Enabling Faster and More Efficient Cyber Security Incident Response with LogPoint SIEM and DFLabs SOAR

Cyber Security Incidents: The Problem and Challenges

Cyber security incidents are complex, potentially involving numerous assets being monitored by a myriad of different prevention and detection technologies. Investigating a cyber security incident requires the involvement of many different people, processes and technologies, all of which must work together seamlessly for an effective and efficient response. Failure to properly orchestrate these many moving parts can lead to increased risk, exposure and losses.

During a cyber security incident, context is key. Without proper context, analysts and managers are unable to make informed decisions regarding potential risk, containment, and recovery. Providing this necessary context can be a manual, time-consuming tasks, wasting valuable time as attackers continue to move throughout the network unobstructed.

Therefore, it is critical for security programs to implement an overall solution that aims to solve three key challenges:

  1. How can I use my existing resources more effectively?
  2. How can I reduce the mean time to detection (MTTD)?
  3. How can I reduce the mean time to response (MTTR)?

Combine the Power of LogPoint SIEM with DFLabs SOAR to Enable Faster and More Efficient Cyber Security Incident Response

The DFLabs and LogPoint Solution

DFLabs IncMan Security Orchestration, Automation, and Response (SOAR) platform automates, orchestrates and measures security operations and incident response tasks including threat validation, triage and escalation, context enrichment and threat containment. IncMan uses machine learning and Rapid Response Runbooks (R3 Runbooks) as a force multiplier that has enabled security teams to reduce average incident resolution times and increase incident handling.

LogPoint’s SIEM system is designed from the ground up to be simple, flexible, and scalable, providing a streamlined design, deployment, and integration tools to open the use of SIEM tooling up to all businesses. This means that the architecture can be continuously extended with additional functionality without the need for a full major release, to continue to support your business’s growing and changing needs.

Each as their standalone solution has their merits but also have their limitations. SIEMs are traditionally more commonly used within security operations infrastructure, ingesting large volumes of data, providing real-time analytics while generating alerts, but not all of these alerts can realistically be handled manually by security analysts. Orchestration and automation are critical components in responding effectively and efficiently to a cyber security incident. DFLabs IncMan SOAR platform is layered on top of the SIEM to manage the incident response process to each alert. Combing the aggregation, storage and analytics power of LogPoint with the orchestration, automation and response power of IncMan drastically multiplies the impact of the existing security program by removing the analyst from the repetitive, mundane tasks, allowing analysts to focus their time and energy where they can have the greatest impact.

Together they can provide security programs with the ability to:

  1. Automate repeatable, mundane tasks.
  2. Orchestrate actions across multiple security tools.
  3. Enrich raw data, allowing for more informed, effective decisions.
  4. Reduce the mean time to detection and mean time to response, minimizing potential risk.
Use Case in Action

A proxy has observed an internal host communicating with an IP address which is known to be a command and control server used by malicious actors.  The proxy generated an alert, which was forwarded to LogPoint. Using the IncMan app, Logpoint automatically forwarded the event to IncMan, which automatically generated an incident and began an automated response, including executing the R3 Runbook shown below.

The runbook begins by performing several basic Enrichment actions, such as performing a Whois query and an IP geolocation search. These Enrichment actions are followed by a Containment action, which is used to block the malicious IP address at the perimeter firewall.

Once the initial IP address is blocked, an additional Enrichment action is used query LogPoint for a list of all IP addresses the internal host has communicated within the past 30 minutes. Next, an Enrichment action is used to query each of these IP addresses against the organization’s threat reputation service of choice (for example, VirusTotal, Cisco Umbrella or McAfee ATD).

Any IP addresses which have a negative reputation will undergo a similar process to the initially identified malicious IP address; first utilizing several Enrichment actions to perform basic data enrichment, then being blocked at the perimeter firewall using a Containment action.

Once these IP addresses have been blocked to prevent any additional risk, LogPoint is again queried; this time for any other internal hosts which may have been communicating with these additional malicious IP addresses.

If any other internal hosts have been observed communicating with any of these additional malicious IP addresses, a final Enrichment action will be used to gather further information regarding each internal host from the IT asset inventory. This information will be automatically stored within the IncMan Incident and will be available for an analyst for review and follow up.

To ensure that each additionally potentially compromised internal host is further investigated by an analyst, a Notification action is used to immediately notify security team leaders about the identification of these additional potentially compromised hosts. If the organization were utilizing an IT ticketing system, an additional integration could be used to automatically generate an IT ticket to ensure additional accountability.

Minimizing the time from threat discovery to resolution from hours to seconds

The combination of a SIEM and a SOAR solution can provide real end-to-end visibility to neutralize potential cyber threats. By providing early detection and faster remediation of security incidents it can totally transform the security operations and incident response capability of any organization’s security program. Adopting this structure will inevitably minimize the time from threat discovery to resolution but can also have a positive impact on many other factors including improved operational performance, increased return on investment of existing security technologies, reduced risk resulting from security incidents while meeting legal and regulatory compliance.

Visual Event Correlation Is Critical in Cyber Incident Associational Analysis

I can remember sometime around late 2001 or early 2002, GREPing Snort logs for that needle in a haystack until I thought I was going to go blind. I further recall around the same time cheering the release of the Analysis Console for Intrusion Databases (ACID) tool which helped to organize the information into something that I could start using to correlate events by way of analysis of traffic patterns.

Skip ahead and the issues we faced while correlating data subtly changed from a one-off analysis to a lack of standardization for the alert formats that were available in the EDR marketplace. Each vendor was producing significant amounts of what was arguably critical information, but unfortunately all in their own proprietary format. This rendered log analysis and information tools constantly behind the 8-ball when trying to ingest all of these critical pieces of disparate event information.

We have since evolved to the point that log file information sharing can be easily facilitated through a number of industry standards, i.e., RFC 6872. Unfortunately, with the advent of the Internet of Things (IoT), we have also created new challenges that must be addressed in order to make the most effective use of data during event correlation. Specifically, how do we quickly correlate and review:

a. Large amounts of data;

b. Data delivered from a number of different resources (IoT);

c. Data which may be trickling in over an extended period of time and,

d. Data segments that, when evaluated separately, will not give insight into the “Big Picture”

How can we now ingest these large amounts of data from disparate devices and rapidly draw conclusions that allow us to make educated decisions during the incident response life cycle? I can envision success coming through the intersection of 4 coordinated activities, all facilitated through event automation:

1. Event filtering – This consists of discarding events that are deemed to be irrelevant by the event correlator. This is also important when we seek to avoid alarm fatigue due to a proliferation of nuisance alarms.

2. Event aggregation – This is a technique where a collection of many similar events (not necessarily identical) are combined into an aggregate that represents the underlying event data.

3. Event Masking – This consists of ignoring events pertaining to systems that are downstream of a failed system.

4. Root cause analysis – This is the last and quite possibly the most complex step of event correlation. Through root cause analysis, we can visualize data juxtapositions to identify similarities or matches between events to detect, determine whether some events can be explained by others, or identify causational factors between security events.

The results of these 4 event activities will promote the identification and correlation of similar cyber security incidents, events and epidemiologies.

According to psychology experts, up to 90% of information is transmitted to the human brain visually. Taking that into consideration, when we are seeking to construct an associational link between large amounts of data we, therefore, must be able to process the information utilizing a visual model. DFLabs IncMan™ provides a feature rich correlation engine that is able to extrapolate information from cyber incidents in order to present the analyst with a contextualized representation of current and historical cyber incident data.

As we can see from the correlation graph above, IncMan has helped simplify and speed up a comprehensive response to identifying the original infection point of entry into the network and then visual representing the network nodes that were subsequently affected, denoted by their associational links.

The ability to ingest large amounts of data and conduct associational link analysis and correlation, while critical, does not have to be overly complicated, provided of course that you have the right tools. If you’re interested in seeing additional capabilities available to simplify your cyber incident response processes, please contact us for a demo at [email protected]

A Weekend in Incident Response #27: Small Businesses Need to Improve Their Ability to Respond and Eradicate Cyber Incidents

Small businesses may not be the first thing that comes to people’s minds when talking about prime targets for cyber attackers. This is because government agencies, corporations, along with organizations and companies that are part of a country’s critical infrastructure are much more coveted targets, due to the high reward potential associated with them – both in terms of financial gains and retrieving confidential information. However, data breaches and other types of cyber incidents have recently become a common occurrence for many small businesses. Hackers are increasingly trying to gain access to the emails and acquire personal and other confidential information of their employees that are in charge of handling the companies’ finances.

One of the reasons why small businesses are seeing a rise in cyber attacks and data breaches is that cyber criminals have become increasingly aware of the fact that hacking into a small business’ computer network is fairly easy, in part due to the low cyber-security awareness of their employees. Additionally, the cyber defense programs and solutions that small businesses utilize are weak or even non-existent, thus making them easy prey despite not having a particularly high financial reward potential for cyber criminals. Lastly, small businesses have adapted to cloud services to conduct a large portion of their operations, and most cloud providers offer data encryption, making them extremely vulnerable to cyber threats.

What Criminals Are After

In most cases, the typical cyber attack on a small business’ computer network aims to retrieve a company’s financial information, employee records, customer records, as well as customer credit or debit card information, which they could later use to steal company funds, commit financial fraud, identity theft, or extortion.

The most common types of cyber security events faced by small businesses include phishing, SQL injections, malware, ransomware, DDoS attacks, and web-based attacks. The first line of defense against these attacks are a company’s employees. They need to go through cyber-security training to be able to recognize and detect a cyber threat – with statistics showing that a large part of data breaches are related to employee inattention.

Security Automation Is the Next Line of Defense

While cyber-security training for employees is something that every company needs to provide in this age of constant threat of cyber attacks, that alone is not enough to protect businesses against all potential cyber security incidents. Raising employee cyber-security awareness should be followed up by implementing appropriate solutions aimed at detecting, tracking, and eradicating cyber security incidents. In that regard, small businesses could use a security automation and orchestration platform, which can greatly reduce their reaction time following a cyber incident, and prepare them for more timely detection and prevention of future attacks.

Such a platform can help you protect customer and employee information, as well as valuable financial information, since it is capable of assessing the scope of the incident, identifying the affected device or devices, and containing the damage, by providing complete reports on the damages occurred, in addition to providing specialized rules and strategies that allow cyber-security professionals to react much more quickly and effectively to eradicate the incident. These types of platforms are the most straightforward and effective solution for small businesses’ concerns regarding cyber threats, which they are only going to see more of in the near future.

A Weekend in Incident Response #25: Closing the Gap in U.S. Federal Agencies Cyber Security

In March, the U.S. Office of Management and Budget (OMB) released a report on the cyber performance of federal agencies, revealing that a total of 30,899 cyber incidents were reported by them in fiscal 2016. The OMB states that this is an alarming figure and that it indicates that there are significant gaps in the cyber defenses of federal agencies across the country.

According to the report, federal agencies have made good progress in improving their cyber defenses last year, but are still quite vulnerable to cyber attacks and need to ramp up their efforts for protecting their networks and data. Of the almost 31,000 incidents in 2016, a total of 16 have been designated as major incidents, which means they had the potential to threaten national security, the economy, civil liberties, or relations with foreign countries. With this in mind, federal agencies need to keep stepping up their efforts for strengthening their defense against cyber attacks.

Detecting and Preventing Malware and Phishing Attacks

Given that the report states the vast majority of cyber incidents reported by federal agencies involved phishing attacks and malware infections, they are now advised to look into improving their capabilities to respond to these types of attacks and detect and prevent them in the future. There are a couple of ways this can be done. When talking about cyber incident response, one of the most cost-effective and efficient solutions is employing an automation-and-orchestration cyber incident response platform, capable of keeping cyber security events under control, mitigating risks and improving an organization’s ability to prevent future attacks.

These platforms have wide-ranging features that give Computer Security Incident Response Teams (CSIRTs) the opportunity to detect, track and predict cyber security breaches immediately. There are platforms that can help reduce reaction times when responding to an incident, through the employment of automated playbooks designed to accelerate the response to specific types of attacks – such as malware or phishing attacks, which are often faced by government agencies.

Integrated Knowledge Base to Guide You Through the Response Process

Through the use of those playbooks, as well as the available integrated knowledge base, cyber security professionals can quickly identify where an attack is coming from and determine the location of the infected or breached device or part of the network, and follow that up with the containment of the damage to prevent it from spreading.

What’s more, these types of platforms can create automatically generated reports on every incident, in addition to collecting digital evidence for forensic investigations, allowing for the quick notification of law enforcement and provide them with the necessary documentation, thus complying with data breach notification and reporting regulations.

This approach can increase cyber security teams’ ability to resolve incidents in a timely manner and prevent government agencies from losing valuable and sensitive data that could be used by attackers for ransomware or to damage the country’s critical infrastructure.