Wednesday, December 21, 2011

SIEM Analysis: Correlation of Security events


Transaction fraud, Man-in-the-Browser (MitB) attacks and various others are hard to detect from a single event, so a correlated view is an invaluable capability. Looking at the application transactions and correlating that information with other requests, the IT infrastructure and other relevant feeds yields the most complete picture of fraudulent transactions. Looking at the application transactions alone reveals only part of the fraud picture.

Frequency/Statistical analysis

The following considerations are important when looking at the logs:

• Most users access only one or two accounts from the same location; the fraudster accesses dozens or hundreds of accounts
• The fraudster continually tries to use various known fraudulent social security numbers; each rejection raises the moving-average count
• Most users stay logged in for minutes; the fraudster stays logged in for hours
• Most users conduct three or fewer transactions; the fraudster conducts dozens or hundreds of transactions

Pattern analysis

Check the browser/user agents used. If the user agent is a known crawler or offline browser, correlate that pattern to check whether the same IP address also appears in any other alert_type, such as Remote File Inclusion, SQL Injection, XML Injection or Cross-Site Scripting.
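The frequency baselines above and the user-agent/alert_type correlation can be run together as one per-IP pass. The following is an added example, not code from the original post: the log lines, the crawler user-agent list and the numeric baselines are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data (not from any real deployment). One app-log line per login
# session: source IP, account, transaction count, session minutes, user agent.
APP_LOG = """
10.0.0.5 acct=1001 txns=2 session_min=4 ua="Mozilla/5.0 Firefox/8.0"
10.0.0.5 acct=1002 txns=1 session_min=6 ua="Mozilla/5.0 Firefox/8.0"
198.51.100.7 acct=2001 txns=14 session_min=185 ua="HTTrack 3.0x"
198.51.100.7 acct=2002 txns=22 session_min=185 ua="HTTrack 3.0x"
198.51.100.7 acct=2003 txns=31 session_min=185 ua="HTTrack 3.0x"
"""
ALERT_LOG = """
198.51.100.7 alert_type=SQL_Injection
198.51.100.7 alert_type=Remote_File_Inclusion
10.0.0.9 alert_type=Cross_Site_Scripting
"""  # constructed WAF/IDS alerts keyed by the same source IP
LINE_RE = re.compile(r'^(\S+) acct=(\d+) txns=(\d+) session_min=(\d+) ua="([^"]*)"$')
CRAWLER_UA = re.compile(r"httrack|wget|curl|offline explorer", re.I)  # assumed list
LIMITS = {"accounts": 2, "session_min": 60, "txns": 3}  # baselines from the considerations above

def profile_by_ip(app_log):
    """Per source IP: distinct accounts, longest session, busiest session, user agents."""
    prof = defaultdict(lambda: {"accounts": set(), "session_min": 0, "txns": 0, "ua": set()})
    for m in filter(None, map(LINE_RE.match, app_log.splitlines())):  # skip malformed lines
        ip, acct, txns, mins, ua = m.groups()
        p = prof[ip]
        p["accounts"].add(acct)
        p["session_min"] = max(p["session_min"], int(mins))
        p["txns"] = max(p["txns"], int(txns))
        p["ua"].add(ua)
    return prof

def correlate(app_log=APP_LOG, alert_log=ALERT_LOG):
    """Return {ip: [reasons]} for IPs that break a baseline or use a crawler user agent."""
    alerts = defaultdict(set)
    for line in alert_log.splitlines():
        ip, _, atype = line.partition(" alert_type=")
        if atype:
            alerts[ip].add(atype)
    findings = {}
    for ip, p in profile_by_ip(app_log).items():
        stats = {"accounts": len(p["accounts"]), "session_min": p["session_min"], "txns": p["txns"]}
        reasons = [f"{k}={v} exceeds baseline {LIMITS[k]}" for k, v in stats.items() if v > LIMITS[k]]
        if any(CRAWLER_UA.search(ua) for ua in p["ua"]):  # pattern-analysis step
            reasons.append("crawler/offline-browser user agent")
            reasons += [f"other alert: {a}" for a in sorted(alerts.get(ip, ()))]
        if reasons:
            findings[ip] = reasons
    return findings
```

Alerts for an IP with no application sessions (10.0.0.9 above) are deliberately left to the sensor that raised them; only IPs seen in the application log are scored here.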