Proactive Monitoring and Context – The secret weapons in cyber security
Tune your SIEM to alert you when odd things start to happen
Anyone in the cyber security industry will agree that without proactive monitoring and context, organisations are blind to today’s sophisticated and tailored cyber-attacks.
Moreover, what was once the purview of highly skilled cybercriminal groups (well-refined, multilayered malware systems that combine social engineering, zero-day vulnerabilities and custom exploits) is becoming more the norm than the exception. This is the new frontline of the cyber battleground, where daily skirmishes are leaving security operations teams battered under the withering firepower of enemy attacks. But what can you do to get ahead of your adversaries? Let’s look at what matters – proactive monitoring and context.
Proactive Monitoring and Context: Business Continuity
Proactive and continual tuning of security controls ensures they remain effective in keeping out the bad guys while letting the business continue to meet its strategic objectives. Security operations teams need to quickly find breaches and clean up the mess before the attacker has a chance to cause harm – but this is not an easy task. The reality is that in Australia businesses rarely have breach detection capabilities that work or, at least, that remain capable as the attackers change their tactics. In fact, even moderately sophisticated attacks exploit more than one vulnerability to achieve their goal.
For example, the recent WannaCry outbreak saw multiple payloads compiled together to allow the attacker to gain access to the target’s computer, then to spread laterally through the target’s network, encrypting each computer it encountered along the way. And while this malware seemed sophisticated with its layered exploits working together to make the germ even more virulent, the technology wasn’t smart at all. It required a little lateral thinking and a lot of luck to bring over 200 companies to their knees.
Furthermore, most of the organisations that were infected by WannaCry had serious deficiencies in the most basic of cyber security defences. If they had only patched their Microsoft Windows computers with the latest set of updates, they’d have been immune.
Proactive Monitoring and Context: SIEM technology
Patching is often not the responsibility of the security team, yet they are still expected to keep the wolf from the door. So, how can security operations teams tune their systems to detect and shut down attacks such as WannaCry when the patches haven’t been rolled out? Firstly, you need a Security Information and Event Management (SIEM) system that collects the logs and security information continually being produced by your network appliances.
The source of an attack such as WannaCry can appear to be external when it’s coming in for the first time, or internal when it’s spreading laterally or trying to encrypt your data. But each kind of attack is different in its behaviour, which you can use to your advantage if you know how your systems are supposed to behave under normal operation. To stop an attack, you can detect these changes to the normal patterns of your services, which act as early warning signals.
Being able to detect attacks at the beginning of the kill chain requires that you have deep insight into how your systems are configured. Knowing how they are architected and how they perform under duress will help you find anomalies. Once you have this knowledge (which we’ll call context), you can tune your SIEM to alert you when odd things start to happen. One viewpoint that security operations teams can take is that of the context of users’ assets. Furthermore, if you combine contextual behaviour monitoring with real-time threat intelligence about rogue sites and IP addresses, you’ll be able to pre-empt the attackers and detect them during early reconnaissance rather than when the user calls the service desk wondering why their files won’t open.
Proactive Monitoring and Context: Focus your activities
There are several modes of context that you can use to focus your activities when building correlation rules, helping you tune your security devices against each of these viewpoints. Take the user context, for example: if your organisation uses Microsoft Active Directory, you can use user authentication, assignment to groups and organisational units, and general privilege and ACL usage to profile what regular user activity looks like. You can also use this activity to help the Active Directory team refine their access policies, since you’ll be feeding back incidents for them to investigate whatever you consider to be indicators of attack.
When you are locating false positives that look like patterns of behaviour associated with an attack, you are helping the other technical teams in the investigation understand what the baseline looks like. Any help in this space is usually welcomed and helps the organisation develop a richer understanding of what’s going on ‘under the hood.’ Other contexts that you can profile might be the system, security appliances, vulnerabilities, and even different user groups’ contexts, such as Executive, Sales, Finance and HR. You might even profile the attackers’ context. Model each viewpoint and determine what changes to the baseline indicate an attack. You can then determine whether any systems need to be reconfigured to notify you of these behavioural anomalies, which in turn helps you tune the SIEM.
You can develop use cases within security operations that are optimised for each of your contexts, spending development time working on cross-sections of contexts to see how each of the different styles manifests in an attack.
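To make the user-context idea from the last two sections concrete, here is an added example (not from the original article or any particular SIEM product) of the kind of correlation logic a SIEM rule would encode: learn which hosts each account normally logs on to, then alert on logons outside that baseline, on one account fanning out across many hosts in a short window (the lateral-spread pattern described for WannaCry), and on connections to addresses from a threat-intelligence feed. The event records, host names and the rogue IP are all constructed for the example; the IP is from the TEST-NET range, not a real indicator.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like records a SIEM normalises from
# Windows logon and firewall logs: (time, user, host, kind, dst_ip).
BASELINE = [  # learning window: what "normal" looks like for each user
    ("2017-05-08 09:02", "alice", "WS-ALICE", "logon", None),
    ("2017-05-08 09:15", "alice", "FS-01", "logon", None),
    ("2017-05-09 08:58", "alice", "WS-ALICE", "logon", None),
    ("2017-05-08 09:30", "bob", "WS-BOB", "logon", None),
]
NEW_EVENTS = [  # later traffic: one account suddenly fans out across hosts
    ("2017-05-12 10:01", "alice", "WS-ALICE", "logon", None),
    ("2017-05-12 10:02", "alice", "WS-ALICE", "conn", "203.0.113.7"),
    ("2017-05-12 10:03", "alice", "WS-BOB", "logon", None),
    ("2017-05-12 10:03", "alice", "WS-CAROL", "logon", None),
    ("2017-05-12 10:04", "alice", "FS-02", "logon", None),
    ("2017-05-12 10:30", "bob", "WS-BOB", "logon", None),
]
ROGUE_IPS = {"203.0.113.7"}  # placeholder feed entry (TEST-NET, not a real IoC)

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def build_baseline(events):
    """User context: the set of hosts each account normally logs on to."""
    hosts = defaultdict(set)
    for _, user, host, kind, _ in events:
        if kind == "logon":
            hosts[user].add(host)
    return hosts

def detect(events, baseline, rogue_ips=ROGUE_IPS,
           spread_limit=3, window=timedelta(minutes=5)):
    """Return (rule, user, detail) alerts for deviations from the baseline."""
    alerts, recent = [], defaultdict(list)  # recent: user -> [(time, host)]
    for t, user, host, kind, dst in sorted(events, key=lambda e: ts(e[0])):
        when = ts(t)
        if kind == "conn" and dst in rogue_ips:  # threat-intel enrichment
            alerts.append(("threat_intel_match", user, dst))
        if kind != "logon":
            continue
        if host not in baseline.get(user, set()):  # outside the user's context
            alerts.append(("unusual_host", user, host))
        recent[user] = [(w, h) for w, h in recent[user] if when - w <= window]
        recent[user].append((when, host))
        if len({h for _, h in recent[user]}) == spread_limit:  # lateral spread
            alerts.append(("lateral_spread", user, spread_limit))
    return alerts
```

In practice the baseline would be rebuilt periodically from the SIEM's own history, and the false positives it surfaces (a user legitimately moving to a new workstation, for instance) are exactly the feedback the article suggests handing to the Active Directory team.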
Proactive Monitoring and Context: Get on the front foot
In security, proactive monitoring and context is everything. To get security operations finally back on the front foot, you need to understand how things work. How are systems configured? Who is authorised to access file stores and your intranet? Why is that account accessing that information repository? Once you have context, it’s so much easier to locate intruders and kick them off your network before they cause harm.