Most of the SIEM tools on the market today use a variation of the Events Per Second (EPS)
metric to determine licensing, sizing and storage requirements. However, monitored devices
rarely ship with a specification of how much logging they generate per second or per day.
In many cases, devices of the same type from the same vendor generate varying amounts of
log volume, and it takes an experienced cyber pro to estimate the daily volume that all
corporate devices would generate. A few of the most common factors that affect a properly
designed SIEM deployment:
Inventory of all assets to be monitored
Determining average event rates, expressed as an EPS metric
Retention periods, use cases, regulatory requirements and the like
Studying the relationship between logging levels and volume of logs generated
The end goal is to have a device count, determine the EPS generated on average by the different devices that need monitoring, and then determine the licensing, storage, performance and archiving needs.
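The sizing procedure above, carried through as an added worked example (not the page's own tool or any vendor's calculator): it first measures average and peak EPS from a small constructed log sample for one device, then rolls a constructed asset inventory (device counts, per-device EPS and average event size) up into total EPS, daily event volume, and hot versus archive storage for a chosen retention period. All device counts, rates and sizes are assumptions for illustration; real figures come from measuring your own estate.

```python
"""Worked SIEM sizing example (added illustration, not vendor code).

Step 1: estimate a per-device EPS from a timestamped log sample.
Step 2: roll an asset inventory up into total EPS, daily event volume,
        and retained storage for a given retention period.
All inventory figures, EPS rates and the log sample below are constructed.
"""
from collections import Counter
from datetime import datetime

# Constructed syslog-style sample from one device covering 5 seconds.
SAMPLE_LOG = """\
2024-01-10T08:00:00Z fw01 permit tcp 10.0.0.5:51234 -> 10.0.1.8:443
2024-01-10T08:00:00Z fw01 deny  tcp 10.0.0.9:40021 -> 10.0.1.8:22
2024-01-10T08:00:01Z fw01 permit udp 10.0.0.5:53211 -> 10.0.1.2:53
2024-01-10T08:00:02Z fw01 permit tcp 10.0.0.7:51235 -> 10.0.1.8:443
2024-01-10T08:00:02Z fw01 permit tcp 10.0.0.7:51236 -> 10.0.1.8:443
2024-01-10T08:00:02Z fw01 deny  tcp 10.0.0.9:40022 -> 10.0.1.8:22
2024-01-10T08:00:04Z fw01 permit tcp 10.0.0.5:51237 -> 10.0.1.8:443
"""


def measure_eps(log_text):
    """Return (average EPS, peak EPS) over the span covered by the sample.

    The span is counted in whole seconds from the first to the last
    timestamp, inclusive, so a sample spanning 08:00:00-08:00:04 is 5 s.
    Peak EPS is the busiest single second, which is what bursts look like.
    """
    per_second = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts = datetime.strptime(line.split()[0], "%Y-%m-%dT%H:%M:%SZ")
        per_second[ts] += 1
    span = (max(per_second) - min(per_second)).total_seconds() + 1
    total = sum(per_second.values())
    return total / span, max(per_second.values())


# Constructed inventory: (device type, count, average EPS per device,
# average event size in bytes). These are assumed values for illustration.
INVENTORY = [
    ("firewall",          4, 250.0, 300),
    ("domain controller", 3, 120.0, 900),
    ("windows server",   60,   5.0, 900),
    ("linux server",     40,   2.0, 250),
    ("workstation",     500,   0.5, 700),
]


def size_siem(inventory, retention_days, hot_days, peak_factor=3.0):
    """Aggregate the inventory into licensing and storage figures.

    peak_factor is the headroom applied to average EPS when choosing a
    licence tier, because licences are usually enforced against bursts,
    not the daily mean. Storage is raw (uncompressed) bytes.
    """
    total_eps = 0.0
    bytes_per_day = 0.0
    for _device, count, eps, event_bytes in inventory:
        device_eps = count * eps
        total_eps += device_eps
        bytes_per_day += device_eps * 86400 * event_bytes
    return {
        "average_eps": total_eps,
        "licensed_eps": total_eps * peak_factor,
        "events_per_day": total_eps * 86400,
        "gb_per_day": bytes_per_day / 1e9,
        "hot_storage_gb": bytes_per_day * hot_days / 1e9,
        "archive_gb": bytes_per_day * (retention_days - hot_days) / 1e9,
    }


if __name__ == "__main__":
    avg, peak = measure_eps(SAMPLE_LOG)
    print(f"sample device: {avg:.2f} EPS average, {peak} EPS peak")
    for key, value in size_siem(INVENTORY, retention_days=365, hot_days=30).items():
        print(f"{key:>16}: {value:,.1f}")
```

The two halves map onto the list above: the sample measurement is the "determining average event rates" step, and the inventory roll-up is the device count and retention step. Sizing from a short sample is the weak point in practice; measure over at least a full business cycle, and size licences to the peak figure rather than the average.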
A route map of some of today’s most high-profile security breaches reveals predictable
patterns. Attackers first emerge through the network perimeter, hijack credentials and move
laterally through the network, collecting additional credentials
and setting out to accomplish their goal. Singled out as one of the most dangerous attack
techniques, Kerberos attacks have grabbed eyeballs for three main reasons:
Once an attacker gains Local Admin privileges, he dumps additional credentials on compromised machines, enabling him to move laterally in the network and gain easy access to assets.
Attackers can use Kerberos tickets to impersonate authorised users and dodge authentication processes
Kerberos gives attackers time. Time to remain on the network for undiscovered periods, time to weed out information slowly but steadily and time to persist much after credentials are changed.
Luckily, Kerberos attacks can be predicted and prevented by:
Using machine learning to detect suspicious activity and provide rapid response and
Blocking an attacker’s progress either during credential theft or lateral movement.
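One concrete form of "detecting suspicious activity" for the lateral-movement stage described above, as an added example that is not the page's or any vendor's detection logic: a statistical baseline over Kerberos service ticket requests (Windows Security event 4769, collected from the domain controllers), flagging any account that requests tickets from far more client addresses, or for far more distinct services, than its peers in the same window. The records below are constructed; account names, addresses and service names are assumptions.

```python
"""Added illustration: baseline-and-deviation check over Kerberos service
ticket requests. Flags accounts whose fan-out (distinct client addresses,
distinct services) in one window is far above the other accounts' baseline.
Records are constructed; this is not a vendor's detection logic.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records shaped like Windows Security event 4769 (service
# ticket requested): (account, client address, service name). In a real
# deployment these come from every domain controller's Security log.
EVENTS = [
    ("alice", "10.0.2.11", "cifs/file01"), ("alice", "10.0.2.11", "HTTP/web01"),
    ("bob",   "10.0.2.12", "cifs/file01"), ("bob",   "10.0.2.12", "HTTP/web01"),
    ("bob",   "10.0.2.12", "cifs/file02"),
    ("carol", "10.0.2.13", "cifs/file01"),
    ("dave",  "10.0.2.14", "cifs/file01"), ("dave",  "10.0.2.14", "ldap/dc01"),
    ("erin",  "10.0.2.15", "cifs/file01"), ("erin",  "10.0.2.15", "HTTP/web01"),
    ("frank", "10.0.2.16", "cifs/file01"),
    ("grace", "10.0.2.17", "cifs/file01"), ("grace", "10.0.2.17", "HTTP/web02"),
    ("heidi", "10.0.2.18", "cifs/file01"), ("heidi", "10.0.2.18", "ldap/dc01"),
    # One account requesting tickets from many client addresses for many
    # services inside the same window: the fan-out stolen credentials show
    # while an attacker moves laterally (constructed).
] + [("svc-backup", f"10.0.2.{h}", f"cifs/file{h:02d}") for h in range(20, 32)]


def distinct_per_account(events, column):
    """Count distinct values of one column per account.

    column 1 = client address, column 2 = service name.
    """
    seen = defaultdict(set)
    for record in events:
        seen[record[0]].add(record[column])
    return {account: len(values) for account, values in seen.items()}


def flag_outliers(counts, k=3.0, floor=5):
    """Flag accounts whose count exceeds mean + k * stdev of the OTHER
    accounts (leave-one-out, so an outlier does not inflate its own
    baseline), with an absolute floor so near-zero variance among
    ordinary users does not turn a count of 2 into an alert.

    Returns {account: (observed count, threshold)}.
    """
    flagged = {}
    for account, value in counts.items():
        others = [v for a, v in counts.items() if a != account]
        if len(others) < 2:
            continue  # no population to baseline against
        threshold = max(mean(others) + k * pstdev(others), floor)
        if value > threshold:
            flagged[account] = (value, round(threshold, 2))
    return flagged


def detect(events):
    """Run both fan-out checks over one window of 4769 records."""
    return {
        "many_client_addresses": flag_outliers(distinct_per_account(events, 1)),
        "many_services": flag_outliers(distinct_per_account(events, 2)),
    }


if __name__ == "__main__":
    for check, hits in detect(EVENTS).items():
        for account, (observed, threshold) in hits.items():
            print(f"{check}: {account} observed={observed} threshold={threshold}")
```

The leave-one-out baseline is the important design choice: a single compromised account with a large fan-out would otherwise raise the population's standard deviation enough to hide itself. The floor guards the opposite failure, where a quiet population makes any second service look anomalous. In production, replace the single-window population baseline with each account's own history over weeks, since legitimate service accounts routinely touch many hosts and need to be baselined against themselves rather than against interactive users.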