Table of Contents

Foreword p. xvii

Log Analysis: Overall Issues p. 1
    Introduction p. 2
    IT Budgets and Results: Leveraging OSS Solutions at Little Cost p. 2
    Reporting Security Information to Management p. 5
    Example of an Incident Report: IDS Case No. 123, 5 September 2005 p. 6
    Combining Resources for an "Eye-in-the-Sky" View p. 9
    Blended Threats and Reporting p. 12
    Conclusion p. 16
    Code Solutions p. 16
    Bird's-Eye View for Management: HTML p. 16
    Bird's-Eye View for Security Teams: HTML p. 20
    Commercial Solutions: ArcSight and Netforensics p. 30
    Summary p. 32
    Solutions Fast Track p. 32
    Frequently Asked Questions p. 35

IDS Reporting p. 37
    Introduction p. 38
    Session Logging with Snort p. 39
    Did That Exploit Work? Did the Attacker Download Any Data? p. 41
    An Example of a Web Connection p. 43
    An Example of a Web Connection with a Backdoor Snort Session p. 43
    Session/Flow Logging with Argus p. 44
    Database Setup p. 46
    Can You Determine When a DDoS/DoS Attack Is Occurring? p. 53
    Using Snort for Bandwidth Monitoring p. 57
    Using Bro to Log and Capture Application-Level Protocols p. 65
    Tracking Malware and Authorized Software in Web Traffic p. 67
    Determining Which Machines Use a Provided/Supported Browser p. 71
    Tracking Users' Web Activities with Bro p. 74
    Using Bro to Gather DNS and Web Traffic Data p. 79
    Using Bro for Blackholing Traffic to Malware-Infested Domains p. 90
    Using Bro to Identify Top E-Mail Senders/Receivers p. 101
    Top Mail Server p. 102
    Top E-Mail Address p. 103
    Virus Attachment Du Jour p. 104
    Summary p. 107
    Solutions Fast Track p. 107
    Frequently Asked Questions p. 111

Firewall Reporting p. 113
    Firewall Reporting: A Reflection of the Effectiveness of Security Policies p. 114
    The Supporting Infrastructure for Firewall Log Management p. 116
    Parsing the Data p. 118
    Tools for an Overview of Activity p. 126
    Time History Graphics p. 127
    Reporting Statistics p. 132
    Statistics by Country p. 132
    Statistics by Business Partner p. 135
    What Is "Normal" and What Is Threatening p. 136
    Tools and URLs p. 138
    Summary p. 139
    Solutions Fast Track p. 139
    Frequently Asked Questions p. 141

Systems and Network Device Reporting p. 143
    Introduction p. 144
    What Should the Logs Log? Everything? p. 145
    The 5 Ws (Who, What, When, Where, and Why) p. 145
    Web Server Logs p. 147
    Recon and Attack Information p. 148
    Identifying User Agent Types p. 149
    Isolating Attacking IP Addresses p. 151
    Correlating Data with the Host System p. 152
    Did They Try to Get In? p. 152
    Did They Get In? p. 153
    What Did They Do While They Were In? p. 155
    Pulling It All Together p. 156
    Awstats Graphical Charting of Web Statistics p. 156
    Top Attacker and Top User for the Web Server p. 160
    Summary p. 162
    Solutions Fast Track p. 162
    Frequently Asked Questions p. 162

Creating a Reporting Infrastructure p. 165
    Introduction p. 166
    Creating IDS Reports from Snort Logs: Example Report Queries p. 166
    Prepare Different Report Formats: Text, Web, E-mail p. 177
    Creating IDS Reports from Bro Logs: Application Log Information p. 178
    Prepare Different Report Formats: Text, Web, E-mail p. 185
    Summary p. 190
    Solutions Fast Track p. 190
    Frequently Asked Questions p. 191

Scalable Enterprise Solutions (ESM Deployments) p. 193
    Introduction p. 194
    What Is ESM? p. 196
    Security Policy p. 197
    Controlling Configuration p. 198
    Controlling Deployment p. 200
    Monitoring p. 202
    When Deploying ESM Makes Sense p. 205
    Questions Your Organization Should Be Asking p. 207
    What Problem Are You Trying to Solve? p. 207
    How Many Information Sources Are Manageable? p. 208
    What Benefits Do I Gain from ESM? p. 209
    What Is the Return on Investment for ESM Tools? p. 211
    What Type of Reports Do I Expect from ESM? p. 213
    Monitoring and Managing versus Reporting p. 214
    Which Security Reporting Tools to Aggregate into ESM p. 216
    Determining How Much Data Is Too Much p. 219
    Using ESM Reporting for Maximum Performance p. 220
    Real-Time Reporting p. 221
    Centralized Repository Reporting p. 222
    ESM Reporting as a Single Point of View p. 224
    Automation of ESM Reporting p. 226
    Special Considerations for Using ESM p. 227
    Security p. 227
    Reliability p. 228
    Scalability p. 229
    Lessons Learned Implementing ESM p. 230
    Knowing Your Environment p. 231
    Implementing at the Right Pace p. 232
    Obtaining Vendor Support p. 234
    Ensuring Usability p. 235
    Summary p. 237
    Solutions Fast Track p. 238
    Frequently Asked Questions p. 241

Managing Log Files with Log Parser p. 243
    Introduction p. 244
    Log File Conversion p. 244
    Standardizing Log Formats p. 244
    Using XML for Reporting p. 248
    Correlating Log File Data p. 251
    Identifying Related Data p. 252
    Converting Related Log Files p. 253
    Analyzing Related Log File Data p. 257
    Log Rotation and Archival p. 259
    Rotating Log Files p. 259
    Rotating Log Files Based on Size p. 260
    Rotating Log Files Based on Date p. 260
    Automating Log File Rotation p. 261
    Determining an Archiving Methodology p. 262
    Meeting Legal or Policy Requirements p. 263
    Archiving Logs for Non-Repudiation p. 264
    Building a Hierarchical Logging Directory Structure p. 266
    Using a Syslog Server p. 269
    Separating Logs p. 271
    Determining Log File Separation Strategies p. 271
    Separating by Date p. 272
    Separating by Event Type p. 272
    Separating by System p. 273
    Using Separated Log Files p. 275
    Developing a Separated Log File Hierarchy p. 276
    Summary p. 277
    Solutions Fast Track p. 277
    Frequently Asked Questions p. 279

Investigating Intrusions with Log Parser p. 281
    Introduction p. 282
    Locating Intrusions p. 282
    Monitoring Logons p. 283
    Excessive Failed Logons p. 283
    Terminal Services Logons p. 284
    Monitoring IIS p. 287
    Identifying Suspicious Files p. 287
    Finding Modification Dates p. 289
    Reconstructing Intrusions p. 291
    Most Recently Used Lists p. 291
    Downloading Stolen Data p. 293
    DNS Name Cache p. 294
    User Activity p. 295
    Login Count p. 298
    Services p. 298
    Installed Programs p. 300
    Summary p. 302
    Solutions Fast Track p. 302
    Frequently Asked Questions p. 304

Managing Snort Alerts with Microsoft Log Parser p. 305
    Introduction p. 306
    Building Snort IDS Reports p. 306
    Gathering Snort Logs p. 306
    Building an Alerts Detail Report p. 308
    Most Common Alerts p. 309
    Alerts by IP Address p. 317
    Building an Alerts Overview Report p. 319
    Managing Snort Rules p. 323
    Summary p. 327

Index p. 329

Table of Contents provided by Blackwell's Book Services and R.R. Bowker. Used with permission.