Combining Security Intelligence and the Critical Security Controls:
A Review of LogRhythm’s SIEM Platform
A SANS Product Review
Written by Dave Shackleford
May 2014
Sponsored by LogRhythm
©2014 SANS™ Institute
Introduction
The Critical Security Controls for Effective Cyber Defense (CSCs) represent an established and solid set of guidelines for the government, financial, education, manufacturing and health care sectors, according to a 2013 SANS survey on the CSCs.1 In it, 73 percent of nearly 700 respondents were adopting or planning to adopt the CSCs, mainly for the purpose of better visibility into their enterprises and to reduce security events. Only 10 percent of respondents felt they had done a complete job of implementing the controls. Respondents indicated that several obstacles hinder their implementations:
SANS had the opportunity to review numerous features of LogRhythm’s security information and event management (SIEM) platform with new security intelligence features built in for compliance. In our review, we focused on LogRhythm’s ability to ease some of these pain points while meeting 10 of the most valuable CSCs. These include:
It could be argued that LogRhythm’s approach aligns with many of the other controls—although less directly. However, due to length, we are focusing on the above controls and how LogRhythm can help security teams not only meet control requirements but also actually improve the state of monitoring and response.
Overall, we found the LogRhythm 6.x software easy to use, with a broad range of rules
together a more comprehensive monitoring and alerting strategy that, in turn, can be used to develop baselines of events and behavior across the IT infrastructure.
SANS ANALYST PROGRAMCombining Security Intelligence and the Critical Security Controls 1
1 The Critical Security Controls: www.counciloncybersecurity.org/attachments/article/12/CSC-MASTER-VER50-2-27-2014.pdf; the SANS 2013 Critical Security Controls Survey: www.sans.org/reading-room/analysts-program/csc-survey-2013
Survey respondents adopting or planning to adopt the CSCs: 73%
Inventory and Assess
For good reason, the first of the Critical Security Controls focuses entirely on maintaining
CSC 4.
Some of the things to consider for this control include inventory management systems,
Figure 1. Creating an Unauthorized Hosts AI Rule Description
Detecting a new host rapidly is important in detecting malicious behavior and quarantining affected systems to contain damage.
The tool easily caught new systems we spun up to test this feature. Figure 2 depicts a
and triggering a log event.
The ability to detect new devices in the environment is useful for discovering rogue
detecting malicious behavior and quarantining affected systems to contain damage.
as users and groups set up their own infrastructure with convenience as a priority, rather than security.
Figure 2. Rogue Host Event
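The rogue-host rule described above compares devices that appear on the network against the authorized inventory. The following is an added example written for this review's topic, not LogRhythm's own rule logic or code: it reads constructed ISC-dhcpd-style DHCPACK lines, checks each MAC address against a hypothetical inventory, and raises one event per unknown host rather than one per lease renewal. The inventory, log lines and host names are all constructed sample data.

```python
import re
from dataclasses import dataclass

# Hypothetical authorized inventory: MAC address -> hostname (constructed sample data,
# standing in for the asset inventory a rule of this kind is checked against).
AUTHORIZED_INVENTORY = {
    "00:50:56:aa:01:01": "web-01",
    "00:50:56:aa:01:02": "db-01",
    "00:50:56:aa:01:03": "jump-01",
}

# Constructed DHCP server syslog lines in ISC dhcpd style (sample input, not real captures).
SAMPLE_DHCP_LOG = """\
Apr 30 09:12:01 dhcp01 dhcpd: DHCPACK on 10.10.5.21 to 00:50:56:aa:01:01 (web-01) via eth0
Apr 30 09:12:44 dhcp01 dhcpd: DHCPACK on 10.10.5.22 to 00:50:56:aa:01:02 (db-01) via eth0
Apr 30 09:15:09 dhcp01 dhcpd: DHCPACK on 10.10.5.77 to 08:00:27:13:37:42 (lab-vm) via eth0
Apr 30 09:16:30 dhcp01 dhcpd: DHCPACK on 10.10.5.77 to 08:00:27:13:37:42 (lab-vm) via eth0
Apr 30 09:20:00 dhcp01 dhcpd: DHCPACK on 10.10.5.23 to 00:50:56:aa:01:03 (jump-01) via eth0
Apr 30 09:21:15 dhcp01 dhcpd: DHCPACK on 10.10.5.90 to 00:50:56:aa:01:01 (web-01) via eth0
Apr 30 09:22:00 dhcp01 dhcpd: DHCPREQUEST for 10.10.5.77 from 08:00:27:13:37:42 (lab-vm) via eth0
"""

# Only acknowledged leases count as a host joining the network; the hostname is optional in dhcpd logs.
DHCPACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"to (?P<mac>[0-9a-fA-F:]{17})(?: \((?P<host>[^)]*)\))? via \S+$"
)


@dataclass(frozen=True)
class RogueHostEvent:
    first_seen: str
    ip: str
    mac: str
    hostname: str


def detect_unauthorized_hosts(log_text, inventory):
    """Return one RogueHostEvent per MAC address that obtained a lease but is not in the inventory.
    Repeat leases for the same unknown MAC are collapsed into the first sighting so the analyst
    gets one event per rogue host rather than one per renewal."""
    seen = set()
    events = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.match(line)
        if not m:
            continue  # not a DHCPACK line
        mac = m.group("mac").lower()
        if mac in inventory or mac in seen:
            continue
        seen.add(mac)
        events.append(RogueHostEvent(m.group("ts"), m.group("ip"), mac, m.group("host") or "<no hostname>"))
    return events


if __name__ == "__main__":
    for ev in detect_unauthorized_hosts(SAMPLE_DHCP_LOG, AUTHORIZED_INVENTORY):
        print(f"ROGUE HOST first seen {ev.first_seen}: {ev.ip} {ev.mac} ({ev.hostname})")
```

Keying on the MAC address rather than the IP is deliberate: a rogue host that renews into a different address still produces a single event, and a known host that moves addresses (web-01 above) produces none.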
vulnerabilities are associated with them. Security teams need to continually scan for
as possible. They need to do this day in and day out because new vulnerabilities appear regularly.
LogRhythm helps to meet CSC 4 in two ways. First, it correlates logs and events indicating what software has been installed on systems—and when—with vulnerability detection by scanning tools. This is useful when determining whether specific installations and software are responsible for new vulnerabilities that appear in the environment. Second, it is also useful for monitoring new vulnerabilities over time to determine if—and when—they are patched or remediated.
We reviewed a number of vulnerability-focused events and dashboards in the LogRhythm interface, including vulnerability logs and events as both highlights from the
As a part of the vulnerability management life cycle, security teams should also track vulnerabilities once they’re found, and scan results should be compared to previous reports to determine what vulnerabilities have been successfully remediated.
Security teams should also conduct vulnerability scans using system and application credentials that allow for deeper probes and assessment of the systems being tested. Analysts can validate the results of these tests with local system logs, which can also indicate when software was installed on the systems that may expose them to attacks. Finally, incident responders can correlate vulnerability scan results with attack attempts and other related security events to ascertain whether a targeted system is truly vulnerable.
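The two correlations described in this section (scan-over-scan comparison to find remediated and new findings, and joining new findings with software-install events from host logs) can be shown with a few lines of code. The example below is added for illustration and is not LogRhythm's correlation logic; the scan results, finding identifiers ("VULN-A" and so on are placeholders, not CVE or scanner plugin ids), package names and timestamps are all constructed.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed scan results: {finding_id: set of affected hosts}. Finding IDs are placeholders,
# not real CVE or scanner plugin identifiers.
PREVIOUS_SCAN_TIME = "2014-04-23 02:00:00"
PREVIOUS_SCAN = {
    "VULN-A": {"web-01", "web-02"},
    "VULN-B": {"db-01"},
}
CURRENT_SCAN_TIME = "2014-04-30 02:00:00"
CURRENT_SCAN = {
    "VULN-A": {"web-02"},           # remediated on web-01, still open on web-02
    "VULN-C": {"web-01"},           # new on web-01
    "VULN-D": {"db-01", "app-01"},  # new on both hosts
}

# Constructed package-install events taken from host logs, as (timestamp, host, package).
INSTALL_EVENTS = [
    ("2014-04-28 14:02:11", "web-01", "example-ftpd 1.0"),
    ("2014-04-29 09:30:00", "db-01", "example-agent 2.3"),
    ("2014-04-20 08:00:00", "app-01", "example-agent 2.3"),  # predates the previous scan
]


def diff_scans(previous, current):
    """Compare per-host findings between two scans.
    Returns (remediated, new, persisting), each a set of (finding_id, host) pairs."""
    prev_pairs = {(fid, h) for fid, hosts in previous.items() for h in hosts}
    cur_pairs = {(fid, h) for fid, hosts in current.items() for h in hosts}
    return prev_pairs - cur_pairs, cur_pairs - prev_pairs, prev_pairs & cur_pairs


def correlate_with_installs(new_findings, installs, prev_time, cur_time):
    """For each new (finding, host) pair, list packages installed on that host after the previous
    scan and up to the current one: the candidate causes an analyst checks first. An install
    that predates the previous clean scan cannot explain a finding that only appeared now."""
    lo, hi = datetime.strptime(prev_time, FMT), datetime.strptime(cur_time, FMT)
    result = {}
    for fid, host in sorted(new_findings):
        result[(fid, host)] = [
            pkg for ts, h, pkg in installs
            if h == host and lo < datetime.strptime(ts, FMT) <= hi
        ]
    return result


def vulnerability_report(previous, current, installs, prev_time, cur_time):
    remediated, new, persisting = diff_scans(previous, current)
    return {
        "remediated": sorted(remediated),
        "persisting": sorted(persisting),
        "new": correlate_with_installs(new, installs, prev_time, cur_time),
    }


if __name__ == "__main__":
    report = vulnerability_report(PREVIOUS_SCAN, CURRENT_SCAN, INSTALL_EVENTS,
                                  PREVIOUS_SCAN_TIME, CURRENT_SCAN_TIME)
    for key in ("remediated", "persisting"):
        print(key, report[key])
    for (fid, host), pkgs in report["new"].items():
        print("new", fid, host, "candidate installs:", pkgs or "none in window")
```

The app-01 case is the edge worth noticing: the install on that host is real but happened before the last clean scan, so it is not a candidate cause of a finding that first appeared now, and the report leaves its candidate list empty rather than pointing the analyst at the wrong package.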
Examples of events we noted and investigated included Windows and Linux events
all of which would naturally lead to deeper investigation or remediation actions. See Figure 3.
Figure 3. Top Vulnerabilities Dashboard
Defending Systems
Assessment and patching of systems are strong preventive measures. However, protective measures, including malware defenses and application security, are also
operate undetected.
Malware has been a challenge for security and operations teams for many years. In the
that generate alerts when they detect malware.
limit the use of removable media and carefully filter email attachments coming into
domains.
malware samples for analysis and reverse engineering.
infections.
and infected hosts, as well as the event sources themselves. In our review test bed, we saw events coming from numerous Windows systems with antimalware agents installed,
We reviewed numerous worm and bot detection events within this dashboard and watched the time range of malware events detected. The logging of events from host
that we reviewed. An example of this dashboard is shown in Figure 4.
provide actionable intelligence into the type of malware and its impact on previously
applications and code, code review and testing, database security and training for developers in secure coding techniques.
Figure 4. Top Malware Defenses Dashboard
To coincide with this type of alerting rule, lists of strings and attributes can be compiled, and LogRhythm has a number of these available out of the box. Figure 6 shows some
and easy to edit.
Figure 5. Creating an AI Rule for Alerting on User Agent Strings
Figure 6. Application Security Lists
example of simple text-based pattern matching strings, which you can add to or edit as needed.
Figure 7. Malicious User Agent Strings List
and implemented, following industry best practices such as those from the Center for Internet Security.2
authentication when possible, and device management functions should be isolated
were able to correlate changes with data from change control systems to determine whether a change is approved, and alerts can be generated when unplanned changes occur.
We even examined the LogRhythm SmartResponse engine and witnessed it shutting
trigger if configuration changes are made on them.
2 www.cisecurity.org/resources-publications
We also reviewed a number of charts within the main LogRhythm console for
themselves and their configurations, as shown in Figure 9.
Figure 8. Network Device Log for Configuration Events
Figure 9. Network Device Configuration and Behavior Monitoring
summary table from one of these reports is shown in Figure 10.
them with approved change requests removed the threat of rogue changes by
Figure 10. Detailed Network Device Configuration Change Report
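The correlation this section describes, matching device configuration changes against approved change requests and alerting on anything unplanned, is shown below as an added example. It is not LogRhythm's own rule or report logic; the approved-change window, ticket id ("CHG-PLACEHOLDER-1" is a placeholder), device names and change events are constructed, and the events are assumed to have already been parsed out of device syslog into (timestamp, device, user) tuples.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed approved change windows exported from a change-control system.
# Ticket ids are placeholders.
APPROVED_CHANGES = [
    {"ticket": "CHG-PLACEHOLDER-1", "device": "core-sw-01", "changed_by": "netops",
     "start": "2014-04-30 22:00:00", "end": "2014-04-30 23:00:00"},
]

# Constructed configuration-change events already parsed out of network device syslog,
# as (timestamp, device, user who entered configuration mode).
CONFIG_EVENTS = [
    ("2014-04-30 22:15:40", "core-sw-01", "netops"),   # inside the window, expected user
    ("2014-04-30 22:40:02", "core-sw-01", "guest"),    # inside the window, unexpected user
    ("2014-05-01 03:12:09", "core-sw-01", "netops"),   # outside any window
    ("2014-04-30 22:20:00", "edge-fw-01", "netops"),   # device with no approved change
]


def classify_config_change(event, approved):
    """Map one configuration-change event to an approved ticket, or explain why it is unplanned."""
    ts, device, user = event
    t = datetime.strptime(ts, FMT)
    for chg in approved:
        if chg["device"] != device:
            continue
        if datetime.strptime(chg["start"], FMT) <= t <= datetime.strptime(chg["end"], FMT):
            if chg["changed_by"] == user:
                return "approved", chg["ticket"]
            return "unplanned: inside approved window but unexpected user", chg["ticket"]
    return "unplanned: no approved change window", None


def unplanned_changes(events, approved):
    """Return (timestamp, device, user, reason, related_ticket) for every change that is not approved."""
    findings = []
    for ev in events:
        status, ticket = classify_config_change(ev, approved)
        if status != "approved":
            findings.append((ev[0], ev[1], ev[2], status, ticket))
    return findings


if __name__ == "__main__":
    for ts, device, user, reason, ticket in unplanned_changes(CONFIG_EVENTS, APPROVED_CHANGES):
        print(f"ALERT {ts} {device} by {user}: {reason}" + (f" (see {ticket})" if ticket else ""))
```

Checking the user as well as the time window matters: a change made during an approved window by an account the ticket does not name is still unplanned, and reporting the related ticket with it tells the responder which maintenance window was piggybacked.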
Keeping a Clean Environment
Many of the remaining Critical Controls that LogRhythm supports are around good hygiene, including limitation of ports and services, controlled use of administrative privilege, properly executed boundary defense, maintenance of audit logs and monitoring of account use.
control.
LogRhythm helps meet the requirements of this control in two ways. First, it monitors port scanner results as well as logs and events from individual systems that indicate
available and in use over time and then alerts on deviations from the baseline. As part
scans, the output of which is shown in Figure 11.
scanned and timestamps of the data from log events. This type of report data is helpful in
ADVICE: Run critical services on dedicated systems within restricted network subnets, and use VLANs and private IP addresses to isolate and restrict access to services from the Internet. IT groups can also implement so-called “application firewalls” to limit access to critical services and protect them from attack.
Figure 11. Logs of Port Scan Behavior
LogRhythm has a variety of built-in port scan detection rules and monitoring tools. One example of a rule we reviewed sets time thresholds on ports being scanned,
Figure 12. Detection Rule for Stealthy Port Scanning
LogRhythm also monitors hosts to determine what processes are running in a normal baseline mode and then alerts if changes are detected to that baseline. Figure 13 shows a rule we used to trigger if the list of processes running on a host is less than 80 percent similar to the process list from the previous day.
When this rule fires, it may indicate that something significant has changed on the affected platform, warranting additional follow-up investigation.
Figure 13. Abnormal Process Activity Rule
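The abnormal-process rule above fires when today's process list is less than 80 percent similar to yesterday's. The page does not say how "similar" is computed, so the added example below assumes set overlap (Jaccard similarity) between the two process-name sets; it is an illustration written for this review, not LogRhythm's rule implementation, and the process inventories are constructed. It also returns the added and removed names, which is what the follow-up investigation needs first.

```python
# Constructed process inventories for one host on two consecutive days (sample input).
BASELINE_PROCESSES = ["init", "sshd", "cron", "rsyslogd", "nginx", "php-fpm",
                      "postfix", "ntpd", "dbus-daemon", "systemd-journald"]
TODAY_BENIGN = BASELINE_PROCESSES + ["logrotate"]          # one routine job appeared
TODAY_SUSPICIOUS = [p for p in BASELINE_PROCESSES if p not in ("nginx", "php-fpm")] \
    + ["unknown-svc", "nc", "python3"]                     # web stack gone, three unknowns running


def process_similarity(baseline, current):
    """Jaccard similarity of two process-name sets. The page says '80 percent similar' without
    defining the metric; set overlap is the assumption used here."""
    b, c = set(baseline), set(current)
    if not b and not c:
        return 1.0
    return len(b & c) / len(b | c)


def check_process_baseline(host, baseline, current, threshold=0.80):
    """Compare today's process list with yesterday's and report whether the rule should fire,
    together with the added and removed names so the analyst can start the follow-up."""
    sim = process_similarity(baseline, current)
    return {
        "host": host,
        "similarity": round(sim, 3),
        "alert": sim < threshold,
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


if __name__ == "__main__":
    for label, today in (("benign", TODAY_BENIGN), ("suspicious", TODAY_SUSPICIOUS)):
        print(label, check_process_baseline("web-01", BASELINE_PROCESSES, today))
```

With ten baseline processes, one routine addition scores 10/11 (about 0.91) and stays quiet, while losing the web stack and gaining three unknown binaries scores 8/13 (about 0.62) and fires. The threshold therefore sets how much churn a host can show per day before it is worth a look; hosts that legitimately vary a lot (build servers, for example) need a lower threshold or a longer baseline than a single previous day.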
LogRhythm also targets specific applications and services for monitoring, based on
LogRhythm test environment and then used the LogRhythm console to review detailed log information related to a syslog event that had been triggered by the SSH rule, as shown in Figure 14.
Although tuning the software to see the most interesting events related to services,
information to be invaluable in developing behavioral baselines and detecting anomalies in the environment.
Figure 14. SSH Event Log
SSH is often used to hide malicious activities and sensitive information being sent out of the organization.
privileges, CSC 12 focuses on the restriction of administrative privileges on systems and within applications. It also includes continuous monitoring of all administrative accounts and activities.
LogRhythm addresses this control by monitoring accounts defined on systems, as well as
enables simplified monitoring of privileged accounts and detection of their activities, is installed by default. This module is merely one of a range of event detection options for privileged user activity, including rule-based monitoring.
We reviewed several default LogRhythm rules that accomplish the goals of CSC 12. For example, we reviewed a rule that detects attempted privilege use on Linux platforms that would trigger any time someone not listed in the /etc/sudoers file attempted to run a privileged command. See Figure 15.
Figure 15. Details of a Linux Privilege Use Rule
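The Linux privilege-use rule above triggers when someone not listed in /etc/sudoers attempts a privileged command. The added example below shows the detection logic over constructed auth.log lines in the format sudo itself writes to syslog; it is an illustration for this review, not LogRhythm's rule. It combines two signals: sudo's own verdict ("user NOT in sudoers"), and an independent comparison against an analyst-maintained list of expected sudo users (a hypothetical list, assumed to mirror the approved sudoers entries), which still fires if the file on the host has been edited to add an account.

```python
import re

# Constructed auth.log lines in the format sudo writes via syslog (sample input, not real captures).
SAMPLE_AUTH_LOG = """\
Apr 30 10:01:02 web-01 sudo:     alice : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Apr 30 10:02:15 web-01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update
Apr 30 10:03:40 web-01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Apr 30 10:04:01 web-01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls /root
Apr 30 10:05:00 web-01 sshd[2201]: Accepted publickey for bob from 10.10.5.9 port 51022 ssh2
"""

# Analyst-maintained list of accounts expected to hold sudo rights (hypothetical; assumed to
# mirror the approved /etc/sudoers entries and kept outside the monitored host).
EXPECTED_SUDO_USERS = {"bob"}

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+(?P<user>\S+) : (?P<body>.*)$"
)


def parse_sudo_events(log_text):
    """Parse sudo syslog lines into dicts. Fields in the body are ' ; '-separated; KEY=VALUE
    fields become keys, and any free-text field (e.g. 'user NOT in sudoers') is the status."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue  # not a sudo line
        fields = [f.strip() for f in m.group("body").split(" ; ")]
        kv = dict(f.split("=", 1) for f in fields if "=" in f)
        status = next((f for f in fields if "=" not in f), "ok")
        events.append({"ts": m.group("ts"), "host": m.group("host"), "user": m.group("user"),
                       "status": status, "target": kv.get("USER"), "command": kv.get("COMMAND")})
    return events


def detect_unauthorized_privilege_use(log_text, expected_users):
    """Flag sudo attempts by users outside the expected list, recording why each one fired."""
    alerts = []
    for ev in parse_sudo_events(log_text):
        reasons = []
        if "NOT in sudoers" in ev["status"]:
            reasons.append("sudo denied: not in sudoers")
        if ev["user"] not in expected_users:
            reasons.append("user not on expected sudo list")
        if reasons:
            alerts.append({**ev, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_unauthorized_privilege_use(SAMPLE_AUTH_LOG, EXPECTED_SUDO_USERS):
        print(f"{a['ts']} {a['host']} {a['user']} -> {a['target']}: {a['command']} [{'; '.join(a['reasons'])}]")
```

In the sample, alice is caught by both signals, while carol's successful root shell is caught only by the second: sudo allowed it, so the host's own log looks clean, and only the comparison against the externally kept list shows that carol should not have been in sudoers at all. bob's failed password attempts are not flagged because bob is an expected sudo user; they would be a candidate for a separate, lower-severity rule.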
ADVICE: Use strong passwords with complexity and aging policies in place for all administrative accounts. Log all administrator activity and logins (both successful and failed), and require multifactor authentication for administrator access, when possible. Require lower-privilege accounts for all initial access and day-to-day activity by administrators, with greater privileges assumed only when needed.
A similar rule for Windows platforms is shown in Figure 16; if a nonprivileged user right-
Figure 16. Details for a Windows Privilege Use Rule
of privileged user activity and attempted activity. One example of this type of report is shown in Figure 17, in which we select a specified group of privileged users, grouped by login and then by common events.
Monitoring system events related to privilege use and potential misuse helps prevent the build-up of shadow IT setups and other insider threats. It is also important for
Figure 17. Privileged User Monitoring Report
especially at the perimeter.
LogRhythm supports CSC 13 in a number of ways, including the ability to:
settings that may not meet enterprise standards for hardening and security profiles
We observed all of this in our review, starting with the different types of threat intelligence sources and lists that LogRhythm can consume and integrate for monitoring, analysis and response rules and actions, as shown in Figure 18.
By default, the list has a large number of prebuilt sources, but more can easily be added by simply editing the list.
Figure 18. Third-Party Threat Intelligence Sources
By incorporating both internal and external intelligence sources and allowing analysts to
more up-to-date monitoring and alerting.
Figure 19. Zeus Malware Threat List Details
CSC 14 focuses on collection and analysis of logs, with specific control items covering
of logging anomalies. This control also specifies using central log servers for all logs,
The LogRhythm platform manages and monitors all types of log data and has an extensive range of log monitoring and alerting rules and dashboard reports available out of the box.
We monitored and verified log sources and destinations to ensure logs were being collected properly and log data was processed and correlated with other information from the environment. Figure 20 is an example of a dashboard displaying LogRhythm’s comprehensive log monitoring capabilities.
This dashboard shows the major types of log events in the top three graphs (events by
detailed lists of the alarms that were triggered related to the log data it gathered and
SANS has strongly recommended leveraging log data for security monitoring for many
data to build security intelligence.
Figure 20. Log Monitoring Dashboard
not properly set up, maintained and monitored. CSC 16 specifies that all accounts should have a purpose and a life cycle policy.
other related user activities on systems. It also correlates user activity to defined lists of accounts to ensure that they are legitimate and still active.
Figure 21 shows a monitoring dashboard we used to review account login activity, top accounts with access changes, account life cycle activity (i.e., creation, modification and deletion of accounts) and audit events.
Figure 21. Account Monitoring Dashboard
ADVICE: Routinely monitor account use and conduct audits for dormant accounts and suspicious account activity. Log failed attempts to access accounts, store and transmit account credentials using adequate encryption and use account lockout features, where available.
within a five-minute timespan, shown in Figure 22.
By monitoring account use and activity, LogRhythm helps detect or prevent illicit activity caused by compromised accounts or new accounts created for malicious purposes.
Figure 22. Repeat Login Detection Rule
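The repeat-login rule above keys on logins for one account inside a five-minute timespan. The added example below implements that as a per-account sliding window over constructed login events; it is written for this review and is not LogRhythm's rule. The page does not state how many logins trip the rule, so the threshold of four is an assumption, and the window is the five minutes the text gives. The alert also reports the distinct source addresses seen in the window, since the same account arriving from several hosts in quick succession is what usually separates a compromised credential from a user reconnecting.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed successful-login events as (timestamp, account, source address); sample input only.
SAMPLE_LOGINS = [
    ("2014-04-30 08:00:00", "alice", "10.10.5.9"),
    ("2014-04-30 08:01:10", "alice", "10.10.5.9"),
    ("2014-04-30 08:02:30", "alice", "10.10.5.40"),
    ("2014-04-30 08:03:45", "alice", "10.10.5.41"),
    ("2014-04-30 08:09:00", "alice", "10.10.5.9"),
    ("2014-04-30 08:00:05", "bob", "10.10.5.12"),
    ("2014-04-30 08:30:00", "bob", "10.10.5.12"),
    ("2014-04-30 09:00:00", "bob", "10.10.5.12"),
]


def detect_repeat_logins(events, window=timedelta(minutes=5), threshold=4):
    """Sliding-window count of logins per account. Fires when an account reaches `threshold`
    logins inside `window`, then resets that account's window so one burst yields one alert.
    The threshold value is an assumption; the page gives only the five-minute window."""
    ordered = sorted((datetime.strptime(ts, FMT), acct, src) for ts, acct, src in events)
    windows = defaultdict(deque)  # account -> recent (timestamp, source) pairs
    alerts = []
    for ts, acct, src in ordered:
        q = windows[acct]
        q.append((ts, src))
        while q and ts - q[0][0] > window:  # drop logins older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "account": acct,
                "window_start": q[0][0].strftime(FMT),
                "window_end": ts.strftime(FMT),
                "count": len(q),
                "sources": sorted({s for _, s in q}),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_repeat_logins(SAMPLE_LOGINS):
        print(f"ALERT {a['account']}: {a['count']} logins {a['window_start']}..{a['window_end']} "
              f"from {', '.join(a['sources'])}")
```

The events are sorted before processing so that log sources delivering out of order do not break the window arithmetic, and the window is evaluated on every login rather than on fixed five-minute buckets, which would miss a burst that straddles a bucket boundary.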
Conclusion
Implementing the Critical Security Controls is not easy. However, the LogRhythm platform satisfies many of the CSCs, with emphasis on the 10 mentioned in this review.
easy configuration rules for vulnerability and threat detection and reporting. It meets
support for secure configuration, privileged user controls and more.
Because this one tool meets so many of these controls, LogRhythm also helps meet the CSC goal of automating as many processes as possible to reduce human-induced
tools such as LogRhythm go a long way to defining and augmenting a foundation of security controls overall. As the CSCs continue to improve, it is our hope that intelligent
challenge IT security departments.
About the Author
instructor and course author, and a GIAC technical director. He has consulted with hundreds
Virtualization Security. Recently, Dave co-
serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.
Sponsor
SANS would like to thank this paper’s sponsor: