I was invited by the ISSA Belgium chapter to talk last night about log management & SIEM (“Security Information and Event Management“). This is a very interesting topic but almost everything has been said (good as bad) on SIEM. I decided to innovate and to use some articles posted in this blog as practical examples of fraud detection. After the theory, some practice is always welcome! Let’s make your logs more valuable…
Fraud can be defined as “a deliberate deception, trickery, or cheating intended to gain an advantage“. This term is often closely linked to the world of finances. That’s why I prefer to use the word “suspicious“. an eventĀ can be flagged as suspicious if it does not follow strict baselines.
Four practical examples of suspicious activities were discussed:
- MySQL Database changes
- USB stick detection
- Rogue access to resources
- Mapping events to Google Maps
Each example was reviewed as a quick recipe to detect the suspicious event. All of them reported by OSSEC. The goal was to explain how to gain more visibility and more value from your logs at… an affordable price, read – without an (expensive) SIEM solution. Even, if smallest organizations don’t have budgets and resources, they can implement solutions to increase their security.
The presentation is available on Slideshare.com.