{"id":728,"date":"2020-06-14T12:11:41","date_gmt":"2020-06-14T12:11:41","guid":{"rendered":"https:\/\/blog.samarthya.me\/wps\/?p=728"},"modified":"2020-06-16T11:07:08","modified_gmt":"2020-06-16T11:07:08","slug":"a-different-take-siem","status":"publish","type":"post","link":"https:\/\/blog.samarthya.me\/wps\/2020\/06\/14\/a-different-take-siem\/","title":{"rendered":"A different take: SIEM"},"content":{"rendered":"

Security space is an ever evolving. It never stays stagnant; everyday you see a new exploit, a new hack. As an individual, you may have Antivirus installed on your system, Firewall – UP, ports blocked yet you are not free from threat<\/p>\n\n\n

If you have….<\/p>\n\n\n\n

  1. Digital footprint: Use any of the social apps e.g. Facebook, Twitter etc.<\/li>
  2. Use an email: Gmail, yahoo, live etc.<\/li>
  3. Enter passwords (even though super secure)<\/li>
  4. Shop online,<\/li>
  5. Heck even if you have a smart phone<\/li><\/ol>\n\n\n\n

    you are at risk, everyday.<\/p>\n\n\n\n

    Even if you do not have or use any of the 5 above, you still have your identity, right? SSN, or UID? <\/p><\/blockquote>\n\n\n\n

    Your Biometrics fingerprints, eyeprints, stored in a DB govt or otherwise.<\/p>\n\n\n\n

    Just think about it; if this is for an individual<\/strong> what about an organization<\/strong>? <\/p>\n\n\n\n

    Organizations & SIEM<\/h2>\n\n\n\n

    W<\/strong>ith the ever evolving space of security the organization are also upping their game. You have dedicated analysts (individually or part of SoC<\/a><\/strong> or NoC) analyzing information using variety of tools, one such tool is Splunk (very prevalent), Elastic etc.<\/p>\n\n\n\n

    Perspective<\/h2>\n\n\n\n

    What is threat?<\/h3>\n\n\n\n

    A declaration of an intention or determination to inflict punishment, injury, etc., in retaliation for, or conditionally upon, some action or course; menace:<\/p><\/blockquote>\n\n\n\n

    Threat<\/a> is always contextual, specifically in the space of security e.g.<\/p>\n\n\n\n

    <\/p>\n\n\n\n

    \"\"<\/figure>
    \n
    [Error: 401<\/strong>] Unauthorized<\/strong> A single authentication failure where say John Doe, operating from Australia tried to access his account in his organization and misspelled his password resulting an error.<\/pre>\n<\/div><\/div>\n\n\n\n
    Is this threat?<\/span><\/strong><\/p>\n\n\n\n
    It might be a a genuine mistake or lets add some spices to the situation<\/p>\n\n\n\n
    The request came in at a time lets say 5:30 in the evening (AEST) but came in from an IP that is from North Korea<\/p>\n\n\n\n
    Rings a bell?<\/span><\/strong><\/p>\n\n\n\n
    So now we are thinking<\/p>\n\n\n\n
    Volume Metrics<\/strong><\/h3>\n\n\n\n
    Too many unauthorized errors coming might be an anomaly, but may or may not be threat. <\/p>\n\n\n\n
    E.g. A configured password was just changed and the dev guy forgot to change one location and hence it may be false positive.<\/p><\/blockquote>\n\n\n\n
    Behavior Metrics<\/h3>\n\n\n\n
    Behavior is a pattern that is observed over a time for an entity. This entity can be a user or a resource.<\/p>\n\n\n\n
    John regularly logs in from Sydney around 8:00 to 8:30 AM and logs out by 6:00 to 6:30 PM sometimes he logs in on weekends, but not regularly.<\/p><\/blockquote>\n\n\n\n
    Param : One<\/h4>\n\n\n\n
    Today<\/strong>, John logs in at 7:00 PM on Friday<\/strong> and from Japan – Suspicious<\/strong>?<\/p>\n\n\n\n
    This is the deviations from historical pattern, which defines John Doe, as a regular user logging in at 8:00 AM logging out 6:00 PM everyday<\/p>\n\n\n\n
    Param : Two<\/h4>\n\n\n\n
    The last login location was Australia, and within 15 minutes John logs in from Japan? Suspicious again<\/strong>?<\/p>\n\n\n\n
    This is what is called anomaly from the regular behavior and may or may not be a threat, considering John may be on a regular visit to Japan, but what is suspicious is he was logged in from Australia 15 minutes ago so physically it is impossible to make a quantum leap in 15 minutes from one geographic location to another.<\/p>\n\n\n\n
    So this definitely looks like a genuine threat.<\/p><\/blockquote>\n\n\n\n
    Spatial: Metric<\/h3>\n\n\n\n
    Spatial is the location element of an entity, which impacts a V<\/strong>olume or B<\/strong>ehavior metric in a way. It is not just an attribute of an entity it can enrich the information in a decisive way.<\/p>\n\n\n\n
    SIEM: Security Information & Event Management<\/h3>\n\n\n\n
    SIEM is a process, approach or tools to monitor, analyze, evaluate and identify threats in an organization. <\/p>\n\n\n\n
    It collects security data from appliances like servers, firewalls, domain controllers, and more. It stores & normalizes data to discover trends, threats, and enable organizations to plug the gaps.<\/p><\/blockquote>\n\n\n\n
    \"\"<\/figure>
    \n
    The heart of all analysis is the data which is refined, correlated, enriched if required and normalized.<\/pre>\n<\/div><\/div>\n\n\n\n