In the latest installment of Nuspire Network’s continuing education webinar series, Chief Technology Officer Matt Corney and Global Sales Manager Tony Petcou walked through the process an organization can use to estimate how many security alerts it should expect to see in 2017.
Where does it all begin?
The first step in this process is understanding all of the components that exist within your organization’s network.
“The very first spot to really start looking at is all the devices that potentially can send data from your environment,” said Corney.
Examples of such devices are next-gen firewalls and the security functions within them, like IPS and application control. Standalone next-gen IPS sensors, WAFs, endpoint security monitoring, and vulnerability scanners also need to be understood as part of an organization’s network infrastructure, since each of them produces events.
Every organization is different when it comes to the pieces of information that need to be monitored and the ways that information is collected.
“For some, that might be collecting all of the Windows event logs on every PC in an enterprise, for others, it may link into other technologies as far as endpoint monitoring and security that may help drive some of those pieces,” Corney said. “Getting a good inventory is the very beginning.”
From there, it is important to understand the types of logs each source will produce and what is going to come from them. Some systems make more noise than others, such as an edge firewall that is processing every packet and every session in and out of the network. The goal is to home in on the specific devices on a network and get an idea of their events per second (EPS), that is, how many log events a device generates each second.
“If the device is sending or producing a million logs a day or something of that nature, you can start estimating some of those events per second out of those numbers,” said Corney.
Once an organization has a better grasp of the anticipated EPS, the next step is feeding those logs into a SIEM solution.
“That log is produced that indicates a firewall session has been established, that an RDS session has been created, a log-in attempt has been attempted. That then needs to go into some type of SIEM to be able to start really digesting that data and making sense of it,” Corney said.
Knowing how to obtain meaningful alerts out of a SIEM solution is another task in itself. All of the data first needs to be collected and normalized.
“You should be applying threat intelligence across that information, to provide some indicators of compromise, you’re going to further aggregate that information down and start putting correlation engines, threat monitoring, and other forms of correlation across that data to marry that up across different log sources to understand trends that may be breaking, and when things are falling out of the norm,” said Corney. “Eventually as you start hitting those rule sets, you end up with an alert.”
An alert could mean many things: something very specific, like an actual threat currently in the network that needs to be mitigated, or something benign.
“A false positive, a hit on IP reputation across a shared web host, or something of that nature that ultimately can be dismissed because it’s not a threat to your network,” Corney said.
This is the point at which Nuspire’s Security Operations Center (SOC) comes into play to determine whether the alert is applicable within the organization’s environment.
“As that alert is being brought in, the very first step is to do some triaging of that and start working on investigating that alert,” said Corney.
To find out whether the host that produced the alert was actually susceptible to it, information can be collected via vulnerability scanning. Additionally, knowing which patches have not yet been applied to that host helps determine whether the threat was already mitigated automatically by a next-gen firewall, IPS, or endpoint security, or whether it is still active and needs an immediate response.
“That’s where you start to get into some of this validation process, to understand what specifically happens, start pulling together a root cause, understanding the specific indicator of compromise, and what did that potential malware or exploit do to that system? What is the potential impact?” Corney said.
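The normalize, enrich, correlate and triage chain the recap describes, as an added example in Python that is not the webinar's or Nuspire's code. The log line formats, the IP reputation list, the signature name and the per-host vulnerability inventory are all constructed here to show how an IPS alert becomes "actionable" only when the scanner says the target host is still unpatched, while a bare reputation hit is dismissed.

```python
import re

# Constructed sample logs from a firewall and an IPS (formats invented for this example).
RAW_LOGS = [
    "FW ts=1 src=203.0.113.5 dst=10.0.0.7 dport=443 action=allow",
    "FW ts=2 src=192.0.2.44 dst=10.0.0.7 dport=443 action=allow",
    "IPS ts=3 src=198.51.100.9 dst=10.0.0.8 sig=EXAMPLE-SMB-RCE-ATTEMPT",
    "IPS ts=4 src=198.51.100.9 dst=10.0.0.9 sig=EXAMPLE-SMB-RCE-ATTEMPT",
]
# Constructed threat intel: a reputation list that happens to include a shared web host.
BAD_IPS = {"203.0.113.5", "198.51.100.9"}
# Constructed vulnerability-scan results: which unpatched findings each host still has.
HOST_VULNS = {"10.0.0.7": set(), "10.0.0.8": {"EXAMPLE-VULN-SMB"}, "10.0.0.9": set()}
# Constructed mapping from an IPS signature to the finding it exploits.
SIG_TO_VULN = {"EXAMPLE-SMB-RCE-ATTEMPT": "EXAMPLE-VULN-SMB"}

KV = re.compile(r"(\w+)=(\S+)")

def normalize(line):
    """Collapse each source's own format into one common schema."""
    source, _, rest = line.partition(" ")
    ev = dict(KV.findall(rest))
    return {"source": source, "ts": int(ev["ts"]), "src": ev["src"],
            "dst": ev["dst"], "sig": ev.get("sig")}

def enrich(ev):
    """Apply threat intelligence: mark events whose source is on the reputation list."""
    ev["ioc_hit"] = ev["src"] in BAD_IPS
    return ev

def correlate(events):
    """Two toy rules: every IPS signature fires; a listed source fires once, not per packet."""
    alerts, seen_ioc = [], set()
    for ev in events:
        if ev["sig"]:
            alerts.append({"rule": "ips-signature", **ev})
        elif ev["ioc_hit"] and ev["src"] not in seen_ioc:
            seen_ioc.add(ev["src"])
            alerts.append({"rule": "ioc-reputation", **ev})
    return alerts

def triage(alert):
    """SOC validation step: is the targeted host actually susceptible?"""
    if alert["rule"] == "ioc-reputation":
        return "dismiss: reputation hit only, no exploit activity"
    vuln = SIG_TO_VULN[alert["sig"]]
    if vuln in HOST_VULNS.get(alert["dst"], set()):
        return "actionable: host unpatched for " + vuln
    return "dismiss: host not susceptible (patched or not present)"

def run(lines=RAW_LOGS):
    alerts = correlate(enrich(normalize(l)) for l in lines)
    return [(a["rule"], a["dst"], triage(a)) for a in alerts]
```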
Do you have what you need to respond?
From an incident response perspective, possibly the most important aspect is the people. It is imperative to ensure the right teams are assembled to handle the networking, security, and application levels of this process. A proper team will know how to act upon a given alert, the remediation steps that need to take place, and how to record the events to ensure there is a timeline in place.
Also important is an incident response plan. Stakeholders and the executive management team need to understand these aspects as well, so that a plan is in place to follow when a major issue arises.
“You need to reference that plan and make sure that you’re following it to assemble the right team members, assign out those responsibilities that are required, start a notification process to the applicable parties, and really dig into that investigation and remediation process,” said Corney.
Further, the proper tool set is necessary to make all of this happen. One part is a method for long-term archival of the collected log data so it can be referenced at a later date. Forensic investigation tools are also necessary, along with the ability to perform static or dynamic malware analysis within a system.
“All of those components are critical to be able to properly respond to these incidents that you’re getting,” Corney said.
From there, an organization can start achieving the ultimate goal of knowing what numbers to expect in terms of log volume and how many events to anticipate. Depending on the size of your organization, you could end up with five, fifty, or five hundred critical events or more that are actionable and need to be investigated.
An organization must have a plan in place for how it is going to respond to that volume of logs and alerts, and a team in place to continuously update the SIEM to account for new log formats, firmware updates, and changes to operating systems and devices. That team also needs the ability to tune for new security threats, update threat intelligence, and keep the SIEM running efficiently.
Through Nuspire’s security estimator tool, one can approximate the number of events per second their organization should expect.