Saturday, August 24, 2019

Maximizing the SIEM - Moving beyond compliance by addressing risk

Authors: Nik Alleyne & Jide Ajomale

Working for a managed security services provider (MSSP) puts us in the position to see how and why organizations implement many of their security tools. One of the major learnings from our work, from collaboration with colleagues across different organizations and from conversations with security folks in general, is that many organizations implement these technologies, in many cases, to satisfy a compliance requirement. While this is not necessarily bad, we should also look to maximize the investment made in these technologies once the compliance requirement has been met. This means we now have to figure out how to move beyond compliance to risk management.

In this post specifically, the focus is on the Security Information and Event Management (SIEM) system. How do we maximize the SIEM once compliance has been met? Our perspective is that once an organization has satisfied its compliance requirements, its next strategic move should be primarily risk based. Security is a game of cat and mouse, i.e. attackers vs. defenders. With that said, it is extremely difficult for us defenders and/or our organizations to defend and protect all of our assets equally. This is further compounded by the fact that we live in a world in which we must assume a breach will occur. The most recent significant breach, related to MasterCard, shows that be it a (mis)configuration issue or a vulnerability, compromises will occur. What matters is how soon we detect them. Thus, it is imperative that the SIEM is seen not simply as a device implemented to satisfy a compliance requirement, but as a device we use as part of our risk management strategy.

Once the organization has achieved its compliance objectives and is now looking at the risks, the first question it should answer is: what are our High Value Assets (HVAs)? Once the organization has a clear understanding of its High Value Assets, it should ensure these are effectively monitored via the SIEM. The reality is, the organization’s High Value Assets are more than likely the threat actor’s High Value Targets (HVTs).

Important to note, the threat actors are mostly after the data you have. They may also use this as a means to attack your infrastructure and may even use your infrastructure as a means to attack other organizations. These actions not only disrupt your business operations but also those of your partners and/or other organizations involved. One of the most important breaches which can be used to reinforce this point is the compromise of Target Co, which was initiated from a compromised HVAC provider (, 2015). At this point, some of the organization’s HVAs (in no specific order) may be as follows:

1. Internet facing e-commerce servers
2. Devices providing authentication services (Active Directory, etc)
3. Devices acting as guards :-) (Firewalls, proxy, router, etc)
4. Endpoint security tools, etc.
5. Critical databases
6. Custom applications
7. etc ...

The organization must be clear in its ability to answer why these assets are important to it. Simply categorizing all assets as high value does the organization, its security team and the investment made in the SIEM tool(s) no good. Two key perspectives the organization can use to determine whether these assets are truly high value are the impact on the company’s reputation and brand, and the impact on its financial statements.

Now that the organization has a clear understanding of, and has made a decision on, its High Value Assets, its next step is to identify the risk associated with those assets. There are different formulas for calculating risk; the organization should choose the one it feels most comfortable with. For our purpose we will follow the OWASP Risk Rating Methodology:

Risk = Likelihood * Impact

From the organization’s HVAs, the next step should be to prioritize those assets based on the likelihood of a compromise and the impact to the organization if one of these devices were compromised. As you think of likelihood, consider a situation where a host is vulnerable, it is exposed to the internet and an exploit is available. From our perspective and experience, there is a high likelihood that this host will be compromised. The question may simply be how long it takes before it truly is.

Now that we understand the likelihood, let's look at the impact. Let's assume that, on a scale of 1-10, there is a high likelihood that this host will be compromised. If it is successfully compromised, what would the impact be? Can the business continue for a day, a few months or even years if this device were compromised? That is, the device no longer maintains the confidentiality of its data, its users have lost confidence in its integrity and the device is no longer available to the organization. Basically, does it have any or all of the CIA (Confidentiality, Integrity and Availability) triad intact?

What about economic impact? Will the compromise cost the organization thousands, millions or billions of dollars the longer the CIA triad is not intact? Are there regulatory, brand and/or reputational impacts which should be considered if this asset were compromised? More importantly, since this post is written from a SIEM perspective, will you be able to detect and investigate the incident with the ultimate aim of answering the who, what, when, where, why and how of the breach/security incident? The logs (and packets/flows) put you in the best position to answer these questions.

Considering the preceding, once you have satisfied your compliance requirements, to maximize your security technology investments, more specifically the SIEM in this case, you need to look at the risk associated with the assets which run the business. Once this is clear, conduct threat modelling exercises in order to identify supporting infrastructure or applications that could be leveraged to compromise these assets, and implement logging for the devices with the highest risk first. Make sound business and risk decisions as to whether you log successes and/or failures, permits and/or denies, allowed vs. blocked, etc. For more guidance on the considerations you should have when logging, see Nik’s presentation on building a forensically capable network infrastructure (Alleyne, 2019).
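To make the steps above concrete (pick the HVAs, score likelihood and impact, apply Risk = Likelihood * Impact, then onboard logging for the highest-risk assets first), here is an added example in Python. It is not code from the original post or from the authors; the inventory, asset names and scores are constructed for illustration. It assumes a hypothetical subset of the OWASP Risk Rating Methodology factors, averaged on OWASP's 0-9 scale and bucketed with OWASP's LOW/MEDIUM/HIGH thresholds and overall-severity matrix, alongside the post's own multiplicative formula for ranking. The `logs_to_siem` flag is an assumption added so the script can report which high-risk assets still have no SIEM coverage.

```python
from dataclasses import dataclass
from typing import List


# OWASP Risk Rating Methodology buckets for a 0-9 score:
# below 3 is LOW, 3 to under 6 is MEDIUM, 6 and above is HIGH.
def rate(score: float) -> str:
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# OWASP overall risk severity matrix, indexed as SEVERITY[impact][likelihood].
SEVERITY = {
    "LOW":    {"LOW": "NOTE",   "MEDIUM": "LOW",    "HIGH": "MEDIUM"},
    "MEDIUM": {"LOW": "LOW",    "MEDIUM": "MEDIUM", "HIGH": "HIGH"},
    "HIGH":   {"LOW": "MEDIUM", "MEDIUM": "HIGH",   "HIGH": "CRITICAL"},
}


@dataclass
class Asset:
    """One High Value Asset with its likelihood and impact factors (each 0-9).

    The factor set is a hypothetical subset of the OWASP factors, chosen to
    match the post: internet exposure, a known vulnerability, an available
    exploit, and whether an intrusion would go unnoticed (OWASP's
    'intrusion detection' factor, where 9 means 'not logged')."""
    name: str
    internet_exposed: int      # 9 = directly reachable from the internet
    known_vulnerability: int   # 9 = unpatched vulnerability present
    exploit_available: int     # 9 = public exploit exists
    not_detected: int          # 9 = activity is not logged at all
    confidentiality: int       # impact factors: CIA triad plus business impact
    integrity: int
    availability: int
    financial: int
    regulatory: int
    logs_to_siem: bool = False  # assumed flag: already onboarded to the SIEM?

    def likelihood(self) -> float:
        factors = [self.internet_exposed, self.known_vulnerability,
                   self.exploit_available, self.not_detected]
        return sum(factors) / len(factors)

    def impact(self) -> float:
        factors = [self.confidentiality, self.integrity, self.availability,
                   self.financial, self.regulatory]
        return sum(factors) / len(factors)

    def risk(self) -> float:
        # The post's formula: Risk = Likelihood * Impact
        return self.likelihood() * self.impact()

    def severity(self) -> str:
        return SEVERITY[rate(self.impact())][rate(self.likelihood())]


def prioritize(assets: List[Asset]) -> List[Asset]:
    """Order assets so the highest-risk ones get logging onboarded first."""
    return sorted(assets, key=lambda a: a.risk(), reverse=True)


def logging_gaps(assets: List[Asset]) -> List[str]:
    """Names of HIGH/CRITICAL assets that do not yet send logs to the SIEM."""
    return [a.name for a in prioritize(assets)
            if not a.logs_to_siem and a.severity() in ("HIGH", "CRITICAL")]


# Constructed inventory for illustration; the names and scores are invented.
# Column order: exposure, vuln, exploit, not_detected | C, I, A, financial, regulatory
INVENTORY = [
    Asset("ecommerce-web",    9, 7, 9, 6,  9, 7, 9, 9, 8, logs_to_siem=False),
    Asset("active-directory", 1, 5, 5, 3,  9, 9, 9, 8, 7, logs_to_siem=True),
    Asset("hvac-vendor-vpn",  9, 6, 5, 9,  4, 6, 2, 5, 6, logs_to_siem=False),
    Asset("intranet-wiki",    0, 3, 2, 9,  2, 2, 1, 1, 0, logs_to_siem=False),
]

if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        print(f"{a.name:18} likelihood={a.likelihood():.2f} "
              f"impact={a.impact():.2f} risk={a.risk():.1f} "
              f"severity={a.severity()} siem={a.logs_to_siem}")
    print("onboard first:", logging_gaps(INVENTORY))
```

With the constructed inventory, the internet-facing e-commerce server (vulnerable, exposed, exploit available) ranks first and is rated CRITICAL, and the third-party HVAC vendor VPN outranks Active Directory on the multiplicative score even though its impact is lower, because nothing on it is being logged. Both appear in the onboarding gap list; Active Directory does not, since it already ships logs to the SIEM. Swap in your own factor weights and inventory, and the same two functions give you a defensible order in which to turn on logging.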

We hope this post helps you look beyond compliance and instead at the risk to your business as you look to maximize your investment in the SIEM.

Additional Readings
