The Power of a SIEM Product Is the Power of Its Scenarios

SureLog SIEM
4 min read · Aug 27, 2020


The strength of a SIEM product depends on its scenarios (its detection rules), and this is the area where SIEM vendors differentiate themselves. The range runs from solutions that offer only very basic correlation and detection capabilities to solutions that detect using ML and AI. Examples of the most basic scenarios in this range:

  • Detect brute force attack
  • Detect pass the hash
  • Detect golden ticket
  • Detect failed logins above a threshold
  • Monitor user account creation
  • Monitor user account deletion
  • Monitor user account enabled
  • Monitor allowed inbound connections by location (using threat intelligence)
  • Monitor allowed inbound connections by location (white/black list)
  • Monitor allowed outbound connections by location (using threat intelligence)
  • Monitor allowed outbound connections by location (white/black list)
  • Monitor denied outbound connections by location (using threat intelligence)
  • Monitor denied outbound connections by location (white/black list)
  • Monitor denied internal connections by IP/hostname
  • Detect same user authentication from multiple sources
  • Identify threat indicators
  • Detect failed malware cleaning
  • Monitor inbound data usage
  • Monitor outbound data usage
  • Monitor data usage by application
  • Detect SSHD authentication on Linux
  • Detect successful authentication after brute force
  • Detect repeated login failure
  • MySQL authentication bypass through a zero-length password
  • Account deletion after DoS attack
  • Detect attempts to compromise user credentials
  • Detect self escalation
  • Detect short-lived accounts
  • Detect instances of denial of service, such as an abnormal number of requests from multiple ports or from the same IP address
  • Suspicious file type download (executable, DLL, archive file, …)
  • Suspicious mail headers (Intel based)
  • Mismatched HREF attribute
  • Concurrent logins from Multiple Locations
  • Account activity from Blacklisted Locations
  • Disabled account Logins
  • Multiple account Lockouts
  • Excessive authentication Failures
  • Outbound traffic observed from servers to the Internet
  • Outbound traffic involving Database
  • Detection of virtual machine start/stop/resume/reboot
  • Probable SQL injection attack observed
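
Two of the scenarios above, "Detect failed logins above a threshold" and "Detect successful authentication after brute force", are easy to show as a small correlation pass. The code below is an added example written for this article, not SureLog code or SureLog's rule syntax; the event layout, the threshold of 5 failures, the 10-minute window and the sample events are all constructed assumptions.

```python
"""Added example (not SureLog code): a minimal correlation pass over
constructed authentication events for two basic SIEM scenarios,
"failed logins above a threshold" and "successful authentication after
brute force". Event layout, thresholds and sample data are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5               # failures inside the window that count as brute force
WINDOW = timedelta(minutes=10)   # sliding window kept per user

# Constructed sample events: (ISO timestamp, user, source IP, outcome), time-ordered.
SAMPLE_EVENTS = [
    ("2020-08-27T09:00:01", "alice", "10.0.0.5", "failure"),
    ("2020-08-27T09:00:05", "alice", "10.0.0.5", "failure"),
    ("2020-08-27T09:00:09", "alice", "10.0.0.5", "failure"),
    ("2020-08-27T09:00:12", "alice", "10.0.0.5", "failure"),
    ("2020-08-27T09:00:15", "alice", "10.0.0.5", "failure"),
    ("2020-08-27T09:00:20", "alice", "10.0.0.5", "success"),   # success after brute force
    ("2020-08-27T09:05:00", "bob",   "10.0.0.7", "failure"),   # a single typo, no alert
    ("2020-08-27T09:05:30", "bob",   "10.0.0.7", "success"),
    ("2020-08-27T10:30:00", "carol", "10.0.0.9", "failure"),
    ("2020-08-27T10:30:02", "carol", "10.0.0.9", "failure"),
    ("2020-08-27T10:30:04", "carol", "10.0.0.9", "failure"),
    ("2020-08-27T10:30:06", "carol", "10.0.0.9", "failure"),
    ("2020-08-27T10:30:08", "carol", "10.0.0.9", "failure"),   # threshold crossed here
    ("2020-08-27T10:30:10", "carol", "10.0.0.9", "failure"),   # no second alert
]


def correlate(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of (rule, user, source_ip, timestamp) alerts.

    Events must be in time order. For every user a deque of recent failure
    timestamps is kept; entries older than the window are dropped whenever
    a new event for that user arrives, so memory is bounded by the window.
    """
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    brute_forced = set()            # users whose failure count crossed the threshold
    alerts = []
    for ts_str, user, src, outcome in events:
        ts = datetime.fromisoformat(ts_str)
        recent = failures[user]
        while recent and ts - recent[0] > window:   # expire old failures
            recent.popleft()
        if outcome == "failure":
            recent.append(ts)
            if len(recent) == threshold:             # fire once, on crossing
                alerts.append(("failed_logins_above_threshold", user, src, ts_str))
                brute_forced.add(user)
        elif outcome == "success":
            # Only a success that still has brute-force failures inside the window counts.
            if user in brute_forced and recent:
                alerts.append(("success_after_brute_force", user, src, ts_str))
            recent.clear()                           # a success resets the user's state
            brute_forced.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running it on the sample events yields three alerts: alice crosses the threshold and then logs in successfully, carol crosses the threshold but never succeeds, and bob's single failure is ignored. Because the window is sliding, five failures spread over several hours do not fire, which is the behaviour a real SIEM rule needs in order to avoid paging on ordinary mistyped passwords.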

Around 70% of the scenarios above can be detected even with free solutions.

Below are examples of scenarios you can obtain with a SIEM solution that is one tier better.

  • Warn if a PowerShell command with a base64-formatted string of more than 100 characters appears
  • Password changes for the same user more than 3 times within 45 days
  • If there are more than 10 DNS requests within 5 minutes that have the same domain but different subdomains, notify. Example: xxx.domain.com, yyy.domain.com
  • Misuse of an account
    • Lateral movement
  • Executive-only asset accessed by a non-executive user
  • Multiple VPN accounts failed login from a single IP
  • First access to critical assets
  • User access from multiple hosts at the same time
  • User account created and deleted in a short period of time
  • Monitor privileged accounts for suspicious activity
  • Chained RDP connections
  • RDP with unusual charset
  • Multiple RDP from same host in short time
  • Lateral movement following an attack
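
The DNS-subdomain rule and the encoded-PowerShell rule from the list above are concrete enough to implement directly. The code below is an added example written for this article, not SureLog code; the event layouts, the "last two labels" heuristic for the registered domain (it ignores public suffixes such as co.uk), the base64 decoding check and the sample data are constructed assumptions.

```python
"""Added example (not SureLog code) for two mid-tier SIEM scenarios:

Rule 1: more than 10 DNS queries within 5 minutes for different subdomains
        of the same registered domain (a typical sign of DNS tunnelling).
Rule 2: a PowerShell command line carrying a base64 string longer than
        100 characters.
Event layouts, the registered-domain heuristic and the sample data are
assumptions made for the example."""
import base64
import binascii
import re
from collections import defaultdict
from datetime import datetime, timedelta

DNS_WINDOW = timedelta(minutes=5)
DNS_THRESHOLD = 10    # alert when MORE than this many distinct subdomains are seen
B64_MIN_LEN = 100     # base64 run length that triggers rule 2


def registered_domain(fqdn):
    """Return the last two labels ('domain.com'). Simplification for the
    example: public suffixes such as 'co.uk' are not handled."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def detect_subdomain_burst(queries, window=DNS_WINDOW, threshold=DNS_THRESHOLD):
    """queries: time-ordered (iso_timestamp, client_ip, query_name) tuples.
    Returns (client_ip, registered_domain, distinct_count) alerts, at most
    once per (client, domain), when more than `threshold` distinct
    subdomains of one registered domain are queried inside the window."""
    seen = defaultdict(list)   # (client, domain) -> [(timestamp, qname)]
    fired = set()
    alerts = []
    for ts_str, client, qname in queries:
        ts = datetime.fromisoformat(ts_str)
        key = (client, registered_domain(qname))
        bucket = seen[key] + [(ts, qname.lower())]
        bucket = [(t, q) for t, q in bucket if ts - t <= window]   # drop expired entries
        seen[key] = bucket
        distinct = {q for _, q in bucket}       # repeated lookups of one name do not count
        if len(distinct) > threshold and key not in fired:
            fired.add(key)
            alerts.append((client, key[1], len(distinct)))
    return alerts


def detect_encoded_powershell(cmdline, min_len=B64_MIN_LEN):
    """Return True when cmdline invokes PowerShell and carries a run of at
    least `min_len` base64 characters that also decodes cleanly."""
    if "powershell" not in cmdline.lower():
        return False
    pattern = r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len
    for match in re.finditer(pattern, cmdline):
        try:
            base64.b64decode(match.group(0), validate=True)
            return True
        except (binascii.Error, ValueError):
            continue          # looked like base64 but was not a valid block
    return False


# Constructed sample data ----------------------------------------------------
# 12 distinct subdomains of domain.com from one client within 12 seconds,
# then 15 repeated lookups of a single name from another client.
SAMPLE_DNS = [("2020-08-27T09:00:%02d" % i, "10.0.0.5", "h%d.domain.com" % i) for i in range(12)]
SAMPLE_DNS += [("2020-08-27T09:01:00", "10.0.0.6", "www.example.com")] * 15

# A benign script, encoded the way -EncodedCommand expects (UTF-16LE, base64).
_BENIGN_SCRIPT = "Get-Process | Where-Object { $_.CPU -gt 10 } | Select-Object Name, Id"
SAMPLE_ENCODED_CMD = "powershell.exe -NoProfile -EncodedCommand " + \
    base64.b64encode(_BENIGN_SCRIPT.encode("utf-16le")).decode("ascii")

if __name__ == "__main__":
    print(detect_subdomain_burst(SAMPLE_DNS))
    print(detect_encoded_powershell(SAMPLE_ENCODED_CMD))
```

The DNS rule counts distinct names rather than raw queries, so a busy client hammering one hostname never trips it, while the 11th distinct subdomain from 10.0.0.5 does. The PowerShell rule decodes the candidate run before alerting, which filters out long alphanumeric tokens that merely look like base64.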

SIEM products that support the scenarios above are good products. All of these scenarios can be detected with SureLog SIEM.

Below are examples of scenarios that require machine learning and/or artificial intelligence and can be detected by SIEM solutions whose correlation engine is also highly capable.

  • Return the days on which a user accessed more assets than the 95th percentile of that user's own daily count
  • Look for a user whose HTTP-to-DNS protocol ratio is 300% higher than that of 95% of the other users, using the ratio over the last four weeks for the 4th day of the week
  • If a user's ratio of failed authentications to successful authentications is 10%, alert
  • Data loss detection by monitoring all endpoints for an abnormal volume of data egress
  • Measure the similarity between well-known process names and the running ones using Levenshtein distance in real time and detect process masquerading
  • DGA detection
  • Detect attack Tools
  • Detect malware
  • Detect suspicious/malicious processes
  • Detect suspicious/malicious files
  • Detect suspicious/malicious services
  • Detect abnormal port used in outbound network connection from an asset
  • Abnormal number of assets logged on
  • Failed logon to an asset that a user has previously never logged on to
  • First time a user saves files to a USB drive
  • First time a user performs an activity from a country
  • First VPN connection from a device for a user
  • First connection from a source IP
  • First access to a device for a user
  • First access to database MSSQL for peer group HR
  • First access to database MSSQL for user
  • First mail to/from a domain for the organization
  • First access to this web domain which has been identified as risky by a reputation feed
  • First execution of a process on a host
  • First access to object fdghsdydhas
  • First access from a host to a database for a user
  • First access from source zone Atlanta office to a database for a user
  • Suspicious temporary account activity
  • Abnormal account administration
  • Unusual account privilege escalation
  • Unusual file modifications
  • Abnormal password activity
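
Two of the analytics above have a concrete algorithm behind them: the Levenshtein-distance comparison used for process masquerading, and the per-user 95th-percentile baseline for assets accessed per day. The code below is an added example written for this article, not SureLog code; the well-known process list, the distance cut-off of 2, the nearest-rank percentile and the sample process list and access log are constructed assumptions.

```python
"""Added example (not SureLog code) for two ML/analytics-tier scenarios:

* process masquerading: Levenshtein distance between each running process
  name and a list of well-known names, flagging near-misses such as a digit
  swapped for a letter;
* behavioural baseline: days on which a user touched more distinct assets
  than the 95th percentile of that user's own daily history.

Process list, access log, cut-offs and the percentile method are assumptions."""
import math
from collections import defaultdict

# Constructed list of names an attacker-controlled process commonly imitates.
WELL_KNOWN = {"svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe", "winlogon.exe"}


def levenshtein(a, b):
    """Classic dynamic-programming edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (0 if equal)
        prev = cur
    return prev[-1]


def masquerade_candidates(process_names, known=WELL_KNOWN, max_distance=2):
    """Return (observed_name, lookalike, distance) for names that are within
    `max_distance` edits of a well-known name but are not that name."""
    hits = []
    for name in process_names:
        lowered = name.lower()
        if lowered in known:
            continue
        best = min(known, key=lambda k: levenshtein(lowered, k))
        distance = levenshtein(lowered, best)
        if distance <= max_distance:
            hits.append((name, best, distance))
    return hits


def percentile(values, p):
    """Nearest-rank percentile; integer arithmetic keeps the rank exact."""
    ordered = sorted(values)
    rank = math.ceil(p * len(ordered) / 100)
    return ordered[max(0, min(len(ordered) - 1, rank - 1))]


def days_above_percentile(access_log, p=95):
    """access_log: (date, user, asset) tuples. Returns {user: [dates]} for
    days on which the user's distinct-asset count exceeded the p-th
    percentile of that same user's daily counts."""
    per_day = defaultdict(set)
    for date, user, asset in access_log:
        per_day[(user, date)].add(asset)
    counts = defaultdict(dict)                       # user -> {date: distinct assets}
    for (user, date), assets in per_day.items():
        counts[user][date] = len(assets)
    flagged = {}
    for user, by_date in counts.items():
        cut = percentile(list(by_date.values()), p)  # the user's own baseline
        days = sorted(d for d, c in by_date.items() if c > cut)
        if days:
            flagged[user] = days
    return flagged


# Constructed sample data ----------------------------------------------------
SAMPLE_PROCESSES = ["svchost.exe", "svch0st.exe", "explorer.exe",
                    "exp1orer.exe", "chrome.exe", "Isass.exe"]

# 20 days for one user: 3 to 5 assets per day, except day 17 with 40 assets.
SAMPLE_ACCESS = []
for _day in range(1, 21):
    _date = "2020-08-%02d" % _day
    _n = 40 if _day == 17 else 3 + _day % 3
    SAMPLE_ACCESS.extend((_date, "alice", "srv%d" % i) for i in range(_n))

if __name__ == "__main__":
    print(masquerade_candidates(SAMPLE_PROCESSES))
    print(days_above_percentile(SAMPLE_ACCESS))
```

On the sample data the masquerade check flags svch0st.exe, exp1orer.exe and Isass.exe (capital I for lowercase l) while leaving chrome.exe alone, and the baseline flags only 2020-08-17 for alice. The baseline is computed per user rather than globally, which is what makes "more than his 95th percentile" meaningful for users whose normal workload differs widely.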

All of the scenarios listed above are implemented by SureLog SIEM.
