CONFIGURATION ASSESSMENT

Configuration assessment is a process that ensures endpoints comply with predefined rules for configuration settings and approved application usage. It involves comparing the current configuration with established industry standards and organizational policies to identify vulnerabilities and misconfigurations.

Configuration Assessment consists of three tabs: Dashboard, Inventory, and Events.

  • Dashboard: The dashboard offers a centralized overview of your environment’s security status and compliance. This enables administrators to promptly evaluate configuration states across various systems and detect any deviations from the desired configurations.

First, select the agent.

The dashboard gives an overview of the selected agent. The Argus agent uses policy files to scan the endpoints it monitors. These files contain predefined checks to be conducted on each monitored endpoint. These benchmarks are vital guidelines for best practices in protecting IT systems and data from cyberattacks. They provide clear instructions for establishing a secure baseline configuration and offer guidance to ensure users implement effective measures to safeguard their critical assets and mitigate potential vulnerabilities.

Workflow of Security Configuration Assessment

  1. Data Collection:
    Argus agents gather data about the system configurations.
  2. Policy Matching:
    The gathered data is checked against a set of predefined or custom policies.
  3. Alert Generation:
    If a deviation is detected, an alert is triggered, informing the security team about the misconfiguration.
  4. Remediation Guidance:
    The alerts include detailed information about the non-compliance and recommendations for fixing the issue.

The description and remediation for each check can be accessed by clicking the result in its row. In the image below, you can see information such as the rationale, remediation, and description of the check with ID 27001.

  • Inventory: The Inventory tab summarizes each policy with its description and the number of passed and failed checks.
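To make the four workflow steps and the Inventory roll-up concrete, here is an added example (not Argus code) of a minimal policy engine: it collects the effective lines of a constructed sshd_config, matches them against a hypothetical three-check policy, generates alerts carrying rationale and remediation for each failure, and counts passes and failures. The check IDs, policy entries and sample config are all assumptions made for this illustration.

```python
import re

# Constructed sshd_config as collected from an endpoint (sample data, not real).
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
# PasswordAuthentication no
X11Forwarding no
"""

# Hypothetical policy file: three SSH hardening checks, each with a regex that an
# effective config line must match for the check to pass (IDs styled on the page's 27001).
POLICY = [
    {"id": 1001, "title": "Ensure SSH root login is disabled",
     "pattern": r"^PermitRootLogin\s+no$",
     "rationale": "Direct root logins allow privileged brute-force attempts.",
     "remediation": "Set 'PermitRootLogin no' in /etc/ssh/sshd_config and restart sshd."},
    {"id": 1002, "title": "Ensure SSH password authentication is disabled",
     "pattern": r"^PasswordAuthentication\s+no$",
     "rationale": "Key-based authentication resists password guessing.",
     "remediation": "Set 'PasswordAuthentication no' and deploy SSH keys."},
    {"id": 1003, "title": "Ensure SSH X11 forwarding is disabled",
     "pattern": r"^X11Forwarding\s+no$",
     "rationale": "X11 forwarding exposes the client display to a compromised server.",
     "remediation": "Set 'X11Forwarding no' in /etc/ssh/sshd_config."},
]

def collect(config_text):
    """Data collection: keep only effective lines (comments and blanks dropped)."""
    return [ln.strip() for ln in config_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def evaluate(lines, policy):
    """Policy matching: a check passes when some effective line matches its pattern,
    so a setting that exists only as a comment does not count."""
    return {chk["id"]: "passed" if any(re.match(chk["pattern"], ln) for ln in lines)
            else "failed" for chk in policy}

def alerts(results, policy):
    """Alert generation: each failed check is reported with rationale and remediation."""
    by_id = {c["id"]: c for c in policy}
    return [{"check_id": cid, "title": by_id[cid]["title"],
             "rationale": by_id[cid]["rationale"], "remediation": by_id[cid]["remediation"]}
            for cid, status in results.items() if status == "failed"]

def summary(results):
    """Inventory roll-up: number of passed and failed checks."""
    vals = list(results.values())
    return {"pass": vals.count("passed"), "fail": vals.count("failed")}
```

Note that the commented-out `PasswordAuthentication no` line is correctly ignored, so check 1002 fails even though the text appears in the file.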

MALWARE DETECTION

Malware, which stands for malicious software, refers to any software designed to harm or exploit computer systems, networks, or users. Its purpose is to gain unauthorized access, cause damage, steal sensitive information, or perform other malicious actions on a target system. There are different types of malware, each with unique functions and ways of spreading. Some common types are viruses, worms, ransomware, botnets, spyware, trojans, and rootkits.

Malware Detection consists of two tabs, “Dashboard” and “Events”, available at the top for navigating between the two views.

  • Filter Bar: Filters are applied for manager.name: ip-172-31-15-172, rule.groups: rootcheck, and agent.id: 003. Additional filters can be added.

Filters Applied:

  • manager.name: ip-172-31-15-172: This filter shows that the data is being filtered based on a specific manager, identified by the IP address ip-172-31-15-172.
  • rule.groups: rootcheck: Filters data to the rootcheck group of rules, which covers the host-based anomaly and rootkit checks shown on this dashboard.
  • agent.id: 003: This narrows down the data to only include information from a specific agent, identified by the ID 003.

The phrase “Additional filters can be added” highlights the ability to apply more filters for a more refined and targeted analysis based on various criteria.

  • DQL Dropdown: Likely used for more advanced querying and filtering.
  • Explore Agent: Provides the ability to view detailed information about a specific agent.
  • Generate Report: An option to create reports based on the displayed data.

Charts and Graphs:

  • Malware Activity: Displays a time series of malware activity alerts over 12-hour intervals, revealing a noticeable increase in malware activity as the end date approaches.
  • Rootkits Activity: Visualizes alerts related to rootkits over time, focusing particularly on the “Trojan version of file” alert. A significant increase in activity is seen in these alerts.

These visual representations help administrators monitor and respond to security events effectively.

Security Alerts:

The dashboard also contains a table of security alerts with the following columns:

  • Time: Displays the timestamp of each alert, including the date.
  • agent.name: Lists the agent that reported each alert (in this case, ip-172-31-0-196 for all entries).
  • rule.description: Provides a description of the triggered rule, with all entries stating “Host-based anomaly detection event (rootcheck).” This information comes from the rules configuration files.
  • rule.level: Indicates the severity level of the triggered rule, consistently marked at 7 for all entries.
  • rule.id: Shows the ID of the triggered rule, with 510 being the consistent value.
  • Count: Indicates the number of times each alert occurred, which is 2 for all entries.
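The following added example (not Argus code) shows how the filter bar and the Security Alerts table above fit together: it applies the three filters from the dashboard to constructed JSON alert records and rolls the survivors up into rows keyed by agent.name, rule.description, rule.level and rule.id with a count. The alert records are constructed for this illustration; the point to notice is that rule.groups holds a list, so a filter on it is a membership test rather than an equality test.

```python
import json
from collections import Counter
# Constructed alert records (JSON lines) in the shape the dashboard filters on; not real data.
SAMPLE_ALERTS = [json.dumps(a) for a in [
    {"timestamp": "2024-09-09T14:01:10Z", "manager": {"name": "ip-172-31-15-172"},
     "agent": {"id": "003", "name": "ip-172-31-0-196"},
     "rule": {"id": "510", "level": 7, "groups": ["ossec", "rootcheck"],
              "description": "Host-based anomaly detection event (rootcheck)."}},
    {"timestamp": "2024-09-09T14:05:42Z", "manager": {"name": "ip-172-31-15-172"},
     "agent": {"id": "003", "name": "ip-172-31-0-196"},
     "rule": {"id": "510", "level": 7, "groups": ["ossec", "rootcheck"],
              "description": "Host-based anomaly detection event (rootcheck)."}},
    {"timestamp": "2024-09-09T14:07:00Z", "manager": {"name": "ip-172-31-15-172"},
     "agent": {"id": "002", "name": "ip-172-31-9-11"},
     "rule": {"id": "510", "level": 7, "groups": ["ossec", "rootcheck"],
              "description": "Host-based anomaly detection event (rootcheck)."}},
    {"timestamp": "2024-09-09T14:09:31Z", "manager": {"name": "ip-172-31-15-172"},
     "agent": {"id": "003", "name": "ip-172-31-0-196"},
     "rule": {"id": "5501", "level": 3, "groups": ["pam", "authentication_success"],
              "description": "PAM: Login session opened."}},
]]

def lookup(record, dotted_key):
    """Resolve a dotted field name such as 'rule.groups' against a nested record."""
    value = record
    for part in dotted_key.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value

def matches(record, filters):
    """Scalar fields are matched by equality, list fields (rule.groups) by membership."""
    for key, wanted in filters.items():
        actual = lookup(record, key)
        hit = wanted in actual if isinstance(actual, list) else str(actual) == str(wanted)
        if not hit:
            return False
    return True

def security_alerts_table(raw_alerts, filters):
    """Apply the filter bar to JSON alert lines and roll them up into table rows with a count."""
    counts = Counter()
    for rec in map(json.loads, raw_alerts):
        if matches(rec, filters):
            counts[(lookup(rec, "agent.name"), lookup(rec, "rule.description"),
                    lookup(rec, "rule.level"), lookup(rec, "rule.id"))] += 1
    return [{"agent.name": k[0], "rule.description": k[1], "rule.level": k[2],
             "rule.id": k[3], "count": n} for k, n in counts.items()]
```

With the dashboard's three filters applied, only the two rootcheck alerts from agent 003 survive and collapse into a single row with Count 2, matching the table described above.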

Events Tab:

The Events tab in Argus allows users to efficiently aggregate, filter, search, and analyze security-related events, providing a streamlined approach to event monitoring and response.

FILE INTEGRITY MONITORING

File Integrity Monitoring (FIM) involves tracking the integrity of files and directories to detect and alert on file additions, modifications, or deletions. It provides a crucial layer of protection for sensitive files and data by regularly scanning and verifying their integrity. File Integrity Monitoring identifies file changes that might indicate a cyberattack, generating alerts for further investigation and remediation as necessary.

The Argus File Integrity Monitoring module monitors activities within specified directories or files to gather detailed information on file creation, modification, and deletion. When a file is changed, Argus compares its checksum against a pre-computed baseline and triggers an alert if a discrepancy is found.

This File Integrity Monitoring module performs real-time monitoring and scheduled scans based on the sensitivity level of the monitored files.

FIM Events refer to individual records of file changes that are detected by Argus. Each event contains detailed information about the file, the nature of the change, and the context in which it occurred.

Key Features of FIM Events:

  • Event Details: Each event records specific details about the file change, including:
    • File Name/Path: The name and location of the file or directory involved.
    • Event Type: Whether the file was added, modified, or deleted.
    • Timestamp: The exact time when the event occurred.
    • Agent: The endpoint (agent) that reported the change.
    • User: The user responsible for the change (useful for tracking insider threats or investigating user activity).
  • Correlation with Other Alerts: FIM events are often correlated with other security events, such as unauthorized access or malware detection, providing a broader context for investigation.
  • Remediation Guidance: Based on the event, Argus may provide suggestions for remediation. For instance, if a sensitive file was unexpectedly modified, the system might recommend restoring the file from a backup or reviewing access logs to determine who made the change.

Event Filtering:

  • Filter by Agent: Filter events based on which agent generated them. This is useful for narrowing down alerts to specific systems.
  • Filter by Time Range: View events that occurred within a specific timeframe to focus on recent or historical changes.
  • Filter by File Type: Events can be filtered by file type (e.g., configuration files, logs) to prioritize certain types of monitoring.

Example Event:

  • Event Type: File Modification
  • File Path: /etc/ssh/sshd_config
  • Timestamp: 2024-09-09 15:32:45
  • Agent Name: ubuntu-server-01
  • User: root
  • Action: Modified
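The baseline comparison described in this section, as an added example that is not Argus code: a baseline of SHA-256 checksums is computed over a constructed snapshot of monitored files, a second snapshot is compared against it, and one event is emitted per added, modified or deleted path in the same shape as the example event above. The file contents, paths, agent name and user are constructed for this illustration, and the user is supplied as a parameter rather than recovered from the operating system.

```python
import hashlib
from datetime import datetime, timezone

# Constructed snapshots of monitored files (path -> content); sample data, not real files.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"Port 22\nPermitRootLogin no\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"Port 22\nPermitRootLogin yes\n",          # modified
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",                 # unchanged
    "/etc/cron.d/nightly": b"0 2 * * * root /usr/local/bin/backup.sh\n", # added
}                                                                        # /etc/hosts deleted

def checksum(data):
    """SHA-256 of the file content; the baseline stores one digest per path."""
    return hashlib.sha256(data).hexdigest()

def build_baseline(files):
    """Pre-computed baseline: path -> checksum."""
    return {path: checksum(data) for path, data in files.items()}

def detect_changes(baseline, files, agent_name, user, timestamp=None):
    """Compare a fresh scan against the baseline and emit one FIM event per change.
    The user is an input here; a real agent would obtain it from the OS audit trail."""
    timestamp = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    current = build_baseline(files)
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            event_type = "added"
        elif path not in current:
            event_type = "deleted"
        elif baseline[path] != current[path]:
            event_type = "modified"
        else:
            continue  # digest unchanged: nothing to report
        events.append({"event_type": event_type, "file_path": path, "timestamp": timestamp,
                       "agent_name": agent_name, "user": user,
                       "old_checksum": baseline.get(path), "new_checksum": current.get(path)})
    return events
```

Keeping both the old and new checksum on a modification event lets an analyst confirm whether a restored file really matches the baseline.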
