Security Intelligence - Logging and Event Correlation
If you don’t think your systems are compromised, you’re not looking hard enough. Persistent Threats are becoming more mainstream as threat actors are changing tactics from the quick exploitation of an organization’s data assets to a calculated, methodical approach of long term entrenchment. In the past there was a heavy reliance on malware. Now, more threat actors are becoming more organized and switching to exploiting valid credentials. This trend underscores the urgency of a comprehensive Persistent Threat Management (PTM) program.
Security Intelligence is a process of collecting real time data and analysis from all data sources. Ideally, this provides a comprehensive understanding and actionable intelligence, reducing security risks. Differentiating itself from standard rule and signature based detection appliances, security intelligence analyzes behaviors by looking for abnormal patterns across the entire infrastructure. This blog will focus on the importance of logs and event management as opposed to Incident Response, Network Behavior Detection and Forensics, each of which are important components of security intelligence and PTM.
Log and Event Management
A critical component of PTM is differentiating, from the vast volume of log data, what is potentially anomalous versus temporary changes in behavior. SecureState Incident Response investigations have found the current attack vector trend in 4thquarter 2013 is that 62% utilize social engineering as the initial entry point. Using this foothold, threat actors move through the infrastructure, compromising systems and gathering valid user credentials that obscure their subsequent movements. A surprising 38% of compromised systems didn’t use malware. This is where logging and event management plays an important role. Knowing normalized behavior permits security analysts to isolate anomalous behavior patterns for further investigation. The ability to correlate events to initial intrusion is paramount in locating persistent threats. Organizations must view and protect logs with the same urgency and commitment as other sensitive data. This is why many organizations are unaware they are compromised until the inevitable notification from an outside agency. Verizon’s Data Breach Investigation concluded that 84% of breach investigations found evidence in log data.
Creating actionable and accurate data starts with Pervasive Visibility, which is the ability to see everything occurring within the enterprise. Collecting such vast volumes of data from systems, users, and networks appears daunting, but the effort exerted is offset by its usefulness. The vast majority of breaches investigated relied on the evidence existing in logs from registries and file systems. When there is a failure to detect, it usually occurs because there was a lack of a centralized log management system and analytics to correlate events pinpointing anomalous activity. Advanced analytics applied to log data in real time identifies anomalies indicative of a breach and provide the pervasive visibility needed to detect and prevent intrusion. Normalizing data flow activity teases out suspicious actions to alert security analysts to what warrants further investigation. The ability to follow the event chain indicated in logs provides actionable intelligence to minimize liability should a compromise occur.
No matter what your current security state, it is advisable to validate any existing logging. Centralizing logs and securing against tampering ensures accuracy to any triggered event, providing an efficient incident response. Validate that events are alerting, reviewed, and stored for an adequate length of time for applicable user events, critical systems and devices.
Baseline existing systems and networks, developing a picture of normalized behaviors within the infrastructure. This facilitates the detection of potentially abnormal behavior, aiding security analysts and administrators on where to focus their efforts.
Implement an audit solution for logon events, process creations, installations, system registry changes, and account management. These logs support investigations and trigger alerts to intrusions, such as an increase in file access that deviates from the norm.
Develop and test an Incident Response Program. An organization should begin strategically with an organized approached based on corporate policy. The program should define sensitive data, where it resides, methodologies, key personnel, and response procedures. The primary goal of an Incident Response Program is to create a foundation describing preparation, identification, and the response and remediation of security incidents.
Persistent Threat Management is more than a single device or process and is only as good as the people involved. Organizations should focus on developing strategies to build a mature, efficient, and responsive security process and change from a predominantly reactive plan to proactive anticipation. SecureState can provide experienced consultants to help any organization develop, test, and implement its entire security posture.