HUNT DOWN APTs WITH BIG DATA ANALYTICS
Published 2016-11-11 at https://www.virtono.com/community/knowledgebase/hunt-down-apts-with-big-data-analytics/

ORGANIZATIONS THAT START to address information security in a meaningful way will reach a point in their maturity when they have a lot of machine data. The challenge many CISOs face is how to leverage that data quickly and correlate events dynamically across the enterprise to track down advanced persistent threats (APTs). The Sony Pictures Entertainment hacking incident in 2014 underscored the importance of security monitoring and rapid incident response to limit damage before disaster strikes. IT security managers cannot protect what they cannot see, and to "see" the associations or patterns that can reveal APTs, enterprises must have comprehensive logging in place across multiple layers of the network. The greater the visibility, the larger the volume of machine data, and the harder it is for cybersecurity incident response teams to "follow the thread" and correlate security events with threat intelligence in a meaningful way. The answers to many security questions about fraudulent activity, user behavior, communications, security risk and capacity consumption lie within these large data sets.

COMPREHENSIVE LOGGING

All of this logging can result in close to a million pings a day about potential security events at larger enterprises, and terabytes of log data a month. While comprehensive logging is needed, several factors have to be considered when you increase logging across the enterprise. Infrastructure that is already heavily utilized might experience performance issues with additional logging. The network team should be involved in the design of the logging infrastructure to make sure the aggregation of enterprise-wide logging does not affect performance when all log sources are pointed at a few destinations. It's important to involve key stakeholders in the design and to balance the need for logging against the function of the applications. To see across an enterprise, verbose logging should be enabled throughout, as follows:

■ Layer 2 switching and choke points on enterprise distribution switches.
■ NetFlow enabled and logged where possible.
■ Critical services to send access and system logs.
■ AD to log user behaviors.
■ All Internet-exposed devices to log access and system events.
■ Endpoint protection systems to log alerts.
■ All firewall devices to log inbound access (accepts) and outbound access (accepts and denies).
■ Other security devices to log alerts and access.

Why so much logging? Most advanced adversaries gain access to a victim's network via malware, drive-by links or Web shells. Once the initial attack "phones home" (malware initiates an outbound connection to command-and-control (C2) hosts to get around inbound firewall rules), rootkits are delivered, and the attackers quickly gain access to a user account and drive around the network as a fully credentialed user. It is difficult to lock down a Microsoft network in any meaningful way without destroying its functionality. A successful strategy to defeat this type of attack includes the following:

■ Detect the malware or drive-by links before users click on them. To do this, a cybersecurity incident response team has to be able to compare user behavior against threat intelligence. This requires full packet logging of all ingress and egress traffic at the enterprise's edge.
■ Detect malware or rootkit delivery to the endpoint. To do this, the cybersecurity team needs verbose logging on antimalware and endpoint protection systems.

The cybersecurity team needs to be able to analyze user behaviors and access across the entire enterprise. Security information and event management (SIEM) tools can alert you to unusual activity, such as account usage during off hours. This is only possible with comprehensive logging of Active Directory (AD) and host access events.

Most security programs begin with logs from the devices at the edge of the network, because those are usually easier to obtain. Firewalls, network intrusion detection systems and other network-based security products have robust and mature logging capabilities that most companies are already using. The level at which the logging is configured is paramount for visibility into APT traffic as it leaves or enters your environment. This means that if there is an active intrusion, traffic coming and going at the network edge has to be correlated with the suspicious internal traffic to see the entire communications channel: malicious actors infiltrating the network, driving a compromised account, and then moving laterally across the enterprise. It's critical to be able to see both successful and denied traffic at the network edge to get a profile of what is normal for your business.

NETWORK CONNECTIVITY AND COMMUNICATIONS

At the network edge, be sure that your logging doesn't have additional blind spots for traffic that can be used to bypass your security controls. Encrypted traffic, such as SSL/HTTPS, and services that are traditionally used for communication and data transfer, such as IRC and FTP/SFTP/SSH, should also be logged in detail. Logging of services available to the public Internet is also of great interest, as these systems are the gateways to and from your infrastructure. Any Web server should log not only the connections into the server, but also the actions and input within the applications, so you can understand whether they are being used as a bridge into your network. This logging should include not only internally developed Web applications and services but also vendor-provided appliances and the applications that reside on those systems. The logging needs to enable you to see what is behind all network communications to and from your environment.

Any security device or system software within your network should also create logs. These security systems usually include, but are not limited to, antivirus or other host intrusion detection software. You can review the host logs on the systems to gain an understanding of the network accounts and computer systems that are used within the scope of the threat. Host firewall logs can be critical to understanding how the threats are moving around within the network after an initial compromise. Similar to host-based firewall logs, NetFlow can help monitor the traffic within your network and identify areas that require further investigation. NetFlow can alert your team to data-transfer activity within your network that might not be authorized, or to sensitive information that is being staged for transmission outside of your network.

Network authentication logs from AD and other LDAP-based services used for central authentication of users and network systems enable you to trace access within your environment and begin to frame up which systems are involved with the threat.

CENTRALIZED SYSTEM

Many of the applications and systems in this list will have the capability to send logs off to a centralized system, either through syslog or another facility. Having a central log collection and analysis system is crucial, because trying to look in all of these systems, with multiple sources and locations, for the log information is tedious work. This log information will be written to system logs on the hosts, which systems administrators will want to constrain so the data doesn't consume usable system disk space. Security logs kept on systems will usually contain data for a few days at most, and in many situations only a few hours. This is not sufficient time to allow for analysis and review. Most intrusions are not detected for months after the initial compromise (which may have been the case with Sony). If log data is not collected and retained during those months, identifying the source system or the point of persistence becomes impossible, and the threat may remain within your network for a very long time.

BIG DATA PROBLEM

When the cybersecurity incident response team investigates an incident, they must be able to follow the thread of events through logged data, and that path is interwoven through the Microsoft domain, security devices, edge devices, switches and routers. During a security event, time is essential in stopping the unauthorized exfiltration of data from a network. The window from the point of discovery to when an active defense is put in place and the adversary is stopped is critical. To be successful in seeing, stopping and investigating a cyber event, an enterprise must have the ability to quickly query very large sets of machine data. The notion of a commercial off-the-shelf tool that has all the answers programmed into its graphical user interface is a fallacy. There is no fixed solution. Queries against large sets of machine data must be dynamic, and results must be presented quickly. For security analysts to be successful, they have to be able to manage big data. As the number of log sources grows, so does the volume of log data being collected, and this growth never follows a linear path: each system generates more and more data, and with each system another system comes into scope. If all systems and devices are sending logs to a centralized system, which is the ultimate goal, the volume of data quickly becomes unmanageable. With systems now producing more log data than ever before, and diverse data sources required to search out and locate a threat within the network, a new way to perform data analysis and identify correlated events is needed. The commercial SIEM companies are trying hard to play catch-up, positioning their products to support the large volumes of data produced and collected.