Like a triage nurse, security professionals must prioritize the data that will help them identify problems faster and keep the organization, its data and its devices safe from intruders and cyber attacks.
However, logging and monitoring every relevant event across the IT environment can be difficult. Some common log sources, such as servers, firewalls, Active Directory, intrusion detection systems and endpoint tools, are fairly easy to ingest and analyze. Other sources that are particularly valuable for incident response (IR) are hard to manage at scale and are rarely ingested because of the effort involved.
In fact, a new 451 Research survey of 150 large companies found that enterprise security information and event management (SIEM) platforms ingest logs from only about 45% of their organizations' log-producing systems. This means teams risk missing critical information that could indicate a compromise and affect their overall security posture.
To get the most out of logging, organizations must evaluate and adapt existing processes to current needs and threats, and consider logging additional, often overlooked, sources that are invaluable for threat hunting exercises and IR. Here are five log sources that should be prioritized.
1. Database logs
Database logging poses challenges for several reasons. Administrators often avoid enabling features, such as auditing, that could affect server performance. Auditing databases and tables is very difficult given the large number of database servers in the typical enterprise environment. In addition, security teams struggle to gain access and visibility into operations in third-party databases that restrict viewing of the data or table structures.
To obtain sufficient visibility into databases without enabling audit functions, consider correlating the rules and alerts built into your SIEM if database activity monitoring is present. You can also create stored procedures that watch specific actions and write an event log entry with the record ID, date and time of the offending record to trigger an alert.
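As an added example (not code from the article), the triggers below do the job of the stored procedures described above: they watch two specific actions on a sensitive table and write an event row with the record ID, timestamp and what changed, which a SIEM forwarder can then poll. SQLite stands in for the production database and the schema is constructed for the example.

```python
import sqlite3

# Constructed schema (assumption: SQLite stands in for the production database).
# The triggers watch specific actions and write an audit row with the record ID and
# timestamp; no server-wide audit feature has to be switched on.
SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER);
CREATE TABLE security_audit (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    event_time TEXT NOT NULL,
    action TEXT NOT NULL,
    record_id INTEGER NOT NULL,
    detail TEXT
);
CREATE TRIGGER audit_balance_update AFTER UPDATE OF balance ON accounts
BEGIN
    INSERT INTO security_audit (event_time, action, record_id, detail)
    VALUES (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'), 'UPDATE balance', NEW.id,
            'old=' || OLD.balance || ' new=' || NEW.balance);
END;
CREATE TRIGGER audit_account_delete AFTER DELETE ON accounts
BEGIN
    INSERT INTO security_audit (event_time, action, record_id, detail)
    VALUES (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'), 'DELETE', OLD.id, 'owner=' || OLD.owner);
END;
"""

def open_audited_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def new_audit_events(conn, since_id=0):
    """Audit rows a SIEM forwarder has not shipped yet; it remembers the last id it sent."""
    rows = conn.execute(
        "SELECT id, event_time, action, record_id, detail FROM security_audit "
        "WHERE id > ? ORDER BY id", (since_id,)).fetchall()
    return [dict(zip(("id", "time", "action", "record_id", "detail"), r)) for r in rows]

def demo():
    conn = open_audited_db()
    conn.execute("INSERT INTO accounts VALUES (1, 'alice', 100), (2, 'bob', 50)")
    conn.execute("UPDATE accounts SET balance = 5000 WHERE id = 1")    # audited
    conn.execute("UPDATE accounts SET owner = 'robert' WHERE id = 2")  # not a watched column
    conn.execute("DELETE FROM accounts WHERE id = 2")                  # audited
    conn.commit()
    return new_audit_events(conn)
```

Polling `new_audit_events` with the last shipped id turns the audit table into an incremental log source without any extra load on the rest of the server.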
2. Web server logs
Of the main data breach vectors, holes in web applications, which typically have access to highly sensitive customer account information, account for the highest percentage, according to the "Verizon 2018 Data Breach Investigations Report." Unfortunately, security teams have the least visibility into web application logs.
In addition, analyzing web server logs is challenging because they often have a custom or multiline format and are written in a non-standard way to a text or database file, unlike native web server logs such as those of Microsoft IIS or Apache. If you are using standard web server logs, be sure to enable all relevant fields, since the default W3C layout in IIS does not capture some critical elements, such as page size and cookie settings. The event log of a web application firewall (WAF) already records potentially malicious actions.
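As an added example (not from the article), here is a small parser for W3C extended log files that reads the `#Fields:` directive and reports which of the fields the article calls out (response size, cookie and a few related ones) are not being captured. The sample log and the required-field names are assumptions modelled on IIS field naming.

```python
# Fields worth confirming before ingesting IIS logs (assumption: standard W3C/IIS names
# for response size, request size, cookie, referrer and request duration).
REQUIRED_FIELDS = {"sc-bytes", "cs-bytes", "cs(Cookie)", "cs(Referer)", "time-taken"}

# Constructed sample modelled on a default-style IIS W3C log (not a real capture).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2019-03-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-03-01 00:00:01 10.0.0.5 GET /account/export id=1 443 - 203.0.113.7 Mozilla/5.0 200 0 0 120
2019-03-01 00:00:02 10.0.0.5 GET /account/export id=2 443 - 203.0.113.7 Mozilla/5.0 200 0 0 95
"""

def parse_w3c(text):
    """Return (fields, records); records are dicts keyed by the names in the #Fields line.
    W3C logs are space-separated (IIS replaces spaces inside values with '+'), and a new
    #Fields directive can appear mid-file after a configuration change, so it is re-read."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        else:
            values = line.split()
            if len(values) != len(fields):
                raise ValueError(f"field count mismatch: {line!r}")
            records.append(dict(zip(fields, values)))
    return fields, records

def missing_fields(fields):
    """Required fields the current log layout does not capture (sorted for stable output)."""
    return sorted(REQUIRED_FIELDS - set(fields))
```

Run `missing_fields` against the first `#Fields:` line of each log before onboarding it to the SIEM, so a gap such as a missing `sc-bytes` is found before an investigation needs it.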
3. Domain Name System logs
DNS server logs provide a wealth of information about the sites users visit and show whether any malicious applications are reaching command-and-control sites. However, DNS is also a common tunneling protocol for data exfiltration, since firewalls generally allow outbound DNS traffic. DNS logs are challenging because of the volume of data, their multiline format and the difficulty of exporting them.
Consider using BIND, Infoblox or even Microsoft's new analytical event logging method, which uses a more standard log format instead of traditional debug logging and flat-file import. The new analytical logs offer significant performance gains over the debug method, and events are stored in the common Windows event log format.
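As an added example (not from the article), the detection below runs over constructed, simplified BIND-style query log lines and flags the DNS tunneling pattern mentioned above: many distinct queries under one domain whose leftmost labels are long and high-entropy. The line layout, the thresholds and the two-label rule for the registrable domain are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed, simplified BIND-style query log (not real traffic; line layout assumed).
# The long random labels under one domain mimic what tunneling tools produce.
SAMPLE_LINES = """\
01-Mar-2019 12:00:01.101 client 10.0.0.12#53211: query: www.example.com IN A + (10.0.0.1)
01-Mar-2019 12:00:01.204 client 10.0.0.12#53212: query: mail.example.com IN MX + (10.0.0.1)
01-Mar-2019 12:00:01.390 client 10.0.0.31#53290: query: www.example.com IN AAAA + (10.0.0.1)
01-Mar-2019 12:00:02.310 client 10.0.0.44#40001: query: 3q9zk2v8a1b7c4d5e6f7g8h9j0k1l2m3n4p5q6r7.t.badtunnel.test IN TXT + (10.0.0.1)
01-Mar-2019 12:00:02.412 client 10.0.0.44#40002: query: 7r6q5p4n3m2l1k0j9h8g7f6e5d4c3b2a1v8k2z9q.t.badtunnel.test IN TXT + (10.0.0.1)
01-Mar-2019 12:00:02.517 client 10.0.0.44#40003: query: k3j8h2g7f1e6d0c5b9a4z8v3q7p2n6m1l5r9t4w0.t.badtunnel.test IN TXT + (10.0.0.1)
01-Mar-2019 12:00:02.620 client 10.0.0.44#40004: query: w0t4r9l5m1n6p2q7v3z8a4b9c5d0e6f1g7h2j8k3.t.badtunnel.test IN TXT + (10.0.0.1)
"""
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")

def shannon_entropy(s):
    """Bits per character: random-looking labels score high, ordinary hostnames score low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

def base_domain(name):
    # Simplification (assumption): the registrable domain is the last two labels.
    return ".".join(name.rstrip(".").split(".")[-2:])

def analyze(text):
    """Aggregate per registrable domain: query count, distinct names, entropy and length of the leftmost label."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "entropy": 0.0, "label_len": 0})
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        leftmost = m["name"].split(".")[0]
        s = stats[base_domain(m["name"])]
        s["queries"] += 1
        s["names"].add(m["name"])
        s["entropy"] += shannon_entropy(leftmost)
        s["label_len"] += len(leftmost)
    return stats

def suspicious_domains(stats, min_queries=3, min_entropy=3.5, min_label_len=25, min_unique=0.8):
    """Flag domains whose queries are numerous, almost all distinct, and carry long high-entropy labels."""
    flagged = {}
    for dom, s in stats.items():
        n = s["queries"]
        avg_entropy, avg_len, unique = s["entropy"] / n, s["label_len"] / n, len(s["names"]) / n
        if n >= min_queries and avg_entropy >= min_entropy and avg_len >= min_label_len and unique >= min_unique:
            flagged[dom] = {"queries": n, "avg_entropy": round(avg_entropy, 2), "avg_label_len": round(avg_len, 1)}
    return flagged
```

The thresholds are starting points; tune them against a baseline of your own resolver logs, since CDNs and some telemetry services also legitimately generate long, distinct labels.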
4. Cloud platform logs
Companies are rapidly adopting cloud services such as Amazon Web Services, Google Cloud Platform, Microsoft Azure, Salesforce and Dropbox to store data and applications. However, many of these services do not have consistent logging formats and require different parsers and methods to log events from the various applications hosted on the platform. Building parsers that scale to the number of events is a challenge for most teams, but filtering the data effectively before ingesting it will keep your SIEM or logging tool from being overloaded, so that it handles only actionable events.
CASB (cloud access security broker) solutions may not be comprehensive enterprise platforms, but they provide granular audit capabilities at the application or service level and deserve the same logging and monitoring consideration as full cloud platforms. CASB solutions are essential for forensic and IR investigations, since alerts about unauthorized access to cloud services can indicate potential insider threats.
5. Physical security logs
It is extremely valuable to monitor the logs of camera systems, biometric and badge access readers and alarm systems for insider threats. Combining these with correlated evidence from servers, workstations, firewalls, VPN and remote access devices is essential to demonstrate whether credentials were stolen and to establish an insider's location at specific points in time. However, the physical security team and the IT security team tend not to work together, which hinders the collection and correlation of the different log sources. Even so, ingesting logs from disparate systems is not impossible. Attention should focus on things like unauthorized physical access to remote facilities, visitor and contractor access to unauthorized areas, and after-hours alarm triggers.
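As an added example (not from the article), the correlation below joins constructed badge-reader events with constructed VPN session records: a badge read inside an active remote VPN session for the same user means one of the two credentials is in someone else's hands, and a second check surfaces the after-hours access the paragraph mentions. Record layouts, timestamps and the business-hours window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real data), already normalized to user + UTC timestamp
# the way a SIEM parser for the badge system and the VPN concentrator would emit them.
BADGE_EVENTS = [
    {"user": "alice", "time": "2019-03-01T09:02:00", "door": "HQ-Lobby",  "result": "granted"},
    {"user": "bob",   "time": "2019-03-01T22:40:00", "door": "DC-Cage-3", "result": "granted"},
    {"user": "carol", "time": "2019-03-01T10:15:00", "door": "HQ-Lobby",  "result": "granted"},
    {"user": "dave",  "time": "2019-03-01T23:05:00", "door": "DC-Cage-3", "result": "denied"},
]
VPN_SESSIONS = [
    {"user": "alice", "start": "2019-03-01T08:50:00", "end": "2019-03-01T09:30:00", "src": "198.51.100.23"},
    {"user": "carol", "start": "2019-03-01T07:00:00", "end": "2019-03-01T07:45:00", "src": "203.0.113.9"},
]
BUSINESS_HOURS = (8, 18)  # assumption: local working hours on a 24h clock

def ts(s):
    return datetime.fromisoformat(s)

def concurrent_vpn_and_badge(badges, sessions, slack=timedelta(0)):
    """Badge reads that fall inside an active remote VPN session of the same user.
    `slack` widens the session window to absorb clock skew between the two systems."""
    hits = []
    for b in badges:
        t = ts(b["time"])
        for s in sessions:
            if s["user"] == b["user"] and ts(s["start"]) - slack <= t <= ts(s["end"]) + slack:
                hits.append({"user": b["user"], "door": b["door"],
                             "badge_time": b["time"], "vpn_src": s["src"]})
    return hits

def after_hours_access(badges, hours=BUSINESS_HOURS):
    """Successful badge reads outside the business-hours window; denied reads are a separate signal."""
    return [b for b in badges
            if b["result"] == "granted" and not (hours[0] <= ts(b["time"]).hour < hours[1])]
```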
These five log sources are useful for improving visibility across the company's security environment, but companies must be smart about how they handle all the new alerts generated by their security products. The 451 Research report found that 43% of companies cannot act on at least a quarter of their alerts, and almost half said that their SIEM, endpoint detection and response, and other data capture systems were overwhelming their security operations capability.
A good best practice is to create a roadmap of all possible log sources and have IT teams work with the affected business units to set priorities, taking into account the level of effort required for ingestion and the potential risks that will be mitigated by doing so. Having security teams work with the data or application owners in advance ensures they can review the types of events that can be processed and where the source owners may need more visibility.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.
Joe Partlow is currently the chief technology officer of ReliaQuest, an enterprise cybersecurity company. He has been involved with InfoSec in some capacity for more than 15 years, mainly on the defensive side. Current projects include mobile and memory forensics, SIEM …