Without a trace: Cybersecurity incident response teams must follow the thread of security events through volumes of log data from increasingly diverse sources.
Organizations that start to address information security in a meaningful way will come to a point in their maturity when they have a lot of machine data. The challenge many CISOs face is how to leverage that data quickly and correlate events dynamically across the enterprise to track down advanced persistent threats (APTs). The Sony Pictures Entertainment hacking incident in November underscores the importance of security monitoring and rapid incident response to clamp down on damages before disaster strikes.
IT security managers cannot protect what they cannot see, and to “see” associations or patterns that can help detect APTs enterprises must have comprehensive logging in place across multiple layers within a network. The greater the visibility, the larger the machine data, and the harder it is for cybersecurity incident response teams to “follow the thread” and correlate security events with threat intelligence in a meaningful way. The answers to many security questions about fraudulent activity, user behavior, communications, security risk and capacity consumption lie within these large data sets.
Why so much logging? Most advanced adversaries gain access to a victim’s network via malware, drive-by links or Web shells. Once the initial attack phones home — malware will initiate an outbound connection to C2 hosts to get around inbound firewall rules — rootkits are delivered, and the attackers quickly gain access to a user account and move through the network as a fully credentialed user. It is difficult to lock down a Microsoft network in any meaningful way without destroying its functionality. A successful strategy to defeat this type of attack includes the following:
- Detect the malware or drive-by links before users click on them. To do this a cybersecurity incident response team has to be able to compare user behavior against threat intelligence. This requires full packet logging of all ingress and egress traffic on an enterprise’s edge.
- Detect malware or rootkit delivery to the endpoint. To do this the cybersecurity team needs verbose logging on antimalware and endpoint protection systems.
- Detect anomalous user behavior and access across the entire enterprise. Security information and event management (SIEM) tools can alert you to unusual activity, such as account usage during off hours, but only with comprehensive logging of Active Directory (AD) and host access events.
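The three points above are, in practice, one correlation: an off-hours logon from the AD logs, an outbound connection from the edge logs, and a threat-intelligence indicator list tying the destination to a known C2 host. The following script, added here as an illustration and not code from the original article or any SIEM product, shows that correlation over constructed sample data. The log line formats, hostnames, usernames, the 07:00 to 19:00 business window and the indicator addresses (drawn from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are all assumptions made for the example.

```python
"""Correlate AD logon events and edge firewall logs against a threat-intel list.

All sample data below is constructed for this example. The record layouts are
modelled loosely on Windows logon auditing and a generic firewall allow log; a
real SIEM rule would parse the vendor's actual field names instead.
"""
import re
from datetime import datetime, time, timedelta

# Constructed AD-style logon records: timestamp, account, workstation.
AD_LOGONS = [
    "2014-12-01T09:12:44 LOGON user=jsmith host=WS-0142 logon_type=2",
    "2014-12-01T23:41:07 LOGON user=jsmith host=WS-0142 logon_type=3",
    "2014-12-02T02:15:31 LOGON user=svc_backup host=FS-01 logon_type=3",
    "2014-12-02T10:03:12 LOGON user=adoe host=WS-0077 logon_type=2",
]

# Constructed edge firewall records: timestamp, source host, destination IP:port.
FW_OUTBOUND = [
    "2014-12-01T23:43:15 ALLOW src=WS-0142 dst=203.0.113.45:443",
    "2014-12-01T23:43:16 ALLOW src=WS-0142 dst=198.51.100.10:80",
    "2014-12-02T10:05:00 ALLOW src=WS-0077 dst=198.51.100.10:443",
]

# Constructed threat-intel indicator list (placeholder C2 addresses, not real ones).
C2_INDICATORS = {"203.0.113.45", "203.0.113.99"}

# Assumed business window; logons outside it are treated as off-hours.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
# Assumed window after an off-hours logon in which a C2 contact is linked to it.
CORRELATION_WINDOW = timedelta(hours=2)

LOGON_RE = re.compile(r"^(\S+) LOGON user=(\S+) host=(\S+)")
FW_RE = re.compile(r"^(\S+) ALLOW src=(\S+) dst=([\d.]+):\d+")


def parse_logons(lines):
    """Parse logon lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOGON_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m.group(1)),
                           "user": m.group(2), "host": m.group(3)})
    return events


def parse_outbound(lines):
    """Parse firewall allow lines into dicts with the destination IP only."""
    conns = []
    for line in lines:
        m = FW_RE.match(line)
        if m:
            conns.append({"ts": datetime.fromisoformat(m.group(1)),
                          "src": m.group(2), "dst": m.group(3)})
    return conns


def off_hours_logons(logons, hours=BUSINESS_HOURS):
    """Logons whose wall-clock time falls outside the business window."""
    start, end = hours
    return [e for e in logons if not (start <= e["ts"].time() < end)]


def c2_contacts(conns, indicators=C2_INDICATORS):
    """Outbound connections whose destination matches a threat-intel indicator."""
    return [c for c in conns if c["dst"] in indicators]


def correlate(logons, conns, indicators=C2_INDICATORS,
              hours=BUSINESS_HOURS, window=CORRELATION_WINDOW):
    """Return sorted (user, host) pairs where an off-hours logon on a host is
    followed, within the window, by a connection from that host to a C2 indicator.
    Either signal alone is noisy; together they are worth an analyst's time."""
    hits = set()
    suspicious = c2_contacts(conns, indicators)
    for e in off_hours_logons(logons, hours):
        for c in suspicious:
            if c["src"] == e["host"] and e["ts"] <= c["ts"] <= e["ts"] + window:
                hits.add((e["user"], e["host"]))
    return sorted(hits)


if __name__ == "__main__":
    logons = parse_logons(AD_LOGONS)
    conns = parse_outbound(FW_OUTBOUND)
    print("off-hours logons:", [(e["user"], e["host"]) for e in off_hours_logons(logons)])
    print("C2 contacts:", [(c["src"], c["dst"]) for c in c2_contacts(conns)])
    print("correlated:", correlate(logons, conns))
```

On the sample data the service account's 02:15 logon is off-hours but never correlates, and the single C2 contact from WS-0142 only becomes an alert because it follows jsmith's 23:41 logon on the same host. That is the point of the article's three logging layers: each source alone produces noise, and the useful signal is the join across them.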
For more information on defending against APTs and malware, or on security analytics, please contact us.