Incident Response: SIEM Part II
![Page 1: Incident Response: SIEM Part II](https://reader031.vdocument.in/reader031/viewer/2022032710/58a358c91a28ab14598b5db9/html5/thumbnails/1.jpg)
SIEM II
Author: Prof Bill Buchanan
Incident Response: SIEM II
Title slide diagram labels: Proxy, VPN, Eve, Bob, Alice.
![Page 2: Incident Response: SIEM Part II](https://reader031.vdocument.in/reader031/viewer/2022032710/58a358c91a28ab14598b5db9/html5/thumbnails/2.jpg)
Sidebar tags: Author: Bill Buchanan; Stateful firewall; PIX/ASA Config; Network Security.
Author: Prof Bill Buchanan
Incident Response: Data Sources/Timeline
![Page 3: Incident Response: SIEM Part II](https://reader031.vdocument.in/reader031/viewer/2022032710/58a358c91a28ab14598b5db9/html5/thumbnails/3.jpg)
Author: Prof Bill Buchanan
Incidents: Introduction
Incidents
Timeline: Before Incident, During Incident, After Incident. Diagram labels: Intruder, Intrusion Detection.
![Page 4: Incident Response: SIEM Part II](https://reader031.vdocument.in/reader031/viewer/2022032710/58a358c91a28ab14598b5db9/html5/thumbnails/4.jpg)
Author: Prof Bill Buchanan
Incident Response: Data states
Data in-motion, data in-use and data at-rest
Network diagram labels: Internet, Router, Firewall, Intrusion Detection System, Switch, DMZ, Proxy server, Email server, Web server, FTP server, Firewall, Domain name server, Database server, Bob, Alice, Eve.
Data states marked on the diagram: Data in-motion, Data at-rest, Data in-use.
![Page 5: Incident Response: SIEM Part II](https://reader031.vdocument.in/reader031/viewer/2022032710/58a358c91a28ab14598b5db9/html5/thumbnails/5.jpg)
Author: Prof Bill Buchanan
Incidents: Introduction
Incidents
Timeline: Before Incident, During Incident, After Incident.
Data At Rest: Files, Directories, File Rights, Domain Rights, etc.; File changes, File CRUD (Create, Read, Update, Delete), Thumbprints.
Data In-Motion: Network packet logs, Web logs, Security logs; Network scanners, Intrusion Detection Systems, Firewall logs, etc.
Data In-Process: Processes, Threads, Memory, etc.; Security Log, Application Log, Registry, Domain Rights.
Diagram label: Intruder.
![Page 6: Incident Response: SIEM Part II](https://reader031.vdocument.in/reader031/viewer/2022032710/58a358c91a28ab14598b5db9/html5/thumbnails/6.jpg)
Author: Prof Bill Buchanan
Incident Response: Introduction
Four Vs of Big Data
Network diagram labels: Intrusion Detection System, Firewall, Router, Proxy server, Email server, Web server, FTP server, Switch, Alice, Bob, Eve.
Outputs: Management report, Sales analysis, Targeted marketing, Trending/Correlation, Incident Response.
V - Volume [Scale of data]
V - Variety [Different forms of data]
V - Velocity [Speed of data generation]
V - Veracity [Trustworthiness]
![Page 7: Incident Response: SIEM Part II](https://reader031.vdocument.in/reader031/viewer/2022032710/58a358c91a28ab14598b5db9/html5/thumbnails/7.jpg)
Author: Prof Bill Buchanan
Incident Response: Introduction
Data Capture
Network diagram labels: Web server, Firewall, Router, Proxy server, Email server, FTP server, Switch, Intrusion Detection System, Eve, Bob, Alice.
IT Ops: Nagios, NetApp, Cisco UCS.
Web Services: Apache, IIS.
Microsoft Infrastructure: Active Directory, Exchange, SharePoint.
Structured Data: CSV, JSON, XML.
Database Systems: Oracle, MySQL, Microsoft SQL.
Network/Security: Syslog/SNMP, Cisco NetFlow, Snort.
Cloud: AWS CloudTrail, Amazon S3, Azure.
Application Servers: WebLogic, WebSphere, Tomcat.
![Page 8: Incident Response: SIEM Part II](https://reader031.vdocument.in/reader031/viewer/2022032710/58a358c91a28ab14598b5db9/html5/thumbnails/8.jpg)
Author: Prof Bill Buchanan
Incident Response: Introduction
Investigation sources
Network diagram labels: Web server, Firewall, Router, Proxy server, Email server, FTP server, Bob, Eve.
Sources: Internal systems, Cloud service providers, Communication service providers, Trusted partners.
![Page 9: Incident Response: SIEM Part II](https://reader031.vdocument.in/reader031/viewer/2022032710/58a358c91a28ab14598b5db9/html5/thumbnails/9.jpg)
Author: Prof Bill Buchanan
Incident Response: Introduction
Security Operations Centre
Diagram labels: Eve, Bob. Inputs to the SIEM Package (Splunk): Logs/alerts, News feeds, Security alerts.
![Page 10: Incident Response: SIEM Part II](https://reader031.vdocument.in/reader031/viewer/2022032710/58a358c91a28ab14598b5db9/html5/thumbnails/10.jpg)
Author: Prof Bill Buchanan
Incident Response: Threat Analysis
Section divider diagram labels: Proxy, VPN, Eve, Bob, Alice.
![Page 11: Incident Response: SIEM Part II](https://reader031.vdocument.in/reader031/viewer/2022032710/58a358c91a28ab14598b5db9/html5/thumbnails/11.jpg)
SIEM: Data Fusion
Input: semi-structured data, more than 10 million events, data storage of 2GB/day.
Stages: Parsing/Normalisation, Context, Processing (Rule-based correlation, Statistical correlation), Aggregation, Event prioritisation.
Output: 10,000 alerts reduced to 1 incident.
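The stages above, carried through on constructed log lines as an added example (not code from the slides or from any SIEM product): two raw formats are parsed into one normalised schema, a rule correlates the events by source address, and the matching events are aggregated into a single prioritised incident. The log lines, field names and the three-failure threshold are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample events in two raw formats: syslog sshd lines and Apache access-log lines.
RAW_LOGS = [
    "Mar 27 10:00:01 web1 sshd[411]: Failed password for root from 203.0.113.9 port 5022 ssh2",
    "Mar 27 10:00:03 web1 sshd[412]: Failed password for admin from 203.0.113.9 port 5023 ssh2",
    "Mar 27 10:00:04 web1 sshd[413]: Failed password for bob from 203.0.113.9 port 5024 ssh2",
    '203.0.113.9 - - [27/Mar/2022:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 401 512',
    '198.51.100.7 - - [27/Mar/2022:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 2048',
    "Mar 27 10:00:07 web1 sshd[414]: Accepted password for alice from 198.51.100.7 port 5025 ssh2",
]
SYSLOG = re.compile(r"^\w{3} +\d+ [\d:]+ (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
APACHE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def normalise(line):
    """Parsing/normalisation stage: map each raw format onto one common event schema (assumed fields)."""
    m = SYSLOG.match(line)
    if m:
        host, outcome, user, src = m.groups()
        return {"source": "syslog", "src_ip": src, "host": host, "user": user,
                "action": "auth_failure" if outcome == "Failed" else "auth_success"}
    m = APACHE.match(line)
    if m:
        src, method, path, status = m.groups()
        return {"source": "apache", "src_ip": src, "path": path, "status": int(status),
                "action": "web_auth_failure" if status == "401" else "web_request"}
    return None  # unparsed line: a real deployment would count these and keep them for review

def correlate(events, threshold=3):
    """Rule-based correlation and aggregation: group by source IP, raise one incident per IP over threshold."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["src_ip"]].append(ev)
    incidents = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["action"].endswith("auth_failure")]
        if len(failures) < threshold:
            continue
        # Event prioritisation: failures seen by more than one data source rank higher.
        sources = {e["source"] for e in failures}
        priority = "high" if len(sources) > 1 else "medium"
        incidents.append({"src_ip": ip, "failed_attempts": len(failures),
                          "sources": sorted(sources), "priority": priority})
    return incidents

def run_pipeline(lines=RAW_LOGS):
    """Whole pipeline: six raw lines in, one aggregated incident out."""
    events = [e for e in map(normalise, lines) if e]
    return correlate(events)
```

Here the 10,000-alerts-to-1-incident reduction of the slide appears in miniature: four separate failures from one address become a single high-priority incident, while the legitimate traffic from the second address produces nothing.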
![Page 12: Incident Response: SIEM Part II](https://reader031.vdocument.in/reader031/viewer/2022032710/58a358c91a28ab14598b5db9/html5/thumbnails/12.jpg)
SIEM: Security Operations Centres (SOC)
![Page 13: Incident Response: SIEM Part II](https://reader031.vdocument.in/reader031/viewer/2022032710/58a358c91a28ab14598b5db9/html5/thumbnails/13.jpg)
SIEM: Logstalgia
![Page 15: Incident Response: SIEM Part II](https://reader031.vdocument.in/reader031/viewer/2022032710/58a358c91a28ab14598b5db9/html5/thumbnails/15.jpg)
SIEM: Akamai.com
![Page 16: Incident Response: SIEM Part II](https://reader031.vdocument.in/reader031/viewer/2022032710/58a358c91a28ab14598b5db9/html5/thumbnails/16.jpg)
SIEM: Trend Micro Threat Analysis
![Page 17: Incident Response: SIEM Part II](https://reader031.vdocument.in/reader031/viewer/2022032710/58a358c91a28ab14598b5db9/html5/thumbnails/17.jpg)
SIEM: DDoS Attack Map
![Page 18: Incident Response: SIEM Part II](https://reader031.vdocument.in/reader031/viewer/2022032710/58a358c91a28ab14598b5db9/html5/thumbnails/18.jpg)
SIEM: State of the Internet
![Page 19: Incident Response: SIEM Part II](https://reader031.vdocument.in/reader031/viewer/2022032710/58a358c91a28ab14598b5db9/html5/thumbnails/19.jpg)
SIEM: IPew Attack Map
![Page 20: Incident Response: SIEM Part II](https://reader031.vdocument.in/reader031/viewer/2022032710/58a358c91a28ab14598b5db9/html5/thumbnails/20.jpg)
SIEM: Fortinet
![Page 22: Incident Response: SIEM Part II](https://reader031.vdocument.in/reader031/viewer/2022032710/58a358c91a28ab14598b5db9/html5/thumbnails/22.jpg)
SIEM: Kaspersky Cyber Threat Map
![Page 23: Incident Response: SIEM Part II](https://reader031.vdocument.in/reader031/viewer/2022032710/58a358c91a28ab14598b5db9/html5/thumbnails/23.jpg)
Closing slide: Incident Response: SIEM II. Author: Prof Bill Buchanan. Diagram labels: Proxy, VPN, Eve, Bob, Alice.