NEXT-GENERATION SIEM: Powering intelligence-led cyber security

Post on 10-Jun-2020


Page 1: NEXT-GENERATION SIEM: Powering intelligence-led cyber security · business goals and objectives through a vulnerability risk matrix. Elevate incident investigation and response through



02 INTEGRITY360.COM

Legacy SIEM accomplishes X, Y and Z; Next-generation SIEM takes on the entire alphabet


Executive summary

You won’t run into a hacker on your morning commute, and there’s a better chance you won’t see them on the company’s network.

Malicious threat actors and their Tactics, Techniques and Procedures (TTPs) are evolving quicker than most businesses can keep track of. By breaching one of a seemingly infinite number of vulnerabilities and moving laterally through the network, attackers can lie hidden for months at a time before taking any action.

The trend is leading to a sharp decline in organisations’ abilities to counter hacking attempts. Just 12 percent of companies believe they could detect a sophisticated cyber-attack, according to Ernst & Young.

Effective cyber security is a comprehensive blend of dedicated and experienced personnel at various points along the cyber-attack lifecycle, and powerful tools aiding their efforts. It’s a 24x7x365 job that requires a hybrid on- and off-site approach for total security.

Companies don’t have to wait for that next generation of cyber security. Integrity360 combines powerful security information and event management (SIEM) platforms with the expertise of remote personnel and on-site analysts to provide exhaustive protection against the tireless efforts of hackers.


Introduction to SIEM technology

A day’s work is never done in the field of cyber security. The expansion of the digitally enabled workforce, Bring Your Own Device (BYOD) policies and flexible cloud solutions have created a seemingly infinite number of vulnerable endpoints.

Protecting them from malicious threat actors has become a daunting, around-the-clock task. The amount of information that cyber security professionals must compile and analyse is growing by the second, and it’s one of the reasons why many companies have adopted a SIEM platform. SIEM excels at the collection, monitoring and analysis of network traffic and log management from multiple sources. The platform gives IT administrators a holistic view of the company’s digital infrastructure through comprehensive data aggregation. This facilitates the detection of threats and risks in previously unmonitored areas, and improves both the speed and efficacy of their incident response.

SIEM enables:

Continuous assessment of a variety of endpoints.

Recognition of anomalous behaviour.

Identification and response to incidents.

Compliance with major national and international data regulations.

Advantages of SIEM

Improve cyber security decision-making by aligning IT risk with overarching business goals and objectives through a vulnerability risk matrix.

Elevate incident investigation and response through threat intelligence from internal and Red Team threat and vulnerability management, third-party vendor subscriptions and the cyber security community at large.

Maintain highly accurate logs of authorised users and corresponding access through real-time alerts on anomalous behaviour.

Aggregate multiple threat intelligence sources to assign weights through a variety of Indicators of Compromise (IOCs) that can be leveraged in multiple functionalities like monitoring, alerting, reporting, investigation and forensic analytics.

Actively identify unusual network traffic patterns with a variety of modern tools, like algorithms powered by advanced analytics and correlation searches.

Manage the growing velocity, volume, variety and veracity of data by normalising the information to support a best-in-class identification, response and remediation framework.

Reduce incident response times and prove compliance with the help of a pre-built dashboard, ongoing reports and detailed incident response workflows.


Security data fuelling SIEM (figure: log source categories and their feeds)

Servers: Windows events, PowerShell logs, Microsoft Sysmon, Linux secure/audit, scripted inputs

Security toolset: Firewall/traffic logs, IDS/IPS, AV/anti-malware, sandbox, web proxy

Network services: Active Directory, DNS, DHCP, AAA services

Applications: Webserver logs, database activity, fileserver audit, mail server

Endpoints: Windows events, PowerShell logs, Microsoft Sysmon

Network data: Network flow capture, full packet capture


Introduction to next-generation SIEM

Where a legacy SIEM may accomplish X, Y and Z, next-gen SIEM takes on the entire alphabet. The platform enables real-time and simultaneous analysis of network infrastructure, application data and device activity using analytics-based SIEM tools that are powered by machine learning.

Next-gen SIEM supports a single-pane view of an organisation’s digital environment through its ability to pull information from an almost unlimited number and type of log sources, and store and analyse that machine data using artificial intelligence and machine learning. In doing so, businesses can automate the initial stages of an investigation for a rapid response.

Next-gen SIEM earns its stripes through its ability to ingest a large amount of machine data and use machine learning to automate correlation searches. It continuously combs the data it collects to identify abnormal events that closely resemble known cases of compromised systems. This form of user and entity behaviour analytics (UEBA) gives companies the tools they need to combat constantly evolving, cutting-edge malicious threat campaigns.

The ability to collect and make sense of raw machine data, in almost any format, ensures security monitoring applies equally to both the traditional IT infrastructure and emerging environments such as cloud platforms, Internet of Things (IoT) and Operational Technology (OT) networks.

Artificial intelligence supports its predictive analytics capability, which has the potential to radically transform security analysis through the ongoing discovery of patterns across large volumes of data. It gives businesses the capability to conduct investigations at scale, rather than linearly in singular events.

Next-gen SIEM supports:

Anomaly detection through supervised and unsupervised machine learning.

Threat and vulnerability data enrichment.

User and asset context and prioritisation.

Unparalleled visibility into device, application and user activity.

Big data processing capabilities.

Proactive threat response actions.

Next-generation SIEM relies on a remote SOC to provide intelligence-led cyber security.


What is next-gen managed SIEM service?

Next-gen SIEM provides the tools necessary to identify and contain modern cyber threats, but achieving the best results relies on the expertise of cyber security analysts to remediate the situation – simply adopting the platform isn’t enough.

But talented professionals who can effectively utilise SIEM are difficult to come across: Europe is expected to see a cyber security skills gap that will reach near 350,000 people by 2022 and worldwide the figure will reach 1.8 million during the same time span, according to Frost & Sullivan.

Introducing a basic security alerting service will only increase the burden on overstretched IT teams. Organisations are overcoming this lack of resources by leveraging a managed SIEM service. The platforms can provide next-generation, intelligence-led cyber security with the help of Security Operations Centres (SOCs) that offer expert-level analysis of security events and alerts.

The SIEM platform allows skilled cyber security analysts to remotely monitor network traffic in real-time, apply machine learning algorithms to identify threats through the collection of machine data and use innovative tools to remediate the risks.

The model gives companies access to:

Experienced level one, two and three personnel who are versed in dealing with various threats.

Threat intelligence sharing through a large client network.

Ongoing threat and vulnerability management to reinforce posture.

Security infrastructure monitoring 24x7x365.

A managed SIEM service offers businesses an affordable, agile alternative to the ‘do it yourself’ cyber security culture that has reigned over the last decade. By leveraging a next-gen SIEM, security analysts from a remote SOC can monitor, detect and remediate threats in real-time, greatly limiting the impact of a potential cyber-attack and improving key metrics.

HOW REMOTE SOC LEVERAGES NEXT-GEN SIEM

Integrity360 leverages the SIEM platform to provide next-gen managed SIEM services. Our SOC augments the platform’s capability to enable three core services:

A continuously expanding correlation search catalogue that ensures the detection of new and developing threats.

Expert cyber security analysts who can triage, prioritise, investigate and respond to threats and alerts 24x7x365.

Proactive threat hunting and vulnerability management through exception-based or ad-hoc searching to identify unusual or unexpected patterns.

These features combine to fuel threat detection through a combination of machine learning techniques and correlation searches, which trigger an alert that is immediately sent to Integrity360 analysts located at the SOC.

From there, our team conducts in-depth analysis to determine the severity of the risk by contextualising key data points. This proactive approach is vital during an investigation, as finding – or missing – the smallest details can be the difference between a failed attempt and a full-blown data breach.


USING THREAT INTEL: The Red Team-led approach to security

The fast-paced evolution of hackers’ techniques poses a constant threat to the companies whose cyber security strategies stand still.

Integrity360’s remote SOC team ensures that the SIEM’s ability to identify and detect suspicious or malicious activity is constantly improving. Its fundamental capabilities are continuously enhanced in line with the latest innovations in cyber security through our Red Team-led threat intelligence R&D process.

Our Red and Blue team experts are constantly studying threat actors and groups in order to build more effective defences. The proactive strategy fuels our “offence informs defence” mindset that modern cyber security demands. By facilitating knowledge-sharing across our SOC team, they gain the experience necessary to detect, respond and mitigate emerging threats across all our clients’ networks.

A SIEM platform needs to support a Red Team-led approach, normalising data from disparate systems into common data models, and then enforcing mature correlation searches (threat cases) to identify and alert on suspicious activity.

The more information our SOC collects, the better our analysts can ascertain the severity of threat alerts, separate false-positives from true risks and provide comprehensive network protection.

Modern cyber security demands an approach where offence informs defence.


Cyber-Attack Kill Chain (figure; stage labels from the diagram): External recon, Compromised machine, Internal recon, Local privilege escalation, Compromise creds, Remote code execution, Low-privileges lateral movement cycle, Admin recon, Domain admin creds, Domain dominance, High-privileges lateral movement cycle, Asset recon, Asset access, Exfiltration.


MAKING SECURITY OPERATIONAL: Threat and vulnerability management

Cyber security strategies must account for the changing threat landscape. Adaptive security architectures operate on the fact that TTPs are fleeting by nature; hackers are always searching for the next best infiltration technique.

Closing threat actors’ entrances into the digital infrastructure is often an easy fix. Roughly three-fifths of all cyber-attacks could have been stopped by applying available patches, the Ponemon Institute found.

Integrity360’s TVM service is powered by leading cloud-based vulnerability assessment tools, providing Integrity360’s experts with the network visibility necessary for:

Comprehensive asset discovery.

Prioritisation and alerting through internal and external scheduled scans.

Continuous monitoring of endpoints.

HOW THREAT AND VULNERABILITY MANAGEMENT WORKS

Integrity360’s threat and vulnerability management (TVM) service is designed to give clients and their executive teams awareness of their risk exposure, of the progress and efficiency of threat remediation, and of the operational planning required.

Our experienced professionals conduct and analyse highly accurate internal and external vulnerability scans, along with passive network monitoring, applying their years of industry knowledge and environmental context to interpret the findings and provide prioritised remediation. From there, they build a targeted approach that takes into account the improvements necessary for comprehensive security.

The findings are presented in detailed bi-monthly and monthly reports, which outline all the vulnerabilities discovered in a pre-defined time range, where they’re trending and the most efficient order to patch them in based on difficulty and level of risk. Our vulnerability risk matrix provides a transparent methodology as to how our team determines what is a low-, medium- or high-risk vulnerability based on consequence and likelihood of failure.


Vulnerability risk matrix (figure)

Rows give criticality (consequence of failure), columns give vulnerability (likelihood of failure); each cell is criticality multiplied by likelihood.

Criticality | Vulnerability:  1   2   3   4   5
    5       |                 5  10  15  20  25
    4       |                 4   8  12  16  20
    3       |                 3   6   9  12  15
    2       |                 2   4   6   8  10
    1       |                 1   2   3   4   5

Risk bands: A high risk (16-25), B medium risk (9-15), C low risk (1-8).

The vulnerability risk matrix takes into account the exploit’s likelihood of failure and its subsequent impact to identify highly critical faults and promote agile IT operations.

Criticality (consequence of failure): 5 major, 4 significant, 3 important, 2 minor, 1 very minor.

Vulnerability (likelihood of failure): 5 almost certain, 4 highly probable, 3 could occur, 2 may happen, 1 unlikely.
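As an added example (not Integrity360’s tooling), the scoring behind this matrix in Python: each finding’s criticality and vulnerability ratings, on the 1-5 scales above, multiply to a cell score that is banded C (1-8), B (9-15) or A (16-25), and findings are then queued for remediation by score and, on ties, by patching difficulty, as the reports do. The sample findings and their effort values are constructed.

```python
from dataclasses import dataclass

# Rating scales as defined on the matrix page.
CRITICALITY = {5: "Major", 4: "Significant", 3: "Important", 2: "Minor", 1: "Very minor"}
LIKELIHOOD = {5: "Almost certain", 4: "Highly probable", 3: "Could occur",
              2: "May happen", 1: "Unlikely"}

# Risk bands from the matrix legend: (code, label, lowest score, highest score).
BANDS = (("A", "High risk", 16, 25), ("B", "Medium risk", 9, 15), ("C", "Low risk", 1, 8))


@dataclass(frozen=True)
class Finding:
    name: str         # constructed label for the finding
    criticality: int  # consequence of failure, 1-5
    likelihood: int   # likelihood of failure, 1-5
    effort: int       # constructed: relative patching difficulty, 1 (easy) to 5 (hard)


def risk_score(criticality: int, likelihood: int) -> int:
    """The matrix cell: criticality (row) multiplied by likelihood (column)."""
    if criticality not in CRITICALITY or likelihood not in LIKELIHOOD:
        raise ValueError("ratings must be integers from 1 to 5")
    return criticality * likelihood


def risk_band(score: int) -> tuple:
    """Map a cell score onto the A/B/C bands of the legend."""
    for code, label, low, high in BANDS:
        if low <= score <= high:
            return code, label
    raise ValueError(f"score {score} lies outside the 1-25 matrix")


def build_matrix() -> list:
    """Rebuild the 5x5 grid: rows are criticality 5 down to 1, columns likelihood 1 to 5."""
    return [[risk_score(c, l) for l in range(1, 6)] for c in range(5, 0, -1)]


def remediation_order(findings) -> list:
    """Queue findings as the report does: highest score first; on equal score the
    easier patch first; the name breaks any remaining tie so the order is stable."""
    def key(f):
        return (-risk_score(f.criticality, f.likelihood), f.effort, f.name)
    queue = []
    for f in sorted(findings, key=key):
        score = risk_score(f.criticality, f.likelihood)
        queue.append((f.name, score, risk_band(score)[0]))
    return queue


# Constructed sample findings; not the output of any real scan.
SAMPLE_FINDINGS = [
    Finding("internet-facing VPN appliance missing vendor patch", 5, 4, 3),
    Finding("legacy TLS enabled on internal file server", 3, 3, 2),
    Finding("outdated browser plug-in on reception kiosk", 2, 5, 1),
    Finding("domain controller missing critical update", 5, 3, 4),
    Finding("default SNMP community on branch switch", 2, 5, 2),
    Finding("verbose server banner on test web server", 1, 2, 1),
]

if __name__ == "__main__":
    # Print the matrix with its row labels, then the prioritised remediation queue.
    for criticality, row in zip(range(5, 0, -1), build_matrix()):
        print(criticality, " ".join(f"{cell:>2}" for cell in row))
    for name, score, band in remediation_order(SAMPLE_FINDINGS):
        print(f"{band} {score:>2}  {name}")
```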


ADVANCED SOC: The natural evolution of remote SOC

The modern business faces its own daily challenges that others – even within the same industry – may not.

Strict government regulations, the need for operational continuity and the presence of unique infrastructural designs all contribute to the idea that while a remote SOC is certainly beneficial, at times it might not be enough.

Advanced SOC provides an exclusive and individualised strategy that incorporates the on-site presence of senior security resources to support the capabilities of a remote SOC team. By deploying support on the ground and in the air, businesses ensure compliance, protect consumer and employee data, and mitigate any threat through a multi-faceted response.

Senior security resources, both dedicated and aligned to the service, are embedded in the clients’ IT team and act as an intermediary between our clients and our skilled cyber security professionals. This ensures organisations effectively utilise the wide range of resources and assets at their disposal in accordance with the dedicated team members’ needs to remediate any threat.

WHAT IS ADVANCED SOC?

Advanced SOC service combines the around-the-clock cyber security presence of remote SOC analysts with on-site capabilities to provide 8x5 on-site incident management, response coordination and reporting from experienced personnel.

Built as a bespoke design around our clients’ unique security and regulatory requirements, the service offers complete peace of mind through a comprehensive team-based approach that includes access to:

Level one, two and three security analysts.

Network Operations Centre (NOC) team.

Cyber Threat Intelligence (CTI) team.

Cyber security manager.

Service delivery manager.


These roles combine to provide four of the core components of an effective cyber security strategy:

Operational support and platform management.

Security event analysis and incident management.

Security threat intelligence and incident response.

Security incident and policy management.

By fusing the quick response time and environmental knowledge of on-site, dedicated resources with the operational intelligence gathered by a remote SOC, organisations gain:

Access to the SOC to facilitate threat intelligence sharing.

Expert-level functionality of next-generation SIEM and other technology.

Experienced, instantaneous security incident response.

Proactive threat hunting and information gathering.

Assurance that on-site protocols are meeting regulatory compliance.

Moving to Advanced SOC

Integrity360 aligns its advanced SOC implementations with the ISO 9001 quality standard. The demanding guidelines are supported by experienced project managers who have a proven track record of successfully completing projects on-time and within budget.

A hypothetical advanced SOC implementation applies three phases:

Mobilisation: The primary phase focuses on establishing the infrastructure of the project. A formal kick-off with the Integrity360 project management team and our clients’ staff helps determine all scheduling and resourcing expectations.

Activation: The secondary phase allows the Integrity360 team to gain a thorough understanding of our clients’ digital environments. During this period the project manager develops the advanced SOC service design and the cyber incident response plan.

Implementation: The final phase is the successful implementation of SIEM technologies.


How advanced SOC works

Advanced SOC is a service that is embedded into our customer’s IT operation to provide them with true security operations capability: prediction, prevention, detection and response. Dedicated resources continuously monitor and manage layered security controls to identify and disrupt threat actor activity during key stages of the attack lifecycle. This combination is critical to limiting attacker dwell time in the network.

Integrity360’s advanced SOC model is not limited to implementing and managing key security controls. To enable the delivery of a true security operation, Integrity360 couples the output of key cyber security functions with log and event data from the entire digital infrastructure. This machine data is fed into a dedicated next-gen SIEM platform to create the full security picture. Context is applied to captured data and used for incident alerting and investigation.

Any system alerts are forwarded to Integrity360’s SOC for initial triage and investigation by the level one security analyst team to assess and prioritise incidents, identify false positives and enrich them with security intelligence and context. Confirmed or assumed incidents are escalated to the on-site Integrity360 senior security analysts (or, outside regular business hours, to remote level two analysts) who drill into the information presented to them. This enables them to investigate the risk, its potential impact and possible expansion using the powerful search capabilities of the next-gen SIEM platform.

Depending on the severity or complexity of the threat, a level three analyst in the Integrity360 SOC may be called in for consultation, to conduct remediation or for wider threat hunting.

Once a confirmed incident has been identified it is escalated to the customer as actionable intelligence, along with the recommended remediation. This is coupled with management reporting from the assigned cyber security manager covering the root cause, the incident management timeline and total security impact.


Security Incident Workflow (figure; boxes and arrow labels from the diagram). Boxes: Environment (server, security toolset, endpoints) → log and event data → SIEM → security alerts → L1 security analysts (shared) → 24x7 escalation → L2 security analysts (shared) and L2 security analysts (dedicated); CTI team; customer / 3rd party. Arrow labels: incident response escalation, escalation to client, confirmed incident escalation, IR escalation.


Roles and responsibilities of advanced SOC

Our advanced SOC service gives clients the ability to efficiently implement security controls, monitor their logs, remediate attacks and conduct proactive threat and vulnerability management at a fraction of the cost of hiring their own team.

Our security analysts hold Global Information Assurance Certifications (GIAC) in intrusion analysis, incident handling, continuous monitoring and malware reverse engineering. We ensure the highest level of expertise is applied to every cyber security incident.

Our NOC and CTI teams, as well as the cyber security manager, apply their full breadth of industry knowledge, gained through extensive experience with our wide variety of clients, to proactively stop malicious threats from infiltrating the network.

Advanced SOC is an agile and effective alternative to the resource-intensive approach of in-house cyber security.


Advanced SOC: Meet the team

NOC TEAM (24X7)

Operational monitoring of managed devices and solutions. Operational support of managed devices and solutions. BAU activity (change requests, service requests) related to managed devices and solutions.

SOC TEAM (24X7)

Security incident investigation, analysis and management. Proactive threat hunting. Asset discovery and categorisation. Vulnerability assessment and prioritisation (threat/criticality).

CTI TEAM

Provision of security and threat intelligence. Incident response engagements. Escalation to external forensics consultants.

CYBER SECURITY MANAGER

Security governance. Policy management. Security reporting.

DEDICATED ON-SITE ANALYST

Major incident management and coordination. Security incident escalations. Initial containment and mitigation actions. SIEM tuning.

SERVICE DELIVERY MANAGER

Service oversight, reporting and governance. Continuous service improvement.


Benefits of advanced SOC

BETTER VISIBILITY INTO NETWORK ACTIVITY

Gain access to level one, two and three analysts who monitor the security infrastructure 24x7x365 with the help of an advanced analytics-based SIEM platform.

FASTER THREAT RESOLUTION

The on-site analyst serves as a dedicated resource, providing 8x5 support to resolve threats quicker.

AGILE INCIDENT RESPONSE

Advanced SOC offers a flexible, cost-effective approach to mitigating threats, curtailing the use of expensive resources and adapting to the unique needs of individual risks.

ONGOING REPORTING

A dedicated cyber security manager delivers regular reports both to immediate supervisors and the board.

MAINTAIN COMPLIANCE

The service delivery manager ensures consistent reporting for major regulations like GDPR, PCI DSS and Sarbanes-Oxley, among others.

MAXIMISING RETURN ON INVESTMENT

Ensure the cyber security tools you’ve adopted are utilised to the greatest extent.

PROACTIVE RISK ASSESSMENT

Threat and vulnerability management provides ongoing operational security intelligence through the latest TTPs and pertinent information the industry offers.

BESPOKE DESIGN

There’s no one-size-fits-all solution, and you don’t have to create the cyber security strategy yourself. Leverage the experience of our professionals to design a detection and response model that maps to your organisation’s unique needs.


Next Steps

Security threats are constantly evolving. Next-gen SIEM is a managed service powered by remote and on-site SOC team members that’s built as a comprehensive countermeasure.

Integrity360 guides you from the initial audit, where we determine the cyber security solutions that are the best fit for your digital infrastructure. Our managed security service ensures our clients get the maximum return on investment and best protection available in the industry.

Contact an Integrity360 advisor today to learn more.


LONDON OFFICE: 90 Long Acre, Covent Garden, London, WC2E 9RZ. +44 203 397 3414

BIRMINGHAM OFFICE: TS2 Pinewood Business Park, Coleshill Road, Birmingham, B37 7HG. +44 203 397 3414

NEW YORK OFFICE: 260 Madison Avenue, 8th Floor, Manhattan, 10016. +1-212-461-3286

HEAD OFFICE: 3rd Floor, Block D, The Concourse, Beacon Court, Sandyford, Dublin 18. +353 (0)1 293 4027