We all need to watch for compromised account credentials.
- password brute forcing/password guessing
- password reset
- credential leaks/harvesting
- drive-by compromise
How do you watch this stuff in the cloud? Workstations? Users? Account breaches increase risk and give a “bad guy” anywhere, anytime access.
Also, in regard to the interesting slide above from the RSA Conference, I would add:
- Crawl – Public Data
- Walk – HoneyPot Data
- Jog – Red Team Data
- Run – Shared Normalized Breach Data and Attack Methodology for PP rules (IMHO)
Event correlation is a technique for making sense of a large number of events and pinpointing the few events that are really important in that mass of information. This is accomplished by looking for and analyzing relationships between events.
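As an added example (not part of the original post), the following Python script applies event correlation to the credential-compromise cases listed above: individual failed logins are noise, but the relationship between them (same source address, many failures inside a short window, then a success) is the signal worth alerting on. The log line format, the alert thresholds and the sample log are all assumptions constructed for the example.

```python
"""Event correlation over authentication logs (added example, not from the post).
Individual events are noise; the relationships between them are the signal."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Assumed (constructed) log format: "<ISO timestamp> auth <FAIL|SUCCESS> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<outcome>FAIL|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass
class AuthEvent:
    ts: datetime
    outcome: str
    user: str
    src: str


def parse_line(line: str):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return AuthEvent(datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["src"])


def correlate(lines, window=timedelta(minutes=5), threshold=5, spray_users=3):
    """Correlate auth events per source address inside a sliding time window.

    Alert kinds (thresholds are assumed values, tune them to your environment):
      brute_force         - >= threshold failures from one source against few accounts
      password_spray      - >= threshold failures from one source across many accounts
      possible_compromise - a SUCCESS from a source that has just crossed the threshold
    """
    recent = defaultdict(deque)   # src -> deque of (ts, user) for failures inside the window
    flagged = set()               # sources already alerted on, to avoid repeating the alert
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        q = recent[ev.src]
        while q and ev.ts - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if ev.outcome == "FAIL":
            q.append((ev.ts, ev.user))
            if len(q) >= threshold and ev.src not in flagged:
                flagged.add(ev.src)
                users = {u for _, u in q}
                kind = "password_spray" if len(users) >= spray_users else "brute_force"
                alerts.append({"type": kind, "src": ev.src, "failures": len(q),
                               "distinct_users": len(users), "ts": ev.ts.isoformat()})
        elif len(q) >= threshold:
            # A success right after a burst of failures is the relationship that matters most.
            alerts.append({"type": "possible_compromise", "src": ev.src, "user": ev.user,
                           "failures_before_success": len(q), "ts": ev.ts.isoformat()})
            q.clear()
            flagged.discard(ev.src)
    return alerts


# Constructed sample log: documentation IP ranges and fictional user names.
SAMPLE_LOG = """
2024-01-01T10:00:00 auth FAIL user=alice src=203.0.113.5
2024-01-01T10:00:10 auth FAIL user=alice src=203.0.113.5
2024-01-01T10:00:20 auth FAIL user=alice src=203.0.113.5
2024-01-01T10:00:30 auth FAIL user=alice src=203.0.113.5
2024-01-01T10:00:40 auth FAIL user=alice src=203.0.113.5
2024-01-01T10:00:50 auth SUCCESS user=alice src=203.0.113.5
2024-01-01T10:01:00 auth FAIL user=bob src=198.51.100.7
2024-01-01T10:02:00 auth SUCCESS user=bob src=198.51.100.7
2024-01-01T10:30:00 auth FAIL user=carol src=192.0.2.9
2024-01-01T10:30:01 auth FAIL user=dave src=192.0.2.9
2024-01-01T10:30:02 auth FAIL user=erin src=192.0.2.9
2024-01-01T10:30:03 auth FAIL user=frank src=192.0.2.9
2024-01-01T10:30:04 auth FAIL user=grace src=192.0.2.9
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as-is, the script raises three alerts from the thirteen sample lines: a brute-force burst against one account, the success that followed it (the line a responder should look at first), and a password spray across five accounts from a second source; bob's single mistyped password produces nothing. Keying the window on the source address is what turns thirteen unrelated-looking lines into three events, and the same approach extends to the other cases in the list above (for example, a password reset followed by a login from a source never seen for that account).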