Event Categories and Recommended Use Cases (Part 1)

The guidelines provided in this article help SOC professionals understand and respond to security monitoring requirements in a more professional manner. Additionally, the use cases and correlation rules proposed here help make the security monitoring service more relevant to the current threat landscape. The use cases are recommended per event source category.

The major event source categories considered are:

Anti-spam
Anti-virus
End-point threat protection / Application control / whitelisting solution
Web/Application server or database
Data loss prevention / File integrity monitor
Financial application
Host-based firewall
Single sign-on
IPS/IDS
Network-based firewall
Network user behavior analysis
Operating system
Storage
VPN
Vulnerability scanning solution
NAC solution

Anti-Spam

There are several kinds of anti-spam solution: gateway-based filters, client-side applications, and mail-server-integrated solutions. Gateway filters are dedicated anti-spam appliances or services that are often coupled with anti-virus to provide an end-to-end mail filtering service.
Gateway filters off-load the performance and bandwidth cost of running spam filtering on the mail server itself. Mail-server-integrated anti-spam solutions run directly on the mail server and process spam inline. A client-side application that runs on the end user's system to process spam is not widely used in corporate environments; however, the heuristic capabilities of these products and their lower price make them a good choice for home users.

Anti-Spam Detection and Processing Techniques

Anti-spam solutions use different techniques for the detection and processing of spam. These include, but are not limited to:

  1. Hashing or checksums
  2. Open relay checks
  3. RBL check
  4. Bayesian filter
  5. Heuristic
  6. Signatures
  7. Blacklisting and whitelisting

Hashing or Checksums

Hash values of a specific portion of the spam emails are computed and stored in the anti-spam solutions. An email that matches the stored hash will be flagged as spam.

Open Relay Checks

Open relay checks verify whether the source mail server permits relaying for arbitrary senders. Mail servers that are (mis)configured as open relays can be abused by attackers to send spam through a third party's infrastructure, sidestepping the blacklisting of their own servers. Anti-spam solutions therefore block email from source servers that permit open relaying.

RBL check

Anti-spam solutions may use real-time black lists (RBLs) of known malicious or spam-sending hosts to block spam emails at connection time.

Bayesian Filter

Bayesian filters use user feedback (messages marked as spam or not spam) to calculate the statistical probability that a new email is spam.

Heuristic

The probability that a message is spam is calculated statistically from a combination of detection mechanisms, each of which recognizes specific patterns that indicate spam.

Signatures

Specific keywords within a message are checked for the identification of spam.

Black Listing and White Listing

With blacklisting, the anti-spam solution blocks messages from a user-defined source address, domain, or IP. Anti-spam solutions can also be configured to permit messages from user-defined whitelists only.
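To make the techniques above concrete, the following Python scorer combines hash/checksum matching, an RBL lookup, keyword signatures, a Bayesian filter trained on user-labelled mail, and sender black/white lists. This is an added example written for this article, not code from any anti-spam product; the RBL entries, spam hashes, keyword list and training messages are all constructed, and a real gateway would query live RBLs and maintain far larger corpora.

```python
"""Toy anti-spam scorer that combines the techniques described above:
hash/checksum matching, an RBL lookup, signature keywords, a Bayesian filter
trained on user-labelled mail, and sender black/white lists.
All reference data (RBL hits, spam hashes, keyword signatures, training mail)
is constructed for this example; a real gateway would query live RBLs and
maintain much larger corpora."""
import hashlib
import math
import re
from collections import Counter

# Constructed reference data (assumptions, not real feeds).
RBL_LISTED_IPS = {"203.0.113.7"}                # TEST-NET address standing in for an RBL hit
SIGNATURE_KEYWORDS = {"viagra", "lottery", "winner", "unsubscribe now"}
BLACKLISTED_DOMAINS = {"spam.example"}
WHITELISTED_DOMAINS = {"partner.example"}
KNOWN_SPAM_HASHES = set()                       # filled by index_spam_sample()

SPAM_TRAINING = [
    "You are the lucky winner of our lottery, claim your prize now",
    "Cheap viagra pills, buy now",
]
HAM_TRAINING = [
    "Meeting notes attached for tomorrow's project review",
    "Can you send the quarterly report by Friday",
]

def normalize_body(body):
    """Lower-case, drop punctuation and collapse whitespace so trivial edits
    to a spam template do not change its hash."""
    body = re.sub(r"[^a-z0-9 ]", "", body.lower())
    return re.sub(r"\s+", " ", body).strip()

def body_hash(body):
    return hashlib.sha256(normalize_body(body).encode()).hexdigest()

def index_spam_sample(body):
    """Store the checksum of a confirmed spam message."""
    KNOWN_SPAM_HASHES.add(body_hash(body))

def tokens(text):
    return re.findall(r"[a-z']+", text.lower())

class BayesianFilter:
    """Naive Bayes over word presence, trained from user-labelled messages."""
    def __init__(self):
        self.spam, self.ham = Counter(), Counter()
        self.n_spam = self.n_ham = 0

    def train(self, body, is_spam):
        if is_spam:
            self.spam.update(set(tokens(body)))
            self.n_spam += 1
        else:
            self.ham.update(set(tokens(body)))
            self.n_ham += 1

    def spam_probability(self, body):
        """P(spam | tokens) via log-odds with Laplace smoothing."""
        log_odds = math.log((self.n_spam + 1) / (self.n_ham + 1))
        for tok in set(tokens(body)):
            p_s = (self.spam[tok] + 1) / (self.n_spam + 2)
            p_h = (self.ham[tok] + 1) / (self.n_ham + 2)
            log_odds += math.log(p_s / p_h)
        return 1 / (1 + math.exp(-log_odds))

def build_demo_filter():
    """Train the Bayesian filter and the hash corpus on the constructed samples."""
    bayes = BayesianFilter()
    for body in SPAM_TRAINING:
        bayes.train(body, True)
        index_spam_sample(body)
    for body in HAM_TRAINING:
        bayes.train(body, False)
    return bayes

def classify(msg, bayes, threshold=0.8):
    """Return (verdict, reasons) for a message dict with from, src_ip and body.
    A whitelist hit short-circuits; every other technique contributes a reason."""
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if sender_domain in WHITELISTED_DOMAINS:
        return "ham", ["whitelisted domain"]
    reasons = []
    if sender_domain in BLACKLISTED_DOMAINS:
        reasons.append("blacklisted domain")
    if msg["src_ip"] in RBL_LISTED_IPS:
        reasons.append("source IP on RBL")
    if body_hash(msg["body"]) in KNOWN_SPAM_HASHES:
        reasons.append("body hash matches known spam")
    hits = sorted(k for k in SIGNATURE_KEYWORDS if k in msg["body"].lower())
    if hits:
        reasons.append("signature keywords: " + ", ".join(hits))
    p = bayes.spam_probability(msg["body"])
    if p >= threshold:
        reasons.append("bayesian score %.2f" % p)
    return ("spam" if reasons else "ham"), reasons

if __name__ == "__main__":
    demo = build_demo_filter()
    print(classify({"from": "promo@spam.example", "src_ip": "203.0.113.7",
                    "body": "You are the LUCKY winner of our lottery,  claim your prize now"}, demo))
```

Each technique produces a named reason rather than a bare verdict, so an analyst reviewing a quarantined message can see which check fired; the whitelist is evaluated first because, as the text notes, a whitelist-only policy is meant to override every other check.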

Anti-Spam Event Categories

As a security analyst, one should consider developing and implementing at least the set of use cases and correlation rules recommended below for an anti-spam event source.
Below are the major anti-spam event categories to be considered from a security perspective.

Email spam
Instant messaging spam
Comment spam
Junk FAX (Out of Scope for Security Analytics)
Internet telephony spam
Unsolicited text messages (Out of Scope for Security Analytics)

No. | Use Case | Event Type / Category | Correlation Rule
1 | Trigger alert for email SPAM originating from inside | General Email SPAM | ATYPICAL/UNUSUAL outbound Email, possible SPAM
2 | Trigger alert for SPAM in incoming email with RBL, IP reputation and MIME header checks | General Email SPAM | ATYPICAL/UNUSUAL inbound Email, possible SPAM, TOP SPAM sources reported
3 | Trigger alarm if phishing content is found in an email | General Email SPAM | PHISHING content inside the email, possible spear-phishing attempt/SPAM
4 | Trigger alarm if SPAM content is found in an IM flow | Instant Messaging SPAM | ATYPICAL/UNUSUAL instant messaging communication, possible SPAM
5 | Trigger alarm if SPAM content is found in a VoIP flow | Internet Telephony SPAM | ATYPICAL/UNUSUAL Internet Telephony communication detected, possible SPAM
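The five use cases in the table above, expressed as correlation logic and run over a handful of constructed anti-spam gateway events. This is an added example for this article, not the author's rules or any SIEM's content pack: the key=value log format, the field names (channel, direction, verdict, reason) and the internal address range are assumptions made here, so a real deployment would map the rules onto its own gateway's schema.

```python
"""Correlation logic for the five anti-spam use cases in the table above, run
over constructed anti-spam gateway log lines. The key=value log format, the
field names and the internal address range are assumptions made for this
example, not any product's schema."""
from collections import Counter

# Constructed sample events (TEST-NET addresses and example domains only).
LOG_LINES = [
    "ts=2024-01-01T09:00:01Z channel=email direction=outbound src_ip=10.0.0.25 sender=bob@corp.example verdict=spam reason=bayes",
    "ts=2024-01-01T09:00:05Z channel=email direction=inbound src_ip=203.0.113.7 sender=promo@spam.example verdict=spam reason=rbl",
    "ts=2024-01-01T09:00:09Z channel=email direction=inbound src_ip=203.0.113.7 sender=offers@spam.example verdict=spam reason=ip_reputation",
    "ts=2024-01-01T09:00:12Z channel=email direction=inbound src_ip=198.51.100.4 sender=it-helpdesk@example.net verdict=spam reason=phishing",
    "ts=2024-01-01T09:00:15Z channel=email direction=inbound src_ip=192.0.2.50 sender=alice@partner.example verdict=clean reason=none",
    "ts=2024-01-01T09:00:20Z channel=im direction=inbound src_ip=198.51.100.9 sender=bot123 verdict=spam reason=signature",
    "ts=2024-01-01T09:00:31Z channel=voip direction=inbound src_ip=198.51.100.22 sender=+15550100 verdict=spam reason=heuristic",
]

INTERNAL_PREFIXES = ("10.",)                     # assumption: internal sender network
REPUTATION_REASONS = {"rbl", "ip_reputation", "mime_header"}

# Correlation rule text taken from the use-case table.
RULES = {
    1: "ATYPICAL/UNUSUAL outbound Email, possible SPAM",
    2: "ATYPICAL/UNUSUAL inbound Email, possible SPAM, TOP SPAM sources reported",
    3: "PHISHING content inside the email, possible spear-phishing attempt/SPAM",
    4: "ATYPICAL/UNUSUAL instant messaging communication, possible SPAM",
    5: "ATYPICAL/UNUSUAL Internet Telephony communication detected, possible SPAM",
}

def parse_event(line):
    """Split a 'key=value key=value ...' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def parse_events(lines):
    return [parse_event(line) for line in lines]

def top_spam_sources(events, n=3):
    """Most frequent source IPs among inbound email flagged as spam (use case 2)."""
    sources = Counter(e["src_ip"] for e in events
                      if e["channel"] == "email" and e["direction"] == "inbound"
                      and e["verdict"] == "spam")
    return sources.most_common(n)

def make_alert(rule, event):
    return {"rule": rule, "message": RULES[rule], "src_ip": event["src_ip"],
            "sender": event["sender"], "ts": event["ts"]}

def correlate(events):
    """Apply the five correlation rules. Rules 1, 3, 4 and 5 alert per event;
    rule 2 aggregates inbound reputation hits into one alert that carries the
    top spam sources, as the table's rule text requires."""
    alerts, reputation_hits = [], []
    for e in events:
        if e["verdict"] != "spam":
            continue
        channel, direction = e["channel"], e["direction"]
        if channel == "email" and direction == "outbound" and e["src_ip"].startswith(INTERNAL_PREFIXES):
            alerts.append(make_alert(1, e))
        elif channel == "email" and e["reason"] == "phishing":
            alerts.append(make_alert(3, e))
        elif channel == "email" and direction == "inbound" and e["reason"] in REPUTATION_REASONS:
            reputation_hits.append(e)
        elif channel == "im":
            alerts.append(make_alert(4, e))
        elif channel == "voip":
            alerts.append(make_alert(5, e))
    if reputation_hits:
        alerts.append({"rule": 2, "message": RULES[2],
                       "hits": len(reputation_hits),
                       "top_sources": top_spam_sources(events)})
    return alerts

if __name__ == "__main__":
    for alert in correlate(parse_events(LOG_LINES)):
        print(alert)
```

The phishing check is ordered before the generic inbound check so that a phishing event raises the higher-priority rule 3 alert instead of being folded into the rule 2 aggregate; the top-sources report still counts it, since the table asks for top spam sources across all inbound spam.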
