Incident Detection and Analysis
Incident Detection
- SIEM and intrusion detection systems (IDS) tools form the foundation of incident detection
  - but detection techniques should cover a broad range of activities
- Other detection methods:
  - users report a security issue
  - discrepancy or oddity in an application
  - advanced techniques such as threat hunting
- Detection methods depend on whether a threat is known or unknown
Analyze Incidents
- SIEMs help security analysts perform data and log analysis to detect and investigate security incidents
  - collect and analyze data from various sources
  - specialized algorithms help to identify suspicious patterns and anomalies in log data
    - can detect suspicious login attempts, abnormal network traffic, or unusual system activity
  - provide real-time alerts to security analysts when potential security incidents are detected
  - enrich vast amounts of simple text-based log data to provide useful and intuitive visualizations
  - enable historical analysis of security logs and data
- separating false positives from actual indicators is critical
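As an added illustration of the SIEM-style pattern detection described above (example code written for these notes, not taken from any product), the following rule flags a source that produces many failed logins within a short window followed by a success, while leaving ordinary mistyped-password noise unflagged. The log lines, field names, threshold and window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system):
# timestamp, result, user, source IP.
SAMPLE_LOGS = """\
2024-05-01T09:00:01 LOGIN_FAILED user=alice src=10.0.0.5
2024-05-01T09:00:03 LOGIN_FAILED user=alice src=10.0.0.5
2024-05-01T09:00:04 LOGIN_OK user=alice src=10.0.0.5
2024-05-01T09:01:00 LOGIN_FAILED user=admin src=203.0.113.7
2024-05-01T09:01:01 LOGIN_FAILED user=admin src=203.0.113.7
2024-05-01T09:01:02 LOGIN_FAILED user=admin src=203.0.113.7
2024-05-01T09:01:03 LOGIN_FAILED user=admin src=203.0.113.7
2024-05-01T09:01:04 LOGIN_FAILED user=admin src=203.0.113.7
2024-05-01T09:01:05 LOGIN_OK user=admin src=203.0.113.7
2024-05-01T10:30:00 LOGIN_FAILED user=bob src=10.0.0.9
2024-05-01T11:30:00 LOGIN_FAILED user=bob src=10.0.0.9
2024-05-01T12:30:00 LOGIN_FAILED user=bob src=10.0.0.9
2024-05-01T13:30:00 LOGIN_FAILED user=bob src=10.0.0.9
2024-05-01T14:30:00 LOGIN_FAILED user=bob src=10.0.0.9
2024-05-01T14:30:05 LOGIN_OK user=bob src=10.0.0.9
"""

def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, result, user_kv, src_kv = line.split()
    return {"ts": datetime.fromisoformat(ts), "result": result,
            "user": user_kv.split("=", 1)[1], "src": src_kv.split("=", 1)[1]}

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert when a source has >= threshold failures inside `window`
    immediately before a successful login; returns a list of alerts."""
    failures = defaultdict(list)  # src -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        # Keep only failures that fall inside the sliding window.
        recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
        if ev["result"] == "LOGIN_FAILED":
            recent.append(ev["ts"])
        elif ev["result"] == "LOGIN_OK" and len(recent) >= threshold:
            alerts.append({"src": ev["src"], "user": ev["user"],
                           "failures": len(recent), "ts": ev["ts"].isoformat()})
            recent = []  # reset after alerting
        failures[ev["src"]] = recent
    return alerts
```

With the defaults only the 203.0.113.7 burst is reported; alice's two typos are treated as benign, and bob's hourly failures fall outside the window, which shows why a single threshold rule is a starting point rather than the whole detection strategy.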
Common Indicators of Compromise (IoCs)
| Source | Indicator Example |
|---|---|
| Antimalware software | An alert is generated when a virus signature is detected on a host system. |
| Network intrusion detection system/network intrusion prevention system (NIDS/NIPS) | An alert is generated after an automated port scan is detected. |
| Host intrusion detection system/host intrusion prevention system (HIDS/HIPS) | An alert is generated after the cryptographic hash of an important file no longer matches its known, accepted value. |
| System logs | Entries in the Windows event log indicate a log-on with new credentials that was allocated special privileges. |
| Network device logs | An entry in the firewall log indicates a dropped connection intended for a blocked port. |
| Security information and event management (SIEM) | An alert is generated if anomalous behavior is detected in any relevant logs. |
| Flow control device | A higher amount of traffic than normal across the network indicates an attempted denial of service (DoS) condition. |
| Internal personnel | Employee testimony indicates a possible breach in progress. |
| People outside the organization | An external party claiming responsibility for an attack indicates that one has taken place. |
| Cyber-threat intelligence (CTI) | Third-party research and vulnerability database information indicates a new threat that could be targeting your organization. |