Security Monitoring

Generalized Architecture of SIEM

Above is the generalized workflow for any SIEM technology.

Log collection: logs/events are collected from various log sources. There are two techniques used for log collection, i.e. push and pull. We will discuss this in detail later.

Parsing of Logs: Each SIEM technology uses some parser to parse and read the logs/events and categorize them into different fields. For example: "XX.XX.XX.XX", four numbers with three dots in between, will be considered an IP address by the parser.

Normalization: Normalization is the conversion of parsed logs from various log sources, which have different log formats, into a standard format (the SIEM's event schema).

Aggregation: Aggregation is coalescing logs/events that share a similar pattern into one event. So, if 40 successive events are seen with the same source IP, destination IP, destination port and all other fields identical except the time, then the SIEM will summarize all 40 events as one.
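To show the three stages above (parsing, normalization, aggregation) working together, here is an added example that is not code from the original post or from any particular SIEM product. The sample log lines, the OpenSSH-style and key=value firewall formats, the event schema and the syslog year are all constructed assumptions for this example.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Constructed sample lines in two source formats: OpenSSH-style syslog
# and a key=value firewall log. They are made up for this example.
RAW_LOGS = [
    "Mar 10 12:00:01 host1 sshd[1234]: Failed password for root from 10.0.0.5 port 51000 ssh2",
    "Mar 10 12:00:02 host1 sshd[1234]: Failed password for root from 10.0.0.5 port 51001 ssh2",
    "Mar 10 12:00:03 host1 sshd[1234]: Failed password for root from 10.0.0.5 port 51002 ssh2",
    "time=2024-03-10T12:00:04 action=deny src=10.0.0.5 dst=192.168.1.10 dport=445 proto=tcp",
    "time=2024-03-10T12:00:05 action=deny src=10.0.0.5 dst=192.168.1.10 dport=445 proto=tcp",
]

SYSLOG_YEAR = 2024  # assumption: classic syslog timestamps carry no year

# "XX.XX.XX.XX": four numbers separated by three dots is treated as an IP address.
IP_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?P<user>\S+) from (?P<src>\S+) port (?P<sport>\d+)"
)


def parse_line(line):
    """Parsing: split one raw line into source-specific fields; None if unrecognised."""
    m = SSHD_RE.match(line)
    if m:
        return dict(m.groupdict(), source="sshd")
    if line.startswith("time="):
        return dict([kv.split("=", 1) for kv in line.split()], source="firewall")
    return None


def normalize(fields):
    """Normalization: map source-specific fields onto one common event schema."""
    if fields["source"] == "sshd":
        ts = datetime.strptime(f"{SYSLOG_YEAR} {fields['ts']}", "%Y %b %d %H:%M:%S")
        # The ephemeral client port is dropped on purpose: keeping it would make
        # every login attempt unique and defeat aggregation.
        src, dst, port, user, etype = fields["src"], fields["host"], 22, fields["user"], "auth_failure"
    elif fields["source"] == "firewall":
        ts = datetime.fromisoformat(fields["time"])
        src, dst, port, user, etype = (fields["src"], fields["dst"], int(fields["dport"]),
                                       None, "fw_" + fields["action"])
    else:
        return None
    if not IP_RE.match(src):
        return None  # the value in the source-address slot is not shaped like an IP
    return {"ts": ts, "src_ip": src, "dst": dst, "dst_port": port, "user": user, "event_type": etype}


def aggregate(events):
    """Aggregation: collapse events identical in every field except time into one
    summary event carrying a count and first/last-seen timestamps."""
    buckets = OrderedDict()
    for e in events:
        key = tuple(sorted((k, v) for k, v in e.items() if k != "ts"))
        b = buckets.get(key)
        if b is None:
            b = {k: v for k, v in e.items() if k != "ts"}
            b.update(count=0, first_seen=e["ts"], last_seen=e["ts"])
            buckets[key] = b
        b["count"] += 1
        b["first_seen"] = min(b["first_seen"], e["ts"])
        b["last_seen"] = max(b["last_seen"], e["ts"])
    return list(buckets.values())


def run_pipeline(lines):
    """Parse -> normalize -> aggregate, silently dropping lines no parser understands."""
    parsed = (parse_line(line) for line in lines)
    normalized = (normalize(p) for p in parsed if p is not None)
    return aggregate([e for e in normalized if e is not None])


if __name__ == "__main__":
    for summary in run_pipeline(RAW_LOGS):
        print(summary)
```

The three failed logins differ only in their client port and timestamp, so once the port is dropped during normalization they collapse into one event with count 3; the two identical firewall denies collapse into one with count 2.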

Correlation: Correlation is what makes the SIEM special. In correlation one log/event is correlated with another. So in a SIEM we write correlation rules like:

Suppose: X is Event 1
                Y is Event 2
Then we write rules like:
     Rule 1: If X is generated after Y within 2 minutes then generate SIEM alert Z
     Rule 2: If X is generated 10 times within 1 minute then generate SIEM alert B
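The two rule shapes above, a sequence rule and a threshold rule, as an added example that is not part of the original post and does not reproduce any vendor's rule language. Events are assumed to be (timestamp, event name) pairs, and the sample timeline is constructed.

```python
from collections import deque
from datetime import datetime, timedelta


def sequence_rule(events, first, second, window, alert):
    """Rule 1 shape: raise `alert` when `second` is generated after `first`
    within `window`. `events` is an iterable of (timestamp, event_name)."""
    alerts = []
    pending = None  # timestamp of the most recent unconsumed `first`
    for ts, name in sorted(events):
        if name == first:
            pending = ts
        elif name == second and pending is not None and ts - pending <= window:
            alerts.append((ts, alert))
            pending = None  # one `first` pairs with at most one `second`
    return alerts


def threshold_rule(events, name, count, window, alert):
    """Rule 2 shape: raise `alert` when `name` is generated `count` times within
    a sliding `window`. A burst raises one alert, then the window restarts."""
    alerts = []
    recent = deque()
    for ts, ev in sorted(events):
        if ev != name:
            continue
        recent.append(ts)
        while ts - recent[0] > window:  # expire timestamps that fell out of the window
            recent.popleft()
        if len(recent) >= count:
            alerts.append((ts, alert))
            recent.clear()
    return alerts


# Constructed timeline: one qualifying Y->X pair, one pair that is too slow,
# then a burst of ten X events within 45 seconds.
T0 = datetime(2024, 3, 10, 12, 0, 0)
SAMPLE_EVENTS = (
    [(T0, "Y"), (T0 + timedelta(seconds=90), "X")]                              # X 90 s after Y -> Z
    + [(T0 + timedelta(minutes=10), "Y"), (T0 + timedelta(minutes=13), "X")]    # 3 min gap -> nothing
    + [(T0 + timedelta(minutes=20, seconds=5 * i), "X") for i in range(10)]     # 10 X in 45 s -> B
)


def run_rules(events):
    """Apply Rule 1 and Rule 2 exactly as stated in the text."""
    return {
        "rule1": sequence_rule(events, first="Y", second="X", window=timedelta(minutes=2), alert="Z"),
        "rule2": threshold_rule(events, name="X", count=10, window=timedelta(minutes=1), alert="B"),
    }


if __name__ == "__main__":
    print(run_rules(SAMPLE_EVENTS))
```

Note the two design choices a real rule engine has to make explicit: whether one Y can pair with several later Xs (here it cannot), and whether a burst keeps re-alerting on every event past the threshold (here the window is cleared after one alert).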

In a SIEM we try to understand the patterns of different attacks and then write rules to detect these kinds of patterns. Try to understand the patterns below.


a) 1 attacker attacking multiple assets: This could be an attacker trying to do a network scan.

b) Multiple attackers attacking one asset: This could be multiple attackers trying to DDoS that particular asset.

c) Single attacker attacking a particular asset but on different ports: This could be a port scan by the attacker.

d) Single attacker trying to attack a particular asset with different combinations of username and password that result in failed authentication each time (or most of the time): This could be a brute force attempt.

e) Asset trying to communicate with some Command and Control server address: This could be a malware callback attempt, so the system might be part of a botnet.
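The five patterns (a) to (e) expressed as cardinality checks over normalized events, as an added example that is not from the original post. The event schema, the thresholds and the "C2 indicator" list are assumptions for this example; the sample events use private and documentation address ranges and are constructed, not observed traffic.

```python
from collections import defaultdict

# Thresholds are assumptions for this example; a real deployment tunes them per environment.
SCAN_TARGETS = 10          # distinct assets one source must touch (pattern a)
DDOS_SOURCES = 25          # distinct sources hitting one asset (pattern b)
PORTSCAN_PORTS = 15        # distinct ports one source tries on one asset (pattern c)
BRUTE_FORCE_FAILURES = 10  # failed logins with distinct usernames on one asset (pattern d)

# Constructed threat-intel list (pattern e). 198.51.100.23 is documentation
# address space (TEST-NET-2), used here as a placeholder, not a real indicator.
C2_INDICATORS = {"198.51.100.23"}


def ev(src, dst, port, outcome=None, user=None):
    """Build one normalized event (the schema is an assumption for this example)."""
    return {"src_ip": src, "dst_ip": dst, "dst_port": port, "outcome": outcome, "user": user}


# Constructed events, one batch per pattern.
SAMPLE_EVENTS = (
    [ev("10.0.0.5", f"192.168.1.{i}", 22) for i in range(1, 21)]                      # a
    + [ev(f"203.0.113.{i}", "192.168.1.100", 80) for i in range(1, 51)]               # b
    + [ev("10.0.0.7", "192.168.1.50", p) for p in range(1, 31)]                       # c
    + [ev("10.0.0.9", "192.168.1.60", 22, "failure", f"user{i}") for i in range(12)]  # d
    + [ev("192.168.1.77", "198.51.100.23", 443)]                                      # e
)


def detect_patterns(events):
    """Return a list of (pattern, subject) findings for the five patterns above."""
    dsts_by_src = defaultdict(set)          # a: how many assets did each source touch?
    srcs_by_dst = defaultdict(set)          # b: how many sources hit each asset?
    ports_by_pair = defaultdict(set)        # c: how many ports per (source, asset) pair?
    failed_users_by_pair = defaultdict(set) # d: how many usernames failed per pair?
    callback_sources = set()                # e: which assets talked to a known C2 address?

    for e in events:
        s, d, p = e["src_ip"], e["dst_ip"], e["dst_port"]
        dsts_by_src[s].add(d)
        srcs_by_dst[d].add(s)
        ports_by_pair[(s, d)].add(p)
        if e["outcome"] == "failure":
            failed_users_by_pair[(s, d)].add(e["user"])
        if d in C2_INDICATORS:
            callback_sources.add(s)

    findings = []
    findings += [("network_scan", s) for s, ds in dsts_by_src.items() if len(ds) >= SCAN_TARGETS]
    findings += [("ddos", d) for d, ss in srcs_by_dst.items() if len(ss) >= DDOS_SOURCES]
    findings += [("port_scan", f"{s} -> {d}") for (s, d), ps in ports_by_pair.items()
                 if len(ps) >= PORTSCAN_PORTS]
    findings += [("brute_force", f"{s} -> {d}") for (s, d), us in failed_users_by_pair.items()
                 if len(us) >= BRUTE_FORCE_FAILURES]
    findings += [("malware_callback", s) for s in sorted(callback_sources)]
    return findings


if __name__ == "__main__":
    for pattern, subject in detect_patterns(SAMPLE_EVENTS):
        print(f"{pattern}: {subject}")
```

Patterns (a) to (d) are all "many of something, from or to one thing" and differ only in which field is held fixed and which is counted, which is why one pass with a few grouped sets covers them; pattern (e) is a plain lookup against a list and needs no counting at all.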