Security Overhaul: Migrating from a Legacy MSSP to a Splunk MDR Service Provider

Why Change?
In the early 2000s, when Security Information and Event Management systems (SIEMs) came onto the market, they were often expensive and complex to manage. But many organizations were required to collect, analyze and store security logs to meet compliance requirements, and a SIEM was the perfect tool for the job. Today most IT organizations expect much more from their SIEM than meeting compliance requirements. Modern SIEMs must detect advanced threats and provide automated response and containment functions.

For all but very large organizations, the most practical approach to security monitoring was to partner with a Managed Security Service Provider (MSSP). MSSPs were responsible for monitoring and investigating security events and managing SIEM systems. Some MSSPs extended this role by developing their own SIEM.

As technology has evolved and cybersecurity has become increasingly complex, many users have found that older SIEMs are not only complicated to run and maintain properly, but also haven’t evolved enough to stay ahead of today’s cyberthreat landscape. Older SIEMs struggle to ingest all data types and have slow or difficult search capability, poor user interfaces and a lack of scalability. And as these platforms age, there is often less support available from the vendor or the MSSP, leading to frustration and lengthy problem resolutions.

Finding the Right Tool

If you’re leading your organization’s transition away from its legacy SIEM, where do you start? The first step in selecting a SIEM is determining your objectives and needs. Questions you should ask include:
• What’s my budget for the solution?
• What is my risk profile?
• What are my critical digital assets that must be protected?
• What is my timeline for implementation?
• Do I want to host the system on-prem or in the cloud?
• How much data will be ingested?
• Which data sources are being sent?
• Are there any critical use cases that I need to move over?
• Will I build my own security content, or do I want a pre-packaged solution?
• What response and containment functions must be automated?
• What role should AI and Machine Learning play in detecting and responding to threats?
• Can I scale my environment and team over time?
• What are my business continuity goals?

Once you gather the requirements for your new solution, you will have a better idea of which solutions to focus on in your search. Today many organizations select Splunk as their SIEM. Splunk is a Leader in the Gartner SIEM Magic Quadrant and highly regarded for its search ability and powerful data analytics. Splunk’s unique approach to data ingestion and robust library of apps allow you to send a wide range of log sources directly to the system and define use cases for your data.

Splunk software can be installed in your organization’s IT infrastructure or hosted in the cloud. Splunk offers a managed cloud-based service, and some MSSPs also offer to host Splunk in their own cloud infrastructure. The decision to deploy your Splunk SIEM on-premises or in the cloud rests on trade-offs between control, scalability, and access to in-house expertise. Some MSSPs have built their use cases and content as an extension to Splunk Enterprise, while others fully support Splunk ES. Further, Splunk offers Phantom for Security Orchestration and Automation, and User Behavioral Analytics, both of which can also be part of your technology solution.

Setup for Success

Once you’ve determined what Splunk deployment you need, you have to decide how you will manage the platform. While your choice of platform and deployment architecture will guide your decision, many organizations find it’s best to partner with a team of Splunk experts for the implementation, as well as the security monitoring.

There are many things to consider when selecting a service provider to partner with. MSSPs come in all shapes and sizes. Some focus on offering a fully managed solution, while others offer a co-managed or hybrid approach. Some MSSPs differentiate themselves on their ability to customize their services while others offer a pre-set package of solutions.

Do you have the in-house expertise, or will you need a partner who can help you with the process, from migration to on-going monitoring and even management?

Managed Detection and Response (MDR) providers deliver 24×7 threat monitoring, detection and response services to their clients. Partnering with the right MDR provider gives you the benefits of a 24×7 Security Operations Center (SOC), and extends your team with access to a wide range of Splunk experts. These experts are available from start to finish, giving you a well-thought-out installation design, strong use cases with actionable alerts specific to your log sources, and expert back-end management.

See Proficio’s MSSP Checklist for our suggestions on what to look for in an MSSP.

Orderly Transition

Now that you’ve selected your solution and a partner who can help you deploy it, it’s time to plan the transition to the new system. Before you decommission your legacy SIEM, make sure you have a plan to properly phase out both it and your current MSSP, if you have one.

Ideally, when you entered into an agreement with your legacy MSSP, you defined a process for transitioning to another partner or to an in-house approach. This includes how and when to give notice of termination, ownership of information pertaining to your operations and policies, and access to historical security logs. Professional MSSPs understand that business relationships may not last forever and should work with you through the transition.

Deployment Begins

Implementation Timeline
The best way to migrate is to plan ahead and leave at least 30-60 days of overlap to properly implement and set up Splunk. This also gives you time to verify that your data ingestion is aligned in both systems, ensuring you’re not missing any critical data. A well-thought-out implementation ensures you get the most out of your investment from the start.

Data Retention
If your organization has data retention requirements to adhere to, keep them in mind when you plan the transition. Plan ahead to ensure that your archived data will not be lost when you take your legacy SIEM offline, and determine the process for recovery if access is needed later. For hot, searchable data, size your implementation overlap so that this data is kept on both SIEMs for the whole period and remains easy to access.

Audit
You’ve spent a long time setting up your legacy SIEM to be exactly the system you want. This includes everything from data ingestion to creating security use cases, dashboards and reports. Use this transition as a chance to audit everything you’ve set up and created, to find what you want to move into Splunk and what’s most important. Give yourself ample time to transition to ensure all of the high-value data is coming through.

Define and Refine

Data and Use Cases
It’s important that you not only send the appropriate data sources to Splunk, but also have strong use cases in place to ensure you’re capturing the right incidents and not missing critical alerts. When looking at your data, consider what sources are overactive, or always quiet. Are these still relevant? Do they need to be tuned better?

For use cases, look at what’s catching important incidents or hasn’t alerted in a year. If you begin by looking at the data you’ve ingested, and content you’ve built and how it’s working, you can determine where to start and what you should rebuild in your new system.

Your service provider should offer insight into what data is most essential to keep your organization safe. Look at what use cases or log sources are most critical and start with those high value assets first. They should also be able to assist you in controlling your data ingestion, so that you are only paying for the data you need.

If your legacy SIEM is still running when you deploy Splunk, you should look for consistency between the two platforms. This will help you gauge whether your use cases are properly tuned and accurately sending you alerts for security incidents.

Outline your Policies
If you’re currently using an MSSP or service provider, this is the time to review all the runbook and escalation procedures you’ve put in place. These should be the baseline for your new service provider, so that you can get off on the right foot and be set up for a successful relationship. Good service providers should help you define business context modeling, so they know what your critical assets are, and provide you with a dedicated team for your account.

Test, Tune, Go Live…

Once everything is configured, it’s time to start the testing phase. If possible, give yourself a few weeks to compare your Splunk setup to the legacy SIEM. Make sure that all the data is coming in properly and your use cases are firing as expected. Once you’ve fine-tuned your environment and are happy with your setup, you can officially retire your legacy SIEM.

Proficio’s team of Splunk experts can help you with your migration and continue with management of your environment once deployed. Contact us to learn more about how we can help you upgrade your cybersecurity with Splunk.

SIEM challenges: Why your security team isn’t receiving valuable insights

Today, many enterprises use security information and event management (SIEM) software to help detect suspicious activity on their networks. However, to be effective organizations need to surround a SIEM with security experts, advanced use cases, threat intelligence, and proven processes to investigate and respond to threats.

Misperceptions: Why not set and forget?

Since a SIEM collects millions of security events per day, the most common misperception is that it’s going to immediately identify indicators of attack and compromise and provide meaningful insights out of the box. Many think “hey, that’s why I bought it!” However, a SIEM is only a tool kit. Unfortunately, a SIEM only comes with baseline content built into it; it’s not a fully operational cybersecurity solution, even if a vendor installed it for you.

IT security teams need to continually build processes, correlation rules and use cases to truly benefit from its capabilities. In short, a SIEM is not static – it’s a living, breathing environment that needs constant maintenance and operationalization.

Help, we are drowning in false positives!

Are you experiencing an unmanageable number of high priority alerts (also called notables)? That can be an indication that your IT security team doesn’t have effective use cases in place for suppressing false alerts or finding more advanced attack scenarios. As a result, the SIEM delivers low-quality information that is difficult to sift through, and visibility into high priority, relevant events is lost.

If an enterprise doesn’t have operational workflow or a documented escalation runbook, security analysts won’t have a playbook to validate alerts, integrate with other threat sources to confirm whether the event needs to be addressed, and then determine what to do about it. If companies don’t have a clear remediation process, they are not ready to respond effectively and in the worst case they are just stumbling around inside the tool as if they’re trying to find the light switch in a dark room. Everything from performing the escalation to containment to incident response should be documented and tested. Otherwise, analysts are lacking the operations side of the SIEM environment.

Find your road map: Making sense of the data

While a SIEM can collect and aggregate a wide range of information, it needs to know what to look for in order to be successful. Like any computer-based problem-solving, you must tell the computer what logic to follow in order to get the desired data. Ask yourself: What data do I need to analyze to identify potential threats? Then program the logic into the tool so that the data filters will identify those key outliers; this is what is called a use case. In the SIEM world, creating use cases is critical to the success of any SIEM implementation. Enterprises must know what they’re looking for, and what data is being entered into the system, to gauge the validity of what’s going to come out of it.

A SIEM will traditionally look for known indicators of suspicious behavior. Depending on the use case and correlations with other variables, it may still require human oversight and validation to confirm the alert is legitimate. For example, an employee who normally works in the US may access a database from China. While this may look suspicious, it may be legitimate. In a security operations center (SOC), analysts are often looking for indicators of bad activity that are not based on a structured use case. Hunting for unknown bad indicators is an important activity for detecting advanced persistent threats (APTs). Advanced analytics help a SIEM look for the unknown indicators based on previous suspicious activity, outliers, and risk.

To build effective use cases, IT security teams need to prioritize different security events, define critical assets, and consider their business context. From there, they’ll need to continuously evolve those use cases as hackers use new forms of attacks. This is a constant process. Use cases that are in place now probably won’t work in six months to a year because of how fast the threat landscape changes. Typically, a security team will need to maintain a minimum of 50 use cases to model a SIEM to the business environment.

Using data to maintain compliance and pass audits

Beyond identifying potential threats or vulnerabilities, a SIEM can be used to manage future audits and meet compliance more easily. If companies fail an audit, they need to figure out where there are gaps in their security policies and processes, and what is specifically required to meet the audit. Companies need to also understand how to be efficient while maintaining compliance.

All compliance regulations and frameworks require enterprises to centrally collect logs, actively monitor those logs, and actively respond to indicators of attack, compromise, and policy violations. This is where a SIEM comes in. Often, companies fail to model their assets, which means they lose the context of whether there is critical data on a server or what behavior is appropriate for a device. For example, a hospital should closely monitor assets that store patient data and would not expect medical devices to communicate to random IP addresses outside their network.

Enterprises should instead evaluate which regulations they’re subject to, and identify the assets, devices, applications, and users that require a compliance review. To identify vulnerabilities and policy violations, enterprises need to identify the assets they’re monitoring. Without doing so, it’s extremely difficult to create controls around them or to identify whether there’s been an attack targeted at a specific asset.

It’s not just the SIEM, it’s the process

It’s not just about managing the SIEM, it’s about managing processes and use cases, threat discovery, and response. IT security teams that continually build and maintain use cases and apply correlation rules appropriate to their business environment will start to receive more valuable insights from their SIEM to maximize their investment in the tool. Similarly, those organizations that nail down the operational workflow are much better prepared to manage the lifecycle of an event from discovery to response, no matter what SIEM software the enterprise has purchased.

OPTIMIZING YOUR SPLUNK INVESTMENT

Using SIEM Technology to Streamline HIPAA Compliance

There are 154 separate risks underlying the HIPAA compliance security standard. Addressing and continually monitoring each of these risks individually can be an enormous task for a security officer. SIEM technology allows most of these risks to be identified, addressed and monitored.

SIEM technology allows for the collection of security events across devices, with automated cross-correlation of activity. HIPAA specific use cases built into a SIEM tool allow ePHI risks to be displayed in dashboards, channels, or reports.

For example, the login events from a Windows Active Directory server can be correlated against access events from a badge reader system. Where a login of an employee with credentials to a system containing ePHI does not match the recent access logs from the badge reader system, an alert is sent to the Security Officer. This alert contains actionable information to allow for fast remediation of a potential compliance issue. If the Security Officer wishes to look deeper into the issue, they can then open a web based portal to the SIEM, verify both login and badge reader activity and quickly resolve a potential breach of Access control and Validation procedures – Physical Safeguard §164.310(a)(2)(iii).

Use cases such as the above example can be created for the majority of the Security Standards.
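The badge-reader correlation described above, written out as an added example (not Proficio’s or Splunk’s code): a logon to a host holding ePHI is flagged when the user has no badge entry within a configurable window before the logon. The event fields, host names and the 10-hour window are assumptions, and the sample events are constructed.

```python
"""Added example: correlate Windows AD logon events with physical badge-reader
access to flag logons to ePHI systems that lack a recent badge entry.
All field names, hosts and times below are constructed for illustration."""
from datetime import datetime, timedelta

# Constructed badge-reader events (user badged into the building).
BADGE_EVENTS = [
    {"time": "2024-03-04T08:02:00", "user": "jsmith", "door": "main-entrance"},
    {"time": "2024-03-04T08:10:00", "user": "alee", "door": "main-entrance"},
]

# Constructed AD logon events (interactive logons to servers).
LOGON_EVENTS = [
    {"time": "2024-03-04T08:15:00", "user": "jsmith", "host": "ehr-db-01"},  # badged 13 min earlier: ok
    {"time": "2024-03-04T09:30:00", "user": "rjones", "host": "ehr-db-01"},  # never badged in: alert
    {"time": "2024-03-04T19:45:00", "user": "alee",   "host": "ehr-db-01"},  # badge is 11h old: alert
    {"time": "2024-03-04T09:40:00", "user": "rjones", "host": "print-01"},   # not an ePHI host: ignored
]

# Assumed asset model: hosts that store or process ePHI.
EPHI_HOSTS = {"ehr-db-01", "ehr-app-01"}
# Assumed policy: a badge entry must exist within this window before the logon.
BADGE_WINDOW = timedelta(hours=10)


def _ts(s):
    return datetime.fromisoformat(s)


def find_unbadged_ephi_logons(logons, badges, ephi_hosts=EPHI_HOSTS, window=BADGE_WINDOW):
    """Return one alert per logon to an ePHI host with no badge entry for that user
    in the `window` preceding the logon. Each alert names the HIPAA control it maps to."""
    badge_times = {}
    for b in badges:
        badge_times.setdefault(b["user"], []).append(_ts(b["time"]))

    alerts = []
    for e in logons:
        if e["host"] not in ephi_hosts:
            continue  # physical-access correlation only matters for ePHI systems
        t = _ts(e["time"])
        recent = [bt for bt in badge_times.get(e["user"], []) if t - window <= bt <= t]
        if not recent:
            alerts.append({
                "user": e["user"],
                "host": e["host"],
                "time": e["time"],
                "reason": "no badge entry within %s before logon" % window,
                "control": "Physical Safeguard 164.310(a)(2)(iii)",
            })
    return alerts


if __name__ == "__main__":
    for a in find_unbadged_ephi_logons(LOGON_EVENTS, BADGE_EVENTS):
        print(a)
```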

The framework for ePHI compliance can be built into the structure of SIEM content, allowing compliance to be reviewed by the individual security standards. Reviewing the reports, dashboards, and channels by Security Standard allows a Security Officer to identify compliance gaps and monitor their remediation. Should the Security Officer face a HIPAA audit, they can pull up reports by Security Standard, all from a single interface.

Proficio’s ProView web portal provides reports and dashboards tailored to specific HIPAA requirements allowing security and compliance officers to quickly visualize their compliance posture.

Simple Cross-Device Correlation is No Longer Enough

In today’s demanding security environment, companies are more than ever challenged to identify serious threats before they lead to a data breach. Using a SIEM tool to correlate security events is a good start, but an effective defense requires a combination of both advanced cross-device correlation and alert prioritization. We wanted to provide you some examples of how we at Proficio address this requirement for our customers.

Suspicious activity cannot always be identified by looking at just a single set of logs and rarely by only monitoring perimeter devices. That is why correlation among multiple devices and formats is critical. In addition to correlation, the Proficio ProSOC SIEM will assign prioritization. If there are several events happening at once, an analyst needs to respond to the most critical one first, and this allows us to quickly and efficiently do so.

For example, consider an attack at a semiconductor manufacturer. If an insider is simultaneously attacking both a print server in the marketing department and a CAD server containing confidential schematics of a new chip design, the threat priority for the CAD server should be given higher urgency. With our correlation rules, our system will determine this based on the system’s content and act accordingly, even though both servers are running the same operating systems and patches and are vulnerable to the same attacks.

Another example is an attack that includes the following security events:

  • Accept packet on the firewall
  • Network IDS alerting that the packet represents an attack
  • Target system’s application logs producing anomalous output
  • Asset and vulnerability data stating that this is a mission-critical server and that it is in fact vulnerable to the attack detected by the IDS alert

Factoring vulnerability and asset information into our threat prioritization algorithm, and cross-correlating a wide range of events, helps Proficio ProSOC set priorities effectively; this allows us to minimize false positives and ensure that the most critical events are quickly brought to the attention of our customer, backed by our pre-determined alerting, escalation, case management and response procedures.
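An added example (not Proficio’s ProSOC algorithm) of the kind of prioritization described above, scoring the two-server scenario and the four-event chain with the factors this page names: asset criticality, model confidence, relevance and event severity. The weights, the asset inventory, the CVE placeholders and the events are all constructed.

```python
"""Added example: a simple threat priority score that combines asset criticality,
model confidence (how many independent sources corroborate the activity), relevance
(does the detected exploit match a known vulnerability on the asset) and event severity.
Weights, assets, CVE identifiers and events are constructed, not a vendor algorithm."""

# Constructed asset inventory: criticality 1 (low) to 5 (mission critical) and the
# vulnerabilities reported by the last scan. Both servers share the same vulnerability,
# as in the print-server vs. CAD-server scenario in the text.
ASSETS = {
    "cad-srv-01":   {"criticality": 5, "vulns": {"CVE-EXAMPLE-0001"}},
    "print-mkt-01": {"criticality": 1, "vulns": {"CVE-EXAMPLE-0001"}},
}
UNKNOWN_ASSET = {"criticality": 2, "vulns": set()}  # unmodeled hosts get a middling default

# Constructed events: the firewall accept, IDS alert and application anomaly chain
# against the CAD server, a partial chain against the print server, and a lone IDS
# alert against a host that is not in the asset model.
EVENTS = [
    {"src": "firewall", "host": "cad-srv-01",   "action": "accept", "severity": 1},
    {"src": "ids",      "host": "cad-srv-01",   "severity": 8, "cve": "CVE-EXAMPLE-0001"},
    {"src": "app",      "host": "cad-srv-01",   "severity": 4, "anomaly": True},
    {"src": "firewall", "host": "print-mkt-01", "action": "accept", "severity": 1},
    {"src": "ids",      "host": "print-mkt-01", "severity": 8, "cve": "CVE-EXAMPLE-0001"},
    {"src": "ids",      "host": "unknown-host", "severity": 8, "cve": "CVE-EXAMPLE-0002"},
]

# Assumed weights; they sum to 1 so the score is 0-100.
W_CRITICALITY, W_CONFIDENCE, W_RELEVANCE, W_SEVERITY = 0.35, 0.25, 0.20, 0.20


def score_host(host, events, assets=ASSETS):
    """Score all events for one host. Returns an int 0-100."""
    asset = assets.get(host, UNKNOWN_ASSET)
    sources = {e["src"] for e in events}
    severity = max(e["severity"] for e in events)
    # Relevance: an IDS-detected exploit that matches a scanned vulnerability on this
    # asset has a high probability of success; otherwise keep a small baseline.
    relevant = any(e.get("cve") in asset["vulns"] for e in events if "cve" in e)
    # Model confidence: independent sources agreeing (firewall + IDS + app) raise it,
    # saturating at three sources.
    confidence = min(len(sources), 3) / 3.0
    score = (asset["criticality"] / 5.0) * W_CRITICALITY \
        + confidence * W_CONFIDENCE \
        + (1.0 if relevant else 0.3) * W_RELEVANCE \
        + (severity / 10.0) * W_SEVERITY
    return round(score * 100)


def priority_label(score):
    """Map a score to the alert tier an analyst would work first."""
    if score >= 80:
        return "critical"
    if score >= 50:
        return "high"
    return "medium"


def prioritize(events, assets=ASSETS):
    """Group events by host, score each host and return (host, score, label)
    sorted so the most urgent target comes first."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    ranked = [(h, score_host(h, evs, assets)) for h, evs in by_host.items()]
    ranked.sort(key=lambda hs: hs[1], reverse=True)
    return [(h, s, priority_label(s)) for h, s in ranked]


if __name__ == "__main__":
    for row in prioritize(EVENTS):
        print(row)
```

With the constructed weights the CAD server scores 96 (critical), the print server 60 (high) and the unmodeled host 44 (medium), which is the ordering the scenario in the text calls for.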

Let us know if you would like a demo to see how this works in practice.

SIEM for the Rest of Us

SIEM systems were first created for large enterprises and government agencies that were frequent targets of advanced cyber attacks. Back then, smaller and lower-profile organizations were able to get by with basic security tools as they were seldom the target of hackers. The world has changed and today cyber attacks have become so widespread and complex that small and medium-sized organizations need the same next-generation SIEM tools as large enterprises.

Next-generation SIEM technology uses advanced correlation techniques encompassing applications, transactions, pattern and behavior discovery, statistical and moving average anomalies, business process management, risk management, and global threat intelligence feeds.

Many organizations are caught between a rock and a hard place. They need industrial strength security, but do not have the people or the budget to run a security operations center (SOC) and administer a SIEM system. SIEM systems are typically complex to administer and require teams of people for monitoring events, experts for authoring use case content, and a lot of care and feeding.

We recommend resource-strapped organizations look at cloud-based offerings from new companies providing a SOC-as-a-Service. This new breed of Managed Security Service Providers (MSSPs) uses a cloud-based shared services model. There is no upfront investment in hardware and software and no requirement to hire a team of security and SIEM experts – instead customers pay subscription fees for a turnkey service.

Next-generation MSSPs also leverage advancements in SIEM technology to enable operational effectiveness and customize security use cases to address the requirements of each customer. Plus they have real-world end user experience and can discern which events require action and which need to be watched for further suspicious behavior, thereby avoiding flooding their customers with false positive alerts.

What should you look for in a Next-Generation MSSP?

  • Support for a wide variety of log collection sources across many device types, vendors, applications, and users
  • Support for non-log data Intelligence and ability to actually correlate information
  • Support for user monitoring, identity and actor profiling or behavior analysis
  • Asset and business process modeling
  • Advanced methods of correlation from multiple devices and vectors
  • Advanced use cases applicable to your business
  • Active Lists for correlation with items like former employees, contractors, trusted partners, or suspicious addresses
  • Escalation of threats to higher level alert priorities as suspicious activity persists
  • Prioritization of threats based on Asset Criticality, Model Confidence, Relevance, and Event Severity
  • Automated remediation response to specific Very High Level Alerts
  • Compliance content packages and simple reports for compliance including HIPAA, PCI, SOX, FFIEC, etc.
  • Threat Intelligence and Reputation Active List correlation with globally known abusive attackers, command and control servers, and malicious IP addresses
  • Correlation of vulnerability scan data and specific vendor IDS threat definitions to determine if an exploit is targeting an existing vulnerability, indicating a high probability of success
  • Easy-to-Use Web Portals with graphical dashboards
  • Case management and Workflow
  • 24×7 Expert support

Using a SIEM to Detect Cryptolocker Attacks

As cybercriminals continue to use ransomware as a means for profit such as Cryptolocker and Cryptowall, organizations must develop detection capabilities around this threat. SIEM technology combined with threat intelligence can be effectively used to detect ransomware. We recommend you ask your MSSP or SIEM Administrator to create the following use cases:

Antivirus Repeat Infection
Leverage the SIEM to track, in a list, the systems that have had antivirus detections within the last twenty-four hours. If any of those systems has an additional antivirus detection more than half an hour after the initial signs of infection, this could indicate that the antivirus installed on the client is not fully remediating the infection. Because cybercriminals have recently used ransomware as one of the primary means of system compromise, these repeat infections will sometimes be cases of ransomware that is not being fully remediated by your client antivirus.

Antivirus Detection Outbreak
Leverage the SIEM to track the findings identified by your antivirus data sources. If the same type of threat is identified on multiple systems, say five within the same hour, then multiple hosts have been exposed to the same type of malicious code. If the threat detected turns out to be related to ransomware, you may have a phishing campaign or massive drive-by attack that may have attempted to install ransomware on several systems.

Tor IP Reputation Traffic
Leverage the SIEM to track outbound connections from your user subnets to IP addresses associated with Tor. You can usually identify IP addresses associated with Tor by importing threat intelligence into your SIEM. Although not all ransomware uses Tor, recent ransomware such as Cryptowall has used Tor for command and control. Tracking Tor could identify command and control of certain types of ransomware and identify suspicious user browsing habits.

Outbound IP Watchlist
Although a simple use case, building a destination IP watchlist in a SIEM and alerting on outbound traffic to the IP addresses on the watchlist can be effective with the right indicators. This is especially true with recent, well-known ransomware IP indicators of compromise. If your organization has a dedicated threat intelligence resource, browsing sources of threat intelligence for IP indicators that have recently been circulated within the cybersecurity community and importing them into your SIEM watchlist for correlation can identify potential ransomware command and control. Note that these IP addresses should be vetted before being placed on a watchlist: they could host legitimate web activity on other domains, which would cause false positives.

IDS/IPS Triggers
Aggressive IDS/IPS products will create signatures around ransomware command and control activity. Create a watchlist of these signatures, or set a condition such as “name contains ‘ransom’ or ‘crypto’” on the SIEM field that tracks the signature name; when such a signature is also categorized as a malware/botnet type of signature, it may indicate ransomware command and control.
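Three of the use cases above (Antivirus Repeat Infection, Antivirus Detection Outbreak and IDS/IPS Triggers) as detection logic run over constructed log lines. This is an added example, not Proficio’s content or a Splunk search; the pipe-delimited log format, field names, thresholds and signature categories are assumptions.

```python
"""Added example: ransomware detection logic for the repeat-infection, outbreak and
IDS signature-name use cases, run over constructed antivirus and IDS log lines.
Log format (time|host|threat and time|host|signature|category) is an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed antivirus log: ws-101 is detected three times (AV not remediating), and
# five hosts see the same threat within an hour (an outbreak).
AV_LOG = """\
2024-03-04T09:00:00|ws-101|Trojan.Cryptowall
2024-03-04T09:05:00|ws-102|Trojan.Cryptowall
2024-03-04T09:07:00|ws-103|Trojan.Cryptowall
2024-03-04T09:12:00|ws-104|Trojan.Cryptowall
2024-03-04T09:20:00|ws-101|Trojan.Cryptowall
2024-03-04T09:40:00|ws-105|Trojan.Cryptowall
2024-03-04T10:15:00|ws-101|Trojan.Cryptowall
2024-03-04T11:00:00|ws-200|Adware.Generic
"""

# Constructed IDS log; signature names and categories are invented for illustration.
IDS_LOG = """\
2024-03-04T09:30:00|ws-101|EXAMPLE MALWARE Ransomware CnC Checkin|Malware Command and Control
2024-03-04T09:35:00|ws-300|EXAMPLE POLICY Cryptocurrency Miner|Policy Violation
2024-03-04T09:36:00|ws-301|EXAMPLE SCAN Port Sweep|Attempted Recon
"""


def parse(log, fields):
    """Split pipe-delimited lines into dicts keyed by `fields`."""
    return [dict(zip(fields, line.split("|"))) for line in log.splitlines() if line]


def _ts(s):
    return datetime.fromisoformat(s)


def repeat_infections(av_events, min_gap=timedelta(minutes=30), window=timedelta(hours=24)):
    """Hosts with a further detection at least `min_gap` after their first one,
    inside the tracking `window` (the AV is not fully remediating)."""
    by_host = defaultdict(list)
    for e in av_events:
        by_host[e["host"]].append(_ts(e["time"]))
    flagged = []
    for host, times in by_host.items():
        times.sort()
        first = times[0]
        if any(min_gap <= t - first <= window for t in times[1:]):
            flagged.append(host)
    return sorted(flagged)


def outbreaks(av_events, min_hosts=5, window=timedelta(hours=1)):
    """Threat names seen on at least `min_hosts` distinct hosts within any `window`."""
    by_threat = defaultdict(list)
    for e in av_events:
        by_threat[e["threat"]].append((_ts(e["time"]), e["host"]))
    hits = []
    for threat, items in by_threat.items():
        items.sort()
        for i, (t0, _) in enumerate(items):  # slide the window from each detection
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits.append(threat)
                break
    return hits


# Signature-name condition from the text, plus the malware/botnet category check.
RANSOM_RE = re.compile(r"ransom|crypto", re.IGNORECASE)
MALWARE_CATEGORIES = {"Malware Command and Control", "Botnet"}  # assumed category names


def ransomware_ids_hits(ids_events):
    """IDS alerts whose name mentions ransom/crypto AND that are malware/botnet-class."""
    return [e for e in ids_events
            if RANSOM_RE.search(e["signature"]) and e["category"] in MALWARE_CATEGORIES]


if __name__ == "__main__":
    av = parse(AV_LOG, ["time", "host", "threat"])
    ids = parse(IDS_LOG, ["time", "host", "signature", "category"])
    print(repeat_infections(av), outbreaks(av), [h["host"] for h in ransomware_ids_hits(ids)])
```

The category check is what keeps the cryptocurrency-miner policy alert out of the results even though its name matches ‘crypto’.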

In addition to monitoring the above use cases, we recommend you take all the standard precautions against email malware and, of course, back up your data!