
With the advent of the first information security tools came the first pressing questions: how do you know that the barricades you have erected actually work and protect anything? How do you respond to alerts quickly? How do you tell which threats have been prevented? Whether a firewall worked could be checked with an ICMP ping: if the ACL (access control list) rules are in effect, no echo reply should come back. The event log could be viewed through the device console, sifting through hundreds or thousands of lines by hand in the hope of spotting a threat that had been blocked or detected.
Time is money
The active protection tools alone produce a large volume of event logs, not to mention critical servers, databases and applications. From these logs you can identify unauthorized access attempts, network attacks and anomalies that lead to a breach of business continuity or of security policy. Opening an event log takes a sequence of actions, and each takes time: start the application, connect to the console, display the list of events and examine it. Even if we assume that one employee is responsible only for monitoring antivirus software (suppose there is a centralized management console), patch installation and the IPS (suppose there are no more than 2–4 of them), viewing the events from these sources and analyzing the problems of the last day will take that person about an hour. Add the human factor: the employee may be busy with other tasks, ill or on vacation, distracted from the work, or doing it only for form's sake. Now calculate the number of man-hours needed to analyze the event logs of the critical assets at least once a day. Include in the calculation the salary of a qualified employee who can actually recognize threats in these logs, and the time needed to connect to the security tools in a branch office over slow communication channels. Expensive? Yes, it comes to a round sum, and if you quote it to management you will most likely be shown out of the office.
So, you have installed the security tools, configured them, and they work. What else do you need? A SIEM replaces more than a dozen people working around the clock, and it will never ask for a raise.
Business protection
The main task of information security (IS) is to protect the business and ensure business continuity. What does that require? Business processes are described, assets are identified and audited (including scans and pentests), an intruder model is drawn up, risks are studied, and a risk reduction plan is prepared. What measures are taken to reduce the risk? Policies are written, users are trained, security tools are installed, configurations are changed, updates are installed... We have all done this. And then left everything as it is until the next PDCA cycle?
Keep your finger on the pulse
The "install and forget" principle does not apply in information security. There is no absolute protection, and the most unlikely risks can turn into a halt of the business and huge financial losses. Any piece of software or hardware may stop working or be misconfigured, and thereby let a threat through. Have you seen the instrument panel of a modern aircraft? All the important indicators are gathered in one place, laid out by ergonomics and priority. The pilot and co-pilot cannot fail to notice that a critical indicator has gone out of range. The same goes for a SIEM: on any deviation from the baseline or from policy (the aircraft's course), or damage to an asset as a result of failures or threats (equipment problems), the operator-pilots are notified immediately.
Why immediately, and what changes in an hour? Viruses spread in seconds, and intruders have automated systems for analyzing and exploiting vulnerabilities. The event that a RAID array in a production system has fallen apart will be of no interest to you tomorrow, because by then some of the data (or all of it) will be lost. The sooner you are informed, the faster you act, and the smaller the financial losses to the business. It is nice when an incident has no consequences (back to the aircraft: "Vasya, can you believe it? Yesterday we flew from Paris to Moscow on one engine!").
No proactive protection exists.
If we install centrally managed antivirus software, we need to make sure that it is installed everywhere, correctly configured, and running with current signature databases. How? Using the event logs.
What for? Imagine that you have automated the installation of the corporate antivirus and its database updates. You audit the event log every two or three days, but there was a crash, the OS on a workstation in the warehouse no longer starts the antivirus service, and that workstation is infected with a virus that spreads over the network. It is far from certain that autorun is disabled on all servers and that all patches are installed: in real life this is almost never the case. A self-propagating trojan that exploits vulnerabilities, uses autorun and spreads over the network, or a forged shortcut on a shared network resource, can bring the whole company to a standstill. While you are in emergency mode analyzing what has happened, the business will most likely be idle, and the bosses will be nervous and indignant. The financial losses from an enterprise's downtime are easy enough to estimate yourself. Failures like this also tend to have a negative effect on bonuses and salaries.
A controlled threat is an accepted risk
In practice there are cases when security runs counter to the business. There are situations when an update that closes a vulnerability cannot be installed (for a mass of reasons: certification, instability, "not tested", conflicts with other software), or, for example, RPC cannot be blocked because the business application would stop working. The cost of eliminating the threat may exceed the potential loss, so the risk is "accepted". We can, however, keep such risks under control with a SIEM and respond to the incidents that do occur, returning the funds set aside to cover operational risk to the budget at the end of the year. Naturally, in this case an operator reading firewall logs without automatic analysis and recording of incidents is out of the question as a means of controlling risk.
No cause found, so everyone is to blame
You have probably come across cases where there is no data with which to resolve an incident: no information about the exact time and place of origin (we do not count calls from users) or about what preceded it, and no way to answer the main questions: why the incident occurred and who is to blame. No, this is not needed in order to punish the guilty (although sometimes that is needed too). The main thing to establish after an incident is what to do so that it does not happen again. And a single built-in OS log (Windows event log or syslog) may well not be enough.
I am not a god, I am only a system administrator
In a mature, extensive infrastructure, administrative rights are delegated to a fairly wide circle of employees. Naturally, all of them have passed security checks, and we trust them. But in practice human psychology often gets in the way: the employee who destroyed the database or the RAID, or brought in a virus on a personal flash drive that stopped a business process, faced with dismissal and a fine and cornered, covers his tracks by deleting or forging the event logs. If you do not collect those logs in time, the business is harmed in the form of financial losses and a damaged reputation. Event logs collected in time and consolidated in a repository will help you make the right decision on the outcome of the incident. Data (events and incidents) cannot be removed from a SIEM unnoticed: records remain in the system log, and integrity monitoring is performed. Evidence in the form of event logs in a SIEM system will help your organization when the matter goes to court.
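The paragraph above says that events cannot be removed from a SIEM unnoticed because integrity monitoring is performed. The following is an added illustration, not code from any SIEM product or from the author: it shows one common way to make an event store tamper-evident, a hash chain in which every record commits to its predecessor, and a verifier that reports the first broken link when a record is modified, deleted from the middle, or (given an externally stored head hash) truncated from the end. The record format and the sample events are constructed for the example.

```python
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # previous-hash value for the very first record


def _digest(prev_hash: str, seq: int, event: dict) -> str:
    """Hash of (previous hash, sequence number, canonical JSON of the event)."""
    payload = json.dumps({"prev": prev_hash, "seq": seq, "event": event},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class HashChainedLog:
    """Append-only event store; each record carries the hash of the one before it."""

    def __init__(self) -> None:
        self.records: List[dict] = []

    def append(self, event: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        seq = len(self.records)
        rec = {"seq": seq, "prev": prev, "event": event,
               "hash": _digest(prev, seq, event)}
        self.records.append(rec)
        return rec

    def head(self) -> str:
        """Hash of the last record; store it off-box so tail truncation is detectable."""
        return self.records[-1]["hash"] if self.records else GENESIS


def verify_chain(records: List[dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad record.

    A deleted middle record shows up as a sequence/prev mismatch at its successor;
    a modified record shows up as a hash mismatch at its own index; a truncated tail
    is caught only by comparing against a head hash kept outside the store, and is
    reported as index len(records).
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev"] != prev:
            return i
        if _digest(prev, i, rec["event"]) != rec["hash"]:
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(records)
    return None


def build_sample_log() -> HashChainedLog:
    """Constructed sample: four events an administrator might later wish to erase."""
    log = HashChainedLog()
    log.append({"host": "db01", "msg": "RAID array degraded", "user": "-"})
    log.append({"host": "db01", "msg": "volume deleted", "user": "CORP\\adm_petrov"})
    log.append({"host": "db01", "msg": "audit log cleared", "user": "CORP\\adm_petrov"})
    log.append({"host": "db01", "msg": "service restarted", "user": "CORP\\adm_petrov"})
    return log


def demo_tampering() -> Dict[str, Optional[int]]:
    """Apply three manipulations to copies of the sample log and report what the verifier sees."""
    log = build_sample_log()
    head = log.head()
    results: Dict[str, Optional[int]] = {"intact": verify_chain(log.records, head)}

    # 1. Delete the incriminating record in the middle.
    deleted = [json.loads(json.dumps(r)) for r in log.records]
    del deleted[2]
    results["middle_deleted"] = verify_chain(deleted, head)

    # 2. Rewrite the user in record 1 to shift the blame.
    edited = [json.loads(json.dumps(r)) for r in log.records]
    edited[1]["event"]["user"] = "CORP\\ivanov"
    results["record_edited"] = verify_chain(edited, head)

    # 3. Drop the last record; only the stored head hash reveals this.
    truncated = log.records[:3]
    results["tail_truncated_no_head"] = verify_chain(truncated)
    results["tail_truncated_with_head"] = verify_chain(truncated, head)
    return results


if __name__ == "__main__":
    for name, idx in demo_tampering().items():
        print(f"{name}: {'intact' if idx is None else f'broken at record {idx}'}")
```

The last case is the caveat a practitioner should note: a hash chain alone proves nothing about records removed from the end, so the head hash (or a periodic digest) has to live somewhere the administrator being audited cannot reach.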
Who knows what that script does?..
Of course, you can build log management and some kind of event management on home-grown scripts: logs collected over syslog or with open-source tools, everything glued together with PowerShell, batch files and sh scripts, and incidents reported by e-mail. So convenient and cheap!
Yes, this is acceptable for a small business. But let us return to the aircraft. Mentally remove all the indicators from the instrument panel (or erase their labels) and send the error messages to the pilot by SMS and e-mail instead... How quickly will the pilot get tired of digging the phone out of his pocket and parsing the incoming mail?
SIEM systems have self-diagnostics and monitor their own components. They are not batch files scattered here and there, whose integrity and health are very hard to control. With a collection of disparate scripts it is almost impossible to protect against spoofing of their content or against an administrative credential being read in clear text. A SIEM, by contrast, is an integrated system that reports on the continuity of event collection, failures of its own components, access to system functions, and so on.
Protect more than critical assets.
Imagine that you have protected the assets that are critical (in your opinion), for example a business application or a database. Everything is fine, money was spent in moderation, and you saved on security tools for workstations and on two-factor authentication for mobile users. The users are "squeezed" by group policies. But you did not take into account that a locked door standing in the middle of a field is completely useless. Attackers will obtain user and administrative accounts from the unprotected workstations or mobile devices and, with absolutely legitimate requests to your super-secure database, "pull out" everything they can. Destructive actions went out of fashion long ago. You will learn about the leak from the news and be surprised: after all, every server was reliably protected! This is an example of a typical APT attack. Running processes, new libraries in the OS, new services, open ports and connections, privilege escalation: all of this can be seen in the event logs of the workstations that, in your opinion, were not critical assets...
Protection must be comprehensive. The Bit9 and RSA incidents are proof: for some reason neither company had deployed the protection it was developing on its own workstations.
Presentation
Protection tools are usually signature-based, that is, built from the analysis of threats that are already known (viruses, network attacks, even the dictionaries in DLP). New threats can be identified only with complex correlation algorithms (RBR correlation is covered in a separate article in our blog) working over millions of events and indicators, together with baseline analysis. The human brain cannot always comprehensively analyze that volume of data. The abstraction that SIEM views provide, however, helps operators detect threats in time: the system does all the preliminary computation and displays the indicators. At a minimum, based on baseline analysis, the system reports new DynDNS traffic, or that 10 failed login attempts under the domain administrator account have been recorded from various assets. As a rule, the system can report a trojan or a brute-force attack (depending on the set of correlation rules and the capabilities of the particular product). More complex correlation algorithms let you establish the cause of the incident (for example, identify the user who connected a modem, which led to a trojan infection and the brute force). A person cannot do this analysis over millions of textual events. Customizable dashboards are useful both to individual employees and to the SOC (security operations center), as well as to the IT and technical support departments.
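The "10 failed login attempts under the domain administrator account from various assets" case above is a textbook correlation rule. The code below is an added example, not a rule from any particular SIEM or from the author: it runs a sliding-window rule over a constructed batch of normalized logon events (Windows-style IDs 4625 for a failed logon and 4624 for a successful one, in a simple pipe-delimited format assumed for the example), fires once per window rather than on every additional attempt so the operator is not flooded, and goes one step beyond the text by flagging a successful privileged logon that follows the burst, which is the moment a brute force has probably succeeded.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

FAILED_LOGON = "4625"   # Windows Security log: an account failed to log on
SUCCESS_LOGON = "4624"  # Windows Security log: an account was successfully logged on

# Constructed sample, one normalized event per line: timestamp|host|event_id|account|source_ip.
# One stale failure 40 minutes earlier, then 11 failed Administrator logons across four
# servers within 30 seconds, an unrelated user's failure and success, and finally a
# successful Administrator logon right after the burst.
SAMPLE_EVENTS = """\
2014-03-12T09:20:00|srv01|4625|CORP\\Administrator|10.0.0.5
2014-03-12T10:00:01|srv01|4625|CORP\\Administrator|10.0.0.5
2014-03-12T10:00:03|srv02|4625|CORP\\Administrator|10.0.0.5
2014-03-12T10:00:04|ws117|4625|CORP\\ivanov|10.0.1.17
2014-03-12T10:00:06|srv03|4625|CORP\\Administrator|10.0.0.5
2014-03-12T10:00:08|srv01|4625|CORP\\Administrator|10.0.0.5
2014-03-12T10:00:10|srv04|4625|CORP\\Administrator|10.0.0.5
2014-03-12T10:00:12|srv02|4625|CORP\\Administrator|10.0.0.5
2014-03-12T10:00:15|ws117|4624|CORP\\ivanov|10.0.1.17
2014-03-12T10:00:17|srv03|4625|CORP\\Administrator|10.0.0.5
2014-03-12T10:00:19|srv01|4625|CORP\\Administrator|10.0.0.5
2014-03-12T10:00:22|srv04|4625|CORP\\Administrator|10.0.0.5
2014-03-12T10:00:25|srv02|4625|CORP\\Administrator|10.0.0.5
2014-03-12T10:00:28|srv03|4625|CORP\\Administrator|10.0.0.5
2014-03-12T10:00:31|srv01|4624|CORP\\Administrator|10.0.0.5
"""


def parse_event(line: str) -> dict:
    ts, host, event_id, account, src = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event_id": event_id, "account": account, "src": src}


def correlate(lines: List[str],
              privileged: Tuple[str, ...] = ("CORP\\Administrator",),
              threshold: int = 10,
              min_hosts: int = 2,
              window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Sliding-window rule: >= threshold failed logons for a privileged account from
    >= min_hosts distinct hosts within `window` raises one alert per window; a
    successful logon for that account within `window` of the alert raises a follow-up."""
    failures: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    last_alert: Dict[str, datetime] = {}
    alerts: List[dict] = []

    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        acct = ev["account"]
        if acct not in privileged:
            continue  # the rule is scoped to privileged accounts only

        if ev["event_id"] == SUCCESS_LOGON:
            fired = last_alert.get(acct)
            if fired is not None and ev["ts"] - fired <= window:
                alerts.append({"rule": "privileged_logon_after_brute_force",
                               "account": acct, "host": ev["host"],
                               "at": ev["ts"].isoformat()})
            continue

        if ev["event_id"] != FAILED_LOGON:
            continue

        q = failures[acct]
        q.append((ev["ts"], ev["host"]))
        while q and ev["ts"] - q[0][0] > window:  # age out attempts older than the window
            q.popleft()
        hosts = sorted({h for _, h in q})
        fired = last_alert.get(acct)
        already_alerted = fired is not None and ev["ts"] - fired <= window
        if len(q) >= threshold and len(hosts) >= min_hosts and not already_alerted:
            alerts.append({"rule": "privileged_brute_force", "account": acct,
                           "attempts": len(q), "hosts": hosts,
                           "at": ev["ts"].isoformat()})
            last_alert[acct] = ev["ts"]
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Two details matter in practice: the stale 09:20 failure is aged out before it can count toward the threshold, and the eleventh failure does not produce a second ticket, which is exactly the "no flooding" behaviour a tuned rule set is expected to have.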
Compliance
A number of regional, international, national and industry standards contain requirements for organizing the log management process. Every SIEM system ships with templates that match the international standards, and lets you add your own templates, in order to generate a compliance report on the collection and storage of events. With a home-made system you would have to spend significant resources to produce such templates, in report form or as an interface for an auditor.
Priorities
Incorrect incident response is like a traffic light that shows the wrong colour: the IS and IT departments cannot get to the top-priority tasks that keep the business processes running. A SIEM provides the minimum means needed to organize incident registration (or integrates with the help desk), helps to track incidents to resolution, and builds up a knowledge base. It can prioritize incidents by their impact on business processes, by the value of the asset and by the severity of the threat. Some systems can also integrate with risk management systems.
There is a mistaken opinion that a SIEM produces a large number of incidents that the information security unit simply has no time to handle. It must be understood that a SIEM is not an out-of-the-box solution: as with DLP systems, it requires proper implementation, integration with the event sources, and an individual approach to the active rule set and correlation algorithms. A flexible exception mechanism and correct tuning of the SIEM ensure that you focus only on critical events, without flooding.
Share events
A SIEM is not only for information security. Errors and failures in operating systems, network equipment and software can all be found in the SIEM. The IT department also wants to learn about incidents before the users call, not after (especially since IT incidents, like IS incidents, can be prevented).
A SIEM is not a simple log management solution, and it is quite expensive to implement in a small or medium business. To operate it you need at least one qualified employee who will monitor the continuity of event collection, manage the correlation rules, and adjust and update them as new threats appear and as the infrastructure changes. Installing a SIEM as a "black box", switching on all the preset correlation rules, and then leaving it without proper monitoring and control is a waste of budget.
With a successful implementation, you get:
- correlation and assessment of the impact of IT and IS events and processes on the business;
- a SOC with real-time analysis of the situation in the infrastructure;
- automated detection of threats and anomalies;
- an automated process for registering and tracking incidents;
- auditing of compliance with policies and standards, control and reporting;
- a documented, correct, real-time response to emerging IS and IT threats, prioritized by their impact on business processes;
- the ability to investigate incidents and anomalies, including ones that occurred long ago;
- an evidence base for litigation;
- reporting and indicators (KPI, ROI, event management, vulnerability management).
I have given only a few examples of how a SIEM helps a business maintain continuity, raise efficiency, and resolve problems and incidents. Much more could be written about automation, responses (scenarios), incident prevention and investigation. I will try to cover these in the following publications. Separately, we will look at an extremely important question that concerns many people: how can a SIEM be used to trace the influence of IT and IS events on the business?
See you! I look forward to your questions and comments.
Author: Olesya Shelestova (oshelestova), Research Center Positive Research.