I published the following diary on isc.sans.org: “DNS Query Length… Because Size Does Matter“. In many cases, DNS remains a goldmine to detect potentially malicious activity. DNS can be used in multiple ways to bypass securityÂ controls. DNS tunnelling is a common way to establish connections with remote systems. It is
Category: Logs Management / SIEM
[SANS ISC] Pro & Con of Outsourcing your SOC
I published the following diary on isc.sans.org: “Pro & Con of Outsourcing your SOC“. I’m involved in a project to deploy a SIEM (“Security Information &Event Management“) / SOC (“Security Operation Center“) for a customer. The current approach is to outsource the services to an external company also called a
[SANS ISC Diary] Retro Hunting!
I published the following diary on isc.sans.org: “Retro Hunting!“. For a while, one of the securityÂ trends is to integrate information from 3rd-party feeds to improve the detection of suspicious activities. By collecting indicators of compromize, other tools may correlate them with their own data and generate alerts on specific conditions.
Getting Useful Info From the Log Hell with Awk
Getting useful info from log file should be piece of cake …if the file is properly formatted! Usually, one event is written on a single line with useful info delimited by a separator or extractable using regular expressions. But it’s not always the case, welcome to the log hell…
The Truth is in Your Logs!
Keeping an eye on logs is boring… but mandatory! Hopefully, sometimes it can reveal funny stuffs! It looks like people at the CCC are having some fun too while their annual conference is ongoing… Here is what I got in my Apache logs this morning: 22.214.171.124 – – [30/Dec/2015:06:51:22 +0100]
Tracking Administrator Sessions in Windows Environments
Tracking users with privileged access is a critical taskÂ in your security policy (SANS Critical Security Control #12). If the key point is to restrict the number of “power users” to the lowest, it’s not always easy. Most of them will argue that they need administrator rights “to be able to
Playing with IP Reputation with Dshield & OSSEC
[This blogpost has also been published as a guest diary on isc.sans.org] When investigating incidents or searchingÂ for malicious activity in your logs, IP reputation is a nice way to increase the reliability of generated alerts. It can help to prioritize incidents. Let’s takeÂ an example with a WordPress blog. It will,
The Art of Logging
[This blogpost has been published as a guest diary on isc.sans.org] HandlingÂ log files is not a new topic. For a long time, people should know that taking care of your logs is a must have. They are very valuable when you need to investigate an incident. But, if collecting events
Check Point Firewall Logs and Logstash (ELK) Integration
It has been a while that I did not write an article on log management. Here is a quick how-to about the integration of Check Point firewall logs into ELK. For a while, this log management framework is gaining more and more popularity. ELK is based on three core components:
Log Awareness Trainings?
More and more companies organize “security awareness” trainings for their team members. With the growing threats faced by people while using their computers or any connected device, it is definitively a good idea. The goal of such trainings is to make people open their eyes and change their attitudeÂ towards security.