Posts

On Wednesday May 12, 2021, President Biden signed an executive order aimed at strengthening U.S. cybersecurity. The order was prompted by a series of sweeping cyberattacks on public companies, companies supplying the U.S. Federal Government, and Federal Government networks over the past year. This includes the 2020 SolarWinds attack and the most recent attack on the Colonial Pipeline by the hacker group DarkSide.

On the 28th of August, 2021, a memorandum implementing the Executive Order was issued, emphasizing the need for reliable log management.

Read the full memorandum >>

Maturity Model Memorandum M-21-31

This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency. In addition, this memorandum establishes requirements for agencies to increase the sharing of such information, as needed and appropriate, to accelerate incident response efforts and to enable more effective defense of Federal information and executive branch departments and agencies.


How Snare Can Help with Memorandum M-21-31

To meet existing and updated cybersecurity requirements laid out by the Executive Order and specifically Memorandum M-21-31, Snare provides the following:

  • Centralized Access via Snare Central – Snare Central, Snare’s centralized logging solution, was designed and developed to provide the type of centralized access called out in Memorandum M-21-31. The latest version of Snare Central features:
    • Snare Management Center (SMC) – A centralized management view of multiple Snare Central systems, eliminating the need to visit each system on-site.
    • Enhanced automated alerting to improve threat hunting speed
    • New log types to expand coverage and enhance investigation capabilities
    • Cloud-based log management and reports to support cloud or hybrid environments

Learn more about Snare Central >>

Zero Trust Initiative

Snare can be used in several ways to help detect malicious activity. As part of the Zero Trust initiative, adequate detection is key to ensuring controls are functioning correctly. If there is nothing to analyse, there is no way to validate that technical controls are working, and no information to support remediation or incident response when a problem occurs. Section 3(e) states that within 90 days all agencies should implement a logging solution to:

    • Collect logs from as many sources as possible – all servers, desktops, network devices, everything that can send a syslog. All devices should have some form of logging or monitoring in place.
    • Use FIM, FAM, RIM and RAM to track and monitor all key files and system configuration. Know who changed files, when they changed, and which tools were used.
    • Use Database Activity Monitoring (DAM) to track key activity on SQL databases. Know if admin accounts are being abused and validate that key data has not been tampered with.
    • Retain evidence showing whether the attack vector was email, USB, a web link download or a software update; this is essential to understanding how the attackers got in.

The Snare software suite provides an easy-to-use solution that is fast to deploy using our lightweight agents and the Snare Central Server centralized logging platform. Most sites are up and running in as little as an hour, and immediately capable of collecting and reporting on activity. With around 400 out-of-the-box, customizable reports, dynamic query for advanced searching and drill-down on data, active dashboards, key statistics on system logs, real-time alerting and threshold reporting, Snare Central provides a comprehensive logging, detection, and analysis tool for any cyber team.

Customers are not penalized with additional charges for collecting more data. Customers can collect as much data as they like and keep it for as long as they need, managing the storage needs of the system to suit the business. Data is often needed for several years for long-term incidents where the bad actors have been in a network for an extended time, keeping a low profile to avoid detection.

As per section 7(c) and (d), the Snare CLM suite complements EDR solutions with enhanced logging and detection, providing the forensic data needed for threat hunting.

As per section 8(b), Snare Central uses cryptographic hash functions to validate that the collected logs, together with the other forensic metadata carried in events, have not been tampered with.
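One way a hash-based integrity check of this kind can work, shown here as an added illustration and not as Snare’s own scheme or code: each record carries a keyed tag chained to the previous record’s tag, so editing, deleting or reordering any record breaks every tag that follows it. The key, the event layout and the sample events are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed sample events for the demonstration; not real Snare output.
SAMPLE_EVENTS = [
    {"ts": "2021-09-01T10:00:00Z", "host": "srv01", "msg": "session opened for user alice"},
    {"ts": "2021-09-01T10:01:12Z", "host": "srv01", "msg": "alice : COMMAND=/bin/cat /etc/shadow"},
    {"ts": "2021-09-01T10:02:30Z", "host": "srv01", "msg": "session closed for user alice"},
]
GENESIS = b"\x00" * 32  # chain value used before the first record


def canonical(event):
    """Serialise an event deterministically so the same event always hashes the same."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def seal_log(events, key):
    """Attach a chained tag to each event: tag_i = HMAC(key, tag_(i-1) || event_i).

    Every tag depends on all earlier records, so modifying, deleting or reordering
    a record invalidates its own tag and every tag after it.
    """
    sealed, prev = [], GENESIS
    for ev in events:
        tag = hmac.new(key, prev + canonical(ev), hashlib.sha256).digest()
        sealed.append({"event": dict(ev), "tag": tag.hex()})
        prev = tag
    return sealed


def verify_log(sealed, key, final_tag=None):
    """Recompute the chain over a sealed log.

    Returns the index of the first record whose tag does not match, or None if
    the chain is intact. Deleting records from the *end* of the log leaves the
    remaining chain valid, so the verifier should also be given the last tag
    recorded out-of-band (final_tag); a mismatch there is reported as len(sealed).
    """
    prev = GENESIS
    for i, rec in enumerate(sealed):
        expected = hmac.new(key, prev + canonical(rec["event"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), rec["tag"]):
            return i
        prev = expected
    if final_tag is not None and not hmac.compare_digest(prev.hex(), final_tag):
        return len(sealed)
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice a key the log source itself cannot read back
    log = seal_log(SAMPLE_EVENTS, key)
    log[1]["event"]["msg"] = "alice : COMMAND=/bin/ls"  # tamper with one record
    print("first bad record:", verify_log(log, key))  # prints 1
```

The key must be held by the collector, not the monitored host, or an intruder on that host could simply re-seal the edited log.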


“I tend to use Snare when customers have a lot of endpoints, 1,000 or more, though particularly over 10K Windows endpoints, and they know they want to monitor each and every one of them. I know Snare will report in every time, all the time, even in large-scale environments. Snare is well documented and easy to install. Snare also does encryption from the agent to the QRadar host, which is very important for most organizations, though in particular federal customers.”

Peter “S14” Szczepankiewicz, IBM

Learn More About How Snare Can Help You Improve Your Log Management Maturity as Defined in Memorandum M-21-31

U.S. Presidential Executive Order on Cybersecurity

On Wednesday May 12, 2021, President Biden signed an executive order aimed at strengthening U.S. cybersecurity. The order was prompted by a series of sweeping cyberattacks on public companies, companies supplying the U.S. Federal Government, and Federal Government networks over the past year. This includes the 2020 SolarWinds attack and the most recent attack on the Colonial Pipeline by the hacker group DarkSide.

Both attacks are examples of criminal groups and state actors exploiting U.S. cyber vulnerabilities. To help protect the U.S. Government, agencies, and both public and private companies from future attacks, the May Presidential Executive Order calls for the Federal Government and private sector to partner to confront “persistent and increasingly sophisticated malicious cyber campaigns” that threaten U.S. security.

To learn more about Memorandum M-21-31 and the Maturity Model for Log Management, read our updated article >>

How Snare Can Help

To meet existing and updated cybersecurity requirements laid out by the Executive Order, and to improve your organization’s cyber posture, a Snare solution can help organizations in many ways.

  • Central log collection, analysis and reporting – by collecting all the important logs from all critical assets in the business, Snare provides the capability to do forensic analysis of what criminal groups and other APTs are doing in the network. Without the needed logs, you’re flying blind, with no clear knowledge of an incident that has happened or is in progress now.
    • Government agencies and businesses need to know:
      • Who performed the actions. Was it a normal user, an admin, or credentials that had been breached? How much lateral movement was involved?
      • What data or systems were affected, how many were there, and which networks were affected? What commands were run on each system, and with what parameters? Were other tools loaded to help the attacker? Was data exfiltrated out of the environment? Have they established a beachhead in the network?
      • When the activities occurred, covering the exact times and dates. Was it small amounts of activity over time or a focused effort over a short period?
      • Where the specific actions took place.

Having Snare Central or Snare Agents in place can help security teams gather the forensic data required to answer who, what, when, where, why, and how – and ‘how bad is it’.


Learn More About Snare Central & Snare Agents

Snare is the go-to centralized logging solution that pairs well with any SIEM or Security Analytics platform. Snare helps companies around the world improve their log collection, management and analysis with dependable tools that save time, save money & reduce risk.

Cyber security risks: What do you tell the board?

Cyber security is a risk that needs to be managed like every other risk. So how does the executive team inform the board on the risks and how they are being managed? What actions does the board need to take to be responsible for cyber risk?

Your company board performs quite a few different functions, but often the starting point is governance. The board and its members are constantly asking the question, “Are we doing all the things that we need to be doing to protect the business and the shareholders?” Their focus is on ensuring the RETURN of shareholder capital before the RETURNS on shareholder capital. Of course, this oversight is multifaceted, and often one of the areas of least expertise at board level is cyber security.

Under the Australian Corporations Act one of the board’s primary responsibilities is to act “in good faith in the best interests of the corporation (Section 181.1)” – ensuring the ongoing sustainability of the business.

As a result, the starting point for quite a few IT and cyber security questions from the board is compliance: “What compliance mandates am I required to address and how do I address them in the most efficient way?” We all know that ‘compliant with regulation’ does not necessarily mean secure, any more than meeting a building code means quality construction techniques have been employed.

So what do you do to mitigate cyber security risks and protect shareholders?

Compliance, Regulatory Risk & Business Impact

Risks can be quantified in the following ways:

  • Fines for non-compliance
  • Inability to trade while non-compliant
  • Reputation and brand damage due to breaches
  • Actual physical inability to access systems due to ransomware, etc – meaning business comes to a halt
  • Payment of ransoms to regain access to encrypted systems (hopefully!)
  • Cost of restoring systems and databases that have been destroyed by malware
  • Loss of IP and trade secrets through corporate espionage or the actions of nation state backed cyber criminals

Compliance is not security – but it’s at least a good starting place for boards who do not yet fully understand the broad scope of cyber risks. Most compliance regulations mandate a number of technical security controls that are foundational to your cyber security posture. Even if you don’t really understand the controls, this is a sensible start in ensuring that at least basic controls are active, being monitored, and reported on to ensure visibility and accountability.

Data Security

To add complexity, many compliance mandates (like GDPR) mean that you need to understand what data you are storing, where you are storing it, what’s important and who has access to it, in an ongoing and real-time manner. When the board has to ask “Who did it?”, the executive will need IT to have access to forensic log data that proves who had access to the data, what they took or changed, and how they gained access.

Malicious Attacks

How do we mitigate or defend from an attack that our perimeter security can’t detect or stop? How do we know if our important files have been deleted, edited or changed? How do we know if user accounts accessed data they should not have had access to or their access privileges were increased without approvals?

Monitoring of systems and system events is critical in detecting “zero day” attacks for which perimeter defenses (like anti-virus or firewalls) do not yet have a solution. We have seen many companies turn to a security expert like an MSSP to help detect threats after an initial breach has hurt the business. As a board you must ensure that your service provider can complement your internal compliance and security teams.

Breach Notification & Financial Penalties

To make things even more complex, there are also a number of legislative requirements that mandate formal disclosure of data breaches. This means that you actually need to be monitoring the databases and the access to important data – all the while ensuring that only approved staff inside your business can see the underlying data while they are monitoring the systems.

There are many studies (like the Ponemon study, for example) that quantify data breach costs, but on top of this there are often fines that apply directly for not maintaining compliance or for failing to notify of a breach. In Australia the fines for failure to notify are significant – up to $420,000 for individuals and up to $2.1M for corporations. These penalties apply to businesses with a turnover as low as $3M – that’s right down to SMB.

Bottom line – it’s not just big business that needs to have a plan!

Some organizations like the US Department of Health & Human Services even maintain a “Wall of Shame” for breach reports. Fines of up to $1.5M can apply for data breaches.

What happened? Is it bad? What do we do next?

And so we come to the question that the executive leaders will be asked by the board. What happened? Is it bad? What do we do next?

It’s at this point that a good executive will have all of the forensic data on hand to be able to inform the board (and any regulators) what data has been accessed, how and when it happened, and which accounts accessed the data.

This is critical in remediating the vulnerability and ensuring that any holes are plugged, and that additional controls are put in place.

Many vendor solutions will claim to be a panacea for all your cyber and compliance ills, but realistically you will need to evaluate potential solutions carefully. In our experience, one area of huge value is the ease with which a monitoring solution can be set up, installed and managed without hiring additional, expensive cyber system administrators. Ideally, you need a simple installation, a security policy that can be applied easily across multiple devices (sometimes tens of thousands of devices) and networks, automated reporting, and alerting that helps eliminate “false positives”.

(Ask us how Snare can help with this)

Visibility and Accountability

In the end, the board needs to hold itself accountable for understanding the risks and ensuring they are managed.

This means a variety of actions:

  • Gain understanding of cyber risks and mitigating strategies
  • Understand your compliance requirements and monitor compliance over time – not just at a point in time like a security or compliance audit
  • Understand the security controls and monitoring that are in place and ensure regular reporting back to the board on potential issues and threats
  • Ensure end-to-end accountability for cyber risk both at the executive level and across the organization
  • Ensure communications plans are in place to manage the multiple stakeholders in an emergency, including staff, customers, partners, shareholders, regulators and any other stakeholders.

Ultimately, the security risk must be balanced with the commercial risk and cost as no-one has unlimited funds to throw at these problems. Finding an efficient and affordable approach is also important.

Snare can help: we provide substantial monitoring and reporting not only for many compliance regulations, but also intelligent reporting and alerting to help detect potential compromise of systems.

Resources

Australian Data Breach regulations – https://www.oaic.gov.au/privacy/notifiable-data-breaches/

IBM/Ponemon Cost of Data Breach study – https://www.ibm.com/au-en/security/data-breach

AU Govt statement on Cyber Attacks – https://www.pm.gov.au/media/statement-malicious-cyber-activity-against-australian-networks

DHHS HIPAA Breach report (wall of shame) – https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf