Symtrex Inc.

Cyber Security Specialist

ThreatList: Top 8 Threat Actors Targeting Canada in 2019

2019/05/29 by admin

Bad actors are looking to hit financial and banking firms in Canada with geo-specific campaigns touting malware like Emotet, GandCrab and Ursnif.

Banking and financial services in Canada are being targeted in geo-specific attacks that spread several families of malware, according to researchers who tracked thousands of malicious email campaigns between January and May 2019.

Such campaigns are typically launched by financially motivated cybercriminals, but can also be orchestrated by state-sponsored threat actors (advanced persistent threat, or APT, groups), said researchers with Proofpoint.

“In 2019, threats specific to Canadian interests, whether abusing Canadian brands, or affecting Canadian organizations through specific geo-targeting mean that defenders at Canadian companies must be cognizant of threats far more targeted than ‘North America,’” researchers said.


Filed Under: Advanced Persistent Threat, antivirus, compliance, CyberThreats, Log Management, Ransomware, Security News, Sophos

Threats Evolve – Your Security Should Too

2017/03/23 by admin

Threats evolve.  One of the first companies I was working for was hit by a ‘denial of service’ attack: an email was sent to a friend of mine that had a script which made sheep dance all over your screen.  It was pretty amusing, so she decided to send it to the distribution list in the office.  Let’s just say that the system administrators were not amused, as it brought the network down completely, and it took the afternoon to bring everyone back up.  This was in 1995.

Security did evolve to a certain extent; today this type of attack would be caught by your UTM, email security appliance or endpoint solution.  Over the course of several years, security solutions evolved: firewalls, endpoint protection, network access control and logging.  In the early 2000s, the terms SIM, SEM and SIEM were all the rage, and the next best thing for organizations battling threat actors, because they let you review all of the events from your network in one centralized location.  That was also when you could back up your logs to a CD.

Fast forward to today: we have embraced BYOD, cloud technology and IoT devices, and no one actually picks up the phone any more; email or texting is the communication tool providing immediate gratification (anyone remember what a telex machine is?).  This explosion of technology, and our reliance on it, has completely altered the threat landscape.  Organizations are subject to ransomware, trojans, APTs, insider threats and more, which can make it through your defenses and be hard to detect and remediate.

A recent Dark Reading article by Kelly Sheridan identifies flaws in current SIEM systems, and while reading it, I was not surprised.  Almost any product that collects event logs now calls itself a SIEM, and some SIEMs now promote the security analytics more than the logging portion of the product.  In addition, a new acronym, SOAPA, which stands for security operations and analytics platform architecture (Network World, November 29, 2016), was coined to distinguish such platforms from SIEM.

Advances in SIEM are not moving at the same speed as the threats, nor taking into account new threat vectors.  Typically, event data is sent from the host devices, either over standard syslog or through an agent, to a central repository of some sort.  That event data is then queried against a set of correlation rules, which initiate an alert or a response of some sort.  While most SIEMs advertise huge libraries of pre-built rules and reports, these need to be tuned to your organization AND regularly reviewed to ensure that any new threats will be discovered and alerted on, or have a response created for them.

For some attacks the SIEM will most definitely be advantageous to the organization, and if you are required to collect and monitor logs for a compliance requirement it is a necessity; however, today’s threats take into account how these platforms work.  Threat actors are meticulous and look for ways to evade traditional security platforms, for example by keeping their activity below the counts and time windows a correlation rule measures over.
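As an added example (not code from the original post), here is the pipeline and the evasion caveat above in working form: a windowed correlation rule of the kind a SIEM runs over syslog, applied to constructed sshd log lines. The hostnames, addresses, ports and the 2017 year assumed for the year-less syslog timestamps are all illustrative. The first source fires the rule; the second spaces its attempts ten minutes apart, stays under the 60-second window, and is only caught once the window is widened.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd lines in traditional syslog format (not from the
# original page). Two sources: a fast burst and a slow, spaced-out attempt.
SAMPLE_LOGS = """\
Mar 23 10:00:01 web01 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 23 10:00:03 web01 sshd[2302]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 23 10:00:04 web01 sshd[2303]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 23 10:00:06 web01 sshd[2304]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 23 10:00:07 web01 sshd[2305]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 23 10:00:09 web01 sshd[2306]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar 23 11:00:00 web01 sshd[2400]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar 23 11:10:00 web01 sshd[2401]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar 23 11:20:00 web01 sshd[2402]: Failed password for root from 198.51.100.9 port 40003 ssh2
Mar 23 11:30:00 web01 sshd[2403]: Failed password for root from 198.51.100.9 port 40004 ssh2
Mar 23 11:40:00 web01 sshd[2404]: Failed password for root from 198.51.100.9 port 40005 ssh2
Mar 23 11:50:00 web01 sshd[2405]: Accepted password for root from 198.51.100.9 port 40006 ssh2
"""

# Parser for the two OpenSSH password-auth message shapes used above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(text, year=2017):
    """Turn raw syslog text into event dicts. Syslog timestamps carry no year,
    so one is assumed (2017 here, to match the post's date)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd auth event; a real pipeline routes it to other rules
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "outcome": m["outcome"],
                       "user": m["user"], "src": m["src"]})
    return events


def brute_force_alerts(events, threshold=5, window_s=60):
    """Correlation rule: at least `threshold` failed logins from one source
    within `window_s` seconds, followed by an accepted login from the same
    source, raises one alert. Attempts spaced wider than the window are
    invisible to this rule by construction; that is the evasion the post warns of."""
    recent_failures = defaultdict(deque)   # src -> timestamps of failures still in the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent_failures[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                     # age out failures older than the window
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            continue
        if len(q) >= threshold:             # success right after a burst of failures
            alerts.append({"src": ev["src"], "user": ev["user"], "host": ev["host"],
                           "failures": len(q), "at": ev["ts"]})
        q.clear()                           # a success resets the source's counter
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_LOGS)
    for window in (60, 3600):
        hits = brute_force_alerts(events, window_s=window)
        print(f"window={window}s: {len(hits)} alert(s)")
        for a in hits:
            print(f"  {a['failures']} failures then success from {a['src']} "
                  f"as {a['user']} on {a['host']} at {a['at']}")
```

With the default 60-second window only 203.0.113.7 is reported; 198.51.100.9 needs the window widened to an hour, which in a real deployment also multiplies the false positives the rule produces, so the tuning the post calls for is a trade-off rather than a one-time setting.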

The growth in products that include security analytics or behavioural analysis can assist organizations in determining whether network activity is malicious.  These products observe the typical activity of a network over time, baseline it, and then flag deviations from that baseline as a potential issue at hand.

By combining behavioural analysis/security analytics, machine learning and threat intelligence, an organization gets a more comprehensive view of activity on its network.  A system that is not based solely on rules, but looks holistically at all of the users, devices and applications and how they interact, and runs that through algorithms and machine-learning techniques, will provide more accurate detection of a threat.
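An added example, not part of the original post, of the per-entity baseline described above, using constructed per-user daily download counts from a file share (the user names and counts are made up). It shows why a per-entity baseline beats a global threshold (the same count of 180 is a large deviation for alice but routine for bob), and a failure mode the post does not mention: if the attacker’s activity is already in the history when the baseline is learned, it is scored as normal.

```python
from statistics import mean, stdev

# Constructed data (not from the original page): files downloaded per day by
# each user over a 14-day learning period, then the count for the current day.
HISTORY = {
    "alice": [12, 15, 11, 14, 13, 12, 16, 14, 13, 12, 15, 14, 13, 12],   # steady
    "bob":   [80, 120, 95, 300, 60, 150, 210, 90, 110, 250, 70, 180, 130, 95],  # bursty
}
TODAY = {"alice": 180, "bob": 180}


def baseline(history, min_sigma=1.0):
    """Per-entity mean and standard deviation. The deviation is floored so a
    perfectly flat history cannot divide by zero and flag every change."""
    mu = mean(history)
    sigma = stdev(history) if len(history) > 1 else 0.0
    return mu, max(sigma, min_sigma)


def zscore(value, history, min_sigma=1.0):
    mu, sigma = baseline(history, min_sigma)
    return (value - mu) / sigma


def anomalies(today, history, z_threshold=3.0):
    """Return {entity: z} for entities whose current value deviates from their
    own baseline by at least z_threshold standard deviations. Entities without
    enough history map to None: they cannot be scored and must not be silently
    treated as normal."""
    out = {}
    for entity, value in today.items():
        if len(history.get(entity, [])) < 2:
            out[entity] = None
            continue
        z = zscore(value, history[entity])
        if z >= z_threshold:
            out[entity] = round(z, 1)
    return out


if __name__ == "__main__":
    print("clean baseline:", anomalies(TODAY, HISTORY))
    # Baseline poisoning: the same 180-a-day behaviour was present for three
    # days while the baseline was being learned, so it no longer stands out.
    poisoned = {"alice": HISTORY["alice"] + [180, 175, 190]}
    print("poisoned baseline:", anomalies({"alice": 180}, poisoned))
    print("no history:", anomalies({"carol": 5}, HISTORY))
```

The poisoned case is why a baseline should be learned from a period you have some reason to believe was clean, and why a sudden rise in the baseline itself (alice’s mean jumping from 13 to 43) is worth alerting on separately.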

To find out more, contact us.

Filed Under: Advanced Persistent Threat, Blog, Cloud, compliance, CyberThreats, IoT, Log Management, Products, Ransomware, Security News

LogRhythm taps machine learning and analytics for its SOC

2016/11/23 by admin

by ITWire – Ray Shaw

When you run a SOC (security operations centre), you receive so much data that sometimes it is hard to sort the wheat from the chaff. LogRhythm says its new release delivers up to a 200% boost in processing power.

LogRhythm,  a Security Intelligence Company, has announced the release of LogRhythm 7.2, a major upgrade to its leading security intelligence and analytics platform. It has been purpose-built to power the next-generation SOC.

This release extends LogRhythm’s lead in providing accurate security analytics with embedded security automation and orchestration to help customers detect, respond to and neutralise cyberthreats before they result in a material breach.

Chris Petersen, CTO and co-founder of LogRhythm, said, “Armed with finite resources to battle a staggering number of possible security threats, CISOs are desperately trying to realise an effective end-to-end threat lifecycle management capability. Whether you support a massive 24×7 global security operations centre or a small virtual SOC, LogRhythm 7.2 will amplify your organisation’s ability to rapidly detect, investigate, and neutralise threats.”

The risk of a breach is steadily climbing, and cloud and internet of things (IoT) deployments further expand the enterprise attack surface.

Enterprise security operations teams recognise that executing end-to-end threat lifecycle management is the only way to effectively manage that risk. However, most are understaffed and overwhelmed, lacking the necessary analytics, automation, and orchestration to stay ahead.

LogRhythm 7.2 addresses these issues by delivering leading capabilities in four key areas: scalability; machine data intelligence; user and entity behaviour analytics (UEBA); and embedded security automation and orchestration.

Michael Meline, the IT security manager at Kootenai Health, said, “Large enterprises are already harnessing the power of LogRhythm 7.2 – it soars to new heights. LogRhythm is putting customers first by developing features collaboratively with users. The Threat Intelligence Service in LogRhythm 7.2 is more actionable and helpful than 7.1 in surfacing important data for better incident response through security automation and orchestration.”

Highlights of the LogRhythm 7.2 security intelligence and analytics platform include:

Greater efficiency, designed for massive environments

  • LogRhythm 7.2 provides up to 200 percent improvement in data processing and indexing performance to help customers cost-efficiently scale, especially in high-volume environments such as those exceeding 100,000 messages per second. What’s more, fully-automated data source onboarding saves countless hours of administration time in large environments.

Accurate security analytics supports even more data sources

  • LogRhythm 7.2 extends the depth of the platform’s patented Machine Data Intelligence Fabric™, a feature that automatically extracts contextual meaning from data to enable the most accurate and powerful security analytics. Specifically, LogRhythm 7.2 delivers advanced threat detection capabilities by expanding its industry-leading data schema with more than 20 additional metadata fields. These added fields complement the platform’s industry-leading support for over 785 unique data sources. LogRhythm 7.2 also advances customers’ visibility into cloud-based systems, including AWS, Salesforce, Box and Microsoft Office 365.

Only SIEM provider to deliver “one-stop-shop” for holistic threat detection across user, network, and endpoint-borne threats

  • LogRhythm 7.2 customers will see accelerated detection and investigation of user-borne risks—such as compromised accounts and insider threats – due to extensive enhancements to the User and Entity Behavioral Analytics (UEBA) module. The UEBA module extensions also include new threat detection algorithms, stronger kill-chain corroboration and new real-time dashboards for more targeted threat hunting.

Eliminates costly and inefficient workflow API integrations via embedded Security Automation and Orchestration

  • Security teams will realise improved efficiency and more rapid response to threats due to the security automation and orchestration capabilities embedded into the new LogRhythm 7.2 platform. It helps reduce total cost of ownership by eliminating the need to buy, integrate and maintain expensive third-party solutions and API integrations.
  • LogRhythm 7.2 delivers extensive workflow and UI enhancements based on real-world customer feedback, such as direct in-workflow access to threat intelligence services. The release also adds 20 new SmartResponse actions that provide customers with automated playbooks for an incident response.


Filed Under: Advanced Persistent Threat, compliance, CyberThreats, IoT, Log Management, LogRhythm, Products, Ransomware, Security News

Cybersecurity 101: The criticality of event logs

2016/11/22 by admin

From CSO Online – Dwight Davis

Coaches love to talk about “the basics” – the fundamental skills their athletes need to master before they can move on to more advanced techniques. The basics can seem simple and even dull, but without them as a foundation, ultimate success can prove elusive.

Cybersecurity programs have their own set of “the basics.” Sadly, one of the most critical of these essentials is also one of the most neglected: the collection and regular review of event logs. Good log practices can pay big dividends throughout the entire cybersecurity lifecycle, from helping to profile “normal” activity, to identifying and preventing attacks, to, if necessary, performing post-breach forensics and remediation.

Even organizations that understand the importance of event logging can be overwhelmed by the sheer volume of events that routinely occur across even modest IT environments. Operating systems, firewalls, network routers, applications and dozens of other infrastructure elements can each generate their own event logs. Large corporate environments may log thousands of events per second and millions of events per day. With the proliferation of mobile devices and Internet-of-Things endpoints, today’s staggering log volumes will only continue to grow.

The embarrassment of riches in raw log information can result in operational paralysis more than information insight if organizations fail to implement sophisticated log filtering systems. Such filters need to strike a balance between collecting any and all event information versus filtering out so many logs that potentially meaningful data is lost.

Once the data is collected, organizations need log retention policies that ensure that pertinent data is still available if needed to detect, prevent or analyze some future security incident. Many companies will need outside experts to help them institute optimal log collection and retention policies.

Once they have good log information in hand, organizations can use it to create profiles of typical networking and user activities. When paired with security information and event management (SIEM) systems, this baseline log information can help security professionals identify suspicious activity that falls outside of expected norms. In this way, the logs form the core of an early warning system that can help organizations counter threats before they even gain a foothold.

When suspected or actual breaches do occur, the log data serves to help in the identification and isolation of any intruder or malware. Then it provides an audit trail for tracking which network elements, processes or users were involved in the attack. While of obvious value, this critical log data is often lacking.

In a recent AT&T Cybersecurity Insights report, Todd Waskelis, executive director of Security Consulting Services at AT&T, said, “We consistently go in and find that the evidence [log] data we need just isn’t there or readily accessible. This makes it difficult for us as we try to figure out what happened.”
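An added example (not from the CSO article, AT&T or Symtrex) of the check that turns the retention and missing-evidence points above into something a team can run before an incident: compare an inventory of expected log sources, each with its longest normal gap between messages and the retention the policy requires, against what the log repository actually holds. The source names, intervals and timestamps are constructed; a real version would read the inventory from an asset database and the newest/oldest timestamps from the SIEM or log store.

```python
from datetime import datetime, timedelta

# Constructed inventory (not from the original page): for each expected source,
# the longest normal gap between its messages and the policy retention in days.
INVENTORY = {
    "fw-edge-01": {"max_gap": timedelta(minutes=5),  "retention_days": 365},
    "dc-01":      {"max_gap": timedelta(minutes=15), "retention_days": 365},
    "web-01":     {"max_gap": timedelta(hours=1),    "retention_days": 90},
    "hr-app":     {"max_gap": timedelta(hours=24),   "retention_days": 90},
}

# Constructed view of what the repository actually holds: newest and oldest
# event per source name. Note the source that is not in the inventory at all.
OBSERVED = {
    "fw-edge-01": {"newest": "2016-11-22 09:58:10", "oldest": "2015-10-01 00:00:00"},
    "dc-01":      {"newest": "2016-11-21 17:02:45", "oldest": "2016-09-01 00:00:00"},
    "web-01":     {"newest": "2016-11-22 09:30:00", "oldest": "2016-08-01 00:00:00"},
    "lab-box-7":  {"newest": "2016-11-22 09:59:59", "oldest": "2016-11-20 00:00:00"},
}
NOW = datetime(2016, 11, 22, 10, 0, 0)   # fixed "now" so the example is reproducible


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def coverage_report(inventory, observed, now):
    """Return (source, finding, detail) tuples for every gap between what the
    policy expects and what the repository can actually produce as evidence."""
    findings = []
    for name, spec in inventory.items():
        obs = observed.get(name)
        if obs is None:
            findings.append((name, "never seen", None))      # nothing to investigate with
            continue
        gap = now - _ts(obs["newest"])
        if gap > spec["max_gap"]:
            findings.append((name, "silent", gap))           # forwarding broke or host is down
        available = now - _ts(obs["oldest"])
        required = timedelta(days=spec["retention_days"])
        if available < required:
            findings.append((name, "retention shortfall", required - available))
    for name in observed:
        if name not in inventory:
            findings.append((name, "uninventoried source", None))  # unknown asset, or spoofed host name
    return findings


if __name__ == "__main__":
    for source, finding, detail in coverage_report(INVENTORY, OBSERVED, NOW):
        print(f"{source:12s} {finding:22s} {detail if detail is not None else ''}")
```

Run daily, the "silent" finding is the one that matters most: a source that stopped forwarding a week before the breach is exactly the evidence data that "just isn’t there" when the responders arrive.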

Log data can even play a crucial role in mitigating the regulatory or legal ramifications associated with any significant breach. The audit trail provided by the logs may help an organization prove that a breach didn’t occur because of its own negligence or through some other internal fault.

In the cybersecurity realm, where attention is often focused on the latest big attack or on the newest cutting-edge security control, lowly event logs can sometimes be overlooked. But without good log collection, retention and analysis capabilities, an organization’s security program will rest on very unstable ground.

For information on the various SIEM technologies available – give us a call at 866-431-8972 or email us at sales@symtrex.com.

Filed Under: Advanced Persistent Threat, compliance, CyberThreats, IoT, Log Management, LogRhythm, Products, Security News, SolarWinds

LogRhythm boosts automation, processing in security platform

2016/11/18 by admin

Howard Solomon – IT World Canada

Improved data processing speed and automation are usually the key capabilities being added to any security product these days, and LogRhythm is the latest to follow the trend.

The company, known for its security information and event management (SIEM) suite, said Thursday these are the key ingredients of the new version 7.2 upgrade to the security intelligence and analytics platform that underlies all of its products.

“One of the big challenges is organizations just don’t have enough security people to throw at the [security] problem, so a goal of ours is how do we automate and make the analysis process as efficient as possible so that the people you do have are highly effective,” company CTO and co-founder Chris Petersen said in an interview.

The platform enables visibility, data collection and analytics. Improvements include

–Better performance: Up to a 200 per cent increase in performance ingesting data, which the company says is critically important to large enterprises such as those exceeding 100,000 messages a second. It could mean reducing the number of rack units supporting LogRhythm applications while supporting the same workloads, Petersen said.

Also, onboarding data from a variety of enterprise sources is easier. “You can simply point devices to us” – for example a firewall – “and we will intelligently recognize the device, automatically pre-configure it and begin to process that data.” Until now administrators had to do these configurations manually;

–Support for more data sources: Twenty more metadata fields have been added to the platform’s data structure. Also support has been extended to a total of 785 data sources (including operating systems, applications, and alarm systems in Perth). In addition, there’s more visibility into cloud infrastructure workloads such as Amazon Web Services, Salesforce and others;

–Improvements to the User and Entity Behavioral Analytics (UEBA) module, which analyzes log data on user activity to identify compromised accounts, privilege misuse and data theft. The new module adds improved threat detection algorithms, stronger kill chain corroboration and improved real time dashboards that help admins with threat hunting;

–Improved security automation and orchestration capabilities allowing security teams to move an alarm into a case and add information for investigation. There are 20 new automated actions giving teams automated playbooks for incident response.

LogRhythm competes against other SIEM products including IBM QRadar, Hewlett Packard Enterprise’s ArcSight, Splunk, McAfee Enterprise Security Manager and others.

Contact us for more information or to request a demonstration of the product.


Filed Under: Advanced Persistent Threat, compliance, CyberThreats, Log Management, LogRhythm, Products, Security News
