SIEM is only as good as the data it consumes

Transcription

1 SIEM is only as good as the data it consumes Key Themes The traditional Kill Chain model needs to be updated due to the new cyber landscape A new Kill Chain for detection of The Insider Threat needs to be proposed This Kill Chain is made up of technical and non-technical detection measures The SIEM engine can be augmented by the addition of Endpoint Threat Detection feeds By using the combination of traditional log data and an endpoint threat feed from ZoneFox, it s possible to gain visibility across the entire organisation and interrupt the insider Kill Chain at any point Introduction: Cyber Security evolves as it reacts to the ever-changing threat landscape. This whitepaper discusses the value of correlating security events from a range of data sources and focusses on disrupting a Kill Chain and specifically on the importance of endpoint visibility in quickly detecting malicious activities and therefore reducing the impact and cost of a data breach. The Cyber Kill Chain Lockheed Martin coined the term Cyber Kill Chain to describe the most common sequence of events observed in the majority of cyber-attacks on organisations. They defined the stages in the Kill Chain as: Weaponisation Delivery Exploitation Installation Command and Control Actions on Objectives The classic Kill Chain is typically representative of an external attacker attempting to gain entry to an organisation through a perimeter. The cyber security landscape has evolved since the model was proposed and recently analysts have observed that organisations have begun to focus on the

2 detection of breaches - from both internal and external sources in addition to the existing focus on prevention of breaches from an external attacker. This shift reflects the growing belief amongst cyber security experts that it is impossible to thwart all attacks and your security stance should assume that you will be breached at some point and that you need the tools and resources to identify, investigate and remedy this inevitable breach as quickly as possible. Over the past few years ZoneFox has worked with partners and customers to help them identify the Kill Chain that best represents the insider threat. As a result we have come to recognise that we need to define an additional Kill Chain that doesn t just focus on external attackers as there s risk from insiders whether they are your employees, contractors or partners. These are the people that have access to your systems and data and yet they are often partly overlooked when considering where data loss may occur. Based on our experience, a new proposed Kill Chain would look like this: Recruitment or Data Acquisition Exfiltration of Data Recruitment or There are many reasons for someone inside your organisation to decide to maliciously steal information from your organisation. Existing employees can reach a tipping point where they have been coerced or tempted by an external party to steal for financial gain, or have a grudge against the

3 organisation. The Insider Threat can also manifest in the form of contractors and service providers, or business partners. Once an insider is within your organisation, or they have reached the their initial aim will be to search for valuable data on their own system or to find systems which could them access to valuable data. Exploitation When the insider has identified systems that contain valuable data, they must gain access to the data. This may involve using their existing credentials and systems, or gaining access to new software, credentials and methods of accessing your valuable data. Acquisition Once valuable data has been identified and accessed, an insider will aim to collect extracts of this data in a central location or series of locations prior to removing the data. Exfiltration The data has been identified, accessed, prepared for removal and the final stage in the data theft is to exfiltrate the acquired data. All stages of this Kill Chain are difficult to identify due to the fact that internal employees are typically granted access to critical data, and are given permission to install applications which may be used to identify and acquire data for exfiltration. Combine that with the rise in shadow IT, and you have a number of real blind spots within your organisation. Interrupting the Kill Chain by Correlating Security Events In order to reduce the impact and cost of a data breach, it is important to disrupt the Kill Chain and to disrupt the chain of events as early as possible. Possibly the most effective way of disrupting the Kill Chain is by correlating events from a variety of sources using a SIEM (Security Information and Event Management) application. The following section compares the ease with which the Kill Chain can be interrupted through the use of a SIEM using only traditional, network-based data feeds and server or firewall logs with a SIEM which combines these traditional network feeds along with a feed from an endpoint threat detection

4 solution that provides continuous monitoring of user behaviour covering all machines in an organisation. A SIEM can alert security operators to suspicious behaviours by correlating separate, apparently innocuous, unrelated activities from a variety of data feeds. Data from a firewall or IDS (Intrusion Detection System) may indicate that someone has failed on a couple of occasions to log into a machine using an administrator account which may not be overly suspicious in isolation but when combined with the information that same admin account started creating network connections to numerous internal or external machines, the combination of these events could indicate more insidious behaviour. The power of a SIEM lies in the fact that it can collect, analyse and correlate events from a variety of sources. Traditionally these data feeds have been collected from network monitoring equipment and possibly logs of summary, high-level information from servers or other key hardware. We know that the value of a SIEM is increased significantly when it has access to a feed of threat-detection data from not only servers but all endpoints within an organisation. With such an endpoint data feed, you would gain the following benefits: Knowledge of all user activity including all file and data access Visibility of new and changed processes on all endpoints Detection of threats when connected any network not just a corporate network The value of endpoint visibility is clear but existing tools have struggled to capture data in real-time and feed it to a SIEM without causing significant performance issues on the endpoint. Windows Auditing does allow you to record events on servers but, if you enable auditing of all file and directory access which would be required to pick up on Insider Threat behaviour, system performance will be affected, and you will rapidly fill the Windows security log. Collected data must also be sent in realtime to a SIEM server without overloading the network or SIEM server. Endpoint monitoring and threat detection tools give you the capability to record all user, application, file and machine activity without impacting system performance and they make this data available to a SIEM in near-real-time.

5 To what extent does this data feed increase the efficacy of your SIEM? The table below contrasts the ability of a SIEM to disrupt the Kill Chain when only taking data feeds from network-based monitors with a SIEM that combines the network-based data with true endpoint visibility. Stage SIEM with Traditional Controls SIEM with Endpoint Visibility Non-technical X X HR Processes and Training Search / Possibly Yes X Data Acquisition Possibly Yes X Exfiltration Possibly Yes X Let s investigate each of these phases and the technical and process measures that can be used to disrupt the Kill Chain both with and without visibility of endpoint activity.

6 Disrupting the phase It is possible to disrupt the Kill Chain at the first stage through effective recruitment including thorough screening of personnel, and ensuring that employees are motivated and adequately rewarded. Simple measures including staff satisfaction surveys will give you data on whether there is widespread dissatisfaction or where potential pockets of concern are. Combining this data with effective processes help ensure that you don t employ people with malicious intent and that you are aware of existing employees who have the potential to become a threat. Linking HR with your security team will help to identify leavers, and allow them to increase monitoring during their final weeks in their role. Also, training managers to identify signs of personal distress or any other stressful incidents in the life of an employee can help to introduce measures to aid the person before an incident occurs. Disrupting the phase

7 reconnaissance can often be mistaken for innocent behaviour and for this reason it is often difficult to find the valuable information amongst the large amount of data that can be collected by a network based event feed. Additionally, if a user restricts the majority of his or her malicious actions to a local machine - for example searching a local machine or installing new software on their machine to aid in the search for data - it is possible that these activities cannot be detected without direct visibility of endpoint activity. Disrupting the Exploitation phase Users attempting to acquire data will often first attempt to gain access to other machines on the network (lateral access) through the use of their own credentials or use 3 rd party tools to compromise other accounts. Where a user tries to use an account to access numerous machines on the network, such activity could be detected by network sensors and correlated by a SIEM. However, if a user uses software on a single machine to crack cached security credentials and then uses a compromised account to perform a single, successful login to a single remote machine, it is unlikely that this will appear on the radar of any network system. If you have a security feed from the endpoint, you will see the installation of cracking software and what activities it performs. With this additional information, it is far more likely that a SIEM will correctly identify malicious behaviour.

8 However, more often than not, the employee can mere exploit the fact that incorrect access permission or controls have been configured. Disrupting the Acquisition phase Acquisition of data, especially an employee s work-related data is often very difficult to spot without endpoint visibility. To effectively protect against an insider stealing data, it is vital to model a user s normal behaviour and regularly compare this to observed actual behaviour using both network and endpoint monitoring. Using network monitoring alone leaves a large blind-spot of user activities, especially if the user is a mobile or remote work using a variety of private and public networks. Without visibility of activities at the endpoint, you are also blind as to whether a user has circumvented an existing endpoint control. It is during this phase that The Insider may have installed software in order to aid them in the data exfiltration process. For example, installing a network transfer client, or an archiving application to automatically retrieve desired files.

9 Disrupting the Exfiltration phase Disrupting the Kill Chain at the exfiltration phase is the last possible point at which you can prevent the loss of data. Exfiltration is often the point at which network-based controls spot malicious behaviour but by this point, a user has gained access to and collected sensitive data. A reliance on stopping all breaches this late in the chain is high-risk and an investigation into user activity at this stage can be costly without the correct form of continuous logging capabilities in place. Stopping a breach at this stage is not fool-proof as an insider using a network conduit to move the data outside the organisation may not be picked up by a web proxy or firewall. Detection is not guaranteed as the use of VPNs, encrypted web traffic or 3 rd party proxies may make it difficult to detect a data loss amongst all the other legitimate traffic passing through your perimeter controls. Combining your perimeter controls with information about activity on the endpoint can tell you what file has been uploaded via a browser or cloud backup software, whether software was used to create a VPN or to connect to a proxy, or what was copied to a removable device. It could also tell you that a user has been printing sensitive data. Conclusion Cyber security has evolved and there is now a wide acceptance that prevention is no longer sufficient to minimise loss from a data breach. Momentum has grown behind the combination of augmenting existing prevention mechanisms with detection. The realisation that insiders can be as significant a threat as external attackers has led to the development of a new Cyber Security Kill Chain. Combining technical measure with robust HR, IT and technology policies and procedures will help to disrupt early stages of the Kill Chain. Beyond this, a

10 SIEM can correlate Thereat Detection Feeds from but without an Endpoint feed, your SIEM has significant blind spots and this increases the risk of financial and other loss caused by a Cyber Attack. About ZoneFox ZoneFox is a highly innovative Endpoint Monitoring & Threat Detection solution that helps our customers protect their business-critical assets: data and intellectual property (IP) from malicious and accidental insider threats. ZoneFox has a proven track record of protecting reputation, sales revenue, and competitive advantage by providing next generation data monitoring, security analytics and endpoint security. Through its continuous monitoring capability, ZoneFox provides a unique perspective on user activity tracking. Our lightweight software agent, resident on each machine under surveillance, monitors user behaviour as a series of fine-grained events in real-time. This provides timely threat detection of data breaches, informing and facilitating a relevant response and enabling: Policy compliance monitoring Monitoring the effectiveness of security controls Protective monitoring of user risk Data and IP Protection