Security Incident Event Management
Real time monitoring of Servers, Network Devices.
Correlation of Events
Analysis and reporting of Security Incidents.
Threat Intelligence
Long term storage
Application Security - Your Success Depends on itWSO2
Traditional information security mainly revolves around network and operating system (OS) level protection. Regardless of the level of security guarding those aspects, the system can be penetrated and the entire deployment can be brought down if your application's security isn't taken into serious consideration. Information security should ideally start at the application level, before network and OS level security is ensured. To achieve this, security needs to be integrated into the application at the software development phase.
In this session, Dulanja will discuss the following:
The importance of application security - why network and OS security is insufficient.
Challenges in securing your application.
Making security part of the development lifecycle.
Security Information and Event Management (SIEM)hardik soni
Leo TechnoSoft SIEM products help's every enterprise with all security threats. Security information and event management software provides real-time visibility.
SIEM : Security Information and Event Management SHRIYARAI4
SIEM is a tool that collects, aggregates, normalizes the data and analyzes it according to pre-set rules and presents the data in human readable format
Identity & Access Management Project Challenges and RecoveryHanno Ekdahl
Presented by Hanno Ekdahl at ISACA Atlanta's #GeekWeek2017.
ISACA's 10th Annual Geek Week Conference in Atlanta, GA featured speakers across a wide range of security topics from Risk Management to Penetration Testing. During the conference, policy and technical tracks provided a forum for participants to exchange experiences from the front lines of IT security, including industry best practices as well as driving both accountability and effectiveness for security programs within the organization. The week-long event included plenary and panel sessions, practical workshops and technology demonstrations. This summary presents the key themes, ideas, and considerations that emerged from our Identity Management Presentation at the conference.
Security Incident Event Management
Real time monitoring of Servers, Network Devices.
Correlation of Events
Analysis and reporting of Security Incidents.
Threat Intelligence
Long term storage
Application Security - Your Success Depends on itWSO2
Traditional information security mainly revolves around network and operating system (OS) level protection. Regardless of the level of security guarding those aspects, the system can be penetrated and the entire deployment can be brought down if your application's security isn't taken into serious consideration. Information security should ideally start at the application level, before network and OS level security is ensured. To achieve this, security needs to be integrated into the application at the software development phase.
In this session, Dulanja will discuss the following:
The importance of application security - why network and OS security is insufficient.
Challenges in securing your application.
Making security part of the development lifecycle.
Security Information and Event Management (SIEM)hardik soni
Leo TechnoSoft SIEM products help's every enterprise with all security threats. Security information and event management software provides real-time visibility.
SIEM : Security Information and Event Management SHRIYARAI4
SIEM is a tool that collects, aggregates, normalizes the data and analyzes it according to pre-set rules and presents the data in human readable format
Identity & Access Management Project Challenges and RecoveryHanno Ekdahl
Presented by Hanno Ekdahl at ISACA Atlanta's #GeekWeek2017.
ISACA's 10th Annual Geek Week Conference in Atlanta, GA featured speakers across a wide range of security topics from Risk Management to Penetration Testing. During the conference, policy and technical tracks provided a forum for participants to exchange experiences from the front lines of IT security, including industry best practices as well as driving both accountability and effectiveness for security programs within the organization. The week-long event included plenary and panel sessions, practical workshops and technology demonstrations. This summary presents the key themes, ideas, and considerations that emerged from our Identity Management Presentation at the conference.
This Edureka PPT on "Application Security" will help you understand what application security is and measures taken to improve the security of an application often by finding, fixing and preventing security vulnerabilities.
Following are the topics covered in this PPT:
Introduction to Cybersecurity
What is Application Security?
What is an SQL Injection attack
Demo on SQL Injection
Follow us to never miss an update in the future.
Instagram: https://www.instagram.com/edureka_learning/
Facebook: https://www.facebook.com/edurekaIN/
Twitter: https://twitter.com/edurekain
LinkedIn: https://www.linkedin.com/company/edureka
Cloud Security is critical to Data Security and Application Resilience against CyberAttacks. This talk looks at Security Best Practices that need to be practised.
This talk was presented at AWS Community Day Bengaluru 2019 by Amar Prusty, Cloud-Data Center Consultant Architect, DXC Technology
Best Practices for Configuring Your OSSIM InstallationAlienVault
Because every network environment is different, OSSIM offers flexibile configuration options to adapt to the needs of different environments. Whether you are just getting started with OSSIM, or have been using it for years, thinking through the configuration options availble will help you get the most out of your installation.
Join us for this customer training webcast where our OSSIM experts will walk through:
How to deploy & configure OSSEC agents
Best practices for configuring syslog and enabling plugins
Scanning your network for assets and vulnerabilities
Complete coverage of CISSP 7th Chapter - Security Operations. I have made sure to cover all topics from three books in this presentation. For corrections, clarifications, please feel free to reach me.
This Edureka PPT on "Application Security" will help you understand what application security is and measures taken to improve the security of an application often by finding, fixing and preventing security vulnerabilities.
Following are the topics covered in this PPT:
Introduction to Cybersecurity
What is Application Security?
What is an SQL Injection attack
Demo on SQL Injection
Follow us to never miss an update in the future.
Instagram: https://www.instagram.com/edureka_learning/
Facebook: https://www.facebook.com/edurekaIN/
Twitter: https://twitter.com/edurekain
LinkedIn: https://www.linkedin.com/company/edureka
Cloud Security is critical to Data Security and Application Resilience against CyberAttacks. This talk looks at Security Best Practices that need to be practised.
This talk was presented at AWS Community Day Bengaluru 2019 by Amar Prusty, Cloud-Data Center Consultant Architect, DXC Technology
Best Practices for Configuring Your OSSIM InstallationAlienVault
Because every network environment is different, OSSIM offers flexibile configuration options to adapt to the needs of different environments. Whether you are just getting started with OSSIM, or have been using it for years, thinking through the configuration options availble will help you get the most out of your installation.
Join us for this customer training webcast where our OSSIM experts will walk through:
How to deploy & configure OSSEC agents
Best practices for configuring syslog and enabling plugins
Scanning your network for assets and vulnerabilities
Complete coverage of CISSP 7th Chapter - Security Operations. I have made sure to cover all topics from three books in this presentation. For corrections, clarifications, please feel free to reach me.
The Seven Most Dangerous New Attack Techniques, and What's Coming NextPriyanka Aash
Which are the most dangerous new attack techniques for 2016/2017? How do they work? How can you stop them? What's coming next and how can you prepare? This fast-paced session provides answers from the three people best positioned know: the head of the Internet Storm Center, the top hacker exploits expert/teacher in the U.S., and the top expert on cyberattacks on industrial control systems.
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
Your vulnerability scanner reports that there are no issues on your network. A pentester has spent the last week trying to exploit every system your organization owns with no luck. The check box for this year's compliance audit has been checked. While it is good that these things occurred, they do not complete the picture in regards to true risk.
Real attackers do not solely rely on software exploits to compromise an environment. In almost every breach you hear about the root of the compromise came from a phishing attack. This is why additional tests, post-infection, should be performed to assess just how far an attacker can go after gaining a foothold into your environment.
What command and control channels are available for an attacker to utilize to communicate with your internal systems? How easy is it for an attacker to move laterally within your environment and gain access to other systems? What are your detection capabilities when it comes to sensitive data being exfiltrated out of your environment? How do you test these attacker techniques using open-source tools?
This lecture will address these questions and more, including a showcase of attacker methodologies.
Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001
ControlCase discusses the following:
- What is Log Management and FIM
- PCI DSS, EI3PA, ISO 27001 requirements
- Log Management and regulation requirements/ mapping
- File Integrity
NIST 800-92 Log Management Guide in the Real WorldAnton Chuvakin
This presentation will introduce the first ever standard on log management - NIST 800 - 92 guide. It will then offer a guide walk through to highlight the critical areas of standardization. The majority of the remaining time will be spent on explaining how to use the guide in the real world if you are a security manager or a security pro.
Best Practices for Log & Event ManagementSolarWinds
Discover What Security Threats are Lurking in Your Network Logs!
Proactive threat management is a must in today’s networks, and log files hold the key. Learn how to make your log files work for you to secure your network in an increasingly threat-ridden landscape.
Standartlar ve güvenlik açısından veritabanı loglamanın önemi herkesçe malum. Veritabanına yönelik aktivitelerin görüntülenip, analiz edilerek, veriye hangi kullanıcının ve sistemin eriştiği bilgisinin detaylarını, hangi IP üzerinden, ne zaman erişildiğini ve veri üzerinde yapılan PL/SQL, T-SQL, SQL-T ve ANSI-SQL işlemlerini saklayarak raporlayabilmek hem kritik hem de standartlar ve uyumluluklar açısından gereklidir.
Scaling the logging pipeline requires better understanding of each phase behind the scenes.
Everything about Fluentd as an aggregator and Fluent Bit as it Log Forwarder
The top 10 windows logs event id's used v1.0Michael Gough
How to catch malicious activity on Windows systems using properly configured audit logging and the Top 10 events and more you must have enable, configured and alerting.
LOG-MD
MalwareArchaeology.com
This presentation was given at DerbyCon 6 on 9/23/2016. It covers the fusion of the PowerShell Empire and Python EmPyre projects, as well as new Empire 2.0 transports.
PowerShell, the must have tool and the long overlooked security challenge. Learn how PowerShell’s deep integration with the Microsoft platform can be utilized as a powerful attack platform within the enterprise space. Watch as a malicious actor moves from a compromised end user PC to the domain controllers and learn how we can begin to defend these types of attacks.
Security+ Guide to Network Security Fundamentals, 3rd Edition, by Mark Ciampa
Knowledge and skills required for Network Administrators and Information Technology professionals to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in consideration of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Terminology and procedures for implementation and configuration of security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs).
CNIT 120: Network Security
http://samsclass.info/120/120_S09.shtml#lecture
Policy: http://samsclass.info/policy_use.htm
Many thanks to Sam Bowne for allowing to publish these presentations.
ManageEngine Log360 is a comprehensive log management and security information and event management (SIEM) solution offered by ManageEngine, a division of Zoho Corporation. Log360 provides various functionalities for log management, security information, and event management.
MacDevOpsYVR 2016 Talk on osquery, Google Santa technologies managed with Zentral TLS Server and event/filter/action Framework.
http://www.macdevops.ca/
If you are starting to ask questions about your IT infrastructure and want to know what is happening on your clients, osquery - an open source technology, developed by the Facebook engineering team - is an interesting and promising technology. It can be used for intrusion detection, infrastructure reliability or compliance checking. With osquery you gain deep insight into your endpoints. While osquery delivers a broad set of tools, ranging from collecting metrics, state checks and I/O monitoring to file system integrity checks, Google Santa is a security technology developed by the Google MacOps team, that is focused on white- and blacklisting of binaries on macOS. Together, osquery and Santa form the technological base for the Information and Event Monitoring and Notification tool called Zentral. Zentral is a TLS server for deploying the required configurations and aggregating the results. Zentral can filter the results and notify users on any changes, additions and triggered events on the clients monitored. Zentral can also automatically react on those events, and trigger external actions, like creating tickets in a ticketing system or interact with client management software.
Logs for Information Assurance and Forensics @ USMAAnton Chuvakin
This is my presentation on "Logs for Information Assurance and Forensics", which was given to 2 of the USMA @ West Point, NY classes in April 2006. It sure was fun! Now I know where all the smart college students are :-)
FIRST 2006 Full-day Tutorial on Logs for Incident ResponseAnton Chuvakin
Outline:
Incident Response Process
Logs Overview
Logs Usage at Various Stages of the Response Process
How Log from Diverse Sources Help
Log Review, Monitoring and Investigative processes
Standards and Regulation Affecting Logs and Incident Response
Incident Response vs Forensics
Case Studies
Log Analysis Mistakes
Building Active Directory Monitoring with Telegraf, InfluxDB, and GrafanaBoni Yeamin
Building Active Directory Monitoring with Telegraf, InfluxDB, and Grafana: A Brief Overview
Active Directory (AD) Monitoring is essential for maintaining network security, performance, and compliance. One powerful approach to achieve this is by utilizing the combination of Telegraf, InfluxDB, and Grafana.
Telegraf: Data Collection
Telegraf acts as a versatile data collector, capable of retrieving various metrics from your AD environment. It offers a range of plugins to monitor AD-related parameters, including event logs, replication status, user activity, and more. Telegraf gathers these metrics and prepares them for further processing.
InfluxDB: Data Storage
InfluxDB serves as a robust time-series database, designed to handle high-frequency data updates. It's an ideal choice for storing the metrics collected by Telegraf. The schemaless architecture accommodates evolving data requirements. Metrics are stored with timestamps, making historical analysis and trend identification seamless.
Grafana: Data Visualization
Grafana excels in turning data into meaningful insights. It connects to InfluxDB and transforms raw metrics into interactive, visually appealing dashboards. You can design custom visualizations, such as line charts for monitoring replication status, gauges for real-time user login activity, and tables for critical event logs. Alerts can also be set up to notify administrators of anomalies.
Slide deck for the Secruity Weekly session on Oct 25th 2018. Code is up on www.github/YossiSassi. Special thanks to Eyal Neemany & Omer Yair who helped prep this talk.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
2. Overview
Introducing… the Event Log
Why Monitor Logs
Enabling Event Logging
Real Time Monitoring
Example: Security Log Tampering
Auditing and Analysis
Archiving Events
Example: File Modification Investigation
Event Log Limitation
Vista Event Log
Example: Creating Log File Using Event Triggered Tasks
Resources and Questions
3. Introducing…Event Log
Centralized log service to allow applications and the
operating system to report events that have taken place.
Introduced with Windows NT 4 (1993).
Main Windows Logs
Application (example: Database message)
System (example: driver failure)
Security (example: Logon attempt, file access)
A Windows 2003 domain controller will also include
Directory Service (example: Active Directory connection problem)
File Replication (example: domain controller information updates)
DNS
Vista has introduced a lot of changes
4. Why Should We Monitor Logs
We don’t NEED to… We HAVE to…
Organizations are obligated by regulations to gather and
audit systems activity logs.
HIPPA (Health Industry)
Regulatory review of system activity to ensure that a user
information remains private but accessible
Identify, respond and document security incidents
GLBA (Financial)
Dual control procedures
Segregation of duties
SOX (Financial)
Record Retention and availability
Accountability
5. Why Should We Monitor Logs (cont.)
To comply with the regulations organizations require the
following forms of log monitoring
Real-time monitoring
Identify attack attempts in progress and if a security breach has
occurred.
Audit and analysis
Periodic reports and analysis for regulation compliance (due diligence).
Archiving
Again… regulations compliance (log retention)
Forensic investigation of an incident
The event log should also enable the organization to
implement internal security policies.
6. Enabling Event Logging
Each event category is controlled by audit policies:
Account logon events (for domain accounts)
Account management (group and account events)
Directory service access
Logon events (local machine events)
Object access (user accessing an object such as file, folder, printer)
Policy change (changes in the audit, user rights and trust policies)
Privilege use (user exercising one or more of his rights)
Process tracking (detailed tracking information)
System events (events that affect the system security or log)
Each policy can be set to audit success events only, failure
events only, success/failure events, or no auditing at all.
8. Real-Time Monitoring
Successful events that grant the user high level privileges
(either by spoofing identity or elevation of privileges)
Events to monitor
Successful high profile user account / group management events
#636– Group member added or removed
Successful logon events of high profile user accounts
#680 – Logon attempt
Successful logon events to a domain controller
Operations on specific high profile resources (files, folder)
#560 (Object Access), #564 (Object Deleted)
Successful policy change events
#612 – Audit Policy Change (logs no more…)
All system events
#517 – security log was cleared
10. Example: Event #517 (Clear Security Log)
Security Log
A User will try
to erase the
logs
11. Example: Event #517 (Clear Security Log)
Security Log
A User will try
to erase the
logs (and not
event save it)
12. Example: Event #517 (Clear Security Log)
Security Log
A User will try to
erase the logs
A New Event is
Created
13. Example: Event #517 (Clear Security Log)
Security Log
A User will try to
erase the logs
A New Event is
Created
The Event
Contains the
User Name
14. Real-Time Monitoring (cont.)
Tracking and analysing event failure patterns may
indicate a range of malicious attack attempts
Failed logon activity (e.g. brute force attack)
#675 – Pre Auth, failed with Kerberos code 24 (Bad password)
#539 - logon failure due to account lockout (if systematic may be an
indication of DoS)
Failed account management activity (e.g. password reset events)
All failed system events
#517 – Audit log cleared
Note: Most of the auditing policies, by default, are set to log
successful events only. Local policies may be set to no
auditing at all.
15. Real-Time Monitoring (cont.)
Possible issues
Flood of events (domain controller and member server event
duplication, detailed tracking events)
Solution: Consolidate log information for better analysis
Unmonitored systems (e.g. unaudited events on a file server)
Solution: Threat modeling, identifying assets in organization
Unmonitored events (detailed user and process activity)
Solution: Organization security program and policies
False positives due to configuration problems
(e.g. expired service password)
Solution: Knowledge of the network, components and assets
(Human Factor)
16. Auditing and Analysis
Most regulations require a periodic review of important
events (not critical or show stoppers) for two reasons:
A “second chance” to reveal malicious activity originally undetected
(and unaccountable for).
Audit the ongoing activity to verify no major changes have taken
place.
The data is usually reviewed in the form of reports
(detailed and summarized)
Example of Events to Monitor (A short list)
#529 to #535 and #539 – Logon failure (different reasons)
#629 – User account Disabled
#644 – User account Locked Out
17. Auditing and Analysis (cont.)
Possible issues
Finding a critical event that was not detected by the real-time
monitoring processes
Solution: Investigate the incident to eliminate or mitigate any results of
malicious activity.
Duplicated events (Domain controller and Local Server)
Solution: Correlate and consolidate events using external system
Lack of security policies to help and identify events to be audited
(e.g. Messenger)
Solution: Define security policies to determine which event types need
to be audited on a regular basis.
Report requirements are unclear and affect the log detail level
Solution: Define auditing processes to determine what type of logs
and details are required (TIP: when in doubt, use graphs…)
18. Archiving Events
Event Archiving is done for two main reasons:
Log retention compliance (e.g. SOX)
Forensic investigation of a security incident (chain of evidence)
In general, all system events should be logged. However,
by default, not all audit policies are set to generate logs.
In particular, detailed tracking of high profile objects (such
as files, folders, printers, etc.) is turned off by default. A
common misconception is that regular object access
events provide this information.
19. Example: Detailed Event Tracking
Detailed Event tracking can include the following events:
#528 – Successful Login (The user authenticate to the system)
#592 – A new process has been created (application is launched)
#560 – Object Open (a file is requested)
#567 – Object Access (the file is modified and saved)
#564 – Object Deleted
#562 – Handle Closed (the file has been closed)
#593 – A Process Has Exited (the application was terminated)
20. Example: Detailed Event Tracking
Enabling Audit Policies
Object Access
Logon (Local and
Domain)
Privilege Use
Process Tracking
21. Example: Detailed Event Tracking
A Very Important Folder
(e.g. sensitive document on
a file server)
22. Example: Detailed Event Tracking
A Very Important Folder
(e.g. sensitive document on
a file server)
The folder contains files we
wish to monitor
(compliance, sensitive
information, etc.)
24. Example: Detailed Event Tracking
Detailed Tracking is
configured on the
resource itself
Security > Advanced
25. Example: Detailed Event Tracking
Detailed Tracking is
configured on the
resource itself
Security > Advanced >
Auditing Tab
26. Example: Detailed Event Tracking
Detailed Tracking is
configured on the
resource itself
Security > Advanced >
Auditing Tab > Add
27. Example: Detailed Event Tracking
Detailed Tracking is
configured on the
resource itself
Security > Advanced >
Auditing Tab > Add
28. Example: Detailed Event Tracking
Detailed Tracking is
configured on the
resource itself
Security > Advanced >
Auditing Tab > Add
Select the Account or
Group to be audited
29. Example: Detailed Event Tracking
Detailed Tracking is
configured on the
resource itself
Security > Advanced >
Auditing Tab > Add
Select the Account or
Group to be audited
Select the events to
audit (Read, Write,
Delete…)
30. Example: Detailed Event Tracking
Detailed Tracking is
configured on the
resource itself
Security > Advanced >
Auditing Tab > Add
Select the Account or
Group to be audited
Select the events to
audit (Read, Write,
Delete…)
Each user/group will
require additional
settings
33. Example: Detailed Event Tracking
Timestamp: 13-06-07 04:27:40
Last Modify: 13-06-07 05:27:39
Filter who was logged
in during that time
34. Example: Detailed Event Tracking
Timestamp: 13-06-07 04:27:40
Last Modify: 13-06-07 05:27:39
User Logon ID: 0x43F744D
35. Example: Detailed Event Tracking
Timestamp: 13-06-07 04:27:40
Last Modify: 13-06-07 05:27:39
User Logon ID: 0x43F744D
Excel Process ID: 2916
36. Example: Detailed Event Tracking
Timestamp: 13-06-07 04:27:40
Last Modify: 13-06-07 05:27:39
User Logon ID: 0x43F744D
Excel Process ID: 2916
File Open Handle: 644
37. Example: Detailed Event Tracking
Timestamp: 13-06-07 04:27:40
Last Modify: 13-06-07 05:27:39
User Logon ID: 0x43F744D
Excel Process ID: 2916
File Open Handle: 644
38. Example: Detailed Event Tracking
Timestamp: 13-06-07 04:27:40
Last Modify: 13-06-07 05:27:39
User Logon ID: 0x43F744D
Excel Process ID: 2916
File Open Handle: 644
File (644) Modified at 05:27:39
39. Example: Detailed Event Tracking
Timestamp: 13-06-07 04:27:40
Last Modify: 13-06-07 05:27:39
User Logon ID: 0x43F744D
Excel Process ID: 2916
File Open Handle: 644
File (644) Modified at 05:27:39
File (644) closed
40. Example: Detailed Event Tracking
Timestamp: 13-06-07 04:27:40
Last Modify: 13-06-07 05:27:39
User Logon ID: 0x43F744D
Excel Process ID: 2916
File Open Handle: 644
File (644) Modified at 05:27:39
File (644) closed
Excel Process (2916) Terminated
41. Example: Detailed Event Tracking
Timestamp: 13-06-07 04:27:40
Last Modify: 13-06-07 05:27:39
User Logon ID: 0x43F744D
Excel Process ID: 2916
File Open Handle: 644
File (644) Modified at 05:27:39
File (644) closed
Excel Process (2916) Terminated
Matching Modification Times
42. Archiving Events (cont.)
Possible issues
Volume of events
(can reach several million events a day from a busy server)
Solution: Transfer logs to long-term storage (compressed, digitally
signed, etc.)
Lack of security policies to help and identify events and
processes to be audited (e.g. Messenger)
Solution: Define security policies to determine which processes and
their relevant events need to be logged on a regular basis.
The event logs are just a portion of the “chain of evidence”
Solution: Define auditing processes to ensure that all the required logs
are being gathered and associated (e.g. a unique ID or a time stamp).
For example: associate firewall logs through the Windows event logs
and to the database logs.
43. Know Your Event Log Limits
Size matters (and its never enough…)
Solution: For long term logging, use an external storage system.
44. Know Your Event Log Limits (cont.)
Log Analysis and correlation (especially when using
automatic systems like SEM and SIM) often result in a
large number of false positives.
Solution: Knowledge of the network and assets to refine alerts, ongoing
tuning
Logs are a “detective” measure and are not an IPS
(Intrusion prevention system) on their own
Solution: Vista has a partial solution. For complicated responses,
leverage external solution to gather and analyze logs
Not all events are logged on the domain controller. These
events require a log gathering process
Solution: Vista has presented a solution. Otherwise, use external log
gathering system.
45. Know Your Event Log Limits (cont.)
Security event logs monitor only the authentication and
authorization mechanisms of the operating system.
Solution: Most applications write (or should…) logs to the Windows event
log. These logs can be used to enhance the monitoring capabilities.
Custom application logs neglect to provide information
regarding the log details or the severity or of the event.
Solution: Educate your developers, develop an API, buy something
better…
55. Event Log Tasks (Vista)
Select an Event to
open the Wizard
The type of Event is
pre-selected (basic)
56. Event Log Tasks (Vista)
Select an Event to
open the Wizard
The type of Event is
pre-selected (basic)
Select Action
57. Event Log Tasks (Vista)
Select an Event to
open the Wizard
The type of Event is
pre-selected (basic)
Select Action
e-mail settings
58. Event Log Tasks (Vista)
Select an Event to
open the Wizard
The type of Event is
pre-selected (basic)
Select Action
59. Event Log Tasks (Vista)
Select an Event to
open the Wizard
The type of Event is
pre-selected (basic)
Select Action
Launch a process
60. Event Log Tasks (Vista)
Select an Event to
open the Wizard
The type of Event is
pre-selected (basic)
Select Action
Finalize Settings
61. Event Log Tasks (Vista)
Select an Event to
open the Wizard
The type of Event is
pre-selected (basic)
Select Action
Finalize Settings
A New Task is Born…
62. Event Log Tasks (Vista)
Select an Event to
open the Wizard
The type of Event is
pre-selected (basic)
Select Action
Finalize Settings
Task Created
Task is Visible in the
Task Scheduler
63. Event Log Tasks (Vista)
Select an Event to
open the Wizard
The type of Event is
pre-selected (basic)
Select Action
Finalize Settings
Task Created
Task is Visible in the
Task Scheduler (new
Tasks Category)
65. Event Log Tasks (Vista)
Problem: Basic Task
Event Details are pre-
defined.
The next example will:
• Trigger on successful logon events of a specific group
• Create a file with a list of users that logged on
• Highlight username with “Admin” string
67. Event Log Tasks (Vista)
Create a New Task
Select the User Group
68. Event Log Tasks (Vista)
Create a New Task
Select the User Group
Triggers Tab > New
69. Event Log Tasks (Vista)
Create a New Task
Select the User Group
Trigger Task On an Event
70. Event Log Tasks (Vista)
Create a New Task
Select the User Group
Trigger Task On an Event
Switch from Basic to Custom
71. Event Log Tasks (Vista)
Create a New Task
Select the User Group
Trigger Task On an Event
Switch from Basic to Custom
and Create New Filter…
72. Event Log Tasks (Vista)
Create a New Task
Select the User Group
Trigger Task On an Event
Switch from Basic to Custom
and Create New Filter…
Select Event Logs
73. Event Log Tasks (Vista)
Create a New Task
Select the User Group
Trigger Task On an Event
Switch from Basic to Custom
and Create New Filter…
Select Event Logs (Multiple
Logs!)
74. Event Log Tasks (Vista)
Create a New Task
Select the User Group
Trigger Task On an Event
Switch from Basic to Custom
and Create New Filter…
Select Event Logs (Multiple
Logs!)
Select Events ID (Possible
Multiple IDs) and Keywords
75. Event Log Tasks (Vista)
Create a New Task
Select the User Group
Trigger Task On an Event
Switch from Basic to Custom
and Create New Filter…
Select Event Logs (Multiple
Logs!)
Select Events ID (Possible
Multiple IDs)
The trigger is saved as
XMLQuery (Can be modified)
76. Event Log Tasks (Vista)
Create a New Task
Select the User Group
Trigger Task On an Event
Switch from Basic to Custom
and Create New Filter…
Select Event Logs (Multiple
Logs!)
Select Events ID (Possible
Multiple IDs)
The trigger is saved as
XMLQuery (Can be modified)
The Task Action will be
“Select a Program”…
77. Event Log Tasks (Vista)
This VB script search for “Admin” string in the
logged user name and add a notes beside it.
78. Event Log Tasks (Vista)
The output of three different users logging to the machine…
79. Event Log @ Vista
New Event Viewer (interface)
Over 50 new Event categories
Over 2400 policies (over 1000 in W2K3)
XML based
Events are still written locally
Critical Events can be forwarded
Expanded to serve as single location for all
events (using Windows Remote Manager)
Events can launch system tasks
80. Resources
TechNet – Auditing Overview
(http://technet2.microsoft.com/windowsserver/en/library/768463f6-02b9-4e5e-af55-
29c089ade6381033.mspx?mfr=true)
EventID.net (http://www.eventid.net/search.asp)
Randy Franklin Smith’s Windows Security Log Encyclopedia
(http://www.ultimatewindowssecurity.com/encyclopedia.html)
81. Company:
Private Canadian company Toronto based
Providing Security consulting and networking solutions for over 10 years
Business model focused on delivering timely security information to all areas of an organization
(CEO down to administrator)
Dynamic, agile response to client needs
Experience with customers in multiple verticals
Experienced management team
Consistent Approach:
Provide “snapshot” security information for senior executives
Provide detailed “security to-do” lists for follow-up by onsite personnel
Proven & Scalable Solutions:
Phased Delivery method ensures client satisfaction
Successful deployments with large organizations
Clients need fewer in-house qualified security professionals
Minimize manual, mundane daily client tasks
Leverages both Proprietary and Industry Best-of-Breed Technologies
Extensible Framework:
Adheres to ISO 17799 Framework, Security & Industry Best Practices
The Sentry Dashboard is an enabler for any security subsystem
Can be adapted to present information from non-security sources (network availability and trending,
HR reporting, etc.)
Engages all areas of an organization, from Senior Executives and security officers, to hands-on
systems and network administrators
