Network Anomaly Detection has typically been a premium feature of SIEM solutions and often involves the installation of hardware appliances on the customers’ network. The implementation of this technology and associated hardware has traditionally raised the cost of SIEM technology significantly.
To meet the requirement to detect network anomalies without the associated hardware costs, Secure-ISS has developed a software-based sensor solution that will, over time, detect a wide range of network-based attacks.
For each Network Segment in your Environment, consider deploying the Network Anomaly Detection Sensor on one Windows Asset.
The Sensor is not resource-hungry and does not need a dedicated machine or VM to run. Any existing Windows Server should do.
The Network Anomaly Detection solution requires your SOC Onboarding Manager to prepare the files specific to your environment. Once they have done so, you will be notified that the files are packaged and ready to go.
You will find the required files on Sharefile in a folder named ‘Network Anomaly Detection’. On the Windows machine you have earmarked for the deployment, copy these five files into a new folder on the C: drive (for example C:\Test).
Import the code signing certificate for the PowerShell script. The certificate is named ‘Secure-ISS_Authenticode.cer’ and must be added to the Local Machine: Trusted Publishers certificate store so that the signed sensor script is allowed to run. It can be imported manually when only one or two machines are involved, or distributed globally via Group Policy. Further information on this step can be found HERE
```powershell
# Run from the folder the files were copied into; places the publisher certificate in LocalMachine\TrustedPublisher
Import-Certificate -FilePath Secure-ISS_Authenticode.cer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher
```
```powershell
# Installs the Posh-SYSLOG module from the PowerShell Gallery; the sensor uses it to forward events to QRadar
Install-Module -Name Posh-SYSLOG
```
If all has gone well, you should now see a new folder on C: named ‘Secure-ISS’ with the files netMonConfig.json, netMonitor_anom_gar.ps1 and setupStartup.ps1 present.
Once installed, please Restart the asset, and advise Secure-ISS. That way, we can check that the logs are being collected correctly and configure QRadar accordingly.
Repeat steps 1 through 5 for each Windows Asset on each Network Segment that is in scope for the deployment.
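Before advising Secure-ISS, it is worth confirming on each asset that the prerequisites above actually took effect. The following check script is an added example, not part of the Secure-ISS package; it assumes the install folder is C:\Secure-ISS, uses the file names from this guide, and assumes the certificate subject contains ‘Secure-ISS’ (adjust the filter to the real subject).

```powershell
# Added post-deployment check for the Network Anomaly Detection Sensor (not vendor code).
# Assumptions: install folder C:\Secure-ISS, file names as listed in the guide,
# and a certificate subject containing 'Secure-ISS'.
$InstallDir    = 'C:\Secure-ISS'
$RequiredFiles = 'netMonConfig.json', 'netMonitor_anom_gar.ps1', 'setupStartup.ps1'
$results       = [ordered]@{}

# 1. Code signing certificate is present in LocalMachine\TrustedPublisher.
$publisher = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Subject -like '*Secure-ISS*' }   # subject filter is an assumption
$results['TrustedPublisherCert'] = [bool]$publisher

# 2. Posh-SYSLOG module is installed and visible to PowerShell.
$results['PoshSyslogModule'] = [bool](Get-Module -ListAvailable -Name Posh-SYSLOG)

# 3. Expected sensor files exist in the install folder.
foreach ($f in $RequiredFiles) {
    $results["File:$f"] = Test-Path (Join-Path $InstallDir $f)
}

# 4. The sensor script carries a valid Authenticode signature chained to a trusted publisher.
$scriptPath = Join-Path $InstallDir 'netMonitor_anom_gar.ps1'
if (Test-Path $scriptPath) {
    $sig = Get-AuthenticodeSignature -FilePath $scriptPath
    $results['ScriptSignatureValid'] = ($sig.Status -eq 'Valid')
    $results['ScriptSigner']         = $sig.SignerCertificate.Subject
}

# 5. Execution policy must permit signed scripts (Restricted would block the sensor at startup).
$results['ExecutionPolicy'] = (Get-ExecutionPolicy).ToString()

[pscustomobject]$results | Format-List
```

Every boolean in the output should read True and ScriptSignatureValid should be True before the asset is restarted; a NotSigned or UnknownError status usually means the certificate import did not land in the Trusted Publishers store.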