As a Security Operations Center (SOC) Analyst intern in the Cybersecurity Operations Division of Old National Bank, I became aware of the many different cyber threats that affect Old National Bank’s cyberinfrastructure. Information espionage is one of the most common types of threat. Using a network of computers to handle a large amount of data creates vulnerabilities in both the computers and the information they process. Networking affects the computer security goals important to Old National Bank, such as client confidentiality, information integrity, and network availability. Security breaches are inevitable, and it is imperative to have a system of protection that can provide a quick plan of action. Old National Bank uses a software tool called LogRhythm …
I would be alerted by LogRhythm SIEM alarms indicating that conditions had been triggered within the alarm tool, signifying an anomaly in the network that could potentially be a cyberattack. During the time I was an intern, none of the alarms signaled a true advanced and persistent cyber threat. I received around 60-100 alarms per day. During my internship, I spent most of my time working on addressing all of the alarms. About a third of those alarms were just informational, such as when the LogRhythm SIEM monitoring system would malfunction. The great majority of false positives were created by errors in the systems that were working in tandem. A second group of false positives occurred when someone forgot their password and tried different combinations to access their account. A third group of false positives occurred when LogRhythm SIEM misinterpreted an update as a lateral-movement account sweep, because a lot of accounts were being accessed at once for the update. The last few false positives were unique events requiring further …
To create this Alarm Rule, I first logged on to LogRhythm SIEM and clicked on the Deployment Manager icon. Then I clicked on the AI Engine tab, right-clicked the drop-down menu, and selected “Create New”. I then dragged a box icon, which represented the condition of the AIE rule, to the center of the screen. I double-clicked on the box to bring up the fields needed to specify the condition of the AIE rule. I then created the conditions needed to make the new AIE alarm rule function. The conditions were that: 1) the origin or impacted host was one of the I-Series Servers, 2) the connection used FTP, and 3) the connection was established to or from the I-Series Servers. This new rule worked well. As part of my project, this new alarm rule ran for three weeks as a testing period. Every time the AIE detected the criteria for the new alarm rule, which was an established FTP connection, it would create an alarm, which I accessed through LogRhythm’s Web Client so I could note the IP address of the entity that interacted with the I-Series Servers. At the end of the three weeks, I gave the IP address list to the I-Series technician. He then returned two separate IP lists to me. One IP list was addresses
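The following is an added example, not part of the original report and not LogRhythm code: a small Python stand-in for the three-condition AIE rule described above, run over constructed connection-log lines. It flags only established FTP control-channel sessions (TCP port 21) where the origin or impacted host is an I-Series server, collects the peer IP of each hit the way the alarms were noted during the three-week test, and then splits those peers into an expected list and an investigate list, mirroring the two lists the technician returned. The log format, the I-Series addresses, the allow-list, and all function names are assumptions made for the example.

```python
"""
Added example (not from the original report, not LogRhythm code): a stand-in
for the AIE rule "established FTP connection to or from the I-Series servers".
The log format, host addresses, and allow-list below are all assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed: addresses of the I-Series servers (hypothetical RFC 1918 values).
ISERIES_HOSTS = {"10.10.5.21", "10.10.5.22"}

# Assumed: only the FTP control channel is matched; passive/active data
# channels use other ports and would need a separate condition.
FTP_PORT = 21

# Assumed log format, loosely modelled on a firewall connection log:
#   <timestamp> <action> proto=<proto> src=<ip>:<port> dst=<ip>:<port> state=<state>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"state=(?P<state>\w+)$"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2023-06-01T08:00:01Z ALLOW proto=tcp src=10.20.3.15:51234 dst=10.10.5.21:21 state=ESTABLISHED
2023-06-01T08:00:05Z ALLOW proto=tcp src=10.10.5.22:41000 dst=10.30.7.9:21 state=ESTABLISHED
2023-06-01T08:00:09Z ALLOW proto=tcp src=10.20.3.15:51240 dst=10.10.5.21:22 state=ESTABLISHED
2023-06-01T08:00:12Z DENY proto=tcp src=192.168.44.8:60001 dst=10.10.5.21:21 state=SYN
2023-06-01T08:00:15Z ALLOW proto=tcp src=10.20.3.16:51300 dst=10.10.5.99:21 state=ESTABLISHED
2023-06-01T08:00:20Z ALLOW proto=tcp src=10.20.3.17:51400 dst=10.10.5.21:21 state=ESTABLISHED
garbage line that does not parse
"""


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def matches_rule(rec):
    """Apply the three conditions of the rule from the report to one parsed record."""
    if rec is None:
        return False
    # Condition 2: the connection used FTP (control channel on port 21).
    ftp = rec["proto"] == "tcp" and FTP_PORT in (int(rec["sport"]), int(rec["dport"]))
    # Condition 1: the origin or impacted host is an I-Series server.
    iseries = rec["src"] in ISERIES_HOSTS or rec["dst"] in ISERIES_HOSTS
    # Condition 3: the connection was actually established, not a blocked attempt.
    established = rec["state"] == "ESTABLISHED" and rec["action"] == "ALLOW"
    return ftp and iseries and established


def peer_of(rec):
    """The non-I-Series side of the connection, i.e. the IP address worth noting."""
    return rec["dst"] if rec["src"] in ISERIES_HOSTS else rec["src"]


def collect_ftp_peers(log_text):
    """Return {peer_ip: hit_count} for every line that trips the rule."""
    peers = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if matches_rule(rec):
            peers[peer_of(rec)] += 1
    return dict(peers)


def split_by_allowlist(peers, allowed_cidrs):
    """Split collected peers into (expected, investigate) using an assumed allow-list."""
    allowed_nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    expected, investigate = [], []
    for ip in sorted(peers, key=ipaddress.ip_address):
        addr = ipaddress.ip_address(ip)
        (expected if any(addr in n for n in allowed_nets) else investigate).append(ip)
    return expected, investigate


if __name__ == "__main__":
    hits = collect_ftp_peers(SAMPLE_LOG)
    known, unknown = split_by_allowlist(hits, ["10.20.3.0/24"])  # assumed allow-list
    print("FTP peers of I-Series servers:", hits)
    print("Expected:", known)
    print("Investigate:", unknown)
```

Of the six constructed lines, only three trip the rule: the SSH session on port 22 fails condition 2, the denied SYN fails condition 3, and the session to 10.10.5.99 fails condition 1 because that host is not in the I-Series set. Unparseable lines are skipped rather than treated as hits, which matters in a SIEM context where a malformed feed should not silently look like a clean one.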