Stop-think-connect is not only for kids. Everyone, including nerds like me and network and security professionals, should pay more attention before connecting any device to the Internet. Routers (wireless and wired), industrial control systems, video surveillance cameras, fire alarm systems, traffic cameras, home and building automation systems, and many other devices are being connected to the Internet every single day, wide open. If you don’t believe me do a quick search on SHODAN.
The Great Correlate Debate
SIEMs have been pitched in the past as “correlation engines” and their special algorithms can take in volumes of logs and filter everything down to just the good stuff. In its most basic form, correlation is a mathematical, statistical, or logical relationship between a set of different events. Correlation is incredibly important, and is a very powerful method for confirming details of a security incident. Correlation helps shake out circumstantial evidence, which is completely fair to use in the incident response game. Noticing one alarm from one host can certainly be compelling evidence, but in many cases it’s not sufficient. Let’s say my web proxy logs indicate a host on the network was a possible victim of a drive-by download attack. The SIEM could notify the analysts team that this issue occurred, but what do we really know at this point? That some host may have downloaded a complete file from a bad host – that’s it. We don’t know if it has been unpacked, executed, etc. and have no idea if the threat is still relevant. If the antivirus deleted or otherwise quarantined the file, do we still have anything to worry about? If the proxy blocked the file from downloading, what does that mean for this incident?
This is the problem that correlation can solve. If after the malware file downloaded we see port scanning behavior, large outbound netflow to unusual servers, repeated connections to PHP scripts hosted in sketchy places, or other suspicious activity from the same host, we can create an incident for the host based on our additional details. The order is important as well. Since most attacks follow the same pattern (bait, redirect, exploit, additional malware delivery, check-in), we tie these steps together with security alarms and timestamps. If we see the events happening in the proper order we can be assured an incident has occurred.
Security information and event management systems (SIEM, or sometimes SEIM) are intended to be the glue between an organization’s various security tools. Security and other event log sources export their alarms to a remote collection system like a SIEM, or display them locally for direct access and processing. It’s up to the SIEM to collect, sort, process, prioritize, store, and report the alarms to the analyst. It’s this last piece that is the key to an effective SIEM deployment, and of course the most challenging part. In the intro to this blog series I mentioned how we intend to describe our development of a new incident response playbook. A big first step in modernizing our playbook was a technology overhaul, from an outdated and inflexible technology to a modern and highly efficient one. In this two-part post, I’ll describe the pros and cons of running a SIEM, and most importantly provide details on why we believe a log management system is the superior choice.
Deploying a SIEM is a project. You can’t just rack a new box of packet-eating hardware and expect it to work. It’s important to understand and develop all the proper deployment planning steps. Things like scope, business requirements, and engineering specifications are all factors in determining the success of the SIEM project. Event and alarm volume in terms of disk usage, and retention requirements must be understood. There’s also the issue of how to reliably retrieve remote logs from a diverse group of networked devices without compatibility issues. You must be able to answer questions like: Read More »
As we pass the halfway point of National Cyber Security Awareness Month (NCSAM), I wanted to call attention to some of our colleagues over on the Cisco Government Blog. Patrick Finn and Peter Romness have been busy this month espousing the need for security and we thought it would be beneficial to expose our readers to their thoughts on security that have been published on the Cisco Government Blog space. Read More »
As our team has prepared for Educause 2013 this week, we have been talking a lot about technology in higher education and how it’s impacting colleges, universities, students and staff. Of course, robot soccer was not the first thing that came to mind, but it’s a great example of how different technologies are changing education forever.
Bowdoin College, which you may remember from last year’s #1 Most Connected College, is one of my favorite case studies because it points out that people have to TRUST technology for it to really be effective. Trust is a big word, really – I know I’m not the only person who is a little gun shy when I think about updating my phone to a new software version. So, when a professor has a class full of students and says “let’s all stream this video right now”, it’s important that it actually works – or professors risk losing student attention, losing time and facing maximum frustration levels.