One of the most intensive and time-consuming tasks any security engineer tackles is reassembling the pieces of an attack lifecycle. From endpoint analysis to the detection capabilities of the network devices, tracing an incident through your organization requires advanced technical skill and a solid methodology from the security analyst. It is not enough to understand the firewall; they have to understand every piece of the puzzle: attack tools, IPS signatures, the various network devices and packet-level behaviour.
One of the most valuable tools in any incident investigation is the SIEM (Security Information and Event Management) platform. A SIEM provides a holistic view of your information systems and can add workflow, compliance monitoring, artificial intelligence, endpoint monitoring and centralized logging. Its ability to correlate events, whether in real time or spread across a period of days, is probably its most appealing feature to the threat hunter. To better understand how a SIEM helps the security analyst and the organization, let's look at a sample attack. We'll walk through the individual events and the SIEM's ability to correlate them and present a layered view to the analyst.
Without a SIEM
Bobby, a security analyst at ACME Rotors, a Midwest manufacturing company, is busy munching on lunch while looking over the alerts from the firewall's IDS/IPS. He notices what looks like an Nmap scan within the past hour. Typically he sees these several times a day and is alerted based on various thresholds he has set. He makes a mental note of the event and moves on to the better part of his lunch, the Doritos. After all, he has a mountain of logs to go through before he is done for the day. The IPS is set to 'high alerting to exploits', so Bobby thinks he is covered. No need to get worked up over a simple Nmap scan, now is there?
Meanwhile Joey, our neighbourhood hacker, has just discovered that a web server in ACME Rotors' network fingerprints as Windows Server 2012 running IIS. IIS, as we all know, is like a little boat with a serious bunch of holes. To Joey this looks like a seriously fun time, so he jumps in with both feet and leads with MS15-034, the HTTP.sys remote code execution vulnerability (CVE-2015-1635) that affects IIS on unpatched Windows Server 2012. But here's the key: in order not to tip off the IPS sensor that Bobby has set to high alerting, Joey uses low and slow attack techniques designed to evade detection.
Rather than brute-forcing his way in, he first takes a low-value web server in the DMZ to gain a simple foothold. Why not go straight for the high-value target? Because that tips off the endpoint protection. It is better to play the long game: easy targets first, then expand from there. Within a day or so the internal SQL database is compromised. Yes, the one holding all of ACME's customer information. Within another day or two, that database is on a torrent site in China. Along the way he also knocked out three boxes and installed a rootkit on a printer for a later attack.
Back at ACME, Bobby has missed most of the attack (not because his lunch was that great) because he could not connect that simple Nmap scan with the MS15-034 exploitation that followed it. Low and slow attacks are nearly 75% effective when there is no correlation between events.
With a SIEM
ACME Rotors has just installed a SIEM platform from LogRhythm, one of the leading SIEM vendors and security intelligence platforms. The SIEM pulls the event logs from the Windows server running IIS (remember that server in the DMZ?) as well as from the primary firewall, in real time, and aggregates them so that no event is missed.
After the Nmap scan, the SIEM correlates the follow-on attack, spread across multiple servers and several days, back to the Windows IIS server and sends an alert to Bobby, our hungry security analyst, and his manager. Rather than combing through 100,000+ event logs hoping to spot the high-level events, find the attack's entry point and tie the possible threats to the IIS server and the SQL server together by hand, he opens a case and pulls the pieces LogRhythm has already assembled into a single pane of glass for forensic analysis.
At the same time, LogRhythm has already fired an immediate automated response: both the internal and external servers have been cut off from the originating public source IP, and from the internal address on ports where no valid service exists.
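To make the correlation concrete, here is an added example of the kind of rule a SIEM would apply to this story. It is illustrative code written for this page, not LogRhythm's product, rules or log formats. It assumes a simplified firewall log ("date time src dst dport action") and a simplified IIS W3C-style log ("date time s-ip method uri c-ip sc-status"), both constructed here with documentation IP ranges. It uses HTTP status 416 as the indicator of the MS15-034 probe: the widely used check sends a Range header of bytes=0-18446744073709551615, and an unpatched HTTP.sys answers 416 where a patched one answers 400. On its own a 416 is weak evidence (a badly behaved client can produce one), and on its own a port scan is background noise, which is exactly Bobby's problem; joining the two on the same client IP across a multi-day window is what turns them into an alert.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample data (not real ACME Rotors or LogRhythm logs) ---
# Assumed firewall format: "<date> <time> <src-ip> <dst-ip> <dst-port> <action>"
# 203.0.113.7 sweeps 20 ports on the DMZ web server in 20 seconds (the Nmap scan),
# 198.51.100.9 is an ordinary visitor.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445,
              993, 995, 1433, 3306, 3389, 5900, 8080, 8443]
FIREWALL_LOG = "\n".join(
    f"2017-05-01 12:05:{i:02d} 203.0.113.7 192.0.2.10 {port} DROP"
    for i, port in enumerate(SCAN_PORTS)
) + """
2017-05-01 12:06:10 198.51.100.9 192.0.2.10 443 ALLOW
2017-05-01 12:06:11 198.51.100.9 192.0.2.10 80 ALLOW
2017-05-03 09:40:02 203.0.113.7 192.0.2.10 80 ALLOW
"""

# Assumed IIS W3C-style fields: date time s-ip cs-method cs-uri-stem c-ip sc-status
# Two days after the scan the scanner gets 416s (the MS15-034 Range probe);
# the ordinary visitor also triggers one lone 416, which must NOT alert.
IIS_LOG = """
2017-05-02 15:12:44 192.0.2.10 GET /index.html 198.51.100.9 200
2017-05-03 09:40:03 192.0.2.10 GET / 203.0.113.7 416
2017-05-03 09:40:09 192.0.2.10 GET /iisstart.htm 203.0.113.7 416
2017-05-04 08:01:17 192.0.2.10 GET /index.html 198.51.100.9 416
"""


def _ts(date, time):
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")


def parse_firewall(text):
    """Parse the assumed firewall format into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        date, time, src, dst, dport, action = line.split()
        events.append({"ts": _ts(date, time), "src": src, "dst": dst,
                       "dport": int(dport), "action": action})
    return events


def parse_iis(text):
    """Parse the assumed IIS W3C-style format into dicts."""
    events = []
    for line in text.strip().splitlines():
        date, time, s_ip, method, uri, c_ip, status = line.split()
        events.append({"ts": _ts(date, time), "server": s_ip, "method": method,
                       "uri": uri, "client": c_ip, "status": int(status)})
    return events


def detect_scans(fw_events, min_ports=10, window=timedelta(minutes=1)):
    """Return {src_ip: first_seen} for sources that touched at least
    min_ports distinct ports on one host within `window` (a port scan)."""
    by_src = defaultdict(list)
    for e in fw_events:
        by_src[e["src"]].append(e)
    scans = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            ports = {e["dport"] for e in evs[i:]
                     if e["dst"] == start["dst"] and e["ts"] - start["ts"] <= window}
            if len(ports) >= min_ports:
                scans[src] = start["ts"]
                break
    return scans


def correlate(scans, iis_events, lookahead=timedelta(days=7)):
    """Pair each HTTP 416 on the IIS server with an earlier scan from the
    same client inside `lookahead`. A 416 from a non-scanning client is
    ignored; a scan with no follow-up is ignored. Only the pair alerts."""
    alerts = []
    for e in iis_events:
        if e["status"] != 416:
            continue
        first_seen = scans.get(e["client"])
        if first_seen is None or not (first_seen <= e["ts"] <= first_seen + lookahead):
            continue
        alerts.append({
            "client": e["client"],
            "scan_at": first_seen,
            "exploit_attempt_at": e["ts"],
            "target": e["server"],
            "uri": e["uri"],
            "rule": "port scan followed by HTTP 416 on IIS (possible MS15-034 probe)",
        })
    return alerts


def run():
    scans = detect_scans(parse_firewall(FIREWALL_LOG))
    return correlate(scans, parse_iis(IIS_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run as a script it prints two alerts, both for 203.0.113.7 and both dated two days after the scan; the 416 from 198.51.100.9 and the scan from 203.0.113.7 each stay silent on their own. A real deployment would key on more than the client IP (the same attacker can change source addresses, and the DMZ pivot in the story means the SQL server sees an internal address), so the next rule in the chain would join the DMZ web server's outbound connections to the SQL server's authentication log in the same way.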
Want a closer look? EDCi and LogRhythm are teaming up to provide you with a closer look at LogRhythm Security Intelligence Platform. Whether it’s simple log management for compliance or a deep dive into security analytics and forensics, LogRhythm is a proven SIEM platform. Come see us at our annual Timber Rattler’s Security Seminar on Tuesday May 16, 2017. Register here.