When SIEM is not enough…

Two years ago, after the antivirus solutions were declared “dead”, another technology joined, or is on a good way to becoming a part of the “dead club”. According to some researches, as much as 65% of security experts consider SIEM (Log management) to be a solution not capable of dealing with security problems of today. Although, same as the antivirus solutions, SIEM also has its place in the overall defensive pose of the company and is an inevitable part of it (if nothing else, due to the need for adjusting to laws and standards). Logo gathering is simply not effective enough to detect today’s attack types and methods.

Due to the complexity and the size of a firm, the SIEM solutions are starting to become less and less usable for multiple reasons: too many events to be followed, the lack of professionals who know how to interpret and put them into the right context, the complexity of adjusting SIEM to work on and detect malicious models in the system and user behavior. The additional expectations of the companies are too big. Why? The SIEM solutions are expensive, their implementation is long and tiring, and in the end, there is always the problem of having to constantly install extra solutions, to be able to have an insight into the relevant security problems. SIEM “Out-of-the-box” does not give any significant detection or analytical abilities, due to which it remains, in most cases, unused and its full potential is hardly and rarely ever fully achieved, which usually leaves a bitter taste in its users’ mouths. With all the mentioned above, companies are starting to become more and more conscious about security problems, and questions, which even SIEM has no answers to, are asked:

1. How to detect if the user data has been compromised (password/user name)?
2. How to be sure that the external entities (e.g. cloud service provider) are taking care of the data adequately?
3. Can we be sure that the users haven’t shared their passwords with other people, or made it accessible to the entire Internet out of negligence?
4. How to recognize patterns in user’s behavior? Are all events related to accessing the workstations or servers legitimate or are there any anomalies?
5. Are we capable of detecting the “pass the hash” vulnerability abuse?
6. When a safety incident occurs, are we able to make a quick analysis and inquest without the need for external associates and specific skills, which are hard to find?
7. Are we able to track the attacker’s lateral movements on the workstations and servers?
8. Can we detect the spear phishing attacks, created especially for our users and company?
9. How to get an insight to potential anomalies when accessing to VPN or Webmail? Can we recognize when a user connects from Croatia and then 15 minutes later from China?
10. Can we recognize and detect the indicators of compromise, which aren’t visible in the log records?

These are just some of the many questions we need answers to, if we want to be adequately protected from threats, as well as to be able to detect and analyze them. A lot of new solutions have appeared on the market. One of them is certainly UserInsight, the Rapid7 company’s solution. UserInsight is a cloud solution, which deals with analyzing and detecting anomalies in user behavior and managing incidents, and it is a solution that has the answers to all the questions asked above. The system is easily set up and it functions on the “collector” principle. Collectors are a software component which monitor different sources of information in the system (firewalls, Windows log, mobile devices, workstations, SIEM, LDAP, DHCP, MS Exchange…). Information is collected without the need for installing agents to the information sources, and the list of the sources themselves change on a daily bases and all relevant information sources enter the list of support quickly. After the system has been installed, the insight into suspicious and potentially malicious activity is gained easily and quickly. The “Out-of-the-box system” enables the installation of traps (Honeypots). The honeypots are virtual machines, which can be adjusted based on the user’s wishes, and they serve as  baits for the attackers. After being installed into the system, UserInsight controls them and traces what type of connection and which actions are aimed towards those machines. In that way, you get a really good mechanism for an easy and quick detection of the intruder, because the virtual machine serves the services, which are very alluring to the attackers and which look like parts of a system that is easily compromised. By using the virtual decoys, the system’s possibilities to detect are pretty wide, and capable of detecting all malicious acts that are indicators of compromising. Some important indicators which the system detects, when it is being networked:

1. Detection of the „pass the hash“ attacks
2. Detection of the administrative actions in a system, according to, or out of the parameters
3. Detection of the anomalies in user behavior, i.e. user access to resources, which the user has never before accessed
4. Detection of the processes that are being executed on the servers and workstations, which are out of norm
5. Lateral motion on the network
6. Company’s user accounts appearing on hacker networks and forums
7. Accessing and using IT systems from locations that are not matching to the usual patterns or are not possible to achieve (i.e. the system being accessed from Slovenia and China within an hour)
8. Mail messages entering the system with a specially created links, similar to the domains which the company uses (Spear-phishing, phishing)

It is important to note that the UserInsight enables both analyzing and managing the detected incidents, and in that way, it is possible to analyze each action deeper and to easily do the analyses, which can, with only a few clicks, show when the incident started, where it happened and how big the final influence on the environment and on the system is. Given the fact that most breaks into the companies’ systems are not detected for more than 6 months after they have happened, and that the most compromised companies have had, or still have a SIEM solution, it is clear that SIEM is just not enough. To be able to fight the threats, we need adequate tools to do it.