Playbook of SIEM Use Cases

Summary:

The document outlines several key aspects of cybersecurity in organizations using Microsoft Windows platforms. It emphasizes the importance of securing critical systems and data by implementing effective security measures such as access controls, real-time monitoring, and strategic response plans against potential threats like unauthorized access attempts and network disruptions due to attacks. Here’s a detailed breakdown of each point: 1. **Cloud Security**: The document highlights the need for cloud security solutions that provide best-in-class deterrence, forensic capabilities, and automated remediation procedures to maintain secure global presence. This involves monitoring more events from multiple devices across various locations to ensure efficient incident investigations and effective responses. 2. **Insider Threat**: It discusses a scenario where employees unhappy with their company's policies in Hong Kong steal information by accessing databases and file shares. Detection mechanisms such as VPN logs, OS authentication logs, database authentication logs, and DLP (Data Loss Prevention) logs help identify the incident. This underscores the importance of having robust monitoring systems to detect potential insider threats within an organization. 3. **Attack Survivability**: The text describes a scenario where multinational defense contractors are attacked by North Korea, Cuba, and Iraq, stealing data and planting Trojans. Despite being stealthy, these attacks are detected at all sites due to comprehensive detection mechanisms. This section is crucial for understanding how critical infrastructure can implement specific response procedures to minimize their cyber footprint in the face of sophisticated attacks. 4. **Local Network Protection**: The document introduces the concept of local network protection within an enterprise security management framework and highlights unauthorized wireless access from outside sources accessing corporate networks for financial data theft. It emphasizes detecting and preventing unauthorized connections to the network, protecting against potential threats that could lead to data breaches or other cyber-attacks. 5. **Network Breach**: The scenario describes a breach involving a rogue MAC address on a wireless access point leading to disabling the wireless access based on strong evidence detected at multiple points including the router/switch, servers, authentication logs, and DLP (Data Loss Prevention) logs. This highlights the importance of real-time monitoring and detection mechanisms in securing local networks. 6. **Web Defacement**: The text discusses an attacker performing a reconnaissance scan of a Web server with malicious intent to deface the website. Early warning signs from this activity lead to immediate action by the system administrator, such as patching vulnerabilities or enabling IDS/IPS (Intrusion Detection Systems/Intrusion Prevention Systems) to block attacks before they can be exploited. 7. **Identity Mismatch**: This involves a situation where someone unauthorized attempts to access an application using another person's login credentials. The identity mismatch is detected when an authenticated user accesses SAP from an IP address not associated with their DHCP address, leading to actions such as disabling the account or investigating further to prevent misuse of credentials. 8. **Application Authentication Logs**: These logs record every attempt by users to access applications using their credentials, providing details such as username, time of login, IP address from which the login was attempted, and success/failure status. This is crucial for ensuring that only authorized personnel can access sensitive data or applications within the network. 9. **Domain Controller Logs**: These logs record every significant event related to user authentication in a Windows environment, including successful and failed login attempts, changes to user accounts (like password resets), and other activities controlled by administrative users. This provides detailed information about who accessed what application when from where, ensuring that only authorized personnel can access sensitive data or applications within the network. Overall, these scenarios and measures discussed in the document underscore the importance of proactive cybersecurity measures, continuous monitoring, and efficient response strategies across various platforms within an organization to safeguard against potential cyber threats.

Details:

The provided text outlines a list of use cases for Security Information & Event Management (SIEM) systems, which are designed to enhance the tracking and management of security incidents within organizations. These use cases include: 1. Log Management: This involves collecting and analyzing logs from various sources such as network devices, servers, applications, and endpoints to identify potential threats or suspicious activities. 2. Perimeter (Gateway) Threat Protection: SIEM systems help protect the perimeter by monitoring traffic entering and leaving the network for signs of malicious activity that could potentially breach security. 3. Malware Detection Across Multiple Systems: By analyzing data from multiple systems, a SIEM tool can detect malware infections across an organization's entire infrastructure. 4. Desktop Protection: While not explicitly mentioned in the text, desktop protection often involves monitoring user devices for signs of malware or unauthorized access. 5. Windows Server Protection: Specialized features within SIEM solutions are available to monitor and protect Windows servers, which can be critical targets for attackers. 6. Global Network Protection: This use case extends beyond traditional network security by providing a comprehensive view of all networks within an organization, allowing for more effective threat detection and response. 7. Local Network Protection: SIEM tools help protect local networks by monitoring activity and alerting administrators to potential threats or anomalies that may not be detected by other security measures. The document is intended for internal use only and highlights the importance of a centralized approach in addressing various business issues related to cybersecurity incidents, particularly focusing on improving incident response times and reducing the timeframe between compromise and discovery. This centralization helps organizations mitigate risks associated with data breaches committed by IT administrators or others within the organization. The "use case" approach is presented as a solution that can be tailored to address specific security concerns and provide a positive return on investment in terms of enhanced security posture and reduced risk exposure. The text outlines a system designed to enhance network visibility, improve real-time incident response, and reduce risk associated with security breaches. It begins by discussing the importance of logs in providing a comprehensive view of events within the network across various platforms. Due to differences in log sources from different solutions, centralizing log management is challenging; however, normalizing event data before archiving enables powerful reporting across multiple platforms, aligning with regulatory standards like PCI-DSS and ISO. Centralized log management not only simplifies the process of reviewing large volumes of log data but also aids organizations in achieving compliance with various regulations, potentially reducing audit preparation time by up to 90%. This solution is designed for efficiency and cost effectiveness, providing a platform for centralized storage and retrieval that adheres to a data retention policy. In summary, this system aims to improve network management through automated log analysis, enhance visibility into operational health, and facilitate compliance with regulatory standards, thereby reducing audit preparation time and minimizing the risk of security breaches. The document outlines three main sections related to security management and threat protection in an enterprise environment. 1. **Perimeter (Gateway) Threat Protection**: This section deals with protecting the company's perimeter or gateway from external threats. It mentions that companies use point technologies like firewalls, IDS/IPS, and content filters to monitor internet access but these tools often have limitations such as misconfiguration, false positives, incomplete threat views, and lack of corrective actions. The document suggests that a more comprehensive system is needed for effective management of the external security posture. 2. **Anti-Phishing**: This section focuses on detecting phishing attacks through email traffic analysis. When suspicious spikes in email gateway traffic are detected with multiple targets but few sources, correlation rules trigger alerts and populate dashboards to notify analysts about potential threats. The focus here is on protecting against malicious emails that might contain attachments leading to malware installations and data breaches. 3. **Malware Detection Across Multiple Systems**: This section discusses the detection of malware installed by insiders or through external attacks across various systems in the enterprise network. The document mentions that once malware is detected, it should be contained promptly to prevent further spread and impact on other systems. Overall, these sections provide an overview of common security threats and how they can be mitigated using different technologies such as firewalls, IDS/IPS, anti-phishing measures, and malware detection tools across multiple systems. The document highlights the need for a more integrated and automated approach to enhance enterprise security management. This passage discusses the role of system administrators and various security measures to protect systems from malware threats, focusing on different scenarios where malware may compromise a system or network. The text highlights how anti-malware solutions can be augmented with correlation, anomaly detection, and profiling across non-malware sources for more comprehensive threat analysis. It also emphasizes the importance of monitoring and stopping the spread of malware to prevent further damage. For instance, Sam, the system administrator, disables the anti-virus on a mission-critical server, connects a USB device with keylogger, Trojan, and logic bomb, which is detected, leading to his access being disabled and the system taken offline. This highlights the importance of real-time monitoring and detection mechanisms to identify such unauthorized activities. The passage also discusses various methods used by malware to spread within networks: through compromised systems accessing online gambling sites (zero-day browser exploit), downloading attachments in hotel rooms, or via USB devices. Each scenario involves detecting the anomaly early enough to prevent the infection from spreading further. In conclusion, this text underscores the critical role of robust security measures and continuous monitoring in preventing malware threats within an organization's network infrastructure. It advocates for a multi-layered approach that includes anti-malware tools, correlation with non-malware sources, real-time detection, and immediate response to stop the spread of malware. This document outlines various security management practices focused on protecting desktop environments and Windows Servers within an organization. Key areas include unauthorized software use, P2P traffic detection, DHCP address correlation with user identity for contact, anti-virus monitoring, operating system and DNS/DHCP configurations, active directory or IAM integration, data leakage prevention, firewall settings, power utilization monitoring, and illegal account creation on local windows servers. For desktop protection:

• Unapproved software usage is detected through logs from both desktops and asset management systems, as well as network devices tracking P2P activity.

• DHCP addresses are linked to user identities for contact if suspicious activities are detected.

• Anti-virus software should be in place to monitor operating systems.

• Active Directory or IAM solutions should be integrated to manage identity and access rights.

• Desktop logs provide detailed insights into user activities, which can help distinguish between malicious and careless users when correlated with other events.

• Other desktop applications are monitored for data leakage through network communications and file transfers.

• Power utilization is monitored using desktop logs, providing a method to track specific times of logoff.

For Windows Server Protection:

• Privileged users must follow a process to create local accounts, which involves approval from the central Identity Management Solution (IAM).

• Violations of this policy are detected and alerts are triggered accordingly, with higher priority if the affected account is part of the local administrator group.

This document aims to enhance security measures by providing detailed event management for both desktop environments and servers within an organization's IT infrastructure. This document appears to be related to cybersecurity practices within an organization. It discusses various scenarios involving unauthorized access attempts, remote administration, and network attacks like denial-of-service (DoS) attacks. Here's a summary of each section: 1. **MS Windows and Critical Services**: MS Windows provides essential services such as authentication, user management, and file sharing that are crucial for business operations. It serves as the backbone for various applications including databases, messaging systems, and web services. Microsoft Windows servers host many mission-critical applications and services. Protecting these servers from misuse, data leakage, fraud, malware, and downtime is a top priority in every organization due to their critical role in daily operations. 2. **Excessive Access Attempts**: A user attempts unauthorized access to internal materials by trying to copy files he should not have access to. All attempts are denied but the user persists in attempting access despite being blocked. These actions trigger alerts, identifying the user and potentially preventing data leakage or further misuse of resources. 3. **Remote Administration**: Administrators use Remote Desktop Protocol (RDP) to remotely manage Windows servers. However, using generic 'administrator' accounts for multiple administrators can lead to policy violations and alert generation in domain controller logs and standalone window logs. This highlights the importance of implementing strong access controls and policies to prevent unauthorized access. 4. **Global Network Protection**: This section outlines a business issue related to a DoS attack on a company’s global Internet points of presence, leading to significant disruptions in internet connectivity for critical services like VPNs, VoIP, email, and web services across the organization. The solution involves detecting such attacks, visualizing their sources, sharing evidence with ISPs, and mitigating their impact. 5. **Enterprise Security Management**: This framework encompasses various aspects of security management including network protection, access controls, and detection mechanisms to protect against threats like excessive access attempts, remote administration errors, and DoS attacks across the enterprise. It emphasizes a proactive approach to cybersecurity through robust policies, continuous monitoring, and responsive actions in case of detected threats. Overall, this document underscores the importance of securing critical systems and data within an organization using MS Windows platforms by implementing effective security measures such as access controls, real-time monitoring, and strategic response plans against potential cyber threats like unauthorized access attempts and network disruptions due to attacks. This text discusses various aspects of cybersecurity within organizations, focusing on different types of threats and how they can be mitigated. 1. **Cloud Security**: The text describes a scenario where malicious traffic in the cloud is locked down using firewalls, proxy logs, and web server logs. It emphasizes the importance of monitoring more events from multiple devices across various locations to ensure efficient incident investigations and effective responses. Cloud security solutions should provide best-in-class deterrence, forensic capabilities, and automated remediation procedures to maintain a secure global presence. 2. **Insider Threat**: A company in Hong Kong acquires a German subsidiary where some employees are unhappy and decide to steal information. They access databases and file shares to download large amounts of data. Detection mechanisms such as VPN logs, OS authentication logs, database authentication logs, and DLP (Data Loss Prevention) logs help identify the incident. 3. **Attack Survivability**: The international headquarters of a major defense contractor are attacked by North Korea, Cuba, and Iraq, stealing data and planting Trojans. Despite being stealthy, these attacks are detected at all sites due to comprehensive detection mechanisms. To minimize their cyber footprint in such scenarios, companies with critical infrastructure often implement specific response procedures. 4. **Local Network Protection**: This section introduces the concept of local network protection within an enterprise security management framework. It highlights unauthorized wireless access from outside sources accessing corporate networks for financial data theft. The platform for this involves detecting and preventing unauthorized connections to the network, protecting against potential threats that could lead to data breaches or other cyber-attacks. Overall, these scenarios illustrate the importance of proactive cybersecurity measures, continuous monitoring, and efficient response strategies across various platforms within an organization. This document discusses three different types of security breaches and how they are detected and prevented in local networks: 1. **Network Breach**: The text describes a breach involving a rogue MAC address on a wireless access point, communication between the wireless network and financial servers, and file downloads from financial servers to the wireless network. These actions lead to disabling the wireless access based on strong evidence. The breach is detected at multiple points including the router/switch, servers, authentication logs, and DLP (Data Loss Prevention) logs. 2. **Web Defacement**: An attacker performs a reconnaissance scan of a Web server with malicious intent to deface the website. Early warning signs from this activity lead to immediate action by the system administrator, such as patching vulnerabilities or enabling Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS) to block attacks before they can be exploited. 3. **Identity Mismatch**: This involves a situation where someone unauthorized attempts to access an application using another person's login credentials. In this case, the identity mismatch is detected when an authenticated user accesses SAP from an IP address not associated with their DHCP address. As a result, Jessica is notified and actions such as disabling her account or investigating the circumstances can be taken to prevent further misuse of her credentials. Overall, these scenarios highlight how different types of security breaches are identified through various logs (e.g., wireless network logs, web server logs) and preventive measures (e.g., patching vulnerabilities, enabling IDS/IPS) that help mitigate potential risks in local networks. The provided text seems to be a placeholder or an incomplete sentence. However, based on the context and typical terms associated with IT (Information Technology) security, it appears that "Application Authentication Logs" and "Domain Controller Logs" are mentioned. 1. **Application Authentication Logs**: These logs record every attempt by users to access applications using their credentials. They help in identifying whether a user has successfully logged into the application or if there were any failed attempts. This can include details such as username, time of login, IP address from which the login was attempted, and success/failure status. 2. **Domain Controller Logs**: A domain controller is a server that controls access to a Windows network. It manages all aspects of authentication for users attempting to log on to any networked computer within the domain. Domain controller logs record every significant event related to user authentication in a Windows environment, including successful and failed login attempts, changes to user accounts (like password resets), and other activities controlled by administrative users. In summary, these logs are crucial for IT security teams as they provide detailed information about who accessed what application when from where, ensuring that only authorized personnel can access sensitive data or applications within the network.