I am a big fan of Security Information Event Management (SIEM), I mean if you don’t know what is actually happening in your environment you certainly can’t claim to be secure.
Your SIEM solution will see new users created in Active Directory, it will see new software installed, it will see a login in to your network from a foreign IP address, but here is the problem. As the attacks from external sources become more sophisticated it become harder to understand what to look for within the audit logs. What does a breach look like? What do we need to search for or alert on within the auditing data?
If you are not a hacker or if you don’t have easy access to hacking tools, you will have little understanding of what traces will be left in the audit logs and therefore what to look for. Over the years I have been the technical sales guy for a log management company, and three SIEM companies. What I can tell you is that on numerous occasions I have “sold” a solution to a customer, only to return weeks or months after implementation to find the SIEM solution sitting in a corner, being pretty much ignored.
The reason is because the average security guy does not know what to look for within the SIEM tool. This has lead to a new trend in the market, everyone wants to outsource security, well, they probably want to hire internal experts, but as there is a huge shortage of good security people, they are expensive and hard to find, hence the trend towards outsourcing.
The big boys are getting in on the game, IBM offer a fully outsourced SOC, based on their Q1 SIEM tool. The security team over at HP also offer a fully outsourced SOC based around their Arcsight tool. Both being large outsource companies they have a tendency to meet the needs of the top end of the market. However there are some niche players filling the gaps.
The team over at CYSEC (short for Cyber Security) offer a managed service that covers a broad range of situations, such as you keep your SIEM and they train your team on what to look for, you keep your SIEM and they monitor your environment for breaches, alerting you to the problems or a fully managed service where they find the problems and help you clean them up. Speaking with Adam Jones, one of their senior technical guys, I queried him on what are the top five indicators of compromise you should be looking for in your audit logs.
The first he suggested was user accounts created. A hacker will want to make themselves persistence, one way to do that is to create a back door account, one they control. The second step of this process is to escalate privileges of this account by adding user to a privilege group, such as an administrators group. Experienced hackers will add themselves to a local administrators group rather than an Active Directory group, conjecturing that the local administrators group on your three thousand servers is less likely to be monitored than your primary domain active directory Administrator groups.
The third recommended monitoring rule is new software or service installation. Most hacking tools do actually leave a trace of their installation, it will generate an audit log in to your system event log in Windows or to the auditd in Linux. Something you can alert on easily enough.
The fourth suggestion is a bit more complicated, it requires that your SIEM tool has behavioral analysis capability. You want to monitor “who”normally logs in to each server and alert when an admin account that does not normally logon to that specific server successfully authenticates. Then logic being that most admins login to a range of typical servers. If your behavioral analytics can monitor “where” and “when” the admin normally logs in from, then even better. Remember, admins are the gateway to your network, so as a hacker is the account they want most.
The final suggestion from the team at cysec.com was to monitor out bound connections. If hackers manage to get in to your network and establish themselves they will want to get data out of your network or communicate with the external command and control. Obviously if you are blocking out going connections and limiting connections to known approved applications, email, web and VPN, then you will see “bad”applications attempting to communicate out, such as x-Windows, a common application used by remote access tools (RATS). The good news is that these blocked outbound connections will give you a list of “bad IP numbers” that you can use as a reference for other SIEM alerts and blocking rules on your firewalls.
The tip from the cysec.com team is to monitor multiple internal servers making outbound connections to the same external IP number within a short period of time. Most RATS will schedule a connection back to their command and control, normally multiple times a day, if you have one machine infected you most likely have multiple machines infected, they will all attempt to connect out to their command and control on a predefined schedule, this is behavior that can be motioned and alerted on.
No system is perfect, as I said at the beginning of this article, I am a fan of SIEM’s, but if you have no idea what to look for they don’t provide a lot of value. If you are lacking those skills maybe out sourcing is the answer, or at least get some training from the team over at CYSEC, IBM or HP.