SlideShare una empresa de Scribd logo

SIEM

Descargar como PPTX, PDF
Napier University
Napier University

http://asecuritysite.com/subjects/chapter17

Educación
1 de 38
Author: Prof Bill Buchanan AdvSecurityand NetworkForensics SIEM Proxy VPN Eve Bob Alice
SIEMNetworkSecurity Big Data
HPCCloudCracking HPC 1997: Deep Blue deep Kasparov 2011: Watson beats humans at Jeopardy! 2013: Watson beats Cancer Specialists
TypesIncResponse Author: Prof Bill Buchanan Some data breaches
IncidentsIntroduction Author: Prof Bill Buchanan Incidents During IncidentBefore Incident After Incident Intruder Intrusion Detection
DatastatesInc.Response Data in-motion, data in-use and data at-rest Intrusion Detection System Intrusion Detection System Firewall Internet Switch Router Proxy server Email server Web server DMZ FTP server Firewall Domain name server Database server Bob Alice Eve Data in- motion Data at- rest Data in- use Data at- rest
IncidentsIntroduction Author: Prof Bill Buchanan Incidents During IncidentBefore Incident After Incident Timeline Data At Rest Data In-Motion Data In-Process Files, Directories, File Rights, Domain Rights, etc. File changes, File CRUD (Create, Delete, Update, Delete), Thumbprints Network packet logs, Web logs, Security logs Network scanners, Intrusion Detection Systems, Firewall logs, etc Processes, Threads, Memory, etc. Security Log, Application Log, Registry, Domain Rights. Intruder
IntroductionIncResponse Four Vs of Big Data Intrusion Detection System Firewall Router Proxy server Email server Web server FTP server Switch Alice Management report Sales analysis Targeted marketing Trending/Correlation V- Volume [Scale of data] V- Variety [Different forms of data] V- Velocity [Speed of data generation] V- Veracity [Trustworthiness] Incident Response Eve Bob
IntroductionIncResponse Data Capture Web server IT Ops Nagios. NetApp. Cisco UCS. Apache. IIS. Web Services Firewall Router Proxy server Email server FTP server Switch Eve Bob Microsoft Infrastructure Active Directory. Exchange. SharePoint. Structured Data CSV. JSON. XML. Database Sys Oracle. My SQL. Microsoft SQL. Network/Security Syslog/SNMP. Cisco NetFlow. Snort. Intrusion Detection System Alice Cloud AWS Cloudtrail. Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat
IntroductionIncResponse Investigation sources Web server Firewall Router Proxy server Email server FTP server Bob Eve Internal systems Cloud service providers Communication service providers Trusted partners
IntroductionIncResponse Basic timeline Eve Cloud service providers Communication service providers Web services Phone call Wifi connect Tweet Facebook post Email send Web page access Web log Call record Location record Corporate login Web/Domain Log Device switch-on Logs/Email Time line Device logs System Log Internet cache
IntroductionIncResponse Eve Eve Logs/alerts Bob SIEM Package (Splunk) News feeds Security alerts
Author: Prof Bill Buchanan AdvSecurityand NetworkForensics SIEM Proxy VPN Eve Bob Alice
SIEMNetworkSecurity Why? Protect users Protect assets Audit/ compliance Customer trust Shareholder trust Protect data Protect transactions Detect Fraud
Risk 4: One Password Fits All 150 million accounts compromised # Count Ciphertext Plaintext -------------------------------------------------------------- 1. 1911938 EQ7fIpT7i/Q= 123456 2. 446162 j9p+HwtWWT86aMjgZFLzYg== 123456789 3. 345834 L8qbAD3jl3jioxG6CatHBw== password 4. 211659 BB4e6X+b2xLioxG6CatHBw== adobe123 5. 201580 j9p+HwtWWT/ioxG6CatHBw== 12345678 6. 130832 5djv7ZCI2ws= qwerty 7. 124253 dQi0asWPYvQ= 1234567 8. 113884 7LqYzKVeq8I= 111111 9. 83411 PMDTbP0LZxu03SwrFUvYGA== photoshop 10. 82694 e6MPXQ5G6a8= 123123 1 million accounts – in plain text. 77 million compromised 47 million accounts 200,000 client accounts Dropbox compromised 2013 One account hack … leads to others 6.5 million accounts (June 2013)
SIEMNetworkSecurity PCI-DSS Build and Maintain and Secure Network Firewall. System passwords. Protect Cardholder Data Stored cardholder data. Encrypt data. Strong Access Control Restrict access to cardholder data. Assign unique ID for each user who accesses. Restrict physical access. Maintain Vulnerability Management Program Anti-virus. Develop/ maintain secure systems and apps. Monitor and Test Networks Track/monitor accesses. Perform security tests. Define/Maintain Security Policy Design and implement a policy which focuses on security.
SIEMNetworkSecurity SOX Auditor Independence Public Company Accounting Oversight Board Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. U.S. Senator Paul Sarbanes and U.S. Representative Michael G. Oxley. USA, Canada, France, etc. Corporate Tax Returns Analyst Conflicts of Interest Corporate Responsibility
SIEMNetworkSecurity SIEM Intrusion Detection System Firewall Internet Router Proxy server Email server Web server FTP server Switch Alice Log Aggregation: Data from many sources … networks, databases, applications, servers, etc Correlation: Links events together into a coherent instances (time- lining) Dashboard: Provides an overview of events and alerts for analysis/response Complaince: Gathering and reporting of audit/ compliance (PCI- DSS, etc). Retention: Long- term storage of data for audit/ compliance Forensic Analysis: Analysis of logs across infrastructure
SIEMNetworkSecurity Logs Local host logs - Application. - Security. - System - etc File and Directories - CRUD. - Security changes. Performance - CPU. - Memory. - Threads. TCP/UDP - Syslog. Registry Monitoring - Key changes. - Updates. Active Directory - User additions. - Host changes. - Logins Print Monitoring - Jobs. Email - Logs. Remote Access - Logs. Database Access - Logs. Environmental - Temp. - Humidity. Intrusion Detection - Alerts
SIEMNetworkSecurity Syslog Intrusion Detection System Firewall Internet Router Syslog server Email server Web server FTP server Switch Alice Buffered logging: 0 Emergencies System shutting down due to missing fan tray 1 Alerts Temperature limit exceeded 2 Critical Memory allocation failures 3 Errors Interface Up/Down messages 4 Warnings Configuration file written to server, via SNMP request 5 Notifications Line protocol Up/Down 6 Information Access-list violation logging 7 Debugging Debug messages > enable # config t (config)# logging on (config)# logging 212.72.52.7 (config)# logging buffer 440240 (config)# logging trap emergency (config)# logging monitor emergency (config)# logging console emergency (config)# logging buffer emergency (config)# clock timezone AKDT
Author: Prof Bill Buchanan SIEM Types Proxy VPN Eve Bob Alice
SIEMNetworkSecurity
SIEMNetworkSecurity SIEM Data collected with Cisco NetFlow
SIEMNetworkSecurity SIEM Data collected with Cisco NetFlow Router# configure terminal // Destination is 192.168.1.1 UDP Port: 999 Router(config)# ip flow-export destination 192.168.1.1 999 Router(config)# ip flow-export version 9 Router(config)# interface ethernet 0/0 // Monitor incoming Router(config-if)# ip flow ingress 192.168.1.1 UDP Listen: 999 FA0/0 Egress Ingress Router# show ip cache flow IP packet size distribution (1103746 total packets): 1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480 .249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608 .000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000 IP Flow Switching Cache, 278544 bytes 35 active, 4061 inactive, 980 added 2921778 ager polls, 0 flow alloc failures Active flows timeout in 30 minutes Inactive flows timeout in 15 seconds IP Sub Flow Cache, 21640 bytes 0 active, 1024 inactive, 0 added, 0 added to flow 0 alloc failures, 0 force free 1 chunk, 1 chunk added last clearing of statistics never Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec) -------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow TCP-FTP 108 0.0 1133 40 2.4 1799.6 0.9 TCP-FTPD 108 0.0 1133 40 2.4 1799.6 0.9 TCP-WWW 54 0.0 1133 40 1.2 1799.6 0.8 TCP-SMTP 54 0.0 1133 40 1.2 1799.6 0.8 TCP-BGP 27 0.0 1133 40 0.6 1799.6 0.7 TCP-NNTP 27 0.0 1133 40 0.6 1799.6 0.7 TCP-other 297 0.0 1133 40 6.8 1799.7 0.8 UDP-TFTP 27 0.0 1133 28 0.6 1799.6 1.0 UDP-other 108 0.0 1417 28 3.1 1799.6 0.9 ICMP 135 0.0 1133 427 3.1 1799.6 0.8 Total: 945 0.0 1166 91 22.4 1799.6 0.8 SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts Et0/0 192.168.67.6 Et1/0.1 172.16.10.200 01 0000 0C01 51 Et0/0 10.10.18.1 Null 172.16.11.5 11 0043 0043 51 Et0/0 10.10.18.1 Null 172.16.11.5 11 0045 0045 51 Et0/0 10.234.53.1 Et1/0.1 172.16.10.2 01 0000 0800 51 . . Et0/0 172.16.1.84 Et1/0.1 172.16.10.19 06 0087 0087 50 Et0/0 172.16.1.84 Et1/0.1 172.16.10.19 06 0050 0050 51 Et0/0 172.16.1.85 Et1/0.1 172.16.10.20 06 0089 0089 49 Et0/0 172.16.1.85 Et1/0.1 172.16.10.20 06 0050 0050 50 Et0/0 10.251.10.1 Et1/0.1 172.16.10.2 01 0000 0800 51 Et0/0 10.162.37.71 Null 172.16.11.3 06 027C 027C 49 NetFlow Collection Agent NetFlow Route
SIEMNetworkSecurity SIEM
SIEMNetworkSecurity SIEM
SIEMNetworkSecurity Splunk
SIEMNetworkSecurity Splunk
SIEMNetworkSecurity HP ArcSight
SIEMNetworkSecurity HP ArcSight
Author: Prof Bill Buchanan SIEM Splunk Proxy VPN Eve Bob Alice
SIEMNetworkSecurity Web logs 209.160.24.63 - - [11/Mar/2014:18:22:16] "GET /product.screen?productId=WC-SH-A02&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 3878 "http://www.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 349 209.160.24.63 - - [11/Mar/2014:18:22:16] "GET /oldlink?itemId=EST-6&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 1748 "http://www.buttercupgames.com/oldlink?itemId=EST-6" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/ 536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 731 209.160.24.63 - - [11/Mar/2014:18:22:17] "GET /product.screen?productId=BS-AG-G09&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 2550 "http://www.buttercupgames.com/product.screen?productId=BS-AG-G09" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 422 209.160.24.63 - - [11/Mar/2014:18:22:19] "POST / category.screen?categoryId=STRATEGY&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 407 "http:// www.buttercupgames.com/cart.do?action=remove&itemId=EST-7&productId=PZ-SG-G05" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 211 209.160.24.63 - - [11/Mar/2014:18:22:20] "GET /product.screen?productId=FS-SG-G03&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 2047 "http://www.buttercupgames.com/category.screen?categoryId=STRATEGY" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 487 #Software: Microsoft Internet Information Services 7.5 #Date: 2014-03-25 00:00:09 #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32- status time-taken 2014-03-25 00:00:09 10.185.7.7 GET /ip/whois site=asos.com 80 - 162.244.11.111 Opera/ 9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 155 2014-03-25 00:00:12 10.185.7.7 GET /security/information/bmp - 80 - 66.249.68.217 Mozilla/5.0+(compatible;+Googlebot/ 2.1;++http://www.google.com/bot.html) 500 19 183 77 2014-03-25 00:00:12 10.185.7.7 GET /ip/whois site=blogspot.nl 80 - 78.46.169.130 Opera/ 9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 233 2014-03-25 00:00:15 10.185.7.7 GET /Content/footer.png - 80 - 81.133.198.251 Mozilla/ 5.0+(Windows+NT+6.3;+WOW64;+rv:27.0)+Gecko/20100101+Firefox/27.0 404 0 64 5693 2014-03-25 00:00:17 10.185.7.7 GET /ip/whois site=proxyring.com 80 - 110.85.106.101 Opera/ 9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 14149 2014-03-25 00:00:21 10.185.7.7 GET /ip/whois site=surewest.net 80 - 216.169.139.190 Opera/ 9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 171 2014-03-25 00:00:23 10.185.7.7 GET / - 80 - 203.206.171.20 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:27.0)+Gecko/ 20100101+Firefox/27.0 200 0 0 530 Access.log IIS Log
SIEMNetworkSecurity Security log Thu Mar 11 2014 00:15:01 www1 sshd[4747]: Failed password for invalid user jabber from 118.142.68.222 port 3187 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[4111]: Failed password for invalid user db2 from 118.142.68.222 port 4150 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[5359]: Failed password for invalid user pmuser from 118.142.68.222 port 3356 ssh2 Thu Mar 11 2014 00:15:01 www1 su: pam_unix(su:session): session opened for user root by djohnson(uid=0) Thu Mar 11 2014 00:15:01 www1 sshd[2660]: Failed password for invalid user irc from 118.142.68.222 port 4343 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[1705]: Failed password for happy from 118.142.68.222 port 4174 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[1292]: Failed password for nobody from 118.142.68.222 port 1654 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[1560]: Failed password for invalid user local from 118.142.68.222 port 4616 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[59414]: Accepted password for myuan from 10.1.10.172 port 1569 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[1876]: Failed password for invalid user db2 from 118.142.68.222 port 1151 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[3310]: Failed password for apache from 118.142.68.222 port 4343 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[2149]: Failed password for nobody from 118.142.68.222 port 1527 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[2766]: Failed password for invalid user guest from 118.142.68.222 port 2581 ssh2 Secure.log
SIEMNetworkSecurity Security log
Author: Prof Bill Buchanan AdvSecurityand NetworkForensics SIEM Proxy VPN Eve Bob Alice

Recomendados

McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution hashnees
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsOWASP Delhi
 
2012-12-12 Seminar McAfee ESM
2012-12-12 Seminar McAfee ESM2012-12-12 Seminar McAfee ESM
2012-12-12 Seminar McAfee ESMPinewood
 
Top Cybersecurity Threats and How SIEM Protects Against Them
Top Cybersecurity Threats and How SIEM Protects Against ThemTop Cybersecurity Threats and How SIEM Protects Against Them
Top Cybersecurity Threats and How SIEM Protects Against ThemSBWebinars
 
7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enough7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enoughCloudAccess
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)hardik soni
 
SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)Osama Ellahi
 
Security Information Event Management - nullhyd
Security Information Event Management - nullhydSecurity Information Event Management - nullhyd
Security Information Event Management - nullhydn|u - The Open Security Community
 

Recomendados

McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution hashnees
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsOWASP Delhi
 
2012-12-12 Seminar McAfee ESM
2012-12-12 Seminar McAfee ESM2012-12-12 Seminar McAfee ESM
2012-12-12 Seminar McAfee ESMPinewood
 
Top Cybersecurity Threats and How SIEM Protects Against Them
Top Cybersecurity Threats and How SIEM Protects Against ThemTop Cybersecurity Threats and How SIEM Protects Against Them
Top Cybersecurity Threats and How SIEM Protects Against ThemSBWebinars
 
7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enough7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enoughCloudAccess
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)hardik soni
 
SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)Osama Ellahi
 
Security Information Event Management - nullhyd
Security Information Event Management - nullhydSecurity Information Event Management - nullhyd
Security Information Event Management - nullhydn|u - The Open Security Community
 
SIEM
SIEMSIEM
SIEMvikasraina
 
Information Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesInformation Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesReliaQuest
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM AlienVault
 
Modern vs. Traditional SIEM
Modern vs. Traditional SIEM Modern vs. Traditional SIEM
Modern vs. Traditional SIEM Alert Logic
 
SIEM 101: Get a Clue About IT Security Analysis
SIEM 101: Get a Clue About IT Security Analysis SIEM 101: Get a Clue About IT Security Analysis
SIEM 101: Get a Clue About IT Security Analysis AlienVault
 
Siem Overview 2009
Siem Overview 2009Siem Overview 2009
Siem Overview 2009johndyson1
 
SIEM evolution
SIEM evolutionSIEM evolution
SIEM evolutionStijn Vande Casteele
 
SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation finalRizwan S
 
SIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security ArsenalSIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security ArsenalManageEngine EventLog Analyzer
 
From SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardFrom SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardEMC
 
SORT OUT YOUR SIEM
SORT OUT YOUR SIEMSORT OUT YOUR SIEM
SORT OUT YOUR SIEMSecureData Europe
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk M sharifi
 
Identity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access ManagementIdentity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access ManagementProlifics
 
Security Information and Event Managemen
Security Information and Event ManagemenSecurity Information and Event Managemen
Security Information and Event ManagemenS Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM ArchitectureNishanth Kumar Pathi
 
Implementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and LessonsImplementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and LessonsAnton Chuvakin
 
Redefining siem to real time security intelligence
Redefining siem to real time security intelligenceRedefining siem to real time security intelligence
Redefining siem to real time security intelligenceBrendaly Marcano
 
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)rver21
 
What is SIEM
What is SIEMWhat is SIEM
What is SIEMPatten John
 
SIEM
SIEM SIEM
SIEM e.ferreira
 
Apresenta Siem
Apresenta SiemApresenta Siem
Apresenta Siemguesta606d9
 

Más contenido relacionado

La actualidad más candente

Information Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesInformation Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesReliaQuest
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM AlienVault
 
Modern vs. Traditional SIEM
Modern vs. Traditional SIEM Modern vs. Traditional SIEM
Modern vs. Traditional SIEM Alert Logic
 
SIEM 101: Get a Clue About IT Security Analysis
SIEM 101: Get a Clue About IT Security Analysis SIEM 101: Get a Clue About IT Security Analysis
SIEM 101: Get a Clue About IT Security Analysis AlienVault
 
Siem Overview 2009
Siem Overview 2009Siem Overview 2009
Siem Overview 2009johndyson1
 
SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation finalRizwan S
 
From SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardFrom SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardEMC
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk M sharifi
 
Identity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access ManagementIdentity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access ManagementProlifics
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
Implementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and LessonsImplementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and LessonsAnton Chuvakin
 
Redefining siem to real time security intelligence
Redefining siem to real time security intelligenceRedefining siem to real time security intelligence
Redefining siem to real time security intelligenceBrendaly Marcano
 
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)rver21
 

La actualidad más candente (20)

SIEM
SIEMSIEM
SIEM
 
Information Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesInformation Security: Advanced SIEM Techniques
Information Security: Advanced SIEM Techniques
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
 
Modern vs. Traditional SIEM
Modern vs. Traditional SIEM Modern vs. Traditional SIEM
Modern vs. Traditional SIEM
 
SIEM 101: Get a Clue About IT Security Analysis
SIEM 101: Get a Clue About IT Security Analysis SIEM 101: Get a Clue About IT Security Analysis
SIEM 101: Get a Clue About IT Security Analysis
 
Siem Overview 2009
Siem Overview 2009Siem Overview 2009
Siem Overview 2009
 
SIEM evolution
SIEM evolutionSIEM evolution
SIEM evolution
 
SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation final
 
SIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security ArsenalSIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security Arsenal
 
From SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardFrom SIEM to SA: The Path Forward
From SIEM to SA: The Path Forward
 
SORT OUT YOUR SIEM
SORT OUT YOUR SIEMSORT OUT YOUR SIEM
SORT OUT YOUR SIEM
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
 
Identity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access ManagementIdentity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access Management
 
Security Information and Event Managemen
Security Information and Event ManagemenSecurity Information and Event Managemen
Security Information and Event Managemen
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
 
Implementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and LessonsImplementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and Lessons
 
Redefining siem to real time security intelligence
Redefining siem to real time security intelligenceRedefining siem to real time security intelligence
Redefining siem to real time security intelligence
 
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
 
What is SIEM
What is SIEMWhat is SIEM
What is SIEM
 

Destacado

MISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM ImplementationMISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM ImplementationMichael Nickle
 
Paragem Cárdio-respiratória no adulto
Paragem Cárdio-respiratória no adultoParagem Cárdio-respiratória no adulto
Paragem Cárdio-respiratória no adultoJosé Pinheiro Neta
 
PPT-Splunk-LegacySIEM-101_FINAL
PPT-Splunk-LegacySIEM-101_FINALPPT-Splunk-LegacySIEM-101_FINAL
PPT-Splunk-LegacySIEM-101_FINALRisi Avila
 
1238687 cuidados de_manutencao_da_sonda_vesical
1238687 cuidados de_manutencao_da_sonda_vesical1238687 cuidados de_manutencao_da_sonda_vesical
1238687 cuidados de_manutencao_da_sonda_vesicalPelo Siro
 
Gelcampo sessão - sbv
Gelcampo sessão - sbvGelcampo sessão - sbv
Gelcampo sessão - sbvsininhu
 
Guitarrist finger nails - As unhas do Guitarrista
Guitarrist finger nails - As unhas do GuitarristaGuitarrist finger nails - As unhas do Guitarrista
Guitarrist finger nails - As unhas do GuitarristaGil Ferreira
 
125838312 sbv
125838312 sbv125838312 sbv
125838312 sbvPelo Siro
 
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...Anton Chuvakin
 

Destacado (14)

SIEM
SIEM SIEM
SIEM
 
Apresenta Siem
Apresenta SiemApresenta Siem
Apresenta Siem
 
Siem
SiemSiem
Siem
 
HP ArcSight
HP ArcSight HP ArcSight
HP ArcSight
 
MISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM ImplementationMISTI Infosec 2010- SIEM Implementation
MISTI Infosec 2010- SIEM Implementation
 
Paragem Cárdio-respiratória no adulto
Paragem Cárdio-respiratória no adultoParagem Cárdio-respiratória no adulto
Paragem Cárdio-respiratória no adulto
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 
PPT-Splunk-LegacySIEM-101_FINAL
PPT-Splunk-LegacySIEM-101_FINALPPT-Splunk-LegacySIEM-101_FINAL
PPT-Splunk-LegacySIEM-101_FINAL
 
1238687 cuidados de_manutencao_da_sonda_vesical
1238687 cuidados de_manutencao_da_sonda_vesical1238687 cuidados de_manutencao_da_sonda_vesical
1238687 cuidados de_manutencao_da_sonda_vesical
 
Gelcampo sessão - sbv
Gelcampo sessão - sbvGelcampo sessão - sbv
Gelcampo sessão - sbv
 
Guitarrist finger nails - As unhas do Guitarrista
Guitarrist finger nails - As unhas do GuitarristaGuitarrist finger nails - As unhas do Guitarrista
Guitarrist finger nails - As unhas do Guitarrista
 
125838312 sbv
125838312 sbv125838312 sbv
125838312 sbv
 
Suporte básico de vida
Suporte básico de vidaSuporte básico de vida
Suporte básico de vida
 
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...
 

Similar a SIEM

Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...Cisco Canada
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?EnergySec
 
IoT Security: How Your TV and Thermostat are Attacking the Internet
IoT Security: How Your TV and Thermostat are Attacking the InternetIoT Security: How Your TV and Thermostat are Attacking the Internet
IoT Security: How Your TV and Thermostat are Attacking the InternetNathan Wallace, PhD, PE
 
Good-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speedGood-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speedJames '​-- Mckinlay
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSChris Sistrunk
 
Splunk Stream - Einblicke in Netzwerk Traffic
Splunk Stream - Einblicke in Netzwerk TrafficSplunk Stream - Einblicke in Netzwerk Traffic
Splunk Stream - Einblicke in Netzwerk TrafficSplunk
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsCisco Canada
 
TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics Robb Boyd
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksMartin Holovský
 
The 300 Leonidas Solution
The 300 Leonidas SolutionThe 300 Leonidas Solution
The 300 Leonidas Solutionmatthew.maisel
 
A modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systemsA modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systemsAlane Moran
 
Detect Threats Faster
Detect Threats FasterDetect Threats Faster
Detect Threats FasterForce 3
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisGTKlondike
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeLancope, Inc.
 
IoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfuaIoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfuaAndy Shutka
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream csching
 
Security Delivery Platform: Best practices
Security Delivery Platform: Best practicesSecurity Delivery Platform: Best practices
Security Delivery Platform: Best practicesMihajlo Prerad
 
Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics Felipe Prado
 
Leverage the Network
Leverage the NetworkLeverage the Network
Leverage the NetworkCisco Canada
 

Similar a SIEM (20)

Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?
 
IoT Security: How Your TV and Thermostat are Attacking the Internet
IoT Security: How Your TV and Thermostat are Attacking the InternetIoT Security: How Your TV and Thermostat are Attacking the Internet
IoT Security: How Your TV and Thermostat are Attacking the Internet
 
Good-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speedGood-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speed
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
 
Splunk Stream - Einblicke in Netzwerk Traffic
Splunk Stream - Einblicke in Netzwerk TrafficSplunk Stream - Einblicke in Netzwerk Traffic
Splunk Stream - Einblicke in Netzwerk Traffic
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage Threats
 
TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
 
The 300 Leonidas Solution
The 300 Leonidas SolutionThe 300 Leonidas Solution
The 300 Leonidas Solution
 
A modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systemsA modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systems
 
Detect Threats Faster
Detect Threats FasterDetect Threats Faster
Detect Threats Faster
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
 
IoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfuaIoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfua
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream
 
Security Delivery Platform: Best practices
Security Delivery Platform: Best practicesSecurity Delivery Platform: Best practices
Security Delivery Platform: Best practices
 
Core Values Decision Sept
Core Values Decision SeptCore Values Decision Sept
Core Values Decision Sept
 
Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics
 
Leverage the Network
Leverage the NetworkLeverage the Network
Leverage the Network
 

Más de Napier University

10. Data to Information: NumPy and Pandas
10. Data to Information: NumPy and Pandas10. Data to Information: NumPy and Pandas
10. Data to Information: NumPy and PandasNapier University
 
The Road Ahead for Ripple, Marjan Delatinne
The Road Ahead for Ripple, Marjan DelatinneThe Road Ahead for Ripple, Marjan Delatinne
The Road Ahead for Ripple, Marjan DelatinneNapier University
 
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-WattNapier University
 
RMIT Blockchain Innovation Hub, Chris Berg
RMIT Blockchain Innovation Hub, Chris BergRMIT Blockchain Innovation Hub, Chris Berg
RMIT Blockchain Innovation Hub, Chris BergNapier University
 
Browser-based Crypto M, C. F Mondschein
Browser-based Crypto M, C. F MondscheinBrowser-based Crypto M, C. F Mondschein
Browser-based Crypto M, C. F MondscheinNapier University
 
Should we transform or adapt to blockchain - a public sector perspective?, Al...
Should we transform or adapt to blockchain - a public sector perspective?, Al...Should we transform or adapt to blockchain - a public sector perspective?, Al...
Should we transform or adapt to blockchain - a public sector perspective?, Al...Napier University
 
IoT device attestation system using blockchain, Alistair Duke
IoT device attestation system using blockchain, Alistair DukeIoT device attestation system using blockchain, Alistair Duke
IoT device attestation system using blockchain, Alistair DukeNapier University
 
Robust Programming of Smart Contracts in Solidity+, RK Shyamasundar
Robust Programming of Smart Contracts in Solidity+, RK ShyamasundarRobust Programming of Smart Contracts in Solidity+, RK Shyamasundar
Robust Programming of Smart Contracts in Solidity+, RK ShyamasundarNapier University
 
Using Blockchain for Evidence Purpose, Rafael Prabucki
Using Blockchain for Evidence Purpose, Rafael PrabuckiUsing Blockchain for Evidence Purpose, Rafael Prabucki
Using Blockchain for Evidence Purpose, Rafael PrabuckiNapier University
 
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...Napier University
 
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata FereirraEmerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata FereirraNapier University
 

Más de Napier University (20)

Intrusion Detection Systems
Intrusion Detection SystemsIntrusion Detection Systems
Intrusion Detection Systems
 
Networks
NetworksNetworks
Networks
 
Memory, Big Data and SIEM
Memory, Big Data and SIEMMemory, Big Data and SIEM
Memory, Big Data and SIEM
 
What is Cyber Data?
What is Cyber Data?What is Cyber Data?
What is Cyber Data?
 
Open Source Intelligence
Open Source IntelligenceOpen Source Intelligence
Open Source Intelligence
 
10. Data to Information: NumPy and Pandas
10. Data to Information: NumPy and Pandas10. Data to Information: NumPy and Pandas
10. Data to Information: NumPy and Pandas
 
2. Defence Systems
2. Defence Systems2. Defence Systems
2. Defence Systems
 
1. Cyber and Intelligence
1. Cyber and Intelligence1. Cyber and Intelligence
1. Cyber and Intelligence
 
The Road Ahead for Ripple, Marjan Delatinne
The Road Ahead for Ripple, Marjan DelatinneThe Road Ahead for Ripple, Marjan Delatinne
The Road Ahead for Ripple, Marjan Delatinne
 
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
 
ARTiFACTS, Emma Boswood
ARTiFACTS, Emma BoswoodARTiFACTS, Emma Boswood
ARTiFACTS, Emma Boswood
 
RMIT Blockchain Innovation Hub, Chris Berg
RMIT Blockchain Innovation Hub, Chris BergRMIT Blockchain Innovation Hub, Chris Berg
RMIT Blockchain Innovation Hub, Chris Berg
 
Keynote, Naseem Naqvi
Keynote, Naseem Naqvi Keynote, Naseem Naqvi
Keynote, Naseem Naqvi
 
Browser-based Crypto M, C. F Mondschein
Browser-based Crypto M, C. F MondscheinBrowser-based Crypto M, C. F Mondschein
Browser-based Crypto M, C. F Mondschein
 
Should we transform or adapt to blockchain - a public sector perspective?, Al...
Should we transform or adapt to blockchain - a public sector perspective?, Al...Should we transform or adapt to blockchain - a public sector perspective?, Al...
Should we transform or adapt to blockchain - a public sector perspective?, Al...
 
IoT device attestation system using blockchain, Alistair Duke
IoT device attestation system using blockchain, Alistair DukeIoT device attestation system using blockchain, Alistair Duke
IoT device attestation system using blockchain, Alistair Duke
 
Robust Programming of Smart Contracts in Solidity+, RK Shyamasundar
Robust Programming of Smart Contracts in Solidity+, RK ShyamasundarRobust Programming of Smart Contracts in Solidity+, RK Shyamasundar
Robust Programming of Smart Contracts in Solidity+, RK Shyamasundar
 
Using Blockchain for Evidence Purpose, Rafael Prabucki
Using Blockchain for Evidence Purpose, Rafael PrabuckiUsing Blockchain for Evidence Purpose, Rafael Prabucki
Using Blockchain for Evidence Purpose, Rafael Prabucki
 
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
 
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata FereirraEmerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
 

Último

Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxAshokKarra1
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceSamikshaHamane
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
Q4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxQ4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxnelietumpap1
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxSherlyMaeNeri
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Celine George
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYKayeClaireEstoconing
 

Último (20)

Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptx
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
Q4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxQ4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptx
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
 
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptxYOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
 

SIEM

  • 1. Author: Prof Bill Buchanan AdvSecurityand NetworkForensics SIEM Proxy VPN Eve Bob Alice
  • 2.
  • 4. HPCCloudCracking HPC 1997: Deep Blue deep Kasparov 2011: Watson beats humans at Jeopardy! 2013: Watson beats Cancer Specialists
  • 5. TypesIncResponse Author: Prof Bill Buchanan Some data breaches
  • 6.
  • 7. IncidentsIntroduction Author: Prof Bill Buchanan Incidents During IncidentBefore Incident After Incident Intruder Intrusion Detection
  • 8. DatastatesInc.Response Data in-motion, data in-use and data at-rest Intrusion Detection System Intrusion Detection System Firewall Internet Switch Router Proxy server Email server Web server DMZ FTP server Firewall Domain name server Database server Bob Alice Eve Data in- motion Data at- rest Data in- use Data at- rest
  • 9. IncidentsIntroduction Author: Prof Bill Buchanan Incidents During IncidentBefore Incident After Incident Timeline Data At Rest Data In-Motion Data In-Process Files, Directories, File Rights, Domain Rights, etc. File changes, File CRUD (Create, Delete, Update, Delete), Thumbprints Network packet logs, Web logs, Security logs Network scanners, Intrusion Detection Systems, Firewall logs, etc Processes, Threads, Memory, etc. Security Log, Application Log, Registry, Domain Rights. Intruder
  • 10. IntroductionIncResponse Four Vs of Big Data Intrusion Detection System Firewall Router Proxy server Email server Web server FTP server Switch Alice Management report Sales analysis Targeted marketing Trending/Correlation V- Volume [Scale of data] V- Variety [Different forms of data] V- Velocity [Speed of data generation] V- Veracity [Trustworthiness] Incident Response Eve Bob
  • 11. IntroductionIncResponse Data Capture Web server IT Ops Nagios. NetApp. Cisco UCS. Apache. IIS. Web Services Firewall Router Proxy server Email server FTP server Switch Eve Bob Microsoft Infrastructure Active Directory. Exchange. SharePoint. Structured Data CSV. JSON. XML. Database Sys Oracle. My SQL. Microsoft SQL. Network/Security Syslog/SNMP. Cisco NetFlow. Snort. Intrusion Detection System Alice Cloud AWS Cloudtrail. Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat
  • 13. IntroductionIncResponse Basic timeline Eve Cloud service providers Communication service providers Web services Phone call Wifi connect Tweet Facebook post Email send Web page access Web log Call record Location record Corporate login Web/Domain Log Device switch-on Logs/Email Time line Device logs System Log Internet cache
  • 15. Author: Prof Bill Buchanan AdvSecurityand NetworkForensics SIEM Proxy VPN Eve Bob Alice
  • 16. SIEMNetworkSecurity Why? Protect users Protect assets Audit/ compliance Customer trust Shareholder trust Protect data Protect transactions Detect Fraud
  • 17.
  • 18. Risk 4: One Password Fits All 150 million accounts compromised # Count Ciphertext Plaintext -------------------------------------------------------------- 1. 1911938 EQ7fIpT7i/Q= 123456 2. 446162 j9p+HwtWWT86aMjgZFLzYg== 123456789 3. 345834 L8qbAD3jl3jioxG6CatHBw== password 4. 211659 BB4e6X+b2xLioxG6CatHBw== adobe123 5. 201580 j9p+HwtWWT/ioxG6CatHBw== 12345678 6. 130832 5djv7ZCI2ws= qwerty 7. 124253 dQi0asWPYvQ= 1234567 8. 113884 7LqYzKVeq8I= 111111 9. 83411 PMDTbP0LZxu03SwrFUvYGA== photoshop 10. 82694 e6MPXQ5G6a8= 123123 1 million accounts – in plain text. 77 million compromised 47 million accounts 200,000 client accounts Dropbox compromised 2013 One account hack … leads to others 6.5 million accounts (June 2013)
  • 19. SIEMNetworkSecurity PCI-DSS Build and Maintain and Secure Network Firewall. System passwords. Protect Cardholder Data Stored cardholder data. Encrypt data. Strong Access Control Restrict access to cardholder data. Assign unique ID for each user who accesses. Restrict physical access. Maintain Vulnerability Management Program Anti-virus. Develop/ maintain secure systems and apps. Monitor and Test Networks Track/monitor accesses. Perform security tests. Define/Maintain Security Policy Design and implement a policy which focuses on security.
  • 20. SIEMNetworkSecurity SOX Auditor Independence Public Company Accounting Oversight Board Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. U.S. Senator Paul Sarbanes and U.S. Representative Michael G. Oxley. USA, Canada, France, etc. Corporate Tax Returns Analyst Conflicts of Interest Corporate Responsibility
  • 21. SIEMNetworkSecurity SIEM Intrusion Detection System Firewall Internet Router Proxy server Email server Web server FTP server Switch Alice Log Aggregation: Data from many sources … networks, databases, applications, servers, etc Correlation: Links events together into a coherent instances (time- lining) Dashboard: Provides an overview of events and alerts for analysis/response Complaince: Gathering and reporting of audit/ compliance (PCI- DSS, etc). Retention: Long- term storage of data for audit/ compliance Forensic Analysis: Analysis of logs across infrastructure
  • 22. SIEMNetworkSecurity Logs Local host logs - Application. - Security. - System - etc File and Directories - CRUD. - Security changes. Performance - CPU. - Memory. - Threads. TCP/UDP - Syslog. Registry Monitoring - Key changes. - Updates. Active Directory - User additions. - Host changes. - Logins Print Monitoring - Jobs. Email - Logs. Remote Access - Logs. Database Access - Logs. Environmental - Temp. - Humidity. Intrusion Detection - Alerts
  • 23. SIEMNetworkSecurity Syslog Intrusion Detection System Firewall Internet Router Syslog server Email server Web server FTP server Switch Alice Buffered logging: 0 Emergencies System shutting down due to missing fan tray 1 Alerts Temperature limit exceeded 2 Critical Memory allocation failures 3 Errors Interface Up/Down messages 4 Warnings Configuration file written to server, via SNMP request 5 Notifications Line protocol Up/Down 6 Information Access-list violation logging 7 Debugging Debug messages > enable # config t (config)# logging on (config)# logging 212.72.52.7 (config)# logging buffer 440240 (config)# logging trap emergency (config)# logging monitor emergency (config)# logging console emergency (config)# logging buffer emergency (config)# clock timezone AKDT
  • 24. Author: Prof Bill Buchanan SIEM Types Proxy VPN Eve Bob Alice
  • 27. SIEMNetworkSecurity SIEM Data collected with Cisco NetFlow Router# configure terminal // Destination is 192.168.1.1 UDP Port: 999 Router(config)# ip flow-export destination 192.168.1.1 999 Router(config)# ip flow-export version 9 Router(config)# interface ethernet 0/0 // Monitor incoming Router(config-if)# ip flow ingress 192.168.1.1 UDP Listen: 999 FA0/0 Egress Ingress Router# show ip cache flow IP packet size distribution (1103746 total packets): 1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480 .249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608 .000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000 IP Flow Switching Cache, 278544 bytes 35 active, 4061 inactive, 980 added 2921778 ager polls, 0 flow alloc failures Active flows timeout in 30 minutes Inactive flows timeout in 15 seconds IP Sub Flow Cache, 21640 bytes 0 active, 1024 inactive, 0 added, 0 added to flow 0 alloc failures, 0 force free 1 chunk, 1 chunk added last clearing of statistics never Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec) -------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow TCP-FTP 108 0.0 1133 40 2.4 1799.6 0.9 TCP-FTPD 108 0.0 1133 40 2.4 1799.6 0.9 TCP-WWW 54 0.0 1133 40 1.2 1799.6 0.8 TCP-SMTP 54 0.0 1133 40 1.2 1799.6 0.8 TCP-BGP 27 0.0 1133 40 0.6 1799.6 0.7 TCP-NNTP 27 0.0 1133 40 0.6 1799.6 0.7 TCP-other 297 0.0 1133 40 6.8 1799.7 0.8 UDP-TFTP 27 0.0 1133 28 0.6 1799.6 1.0 UDP-other 108 0.0 1417 28 3.1 1799.6 0.9 ICMP 135 0.0 1133 427 3.1 1799.6 0.8 Total: 945 0.0 1166 91 22.4 1799.6 0.8 SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts Et0/0 192.168.67.6 Et1/0.1 172.16.10.200 01 0000 0C01 51 Et0/0 10.10.18.1 Null 172.16.11.5 11 0043 0043 51 Et0/0 10.10.18.1 Null 172.16.11.5 11 0045 0045 51 Et0/0 10.234.53.1 Et1/0.1 172.16.10.2 01 0000 0800 51 . . Et0/0 172.16.1.84 Et1/0.1 172.16.10.19 06 0087 0087 50 Et0/0 172.16.1.84 Et1/0.1 172.16.10.19 06 0050 0050 51 Et0/0 172.16.1.85 Et1/0.1 172.16.10.20 06 0089 0089 49 Et0/0 172.16.1.85 Et1/0.1 172.16.10.20 06 0050 0050 50 Et0/0 10.251.10.1 Et1/0.1 172.16.10.2 01 0000 0800 51 Et0/0 10.162.37.71 Null 172.16.11.3 06 027C 027C 49 NetFlow Collection Agent NetFlow Route
  • 34. Author: Prof Bill Buchanan SIEM Splunk Proxy VPN Eve Bob Alice
  • 35. SIEMNetworkSecurity Web logs 209.160.24.63 - - [11/Mar/2014:18:22:16] "GET /product.screen?productId=WC-SH-A02&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 3878 "http://www.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 349 209.160.24.63 - - [11/Mar/2014:18:22:16] "GET /oldlink?itemId=EST-6&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 1748 "http://www.buttercupgames.com/oldlink?itemId=EST-6" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/ 536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 731 209.160.24.63 - - [11/Mar/2014:18:22:17] "GET /product.screen?productId=BS-AG-G09&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 2550 "http://www.buttercupgames.com/product.screen?productId=BS-AG-G09" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 422 209.160.24.63 - - [11/Mar/2014:18:22:19] "POST / category.screen?categoryId=STRATEGY&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 407 "http:// www.buttercupgames.com/cart.do?action=remove&itemId=EST-7&productId=PZ-SG-G05" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 211 209.160.24.63 - - [11/Mar/2014:18:22:20] "GET /product.screen?productId=FS-SG-G03&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 2047 "http://www.buttercupgames.com/category.screen?categoryId=STRATEGY" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 487 #Software: Microsoft Internet Information Services 7.5 #Date: 2014-03-25 00:00:09 #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32- status time-taken 2014-03-25 00:00:09 10.185.7.7 GET /ip/whois site=asos.com 80 - 162.244.11.111 Opera/ 9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 155 2014-03-25 00:00:12 10.185.7.7 GET /security/information/bmp - 80 - 66.249.68.217 Mozilla/5.0+(compatible;+Googlebot/ 2.1;++http://www.google.com/bot.html) 500 19 183 77 2014-03-25 00:00:12 10.185.7.7 GET /ip/whois site=blogspot.nl 80 - 78.46.169.130 Opera/ 9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 233 2014-03-25 00:00:15 10.185.7.7 GET /Content/footer.png - 80 - 81.133.198.251 Mozilla/ 5.0+(Windows+NT+6.3;+WOW64;+rv:27.0)+Gecko/20100101+Firefox/27.0 404 0 64 5693 2014-03-25 00:00:17 10.185.7.7 GET /ip/whois site=proxyring.com 80 - 110.85.106.101 Opera/ 9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 14149 2014-03-25 00:00:21 10.185.7.7 GET /ip/whois site=surewest.net 80 - 216.169.139.190 Opera/ 9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 171 2014-03-25 00:00:23 10.185.7.7 GET / - 80 - 203.206.171.20 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:27.0)+Gecko/ 20100101+Firefox/27.0 200 0 0 530 Access.log IIS Log
  • 36. SIEMNetworkSecurity Security log Thu Mar 11 2014 00:15:01 www1 sshd[4747]: Failed password for invalid user jabber from 118.142.68.222 port 3187 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[4111]: Failed password for invalid user db2 from 118.142.68.222 port 4150 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[5359]: Failed password for invalid user pmuser from 118.142.68.222 port 3356 ssh2 Thu Mar 11 2014 00:15:01 www1 su: pam_unix(su:session): session opened for user root by djohnson(uid=0) Thu Mar 11 2014 00:15:01 www1 sshd[2660]: Failed password for invalid user irc from 118.142.68.222 port 4343 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[1705]: Failed password for happy from 118.142.68.222 port 4174 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[1292]: Failed password for nobody from 118.142.68.222 port 1654 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[1560]: Failed password for invalid user local from 118.142.68.222 port 4616 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[59414]: Accepted password for myuan from 10.1.10.172 port 1569 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[1876]: Failed password for invalid user db2 from 118.142.68.222 port 1151 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[3310]: Failed password for apache from 118.142.68.222 port 4343 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[2149]: Failed password for nobody from 118.142.68.222 port 1527 ssh2 Thu Mar 11 2014 00:15:01 www1 sshd[2766]: Failed password for invalid user guest from 118.142.68.222 port 2581 ssh2 Secure.log
  • 38. Author: Prof Bill Buchanan AdvSecurityand NetworkForensics SIEM Proxy VPN Eve Bob Alice