
SIEM & Log Management

Accelerate your threat detection and compliance with a full SIEM and built-in essential security capabilities.

ITR Use Cases

ITR Benefits with Less Effort

  • Respond to incidents faster with built-in SIEM
  • Detect and contain malware
  • Detect and report on fraud
  • Monitor privileged users
  • Pass compliance audits


We designed the Integrated Threat Response (ITR) managed service to provide the complete security visibility organizations need to detect threats, respond to incidents, and pass compliance audits. ITR works by creating a line of communication between your network environment and the AnchorPoint Security Operations Center (SOC). Our SOC analysts then aggregate security-relevant data from your environment and apply over 2,000 event correlation rules to identify relationships in that data and flag malicious activity. These correlation directives identify patterns that signal threats, policy violations, and other exposures.

AnchorPoint ITR delivers all of the essential security capabilities you need to be ready to start an ISO compliance program from day one. There is no need to purchase, deploy, and integrate separate asset discovery, intrusion detection, vulnerability assessment, behavioral analysis, and SIEM technologies: the AnchorPoint ITR service has all of these capabilities already integrated.

Incident Response & Investigation

Here are the basic steps involved in each ITR use case:

  1. Identify the goal for the use case.
  2. Determine the conditions for the alert.
  3. Select relevant data sources.
  4. Determine response strategies, and document them.

Although the primary budget driver for the ITR service is compliance monitoring, the primary use case for ITR is to identify and investigate security incidents and breaches. Spotting attacks as quickly as possible to minimize damage requires a combination of data sources, as well as the latest threat intelligence from experienced Security Engineers and SOC Analysts.

To help you get started, we’ve put together some ITR use case examples. Please note that these examples are provided for your reference only. Make sure any use case you implement reflects your own security requirements, policies, and business priorities.

ITR Use Case Examples

Watering Hole Attack

Watering hole attacks are attacks in which the attacker compromises a website likely to be visited by a particular target group, then infects members of that group when they visit the compromised site. Rather than attacking the target group directly, the attacker “lies in wait” on the compromised website.

Following our methodology above, here are the key pieces of information to implement this ITR use case.

Goal: Identify a targeted attack on staff members and block the attacker
Alert Conditions: Alert on two or more malware infections from the same compromised website
Data Sources: Industry-leading reputation monitors and threat feeds, intrusion detection (IDS), log data from firewall, anti-virus, web proxy, and content filtering software
ITR Advantage: Continuously updated threat intelligence, integrated Network IDS, and a team of security experts with eyes on 24×7
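The alert condition above has to tie each infection back to the website the host visited shortly before. The following is an added example (not AnchorPoint's code) of that correlation over constructed web proxy and anti-virus log lines; the 10 minute lookback window is an assumption, as the page does not state one.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOOKBACK = timedelta(minutes=10)   # assumption: a visit counts if it was within 10 min before infection
MIN_INFECTIONS = 2                 # the page's rule: two or more infections from the same website

# Constructed web proxy log lines (not real data): time host site
PROXY_LOG = """\
2024-05-01T09:00:00 10.1.2.10 site-a.example
2024-05-01T09:01:00 10.1.2.10 intranet.example
2024-05-01T09:30:00 10.1.2.11 site-a.example
2024-05-01T10:00:00 10.1.2.12 site-b.example
2024-05-01T10:30:00 10.1.2.13 site-b.example
"""
# Constructed anti-virus infection events (not real data): time host signature
AV_LOG = """\
2024-05-01T09:03:00 10.1.2.10 Sig.A
2024-05-01T09:32:00 10.1.2.11 Sig.A
2024-05-01T10:05:00 10.1.2.12 Sig.B
2024-05-01T12:00:00 10.1.2.13 Sig.B
"""

def parse_log(text):
    """Split each line into (time, field, field, ...) with the timestamp parsed."""
    rows = []
    for line in text.splitlines():
        ts, *fields = line.split()
        rows.append((datetime.fromisoformat(ts), *fields))
    return rows

def watering_hole_alerts(proxy_rows, av_rows):
    """Link each infection to the sites its host visited during LOOKBACK, then
    alert on any site linked to MIN_INFECTIONS or more distinct infected hosts."""
    hosts_by_site = defaultdict(set)
    for t_inf, host, _sig in av_rows:
        for t_visit, visitor, site in proxy_rows:
            if visitor == host and t_inf - LOOKBACK <= t_visit <= t_inf:
                hosts_by_site[site].add(host)
    return {site: sorted(hosts) for site, hosts in hosts_by_site.items()
            if len(hosts) >= MIN_INFECTIONS}
```

Host 10.1.2.13 visited site-b.example but was infected 90 minutes later, outside the lookback window, so only site-a.example is flagged.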

SQL Injection Attack and other Web application Attacks

SQL injection, one of the oldest and most common attacks used against web applications, works by inserting malicious SQL statements into a web-based entry field for execution (e.g. to dump the database contents to the attacker). Finding these exposures quickly is essential in order to detect system compromise and avoid information leakage.

Following our methodology above, here are the key pieces of information to implement this ITR use case.

Goal: Identify an attack on a web server in real time and validate that it is blocked
Alert Conditions: Alert from intrusion detection system software (IDS) and host-based intrusion detection (HIDS), with a source IP address known to be malicious according to threat intelligence sources
Data Sources: Industry-leading reputation monitors and threat feeds, web server logs, web application firewall logs, intrusion detection (IDS), host-based intrusion detection (HIDS)
ITR Advantage: Continuously updated threat intelligence, a team of security experts with eyes on 24×7, and integrated Network IDS and Host IDS

Malware Detection & Removal

Malware remains a reliable tool for attackers. According to the latest Verizon Data Breach Investigations Report, direct installation of malware by an attacker continues to be the most common risk vector for security breaches. Successfully finding, containing, and removing malware involves a series of steps, so we’ve included each of these ITR use cases below.

Malware Infection

Goal: Identify traffic from an internal address to known malicious destinations as identified by industry-leading reputation monitors and threat feeds
Alert Conditions: Alert on any event where traffic is being sent to known malicious IP addresses
Data Sources: Industry-leading reputation monitors and threat feeds, intrusion detection (IDS), host-based intrusion detection (HIDS), failed logins, log data from firewall, anti-virus, netflow
ITR Advantage: Industry-leading reputation monitors and threat feeds, built-in Network IDS and Host IDS, integrated netflow, and custom correlation rules updated weekly for the newest threats

Malware Containment

Goal: Alert on the detection of malware before it spreads beyond a limited number of hosts
Alert Conditions: Alert when 5 or more hosts on the same subnet trigger the same malware signature within a 1 hour interval
Data Sources: Industry-leading reputation monitors and threat feeds, intrusion detection (IDS), host-based intrusion detection (HIDS), log data from firewall, anti-virus, netflow analysis
ITR Advantage: Industry-leading reputation monitors and threat feeds, Network IDS, Host IDS, and netflow

Failure to Remove Malware

Goal: Alert when more than 1 hour has passed since malware was detected on a source, with no corresponding removal
Alert Conditions: Alert when a single host fails to auto-clean malware within 1 hour of detection
Data Sources: Industry-leading reputation monitors and threat feeds, intrusion detection (IDS), host-based intrusion detection (HIDS), log data from anti-virus
ITR Advantage: Integrated OTX Network IDS and Host IDS
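The containment and failure-to-remove rules above are both time-window correlations over anti-virus events. As an added example (not AnchorPoint's code), here they are implemented over constructed anti-virus log lines; treating "same subnet" as the same /24 is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_interface

WINDOW = timedelta(hours=1)   # both rules on the page use a 1 hour interval
HOST_THRESHOLD = 5            # containment rule: 5 or more hosts
SUBNET_PREFIX = 24            # assumption: "same subnet" means the same /24

# Constructed anti-virus log lines (not real data): time host signature action
AV_LOG = """\
2024-05-01T09:00:00 10.1.2.10 Sig.A detected
2024-05-01T09:05:00 10.1.2.10 Sig.A cleaned
2024-05-01T09:10:00 10.1.2.11 Sig.A detected
2024-05-01T09:20:00 10.1.2.12 Sig.A detected
2024-05-01T09:30:00 10.1.2.13 Sig.A detected
2024-05-01T09:40:00 10.1.2.14 Sig.A detected
2024-05-01T09:50:00 10.1.3.7 Sig.A detected
2024-05-01T11:00:00 10.1.2.15 Sig.A detected
"""

def parse_av_log(text):
    """Turn each line into (time, host, signature, action), oldest first."""
    rows = []
    for line in text.splitlines():
        ts, host, sig, action = line.split()
        rows.append((datetime.fromisoformat(ts), host, sig, action))
    return sorted(rows)

def containment_alerts(events):
    """Containment rule: >= HOST_THRESHOLD distinct hosts in one subnet, same signature, within WINDOW."""
    hits = defaultdict(list)
    for t, host, sig, action in events:
        if action == "detected":
            subnet = str(ip_interface(f"{host}/{SUBNET_PREFIX}").network)
            hits[(subnet, sig)].append((t, host))
    alerts = set()
    for key, group in hits.items():
        for start, _ in group:   # slide a WINDOW-long window from every detection
            hosts = {h for t, h in group if start <= t <= start + WINDOW}
            if len(hosts) >= HOST_THRESHOLD:
                alerts.add(key)
    return alerts

def failed_removal_alerts(events, now_iso):
    """Failure-to-remove rule: detection with no 'cleaned' event for that host/signature within WINDOW, checked at now_iso."""
    now = datetime.fromisoformat(now_iso)
    cleaned = [(t, h, s) for t, h, s, a in events if a == "cleaned"]
    return [(host, sig) for t, host, sig, action in events
            if action == "detected" and now >= t + WINDOW
            and not any(h == host and s == sig and t <= ct <= t + WINDOW
                        for ct, h, s in cleaned)]
```

At 11:30 the host detected at 11:00 is still inside its one-hour grace period, so it does not appear in the failed-removal list yet, and the host cleaned at 09:05 never does.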

Validating IDS/IPS Alerts & Reducing False Positives

Goal: Reduce wasted time investigating alerts from IDS/IPS
Alert Conditions: Use vulnerability data and other context data about your assets to dismiss some IDS/IPS alerts
Data Sources: Asset information, vulnerability information on those assets, and industry-leading reputation monitors and threat feeds
ITR Advantage: Integrated asset discovery and inventory, and vulnerability scanning information from one fully managed service

Monitoring for Suspicious Outbound Connections

Goal: Alert when there is exfiltration of data or other suspicious external connectivity
Alert Conditions: Alert when outbound connections are made and data is exfiltrated
Data Sources: Firewall logs, web proxy logs, network flows, and industry-leading reputation monitors and threat feeds
ITR Advantage: Integrated netflow and Network IDS

Tracking System Changes

Goal: Alert when administrative actions across internal systems deviate from allowed policy
Alert Conditions: Alert when policy is violated
Data Sources: Host IDS, correlated with policy
ITR Advantage: Integrated Host IDS

Fraud Detection & Reporting

Another powerful ITR use case is to rapidly detect fraudulent activity. The challenge with implementing this use case is to imagine the most likely scenarios for fraud attempts, and then connect the activity to the appropriate data sources. Here’s a basic example that illustrates this ITR use case, but there are certainly others that you can implement to catch fraud in your organization.

Goal: Identify potential fraud activity within payment systems
Alert Conditions: Two new accounts set up and used to initiate and authorize a $1B payment
Data Sources: Log data from Active Directory/LDAP server and payment system application
ITR Advantage: Continuous log monitoring conducted by the security experts in the AnchorPoint SOC
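The payment rule joins two data sources: account creations from Active Directory and initiate/authorize events from the payment application. The following is an added example (not AnchorPoint's code) over constructed log lines; treating an account as "new" if it was created within the previous 30 days is an assumption, since the page gives no age.

```python
from datetime import datetime, timedelta

PAYMENT_THRESHOLD = 1_000_000_000     # the page's example: a $1B payment
NEW_ACCOUNT_AGE = timedelta(days=30)  # assumption: "new" means created within the last 30 days

# Constructed Active Directory events (not real data): time action username
AD_LOG = """\
2023-11-15T08:00:00 account_created alice
2024-05-01T10:00:00 account_created tmp.payer
2024-05-01T10:02:00 account_created tmp.approver
"""
# Constructed payment system events (not real data): time action payment_id amount username
PAYMENT_LOG = """\
2024-05-01T11:00:00 initiate P-100 1500000000 tmp.payer
2024-05-01T11:05:00 authorize P-100 1500000000 tmp.approver
2024-05-01T12:00:00 initiate P-101 2000000000 tmp.payer
2024-05-01T12:05:00 authorize P-101 2000000000 alice
2024-05-01T13:00:00 initiate P-102 5000 tmp.payer
2024-05-01T13:01:00 authorize P-102 5000 tmp.approver
"""

def parse_ad_log(text):
    """Map each created account name to its creation time."""
    created = {}
    for line in text.splitlines():
        ts, action, user = line.split()
        if action == "account_created":
            created[user] = datetime.fromisoformat(ts)
    return created

def parse_payment_log(text):
    """Group initiate/authorize events by payment id: {pid: {"amount", "initiate", "authorize"}}."""
    payments = {}
    for line in text.splitlines():
        ts, action, pid, amount, user = line.split()
        entry = payments.setdefault(pid, {"amount": int(amount)})
        entry[action] = (datetime.fromisoformat(ts), user)
    return payments

def fraud_alerts(created, payments):
    """Alert on payments >= threshold initiated and authorized by two distinct, newly created accounts."""
    def is_new(user, at):   # created at most NEW_ACCOUNT_AGE before the payment
        return user in created and timedelta(0) <= at - created[user] <= NEW_ACCOUNT_AGE
    alerts = []
    for pid, p in sorted(payments.items()):
        if p["amount"] < PAYMENT_THRESHOLD or not {"initiate", "authorize"} <= p.keys():
            continue
        (t_init, initiator), (_, approver) = p["initiate"], p["authorize"]
        if initiator != approver and is_new(initiator, t_init) and is_new(approver, t_init):
            alerts.append(pid)
    return alerts
```

P-101 is large but authorized by a long-standing account, and P-102 uses both new accounts but is far below the threshold, so only P-100 fires.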

Pass Compliance Audits

ITR can easily be purchased with budgetary funds from compliance projects, and it can indeed make passing audits easier. It can provide, for example:

  • An array of specific regulatory reports for requirements such as PCI and HIPAA
  • The capability to monitor changes to critical files and settings: AnchorPoint ITR gives you an integrated Host IDS, which provides file integrity monitoring
  • Detailed information about all changes to Active Directory: users added, group memberships changed, escalated privileges, and so on
  • Proof that employees and contractors who leave the business no longer have access

AnchorPoint ITR offers SIEM without the hassle

Traditional SIEM doesn’t work for most small and medium businesses. It’s too resource-intensive to implement, integrate data sources, tune, and use for monitoring. It’s too expensive and does not meet their needs.

Deploy Quickly and Easily

We deploy ITR in less than one hour, with all of your IP-enabled devices discovered automatically.


Get Security Visibility Immediately

Get prioritized vulnerability and threat alarms within minutes of installation.


Respond to Issues Rapidly

Pinpoint who, what, when, where, and how in one dashboard or e-mailed report, with remediation guidance so you can act quickly.

AnchorPoint Integrated Threat Response (ITR)

Fully integrated security visibility from our top-tier SOC

AnchorPoint ITR provides an intrusion detection system (IDS) together with all of the essential security capabilities needed for complete security visibility, all from a single managed service provider.

Deploy ITR today and get answers to questions such as:

  • Unpatched software, insecure configurations, or other vulnerabilities?
  • Devices communicating with known malicious hosts?
  • Vulnerable assets under attack?
  • Active attack attempts or malware infections?