Planning and Sizing SIEM

Admin | 28 Feb 2018

Most of the SIEM tools on the market today use a variation of the Events Per Second (EPS) metric to determine licensing, sizing and storage requirements. However, none of the monitored devices come with specifications for the amount of logging they produce per second or per day. In many cases, the same device types from the same vendors generate varying amounts of log volume, and it takes an artful cyber pro to determine what volume all corporate devices would generate daily. A few of the most common factors that complicate a properly designed SIEM solution are:

 Inventory of all assets to be monitored
 Determining average event rates, expressed as an EPS metric
 Retention periods, use cases, regulatory requirements and the like
 Studying the relationship between logging levels and volume of logs generated

The end goal is to have a device count, determine the EPS generated on average by the different devices that need monitoring, and then derive the licensing, storage performance and archiving needs from those figures.
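A sizing calculation along those lines, added here as an illustration rather than as part of the original post: `size_siem` is a hypothetical helper, and the device classes, EPS figures, event sizes, peak factor and retention parameters are constructed placeholders to be replaced with measured values.

```python
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
GB = 1_000_000_000


@dataclass(frozen=True)
class DeviceClass:
    """One class of monitored assets with a measured or estimated average EPS."""
    name: str
    count: int
    avg_eps: float                 # average events per second from one device
    avg_event_bytes: int           # average size of one stored event
    log_level_factor: float = 1.0  # > 1.0 when verbose logging raises the volume


@dataclass(frozen=True)
class Sizing:
    avg_eps: float
    peak_eps: float
    events_per_day: int
    gb_per_day: float
    hot_storage_gb: float
    archive_storage_gb: float


def size_siem(inventory, peak_factor=2.0, hot_days=30, retention_days=365, archive_ratio=0.2):
    """Turn an asset inventory into EPS (licensing) and storage (retention) figures.

    peak_factor: headroom over average EPS that the licence/ingest tier must absorb.
    hot_days: days kept indexed and searchable; retention_days: total retention required.
    archive_ratio: compressed archive size as a fraction of the indexed size.
    """
    avg_eps = sum(d.count * d.avg_eps * d.log_level_factor for d in inventory)
    bytes_per_sec = sum(d.count * d.avg_eps * d.log_level_factor * d.avg_event_bytes for d in inventory)
    gb_per_day = bytes_per_sec * SECONDS_PER_DAY / GB
    archive_days = max(retention_days - hot_days, 0)
    return Sizing(avg_eps, avg_eps * peak_factor, round(avg_eps * SECONDS_PER_DAY),
                  gb_per_day, gb_per_day * hot_days, gb_per_day * archive_days * archive_ratio)


def sample_inventory():
    # Constructed illustrative figures, not vendor specifications: measure your own devices.
    return [DeviceClass("perimeter firewall", 4, 150.0, 300),
            DeviceClass("windows server", 50, 10.0, 500),
            DeviceClass("domain controller", 3, 80.0, 600)]


if __name__ == "__main__":
    s = size_siem(sample_inventory())
    print(f"avg {s.avg_eps:.0f} EPS, licence for {s.peak_eps:.0f} EPS peak, {s.events_per_day} events/day")
    print(f"{s.gb_per_day:.1f} GB/day, hot {s.hot_storage_gb:.0f} GB, archive {s.archive_storage_gb:.0f} GB")
```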


The Kerberos Question

Admin | 28 Feb 2018

A route map of some of today’s most high-profile security breaches reveals predictable patterns. Attackers first break in through the network perimeter, hijack credentials and move laterally through the network, collecting additional credentials and setting out to accomplish their goal. Singled out as one of the most dangerous attack techniques, Kerberos attacks have grabbed eyeballs for three main reasons:

 Once an attacker gains Local Admin privileges, he dumps additional credentials from compromised machines, enabling him to move laterally in the network and gain easy access to assets.
 Attackers can use Kerberos tickets to impersonate authorised users and dodge authentication processes.
 Kerberos gives attackers time: time to remain on the network undiscovered, time to extract information slowly but steadily, and time to persist long after credentials are changed.

Luckily, Kerberos attacks can be predicted and prevented by:

 Using machine learning to detect suspicious activity and provide rapid response and
 Blocking an attacker’s progress either during credential theft or lateral movement.
