security threats

BRA
Engager

Hi

As a consultant, I have several customers asking how to identify specific events in the logs of their IT systems which could be hacker attacks or virus activity (i.e. Conficker).

How do you make sure that you can identify security threats in large amounts of data?

Thank you.
Serge

Ayn
Legend

It's an interesting question, and an interesting subject in general. The central question here is - what IS a security threat? Even with IDS systems (network and host based) that are designed specifically to identify and alert on perceived security threats, this is a challenge. Some events might be considered incredibly serious in one scenario while it is 100% normal and expected in another. For instance, if an IDS sees traffic on port 445 from an external unknown host to a Windows host in the DMZ, this is most likely a Very Bad Thing, while if port 445 traffic is observed between two hosts in the internal network this is highly normal activity in a Windows-based environment and nothing to worry about. It's all about context and defining what expected behaviour is.

With logs from operating systems and applications this holds even more true. Most of these weren't even designed to alert on perceived security threats. They might be designed to log security-related information, but do not themselves perform any analysis on whether what just happened should be considered a threat or not. The key information might not even be stored in security logs, but rather in operational logs. For instance, if a service crashes it is security-related if it's caused by malicious input. It is up to you (or your customers) to decide on how to interpret the various events that exist in your logs, and define what behaviour should be considered normal - and also of course, what behaviour should be considered abnormal. Is a login event on one of your desktop clients at 4AM OK? Maybe, if your developers are night-owls. Again, it's all about context.

More reading material that I guess says the same thing but in more detail and with more elegance: http://www.splunk.com/view/advance-persistent-threats/SP-CAAAGG4
(be sure to read the whitepapers that are linked from there as well)

Also, for some inspiration to get you started with defining normal/abnormal behaviour, you might want to have a look at Sagan. It provides a number of signatures in a Snort-like rule format that match log events that could be considered suspicious in one way or another - again, all depending on the context.

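The "same event, different verdict" point above (port 445 traffic, a 4AM logon) as a small context-aware triage routine. This is an added example, not code from the thread or from Splunk or Sagan; the network ranges, the night-owl allowlist and the sample events are all constructed assumptions.

```python
# Added example: context decides severity, not the raw event alone.
# Zones, allowlisted users and sample events are constructed assumptions.
import ipaddress
from datetime import datetime

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate LAN
DMZ = ipaddress.ip_network("192.0.2.0/24")      # assumed DMZ range (TEST-NET-1)
NIGHT_OWLS = {"dev_alice"}                      # users expected to log in at night

def zone(ip):
    """Classify an address as internal, dmz or external (unknown)."""
    addr = ipaddress.ip_address(ip)
    if addr in INTERNAL:
        return "internal"
    if addr in DMZ:
        return "dmz"
    return "external"

def triage(event):
    """Return (severity, reason) for one event, applying environment context."""
    if event["type"] == "conn" and event["dport"] == 445:
        src, dst = zone(event["src"]), zone(event["dst"])
        if src == "external" and dst == "dmz":
            return "high", "SMB from unknown external host to DMZ host"
        if src == "internal" and dst == "internal":
            return "info", "SMB between internal hosts (normal on a Windows LAN)"
        return "medium", f"SMB {src}->{dst}, review against expected flows"
    if event["type"] == "logon":
        hour = datetime.fromisoformat(event["ts"]).hour
        if 0 <= hour < 5 and event["user"] not in NIGHT_OWLS:
            return "medium", "workstation logon outside business hours"
        return "info", "logon consistent with expected behaviour"
    return "info", "no rule matched"

# Constructed sample events, not real traffic or real accounts.
EVENTS = [
    {"type": "conn", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 445},
    {"type": "conn", "src": "10.1.2.3", "dst": "10.1.2.4", "dport": 445},
    {"type": "logon", "ts": "2024-03-01T04:05:00", "user": "dev_alice"},
    {"type": "logon", "ts": "2024-03-01T04:05:00", "user": "finance_bob"},
]

def run(events=EVENTS):
    return [triage(e) for e in events]

if __name__ == "__main__":
    for e, (sev, why) in zip(EVENTS, run()):
        print(sev, why, e)
```

The two port 445 events and the two 4AM logons are identical except for their context, which is exactly what drives the different verdicts.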
Drainy
Champion

A great answer, I would stress the mention that Ayn makes of "context". Like most things in life, security is a great deal about context. To answer your question you need to realise that it actually applies to a very specific configuration of hardware, software, user groups and user experience.
