Sep 23 2022

Diving Deeper to Understand the Windows Event logs for Cyber Security Operation Center (SOC)

Category: Security Operations CenterDISC @ 9:02 am

Cyber Security operations center is protecting organizations and sensitive business data of customers. It ensures active monitoring of valuable assets of business with visibility, alerting and investigating threats and a holistic approach to managing risk.

Analytics service can be in-house or managed security service. Collecting event logs and analyzing logs with real-world attacks is the heart of the security operation center.

Events – Security operations center

Events are generated by systems which are error codes, devices generate events with success or failure to its normal event logging plays an important role to detect threats. In the organization, there are multiple number and flavors of  Windows, Linux, firewalls, IDS, IPS, Proxy, Netflow, ODBC, AWS, Vmware etc.

These devices usually track attackers footprints as logs and forward to SIEM tools to analyze. In this article, will see how events are pushed to log collector. To know more about windows events or event ids refer Here.

Log Collector

It’s a centralized server to receive logs from any devices. Here I have deployed Snare Agent in Windows 10 machine. So we will collect windows event logs and Detect attacks to windows 10 machine attacks using Snare Agent.

The snare is SIEM(SECURITY INCIDENT AND EVENT MANAGEMENT) Solution for log collector and event analyzer in various operating systems Windows, Linux, OSX Apple, and supports database agent MSSQL events generated by Microsoft SQL Server. It supports both Enterprise and Opensource Agents.

Windows Event logs

Snare Installation

The Snare Agents are issued as both a free open source download, Snare Lite, as well as a commercially supported Enterprise Edition.

Modern Security Operations Center

Tags: Modern Security Operations Center, Security Operations Center, SOC

Jul 21 2022

Microsoft adds default protection against RDP brute-force attacks

Category: Security Operations CenterDISC @ 9:37 am

“Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors,” David Weston of Enterprise and OS Security at Microsoft, announced, just as the company confirmed that it will resume the rollout of the default blocking of VBA macros obtained from the internet.

Brute-forced RDP access and malicious macros have for a long time been two of the most popular tactics used by threat actors to gain unauthorized access to Windows systems.

Minimizing the RDP attack vector

The Windows Account Lockout Policy allows enterprise network admins to set a lockout threshold – a specific number of failed logon attempts – after which a user account will be locked.

Brute-forcing is a method used by attackers to take over accounts. Usually automated with the help of a software tool, the attack involved submitting many passwords in a row until the right one is “guessed”.

From Windows 11 build 22528.1000 and onwards, the account lockout threshold is, according to Bleeping Computer, set to 10 failed login attempts in 10 minutes, which should make this type of attack harder to pull off.

The revelation has set off calls for the control to be backported to older Windows and Windows Server version – a move that’s apparently in the works.


Minimizing the effect of Brute Force Attack 

Tags: Microsoft, RDP brute-force attacks

Mar 04 2022

What Security Engineers Hate About SIEM

SIEM Satisfaction is Mediocre

When CISOs, CIOs, CTOs, security engineers, security analysts and security architects were asked to rank the primary capabilities of a traditional SIEM according to how satisfied they were with those capabilities, an interesting picture emerged. The survey results indicated that every primary capability of traditional SIEM solutions, at best, only somewhat met the majority of users’ needs. Some capabilities were irrelevant to many users. This tepid level of satisfaction is what drove many security teams to undertake the effort to build their own security monitoring tools. 

Data Coverage and Data Use

Less than 25% of the respondents believed that their SIEM covered more than 75% of their security-relevant data. Nearly 17% responded that their existing platform covered less than a quarter of their data.

Furthermore, when asked if they believed their current SIEM platform were capable of handling the volume of security data their organization will generate in the future, a third of the respondents said they expected their existing platform to keep falling behind. 

These results underscore the risks security teams (and their organizations) are forced to tolerate due to the cost and overhead required to bring high volumes of security-relevant data into traditional SIEM platforms. Without full visibility into all necessary data, security teams will undoubtedly have blind spots that impede their ability to protect their organizations.

OK, so what can they do instead? Well, a cloud-native architecture capable of ingesting, normalizing and analyzing terabytes of data per day cost-effectively is necessary to keep up.

Moving From Static to Dynamic

Security professionals are well aware of the static nature of traditional SIEM platforms. Many believe they pay too much for the capabilities provided and are concerned about what the future holds. 

SIEMs were designed over ten years ago when the world was a very different place. The technology hasn’t evolved its approach to keep up with the needs of cloud-scale environments. Adequate security today depends on full visibility into security-relevant data, structured, scalable data lakes, cloud-native workflows and fast detection and response times. Security teams need a modern approach to security monitoring built for the cloud-first world.

Security Information and Event Management (SIEM) Implementation 

Tags: SIEM

Jan 05 2022

How can SMBs extend their SecOps capabilities without adding headcount?

Category: Security Operations CenterDISC @ 9:08 am

Outsourcing security: What’s on offer?

Fortunately, there is an alternative way for procuring security expertise: by retaining the services of managed security service providers (MSSPs) and managed detection and response (MDR) providers.

MSSPs usually assist organizations’ IT departments in managing the IT infrastructure and keeping it secure by managing security equipment/systems, monitoring security logs, supervising patch management, and similar preventative security measures. MDR providers concentrate on monitoring network traffic and data, providing threat hunting/detection services and responding to discovered threats – capabilities that are difficult for most SMBs to cultivate in-house due to resource limitations.

For example, when the existence of the Log4Shell vulnerability and a PoC for it was revealed, Milton Security, a California-based MDR provider, has been inundated with concerns and requests from customers, prospects, and the public asking to help make sense of the situation, provide credible and timely updates, and monitor networks for any suspicious activity that might be related to Log4j exploitation.

But they have also been getting a lot of requests for their application security testing, penetration testing, incident response, and even their vCISO service.

Winning the perpetual fight against crime by building a modern Security Operations Center (SOC)

Tags: SecOps, SOC

Sep 18 2021

‘OMIGOD’ Azure Critical Bugfix? Do It Yourself—Because Microsoft Won’t

Category: Security Operations Center,Windows SecurityDISC @ 10:47 pm

Using OMI on Microsoft Azure? Drop everything and patch this critical vulnerability, snappily named OMIGOD. But wait! You probably don’t know whether you’re using OMI or not.

Y’see, Open Management Infrastructure (OMI) is often silently installed on Azure—as a prerequisite. And, to make matters worse, Microsoft hasn’t rolled out the patch for you—despite publishing the code a month ago. So much for the promise of ‘The Cloud.’

What a mess. In today’s SB Blogwatch, we put the “mess” into message.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Difficult Hollywood.


What’s the craic? Simon Sharwood says—“Microsoft makes fixing deadly OMIGOD flaws on Azure your job”:

Your next step”
Microsoft Azure users running Linux VMs in the … Azure cloud need to take action to protect themselves against the four “OMIGOD” bugs in the … OMI framework, because Microsoft hasn’t. … The worst is rated critical at 9.8/10 … on the Common Vulnerability Scoring System.

Complicating matters is that running OMI is not something Azure users actively choose. … Understandably, Microsoft’s actions – or lack thereof – have not gone down well. [And it] has kept deploying known bad versions of OMI. … The Windows giant publicly fixed the holes in its OMI source in mid-August … and only now is advising customers.

Your next step is therefore obvious: patch ASAP.

‘OMIGOD’ Azure Critical Bugfix? Do It Yourself—Because Microsoft Won’t

Tags: Azure Critical Bugfix

Aug 17 2021

How building a world class SOC can alleviate security team burnout

Category: Security Operations CenterDISC @ 11:04 am

Recent research indicates that 51 percent of SOC teams feel emotionally overwhelmed by the impossible volume of security alerts they must deal with, with the stress impacting their home lives.

Increasing the maturity of a SOC allows analysts to stop fighting fires and focus on higher value work. With careful planning and the right combination of automation and standardized processes, a mature, effective, and world-class SOC can be established.

The danger of alert overload

The cybersecurity landscape has become increasingly hostile, and teams must deal with an ever-increasing barrage of security alerts. Teams have reported spending nearly a third of their time simply dealing with false positives, and we have long since passed the tipping point where these numbers can be dealt with on a manual basis.

This is exacerbated by the fact that the on-going skills gap means recruiting and retaining a full team of analysts has become an increasingly costly proposition. Few firms can afford large teams, and even an army of analysts will not be able to comfortably tackle hundreds of alerts a day in addition to their other duties.

In addition to the sheer number of alerts they must deal with, SOC teams are hampered by inefficient processes. Many analysts end up using an ad-hoc suite of security solutions cobbled together from different providers and great deal of time can be wasted every day as analysts swap back and forth between different solutions. There is no easy way to compare data from different tools to identify trends and more complex threats. Uniting solutions under a single management system can help to win back lost time and establish a single view of threat data.

How building a world class SOC can alleviate security team burnout 

The Industry Standard, Vendor-Neutral Guide to Managing SOCs and Delivering SOC Services

This completely new, vendor-neutral guide brings together all the knowledge you need to build, maintain, and operate a modern Security Operations Center (SOC) and deliver security services as efficiently and cost-effectively as possible.

Leading security architect Joseph Muniz helps you assess current capabilities, align your SOC to your business, and plan a new SOC or evolve an existing one. He covers people, process, and technology; explores each key service handled by mature SOCs; and offers expert guidance for managing risk, vulnerabilities, and compliance. Throughout, hands-on examples show how advanced red and blue teams execute and defend against real-world exploits using tools like Kali Linux and Ansible. Muniz concludes by previewing the future of SOCs, including Secure Access Service Edge (SASE) cloud technologies and increasingly sophisticated automation.

This guide will be indispensable for everyone responsible for delivering security services―managers and cybersecurity professionals alike.

* Address core business and operational requirements, including sponsorship, management, policies, procedures, workspaces, staffing, and technology
* Identify, recruit, interview, onboard, and grow an outstanding SOC team
* Thoughtfully decide what to outsource and what to insource 
* Collect, centralize, and use both internal data and external threat intelligence
* Quickly and efficiently hunt threats, respond to incidents, and investigate artifacts
* Reduce future risk by improving incident recovery and vulnerability management
* Apply orchestration and automation effectively, without just throwing money at them
* Position yourself today for emerging SOC technologies

Tags: Security Operations Center, SOC

Apr 18 2021

Six Essential Ingredients for Building a Successful Security Operations Center (SOC)

Category: Security Operations CenterDISC @ 6:43 pm

Tags: Security Operations Center