Security

security threats

BRA
Engager

Hi

As a consultant, I have several customers asking how to identify specific events in the logs of their IT systems which could be hacker attacks or virus activity (i.e. Conficker).

How do you make sure that you can identify security threats in a large amount of data?

Thank you.
Serge

1 Solution

Ayn
Legend

It's an interesting question, and an interesting subject in general. The central question here is - what IS a security threat? Even with IDS systems (network and host based) that are designed specifically to identify and alert on perceived security threats, this is a challenge. Some events might be considered incredibly serious in one scenario while it is 100% normal and expected in another. For instance, if an IDS sees traffic on port 445 from an external unknown host to a Windows host in the DMZ, this is most likely a Very Bad Thing, while if port 445 traffic is observed between two hosts in the internal network this is highly normal activity in a Windows-based environment and nothing to worry about. It's all about context and defining what expected behaviour is.

With logs from operating systems and applications this holds even more true. Most of these weren't even designed to alert on perceived security threats. They might be designed to log security-related information, but do not themselves perform any analysis on whether what just happened should be considered a threat or not. The key information might not even be stored in security logs, but rather in operational logs. For instance, if a service crashes it is security-related if it's caused by malicious input. It is up to you (or your customers) to decide how to interpret the various events that exist in your logs, and define what behaviour should be considered normal - and also of course, what behaviour should be considered abnormal. Is a login event on one of your desktop clients at 4AM OK? Maybe, if your developers are night-owls. Again, it's all about context.

More reading material that I guess says the same thing but in more detail and with more elegance: http://www.splunk.com/view/advance-persistent-threats/SP-CAAAGG4
(be sure to read the whitepapers that are linked from there as well)

Also, for some inspiration to get you started with defining normal/abnormal behaviour, you might want to have a look at Sagan. It provides a number of signatures in a Snort-like rule format that match log events that could be considered suspicious in one way or another - again, all depending on the context.

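To make the "it's all about context" point concrete, here is an added example that is not part of Ayn's answer or any Splunk or Sagan code. It encodes the three situations from the answer (port 445 traffic judged by network zone, a 4AM login judged by who the user is, and a service crash judged by what preceded it) as small rules that consult a constructed inventory: the zone table, the `NIGHT_SHIFT_USERS` set, the `HOST_ADDR` map and the sample log lines are all made up for the demonstration, and in practice would come from the customer's own asset and directory data.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# --- Context: constructed inventory (in practice: CMDB, AD groups, firewall object groups) ---
ZONES = {
    "internal": ipaddress.ip_network("10.0.1.0/24"),
    "dmz": ipaddress.ip_network("192.168.50.0/24"),
}
HOST_ADDR = {"SRV-DMZ-01": "192.168.50.10"}  # hostname -> address, to correlate across log sources
NIGHT_SHIFT_USERS = {"bob"}                  # developers who legitimately log in at night
WORK_HOURS = range(7, 20)                    # 07:00-19:59 is considered a normal login time


def zone_of(ip):
    """Map an address to a named zone; anything not in the inventory is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


# --- Parsing: every source is normalised to one dict so rules can reason across them ---
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<action>\w+) (?P<kv>.*)$")


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m["ts"]), "source": m["source"], "action": m["action"]}
    ev.update(dict(pair.split("=", 1) for pair in m["kv"].split()))
    return ev


# --- Rules: each returns a finding or None. The event alone never decides; the context does. ---
def rule_smb_from_outside(ev, _history):
    """Port 445 is normal inside the estate, suspicious from an unknown host into the DMZ."""
    if ev["source"] == "fw" and ev.get("dport") == "445":
        if zone_of(ev["src"]) == "external" and zone_of(ev["dst"]) == "dmz":
            return f"SMB (445) from external {ev['src']} to DMZ host {ev['dst']}"
    return None


def rule_offhours_login(ev, _history):
    """A 4AM login is fine for the night-owl developers and worth a look for everyone else."""
    if ev["source"] == "auth" and ev["action"] == "success":
        if ev["ts"].hour not in WORK_HOURS and ev["user"] not in NIGHT_SHIFT_USERS:
            return f"off-hours login by {ev['user']} on {ev['host']} at {ev['ts']:%H:%M}"
    return None


def rule_crash_after_external(ev, history):
    """A crash in an operational log becomes security-relevant when an external host
    talked to that service shortly before (possible malicious input)."""
    if ev["source"] == "svc" and ev["action"] == "crash":
        addr = HOST_ADDR.get(ev["host"])
        window_start = ev["ts"] - timedelta(minutes=10)
        for past in history:
            if (past["source"] == "fw" and past.get("dst") == addr
                    and zone_of(past["src"]) == "external" and past["ts"] >= window_start):
                return (f"{ev['service']} on {ev['host']} crashed {ev['ts'] - past['ts']} "
                        f"after traffic from external {past['src']}")
    return None


RULES = [rule_smb_from_outside, rule_offhours_login, rule_crash_after_external]


def triage(lines):
    """Run every rule over every event, keeping earlier events as context for correlation."""
    findings, history = [], []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        for rule in RULES:
            hit = rule(ev, history)
            if hit:
                findings.append(hit)
        history.append(ev)
    return findings


# Constructed sample lines from three sources: firewall (fw), authentication (auth), service monitor (svc).
SAMPLE_LOG = [
    "2009-11-03T04:02:11 fw allow src=203.0.113.7 dst=192.168.50.10 dport=445 proto=tcp",
    "2009-11-03T04:05:00 auth success user=alice host=WS-0042",
    "2009-11-03T04:07:00 auth success user=bob host=WS-0017",
    "2009-11-03T04:09:30 svc crash service=spooler host=SRV-DMZ-01",
    "2009-11-03T10:15:00 fw allow src=10.0.1.5 dst=10.0.1.20 dport=445 proto=tcp",
    "2009-11-03T10:20:00 auth success user=alice host=WS-0042",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("SUSPICIOUS:", finding)
```

Of the six sample events only three produce findings: the external SMB connection into the DMZ, alice's 4AM login, and the spooler crash that followed the external connection. The identical port 445 traffic between two internal hosts, bob's night-time login and alice's daytime login are all silent, because the inventory says they are expected. The rules are deliberately dumb; the work that matters is keeping the zone table, the user groups and the host map accurate, which is the same thing as "defining what expected behaviour is".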


Drainy
Champion

A great answer, I would stress the mention that Ayn makes of "context". Like most things in life, security is a great deal about context. To answer your question you need to realise that it actually applies to a very specific configuration of hardware, software, user groups and user experience.
