AIS Managed SIEM

Technology has transformed what’s possible for today’s small and medium-sized organizations, but it also increases exposure to potential security risks. The AIS Managed SIEM (Security Information Event Management) platform changes all that with enterprise-level, cost-effective protection for SMBs.

The AIS Managed SIEM (Security Information Event Management) Platform supports threat detection and security incident response through real-time collection and historical analysis of security events from a wide variety of event and contextual data sources. It provides real time analysis of security alerts generated by network-connected devices and on-premise, Cloud, and SaaS applications.

WHY AIS MANAGED SIEM IS DIFFERENT

AIS combines access to an experienced team with an innovative approach to technology to eliminate the high cost and complexity of existing enterprise SIEM platforms.

  • Delivery: The SIEM can be delivered solely as a managed SIEM platform or as a turnkey managed service. AIS’ IT consultants can implement, configure, and maintain the SIEM, while its SOC team can monitor and respond to security alerts.
  • Technology: The platform architecture utilizes both proprietary code and open-source packages, allowing for efficient development that results in faster-to-market functionality and more robust product features.
  • Integration: AIS Managed SIEM is agnostic in terms of device brand and infrastructure architecture. It can aggregate information from network-connected devices as well as on-premise, cloud (AWS, Azure, etc.), and third-party SaaS tools, or even hybrid infrastructure architectures.

THE BENEFITS

With AIS Managed SIEM, organizations can:

  • Reduce costs and internal IT resource strain with an affordable turnkey managed service that shortens root cause analysis time for security, performance, and reliability issues
  • Confidently manage evolving threats proactively across all devices and platforms
  • Increase ROI by maximizing the value of security investments and identifying opportunities for Cloud service cost savings
  • Reduce audit effort and expense for PCI, HIPAA, and other standards

General Use Cases

External Vulnerabilities
Login History
User Behavior Analysis
Threat Intelligence Alert Destination IP Threat Indicated

The event's destination IP address is listed on one or more blocklists as an IOC (indicator of compromise).

Threat Intelligence Alert Source IP Threat Indicated

The event's source IP address is listed on one or more blocklists as an IOC (indicator of compromise).

Technical Use Cases

Anomalous Logins
Compromised Passwords
Accidentally Deleted Emails

IP Address Log Data for Deleted Emails/Lost Data - The SIEM logs provide data down to the IP address, so IT staff can tell exactly who deleted the email, at what time, and from where.

Proprietary Applications Security

Real-time Security Risk Analysis on Proprietary Applications - The SIEM provides real-time analysis of proprietary applications to look for security gaps and identify patterns of suspicious activity that indicate a breach has occurred.

Unauthorized 3rd Party Application Detection

3rd Party Application Detection and Remediation - The SIEM identifies unauthorized third-party applications that have been granted access (a backdoor) into your network and provides a portal where you can confirm which applications belong in your environment.

SIEM Office 365 Alerts

SIEM Windows Event Log Alerts
SIEM Firewall Alerts

Firewall Filter and IPS/IDS Log Analysis

SIEM Syslog Alerts
Windows File Modification Monitoring

Ransomware activity detection

Server SSH Key Access Monitoring

User logged into a Server using an SSH public key

SIEM Microsoft Events To Monitor

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor#appendix-l-events-to-monitor

Windows Application Whitelisting

Application whitelisting events should be collected to look for applications that have been blocked from execution. Any blocked application could be malware or a user trying to run unapproved software. Software Restriction Policies (SRP) are supported on Windows XP and above. The AppLocker feature is available for Windows 7 and above, Enterprise and Ultimate editions only. Application whitelisting events can be collected if SRP or AppLocker are actively being used on the network.

Windows Application Crashes
Windows System Or Service Failures
Windows Update Errors
Windows Firewall

If client workstations are taking advantage of the built-in host-based Windows Firewall, then there is value in collecting events to track the firewall status. For example, if the firewall state changes from on to off, then that log should be collected. Normal users should not be modifying the firewall rules of their local machine. The below events for the listed versions of the Windows operating system are only applicable to modifications of the local firewall settings.

Windows Clearing Event Logs

It is unlikely that event log data would be cleared during normal operations, and it is likely that a malicious attacker would try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. Centrally collecting events has the added benefit of making it much harder for an attacker to cover their tracks. Event forwarding permits sources to forward multiple copies of a collected event to multiple collectors, enabling redundant event collection. Using a redundant event collection model can minimize the single-point-of-failure risk.

Windows Software And Service Installation

As part of normal network operations, new software and services will be installed, and there is value in monitoring this activity. Administrators can review these logs for newly installed software or system services and verify that they do not pose a risk to the network. It should be noted that an additional Program Inventory event ID 800 is generated daily on Windows 7 at 12:30 AM to provide a summary of application activities (e.g., number of new application installations). Event ID 800 is generated on Windows 8 as well, under different circumstances. This event is beneficial to administrators seeking to identify the number of applications that were installed or removed on a machine.

Windows Account Usage

User account information can be collected and audited. Tracking local account usage can help detect Pass the Hash activity and other unauthorized account usage. Additional information such as remote desktop logins, users added to privileged groups, and account lockouts can also be tracked. User accounts being promoted to privileged groups should be audited very closely to ensure that users are in fact supposed to be in a privileged group. Unauthorized membership in privileged groups is a strong indicator that malicious activity has occurred. Lockout events for domain accounts are generated on the domain controller, whereas lockout events for local accounts are generated on the local computer.

Windows Kernel Driver Signing

Introduction of kernel driver signing in the 64-bit version of Windows Vista significantly improves defenses against insertion of malicious drivers or activities in the kernel. Any indication of a protected driver being altered may indicate malicious activity or a disk error and warrants investigation.

Windows Group Policy Errors
Windows Defender Activities

Spyware and malware remain a serious problem and Microsoft developed an antispyware and antivirus, Windows Defender, to combat this threat. Any notifications of detecting, removing, or preventing these malicious programs should be investigated. In the event Windows Defender fails to operate normally, administrators should correct the issue immediately to prevent the possibility of infection or further infection. If a third-party antivirus and antispyware product is currently in use, the collection of these events is not necessary.

Windows Mobile Device Activities

Wireless devices are ubiquitous, and the need to record an enterprise's wireless device activities may be critical. A wireless device could become compromised while traveling between different networks, regardless of the protocol used for communication (e.g., 802.11 or Bluetooth). Therefore, tracking which networks mobile devices are entering and exiting is useful to prevent further compromises. The creation frequency of the following events depends on how often the device disconnects and reconnects to a wireless network. Each event below provides mostly similar information, except that additional fields have been added to certain events.

Windows External Media Detection

Detection of USB device (e.g., mass storage device) usage is important in some environments, such as air-gapped networks. This section takes the proactive avenue of detecting USB insertion in real time. Event ID 43 only appears under certain circumstances. The following events and event logs are only available in Windows 8 and above. Microsoft-Windows-USB-USBHUB3-Analytic is not an event log per se; it is a trace session log that stores tracing events in an Event Trace Log (.etl) file. The events created by the Microsoft-Windows-USB-USBHUB3 publisher are sent to a direct channel (i.e., an Analytic log) and cannot be subscribed to for event collection. Administrators should seek an alternative method of collecting and analyzing this event (43).

Windows Printing Services
Windows Pass The Hash Detection

Tracking user accounts for detecting Pass the Hash (PtH) requires creating a custom view with XML to configure more advanced filtering options. The event query language is based on XPath. The recommended QueryList below is limited in detecting PtH attacks. These queries focus on discovering lateral movement by an attacker using local accounts that are not part of a domain. The QueryList captures events that show a local account attempting to connect remotely to another machine that is not part of the domain. This event is a rarity, so any occurrence should be treated as suspicious. These XPath queries are used for the Event Viewer's Custom Views.

The successful use of PtH for lateral movement between workstations would trigger event ID 4624, with an event level of Information, from the Security log. This would be a LogonType of 3 using NTLM authentication where it is not a domain logon and not the ANONYMOUS LOGON account. To clearly summarize the event that is being collected, see event 4624 below. In the QueryList below, substitute the section with the desired domain name.

A failed logon attempt when trying to move laterally using PtH would trigger event ID 4625. This would have a LogonType of 3 using NTLM authentication where it is not a domain logon and not the ANONYMOUS LOGON account. To clearly summarize the event that is being collected, see event 4625 below.

Windows Remote Desktop Logon Detection

Remote Desktop account activity events are not easily identifiable using the Event Viewer GUI. When an account remotely connects to a client, a generic successful logon event is created. A custom Query Filter can aid in clarifying the type of logon that was performed. The query below shows logins using Remote Desktop. Remote Desktop activity should be monitored, since only certain administrators should be using it, and they should be connecting from a limited set of management workstations. Any Remote Desktop logins outside of expected activity should be investigated. The XPath queries below are used for the Event Viewer's Custom Views. Event ID 4624 and Event ID 4634 respectively indicate when a user has logged on and logged off with RDP. A LogonType with the value of 10 indicates a Remote Interactive logon.
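The two sections above describe the same filter criteria a SIEM rule would apply to Security log events: 4624/4625 with LogonType 3 over NTLM against a non-domain, non-anonymous account for PtH-style lateral movement, and LogonType 10 on 4624/4634 for RDP logon and logoff. The following is an added example, not the AIS product's code or the page's own QueryList; the event records are constructed dicts keyed by the EventData field names, and the domain name CORP is assumed.

```python
ANONYMOUS = "ANONYMOUS LOGON"

def is_pth_candidate(ev, domain):
    """4624/4625 with LogonType 3 over NTLM where the target account is
    neither a domain account nor ANONYMOUS LOGON: a local account used
    for remote access, the lateral-movement pattern described above."""
    return (ev.get("EventID") in (4624, 4625)
            and ev.get("LogonType") == 3
            and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("TargetUserName", "").upper() != ANONYMOUS
            and ev.get("TargetDomainName", "").upper() != domain.upper())

def rdp_event_kind(ev):
    """LogonType 10 (RemoteInteractive) marks RDP: 4624 is logon, 4634 logoff."""
    if ev.get("LogonType") != 10:
        return None
    return {4624: "rdp_logon", 4634: "rdp_logoff"}.get(ev.get("EventID"))

def classify(events, domain):
    """Return (kind, account, source address) for each event worth alerting on."""
    findings = []
    for ev in events:
        if is_pth_candidate(ev, domain):
            kind = "pth_success" if ev["EventID"] == 4624 else "pth_failure"
        else:
            kind = rdp_event_kind(ev)
        if kind:
            findings.append((kind, ev["TargetUserName"], ev.get("IpAddress", "-")))
    return findings

# Constructed sample events (not real log data); 4634 carries no IpAddress field.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "localadmin", "TargetDomainName": "WS-017", "IpAddress": "10.0.0.17"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "alice", "TargetDomainName": "CORP", "IpAddress": "10.0.0.21"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY", "IpAddress": "-"},
    {"EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "localadmin", "TargetDomainName": "WS-017", "IpAddress": "10.0.0.17"},
    {"EventID": 4624, "LogonType": 10, "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "jsmith", "TargetDomainName": "CORP", "IpAddress": "10.0.5.9"},
    {"EventID": 4634, "LogonType": 10, "TargetUserName": "jsmith", "TargetDomainName": "CORP"},
]

if __name__ == "__main__":
    for finding in classify(SAMPLE_EVENTS, "CORP"):
        print(*finding)
```

The Kerberos domain logon and the ANONYMOUS LOGON event are deliberately left unflagged, matching the exclusions the text describes.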

Windows DNS-and-Directory Services

Malicious or misused software can often attempt to resolve blacklisted or suspicious domain names. The collection of DNS queries and responses is recommended in order to enable discovery of compromise or intrusion through security analytics. A number of the below event IDs will only be recorded with enhanced auditing enabled. See Network Forensics with Windows DNS Analytical Logging for more information.

Windows PowerShell Activities

PowerShell events can be interesting, as PowerShell is included by default in modern Windows installations. If a PowerShell script is failing, it may indicate misconfiguration, missing files, or malicious activity. The Get-MessageTrackingLog cmdlet can be used to enumerate Exchange Server mail metadata, returning detailed information about the history of each mail message traveling through the server.

Windows Task Scheduler Activities

Scheduled tasks can be maliciously created or deleted. The Task Scheduler can be used, for instance, to create tasks that wait for certain preconditions before downloading malicious files or to load malicious software into memory.

Windows Microsoft Cryptography API

The Microsoft CryptoAPI can be used for certificate verification and encryption/decryption of data. There are a number of interesting events that should be logged for suspicious behavior or for future auditing.

Windows Certificate Services

Certificate Services receives requests for digital certificates over RPC or HTTP. For organizations that do not rely upon external certification authorities, policies and settings can be customized in order to support the organization’s requirements. The below events can be collected to ensure expected use.

Windows Network Policy
Windows Boot Events
Windows System Integrity

Financial Use Cases

Financial Analysis Of IT Solutions

Ingest Logs from IT Business Solutions (e.g., Cloudflare) Used in Your Environment and Turn Data into Actionable Tasks - The SIEM can ingest logs and data from other data sources and solutions, giving IT departments insight and the ability to make data-backed decisions around cost, removing uncertainty.

Business Intellectual Property

Data Loss Prevention/Information Lockdown - The SIEM can detect whether files are being exported or imported instead of being stored where the information security policy dictates.

Qualification Questions

AIS Managed SIEM (Per GB) Service Per 100 GB Ingested And Retained (Monthly)
Is Managed Security Operations Center (SOC) Services 8x5 Monthly Required? If So, How Many Users?
Is Managed Security Operations Center (SOC) Services Required? If So, How Many Environments?
Is SOC Policy Creation Required? If So, How Many Policies?
Is Windows Server File Activity Logging Required? If So, How Many Servers?
Is End User VPN Activity Logging Required? If So, How Many VPN Servers?
Is Firewall IDS/IPS Activity Logging Required? If So, How Many Firewalls?
Is Managed Security Operations Center (SOC) Services 24x7 Monthly Required? If So, How Many Block Hours?
Is Windows Event Log Monitoring Required? If So, How Many Units?

Recurring Tasks

Review Customer Specific Alerting Criteria
  • Review Monitoring Conditions

Scope Of Work

Discovery
  • Kickoff Call
    • Lead Kickoff Call
    • Confirm Device And Data Source List Will Be Provided
    • Send Recap Email
  • Requirements Gathering
    • Data Source List
    • List Of Devices To Be Monitored
Implementation
  • Alert And Dashboard Review Meeting
    • Review Standards Used
    • Discuss Alert Notifications
    • Identify Any Custom Alerts Requested
    • Review Standard Dashboard Widgets
    • Identify Any Custom Widgets Requested
  • Alert Conditions And Configuration
    • Define Review Of Customer Specific Alerts
    • Define Level Of Effort When Root Cause Analysis Is Required (Ticket Hours)
    • Decide When Client Prior Approval Is Required
    • Determine If Low Severity Alerts Are Silenced By Default
    • Alert Category (Issue Type): Security Breach, Performance, Reliability, Data Loss
  • Customize Grok Patterns To Ensure Fields Are Extracted Properly
Validation
  • Customer Diligence AIS SIEM Compliance Docs
Recurring Quarterly
  • Review Customer Specific Alerting Criteria
    • Review Monitoring Conditions

Last modified April 15, 2021