Part 1 of a series of white papers and blogs that illustrate how Snare helps you identify and resolve issues highlighted in the MITRE ATT&CK knowledge base.

U.S. Presidential Executive Order on Cybersecurity

On Wednesday, May 12, 2021, President Biden signed an executive order aimed at strengthening U.S. cybersecurity. The order was prompted by a series of sweeping cyberattacks over the past year on public companies, on companies supplying the U.S. Federal Government, and on Federal Government networks themselves. These include the 2020 SolarWinds supply-chain attack and the most recent attack on Colonial Pipeline by the DarkSide ransomware group.

Both attacks are examples of criminal groups and state actors exploiting U.S. cyber vulnerabilities. To help protect the U.S. Government, agencies, and both public and private companies from future attacks, the May Presidential Executive Order calls for the Federal Government and private sector to partner to confront “persistent and increasingly sophisticated malicious cyber campaigns” that threaten U.S. security.

To learn more about Memorandum M-21-31 and the Maturity Model for Log Management, read our updated article >>

How Snare Can Help

A Snare solution can help your organization in many ways to meet the existing and updated cybersecurity requirements laid out by the Executive Order, and to improve its overall cyber posture.

  • Central log collection, analysis and reporting – by collecting the important logs from every critical asset in the business, Snare gives you the ability to perform forensic analysis of what criminal groups and other APTs are doing in your network. Without those logs you are flying blind, with no clear picture of an incident that has already happened or is in progress right now.
    • Government agencies and businesses need to know:
      • Who performed the actions. Was it a normal user, an admin, or a set of breached credentials? How much lateral movement was involved?
      • What data or systems were affected, how many, and on which networks? What commands were run on each system, and with what parameters? Were other tools loaded to help the attacker? Was data exfiltrated from the environment? Has the attacker established a beachhead in the network?
      • When the activities occurred, down to the exact dates and times. Was it small amounts of activity spread over time, or a focused effort over a short period?
      • Where the specific actions took place.

Having Snare Central or Snare Agents in place can help security teams gather the forensic data required to answer who, what, when, where, why, and how – and ‘how bad is it’.

Zero Trust Initiative

Snare can be used in several ways to help detect malicious activity. As part of the Zero Trust initiative, adequate detection is key to ensuring that controls are functioning correctly: if there is nothing to perform analysis on, there is no way to validate that technical controls are working, and no information on which to base remediation or incident response when something goes wrong. Section 3(e) states that within 90 days all agencies should implement a logging solution to:

    • Collect logs from as many sources as possible – all servers, desktops, network devices, and anything else that can emit syslog. Every device should have some form of logging or monitoring in place.
    • Use File Integrity Monitoring (FIM), File Activity Monitoring (FAM), Registry Integrity Monitoring (RIM) and Registry Activity Monitoring (RAM) to track and monitor all key files and system configuration. Know who changed which files, when they changed, and what tools were used.
    • Use Database Activity Monitoring (DAM) to track key activity on SQL databases. Know whether admin accounts are being abused, and validate that key data has not been tampered with.
    • Keep the evidence that shows whether the attack came in via email, a USB device, a web link download or a software update; knowing how the attackers got in is essential.

The Snare software suite is an easy-to-use solution that is fast to deploy, using our lightweight agents and the Snare Central Server centralized logging platform. Most sites are up and running in as little as an hour, and immediately able to collect and report on activity. With around 400 out-of-the-box, customizable reports, dynamic queries for advanced searching and drill-down, active dashboards, key statistics on system logs, real-time alerting and threshold reporting, Snare Central provides a comprehensive logging, detection and analysis tool for any cyber team.

Customers are not penalized with additional charges for collecting more data. They can collect as much data as they like and keep it for as long as they need, managing the system's storage to suit the business. Data is often needed for several years in long-term incidents where the bad actors have been in a network for an extended time while keeping a low profile to avoid detection.

As per 7(c) and 7(d), the Snare CLM suite complements EDR solutions with enhanced logging and detection, providing the forensic data needed for threat hunting.

As per 8(b), Snare Central uses cryptographic hash functions to validate that the collected logs have not been tampered with, alongside the other forensic metadata carried in each event.
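To make concrete what hash-based log integrity validation provides, here is an added example written for this article; it is not Snare Central's implementation, and the key handling and record format are assumptions of the example. Each record's tag is an HMAC-SHA256 over the previous tag and the record's canonical JSON, so editing, deleting or reordering a record breaks every tag that follows it, and comparing the final tag with a copy held outside the log store catches truncation.

```python
"""Hash-chained log records with tamper detection.

Added illustration, not Snare's code. Assumptions: the collector holds a
secret key (KEY) and stores the final chain tag out-of-band; events are
constructed samples, not real Snare output.
"""
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # assumed starting tag for an empty chain


def canonical(record: dict) -> bytes:
    # Deterministic serialisation so the same event always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain(records, key: bytes):
    """Return a list of (record, tag_hex); each tag is bound to its predecessor."""
    out, prev = [], GENESIS
    for rec in records:
        tag = hmac.new(key, prev + canonical(rec), hashlib.sha256).digest()
        out.append((rec, tag.hex()))
        prev = tag
    return out


def verify(chained, key: bytes, expected_tail: str):
    """Return (ok, index) where index is the first bad record, or None if intact.

    Detects an edited record (its own tag fails), a dropped or reordered
    record (the next tag fails), and a truncated chain (tail mismatch, index
    equals the number of records seen).
    """
    prev = GENESIS
    for i, (rec, tag_hex) in enumerate(chained):
        expect = hmac.new(key, prev + canonical(rec), hashlib.sha256).digest()
        if not hmac.compare_digest(expect.hex(), tag_hex):
            return False, i
        prev = expect
    if not hmac.compare_digest(prev.hex(), expected_tail):
        return False, len(chained)
    return True, None


# Constructed sample events (not real Snare output).
SAMPLE_EVENTS = [
    {"ts": "2021-05-12T09:01:02Z", "host": "srv01", "user": "alice", "event": "logon", "id": 4624},
    {"ts": "2021-05-12T09:03:10Z", "host": "srv01", "user": "alice", "event": "process",
     "cmd": "net user backdoor /add"},
    {"ts": "2021-05-12T09:04:00Z", "host": "srv01", "user": "alice", "event": "logoff", "id": 4634},
]
KEY = b"collector-secret-key"  # assumed; in practice from the collector's key store


def demo():
    """Build a chain, then verify it intact, after an edit, and after a deletion."""
    chained = chain(SAMPLE_EVENTS, KEY)
    tail = chained[-1][1]
    intact = verify(chained, KEY, tail)

    # Attacker rewrites the incriminating command in place.
    tampered = [(dict(r), t) for r, t in chained]
    tampered[1][0]["cmd"] = "whoami"
    edited = verify(tampered, KEY, tail)

    # Attacker deletes the record instead; the following record's tag no longer fits.
    deleted = verify([chained[0], chained[2]], KEY, tail)
    return intact, edited, deleted


if __name__ == "__main__":
    print(demo())
```

The keyed construction matters: with an unkeyed hash chain, an attacker who can rewrite the whole store can simply recompute every hash, so either the key or the final tag must live somewhere the attacker cannot reach.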


“I tend to use Snare when customers have a lot of end points, 1,000 or more though particularly over 10K Windows end points and they know they want to monitor each and every one of them. I know Snare will report in every time, all the time, even in large scale environments. Snare is well documented and easy to install. Snare also does encryption from the agent to the QRadar host, which is very important for most organizations, though in particular federal customers.”

Peter “S14” Szczepankiewicz, IBM

Learn More About Snare Central & Snare Agents

Snare is the go-to centralized logging solution that pairs well with any SIEM or Security Analytics platform. Snare helps companies around the world improve their log collection, management and analysis with dependable tools that save time, save money & reduce risk.