Our Approach and Methodology
Through system and network base-lining, network and host-based monitoring,
and signature detection and creation, SecureState’s Threat Modeling and VIRT is
successful in identifying malicious activity and APT communication that suddenly
becomes active or hides within legitimate traffic. SecureState’s Threat Modeling
consists of three primary functionalities:
- Host-based agents for base-lining, monitoring, response and collection
- Network agents for base-lining, content inspection, and remote incident response
- Data collection agents
These functionalities provide the following added benefits in countering advanced threats within the environment:
- SecureState provides solutions for auditing critical system files and directories, logon events, account management, policy changes, and registry entries, to prevent and alert on modifications or anomalous activity. SecureState accomplishes three main goals: disable unneeded features or settings, enable security features that harden the system, and provide a consistent approach to system and device configuration. Lastly, SecureState’s methodologies are based on an authoritative body such as NIST, CIS, or SANS, or on the applicable entity’s hardening guide.
- SecureState audits and evaluates the organization’s capabilities to implement and maintain a Security Information and Event Management (SIEM) system. A SIEM has two main components: Security Information Management (SIM) and Security Event Management (SEM). A system that collects and stores security information is considered a SIM. A SIM does nothing more than store that information. A SEM correlates the information from multiple devices in order to determine if an attack is underway; however, it does not focus on storage of security logs. A SIEM system can greatly benefit an organization in its ability to respond to security events. The true value in having a SIEM, logging aside, is its ability to normalize events. Normalization is the process of analyzing events from multiple security sources and deriving a common value between them. A SIEM increases the operational efficiencies of the security team and allows the organization to analyze a greater number of events than it would without the SIEM. The capabilities of a SIEM can be broken down into six (6) areas:
- Data Aggregation: A SIEM solution collects data from many sources, including network, security, servers, databases, and applications, which helps to consolidate the monitored data. Data aggregation helps to avoid missing crucial security events.
- Correlation: This technology performs a variety of correlation techniques to integrate different sources, in order to turn data into useful information.
- Alerting: The capability exists to automate the analysis of correlated events and the production of alerts, which notifies recipients of immediate issues.
- Dashboards: Dashboards take event data and turn it into informational charts to assist in pattern identification and base-lining.
- Compliance: A SIEM can be employed to automate the gathering of compliance data. Once this information has been gathered, reports can be produced that adapt to existing governance and auditing processes.
- Retention: SIEM/SIM solutions employ storage of historical data to facilitate correlation of data over time.
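The normalization and correlation steps described above, shown end to end on two differently formatted log sources. This is an added example, not SecureState's tooling or any SIEM product's code: the log lines, the common schema's field names, and the "five failures from one address in ten minutes" rule are all constructed for the illustration (Windows event 4625 is the real failed-logon event ID).

```python
"""Normalization and correlation as a SIEM does it: parse logon failures from
two differently formatted sources into one common schema, then correlate them
by source address into an alert.  Added example for this page; the log lines,
schema field names and the "5 failures in 10 minutes" rule are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: (source, raw line).  Windows event 4625 is a failed logon.
SAMPLE_LOGS = [
    ("windows", "2024-01-15T09:00:05 EventID=4625 TargetUserName=alice IpAddress=10.0.0.7 Status=0xC000006D"),
    ("sshd", "Jan 15 09:01:10 bastion sshd[4012]: Failed password for alice from 10.0.0.7 port 51022 ssh2"),
    ("windows", "2024-01-15T09:02:30 EventID=4625 TargetUserName=bob IpAddress=10.0.0.7 Status=0xC000006D"),
    ("sshd", "Jan 15 09:03:15 bastion sshd[4020]: Failed password for invalid user admin from 10.0.0.7 port 51030 ssh2"),
    ("windows", "2024-01-15T09:04:00 EventID=4625 TargetUserName=alice IpAddress=10.0.0.7 Status=0xC000006D"),
    ("sshd", "Jan 15 09:05:45 bastion sshd[4031]: Failed password for root from 10.0.0.7 port 51044 ssh2"),
    ("windows", "2024-01-15T09:06:00 EventID=4624 TargetUserName=carol IpAddress=10.0.0.9"),  # successful logon, ignored
    ("sshd", "Jan 15 09:07:00 bastion sshd[4040]: Failed password for carol from 10.0.0.9 port 51050 ssh2"),
]

WIN_FAIL = re.compile(r"(?P<ts>\S+) EventID=4625 TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)")
SSH_FAIL = re.compile(r"(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for "
                      r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def normalize(source, line, year=2024):
    """Map one raw line to the common schema; return None if it is not a logon failure."""
    if source == "windows":
        m = WIN_FAIL.search(line)
        if not m:
            return None
        ts = datetime.fromisoformat(m["ts"])
    elif source == "sshd":
        m = SSH_FAIL.search(line)
        if not m:
            return None
        # syslog lines carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    else:
        return None
    return {"ts": ts, "source": source, "action": "logon_failure",
            "user": m["user"], "src_ip": m["src"]}


def correlate(events, threshold=5, window=timedelta(minutes=10)):
    """Raise one alert per src_ip that produces >= threshold failures, from any
    mix of sources, inside a sliding time window."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src_ip"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i in range(len(evs)):
            j = i
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append({"src_ip": src, "count": j - i,
                               "sources": sorted({e["source"] for e in evs[i:j]}),
                               "first": evs[i]["ts"], "last": evs[j - 1]["ts"]})
                break  # one alert per source address is enough
    return alerts


def run_pipeline(logs):
    """Normalize every line, drop lines that are not logon failures, then correlate."""
    events = [e for e in (normalize(s, l) for s, l in logs) if e is not None]
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = run_pipeline(SAMPLE_LOGS)
    print(f"{len(events)} normalized events, {len(alerts)} alert(s)")
    for a in alerts:
        print(a)
```

The point the SIM/SEM distinction makes is visible here: storing the raw lines alone would not reveal that the Windows and SSH failures come from the same address; only after both are reduced to the same `src_ip` field can the correlation rule count six failures where each source on its own saw three.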
SecureState provides base-lining for egress traffic with a behavioral inspection device to provide a benchmark of "normal" traffic issued by systems and devices within the network. Base-lining these devices will provide detection systems or administrators with the ability to identify and alert on traffic that does not conform to the baseline, potentially identifying unauthorized use, malware outbreaks, or communications with an attacker-controlled system. Additionally, base-lining will provide the organization with the ability to monitor data between servers, supporting applications, and databases, as well as to receive alerts. Any connection attempt that is not authorized or that exceeds a normal threshold should immediately be alerted on and logged; this is a strong course of action for identifying anomalous or malicious traffic.
SecureState concludes that most organizations’ main line of defense for anomalous activity on the local system appears to be at the host level with antivirus software. Additionally, organizations do not properly identify all systems that do not need to initiate outbound connection attempts, nor do they monitor, block, and log attempted outbound connections. SecureState helps ensure that strong content inspection and anomaly detection can exist on perimeter devices to protect and ensure proper traffic control and adherence to protocol standards. SecureState will also review company policy on what abilities users and servers should have; unrestricted access to all IP destinations is probably not needed, and servers generally do not need Internet access. Production servers and internal users should be limited in their ability to initiate outbound sessions or contact outbound services. Systems and servers holding sensitive information should have enhanced controls that only allow those machines to talk to required systems.
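The egress base-lining and the "servers do not initiate outbound sessions" policy from the two preceding paragraphs, as one worked check. This is an added example and not SecureState's inspection device or any product's logic: the host names, addresses, connection records, and the factor of 2x over the learned hourly peak are all constructed; a real deployment would learn from flow or proxy logs over days rather than from a handful of records.

```python
"""Egress base-lining and policy check: learn which outbound connections each
host normally makes (and how often per hour), then evaluate later connections
against that baseline and against a "no outbound" rule for servers.
Added example for this page; all records, host names, IPs and the 2x slack
factor are constructed, not taken from any SecureState tooling."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed learning-period records: (timestamp, source host, destination IP, destination port)
LEARNING = [
    (datetime(2024, 1, 15, 10, 5), "ws-01", "203.0.113.10", 443),
    (datetime(2024, 1, 15, 10, 20), "ws-01", "203.0.113.10", 443),
    (datetime(2024, 1, 15, 10, 50), "ws-01", "203.0.113.10", 443),
    (datetime(2024, 1, 15, 11, 10), "ws-01", "203.0.113.10", 443),
    (datetime(2024, 1, 15, 11, 30), "ws-01", "203.0.113.10", 443),
    (datetime(2024, 1, 15, 10, 15), "ws-01", "192.0.2.20", 25),
    (datetime(2024, 1, 15, 10, 40), "ws-02", "203.0.113.10", 443),
]

# Constructed records from a later window, to be judged against the baseline
NEW = (
    [(datetime(2024, 1, 16, 14, m), "ws-01", "203.0.113.10", 443) for m in range(0, 40, 5)]
    + [
        (datetime(2024, 1, 16, 14, 2), "ws-02", "203.0.113.10", 443),
        (datetime(2024, 1, 16, 14, 12), "ws-01", "198.51.100.5", 8443),  # never seen in learning
        (datetime(2024, 1, 16, 14, 20), "db-01", "203.0.113.10", 443),   # a server that must not egress
        (datetime(2024, 1, 16, 14, 40), "ws-02", "203.0.113.10", 443),
    ]
)


def hour_of(ts):
    """Truncate a timestamp to the hour it falls in (the rate-counting bucket)."""
    return ts.replace(minute=0, second=0, microsecond=0)


def build_baseline(records):
    """Return {(src, dst, port): peak connections per hour} over the learning period.
    Every key is a tuple that was observed at least once; anything else is unknown."""
    hourly = Counter()
    for ts, src, dst, port in records:
        hourly[((src, dst, port), hour_of(ts))] += 1
    peak = defaultdict(int)
    for (key, _hour), n in hourly.items():
        peak[key] = max(peak[key], n)
    return dict(peak)


def evaluate(records, baseline, no_egress_hosts=(), slack=2.0):
    """Return one alert per violation: a host that must not initiate outbound
    sessions, a destination/port never seen during learning, or a tuple whose
    hourly count exceeds slack * its baseline peak (reported once per hour)."""
    alerts = []
    hourly = Counter()
    for ts, src, dst, port in records:
        key = (src, dst, port)
        bucket = (key, hour_of(ts))
        hourly[bucket] += 1
        if src in no_egress_hosts:
            alerts.append({"type": "forbidden_egress", "ts": ts, "tuple": key})
        elif key not in baseline:
            alerts.append({"type": "unknown_destination", "ts": ts, "tuple": key})
        elif hourly[bucket] == int(baseline[key] * slack) + 1:
            # fire exactly once, on the connection that first crosses the threshold
            alerts.append({"type": "rate_exceeded", "ts": ts, "tuple": key,
                           "threshold": int(baseline[key] * slack)})
    return alerts


if __name__ == "__main__":
    base = build_baseline(LEARNING)
    for a in evaluate(NEW, base, no_egress_hosts=("db-01",)):
        print(a["type"], a["ts"].isoformat(), a["tuple"])
```

Keying the baseline on the full (source, destination, port) tuple rather than on the destination alone is what lets the same public address be normal for one workstation and a policy violation for a database server; the `no_egress_hosts` list is the simplest form of the "servers generally do not need Internet access" rule and is checked before the baseline so that a server's outbound attempt is never excused by having been seen before.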
SecureState finds that most organizations do not enable proper auditing, or enable it only in a limited fashion. Proper auditing should be implemented for logon events, process creation, software installations, account management, policy changes, and file or registry key access or modification. SecureState will provide a roadmap and remediation plan to help enable these auditing capabilities and securely store the logs offline. These settings will help to track, identify and correlate attacks and anomalous behavior.
SecureState will implement best-practice segmentation based upon impact and data classification. Network segmentation is an effective way to separate and secure sensitive information and infrastructure, and it also provides a layer of security by restricting user access to resources and data. Proper segmentation affords the assurance that, should an organization’s network be compromised, only the non-segmented portion would be vulnerable. SecureState reviews whether the network is properly segmented, to ensure that access to one area of the network does not necessarily give a resource or user access to, or the ability to explore, the entire network. Network segmentation also allows critical information to be limited to only those individuals or applications that have a valid and trusted requirement for access. This review provides the ability to reduce the scope of high value data and the controls that need to be implemented, and could help to reduce the total cost of compliance and security. Developing high value data zones and implementing segmentation and mapping of controls will thereby:
- Lower costs by reducing the scope and burden of high value data, present and future
- More effectively protect the business by utilizing best practices and policy
- Achieve compliance and best-practice requirements
- Improve the ability of network staff to prevent, detect, and respond to future threats