The detection capability of the LOGTITAN Rule As a Code [1] streaming platform goes beyond a traditional SIEM correlation engine. LOGTITAN is a real-time security analytics platform that ingests, normalizes, enriches, triages, and manages application and security data at scale.
Let’s look at a chain of suspicious events. A user clicks on a phishing email, then visits a website and downloads a malicious file. The user then executes the file and installs malware, which leads to lateral movement and command-and-control (CNC) traffic.
The LOGTITAN SIEM streaming platform keeps track of the state of each entity and the relationships between entities. Think of the LOGTITAN Profiler Engine [2] as an analytical machine that sits on top of a standard rules engine and constantly evaluates alerts against the entity as they come through.
Additionally, traditional SIEM correlations are not good at holding state for long periods of time. LOGTITAN's multidimensional relationship management and smart list mechanisms address this drawback of traditional SIEMs.
The LOGTITAN streaming correlation engine also supports advanced boolean logic statements that correlate across data sources. Once rules exist for a data source, LOGTITAN automatically correlates it with other, disparate data sources [4].
There are many standard use cases like:
- Detect SSHD authentication on Linux
- Successful authentication after brute force
- Repeated login failure
- MySQL Authentication bypass through a zero-length password
- Account deletion after DoS attack
- Attempts to compromise user credentials
- Self escalation
- Short-lived accounts
- Instances of Denial of Service such as abnormal number of requests from multiple ports or the same IP address
These standard use cases are supported by most SIEM solutions.
There are some advanced use cases (rules) like:
- Warn if a base64-encoded PowerShell command longer than 100 characters appears
- More than 3 password changes for the same user within 30 days
- If there are more than 10 DNS requests within 5 minutes which have the same domain but different subdomains, notify. Example: xxx.domain.com, yyy.domain.com
- Misuse of an account
- Lateral movement
Some SIEM solutions support some of these use cases, but not all of them. LOGTITAN supports all of them.
There are use cases specific to Next-Gen SIEM solutions like:
- Return days on which a user accessed more assets than their 95th percentile
- Look for a user whose HTTP-to-DNS protocol ratio is 300% higher than that of 95% of the other users, computed over the last four weeks for the 4th day of the week [2]
- Alert if a user's ratio of failed to successful authentications reaches 10%
- Data loss detection by monitoring all endpoints for an abnormal volume of data egress
All of these Next-Gen use cases are detected by LOGTITAN SIEM.
Besides those Next-Gen use cases, LOGTITAN uses supervised machine learning [7,8] to detect:
- Suspicious/Malicious Processes
- Suspicious/Malicious Files
- Suspicious/Malicious services
- Malware
LOGTITAN also measures the similarity between well-known process names and the names of running processes using Levenshtein distance in real time, to detect process masquerading [6].
DGA detection using entropy is another Next-Gen SIEM feature of LOGTITAN [5].
Real-time detection is critical for a SIEM. Use cases such as unauthorized changes to configs or deletion of audit trails are especially important; they should be escalated immediately to stop the damage and minimize further risk. All LOGTITAN detections are in real time.
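The two detections just described, Levenshtein-based process masquerade detection and entropy-based DGA detection, as an added Python example (this is not LOGTITAN's own code; the process allowlist, the edit-distance threshold of 2, and the entropy threshold of 3.5 bits are assumptions):

```python
import math
from collections import Counter

# Constructed allowlist of well-known Windows process names (assumption:
# a real deployment would load its own reference list).
KNOWN_PROCESSES = ["svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "services.exe"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade_match(process: str, known=KNOWN_PROCESSES, max_distance: int = 2):
    """Return the well-known name a running process appears to imitate, or None.

    An exact match is legitimate; a name within max_distance edits of a
    known name (but not identical) is flagged as a likely masquerade.
    """
    name = process.lower()
    best = None
    for k in known:
        d = levenshtein(name, k)
        if d == 0:
            return None
        if d <= max_distance and (best is None or d < best[1]):
            best = (k, d)
    return best[0] if best else None


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dga_suspect(fqdn: str, threshold: float = 3.5, min_len: int = 10) -> bool:
    """Flag a domain whose leftmost label is long and high-entropy (DGA-like)."""
    label = fqdn.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= threshold
```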
References:
- [1] https://www.logtitan.com/rule-as-a-code/
- [2] https://www.logtitan.com/logtitan-ng-siem-profiler/
- [3] https://www.logtitan.com/user-behavior-analytics-module-uba/
- [4] https://www.logtitan.com/blog/anatomy-of-an-intrusion-detection-using-logtitan/
- [5] https://www.logtitan.com/blog/domain-generation-algorithms-detection-in-logtitan-ng-siem/
- [6] https://www.logtitan.com/blog/critical-process-masquerade-detection-in-logtitan-ng-siem/
- [7] https://www.logtitan.com/blog/hunting-malware-by-detecting-random-strings-in-logtitan-ng-siem/
- [8] https://www.logtitan.com/blog/detecting-4-most-commonly-used-hacking-tools/