SIEM Design


Calculating EPD (events per day) and storage requirements

  • Average per day
  • Peak/burst maximum
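
A sizing calculation that works both figures through, added here as an example and not taken from the original notes: the inventory of source types, their per-device event rates, burst factors, event sizes, the 25% headroom, the 10:1 compression ratio and the 30% index overhead are all constructed assumptions, to be replaced with values measured on your own platform.

```python
"""SIEM sizing helpers: events per day (EPD), events per second (EPS) and storage.

Added example for the sizing bullets above; it is not from the original notes.
The device counts, per-device event rates, event sizes, burst factors,
compression ratio and retention below are constructed assumptions, not
measurements from any product.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
GIB = 2 ** 30


@dataclass(frozen=True)
class LogSource:
    name: str
    count: int              # number of devices of this type
    avg_eps_each: float     # sustained events per second per device
    burst_factor: float     # peak multiplier seen during scans, outages, incidents
    avg_event_bytes: int    # average raw event size before compression


# Constructed inventory of the device classes listed under "Devices to Monitor".
SOURCES = [
    LogSource("firewalls",        2, 150.0, 4.0, 300),
    LogSource("windows_servers", 40,   5.0, 3.0, 800),
    LogSource("linux_servers",   60,   2.0, 2.0, 200),
    LogSource("network_devices", 30,   0.5, 5.0, 150),
]


def average_eps(sources):
    """Sustained events per second across every source."""
    return sum(s.count * s.avg_eps_each for s in sources)


def average_epd(sources):
    """Average events per day: the figure licences and storage are usually quoted on."""
    return average_eps(sources) * SECONDS_PER_DAY


def peak_eps(sources):
    """Worst-case burst, assuming every source class peaks at the same time."""
    return sum(s.count * s.avg_eps_each * s.burst_factor for s in sources)


def required_collector_eps(sources, headroom=1.25):
    """EPS the collectors/licence must sustain so bursts are buffered, not dropped.

    headroom leaves room for growth; 25% is an assumption, not a vendor figure.
    """
    return peak_eps(sources) * headroom


def raw_bytes_per_day(sources):
    """Uncompressed bytes ingested per day, weighted by each source's event size."""
    return sum(s.count * s.avg_eps_each * SECONDS_PER_DAY * s.avg_event_bytes
               for s in sources)


def storage_gib(sources, retention_days, compression_ratio=10.0, index_overhead=0.30):
    """On-disk storage for the retention period.

    compression_ratio and index_overhead are assumed values; measure them on
    your own platform, because they dominate the result.
    """
    per_day = raw_bytes_per_day(sources) / compression_ratio * (1 + index_overhead)
    return per_day * retention_days / GIB


def sizing_report(sources, retention_days=90):
    """Collect the numbers a design document would quote."""
    return {
        "average_eps": average_eps(sources),
        "average_epd": average_epd(sources),
        "peak_eps": peak_eps(sources),
        "required_collector_eps": required_collector_eps(sources),
        "storage_gib": round(storage_gib(sources, retention_days), 1),
    }


if __name__ == "__main__":
    for key, value in sizing_report(SOURCES).items():
        print(f"{key:>24}: {value:,.1f}")
```

The point of separating peak from average is that the collector and licence are sized on the peak (plus headroom), while storage is sized on the average multiplied by retention; a design that uses one number for both either overspends on disk or drops events during the incident it was bought to catch.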

Devices to Monitor

Networking Devices

Security Devices

Server Operating Systems

Security Applications


Cloud Platforms


Use Cases

  1. Detecting new VPN connectivity from anywhere except China (mostly built from the events received from the firewalls)
  2. NMAP scan (this comes from flows; by default QRadar identifies around 400 applications, but NMAP is not one of them)
  3. Ping sweep
  4. XSS attacks
  5. SQL injection
  6. A new port has been opened on the firewall for inbound/outbound traffic
  7. An FTP site has been accessed from an unknown address
  8. Tunneled data is detected on the network
  9. RAR files are being continuously uploaded in a fixed partition-size format
  10. Online messengers are used to chat and transfer files
  11. Malicious traffic is seen hitting critical servers of the infrastructure
  12. Detecting BitTorrent or P2P traffic
  13. The firewall has had a critical policy change (this differs from one brand to another, as the event is not named the same way in all brands)
  14. X number of changes have been made on a firewall over X period of time by X user
  15. A new user/admin has been created on a critical server, network device or firewall
  16. A machine's time has changed
  17. A remote session to a critical server has lasted more than an hour
  18. Network resources have been accessed outside working hours
  19. The credentials of a user on leave or an ex-employee have been used in any way
  20. Credentials are sent in clear text
  21. Any configuration change
  22. An agent has been tampered with
  23. An infected machine receives an SSH login attempt
  24. Which servers were recently attacked with an exploit, correlated against a recent scan of the same server
  25. OS fingerprinting by an attacker has occurred
  26. Auditing has been removed, changed or altered
  27. Access to any device by someone other than the admin or authorized users
  28. The same account logs in from different geographical places
  29. Multiple login failures from the same username/IP address to the same destination, followed by a success
  30. Sessions (SSH, Telnet, etc.) taken on a non-standard port
  31. Successful login to a disabled account
  32. Restart/shutdown of critical servers
  33. Hostile email attachments
  34. Attacks on internet gateways
  35. Track each new virus detected in the environment


Generic OS

  • Privileged user login
  • Failed login by privileged user
  • Excessive failed logins for a single host
  • Excessive failed logins for a user across multiple hosts
  • Deactivated/terminated user login
  • Same user logged into multiple machines
  • High rate of configuration changes
  • High rate of errors by a single host
  • Logging service stopped
  • Critical service stopped
  • Important account lockout
  • Abnormal OS restart
  • Modification of networking configuration


Linux Specific

  • User added to ‘root’ or ‘wheel’ group
  • ‘su’ or ‘sudo’ to root account
  • Syslog stop/start/restart
  • Auditd stop/start/restart
  • Excessive failures to “SU”
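
A small rule set that turns the Linux bullets above into detections over syslog lines, added as an example (it is not from the original notes). The sample lines are constructed to follow the message formats of shadow-utils (usermod/gpasswd), sudo, su and systemd; hostnames, users and PIDs are invented, and the systemd unit descriptions "Security Auditing Service" (auditd) and "System Logging Service" (rsyslog) are assumed to be what your distribution uses, so check them on your own hosts.

```python
"""Detect the Linux-specific events listed above from syslog lines.

Added example; not from the original notes. The log lines are constructed to
match the message formats of shadow-utils (usermod/gpasswd), sudo, su and
systemd on common distributions; hostnames, users and PIDs are made up, and
the unit descriptions "Security Auditing Service" (auditd) and
"System Logging Service" (rsyslog) are assumed.
"""
import re
from collections import Counter

PRIVILEGED_GROUPS = {"root", "wheel", "sudo"}
WATCHED_SERVICES = ("Security Auditing Service", "System Logging Service")

# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
Mar  1 09:12:01 web01 usermod[2214]: add 'deploy' to group 'wheel'
Mar  1 09:12:30 web01 gpasswd[2220]: user bob added by root to group sudo
Mar  1 09:12:45 web01 gpasswd[2221]: user bob added by root to group developers
Mar  1 09:13:05 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  1 09:13:40 web01 su[2301]: (to root) alice on pts/1
Mar  1 09:14:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=postgres ; COMMAND=/usr/bin/psql
Mar  1 09:15:10 web01 systemd[1]: Stopped Security Auditing Service.
Mar  1 09:15:12 web01 systemd[1]: Stopping System Logging Service...
Mar  1 09:16:00 web01 su[2355]: FAILED SU (to root) mallory on pts/2
Mar  1 09:16:05 web01 su[2356]: FAILED SU (to root) mallory on pts/2
Mar  1 09:16:09 web01 su[2357]: FAILED SU (to root) mallory on pts/2
Mar  1 09:16:14 web01 su[2358]: FAILED SU (to root) mallory on pts/2
"""

_SERVICES = "|".join(re.escape(s) for s in WATCHED_SERVICES)
RULES = [
    ("user_added_to_privileged_group",
     re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")),
    ("user_added_to_privileged_group",
     re.compile(r"gpasswd\[\d+\]: user (?P<user>\S+) added by \S+ to group (?P<group>\S+)")),
    ("sudo_to_root",
     re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=root ; COMMAND=(?P<command>.+)$")),
    ("su_to_root",
     re.compile(r"su\[\d+\]: \(to root\) (?P<user>\S+) on")),
    ("su_failure",
     re.compile(r"FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+) on")),
    ("logging_service_stopped",
     re.compile(r"systemd\[\d+\]: Stopp(?:ed|ing) (?P<service>" + _SERVICES + ")")),
]


def detect_privilege_events(log_text, su_failure_threshold=3):
    """Return one alert dict per matched event; su failures are aggregated per
    user and reported once when they reach the threshold."""
    alerts, su_failures = [], Counter()
    for line in log_text.splitlines():
        for rule, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            fields = match.groupdict()
            if rule == "user_added_to_privileged_group" and fields["group"] not in PRIVILEGED_GROUPS:
                pass  # membership change in an unprivileged group: not alerted here
            elif rule == "su_failure":
                su_failures[fields["user"]] += 1
            else:
                alerts.append({"rule": rule, **fields})
            break  # first matching rule wins
    for user, count in su_failures.items():
        if count >= su_failure_threshold:
            alerts.append({"rule": "excessive_su_failures", "user": user, "count": count})
    return alerts


if __name__ == "__main__":
    for alert in detect_privilege_events(SAMPLE_LOG):
        print(alert)
```

Two details matter in practice: the sudo rule keys on `USER=root` rather than on any sudo use, so routine `sudo -u postgres` activity does not page anyone, and the service-stop rule watches the logging and audit daemons themselves, because a gap in those logs is exactly what the "Syslog stop" and "Auditd stop" bullets are meant to surface.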


Windows Specific

  • High rate of logins by service account
  • Privilege escalation by unauthorized user
  • Virus detected on Windows Server
  • Important account lockout
  • Audit log cleared
  • Malware not removed from a critical asset
  • Detecting audit policy was altered


  • Authentication: ‘logined’, ‘login failed’, ‘locked’, ‘unlocked’
    • The ‘logined’ events provide the ‘from’ IP address, which can be used to check for user credential compromise.
      • Examples: a user logged in from an unexpected site or geographic location, or a user logged in from multiple locations within a specified period of time.
    • The ‘login failed’ events provide the number of failed attempts, which can be useful for correlations/escalations that alert when a user is approaching (or has surpassed) a tolerated threshold.
    • The ‘locked’ and ‘unlocked’ events could be tracked to see how long it takes for a user to be unlocked (useful for improving business operations/efficiency as well as validating that the unlock was done by the appropriate, authorized person).
  • Modification: updated user, update configuration (tends to be group attribute updates)
    • These logs could be checked against a list of permissions to ensure that a user hasn’t received unexpected higher-level privileges. They can also be reviewed by time to ensure that maintenance windows for change are adhered to.
  • Operation:
    • The ‘Added User’ and ‘Delete User’ events are the most interesting from this section and should be matched to active (or suspended/removed) accounts.
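
The correlation rules implied by use cases 28 and 29 in the list above, by the "excessive failed logins for a single host" bullet under Generic OS, and by the ‘login failed’ threshold and ‘logined’ location checks just described, worked through as an added example (not code from the original notes). The events are constructed using RFC 5737 test addresses; the country field is assumed to come from a GeoIP lookup on the source IP, which is not shown, and the thresholds and windows are illustrative.

```python
"""Correlation rules over authentication events.

Added example; not part of the original notes. It implements use cases 28 and
29 from the list above and the 'login failed' threshold / 'logined' location
checks described in the authentication bullets. The events below are
constructed (RFC 5737 test addresses); the "country" field is assumed to come
from a GeoIP lookup on the source IP, which is not shown here.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _event(ts, user, src_ip, dst, event, country):
    return {"ts": ts, "user": user, "src_ip": src_ip, "dst": dst,
            "event": event, "country": country}


_BASE = datetime(2024, 3, 1, 8, 0, 0)
EVENTS = (
    # alice: five failures from one source to the VPN gateway, then a success
    [_event((_BASE + timedelta(minutes=i)).isoformat(), "alice", "203.0.113.10",
            "vpn-gw", "login failed", "GB") for i in range(5)]
    + [_event((_BASE + timedelta(minutes=5)).isoformat(), "alice", "203.0.113.10",
              "vpn-gw", "logined", "GB")]
    # bob: successful logins from two countries half an hour apart
    + [_event("2024-03-01T08:10:00", "bob", "198.51.100.7", "mail01", "logined", "GB"),
       _event("2024-03-01T08:40:00", "bob", "192.0.2.200", "vpn-gw", "logined", "CN")]
    # twelve different accounts failing against dc01 inside ten minutes
    + [_event((_BASE + timedelta(minutes=20, seconds=30 * i)).isoformat(), f"user{i}",
              f"198.51.100.{50 + i}", "dc01", "login failed", "GB") for i in range(12)]
)


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def failures_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Use case 29: >= threshold failures for the same user/source/destination
    inside `window`, followed by a successful login from that same triple."""
    alerts, recent = [], defaultdict(deque)   # triple -> timestamps of failures
    for e in sorted(events, key=lambda e: e["ts"]):
        key, ts = (e["user"], e["src_ip"], e["dst"]), _ts(e)
        q = recent[key]
        while q and ts - q[0] > window:       # drop failures that fell out of the window
            q.popleft()
        if e["event"] == "login failed":
            q.append(ts)
        elif e["event"] == "logined":
            if len(q) >= threshold:
                alerts.append({"rule": "failures_then_success", "user": e["user"],
                               "src_ip": e["src_ip"], "dst": e["dst"],
                               "failures": len(q), "ts": e["ts"]})
            q.clear()                         # a success resets the counter


    return alerts


def excessive_failures_per_host(events, threshold=10, window=timedelta(minutes=10)):
    """Generic OS rule: many failed logins against one host, whatever the user or
    source. Fires once per host when the count first reaches the threshold."""
    alerts, fired, recent = [], set(), defaultdict(deque)   # dst -> failure timestamps
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != "login failed":
            continue
        ts, q = _ts(e), recent[e["dst"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e["dst"] not in fired:
            fired.add(e["dst"])
            alerts.append({"rule": "excessive_failures_per_host", "dst": e["dst"],
                           "failures": len(q), "ts": e["ts"]})
    return alerts


def logins_from_multiple_countries(events, window=timedelta(hours=1)):
    """Use case 28 / 'logined' location check: the same account succeeds from
    more than one country inside `window`."""
    alerts, fired, recent = [], set(), defaultdict(deque)   # user -> (ts, country)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != "logined":
            continue
        ts, q = _ts(e), recent[e["user"]]
        while q and ts - q[0][0] > window:
            q.popleft()
        seen = {country for _, country in q}
        if seen and e["country"] not in seen and e["user"] not in fired:
            fired.add(e["user"])
            alerts.append({"rule": "multi_country_login", "user": e["user"],
                           "countries": sorted(seen | {e["country"]}), "ts": e["ts"]})
        q.append((ts, e["country"]))
    return alerts


def run_all(events):
    return (failures_then_success(events) + excessive_failures_per_host(events)
            + logins_from_multiple_countries(events))


if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

Each rule keeps a sliding window per key (user/source/destination, host, or user) so that old failures age out instead of accumulating forever, and the brute-force rule clears its counter on success so one incident produces one alert rather than one per later login.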

Log Source Protocols

  1. Syslog
  2. JDBC
  3. JDBC – SiteProtector
  4. Sophos Enterprise Console – JDBC
  5. Juniper Networks NSM
  6. SDEE
  7. SNMPv1
  8. SNMPv2
  9. SNMPv3
  10. Sourcefire Defense Center eStreamer
  11. Log File
  12. Microsoft Security Event Log
  13. Microsoft Security Event Log Custom
  14. Microsoft Exchange
  15. Microsoft DHCP
  16. Microsoft IIS
  17. EMC VMWare
  18. SMB Tail
  19. Oracle Database Listener
  20. Cisco Network Security Event Logging
  21. PCAP Syslog Combination Protocol
  22. Forwarded Protocol
  23. TLS Syslog Protocol
  24. Juniper Security Binary Log Collector Protocol
  25. UDP Multiline Syslog Protocol
  26. IBM Tivoli Endpoint Manager SOAP Protocol, REST API





Microsoft Security Technologies



ISM Info



Security Maturity Model Questionnaire



Underprepared

  • Implement security processes with formal guidelines across all departments
  • Automate cybersecurity processes wherever possible
  • Conduct periodic reviews to fine-tune security operations

In Transition

  • Assess suppliers and contractors to ensure they fulfil information security assurances
  • Align business needs with security requirements to avoid competing objectives and ensure the entire organisation pursues the same goal
  • Implement incident response and management procedures that enable users to take immediate action

Security Leaders

  • Automate as many cybersecurity processes as possible
  • Integrate threat intelligence into automated processes to help tools find threats that slipped through network defences
  • Align business and security needs to achieve cloud adoption and other digital transformation business objectives


Organisation Culture

  1. No dedicated security role with responsibilities either in the IT or other risk/compliance departments
  2. Information security is addressed within the organisation with at least one employee responsible for it
  3. A CISO exists and sets security strategy for the organisation
  4. Information security is implemented throughout customer facing, operations, and support functions
  5. Suppliers and subcontractors are assessed to ensure they fulfil security assurances

Technology and Controls

  1. Standard network security tools are used (main objective = preventing network breaches)
  2. Standard network security tools are used to gain visibility of which data assets are being secured (main objective = detecting threats)
  3. Security processes are semi-automated to defend against threats; Static “normal” network behaviour and context are created to understand the status of risk profiles at a single point in time
  4. Advanced tools are used to anticipate and prepare for unknown threats
  5. The majority of security processes are automated; Leveraging threat intelligence is a business objective; Adaptive network behaviour and context are created to understand the real-time status of risk profiles

Security Operations

  1. Security practices are implemented without formal guidelines
  2. Security practices are embedded in formal guidelines to be used by IT and information security teams
  3. Guidelines and security processes are established in all IT, customer facing, operations, and support functions; incident response procedures are defined
  4. Periodic reviews are conducted to fine-tune security operations, and incident response procedures are implemented
  5. Continuous tests of security operations are conducted, including automated incident response and management with technical, customer facing functions, operations, and support staff


  1. No dedicated security role with responsibilities either in the IT or other risk/compliance departments
  2. Information security is addressed within the organisation with at least one employee responsible for it
  3. IT and information security teams are aware of AND carry out security practices as defined by formal guidelines; training is received to ensure both teams are kept up to date
  4. Technical, customer facing functions, operations, and support staff receive training and education to keep up to date on information security risks
  5. Technical, customer facing functions, operations, and support staff regularly participate in incident response activities


Cloud Adoption

  1. No organisation-wide cloud strategy
  2. Cloud infrastructure is fully automated
  3. Cloud strategy set by IT and business units (but without security inputs) to re-set business processes to achieve desired outcomes
  4. Cloud strategy set by IT, business units and security
  5. Internal processes have been optimised as a result of cloud, and automated controls are enabled to allow for distributed clouds






Open Source Threat Detection and Response



DDoS Attack Types


  1. Volumetric attacks, which are believed to comprise more than 50 percent of attacks launched, are focused on filling up a victim’s network bandwidth. Among the most common volumetric attacks are User Datagram Protocol (UDP) flood attacks, where an attacker sends a large number of UDP packets to random ports on a remote host. UDP floods accounted for approximately 75 percent of DDoS attacks in the last quarter of 2015, according to the Verisign DDoS Trends Report. A common form of UDP flood attack relies on reflection and amplification. UDP is a connectionless protocol (that is, it doesn’t require that the two ends of a conversation establish a connection before exchanging data). An attacker can therefore forge UDP packets with fake source addresses, and use those packets to generate reply traffic. By setting the source of the UDP packets to be the IP address of the intended victim, and then sending those packets to various servers for UDP-based applications, the attacker will cause the servers to send reply traffic to the forged source IP address: the victim. This reply traffic is the “reflection” part of the attack. It’s a lot like calling every pizza place in your county and ordering a lot of pizzas to be delivered to someone you really don’t like. The “amplification” part comes in when you understand that many UDP services generate replies that are much larger than the initial request. For instance, the Domain Name Service (DNS) has a bandwidth amplification factor of 28 to 54 (the reply to a DNS request can be between 28 and 54 times larger than the request). The Network Time Protocol (NTP) has a bandwidth amplification factor of 556. By combining reflection (the server sends reply traffic to a spoofed source address) with amplification (the reply traffic is a lot larger than the initial request), attackers can do a lot of damage to a victim with very little effort on their part. A number of UDP-based applications and services can be used to generate amplification and reflection attacks, including DNS, NTP, Simple Service Discovery Protocol (SSDP), and Simple Network Management Protocol (SNMP).
  2. Protocol attacks (sometimes also called state-exhaustion attacks) target a weakness in how a protocol operates. A well-known protocol attack is the SYN flood, which targets the three-way handshake mechanism in TCP. When a server receives a SYN packet, this is a signal to the server that another machine wants to open a TCP connection. The server will allocate some of its resources to this half-open connection, and send a SYN ACK packet back to the initiating machine. Under normal circumstances, the initiator will then send an ACK packet to the server, the three-way handshake is complete, and the machines will then exchange data. In a SYN flood attack, an attacker sends a rapid succession of TCP SYN requests–typically from spoofed source IP addresses–to open a connection to a network server. The server sends SYN ACK packets back to the source addresses, which never reply with an ACK. The server keeps the half-open TCP connections around, using up resources, until the server is no longer able to accept any new connections.
  3. Application attacks target weaknesses in how an application works. One well-known application attack is Slowloris, which targets web servers. In a Slowloris attack, the attacker sends HTTP requests to a web server without ever completing the requests. Periodically (and slowly–hence the name), the attacker will send additional headers, thus keeping the request “alive” but not finished. Similar to a SYN flood, this forces the web server to maintain open connections for these partially completed HTTP requests, eventually preventing it from accepting any new connections.
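
The two network-level patterns described above (half-open SYNs that never complete, and amplified replies converging on one victim from many reflectors) expressed as flow-based detections, added here as an example and not taken from the original article. The flow records are constructed with RFC 5737 test addresses in a NetFlow-like shape (one record per unidirectional flow, with the TCP flags seen over its life, so "SAF" means SYN, ACK and FIN were all observed); the thresholds are illustrative and must be tuned against your own baseline. Slowloris is not covered, since it needs per-request timing from the web server rather than flow data.

```python
"""Flow-based indicators for the SYN-flood and UDP reflection/amplification
patterns described above.

Added example; it is not from the original article. The flow records are
constructed (RFC 5737 test addresses) in a NetFlow-like shape: one record per
unidirectional flow with the TCP flags seen over its life. Thresholds are
illustrative assumptions to be tuned against your own baseline.
"""
from collections import defaultdict

# UDP services the text names as reflectors, keyed by their well-known source port
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 161: "SNMP"}


def _flow(src, dst, proto, sport, dport, flags="", bytes_=0):
    return {"src": src, "dst": dst, "proto": proto, "sport": sport,
            "dport": dport, "flags": set(flags), "bytes": bytes_}


FLOWS = (
    # 150 half-open flows to the web server: SYN seen, never an ACK (spoofed sources)
    [_flow(f"198.51.100.{i + 1}", "10.0.0.5", "tcp", 40000 + i, 443, "S", 60)
     for i in range(150)]
    # 20 normal completed sessions to the same server
    + [_flow(f"203.0.113.{i + 1}", "10.0.0.5", "tcp", 50000 + i, 443, "SAF", 5200)
       for i in range(20)]
    # 30 completed SSH sessions to another host (no anomaly)
    + [_flow(f"203.0.113.{i + 1}", "10.0.0.6", "tcp", 51000 + i, 22, "SAF", 9800)
       for i in range(30)]
    # 50 large NTP replies from 50 different servers converging on one victim
    + [_flow(f"192.0.2.{i + 1}", "10.0.0.7", "udp", 123, 33000 + i, "", 4000)
       for i in range(50)]
    # 5 ordinary DNS replies from the site's own resolver
    + [_flow("10.0.0.53", "10.0.0.6", "udp", 53, 40000 + i, "", 120) for i in range(5)]
)


def detect_syn_flood(flows, min_half_open=100, min_ratio=0.8):
    """Protocol (state-exhaustion) attack: a destination port where most TCP
    flows are half-open (SYN without ACK) and there are many of them."""
    per_service = defaultdict(lambda: [0, 0])  # (dst, dport) -> [half_open, total]
    for f in flows:
        if f["proto"] != "tcp":
            continue
        stats = per_service[(f["dst"], f["dport"])]
        stats[1] += 1
        if "S" in f["flags"] and "A" not in f["flags"]:
            stats[0] += 1
    return [{"rule": "syn_flood", "dst": dst, "dport": dport,
             "half_open": half, "total": total, "ratio": round(half / total, 2)}
            for (dst, dport), (half, total) in per_service.items()
            if half >= min_half_open and half / total >= min_ratio]


def detect_udp_amplification(flows, min_reflectors=20):
    """Volumetric reflection: replies from an amplifier service port reach one
    destination from many distinct servers, which is the signature of spoofed
    requests rather than a host genuinely talking to dozens of NTP/DNS servers."""
    per_victim = defaultdict(lambda: defaultdict(lambda: {"reflectors": set(), "bytes": 0}))
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in AMPLIFIER_PORTS:
            continue
        entry = per_victim[f["dst"]][AMPLIFIER_PORTS[f["sport"]]]
        entry["reflectors"].add(f["src"])
        entry["bytes"] += f["bytes"]
    return [{"rule": "udp_amplification", "dst": dst, "service": service,
             "reflectors": len(entry["reflectors"]), "bytes": entry["bytes"]}
            for dst, services in per_victim.items()
            for service, entry in services.items()
            if len(entry["reflectors"]) >= min_reflectors]


if __name__ == "__main__":
    for alert in detect_syn_flood(FLOWS) + detect_udp_amplification(FLOWS):
        print(alert)
```

The SYN-flood rule uses a ratio as well as an absolute count so that a busy but healthy service (many completed handshakes) is not flagged merely for having some stray SYNs, and the amplification rule keys on the number of distinct reflectors rather than on bytes alone, because a single large legitimate transfer from one resolver looks nothing like replies arriving from fifty NTP servers at once.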

CISO Strategy



What the CISO Should Do to Help the Board Make Informed Decisions Around Security and Risk

  1. Develop and communicate a security mission statement rooted in business enablement
  2. Determine your risk appetite and document your risk tolerance in layman’s terms
  3. Choose a security framework and map initiatives to that framework
  4. Establish unbreakable rules around security responsibility and information sharing
  5. Keep the board updated on security trends and be prepared to discuss specifics, such as how the organization is responding to a specific threat drawing headlines

What the Board Should Do to Support a Culture of Security Awareness and Accountability

  1. Approach and understand cybersecurity as an enterprise-wide risk issue
  2. Learn the legal implications of cyber risks
  3. Access cybersecurity expertise by giving cyber risk discussions adequate time on the board meeting agenda
  4. Set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget
  5. Discuss cyber risks from the perspective of identifying which risks to avoid, mitigate, accept, or transfer through insurance, as well as specific plans associated with each

Personally identifiable information (PII) Examples


PII is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.



  • John Smith + Trustwave = GDPR
  • John Smith + phone number = GDPR
  • Car number plate, National Insurance (NI) number, passport number: all = GDPR
  • 407 Southway Drive, Plymouth + John Smith = GDPR (fictitious address)
  • Post code + car registration = GDPR
  • Medical record = GDPR
  • Cookies = GDPR
  • IP address = GDPR
  • Princess Diana does not fall under GDPR, as she is deceased.
  • Prince William = GDPR
  • Essentially any information that can identify a living person, even indirectly, can come into scope of GDPR.
  • For example, if I were to write a blog and could be identified just from its content, i.e. by style of writing or subject, it could indirectly come into scope of GDPR.