There is great excitement among security technology and service providers about the intersection of global threat intelligence with local observations in the network. While there is certainly cause for excitement, it's worth pausing to ask the question: is Threat Intelligence being used effectively?
David Bianco explains that not all indicators of compromise are created equal. His Pyramid of Pain ranks indicator types by how much pain it causes the adversary when you are able to detect and deny those indicators to them: the higher up the pyramid, the harder it is for the attacker to adapt.
Hash Values: SHA-1, MD5 or similar hashes that correspond to specific suspicious or malicious files. Hash values are often used as unique references to specific malware samples or to files involved in an intrusion, but they sit at the bottom of the pyramid because a single changed byte produces a new hash. EventTracker can match on them via its Change Audit feature.
IP Addresses: or even net blocks. If you deny the adversary the use of one of their IPs, they can usually recover quickly. EventTracker addresses these via its Behavior Module and the associated IP Reputation lookup.
Domain Names: These are harder to change than IP addresses, since they must be registered and resolved. EventTracker can either use logs from a proxy or scan web server logs to detect such artifacts.
Host Artifacts: For example, the attacker's HTTP recon tool may use a distinctive User-Agent string when searching your web content (off by one space or semicolon, for example; or maybe they just put their name in it. Don't laugh, this happens!). This can be detected by the Behavior Module in EventTracker when focused on the User-Agent string from web server logs.
Tools: Artifacts of the tools the attacker is using (e.g., DLL or EXE names, or their hashes) can be detected through the Unknown Process module within EventTracker, which builds on the Change Audit feature.
Tactics, Techniques & Procedures: An example is detecting Pass-the-Hash attacks, as called out by the NSA in their white paper and discussed in our webinar “Spotting the adversary with Windows Event Log Monitoring”.
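To make the lower rungs concrete, here is an added example (not EventTracker code, and not from the original post) that runs a handful of constructed web server log lines against indicators at three rungs: a blacklisted net block, a blacklisted domain seen in the Referer, and a User-Agent string that is NOT IN a baseline built from a trusted window of traffic (the "off by one space" host artifact described above). The indicator values and log lines are made up for the example using RFC 5737 documentation addresses and a reserved example domain; they are not real intelligence.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators, one set per pyramid rung. All values are constructed for this
# example (RFC 5737 documentation ranges, a reserved example domain).
BAD_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # IP addresses / net blocks
BAD_DOMAINS = {"evil.example"}                        # domain names

# Constructed "trusted window" of traffic used to baseline User-Agent strings.
BASELINE_LINES = [
    '192.0.2.20 - - [09/Jan/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0"',
    '192.0.2.21 - - [09/Jan/2015:10:00:02 +0000] "GET /about HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)"',
]

# Constructed lines to run detection over.
SAMPLE_LINES = [
    # source inside a blacklisted net block (IP rung)
    '203.0.113.7 - - [10/Jan/2015:20:05:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0"',
    # Referer points at a blacklisted domain (domain rung)
    '198.51.100.4 - - [10/Jan/2015:20:05:12 +0000] "GET /admin HTTP/1.1" 404 0 '
    '"http://evil.example/scan" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)"',
    # User-Agent off by one space from the baseline (host artifact rung)
    '192.0.2.9 - - [10/Jan/2015:20:05:13 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (compatible;  MSIE 9.0; Windows NT 6.1)"',
    # benign
    '192.0.2.10 - - [10/Jan/2015:20:05:14 +0000] "GET /about HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)"',
]


def parse(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["ip"] = ipaddress.ip_address(fields["ip"])
    return fields


def ua_baseline(lines):
    """Set of User-Agent strings seen in a trusted window. Anything NOT IN it
    is a grey-list candidate for an analyst to sort into good or bad."""
    return {f["ua"] for f in map(parse, lines) if f}


def referer_host(referer):
    """Host part of the Referer, or None when the field is empty ("-")."""
    return urlsplit(referer).hostname if referer != "-" else None


def detect(lines, baseline):
    """Match each line against the indicator sets; return (rung, source ip, detail) tuples."""
    findings = []
    for line in lines:
        f = parse(line)
        if f is None:
            continue
        src = str(f["ip"])
        if any(f["ip"] in net for net in BAD_NETS):
            findings.append(("ip", src, "source in blacklisted net block"))
        host = referer_host(f["referer"])
        if host and any(host == d or host.endswith("." + d) for d in BAD_DOMAINS):
            findings.append(("domain", src, f"Referer host {host} is blacklisted"))
        if f["ua"] not in baseline:
            findings.append(("host_artifact", src, f"User-Agent not in baseline: {f['ua']!r}"))
    return findings


def by_rung(findings):
    """Count findings per pyramid rung, the simplest form of a TI effectiveness report."""
    return Counter(rung for rung, _, _ in findings)


if __name__ == "__main__":
    for hit in detect(SAMPLE_LINES, ua_baseline(BASELINE_LINES)):
        print(hit)
```

The baseline is the interesting part: the blacklist checks only ever find what a feed already knows, whereas the NOT IN baseline check surfaces the attacker's own tooling quirk without anyone having published it first. In production the baseline window needs to be long enough to cover legitimate browser updates, or the grey list fills with new Firefox releases.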
Bottom line: Having Threat Intelligence is not the same as using it effectively. The former is something you can buy, the latter is something you develop as a capability. It not only requires tools but also persistent, well trained humans.
Want both? Consider SIEM Simplified.
Bad actors and bad actions are more and more prevalent on the Internet. Who are they? What are they up to? Are they prowling in your network?
The first two questions are answered by Threat Intelligence (TI), the last one can be provided by a SIEM that integrates TI into its functionality.
But wait, don’t buy just yet, there’s more, much more!
Threat Intelligence when fused with SIEM can:
- Validate correlation rules and improve baselining of alerts by raising the priority of rules that also point at TI-reported “bad” sources
- Detect owned boxes, bots, etc. that call home while on your network
- Qualify entities related to an incident based on collected TI data (what's the history of this IP?)
- Match historical log data retrospectively against current TI data (an indicator published today may expose a connection that happened last month)
- Review past TI history as key context for reviewed events, alerts, incidents, etc.
- Enable automatic action based on the better context available from high-quality TI feeds
- Run TI effectiveness reports in the SIEM (how much of the TI leads to useful alerts and incidents?)
- Check the source IPs in web server logs to profile visitors and reduce service to those appearing on bad lists (uncommon)
and the beat goes on…
Want the benefits of SIEM without the heavy lifting involved? SIEM Simplified may be for you.
Did you wrestle your big name SIEM vendor into throwing in their “enterprise class” solution at a huge discount as part of the last negotiation? If so, good for you – you should be pleased with yourself for wrangling something so valuable from them. 90% discounts are not unheard of, by the way.
But do you know why they caved and included it? It's because there is a very high probability that you really won't ever obtain any significant value from it.
You see, the “enterprise class” SIEM solutions from the top name vendors all require significant trained staff to even get them up and running, never mind tuning them and delivering any real value. They figured you probably just don't have the staff or the time to do any of that, so they can give it away at that huge discount. It adds some value to their invoice, prevents any other vendor from horning in on their turf and makes you happy – what's not to like?
The problem, of course, is that you are not any closer to solving any of the problems that a SIEM can address. Is that ok with you? If so, why even bother to pay that 10%?
From a recent webinar on the topic by Gartner Analyst Anton Chuvakin:
Q: For a mid-size company what percent of time would a typical SIEM analyst spend in monitoring / management of the tool – outstanding incident management?
A: Look at my SIEM skill model of Run/Watch/Tune and the paper where it is described in depth. Ideally, you don't want to have one person running the SIEM system, doing security monitoring and tuning SIEM content (such as writing correlation rules, etc) since it would be either one busy person or one really talented one. Overall, you want to spend a small minority of time on the management of the tool and most of the time using it. SIEM works if you work it! SIEM fails if you fail to use it.
So is your SIEM gathering logs? Or gathering dust?
If the latter, give us a call! Our SIEM Simplified service can take the sting out of the bite.
Recent terrorist attacks in France have shaken governments in Europe. The difficulty of defending against insider attacks is once again front and center. How should we respond? The UK government seems to feel that greater mass surveillance is a proper response. The Communications Data Bill proposed by Prime Minister Cameron would compel telecom companies to keep records of all Internet, email, and cellphone activity. He also wants to ban encrypted communications services.
This approach would pile even more massive data sets onto what NSA/GCHQ are already thought to analyze, in the hope that algorithms would be able to pinpoint the bad guys. Of course France already has blanket surveillance, but that did not prevent the Charlie Hebdo attack.
In the SIEM universe, the equivalent would be to gather every log from every source in the hope that attacks could be predicted and prevented. In practice, accepting data like this into a SIEM solution reduces it to a quivering mess of barely functioning components. The opposite approach, “output driven SIEM” (decide which alerts and reports you actually need, then collect only the logs that feed them), is favored by experienced implementers.
Ray Corrigan, writing Mass Surveillance Will Not Stop Terrorism in the New Scientist, notes: “Surveillance of the entire population, the vast majority of whom are innocent, leads to the diversion of limited intelligence resources in pursuit of huge numbers of false leads. Terrorists are comparatively rare, so finding one is a needle-in-a-haystack problem. You don't make it easier by throwing more needleless hay on the stack.”
Threat Intelligence (TI) is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard. The challenge is that leading indicators of risk to an organization are difficult to identify when the organization's adversaries, including their thoughts, capabilities and actions, are unknown. Therefore “black lists” of various types, listing top attackers, spammers, poisoned URLs, malware domains etc., have become popular. These lists are either community maintained and free (e.g., SANS DShield), paid for by your tax dollars (e.g., InfraGard) or paid services.
EventTracker 7.6 introduced formal support to automatically import and use such lists. We are often asked which list(s) to use, and whether it is worth paying for a TI service. Here is our thinking on the subject:
- External vs. Internal
In most cases, we find “white lists” to be much smaller, more effective and easier to tune and maintain than any “black list”. EventTracker supports the generation of such white lists from internal sources (the Change Audit feature) or from the list of known good IP ranges (your internal ranges, your Amazon EC2 or Azure instances, your O365 instances etc). Using the NOTIN match option of the Behavior module then gives you a small list of suspicious activities (a grey list) that can be quickly sorted into black or white for future processing. As a first step, this is a quick, inexpensive and effective solution.
- Paid vs. Free
Free services include well regarded sources such as shadowserver.org, abuse.ch, dshield.org, FBI InfraGard, US-CERT and EventTracker ThreatCenter (a curated list of low volume, high confidence sources formatted for quick import into EventTracker). Many customers in industry verticals (e.g., electric power) have lists circulated within their community.
If you are thinking of paid services, then ask yourself:
- Will the feed allow me to detect threats faster? (e.g., a feed of top attackers updated in real time vs. once every 6 or 12 hours). If faster is your motivation, are you able to respond to the detection faster? If the threat is detected at 8 PM on a Friday, when will you be able to properly respond (not just acknowledge)?
- Will the feed allow me to detect threats better? i.e., would you have missed this threat if it had not been for that paid feed? At this time, many paid services for tactical TI are aggregating, cleaning and de-duplicating free sources and/or offering analysis that is also available in the public domain (e.g., McAfee and Kaspersky analysis of Dark Seoul, the malware family linked to the attack on Sony Pictures, is available from US-CERT).
Bottom line, Threat Intelligence is an excellent extension to SIEM solutions. The order of implementation should be internal/whitelist first, external free lists next and finally paid services to cover any remaining gaps.
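The order of precedence above (white list first, then free feeds, then whatever is left) is easy to get wrong in a SIEM rule, so here is an added example, not EventTracker code and not from the original post, that applies it to a few constructed outbound connection records. Known-good ranges win over any feed, feed hits are recorded with the name of the feed that fired (the raw material for the "TI effectiveness" report), and everything NOT IN either list lands on a small grey list. It also shows retrospective matching: an indicator that arrives after the fact is run over past records. The ranges, feed names and records are all made up for the example using RFC 1918 and RFC 5737 addresses.

```python
import ipaddress
from collections import Counter

# Known-good ranges: internal RFC 1918 space plus a hypothetical SaaS/cloud
# range your organisation uses (198.51.100.0/24, an RFC 5737 documentation
# net, stands in for that).
WHITE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "198.51.100.0/24")]

# Two constructed "free feeds". Real feeds are lists of CIDRs or addresses;
# the entries here are documentation addresses, not real indicators.
FEEDS = {
    "feed-A": ["203.0.113.0/24"],
    "feed-B": ["203.0.113.9/32", "192.0.2.66/32"],
}

# Constructed outbound connection records: (timestamp, src, dst, dst_port).
RECORDS = [
    ("2015-01-09T20:01:00Z", "10.1.2.3", "198.51.100.20", 443),
    ("2015-01-09T20:02:00Z", "10.1.2.3", "203.0.113.9", 8080),
    ("2015-01-09T20:03:00Z", "10.1.2.4", "192.0.2.200", 443),
    ("2015-01-09T20:04:00Z", "10.1.2.5", "192.168.5.5", 445),
]


def load_feeds(feeds):
    """Flatten {feed name: [cidr, ...]} into [(feed name, network), ...]."""
    return [(name, ipaddress.ip_network(cidr)) for name, cidrs in feeds.items() for cidr in cidrs]


def classify(dst, white_nets, black_list):
    """White beats black: a known-good destination is never alerted on, even if
    a feed lists it (feeds do contain shared hosting and CDN addresses).
    Returns (verdict, names of feeds that matched)."""
    ip = ipaddress.ip_address(dst)
    if any(ip in net for net in white_nets):
        return "white", []
    hits = [name for name, net in black_list if ip in net]
    if hits:
        return "black", hits
    return "grey", []          # NOT IN either list: the small pile an analyst sorts


def triage(records, white_nets, black_list):
    """Bucket records into white / black / grey; each entry keeps the matching feeds."""
    buckets = {"white": [], "black": [], "grey": []}
    for ts, src, dst, port in records:
        verdict, hits = classify(dst, white_nets, black_list)
        buckets[verdict].append((ts, src, dst, port, hits))
    return buckets


def feed_effectiveness(buckets):
    """How many black verdicts each feed contributed to. A feed that never
    fires on your traffic is not earning its keep, paid or free."""
    return Counter(name for entry in buckets["black"] for name in entry[4])


def retro_match(records, new_cidrs):
    """Historical matching: run indicators published today over past records."""
    nets = [ipaddress.ip_network(c) for c in new_cidrs]
    return [r for r in records if any(ipaddress.ip_address(r[2]) in n for n in nets)]


if __name__ == "__main__":
    black = load_feeds(FEEDS)
    result = triage(RECORDS, WHITE_NETS, black)
    for verdict, entries in result.items():
        print(verdict, entries)
    print("feed effectiveness:", feed_effectiveness(result))
    # an indicator that arrives after the fact still finds the old connection
    print("retro:", retro_match(RECORDS, ["192.0.2.200/32"]))
```

Note that the grey record (10.1.2.4 to 192.0.2.200) is exactly the kind of thing a paid feed is sold on: here it is found by the white list doing its job, and later confirmed by the retrospective match once an indicator for it appears.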
Looking for 80% coverage at 20% cost? Let us do the detection with SIEM Simplified so you can remain focused on remediation.
Traditional threat models posit that it is necessary to protect against all attacks. While this may be true for a critical national defense network, it is unlikely to be true for the typical commercial enterprise. In fact many technically possible attacks are economically infeasible and thus not attempted by typical attackers.
This can be inferred by noting that most users ignore security precautions and yet escape regular harm. Most assets escape exploitation because they are not targeted, not because they are impregnable.
As Cormac Herley points out: “a more realistic view is that we start with some variant of the traditional threat model, e.g., it is necessary and sufficient to defend against all attacks, but then modify it in some way, e.g., defense effort should be appropriate to the assets. However, while the first statement is absolute, and has a clear call-to-action, the qualifier is vague and imprecise. Of course we can't defend against everything, but on what basis should we decide what to neglect?”
One way around this is risk classification. The more you have to lose, the harder you must make it for the attacker. If you can make the cost of the attack exceed what the attacker can monetize from it, then a financially motivated attacker will move on, as it's not worth it.
Want to present a hard target to attackers at an efficient price? Consider our SIEM Simplified service. You can get 80% of the value of a SIEM for 20% of the do-it-yourself price.
You must have heard light bulb jokes, for example:
How many optimists does it take to screw in a light bulb? None, they’re convinced that the power will come back on soon.
So how many people does it take to run a SIEM?
Let me count the ways.
Assuming the SIEM has been installed and configured properly (i.e, in accordance with the desired use cases), a few different skill sets are needed (these can all be the same person but that is quite rare).
SIEM Admin: This person handles the RUN function and will maintain the product in operational state and monitor its up-time. Other duties include deploying updates from the vendor and optimizing system performance. This is usually a fraction of a full time equivalent (FTE). About 4-8 hours/week for the typical EventTracker installation.
Security Analyst: This person handles the WATCH function and uses EventTracker for security monitoring: reviewing activity reports, investigating alerts and working incidents. Depending on the extent of the infrastructure being monitored, this can range from a fraction of an FTE to several FTEs. Plan for coverage on weekends and after hours. Incident response may require notification of other admin personnel.
SIEM Expert: This person handles the TUNE function and refines/customizes the SIEM rules/content and creates rules to support new use cases. This function requires the highest skill level, familiarity with the network and expertise with the SIEM product.
Back to the (bad) joke:
Q. So how many people does it take to run a SIEM?
A. None! The vendor said it manages itself!
In the last few weeks of 2014, in the aftermath of the Sony hack, the attacks on many retailers and the incessant news on Shellshock, POODLE and many other vulnerabilities, many managers are considering 2015 budgets, and the eternal question “how much to invest in IT security” is a common one.
It sometimes seems that there is no limit, and that the more you spend, the lower your risk. But the Gordon-Loeb model says that is in fact not the case.
As pointed out by the Robert H. Smith School of Business at the University of Maryland:
The security of information is a fundamental concern to organizations operating in the modern digital economy. There are technical, behavioral, and organizational aspects related to this concern. There are also economic aspects of information security. One important economic aspect of information security (including cybersecurity) revolves around deriving the right amount an organization should invest in protecting information. Organizations also need to determine the most appropriate way to allocate such an investment. Both of these aspects of information security are addressed by Drs. Lawrence A. Gordon and Martin P. Loeb.
The focus of the Gordon-Loeb Model is to present an economic framework that characterizes the optimal level of investment to protect a given set of information. The model shows that the amount a firm should spend to protect information should generally be only a small fraction of the expected loss. More specifically, it shows that it is generally uneconomical to invest in information security activities (including cybersecurity related activities) more than 37 percent of the expected loss that would occur from a security breach. For a given level of potential loss, the optimal amount to spend to protect an information set does not always increase with increases in the information set's vulnerability. In other words, organizations may derive a higher return on their security activities by investing in cyber/information security activities that are directed at improving the security of information sets with a medium level of vulnerability.
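The 37 percent is $1/e$. As an added worked derivation (not part of the original post or the Smith School text), here is where it comes from for one of the two breach-probability function classes Gordon and Loeb analyze; the symbols follow their paper. $v \in (0,1)$ is the vulnerability (probability of a breach with no investment), $L$ the loss if a breach occurs, so $vL$ is the expected loss; $z \ge 0$ is the investment, $S(z,v)$ the breach probability after investing $z$, and $\alpha > 0$ a productivity parameter. The choice of the second function class below is an assumption for the illustration; the bound holds for both classes.

$$S(z,v) = v^{\alpha z + 1}, \qquad \mathrm{ENBIS}(z) = \bigl[v - S(z,v)\bigr]\,L - z$$

Setting the derivative of the expected net benefit to zero:

$$-\frac{\partial S}{\partial z}\,L = 1 \quad\Longrightarrow\quad \alpha L \ln\!\left(\tfrac{1}{v}\right) v^{\alpha z^{*} + 1} = 1$$

Write $w = \ln(1/v) > 0$ and $t = \alpha L w$. Taking logarithms of the first-order condition gives $(\alpha z^{*} + 1)\,w = \ln t$, hence

$$z^{*} = \frac{\ln t - w}{\alpha w} = \frac{L}{t}\,(\ln t - w), \qquad \text{with } z^{*} = 0 \text{ whenever } \ln t \le w.$$

Now put $u = \ln t - w = \ln\!\bigl(\alpha L v \ln(1/v)\bigr)$, so that $t = e^{u+w} = e^{u}/v$ and

$$z^{*} = vL\; u\,e^{-u}.$$

Since $u e^{-u}$ attains its maximum $1/e$ at $u = 1$,

$$z^{*} \le \frac{vL}{e} \approx 0.37\, vL,$$

which is the 37 percent of expected loss quoted above. The second claim in the passage also falls out of $z^{*} = vL\,u e^{-u}$: as $v$ rises toward 1, the factor $v \ln(1/v)$ inside $u$ goes to zero, so $z^{*}$ eventually falls again rather than growing with vulnerability, and the highest-return targets are information sets of intermediate vulnerability.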
Want the most for your 37% of expected loss? Consider SIEM Simplified.
Solution Providers for Retail
Guest blog by A.N. Ananth
Cybercrime and stealing credit cards has been a hot topic all year. From the Target breach to Sony, the classic motivation for cybercriminals is profit. So how much is a stolen credit card worth?
The reason it is important to know the answer to this question is that it is the central motivation behind the criminal. If you could make it more expensive for a criminal to steal a card than what the thief would gain by selling them, then the attackers would find an easier target. That is what being a hard target is all about.
This article suggests prices of $35-$45 for a stolen credit card depending upon whether it is a platinum or corporate card. It is also worth noting that the viable lifetime of a stolen card is at most one billing cycle. After this time, the rightful owner will most likely detect its loss or the bank fraud monitor will pick up irregularities and terminate the account.
Why is a credit card with a high spending limit (say $10K) worth only $35? It is because monetizing a stolen credit card is difficult and requires a lot of expensive effort on part of the criminal. That is contrary to popular press which suggest that cybercrime results in easy billions. At the Workshop on Economics of Information Security, Herley and Florencio showed in their presentation, “Sex, Lies and Cybercrime Surveys,” that widely circulated estimates of cybercrime losses are wrong by orders of magnitude.For example:
Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population. A single individual who claims $50,000 losses, in an N = 1000 person survey, is all it takes to generate a $10 billion loss over the population. One unverified claim of $7,500 in phishing losses translates into $1.5 billion. …Cyber-crime losses follow very concentrated distributions where a representative sample of the population does not necessarily give an accurate estimate of the mean. They are self-reported numbers which have no robustness to any embellishment or exaggeration. They are surveys of rare phenomena where the signal is overwhelmed by the noise of misinformation. In short they produce estimates that cannot be relied upon.
That’s a rational, fact based explanation as to why the most basic of information security is unusually effective in most cases. Pundits have been screaming this from the rooftops for a long time. What are your thoughts?
Read more at the Solution Provider for Retail guest blog.