AlienVault NIDS generated an alarm when every desktop in the environment beaconed out to the same web server at around the same time. Many hosts contacting one external server in lockstep is a classic sign of botnet command-and-control activity, for example hosts being staged for a DDoS attack. After looking into it a little further, Sedara analysts discovered that the source was the customer's patch management system. That system had each workstation run an action at the same time that gathered core machine information and reported to an external server to request a browser update. Although this is an uncommon way of updating, it is neither malicious nor a threat to our customer's systems. Knowing the destination IP, the event names, and the types of logs involved, we were able to tune out this specific false positive (that destination and those events) without silencing the underlying rule for other destinations.

What Alerts Should You Set?

As mentioned before, every environment is different, so there is no cookie-cutter template, but there are non-standard custom correlation rules that are extremely important for almost every network. We prioritize these out of the box to show value very quickly in the AlienVault systems we implement. Some good examples revolve around Active Directory activity. A few of the questions we ask our customers to get the right kind of thoughts flowing for initial tuning include:
- Location of sensitive data
- Approved access methods
- Unapproved access methods
- Who has access and when
- What is normal network traffic
- What is authorized on endpoints
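The patch-management case above comes down to two pieces of logic: a correlation rule that fires when many distinct hosts contact the same destination within a short window, and a tuning entry that suppresses one known (destination, event name) pair without disabling the rule. The following is an added illustration written for this page, not AlienVault's own directive format or Sedara's code. The log lines, host names, addresses, 60-second window and 5-host threshold are all constructed for the example; 203.0.113.50 stands in for the customer's update server.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple

# Constructed sample log lines (not from the page): one outbound HTTP
# connection per line, as "<ISO timestamp> <workstation> <dst IP> <event name>".
# 203.0.113.50 stands in for the customer's patch-management update server;
# the other addresses are documentation ranges chosen for the example.
SAMPLE_EVENTS = """\
2019-03-04T09:00:01 ws-01 203.0.113.50 http_request
2019-03-04T09:00:02 ws-02 203.0.113.50 http_request
2019-03-04T09:00:02 ws-03 203.0.113.50 http_request
2019-03-04T09:00:04 ws-04 203.0.113.50 http_request
2019-03-04T09:00:05 ws-05 203.0.113.50 http_request
2019-03-04T09:00:06 ws-06 203.0.113.50 http_request
2019-03-04T09:00:07 ws-01 198.51.100.7 http_request
2019-03-04T09:30:00 ws-02 198.51.100.7 http_request
2019-03-04T11:00:00 ws-01 192.0.2.9 http_request
2019-03-04T11:00:01 ws-02 192.0.2.9 http_request
2019-03-04T11:00:01 ws-03 192.0.2.9 http_request
2019-03-04T11:00:02 ws-04 192.0.2.9 http_request
2019-03-04T11:00:03 ws-05 192.0.2.9 http_request
"""

WINDOW = timedelta(seconds=60)  # how "at around the same time" is defined here (assumed)
MIN_HOSTS = 5                    # distinct workstations needed to raise an alarm (assumed)


class Alarm(NamedTuple):
    dst: str
    event: str
    first_seen: datetime
    hosts: Tuple[str, ...]


def parse_events(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse the space-separated sample format into (timestamp, src, dst, event)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, event = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, event))
    return events


def find_synchronized_beacons(events, window=WINDOW, min_hosts=MIN_HOSTS) -> List[Alarm]:
    """Raise one alarm per (dst, event) pair once at least `min_hosts` distinct
    hosts have contacted that destination within a sliding `window`."""
    by_key = defaultdict(list)
    for ts, src, dst, event in events:
        by_key[(dst, event)].append((ts, src))
    alarms = []
    for (dst, event), hits in by_key.items():
        hits.sort()
        active = Counter()  # hosts seen inside the current window, with hit counts
        start = 0
        for ts, src in hits:
            active[src] += 1
            # Slide the window forward: drop hits older than `window`.
            while ts - hits[start][0] > window:
                old_src = hits[start][1]
                active[old_src] -= 1
                if active[old_src] == 0:
                    del active[old_src]
                start += 1
            if len(active) >= min_hosts:
                alarms.append(Alarm(dst, event, hits[start][0], tuple(sorted(active))))
                break  # one alarm per destination is enough for triage
    return alarms


# Tuning entry added after the investigation: the known update server and the
# event name it produces. Scoping the suppression to these attributes keeps the
# rule live for every other destination. (Constructed values.)
KNOWN_GOOD = {("203.0.113.50", "http_request")}


def apply_tuning(alarms: List[Alarm], known_good=KNOWN_GOOD) -> List[Alarm]:
    """Drop alarms whose (dst, event) pair has been tuned out as a known false positive."""
    return [a for a in alarms if (a.dst, a.event) not in known_good]


if __name__ == "__main__":
    raw = find_synchronized_beacons(parse_events(SAMPLE_EVENTS))
    for a in raw:
        print("raw alarm:   ", a.dst, a.event, a.first_seen, a.hosts)
    for a in apply_tuning(raw):
        print("after tuning:", a.dst, a.event, a.first_seen, a.hosts)
```

Run as-is, the rule fires twice: once for the update server (six workstations in five seconds) and once for 192.0.2.9 (five workstations in three seconds), while the two slow, unrelated hits on 198.51.100.7 never reach the threshold. After the tuning entry only the 192.0.2.9 alarm survives, which is the point of keying the suppression on destination plus event name rather than switching the rule off: the next time a fleet of desktops beacons somewhere new, the alarm still fires.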

- SIEM ongoing operating "soft" costs
  - Report review and other ongoing monitoring tasks, from 24/7 to daily to weekly
  - Alert response and escalation; SIEM implies correlation and automated alerting
  - Other daily SIEM tasks such as reviewing the dashboards
  - Uptime maintenance tasks, i.e. caring for your SIEM as well as its storage: backups, updates, minor troubleshooting, etc.
- Periodic or occasional "soft" costs
  - SIEM rule tuning, report creation, dashboard customization, new log source integration, and other ongoing SIEM tasks
  - Periodic training and related staff time costs
  - Expansion: same as the initial soft costs
Ready to unlock your AlienVault USM's potential?
Contact Sedara Security, an authorized AlienVault Professional Services partner.