Our cyber security products span from our next gen SIEM used in the most secure government and critical infrastructure environments, to automated cyber risk reporting applications for commercial and government organisations of all sizes.
Security operations teams know that log management is important, yet with every operating system, network device and application writing its own set of activity-related events, how do Security Information and Event Management (SIEM) system administrators decide which security logs are important and which should be ignored. Let’s spend some time looking at today’s threat environment and from there determine a suitable answer.
Most security teams know that the modern threat environment is complex and even the least capable threat actors have sophisticated tools at their disposal and can hire professional hackers to work on their behalf. Phishing and spear phishing have come a long way since the early days of bad grammar and misspelling. Many of the highly disruptive Emotet attacks recorded over the past few months in Australia have been targeted and very believable, making them more effective than ever at delivering malicious payloads. Ransomware attacks are costing Australians millions every year as attackers blend malware delivery into phishing campaigns.
Petya cyber attack – warning message on a computer screen
Nation state attacks are also prevalent in the Australian digital economy, with attackers using their technical security and hacking skills to target state and federal governments and overrun critical infrastructure systems, which is concerning. Private sector organisations are at risk from nation states as much as government departments since industrial espionage and economic advantages are on the agendas of hostile nation state attackers. A recent example of this back in July 2020 shows how hostile nation states (allegedly Russia in this case) were using various cyber weapons, including spear-phishing and tailored malware to steal research from medical companies and research labs all around the world.
The Australian government calls on Russia to cease immediately any cyber activity, or support for such activity, which is inconsistent with their international commitments
Australian Signals Directorate, July 2020
IoT devices and autonomous vehicles are also coming under attack, as adversaries use the vendors’ haste to be a market leader to their advantage, knowing that many of these products come to market with bugs and security vulnerabilities since testing is often skipped.
Each of these modern threats can be stopped using a combination of controls, some of which are architectural, such as network segmentation and limiting user privileges, and others which are process-based or operational, such as vulnerability management and protective monitoring. The problem is, when you start to consider each control, it’s scope and implementation maturity often extend to a larger than expected footprint, since security itself is a complex problem to solve. For this reason, protective monitoring is becoming increasingly important, since auditing and security incident management are the backbone of detecting and responding to what now seems like the inevitability of an attack.
A security operations centre’s (SOC) primary purpose is to monitor the organisation’s systems and applications for signs of abuse and respond to cyber incidents. Modern SOC architectures rely on technology such as SIEM tools and service management platforms to detect indicators of compromise (IoCs) and coordinate a response across the stakeholders, ensuring the right procedures are taken to quarantine threats and recover from the attack.
SOC teams have struggled for years to determine which events to gather from log sources, since looking for IoCs is akin to searching for the proverbial needle in a haystack. Digital environments are known to produce a deluge of useless information and only occasionally provide the security-relevant events needed to detect an attacker. However, with the rise in sophisticated nation-state attacks and highly evasive malware, how can SOC teams decide which events and security logs to keep and which to throw onto the digital rubbish pile?
We know that attackers continually refine their tactics and techniques to compromise their targets, rendering SOC teams that rely solely on traditional signature-based detection measures blind to these sophisticated threats. Nation state attackers employ highly evasive malware incorporating novel techniques and zero-day vulnerabilities that make the job of defenders harder than ever. The consequence of nation states upping their game and shifting to a more sophisticated adversarial model is that SOC teams need to do the same. But what does this mean to their existing operating model?
In terms of the data collected by the SOC, it needs to shift to a new approach that doesn’t differentiate between useful and useless security logs. Highly evasive attacks may well be undetectable using today’s knowledge and threat intelligence, yet given a few days or weeks, they may be discoverable. Therefore, rather than discerning which events are useful in advance of knowing how the attacks work and sink holing the rest, SOC teams are shifting to log all events coming from operating systems, network devices and applications, including cloud-based solutions and IoT systems.
Since it’s impossible to know what every suspicious activity looks like, then the whole body of auditable data produced from your enterprise is needed to properly search for and build rules for detecting threats. What might seem like an innocuous or unnecessary event today may be the artefact needed tomorrow to build a more effective correlation rule. Furthermore, given the advancement in machine learning and artificial intelligence in SIEM platforms, building a baseline of known behaviour to allow the system to report suspicious anomalies is only possible when you collect everything. Is there a reason why collecting all these events is not possible?
Huntsman Security’s Next Gen SIEM includes Behavioural Anomaly Detection (BAD), to detect unknown and unknowable threats. The platform relies on collecting all the data from your environment so the modelling algorithms can build the picture of what normal looks like. Using this baseline, BAD can provide insights and detections based on suspicious looking activity, whether by users, machines or applications operating across the network, and allows the SOC team to investigate and resolve attacks that otherwise would have been missed.
Undoubtedly, the threat environment has changed and what worked five years ago may not be effective for what we need today. Modern technology platforms can help. To discover more, please don’t hesitate to contact the Huntsman Security engineering team:
<<< Part 2a: Australia’s Essential Eight: Beyond Endpoint Control <<< Part 2b: Activating UK NCSC & US NIST Guidelines: Beyond Endpoint Control Part 4: Systematic Measurement of Cyber Controls >>> As much as we invest into cyber security controls, external threats are inevitable. In a recent Notifiable Data Breaches Report from the Office of the […]Read more
Keen campers, scouts and even the Swiss Army know – that a good penknife is indispensable. This simple device has mitigated many a disaster at one point in time or another. Whether it’s to cut through a bit of string, tighten a screw or simply to solve the problem of no bottle opener in the […]Read more
Supply chain risk is an area of cyber security that demands the ongoing attention of every enterprise; because it can make the difference between being resilient or not. It’s no surprise that insurers warn that the vulnerability of supply chains is potentially a systemic risk that can quickly propagate across supply chain dominated industries. Organisations […]Read more
It took a “tripartite cyber assessment” by the Australian Prudential Regulation Authority (APRA) to identify that a sample of financial organisations had inadequate cyber security: poor security control management, a lack of business recovery planning and inadequate 3rd party risk assessment. Why were there gaps? Where is the failure? Clearly the common practice of unsubstantiated […]Read more
The discussion over data-driven vs qualitative cyber security assessment has been going for some time. Nowadays, it is at the top of the priority list for many security and senior executive teams. Managing cyber security has always been a noble ambition but without reliable measurement, the lack of actionable information makes evidence-based management decisions almost […]Read more
Attack Surface Management (ASM) characterises a business’s security risks as the monitoring and risk mitigation of a constantly changing and vulnerable “risk-surface”. Importantly, this attack surface extends to both internal and external assets and services. Some ASM solutions deliver clear visibility across both Internet facing and internal assets. Others do not. Instead, they assess external […]Read more
The UK Government has released its annual “Cyber Security Breaches Survey 2023”. It provides some valuable insights into how cyber security is currently being managed in the UK, by a range of organisations. It also speaks to how current competing economic priorities are impacting the effectiveness of some cyber security management efforts. The full report […]Read more
Solving the mismatch between cyber security reporting and directors’ requirements You are undoubtedly familiar with the headlines; you may have even become in part desensitised to them: ‘Cyber-attacks are increasingly damaging’, or ‘large amounts of personal data are most at risk’. The important take-away, however, is that modern day thieves can easily gain access to […]Read more
A system to address the untrustworthy security environment Zero trust approaches to security have been talked about for a while; but in recent times they have certainly gained more currency. As a model for protecting data and services, the simplicity of the concept is its biggest strength – assume, as a default position, there is […]Read more
The ongoing protection of Critical Infrastructure from cyber-attacks has implications for us all – whether it’s supporting our health, well-being or simply our way of life, there is good reason to reflect on the effectiveness your cyber security. Cyber security risks are nothing new and the vulnerability of critical infrastructure to them (and the heightened […]Read more
Read by directors, executives, and security professionals globally, operating in the most complex of security environments.