The goal for this article is to help our customers understand the rich capabilities of the event stream data collected by the Threat Stack Agent and provide examples on how it can be applied to monitoring and alerting on a few of the common cloud security use cases.
There are three fundamental constructs around how we operationalize security monitoring use cases within the Threat Stack application:
- The Threat Stack Agent collects events of interest around system, process, and user actions and streams them to the backend application (please refer to the related articles "What do we collect?" and "How the Agent communicates").
- Events are processed against system- and/or user-defined Rule Sets to identify critical events of interest; this isolates signal from noise for the key issues of interest.
- The identified issues of interest generate Alerts, which in turn generate Notifications (e.g. email or PagerDuty) based on user configuration, with the ability to suppress any known false positives.
The Threat Stack Agent collects events around user activity, process, host, and network events, and our application backend correlates the event stream data to provide context for common security use cases. Let's explore some of these events and the applicable use cases below, with some examples from our demo system.
Use case Category: User Access Monitoring (UAM)
- UAM1: Events of interest for any user and group modifications (Add/Remove/Modify) on production systems
- UAM2: Events for any user privilege escalations; a typical scenario is a customer with an approved list of sudo users who wants alerting and a log trail for any violations
- UAM3: Detect unauthorized changes on production systems. Only the configuration management agent (Chef, Puppet, Ansible, Salt) is authorized for deploys/file copies/installs; track any user violations for change operations
- UAM4: Generate detailed events and an audit trail for all users' TTY sessions for activity monitoring
- UAM5: Monitoring for any usage of privileged application user accounts
- UAM6: Abnormal user login/access attempts (rate of logins, brute forcing, password attacks)
Use case Category: System Integrity Monitoring
- SIM1: An unauthorized kernel module or package is loaded or initialized on production systems (indicators of rootkits or APT-type malware)
- SIM2: Detect deviations from the authorized set of ports/services (process binds/opens)
- SIM3: Events for any new process connection states, typically new ACCEPT/CONNECT; this indicates possible intrusion or command-and-control activity through unauthorized connectivity
- SIM4: Track any unauthorized or abnormal process start events by user or process
- SIM5: Audit trail of any critical file system changes/reads/transfers and permission changes
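An added example (not Threat Stack's own code) of how UAM2 and SIM3 above can be expressed as rules evaluated over a stream of agent events, with a suppression for a known false positive. The event field names and the sample events are assumptions constructed for illustration, not the Agent's real schema.

```python
from typing import Callable, Dict, List

# Constructed sample events; field names are an assumed, simplified shape.
SAMPLE_EVENTS = [
    {"type": "process", "host": "web-01", "user": "deploy", "exe": "/usr/bin/sudo",
     "args": "sudo systemctl restart nginx"},
    {"type": "process", "host": "web-01", "user": "intern", "exe": "/usr/bin/sudo",
     "args": "sudo cat /etc/shadow"},
    {"type": "network", "host": "web-01", "user": "www-data", "exe": "/usr/sbin/apache2",
     "state": "ACCEPT", "dst_ip": "", "dst_port": 443},
    {"type": "network", "host": "web-01", "user": "www-data", "exe": "/usr/bin/python3",
     "state": "CONNECT", "dst_ip": "203.0.113.7", "dst_port": 4444},
    {"type": "network", "host": "web-01", "user": "root", "exe": "/usr/bin/apt-get",
     "state": "CONNECT", "dst_ip": "198.51.100.2", "dst_port": 80},
]

# Assumed customer policy: the approved sudo users and the expected listeners.
APPROVED_SUDO_USERS = {"deploy", "ops"}
EXPECTED_LISTENERS = {("/usr/sbin/apache2", 443), ("/usr/sbin/sshd", 22)}

def uam2_unapproved_sudo(event: dict) -> bool:
    """UAM2: sudo invoked by a user outside the approved list."""
    return (event["type"] == "process" and event.get("exe") == "/usr/bin/sudo"
            and event["user"] not in APPROVED_SUDO_USERS)

def sim3_new_connection(event: dict) -> bool:
    """SIM3: a new ACCEPT outside the expected listeners, or any new CONNECT."""
    if event["type"] != "network":
        return False
    if event["state"] == "ACCEPT":
        return (event["exe"], event["dst_port"]) not in EXPECTED_LISTENERS
    return event["state"] == "CONNECT"

RULES: Dict[str, Callable[[dict], bool]] = {"UAM2": uam2_unapproved_sudo,
                                            "SIM3": sim3_new_connection}

# Suppression of a known false positive: package manager outbound traffic on port 80.
SUPPRESSIONS = [lambda rule, e: rule == "SIM3" and e.get("exe") == "/usr/bin/apt-get"
                and e.get("dst_port") == 80]

def evaluate(events: List[dict], rules=RULES, suppressions=SUPPRESSIONS) -> List[dict]:
    """Run every rule over every event; matches not suppressed become alerts."""
    alerts = []
    for event in events:
        for name, matches in rules.items():
            if matches(event) and not any(s(name, event) for s in suppressions):
                detail = event.get("args") or f"{event['state']} {event['dst_ip']}:{event['dst_port']}"
                alerts.append({"rule": name, "host": event["host"], "user": event["user"],
                               "exe": event.get("exe"), "detail": detail})
    return alerts
```

Running evaluate(SAMPLE_EVENTS) yields one UAM2 alert (sudo by "intern") and one SIM3 alert (the outbound CONNECT to port 4444); the apt-get connection matches SIM3 but is suppressed.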
Use case Category: File Integrity Monitoring
- FIM1: Monitoring critical credential file access/modifications for misuse/abuse, which typically indicates insider threat activity
- FIM2: Monitor critical system directories (/boot, /lib, /usr/lib, /bin, /sbin, /etc) for new executables or binary replacement/modification, which typically indicates intrusion or command-and-control activity
- FIM3: Monitor unauthorized modifications to system and application configuration files (e.g. sshd.conf, ntp.conf, resolv.conf, Apache, MySQL, etc.)
- FIM4: Monitor for any data exfiltration type of activity on identified critical files (OPEN, COPY, TRANSFER); insider threat scenarios typically relate to stolen credential files, SSH keys, and certificates
Use case Category: Network Activity Monitoring
- NAM1: Monitoring for any critical system service changes (NTP, DNS, Syslog): daemon reconfiguration or changes to port, destination, or source
- NAM2: Monitoring for any system application service changes (Apache, DB server binds, proxy, application services)
- NAM3: Monitoring for insecure protocol usage for system access (Telnet, FTP)