In previous blogs, I’ve tongue-in-cheek (mostly) suggested our organisations would be a lot more protected from nefarious actors if we simply disconnected and went back to pen and paper. I may have also suggested that having employees makes enterprise security quite challenging. And Wi-Fi, visitors, BYOD, and IoT are also threat vectors: perhaps we should also get rid of them. Imagine the money we’d save.
OK, let’s assume you do need your internet connection, staff, and applications. How do we secure it all?
In earlier blogs, I’ve discussed a range of topics that look at different aspects of IT security and offered some thoughts on how best to go about building a secure and resilient organisation.
However, there’s a new kind of threat management technology emerging (we are one of the pioneers who invented it, so indulge me). It takes all of the feeds from small-footprint logging agents installed on every device and application in an organisation (think PCs, laptops, servers, and remote desktops) and intelligently profiles and flags areas of concern.
I’m not talking about SIEM here either, in case you’re wondering. SIEM (security information and event management) collects the logs from our Snare agents and other syslog feeds from devices and applications, then raises alerts and, in some instances, automatically remediates or identifies other security problems that need to be fixed.
You can see the hole. SIEM focuses on the data streams coming from the security apparatus, but it doesn’t do a great job of building contextual insights from other data sources.
This is where threat intelligence comes into play.
A threat intelligence solution scans and collects everything that generates a log or provides intelligence on business operations.
It captures and secures log information from:
- IT ticketing systems, configuration management databases (CMDB), and change management systems;
- structured threat information expression (STIX) data feeds, to gain intelligence on threat actors;
- LDAP sources and group policy;
- system and application patching information, and backup status;
- the traditional logs from Windows domain controllers, servers, desktops, mobile devices, and webservers;
- syslog feeds from firewalls, routers, switches, IP phones, and wireless access points.
So, pretty much anything that can have a logging agent installed on it or provide a syslog feed.
Effective logging agents (like ours at Snare) even log when someone tries to wipe a log to cover their tracks. Every log entry ends up on a highly secure central log server in near real-time. Even if an attacker deletes the device’s logs, the agent has already collected them and sent them to the central system, so all of the malicious activity that preceded the deletion was captured and stored away from the system under attack.
Because the logs are kept on a separate, secured system, we retain a forensic record of what occurred. The threat intelligence system generates an alert (on the dashboard or sent to a recipient) and, when you compare the central records with what the device now holds, the gap of missing device logs shows up as someone trying to cover their tracks. That finding can then be correlated with other systems and user activity as part of the incident management process.
Once you have logs for everything, the challenge is making sense of that information. Until now, it’s been pretty difficult and often expensive.
Threat intelligence software helps to overcome that problem. It presents a cascading series of preformatted dashboards which provide visual alert cues to the health, or otherwise, of the network, devices, and applications generating logs.
The power of threat intelligence comes from two main areas:
- It collates vast amounts of log data into meaningful information. This information can be visualised on dashboards calibrated out of the box to highlight potential problems using predefined key performance indicators (KPIs) to find potential security incidents. Regardless of what kind of application, system or device is generating the log, it can offer summary and detailed insights, drilling down to the raw data. Once baselines are established, you can customise further, perhaps desensitising certain alerts and filtering out other noise to reduce false positives. Or, you can increase sensitivity on systems or applications that have highly restricted access in certain security zones. Additionally, you can easily plug in new log sources at any time from other applications that provide better context of activity or devices such as the new vending machine in the hall which polls an internet connection once a day.
- Threat intelligence looks across the entire log universe in your organisation, pulling data from many sources to help connect the dots on what is occurring. It looks for patterns and behaviours which indicate that an attack (internal or external) is being attempted, policies are breached, strange or unauthorised user activity is occurring, or a device or application isn’t behaving as expected. By reducing false positives, security teams can spend more time on real and important incidents.
While most security platforms will pick up obvious outside hacking behaviour like DDoS or multiple random user login attempts, they won’t see more subtle things: a successful change to a firewall policy made at an uncharacteristic time of day; a legitimate user asking for password resets while their account is suspended on leave (common practice for people in financial roles); users being granted administrative access; an admin generating more user accounts or passwords than they normally do; or a switch or system being remotely switched off and on again multiple times, perhaps in an attempt to load a compromised boot file.
In short, threat intelligence solutions collect, store, and analyse everything. And, they increasingly apply machine learning to make connections within the data that simply wouldn’t be apparent to other systems, or even to highly skilled analysts as they often suffer information overload. Finding the proverbial needle in the haystack is the key.
The irony is that we’ve been insisting on capturing logs for decades, and who knows how many opportunities have been lost because we simply couldn’t act on the information in real-time or understand it in the wider context of how our organisations operate. As organisations have grown and more systems have joined the network, the logging load has increased exponentially.
This threat intelligence capability is being labelled next-generation SIEM technology in the market. It’s pretty obvious that it will become pervasive very quickly, as the market needs more context around the security log data that incidents generate.
Traditional SIEM is not going anywhere soon and clearly has a role to play but, increasingly, you will see the same information going to a next-generation SIEM with threat intelligence capability in the platform, which can also take some of its data feed from the traditional SIEMs.