© Copyright IBM Corporation 2010-2016 Virtual SOC Portal Reports User Guide

Virtual Security Operations Center (VSOC) Portal Reports User Guide

December 2017



Table of Contents

OVERVIEW
REPORTING HIGHLIGHTS
REPORT DASHBOARD
GENERATING REPORTS
SCHEDULE REPORTS
CUSTOMIZING REPORTS WITH CSV
GENERAL SERVICE RELATED REPORTS
    SERVICE LEVEL AGREEMENT REPORT
    SERVICE OVERVIEW REPORT
    SECURITY MANAGER OVERVIEW REPORT
IDS/IPS DEVICE REPORTS
    ATTACK METRICS
    GLOBAL ATTACK METRICS
    YOUR ATTACK METRICS
    EXPLANATION OF ATTACK TYPES
    ATTACKS ON VULNERABLE ASSETS
    PREVENTED ATTACK REPORT
    EVENT COUNTS REPORTING
    IDS/IPS EVENT TREND
CONTENT MANAGEMENT
    URL FILTERING CATEGORY
FIREWALL
    FIREWALL SERVICE OVERVIEW
    TRAFFIC ANALYSIS DENIED
    TRAFFIC ANALYSIS EMAIL
    TRAFFIC ANALYSIS WEB ACTIVITY BY WEBSITE
    SUSPICIOUS HOST CORRELATION REPORT
SECURITY EVENT AND LOG MANAGEMENT DEVICES (SELM)
    CROSS LOG TYPE REPORTS
    ALERT-BASED REPORTS


Overview

This document enables you to take advantage of the Reporting features in the IBM Security Services Managed Security Services (MSS) Customer Portal, sometimes referred to as the Virtual Security Operations Center (VSOC). Use this guide to learn basic navigation of the Report Dashboard, or to facilitate in-depth analysis to support your security organization. Report templates include descriptions and use cases to help you better understand the various industry standard templates and best practices available to you.

Reporting Highlights

Security Event and Trend Statistics

Firewall Traffic and Utilization Statistics

Threat and Vulnerability Research

Threat and Vulnerability Mitigation

Audit Compliancy

Workload Prioritization

Suspicious Host Detection

IP Intelligence (security analytics)

Statistical Overview of Your Services

Note: Feature sets may vary based on the MSS services you have subscribed to. Appropriate Service and Service level subscription is required.


Report Dashboard

The Portal Report Dashboard contains many industry standard report templates that you can customize by device, device groups, and time intervals. Click a report template hyperlink to configure report criteria and generate a report. The report templates can facilitate research, vulnerability assessment, threat mitigation, workload prioritization and delegation, and help address audit compliancy requirements.


The report templates are grouped into several categories:

General Service Related – Reports on statistics associated with your subscribed services

IDS/IPS Devices – Reports on device statistics

Content Management Devices – Reports related to web content, anti-virus, and anti-spam

Security Event & Log Management

Cross Log Type Reports

Firewall Devices – Reports on FW statistics

Alerts-based Reports – Report of the alerts and counts associated with your SELM Service

The VSOC allows you to save report criteria for future use, and to export a report in PDF and CSV formats. You can schedule reports at fixed time intervals by selecting one of the calendar icons shown below.

The scheduling feature also allows you to email reports automatically to various members in your organization.


Generating Reports

Step 1: Select the desired time interval from the drop-down. Note that you also have the option to select from a saved report.

Step 2: Select the desired device or device group. Note that you also have the option to report on inactive devices.

Step 3: Select the desired report options, including amount and format. Note that you also have options to enable Resolve DNS, Trending and Group by Network.

Note: To save the report, check the box entitled “Save this criteria.”

Step 4: Select “Submit Query” on the lower right-hand side.


Schedule Reports

After you have customized (named) and saved your reports, you can set up automatic reporting.

Step 1: Select the desired report name.

Step 2: Schedule the report by selecting the appropriate recurrence pattern (Hourly, Daily, etc.).

Step 3: Schedule the appropriate recurrence range.

Note the calendar icons for specific end date assistance.

Step 4: Select the appropriate report format (PDF, HTML or CSV).

Step 5: Verify and/or edit the recipient fields.

Step 6: Click “Create Schedule” on the lower right.

Best Practice Tip: If you need to delegate work within your security team, or adhere to audit compliancy requirements, use the report delivery options to archive reports to a centralized mailbox.


Customizing Reports with CSV

You can open a CSV (comma-separated value) report in Microsoft Excel. CSV is a powerful and versatile format: it allows you to combine data from multiple sources, and to use macros and other Excel tools to manipulate the data and create multiple views of it.

Using Excel Pivot Tables to Create Custom Reports from a CSV File

The pivot table feature in Microsoft Excel allows you to manipulate report data in many different ways, essentially creating multiple reports from one exported CSV file. For more information about how to use Excel to manipulate portal report data, refer to the video, “Exporting Portal Data and Using Excel to Manipulate Data and Create Pivot Tables (10 minutes),” which is available in the Portal Media Library.


General Service Related Reports

General Service Related reports can help you research, track, and document ticketing information, including Service Level Agreement bound tickets and security incident details. These reports can assist in audit compliancy initiatives. There are three types of service related reports: Service Level Agreement, Service Overview and Security Manager Overview.

Service Level Agreement Report

The report shows charts and statistics on SLA eligible tickets and the associated response time. Graphs track various types of tickets, including suspected outages, maintenance and general inquiries. Note: additional SLA levels are available in the full report.


Service Overview Report

The Service Overview report shows graphs and charts summarizing SLA eligible tickets, ticket type breakdown and a six-month trend. Note: an example is shown below; additional report contents are available in the full report.


Security Manager Overview Report

The Security Manager Overview report shows the total security event count and security incident statistics. The report also includes a detailed Security Incident (ticket) breakdown, which can assist in organization and workload prioritization.


IDS/IPS Device Reports

IDS/IPS device reports provide statistical threat analysis information about security event threats impacting your network. Use these reports to gather statistics on security events by source and destination, as well as assist in researching attack trends. You also can use these reports for tuning initiatives.

Attack Metrics

This report requires security events from IBM appliances. It displays several graphs of data, detailing the numbers and types of attacks detected during the past 30 days. This report can help identify abnormalities within your network. It is available as Global Attack Metrics as well as Your Attack Metrics. To view more detailed information, click a graph and plot points to generate drill-in reporting.

Global Attack Metrics

Click a graph for drill-in research capabilities.


Your Attack Metrics

Explanation of Attack Types

The attack types included in the Attack Metrics report, along with brief descriptions and examples, are listed below.

• Protocol Signature

A large number of these events in a short time period could indicate an attack.

Example: TLS_Weak_Cipher_Suite

Servers and clients use X.509 certificates when establishing communication using Secure Sockets Layer (SSL). An SSL server that allows weak ciphers (with key lengths of less than 128 bits) could allow a remote attacker to obtain sensitive information.

Suggested Action: Consult server documentation to disable weak ciphers.

• Pre-Attack Probe

An attempt to gain access to a computer and its files through a known or probable weak point in the computer system.

Example: Ping_Sweep

As a prelude to an attack, subnets are often swept with ICMP or other packets that elicit known responses from active hosts. This sort of probe is used to enumerate active hosts on the subnet, and identify potential attack targets. Normal hosts on a network should never engage in sweeps unless they are performing network monitoring or management tasks.

Suggested Action: Always filter inbound ICMP (other than replies to outbound requests) through your firewall or filtering router, if possible. If a stateful inspection filter is not available inbound, then block all ICMP outbound to prevent replies from reaching the attacker.


• Unauthorized Access Attempt

This usually denotes suspicious activity on a system, or failed attempts to access a system, by a user who does not have access.

Example: SSH_Brute_Force

This event detects an excessive number of very short SSH sessions initiated by a single client to one or more servers within a specified timeframe. It may indicate a username/password guessing attack, or a DoS attack. To qualify as this type of attack, a session must have completed encryption negotiations so that a login may be attempted, and the time elapsed from the first encrypted client data until the TCP session ends with a TCP FIN or server RST must be less than the setting for pam.login.ssh.short.session.time (default 4 seconds). The signature is tunable via the pam.login.ssh.count setting (default 12) and the pam.login.ssh.interval setting (default 60 seconds).

This signature also detects an excessive number of SSH Server Identifications from an SSH server within a specified timeframe. This may indicate a username/password guessing attack. The signature is tunable via the pam.login.ssh.count, pam.login.ssh.interval and pam.ssh.server.bruteforce.chars settings.
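To make the short-session rule concrete, here is an added Python model of that detection logic (it is not IBM's PAM engine, only an illustration of the documented thresholds); it assumes SSH sessions already reconstructed from traffic as its input, uses the three setting names and defaults quoted above as tunables, and runs over constructed sample sessions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Iterable, List

# Tunables named after the signature settings the guide quotes, with the
# defaults it states. This detector is an added model of that logic, not
# IBM's PAM engine.
PAM_LOGIN_SSH_SHORT_SESSION_TIME = 4.0  # seconds; a session shorter than this is "short"
PAM_LOGIN_SSH_COUNT = 12                # short sessions needed to fire
PAM_LOGIN_SSH_INTERVAL = 60.0           # seconds; sliding window per client


@dataclass(frozen=True)
class SshSession:
    """One reconstructed SSH TCP session (constructed input for this example)."""
    client: str
    server: str
    first_encrypted_data: float  # epoch seconds of the first encrypted client data
    tcp_end: float               # epoch seconds of the TCP FIN or server RST
    encryption_negotiated: bool  # False if the session never finished key exchange


@dataclass(frozen=True)
class Alert:
    client: str
    window_end: float     # tcp_end of the session that crossed the threshold
    short_sessions: int   # short sessions counted in the window
    servers: tuple        # distinct servers touched in that window


def is_short_session(s: SshSession,
                     short_time: float = PAM_LOGIN_SSH_SHORT_SESSION_TIME) -> bool:
    """A session counts only if encryption was negotiated (so a login could be
    attempted) and it ended within short_time of the first encrypted data."""
    if not s.encryption_negotiated:
        return False
    return (s.tcp_end - s.first_encrypted_data) < short_time


def detect_ssh_brute_force(sessions: Iterable[SshSession],
                           count: int = PAM_LOGIN_SSH_COUNT,
                           interval: float = PAM_LOGIN_SSH_INTERVAL,
                           short_time: float = PAM_LOGIN_SSH_SHORT_SESSION_TIME,
                           ) -> List[Alert]:
    """Sliding-window count of short sessions per client. Fires once when a
    client reaches `count` short sessions within `interval` seconds, then
    resets that client's window, so a sustained attack yields one alert per
    `count` sessions rather than one per session."""
    alerts: List[Alert] = []
    windows = defaultdict(deque)  # client -> deque of (tcp_end, server)
    for s in sorted(sessions, key=lambda x: x.tcp_end):
        if not is_short_session(s, short_time):
            continue
        window = windows[s.client]
        window.append((s.tcp_end, s.server))
        # Drop sessions that have fallen out of the interval.
        while window and s.tcp_end - window[0][0] > interval:
            window.popleft()
        if len(window) >= count:
            servers = tuple(sorted({srv for _, srv in window}))
            alerts.append(Alert(s.client, s.tcp_end, len(window), servers))
            window.clear()
    return alerts


def _make(client, server, starts, duration, negotiated=True):
    return [SshSession(client, server, t, t + duration, negotiated) for t in starts]


# Constructed sample: timestamps are seconds relative to an arbitrary origin.
SAMPLE_SESSIONS = (
    # 15 one-second sessions, one every 2 s: the guessing pattern
    _make("203.0.113.7", "10.0.0.5", [2 * i for i in range(15)], 1.0)
    # 5 thirty-second sessions: ordinary interactive admin logins
    + _make("198.51.100.5", "10.0.0.5", [100 * i for i in range(5)], 30.0)
    # 12 short sessions but only one every 10 s: never 12 inside 60 s
    + _make("192.0.2.9", "10.0.0.6", [10 * i for i in range(12)], 1.0)
    # 20 connections that never completed key exchange: ignored by this signature
    + _make("192.0.2.10", "10.0.0.5", list(range(20)), 0.5, negotiated=False)
)


if __name__ == "__main__":
    for a in detect_ssh_brute_force(SAMPLE_SESSIONS):
        print(f"SSH_Brute_Force client={a.client} t={a.window_end:.0f}s "
              f"short_sessions={a.short_sessions} servers={a.servers}")
```

Lowering `count` or raising `interval` shows why the guide calls the signature tunable: the slow client that is silent under the defaults fires once the window admits it.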

• Backdoors

Hidden programs that attackers use to access your computer without your knowledge or consent.

Example: RDP_Brute_Force

This signature detects worms, such as Win32/Morto, that allow unauthorized access to an affected computer. These worms spread by trying to compromise administrator passwords for Remote Desktop connections on a network.

Example: NetController_TCP_Request

This signature detects a request on port 6969/TCP that may indicate a NetController backdoor running on your network.

Suggested Action: Use an up-to-date antivirus program to scan the target computer to determine if it is infected with a backdoor program. If the program detects a backdoor, follow its instructions to disinfect and repair the computer.

• Denial of Service

An attack that attempts to prevent legitimate users from accessing information or services. By targeting a user’s computer and its network connection, or the computers and network of the site a user is trying to access, an attacker may be able to prevent a user from accessing email, websites, or online accounts for banking or other services that rely on the affected computer or network.

Example: Smurf_Attack

In a Smurf denial-of-service (DoS) attack, ICMP echo request (ping) packets addressed to an IP broadcast address cause a large number of responses. When each host on the subnet replies to the same ping request, the large number of responses can consume all available network bandwidth, especially if data is appended to the ping request. This can prevent legitimate traffic from being transmitted during the attack. This attack is frequently used against third parties, where an attacker forges the target's source address in a Smurf attack against a different target. At the extreme, this attack can simultaneously disable both targets.

Windows systems do not respond to broadcast pings. However, this does not mean that all Microsoft networks are invulnerable to Smurf attacks.

Suggested Action: Reconfigure your perimeter router or firewall to block ICMP echo requests on the internal network, and block ICMP echo replies from entering the network. This prevents an internal attacker from using your network to mount a SMURF attack against another target. It also prevents an external attacker from targeting your hosts. However, neither of these actions will stop internal SMURF attacks.

• Network

An attack that uses various types of network traffic and protocols for malicious activities.

Example: HTTP_eDirectory_Multiple_Connection

Novell eDirectory is vulnerable to a denial of service, caused by an error in the dhost.exe service when processing Connection headers. By sending multiple HTTP requests containing specially-crafted "Connection" headers, a remote attacker could exploit this vulnerability to consume all available CPU resources, resulting in a denial of service.

Suggested Action: Refer to Novell Security Alert Document ID: 3829452 for patch, upgrade or suggested workaround information.

Example: ICMP_Redirect

ICMP redirects detected on a network or targeted at hosts with weak TCP/IP stack implementations have been shown to cause system failures and other adverse effects. Some versions of NetWare, Windows, and embedded systems like Microware OS-9 have been shown to be susceptible to attacks using ICMP redirects. An attacker could forge ICMP Redirect packets, and possibly alter the host routing tables and subvert security, by causing traffic to flow on a path the network manager did not intend.

Caution: Various networked, embedded controllers may hang or shut down, if they receive an ICMP redirect with an invalid Code. If your network contains controllers attached to automation equipment, manufacturing equipment, HVAC (Heating, Ventilation, and Air Conditioning) equipment, and medical equipment, do not perform ICMP redirects.

• Host Sensor

Exploits and general host activity that is only visible from the local host and not through the analysis of network traffic.

Example: Security_disabled_local_group_changed

This signature detects a Windows event log message indicating that the local distribution group has been changed.

Suggested Action: Please check whether the changes that were made to the local distribution group are allowed.

• Status/Control Messages

Information related to the operation of the security product.

Example: License_Notice

This event indicates that something of notice has happened to the current license state of one or more of the licensable modules. This could be generated by the installation of a license or change to any part of a license, including count, usage or maintenance dates.

Suggested Action: For information events, no particular action is required.


• Suspicious Activity

Activity that indicates unusual system behavior or network traffic, due to various causes, such as possible threats by attackers, user errors, or malfunctioning equipment.

Example: Suspicious_ActiveX_Installer

This signature detects attempts to install suspicious ActiveX controls. This may indicate an attempt to install spyware on the victim's computer. This signature may be configured to ignore specific vendors by using the pam.activex.whitelist tuning parameter.

Suggested Action: If the indicated software is found to be installed and not desired, uninstall it from your system. Use an up-to-date antivirus or spyware removal program to determine if the target computer is host to a spyware program.


Attacks on Vulnerable Assets

The Attacks on Vulnerable Assets report requires subscription to the Vulnerability Management Service (VMS) and allows you to view correlated vulnerability and IDPS data for greater insight into potential security risk areas in your network. The report summarizes the timeframe, asset and source IP, CVE / NIST database links and vulnerability severity. Access the IP Intelligence feature by clicking the “Source or Asset IP” hyperlinks.

CVE (Common Vulnerabilities and Exposures)

NIST (National Vulnerability Database within the National Institute of Standards and Technology)

This report can further assist with documenting vulnerabilities and workload prioritization.

Note: Customers with IDPS only can run the report, but they will be prompted that this report is only available if vulnerability scan (VMS) data is available.

The Attacks on Critical Assets report also includes security event names, an event count summary and the source, or “Attacker,” IP address.

To generate more information on the event and threat, click a security event name link. Clicking the Source IP hyperlink generates the IP Intelligence report.


Prevented Attack Report

The Prevented Attacks report provides statistics on blocked security events, including a graph and a list of associated signatures. This report is useful for showing how your devices are protecting your network, as well as potentially flagging legitimate blocked traffic. Clicking a signature hyperlink gives you access to research options, including security information, the sources and destinations, and the associated sensors.

Vulnerability Impact Report

By running this report and adding a specific event name that was occurring at that time (for example, a Brute Force attack or Failed Login Attempt), the report notifies you of which devices were being impacted by that event.


Event Counts Reporting

The various Event Counts reports are excellent for threat analysis investigation. They can help you quickly identify trends by sensor, and by the top sources and destinations impacting your network. You also can generate reports based on security events. The example listed below is Event Counts by Source IP. Other Event Counts reports include: by Destination IP, by Event Name, by Sensor, and by Sensor, Event Name, and IP.


IDS/IPS Event Trend

The Event Trend report compares events and trends for the current period with the previous period, and lists any security incidents. Clicking a signature hyperlink provides access to additional research options.

Side-by-side event trending


Content Management

URL Filtering Category

Content Management templates allow you to research and document a summary of your network’s top web traffic by Category and Client (IP address). Each category will chart Blocked (red) and Allowed (green) traffic. The reports are useful for identifying inappropriate and unauthorized Internet use.


Below is the full view of the URL Filtering Category Summary, including trending information. To view logs, click a category name hyperlink and select “View these logs.” This generates a log query with the associated traffic, and allows you to further research and document web traffic.


Firewall

Firewall reporting will assist you in traffic analysis, rule analysis and policy optimization. This will not only improve the performance of your network, but alert you to suspicious activity that warrants further investigation.

Firewall Service Overview

The Firewall Service Overview report shows a list of top sources and destinations, including top web- and non-web-related traffic. There is also a connections table that can help you identify anomalies.


Traffic Analysis Denied

The traffic analysis denied report details the top source and destination IPs, with port, count, and trending percentage. Spikes in dropped traffic may represent various types of scanning or other malicious intent.


Traffic Analysis Email

Use the Traffic Analysis Email report to identify high trending valid and invalid email traffic. Invalid traffic could potentially be spambot traffic. A spike in email traffic from workstations could be a sign of an infection.

Traffic Analysis Web Activity by Website

The Traffic Analysis Web Activity by Website report details top outbound web destinations by source and destination IP, with trending information. Today, port 80 is used for many types of malicious traffic, including infections and command-and-control (C&C) of botnets. Attackers use this port because it is one of the most open TCP ports in any corporate firewall. Using our traffic analysis report, you can keep an eye on the most popular websites visited, and also the country they belong to. For example, if you are a US company and notice a large amount of traffic to a server in China, it would be worth investigating.


Protocol Usage

The Protocol Usage report helps break down top firewall traffic and may identify suspicious protocol usage. This can be useful in detecting new outbreaks.

Suspicious Host Correlation Report

The Suspicious Host Correlation report uses logs from your devices to identify suspicious communication from within your network to known malicious or botnet hosts. The intelligence used to identify this traffic comes from IBM X-Force Research, IP reputation data, and trusted third parties. For the Suspicious Host dashboard, your logs are analyzed and referenced with IBM’s suspicious host intelligence near-real-time results. Use this report to help flag potential threats, and the Suspicious Host dashboard for further research and mitigation assistance.


Security Event and Log Management Devices (SELM)

Log storage reporting across all devices including: SELM Server Device Listing by Site, Event Counts by Device or Log Aggregator, System Activity Events, Event Details, and By User.

Cross Log Type Reports

With the Cross Log Type Report, locate malicious IP addresses across all log types to help determine what a certain IP address does across multiple log types.

Alert-Based Reports

Depending on your subscribed services, this report is available to provide a summary of Alerts. These Alerts are pre-established and set up within the Alerts drop-down, located as an option at the top of the VSOC Portal.


© Copyright IBM Corporation 2006-2017 IBM Global Services Route 100 Somers, NY 10589 U.S.A. Produced in the United States of America April 2017 IBM, the IBM logo and ibm.com, X-Force, Express and Express Advantage are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml. Other company, product or service names may be trademarks or service marks of others. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates. The customer is responsible for ensuring compliance with legal requirements. It is the customer’s sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the reader may have to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law or regulation.