Tuesday, March 20, 2012

Security Event of Interest for various technologies

Security Information and Event Management (SIEM) capabilities provide a range of tools and functions for managing security-related events by assessing log data and correlating information from many sources. By not relying on a single source of information, such as an IDS/IPS, to flag potential breaches, the event management function can reduce the number of false positives by first confirming that the discovered event has also been observed by other systems in the environment. As the system is tuned over time, it becomes more effective at distinguishing full-blown security incidents from other event patterns.

SIEM systems can detect events of interest in two distinct ways: by providing a real-time assessment of security-relevant information sent to them, and by supporting forensic analysis of log records collected from the perimeter and internal networks of the controlled environment. Below are a few security events of interest that can be considered when starting a security event repository.
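The corroboration idea above, as an added example written for this post (not code from any SIEM product): events from an IDS, a firewall and an antivirus agent are normalised to one shape, and an IDS alert is promoted to an incident only when at least one other source saw activity on the same host within a short window. The event records, source names and the five-minute window are constructed assumptions.

```python
"""Added example: promote an IDS alert to an incident only when another log
source reports activity on the same host within a short window.  Event data
below is constructed for this example and not taken from any real system."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source, host, message)
SAMPLE_EVENTS = [
    ("2012-03-20T10:00:05", "ids", "10.0.0.7", "inbound scan signature match"),
    ("2012-03-20T10:00:09", "firewall", "10.0.0.7", "DROP tcp dport=445"),
    ("2012-03-20T10:00:40", "antivirus", "10.0.0.7", "malware detected, file quarantined"),
    ("2012-03-20T10:05:00", "ids", "10.0.0.9", "signature match"),
    ("2012-03-20T11:30:00", "firewall", "10.0.0.9", "DROP udp dport=53"),
]


def normalise(raw_events):
    """Map each source's record onto one common shape keyed by host and time."""
    return [
        {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
         "source": source, "host": host, "msg": msg}
        for ts, source, host, msg in raw_events
    ]


def correlate(events, window=timedelta(minutes=5), min_sources=2):
    """Return one incident per IDS alert that at least (min_sources - 1)
    other sources corroborate for the same host within `window`."""
    by_host = defaultdict(list)
    for event in events:
        by_host[event["host"]].append(event)

    incidents = []
    for alert in events:
        if alert["source"] != "ids":
            continue
        corroborating = {
            other["source"]
            for other in by_host[alert["host"]]
            if other["source"] != "ids"
            and abs(other["ts"] - alert["ts"]) <= window
        }
        if len(corroborating) + 1 >= min_sources:
            incidents.append({
                "host": alert["host"],
                "ts": alert["ts"],
                "sources": sorted(corroborating | {"ids"}),
                "trigger": alert["msg"],
            })
    return incidents


def triage(raw_events=SAMPLE_EVENTS):
    """Summarise how many raw IDS alerts survived corroboration."""
    events = normalise(raw_events)
    incidents = correlate(events)
    return {
        "ids_alerts": sum(1 for e in events if e["source"] == "ids"),
        "incidents": incidents,
    }


if __name__ == "__main__":
    for incident in triage()["incidents"]:
        print(incident["ts"], incident["host"], incident["sources"], incident["trigger"])
```

With the sample data, two IDS alerts come in and one incident comes out: the alert on 10.0.0.7 is backed by a firewall drop and an antivirus quarantine within seconds, while the alert on 10.0.0.9 has nothing nearby and stays an uncorroborated alert. Tuning `window` and `min_sources` per environment is the "tuned over time" part of the paragraph above.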

Antivirus Events:
·         Instances of detected malware
·         File and system disinfection attempts (success and fail)
·         File quarantines
·         Malware scans
·         System start up and shutdown
·         Detection of infected files and updates
·         Quarantining of files
·         Cleansing of infected files and updates
·         System compromises
·         Updating of virus signatures
·         Updating of software

Application Events:

·         Requests to privileged resources
·         Application start-up, shutdown, failures and restarts
·         Application access to sensitive resources (functions, data)
·         Account lock-outs
·         User logon / logoff activities

Authentication Servers: Authentication servers, including directory servers and single sign-on servers, typically log each authentication attempt, including its origin, username, success or failure, and date and time.

·         Account Information:
          ·         Account creation, modification and deletion
          ·         Administrative activity
          ·         Login or logoff (i.e. any account)
          ·         Account lock-outs
          ·         Actions with security implications (e.g. resetting passwords, resynchronising tokens, accessing user logs)
·         Operational Actions:
          ·         Application start-up and shutdown
          ·         Application failures and restarts
          ·         Modification of application system settings, parameters and/or configuration

Database Events:

·         Database service (including instance) start-up and shutdown
·         Administrative user and privileged user activities, including:
          ·         Updates
          ·         Deletions
          ·         Selects
          ·         Imports and exports
·         Creation of or modification to database objects (i.e. data definition language queries), including:
          ·         Drop (delete)
          ·         Alter
          ·         Create
·         Modification of access controls to database objects
·         Creation of database users
·         Modification to database user properties and privileges
·         Database user logon and logoff
·         Utility events, including backup, restore and bulk insert commands
·         Connections to instances using administrator privileges

F5 devices: F5 devices are intermediate hosts through which web sites are accessed. They make web page requests on behalf of users and cache copies of retrieved pages so that additional accesses to those pages are more efficient. F5 / web proxies can also be used to restrict web access and to add a layer of protection between web clients and web servers.

·         Monitoring authentication attempts
·         Administrative actions
·         Activity by Users
·         Top Error types
·         Top Protocol
·         Top Severity codes
·         Top Signatures
·         Top violations by signature
·         Top violations
·         Top violations by protocol (HTTP, FTP, SMTP)
·         Top violations by URL
·         Top response codes by web application
·         Top Signature
·         Web application requests by method

Firewall / Networking Devices: Like routers, firewalls permit or block activity based on a policy; however, firewalls use much more sophisticated methods to examine network traffic. Firewalls can also track the state of network traffic and perform content inspection. Firewalls tend to have more complex policies and generate more detailed logs of activity than routers.

·         Account Information
·         Account creation, modification and deletion
·         Administrative activity
·         Login or logoff (i.e. any account)
·         Account lock-outs
·         Actions with security implications (e.g. resetting password)
·         Administrator(s) account details
·         All unsuccessful login attempts
·         Modifications to privilege level or configuration of any account
·         Physical or virtual interface(s) configuration and status
·         System start up and shutdown
·         System compromises
·         System Alerts
·         Changes to firewall policy
·         Logging of firewall rule hits (e.g. dropped packets)
·         Identity context of connections where available (e.g. client identity from terminated mutual-authentication SSL)

IIS:

·         Error types recorded
·         Usage of bad user agents
·         IP address or user with the highest bandwidth usage
·         Top referrers
·         Access to privileged URLs
·         Attempts to upload files
·         Web pages receiving many consecutive hits from the same or different sources
·         Excessive connections in a short period of time
·         SQL injection attempts
·         Potentially malicious referrers
·         XML injection attempts
·         XPath injection attempts
·         Session spoofing attempts
·         Cross-site scripting attempts
·         LDAP injection attempts
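Several of the IIS items above can be pulled straight out of the W3C extended log that IIS writes. The following is an added example for this post, not IIS or vendor code: it parses the `#Fields` header to find the columns, then counts error status codes, flags scanner user agents, POSTs to an upload handler, hits on privileged URLs, quote-then-OR query strings, and bursts of requests from one client in a short window. The log lines, the `/upload.aspx` and `/admin/` names, the scanner agent list, the regex and the burst threshold are all constructed assumptions to be tuned for a real site.

```python
"""Added example: pick several of the events listed above out of IIS W3C
extended log lines.  The log below is constructed for this example; the
field order follows its own #Fields header, as IIS writes it."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-03-20 10:00:01 192.0.2.10 GET /index.html - 80 - 198.51.100.5 Mozilla/5.0 200 0 0 15
2012-03-20 10:00:02 192.0.2.10 GET /admin/users.aspx - 80 - 198.51.100.5 Mozilla/5.0 403 0 0 3
2012-03-20 10:00:03 192.0.2.10 POST /upload.aspx - 80 - 198.51.100.5 Mozilla/5.0 200 0 0 120
2012-03-20 10:00:04 192.0.2.10 GET /search.aspx q=1'+OR+'1'='1 80 - 198.51.100.5 sqlmap/1.0 500 0 0 8
2012-03-20 10:00:05 192.0.2.10 GET /search.aspx q=test 80 - 198.51.100.5 Mozilla/5.0 200 0 0 5
2012-03-20 10:00:06 192.0.2.10 GET /index.html - 80 - 198.51.100.5 Mozilla/5.0 200 0 0 4
2012-03-20 10:30:00 192.0.2.10 GET /index.html - 80 - 203.0.113.8 Mozilla/5.0 404 0 2 2
"""

# Assumed rule parameters for this example; tune them for your own site.
BAD_AGENTS = ("sqlmap", "nikto", "nmap")   # substrings of common scanner user agents
PRIVILEGED_PREFIXES = ("/admin/",)          # URL paths that ordinary users should not hit
SQLI_RE = re.compile(r"(%27|')(\+|%20|\s)*(or|and|union)\b", re.IGNORECASE)


def parse_w3c(text):
    """Parse W3C extended log lines into dicts using the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        else:
            parts = line.split()
            if len(parts) == len(fields):  # skip lines that do not match the header
                rows.append(dict(zip(fields, parts)))
    return rows


def analyse(rows, burst_n=5, burst_window=timedelta(seconds=10)):
    """Apply the detection rules to parsed rows and return the findings."""
    findings = {"errors": Counter(), "bad_agents": [], "uploads": [],
                "privileged": [], "sqli": [], "bursts": []}
    times_by_client = defaultdict(list)
    for r in rows:
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        client, path, status = r["c-ip"], r["cs-uri-stem"], int(r["sc-status"])
        times_by_client[client].append(ts)
        if status >= 400:  # error types recorded
            findings["errors"][status] += 1
        if any(b in r["cs(User-Agent)"].lower() for b in BAD_AGENTS):
            findings["bad_agents"].append((client, r["cs(User-Agent)"]))
        if r["cs-method"] == "POST" and "upload" in path.lower():  # assumed handler name
            findings["uploads"].append((client, path))
        if path.startswith(PRIVILEGED_PREFIXES):
            findings["privileged"].append((client, path, status))
        if SQLI_RE.search(r["cs-uri-query"]):
            findings["sqli"].append((client, r["cs-uri-query"]))
    # Excessive connections: burst_n or more requests from one client inside burst_window.
    for client, times in times_by_client.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= burst_window:
                j += 1
            if j - i + 1 >= burst_n:
                findings["bursts"].append((client, j - i + 1))
                break
    return findings


def iis_report(text=SAMPLE_LOG):
    """Parse and analyse one log file's text."""
    return analyse(parse_w3c(text))


if __name__ == "__main__":
    for rule, hits in iis_report().items():
        print(rule, hits)
```

Each rule feeds a separate finding list, so a SIEM can weight them differently: a single 404 is noise, but the same client producing a scanner user agent, a quote-then-OR query, a 403 on an admin page and a request burst inside ten seconds is the kind of multi-signal pattern the introduction calls an event of interest.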

Intrusion Detection / Intrusion Prevention System: Intrusion detection and intrusion prevention systems record detailed information on suspicious behaviour and detected attacks, as well as any actions intrusion prevention systems performed to stop malicious activity in progress. Some intrusion detection systems, such as file integrity checking software, run periodically instead of continuously, so they generate log entries in batches instead of on an ongoing basis.

·         Account creation, modification and deletion
·         Administrative activity
·         Login or logoff (i.e. any account)
·         Account lock-outs
·         Actions with security implications (e.g. resetting passwords, resynchronising tokens, accessing user logs)
·         Administrator(s) account details
·         All unsuccessful login attempts
·         Modifications to privilege level or configuration of any account
·         Configuration changes
·         System start up and shutdown
·         Heuristic anomalies and action (success/fail)
·         Matches to attack signatures and action (success/fail)
·         Update signature (success/fail)
·         Update software (success/fail)

Operating System Events: Operating systems (OS) for servers, workstations, and networking devices (e.g., routers, switches) usually log a variety of information related to security. The most common types of security-related OS data are as follows:

·         Account Information
·         Account creation, modification and deletion
·         Administrative activity
·         Login or logoff (i.e. any account)
·         Account lock-outs
·         Actions with security implications (e.g. resetting passwords, resynchronising tokens, accessing user logs)
·         Administrator(s) account details
·         All unsuccessful login attempts
·         Modifications to privilege level or configuration of any account
·         Configuration changes
·         System start up and shutdown
·         Failed attempts to access data and system resources
·         Successful and failed attempts to use special privileges
·         Successful and failed user or group management attempts
·         Successful and failed security policy change attempts
·         Successful and failed attempts to access audit logs
·         The copying and accessing of sensitive information
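The account and privilege items in the Authentication Servers list and in the Operating System list above map onto specific Windows Security log event IDs. The following added example (written for this post, not Microsoft code) classifies a stream of such records into lock-outs, user and group management, special privilege use, audit policy changes and audit log clearing, and raises a separate finding when one account accumulates repeated logon failures in a short window. The event IDs are the standard Windows ones; the records, account names, addresses, threshold and window are constructed assumptions.

```python
"""Added example: turn Windows Security log records into the account and
privilege events listed above.  Event IDs are the standard Windows Security
IDs; the records themselves are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows Security event IDs and the category each maps to.
CATEGORY = {
    4625: "logon_failure",           # an account failed to log on
    4740: "lockout",                 # a user account was locked out
    4720: "account_management",      # a user account was created
    4732: "account_management",      # a member was added to a security-enabled local group
    4672: "privilege_use",           # special privileges assigned to a new logon
    4719: "policy_change",           # system audit policy was changed
    1102: "audit_log",               # the audit log was cleared
}

# Constructed sample records: (time, event id, account, source address)
SAMPLE_RECORDS = [
    ("2012-03-20T08:00:01", 4625, "jsmith", "10.1.1.50"),
    ("2012-03-20T08:00:03", 4625, "jsmith", "10.1.1.50"),
    ("2012-03-20T08:00:05", 4625, "jsmith", "10.1.1.50"),
    ("2012-03-20T08:00:07", 4625, "jsmith", "10.1.1.50"),
    ("2012-03-20T08:00:09", 4625, "jsmith", "10.1.1.50"),
    ("2012-03-20T08:00:10", 4740, "jsmith", "10.1.1.50"),
    ("2012-03-20T08:15:00", 4624, "admin", "10.1.1.20"),      # successful logon, not flagged
    ("2012-03-20T08:15:01", 4672, "admin", "10.1.1.20"),
    ("2012-03-20T08:16:00", 4720, "svc_backup", "10.1.1.20"),
    ("2012-03-20T08:16:05", 4732, "svc_backup", "10.1.1.20"),
    ("2012-03-20T08:20:00", 1102, "admin", "10.1.1.20"),
    ("2012-03-20T09:00:00", 4625, "bob", "10.1.1.77"),        # one failure, below threshold
]


def detect(records, fail_threshold=5, window=timedelta(minutes=2)):
    """Classify records into findings; logon failures are only reported
    once an account reaches fail_threshold of them inside `window`."""
    findings, failures = [], defaultdict(list)
    for time_str, event_id, account, source in records:
        ts = datetime.strptime(time_str, "%Y-%m-%dT%H:%M:%S")
        category = CATEGORY.get(event_id)
        if category == "logon_failure":
            failures[account].append(ts)
        elif category is not None:
            findings.append({"ts": ts, "category": category, "event_id": event_id,
                             "account": account, "source": source})
    # Repeated failures: the first fail_threshold failures for an account lie inside `window`.
    for account, times in failures.items():
        times.sort()
        if len(times) >= fail_threshold and times[fail_threshold - 1] - times[0] <= window:
            findings.append({"ts": times[0], "category": "brute_force", "event_id": 4625,
                             "account": account, "source": None, "count": len(times)})
    return findings


def summarise(records=SAMPLE_RECORDS):
    """Count findings per category, the shape a SIEM dashboard would show."""
    counts = defaultdict(int)
    for finding in detect(records):
        counts[finding["category"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in detect(SAMPLE_RECORDS):
        print(finding["ts"], finding["category"], finding["account"])
```

Successful logons (4624) are deliberately left out of the findings so that the routine rule set stays quiet; they still belong in the repository for the forensic use described at the top of the post, where a burst of failures followed by a lock-out and later a success for the same account is the sequence an analyst would want to reconstruct.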