Running the SANS Top 5 Essential Log Reports with Activeworx Security Center

Transcription

1 Running the SANS Top 5 Essential Log Reports with Activeworx Security Center Creating valuable information from millions of system events can be an extremely difficult and time consuming task. Particularly when these events are being generated on disparate devices such as firewalls, IPS/IDS appliances or different server operating systems the challenges are two fold. Firstly collecting all the data and then generating valuable reports or analysis based on potentially millions of different events. As we shall see in the following exercises the key to running these reports is, know what you are looking for. Activeworx Security Center (ASC) is designed to help you build intelligence and increase the visibility of your network based on a large amount of seemingly unrelated security events. This is most obvious and valuable when running reports either for compliance or internal security analysis. Many security organizations around the world are working hard to develop standards for reporting with recommendations on what types of report can be most useful and for whom. In the following section we will take the Top 5 Essential Log Reports as recommended by the SANS Institute and see how ASC can effectively address these best practices with built-in and customizable reports. Top 5 Essential Log Reports as recommended by SANS Institute: 1) Attempts to Gain Access through Existing Accounts 2) Failed File or Resource Access Attempts 3) Unauthorized Changes to Users, Groups and Services 4) Systems Most Vulnerable to Attack 5) Suspicious or Unauthorized Network Traffic Patterns

2 Attempts to Gain Access through Existing Accounts As described by SANS, failed authentication attempts can indicate a user or malicious program attempting to crack a password or access a resource that is not allowed. Logon Reports are extremely important when attempting to mine through all of the logon events generated for example on a Windows Active Directory environment. Activeworx Security Center includes several built-in Logon reports that will help create Logon Reports that best suits your environment. These built-in tasks will automatically generate reports based on Windows Authentication events as well as provide the flexibility for you to customize the logon report to target a specific type of authentication (i.e. Failed Logons, specific UserID, or target Host). To Run a Built-in ASC Authentication Report: 1. Open the ASC Desktop, click on the Report Center Icon. 2. Select your Database and expand Standard Reports. 3. Select Logon Events by User or by Host. 4. Set your Time Filter by hour, day, week, or month and your Style, Detailed (displaying the text of each event message) or Grouped (describing an event once with a number of occurrences which corresponds to a particular event) Click Run Report and export to any format available (pdf, html, csv, etc...)

3 To Customize a Built-in ASC Authentication Report to Show Only Failures: 1. Open the ASC Desktop, click on the Task Manager Icon. 2. On the right side under Output, select Report. 3. Select your database, Date filter, and Time filter. 4. Add a Filter using the Filter Wizard to check for a particular Event Name. 5. Click Start. In this case we have created a Logon Failure Report by Windows Username. Example Task Filter Sample Logon Failure Report

4 Failed Resource or File Access Attempts Failed resource or file access attempts are an extremely broad category but depending on your role as a security administrator or manager some types of reports may be more appropriate than others. ASC is a complete Security Information and Event Management (SIEM) tool that can prove useful when analyzing many different events, so it can be just as useful for firewall and Windows administrators or even security managers that need to have a broader picture of an organizations entire security posture. Common categories of resources to monitor could include Network Traffic, such as denied attempts to communicate on unauthorized ports for a firewall, or File Access attempts for a Windows system. These reports and many more are built into ASC to help as an early indication of an attacker probing a system. Below are examples of both built-in and custom reports for Firewall and Windows event data. To Run a Built-in ASC Firewall Report: 1. Open the ASC Desktop, click on the Report Center Icon. 2. Select your Firewall Database and expand Standard Reports. 3. Select one of the built-in Reports such as Events by Destination or Source IP, by Host or any other criteria you would like. 4. Set your Time Filter and Style. 5. Click Run Report and export to any format available (pdf, html, csv, etc...).

5 To Customize a Built-in ASC Firewall Report To Show Only Denied Packets: 1. Open the ASC Desktop, click on the Task Manager Icon. 2. On the right side under Output, select Report. 3. Select your Firewall Database, Date filter, and Time filter. 4. Add a Filter using the Filter Wizard to check for a particular Action taken. 5. Click Save to make this report available in the future and Click Start. Example Task Filter Sample Denied Network Access Attempts Report

6 To Customize a Windows Failed File Access Report: 1. Verify your Windows System is configured for Auditing on the File or Directory. 2. Verify that your Windows Local or Group Policy Object has Object Access Auditing enabled for at least Failure (You may begin to see Event ID 560 Failed and/or Successful which directly match Windows rules available within ASC). 3. Open the ASC Desktop, click on the Task Manager Icon. 4. Select your AEF Event Database, Action, Date filter, Time filter and Output. 5. Add a Filter using the Filter Wizard to check for a particular Rule ID. Click Save to make this report available in the future and Click Start. NOTE: ASC Rule IDs may vary depending on your installation. Example Task Filter Sample Failed File Access Report

7 Unauthorized Changes to Users, Groups and Services Monitoring changes to Users, Groups, and Services, especially in a Windows environment, is a crucial part of security. The assigning of group memberships, the creating of users or the addition of system services can all be considered a vehicle for escalating privileges as well as attacking a network from within. Windows typically logs both Directory Services access as well as Account Management activity. Of the two the easiest to understand is Account Management auditing events. Windows offers five different event IDs for each group type and scope combination available in Windows. The 5 events correspond to the 5 operations Windows audits for each group: creation, change, deletion, member added and member removed. The following table shows the event IDs. Type Scope Created Changed Deleted Member Added Removed Security Local Global Universal Distribution Local Global Universal There are also other Security Related events such as Password Policy Change that would be useful to track. From an access control auditing perspective, the most important column would have to be member added since that operation usually corresponds to a user being granted new access. As you can see, Audit account management provides a wealth of information for tracking changes to your users and groups in Active Directory however most of these changes may be legitimate, so how do you filter through the false positives? This is a more difficult task. With ASC it is easy to identify a group of Windows Security Events that you would like to report on. In this case we know that Windows Account Management events correspond to Event IDs per the table above. We have matched these Event IDs to Rule IDs within ASC and have added a couple more for good measure. The resulting Report Task is called Windows Account Management Report. To Customize a Windows Account Management Report by User or Destination Host: 1. Verify that your Windows Local or Group Policy Object has Account Management Auditing enabled for both Success and Failure (You may begin to see Event IDs Failed and Successful in your Windows Security Event logs, these events directly match rules available within ASC). 2. Open the ASC Desktop, click on the Task Manager Icon. 3. Select your AEF Event Database, Date filter, Action, Time filter and Output. 4. Add a Filter using the Filter Wizard to check for greater than and less than a particular set of Rule IDs. 5. Click Save to make this report available in the future and Click Start. NOTE: ASC Rule IDs may vary depending on your ASC installation

8 Example Task Filter Sample Windows Account Management Reports by User or Destination Host:

9 NOTE: A report layout can be changed with just one click in ASC. Go to the Task Manager and change the Type of report to any one of over a dozen different layouts. Systems Most Vulnerable to Attack Vulnerabilities are an essential aspect of security, without them there is no way to paint a picture of exactly what a system or network is vulnerable to, more importantly they help prioritize and focus scarce IT resources. Vulnerability scans provide the context in which security events coming from IDS/IPS, firewalls, and servers must be interpreted. ASC allows for the automated importing of vulnerability scans from popular open source tools such as Nessus as well as commercial scanners such as ISS Internet Scanner, GFI, REM, and more. All of these vulnerabilities once imported into ASC can be reported on, correlated, and analyzed in many different ways. To Run a Built-in ASC Vulnerability Report: 1. Open the ASC Desktop, click on the Report Center Icon. 2. Select your AEF Database and expand Standard Reports. 3. Select one of the built-in Vulnerability Reports such as by Host or by Name. 4. Set your Time Filter and Style. 5. Click Run Report and export to any format available (pdf, html, csv, etc...).

10 To Customize a Vulnerability Report by Risk: 1. Open the ASC Desktop, click on the Task Manager Icon. 2. Select your AEF Event Database, Date filter, Action, Time filter and Output to Report 3. Select Type as Vulnerabilities by either Name or by Host. 4. Add a Filter using the Filter Wizard to check for Risk equal to High. 5. Click Save to make this report available in the future, then Click Start. Example Task Filter Sample High Risk Vulnerability Report by Name

11 Suspicious or Unauthorized Network Traffic Patterns Unexpected network traffic from one segment of the network to another, or from your internal LAN to the Internet, can be serious cause for concern. It almost always indicates some sort of policy violation. Usually reports associated with this type of anomalous activity are quite short and useful because they indicate exactly what type of unauthorized activity is occurring. The following is an example of a custom ASC report based on the need to identify a particular type of traffic coming from one segment of the LAN to another meant identifying these types of unauthorized network traffic patterns. To Customize an ASC Unauthorized Network Traffic Report: 1. Open the ASC Desktop, click on the Task Manager Icon. 2. Select your Firewall Database, Date filter, Action, Time filter and Output (Report). 3. Select Type as Firewall Destination Port Grouped. 4. Add a Filter using the Filter Wizard to check for IPs that match * (assuming a DMZ of x.x and an Internal LAN of 10.x for example) and Action equal to Deny. 5. Click Save to make this report available in the future, then Click Start. Example Task Filter NOTE: Keep in mind that there are plenty of built-in reports that make running these types of reports quite easy and straight forward using ASC. However, every network is different, which means that many of the built-in ASC reports can serve as fantastic templates for the running of these reports but they do not always address the custom needs of every administrator. This is why the ASC Task Manager is a key component that we have discussed in detail within this paper. The Task Manager will allow very detailed filtering of your events and the more effective your task filters, the more valuable and precise all of these reports become.

12 Sample Unauthorized DMZ Traffic Report Summary The volume of Network traffic and the sheer number of security events are increasing on a daily basis, overwhelming network devices and security administrators. Adding to that, continuous malware attacks, increasing regulatory compliance and network perimeters that extend to an employee s home PC, creating valuable reports has become a significant challenge. Organizations such as NIST, SANS, and many others have contributed by providing documentation helping organizations put in real terms, what types of reports are valuable and to whom. One such document, the SANS Top 5 Essential Log Reports, covers what reports are essential for any organization concerned about security. You ll be able to run all of these reports and more using the Activeworx Security Center Reporting Engine and Task Manager. Once it is determined by your organization which reports are important, these can be scheduled to run automatically. These summary reports can be ed as PDF s to managers, loaded onto a website as HTML or uploaded to a network share for easy access. Reporting on all these types of activity is increasingly important for visibility and compliance; however, correlating these events across the network could mean the difference between thousands of independent false positive events and just a handful of meaningful, correlated high-priority events.

13 For more information on any of the ASC components including the Correlation and Scheduling Engines visit