Cybersecurity is a never-ending game of cat and mouse that is played between attackers (who seek to damage or otherwise misuse information assets) and defenders (who seek to ensure that those assets are only available for use as intended). In this post we’ll summarise some of the ways we are constantly honing our blue team skills.
On one side, the attackers constantly work on their Tactics, Techniques and Procedures (TTPs), looking for new ways to identify and exploit vulnerabilities. They want to gain access to their target assets, generally while attracting as little attention as possible. On the other side are the target defenders: they work to keep the information assets secure or at worst, to respond quickly when defences fail and the attackers find a way in.
In this cat-and-mouse contest, the defenders rely on a range of systems and techniques, and one of the main systems in their arsenal is a Managed Detection and Response (MDR) service which often includes or utilises a Managed Security Information and Event Management (MSIEM) service. Everyone has their own ideas regarding the exact meaning of MDR, SIEM, MSIEM and SOC but as far was we’re concerned, MDR/MSIEM provides a complete description of what we’re talking about today: A service that is able to manage information (which is derived from log-event data that is collected from a system) and events (which are observable changes in a system) and in so doing, support reporting and alerting, response-to and containment of threatening and anomalous system behaviour.
Analogies and cute dogs aside, it’s important to note that it’s not enough to just set up a MDR/SIEM service that imports some previously-identified data and reports on some previously-conceived security issues, and then leave it to continue in that state forever. Why? Because, as we noted above, the attackers are constantly working on revised and new TTPs and so the MDR/SIEM service needs to evolve along-side the new kinds of attacks. Furthermore, the SIEM service also needs to be working with the best and most up-to-date information possible: A monitored environment will (ideally) include people, processes and technology, but people, processes and technology change, come and go over time. It is therefore extremely important that the MDR/MSIEM is “made aware” of those changes as they take place, if the MDR/SIEM service is to have any hope of continuing to operate correctly and optimally over time.
Ultimately therefore, an effective MDR/SIEM service is not something that you buy and then put in some corner of the cloud to magically operate for ever after. If only! No, an effective MDR/SIEM must be tended by experienced security specialists that understand attacker TTPs and who can respond as new TTPs are discovered; experts who are trained in SIEM service deployment, design and implementation; operators who are able to prioritise threats, capture actionable intelligence, create and update detections and alerts, and respond appropriately to notifiable events that are generated by the SIEM service.
And if you’ve read this far, you know what we’re going to say next: DotSec has 12 years of MDR/SIEM experience; we are very aware of what it takes to run an MDR/SIEM service and our security specialists work continuously to ensure that our MDR/SIEM deployments evolve and remain effective, even as the monitored environments (people, processes and technology) change over time. Is this some kind of magic? No, it’s just hard work! Let’s look at some of the work that our MDR/SIEM specialists undertake to keep our clients aware of what’s going on across their computing environments:
DotSec’s MDR/SIEM professionals take on a defensive role and so form part of what is commonly referred to as the “blue team”. Of course, the best defenders also know about attacks, so our MDR/SIEM team works with the DotSec “red (or offensive) team” to identify and test TTPs that are commonly used by attackers. DotSec’s red team emulates adversary techniques in a controlled environment, enabling our blue team specialists to develop techniques that will identify threatening and anomalous behaviour in real-world environments in an efficient and timely manner.
In a world where the average time to detect a breach is in excess of two hundred days, the quality of these detections is integral to providing effective SIEM. Writing detections is easy – writing good detections is not. Consider, for example, a recent attacker-emulation exercise that we coordinated with one of our MDR/MSIEM clients. The red team was able to craft and deploy an enumeration tool that the blue team was not able to detect when it was used as part of the exercise. Of course, the customer is part of this whole exercise and so they were well-aware that the MDR/MSIEM system was bypassed by the red team, and they were also aware of the MDR/MSIEM detection-mechanism changes that we made in order to detect such an attack in the future.
But that’s the whole point of collaboration: DotSec works collaboratively with our clients who in turn get to see our work, warts and all. Both parties get to see how each other works and improve their effectiveness as a result.
DotSec collects threat intelligence from various sources – including security industry partners, vendor vulnerability notifications, and industry news.
An MDR/MSIEM is able to look at events coming in from relevant and in-scope systems, but it also needs to then be told how to look at those events. With thousands (or even millions) of events being processed each day, the MDR/MSIEM system must perform a balancing act, picking out what the system considers to be “interesting” or “unusual” activity without causing undue load. And load is an important factor: It can be load both on the server and on the operators. The wheels will fall off real quick if we bog the system down with searches it cannot complete, and/or if we drown the operator in a sea of false positives.
Identifying what is/isn’t useful information can often be difficult, and not something that can be done effectively alone. DotSec uses numerous sources for this process including industry researchers, partners (such as Splunk’s own research information), vendor notifications and even news, twitter and chat. With the relevant information to hand, DotSec develops detections and alerts that look through those thousands/millions of events for what comprises interesting/anomalous/threatening behaviour… things like attempts to access a certain address on a website, programs being run a particular way, or even one program attempting to interact with another in a specific way. The detection
methods are varied, but the goal is the same: find behaviour/events of interest to the MDR/MSIEM system and its operators.
Additionally, DotSec’s blue team researches, develops, tests and implements new detection techniques, with the goal of identifying the any activity of interest which may have gone unnoticed before. This gives the customer confidence that they have not been historically compromised by any new or ‘zero-day’ attacks. By way of example, DotSec was able to define mechanisms to detect and alert on the exploitation of the vulnerability known as Print Nightmare, before detections were made available by our clients’ SIEM vendors. DotSec’s experts figured out how to do this by investigating threat intelligence sources, and our newly-created detection was able to alert on exploitation of the Print Nightmare vulnerability in our client’s systems.
Customer environments continuously evolve, and those changes needs to be reflected in changes to the MDR/MSIEM configuration. What are some kinds of common changes? Things like:
Proactive improvement also provides other benefits such as:
The detection mechanisms used by SIEM also undergo regular testing. This testing helps to ensure that detections are accurate and that as much activity of interest is detected, while also preventing alert fatigue for both the customers and DotSec.
Another example to summarise what we wrote about above! Some time ago, we responded to a security incident for a large national retailer with a large on-line presence and over 70 physical stores across the country.
Our first goal was to determine the cause and extent of the compromise, and to then contain it as quickly as possible. In order to achieve these goals, we needed to get a holistic picture of what was going on by collecting as many logs from as many systems as possible. We therefore set up a new MDR/MSIEM instance (something we automate with Ansible and CloudFormation; the whole setup takes about 3 hours) and collected what evidence we could from the affected systems
Although we were originally tasked with investigating reports of credit card fraud, our MDR/MSIEM analysis soon indicated that in addition to the credit card-related compromise, the logs presented evidence that indicated that the organisation had also been compromised on two occasions prior to the current incident. It therefore became necessary to broaden the scope of the MDR/MSIEM across the organisation’s wider environment, in order to be able to respond to the current attack while also monitoring the systems for any more signs of activity from the previous attacks.
A fully-managed service provides full management of log collection, aggregation indexing, searching, alerting and reporting – services that will address your organisation’s security and compliance needs with only a minimum of input on your part.
As the previous points have illustrated, a MDR/MSIEM system is best operated by a team of security specialists. While it’s possible to operate a MDR/SIEM system with in-house staff, it is a challenge to employ, train and retain a team of skilled and experienced professionals. The alternative is to utilise the services of an external team dedicated to the various aspects of looking after a MDR/MSIEM system, such as:
Having a dedicated team also takes the concern of staff retention out of the equation, as a dedicated team will always have the necessary staff on-hand.
Whether you’re looking to implement or improve your business’ SIEM services for insurance, compliance or incident response reasons, DotSec’s expert team is ready to help.