SIEM Overview

Introduction

Security information and event management (SIEM) is a software solution that collects event logs from supported information technology (IT) infrastructure and applications and turns them into actionable security intelligence. These enterprise solutions provide near-real-time analysis of security alerts generated by applications and network hardware, an interface for researching and analyzing the collected data and alarms, and an interface for deeper investigations that track the full scope of an event.

SIEM solutions have been around for many years, with different degrees of functionality and features depending on the product or vendor you choose.

The SIEM also provides a collection point for all logs, which matters because a common attack pattern is an intruder covering their tracks by clearing the event logs on a compromised system. A SIEM receives and stores events as they are generated, so even if the logs are deleted from the compromised system later, the events are still available for review in the SIEM's copy. This preserves evidence and allows detailed analysis even during a successful attack, provided the forwarding agent ships events promptly and the SIEM itself is protected from the same attacker (separate credentials, restricted write access, and its own retention policy). The log-clear event itself (Windows event ID 1102, "The audit log was cleared") is a strong indicator worth alerting on.

At its core, a SIEM is a data aggregator, search tool, and reporting system. It gathers immense amounts of data from across the networked environment, consolidates it, and makes it searchable by a human. With the data normalized and categorized, an analyst can research a possible breach in as much detail as needed.

Summary of Capabilities

In practice many products in this area offer a mix of log-related functions, so there is often overlap, and many commercial vendors promote their own terminology. A full solution includes collection and storage of log messages and audit trails, long-term retention, analysis and reporting of collected log data, real-time monitoring of new events, correlation across events from different sources, notifications when suspicious events are collected, and console views for graphical analysis and research.

A key focus of a solution is monitoring user and service privileges, directory services, and other application or system-configuration changes, as well as providing log auditing and review, analysis of related events, and support for incident response.

Cloud Security Best Practice

There are several things you can do to improve the security of your online cloud environment. Protect your business assets by enabling specific controls when available.

  1. Access Control – Enable multi-factor authentication (MFA) and conditional access when possible. This means requiring more than a username and password to access your critical cloud-based systems. Instead of allowing access with only something you know (a password), also require the user to prove their identity with something they have (a phone or hardware token) or something they are (a fingerprint). Conditional access, where available, lets an administrator add further requirements to the login, such as allowing sign-in only from a managed device or from an approved location.
  2. Improve Security Posture – Use the tools available from your cloud provider to improve your overall security posture. Microsoft Azure offers a secure score rating that lists recommended actions and compares your security profile to other tenants. This can drive security changes you may not have known were possible and provides instructions specific to your environment.
  3. Secure Your Applications – Train your developers in security best practices such as Microsoft's Security Development Lifecycle (SDL) and test for common development flaws using the OWASP Top 10 as a guide. Encrypt everything you can: all internal and external connections in transit (TLS) and all stored data at rest. Backups should be encrypted and stored in a secure location separate from the production data. Review your relationships with all vendors so it is crystal clear who is responsible for each aspect of security; under the cloud shared-responsibility model, assume you own everything that is not specifically assigned to the provider in the contract.
  4. Understand and Mitigate Risks – Use best-practice guidelines to identify threats, build processes to protect systems from known threats, detect the techniques attackers are likely to use in your environment, and respond before systems are compromised. Send the logs from all systems to a security information and event management (SIEM) system. Once the logs are in a central location you can alert on specific events and spot risky behavior before a system is compromised.
  5. Maintain Network Security – Even though the cloud moves systems outside your on-premises environment, proper firewall configuration is still very important. Controls still need to protect the perimeter, detect hostile activity, and respond to threats. A web application firewall (WAF) protects web apps from common exploits like SQL injection and cross-site scripting, though it is a compensating control, not a substitute for fixing the code. Using virtual networks and subnets you can micro-segment the network for additional protection as you work toward zero-trust networking. Enable the endpoint firewall, such as Windows Defender Firewall, so endpoints stay protected when they leave the on-premises network.

While protecting your company assets from a constantly evolving threat landscape can seem an impossible (and expensive) task, some basic security processes can start you down the path towards a best-practice security environment. Don’t try to do everything at once. Start simple with the goal of constant improvement.

Building a Successful Cybersecurity Strategy

A strategy for cybersecurity must be driven by top-down management emphasis on building security into everything a company does and builds. Cybersecurity cannot be an afterthought added later; it must be designed in and implemented from the first day. If you have gaps today, they must be fixed, and a management system put in place to prevent the same kind of gap in the future.

The first step in building a mature strategy to fix an imperfect security posture is a formal risk assessment. This lets your team compare existing controls against an established framework such as the NIST Cybersecurity Framework or the CIS Critical Security Controls (formerly the SANS Top 20). A cybersecurity framework is a predefined set of controls identified and defined by leading security organizations to help you strengthen security across the enterprise. The assessment documents which controls are already in place and how effective they are, and which are missing or ineffective. With that done, you can focus your change effort on the controls with the most impact, incrementally improving security with each change to the existing environment.

Now that you have a written list of needs, you have a better understanding of where your team stands: which controls are effective and which are missing or poorly implemented. This also helps you determine whether you have the budget and personnel to make the required changes, where the biggest security gaps are, and what priority and schedule to assign to each change.

This might also be a good time to decide if outsourcing the effort, either in part or in full, might be a better solution for your business. Do you have the time and budget to train internal resources for the effort required to resolve the items identified for remediation? If you must hire new personnel, will you have time to onboard and complete orientation or training before you can start remediation of identified security issues, or should you outsource the remediation to an external resource with the experience and skill to quickly resolve your issues?

How to Avoid Ransomware

Ransomware is malware installed on your machine to deny you access to your critical files. Once you cannot open your documents, pictures, and music, the attacker offers to release the files back to you for a fee. For an individual the fee might be several hundred dollars; for a business it might be in the millions.

The attacker uses fairly standard attack methods to get software onto your computer that scans the system for specific file types and encrypts them with a key only the attacker holds, so the files are not recoverable without it. The malware then presents a key value (a victim identifier) to redeem for a decryption key. If you present that value and the fee, the criminals send a decryption key that makes your files available again. Usually. Sometimes you pay and they do not respond, or the key they provide does not work correctly.

There are specific things you can do to make a successful attack on your computer much less likely, and ways to reduce the impact so you do not have to pay the ransom. Some are easy for a non-technical user to tackle; others are better suited to technical staff at a business or government agency.

Inexpensive Ways to Reduce Ransomware Attack Success
  • Back Up Your Important Data – If you have a backup that the attacker has not encrypted, you probably will not have to pay. Depending on how often your data changes, a weekly backup may be enough (Windows 10 has a built-in utility, or you can buy a program that backs up to an external hard drive or the cloud). Keep the backup disconnected from the computer, or in cloud storage with versioning, so a successful attack cannot reach the backup files as well; ransomware routinely encrypts attached drives and mapped shares. Test a restore before you need it. If your files get encrypted, you can safely reload Windows 10 and copy your files from the backup to the clean machine.
  • Enable Microsoft Defender – Microsoft Defender is included with Windows 10. It has powerful features to protect your computer from malicious attacks, but only if they are enabled and properly configured. Enable controlled folder access to prevent unauthorized applications from modifying files in protected folders, turn on cloud-delivered protection and automatic sample submission for better protection, and enable tamper protection so the protection cannot be switched off when you need it most. You should also enable the attack surface reduction (ASR) rules in Defender, including the rule "Use advanced protection against ransomware" and the rules that block other activities associated with an attack.
  • Protect Systems – Do not expose anything directly to the internet that is not correctly hardened and patched; an unpatched, default-configured service is an easy attack surface. If you do not know how to properly configure a server or other infrastructure item, do not guess, because attackers know exactly what they are looking for when they stage an attack.
  • Use MFA – Enable multi-factor authentication (MFA) wherever possible. Many online services let you enable this extra protection, which requires your password plus possession of a specific device to log in. It prevents someone who guesses or steals your password from accessing your Facebook, Twitter, or Office 365 (O365) account from anywhere in the world.
  • Education – Educate yourself on how to detect and avoid phishing emails and potentially malicious websites.

Cybersecurity: Lateral Movement

What is Lateral Movement

Lateral movement is the technique of a malicious user moving from one compromised system to the next in an attempt to reach critical business systems.

Lateral Movement Techniques

Since this is a serious risk that could lead to a breach of your critical business systems, you need to be able to detect and respond to it. It is not one thing you detect or prevent but a family of attack techniques, so you have to build a methodology around it with more than one response for remediating each technique.

This methodology usually requires the attacker to obtain additional user account credentials. Using those credentials, the attacker accesses other nodes, moving laterally through the network.

Examples of lateral movement attacks include:

Lateral Movement Detection

There is more than one approach to identifying this type of malicious activity, and you may need a collection of detection techniques. It will not be simple or easy, but once you understand the attack, the techniques used, and the detection methods at your disposal, you will have a better chance of stopping a successful attack.
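The following is an added example, not code from the original posts: a toy in-memory correlation in Python that shows the two points made above, the SIEM's retained copy of events surviving a local log wipe (Windows event ID 1102, "The audit log was cleared") and a simple lateral-movement rule that fires when one account makes network logons (event 4624, logon type 3) to several distinct hosts within a short window. The key=value log format, hostnames, users and addresses are constructed for the demo; a real SIEM would ingest native Windows event XML or syslog, and the window and threshold would be tuned per environment (backup and scanning accounts in particular need their own baseline).

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample log lines (not real telemetry). Event IDs follow Windows:
# 4624 = successful logon (logon_type 3 = network), 4688 = process creation,
# 1102 = "The audit log was cleared".
SAMPLE_LOG_LINES = [
    "2024-03-01T09:00:05Z host=WS-101 event_id=4624 user=jdoe src=10.0.5.21 logon_type=2",
    "2024-03-01T09:01:00Z host=WS-101 event_id=4688 user=jdoe src=- logon_type=-",
    "2024-03-01T09:02:10Z host=FS-01 event_id=4624 user=svc-backup src=10.0.9.9 logon_type=3",
    "2024-03-01T09:05:00Z host=WS-102 event_id=4624 user=jdoe src=10.0.5.21 logon_type=3",
    "2024-03-01T09:06:30Z host=WS-103 event_id=4624 user=jdoe src=10.0.5.21 logon_type=3",
    "2024-03-01T09:08:45Z host=FS-01 event_id=4624 user=jdoe src=10.0.5.21 logon_type=3",
    "2024-03-01T09:10:00Z host=WS-101 event_id=1102 user=jdoe src=- logon_type=-",
    "2024-03-01T14:30:00Z host=DC-01 event_id=4624 user=svc-backup src=10.0.9.9 logon_type=3",
]


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    event_id: int
    user: str
    src: str
    logon_type: Optional[int]


def parse_line(line: str) -> Event:
    """Normalize one 'timestamp k=v k=v ...' line into an Event."""
    ts_text, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    lt = fields.get("logon_type", "-")
    return Event(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        host=fields["host"],
        event_id=int(fields["event_id"]),
        user=fields["user"],
        src=fields["src"],
        logon_type=int(lt) if lt.isdigit() else None,
    )


def ingest(lines: List[str]) -> List[Event]:
    """The SIEM's copy: every forwarded event, ordered by time."""
    return sorted((parse_line(line) for line in lines), key=lambda e: e.ts)


def detect_log_clearing(events: List[Event]) -> List[dict]:
    """Rule 1: for each 'audit log cleared' (1102), report how many earlier events
    from that host the SIEM already holds, i.e. what survives the attacker's cleanup."""
    findings = []
    for e in events:
        if e.event_id == 1102:
            retained = [x for x in events if x.host == e.host and x.ts < e.ts]
            findings.append({"host": e.host, "cleared_by": e.user,
                             "at": e.ts, "retained_events": len(retained)})
    return findings


def detect_logon_fanout(events: List[Event],
                        window: timedelta = timedelta(minutes=10),
                        threshold: int = 3) -> Dict[str, List[str]]:
    """Rule 2: one account making network logons to >= threshold distinct hosts
    within `window` (a classic lateral-movement fan-out)."""
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.event_id == 4624 and e.logon_type == 3:
            by_user[e.user].append(e)
    findings: Dict[str, List[str]] = {}
    for user, logons in by_user.items():
        logons.sort(key=lambda e: e.ts)
        for i, first in enumerate(logons):          # slide the window over each start
            hosts = {x.host for x in logons[i:] if x.ts - first.ts <= window}
            if len(hosts) >= threshold:
                findings[user] = sorted(hosts)
                break
    return findings


if __name__ == "__main__":
    evs = ingest(SAMPLE_LOG_LINES)
    for f in detect_log_clearing(evs):
        print(f"[log cleared] {f['host']} by {f['cleared_by']} at {f['at']}: "
              f"{f['retained_events']} earlier events still held by the SIEM")
    for user, hosts in detect_logon_fanout(evs).items():
        print(f"[lateral movement?] {user}: network logons to {len(hosts)} hosts "
              f"within 10 min: {', '.join(hosts)}")
```

On the constructed data the first rule flags the wipe on WS-101 and shows two earlier events from that host still held, and the second rule flags jdoe (three hosts in under four minutes) while leaving svc-backup alone, since its two logons are hours apart. In production the fan-out rule is only as good as its exclusions, so whitelist known scanners and backup accounts by source address rather than by username alone.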

Building a Security Operations Center (SOC)

Cybersecurity is an important part of your business, covering many aspects of security from development to infrastructure systems, plus everything from document and data retention to how you deal with data breaches.

Cybersecurity Overview

Cyberspace and its underlying infrastructure are vulnerable to a wide range of risks from both physical and cyber threats. Sophisticated cyber actors and nation-states exploit vulnerabilities to steal valuable information and even money, and they are developing capabilities to disrupt, destroy, or threaten the delivery of essential services. A range of traditional crimes are now perpetrated through cyberspace, including child exploitation, banking and financial fraud, and intellectual property theft, all with substantial human and economic consequences. These are some of the aspects of cybersecurity to consider when building an environment around IT security:

  • Rapid Detection – Build a system that lets your team rapidly detect an attack and prevent compromise. This includes perimeter defenses that alert technicians to an active attack, the ability to respond to a breach as quickly as possible, and the ability to identify which systems are being actively attacked and which are not.
  • Incident Response – Your technicians must have the tools to deny access to an asset involved in a suspected incident, quarantine the data on those systems, and block further access by suspicious users as quickly as possible. Some tools allow an automated response during an incident, which helps smaller teams respond quickly, but automation can also be a curse if a poorly tuned system produces multiple false positives (for example, isolating a production server on a false alarm).
  • Alarm Events – Systems must send meaningful and actionable alerts to your security team. Alarms can tell you something is wrong before you can see the problem with your naked eye, but they can also be the source of false alarms, or redundant sources can make an issue seem worse than it is by doubling or tripling the number of alerts.
  • Network Visibility – Tools that let your team identify new endpoints and visualize the entire network allow them to quickly spot problems and react to unauthorized endpoints.
  • Vulnerability Prevention – Identifying malware and known vulnerabilities is key to a stronger, more secure network. Protecting each endpoint from suspicious software and unauthorized downloads, and generating vulnerability alerts, are essential to targeting corrective action before an attacker finds the same issues.

PCI DSS – Centralized Log Management System

The collection of event logs is required under the PCI DSS (Requirement 10), and those logs are what you would use to reconstruct the scope and timeline of a data breach if the network of a company that accepts credit cards is compromised. This means more companies are using their security logs to detect and analyze malicious incidents. Some might say these companies collect too much log data (think billions of events per day), but it is easier to exclude data during analysis than to reconstruct an attack without enough data. Collect as many events as your budget allows, and prioritize the sources an investigation will need first: authentication, privilege use, and access to cardholder data.

A centralized log management system can help you collect all the relevant logs into a standardized format, help prevent editing/deletion of valuable evidence, provide a simple interface to perform analysis, limit who has access to the logged events, and provide one location to schedule a backup of huge amounts of data.

Security event logging basics

The best guide to security logging is the National Institute of Standards and Technology (NIST) Guide to Computer Security Log Management (Special Publication 800-92). Although it was written in 2006, it still covers the basics of security log management, so it is very helpful to anyone new to the process.
