Use Cases
Event Log Convergence = Business Intelligence
Problem
I have come across many prospects over the last 15 years who are only trying to acquire a SIEM solution to satisfy a compliance requirement, or what we call in the industry “check-box purchasing”: they have a minimum set of requirements specific to only one business unit or compliance mandate that is completely siloed from the rest of the organization.
Here is how this conversation usually goes:
Client: “We would like a SIEM tool that will help us monitor our 200+ Windows Servers for PCI-DSS compliance.”
Me: “What other event sources are you going to be monitoring with the solution?”
Client: (Stunned look) “We only need to monitor our servers.”
Me: “PCI-DSS requirement 10 states you have to monitor the logs from all of your security devices and servers that are deemed critical assets.”
Client: “Our department is only responsible for the servers we listed.”
Me: “To get value out of a SIEM solution and monitor all 12 PCI requirements you need audit logs from all of your devices and contextual information regarding your network, asset and vulnerability data – and that will just get you started.”
Client: “Perhaps we need to increase the scope – we’ll get back to you.”
While the Centralized Log Management (CLM) and Security Information and Event Management (SIEM) vendors will be lined up around the block to influence the sale, the vendor you choose should be a trusted advisor: one interested in providing the most value from your investment and in helping you design a solution that addresses many business problems, going beyond a traditional security-centric SIEM. This is why you will need to identify key device types and the value that can be derived by cross-correlating their log data with business context, aligning monitoring with your governance, security and compliance initiatives.
The SIEM Value Derived from Heterogeneous Device Logging
While each event source you collect from provides distinct reporting and alerting value, combining many different “types” of event sources yields immediate intelligence about the business and helps analysts establish baselines of threat activity. Another benefit is that incidents can be prioritized by business value and threat classification, and the additional context helps reduce the plethora of false positives and false negatives that plagues every CLM solution.
Additionally, each of the various technologies has its own management and reporting solution, and these become “silos of information” that only the black belts responsible for each device type are able to decipher. This makes security intelligence and investigations near impossible when an analyst has to request log data from the owners or log in to many different systems to find the evidence to support their case. Essentially, they would have to piece together the clues and manually normalize the data using a technique called “Spreadsheet Kung Fu”, which is fraught with assumptions and inference.
Below is a list of different device types and the value that can be derived from each when correlated together. The list isn’t exhaustive and I’m not suggesting you need every one mentioned to successfully deploy a SIEM, but the more data feeds you can correlate, the more intelligence you will have available in the future to expand and grow with your business.
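As an added illustration of the cross-correlation argument above (example code written for this page, not the author's or any vendor's), the script below normalizes constructed log lines from three device types (a firewall, an IDS and Windows authentication) into one schema, joins them against a constructed asset inventory carrying business context (criticality, PCI scope, open vulnerabilities), and scores the resulting incident per asset. The key=value log format, the host names and IP addresses, the vulnerability placeholder and the scoring weights are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed asset/business context (hypothetical hosts, not from the page).
ASSETS = {
    "10.0.5.20": {"name": "pay-db01", "criticality": 5, "pci_scope": True,
                  "open_vulns": ["VULN-PLACEHOLDER"]},
    "10.0.9.44": {"name": "dev-web03", "criticality": 1, "pci_scope": False,
                  "open_vulns": []},
}
NAME_TO_IP = {a["name"]: ip for ip, a in ASSETS.items()}

# Constructed log lines in a generic key=value style, one line per device type.
RAW_EVENTS = [
    '2021-04-18T10:01:02Z fw01 action=allow src=203.0.113.7 dst=10.0.5.20 dport=1433',
    '2021-04-18T10:01:05Z ids01 sig="SQL Server login brute force" src=203.0.113.7 dst=10.0.5.20',
    '2021-04-18T10:01:09Z winauth host=pay-db01 event=4625 user=sa src=203.0.113.7',
    '2021-04-18T10:02:00Z fw01 action=allow src=198.51.100.9 dst=10.0.9.44 dport=443',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Normalise one raw line into a flat dict: ts, source, then its key=value fields."""
    ts, source, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    ev = {"ts": ts, "source": source, **fields}
    # Host-based sources name the asset instead of giving its IP; resolve it
    # through the inventory so every event carries a comparable "dst" key.
    if "dst" not in ev and "host" in ev:
        ev["dst"] = NAME_TO_IP.get(ev["host"])
    return ev


def score_incident(asset, events):
    """Assumed weighting: business context first, then corroboration across sources."""
    sources = {e["source"] for e in events}
    score = asset["criticality"] * 10
    score += 20 if asset["pci_scope"] else 0        # compliance scope raises priority
    score += 15 if asset["open_vulns"] else 0       # known exposure on the target
    score += 10 * (len(sources) - 1)                # each extra device type corroborating
    if any(e.get("event") == "4625" for e in events):  # Windows failed-logon event id
        score += 10
    return score


def prioritise(lines):
    """Group normalised events by target asset and return incidents, highest score first."""
    by_asset = defaultdict(list)
    for ev in map(parse_line, lines):
        if ev.get("dst") in ASSETS:
            by_asset[ev["dst"]].append(ev)
    incidents = []
    for ip, events in by_asset.items():
        asset = ASSETS[ip]
        incidents.append({
            "asset": asset["name"],
            "score": score_incident(asset, events),
            "sources": sorted({e["source"] for e in events}),
            "attackers": sorted({e["src"] for e in events if "src" in e}),
        })
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    for incident in prioritise(RAW_EVENTS):
        print(incident)
```

The point is the join, not the arithmetic: the same firewall "allow" line scores 10 against a development host and lands at the top of the queue against the PCI-scoped database only because asset and vulnerability context, plus two other device types seeing the same source address, were available to correlate.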
Are you a Security PreSales Ninja?
Security Ninja Quiz
Information
Take this quiz and determine if you are a Security PreSales Ninja.
NOTE: this quiz has a 20 minute time limit to complete.
Enter your full name and email address in the results table to save to the leaderboard!
Question 1 of 18
What’s the major difference between Symmetric and Asymmetric encryption?
Correct: Awesome! You know the basics!
Incorrect: Sorry, you are not even close…

Question 2 of 18
If you are alerted by a DMZ IDS that an IIS buffer overflow attack was targeting your Apache web server, what should you do?
Correct: Awesome! You know the basics!
Incorrect: Sorry, you are not even close…

Question 3 of 18
You have an older server with a password-protected BIOS configuration. What are two ways you can get past this problem without knowing the BIOS password? Choose the best two answers…
Correct: Awesome! You know the basics!
Incorrect: Sorry, you are not even close…

Question 4 of 18
What shell command should you use on Linux to perform “root” privilege functions without knowing the “root” password?
Correct: Awesome! You know the basics of Linux security!
Incorrect: Sorry, you are not even close…

Question 5 of 18
What is the key difference between a Network Intrusion Prevention System (NIPS) vs Network Intrusion Detection System (NIDS)?
Correct: Awesome! You know the difference between IDS and IPS!
Incorrect: Sorry, you are not even close…

Question 6 of 18
Select the most effective method you would use to secure a WiFi network.
Correct: Awesome! You know the WiFi security basics!
Incorrect: Sorry, you are not even close…

Question 7 of 18
Select the best answer that describes a “false-negative” as it relates to information security.
Correct: Awesome! You know the basics!
Incorrect: Sorry, you are not even close…

Question 8 of 18
If one attacker is trying to connect to a server with an excessive number of TCP packets, from a spoofed IP address, what is this attack commonly called?
Correct: Awesome! You know the basics of SYN flooding!
Incorrect: Sorry, you are not even close…

Question 9 of 18
Match the SIEM product to the appropriate vendors below. Select the tile from the top and drag to the blank space next to each vendor:
Tiles:
- Qradar SIEM - was originally known as Q1 Labs before their acquisition.
- Enterprise Security Manager (ESM) - was originally known as NitroSecurity before their acquisition.
- ArcSight ESM - was founded in 2000 and acquired by this large company in 2010
- Security Analytics - was originally referred to as EnVision before they acquired NetWitness in 2011
Vendors:
- IBM Security
- McAfee
- HP Enterprise Security Products
- EMC / RSA
Correct: Awesome! You know the basic SIEM competitors!
Incorrect: Sorry, you are not even close…

Question 10 of 18
The acronym “SIEM” translates to which of the following?
Correct: Awesome! Security Information & Event Management is correct!
Incorrect: Sorry, Security Information & Event Management was the correct answer.

Question 11 of 18
What would you use to authenticate a Linux workstation on an Active Directory domain?
Correct: Awesome! You know the basics!
Incorrect: Sorry, SMB client or Samba was the correct answer.

Question 12 of 18
An anonymous person calls your telephone and says they are from your credit card company and asks you to tell them your credit card number and expiry as a verification that they are speaking to the right person. What method of attack are they attempting?
Correct: Awesome! You know social engineering basics!
Incorrect: Sorry, you are not even close…

Question 13 of 18
Scenario: your company top executive (CEO) alerts you that they have received an official-looking email from the local law enforcement agency regarding a court subpoena directed at their full legal name, and the email instructs them to click on a link and install special software to view the encrypted subpoena. Is this an attempted attack and, if so, what method of attack is this referred to?
Correct: Awesome! You know phishing basics!
Incorrect: Sorry, but you are close…

Question 14 of 18
Scenario: An employee at a financial services company has been suspected of fraud by law enforcement and you have been consulted to perform the forensic extraction of data from the user’s PC. Arrange the following tiles in the correct order based on each item’s volatility. List the items from most volatile (top) to least volatile (bottom).
Tiles:
- Data in RAM / CPU cache, including recently used data, applications, system and network processes.
- Swap files (aka paging files) stored on local disk drives
- User and application data stored on local disk drives
- Logs and personal files stored on remote systems
- Archive media containing user backups
Correct: Awesome! You have a handle on forensic basics.
Incorrect: Sorry, you didn’t arrange the list correctly.

Question 15 of 18
As a pre-sales engineer, the process of mastering your own solution before giving an effective product demonstration is referred to as the “Demo Pyramid”. During your “ramp-up” this process forms a series of layered stages, with each stage building upon the previous level. Sort the tiles below into the pyramid, in the order of beginner to mastery (lowest at the bottom, highest at the top):
Tiles:
- Solution
- Construction
- Functional Explanation
- Feature Explanation
- Memorization & Recital
Correct: Well done! You show great skill in pre-sales…
Incorrect: Sorry, that’s not correct. You should read “Making the Technical Sale”…

Question 16 of 18
Since Sales Engineers work closely with Sales Reps on a daily basis there is some basic sales terminology they must understand. Use the matrix below to sort the list of tiles and place them next to the matching terms listed in the first column.
Tiles:
- This refers to the most popular tool that sales reps use to create opportunities, forecast closing dates and used for many other customer relationship management tasks.
- A method of calculating over achievement to increase the rate of pay for reps who exceed revenue targets.
- Usually a short term bonus (anywhere from one week out to a full quarter) designed to motivate sales reps with immediate payout.
- A tool usually developed by marketing that's used by the sales team to understand competition and helps qualify opportunities they are pursuing.
- A set amount of selling that a salesperson is expected to meet over a given time frame.
Terms:
- SFDC
- Accelerators
- SPIF(F)
- SWOT
- Quota
Correct: Excellent! You are proficient in sales terminology…
Incorrect: Sorry, you need to brush up on your sales terminology…

Question 17 of 18
Within a large sales organization different teams provide valuable resources to complete the sale. Use the list of tiles below to best match the responsibilities of the various team members.
Tiles:
- Responsible for developing an account plan to try to secure a prospect as a customer, focus is on the financial and legal terms of the contract closing and manage the ongoing relationship with the customer.
- Provide technical overview of product architecture, functionality, data requirements, and integration with other enterprise applications.
- Often translate business objectives set for a product by Marketing or Sales into engineering requirements.
- Attempt to help the customer solve specific problems with a product after they have purchased through email or over the telephone.
- Top source of lead generation for the sales team and often performs their role remotely through virtual presentations and cold-calling prospective customers.
Roles:
- Regional Sales Representative
- Pre-Sales Engineer
- Product Management
- Product Technical Support
- Inside Sales Representative
Correct: Excellent! You show true proficiency in a sales organization.
Incorrect: Sorry, you need to better understand roles and responsibilities within a sales team.

Question 18 of 18
Scenario: you are the lead Sales Engineer assisting three sales reps in a 3:1 ratio. All of the reps come to you at the same time with what they consider to be top priority tasks listed below. Read the task requests from each of the reps in this question and then choose which possible options you would use to assist the reps from the multiple choices below (HINT: more than one answer):
- REP #1: needs you to respond to an RFP with a closing date of one week away for a $20,000 opportunity set to close in the next quarter
- REP #2: needs you to create a custom demo for a prospect to be delivered in one week for a $15,000 opportunity set to close in the current quarter
- REP #3: needs you to go onsite and provide a one week Proof of Concept (POC) for a new prospect with no budget and no closing date
Correct: Wow! You have strong time management and a sense of sales priorities…
Incorrect: Sorry, that was not the answer we were looking for…
How to Become a C.S.I. – Enterprise Forensics using a SIEM
Gary Freeman – SecTor 2013 Sponsor Session
Many Security Analysts are tasked with assisting in Corporate Governance. This session explores the concept of network forensic investigations using a SIEM, and how security analysts can use it to assist Governance, HR or law enforcement with network interception to gather evidence while preserving chain of custody. With the challenges of cloud-based computing and mobile devices, the need for a well-defined workflow and the use of industry-accepted tools is more essential than ever. Get familiar with using integration commands on demand to gather external data for an investigation.
NetCerebral’s Device EPS Calculator
Hi folks, this post is another form I created using the Calculated Fields Form plugin for WordPress. Basically, this simple form takes the number of devices entered in each form field and multiplies it by the designated Events Per Second (EPS) average for that device type. It then provides a live calculation of the total number of devices, total average EPS and total average Events Per Day (EPD).
This handy calculation can then be used with my other calculator, NetCerebral’s Simple Log Storage Calculator, as the average EPS, which is the primary input needed to calculate the amount of storage and IOPS required for the EPD and retention periods defined.
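The two calculators described above are WordPress forms, so here is the same chain of calculations as a stand-alone Python example written for this page (not the author's form): device counts times an average EPS per device type, summed to a total EPS, then EPD, then storage and a rough write-IOPS figure for a retention period. The per-device-type EPS averages, the bytes-per-event figure, the compression ratio and the I/O size are all assumed placeholder values, not figures from the page; replace them with measurements from your own environment.

```python
SECONDS_PER_DAY = 86_400

# Assumed average EPS per device type (constructed placeholders, not the page's figures).
AVG_EPS = {
    "firewall": 25.0,
    "ids_ips": 5.0,
    "windows_server": 1.5,
    "linux_server": 1.0,
    "switch_router": 0.5,
}


def total_eps(device_counts, avg_eps=AVG_EPS):
    """Sum (device count x average EPS) over every device type supplied."""
    unknown = set(device_counts) - set(avg_eps)
    if unknown:
        raise KeyError(f"no EPS average for device types: {sorted(unknown)}")
    return sum(count * avg_eps[dev_type] for dev_type, count in device_counts.items())


def events_per_day(eps):
    """Average EPS scaled to a 24-hour day."""
    return eps * SECONDS_PER_DAY


def storage_gb(eps, retention_days, bytes_per_event=500, compression_ratio=8.0):
    """Raw and compressed storage in decimal GB for the whole retention window."""
    raw_bytes = events_per_day(eps) * retention_days * bytes_per_event
    return raw_bytes / 1e9, raw_bytes / compression_ratio / 1e9


def write_iops(eps, bytes_per_event=500, io_size_bytes=4096):
    """Rough sustained write IOPS if events are committed at io_size granularity."""
    return eps * bytes_per_event / io_size_bytes


def size_siem(device_counts, retention_days, bytes_per_event=500, compression_ratio=8.0):
    """Combine the steps into one sizing summary for a device inventory."""
    eps = total_eps(device_counts)
    raw, compressed = storage_gb(eps, retention_days, bytes_per_event, compression_ratio)
    return {
        "devices": sum(device_counts.values()),
        "avg_eps": eps,
        "events_per_day": events_per_day(eps),
        "raw_gb": raw,
        "compressed_gb": compressed,
        "write_iops": write_iops(eps, bytes_per_event),
    }


if __name__ == "__main__":
    # Constructed inventory: the 200 Windows servers from the PCI conversation plus perimeter gear.
    print(size_siem({"windows_server": 200, "firewall": 2, "ids_ips": 1}, retention_days=90))
```

Average EPS sizes the steady-state pipeline; disk and licence headroom should be planned against the peak, which can be several times the average during an incident or a log-storm, so treat these numbers as a floor rather than a budget.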
Website Defacement – A Personal Account
It’s been a while since I had to put my SANS Incident Handling hat on or do root-cause analysis and network forensics on an actual attack this close to home. December 13th, 2011 marks the day that 144 websites mapped to the same IP address hosted by HostPapa were injected with a number of files that replaced their home pages with those of some script kiddie’s: website defacement on a large scale. Admittedly, netcerebral.com was one of the 144, as were two other sites that I manage part-time.
Synopsis
The attacks appeared to originate from Kuwait (inconclusive), and when I traced the names of the attackers, their email addresses and the “Muslim Hackers” they were sending “GR33T5” to, it became evident that this was “bragging rights” under the shroud of “hacktivism”. In fact, the hackers went as far as to list all 144 websites hacked at the same HostPapa IP address on www.zone-h.org, a public attribution site for website defacements where hackers brag and place “mirrors” of the defaced pages as proof of their misconduct.
The hackers jointly go by the alias of “7rb-team” and, according to zone-h.org, have successfully defaced 3,414 homepages since December 2nd, 2011 (and are currently still active, with almost 100 defacements daily in January 2012 alone).
Anatomy
Since HostPapa has not provided the access logs for the date of the attack (they had been requested, but HostPapa doesn’t keep archives), we are left to infer the attack vector that was used to inject the PHP code into the websites. I have narrowed it down to either a SQL injection or PHP URL inclusion. The sites all had “wp__” ID tags on the WP core, no .htaccess files, outdated WP PHP plugins and a number of other vulnerabilities inherent to WP (themes are another possibility). I suspect the attackers used recon scanning to detect the open vulnerabilities on the site and then exploited one of them to write files to the root of the virtual directory.
Once the PHP shell was injected, they connected remotely and ran the Syrian Shell, which automated the creation of all the “index.htm” files and downloaded all of the other artifacts that I found on the site.
Clean Up
The service provider detected the mass infection across the customers’ sites a day after the attacks and shut down the sites. They opened a ticket, notified one of the billing contacts that the site had been shut down, and instructed us to back up the site so they could wipe it and we could then manually restore it. Fortunately, I had backups that I had taken months prior to the attack, but some of the newer posts were missing. The other issue is that, while I had backups of the site directories and MySQL for each, the attackers had injected files into the home root directory that needed to be cleaned up as well (directories such as /cgi-bin, /cpanel, etc. were all infected).
I eventually decided to back up the entire site with all three domains, then download and unzip them on my local PC, where I had Apache, PHP and MySQL running in a VM sandbox. I went through the painstaking task of removing 50+ occurrences of “index.htm” (the defacement page) and 5 instances of PHP shell kit code that had been injected into the root of the parent website. Next, I dropped all of the tables in two of the databases (the third site doesn’t use a DB) and restored from backup in phpMyAdmin. Once the sites were functioning the way I wanted, I upgraded the WP core, updated all plugins and then installed the WDS Security plugin, which found additional vulnerabilities that I cleaned up on both sites.
The Evil Script
One other advantage of having the VM sandbox is that, after I made a backup and export of the sanitized site, I reverted the VM snapshot back to when the site was infected and played around with the Syrian Shell (not recommended in a prod environment!), so I could replicate what the attackers did once they had the PHP file uploaded to the site.
When you open the code in an editor, the first line reads:
# syrian shell is a php evil script , please use it against Israel Only
Apparently the attackers didn’t read this line and showed no discrimination about who their targets were going to be.
The malicious script also comes with a GNU Public License disclaimer with more preamble about attacking Israel, and then proceeds to allow the attacker to configure their own password for the shell.
The script then immediately starts to list privileged functions such as:
- Get Real IP Address
- Open Base Directory
- Base64 Encode/Decode
- Safe Mode (Read-Only)
- Search and Count a File Name (such as index.html)
- Suicide (aborts and deletes shell)
- CMD Shell (Win/Linux)
- Index Changer (supports multiple CMS tools)
- Get Passwords (reads /etc/passwd, domainalias and shadow files)
- System Info (runs netstat, arp, routes, ls, etc)
- MD5 Password Hashing
- Database Tools (Oracle, MS SQL, MySQL and PostgreSQL)
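The clean-up described above (hunting down 50+ copies of “index.htm” and the handful of injected PHP shell files across the webroot) is exactly the kind of triage worth scripting rather than doing by hand, and the function list above gives the strings a scanner can key on. The following is an added example written for this page, not the author's tooling: it walks a webroot copy, flags every “index.htm” (the page says the legitimate sites did not use that file name, so every occurrence is assumed to be a defacement page) and flags PHP files that carry the quoted “syrian shell” marker line or common webshell constructs. The sample site it builds in a temporary directory is constructed for the demo, and the indicator patterns are general heuristics, not a signature for this specific shell.

```python
import re
import tempfile
from pathlib import Path

DEFACEMENT_NAME = "index.htm"          # unexpected on a WP site whose front page is index.php
PHP_SUFFIXES = {".php", ".phtml", ".php5"}

# Heuristic indicators. The first is the marker line quoted from the injected script;
# the rest are generic obfuscated-loader / request-driven-execution constructs.
SHELL_PATTERNS = [
    re.compile(r"syrian shell", re.I),
    re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    re.compile(r"\b(?:passthru|shell_exec|system|exec)\s*\(\s*\$_(?:GET|POST|REQUEST)"),
    re.compile(r"\$_(?:GET|POST|REQUEST)\[[^\]]+\]\s*\("),  # $_POST['x'](...) style dispatch
]


def scan_webroot(root):
    """Return (relative path, reason) for every suspicious file under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == DEFACEMENT_NAME:
            findings.append((rel, "defacement page"))
        elif path.suffix.lower() in PHP_SUFFIXES:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            hits = [p.pattern for p in SHELL_PATTERNS if p.search(text)]
            if hits:
                findings.append((rel, "webshell indicator: " + "; ".join(hits)))
    return findings


def build_sample_site(root):
    """Write a constructed webroot: two legitimate files plus three planted artifacts."""
    files = {
        "index.php": "<?php require 'wp-blog-header.php';",
        "wp-includes/functions.php": "<?php function wp_ok() { return true; }",
        "index.htm": "<html>hacked</html>",
        "cgi-bin/index.htm": "<html>hacked</html>",
        # Inert stand-in for an injected shell: marker line plus an obfuscated-loader shape
        # whose payload decodes to the harmless string "ABC".
        "wp-content/uploads/x.php": "<?php\n# syrian shell is a php evil script\n"
                                    "eval(base64_decode('QUJD'));",
    }
    for rel, content in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo():
    """Build the sample site in a temp dir, scan it, and return findings as a dict."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return dict(scan_webroot(tmp))


if __name__ == "__main__":
    for rel, reason in demo().items():
        print(f"{rel}: {reason}")
```

Run it against an offline copy of the site, as the author did in the VM sandbox, never the live host: the findings list is the removal checklist, and diffing it against a known-good backup catches injected files this heuristic would miss.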
Hardening
To be fully convinced that I was no longer at risk, I upgraded to the latest WP v3.3.1 on all sites, updated all plugins, disabled any that weren’t in use, created .htpasswd and .htaccess files, installed the IP Filter plugin to block a list of bad IP addresses and installed WDS Security on all sites (and corrected any issues detected by WDS). I have since started to automate backups of the MySQL database and WP files so that next time I get hacked, I can simply drop all the tables in the DB and restore from a backup.
I have definitely learned a valuable lesson in how vulnerable PHP/WP is and will stay on top of the site with updates, etc.
- Linux SecOps – Look Who’s Knocking July 19, 2021
- Calculating Peak EPS for Security Log Monitoring May 21, 2021
- Event Log Convergence = Business Intelligence April 18, 2021
- Chronology of a Ransomware Attack January 20, 2021
- SIEM Storage Calculator December 28, 2019
- AIO WP Security Firewall Log Hacks August 12, 2019
- Essential Firewall Rules for Internet Facing Firewalls July 23, 2019
- SIEM-as-a-Service: do the survey and let me know if you’re an early adopter… July 6, 2016
- Are you a Security PreSales Ninja? July 28, 2015
- SCAM: Call from Computer Maintenance Department July 22, 2015