The Great Correlate Debate
SIEMs have been pitched in the past as “correlation engines” and their special algorithms can take in volumes of logs and filter everything down to just the good stuff. In its most basic form, correlation is a mathematical, statistical, or logical relationship between a set of different events. Correlation is incredibly important, and is a very powerful method for confirming details of a security incident. Correlation helps shake out circumstantial evidence, which is completely fair to use in the incident response game. Noticing one alarm from one host can certainly be compelling evidence, but in many cases it’s not sufficient. Let’s say my web proxy logs indicate a host on the network was a possible victim of a drive-by download attack. The SIEM could notify the analysts team that this issue occurred, but what do we really know at this point? That some host may have downloaded a complete file from a bad host – that’s it. We don’t know if it has been unpacked, executed, etc. and have no idea if the threat is still relevant. If the antivirus deleted or otherwise quarantined the file, do we still have anything to worry about? If the proxy blocked the file from downloading, what does that mean for this incident?
This is the problem that correlation can solve. If after the malware file downloaded we see port scanning behavior, large outbound netflow to unusual servers, repeated connections to PHP scripts hosted in sketchy places, or other suspicious activity from the same host, we can create an incident for the host based on our additional details. The order is important as well. Since most attacks follow the same pattern (bait, redirect, exploit, additional malware delivery, check-in), we tie these steps together with security alarms and timestamps. If we see the events happening in the proper order we can be assured an incident has occurred.
Read More »
Tags: CSIRT, csirt-playbook, incident response, infosec, logging, logs, NCSAM, ncsam-2013, playbook, security, SIEM
Does BYOD really mean that my device will become the company’s device? Do I control my private data or does my employer? How can I make sure I maintain a work-life balance when my personal device is also my work device? Will my company support any device I choose?
Some of these questions might seem familiar as more business employees consider adding their own device to their company’s network. These questions also represent an important part of a comprehensive mobile strategy: User buy-in.
Recently, I read an interesting CIO article by Adam Bender that highlighted the importance of getting employees on board when implementing a BYOD policy. The article discusses that according to Frost & Sullivan analyst, Audrey William, many employees are worried that they won’t be able to control data on their device once they begin using it for work. In addition, William states that employees are also concerned about the lines blurring between work and play when both personas are merged onto one single device.
Although the concept of BYOD is not new, these concerns have important consequences in our networked world. So, what’s the answer?
An honest, safe, and secure MDM solution and effective policy communication. Read More »
Tags: bring your own device, byod, Cisco, enterprise mobility, ISE, mobile, mobile device, mobility, network, security, unified access, wi-fi, wifi, wireless, wireless network
As we pass the halfway point of National Cyber Security Awareness Month (NCSAM), I wanted to call attention to some of our colleagues over on the Cisco Government Blog. Patrick Finn and Peter Romness have been busy this month espousing the need for security and we thought it would be beneficial to expose our readers to their thoughts on security that have been published on the Cisco Government Blog space. Read More »
Tags: government, NCSAM, ncsam-2013, security
Many organizations make the error of thinking that basic defensive software is sufficient to protect critical data and infrastructure. When in reality, in order for government and enterprise organizations to keep their data protected from increasingly advanced cyber threats, comprehensive defensive security approaches are critical. And even with advanced, comprehensive solutions, there are still risks.
No organization is ever going to be able to protect 100 percent of its assets 100 percent of the time, which is why I work on the 95/5 principle. No matter how many security solutions are deployed, if attackers are determined enough, they will find a hole. Humans make mistakes and without fail, attackers will take advantage of them.
With comprehensive security approaches, we can regularly block at least 95 percent of threats—but there is always going to be a margin of error—the other 5 percent. A proactive, continuous approach can help ensure the vast majority of offensive moves are rejected.
Read More »
Tags: critical infrastructure, cybersecurity, ncsam-2013, security
DNS is like the town gossip of the network infrastructure. Computers and apps ask DNS questions and you can ask DNS who has been asking to resolve malware domains. When internal trusted systems are using DNS to resolve the names of known malware sites, this can be an Indicator of Compromise and a warning to clean the potentially infected systems and block traffic to the domain.
Blacklisting the known malware domains using local RPZs, firewalls, Cisco IronPort Web Security Appliance (WSA), or Cloud Web Security (CWS) is a great way to add an extra level of security in organizations. But what if you are just getting started in the process of cleaning systems and just need some situational awareness? Or, how can you manually check to see if these devices are working as expected? How can you determine independently of security devices, and at any point in time, that client systems are not reaching out to malicious domains? You can use dig but this post focuses on a Python example. Let’s first take a look at some DNS mechanics.
Read More »
Tags: dns, malware, ncsam-2013, network, security