
Your SIEM needs a Hedgehog!

At Cybriant, we are big fans of Jim Collins’s book, Good to Great. This is a classic book for business leaders that describes how Mr. Collins and his team researched 1,435 established companies to find common traits of those businesses that made a leap from average to great results. The principles that are discussed in the book include lessons on eggs, flywheels, hedgehogs, and other essentials of business.

Let’s talk Hedgehogs

In his famous essay “The Hedgehog and the Fox,” Isaiah Berlin divided the world into hedgehogs and foxes, based upon an ancient Greek parable: “The fox knows many things, but the hedgehog knows one big thing.” Mr. Collins asks in his book, “Are you a hedgehog or a fox?”

Cybriant understands that when it comes to managed SIEM, we are hedgehogs. According to the book Good to Great, a hedgehog concept is a simple, crystalline concept that flows from deep understanding about the intersection of three circles: 1) what you are deeply passionate about, 2) what you can be the best in the world at, and 3) what best drives your resource engine.

We are hedgehogs because we are deeply passionate about understanding SIEMs – how they work, how to get the proper data out of them, and what to do with that data. We are the best in the world at this because we have the top talent on staff, of course! What drives our resource engine is SIEM, SIEM, SIEM: SIEM implementations, training, monitoring, and so much more. We live and breathe SIEM.

So, why do you need a Hedgehog for your SIEM?

One of our partners, AlienVault, was included in the recent Gartner Magic Quadrant for SIEM. This is awesome news! If you already use AlienVault, you know that you are working with the best. But not every company has the resources to make it (or whichever SIEM you choose) work properly for them.

According to Gartner, there are four “cautions” when it comes to AlienVault. Here’s how a hedgehog like Cybriant can help with those potential weaknesses when it comes to your SIEM:

Caution #1: USM provides NetFlow capture, basic statistics, and context for assets, but cannot generate alerts from NetFlow.

With the recent 5.4.x AlienVault release, the ability to generate alerts from NetFlow has been addressed, but we would always recommend using the right tool for the job.

AlienVault is a phenomenal correlation engine that can take a lot of data from disparate sources and discover threats from seemingly innocuous information.  It does this by taking data from Active Directory, antivirus engines, firewalls, intrusion detection, and/or anything that can produce a log message for analysis.  Each of these sources is simply a single slice of the pie just like NetFlow.  Additionally, there are technologies that specialize in analyzing nothing but NetFlow to discover behavioral events and how they may be a threat.  AlienVault will take those kinds of specialized tools and create a holistic threat analysis so that you get the whole pie and not just a single slice.

Caution #2: Integration of unsupported data sources is cumbersome compared with competing products. Alternatively, users can request AlienVault develop a plug-in to enable the integration.

The fact of the matter is that there is no data analysis engine that can parse and integrate every technology on the market without some sort of expertise, understanding of the data, and ability to create an integration.

Cybriant Engineers regularly write plugins and integrations for the AlienVault platform.  For simple products that are “unsupported” by AlienVault, it may take an hour to write a plugin.  For very complex products with hundreds (or more) of rule variations on messages in logs, it will take longer.  Through literally thousands of implementations, the Cybriant team has yet to find a product that cannot be integrated (or have a plugin created) as long as it outputs data.

Caution #3: Although identity activity can be linked with assets, USM provides only basic enrichment of event data with user context; and identity and access management (IAM) integration is limited to Active Directory and LDAP.

There are many tools that can integrate with AlienVault to provide enriched user data, and out of the box, AlienVault has some built-in IAM capabilities. Additionally, the USM Anywhere product has advanced user enrichment functionality with IAM and identity management (IDM) software. However, when we encounter cases where a user had a problem with their SIEM, we typically discover that one of two things has occurred:

  • The necessary data isn’t being fed into the SIEM (either because logging verbosity is too low or because of other configuration issues such as missing sources or broken collectors).
  • The security analyst (or, as is more often the case, an overworked systems administrator) performing the analysis doesn’t have the experience necessary to do a data deep dive.

Think of it this way: if you have a musical instrument and don’t correctly tune it, then it will sound terrible. Similarly, if the data being sent to the SIEM isn’t correct and the system isn’t tuned to excel at processing that data, then a security analyst will get poor results. Additionally, like a musical instrument, you could have the best-made instrument in the world, but if the musician doesn’t know how to play it, then it will sound terrible. With a SIEM, if the analyst (or administrator) doesn’t have the experience and dedicated training required to be successful, then the results will be poor.

At Cybriant our SIEM Analysts have a deep understanding of both how the SIEM should be configured and how to discover threats using the SIEM.  These are two distinctly different skills.  Additionally, our SIEM Analysts have direct and instant access to the rest of our team members who specialize in different fields (such as Implementations, Malware Analysis, Forensic Analysis, etc.).  This means that instead of a single Security Analyst who is hunting down alarms, Cybriant has an entire Security Task Force who is actively monitoring your infrastructure.
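The plugin work described under Caution #2 and the user-context enrichment under Caution #3 both come down to the same thing: turning a vendor's raw log line into a normalized event and then joining it to what you know about the account involved. The block below is an added illustration, not Cybriant's or AlienVault's code. It mimics the shape of an AlienVault-style plugin (ordered regex rules, each with a signature id) in stand-alone Python, then enriches the parsed event from a directory lookup. The "acmevpn" log format, the rule ids, the identity forms and the user directory are all constructed for the example.

```python
"""Added example (not Cybriant's or AlienVault's code): a minimal plugin-style
parser for an "unsupported" log source, plus user-context enrichment.

A SIEM plugin is a list of regex rules that map raw lines onto normalized
fields and a per-rule signature id (plugin_sid). The log format, ids and
directory below are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines from a hypothetical VPN appliance ("acmevpn").
SAMPLE_LOG = """\
2024-03-04T08:12:01Z acmevpn[221]: LOGIN ok user=CORP\\jdoe src=203.0.113.7 tunnel=12
2024-03-04T08:12:09Z acmevpn[221]: LOGIN fail user=jdoe@corp.example src=198.51.100.9 reason=bad-password
2024-03-04T08:15:44Z acmevpn[221]: LOGOUT user=CORP\\jdoe tunnel=12 bytes_out=40812
2024-03-04T08:16:00Z acmevpn[221]: heartbeat seq=9001
2024-03-04T08:17:13Z acmevpn[221]: LOGIN ok user=svc-backup src=192.0.2.44 tunnel=13
"""

# Rules are tried in order; named groups become normalized fields and
# plugin_sid is the signature id correlation rules would key on.
RULES = [
    ("login-ok",   1, re.compile(r"^(?P<ts>\S+) acmevpn\[\d+\]: LOGIN ok user=(?P<user>\S+) src=(?P<src_ip>\S+)")),
    ("login-fail", 2, re.compile(r"^(?P<ts>\S+) acmevpn\[\d+\]: LOGIN fail user=(?P<user>\S+) src=(?P<src_ip>\S+) reason=(?P<reason>\S+)")),
    ("logout",     3, re.compile(r"^(?P<ts>\S+) acmevpn\[\d+\]: LOGOUT user=(?P<user>\S+) .*bytes_out=(?P<bytes_out>\d+)")),
]

# Constructed stand-in for an Active Directory / LDAP export keyed by
# sAMAccountName. A real integration would query the directory instead.
USER_DIRECTORY = {
    "jdoe":       {"display": "Jane Doe", "dept": "Finance", "privileged": False},
    "svc-backup": {"display": "Backup service", "dept": "IT", "privileged": True},
}


@dataclass
class Event:
    rule: str
    plugin_sid: int
    fields: dict
    user_context: Optional[dict] = None


def canonical_user(raw: str) -> str:
    """Reduce DOMAIN\\user, user@domain and bare user to one sAMAccountName,
    so the same person is not split across three identities."""
    if "\\" in raw:
        raw = raw.split("\\", 1)[1]
    if "@" in raw:
        raw = raw.split("@", 1)[0]
    return raw.lower()


def parse_line(line: str) -> Optional[Event]:
    """First matching rule wins; None means the plugin does not cover the line."""
    for name, sid, rx in RULES:
        m = rx.match(line)
        if m:
            fields = m.groupdict()
            if "user" in fields:
                fields["user"] = canonical_user(fields["user"])
            return Event(name, sid, fields)
    return None


def enrich(ev: Event) -> Event:
    """Attach directory context. user_context stays None when the lookup
    fails, which is itself worth alarming on (unknown or unmanaged account)."""
    user = ev.fields.get("user")
    ev.user_context = USER_DIRECTORY.get(user) if user else None
    return ev


def process(log: str):
    """Return (events, unparsed) so coverage gaps are visible, not silently dropped."""
    events, unparsed = [], []
    for line in log.splitlines():
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(enrich(ev))
    return events, unparsed


if __name__ == "__main__":
    evs, gaps = process(SAMPLE_LOG)
    for e in evs:
        print(e.plugin_sid, e.rule, e.fields.get("user"), e.user_context)
    print("unparsed:", gaps)
```

The two design points worth copying into a real plugin are the `unparsed` list (a line that matches no rule is a coverage gap to fix, not noise to discard; that is the "data isn't being fed in" failure above) and the identity canonicalization step, without which `CORP\jdoe` and `jdoe@corp.example` look like two different users to every correlation rule downstream.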

Caution #4: AlienVault’s workflow capabilities do not include integrations with external ticketing systems or role-based workflow assignments. 

The traditional AlienVault USM does not have integrations with external ticketing systems, so the Cybriant Security Operations Center solves this issue by having rigorous processes and procedures in place. Without processes and procedures, workflows and integrations are typically handled in a hodgepodge manner instead of a hedgehog manner.

Additionally, with USM Anywhere, AlienVault now has integrations with external ticketing systems. And so Cybriant can simply utilize our already existing processes and procedures along with that automation to keep costs low for our customers.

Learn more about Cybriant and let us know if you need a hedgehog for your SIEM!


FBI Warning: Hackers don’t stop for the Holidays

The FBI has released a warning about a fraudulent email scam, just in time for the holidays. According to the release, “The emails claim to be from one of three shipping businesses and claim that a package intended for the email recipient cannot be delivered. The messages include a link that recipients are encouraged to open in order to get an invoice to pick up the package, however, the link connects to a site containing malware that can infect computers and steal the user’s account credentials, log into the accounts to obtain credit card information, additional personal information, and learn about a user’s shipping history for future cyber attacks.

The messages may consist of subject lines such as: “Your Order is Ready for Shipment,” “We Could Not Deliver Your Package” or “Please Confirm Delivery.” The shipping companies say they do not send unsolicited emails to customers requesting information regarding packages, invoices, account numbers, passwords or personal information and if you receive such a notice — don’t respond. You should delete the email immediately or forward it to the companies listed contact email address. If your interaction with the website resulted in a financial loss you should contact your bank immediately.”

I clicked! Now what?

We get it! Hackers are so good at creating emails that look very real, plus the timing of their messages – around the holidays – could not be better. Many of us are waiting for packages to ship, wondering where the packages are, and hoping that they don’t get lost. If you click, you may notice nothing at all: a credential-harvesting page or a drive-by download is designed not to look like a mistake. That is why the check has to happen before the click. The easiest way is to hover over the link and see whether the URL it actually points to belongs to a domain you would trust; the visible link text proves nothing. And then, instead of clicking, type the shipping company’s address into your browser yourself and look up the tracking number there – avoid clicking altogether.
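The hover check above can be done in code, which is how a mail gateway or a security-awareness tool would apply it to every message. The block below is an added example and is not from the FBI notice, Cybriant or KnowBe4: it pulls the anchors out of an HTML email body, compares the domain in the visible link text with the domain the href really points to, checks the href against an allow-list of expected senders, and flags a digit-for-letter lookalike. The email body, the `EXPECTED_SENDERS` allow-list and the `.example`/`.test` domains are constructed placeholders.

```python
"""Added example (not from the FBI notice, Cybriant or KnowBe4): the
'hover over the link' check applied to an HTML email body.

Flags (1) hrefs whose domain is not an expected sender, (2) visible link
text that names a trusted domain while the href points elsewhere, and
(3) digit-for-letter lookalikes of a trusted domain. All domains and the
message body are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allow-list: registrable domains of senders we actually expect.
EXPECTED_SENDERS = {"shipper-one.example", "shipper-two.example"}

# Constructed message in the style the FBI notice describes.
SAMPLE_EMAIL = """
<p>We Could Not Deliver Your Package.</p>
<p>Please <a href="http://shipper-one.example.invoice-pickup.test/track?id=7781">
view your invoice at shipper-one.example</a> to arrange pickup.</p>
<p><a href="https://www.shipper-one.example/help">Help center</a></p>
<p><a href="https://secure-login.shipper-0ne.example/">Confirm Delivery</a></p>
"""


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Approximation: a public-suffix-aware
    library is needed for co.uk-style suffixes; this keeps the example offline."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def check_links(html: str):
    """Return one finding per anchor with the reasons it looks suspicious."""
    p = LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        host = urlsplit(href).hostname or ""
        dom = registrable_domain(host)
        reasons = []
        if dom not in EXPECTED_SENDERS:
            reasons.append(f"host {host!r} is not an expected sender")
        # Visible text names a trusted domain, but the href goes somewhere else.
        for trusted in EXPECTED_SENDERS:
            if trusted in text.lower() and dom != trusted:
                reasons.append(f"text mentions {trusted} but href goes to {dom}")
        # Cheap lookalike check: 0->o and 1->l substitutions.
        lookalike = dom.translate(str.maketrans("01", "ol"))
        if dom not in EXPECTED_SENDERS and lookalike in EXPECTED_SENDERS:
            reasons.append(f"{dom} looks like {lookalike}")
        findings.append({"href": href, "text": text, "domain": dom,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL):
        print("SUSPICIOUS" if f["suspicious"] else "ok", f["href"], f["reasons"])
```

The first link is the classic trick: the trusted name sits in the subdomain (`shipper-one.example.invoice-pickup.test`), so a human reading left to right sees the brand while the registrable domain is the attacker's. Comparing registrable domains rather than substrings is what catches it.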

If you click, close the browser (use Task Manager to end the browser process if it won’t close), disconnect the machine from the network by unplugging the cable or turning off Wi‑Fi, then shut down and reboot. Disconnecting cuts off anything the page may have started talking to and reduces the risk of the browser reloading that malicious page once you have restarted. Immediately report it to your IT team; they may have you clear your cache and run a malware scan, and if you typed a password into the page, change that password (and anywhere else you reuse it) from a clean machine.

Consider reporting the malicious email you received to the FBI through their Internet Crime Complaint Center (IC3). Start here: https://www.ic3.gov/default.aspx. Reports from individual recipients help the FBI track these campaigns and warn others.

Our partner KnowBe4 has a free tool that allows your IT department (or Cybriant if you want us to manage it) to send you fake emails like the ones the FBI mentions just to see how many users at your company would click on those emails. It’s not a malicious email, so the only outcome will be that users that click on the fake emails may have to go through a little bit more security awareness training. After all, employees are the last line of defense if an email has gotten through all your organization’s firewalls, etc. Check out their free phishing security test here: https://info.knowbe4.com/phishing-security-test-partner?utm_medium=partnerurl&utm_source=Cybriant

Avoid it altogether

At Cybriant, we discuss the idea of having a layered approach to security when it comes to the overall cyber risk defense of our clients. Hackers will try to get into your organization from every angle possible, so you have to be prepared, and think like a hacker. Many of the breaches you read about are the result of a small thing, like a forgotten patch, that the hackers realized before the organization’s security team. That ‘small thing’ has resulted in millions of dollars of loss for many organizations. Here’s what we recommend:

  • Real-time Vulnerability Management
  • Responsive Patch Management
  • Endpoint Detection and Response
  • 24×7 SIEM with Security Monitoring


Partner for Sending Data Breach Notifications

Notifying customers of a data breach is an essential step to protecting their safety and security. It gives customers the opportunity to take the necessary steps to protect their accounts.

This includes changing passwords, monitoring account activity, or using a password manager for extra protection. In addition to improving customer security, data breach notifications provide an important reminder to companies about the risks associated with storing sensitive information online.

Letting customers know that you are paying attention and taking action can help maintain trust and prevent any potential losses due to malicious activity. Contact Cybriant if you need a trusted partner for data breach monitoring.


Two-thirds IT managers struggle with SIEM

As you know, security information and event management (SIEM) systems collect data from enterprise networks, applications, and logs from operating systems, databases, and other sources. Read more about why you need SIEM.

Dealing with critical incidents should be a top IT priority. Your organization should have a plan in place to resolve those issues once they’ve been detected. If you and your IT team are overwhelmed with the volume of events – you are not alone!  How many incidents are normal? According to a recent report:

The average organization logs about 1,200 IT incidents per month, of which 5 will be critical. It is a challenge to wade through all the data generated by the events that lead to these incidents and prioritize dealing with them. 70% say a past critical incident has caused reputational damage to their organization, underlining the importance of timely detection and minimizing impact.


The mean cost to IT of a critical incident is $36,326, and the mean downstream cost to business is an additional $105,302. These two costs rise together, suggesting high cost to IT is a proxy for poor event and incident management, which has a knock-on effect on business operations.

80% say they could improve their mean time to detect incidents, which would lead to faster resolution times and decrease the impact on businesses.

The mean time to repair critical incidents is 5.81 hours; this falls if there are fewer incidents to manage in the first place. On average, a further 7.23 hours are spent on root cause analysis, which is successful 65% of the time.

Dealing with the volume of events generated by IT monitoring tools is a challenge.

52% say they just about manage, 13% struggle, and 1% are overwhelmed. Those with event management processes that enable them to easily manage the volume of events have a faster mean time to detect incidents and fewer duplicate and repeat incidents.

Two-thirds of those surveyed admit that dealing with the volume of events generated is a problem. Dealing with incidents distracts IT staff from other activities; beyond the IT department, incidents impact business productivity and the customer experience.

Our Recommendation? 

Outsource. By outsourcing the management of your SIEM, you are allowing dedicated security professionals to monitor the events and incidents that your IT staff may not have the time or expertise to decipher. This will not only reduce your mean time to detect, resolve, and perform root cause analysis, but it will save your organization money, reputation, and more. Early detection will reduce the impact and cost of incidents on your IT department and your organization.

Related: What is Firewall Logging and Why Is It Important?


Watch Your Back: Why You Must Have A SIEM (Part 1 of the Watch Your Back series)

Recently, an article was published on Wired about Rob Joyce, Chief of the NSA’s Tailored Access Operations, and his discussion on Disrupting Nation State Hackers. Here’s the link to the original video: Disrupting Nation State Hackers.

There are quite a few areas that Joyce discusses that make life miserable for the NSA. The things that make them the most miserable are the following: Security Information and Event Management (SIEM) tools analyzing logs, Indicators of Compromise (IOCs), out-of-band (OOB) devices to analyze traffic, and worst of all competent System Administrators that use these technologies.

Today, we are going to dive into logging, OOB devices, SIEM, IOCs, and monitoring your network with SIEM.

Technology creates a lot of information, and it typically leaves a record of what it has performed in log files. Whether it’s your router, switch, server, virtualization platform, cloud provider, smartphone, or printer a trail of events and information is created like a receipt you would get from grocery shopping.

Unfortunately, the logs are often forgotten, or commonly never analyzed unless there is a major problem. Even then, System Administrators grudgingly perform log analysis simply due to the sheer volume of data created. It’s like a scene out of The Matrix where the rebel crew members watch green characters scroll down the monitor, but slightly less exciting. However, there is a wealth of information contained in these logs, and like in The Matrix, System Administrators can use this information to observe what is happening in their infrastructure.

Now, there are specialized OOB devices that can analyze your network traffic. These are typically your Intrusion Detection Systems (IDS) that passively monitor your network from a tap or mirroring port. They are out-of-band because they are not directly in the path of the data and instead have data mirrored to them. This gives them a couple of advantages: if they break they don’t break your network, and more importantly when it comes to security, an attacker on the monitored segment has nothing to probe, because a passive tap or mirror port gives the sensor no address on that segment. You can think of it as having a concealed bodyguard in the dark with night vision when a mugger is trying to sneak up on you. Naturally, these OOB monitoring devices create a lot of logs, which are then sent to your SIEM.

SIEM stands for Security Information and Event Management. The SIEM is a highly intelligent technology that views all of the logs coming from every device and correlates each piece of information. It sniffs out irregularities in data patterns and makes sense out of the mountains of information. The SIEM watching your logs and OOB systems is the scariest piece of technology in your arsenal to the bad guys because it can find the needle in the haystack. Fifty million events just happened on your network and it can find the handful of malicious actions stealing your data (or credit card numbers if you’re Target or Home Depot).

Related: What is Firewall Logging and Why Is It Important?

SIEMs need to be constantly updated for them to be effective. The information that updates the SIEM is called Indicators of Compromise (IOCs): the addresses, domains, file hashes and behaviors that are known to accompany an intrusion. The events an IOC-fed SIEM surfaces might be a system sending SPAM to the internet, a malicious website infecting anyone who lands on its homepage, malware traversing your network, the intern down the hall accessing HR data to which he shouldn’t have access, or data going to an inappropriate or unauthorized destination such as a country like Russia or China. IOCs enable System Administrators and Engineers to remain vigilant and stay abreast of new threats on the horizon.
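The "needle in the haystack" claim above rests on two mechanisms: matching events against IOCs, and correlating events from different devices about the same host. The block below is an added illustration and is not code from the Wired article, from Rob Joyce's talk, or from Cybriant. It runs a plain IOC match and a cross-source correlation rule (an IDS alert on a host followed within a time window by that host sending data to an IOC destination) over already-normalized events. The IOC list, the hosts, the IDS signature names and the events are all constructed; real IOCs would come from a threat-intelligence feed.

```python
"""Added example (not from Wired, Rob Joyce or Cybriant): how a SIEM turns
indicators of compromise and logs from different devices into one alarm.

Detection 1 is a plain IOC match on destination IP or DNS query.
Detection 2 is a correlation rule: IDS alert on a host, then IOC egress
from the same host within a window. The IOC values, hosts and events are
constructed for illustration. Parsing is assumed done (see the plugin
example earlier on this page).
"""
from datetime import datetime, timedelta

# Constructed IOC set; a real one comes from a threat-intel feed.
IOC_IPS = {"203.0.113.66"}
IOC_DOMAINS = {"update-cdn.invalid"}

# Constructed, already-normalized events from three sources: IDS, DNS, firewall.
EVENTS = [
    {"ts": "2024-03-04T09:00:05Z", "source": "ids", "host": "10.0.5.21", "msg": "ET MALWARE beacon"},
    {"ts": "2024-03-04T09:00:40Z", "source": "dns", "host": "10.0.5.21", "query": "update-cdn.invalid"},
    {"ts": "2024-03-04T09:01:10Z", "source": "fw",  "host": "10.0.5.21", "dst_ip": "203.0.113.66", "bytes_out": 5_200_000},
    {"ts": "2024-03-04T09:03:00Z", "source": "fw",  "host": "10.0.5.30", "dst_ip": "198.51.100.20", "bytes_out": 1200},
    {"ts": "2024-03-04T10:30:00Z", "source": "ids", "host": "10.0.5.30", "msg": "ET SCAN nmap"},
    {"ts": "2024-03-04T12:00:00Z", "source": "fw",  "host": "10.0.5.30", "dst_ip": "203.0.113.66", "bytes_out": 900},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def ioc_hits(events):
    """Detection 1: every event that touches a known-bad IP or domain."""
    return [e for e in events
            if e.get("dst_ip") in IOC_IPS or e.get("query") in IOC_DOMAINS]


def correlate(events, window=timedelta(minutes=10)):
    """Detection 2: IDS alert followed by IOC egress from the same host
    within `window`. Events are sorted by time so the rule is order-safe."""
    alarms = []
    ids_by_host = {}
    for e in sorted(events, key=lambda x: parse_ts(x["ts"])):
        if e["source"] == "ids":
            ids_by_host.setdefault(e["host"], []).append(e)
        elif e["source"] == "fw" and e.get("dst_ip") in IOC_IPS:
            for alert in ids_by_host.get(e["host"], []):
                delta = parse_ts(e["ts"]) - parse_ts(alert["ts"])
                if timedelta(0) <= delta <= window:
                    alarms.append({
                        "host": e["host"],
                        "ids": alert["msg"],
                        "dst_ip": e["dst_ip"],
                        "bytes_out": e["bytes_out"],
                        "seconds_after_alert": int(delta.total_seconds()),
                    })
    return alarms


if __name__ == "__main__":
    print("IOC hits:", len(ioc_hits(EVENTS)))
    for a in correlate(EVENTS):
        print("ALARM", a)
```

Run as written, three events hit an IOC but only one becomes an alarm: host 10.0.5.21 tripped an IDS signature and 65 seconds later pushed 5 MB to an IOC address. Host 10.0.5.30 also reached the IOC address, but 90 minutes after an unrelated scan alert, so it stays an IOC hit for an analyst to review rather than an alarm. That gap between "matched an indicator" and "this sequence is an incident" is what the correlation layer of a SIEM is for, and widening the window (pass `window=timedelta(hours=2)`) shows how quickly a loose rule turns the second host into noise.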

As Joyce says, “If you’re looking at the Nation State hackers, we’re going to be persistent. We’re going to keep coming and coming and coming, so you’ve gotta be defending and improving and defending and improving and evaluating and improving. The static person is going to float to the back of the pack.”

And, when a bear is chasing you, you don’t have to be the fastest in the pack, just don’t be the slowest.

Finally, we get to the most important part of defending your company or organization’s crown jewels: the System Administrator. You can have the best network security, the best SIEM, the best IDS, and the best security gadget in the world, but all of it is worthless if your System Administrator isn’t qualified and constantly monitoring, analyzing, and improving.

The responsibility doesn’t stop at them watching the bad guys do bad things. As Joyce says, the System Administrators must have clear policies and procedures on how to act once a threat has been detected. If at any point the Detect → Analyze → Remediate → Repeat approach fails, then your data will be compromised and the hacker wins.

Learn more about our Managed SIEM service.

Don’t let the hackers win.
