Tor and SIEM

I've been doing a piece of work with a client recently using a SIEM tool to monitor web and application logs for suspicious or fraudulent activity. One interesting strategy they are using is to look for Tor exit nodes in the web logs and flag activity in those sessions as suspicious. I think this is a sensible approach; these days there is a lot more to security decisions than the binary allow/deny of a traditional firewall. The fact that a request comes from a Tor exit node does not automatically make it malicious (there are plenty of legitimate uses for Tor), but Tor is one part of the toolkit that someone with nefarious intent may use to hide their true identity when attempting to breach your systems. That uncertainty means traffic from these addresses isn't an appropriate candidate for blacklisting; it warrants further investigation instead. One practical caveat: exit node lists change constantly, so the list needs refreshing on a schedule, and the match should be made against the list that was current when the request arrived, not against whatever the list says at investigation time. There is a wealth of data like this available, much of it free, that is useful to correlate with your own logs in order to build a picture of the traffic reaching your network. For example:

Tor exit nodes: matched against the source IP address
Google Safe Browsing API: matched against the referer in your web logs (anti-phishing)
SANS top sources: matched against the source IP address
Team Cymru: lots of interesting data
Project Honey Pot: more interesting data
...

I suppose the drawback to this approach is that it is still somewhat reactive and requires human intervention to investigate, which may or may not be a problem depending on volumes. One possible enhancement is to feed this data (probably with a low weighting) into a preventative mechanism such as a WAF or IPS that uses a scoring scheme to decide whether traffic is malicious, so that a Tor exit on its own only raises the score while Tor combined with other indicators can tip a request over the blocking threshold. I'm sure this is already implemented to some extent in such products.
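To make the correlation and scoring concrete, here is an added example (my own illustration, not code from the post or from the client's SIEM). It parses a handful of constructed combined-format web log lines, tags each source IP that appears in a Tor exit list and each request whose referer host appears in a phishing list, accumulates a weighted score per source, and turns that score into an allow/review/block verdict. The Tor exit set, the phishing host set, the weights and the two thresholds are all assumptions standing in for the real feeds and for whatever tuning a WAF or IPS would use; the RFC 5737 addresses and example.net domains are test data, not real traffic.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample web log in Apache/Nginx "combined" format (RFC 5737 test
# addresses and reserved example domains, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 302 0 "https://shop.example/login" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /account HTTP/1.1" 200 2048 "http://phish.example.net/landing" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:12 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.11 - - [10/Oct/2023:13:58:03 +0000] "GET /reset-password HTTP/1.1" 200 900 "http://phish.example.net/landing" "Mozilla/5.0"
"""

# Constructed stand-ins for the external feeds. In a real deployment the Tor
# set would be refreshed regularly from the exit list the Tor Project publishes,
# and referer hosts would be checked against a reputation service such as the
# Safe Browsing API rather than a static set.
TOR_EXITS = {"203.0.113.10", "203.0.113.11"}
PHISHING_HOSTS = {"phish.example.net"}

# Illustrative weights and thresholds (assumed, not a recommended tuning):
# a Tor exit alone is enough to queue a session for review but not to block;
# a phishing referer alone is also review-only; both together cross the
# blocking threshold.
WEIGHTS = {"tor_exit": 0.4, "phishing_referer": 0.6}
REVIEW_THRESHOLD = 0.3
BLOCK_THRESHOLD = 0.9

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the combined-log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_host(referer):
    """Extract the host from a Referer value; '-' and malformed values yield None."""
    if not referer or referer == "-":
        return None
    try:
        return urlsplit(referer).hostname
    except ValueError:
        return None


def enrich(entry):
    """Tag one parsed entry with every threat-list match that applies to it."""
    tags = set()
    if entry["ip"] in TOR_EXITS:
        tags.add("tor_exit")
    host = referer_host(entry["referer"])
    if host and host.lower() in PHISHING_HOSTS:
        tags.add("phishing_referer")
    return tags


def verdict(score):
    """Map an accumulated score onto the allow/review/block decision."""
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= REVIEW_THRESHOLD:
        return "review"
    return "allow"


def correlate(log_text):
    """Group a log by source IP and accumulate request count, tags, score and verdict.

    The score sums the weights of the *distinct* tags seen for a source, so many
    requests matching the same list do not inflate it. Lines that fail to parse
    are skipped; a production pipeline should count and alert on those too.
    """
    sessions = defaultdict(lambda: {"requests": 0, "tags": set()})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        s = sessions[entry["ip"]]
        s["requests"] += 1
        s["tags"] |= enrich(entry)
    for s in sessions.values():
        s["score"] = round(sum(WEIGHTS[t] for t in s["tags"]), 2)
        s["verdict"] = verdict(s["score"])
    return dict(sessions)


def review_queue(log_text):
    """Return the source IPs an analyst should look at, highest score first."""
    results = correlate(log_text)
    flagged = [ip for ip, s in results.items() if s["verdict"] != "allow"]
    return sorted(flagged, key=lambda ip: (-results[ip]["score"], ip))


if __name__ == "__main__":
    for ip, s in correlate(SAMPLE_LOG).items():
        print(f"{ip:15} requests={s['requests']} tags={sorted(s['tags'])} "
              f"score={s['score']} verdict={s['verdict']}")
    print("review queue:", review_queue(SAMPLE_LOG))
```

Run as written, the Tor-only source 203.0.113.10 and the phishing-referer source 198.51.100.7 both land in the review queue without being blocked, while 203.0.113.11, which matches both lists, crosses the blocking threshold; that is the behaviour the low-weighting idea above is aiming for. Keying sessions on source IP alone is a simplification: many users share a single exit node, so in practice you would key on the application's session identifier and carry the source IP as an attribute of it.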
