Part 1 of the Watch Your Back series: Why You Must Have a SIEM
Wired recently published an article about Rob Joyce, Chief of the NSA's Tailored Access Operations, and his talk on disrupting nation-state hackers. Here's the link to the original video: Disrupting Nation State Hackers. Joyce covers quite a few defensive measures that make life miserable for the NSA. The ones he singles out are: Security Information and Event Management (SIEM) tools analyzing logs, Indicators of Compromise (IOCs), out-of-band (OOB) devices analyzing traffic, and, worst of all from his side of the keyboard, competent System Administrators who actually use these technologies. Today, we are going to dive into logging, OOB devices, SIEM, IOCs, and monitoring your network with a SIEM.
Technology creates a lot of information, and it typically leaves a record of what it has done in log files. Whether it's your router, switch, server, virtualization platform, cloud provider, smartphone, or printer, a trail of events is created, like the receipt you get from grocery shopping. Unfortunately, logs are often forgotten, and commonly never analyzed unless there is a major problem. Even then, System Administrators perform log analysis grudgingly, simply because of the sheer volume of data. It's like a scene out of The Matrix where the rebel crew members watch green characters scroll down the monitor, but slightly less exciting. However, there is a wealth of information in these logs, and, like in The Matrix, System Administrators can use it to observe what is happening in their infrastructure. Two practical points follow from that: the logs have to be collected in one central place to be analyzed at all, and they have to be shipped off each device promptly, because an attacker who gains control of a host can delete or alter the local copy, but not the copy that already left.
Now, there are specialized OOB devices that analyze your network traffic. These are typically Intrusion Detection Systems (IDS) that passively monitor your network from a network tap or a switch mirror (SPAN) port. They are out-of-band because they are not in the data path; a copy of the traffic is fed to them instead. This gives them a couple of advantages: if they fail they don't take your network down, and, more importantly for security, a passive sensor has no presence on the monitored segment for an attacker to probe or fingerprint, so the hacker doesn't know what is watching. You can think of it like having a concealed bodyguard in the dark with night vision while a mugger is trying to sneak up on you. The limits are worth knowing too: a mirror port can drop packets when the switch is busy, and an IDS only sees the traffic that crosses its tap, so encrypted sessions and traffic on other segments still have to be covered by logs from the endpoints themselves. Naturally, these OOB monitoring devices generate a lot of alerts and logs, which are then sent to your SIEM.
SIEM stands for Security Information and Event Management (you will also see "Security Incident" used for the I; the technology is the same). The SIEM collects the logs coming from every device, normalizes them into a common format, and correlates events across sources that would each look innocent on their own. It flags deviations from normal patterns and makes sense of the mountains of information. The SIEM watching your logs and OOB systems is the scariest piece of technology in your arsenal to the bad guys because it can actually find the needle in a haystack. Fifty million events happen on your network in a day, and it can surface the handful of malicious actions stealing your data (or credit card numbers, if you're Target or Home Depot).
SIEMs need to be constantly updated to remain effective. One of the main inputs is Indicators of Compromise (IOCs): observable artifacts associated with an intrusion, such as the IP addresses and domains malware phones home to, file hashes of known malicious binaries, or patterns of activity that should never occur in your environment. In practice the feed covers both hard IOCs and behavioral detection rules. A hit might be a system sending SPAM to the internet, a malicious website infecting anyone who lands on its homepage, malware traversing your network, the intern down the hall accessing HR data to which he shouldn't have access, or data going to an inappropriate or unauthorized destination such as a country like Russia or China where your organization does no business. IOCs enable System Administrators and Engineers to remain vigilant and stay abreast of new threats on the horizon. As Joyce says, "If you're looking at the Nation State hackers, we're going to be persistent. We're going to keep coming and coming and coming, so you've gotta be defending and improving and defending and improving and evaluating and improving. The static person is going to float to the back of the pack." And when a bear is chasing you, you don't have to be the fastest in the pack, just don't be the slowest.
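To make the last two paragraphs concrete, here is a small SIEM-style pipeline written for this post as an added example (it is not code from the original article or from any SIEM product). It parses constructed syslog-style lines from an SSH server, a firewall and a DNS resolver, matches each event against a hypothetical IOC watchlist, and then does the part that separates a SIEM from a grep: it joins a brute-force login success on one host with a later outbound connection from that host's IP to a watchlisted address, using a hypothetical asset inventory to map hostname to IP. All addresses are RFC 5737 documentation ranges and the domain is under example.net; none of the log lines, IOC values or hostnames are real.

```python
"""Toy SIEM: normalize events from several sources, match them against an IOC
watchlist, and correlate across sources so that events which look harmless on
their own are raised as one incident. Added example; all data below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IOC watchlist (hypothetical C2 address and beacon domain, not real intel).
IOC_WATCHLIST = {
    "ip": {"203.0.113.45"},
    "domain": {"update-check.example.net"},
}

# Hypothetical asset inventory used for enrichment: which IP a hostname owns.
# Without it, an auth log (keyed by hostname) and a firewall log (keyed by IP) cannot be joined.
ASSETS = {"app01": "10.0.5.21", "app02": "10.0.5.22"}

BRUTE_FORCE_THRESHOLD = 3             # failed logins before a following success is suspicious
BRUTE_FORCE_WINDOW = timedelta(minutes=5)
CHAIN_WINDOW = timedelta(minutes=10)  # login success -> IOC contact inside this window = one chain

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUTH_RE = re.compile(r"^sshd: (Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")


def parse_event(line):
    """Normalize one syslog-style line into a dict; return None if it is unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    except ValueError:
        return None
    ev = {"ts": ts, "host": m["host"], "raw": line}
    msg = m["msg"]
    auth = AUTH_RE.match(msg)
    if auth:
        ev["type"] = "auth_fail" if auth.group(1) == "Failed" else "auth_ok"
        ev["user"], ev["src"] = auth["user"], auth["src"]
        return ev
    # Firewall and DNS lines are "VERB key=value ..." in this constructed format.
    ev["type"] = msg.split()[0].lower() if msg else "unknown"
    ev.update({k: v.strip('"') for k, v in KV_RE.findall(msg)})
    return ev


def ioc_matches(ev):
    """Return the (kind, value) IOCs that a single event touches."""
    hits = [("ip", ev[k]) for k in ("src", "dst") if ev.get(k) in IOC_WATCHLIST["ip"]]
    if ev.get("name") in IOC_WATCHLIST["domain"]:
        hits.append(("domain", ev["name"]))
    return hits


def correlate(lines):
    """Run IOC matching plus brute-force -> IOC-contact correlation over all lines.
    Returns (severity, rule, description) tuples in event-time order."""
    events = sorted((e for e in map(parse_event, lines) if e), key=lambda e: e["ts"])
    alerts = []
    failures = defaultdict(list)   # (host, user, source) -> timestamps of failed logins
    compromised = {}               # host IP -> time of a brute-force login success
    for ev in events:
        for kind, value in ioc_matches(ev):
            alerts.append(("medium", "ioc_match", f"{ev['host']}: {kind} IOC {value} in: {ev['raw']}"))
        key = (ev["host"], ev.get("user"), ev.get("src"))
        if ev["type"] == "auth_fail":
            failures[key].append(ev["ts"])
        elif ev["type"] == "auth_ok":
            recent = [t for t in failures[key] if ev["ts"] - t <= BRUTE_FORCE_WINDOW]
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                alerts.append(("high", "brute_force_success",
                               f"{ev['user']}@{ev['host']} from {ev['src']} after {len(recent)} failures"))
                if ev["host"] in ASSETS:
                    compromised[ASSETS[ev["host"]]] = ev["ts"]
        elif ev["type"] == "allow" and ev.get("src") in compromised:
            if (ev["ts"] - compromised[ev["src"]] <= CHAIN_WINDOW
                    and ("ip", ev.get("dst")) in ioc_matches(ev)):
                alerts.append(("critical", "compromise_chain",
                               f"{ev['src']} reached IOC {ev['dst']} shortly after a brute-forced login"))
    return alerts


# Constructed sample logs: mostly benign noise with one attack chain buried in it.
SAMPLE_LOGS = [
    "2024-03-04T10:00:01Z app01 sshd: Failed password for svc_backup from 198.51.100.7",
    "2024-03-04T10:00:03Z fw01 ALLOW src=10.0.5.22 dst=192.0.2.10 dport=443",
    "2024-03-04T10:00:09Z app01 sshd: Failed password for svc_backup from 198.51.100.7",
    "2024-03-04T10:00:15Z dns01 query client=10.0.5.22 name=www.example.com",
    "2024-03-04T10:00:17Z app01 sshd: Failed password for svc_backup from 198.51.100.7",
    "2024-03-04T10:00:30Z app02 sshd: Accepted password for alice from 10.0.9.4",
    "2024-03-04T10:00:40Z app01 sshd: Accepted password for svc_backup from 198.51.100.7",
    "2024-03-04T10:01:02Z dns01 query client=10.0.5.21 name=update-check.example.net",
    "2024-03-04T10:01:05Z fw01 ALLOW src=10.0.5.21 dst=203.0.113.45 dport=443",
    "2024-03-04T10:01:20Z fw01 ALLOW src=10.0.5.22 dst=192.0.2.10 dport=443",
]

if __name__ == "__main__":
    for severity, rule, description in correlate(SAMPLE_LOGS):
        print(f"[{severity}] {rule}: {description}")
```

Alice's normal login produces nothing, the two watchlist hits come out as medium-severity IOC matches, and only the join across the auth log, the asset inventory and the firewall log produces the critical alert. That last rule is the reason the IOC feed alone is not enough: a watchlist only knows addresses someone has already seen, so the behavioral rule (many failures, then a success, then unusual egress) is what catches the attacker who rotated to a fresh address.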
Finally, we get to the most important part of defending your company or organization's crown jewels: the System Administrator. You can have the best network security, the best SIEM, the best IDS, and the best security gadget in the world, but all of it is worthless if your System Administrators aren't qualified and constantly monitoring, analyzing, and improving. Their responsibility doesn't stop at watching the bad guys do bad things. As Joyce says, System Administrators must have clear policies and procedures for how to act once a threat has been detected. If at any point the Detect → Analyze → Remediate → Repeat loop breaks down, the attacker gets the time they need, your data will be compromised, and the hacker wins.
Don’t let the hackers win.