Running the SANS Top 5 Essential Log Reports with Activeworx Security Center




Creating valuable information from millions of system events can be an extremely difficult and time-consuming task. Particularly when these events are being generated on disparate devices such as firewalls, IPS/IDS appliances or different server operating systems, the challenge is twofold: first collecting all the data, and then generating valuable reports or analysis based on potentially millions of different events. As we shall see in the following exercises, the key to running these reports is knowing what you are looking for.

Activeworx Security Center (ASC) is designed to help you build intelligence and increase the visibility of your network based on a large amount of seemingly unrelated security events. This is most obvious and valuable when running reports either for compliance or internal security analysis. Many security organizations around the world are working hard to develop standards for reporting, with recommendations on what types of report can be most useful and for whom. In the following section we will take the Top 5 Essential Log Reports as recommended by the SANS Institute and see how ASC can effectively address these best practices with built-in and customizable reports.

Top 5 Essential Log Reports as recommended by SANS Institute:
1) Attempts to Gain Access through Existing Accounts
2) Failed File or Resource Access Attempts
3) Unauthorized Changes to Users, Groups and Services
4) Systems Most Vulnerable to Attack
5) Suspicious or Unauthorized Network Traffic Patterns

Attempts to Gain Access through Existing Accounts

As described by SANS, failed authentication attempts can indicate a user or malicious program attempting to crack a password or access a resource that is not allowed. Logon Reports are extremely important when attempting to mine through all of the logon events generated, for example, in a Windows Active Directory environment. Activeworx Security Center includes several built-in Logon reports that will help create the Logon Reports that best suit your environment. These built-in tasks will automatically generate reports based on Windows Authentication events as well as provide the flexibility for you to customize the logon report to target a specific type of authentication (i.e. Failed Logons, a specific UserID, or a target Host).

To Run a Built-in ASC Authentication Report:
1. Open the ASC Desktop, click on the Report Center Icon.
2. Select your Database and expand Standard Reports.
3. Select Logon Events by User or by Host.
4. Set your Time Filter by hour, day, week, or month and your Style: Detailed (displaying the text of each event message) or Grouped (describing an event once with a number of occurrences which corresponds to a particular event).
5. Click Run Report and export to any format available (pdf, html, csv, etc.).

To Customize a Built-in ASC Authentication Report to Show Only Failures:
1. Open the ASC Desktop, click on the Task Manager Icon.
2. On the right side under Output, select Report.
3. Select your database, Date filter, and Time filter.
4. Add a Filter using the Filter Wizard to check for a particular Event Name.
5. Click Start.

In this case we have created a Logon Failure Report by Windows Username.

[Figure: Example Task Filter]
[Figure: Sample Logon Failure Report]
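As an added illustration (not ASC code from CrossTec), the same Logon Failure by Windows Username report expressed in Python over constructed Windows Security events: the Task Manager's Event Name filter, followed by the Detailed style (every event message) and the Grouped style (each event once with its occurrence count). Hosts, users and addresses are hypothetical sample values.

```python
"""Added example: SANS report #1 (Logon Failure by Windows Username) as a
filter plus the two ASC report styles, run over constructed sample events."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class WinEvent:
    time: str
    host: str
    event_id: int     # legacy Windows Security IDs (528 success, 529 failure)
    event_name: str
    user: str
    source_ip: str


# Constructed sample events (hypothetical values, not real log data).
SAMPLE_EVENTS = [
    WinEvent("2009-03-01 08:01:02", "DC01", 528, "Successful Logon", "jsmith", "10.0.0.21"),
    WinEvent("2009-03-01 08:01:09", "DC01", 529, "Logon Failure", "jsmith", "10.0.0.21"),
    WinEvent("2009-03-01 08:01:15", "DC01", 529, "Logon Failure", "administrator", "10.0.0.77"),
    WinEvent("2009-03-01 08:01:16", "DC01", 529, "Logon Failure", "administrator", "10.0.0.77"),
    WinEvent("2009-03-01 08:01:17", "DC01", 529, "Logon Failure", "administrator", "10.0.0.77"),
    WinEvent("2009-03-01 08:02:40", "FS02", 529, "Logon Failure", "svc_backup", "10.0.0.5"),
]


def filter_event_name(events, event_name="Logon Failure"):
    """Task Manager filter step: keep only events whose Event Name matches."""
    return [e for e in events if e.event_name == event_name]


def detailed_report(events):
    """Detailed style: one line per event, carrying the full event text."""
    return [f"{e.time} {e.host} {e.event_id} {e.event_name} user={e.user} src={e.source_ip}"
            for e in events]


def grouped_report(events):
    """Grouped style: each (user, host) pair once with its occurrence count,
    highest counts first so password-guessing candidates surface at the top."""
    counts = Counter((e.user, e.host) for e in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    failures = filter_event_name(SAMPLE_EVENTS)
    print("\n".join(detailed_report(failures)))
    for (user, host), n in grouped_report(failures):
        print(f"{user:15s} {host:6s} {n}")
```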

Failed Resource or File Access Attempts

Failed resource or file access attempts are an extremely broad category, but depending on your role as a security administrator or manager some types of reports may be more appropriate than others. ASC is a complete Security Information and Event Management (SIEM) tool that can prove useful when analyzing many different events, so it can be just as useful for firewall and Windows administrators or even security managers that need to have a broader picture of an organization's entire security posture. Common categories of resources to monitor could include Network Traffic, such as denied attempts to communicate on unauthorized ports for a firewall, or File Access attempts for a Windows system. These reports and many more are built into ASC to help as an early indication of an attacker probing a system. Below are examples of both built-in and custom reports for Firewall and Windows event data.

To Run a Built-in ASC Firewall Report:
1. Open the ASC Desktop, click on the Report Center Icon.
2. Select your Firewall Database and expand Standard Reports.
3. Select one of the built-in Reports such as Events by Destination or Source IP, by Host or any other criteria you would like.
4. Set your Time Filter and Style.
5. Click Run Report and export to any format available (pdf, html, csv, etc.).

To Customize a Built-in ASC Firewall Report to Show Only Denied Packets:
1. Open the ASC Desktop, click on the Task Manager Icon.
2. On the right side under Output, select Report.
3. Select your Firewall Database, Date filter, and Time filter.
4. Add a Filter using the Filter Wizard to check for a particular Action taken.
5. Click Save to make this report available in the future and click Start.

[Figure: Example Task Filter]
[Figure: Sample Denied Network Access Attempts Report]

To Customize a Windows Failed File Access Report:
1. Verify your Windows System is configured for Auditing on the File or Directory.
2. Verify that your Windows Local or Group Policy Object has Object Access Auditing enabled for at least Failure (you may begin to see Event ID 560 Failed and/or Successful, which directly match Windows rules available within ASC).
3. Open the ASC Desktop, click on the Task Manager Icon.
4. Select your AEF Event Database, Action, Date filter, Time filter and Output.
5. Add a Filter using the Filter Wizard to check for a particular Rule ID. Click Save to make this report available in the future and click Start.

NOTE: ASC Rule IDs may vary depending on your installation.

[Figure: Example Task Filter]
[Figure: Sample Failed File Access Report]

Unauthorized Changes to Users, Groups and Services

Monitoring changes to Users, Groups, and Services, especially in a Windows environment, is a crucial part of security. The assigning of group memberships, the creating of users or the addition of system services can all be considered a vehicle for escalating privileges as well as attacking a network from within. Windows typically logs both Directory Services access as well as Account Management activity. Of the two, the easiest to understand is Account Management auditing events. Windows offers five different event IDs for each group type and scope combination available in Windows. The 5 events correspond to the 5 operations Windows audits for each group: creation, change, deletion, member added and member removed. The following table shows the event IDs.

Type          Scope      Created  Changed  Deleted  Member Added  Member Removed
Security      Local      635      641      638      636           637
Security      Global     631      639      634      632           633
Security      Universal  658      659      662      660           661
Distribution  Local      648      649      652      650           651
Distribution  Global     653      654      657      655           656
Distribution  Universal  663      664      667      665           666

There are also other Security Related events, such as Password Policy Change, that would be useful to track. From an access control auditing perspective, the most important column would have to be Member Added, since that operation usually corresponds to a user being granted new access. As you can see, Audit account management provides a wealth of information for tracking changes to your users and groups in Active Directory; however, most of these changes may be legitimate, so how do you filter through the false positives? This is a more difficult task. With ASC it is easy to identify a group of Windows Security Events that you would like to report on. In this case we know that Windows Account Management events correspond to Event IDs 630-667 per the table above. We have matched these Event IDs to Rule IDs within ASC and have added a couple more for good measure. The resulting Report Task is called Windows Account Management Report.

To Customize a Windows Account Management Report by User or Destination Host:
1. Verify that your Windows Local or Group Policy Object has Account Management Auditing enabled for both Success and Failure (you may begin to see Event IDs 624-667 Failed and Successful in your Windows Security Event logs; these events directly match rules available within ASC).
2. Open the ASC Desktop, click on the Task Manager Icon.
3. Select your AEF Event Database, Date filter, Action, Time filter and Output.
4. Add a Filter using the Filter Wizard to check for greater than and less than a particular set of Rule IDs.
5. Click Save to make this report available in the future and click Start.

NOTE: ASC Rule IDs may vary depending on your ASC installation.

[Figure: Example Task Filter]
[Figure: Sample Windows Account Management Reports by User or Destination Host]
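As an added example (not ASC's own rule set), the event-ID table above turned into a lookup so that the 630-667 range filter from the procedure can be decoded into group type, scope and operation, and then narrowed to the Member Added column the paper singles out; the sample events, accounts and group names are constructed.

```python
"""Added example: decode Windows Account Management event IDs with the paper's
table and report 'Member Added' operations, which usually grant new access."""
from dataclasses import dataclass

# Column order of the paper's table for each (type, scope) row.
OPERATIONS = ("Created", "Changed", "Deleted", "Member Added", "Member Removed")
GROUP_EVENT_TABLE = {
    ("Security", "Local"):         (635, 641, 638, 636, 637),
    ("Security", "Global"):        (631, 639, 634, 632, 633),
    ("Security", "Universal"):     (658, 659, 662, 660, 661),
    ("Distribution", "Local"):     (648, 649, 652, 650, 651),
    ("Distribution", "Global"):    (653, 654, 657, 655, 656),
    ("Distribution", "Universal"): (663, 664, 667, 665, 666),
}
# Inverted table: event ID -> (group type, scope, operation).
EVENT_DECODE = {
    eid: (gtype, scope, OPERATIONS[i])
    for (gtype, scope), ids in GROUP_EVENT_TABLE.items()
    for i, eid in enumerate(ids)
}


@dataclass(frozen=True)
class SecEvent:
    time: str
    host: str
    event_id: int
    actor: str        # account that made the change
    target: str       # group the change applies to
    member: str = ""  # member added/removed, where applicable


# Constructed sample events (hypothetical values, not real log data).
SAMPLE = [
    SecEvent("2009-03-02 09:10:00", "DC01", 632, "hr_admin", "Payroll-RW", "jdoe"),
    SecEvent("2009-03-02 09:12:30", "DC01", 633, "hr_admin", "Payroll-RW", "jdoe"),
    SecEvent("2009-03-02 21:47:11", "DC01", 636, "svc_backup", "Administrators", "tmp_user"),
    SecEvent("2009-03-02 21:48:00", "DC01", 655, "it_admin", "All-Staff", "tmp_user"),
    SecEvent("2009-03-02 21:49:05", "DC01", 529, "tmp_user", ""),  # not account management
]


def rule_id_range_filter(events, low=630, high=667):
    """Task Manager style 'greater than / less than' filter on the ID range."""
    return [e for e in events if low <= e.event_id <= high]


def member_added_report(events):
    """Rows of (type, scope, group, member, actor) for Member Added operations."""
    rows = []
    for e in rule_id_range_filter(events):
        gtype, scope, op = EVENT_DECODE.get(e.event_id, (None, None, None))
        if op == "Member Added":
            rows.append((gtype, scope, e.target, e.member, e.actor))
    return rows


def security_group_grants(events):
    """Narrow to Security groups: Distribution groups are not security-enabled,
    so they cannot appear in ACLs and do not confer access."""
    return [r for r in member_added_report(events) if r[0] == "Security"]
```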

NOTE: A report layout can be changed with just one click in ASC. Go to the Task Manager and change the Type of report to any one of over a dozen different layouts.

Systems Most Vulnerable to Attack

Vulnerability information is an essential aspect of security: without it there is no way to paint a picture of exactly what a system or network is vulnerable to, and more importantly it helps prioritize and focus scarce IT resources. Vulnerability scans provide the context in which security events coming from IDS/IPS, firewalls, and servers must be interpreted. ASC allows for the automated importing of vulnerability scans from popular open source tools such as Nessus as well as commercial scanners such as ISS Internet Scanner, GFI, REM, and more. All of these vulnerabilities, once imported into ASC, can be reported on, correlated, and analyzed in many different ways.

To Run a Built-in ASC Vulnerability Report:
1. Open the ASC Desktop, click on the Report Center Icon.
2. Select your AEF Database and expand Standard Reports.
3. Select one of the built-in Vulnerability Reports such as by Host or by Name.
4. Set your Time Filter and Style.
5. Click Run Report and export to any format available (pdf, html, csv, etc.).

To Customize a Vulnerability Report by Risk:
1. Open the ASC Desktop, click on the Task Manager Icon.
2. Select your AEF Event Database, Date filter, Action, Time filter and Output to Report.
3. Select Type as Vulnerabilities by either Name or by Host.
4. Add a Filter using the Filter Wizard to check for Risk equal to High.
5. Click Save to make this report available in the future, then click Start.

[Figure: Example Task Filter]
[Figure: Sample High Risk Vulnerability Report by Name]

Suspicious or Unauthorized Network Traffic Patterns

Unexpected network traffic from one segment of the network to another, or from your internal LAN to the Internet, can be serious cause for concern. It almost always indicates some sort of policy violation. Usually reports associated with this type of anomalous activity are quite short and useful because they indicate exactly what type of unauthorized activity is occurring. The following is an example of a custom ASC report built to identify a particular type of traffic coming from one segment of the LAN to another, which is one way of identifying these types of unauthorized network traffic patterns.

To Customize an ASC Unauthorized Network Traffic Report:
1. Open the ASC Desktop, click on the Task Manager Icon.
2. Select your Firewall Database, Date filter, Action, Time filter and Output (Report).
3. Select Type as Firewall Destination Port Grouped.
4. Add a Filter using the Filter Wizard to check for IPs that match 192.16.* (assuming a DMZ of 192.16.x.x and an Internal LAN of 10.x, for example) and Action equal to Deny.
5. Click Save to make this report available in the future, then click Start.

[Figure: Example Task Filter]

NOTE: Keep in mind that there are plenty of built-in reports that make running these types of reports quite easy and straightforward using ASC. However, every network is different, which means that many of the built-in ASC reports can serve as fantastic templates for running these reports, but they do not always address the custom needs of every administrator. This is why the ASC Task Manager is a key component that we have discussed in detail within this paper. The Task Manager will allow very detailed filtering of your events, and the more effective your task filters, the more valuable and precise all of these reports become.
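As an added example (not ASC code), the Firewall Destination Port Grouped report with the task filter from step 4 (source in the paper's illustrative 192.16.x.x DMZ range, Action equal to Deny) applied to constructed firewall log lines; the log format and addresses are hypothetical, and the range is matched as a prefix rather than a string wildcard so that 192.160.x.x cannot slip through a 192.16.* match.

```python
"""Added example: 'Firewall Destination Port Grouped' report for denied traffic
sourced from the DMZ, parsed from constructed key=value firewall log lines."""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (hypothetical; 192.16.x.x is the paper's example
# DMZ range and 10.x its internal LAN, substitute your own ranges).
FIREWALL_LOG = """\
2009-03-03T02:14:01 fw1 action=deny src=192.16.4.25 dst=10.1.1.10 dport=445 proto=tcp
2009-03-03T02:14:02 fw1 action=deny src=192.16.4.25 dst=10.1.1.11 dport=445 proto=tcp
2009-03-03T02:14:03 fw1 action=deny src=192.16.4.25 dst=10.1.1.12 dport=445 proto=tcp
2009-03-03T02:14:05 fw1 action=deny src=192.16.4.25 dst=10.1.1.10 dport=3389 proto=tcp
2009-03-03T02:15:00 fw1 action=permit src=192.16.4.9 dst=10.1.1.20 dport=25 proto=tcp
2009-03-03T02:15:30 fw1 action=deny src=10.1.5.7 dst=192.16.4.9 dport=22 proto=tcp
2009-03-03T02:16:00 fw1 action=deny src=203.0.113.8 dst=192.16.4.9 dport=80 proto=tcp
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<fw>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")


def parse_firewall_log(text):
    """Parse each line into a dict; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            events.append(d)
    return events


def dmz_deny_filter(events, src_net="192.16.0.0/16", action="deny"):
    """Task filter: source inside the DMZ prefix and Action equal to Deny."""
    net = ipaddress.ip_network(src_net)
    return [e for e in events
            if e["action"] == action and ipaddress.ip_address(e["src"]) in net]


def destination_port_grouped(events):
    """Grouped layout: one row per destination port with its count, busiest first."""
    counts = Counter(e["dport"] for e in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    denied = dmz_deny_filter(parse_firewall_log(FIREWALL_LOG))
    for port, n in destination_port_grouped(denied):
        print(f"dport {port:5d}  {n} denied")
```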

[Figure: Sample Unauthorized DMZ Traffic Report]

Summary

The volume of network traffic and the sheer number of security events are increasing on a daily basis, overwhelming network devices and security administrators. Add to that continuous malware attacks, increasing regulatory compliance and network perimeters that extend to an employee's home PC, and creating valuable reports has become a significant challenge. Organizations such as NIST, SANS, and many others have contributed by providing documentation helping organizations put in real terms what types of reports are valuable and to whom. One such document, the SANS Top 5 Essential Log Reports, covers what reports are essential for any organization concerned about security. You'll be able to run all of these reports and more using the Activeworx Security Center Reporting Engine and Task Manager. Once it is determined by your organization which reports are important, these can be scheduled to run automatically. These summary reports can be emailed as PDFs to managers, loaded onto a website as HTML or uploaded to a network share for easy access. Reporting on all these types of activity is increasingly important for visibility and compliance; however, correlating these events across the network could mean the difference between thousands of independent false positive events and just a handful of meaningful, correlated high-priority events.

For more information on any of the ASC components including the Correlation and Scheduling Engines visit www.crosstecsecurity.com.