By Prabhat Pokharel, KB Lead Architect, LogPoint - June 10th, 2016.
With the growing use of SIEM solutions, business houses are keen on solving a number security and business use cases seen during their day-to-day operations. In this post, we will go through the top 10 use cases with an overview of how you can use LogPoint to detect any such behavior in your infrastructure (click on the images to see them in a larger size).
The following are the top 10 use cases:
1. Authentication Activities
Abnormal authentication attempts, off hour authentication attempts etc, using data from Windows, Unix and any other authentication application.
2. Shared Accounts
Multiple sources(internal/external) making session requests for a particular user account during a given time frame, using login data from sources like Windows, Unix etc.
3. Session Activities
Session duration, inactive sessions etc, using login session related data specifically from Windows server.
4. Connections Details
Connections can be genuine or bogus. Suspicious behavior may include connection attempts on closed ports, blocked internal connections, connection made to bad destinations etc, using data from firewalls, network devices or flow data. External sources can further be enriched to discover the domain name, country and geographical details.
5. Abnormal Administrative Behavior
Monitoring inactive accounts, accounts with unchanged passwords, abnormal account management activities etc, using data from AD account management related activities.
6. Information Theft
Data exfiltration attempts, information leakage through emails etc, using data from mail servers, file sharing applications etc.
7. Vulnerability Scanning and Correlation
Identification and correlation of security vulnerabilities detected by applications like Qualys against other suspicious events.
8. Statistical Analysis
Statistical analysis can be done to study the nature of data. Functions like average, median, quantile, quartile etc can be used for the purpose. Numerical data from all kind of sources can be used to monitor relations like ratio of inbound to outbound bandwidth usage, data usage per application, response time comparison etc.
9. Intrusion Detection and Infections
This can be done by using data from IDS/IPS, antivirus, anti-malware applications etc.
10. System Change Activities
This can be done by using data for changes in configurations, audit configuration changes, policy changes, policy violations etc.
If you want more information about any of these use cases, you are of course welcome to get in touch. Do you have any use case that you find are particularily relevant? We would love to hear from you!
With LogPoint, you will discover a full enterprise SIEM solution.
LogPoint is EAL 3+ certified and the solution is tailored to solve the specific security management challenges of your business - whether the goal is compliance, forensics or operational insight.
And the best part..? We have the most predictable licensing model in the industry.