SlideShare a Scribd company logo

Using indicators to deal with security attacks

Zoho Corporation
Zoho Corporation

Learn the unique capabilities of using indicators to deal with the security breaches and attacks in the security information and event management space. Detect and enrich the indicators using ManageEngine Log360.

Technology
1 of 11
Download to read offline
Using Indicators Security Attacks To Deal With
Introduction Attack patterns and their indicators Explaining the indicators with an attack scenario Attack scenario Investigating the attack Detecting and enriching IoCs and IoAs with Log360 IoA or IoC: Which one should be used? 1. 2. 3. 3 4 5 5 6 8 10 4. 5. Table of contents www.manageengine.com/log360log360-support@manageengine.com
Introduction Security breaches and sophisticated attacks are on the rise, spurring continued improvements in the security information and event management (SIEM) space. To further combat these advanced attacks, security intelligence platforms and solutions have been strengthened by their vendors. Improvements in attack mitigation techniques have given rise to several new parameters that detect potential threats and attack patterns early on. Later sections of this white paper elaborate on two such parameters—indicators of compromise (IoCs) and indicators of attack (IoAs)—that help detect attacks instantly, blueprint an attack sequence, identify an attack before damage is caused, and more. This white paper helps security professionals understand the unique capabilities of these indicators, the differences between them, and the steps to configure a SIEM solution to detect IoCs and IoAs. 3 www.manageengine.com/log360log360-support@manageengine.com
Attack patterns and their indicators. Security attacks can thus be broadly classified into two types: Enterprises are not immune to security attacks, no matter how good their security systems are. Hackers always try to exploit a network's vulnerabilities and security loopholes, usually either to gain access to critical network resources or to bring down business services. Depending on the attack type, the pattern of approach will be different. For instance, attacks that attempt to bring down business operations will concentrate on bypassing endpoint security systems and flooding the resources with irrelevant traffic. On the other hand, attacks attempting to steal data will focus on acquiring confidential information through unauthorized access to critical resources. Attacks that disrupt business operations, such as DDoS attacks targeted at bringing down an e-commerce or banking company's web service. Attacks that steal confidential information. Regardless of its type, every attack will leave a trace, which is known as an indicator. These indicators provide details that help security professionals: Conclude whether a suspicious event is a threat or an on-going attack. . Detect threats at their initial stage, which helps contain an attack before it even occurs. Identify whether an attack is ongoing or if it has happened before. Speed up the attack discovery process. Ascertain an attack's total impact once it has been resolved. 4 www.manageengine.com/log360log360-support@manageengine.com
Most enterprises rely on IoCs to contain an ongoing attack or to conduct forensic analysis to resolve an attack or assess its impact. Essentially, IoCs tell administrators the network has been compromised. They answer the vital w's: what happened, who was involved, and when it occurred. Two major indicators come in handy for security professionals: IoCs and IoAs IoCs IoAs are suspicious security events that could turn out to be a potential threat or attack. Once they're detected, IoAs are then enriched with contextual information such as user behavior patterns, vulnerabilities, and input data from other security tools. All these details help in ascertaining whether an IoA is a potential threat. Since IoAs identify attacks at an early stage, they play a major role in preventing attacks. IoAs Explaining the indicators with an attack scenario. Fighting security attacks is a multi-step process. Gathering clues, aka indicators, from the network Is the first step in that process. Let's use an attack scenario to elaborate on the process of identifying indicators. Attack scenario Assume in this scenario that a malicious Microsoft Excel file is spread over email to employees in an organization. The email is drafted with authentic message threads, so many employees download the malicious file because they are made to believe it is a message from someone they know. When a user opens that file, a macro is automatically executed. That macro then tries to access critical databases, copies confidential customer information from those databases, appends that data to the Excel file, and then uploads the modified Excel file to a cloud site. 5 www.manageengine.com/log360log360-support@manageengine.com
Investigating the attack The compromise stage is when the attack surfaces, allowing it to be detected. These kinds of attacks can be detected promptly by configuring the right alert profiles for the following IoCs: Attacks can be prevented during the intrusion stage if the source of the attack is found to be suspicious or malicious. In this scenario, the email has come from a non-suspicious IP address and the message looks authentic, thus deceiving the spam filter. Therefore, detecting and containing this attack at the initial stage would be difficult. Again, the success of this attack discovery process depends on validating each of the IoCs (with respect to user context) and enriching the events by correlating them with other related events. Security administrators need to delve deep into this specific attack pattern and identify the indicators of this attack. Once they do so, they can proactively deal with any attack that follows a similar pattern. However, attacks don't occur like this all the time. Considering this scenario, every time the attacker attempts an attack, they may not use the same technique of infiltrating the network with an Excel file. With that in mind, security administrators should set up traps by defining correlation rules that cover all possible actions in an attack pattern. Unauthorized access attempts on critical databases. Unauthorized copy actions performed in a database. Attempts to upload or transfer a file to an unauthorized cloud site. Hackers circulate a seemingly innocuous email that includes a malicious Excel file attachment. Each time the user opens the Excel file, it executes a macro that steals confidential data from the network. Intrusion Navigation Macro finds the critical database and accesses it. Appends the Excel sheet with copied confidential data. Data Compromise The macro uploads the modified file to a cloud file storage site. Transmission 6 www.manageengine.com/log360log360-support@manageengine.com
For this scenario, security administrators can build a custom correlation rule that includes the following actions: Correlation actions Reasons for setting up the action Malware is installed in the system or a malicious file is executed. An attacker may not use the same vector to force their way into the network each time. Therefore, set up an action to detect malware in the system, either in the form of a malicious file or script execution. An IP spoofing attack occurs within an internal firewall. Following a malicious file injection in the network, the attacker may try to find the IP address of a critical database or server in order to gain unauthorized access. Therefore, it is crucial to set up an action to detect any spoof attacks in internal firewalls. Attempts to read or copy files from a database in bulk. When there's an attempt to perform database read or file copying actions in bulk, the event can be classified as an ongoing attack. This action can be used to stop hackers from reading or copying database files before they leak critical data. Suspicious file transfer attempts to a cloud site or external IP address. Even if hackers have already copied data from critical resources, there's still a chance to prevent the data from leaving the premises by tracking file transfer events within the network. Set up actions for file transfer attempts to a suspicious destination (malicious IP destination, destination located at unrelated geographical region, restricted cloud site, etc.) or during non-business hours to prevent data leakage. Multiple unauthorized access attempts on a critical database or server. After an attacker finds a server or database, their next step would be to gain access to these resources. Attackers with insufficient privileges will either try to bypass the authentication process or access the system with a password attack. In either case, setting up an action for a high number of login failures will help validate the events as a potential threat. 7 www.manageengine.com/log360log360-support@manageengine.com
These kinds of correlation rules cover all possible scenarios in which similar attack patterns can occur. More importantly, these rules alert security administrators in real time, helping them prevent security threats from compromising their organization's security and reputation. To further aid in threat mitigation, each correlation rule can be enriched with contextual business information specific to that event. Detecting and enriching IoCs and IoAs with Log360 Log360 comes with a built-in, real-time event response system that detects IoCs, and a correlation engine that helps enrich IoAs. This solution also has a prepackaged global IP threat database that has over 600 million malicious IP addresses. Whenever traffic from any of these IP addresses hit resources in the network, the security administrators will be notified in real-time and with the solution, they can even configure a custom script to block this IP address right away. Unauthorized access attempts to critical databases. Unusual login failures-Identify who attempted to log on, from which IP address, when, and whether it was from a remote host. Login failure details—Lists all logon failures, including why the logon failed (for example, whether it was due to a bad password or incorrect username). Unauthorized copy of critical information. Detailed DML auditing—Track who executed a select query in the database, from where, and when. Copy attempts—Determine who tried to copy data, to where, and from which machine the attempt was made. Real-time event response system: Log360 has over 700 prebuilt alert profiles that are based on meticulous study of various IoCs. Security administrators can choose to enable alert profiles that are relevant to their business context to detect attacks instantly. Whenever an IoC occurs, administrators will get real-time notifications via email or SMS, as well as a detailed report on the event, speeding up the attack mitigation process. Furthermore, to reduce the number of false positives, Log360 includes the ability to create alert profiles for specific devices based on event frequency or time frame. Log360 also provides detailed reports on each of the following: 8 www.manageengine.com/log360log360-support@manageengine.com
Log360 rule builder Detailed analysis of suspicious activities on a database These details give Log360 users additional context, which helps them validate incidents as a threat or attack. The correlation engine: Log360 offers the capability to correlate different events across the network to recreate and detect known attack patterns. In terms of the data breach scenario above, administrators can use Log360 to build a custom correlation rule and detect similar attacks faster. With Log360's drag-and-drop correlation rule builder, users can simply select predefined actions and create a rule for any attack pattern. Further, users can set up threshold values for each of the actions to precisely detect attack patterns and save time investigating false positives. 9 www.manageengine.com/log360log360-support@manageengine.com
IoA or IoC: Which one should be used? There is no single answer. Security attacks are dynamic and they change pattern very often. While some attacks are identified at their earlier stage, many sophisticated attacks happen over a long period of time and aren't detected until the damage is done. Therefore, many times businesses realize they're the victims of an attack once it's too late. There's no hard and fast rule on which indicators security operations centers should use. To effectively secure their network from attacks, audit activities occurring on the network, and detect anomalies, organizations should configure their SIEM solution to track all known IoCs as well as IoAs that synchronize with their security strategy. 10 www.manageengine.com/log360log360-support@manageengine.com
About ManageEngine ManageEngine delivers the real-time IT management tools that empower an IT team to meet an organization’s need for real-timeservices and support. Worldwide, more than 60,000 established and emerging enterprise-including more than 60 percent of the Fortune 500-rely on ManageEngine products to ensure the optimal performance of their critical IT infrastructure, including networks, servers, applications, desktops and more. ManageEngine is a division of Zoho Corp. with offices worldwide, including the United States, United Kingdom, India, Japan and China. Log360 offers the capability to correlate different events across the network to recreate and detect known attack patterns. About the author Subhalakshmi Ganapathy currently works as a Senior Product Marketing Analyst for IT Security Solutions at ManageEngine. She has in-depth knowledge in information security and compliance management. She provides strategic guidance for enterprises on Security Information and Event Management (SIEM), network security, and data privacy. Reach out to Subha at subhalakshmi.g@manageengine.com. Visit www.manageengine.com/log360 for in-depth information about the solution and all its features. Email: log360-support@manageengine.com. Dial Toll Free: +1 925 924 9500 (Toll Free) +1 408 916 9393 (Direct) Or Or

Recommended

Using Big Data for Cybersecurity
Using Big Data for CybersecurityUsing Big Data for Cybersecurity
Using Big Data for CybersecuritySplunk
 
IRP on a Budget
IRP on a BudgetIRP on a Budget
IRP on a BudgetSean D. Goodwin
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Addressing cyber security
Addressing cyber securityAddressing cyber security
Addressing cyber securityFemi Ashaye
 
UBA 5.0 Data Sheet (September 2016)
UBA 5.0 Data Sheet (September 2016)UBA 5.0 Data Sheet (September 2016)
UBA 5.0 Data Sheet (September 2016)Samantha Pierre
 
Security Event Analysis Through Correlation
Security Event Analysis Through CorrelationSecurity Event Analysis Through Correlation
Security Event Analysis Through CorrelationAnton Chuvakin
 
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentTIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentInfocyte
 
Use Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiencyUse Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiencyJonathanPritchard12
 

Recommended

Using Big Data for Cybersecurity
Using Big Data for CybersecurityUsing Big Data for Cybersecurity
Using Big Data for CybersecuritySplunk
 
IRP on a Budget
IRP on a BudgetIRP on a Budget
IRP on a BudgetSean D. Goodwin
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Addressing cyber security
Addressing cyber securityAddressing cyber security
Addressing cyber securityFemi Ashaye
 
UBA 5.0 Data Sheet (September 2016)
UBA 5.0 Data Sheet (September 2016)UBA 5.0 Data Sheet (September 2016)
UBA 5.0 Data Sheet (September 2016)Samantha Pierre
 
Security Event Analysis Through Correlation
Security Event Analysis Through CorrelationSecurity Event Analysis Through Correlation
Security Event Analysis Through CorrelationAnton Chuvakin
 
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentTIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentInfocyte
 
Use Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiencyUse Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiencyJonathanPritchard12
 
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of CompromiseInsight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise21CT Inc.
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmAlienVault
 
Healthcare info tech systems cyber threats ABI conference 2016
Healthcare info tech systems cyber threats ABI conference 2016Healthcare info tech systems cyber threats ABI conference 2016
Healthcare info tech systems cyber threats ABI conference 2016Amgad Magdy
 
Big Data Analytics for Cyber Security: A Quick Overview
Big Data Analytics for Cyber Security: A Quick OverviewBig Data Analytics for Cyber Security: A Quick Overview
Big Data Analytics for Cyber Security: A Quick OverviewFemi Ashaye
 
Panda Adaptive Defense 360 - Cyber Extortion Guide
Panda Adaptive Defense 360 - Cyber Extortion GuidePanda Adaptive Defense 360 - Cyber Extortion Guide
Panda Adaptive Defense 360 - Cyber Extortion GuidePanda Security
 
User Behavior Analytics And The Benefits To Companies
User Behavior Analytics And The Benefits To CompaniesUser Behavior Analytics And The Benefits To Companies
User Behavior Analytics And The Benefits To CompaniesSpectorsoft
 
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinHands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinSplunk
 
Splunk app for_enterprise_security
Splunk app for_enterprise_securitySplunk app for_enterprise_security
Splunk app for_enterprise_securityGreg Hanchin
 
Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterp...
Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterp...Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterp...
Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterp...EMC
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM AlienVault
 
Enterprise Security featuring UBA
Enterprise Security featuring UBAEnterprise Security featuring UBA
Enterprise Security featuring UBASplunk
 
targeted-data-breach-bulletin-sept
targeted-data-breach-bulletin-septtargeted-data-breach-bulletin-sept
targeted-data-breach-bulletin-sept*****Dominic A Ienco
 
Splunk for security
Splunk for securitySplunk for security
Splunk for securityGreg Hanchin
 
Application security testing an integrated approach
Application security testing an integrated approachApplication security testing an integrated approach
Application security testing an integrated approachIdexcel Technologies
 
Web Application Attack Report, Edition #4
Web Application Attack Report, Edition #4Web Application Attack Report, Edition #4
Web Application Attack Report, Edition #4Imperva
 
Invesitigation of Malware and Forensic Tools on Internet
Invesitigation of Malware and Forensic Tools on Internet Invesitigation of Malware and Forensic Tools on Internet
Invesitigation of Malware and Forensic Tools on Internet IJECEIAES
 
Secureview 2q 2011
Secureview 2q 2011Secureview 2q 2011
Secureview 2q 2011Felipe Prado
 
DATA BREACH REPRESENTS POTENTIAL EXISTENTIAL RISK
DATA BREACH REPRESENTS POTENTIAL EXISTENTIAL RISKDATA BREACH REPRESENTS POTENTIAL EXISTENTIAL RISK
DATA BREACH REPRESENTS POTENTIAL EXISTENTIAL RISKRobert Anderson
 
Cloud security live hack - final meetup
Cloud security live hack - final meetupCloud security live hack - final meetup
Cloud security live hack - final meetupAWS User Group North (Manchester)
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015Andreanne Clarke
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Tiffany Sandoval
 

More Related Content

What's hot

Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of CompromiseInsight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise21CT Inc.
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmAlienVault
 
Healthcare info tech systems cyber threats ABI conference 2016
Healthcare info tech systems cyber threats ABI conference 2016Healthcare info tech systems cyber threats ABI conference 2016
Healthcare info tech systems cyber threats ABI conference 2016Amgad Magdy
 
Big Data Analytics for Cyber Security: A Quick Overview
Big Data Analytics for Cyber Security: A Quick OverviewBig Data Analytics for Cyber Security: A Quick Overview
Big Data Analytics for Cyber Security: A Quick OverviewFemi Ashaye
 
Panda Adaptive Defense 360 - Cyber Extortion Guide
Panda Adaptive Defense 360 - Cyber Extortion GuidePanda Adaptive Defense 360 - Cyber Extortion Guide
Panda Adaptive Defense 360 - Cyber Extortion GuidePanda Security
 
User Behavior Analytics And The Benefits To Companies
User Behavior Analytics And The Benefits To CompaniesUser Behavior Analytics And The Benefits To Companies
User Behavior Analytics And The Benefits To CompaniesSpectorsoft
 
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinHands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinSplunk
 
Splunk app for_enterprise_security
Splunk app for_enterprise_securitySplunk app for_enterprise_security
Splunk app for_enterprise_securityGreg Hanchin
 
Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterp...
Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterp...Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterp...
Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterp...EMC
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM AlienVault
 
Enterprise Security featuring UBA
Enterprise Security featuring UBAEnterprise Security featuring UBA
Enterprise Security featuring UBASplunk
 
targeted-data-breach-bulletin-sept
targeted-data-breach-bulletin-septtargeted-data-breach-bulletin-sept
targeted-data-breach-bulletin-sept*****Dominic A Ienco
 
Splunk for security
Splunk for securitySplunk for security
Splunk for securityGreg Hanchin
 
Application security testing an integrated approach
Application security testing an integrated approachApplication security testing an integrated approach
Application security testing an integrated approachIdexcel Technologies
 
Web Application Attack Report, Edition #4
Web Application Attack Report, Edition #4Web Application Attack Report, Edition #4
Web Application Attack Report, Edition #4Imperva
 
Invesitigation of Malware and Forensic Tools on Internet
Invesitigation of Malware and Forensic Tools on Internet Invesitigation of Malware and Forensic Tools on Internet
Invesitigation of Malware and Forensic Tools on Internet IJECEIAES
 
Secureview 2q 2011
Secureview 2q 2011Secureview 2q 2011
Secureview 2q 2011Felipe Prado
 
DATA BREACH REPRESENTS POTENTIAL EXISTENTIAL RISK
DATA BREACH REPRESENTS POTENTIAL EXISTENTIAL RISKDATA BREACH REPRESENTS POTENTIAL EXISTENTIAL RISK
DATA BREACH REPRESENTS POTENTIAL EXISTENTIAL RISKRobert Anderson
 

What's hot (19)

Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of CompromiseInsight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usm
 
Healthcare info tech systems cyber threats ABI conference 2016
Healthcare info tech systems cyber threats ABI conference 2016Healthcare info tech systems cyber threats ABI conference 2016
Healthcare info tech systems cyber threats ABI conference 2016
 
Big Data Analytics for Cyber Security: A Quick Overview
Big Data Analytics for Cyber Security: A Quick OverviewBig Data Analytics for Cyber Security: A Quick Overview
Big Data Analytics for Cyber Security: A Quick Overview
 
Panda Adaptive Defense 360 - Cyber Extortion Guide
Panda Adaptive Defense 360 - Cyber Extortion GuidePanda Adaptive Defense 360 - Cyber Extortion Guide
Panda Adaptive Defense 360 - Cyber Extortion Guide
 
User Behavior Analytics And The Benefits To Companies
User Behavior Analytics And The Benefits To CompaniesUser Behavior Analytics And The Benefits To Companies
User Behavior Analytics And The Benefits To Companies
 
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinHands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
 
Splunk app for_enterprise_security
Splunk app for_enterprise_securitySplunk app for_enterprise_security
Splunk app for_enterprise_security
 
Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterp...
Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterp...Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterp...
Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterp...
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM
 
Enterprise Security featuring UBA
Enterprise Security featuring UBAEnterprise Security featuring UBA
Enterprise Security featuring UBA
 
targeted-data-breach-bulletin-sept
targeted-data-breach-bulletin-septtargeted-data-breach-bulletin-sept
targeted-data-breach-bulletin-sept
 
Splunk for security
Splunk for securitySplunk for security
Splunk for security
 
Application security testing an integrated approach
Application security testing an integrated approachApplication security testing an integrated approach
Application security testing an integrated approach
 
Web Application Attack Report, Edition #4
Web Application Attack Report, Edition #4Web Application Attack Report, Edition #4
Web Application Attack Report, Edition #4
 
Invesitigation of Malware and Forensic Tools on Internet
Invesitigation of Malware and Forensic Tools on Internet Invesitigation of Malware and Forensic Tools on Internet
Invesitigation of Malware and Forensic Tools on Internet
 
Secureview 2q 2011
Secureview 2q 2011Secureview 2q 2011
Secureview 2q 2011
 
DATA BREACH REPRESENTS POTENTIAL EXISTENTIAL RISK
DATA BREACH REPRESENTS POTENTIAL EXISTENTIAL RISKDATA BREACH REPRESENTS POTENTIAL EXISTENTIAL RISK
DATA BREACH REPRESENTS POTENTIAL EXISTENTIAL RISK
 
Cloud security live hack - final meetup
Cloud security live hack - final meetupCloud security live hack - final meetup
Cloud security live hack - final meetup
 

Similar to Using indicators to deal with security attacks

Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015Andreanne Clarke
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Tiffany Sandoval
 
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516Yasser Mohammed
 
Cisco amp for endpoints
Cisco amp for endpointsCisco amp for endpoints
Cisco amp for endpointsCisco Canada
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attackMark Silver
 
Deep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemDeep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemAffine Analytics
 
Malicious Code Intrusion Detection using Machine Learning and Indicators of C...
Malicious Code Intrusion Detection using Machine Learning and Indicators of C...Malicious Code Intrusion Detection using Machine Learning and Indicators of C...
Malicious Code Intrusion Detection using Machine Learning and Indicators of C...IJCSIS Research Publications
 
The future of cyber security
The future of cyber securityThe future of cyber security
The future of cyber securitySandip Juthani
 
Ethical hacking-guide-infosec
Ethical hacking-guide-infosecEthical hacking-guide-infosec
Ethical hacking-guide-infosecCMR WORLD TECH
 
Ethical hacking-guide-infosec
Ethical hacking-guide-infosecEthical hacking-guide-infosec
Ethical hacking-guide-infosecErfan Mallick
 
Advanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the HaystackAdvanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the HaystackEMC
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentationAlan Holyoke
 
ethical-hacking-guide
ethical-hacking-guideethical-hacking-guide
ethical-hacking-guideMatt Ford
 
Running head Cryptography1Cryptography16.docx
Running head Cryptography1Cryptography16.docxRunning head Cryptography1Cryptography16.docx
Running head Cryptography1Cryptography16.docxhealdkathaleen
 
Microsoft Avanced Threat Analytics
Microsoft Avanced Threat AnalyticsMicrosoft Avanced Threat Analytics
Microsoft Avanced Threat AnalyticsAdeo Security
 

Similar to Using indicators to deal with security attacks (20)

Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...
 
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
 
Cisco amp for endpoints
Cisco amp for endpointsCisco amp for endpoints
Cisco amp for endpoints
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attack
 
Deep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemDeep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection system
 
Malicious Code Intrusion Detection using Machine Learning and Indicators of C...
Malicious Code Intrusion Detection using Machine Learning and Indicators of C...Malicious Code Intrusion Detection using Machine Learning and Indicators of C...
Malicious Code Intrusion Detection using Machine Learning and Indicators of C...
 
Application security
Application securityApplication security
Application security
 
The future of cyber security
The future of cyber securityThe future of cyber security
The future of cyber security
 
Ethical hacking-guide-infosec
Ethical hacking-guide-infosecEthical hacking-guide-infosec
Ethical hacking-guide-infosec
 
Ethical hacking-guide-infosec
Ethical hacking-guide-infosecEthical hacking-guide-infosec
Ethical hacking-guide-infosec
 
185
185185
185
 
Advanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the HaystackAdvanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the Haystack
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentation
 
ethical-hacking-guide
ethical-hacking-guideethical-hacking-guide
ethical-hacking-guide
 
C01461422
C01461422C01461422
C01461422
 
Running head Cryptography1Cryptography16.docx
Running head Cryptography1Cryptography16.docxRunning head Cryptography1Cryptography16.docx
Running head Cryptography1Cryptography16.docx
 
Rapport X force 2014
Rapport X force 2014Rapport X force 2014
Rapport X force 2014
 
Microsoft Avanced Threat Analytics
Microsoft Avanced Threat AnalyticsMicrosoft Avanced Threat Analytics
Microsoft Avanced Threat Analytics
 

More from Zoho Corporation

The Future of integrated Identity and Access Management
The Future of integrated Identity and Access ManagementThe Future of integrated Identity and Access Management
The Future of integrated Identity and Access ManagementZoho Corporation
 
One portal for all your login needs - ADSelfService Plus Single sign-on.
One portal for all your login needs - ADSelfService Plus Single sign-on.One portal for all your login needs - ADSelfService Plus Single sign-on.
One portal for all your login needs - ADSelfService Plus Single sign-on.Zoho Corporation
 
Ensuring security and consistency of users' self-service actions in Active Di...
Ensuring security and consistency of users' self-service actions in Active Di...Ensuring security and consistency of users' self-service actions in Active Di...
Ensuring security and consistency of users' self-service actions in Active Di...Zoho Corporation
 
Empowering ServiceNow help desk for Active Directory management
Empowering ServiceNow help desk for Active Directory managementEmpowering ServiceNow help desk for Active Directory management
Empowering ServiceNow help desk for Active Directory managementZoho Corporation
 
Decrypting the security mystery with SIEM (Part 1) ​
Decrypting the security mystery with SIEM (Part 1) ​Decrypting the security mystery with SIEM (Part 1) ​
Decrypting the security mystery with SIEM (Part 1) ​Zoho Corporation
 
Decrypting the security mystery with SIEM (Part 2) ​
Decrypting the security mystery with SIEM (Part 2) ​Decrypting the security mystery with SIEM (Part 2) ​
Decrypting the security mystery with SIEM (Part 2) ​Zoho Corporation
 
Overcoming the challenges of Office 365 user management in hybrid environments​
Overcoming the challenges of Office 365 user management in hybrid environments​Overcoming the challenges of Office 365 user management in hybrid environments​
Overcoming the challenges of Office 365 user management in hybrid environments​Zoho Corporation
 
Self-service password management and single sign-on for on-premises AD and cl...
Self-service password management and single sign-on for on-premises AD and cl...Self-service password management and single sign-on for on-premises AD and cl...
Self-service password management and single sign-on for on-premises AD and cl...Zoho Corporation
 
Active Directory security and compliance: Comprehensive reporting for key sec...
Active Directory security and compliance: Comprehensive reporting for key sec...Active Directory security and compliance: Comprehensive reporting for key sec...
Active Directory security and compliance: Comprehensive reporting for key sec...Zoho Corporation
 
7 tips to simplify Active Directory Management ​
7 tips to simplify Active Directory Management ​7 tips to simplify Active Directory Management ​
7 tips to simplify Active Directory Management ​Zoho Corporation
 
Effective User Life Cycle Management in Active Directory
Effective User Life Cycle Management in Active DirectoryEffective User Life Cycle Management in Active Directory
Effective User Life Cycle Management in Active DirectoryZoho Corporation
 
Protecting Windows Passwords and Preventing Windows Computer / Password Attacks
Protecting Windows Passwords and Preventing Windows Computer / Password AttacksProtecting Windows Passwords and Preventing Windows Computer / Password Attacks
Protecting Windows Passwords and Preventing Windows Computer / Password AttacksZoho Corporation
 
Change Monitoring of Active Directory
Change Monitoring of Active DirectoryChange Monitoring of Active Directory
Change Monitoring of Active DirectoryZoho Corporation
 
Controlling Delegation of Windows Servers and Active Directory
Controlling Delegation of Windows Servers and Active DirectoryControlling Delegation of Windows Servers and Active Directory
Controlling Delegation of Windows Servers and Active DirectoryZoho Corporation
 
Microsoft, Active Directory, Security Management Tools and Where ManageEngine...
Microsoft, Active Directory, Security Management Tools and Where ManageEngine...Microsoft, Active Directory, Security Management Tools and Where ManageEngine...
Microsoft, Active Directory, Security Management Tools and Where ManageEngine...Zoho Corporation
 
ALIGN Technology timely alerts its employees of their password expiry using A...
ALIGN Technology timely alerts its employees of their password expiry using A...ALIGN Technology timely alerts its employees of their password expiry using A...
ALIGN Technology timely alerts its employees of their password expiry using A...Zoho Corporation
 
Unisource Worldwide Inc - An ADSelfservice Plus Case study
Unisource Worldwide Inc - An ADSelfservice Plus Case studyUnisource Worldwide Inc - An ADSelfservice Plus Case study
Unisource Worldwide Inc - An ADSelfservice Plus Case studyZoho Corporation
 
Case study-self-password-management-camh
Case study-self-password-management-camhCase study-self-password-management-camh
Case study-self-password-management-camhZoho Corporation
 
Case study-administrative-office-schwarzwald-baar-kreis
Case study-administrative-office-schwarzwald-baar-kreisCase study-administrative-office-schwarzwald-baar-kreis
Case study-administrative-office-schwarzwald-baar-kreisZoho Corporation
 

More from Zoho Corporation (20)

The Future of integrated Identity and Access Management
The Future of integrated Identity and Access ManagementThe Future of integrated Identity and Access Management
The Future of integrated Identity and Access Management
 
One portal for all your login needs - ADSelfService Plus Single sign-on.
One portal for all your login needs - ADSelfService Plus Single sign-on.One portal for all your login needs - ADSelfService Plus Single sign-on.
One portal for all your login needs - ADSelfService Plus Single sign-on.
 
Ensuring security and consistency of users' self-service actions in Active Di...
Ensuring security and consistency of users' self-service actions in Active Di...Ensuring security and consistency of users' self-service actions in Active Di...
Ensuring security and consistency of users' self-service actions in Active Di...
 
Empowering ServiceNow help desk for Active Directory management
Empowering ServiceNow help desk for Active Directory managementEmpowering ServiceNow help desk for Active Directory management
Empowering ServiceNow help desk for Active Directory management
 
WannaCry Ransomware
WannaCry Ransomware WannaCry Ransomware
WannaCry Ransomware
 
Decrypting the security mystery with SIEM (Part 1) ​
Decrypting the security mystery with SIEM (Part 1) ​Decrypting the security mystery with SIEM (Part 1) ​
Decrypting the security mystery with SIEM (Part 1) ​
 
Decrypting the security mystery with SIEM (Part 2) ​
Decrypting the security mystery with SIEM (Part 2) ​Decrypting the security mystery with SIEM (Part 2) ​
Decrypting the security mystery with SIEM (Part 2) ​
 
Overcoming the challenges of Office 365 user management in hybrid environments​
Overcoming the challenges of Office 365 user management in hybrid environments​Overcoming the challenges of Office 365 user management in hybrid environments​
Overcoming the challenges of Office 365 user management in hybrid environments​
 
Self-service password management and single sign-on for on-premises AD and cl...
Self-service password management and single sign-on for on-premises AD and cl...Self-service password management and single sign-on for on-premises AD and cl...
Self-service password management and single sign-on for on-premises AD and cl...
 
Active Directory security and compliance: Comprehensive reporting for key sec...
Active Directory security and compliance: Comprehensive reporting for key sec...Active Directory security and compliance: Comprehensive reporting for key sec...
Active Directory security and compliance: Comprehensive reporting for key sec...
 
7 tips to simplify Active Directory Management ​
7 tips to simplify Active Directory Management ​7 tips to simplify Active Directory Management ​
7 tips to simplify Active Directory Management ​
 
Effective User Life Cycle Management in Active Directory
Effective User Life Cycle Management in Active DirectoryEffective User Life Cycle Management in Active Directory
Effective User Life Cycle Management in Active Directory
 
Protecting Windows Passwords and Preventing Windows Computer / Password Attacks
Protecting Windows Passwords and Preventing Windows Computer / Password AttacksProtecting Windows Passwords and Preventing Windows Computer / Password Attacks
Protecting Windows Passwords and Preventing Windows Computer / Password Attacks
 
Change Monitoring of Active Directory
Change Monitoring of Active DirectoryChange Monitoring of Active Directory
Change Monitoring of Active Directory
 
Controlling Delegation of Windows Servers and Active Directory
Controlling Delegation of Windows Servers and Active DirectoryControlling Delegation of Windows Servers and Active Directory
Controlling Delegation of Windows Servers and Active Directory
 
Microsoft, Active Directory, Security Management Tools and Where ManageEngine...
Microsoft, Active Directory, Security Management Tools and Where ManageEngine...Microsoft, Active Directory, Security Management Tools and Where ManageEngine...
Microsoft, Active Directory, Security Management Tools and Where ManageEngine...
 
ALIGN Technology timely alerts its employees of their password expiry using A...
ALIGN Technology timely alerts its employees of their password expiry using A...ALIGN Technology timely alerts its employees of their password expiry using A...
ALIGN Technology timely alerts its employees of their password expiry using A...
 
Unisource Worldwide Inc - An ADSelfservice Plus Case study
Unisource Worldwide Inc - An ADSelfservice Plus Case studyUnisource Worldwide Inc - An ADSelfservice Plus Case study
Unisource Worldwide Inc - An ADSelfservice Plus Case study
 
Case study-self-password-management-camh
Case study-self-password-management-camhCase study-self-password-management-camh
Case study-self-password-management-camh
 
Case study-administrative-office-schwarzwald-baar-kreis
Case study-administrative-office-schwarzwald-baar-kreisCase study-administrative-office-schwarzwald-baar-kreis
Case study-administrative-office-schwarzwald-baar-kreis
 

Recently uploaded

Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Recently uploaded (20)

Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

Using indicators to deal with security attacks

  • 2. Introduction Attack patterns and their indicators Explaining the indicators with an attack scenario Attack scenario Investigating the attack Detecting and enriching IoCs and IoAs with Log360 IoA or IoC: Which one should be used? 1. 2. 3. 3 4 5 5 6 8 10 4. 5. Table of contents www.manageengine.com/log360log360-support@manageengine.com
  • 3. Introduction Security breaches and sophisticated attacks are on the rise, spurring continued improvements in the security information and event management (SIEM) space. To further combat these advanced attacks, security intelligence platforms and solutions have been strengthened by their vendors. Improvements in attack mitigation techniques have given rise to several new parameters that detect potential threats and attack patterns early on. Later sections of this white paper elaborate on two such parameters—indicators of compromise (IoCs) and indicators of attack (IoAs)—that help detect attacks instantly, blueprint an attack sequence, identify an attack before damage is caused, and more. This white paper helps security professionals understand the unique capabilities of these indicators, the differences between them, and the steps to configure a SIEM solution to detect IoCs and IoAs. 3 www.manageengine.com/log360log360-support@manageengine.com
  • 4. Attack patterns and their indicators. Security attacks can thus be broadly classified into two types: Enterprises are not immune to security attacks, no matter how good their security systems are. Hackers always try to exploit a network's vulnerabilities and security loopholes, usually either to gain access to critical network resources or to bring down business services. Depending on the attack type, the pattern of approach will be different. For instance, attacks that attempt to bring down business operations will concentrate on bypassing endpoint security systems and flooding the resources with irrelevant traffic. On the other hand, attacks attempting to steal data will focus on acquiring confidential information through unauthorized access to critical resources. Attacks that disrupt business operations, such as DDoS attacks targeted at bringing down an e-commerce or banking company's web service. Attacks that steal confidential information. Regardless of its type, every attack will leave a trace, which is known as an indicator. These indicators provide details that help security professionals: Conclude whether a suspicious event is a threat or an on-going attack. . Detect threats at their initial stage, which helps contain an attack before it even occurs. Identify whether an attack is ongoing or if it has happened before. Speed up the attack discovery process. Ascertain an attack's total impact once it has been resolved. 4 www.manageengine.com/log360log360-support@manageengine.com
  • 5. Most enterprises rely on IoCs to contain an ongoing attack or to conduct forensic analysis to resolve an attack or assess its impact. Essentially, IoCs tell administrators the network has been compromised. They answer the vital w's: what happened, who was involved, and when it occurred. Two major indicators come in handy for security professionals: IoCs and IoAs IoCs IoAs are suspicious security events that could turn out to be a potential threat or attack. Once they're detected, IoAs are then enriched with contextual information such as user behavior patterns, vulnerabilities, and input data from other security tools. All these details help in ascertaining whether an IoA is a potential threat. Since IoAs identify attacks at an early stage, they play a major role in preventing attacks. IoAs Explaining the indicators with an attack scenario. Fighting security attacks is a multi-step process. Gathering clues, aka indicators, from the network Is the first step in that process. Let's use an attack scenario to elaborate on the process of identifying indicators. Attack scenario Assume in this scenario that a malicious Microsoft Excel file is spread over email to employees in an organization. The email is drafted with authentic message threads, so many employees download the malicious file because they are made to believe it is a message from someone they know. When a user opens that file, a macro is automatically executed. That macro then tries to access critical databases, copies confidential customer information from those databases, appends that data to the Excel file, and then uploads the modified Excel file to a cloud site. 5 www.manageengine.com/log360log360-support@manageengine.com
  • 6. Investigating the attack The compromise stage is when the attack surfaces, allowing it to be detected. These kinds of attacks can be detected promptly by configuring the right alert profiles for the following IoCs: Attacks can be prevented during the intrusion stage if the source of the attack is found to be suspicious or malicious. In this scenario, the email has come from a non-suspicious IP address and the message looks authentic, thus deceiving the spam filter. Therefore, detecting and containing this attack at the initial stage would be difficult. Again, the success of this attack discovery process depends on validating each of the IoCs (with respect to user context) and enriching the events by correlating them with other related events. Security administrators need to delve deep into this specific attack pattern and identify the indicators of this attack. Once they do so, they can proactively deal with any attack that follows a similar pattern. However, attacks don't occur like this all the time. Considering this scenario, every time the attacker attempts an attack, they may not use the same technique of infiltrating the network with an Excel file. With that in mind, security administrators should set up traps by defining correlation rules that cover all possible actions in an attack pattern. Unauthorized access attempts on critical databases. Unauthorized copy actions performed in a database. Attempts to upload or transfer a file to an unauthorized cloud site. Hackers circulate a seemingly innocuous email that includes a malicious Excel file attachment. Each time the user opens the Excel file, it executes a macro that steals confidential data from the network. Intrusion Navigation Macro finds the critical database and accesses it. Appends the Excel sheet with copied confidential data. Data Compromise The macro uploads the modified file to a cloud file storage site. Transmission 6 www.manageengine.com/log360log360-support@manageengine.com
  • 7. For this scenario, security administrators can build a custom correlation rule that includes the following actions: Correlation actions Reasons for setting up the action Malware is installed in the system or a malicious file is executed. An attacker may not use the same vector to force their way into the network each time. Therefore, set up an action to detect malware in the system, either in the form of a malicious file or script execution. An IP spoofing attack occurs within an internal firewall. Following a malicious file injection in the network, the attacker may try to find the IP address of a critical database or server in order to gain unauthorized access. Therefore, it is crucial to set up an action to detect any spoof attacks in internal firewalls. Attempts to read or copy files from a database in bulk. When there's an attempt to perform database read or file copying actions in bulk, the event can be classified as an ongoing attack. This action can be used to stop hackers from reading or copying database files before they leak critical data. Suspicious file transfer attempts to a cloud site or external IP address. Even if hackers have already copied data from critical resources, there's still a chance to prevent the data from leaving the premises by tracking file transfer events within the network. Set up actions for file transfer attempts to a suspicious destination (malicious IP destination, destination located at unrelated geographical region, restricted cloud site, etc.) or during non-business hours to prevent data leakage. Multiple unauthorized access attempts on a critical database or server. After an attacker finds a server or database, their next step would be to gain access to these resources. Attackers with insufficient privileges will either try to bypass the authentication process or access the system with a password attack. In either case, setting up an action for a high number of login failures will help validate the events as a potential threat. 7 www.manageengine.com/log360log360-support@manageengine.com
  • 8. These kinds of correlation rules cover all possible scenarios in which similar attack patterns can occur. More importantly, these rules alert security administrators in real time, helping them prevent security threats from compromising their organization's security and reputation. To further aid in threat mitigation, each correlation rule can be enriched with contextual business information specific to that event. Detecting and enriching IoCs and IoAs with Log360 Log360 comes with a built-in, real-time event response system that detects IoCs, and a correlation engine that helps enrich IoAs. This solution also has a prepackaged global IP threat database that has over 600 million malicious IP addresses. Whenever traffic from any of these IP addresses hit resources in the network, the security administrators will be notified in real-time and with the solution, they can even configure a custom script to block this IP address right away. Unauthorized access attempts to critical databases. Unusual login failures-Identify who attempted to log on, from which IP address, when, and whether it was from a remote host. Login failure details—Lists all logon failures, including why the logon failed (for example, whether it was due to a bad password or incorrect username). Unauthorized copy of critical information. Detailed DML auditing—Track who executed a select query in the database, from where, and when. Copy attempts—Determine who tried to copy data, to where, and from which machine the attempt was made. Real-time event response system: Log360 has over 700 prebuilt alert profiles that are based on meticulous study of various IoCs. Security administrators can choose to enable alert profiles that are relevant to their business context to detect attacks instantly. Whenever an IoC occurs, administrators will get real-time notifications via email or SMS, as well as a detailed report on the event, speeding up the attack mitigation process. Furthermore, to reduce the number of false positives, Log360 includes the ability to create alert profiles for specific devices based on event frequency or time frame. Log360 also provides detailed reports on each of the following: 8 www.manageengine.com/log360log360-support@manageengine.com
  • 9. Log360 rule builder Detailed analysis of suspicious activities on a database These details give Log360 users additional context, which helps them validate incidents as a threat or attack. The correlation engine: Log360 offers the capability to correlate different events across the network to recreate and detect known attack patterns. In terms of the data breach scenario above, administrators can use Log360 to build a custom correlation rule and detect similar attacks faster. With Log360's drag-and-drop correlation rule builder, users can simply select predefined actions and create a rule for any attack pattern. Further, users can set up threshold values for each of the actions to precisely detect attack patterns and save time investigating false positives. 9 www.manageengine.com/log360log360-support@manageengine.com
  • 10. IoA or IoC: Which one should be used? There is no single answer. Security attacks are dynamic and they change pattern very often. While some attacks are identified at their earlier stage, many sophisticated attacks happen over a long period of time and aren't detected until the damage is done. Therefore, many times businesses realize they're the victims of an attack once it's too late. There's no hard and fast rule on which indicators security operations centers should use. To effectively secure their network from attacks, audit activities occurring on the network, and detect anomalies, organizations should configure their SIEM solution to track all known IoCs as well as IoAs that synchronize with their security strategy. 10 www.manageengine.com/log360log360-support@manageengine.com
  • 11. About ManageEngine ManageEngine delivers the real-time IT management tools that empower an IT team to meet an organization’s need for real-timeservices and support. Worldwide, more than 60,000 established and emerging enterprise-including more than 60 percent of the Fortune 500-rely on ManageEngine products to ensure the optimal performance of their critical IT infrastructure, including networks, servers, applications, desktops and more. ManageEngine is a division of Zoho Corp. with offices worldwide, including the United States, United Kingdom, India, Japan and China. Log360 offers the capability to correlate different events across the network to recreate and detect known attack patterns. About the author Subhalakshmi Ganapathy currently works as a Senior Product Marketing Analyst for IT Security Solutions at ManageEngine. She has in-depth knowledge in information security and compliance management. She provides strategic guidance for enterprises on Security Information and Event Management (SIEM), network security, and data privacy. Reach out to Subha at subhalakshmi.g@manageengine.com. Visit www.manageengine.com/log360 for in-depth information about the solution and all its features. Email: log360-support@manageengine.com. Dial Toll Free: +1 925 924 9500 (Toll Free) +1 408 916 9393 (Direct) Or Or