APT Shaping SIEM

Published: 22/11/2024   Category: security


Security information and event management tools must catch up with the elusive advanced persistent threat



Traditional security information and event management (SIEM) systems typically don't detect a relentless targeted attack designed to avoid raising any red flags: They're tuned to catch unusual activity, not stealthy attacks that hide behind legitimate user credentials or normal traffic.
But with more and more commercial organizations now in the bull's-eye of cyberespionage conducted by so-called advanced persistent threat (APT) actors, victim organizations are increasingly demanding more from their security management tools to help them better defend against these silent attackers. And there are signs that SIEM technology is gradually being forced to evolve to address these stealthier attacks.
"The biggest challenge with SIEM in dealing with the more sophisticated adversary has to do with the 'E' in SIEM. These technologies are designed to alert on events, meaning they must recognize something in order to get the sec ops team's attention," says Scott Crawford, managing research director at Enterprise Management Associates. "This is, of course, something that a more adept adversary seeks to avoid, which means that often they are exploiting a legitimate user's privileges and keeping their activity as unremarkable or difficult to distinguish from normal user activity as possible. This makes it challenging to write alert rules: How do you alert on what appears to be normal user activity?"
Signs of a new generation of SIEM features to help sniff out APT attackers have begun emerging during the past few months. HP, which sells the popular ArcSight ESM SIEM platform, recently integrated its product with Solera Networks' DeepSee forensics and analytics system, and RSA this summer rolled out RSA NetWitness Panorama, which combines network forensic and log data into a common system for analysis on RSA's enVision SIEM system.
Eddie Schwartz, CSO at RSA, says this helps bring together all of the clues that an APT actor has infiltrated a network. "If you get an indicator, such as a domain name or file name or user credential in an investigation ... you want to understand across the entire organization where this particular object appeared. Historically, you would have had to touch hundreds of different data sets," Schwartz says. "Every data set is asking a slightly different question. Now there's a single place with a single question, and you can quickly get a single answer that spans all data sets about the rogue object associated with the attack," he says.
Security teams running traditional SIEM systems or security products can't effectively close the targeted attack window as well as those who are running products with broader and deeper analysis, Schwartz says. "There is a gap. A better SIEM with faster results and operationalizing security data in a way that closes that window and risk in a more timely manner limits the amount of time the attacker has to steal information," he says.
"This is a vision of what SIEM can become. It's got to become a better data management framework for security management people," he says.
But SIEM products today generally fall short when it comes to providing details about security events. "ArcSight is good at correlating basic information," says Joe Gottlieb, CEO and president of SenSage. "But the limitation is that they are working with a constrained dataset that's normalized, so it's a lowest common denominator provided by different vendors, and they don't have the ability to drill into the details. Doing this [integration] with Solera offers details underneath what they are pointing to in their alerts."
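As an added illustration of the "single question across all data sets" pivot Schwartz describes, and of Gottlieb's point that a normalized lowest-common-denominator schema loses the detail underneath an alert, here is a small Python sketch. It is example code written for this page, not RSA's, HP's or Solera's implementation. The three log sources, the hostnames, user IDs, domain and file name are all constructed, and the normalized schema is an assumption of the example: every record is reduced to a set of pivotable objects (IPs, users, domains, file names) but keeps its raw line so an analyst can still drill into the vendor-specific fields the normalization discarded.

```python
"""
Added example (not the article's or any vendor's code): normalize three log
sources with different native formats into one pivotable schema, keep the raw
record for drill-down, and answer 'where did this object appear?' once across
all of them. Every log line, host, user, domain and file name is constructed.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Set

KV_RE = re.compile(r'(\w+)=(\S+)')

# Constructed sample data: a web proxy, a DNS resolver and an endpoint agent.
PROXY_LOG = [
    '2011-10-03T09:12:41Z src=10.1.4.22 user=jsmith method=GET host=update-cdn.example.net uri=/a.php status=200 bytes=4821',
    '2011-10-03T09:13:02Z src=10.1.4.22 user=jsmith method=GET host=www.example.com uri=/ status=200 bytes=1200',
]
DNS_LOG = [
    '2011-10-03T09:12:40Z client=10.1.4.22 query=update-cdn.example.net type=A answer=203.0.113.9',
    '2011-10-03T11:02:10Z client=10.1.7.5 query=update-cdn.example.net type=A answer=203.0.113.9',
]
EDR_JSON = [
    r'{"ts":"2011-10-03T09:12:55Z","host":"WS-0422","user":"jsmith","event":"file_write",'
    r'"path":"C:\\Users\\jsmith\\AppData\\Local\\Temp\\svch0st.exe"}',
]

@dataclass
class Event:
    ts: str
    source: str           # which data set the record came from
    indicators: Set[str]  # every object an analyst might pivot on
    raw: str              # the original record, kept for drill-down

def _kv(line: str) -> Dict[str, str]:
    return dict(KV_RE.findall(line))

def parse_proxy(line: str) -> Event:
    f = _kv(line)
    return Event(line.split()[0], 'proxy', {f['src'], f['user'], f['host']}, line)

def parse_dns(line: str) -> Event:
    f = _kv(line)
    return Event(line.split()[0], 'dns', {f['client'], f['query'], f['answer']}, line)

def parse_edr(line: str) -> Event:
    r = json.loads(line)
    # index both the full path and the bare file name so either form pivots
    fname = r['path'].replace('\\', '/').rsplit('/', 1)[-1]
    return Event(r['ts'], 'edr', {r['host'], r['user'], r['path'], fname}, line)

def normalize(proxy, dns, edr) -> List[Event]:
    events = ([parse_proxy(l) for l in proxy] + [parse_dns(l) for l in dns]
              + [parse_edr(l) for l in edr])
    return sorted(events, key=lambda e: e.ts)

def pivot(events: List[Event], indicator: str) -> List[Event]:
    """One question, every data set: records in which the object appears."""
    needle = indicator.lower()
    return [e for e in events if any(i.lower() == needle for i in e.indicators)]

def where_seen(events: List[Event], indicator: str) -> Dict[str, int]:
    """Hit count per data set, the first thing an analyst wants to know."""
    counts: Dict[str, int] = {}
    for e in pivot(events, indicator):
        counts[e.source] = counts.get(e.source, 0) + 1
    return counts

def expand(events: List[Event], seed: str, hops: int = 1) -> Set[str]:
    """Follow co-occurring objects: domain -> client IP -> account -> dropped file."""
    known = {seed.lower()}
    frontier = set(known)
    for _ in range(hops):
        found = set()
        for ind in frontier:
            for e in pivot(events, ind):
                found |= {i.lower() for i in e.indicators}
        frontier = found - known
        known |= found
    return known

if __name__ == '__main__':
    ev = normalize(PROXY_LOG, DNS_LOG, EDR_JSON)
    print(where_seen(ev, 'update-cdn.example.net'))
    print(sorted(expand(ev, 'update-cdn.example.net', hops=2)))
    for e in pivot(ev, 'svch0st.exe'):
        print(e.source, e.raw)   # raw detail the normalized fields do not carry
```

Pivoting on the domain answers the single question (where did this object appear?) across proxy, DNS and endpoint data in one call; expand() then follows co-occurring objects hop by hop, which is how an analyst turns one indicator into the set of hosts, accounts and files associated with the intrusion. The hop count is kept small on purpose: at the second hop the walk already pulls in a benign site the same workstation visited, so expansion output is a lead list for review, not an alert.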
Solera CTO Joe Levy says his firm's technology fills a gap in SIEM by detecting unknown types of events. "The area where SIEM is most deficient is when there's no clear indicator of compromise," Levy says.
Narayan Makaram, HP ArcSight product manager, says while ArcSight collects any malware activity that was detected, Solera drills down on those events: "As the malware moves to various assets using, for example, nmap, anomalous network traffic gets detected and then collected by ArcSight," Makaram says. "Solera shows you who was where on the network and what they did ... For forensics analysis, blacklisting and whitelisting alone cannot address the APT. This helps you address that type of attack."
SIEM technology is evolving into more of a security intelligence and business risk management platform, he says.
SIEM configuration -- not technology -- as the problem
But part of the problem with SIEM missing APT attackers isn't necessarily due to the technology, but in how it's configured. "Most of the deployments we have today of log management and SIEM are virtually useless for detecting an APT [threat]," says Matt Mosley, senior product manager at NetIQ. "It's not necessarily the limitations of the technology, but on how it has been deployed in a lot of cases. The fact is, a lot of these products take a long time to configure [such that] you would be able to pick up on this type of attack."
Contributing to that is the fact that, over the past couple of years, SIEM and log management purchases were driven largely by compliance requirements such as PCI DSS. While that has helped spur adoption of security monitoring, in most cases it has resulted in huge, centralized databases of logs without much context.
"I think the promise of security event management is the ability not just to filter, but to tell us what's important. APT is a particularly tough case there," NetIQ's Mosley says. "Even where you've configured event management to correlate and look for certain types of attacks, the most sinister APTs are those that involve zero-days."
Look for more advanced behavioral analysis in SIEM platforms, too, where you can specify what behavior is normal for a particular user or computer resource, security experts say.
"We have to stop looking at SIEM as a problem of finding the bad guy, and start looking more at modeling behavior and understanding what's acceptable and what's not," Mosley says.
How can you really tell what's normal when the attackers are hell-bent on blending in? That depends on what you know about a user who logged into a particular database, for example: "If it's from a secretary's laptop, maybe that's not normal because that's not where it should be coming from," Mosley says, adding that the time of day and other factors also must be weighed.
"An activity that shows up in the system logs as authorized usually gets filtered out and ignored. [But] often that's where the evidence really is," he says.
Tying SIEM into identity management systems, NetIQ's Mosley says, can help with the behavioral analysis part of the investigation. SIEM can then track the human being rather than the user ID to get better information about a particular event or activity and who it's associated with, he says.
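The behavioral modeling Mosley outlines (baseline what is normal for a person, weigh the source device and time of day, and track the human rather than the user ID by joining against identity management) can be sketched in a few dozen lines. The following is an added example for this page, not NetIQ's product logic. The identity mapping, asset ownership table and login records are constructed; the HR_PAYROLL and SALES databases, the workstation names and the user IDs are invented, and the baseline is a deliberately simple set-and-range model per person.

```python
"""
Added example (not from the article or any vendor): score successful database
logins against a per-person behavioral baseline. All identities, hosts,
databases and log lines below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

KV_RE = re.compile(r'(\w+)=(\S+)')

# What the SIEM would pull from the identity system: several user IDs can
# belong to one human, and each workstation has a known owner.
PERSON_OF = {'jsmith': 'Jane Smith', 'jsmith-adm': 'Jane Smith', 'rlee': 'Rob Lee'}
OWNER_OF = {'WS-0422': 'Jane Smith', 'WS-0310': 'Rob Lee', 'WS-0105': 'Pat Doe'}

# A quiet week of logins used to learn what is normal (constructed).
BASELINE_LOG = [
    '2011-09-26T09:05:12Z user=jsmith src=WS-0422 db=HR_PAYROLL result=success',
    '2011-09-26T14:40:03Z user=jsmith-adm src=WS-0422 db=HR_PAYROLL result=success',
    '2011-09-27T10:11:45Z user=jsmith src=WS-0422 db=HR_PAYROLL result=success',
    '2011-09-28T16:02:19Z user=jsmith src=WS-0422 db=HR_PAYROLL result=success',
    '2011-09-26T08:55:00Z user=rlee src=WS-0310 db=SALES result=success',
    '2011-09-27T17:30:27Z user=rlee src=WS-0310 db=SALES result=success',
]
# New records to score (constructed). All are 'authorized': every login succeeded.
NEW_LOG = [
    '2011-10-03T10:20:31Z user=jsmith src=WS-0422 db=HR_PAYROLL result=success',
    '2011-10-03T11:03:08Z user=jsmith-adm src=WS-0422 db=HR_PAYROLL result=success',
    '2011-10-04T02:17:44Z user=jsmith src=WS-0105 db=HR_PAYROLL result=success',
    '2011-10-04T02:19:02Z user=jsmith src=WS-0105 db=SALES result=success',
    '2011-10-04T09:30:15Z user=rlee src=WS-0310 db=SALES result=success',
]

def parse(line):
    """Turn one 'ts key=value ...' line into a dict; ts is parsed as UTC."""
    ts = datetime.strptime(line.split()[0], '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)
    f = dict(KV_RE.findall(line))
    return {'ts': ts, 'user': f['user'], 'src': f['src'], 'db': f['db'],
            'ok': f['result'] == 'success'}

def person(user_id):
    """Track the human, not the account; unknown IDs fall back to the ID itself."""
    return PERSON_OF.get(user_id, user_id)

def build_baseline(lines):
    """Per person: source hosts seen, hours seen, databases used."""
    base = defaultdict(lambda: {'hosts': set(), 'hours': set(), 'dbs': set()})
    for e in map(parse, lines):
        if e['ok']:
            b = base[person(e['user'])]
            b['hosts'].add(e['src'])
            b['hours'].add(e['ts'].hour)
            b['dbs'].add(e['db'])
    return dict(base)

def score(baseline, lines):
    """Report successful logins that deviate from the person's baseline."""
    findings = []
    for e in map(parse, lines):
        if not e['ok']:
            continue  # failures are what ordinary rules already catch; focus on successes
        who = person(e['user'])
        b = baseline.get(who)
        reasons = []
        if b is None:
            reasons.append('no_baseline_for_person')
        else:
            if e['src'] not in b['hosts']:
                reasons.append('new_source_host')
            # crude hours model: anything outside the observed min..max hour window
            if not (min(b['hours']) <= e['ts'].hour <= max(b['hours'])):
                reasons.append('off_hours')
            if e['db'] not in b['dbs']:
                reasons.append('new_database')
        owner = OWNER_OF.get(e['src'])
        if owner is not None and owner != who:
            reasons.append('host_owned_by:' + owner)
        if reasons:
            findings.append({'ts': e['ts'].isoformat(), 'person': who, 'user': e['user'],
                             'src': e['src'], 'db': e['db'], 'reasons': reasons})
    return findings

def naive_failed_login_rule(lines):
    """The classic SIEM rule: alert only on failures. Authorized activity is filtered out."""
    return [l for l in lines if 'result=failure' in l]

if __name__ == '__main__':
    baseline = build_baseline(BASELINE_LOG)
    print('failure-only rule sees:', naive_failed_login_rule(NEW_LOG))
    for f in score(baseline, NEW_LOG):
        print(f['ts'], f['person'], f['user'], f['src'], f['db'], ', '.join(f['reasons']))
```

Because the baseline is keyed on the person, the privileged account jsmith-adm used from Jane Smith's own workstation during her normal hours raises nothing, while the successful, fully authorized logins from the secretary's laptop at 02:17 are reported with three or more independent reasons each. The naive_failed_login_rule() function shows what a failure-only rule would see for the same window: nothing.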
And while SIEM began as a way to correlate IDS and other network logs, that's no longer a true picture of the threat. It must also be able to detect those intrusions or threats that get around the perimeter, because spear-phishing attacks that dupe users and zero-day attacks are the favorite tools of the APT attacker.
"You need to see what happens when they get inside. And you have to respond quickly," says Chris Petersen, CTO and co-founder of LogRhythm.
And keep an eye on the big data space, EMA's Crawford says. "The technologies for collecting and managing large volumes of information more effectively become more responsive and adept at finding some of the more subtle needles that may otherwise go undetected in very large haystacks," he says.
