Wednesday, December 21, 2016

Top 10 Use Cases for SIEM

1. Authentication Activities
Abnormal authentication attempts, off-hour authentication attempts, etc., using data from Windows, Unix and any other authentication application.
2. Shared Accounts
Multiple sources (internal/external) making session requests for a particular user account during a given time frame, using login data from sources like Windows, Unix, etc.
3. Session Activities
Session duration, inactive sessions, etc., using login-session data, specifically from Windows servers.
4. Connection Details
Connections can be genuine or bogus. Suspicious behavior may include connection attempts on closed ports, blocked internal connections, connections made to bad destinations, etc., using data from firewalls, network devices or flow data. External sources can further be enriched with domain name, country and geographical details.
5. Abnormal Administrative Behavior
Monitoring inactive accounts, accounts with unchanged passwords, abnormal account management activities, etc., using data from AD account management activities.
6. Information Theft
Data exfiltration attempts, information leakage through email, etc., using data from mail servers, file sharing applications, etc.
7. Vulnerability Scanning and Correlation
Identification and correlation of security vulnerabilities detected by applications like Qualys against other suspicious events.
8. Statistical Analysis
Statistical analysis can be done to study the nature of the data. Functions like average, median, quantile, quartile, etc. can be used for this purpose. Numerical data from all kinds of sources can be used to monitor relations like the ratio of inbound to outbound bandwidth usage, data usage per application, response time comparison, etc.
9. Intrusion Detection and Infections
This can be done using data from IDS/IPS, antivirus and anti-malware applications, etc.
10. System Change Activities
This can be done using data on configuration changes, audit configuration changes, policy changes, policy violations, etc.
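To make use cases 1 and 2 concrete, here is an added example (not from the original post or any particular SIEM product) of the correlation logic a SIEM rule would apply to normalized login events: an off-hours check and a shared-account check that fires when one account authenticates from several distinct sources inside a short window. The event fields, the business-hours range, the window and the source threshold are all assumptions, and the sample events are constructed.

```python
# Added example: SIEM-style correlation rules for use cases 1 and 2.
# Field layout, thresholds and the sample events below are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (timestamp, user, source_ip, outcome)
EVENTS = [
    ("2016-12-21 03:12:00", "jdoe", "10.0.0.5", "success"),
    ("2016-12-21 09:00:00", "jdoe", "10.0.0.5", "success"),
    ("2016-12-21 09:04:00", "jdoe", "198.51.100.7", "success"),
    ("2016-12-21 09:05:00", "jdoe", "203.0.113.9", "success"),
    ("2016-12-21 14:00:00", "svc_backup", "10.0.0.20", "success"),
    ("2016-12-21 22:30:00", "asmith", "10.0.0.8", "success"),
]

BUSINESS_HOURS = range(8, 19)    # assumption: 08:00-18:59 is on-hours
WINDOW = timedelta(minutes=10)   # assumption: shared-account correlation window
MIN_SOURCES = 3                  # assumption: distinct sources needed to alert

def parse(events):
    """Turn the raw tuples into (datetime, user, source, outcome) records."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), u, src, out)
            for ts, u, src, out in events]

def off_hours_logins(events):
    """Use case 1: successful authentications outside business hours."""
    return [(ts, user, src) for ts, user, src, out in parse(events)
            if out == "success" and ts.hour not in BUSINESS_HOURS]

def shared_accounts(events):
    """Use case 2: one account used from >= MIN_SOURCES sources within WINDOW.
    Returns {user: sorted list of sources} for each account that trips the rule."""
    by_user = defaultdict(list)
    for ts, user, src, out in sorted(parse(events)):
        if out == "success":
            by_user[user].append((ts, src))
    alerts = {}
    for user, logins in by_user.items():
        # Slide a window starting at each login and count distinct sources in it.
        for i, (start, _) in enumerate(logins):
            srcs = {src for ts, src in logins[i:] if ts - start <= WINDOW}
            if len(srcs) >= MIN_SOURCES:
                alerts[user] = sorted(srcs)
                break
    return alerts

if __name__ == "__main__":
    print("off-hours:", off_hours_logins(EVENTS))
    print("shared accounts:", shared_accounts(EVENTS))
```

On the constructed data, jdoe's three successful logins from different sources inside five minutes trip the shared-account rule, while the 03:12 and 22:30 logins are reported as off-hours.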
