delatinne
The Road Ahead for Ripple, Marjan DelatinneThe Road Ahead for Ripple, Marjan Delatinne
The Road Ahead for Ripple, Marjan Delatinne
Napier University
 
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
Napier University
 
ARTiFACTS, Emma Boswood
ARTiFACTS, Emma BoswoodARTiFACTS, Emma Boswood
ARTiFACTS, Emma Boswood
Napier University
 
RMIT Blockchain Innovation Hub, Chris Berg
RMIT Blockchain Innovation Hub, Chris BergRMIT Blockchain Innovation Hub, Chris Berg
RMIT Blockchain Innovation Hub, Chris Berg
Napier University
 
Keynote, Naseem Naqvi
Keynote, Naseem Naqvi Keynote, Naseem Naqvi
Keynote, Naseem Naqvi
Napier University
 
Browser-based Crypto M, C. F Mondschein
Browser-based Crypto M, C. F MondscheinBrowser-based Crypto M, C. F Mondschein
Browser-based Crypto M, C. F Mondschein
Napier University
 
Should we transform or adapt to blockchain - a public sector perspective?, Al...
Should we transform or adapt to blockchain - a public sector perspective?, Al...Should we transform or adapt to blockchain - a public sector perspective?, Al...
Should we transform or adapt to blockchain - a public sector perspective?, Al...
Napier University
 
IoT device attestation system using blockchain, Alistair Duke
IoT device attestation system using blockchain, Alistair DukeIoT device attestation system using blockchain, Alistair Duke
IoT device attestation system using blockchain, Alistair Duke
Napier University
 
Robust Programming of Smart Contracts in Solidity+, RK Shyamasundar
Robust Programming of Smart Contracts in Solidity+, RK ShyamasundarRobust Programming of Smart Contracts in Solidity+, RK Shyamasundar
Robust Programming of Smart Contracts in Solidity+, RK Shyamasundar
Napier University
 
Using Blockchain for Evidence Purpose, Rafael Prabucki
Using Blockchain for Evidence Purpose, Rafael PrabuckiUsing Blockchain for Evidence Purpose, Rafael Prabucki
Using Blockchain for Evidence Purpose, Rafael Prabucki
Napier University
 
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
Napier University
 
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata FereirraEmerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
Napier University
 

More from Napier University (20)

Intrusion Detection Systems
Intrusion Detection SystemsIntrusion Detection Systems
Intrusion Detection Systems
 
Networks
NetworksNetworks
Networks
 
Memory, Big Data and SIEM
Memory, Big Data and SIEMMemory, Big Data and SIEM
Memory, Big Data and SIEM
 
What is Cyber Data?
What is Cyber Data?What is Cyber Data?
What is Cyber Data?
 
Open Source Intelligence
Open Source IntelligenceOpen Source Intelligence
Open Source Intelligence
 
10. Data to Information: NumPy and Pandas
10. Data to Information: NumPy and Pandas10. Data to Information: NumPy and Pandas
10. Data to Information: NumPy and Pandas
 
2. Defence Systems
2. Defence Systems2. Defence Systems
2. Defence Systems
 
1. Cyber and Intelligence
1. Cyber and Intelligence1. Cyber and Intelligence
1. Cyber and Intelligence
 
The Road Ahead for Ripple, Marjan Delatinne
The Road Ahead for Ripple, Marjan DelatinneThe Road Ahead for Ripple, Marjan Delatinne
The Road Ahead for Ripple, Marjan Delatinne
 
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
 
ARTiFACTS, Emma Boswood
ARTiFACTS, Emma BoswoodARTiFACTS, Emma Boswood
ARTiFACTS, Emma Boswood
 
RMIT Blockchain Innovation Hub, Chris Berg
RMIT Blockchain Innovation Hub, Chris BergRMIT Blockchain Innovation Hub, Chris Berg
RMIT Blockchain Innovation Hub, Chris Berg
 
Keynote, Naseem Naqvi
Keynote, Naseem Naqvi Keynote, Naseem Naqvi
Keynote, Naseem Naqvi
 
Browser-based Crypto M, C. F Mondschein
Browser-based Crypto M, C. F MondscheinBrowser-based Crypto M, C. F Mondschein
Browser-based Crypto M, C. F Mondschein
 
Should we transform or adapt to blockchain - a public sector perspective?, Al...
Should we transform or adapt to blockchain - a public sector perspective?, Al...Should we transform or adapt to blockchain - a public sector perspective?, Al...
Should we transform or adapt to blockchain - a public sector perspective?, Al...
 
IoT device attestation system using blockchain, Alistair Duke
IoT device attestation system using blockchain, Alistair DukeIoT device attestation system using blockchain, Alistair Duke
IoT device attestation system using blockchain, Alistair Duke
 
Robust Programming of Smart Contracts in Solidity+, RK Shyamasundar
Robust Programming of Smart Contracts in Solidity+, RK ShyamasundarRobust Programming of Smart Contracts in Solidity+, RK Shyamasundar
Robust Programming of Smart Contracts in Solidity+, RK Shyamasundar
 
Using Blockchain for Evidence Purpose, Rafael Prabucki
Using Blockchain for Evidence Purpose, Rafael PrabuckiUsing Blockchain for Evidence Purpose, Rafael Prabucki
Using Blockchain for Evidence Purpose, Rafael Prabucki
 
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
 
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata FereirraEmerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
 

Recently uploaded

Operation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela TaraOperation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela Tara
Balvir Singh
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
EverAndrsGuerraGuerr
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
DeeptiGupta154
 
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdfUnit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Thiyagu K
 
special B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdfspecial B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdf
Special education needs
 
How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...
Jisc
 
Digital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and ResearchDigital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and Research
Vikramjit Singh
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
Peter Windle
 
The Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptxThe Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptx
DhatriParmar
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
TechSoup
 
How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17
Celine George
 
Unit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdfUnit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdf
Thiyagu K
 
Model Attribute Check Company Auto Property
Model Attribute Check Company Auto PropertyModel Attribute Check Company Auto Property
Model Attribute Check Company Auto Property
Celine George
 
Embracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic ImperativeEmbracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic Imperative
Peter Windle
 
Chapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptxChapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptx
Mohd Adib Abd Muin, Senior Lecturer at Universiti Utara Malaysia
 
Synthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptxSynthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptx
Pavel ( NSTU)
 
Lapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdfLapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdf
Jean Carlos Nunes Paixão
 
"Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe..."Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe...
SACHIN R KONDAGURI
 
Language Across the Curriculm LAC B.Ed.
Language Across the Curriculm LAC B.Ed.Language Across the Curriculm LAC B.Ed.
Language Across the Curriculm LAC B.Ed.
Atul Kumar Singh
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
TechSoup
 

Recently uploaded (20)

Operation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela TaraOperation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela Tara
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
 
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdfUnit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdf
 
special B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdfspecial B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdf
 
How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...
 
Digital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and ResearchDigital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and Research
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
 
The Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptxThe Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptx
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
 
How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17
 
Unit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdfUnit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdf
 
Model Attribute Check Company Auto Property
Model Attribute Check Company Auto PropertyModel Attribute Check Company Auto Property
Model Attribute Check Company Auto Property
 
Embracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic ImperativeEmbracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic Imperative
 
Chapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptxChapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptx
 
Synthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptxSynthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptx
 
Lapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdfLapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdf
 
"Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe..."Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe...
 
Language Across the Curriculm LAC B.Ed.
Language Across the Curriculm LAC B.Ed.Language Across the Curriculm LAC B.Ed.
Language Across the Curriculm LAC B.Ed.
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
 

SIEM

  • 1. Author: Prof Bill Buchanan AdvSecurityand NetworkForensics SIEM Proxy VPN Eve Bob Alice
  • 2.
  • 4. HPCCloudCracking HPC 1997: Deep Blue deep Kasparov 2011: Watson beats humans at Jeopardy! 2013: Watson beats Cancer Specialists
  • 5. TypesIncResponse Author: Prof Bill Buchanan Some data breaches
  • 6.
  • 7. IncidentsIntroduction Author: Prof Bill Buchanan Incidents During IncidentBefore Incident After Incident Intruder Intrusion Detection
  • 8. DatastatesInc.Response Data in-motion, data in-use and data at-rest Intrusion Detection System Intrusion Detection System Firewall Internet Switch Router Proxy server Email server Web server DMZ FTP server Firewall Domain name server Database server Bob Alice Eve Data in- motion Data at- rest Data in- use Data at- rest
  • 9. IncidentsIntroduction Author: Prof Bill Buchanan Incidents During IncidentBefore Incident After Incident Timeline Data At Rest Data In-Motion Data In-Process Files, Directories, File Rights, Domain Rights, etc. File changes, File CRUD (Create, Delete, Update, Delete), Thumbprints Network packet logs, Web logs, Security logs Network scanners, Intrusion Detection Systems, Firewall logs, etc Processes, Threads, Memory, etc. Security Log, Application Log, Registry, Domain Rights. Intruder
  • 10. IntroductionIncResponse Four Vs of Big Data Intrusion Detection System Firewall Router Proxy server Email server Web server FTP server Switch Alice Management report Sales analysis Targeted marketing Trending/Correlation V- Volume [Scale of data] V- Variety [Different forms of data] V- Velocity [Speed of data generation] V- Veracity [Trustworthiness] Incident Response Eve Bob
  • 11. IntroductionIncResponse Data Capture Web server IT Ops Nagios. NetApp. Cisco UCS. Apache. IIS. Web Services Firewall Router Proxy server Email server FTP server Switch Eve Bob Microsoft Infrastructure Active Directory. Exchange. SharePoint. Structured Data CSV. JSON. XML. Database Sys Oracle. My SQL. Microsoft SQL. Network/Security Syslog/SNMP. Cisco NetFlow. Snort. Intrusion Detection System Alice Cloud AWS Cloudtrail. Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat
  • 13. IntroductionIncResponse Basic timeline Eve Cloud service providers Communication service providers Web services Phone call Wifi connect Tweet Facebook post Email send Web page access Web log Call record Location record Corporate login Web/Domain Log Device switch-on Logs/Email Time line Device logs System Log Internet cache
  • 15. Author: Prof Bill Buchanan AdvSecurityand NetworkForensics SIEM Proxy VPN Eve Bob Alice
  • 16. SIEMNetworkSecurity Why? Protect users Protect assets Audit/ compliance Customer trust Shareholder trust Protect data Protect transactions Detect Fraud
  • 17.
  • 18. Risk 4: One Password Fits All 150 million accounts compromised # Count Ciphertext Plaintext -------------------------------------------------------------- 1. 1911938 EQ7fIpT7i/Q= 123456 2. 446162 j9p+HwtWWT86aMjgZFLzYg== 123456789 3. 345834 L8qbAD3jl3jioxG6CatHBw== password 4. 211659 BB4e6X+b2xLioxG6CatHBw== adobe123 5. 201580 j9p+HwtWWT/ioxG6CatHBw== 12345678 6. 130832 5djv7ZCI2ws= qwerty 7. 124253 dQi0asWPYvQ= 1234567 8. 113884 7LqYzKVeq8I= 111111 9. 83411 PMDTbP0LZxu03SwrFUvYGA== photoshop 10. 82694 e6MPXQ5G6a8= 123123 1 million accounts – in plain text. 77 million compromised 47 million accounts 200,000 client accounts Dropbox compromised 2013 One account hack … leads to others 6.5 million accounts (June 2013)
  • 19. SIEMNetworkSecurity PCI-DSS Build and Maintain and Secure Network Firewall. System passwords. Protect Cardholder Data Stored cardholder data. Encrypt data. Strong Access Control Restrict access to cardholder data. Assign unique ID for each user who accesses. Restrict physical access. Maintain Vulnerability Management Program Anti-virus. Develop/ maintain secure systems and apps. Monitor and Test Networks Track/monitor accesses. Perform security tests. Define/Maintain Security Policy Design and implement a policy which focuses on security.
  • 20. SIEMNetworkSecurity SOX Auditor Independence Public Company Accounting Oversight Board Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. U.S. Senator Paul Sarbanes and U.S. Representative Michael G. Oxley. USA, Canada, France, etc. Corporate Tax Returns Analyst Conflicts of Interest Corporate Responsibility
  • 21. SIEMNetworkSecurity SIEM Intrusion Detection System Firewall Internet Router Proxy server Email server Web server FTP server Switch Alice Log Aggregation: Data from many sources … networks, databases, applications, servers, etc Correlation: Links events together into a coherent instances (time- lining) Dashboard: Provides an overview of events and alerts for analysis/response Complaince: Gathering and reporting of audit/ compliance (PCI- DSS, etc). Retention: Long- term storage of data for audit/ compliance Forensic Analysis: Analysis of logs across infrastructure
  • 22. SIEMNetworkSecurity Logs Local host logs - Application. - Security. - System - etc File and Directories - CRUD. - Security changes. Performance - CPU. - Memory. - Threads. TCP/UDP - Syslog. Registry Monitoring - Key changes. - Updates. Active Directory - User additions. - Host changes. - Logins Print Monitoring - Jobs. Email - Logs. Remote Access - Logs. Database Access - Logs. Environmental - Temp. - Humidity. Intrusion Detection - Alerts
  • 23. SIEMNetworkSecurity Syslog Intrusion Detection System Firewall Internet Router Syslog server Email server Web server FTP server Switch Alice Buffered logging: 0 Emergencies System shutting down due to missing fan tray 1 Alerts Temperature limit exceeded 2 Critical Memory allocation failures 3 Errors Interface Up/Down messages 4 Warnings Configuration file written to server, via SNMP request 5 Notifications Line protocol Up/Down 6 Information Access-list violation logging 7 Debugging Debug messages > enable # config t (config)# logging on (config)# logging 212.72.52.7 (config)# logging buffer 440240 (config)# logging trap emergency (config)# logging monitor emergency (config)# logging console emergency (config)# logging buffer emergency (config)# clock timezone AKDT
  • 24. Author: Prof Bill Buchanan SIEM Types Proxy VPN Eve Bob Alice
  • 27. SIEMNetworkSecurity SIEM Data collected with Cisco NetFlow Router# configure terminal // Destination is 192.168.1.1 UDP Port: 999 Router(config)# ip flow-export destination 192.168.1.1 999 Router(config)# ip flow-export version 9 Router(config)# interface ethernet 0/0 // Monitor incoming Router(config-if)# ip flow ingress 192.168.1.1 UDP Listen: 999 FA0/0 Egress Ingress Router# show ip cache flow IP packet size distribution (1103746 total packets): 1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480 .249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608 .000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000 IP Flow Switching Cache, 278544 bytes 35 active, 4061 inactive, 980 added 2921778 ager polls, 0 flow alloc failures Active flows timeout in 30 minutes Inactive flows timeout in 15 seconds IP Sub Flow Cache, 21640 bytes 0 active, 1024 inactive, 0 added, 0 added to flow 0 alloc failures, 0 force free 1 chunk, 1 chunk added last clearing of statistics never Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec) -------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow TCP-FTP 108 0.0 1133 40 2.4 1799.6 0.9 TCP-FTPD 108 0.0 1133 40 2.4 1799.6 0.9 TCP-WWW 54 0.0 1133 40 1.2 1799.6 0.8 TCP-SMTP 54 0.0 1133 40 1.2 1799.6 0.8 TCP-BGP 27 0.0 1133 40 0.6 1799.6 0.7 TCP-NNTP 27 0.0 1133 40 0.6 1799.6 0.7 TCP-other 297 0.0 1133 40 6.8 1799.7 0.8 UDP-TFTP 27 0.0 1133 28 0.6 1799.6 1.0 UDP-other 108 0.0 1417 28 3.1 1799.6 0.9 ICMP 135 0.0 1133 427 3.1 1799.6 0.8 Total: 945 0.0 1166 91 22.4 1799.6 0.8 SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts Et0/0 192.168.67.6 Et1/0.1 172.16.10.200 01 0000 0C01 51 Et0/0 10.10.18.1 Null 172.16.11.5 11 0043 0043 51 Et0/0 10.10.18.1 Null 172.16.11.5 11 0045 0045 51 Et0/0 10.234.53.1 Et1/0.1 172.16.10.2 01 0000 0800 51 . . Et0/0 172.16.1.84 Et1/0.1 172.16.10.19 06 0087 0087 50 Et0/0 172.16.1.84 Et1/0.1 172.16.10.19 06 0050 0050 51 Et0/0 172.16.1.85 Et1/0.1 172.16.10.20 06 0089 0089 49 Et0/0 172.16.1.85 Et1/0.1 172.16.10.20 06 0050 0050 50 Et0/0 10.251.10.1 Et1/0.1 172.16.10.2 01 0000 0800 51 Et0/0 10.162.37.71 Null 172.16.11.3 06 027C 027C 49 NetFlow Collection Agent NetFlow Route
  • 34. Author: Prof Bill Buchanan SIEM Splunk Proxy VPN Eve Bob Alice
  • 35. SIEMNetworkSecurity Web logs 209.160.24.63 - - [11/Mar/2014:18:22:16] "GET /product.screen?productId=WC-SH-A02&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 3878 "http://www.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 349 209.160.24.63 - - [11/Mar/2014:18:22:16] "GET /oldlink?itemId=EST-6&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 1748 "http://www.buttercupgames.com/oldlink?itemId=EST-6" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/ 536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 731 209.160.24.63 - - [11/Mar/2014:18:22:17] "GET /product.screen?productId=BS-AG-G09&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 2550 "http://www.buttercupgames.com/product.screen?productId=BS-AG-G09" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 422 209.160.24.63 - - [11/Mar/2014:18:22:19] "POST / category.screen?categoryId=STRATEGY&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 407 "http:// www.buttercupgames.com/cart.do?action=remove&itemId=EST-7&productId=PZ-SG-G05" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 211 209.160.24.63 - - [11/Mar/2014:18:22:20] "GET /product.screen?productId=FS-SG-G03&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 2047 "http://www.buttercupgames.com/category.screen?categoryId=STRATEGY" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 487 #Software: Microsoft Internet Information Services 7.5 #Date: 2014-03-25 00:00:09 #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32- status time-taken 2014-03-25 00:00:09 10.185.7.7 GET /ip/whois site=asos.com 80 - 162.244.11.111 Opera/ 9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 155 2014-03-25 00:00:12 10.185.7.7 GET /security/information/bmp - 80 - 66.249.68.217 Mozilla/5.0+(compatible;+Googlebot/ 2.1;++http://www.google.com/bot.html) 500 19 183 77 2014-03-25 00:00:12 10.185.7.7 GET /ip/whois site=blogspot.nl 80 - 78.46.169.130 Opera/ 9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 233 2014-03-25 00:00:15 10.185.7.7 GET /Content/footer.png - 80 - 81.133.198.251 Mozilla/ 5.0+(Windows+NT+6.3;+WOW64;+rv:27.0)+Gecko/20100101+Firefox/27.0 404 0 64 5693 2014-03-25 00:00:17 10.185.7.7 GET /ip/whois site=proxyring.com 80 - 110.85.106.101 Opera/ 9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 14149 2014-03-25 00:00:21 10.185.7.7 GET /ip/whois site=surewest.net 80 - 216.169.139.190 Opera/ 9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 171 2014-03-25 00:00:23 10.185.7.7 GET / - 80 - 203.206.171.20 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:27.0)+Gecko/ 20100101+Firefox/27.0 200 0 0 530 Access.log IIS Log
  • 36. SIEMNetworkSecurity Security log Thu Mar 11 2014 00:15:01 www1 sshd[4747]: Failed password for invalid user jabber from 118.142.68.222 port 3187 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[4111]: Failed password for invalid user db2 from 118.142.68.222 port 4150 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[5359]: Failed password for invalid user pmuser from 118.142.68.222 port 3356 ssh2 Thu Mar 11 2014 00:15:01 www1 su: pam_unix(su:session): session opened for user root by djohnson(uid=0) Thu Mar 11 2014 00:15:01 www1 sshd[2660]: Failed password for invalid user irc from 118.142.68.222 port 4343 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[1705]: Failed password for happy from 118.142.68.222 port 4174 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[1292]: Failed password for nobody from 118.142.68.222 port 1654 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[1560]: Failed password for invalid user local from 118.142.68.222 port 4616 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[59414]: Accepted password for myuan from 10.1.10.172 port 1569 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[1876]: Failed password for invalid user db2 from 118.142.68.222 port 1151 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[3310]: Failed password for apache from 118.142.68.222 port 4343 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[2149]: Failed password for nobody from 118.142.68.222 port 1527 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[2766]: Failed password for invalid user guest from 118.142.68.222 port 2581 ssh2 Secure.log
  • 38. Author: Prof Bill Buchanan AdvSecurityand NetworkForensics SIEM Proxy VPN Eve Bob Alice