CSIRT, I have a project for you. We have a big network and we’re definitely getting hacked constantly. Your group needs to develop and implement security monitoring to get our malware and hacking problem under control.
If you’ve been a security engineer for more than a few years, no doubt you’ve received a directive similar to this. If you’re anything like me, your mind probably races a mile a minute thinking of all of the cool detection techniques you’re going to develop and all of the awesome things you’re going to find.
I know, I’ll take the set of all hosts in our web proxy logs doing periodic POSTs and intersect that with…
You shouldn’t leap before you look into a project like this. Read More »
Tags: CSIRT, csirt-playbook, incident response, infosec, logging, logs, playbook, security, SIEM
Is it the end of October already? As has been true for centuries, there is a tradition for children to wear costumes and disguise themselves while going door to door with a simple question: “Trick or treat?” While I am not sure there is a coincidence, but having National Cyber Security Awareness Month (NCSAM) end on a day characterized by pranks, false identifications and the like seems appropriate. And what scary stories we had to tell!
Read More »
Tags: byod, cloud, cryptography, dns, ncsam-2013, patch, security
On October 22, 2013, Cisco TRAC Threat Researcher Martin Lee wrote about Distributed Denial of Service (DDoS) attacks that leverage the Domain Name System (DNS) application protocol. As Martin stated, the wide availability of DNS open resolvers combined with attackers’ ability to falsify the source of User Datagram Protocol (UDP) packets creates a persistent threat to network operators everywhere.
Read More »
Tags: DDoS, dns, security, TRAC
The Great Correlate Debate
SIEMs have been pitched in the past as “correlation engines” and their special algorithms can take in volumes of logs and filter everything down to just the good stuff. In its most basic form, correlation is a mathematical, statistical, or logical relationship between a set of different events. Correlation is incredibly important, and is a very powerful method for confirming details of a security incident. Correlation helps shake out circumstantial evidence, which is completely fair to use in the incident response game. Noticing one alarm from one host can certainly be compelling evidence, but in many cases it’s not sufficient. Let’s say my web proxy logs indicate a host on the network was a possible victim of a drive-by download attack. The SIEM could notify the analysts team that this issue occurred, but what do we really know at this point? That some host may have downloaded a complete file from a bad host – that’s it. We don’t know if it has been unpacked, executed, etc. and have no idea if the threat is still relevant. If the antivirus deleted or otherwise quarantined the file, do we still have anything to worry about? If the proxy blocked the file from downloading, what does that mean for this incident?
This is the problem that correlation can solve. If after the malware file downloaded we see port scanning behavior, large outbound netflow to unusual servers, repeated connections to PHP scripts hosted in sketchy places, or other suspicious activity from the same host, we can create an incident for the host based on our additional details. The order is important as well. Since most attacks follow the same pattern (bait, redirect, exploit, additional malware delivery, check-in), we tie these steps together with security alarms and timestamps. If we see the events happening in the proper order we can be assured an incident has occurred.
Read More »
Tags: CSIRT, csirt-playbook, incident response, infosec, logging, logs, NCSAM, ncsam-2013, playbook, security, SIEM
Does BYOD really mean that my device will become the company’s device? Do I control my private data or does my employer? How can I make sure I maintain a work-life balance when my personal device is also my work device? Will my company support any device I choose?
Some of these questions might seem familiar as more business employees consider adding their own device to their company’s network. These questions also represent an important part of a comprehensive mobile strategy: User buy-in.
Recently, I read an interesting CIO article by Adam Bender that highlighted the importance of getting employees on board when implementing a BYOD policy. The article discusses that according to Frost & Sullivan analyst, Audrey William, many employees are worried that they won’t be able to control data on their device once they begin using it for work. In addition, William states that employees are also concerned about the lines blurring between work and play when both personas are merged onto one single device.
Although the concept of BYOD is not new, these concerns have important consequences in our networked world. So, what’s the answer?
An honest, safe, and secure MDM solution and effective policy communication. Read More »
Tags: bring your own device, byod, Cisco, enterprise mobility, ISE, mobile, mobile device, mobility, network, security, unified access, wi-fi, wifi, wireless, wireless network