Customized Intelligence-Based Information Security
April 16, 2015
Information security is a fast moving train, but where is it headed?
The vast selection of technologies can be mind-boggling, and the skills required to make sense of their proper use are often dispersed among multiple technical groups or, at times, missing entirely from an organization's skills matrix. With this in mind, it is a wonder that intelligence modeling capabilities are not more prevalent within the security space.
The concept of SIEM (Security Information and Event Management) is now in full transition from simple log aggregation platforms to big data analytics. Organizations globally are taking advantage of advanced analytics capabilities within their SOCs (Security Operations Centers). This is driving demand for employees who have the technical security background combined with development experience.
At Herjavec Group we take a scenario-based approach and script it to filter billions of events into meaningful alerts that notify SOC personnel of anything that appears abnormal or threatening. This customization minimizes false positives and ensures that real alerts are not buried in "noise". The true value proposition lies in the tailored nature of these scenarios and in being able to focus on a small subset of high-value alerts. For each threat scenario there are ideal technologies that produce the useful logs. Having a clear theme for each technology type and applying the specific threat scenarios accordingly is a far superior practical strategy.
Every enterprise network is unique, so trending is key. SIEMs often come with a barrage of canned alerts that simply flood a SOC with false positives. One common example is the password-failure alert: many users configure their SIEM to fire when a user enters an incorrect password more than 3 times. As you can imagine, in a large enterprise environment this happens thousands of times an hour. To be effective, you need a specific scenario that you want to detect, such as a brute-force login attempt. A password brute-force attack requires an attacker to try hundreds to millions of passwords before one succeeds. If they can guess the password in a few tries, you have bigger problems than SIEM correlation. Trying thousands of passwords across a network protocol takes time: at an average of 3 passwords per second, that is 180 passwords per minute or 10,800 per hour. For this scenario, your logic needs to look at activity over a window of at least an hour, and the password-failure count that triggers an alert needs to be high.
To protect effectively against the scenario above, you need to trend how many password failures occur per user per hour over a period of at least a week. Many SIEMs are unable to process that much data over such a long period. This is where big data analytics technologies shine. By looking at trends over a month or more, it is easy to spot the spikes that signify a major misconfiguration or an attack, and it becomes clear what thresholds your alerts need. Analyzing threat trends ensures that IT resources are not wasted chasing false positives.
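The trending described above, as an added example that is not Herjavec Group's code: failures are bucketed per user per hour, a week of baseline data yields one threshold per user (mean plus four standard deviations, with a floor so that a quiet account still needs a high count), and the current hours are compared against that user's own threshold rather than a fixed "3 failures" rule. The log line format, the threshold formula and the sample data are all constructed assumptions.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Format of the constructed sample lines below; an assumption, not any vendor's format.
LINE_RE = re.compile(r"^(\S+) auth-failure user=(\S+) src=\S+$")

def hourly_failures(lines):
    """Count password failures per (user, hour), the bucket the post trends on."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # anything that is not a failure event is ignored
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            counts[(m.group(2), ts.replace(minute=0, second=0))] += 1
    return counts

def per_user_thresholds(baseline, window_hours, k=4.0, floor=50):
    """One threshold per user from a trended baseline (a week = 168 hours):
    mean + k * stdev of hourly counts, never below `floor` for quiet accounts."""
    series = defaultdict(list)
    for (user, _hour), n in baseline.items():
        series[user].append(n)
    thresholds = {}
    for user, v in series.items():
        v += [0] * (window_hours - len(v))  # hours with no failures count as 0
        thresholds[user] = max(floor, statistics.mean(v) + k * statistics.pstdev(v))
    return thresholds

def spikes(current, thresholds, default=50):
    """(user, hour, count) for each hour above that user's own threshold."""
    return sorted((u, h, n) for (u, h), n in current.items()
                  if n > thresholds.get(u, default))

# Constructed sample data, not real logs: hourly[i] failures in hour i after `start`.
def make_lines(user, start, hourly):
    return [f"{start + timedelta(hours=i, seconds=s):%Y-%m-%dT%H:%M:%S} "
            f"auth-failure user={user} src=10.0.0.{s % 250}"
            for i, n in enumerate(hourly) for s in range(n)]

WEEK, TODAY = datetime(2015, 4, 6), datetime(2015, 4, 13)
BASELINE = (make_lines("alice", WEEK, [h % 3 for h in range(168)])            # 0-2 per hour
            + make_lines("svc_backup", WEEK, [30 + 10 * (h % 5) for h in range(168)]))  # noisy retries
CURRENT = make_lines("alice", TODAY, [3, 250]) + make_lines("svc_backup", TODAY, [90, 400])

def detect(baseline_lines=BASELINE, current_lines=CURRENT):
    thresholds = per_user_thresholds(hourly_failures(baseline_lines), window_hours=168)
    return thresholds, spikes(hourly_failures(current_lines), thresholds)
```

With the constructed data, alice's 3 failures (which would trip a canned "3 failures" rule) and svc_backup's 90 (within its own noisy trend) are ignored, while alice's 250 and svc_backup's 400 are flagged.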
As malicious attacks increase in frequency and scope, it is no longer effective to notify customers of an attack manually; the process is simply too slow. The capability to model attack scenarios, combined with an automated threat response, is going to become a critical aspect of any cybersecurity infrastructure.
Customized intelligence-based cybersecurity must introduce analytics tools that can accept customized attack scripts or flows and influence the outcome by disabling these attack vectors as they begin to take place. The customized intelligence pre-defines what is considered "normal" for the particular corporate environment and what is not. When a pre-defined, customized alert is triggered, the "orchestrator" then has the ability to revoke access, terminate sessions, etc., as required, in a vendor-agnostic setting. Though many of these alerts can be pre-scripted, the true effectiveness of any security strategy will continue to be defined by human intelligence.