Use Case Scenarios for Websense, McAfee ePO, Splunk and Palo Alto FW

Looking for use case scenarios for Websense, Hybrid Module Solution, McAfee ePO, Splunk and Palo Alto Firewalls. Also, the methodology for performing analysis within each tool.
Rocky Cortez, Cyber Security Engineer, asked:
btan, Exec Consultant, commented:
Websense - web proxy cum content filter to block usage and surfing to blacklisted or ill-repute websites as well as mal-advertisement-laden sites and waterholed sites.

McAfee ePO - central patch mgmt of McAfee endpoints with its HIPS or AV; more of an endpoint baseline safeguard which can further have application whitelisting and device control of external storage media like USB. Mobile devices can be supported as well with MDM from McAfee and managed via ePO centrally.

Splunk - "google" search tool which can be the SIEM or log aggregator for quick search analytics, with vulnerability in its db. Check out its Apps for each device source.

PAN - perimeter defence which fronts as an extended traditional FW and UTM; it is not a web app FW (WAF), though it is app aware, content aware and user aware. The security blocks due to DoS, intrusion attempts, port knocking etc. are things to flag to log aggregation systems.

I suggest all security logs (endpoint, FW, web proxy) be piped into Splunk as the SIEM for analysts to triage the alerts and build anomaly use cases like data leakage, mass infection spread and insider threat behaviour, with rules on indicators of compromise (SEI has some indicators and also NIST security testing).

Eventually, if it is able to trace down the timeline to illustrate a cyber kill chain such as attacker infiltrate, propagate, arrogate and exfiltrate, you will have a good time preventing the gaps/exploits that start that chain ... or any part of the defence chain that is broken or abused for such bypass.
1
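The post above recommends piping endpoint, firewall and web-proxy logs into one SIEM and building anomaly use cases (data leakage, mass infection spread) with rules on indicators of compromise. The following is an added example, not code from the post or from any of the products named: it normalises three constructed log formats into one event schema and runs two such rules over them. All hostnames, IPs, hashes, log layouts and the blocklist entry are constructed for this example; a real deployment would take them from the product logs and an intel feed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample logs, one made-up format per source (not real product output).
AV_LOGS = [
    "2016-03-01T10:01:00 host=WS-101 event=detect sha256=aaaa1111 name=Trojan.Generic",
    "2016-03-01T10:03:30 host=WS-102 event=detect sha256=aaaa1111 name=Trojan.Generic",
    "2016-03-01T10:07:10 host=WS-107 event=detect sha256=aaaa1111 name=Trojan.Generic",
    "2016-03-01T11:40:00 host=WS-050 event=detect sha256=bbbb2222 name=Adware.Foo",
]
FW_LOGS = [
    "2016-03-01 10:05:12,TRAFFIC,allow,10.0.1.23,203.0.113.9,443,bytes_sent=58213000",
    "2016-03-01 10:06:02,TRAFFIC,allow,10.0.1.40,198.51.100.7,443,bytes_sent=120000",
    "2016-03-01 10:09:45,TRAFFIC,deny,10.0.1.23,203.0.113.9,22,bytes_sent=0",
]
PROXY_LOGS = [
    "2016-03-01T10:02:05 10.0.1.23 POST http://203.0.113.9/upload.php category=uncategorized action=allow bytes=58213000",
]

# Constructed stand-in for an external threat-intel feed (one blocklisted destination).
BLOCKLIST = {"203.0.113.9"}

AV_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=detect sha256=(?P<sha>\S+)")
FW_RE = re.compile(r"^(?P<ts>[\d-]+ [\d:]+),TRAFFIC,(?P<action>\w+),(?P<src>[\d.]+),"
                   r"(?P<dst>[\d.]+),(?P<port>\d+),bytes_sent=(?P<bytes>\d+)$")
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) (?P<method>\w+) (?P<url>\S+) .*bytes=(?P<bytes>\d+)$")


def _ts(text):
    # Both "YYYY-MM-DDTHH:MM:SS" and "YYYY-MM-DD HH:MM:SS" become one datetime.
    return datetime.fromisoformat(text.replace(" ", "T"))


def build_events():
    """Parse every constructed log line into a common event schema, oldest first."""
    events = []
    for line in AV_LOGS:
        m = AV_RE.match(line)
        events.append({"ts": _ts(m["ts"]), "source": "av", "host": m["host"], "hash": m["sha"]})
    for line in FW_LOGS:
        m = FW_RE.match(line)
        events.append({"ts": _ts(m["ts"]), "source": "fw", "src": m["src"], "dst": m["dst"],
                       "action": m["action"], "bytes_out": int(m["bytes"])})
    for line in PROXY_LOGS:
        m = PROXY_RE.match(line)
        events.append({"ts": _ts(m["ts"]), "source": "proxy", "src": m["src"],
                       "dst": urlparse(m["url"]).hostname, "bytes_out": int(m["bytes"])})
    return sorted(events, key=lambda e: e["ts"])


def mass_infection(events, min_hosts=3, window=timedelta(minutes=10)):
    """Rule 1: the same sample hash detected on >= min_hosts distinct hosts within `window`.

    Returns {hash: sorted list of hosts} for every hash that trips the rule."""
    by_hash = defaultdict(list)
    for e in events:
        if e["source"] == "av":
            by_hash[e["hash"]].append((e["ts"], e["host"]))
    hits = {}
    for sample, seen in by_hash.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):          # slide the window over each start time
            hosts = {host for t, host in seen[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[sample] = sorted(hosts)
                break
    return hits


def data_leakage(events, blocklist, min_bytes=50_000_000):
    """Rule 2: outbound transfer of at least min_bytes to a blocklisted destination,
    from either the firewall or the proxy view. Returns (source, src, dst, bytes) tuples."""
    return [(e["source"], e["src"], e["dst"], e["bytes_out"])
            for e in events
            if e["source"] in ("fw", "proxy")
            and e["dst"] in blocklist
            and e["bytes_out"] >= min_bytes]


if __name__ == "__main__":
    ev = build_events()
    print("mass infection:", mass_infection(ev))
    print("data leakage:  ", data_leakage(ev, BLOCKLIST))
```

On the constructed data the infection rule fires for hash `aaaa1111` (three workstations inside ten minutes) and the leakage rule fires twice for the same transfer, once from the firewall record and once from the proxy record; that corroboration across two sources is what makes the alert worth escalating, whereas the 120 KB session to an address that is not on the blocklist never surfaces.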
btan, Exec Consultant, commented:
There is no best means to establish false positive triggers without going into the specific use case of anomalies. It normally has to be log driven, starting with
(0) verifying both the source and dest, which on concurrent tracks drill further on the truth of the message, e.g. legit, blacklisted, addition errors, external intel feeds; eventually it may stop here .. unless
(1) we surface interesting stuff like country, a specifically located source (email contact) or a malware sample; then the various analyses will proceed.
(2) But experience tells that the known mentioned above must not "hit" first, otherwise the next tier 2/3 analyst will be flooded by tier 1.
(3) SIEMs need to tune their rules with known threats (port/hash, behavioural signature); then unknown ones will be triaged to the next tier for further depth.

I have written an article on the sort of investigative (more like incident response) questions, though it can be extended further... will also be drafting an IoC-based one for the analyst scrapbook (if time allows). But it is also verification to kick off false alerts and sweep away that "noise" to triage the confirmed hits as actionable...
http://www.experts-exchange.com/articles/15659/Ask-Cyber-Savvy-Question-s-There-are-many-ways-to-skin-a-cat.html

Some extracts from my other draft, though not specific, but areas for analysts to work on further:
>>Common false alert categories can be divided into:

Reactive/Equipment-based traffic errors: Traffic caused by another network event and mostly non-malicious. E.g. a NIDS device triggers an ICMP flood alarm when it is in a state of many failed and unreachable-destination packets caused by equipment. Includes cases of unrecognized or proprietary unsupported packets from network equipment. Some old load balancers may be the source of such triggers.

Detective/Protocol violations: Unrecognized network traffic caused by poorly or "lousily" developed client software. E.g. true false positives generated by an IDS from a non-existent event or source device (and of "unknown reason"). Tends to be again another of those (need to be patched) software bugs. This can apply to fake AV signatures for endpoint HIPS.

Preventive/"Innocent" alarms: Really we should prevent such real occurrences that are totally non-malicious in nature, especially those that are experimental and coming from an isolated environment (or from honeynet/honeypot-based testing) that is supposedly not to be leaked out.

Preventive/Design/Operational "bugs": Network design flaws such as improper port spanning on switches and traffic exceeding the ability of a switch or hub, an IDS unable to understand encrypted traffic, prior maintenance work or server changes that are not properly communicated to the security ops team (SOC), IDS/AV signatures in tuning but configured to block production, or not maintained for detecting mutations of the attack due to poor design or signature implementation.

>>Nature of Exploitation
Domain Generation Algorithm
Malicious web drive-by
Suspicious Java download
Infection with ransomware
Bitcoin mining
Use of virtual Cyrillic keyboard
Remote access attack linked to dangerous malware

>>Nature of Malicious Network Movement
Peer-to-peer connections with the Far East
Use of ‘Tor’ anonymizing network
Port-scanning for internal company resources
Connections to website linked to Advanced Persistent Threats
Attempted connections to non-existent domain names

>>Checking for anomalous account service
-the "net user" command shows all user accounts defined locally on the machine.
-the "net localgroup" command shows groups.
-the "net localgroup administrators" command shows membership of the administrators group.
-the "net start" command shows running services.

>>Nature of Account compromise
Illegitimate access to database server
Unauthorized use of administrator credentials
Fast travel indicating password compromise
Risk from ‘bring-your-own-device’ (BYOD) policies

>>Checking for anomalous network activity
-for unusual and unexpected connections in the output of netstat, run: C:\> netstat -nao
-besides TCP and UDP, if interested in ICMP, run: C:\> netstat -s -p icmp
-to list the TCP and UDP ports in use on a machine every 2 seconds, run: C:\> netstat -na 2
1
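The two checklists above (the "net" commands for anomalous accounts and services, and "netstat -nao" for anomalous network activity) produce text that an analyst reads by eye; the useful step is comparing it against a known-good baseline for that host. The following is an added example and is not code from the post: it parses constructed sample output of `netstat -nao` and `net localgroup administrators`, flags listeners, admin-group members and established external connections that are not in a constructed baseline, and then intersects the findings by PID. The sample output, the baseline sets, the internal network range and all addresses and PIDs are constructed for this example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample output of "netstat -nao" on a Windows host (not a real capture).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3120
  TCP    10.0.1.23:49712        203.0.113.9:443        ESTABLISHED     3120
  TCP    10.0.1.23:49720        10.0.1.5:445           ESTABLISHED     4
  UDP    0.0.0.0:123            *:*                                    1044
"""

# Constructed sample output of "net localgroup administrators".
LOCALGROUP_OUTPUT = r"""
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
svc_backup
The command completed successfully.
"""

# Constructed host baseline: what this machine is expected to look like.
BASELINE_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 123)}
BASELINE_ADMINS = {"Administrator", r"CORP\Domain Admins"}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# netstat rows: proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$")


def _endpoint(text):
    """Split 'host:port' (or '*:*') into (host, port-or-None); rpartition keeps IPv6 intact."""
    host, _, port = text.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            rows.append({"proto": m["proto"], "local": m["local"], "foreign": m["foreign"],
                         "state": m["state"], "pid": int(m["pid"])})
    return rows


def unexpected_listeners(rows, baseline=BASELINE_LISTENERS):
    """Sockets accepting traffic (TCP LISTENING, or any UDP socket) not in the baseline."""
    found = []
    for r in rows:
        if r["state"] == "LISTENING" or r["proto"] == "UDP":
            _, port = _endpoint(r["local"])
            if (r["proto"], port) not in baseline:
                found.append((r["proto"], port, r["pid"]))
    return found


def external_connections(rows, internal=INTERNAL_NETS):
    """Established sessions whose foreign address is outside the internal ranges."""
    found = []
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        host, _ = _endpoint(r["foreign"])
        ip = ip_address(host)
        if not any(ip in net for net in internal):
            found.append((r["local"], r["foreign"], r["pid"]))
    return found


def parse_localgroup(text):
    """Members listed between the dashed rule and the closing status line."""
    members, in_members = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("----"):
            in_members = True
            continue
        if in_members:
            if s.startswith("The command completed"):
                break
            if s:
                members.append(s)
    return members


def unexpected_members(members, baseline=BASELINE_ADMINS):
    return sorted(set(members) - baseline)


def suspicious_pids(rows):
    """PIDs that both listen on a non-baseline port and hold an external session."""
    listeners = {pid for _, _, pid in unexpected_listeners(rows)}
    external = {pid for _, _, pid in external_connections(rows)}
    return sorted(listeners & external)


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_OUTPUT)
    print("unexpected listeners:", unexpected_listeners(rows))
    print("external sessions:   ", external_connections(rows))
    print("unexpected admins:   ", unexpected_members(parse_localgroup(LOCALGROUP_OUTPUT)))
    print("PIDs to pivot on:    ", suspicious_pids(rows))
```

The PID column is what ties the two netstat findings together: on the constructed data PID 3120 both listens on a port that is not in the baseline and holds a session to an address outside the internal range, so it is the process to look up next (with `tasklist` or the services listed by `net start`), while the extra `svc_backup` account in the administrators group is a separate finding to reconcile against change records. The internal range is an explicit list rather than `ip_address(...).is_private`, because Python counts documentation ranges such as 203.0.113.0/24 as private, which would hide exactly the kind of destination this check is meant to surface.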
