Introduction to SIEMs

Introduction to Continuous Monitoring

Continuous Monitoring (Information Security Continuous Monitoring (ISCM)): The processes and technologies used to detect information security risks associated with an organization’s operational environment in real time

ISCM provides real-time insight into the current state, vulnerabilities, and effectiveness of current security controls

Prioritizing Risks to Monitor

Compliance: Requirements for monitoring and analyzation of application and system activity

Financial Impact: How a system breach or downtime can impact an organization financially

Repetitional Impact: How an incident would affect an organization’s standing toward customers

Likelihood of Attack: The probability of an attack based on the subject of the application or system (i.e. politically-associated businesses)

Logs

Logs are the most common organizational method for monitoring, and are collections of entries that record individuals events occurring on a device or network

Types of Logs

• Operating System Logs: Created on devices such as Linux and Windows systems
  • Security Access Events
  • Security Permission Events
• Application Logs: Created by devices such as Apache and IIS servers
  • Application Access Events
  • Fraud Events
• Networking Device Logs: Created on devices such as routers, switches, and DHCP/DNS servers
  • Administrative Events
  • Network Security Events
• Security Device Logs: Created on devices such as IDS/IPS firewalls, endpoints, devices, and honeypots
  • Endpoint Events
  • IDS Signature Events

Log Aggregation and Normalization

Log Aggregation: The identification and collection of logs from multiple computing sources

Log Parsing: The process of converting the single string of data and into structured data

Log Normalization: The process of standardizing fields in data from different sources and formats so it can be analyzed together

Splunk Reports and Alerts

Introduction to Splunk Statistics

Splunk uses the Statistics feature to display specific data points from search results in an easy-to-read format

stats: Basic command that creates a statistical report

source="statsreport.csv" | stats count by Account_Name 

• source="statsreport.csv": Search being conducted
• | stats count by Account_Name: Creates a statistical report of the Account_Name field and shows that number of events each Account_Name appears in

| top limit=10 Account_Name: Can be used to list the top 20 values of the Account_Name field

eval: Used to create fields

source="statsreport.csv" | eval BruteForce = if('EventCode'="4740","Potential Brute Force", "Not Brute Force")

• eval BruteForce: Creates the new field BruteForce
• if('EventCode'="4740",: States the expression (if field is equal to 4740)
• "Potential Brute Force",: If true, name this value Potential Brute Force
• "Not Brute Force": If false, name this value Not Brute Force

Splunk Reports

Statistical reports can be ran at a specific and reoccurring times

Creating Scheduled Reports

1. Enter an SPL Query
2. Select Save As > Report
3. Provide the:
   1. Title
   2. Description
   3. Time Range Option
4. Select Schedule
5. In the next window:
   1. Select the Schedule Report checkbox
   2. Schedule
   3. Time Range
   4. Select Add Actions > Send Email
6. Provide the email information and select Save

Splunk Alerts

Splunk alerts are designed to notify pertaining parties when a specific condition, or trigger condition, is met

Trigger Condition Criteria

• Search/Report Results
• Time Parameters
• Schedule

Baselining

A required skill for designing alerts is being able to avoid false positives and false negatives

Baselining: A method of looking at historical data to determine typical activity, known as a threshold

Alert Fatigue may occur when an abundance of alerts are created and cannot be adequately responded to individually

Creating and Scheduling Alerts

1. Select Save As > Alert
2. Provide a Title
3. Provide a schedule
4. Within the Trigger Conditions section, provide a value
5. Select Send Email
6. Select Save

Splunk Dashboards and Visualizations

Introduction to Visualization

Splunk uses visualizations to make complex data easier to understand and analyze

To create a Single Value visualization:

1. Load in data
2. Create a search
3. Select the Visualization section
4. Select the Visualization Type
5. Customize the Visualization
6. Select Save As > Report to save the Visualization

Geographic Maps Visualizations

Splunk can create location-specific reports with the iplocation and geostats commands

iplocation

1. Create a search: source="demo_http_logs.csv" sourcetype="stream:http" | iplocation src_ip
   1. iplocation src_ip: Will output the city and country data of the src_ip field
2. Search for the City and Country fields

geostats

1. Append | geostats count to the search: source="demo_httplogs.csv" | iplocation src_ip | geostats count
2. Select the Visualization tab
3. Select the Map visulization

Introduction to Dashboards

Dashboards: Collection of multiple visualizations in a single location

To create a Dashboard:

1. Create a search
2. Select Save As > Dashboard Panel
   1. Select New if this is a new Dasboard
3. Select Save

Drilldowns and Dashboard Interactivity

Time Input

1. Open a Dashboard
2. Select Add Input > Time
3. For each panel, select the magnifying glass icon
4. Select Shared Time Picker
5. Select Apply
6. Select Save to save the entire Dashboard

Drilldown

1. Select the Edit option to modify the Dashboard
2. Select the edit icon on a panel and select Edit Drilldowns
   1. Select Link to search in the dropdown
   2. Keep auto selected
   3. Click Apply
3. Select Save to save the entire Dashboard

Advanced Security Monitoring Tools

Advanced Security Monitoring Solutions

UBA (User Behavior Analytics): A tool that uses machine learning, AI, and data processing to detect abnormalities in user activity

UEBA (User and Entity Behavior Analytics): A tool similar to UBA, except it extends monitoring to other entities, such as routers, servers, and IoT devices

SOAR (Security Orchestration, Automation, and Response): A SIEM that automates security processes and responds to security incidents