Combining Security Intelligence and the Critical Security Controls: A Review of LogRhythm s SIEM Platform

Transcription

1 Combining Security Intelligence and the Critical Security Controls: A Review of LogRhythm s SIEM Platform A SANS Product Review Written by Dave Shackleford May 2014 Sponsored by LogRhythm 2014 SANS Institute

2 Introduction The Critical Security Controls for Effective Cyber Defense (CSCs) represent an established and solid set of guidelines for the government, financial, education, manufacturing and health care sectors, according to a 2013 SANS survey on the CSCs. 1 In it, 73 percent of nearly 700 respondents were adopting or planning to adopt the CSCs, mainly for the purpose of better visibility into their enterprises and to reduce security events. Only 10 percent of respondents felt they had done a complete job of implementing the controls. Respondents indicated that several obstacles hinder their implementations: 73 % Survey respondents adopting or planning to adopt the CSCs SANS had the opportunity to review numerous features of LogRhythm s security information and event management (SIEM) platform with new security intelligence features built in for compliance. In our review, we focused on LogRhythm s ability to ease some of these pain points while meeting 10 of the most valuable CSCs. These include: It could be argued that LogRhythm s approach aligns with many of the other controls although less directly. However, due to length, we are focusing on the above controls and how LogRhythm can help security teams not only meet control requirements but also actually improve the state of monitoring and response. Overall, we found the LogRhythm 6.x software easy to use, with a broad range of rules together a more comprehensive monitoring and alerting strategy that, in turn, can be used to develop baselines of events and behavior across the IT infrastructure. 1 The Critical Security Controls: the SANS 2013 Critical Security Controls Survey: 1

3 Inventory and Assess For good reason, the first of the Critical Security Controls focuses entirely on maintaining CSC 4. Some of the things to consider for this control include inventory management systems, Figure 1. Creating an Unauthorized Hosts AI Rule Description 2

4 Inventory and Assess (CONTINUED) The tool easily caught new systems we spun up to test this feature. Figure 2 depicts a and triggering a log event. Detecting a new host rapidly is important in detecting malicious behavior and quarantining affected systems to contain damage. Figure 2. Rogue Host Event The ability to detect new devices in the environment is useful for discovering rogue detecting malicious behavior and quarantining affected systems to contain damage. as users and groups set up their own infrastructure with convenience as a priority, rather than security. 3

5 Inventory and Assess (CONTINUED) vulnerabilities are associated with them. Security teams need to continually scan for as possible. They need to do this day in and day out because new vulnerabilities appear regularly. LogRhythm helps to meet CSC 4 in two ways. First, it correlates logs and events indicating what software has been installed on systems and when with vulnerability detection by scanning tools. This is useful when determining whether specific installations and software are responsible for new vulnerabilities that appear in the environment. Second, it is also useful for monitoring new vulnerabilities over time to determine if and when they are patched or remediated. We reviewed a number of vulnerability-focused events and dashboards in the LogRhythm interface, including vulnerability logs and events as both highlights from the As a part of the vulnerability management life cycle, security teams should also track vulnerabilities once they re found, and scan results should be compared to previous reports to determine what vulnerabilities have been successfully remediated. Security teams should also conduct vulnerability scans using system and application credentials that allow for deeper probes and assessment of the systems being tested. Analysts can validate the results of these tests with local system logs, which can also indicate when software was installed on the systems that may expose them to attacks. Finally, incident responders can correlate vulnerability scan results with attack attempts and other related security events to ascertain whether a targeted system is truly vulnerable. 4

6 Inventory and Assess (CONTINUED) Examples of events we noted and investigated included Windows and Linux events all of which would naturally lead to deeper investigation or remediation actions. See Figure 3. Figure 3. Top Vulnerabilities Dashboard 5

7 Defending Systems Assessment and patching of systems are strong preventive measures. However, protective measures, including malware defenses and application security, are also operate undetected. Malware has been a challenge for security and operations teams for many years. In the that generate alerts when they detect malware. limit the use of removable media and carefully filter attachments coming into domains. malware samples for analysis and reverse engineering. infections. and infected hosts, as well as the event sources themselves. In our review test bed, we saw events coming from numerous Windows systems with antimalware agents installed, 6

8 Defending Systems (CONTINUED) We reviewed numerous worm and bot detection events within this dashboard and watched the time range of malware events detected. The logging of events from host that we reviewed. An example of this dashboard is shown in Figure 4. Figure 4. Top Malware Defenses Dashboard provide actionable intelligence into the type of malware and its impact on previously applications and code, code review and testing, database security and training for developers in secure coding techniques. 7

9 Defending Systems (CONTINUED) Figure 5. Creating an AI Rule for Alerting on User Agent Strings To coincide with this type of alerting rule, lists of strings and attributes can be compiled, and LogRhythm has a number of these available out of the box. Figure 6 shows some and easy to edit. Figure 6. Application Security Lists 8

10 Defending Systems (CONTINUED) example of simple text-based pattern matching strings, which you can add to or edit as needed. Figure 7. Malicious User Agent Strings List 9

11 Defending Systems (CONTINUED) and implemented, following industry best practices such as those from the Center for Internet Security. 2 authentication when possible, and device management functions should be isolated were able to correlate changes with data from change control systems to determine whether a change is approved, and alerts can be generated when unplanned changes occur. We even examined the LogRhythm SmartResponse engine and witnessed it shutting trigger if configuration changes are made on them

12 Defending Systems (CONTINUED) Figure 8. Network Device Log for Configuration Events We also reviewed a number of charts within the main LogRhythm console for themselves and their configurations, as shown in Figure 9. Figure 9. Network Device Configuration and Behavior Monitoring 11

13 Defending Systems (CONTINUED) summary table from one of these reports is shown in Figure 10. Figure 10. Detailed Network Device Configuration Change Report them with approved change requests removed the threat of rogue changes by 12

14 Keeping a Clean Environment Many of the remaining Critical Controls that LogRhythm supports are around good hygiene, including limitation of ports and services, controlled use of administrative privilege, properly executed boundary defense, maintenance of audit logs and monitoring of account use. A DVICE: Run critical services on dedicated systems within restricted network subnets, and use VLANs and private IP addresses to isolate and restrict access to services from the Internet. IT groups can also implement so-called application firewalls to limit access to critical services and protect them from attack. control. LogRhythm helps meet the requirements of this control in two ways. First, it monitors port scanner results as well as logs and events from individual systems that indicate available and in use over time and then alerts on deviations from the baseline. As part scans, the output of which is shown in Figure 11. Figure 11. Logs of Port Scan Behavior scanned and timestamps of the data from log events. This type of report data is helpful in 13

15 Keeping a Clean Environment (CONTINUED) LogRhythm has a variety of built-in port scan detection rules and monitoring tools. One example of a rule we reviewed sets time thresholds on ports being scanned, Figure 12. Detection Rule for Stealthy Port Scanning 14

16 Keeping a Clean Environment (CONTINUED) LogRhythm also monitors hosts to determine what processes are running in a normal baseline mode and then alerts if changes are detected to that baseline. Figure 13 shows a rule we used to trigger if the list of processes running on a host is less than 80 percent similar to the process list from the previous day. Figure 13. Abnormal Process Activity Rule This rule may indicate that something significant has changed on the affected platform, warranting additional follow-up investigation, for example. 15

17 Keeping a Clean Environment (CONTINUED) LogRhythm also targets specific applications and services for monitoring, based on LogRhythm test environment and then used the LogRhythm console to review detailed log information related to a syslog event that had been triggered by the SSH rule, as shown in Figure 14. SSH is often used to hide malicious activities and sensitive information being sent out of the organization. Figure 14. SSH Event Log Although tuning the software to see the most interesting events related to services, information to be invaluable in developing behavioral baselines and detecting anomalies in the environment. 16

18 Keeping a Clean Environment (CONTINUED) privileges, CSC 12 focuses on the restriction of administrative privileges on systems and within applications. It also includes continuous monitoring of all administrative account and activities. A DVICE: Use strong passwords with complexity and aging policies in place for all administrative accounts. Log all administrator activity and logins (both successful and failed), and require multifactor authentication for administrator access, when possible. Require lowerprivilege accounts for all initial access and day-to-day activity by administrators, with greater privileges assumed only when needed. LogRhythm addresses this control by monitoring accounts defined on systems, as well as enables simplified monitoring and privileged accounts and detection of their activities, is installed by default. This module is merely one of a range of event detection options for privileged user activity, including rule-based monitoring. We reviewed several default LogRhythm rules that accomplish the goals of CSC 12. For example, we reviewed a rule that detects attempted privilege use on Linux platforms that would trigger any time someone not listed in the /etc/sudoers file attempted to run a privileged command. See Figure 15. Figure 15. Details of a Linux Privilege Use Rule 17

19 Keeping a Clean Environment (CONTINUED) A similar rule for Windows platforms is shown in Figure 16; if a nonprivileged user right- Figure 16. Details for a Windows Privilege Use Rule 18

20 Keeping a Clean Environment (CONTINUED) of privileged user activity and attempted activity. One example of this type of report is shown in Figure 17, in which we select a specified group of privileged users, grouped by login and then by common events. Figure 17. Privileged User Monitoring Report Monitoring system events related to privilege use and potential misuse helps prevent the build-up of shadow IT setups and other insider threats. It is also important for 19

21 Keeping a Clean Environment (CONTINUED) especially at the perimeter. LogRhythm supports CSC 13 in a number of ways, including the ability to: settings that may not meet enterprise standards for hardening and security profiles We observed all of this in our review, starting with the different types of threat intelligence sources and lists that LogRhythm can consume and integrate for monitoring, analysis and response rules and actions, as shown in Figure 18. By default, the list has a large number of prebuilt sources, but more can easily be added by simply editing the list. Figure 18. Third-Party Threat Intelligence Sources 20

22 Keeping a Clean Environment (CONTINUED) Figure 19. Zeus Malware Threat List Details By incorporating both internal and external intelligence sources and allowing analysts to more up-to-date monitoring and alerting. 21

23 Keeping a Clean Environment (CONTINUED) CSC 14 focuses on collection and analysis of logs, with specific control items covering of logging anomalies. This control also specifies using central log servers for all logs, The LogRhythm platform manages and monitors all types of log data and has an extensive range of log monitoring and alerting rules and dashboard reports available out of the box. We monitored and verified log sources and destinations to ensure logs were being collected properly and log data was processed and correlated with other information from the environment. Figure 20 is an example of a dashboard displaying LogRhythm s comprehensive log monitoring capabilities. Figure 20. Log Monitoring Dashboard This dashboard shows the major types of log events in the top three graphs (events by detailed lists of the alarms that were triggered related to the log data it gathered and SANS has strongly recommended leveraging log data for security monitoring for many data to build security intelligence. 22

24 Keeping a Clean Environment (CONTINUED) not properly set up, maintained and monitored. CSC 16 specifies that all accounts should have a purpose and a life cycle policy. A DVICE: Routinely monitor account use and conduct audits for dormant accounts and suspicious account activity. Log failed attempts to access accounts, store and transmit account credentials using adequate encryption and use account lockout features, where available. other related user activities on systems. It also correlates user activity to defined lists of accounts to ensure that they are legitimate and still active. Figure 21 shows a monitoring dashboard we used to review account login activity, top accounts with access changes, account life cycle activity (i.e., creation, modification and deletion of accounts) and audit events. Figure 21. Account Monitoring Dashboard 23

25 Keeping a Clean Environment (CONTINUED) within a five-minute timespan, shown in Figure 22. Figure 22. Repeat Login Detection Rule By monitoring account use and activity, LogRhythm helps detect or prevent illicit activity caused by compromised accounts or new accounts created for malicious purposes. 24

26 Conclusion Implementing the Critical Security Controls is not easy. However, the LogRhythm platform satisfies many of the CSCs, with emphasis on the 10 mentioned in this review. easy configuration rules for vulnerability and threat detection and reporting. It meets support for secure configuration, privilege user controls and more. Because this one tool meets so many of these controls, LogRhythm also helps meet the CSC goal of automating as many processes as possible to reduce human-induced tools such as LogRhythm go a long way to defining and augmenting a foundation of security controls overall. As the CSCs continue to improve, it is our hope that intelligent challenge IT security departments. 25

27 About the Author instructor and course author, and a GIAC technical director. He has consulted with hundreds Virtualization Security. Recently, Dave co- serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance. Sponsor SANS would like to thank this paper s sponsor: 26