Protecting the Business: Creating a Security Maturity Model with SIEM
Joining me today is Jamie Hines, a senior product manager for SolarWinds security products. Thanks, Destiny, excited to be here.

Well, Jamie, for a lot of us security, especially when we're establishing a mature process for analyzing security data, can be a real challenge, and I'm not sure operating compliance checklists for everything equals maturity. It certainly can seem overwhelming, and really, just having a plan without at least some checklists to ensure you're using your SIEM software to its full potential simply isn't enough. For example, if you're aggregating all your critical security events in Log & Event Manager, that's great, good stuff, but what's your plan for analyzing all the data it gathers?

I recommend four main focus areas for security analysis in any organization. A checklist, exactly. The first item on the checklist will be cyber threat intelligence, the second being threat detection, thirdly we have incident or intrusion response, and finally threat prevention. And that is definitely one way to start, and a great checklist, Jamie. Something to note is there are several ways to accomplish mature analysis, so don't just think that this is the only way. Now, let's briefly talk about each one of these steps so that we can help those of you who have LEM tweak it into a 500-pound gorilla helping you succeed at these goals.

So first up, cyber threat intelligence. This is where you will focus your efforts on finding intelligence sources that will help you identify the actual threat. Yes, that's a long way of saying your antivirus or anti-malware software needs to be in place. Also, LEM can help you in this area: introducing you to threats and having an actual response to those threats. Okay, exactly.
See, we're already making these big ideas simpler. So then the second one is threat detection, which includes items such as NetFlow, which shows the flow of the data within your network for a more forensic and incident route search, and then you have the response capabilities as well. So this improves awareness with metrics that allow you the internal visibility into what's within your bandwidth and sets a baseline, which is important, because when you're identifying those anomalies you have to have a baseline, and that flows right into incident/intrusion response. Also, yeah, I see what you did there. Having a response to a threat is one thing; popping alerts to possible threats, like, say, for example, a USB drive on a device where you have a watch set up for no USB activity, that takes it to the next level. LEM
allows you to set up this kind of alert and also to respond to the alerts by disabling and ejecting that USB device. Okay, see, now that is something that I personally think is just flat awesome. So being alerted to a situation, that's one thing; doing something actually about it, that's critical, which brings us to the last but certainly not the least: threat prevention. All right, so for an example, integrating tools like Cisco Umbrella into your LEM, or adding better web filtering that prevents calls to known bad sites and consistently scans for things like malware. Some users even prevent the call-out to start file encryption.

So, Jamie, now that we have set the stage, if you will, show us the ways that LEM can actually help them with their plans. Sure, let's jump right in. So, Destiny, opening the firehose and seeing all your log data coming in to LEM can be overwhelming. Oh, extremely. So what I want to do is to walk you through some use cases to get you started in terms of, as I said earlier, analyzing that log data and understanding that, and identifying threats, etc., from that log data. Now, you're going to actually show us step by step how to do this, correct? Absolutely. That's why we got you.

So the first area I want to focus on is file integrity monitoring. So data is critical, obviously, to any organization. File integrity monitoring is the process of monitoring access to those files, permission changes, and not only files that store the data but also key system files as well, to monitor the integrity of those. Awesome. So how do we get in, how do we pull in the data? So the first step in Log & Event Manager to actually get your data into LEM is to deploy the LEM agent. Very easy to do; there's a local installer or a remote installer you can use to push out your agents from a central machine, and from there you see all the various different agents you're collecting logs from. There are a number of benefits to the agent: it can compress the logs, it can encrypt
the logs, and also the active response we spoke about in terms of taking actions on threats, the agent takes care of that as well. Well, that's especially true at the encryption level, because that's a lot of the security concerns that people have with logging. Exactly, so the data is encrypted in transit with LEM, which is obviously very important.

So we can come in here to our agent and we can see all the various different connectors we have. When I do a search for FIM, for file integrity monitoring, I can see my file and directory connector for file integrity monitoring. So I know a lot of you are probably thinking, you know, do I have to go in and set up my auditing on all my Windows files and folders, which is obviously very time-consuming? With LEM we include lots of templates out of the box to help you get started, as well as the ability to actually set up your file integrity monitoring directly from the LEM UI, rather than having to go into every single file and folder to actually set up your file auditing. Something that I like is this kind of reminds me of Network Configuration Manager with those out-of-the-box templates that are there; you can use these as guidelines as well. So this is really key for people getting into it, because you have these to kind of build a template around and to see where you need to go. Exactly, these are pretty much a starting-off point and then you can go from there.

So to give an idea, I know I mentioned system files and the integrity of those files. If you're not sure, you know, "what should I be monitoring on my Windows server to ensure my system files are secure and integrity is good?", you can come in here and you can see your Windows server monitoring template. So we're going to monitor things like patch files, DLL files, changes to the hosts file, which I'll show you in a minute, any change to boot.ini or startup programs, etc. So
you can actually deploy the template from here and from there add that monitoring. Now, in addition, we would want to set up a custom monitor, so I'm sure everyone has lots of files and folders or sensitive files they want to monitor. To do that you can click on Add Custom Monitor, and in here you simply give it a name, and then from here you can actually browse to your machine to decide what files and folders you want to monitor. I love the customization
of that, because we all know that we're trying to outsmart everybody, so sometimes we try to hide things and do things within there, but we need to protect them, so this is a great way to customize it. Precisely. So in here on my machine I have my C drive and I can then see all my various different directories from here. I'm going to monitor the THWACKcamp directory. Equally, I can come in here and monitor any Windows directory I like; you'll select from here if there's an individual file you want to monitor, you can even select individual files from here as well. For the time being I'm going to select this THWACKcamp folder. From here you can go recursive or non-recursive, so do you want to monitor everything in that folder, or non-recursively, whatever you prefer. You can also set your masks here, so you could say I only want to look at Excel files or Word documents, whatever the case may be. In this case I'm going to monitor all and sundry.

Now, what's really good about this is when you think file integrity monitoring, you know, it can be quite noisy by nature, as I'd call it, so you're going to associate lots and lots of logs coming from file integrity monitoring. But in this section on the right-hand side here we can see how to actually adjust the logging levels. So if you want to maybe say I want to look at file deletions and directory
deletions, but permissions aren't important for this particular folder, you can chop and change all these various different permissions, which is vital, because you don't want all the white noise, because then it's not actually helping you to pinpoint things; you need to put your focus where you need it. And with logging that's a lot of the places where people go a little bit excessive, because they kind of open it up, like you said, the flood hose, right, and you don't want to really do that, because then you're not pinpointing or focusing in on your actual needs. Exactly, you want something actionable and intelligent when it comes to file integrity monitoring.

For the purpose of this demo I want to just enable everything so we can see exactly what you can pull in, but you can completely customize this. So now that we have that saved I'm going to give this a name; I'm going to call it THWACKcamp, and we're going to save these changes. From here now we have our Windows server monitoring and our THWACKcamp monitor set up. We're going to save this and start the connector, and from there we can show some examples of how we can actually use this data. So now that the green button is on, we can see file integrity monitoring is now started. And if I come back to my Log & Event Manager here I can see the Monitor section. In this Monitor section we can see all the various different logs coming in from all my sources. As you can see, the events filter is going to show all events, but I have lots and lots of different filters out of the box, and I have some custom file integrity monitoring filters which I created earlier on.

So to give you some examples, if I come here to my THWACKcamp folder, I can then see, say, if someone creates a file, really simple example; they create a file called Destiny. Straight
away I can see LEM has picked up that file creation, and I can see there's my file creation. So I can see this file is created, and thanks to LEM's normalization, which is very important, rather than looking at raw event logs or syslog, etc., you can see here we can normalize all this data. So you can very easily see it was a file create event; I can see the name of the file, the machine it was created on, the IP address, the username that created the file, etc. So I'm sure you're all familiar with looking at raw logs and trying to wade through those logs to make sense of them; this normalization is incredibly beneficial in terms of understanding and comprehending those logs. Well, it also helps you to pinpoint where your area of focus is when you're seeing events. The visualization is key, right? You want to be able to go over here and see visually what is going on and be able to pinpoint the problem at hand. That helps you with time, and that also helps you with pinpointing if there's any kind of a security event that needs your attention now. Exactly, so
with the files as well you can actually class these as sensitive files. So if there's one group of files you want to group together, be it every single Excel file or files that contain certain keywords, you can set up those sensitive files, and from there you can set up your filters. So out of the box LEM does include lots of different groups, and as you can see one of these groups is Sensitive Files. So in this particular sensitive file list I have things like my accounting directory, and in the names, customers and salaries, which is very important. I've set up a filter here for THWACKcamp and also the HR directory. So you can see all these various different folder names or file names can be grouped into the sensitive or critical files that you want to monitor, and from there we can then have a filter to show sensitive file activity, and I can then see all my various different activity in the THWACKcamp directory, or my salaries directory, or my HR directory, etc. So really useful for actually honing in on particular file names or keywords you want to hone in on, on your file server.

And you can also pause the screen, I like that, as it's coming through, and you actually focus in on areas and move through there, and then when you resume it, it's not like it holds you back; it literally starts you back off where you were going. I know a lot of times when I've talked to you guys, you're like, well, when things are flooding through, you didn't want to pause it, because you thought it may have stopped it from actually gathering, and it doesn't. So I mean we help you to find what you need when you're needing it, so instead of the noise of things coming in, you're able to pinpoint getting your job done. Precisely.

Equally, what's vital is file permission changes. So I'm sure no one here is going to set file permissions to Everyone on your files; no one would do that, but
in this case, if you come into Properties here and you set your permissions to Everyone. Again, this could be an insider setting incorrect permissions that you want to keep an eye on. We're going to set this to Everyone and we're going to set it to Full Control, which I know none of you would ever do. So in here we have our permission set on that file incorrectly, and then I can from there see permission changes, and I can within milliseconds see there's an attribute change on that, and I can see Destiny's XML file was changed by this username, this IP address, again, etc. So being able to monitor for file permission changes is hugely beneficial when it comes to file integrity monitoring.

So I've seen malware out there that actually makes hosts file entries to divert to, you know, bad IP addresses, etc., based on particular sites. So in here if I, say, come in here and I actually make a change to the hosts file, I'm going to do it manually, but there is malware out there that can actually make changes to those files. So if I come in, join me on the path again, Destiny: System32, drivers, etc. Yes, we get there eventually. So if I come into my hosts file, Destiny, and I, for example, have an address in here, just say you're going to pick an IP address there, anyone, and that's going to badsite.com. If that change is made to that hosts file, it's going to compromise the integrity of that file and could be browsing to a malicious site, which is a lot like how ransomware and things can get you on there. Precisely, and in here I can see, by
the time I've even got to LEM, it's picked up the change. So I can see again the hosts file was changed by this user, and from there I can investigate further. So that's kind of how you can see your real-time alerts, or sorry, your real-time filters and your events coming in, but what happens if you actually want to alert on these? Realistically, you're not going to be sitting looking at the console 24/7; as you said earlier, you want to monitor this activity and take an action from there. So LEM includes lots of rules out of the box. If we do a quick search for files, you can see just some of the file integrity monitoring alerts we have out of the box. So for example, if you have something like if someone deletes a sensitive file, you can see the correlation here. So if I come into the correlation I can see if someone tries to delete a file and that's part of the sensitive files that we spoke about earlier on, the group that you need, exactly, so it could be a salaries file or a customer file or HR, etc. We're actually going to be very strict and we're going to disable the domain user account; they shouldn't have tried to delete that file, therefore we need to investigate, and before they can do any more damage we can actually disable their domain account from that action. That's what I was talking about that's super critical, I mean, because to be alerted to it is one thing, but doing something when you can actually get to the point, that's vital. Precisely, and you can also add more actions here, so it's not just a case of, you know, disable that account and that's all we can do. You could also, for example, send an email alert to the administrator to let them know, or send an SNMP trap to another third-party system, a ticketing system. There's lots of options when it comes to your active response, which we'll go through later on. Fantastic.

So you
also want to see what happened historically. So if you want to look at reports, we'll say, or, you know, how many files were deleted yesterday, or there's a file missing, what changed, when did it change, who, what, where, when, for example. So we can very easily come into my sensitive file activity here, which is going to capture all events for my sensitive files, and I can then come into nDepth, which is our historical analysis tool in LEM, and we can then see all changes made to any of my sensitive files for a particular time frame. So if you want to pinpoint exactly what happened and when, I can see for the last 10 minutes; equally, if I want to shoot back to the last hour, two hours, last day, week, etc., I can customize my time frame here, and I can in here see all my various different event names that occurred in my sensitive files. So you can pinpoint specific events so that you can actually correlate those, kind of like a forensic dive in on it, so that you can actually see specific things that you're wanting to do in that cloud of, you know, all of the flows that are coming through and all the log adjustments; you're able to actually pinpoint down very quickly. And that's something that I actually like about it a lot to use, because if I'm focusing in on areas, then I usually have a set of events or a set of logging that I want to look for, depending upon the security threat that I'm dealing with, and to be able to pinpoint it and to go through those steps and actually figure out when things happened. That helps me figure out when it occurred, how long it happened for, and what the mitigation was and how we were able to actually resolve this, and I have a time frame now to show that. And even to have you dive in much quicker, you can see all the event names here, so you don't have to go through, you know, reams and reams of event logs trying to find your various different
key events, etc. You can come in here and you can see very easily I've got, you know, three file create events, twelve file writes, one file delete. And that's that visualization, I mean, that's vital, because that's your first alert when you're in here and you can visually see, and all of a sudden you see a whole bunch of file creates, and this is jumping up into the two hundreds, and I have seen this happen, and you see it just slowly rolling and gathering the events. You know there's something that's going on, especially if it's on a sensitive group like you're talking about, or something that you're monitoring and you're wanting to keep an eye on; you know that's that anomaly from your baseline.
Speaking of visualization, Destiny, we also have in this nDepth section things like word clouds, where you can actually, you know, drill into particular file names or file paths or any unusual keywords, as you can see. Then we also include lots of tree maps, bar charts, line graphs, etc., to help you with that visualization of your log data. So on the word cloud, it's something that a lot of people may not know, but I've actually used this before, especially when different malware, especially ransomware, came out, because it has an actual name or an extension type that it actually uses. You can actually go through here, and if it's not obviously going rampant upon your system, I can look for those words, because it's going to pick it up within the events, and actually see if there's something that's going on before I'm actually in that mode of the actual attack. So it's like you can see the prevention happening and taking place, so that's something to think about when you're using that. So speaking of keywords, Destiny, you can type in any keyword you like into this tool. So if you wanted to type in, we'll say, as we looked at earlier, THWACKcamp. So if you want to really quickly drill in for a username, a file name, an IP address, even whatever you like, two keywords, it will return all the results for that particular keyword and highlight them from here. Very nice. Again, if you just want to see file deletions, click file deletions here, and I would have, you know, several thousand event logs; there's your one file deletion that you want to focus in on, within seconds. Well, great, and I hope that helps you guys, especially because we're wanting to help you guys get the most out of LEM, and any SIEM actually. So I hope that actually helps them hone in on what they need to focus on. Exactly.

So, Destiny, USB devices often go hand in hand when it comes to file monitoring as well. It's
certainly a big threat, having users copying files to USB devices, using USB devices unauthorized on particular servers, or, you know, bringing a device in from home; there could be ransomware on it or something like that, and unknowingly to them, right, like there's been several cases where you buy a new USB and it has malware or something that is actually on it. Yeah, it might not even be intentionally malicious. So, Destiny, it's your time to shine; can you plug this USB device in? Dramatic effect. So with a SIEM like LEM we can monitor for actual USB device insertions into machines. As you can see here, as soon as Destiny plugged that device in, I can see, for example, the unique ID of the device. So if you wanted to block that one particular device, that's a very specific device with a serial number on it; we can block that one device. If I want to take it a step further, as we said earlier, we can actually set up rules to actually block those USB devices. So if you can just take that out again for a second, we should see it here. So
we can see there's my detachment. But where the real power of this USB monitoring comes into play is the correlation rules. So we have, for example, one here for attaching an unauthorized USB device. So you could set up maybe a group, much like your sensitive files earlier, of authorized USB users, authorized USB devices, or servers, etc. So in this case we have a list of authorized USB devices; we have that unique ID of every device that we know is safe to use in our environment, and if one of those devices is inserted, that's okay; if it's not part of my authorized USB devices, we want to detach that immediately. Some of the actions we're going to take: the very powerful one we mentioned earlier is actually to block that USB device, detach it immediately. You know, you can't run, you can't copy files, you can't install anything from that device; the device is blocked. Perfect. It's also going to send a popup message to the user to let them know that said device was blocked. So if I enable this rule here and then just click Save. Now, this time, if you attach that again for me. Okay, attached. And, as if by magic, very nice: "Destiny, you are not allowed to use this USB device." So we laughed about this, me and Jamie, about the "Destiny, you're not allowed", but this is actually vital, because a lot of you have specific messages that you have to say, by your actual security team, so we allow you to customize that, so that it's an actual warning or a critical alert to the person that's actually using it. So that's a great feature. So very easy again to do; you can come into your rule here and you can customize any text. So obviously this is only a bit of fun here for our popup message, but you can put any text you want in there, so if you have a requirement that you need to include certain terms in that message to the user, you can then pop it in there. So from what you're showing here, which is fantastic, I'm curious,
I'm doing a lot with databases and things of that side, so would I be able to actually prevent my database servers from even allowing a USB? Absolutely, and any server you like. Yep, so you could actually have a group of database servers, so you could say for all my SQL servers, never allow USB device attachments, regardless of whether it's an administrator or regardless of the serial number of that device. Okay, now that's pretty awesome for me, because I know a lot of the times when you're securing your data, especially if you have a lot of data to secure, you want to make sure that you're actually following a lot of security protocols, and that's just an extra checkbox on that, just to make sure that backs up my actual security plan. Exactly, so
one of the other areas of concern would be actually copying data onto those USB devices. So given that the amount of information a USB device can hold nowadays is phenomenal, you know, users can copy so many files onto those devices within seconds; you want to be alerted to that. If users have copied files, or one sensitive file, that's going to be a cause for concern. So if you just pop that device in and out again for me; again, sorry. And this time we're going to copy a file over to the USB stick and show that copy directly from there. No pressure. Okay, so it's back in. So if we were to now copy, we'll go back to my THWACKcamp, this incredibly sensitive file, and I'm going to copy this onto my USB stick. And as you can see, before we even reached back to LEM again, I can see this USB file was created on this device. And again, you can create your rules to say if any Excel file is copied, if this one file is copied, and from there, say you don't have a correlation rule set up and you've actually allowed that USB device to be attached, you can actually come in here and you can say detach that USB device from here. So even without a correlation
rule enabled, you can take action as soon as you see that event, which is great, especially if there is an actual attack or if there's something that's, you know, misleading or something that's not right on your network; you can detach it from there and then investigate the issue, you know, beforehand and after. So it allows you that interaction which you need. Now, for any SIEM that you have, what we like to say is, you know, you want to be able to back up those maturity plans, any kind of a security protocol, a compliance. What we wanted to try to convey here, though, is that with whatever you're using, you need to be able to match it with your security plan and have that actual, you know, 500-pound gorilla, as we say. You've got to be able to back up your plan, because it's one thing to say it, but it's another thing to actually do something about it and have the proof that you can showcase. If it's not documented, it's not done. Exactly, and much like the file integrity monitoring, if you want to come back here, and back to your point, investigation, you can see all the USB activity that has taken place. So if you need to, you know, put the pieces of the puzzle back together again and see what USB file was copied, by who, when, which machine, etc., you can use this again and you can see all your various different activity there, based on the username, file name. And it's the mean time to detection, and that's something that a lot of the security experts and a lot of people out there are focusing in on, is how long did this go unknown.
And that's what we're trying to actually, you know, work on, actually prevent the time frames from getting so, you know, crazy, because a lot of the things have been there for, like, months, years, and they're lying there. So when you're able to go back and actually pinpoint in, or be able to, you know, proactively investigate issues that just don't seem right, you have that mean time to detection that's shortened, which is critical in any kind of security.

Another area when it comes to USB devices is, you know, nowadays users are on their laptops; they're taking laptops home, out of the office, you know, touching new USB devices, and companies don't have visibility into that offline activity when it comes to USB devices. What you can do with the USB Defender with LEM is have a local policy, so you can restrict USB device usage locally on those machines based on, again, device ID or username. So if users take their laptops out of the office and are plugging in devices and copying files, we can actually block that activity locally on those devices as well. Which is fantastic, because that's a lot of the stuff that I talked about with user education, especially with you guys on THWACK: that, you know, it starts at the business, but you have to also include the home, because people are very mobile and they're going back and forth between these places. You can protect them as much as you want with a business plan and a security maturity analysis plan, but when they leave they're outside of kind of your threshold, so to be able to do something even when they take home their laptop is vital to help them to actually, you know, secure themselves and prevent them from making a mistake by being at home. Yeah, and then once they come back into the office again and connect up to the same solution, that log data will be sent to the SIEM, so you can see what they actually did while they were out of the office, which is great.

So
Destiny, when it comes to a mature analysis of your security, one huge area to monitor your event logs from is Active Directory. Oh, definitely. So Active Directory provides centralized management and administration of user accounts, groups, computers, etc. When it comes to developing a mature security analysis, the amount of information you can get from Active Directory for things like authentication, group changes, user changes, group policy, the list is endless when it comes to event log monitoring. Kind of the framework. Great, so yeah, exactly. So, you know, much like file integrity monitoring, to get the event logs from a domain controller it's simply a matter of installing the agent on your domain controller; from there we're going to pull in the Windows Application, System, and Security logs. So you can see, you know, within minutes of installing the agent you can see all your log data from your Active Directory servers. Okay.

So again, some of the filters look at change management: user account changes, group changes, etc. So if I bring up my Active Directory server here and if I come into Active Directory. So one of the things that, you know, often kind of confuses users a bit is, you know, they've installed the agent on their machine, they're looking at LEM, there's no logs coming in from Active Directory; they're not seeing logins, they're not seeing group changes, user account changes, etc. The reason for that is typically down to the domain audit policy, so it's not an issue with the solution; you're going to have to adjust your domain audit policy on your Active Directory server. So in the audit policy settings here you can see what you're going to audit for. So maybe you don't want to look at successful logon events, although we recommend you would; you can come in here and you can say I don't want to look for successful logins, I only care about logon failures. Or if
I want to look at, say, directory service access or account management, you only want to look at, you know, successful account management. So very easy to get up and running when it comes to actually adjusting these policies, and if anybody has our User Device Tracker they will understand where this is as well, but sometimes you just don't know where to make the connection. Exactly.

So when it comes to Active Directory, you know, a few things you might want to monitor for: the first is new user accounts. So if a new employee starts at the company and you want to see their new user account, you're going to have the documentation there to show that that was created, you know, successfully, that the correct permissions were assigned, the sign-off to create that account. So with that it's going to be important to actually monitor for your new user account creations. So when it comes to new users, if I want to create a new user I can come into New User; we'll call them John Adams, and then we're going to give them jadams. We're going to give him the password, and then we're going to create that user. So if, for example, that user was created maliciously, that that user shouldn't have been there, or there wasn't the correct documentation to back up the creation of that user, that's going to be a cause for concern. So in here you can see straight away, if I come into my user account changes, I can see this guy here was enabled; so there's my new user account. And so you can actually have an alert set up on this, so like if you have your sensitive servers and things of that nature, does it automatically do this for you? Exactly, yes. But you could take this a step further, where, you know, the jadams account is just a regular user; it's just something to kind of keep an eye on, but it's not a critical event. But what happens if I add him to the Domain Admins group? That's going to be definitely a potential problem. So
If I come into my John Adams again, and I'm going to add them to the Domain Admins group, click Apply, and now he's got a huge amount of access to the network. He's added to the Domain Admins group; you're going to want to ensure that that is, you know, OK to do, or, you know, if not, why was he added, who added them? We need to get that fixed right away. So
If I come into my group changes I can see straight away he was added to my Domain Admins group. See, just seeing this like this, I'm having a few little ideas here. To back up any kind of a security policy: A) you have the documentation that things went awry that wasn't there, and then B) you're also backing up the actual Active Directory changes that have been made. So when you have change requests and, like you were saying, the documentation to actually create a user and to do things, you can actually see this and have a report, something that's also an additional documentation of when things have actually made the change and were successfully implemented. Yeah, and back to the visualization we spoke about earlier, you can see a big flashing red filter to say we have an escalation to privileged user event flashing red. Come in here, see straight away this guy was added to Domain Admins, and I can also see who added him. So it was actually me that added that user, so if there was maybe a user that tried to add another user for some reason, you know, we can investigate that from there. So we'll jump back to group changes later, but we can also look at authentication, so it's a really valuable source to see who's logging on where, when they're logging on, to which machines. Is there logon failures, maybe people trying to guess passwords, or there's a password to let outsiders trying to guess passwords. So certainly a huge source of information as well is your authentication events from Active Directory, especially if you do any kind of methodologies with security. A lot of the actual evaluation modes and things of it is you have to track, right? So we sometimes let them play, but we're tracking what they're doing, and so to be able to do that authentication and where they're going, you can kind of see what they're trying to attain. And so you can also validate that your
lockout policies are working correctly, or clipping levels are set correctly. So, you know, you can see all your failed logons here, so I can see, for example, you know, this user logged on here from this machine, etc., it was a failure, and I can also see the reason for failure. So it could have been that the password is wrong; so in this case it's very specific: I can see the username is correct but the password is wrong. Maybe it was the account's already disabled, or maybe the account doesn't have logon privileges to that machine, etc. So that reason for failure can be very useful in terms of pinpointing why the logon failed. Great for people troubleshooting as well. So we always say we want you to have some type of a SIEM that's actually in place, because you don't know what's happening on your network, right, or your environment itself, unless you're actually, you know, paying attention to the logs and the events that are happening. So by using these tools you're not only setting up a security, or a barrier, or an actual backup plan to a security model, you're also helping yourself troubleshoot, pinpoint visually errors that are happening. That can help an AD guy or any of your Exchange, especially, to pinpoint the problem and fix it quickly, because it's helping you to actually identify where the problem is so that you can provide the solution. Mm-hmm. And then from your logon failures
you can also validate that accounts are being locked out successfully. So I can see this poor guy Billy Bob is locked out, and, you know, I can go back to my logon failures and correlate the lockouts to the logon failures to see, you know, why he was locked out, if his account is enabled again, etc. So you can see all that data here as well. Fantastic. So speaking about account enablement as well, you know, it's not beyond the realms of possibility that people are enabling accounts accidentally or maliciously. So someone could have left the company. So far I've seen a lot of users actually build groups in AD, so we can integrate this with AD and pull in our groups. So you could see a group of users that have left the company, and you can then have a rule or a filter to show you people that have left the company but their account has been re-enabled. That's going to be, you know, a major red flag. So let's just say if I come into AD again, and I can see, I'm going to disable this guy for a second, so we'll disable him. So let's say he's left the company, he's in my group to say he's left the company. I'm then going to enable that account again, and now, if he's in that group, I can see that account enabled event. So again you get your correlation rule, you get your email alert to let you know that user was enabled, and again, go investigate from there why was that user enabled when he's left the company. That's going to raise a major red flag. So the way that I'm seeing this, would you be able to actually create a rule that would not allow them, or maybe disable their account, if they had left? Yes, you can add your, say, left users group into your correlation rule, and we have an action out of the box that allows you to automatically disable that account. So if it's enabled, like a split second later the active responses kick in and automatically disable that account again. So
one thing as well that, you know, I've seen people being concerned about with Active Directory is when people clear event logs. So again it could be an outsider or an admin that decides they want to do something malicious, and they're
going to try and be really clever and actually clear the event logs either before or after the malicious actions have taken place. I'm sure you guys understand where we're going with this, but just in case, if security is not your realm here, a lot of people will delete the events before they do something malicious, and they're doing this for two reasons. One is because they kind of want to see if you have a SIEM tool that's available that's going to alert upon the actions that they're doing, and two is because they're setting the precedent for what they're about to do. And what you'll see is you'll have an event log that's cleared, you'll have a gap in time when it's collecting, and then you'll see it cleared again, because they're clearing it beforehand to test you, they're allowing themselves to run their actions, and then they're clearing their actions from the next time. But if you're already alerting to the first time, you're already a step ahead on there. Yes, that's true, we can certainly monitor for that and create correlation rules around that to disable users, log them off, as soon as an event log is cleared. Perfect. So, Destiny, as part of the checklist at the very beginning we mentioned threat intelligence. We couldn't speak about a SIEM solution without threat feed intelligence. Definitely not. So with LEM we can monitor, say, things like firewall logs to see traffic coming in and leaving your network and correlate that against some blacklist on the internet. Oh, perfect. So we use, in our case with Log & Event Manager, we use Emerging Threats, and this is the exact text file that we reference with LEM for our bad known IP addresses, which also gets updated daily. Absolutely. Yeah, so you can see things like IP addresses known for spam, malware, denial of service, etc. And we see a lot of different blacklists out there that we all incorporate in here. So
to enable this in Log & Event Manager, it's literally as simple as going to Appliances and Settings and simply enabling threat intelligence. So from there we're going to look at all the event logs, see the IP addresses, and alert you if we see a malicious IP address. So we have a filter here for all threat events; so as you can see there is quite a few. So I can see some TCP traffic, and I can see it's an inbound TCP connection and it was denied. It's on my Cisco device, and I can also see it's threat activity, and Is Threat is equal to true, which means that's a bad known IP address; the source machine here is appearing on a blacklist, and that's going to be a cause of concern in LEM. Well, that's fantastic; then that also helps you to be self-aware of what's going on and what the traffic is. And it's something that I have faced too, is that a lot of the firewalls, sometimes you're in the trillions of events that can actually happen on firewall logs, so to be able to actually hone in and do something is fantastic.
With that sheer volume of logs the firewalls generate, having threat intelligence and, you know, alerts out of the box lets you know there's a bad known IP address. So in our correlation rules then we have ones both inbound and outbound. So if there's an authentication attempt from the outside, from a potential threat, to a device in your network, we're going to alert on that. And also if there's a server communicating from your network outside to a bad known IP address, we're going to alert on that, which is how ransomware goes, right? So it makes the call out to actually get them to let it know, hey, I'm available, send me the information to encrypt everything or change, and then it comes back through, so you're preventing it from going out essentially. Hmm, so you can see if there's an authentication event and it's true, so the threat is true, which means that that IP address appears again. We can go back to our active response and not only identify the threat, like we mentioned at the very beginning, but also take our active responses as well, be it, you know, shutting down that machine, blocking the IP address on our firewall, or logging the user off, etc. There's lots of different actions we can take. Great. So that leaves us with our threat intelligence. Jamie, thank you so much for your time today, and the step-by-step out of the box of how to get your LEM in gear. I think it's awesome to share these steps with our viewers. Thanks for the opportunity to join you for this THWACKcamp session, Destiny. Hopefully you will start your security models more quickly with LEM. Well, that's all for this session. Please feel free to ask questions in chat, and just remember, there are plenty of ways to create a security maturity model, and the key is to start now and to show steady progress. Don't wait for the big bang and for the security to hit you all at once. Keep pushing forward. Security isn't just an IT issue, it's a business issue, and security
should be a focus for business from the top down. I'm Destiny Bertucci, I'm Jamie Hinds, and thank you for watching.
2017-12-07 18:37