Thanks to the widespread use of information and communication technologies, there are developments in the quality and quantity of cyber threats. Cyber threats; It targets individuals, institutions and organizations and even states. Countries carry out administrative restructuring, take technical measures and become compatible with legal infrastructures in order to ensure their cyber security. In order to prevent a possible cyber attack, institutions keep a log record of their information systems and network components. As these log records are monitored, it is necessary to detect attack techniques and detect possible cyber events by filtering them during a cyber event. It is possible to provide this detection with central security monitoring and event management systems. It is very difficult to correlate many events from different systems and to obtain meaningful results. It is also of vital importance. The Critical Infrastructure Sector (energy, electronics, communications, finance, water management, critical utilities, transportation, etc.) and all organizations that control systems within their own body need a centralized security monitoring and event management system.
It also has advantages such as centralized management of trace records in central security monitoring and incident management. Before moving on to these advantages, if we give brief information about the log records;
Log What is it? It is the recording of all activities that take place in the digital environment. Thanks to the generated log, there are data that have the quality of evidence in any situation experienced.
Thanks to the logs kept, it is possible to answer the 5W1K questions. For example;
-What?
-Unauthorized access, deletion of records, creation of authorized user…
-When?
-Friday 28 15:44:28 2015, 10/08/2015, 2015-01-30 15:45:44
-12350495043800345345, 12.01.2015 10:33:56
-Where?
-On file server, email, web service, active directory
-From where?
-Attack Guanjou Internet Provider at 99.214.77.13, Beijing China
-One of the 3rd floor of the office
-The stolen data was sent to 56.2.3.5 Karachi, Pakistan
-How?
-SQL injection, brute force attack, spam, social engineering…
-Who?
-10.2.2.4, mehmet, FF01::101, 01:23:45:67:89:AB
Teams involved in central security monitoring and event management, thanks to recorded logs;
-Can monitor logs.
-Can analyze the logs it monitors.
-It can fix a problem with logs.
-It can give information about what happened in the past thanks to the logs it has.
-Forensic evidence can be examined.
-A cyber incident response can be made.
Log Types;
-Windows Event Log
-UNIX Syslog
-Cisco Netflow
-Performance Logs
-Application Logs
-Firewall
-Checkpoint
-Juniper Netscreen
-Cisco PIX/ASA/FWSM
-IDS log formats
-Sourcefire Snort
-McAfee Intrushield
-Cisco IPS
-Tippingpoint
-Web servers
-Apache
-Tomcat
-Internet Information Systems (IIS)
Problems Encountered While Collecting LOGS
-Comparable which log is valuable for security as there is a lot of inventory to monitor.
-When logs are scattered in different places, it becomes difficult to look and analyze one by one.
-Record inspection software alone is insufficient, additional systems should be used to intervene incoming alarms.
-There are many log records of different formats and types.
-Log manufacturers have different configuration settings, that is, they do not have a standard format.
-Application-based logs are produced.
There are fundamental tasks undertaken by the team involved in creating centralized security monitoring and incident management. We can divide these tasks into 3 main headings: before, during and after the cyber incident.
To explain in order;
Before Cyber Incident
In the event that a cyber incident does not occur or does not occur in the institution, the team involved in creating central security monitoring and incident management should;
- Carrying out in-house awareness studies.
-Preparing periodical in-house bulletins on cyber security.
-Regularly conducting surveys to measure the information security awareness of the institution.
-Performing or having penetration tests for corporate information systems.
-Regular review of records.
-Log records need to be managed centrally. Centrally managed ensures that the minimum qualifications of records to be kept for obtaining reliable evidence for post-incident review are centrally maintained and managed in accordance with the document.
-Corporate SOME organizes its duties and responsibilities before, during and after the cyber incident, and the relations of the institution with other units, preparation of cyber incident management-instructions (cyber incident response, cyber incident notification process, etc.)
- Conducting cyber security exercises.
During Cyber Incident
After a cyber incident occurs in the institution and the incident is intervened, the team involved in Central security monitoring and incident management performs the following tasks:
-The opening that caused the incident is determined without delay and the lessons learned are recorded.
- Fills out the cyber incident evaluation form in accordance with the criteria determined by the USOM, sends the information about the cyber incident to USOM and, if any, to the Sectoral SOME to which it is affiliated, and records it.
- Suggestions regarding the corrective/preventive actions that can be taken in relation to the incident are submitted to the management of the institution.
-The types, quantities and costs of cyber incidents are measured and monitored.
- A cyber incident response report is prepared, in which the processes related to the cyber incident are explained in detail. It is forwarded to the senior management, USOM and, if any, the Sectoral SOME to which it is affiliated.
After the institution establishes a central security monitoring and incident management system, it should immediately create an annual report. Thanks to its annual report, it enables it to act in a planned manner from the moment it is exposed to a cyber attack. The headings that should be included in the annual report as recommendations;
Human Resources
-Staff status
-Internal awareness studies
-Trainings, conferences
Risk Analysis Process
-Information systems testing activities
-Trace records review activities
-Response and coordinated cyber incidents
Experiences gained and corrective actions implemented
Studies with internal and external stakeholders
Other activities
Capabilities of Central Records Management
– Being informed about the events from the IT infrastructure
– Ability to notify about critical events in the system
– Detection of advanced attacks
– Event association
– Risk calculation
– Detailed reporting and event tracking
– Merge of same records
– Warning, alarm mechanisms
– Visual analysis with the help of Dashboards
– Regulatory compliance
– Long-term storage of records
– Forensic analysis
– Real-time data and user monitoring
– Threat information
– Monitoring of applications
– Management from a single center
Installation stages of Central Records Management systems;
Planning
– Asset inventory of corporate information systems
– Assigning risk value to assets in asset inventory
– Extracting the corporate network topology
– Prioritizing and determining the logs to be collected
– Planning of Central Records Management and Security Monitoring System components
Installing Components
– Installation of log servers
– Installation of central security monitoring server
– Installation of sensors
– Installation of reporting tools
– Installation of storage areas
Collection of Records
– Applications
– Web / application servers
– Databases
– Authorization servers
• LDAP
• AD
• Aruba Radius
– Operating systems
– Windows
– Linux
– Virtualization system
– Backup system
– Safety devices
• Firewall
• Intrusion detection and prevention system (IDS/IPS)
• Antivirus systems
• Content filters
• Data leakage prevention system
– Network and active devices
• Routers and switching devices
• Network flow records (Netflow)
Integrating Intrusion Detection Systems
Intrusion Detection Systems are devices/software used to monitor malicious activities against networks or systems, or political violations within the organization. Any malicious activity detected is monitored on the dashboard, which shows that it is collected and presented centrally thanks to STS systems as a notification. STS systems combine output from various sources and use alarm filtering techniques to separate malicious alarm from false alarms. As an example of the most common STS systems; network intrusion detection systems (NIDS), computer-based intrusion detection systems (HIDS), SIEM, SOAR, IDS, IPS. The main task of this system is to identify malicious activities and report the type of attack.
– IDS installation and configuration
– IPS installation and configuration
– DMZ intrusion detection and prevention setup and configuration
– For keeping audit (logging) records on critical servers
making configurations
– SIEM systems installation and configuration
– Event association systems (SIM) installation and configuration
– Installation and configuration of SOAR systems
Free Open Source Systems
•ACARM-ng
•AIDE
•Bro NIDS
•Fail2ban
•OSSEC HIDS
•Prelude Hybrid IDS
•Samhain
•Snort
•Suricata
Attribution and Attack Scenarios
– Adapting ready-made association rules and determining possible attack scenarios and creating rules
– Brute force
– Port scan
– Pass the hash
– Symmetrical connections
– Out-of-hours activities
– Excessive bandwith usage
– Login of the same account on more than one machine
– Attempts to access system admin machines
– Attempts to access critical users
– Attempts to access critical servers from unauthorized networks
– Determination of warning/precautionary mechanisms
– Creation of e-mail alert mechanisms
– Setting the working mode as intrusion prevention or intrusion detection system
Dashboard Design
Incident Response and Alarm Generation
– Generated alarms are examined
– Relevant units are activated when necessary
– The problem is solved by taking the necessary actions
– The system is restored
– The source of the problem is reported
– All transactions are recorded
- Relevant measures are taken to prevent the same problem from happening again.
Reporting
– Determining the reports to be produced
