"security posture" by assigning severity to events #125

Closed
mmguero opened this issue Apr 15, 2020 · 3 comments
mmguero commented Apr 15, 2020

The idea is that we assign a severity rating to logs (all logs? some logs?)

So, imagine 1 - not severe at all (blue or green), 5 - super severe (red)

in Logstash enrichment we'd do stuff like:

cleartext password - 5
connection to naughty country - 5
certain notices - 5
insecure or old versions of protocols - 4
file transfers of certain mime types - 3
connection within subnet - 1
connection to other subnet - 2
connection to outside world - 3
etc.

Of course those are just examples. I'd need to hammer out a real list.

Then in some of the dashboards, we can have "number of red events" "number of green events" etc.

@mmguero mmguero added enhancement New feature or request logstash Relating to Malcolm's use of Logstash labels Apr 15, 2020
@mmguero mmguero self-assigned this Apr 15, 2020
mmguero commented Apr 15, 2020

Some notes:

  • Elastic Common Schema (if we're going to make a new field for severity we might as well use something standard going forward)

mmguero commented Apr 23, 2020

I'm going to start spitballing a list of categories that could be assigned to logs. I'll edit this list as we come up with more of them, we'll assign severities later. Also, note that a lot of these same things are already visualizations in the security overview dashboards.

One more note: these are on a per-log basis. We're not talking about bursts, trends, baselines, buckets, or anything here. Those kinds of things are a bigger issue and require some other machine learning or statistical analysis tool, and will be covered in another issue.

  • file transfer of low-risk types
    • the default
  • file transfer of medium-risk types
    • pdf
    • ?
  • file transfer of high-risk types
    • executables
    • ?
    • what about things specific to the executable, pe.log: windows version, architecture, size, etc.?
  • file transfer by protocol
    • i.e., are some protocols inherently more risky than others for file transfer?
  • file transfer where either or both sides of the connection is external
    • upload vs. download
  • notice.log generated
    • probably with different severities for different notice categories
  • signatures.log generated
  • weird.log or dpd.log generated
  • clear text transmission of passwords
  • outdated/insecure protocol versions
  • internal-to-external network connections
  • cross-subnet network connections
  • external-to-internal network connections
    • higher severity with "remote control" protocols like rsh, telnet, ssh, rdesktop, vnc, etc.
  • countries on some sort of "higher severity" list? (n. korea, china, russia, etc.?)
  • possible DGA malware based on randomness/entropy score
  • rank "action" for all protocols that populate it
    • this is quite a list
    • in general writes/sets are more severe than reads/gets, etc.
  • any kind of access denied/file not found/login success or failure
    • ssh, telnet, http, ftp, kerberos, ldap, ntlm, radius, rdp, rfb, whatever
    • success and failure ranked differently?
  • protocols that should probably be encrypted but aren't
    • smtp
    • ?
  • rank connections by size
    • connection length?
    • packets?
    • bytes?
  • rank connection state/history
  • protocols on non-standard ports
  • packet loss
  • server/client information stuff from software.log
    • certain software categories, vendors or versions?
    • specific user agents strings?
  • syslog severity/facility
  • ssl certificate key length/cipher/algorithm/curves?
  • tunneled traffic
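
The following is an added illustration of the per-log scoring sketched in the two comments above (the 1-to-5 scale with a highest-rule-wins result, and the category list). It is not code from Malcolm, from the Logstash pipeline, or from mmguero; it is a stand-alone Python model of what the enrichment step would compute. It assumes Zeek JSON field names (`_path`, `id.orig_h`, `id.resp_h`, `service`, `version`, `mime_type`, `tx_hosts`/`rx_hosts`, `note`, `password`), treats RFC 1918 space as "internal" and a /24 as a "subnet", and writes the result into the ECS field `event.severity`. The rule list and the numbers are placeholders taken from the issue's examples, not a vetted policy, and the sample records are constructed.

```python
"""Per-log severity scoring sketch (added example, not Malcolm's own code).

Each rule looks at one record and may propose a severity from 1 (benign,
"green") to 5 ("red"). A record's score is the highest proposal, so a
low-risk direction never masks a cleartext password on the same connection.
"""
import ipaddress
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Assumption: RFC 1918 space is "internal"; a real deployment would configure this.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Zeek `service` values the issue calls "remote control" protocols.
REMOTE_CONTROL = {"ssh", "telnet", "rdp", "rfb", "rsh"}
# Zeek ssl.log `version` strings treated as outdated/insecure.
INSECURE_TLS = {"SSLv2", "SSLv3", "TLSv10", "TLSv11"}
# MIME risk tiers from the issue's list (placeholders).
HIGH_RISK_MIME = {"application/x-dosexec", "application/x-executable", "application/x-msdownload"}
MEDIUM_RISK_MIME = {"application/pdf", "application/zip"}
# Placeholder per-notice severities; anything else in notice.log gets NOTICE_DEFAULT.
NOTICE_SEVERITY = {"SSH::Password_Guessing": 5, "Scan::Port_Scan": 4}
NOTICE_DEFAULT = 3

Hit = Optional[Tuple[int, str]]
Rule = Callable[[dict], Hit]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def same_subnet(a: str, b: str, prefix: int = 24) -> bool:
    """Assumption: a /24 stands in for 'subnet'; the issue leaves this open."""
    return (ipaddress.ip_network(f"{a}/{prefix}", strict=False)
            == ipaddress.ip_network(f"{b}/{prefix}", strict=False))


def rule_direction(log: dict) -> Hit:
    """within subnet 1, cross-subnet 2, internal<->external 3, external->internal remote control 4."""
    src, dst = log.get("id.orig_h"), log.get("id.resp_h")
    if not (src and dst):
        return None
    src_int, dst_int = is_internal(src), is_internal(dst)
    if src_int and dst_int:
        return (1, "connection within subnet") if same_subnet(src, dst) else (2, "connection to other subnet")
    if src_int:
        return 3, "internal-to-external connection"
    if dst_int:
        svc = (log.get("service") or "").lower()
        if svc in REMOTE_CONTROL:
            return 4, f"external-to-internal {svc}"
        return 3, "external-to-internal connection"
    return None  # external to external: nothing of ours involved


def rule_cleartext_password(log: dict) -> Hit:
    # Zeek's ftp.log and http.log carry a `password` field when one was seen on the wire.
    return (5, "cleartext password") if log.get("password") else None


def rule_notice(log: dict) -> Hit:
    if log.get("_path") != "notice":
        return None
    note = log.get("note", "")
    return NOTICE_SEVERITY.get(note, NOTICE_DEFAULT), f"notice {note}"


def rule_tls_version(log: dict) -> Hit:
    if log.get("_path") == "ssl" and log.get("version") in INSECURE_TLS:
        return 4, f"outdated protocol version {log['version']}"
    return None


def rule_file_transfer(log: dict) -> Hit:
    if log.get("_path") != "files":
        return None
    mime = (log.get("mime_type") or "").lower()
    if mime in HIGH_RISK_MIME:
        sev, why = 4, "file transfer of high-risk type"
    elif mime in MEDIUM_RISK_MIME:
        sev, why = 3, "file transfer of medium-risk type"
    else:
        sev, why = 2, "file transfer of low-risk type"
    # files.log tx_hosts/rx_hosts: an external side on either end bumps the rating by one.
    hosts = list(log.get("tx_hosts", [])) + list(log.get("rx_hosts", []))
    if any(not is_internal(h) for h in hosts):
        sev, why = min(5, sev + 1), why + " with an external side"
    return sev, why


RULES: List[Rule] = [rule_notice, rule_cleartext_password, rule_tls_version,
                     rule_file_transfer, rule_direction]


def score_log(log: dict) -> Tuple[int, List[str]]:
    """Highest proposal wins; returns the score and the reasons that produced it."""
    hits = [h for h in (rule(log) for rule in RULES) if h]
    if not hits:
        return 1, []  # nothing matched: treat as benign
    top = max(sev for sev, _ in hits)
    return top, [why for sev, why in hits if sev == top]


def enrich(log: dict) -> dict:
    """What the Logstash step would add: ECS event.severity plus reason tags."""
    sev, reasons = score_log(log)
    return {**log, "event.severity": sev, "tags": reasons}


def count_by_severity(logs: Iterable[dict]) -> Dict[int, int]:
    """The 'number of red events' / 'number of green events' dashboard counts."""
    return Counter(score_log(l)[0] for l in logs)


# Constructed sample records in Zeek JSON shape (not captured traffic).
SAMPLE_LOGS = [
    {"_path": "conn", "id.orig_h": "192.168.1.10", "id.resp_h": "192.168.1.20", "service": "dns"},
    {"_path": "conn", "id.orig_h": "192.168.1.10", "id.resp_h": "10.20.0.5", "service": "smb"},
    {"_path": "conn", "id.orig_h": "192.168.1.10", "id.resp_h": "203.0.113.7", "service": "http"},
    {"_path": "conn", "id.orig_h": "198.51.100.9", "id.resp_h": "192.168.1.30", "service": "ssh"},
    {"_path": "ftp", "id.orig_h": "192.168.1.10", "id.resp_h": "192.168.1.40", "user": "anonymous", "password": "hunter2"},
    {"_path": "ssl", "id.orig_h": "192.168.1.10", "id.resp_h": "203.0.113.8", "version": "TLSv10"},
    {"_path": "files", "tx_hosts": ["203.0.113.9"], "rx_hosts": ["192.168.1.10"], "mime_type": "application/x-dosexec"},
    {"_path": "notice", "note": "Scan::Port_Scan", "id.orig_h": "192.168.1.66", "id.resp_h": "192.168.1.1"},
]

if __name__ == "__main__":
    for rec in SAMPLE_LOGS:
        out = enrich(rec)
        print(rec["_path"], out["event.severity"], "; ".join(out["tags"]))
    print(dict(count_by_severity(SAMPLE_LOGS)))
```

The cleartext-password and notice rules fire regardless of direction, which is the reason for max-of-rules rather than a sum: summing would let several benign facts add up to "red" and would make the scale depend on how many rules happen to apply to a given log type.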

mmguero commented Sep 9, 2020

Kamino closed and cloned this issue to idaholab/Malcolm

@mmguero mmguero closed this as completed Sep 9, 2020