Register now or log in to join your professional community.
If you ask me, I would suggest to watch out the following things so closely on routine basis.
1. Changes in the filesystem : This will let you know that nothing unusual is happening in your Server on Filesystem level.
2. The Storage/memory statistics : If a hacker gets into your system or the server gets attacked by some viral program, it eats up the space causing the degraded performance.
3. The Firewall Configurations : Closely monitor this. No changes shall be happened without your notice. Always close the unnecessary ports
4. Process Management: Check out the ps output on routine basis, kill unusual processes or report them. Monitor the D state/hanged processes.
5. RPM/Package Database : Watch out which are the approved packages the system has been installed with. This activity is so important as this can cause the rpm database corruption as well.
6. User Administration : Who logs in/Who logs out, monitor the secure log.
7. Disable the shutdown binary or watch it using audit : this one is important as well.
8. Look out at the activities of the sudo users and adjust there permissions and authorities.
9. Setup Auditing on sensitive files/directories to monitor user activities on the same.
There might be more, but the above is the list I can think of at the moment.
in Soc you must have many level:
1- classic : firewall , Ips, Ids ...
2- SIEM
3- some tools to monitor network devices,server and services
4- LDAP
...
A recommended and best practice for monitoring includes following but not limited to the below :
1- An industry recommended SIEM Solution for performing event correlation and root cause analysis for security incidents.
2- Advanced Network and Endpoint Malware analysis (sanboxing).
3- Network Traffic analysis using Machine learning, network forensics and Threat intelligence
4- Future trends and Proactive Threat feeds monitoring
Configure SIEM To Monitor IoA Indicator of Attacks This can give you a good visibility of Infrastructure Security
You must Know that SOC isn't only Technology but always: People-Process-Technology
a) Scalable Analytics Engine
b) Consolidated warehouse for security data or cross indexed series of data stores.
c) Centralized Management dashboard
d) Pattern based threat monitoring techniques
e) Ticketing system f) Rich correlation of incidence information
g) Full network packet capture
h) Data and Identity classification and Access Management solution
i) Integrated Compliance and governance management tools.
j) Data Analytics and Forensic tools.
For better practice you can use following ttools, i am also mentioning open source tools,
1. Firewall,IDS,IPS--> Suricata,Snort(For IDS IPS)
2.Data Loss Prevention--> Open DLP or MyDlp
3.Threat Intelligence--> Open Taxi
4.SIEM-->SIEMonster,Elasticsearch,Kibana,Logstash
After configuring check logs are properly coming or not from all devices and services(e.g Apache,tomcat)
data analytics platforms in top of a SIEM tool
Best thing that we can do is that, we have to follow the SOP of the company. Stay calm and always on top of the situation that may arise.
