Tuesday, November 22, 2011

Money Shot

Finding the money shot is key to successfully containing an emerging threat.  What do I mean by the money shot?  It is the point of no return in a security incident.  In most malicious code incidents, that is the moment a binary reaches a system (via HTTP download, email, or some other means) and successfully executes.  It's fairly common nowadays to see 2, 3, 4, or more re-directs from one compromised or malicious site to another before the money shot is finally reached.  But trying to keep up with blocking/containing every stage 1, stage 2, etc. re-direct domain is an exhausting and futile process.  On top of that, it's an extremely false-positive-prone undertaking that can cause a fair bit of collateral damage as well (blocking traffic necessary for business operations).  Focus on the money shot first.  That's where the most containment bang for the buck is to be found, and it's the only chance we as practitioners have at keeping up with the ever-changing landscape.  It's all about the money shot.
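As an added illustration (not part of the original post), here is a small Python script run over a constructed proxy log: it flags only the stage where an executable is actually delivered and reconstructs the preceding redirect hops as context, so the containment decision lands on the payload host rather than on every redirect domain.  The log lines, hostnames, and content-type list are assumptions made up for the example; note that two of the redirect hosts also appear in a chain that ends at a harmless page, which is exactly the false-positive problem with blocking redirect domains.

```python
from urllib.parse import urlparse

# Content types a proxy commonly records for Windows executables (assumption: the
# proxy logs the response Content-Type; a real deployment would also hash the body).
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/octet-stream"}

# Constructed proxy log, not from the original post. Fields: time, client, status,
# content-type, bytes, URL. Client 10.0.0.5 passes three redirects before fetching
# an executable; client 10.0.0.7 passes two redirects that end at a harmless page.
PROXY_LOG = """\
09:14:01 10.0.0.5 200 text/html 14220 http://news-site.example/article.html
09:14:02 10.0.0.5 302 text/html 0 http://ads.example/show?id=7
09:14:02 10.0.0.5 302 text/html 0 http://cdn-redirector.example/go
09:14:03 10.0.0.5 302 text/html 0 http://traffic-router.example/r
09:14:03 10.0.0.5 200 application/x-msdownload 215040 http://payload-host.example/update.exe
09:20:15 10.0.0.7 302 text/html 0 http://ads.example/show?id=9
09:20:15 10.0.0.7 302 text/html 0 http://cdn-redirector.example/go
09:20:16 10.0.0.7 200 text/html 8100 http://vendor-site.example/landing.html
"""

def parse_proxy_log(text):
    events = []
    for line in text.splitlines():
        ts, client, status, ctype, size, url = line.split()
        events.append({"ts": ts, "client": client, "status": int(status),
                       "ctype": ctype, "size": int(size), "url": url})
    return events

def redirect_hosts_before(events, idx):
    """Walk backwards from events[idx] over the same client's contiguous 3xx responses."""
    client = events[idx]["client"]
    hosts = []
    for e in reversed(events[:idx]):
        if e["client"] != client:
            continue
        if not 300 <= e["status"] < 400:
            break
        hosts.insert(0, urlparse(e["url"]).hostname)
    return hosts

def find_money_shots(events):
    """Return one record per executable actually delivered: the containment target."""
    hits = []
    for i, e in enumerate(events):
        if e["status"] == 200 and e["ctype"] in EXECUTABLE_TYPES and e["size"] > 0:
            hits.append({"client": e["client"], "payload_url": e["url"],
                         "payload_host": urlparse(e["url"]).hostname,
                         "redirect_hosts": redirect_hosts_before(events, i)})
    return hits

if __name__ == "__main__":
    for hit in find_money_shots(parse_proxy_log(PROXY_LOG)):
        print(f"{hit['client']} fetched {hit['payload_url']} via {hit['redirect_hosts']}")
        print(f"  contain: {hit['payload_host']}; redirect hosts are context only")
```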

Message Clarity

Message clarity is a common sense concept that, unfortunately, is not always so common.  In the practice of network security monitoring, clearly communicating a simple and straightforward message is often necessary in order to conduct proper security operations.  In other words, clearly communicating and leveraging data about new tactics, infection vectors, indicators of compromise, command and control channels, and other important data can help organizations successfully contain and remediate new campaigns, rather than falling victim to them.

I've so often seen cases where the message is garbled or over-complicated (for whatever reason -- be it a lack of knowledge, lack of communication skills, or some other reason).  This helps no one.  I've often been told that one of my greatest strengths is being able to clearly and effectively communicate what I find through detailed analysis in an easy to understand manner.  There is elegance in simplicity -- I firmly believe that.  And an elegant, clear, concise, and simple message can often facilitate network security monitoring and security operations.

Tuesday, November 1, 2011

Properly Leveraging a SIEM

For some reason, when organizations have a SIEM, the overwhelming tendency is to deluge the SIEM with data.  Any kind of data -- as much as can be gathered from myriad data sources, regardless of its actual value to security operations and incident response (I've previously blogged on the difference between data value and data volume).  To be fair, I can completely understand the need to log as much data as possible to a SIEM for auditing and retention purposes -- one never knows what data might be needed for an investigation.  However, it is also often the case that organizations have a hard time distinguishing between data that is to be retained vs. data that is to be reviewed/analyzed/monitored as part of a Security Operations Center's/Incident Response Center's operational workflow.  There is a difference, and it's an important one to understand.

A SIEM can be a valuable tool to use as the foundation of an organization's security operations workflow -- but only if it is configured/set up in such a way as to provide events of value to the analysts and incident handlers.  In other words, if there is more noise than value-add, human nature is to tune out.  There are a number of techniques that one can employ to increase the value-add of one's SIEM by selectively and precisely engineering/tuning the rules, events, and views presented to the analyst.  They mainly involve (surprise, surprise) studying, analyzing, and understanding the data on the network, and then purposely selecting those rules, events, and views that will return the most bang for the buck when presented to the analyst and/or incident handler.

I believe this to be an important point that is, unfortunately, often overlooked by organizations.