White Paper: Security Information and Event Management
Expand the Power of SIEM with Real-Time Windows Security Intelligence
www.stealthbits.com | 201-447-9300
Identify Threats. Secure Data. Reduce Risk.
Table of Contents
The Origin of SIEM
The Paramount Importance of SIEM
Unrealistic Expectations
Meeting the Challenges with SIEM
SIEM is Missing Critical Data
Timely Access to the Right Data
Getting the Data
Hierarchical Analytics
What is the Goal?
About StealthINTERCEPT
The Origin of SIEM

What we know today as SIEM (Security Information and Event Management) began in the mid-1990s and really started to take shape around 2000. SIEM is a merger of two technologies: SIM (Security Information Management) and SEM (Security Event Management). In 2005, Gartner coined the acronym SIEM, and the two have lived as one since. The goal of SIEM is to connect the dots between silos of event data in order to detect patterns. Through this mining of logs, security intelligence can surface that equips an organization with insight into threats as they unfold.

The Paramount Importance of SIEM

It is headline news. Cyber-attacks are carried out daily against every major organization, both private and public. With the magnitude and increasing complexity of threats, the old way of defending the fort does not cut it. Simply watching firewall and IPS output will not give you the insight you need, because the source of the threat has changed. Today's threats might originate from the outside, but they often manifest from the inside. Through spear phishing and other exploits, a user's computer becomes compromised. Once it is compromised, the attacker's software typically goes into a watch-and-learn mode: it searches for details of interest and develops a profile of its surroundings ("I am in a bank" or "I am in a defense contractor's network"). This is the first stage of many attacks and can take some time. During this phase, evidence of the breach is already present and potentially detectable, but most organizations miss it. The signs of the breach are spread thin and usually look like normal user behavior. SIEM is viewed by most security analysts as the means to pull back the curtain on the information overload and reveal the evidence hidden within. With SIEM's broad access to log information, a connect-the-dots technology should reveal patterns that tell the story and alert organizations to developing threats. This is the hope for SIEM, but we are not quite there yet.
Unrealistic Expectations

The industry as a whole has created an image of a technology that would transform security operations. Many buyers thought of SIEM as a "SOC (Security Operations Center) in a box": install and configure it, point the devices at it, and threats would magically pop out the other end. Often as a result of inadequate manpower, many customer SIEM installations fall short of these expectations. While SIEM has the ability to detect threats, it still requires smart people: people to configure it and people to analyze the data it produces. Many SIEM installations become little more than expensive log aggregators, and many organizations become disenchanted. They fulfill the critical role of meeting compliance goals to store and index logs, but that does not produce the security magic buyers are after. Vendors like Splunk have recently entered the SIEM market and gained traction with attractive dashboards and a polished UI, but customers report the exact same problems. There is a pattern: organizations settle on a SIEM technology and then, a year or two later, in frustration, they shop for a replacement. Sadly, this is swapping what they know for what they do not know, and the root problem remains.

Meeting the Challenges with SIEM

There is no question that if you move mountains of information into a central repository and put some brains into the analysis, you can identify unusual patterns; as noted, this requires manpower. SIEM vendors know this and are trying to close the gap by investing heavily in analytics technology. Predictive analytics is generally considered the future of SIEM. While SIEM vendors invest in bigger, smarter analytics, only part of the problem is being addressed. If the right data is not present, or is not present in a timely fashion, no amount of analytics will provide early warning. For threats that manifest themselves within the organization, SIEM has a high probability of being found asleep at the wheel. Where a hacker makes a point of entry through a compromised workstation and slowly expands internally, SIEM will remain silent.
Firewalls and IPS devices will not see this, because there is little to show until the hacker phones home, and even then only if the destination is already a known-bad server. As for the Windows security logs, they will report gobs of normal noise revealing nothing special.
SIEM is Missing Critical Data

Windows computing represents roughly 90% of the enterprise computing world. For SIEM to properly detect threats, it must have insight into Windows security operations; however, this insight is greatly compromised in SIEM products today. Every SIEM technology relies upon the Windows event logs for security data. The event logs hold a lot of data, but relying on them is highly problematic for several reasons:

It is all history - The Windows logs are history books. They contain records of events in the past, and they are forwarded and indexed after the fact. They are a great source for finding out bad things that already happened, but not so good for detecting things that are about to happen.

There is a lot of gibberish - In an effort to capture all activities, the OS and application events become so low-level that it is often difficult to understand the user action that generated the event. They are built with operations and diagnostics in mind. If the user action is not well understood, then intelligence is lost.

What do we do with these events? - The events are often missing critical details that SIEM needs for analysis and binding (joining an event to related events from other sources). Without these details an event can no longer be connected with other events on the network, and its value drops. Details such as:
  Perpetrator SID
  Perpetrator domain\username
  Affected object distinguished name (e.g. security group, user account, etc.)
  Source IP address
  Referring IP address
  Workstation / server DNS names

Too much noise - The vast majority of the log entries are noise: irrelevant to the business and irrelevant to threats. Processing and storing meaningless events is costly, wasteful and incurs a big performance overhead.

I thought I heard something? - Windows event ingestion causes excess SIEM load, often resulting in loss of UDP packets (syslog, for example) from other network devices that could be relaying critical information. Once event transmission is compromised, intelligence is too.

Know it all? - SIEM is a correlation and analytics engine, not the expert in each domain. When it processes Windows event logs, no analysis or correlation is done by an expert domain-level technology; thus, with respect to threat detection, event context and value are compromised.

Whoops, I dropped that - Logs grow quickly, become extremely large and sometimes roll over before the data can be extracted. This is particularly true on very busy domain controllers and on domain controllers in remote sites. Once the log rolls over, your history book is history.

The lack of native insight into internal security operations is one of the greatest challenges for SIEM technology and results in a failure to detect many types of common threats. This is not a failing of SIEM so much as a limitation of the Windows operating system: Windows simply does not provide the data in a form suited to a real-time threat detection system. So even if SIEM executes perfectly in collecting and assimilating all of the Microsoft logs, it will still be in the dark.

Timely Access to the Right Data

Without timely insight into the environment where 90% of your computing takes place, SIEM will never fulfill its promise of threat detection. Many third-party analytics products claim to provide additional analytics and intelligence by leveraging the data in your SIEM, but you cannot analyze what is not there. Further, if the data is there but it is historical data, you are working in the past instead of finding leading indicators of a threat that is just forming. SIEM needs an intelligent event feed: a feed of threats from each respective product or domain where the expertise lives.
Attempting to ingest generic events in the hope of finding threats is at a minimum inefficient and in reality unrealistic. If SIEM can obtain threat awareness from each of its respective feeds, then top-level analytics can be much more successful in connecting the dots.
Consider the following scenario. A workstation is compromised through a spear phishing attack. The attacker has installed malware on the system, and the first priority is obtaining the credentials of anyone who has logged onto that system by dumping the credentials (NTLM hashes) of accounts whose logon sessions are still held in memory on that host. Days earlier, an admin used RDP to log into the desktop to help the user with a routine IT issue. Now the attacker holds an administrative credential to use in a pass-the-hash attack and has obtained access to many network systems by leveraging it.

How would SIEM detect and alert on this scenario today? Audit logs on every system involved, from the point of capture to every point touched by the captured credential, must be cranked to the highest levels in order to see the activity. Hundreds of millions of events from all domain controllers and endpoints would be collected. Many hours (or days) later, analytics on the SIEM would attempt to analyze all login patterns. The only data available would be the data in the logs, which would not contain all the information relevant to this situation. But wait: these look like normal login patterns. The admin is supposed to log in and help the user with their workstation, right? No threat is detected.

A more favorable approach would be to have a single, concise event delivered directly to the SIEM that identifies the threat, such as:

  Threat: Horizontal account movement detected
  Account: domain1\administrator
  Account SID: S-1-5-21-1180699209-877415012-3182924384-500
  Source IP: 192.168.23.12
  Attack endpoints: 192.168.22.1, 192.168.44.98, 192.168.11.42, 192.138.87.3
  Attack started: 9/12/15 16:01:00 UTC
  Attack duration: 10m
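To make the scenario and the concise event above concrete, here is an added example, written for this page and not code from the paper or from StealthINTERCEPT: a small Python detector that takes constructed Windows 4624 (successful logon) records, the noisy per-host data a SIEM would normally ingest, and collapses them into the single bound "Horizontal account movement detected" event sketched above. The field names, the 3-host/15-minute threshold, the hosts, accounts and timestamps are all assumptions made for the example; one record deliberately lacks its SID to show why the binding fields have to be recovered rather than taken from a single log line.

```python
"""Added example: a domain-level 'horizontal account movement' detector over
constructed 4624 logon records. Not StealthINTERCEPT code; all names,
thresholds and sample data are assumptions made for this illustration."""
from datetime import datetime, timedelta
from itertools import groupby
import json

# Constructed sample records (not real logs), normalised from Windows 4624.
# logon_type 3 = network logon (what pass-the-hash SMB/RPC sessions produce),
# logon_type 10 = RemoteInteractive (RDP). Hosts and SIDs are made up.
SAMPLE_EVENTS = [
    # The legitimate RDP help session two days earlier: must not alert.
    {"time": "2015-09-10T09:12:00Z", "account": "domain1\\administrator", "logon_type": 10,
     "sid": "S-1-5-21-1180699209-877415012-3182924384-500", "source_ip": "10.20.5.7", "target": "wks-023"},
    # Ordinary user activity from the same workstation: one host only.
    {"time": "2015-09-12T15:55:00Z", "account": "domain1\\jdoe", "logon_type": 3,
     "sid": "S-1-5-21-1180699209-877415012-3182924384-1104", "source_ip": "192.168.23.12", "target": "192.168.22.1"},
    # A service account reaching two hosts an hour apart: below threshold, outside window.
    {"time": "2015-09-12T16:05:00Z", "account": "domain1\\svc-backup", "logon_type": 3,
     "sid": "S-1-5-21-1180699209-877415012-3182924384-1150", "source_ip": "10.20.8.40", "target": "192.168.22.1"},
    {"time": "2015-09-12T17:05:00Z", "account": "domain1\\svc-backup", "logon_type": 3,
     "sid": "S-1-5-21-1180699209-877415012-3182924384-1150", "source_ip": "10.20.8.40", "target": "192.168.44.98"},
    # The stolen administrator hash replayed from the compromised workstation.
    {"time": "2015-09-12T16:01:00Z", "account": "domain1\\administrator", "logon_type": 3,
     "sid": "S-1-5-21-1180699209-877415012-3182924384-500", "source_ip": "192.168.23.12", "target": "192.168.22.1"},
    {"time": "2015-09-12T16:04:30Z", "account": "domain1\\administrator", "logon_type": 3,
     "source_ip": "192.168.23.12", "target": "192.168.44.98"},  # SID missing on purpose
    {"time": "2015-09-12T16:07:00Z", "account": "domain1\\administrator", "logon_type": 3,
     "sid": "S-1-5-21-1180699209-877415012-3182924384-500", "source_ip": "192.168.23.12", "target": "192.168.11.42"},
    {"time": "2015-09-12T16:11:00Z", "account": "domain1\\administrator", "logon_type": 3,
     "sid": "S-1-5-21-1180699209-877415012-3182924384-500", "source_ip": "192.168.23.12", "target": "192.168.87.3"},
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def summarize_burst(burst, min_targets):
    """Turn one burst of logons by a single (account, source_ip) into the concise
    event, or return None when it touched fewer than min_targets distinct hosts."""
    endpoints = sorted({e["target"] for e in burst})
    if len(endpoints) < min_targets:
        return None
    # Bind the SID from any record in the burst that carries it, so a single
    # incomplete log line does not strip the field from the alert.
    sid = next((e["sid"] for e in burst if e.get("sid")), None)
    start, end = parse_ts(burst[0]["time"]), parse_ts(burst[-1]["time"])
    return {
        "threat": "Horizontal account movement detected",
        "account": burst[0]["account"],
        "account_sid": sid,
        "source_ip": burst[0]["source_ip"],
        "attack_endpoints": endpoints,
        "attack_started": start.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "attack_duration_minutes": int((end - start).total_seconds() // 60),
    }


def detect_horizontal_movement(events, window_minutes=15, min_targets=3):
    """Keep only network logons, group them by (account, source_ip), split each
    group into bursts whose consecutive logons are at most window_minutes apart,
    and report every burst that reached min_targets distinct hosts."""
    window = timedelta(minutes=window_minutes)
    network = sorted((e for e in events if e["logon_type"] == 3),
                     key=lambda e: (e["account"], e["source_ip"], parse_ts(e["time"])))
    alerts = []
    for _, group in groupby(network, key=lambda e: (e["account"], e["source_ip"])):
        burst = []
        for e in list(group) + [None]:  # trailing None flushes the last burst
            if e is not None and (not burst or
                                  parse_ts(e["time"]) - parse_ts(burst[-1]["time"]) <= window):
                burst.append(e)
                continue
            alert = summarize_burst(burst, min_targets)
            if alert:
                alerts.append(alert)
            burst = [e] if e is not None else []
    return alerts


if __name__ == "__main__":
    for alert in detect_horizontal_movement(SAMPLE_EVENTS):
        print(json.dumps(alert, indent=2))
```

Run stand-alone, the script prints one event: the administrator account reaching four hosts from 192.168.23.12 between 16:01 and 16:11 UTC, with the SID bound from the neighbouring records. The RDP help session is filtered out by logon type, the ordinary user never exceeds one host, and the service account's two logons fall outside the window. A real domain-level feed would derive the same event on the domain controller from live authentication traffic rather than from forwarded 4624 records, and the window and host-count thresholds are tuning knobs that must be set against the organization's normal administrative patterns.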
The above event contains the assessed threat and the details required to bind it to other sources. Now SIEM can perform analytics on the web traffic for the source IP and see that it is talking to an IP in Ukraine. Because this is all happening in real time, the source IP can be shut off at the switch, stopping further lateral movement while the compromised workstation is contained. Without this concise event feed, the probability of threat detection is greatly reduced, and detection is at best delayed until well after the event has occurred.

Getting the Data

Obtaining this data requires monitoring and intelligence in each respective domain. The monitoring application detects security operations and assesses risk from within its area of expertise. When a threat is detected, an event is raised to SIEM for analysis and correlation.

In most organizations, Active Directory is the hub of security enforcement. Nearly all people, applications and data are tied to Active Directory. Not only is access to applications and data governed through Active Directory groups, but virtually every authentication that takes place is performed by Active Directory domain controllers. That is not just the initial logon, but also the subsequent authentications against every device on the network. For threat detection, it is imperative that SIEM be provided with an intelligent real-time feed from Active Directory, not a historical record of noisy events from a log. To accomplish this, a process must exist on the domain controller that has insight into security operations. This process must be able to detect threats and raise awareness in real time.

Hierarchical Analytics

SIEM vendors are all pushing hard toward security intelligence with the goal of detecting the bad guys. The long-term goal is to predict the breach before it occurs. This is an ambitious goal that requires not just advanced analytics but hierarchical analytics. To catch the bad guy, SIEM vendors need to stack up the IQ points of all of their partners.
They need each of their feeds to be not just events, but value-added intelligence, where domain-level analytics occurs closest to the source, the place where the expertise exists. This will allow threats to be surfaced within each domain, allowing SIEM analytics to provide the big-picture risk assessments. Of these sources, given that it is the hub of all security, Active Directory is one of the most critical.

What is the Goal?

As we move forward with SIEM, we need to revisit the goals. Do we want SIEM to provide a summary of a breach? Shall it be what we use in post-mortem assessment and forensics? Or do we want it to fulfill a more active role in preventing a breach? Is it the fire alarm, or is it the report in the newspaper? SIEM vendors and the industry alike are leaning towards threat detection, early warning and breach avoidance. To achieve this goal, feeds need to be smarter and they need to be real-time. A single layer of analytics on SIEM will lack domain expertise and will thus fall short of achieving this objective. Each feeding agent needs to provide domain-level analytics and raise events of interest rather than a feed of noisy events. High-quality, real-time event feeds from critical security event sources like Active Directory will enable SIEM to achieve new levels of threat awareness.

About StealthINTERCEPT

StealthINTERCEPT (SI) is a security interception technology that inspects the security operations of Windows Active Directory domain controllers, providing unprecedented insight into authentication traffic and all Active Directory operations. With StealthINTERCEPT's security insight, organizations can detect malicious activities. StealthINTERCEPT's analytics engine further analyzes activity patterns to detect what would otherwise go unnoticed. This combination of real-time insight with analytics offers security organizations a new level of threat intelligence.
About STEALTHbits Technologies, Inc.

Identify Threats. Secure Data. Reduce Risk.

STEALTHbits is a leading provider of data security solutions, protecting your most critical assets against today's greatest threats. Founded in 2001, STEALTHbits has extensive experience and deep expertise in the management of Microsoft technologies like Active Directory and Exchange, and in governance solutions for unstructured data. With consistent growth, profitability, and a tenured management team that's been at it since the start, STEALTHbits has emerged as a favorite solution provider for the world's largest, most notable organizations, as well as a preferred partner to leaders in the industry.

Learn More
Attend a Demo - http://www.stealthbits.com/events
Browse the Resource Library - http://www.stealthbits.com/resources
Ask us a Question - http://www.stealthbits.com/company/contact-us
Request a Free Trial - http://www.stealthbits.com/free-trial
Visit the Official STEALTHbits Blog - http://www.stealthbits.com/blog

STEALTHbits Technologies, Inc.
200 Central Avenue, Hawthorne, NJ 07506
P: 1.201.447.9300  F: 1.201.447.1818
sales@stealthbits.com  support@stealthbits.com  www.stealthbits.com

© 2015 STEALTHbits Technologies, Inc. STEALTHbits is a registered trademark of STEALTHbits Technologies, Inc. All other product and company names are property of their respective owners. All rights reserved. WP-SIEM-0215