Event Categories and Recommended UseCase (Part two)

This post is part two of Event Categories and Recommended UseCase; part one is here:

The guidelines in this article help SOC professionals understand and respond to security monitoring requirements in a more professional manner, and the use cases and correlation rules proposed here make the security monitoring service more relevant to the threat landscape. Use cases are recommended per event source category.

Antivirus

Anti-malware software prevents, detects and removes malicious software. Modern antivirus suites advertise protection against malicious browser helper objects (BHOs), keyloggers, backdoors, Trojans, rootkits, worms, adware, spyware, spam, phishing, APTs, privacy threats and DDoS attacks.

Common detection methods include:

Sandboxing – Behavioral detection performed by running the program in an isolated environment and recording all of its actions.

Data mining – Data mining and machine learning classifiers label a file as malicious or benign from a set of features extracted from the file itself.

Signature-based detection – Compares the suspected file or pattern against a database of signatures of known threats.

Heuristics – Compares the suspected file or pattern against a generic signature for a whole virus family, so that previously unseen variants of that family can still be caught.

Behavioral-based detection – Detects malware from the behavior it exhibits at run time rather than from what the file looks like.

Rootkit detection – A combination of advanced detection techniques is used, since a rootkit subverts the operating system's own view of files and processes and cannot be trusted to show itself to an ordinary scan.

Event Categories

The three major categories of events to consider from an antivirus event source for effective security monitoring are:

  1. AV definition/signature database status events – help the security analyst track the state of protection and whether virus and spyware definitions are up to date.
  2. Scan events – events generated by antivirus scans, including detections.
  3. Treatment events – events describing the action taken on infected files (clean, quarantine, delete, ignore, restore).
No | Use Case | Event Type / Category | Correlation Rule
---|----------|-----------------------|------------------
1 | Monitor antivirus logs to confirm that detected malware is cleaned properly. | AV Scan | Failed AV mitigation or cleaning detected; possible persistent infection.
2 | Identify machines that are not updated to the latest AV definitions. | AV Update | Detect unprotected endpoints and possible attempts to disable antivirus; detect antivirus stop, start and update failures.
3 | Identify machines that are updated to the latest AV definitions. | AV Update | Report the current AV protection posture.
4 | Identify failed quarantine actions. | AV Scan | Report antivirus trends: prevented, detected, remediated.
5 | Monitor antivirus logs to track the level, type and scope of infection. | AV Scan | Report the type and scope of infection; antivirus trends (prevented, detected, remediated); top malware attacks by source; top unusual traffic to and from sources; top sources and destinations of malicious connections; top systems with multiple infections or re-infections; top systems with suspicious malware activity.
6 | Identify events where the user chose to quarantine a file. | AV Treatment | Detect user-initiated quarantine actions.
7 | Identify events where the user chose to delete an item. | AV Treatment | Track forced file removal events.
8 | Identify events where the user chose to ignore an item. | AV Treatment | Report attempts to bypass the action recommended by the antivirus.
9 | Identify applications that were quarantined and then restored. | AV Treatment | Detect failed quarantine-restore attempts.
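Use cases 1, 2, 4 and 5 above become short correlation rules once the AV events are normalised into fields. The following Python is an added example, not code from the original post or from any antivirus vendor: it parses constructed key=value event lines (the field names `host`, `type`, `threat`, `action`, `result`, `version` and `state` are assumptions for this example) and implements the failed-mitigation, stale-definition, AV-stopped and re-infection rules over them.

```python
"""Correlation rules over antivirus events.

Added example; the event format below is constructed for illustration and its
field names (host, type, threat, action, result, version, state) are assumed,
not taken from any particular AV product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: definition-status, service-state and detection lines.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z host=ws-01 type=definition version=2024.04.30.1
2024-05-01T08:00:00Z host=ws-02 type=definition version=2024.04.28.2
2024-05-01T08:00:00Z host=ws-03 type=definition version=2024.04.30.1
2024-05-01T08:10:00Z host=ws-02 type=service state=stopped
2024-05-01T09:00:00Z host=ws-01 type=detection threat=Trojan.Agent action=quarantine result=success
2024-05-01T09:05:00Z host=ws-02 type=detection threat=Worm.Conficker action=clean result=failed
2024-05-01T10:00:00Z host=ws-02 type=detection threat=Worm.Conficker action=clean result=failed
2024-05-01T11:30:00Z host=ws-03 type=detection threat=Adware.Foo action=delete result=success
2024-05-01T12:00:00Z host=ws-02 type=detection threat=Worm.Conficker action=quarantine result=success
"""


def parse_event(line):
    """Turn 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def failed_mitigations(events):
    """Use cases 1 and 4: detections whose clean/quarantine/delete did not succeed."""
    return [(e["host"], e["threat"], e["action"])
            for e in events
            if e["type"] == "detection" and e.get("result") != "success"]


def stale_definitions(events):
    """Use cases 2 and 3: hosts whose last reported definition version is behind
    the newest version seen anywhere in the fleet. Returns (stale_hosts, newest).
    The versions here are date-shaped strings, so lexical order is release order;
    a real product needs its own version comparison."""
    current = {}
    for e in events:
        if e["type"] == "definition":
            current[e["host"]] = e["version"]  # later reports overwrite earlier ones
    if not current:
        return [], None
    newest = max(current.values())
    return sorted(h for h, v in current.items() if v < newest), newest


def av_stopped(events):
    """Use case 2: hosts reporting the AV service stopped (possible disable attempt)."""
    return sorted({e["host"] for e in events
                   if e["type"] == "service" and e.get("state") == "stopped"})


def reinfected_hosts(events, window=timedelta(hours=24), threshold=2):
    """Use case 5: the same threat on the same host at least `threshold` times
    inside a sliding `window`, i.e. the infection keeps coming back."""
    sightings = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "detection":
            sightings[(e["host"], e["threat"])].append(e["ts"])
    hits = []
    for key, times in sightings.items():
        for start in times:
            if sum(1 for t in times if start <= t <= start + window) >= threshold:
                hits.append(key)
                break
    return sorted(hits)


def run_rules(text):
    """Run every rule over one log excerpt and return the findings by rule name."""
    events = parse_log(text)
    stale, newest = stale_definitions(events)
    return {
        "failed_mitigation": failed_mitigations(events),
        "stale_definitions": stale,
        "newest_definition": newest,
        "av_stopped": av_stopped(events),
        "reinfected": reinfected_hosts(events),
    }


if __name__ == "__main__":
    for rule, result in run_rules(SAMPLE_LOG).items():
        print(f"{rule}: {result}")
```

On the constructed sample, ws-02 trips all four rules at once (two failed cleans, definitions behind the fleet, service stopped, the same worm seen three times in a day), which is exactly the host an analyst should look at first: the later successful quarantine on its own would read as "handled". The stale-definition rule compares against the newest version observed rather than a hard-coded value, so it needs no maintenance when the vendor ships a new update, but it also means a fleet that is uniformly out of date reports nothing; pair it with an age check on the newest version itself.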

End-point Threat Protection, Application Control and Whitelisting Solutions

Endpoint security tools prevent and detect threats on the devices they run on. Although a single endpoint has only limited visibility of an attack, the endpoint agents report to a management server that aggregates what every agent sees. It is therefore important to monitor both the endpoint security server and the client event data, and the SIEM should carry correlation policies that cover activity on both.

Application whitelisting solutions allow only specific applications to execute, based on policies defined in terms of users, groups, systems and other attributes. The trustworthiness of an application can be established by verifying the software vendor's code-signing certificate or by the path from which the application runs; it can also be checked by comparing the hashes of the files that make up the application, computed with a standard hash function, against a list of known-good values.

Behavior analytics also plays a considerable role in detecting rogue applications. It is not easy to define generic use cases for this kind of event source; the features offered by each solution should be analysed case by case to develop effective use cases.

No | Use Case | Event Type / Category | Correlation Rule
---|----------|-----------------------|------------------
1 | Identify and prevent the use of unauthorized software in the enterprise; detect malicious software implantation, propagation, scanning and intrusion in near real time. | Rogue software | Installation of unauthorized software and use of rogue applications.
2 | Detect and prevent zero-day attack initiation and progress in the enterprise in near real time. | Zero Day | Detect possible zero-day attack initiation.
3 | Identify data access attempts and prevent data loss by strictly monitoring files, directories, USB and other removable devices. | External devices | Detect possible data exfiltration attempts; top and unusual web and database application access.
4 | Detect and prevent malware infection or propagation from USB and other removable devices. | External devices | Detect unauthorized removable devices in use.
5 | Monitor access requests to fixed-function endpoints such as point-of-sale (POS) terminals, medical equipment, industrial control systems, SCADA and aeronautical systems, and prevent unauthorized access attempts. | POS | Detect unauthorized access attempts to fixed-function endpoints.
6 | Monitor user and administrator activity to ensure compliance. | UAM | Detect unusual user activity.
7 | Perform malware impact assessment to aid investigation: time and type of attack, mode of propagation, which endpoints were infected and which machines are engaged in suspicious activity. | Impact Assessment | Detect suspicious endpoint activity.
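The three trust checks described for whitelisting (vendor certificate, run path, file hash) and use cases 1 and 4 above (rogue software, execution from removable media) can be shown together as one policy decision per execution event. The following Python is an added example, not code from the original post or from any application control product: the event fields (`path`, `sha256`, `signer`, `removable`), the policy sets and the sample events are all constructed assumptions, and the `signer` field stands for a certificate subject the agent has already validated.

```python
"""Allowlist decision for application execution events.

Added example, not code from the original post or any whitelisting product.
The event fields (path, sha256, signer, removable) and the policy sets below are
assumptions constructed for this example.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ExecEvent:
    host: str
    user: str
    path: str
    sha256: str
    signer: Optional[str] = None   # subject of an already-verified code-signing cert
    removable: bool = False        # agent flagged the volume as removable media


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed policy. Hash rules are the most specific (one exact build), signer
# rules cover every binary a vendor signs, and path rules are the weakest: they
# must only name directories that standard users cannot write to.
APPROVED_BUILD = b"constructed bytes standing in for an approved build of tool.exe"
ALLOWED_HASHES = {sha256_hex(APPROVED_BUILD)}
TRUSTED_SIGNERS = {"Contoso Corp", "Microsoft Windows"}
TRUSTED_PATHS = ("c:\\program files\\", "c:\\windows\\system32\\")
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")


def decide(event: ExecEvent):
    """Return (verdict, reason) for one execution attempt, most specific rule first."""
    if event.sha256 in ALLOWED_HASHES:
        return "allow", "hash"
    if event.signer in TRUSTED_SIGNERS:
        return "allow", "signer"
    path = event.path.lower()  # Windows paths are case-insensitive
    if path.startswith(TRUSTED_PATHS) and not path.startswith(USER_WRITABLE):
        return "allow", "path"
    return "deny", "no matching rule"


def alerts(events):
    """Use case 1: unauthorized software; use case 4: anything run from removable media."""
    out = []
    for ev in events:
        verdict, _reason = decide(ev)
        if verdict == "deny":
            out.append((ev.host, "unauthorized software", ev.path))
        if ev.removable:
            out.append((ev.host, "execution from removable media", ev.path))
    return out


# Constructed sample events covering each rule tier, a denial and removable media.
SAMPLE_EVENTS = [
    ExecEvent("ws-01", "alice", "C:\\Program Files\\Contoso\\tool.exe", sha256_hex(APPROVED_BUILD)),
    ExecEvent("ws-01", "alice", "C:\\Program Files\\Contoso\\update.exe", sha256_hex(b"new build"),
              signer="Contoso Corp"),
    ExecEvent("ws-02", "bob", "C:\\Windows\\System32\\notepad.exe", sha256_hex(b"notepad")),
    ExecEvent("ws-02", "bob", "C:\\Users\\bob\\Downloads\\invoice.pdf.exe", sha256_hex(b"dropper")),
    ExecEvent("ws-03", "carol", "E:\\autorun\\setup.exe", sha256_hex(b"usb payload"),
              signer="Unknown Ltd", removable=True),
    ExecEvent("ws-03", "carol", "E:\\tool.exe", sha256_hex(APPROVED_BUILD), removable=True),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.host, ev.path, decide(ev))
    for alert in alerts(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The rule order matters: a hash match is accepted wherever the file sits (the approved build run from the USB stick is allowed, but still raises the removable-media alert), while the path rule is only consulted last and never for user-writable locations, which is why the renamed dropper in Downloads is denied even though nothing about its name looks wrong. In a real deployment the signer check must be done by the agent against a verified certificate chain, not by trusting a string in the event.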
