Subsections of Cyber Threat Intelligence

Threat Intelligence and Cybersecurity

Threat Intelligence Overview

“Cyber threat intelligence is information about threats and threat actors that helps mitigate harmful events in cyberspace.”

Cyber threat intelligence provides a number of benefits, including:

  • Empowers organizations to develop a proactive cybersecurity posture and to bolster overall risk management policies.
  • Drives momentum toward a cybersecurity posture that is predictive, not just reactive.
  • Enables improved detection of threats.
  • Informs better decision-making during and following the detection of a cyber intrusion.

Today’s security drivers

  • Breached records

  • Human Error

  • IOT innovation

  • Breach cost amplifiers

  • Skills gap

Attackers break through conventional safeguards every day.


Threat Intelligence Strategy and External Sources

Threat Intelligence Strategy Map:


Sharing Threat Intelligence

“In practice, successful Threat Intelligence initiatives generate insights and actions that can help to inform the decisions – both tactical, and strategic – of multiple people and teams, throughout your organization.”

Threat Intelligence Strategy Map: From technical activities to business value:

  1. Level 1 Analyst
  2. Level 2/3 Analyst
  3. Operational Leaders
  4. Strategic Leaders

Intelligence Areas (CrowdStrike model)

Tactical: Focused on performing malware analysis and enrichment, as well as ingesting atomic, static, and behavioral threat indicators into defensive cybersecurity systems.

Stakeholders:

  • SOC Analyst
  • SIEM
  • Firewall
  • Endpoints
  • IDS/IPS

Operation: Focused on understanding adversarial capabilities, infrastructure, and TTPs, and then leveraging that understanding to conduct more targeted and prioritized cybersecurity operations.

Stakeholders:

  • Threat Hunter
  • SOC Analyst
  • Vulnerability Mgmt.
  • IR
  • Insider Threat

Strategic: Focused on understanding high level trends and adversarial motives, and then leveraging that understanding to engage in strategic security and business decision-making.

Stakeholders:

  • CISO
  • CIO
  • CTO
  • Executive Board
  • Strategic Intel


Threat Intelligence Platforms

“Threat Intelligence Platforms is an emerging technology discipline that helps organizations aggregate, correlate, and analyze threat data from multiple sources in real time to support defensive actions.”

These are made up of several primary feature areas that allow organizations to implement an intelligence-driven security approach.

  1. Collect
  2. Correlate
  3. Enrichment and Contextualization
  4. Analyze
  5. Integrate
  6. Act
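The tactical use of intelligence described above (ingesting atomic indicators into defensive systems) and the Collect/Correlate/Enrich feature areas of a platform, shown as an added example that is not from the original notes or any of the products named here. The feed format, the log lines and the campaign names are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed indicator feed in a simple "kind,value,context" form. Values are
# defanged the way many feeds publish them ("[.]" for ".", "hxxp" for "http").
SAMPLE_FEED = """\
# kind,value,context
domain,evil-updates[.]example,Sample campaign A
ipv4,203[.]0[.]113[.]42,Sample campaign A
url,hxxp://evil-updates[.]example/stage2.bin,Sample campaign A
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,Empty-file hash (test)
"""

# Constructed log lines from three different sources (proxy, firewall, EDR).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy user=alice dst=EVIL-UPDATES.example. url=http://evil-updates.example/stage2.bin",
    "2024-05-01T10:00:05Z proxy user=bob dst=www.example.org url=http://www.example.org/",
    "2024-05-01T10:01:10Z fw action=allow src=10.0.0.7 dst=203.0.113.42 dport=443",
    "2024-05-01T10:02:00Z edr host=ws01 file_sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str      # normalized (refanged, lower-cased) value
    context: str    # campaign / report the indicator came from


def normalize(value: str) -> str:
    """Canonical form shared by feed values and log tokens: lower-case, no trailing dot."""
    return value.strip().lower().rstrip(".")


def refang(value: str) -> str:
    """Undo common defanging so a feed value can be compared with real log data."""
    v = value.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    if v.lower().startswith("hxxp"):
        v = "http" + v[4:]
    return normalize(v)


def parse_feed(text: str) -> dict[str, Indicator]:
    """Collect step: parse the feed into a lookup table keyed by normalized value."""
    table: dict[str, Indicator] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, context = (part.strip() for part in line.split(",", 2))
        norm = refang(value)
        table[norm] = Indicator(kind, norm, context)
    return table


# Log tokens are separated by whitespace, key=value "=", commas and quotes.
TOKEN_RE = re.compile(r"[^\s=,\"']+")


def match_logs(table: dict[str, Indicator], logs: list[str]) -> list[tuple[int, Indicator]]:
    """Correlate step: (line_number, indicator) for every log line containing a known value."""
    hits: list[tuple[int, Indicator]] = []
    for lineno, line in enumerate(logs, start=1):
        seen: set[str] = set()
        for token in TOKEN_RE.findall(line):
            norm = normalize(token)
            indicator = table.get(norm)
            if indicator and norm not in seen:
                seen.add(norm)
                hits.append((lineno, indicator))
    return hits


def group_by_context(hits: list[tuple[int, Indicator]]) -> dict[str, list[tuple[int, str, str]]]:
    """Enrichment step: group hits by the campaign they belong to, for analyst triage."""
    grouped: dict[str, list[tuple[int, str, str]]] = defaultdict(list)
    for lineno, indicator in hits:
        grouped[indicator.context].append((lineno, indicator.kind, indicator.value))
    return dict(grouped)


if __name__ == "__main__":
    table = parse_feed(SAMPLE_FEED)
    for context, entries in group_by_context(match_logs(table, SAMPLE_LOGS)).items():
        print(context)
        for lineno, kind, value in entries:
            print(f"  log line {lineno}: {kind} {value}")
```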

Platforms

Recorded Future

Fusion builds on top of Recorded Future’s already extensive threat intelligence to provide a complete solution. Use Fusion to centralize data and get the most holistic and relevant picture of your threat landscape.

Features include:

  • Centralize and Contextualize all sources of threat data.
  • Collaborate on analysis from a single source of truth.
  • Customize intelligence to increase relevance.

FireEye

Threat Intelligence Subscriptions: choose the level and depth of intelligence, integration and enablement your security program needs.

Subscriptions include:

  • Fusion Intelligence
  • Strategic Intelligence
  • Operation Intelligence
  • Vulnerability Intelligence
  • Cyber Physical Intelligence
  • Cyber Crime Intelligence
  • Cyber Espionage Intelligence

IBM X-Force Exchange

IBM X-Force Exchange is a cloud-based threat intelligence sharing platform enabling users to rapidly research the latest security threats, aggregate actionable intelligence and collaborate with peers. IBM X-Force Exchange is supported by human and machine-generated intelligence leveraging the scale of IBM X-Force.

  • Access and share threat data
  • Integrate with other solutions
  • Boost security operations

TruSTAR

TruSTAR is an intelligence management platform that helps you operationalize data across tools and teams, helping you prioritize investigations and accelerate incident response.

  • Streamlined Workflow Integrations
  • Secure Access Control
  • Advanced Search
  • Automated Data ingest and Normalization

Threat Intelligence Frameworks

Getting Started with ATT&CK

Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) can be useful for any organization that wants to move toward a threat-informed defense.


Level 2:

  1. Understand ATT&CK
  2. Find the behavior
  3. Translate the behavior into a tactic
  4. Figure out what technique applies to the behavior
  5. Compare your results to those of other analysts

Cyber Threat Framework


An integrated and intelligent security immune system


Best practices: Intelligent detection

  1. Predict and prioritize security weaknesses
    • Gather threat intelligence information
    • Manage vulnerabilities and risks
    • Augment vulnerability scan data with context for optimized prioritization
    • Manage device configuration (firewalls, switches, routers, IPS/IDS)
  2. Detect deviations to identify malicious activity
    • Establish baseline behavior
    • Monitor and investigate anomalies
    • Monitor network flows
  3. React in real time to exploits
    • Correlate logs, events, network flows, identities, assets, vulnerabilities, and configurations, and add context
    • Use automated and cognitive solutions to make data actionable by existing staff

Security Intelligence

“The real-time collection, normalization, and analytics of the data generated by users, applications, and infrastructure that impacts the IT security and risk posture of an enterprise.”

Security Intelligence provides actionable and comprehensive insights for managing risks and threats from protection and detection through remediation.

Ask the right questions – The exploit timeline


3 Pillars of Effective Threat Detection

  • See Everything
  • Automate Intelligence
  • Become Proactive

Security Effectiveness Reality


Key Takeaways


Data Loss Prevention and Mobile Endpoint Protection

What is Data Security and Protection?

Protecting the:

  • Confidentiality
  • Integrity
  • Availability

Of data:

  • In transit
  • At rest
    • Databases
    • Unstructured data (files)
    • On endpoints

What are we protecting against?

Deliberate attacks:

  • Hackers
  • Denial of Service

Inadvertent attacks:

  • Operator error
  • Natural disaster
  • Component failure

Data Security Top Challenges

  • Explosive data growth
  • New privacy regulations (GDPR, Brazil’s LGPD etc.)
  • Operational complexity
  • Cybersecurity skills shortage

Data Security Common Pitfalls

Five epic fails in Data Security:

  • Failure to move beyond compliance
  • Failure to recognize the need for centralized data security
  • Failure to define who owns the responsibility for the data itself
  • Failure to address known vulnerabilities
  • Failure to prioritize and leverage data activity monitoring

Industry Specific Data Security Challenges

Healthcare

  • Process and store combination of personal health information and payment card data.
  • Subject to strict data privacy regulations such as HIPAA.
  • May also be subject to financial standards and regulations.
  • Highest cost per breach record.
  • Data security critical for both business and regulatory compliance.

Transportation

  • Critical part of national infrastructure
  • Combines financially sensitive information and personal identification
  • Relies on distributed IT infrastructure and third party vendors

Financial industries and insurance

  • Most targeted industry: 19% of cyberattacks in 2018
  • Strong financial motivation for both external and internal attacks
  • Numerous industry-specific regulations require complex compliance measures

Retail

  • Among the most highly targeted groups for data breaches
  • Large number of access points in retail data lifecycle
  • Customers and associates access and share sensitive data in physical outlets, online, mobile applications

Capabilities of Data Protection

The Top 12 critical data protection capabilities:

  1. Data Discovery
    • Where sensitive data resides
    • Cross-silo, centralized efforts
  2. Data Classification
    • Parse discovered data sources to determine the kind of data
  3. Vulnerability Assessment
    • Determine areas of weakness
    • Iterative process
  4. Data Risk Analysis
    • Identify data sources with the greatest risk exposure or audit failure and help prioritize where to focus first
    • Build on classification and vulnerability assessment
  5. Data and File Activity Monitoring
    • Capture and record real-time data access activity
    • Centralized policies
    • Resource intensive
  6. Real-time Alerting
  7. Blocking, Masking, and Quarantining
    • Obscure data and/or block further action by risky users when activities deviate from the regular baseline or pre-defined policies
    • Provide only the level of access to data that is necessary
  8. Active Analytics
    • Capture insight into key threats such as SQL injection, malicious stored procedures, DoS, data leakage, account takeover, data tampering, schema tampering, etc.
    • Develop recommendations for actions to reduce risk
  9. Encryption
  10. Tokenization
    • A special type of format-preserving encryption that substitutes sensitive data with a token, which can be mapped back to the original value
  11. Key Management
    • Securely distribute keys across a complex encryption landscape
    • Centralize key management
    • Enable organized, secure key management that keeps data private and compliant
  12. Automated Compliance Reporting
    • Pre-built capabilities mapped to specific regulations such as GDPR, HIPAA, PCI-DSS, CCPA and so on
    • Includes:
      • Audit workflows to streamline approval processes
      • Out-of-the-box reports
      • Pre-built classification patterns for regulated data
      • Tamper-proof audit repository


Data Protection – Industry Example

Guardium supports the data protection journey.


Guardium – Data Security and Privacy

  • Protect all data against unauthorized access
  • Enable organizations to comply with government regulations and industry standards



Mobile Endpoint Protection

iOS

  • Developed by Apple
  • Launched in 2007
  • ~13% of devices (based on usage)
  • ~60% of tablets worldwide run iOS/iPadOS
  • MDM capabilities available since iOS 6

Android

  • Android Inc. was a small team working on an alternative to the Symbian and Windows Mobile OSs.
  • Purchased by Google in 2005; the Linux kernel became the base of the Android OS. Now developed primarily by Google and a consortium known as the Open Handset Alliance.
  • First public release in 2008
  • ~86% of smartphones and ~39% of tablets run some form of Android.
  • MDM capabilities since Android 2.2.

How do mobile endpoints differ from traditional endpoints?

  • Users don’t interface directly with the OS.
  • A series of applications act as a broker between the user and the OS.
  • OS stability can be easily monitored, and any anomalies that present risk can be reported.
  • Antivirus software can “see” the apps that are installed on a device and match certain signatures, but cannot peek inside at their contents.

Primary Threats To Mobile Endpoints

System-based threats:

  • Jailbreaking and rooting exploit vulnerabilities to provide root access to the system.
  • Systems that were previously read-only can be altered in malicious ways.
  • One primary purpose is to gain access to apps that are not approved, or to alter the boot process.
  • Vulnerabilities and exploits in the core code can open devices to remote attacks that provide root access.

App-based threats:

  • Phishing scams, via SMS or email
  • Malicious code
  • Apps may request access to hardware features irrelevant to their functionality
  • Web content in mobile browsers, especially content that prompts for app installations, can be the root cause of many attacks

External threats:

  • Network-based attacks
  • Tethering devices to external media can expose them to exploitation of vulnerabilities
  • Social engineering to gain unauthorized access to the device

Protecting mobile assets

  • MDM: Control the content allowed on the devices, restrict access to potentially dangerous features.
  • App security: Report on the health and reliability of applications, oftentimes before they even make it on the devices.
  • User Training

Day-to-day operations

While it may seem like a lot to monitor hundreds, thousands, or hundreds of thousands of devices daily, much of the information can be digested by automated systems and action taken without much admin interaction.


Scanning

Vulnerability Assessment Tools

“Vulnerability scanning identifies hosts and host attributes (e.g., OSs, applications, open ports), but it also attempts to identify vulnerabilities rather than relying on human interpretation of the scanning results. Vulnerability scanning can help identify outdated software versions, missing patches, and misconfigurations, and validate compliance with or deviation from an organization’s security policy.” — NIST SP 800-115

What is a Vulnerability Scanner?

Capabilities:

  • Keeping an up-to-date database of vulnerabilities.
  • Detection of genuine vulnerabilities without an excessive number of false positives.
  • Ability to conduct multiple scans at the same time.
  • Ability to perform trend analyses and create clear reports of the results.
  • Provide recommendations for effective countermeasures to eliminate discovered vulnerabilities.

Components of Vulnerability Scanners

There are 4 main components of most scanners:

  1. Scan Engine
    • Performs security checks according to its installed plug-ins, identifying system information and vulnerabilities.
  2. Report Module
    • Provides scan result reporting such as technical reports for system administrators, summary reports for security managers, and high-level graph and trend reports for corporate executive leadership.
  3. Database
    • Stores vulnerability information, scan results, and other data used by the scanner.
  4. User Interface
    • Allows the admin to operate the scanner. It may be either a GUI or just a CLI.

Host & Network

Internal threats:

  • Malware or a virus downloaded onto the network via the internet or USB.
  • A disgruntled employee who has internal network access.
  • An outside attacker who has gained access to the internal network.
  • The internal scan is done by running the vulnerability scanner on the critical components of the network from a machine that is part of the network. These components may include core routers, switches, workstations, web servers, databases, etc.

External threats:

  • The external scan is critical because it detects vulnerabilities in internet-facing assets through which an attacker could gain internal access.

Common Vulnerability Scoring Systems (CVSS)

The CVSS is a way of assigning severity rankings to computer system vulnerabilities, ranging from zero (least severe) to 10 (most severe).

  • It provides a standardized vulnerability score across the industry, helping critical information flow more effectively between sections within an organization and between organizations.
  • The formula for determining the score is public and freely distributed, providing transparency.
  • It helps prioritize risk — CVSS rankings provide both a general score and more specific metrics.


Score Breakdown:

The CVSS score has three values for ranking a vulnerability:

  1. A base score, which gives an idea of how easy the vulnerability is to exploit and how much damage an exploit targeting it could inflict.
  2. A temporal score, which ranks how aware people are of the vulnerability, what remedial steps are being taken, and whether threat actors are targeting it.
  3. An environmental score, which provides a more customized metric specific to an organization or work environment.


STIGS – Security Technical Implementation Guides

  • The Defense Information Systems Agency (DISA) is the entity responsible for maintaining the security posture of the DoD IT infrastructure.
  • Default configurations for many applications are inadequate in terms of security, and therefore DISA felt that developing a security standard for these applications would allow various DoD agencies to utilize the same standard – or STIG – across all application instances that exist.
  • STIGs exist for a variety of software packages including OSs, DBAs, OSS, Network devices, Wireless devices, Virtual software, and, as the list continues to grow, now even include Mobile Operating Systems.

Center for Internet Security (CIS)

Benchmarks:

  • CIS benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia.
  • The initial benchmark development process defines the scope of the benchmark and begins the discussion, creation, and testing process of working drafts. Using the CIS WorkBench community website, discussion threads are established to continue dialogue until a consensus has been reached on proposed recommendations and the working drafts. Once consensus has been reached in the CIS Benchmark community, the final benchmark is published and released online.

Controls: The CIS Controls™ are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The CIS Controls are developed by a community of IT experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices.

The five critical tenets of an effective cyber defense system as reflected in the CIS Controls are:

  1. Offense informs defense
  2. Prioritization
  3. Measurements and metrics
  4. Continuous diagnostics and mitigation
  5. Automation

Implementation Groups


20 CIS Controls


Port Scanning

“Network port and service identification involves using a port scanner to identify network ports and services operating on active hosts–such as FTP and HTTP–and the application that is running each identified service, such as Microsoft Internet Information Server (IIS) or Apache for the HTTP service. All basic scanners can identify active hosts and open ports, but some scanners are also able to provide additional information on the scanned hosts.” —NIST SP 800-115

Ports

  • Managed by IANA.

Responses

  • A port scanner is a simple computer program that checks all of those doors – which we will start calling ports – and responds with one of three possible responses:
    1. Open — Accepted
    2. Close — Not Listening
    3. Filtered — Dropped, Blocked

Types of Scans

Port scanning is a method of determining which ports on a network are open and could be receiving or sending data. It is also a process for sending packets to specific ports on a host and analyzing responses to identify vulnerabilities.

  1. Ping:
    • The simplest port scan, sending an ICMP echo request to see who responds.
  2. TCP Half Open:
    • A popular, deceptive scan also known as a SYN scan. It notes the connection and leaves the target hanging.
  3. TCP Connect:
    • Goes a step further than half open by completing the TCP connection. This makes it slower and noisier than half open.
  4. UDP:
    • When you run a UDP port scan, you send either an empty packet or a packet with a different payload per port, and will only get a response if the port is closed. It’s faster than TCP, but doesn’t contain as much data.
  5. Stealth:
    • These TCP scans are quieter than the other options and can get past firewalls. They will still get picked up by the most recent IDS.

Tools – NMAP

NMAP (Network Mapper) is an open source tool for network exploration and security auditing.

  • Designed to rapidly scan large networks, though it works fine against single hosts.
  • Uses raw IP packets.
  • Used to determine service type, OS type and version, the type of packet filter/firewall in use, and many other things.
  • Also useful for network inventory, managing service upgrade schedules, and monitoring host or service uptime.
  • Zenmap is the GUI version of NMAP.

Network Protocol Analyzers

“A protocol analyzer (also known as a sniffer, packet analyzer, network analyzer, or traffic analyzer) can capture data in transit for the purpose of analysis and review. Sniffers allow an attacker to inject themselves in a conversation between a digital source and destination in hopes of capturing useful data.”

Sniffers

Sniffers operate at the data link layer of the OSI model, which means they don’t have to play by the same rules as the applications and services that reside further up the stack. Sniffers can capture everything on the wire and record it for later review. They allow users to see all the data contained in the packet.

  • Wireshark


Wireshark

Wireshark intercepts traffic and converts that binary traffic into a human-readable format. This makes it easy to identify what traffic is crossing your network, how much of it, how frequently, how much latency there is between certain hops, and so on.

  • Network admins use it to troubleshoot network problems.
  • Network security engineers use it to examine security issues.
  • QA engineers use it to verify network applications.
  • Developers use it to debug protocol implementations.
  • People use it to learn network protocol internals.

Wireshark Features

  • Deep inspection of hundreds of protocols, with more being added all the time
  • Live capture and offline analysis
  • Standard three-pane packet browser
  • Cross-platform
  • GUI or TTY mode (the TShark utility)
  • Powerful display filters
  • Rich VoIP analysis
  • Read/write to different formats
  • Capture files compressed with gzip
  • Live data from any source
  • Decryption support for many protocols
  • Coloring rules
  • Output can be exported to different formats

Packet Capture (PCAP)

PCAP is a valuable resource for file analysis and for monitoring network traffic:

  • Monitoring bandwidth usage
  • Identifying rogue DHCP servers
  • Detecting malware
  • DNS resolution
  • Incident response

Wireshark is the most popular traffic analyzer in the world. It uses .pcap files to record packet data captured from the network. Packet data is recorded in files with the .pcap file extension and can be used to find performance issues and cyberattacks on the network.
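To show what a .pcap file actually contains and how packet data in it can be used to find attacks, here is an added example (not from the original notes, and not Wireshark's own code) that writes a small constructed capture in the classic libpcap format, reads it back while honouring the byte order signalled by the magic number, decodes Ethernet/IPv4/TCP headers, and flags the half-open (SYN) scan pattern discussed under Types of Scans. The IP addresses, ports and frames are constructed for the example.

```python
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero) for the sample capture."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", 0x0800)
    return eth + ip + tcp


def write_pcap(frames, ts_start: int = 1_700_000_000) -> bytes:
    """Little-endian pcap: 24-byte global header, then a 16-byte record header before each frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts_start, i * 1000, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes):
    """Yield (timestamp, frame) records, using the byte order announced by the magic number."""
    if len(data) < 24:
        raise ValueError("file shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        endian = ">"
    else:
        raise ValueError(f"not a classic pcap file (magic {magic:#x})")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record at end of file")
        offset += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def decode_tcp(frame: bytes):
    """Return (src, dst, sport, dport, flags) for an Ethernet/IPv4/TCP frame, or None otherwise."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
    if frame[14 + 9] != 6:                 # IPv4 protocol field: 6 = TCP
        return None
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13]


def find_syn_scanners(data: bytes, min_ports: int = 5) -> dict:
    """Flag (src, dst) pairs that sent bare SYNs to at least min_ports distinct ports."""
    ports = defaultdict(set)
    for _ts, frame in read_pcap(data):
        decoded = decode_tcp(frame)
        if decoded and decoded[4] == TCP_SYN:
            src, dst, _sport, dport, _flags = decoded
            ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def sample_capture() -> bytes:
    """Constructed capture: one normal handshake start plus a half-open scan of seven ports."""
    frames = [build_tcp_frame("10.0.0.5", "192.0.2.10", 51000, 443, TCP_SYN),
              build_tcp_frame("10.0.0.5", "192.0.2.10", 51000, 443, TCP_ACK)]
    for i, port in enumerate((21, 22, 23, 25, 80, 443, 8080)):
        frames.append(build_tcp_frame("10.0.0.7", "192.0.2.10", 40000 + i, port, TCP_SYN))
    return write_pcap(frames)


if __name__ == "__main__":
    capture = sample_capture()
    print(f"{sum(1 for _ in read_pcap(capture))} packets in sample capture")
    for (src, dst), n in find_syn_scanners(capture).items():
        print(f"possible SYN scan: {src} -> {dst}, {n} distinct ports")
```

The capture bytes returned by `sample_capture()` can be written to a file and opened in Wireshark to compare the decoded fields with its own dissection.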


Security Architecture considerations

Characteristics of a Security Architecture

The foundation of robust security is a clearly communicated structure with a systematic analysis of the threats and controls.

  • Build with a clearly communicated structure
  • Use systematic analysis of threats and controls

As IT systems increase in complexity, they require a standard set of techniques, tools, and communications.

Architectural thinking is about creating and communicating good structure and behavior with the intent of avoiding chaos.

Architecture needs to be:

  • Described before it can be created
  • Described at different levels of elaboration for communication
  • Inclusive of a solution for implementation and operations
  • Affordable
  • Secure

Architecture: “The architecture of a system describes its overall static structure and dynamic behavior. It models the system’s elements (which for IT systems are software, hardware and its human users), the externally manifested properties of those elements, and the static and dynamic relationships among them.”

ISO/IEC 42010:2007 defines Architecture as “the fundamental organization of a system, embodied in its components, their relationships to each other and the environment, and the principles governing its design and evolution.”

High-level Architectural Models

Enterprise and Solution Architecture break down the problem, providing different levels of abstraction.


High-level architectures are described through Architectural Building Blocks (ABBs) and Solution Building Blocks (SBBs).


Here are some example Security ABBs and SBBs providing different levels of abstraction aimed at a different audience.


Here is a high level example of an Enterprise Security Architecture for hybrid multicloud showing security domains.


The Enterprise Security Architecture domains could be decomposed to show security capabilities… without a context.


Adding context gives us a next level Enterprise Architecture for hybrid multi-cloud, but without specific implementation.


Solution Architecture

Additional levels of abstraction are used to describe architectures down to the physical operational aspects.


Start with a solution architecture with an Architecture Overview giving an overview of the system being developed.


Continue by clearly defining the external context, describing the boundary, the actors, and the use cases that process data.


Examine the system internally looking at the functional components and examine the threats to the data flows.


Finally, look at where the function is hosted, the security zones and the specific protection required to protect data.


As the architecture is elaborated, define what is required and how it will be delivered.


Security Patterns

The use of security architecture patterns accelerates the creation of a solution architecture.

A security architecture pattern:

  • is a reusable solution to a commonly occurring problem
  • is a description or template for how to solve a problem that can be used in many different situations
  • is not a finished design, as it needs context
  • can be represented in many different formats
  • can be vendor-specific or vendor-agnostic
  • is available at all levels of abstraction


There are many security architecture patterns available to provide a good starting point to accelerate development.

Application Security Techniques and Risks

Application Security Overview


Software Development Lifecycle


Penetration Testing Tools


Source Code Analysis Tools


Application Security Threats and Attacks

Third Party Software

  • Standards
  • Patching
  • Testing

Supplier Risk Assessment:

  • Identify how any risks would impact your organization’s business. It could be a financial, operational or strategic risk.
  • Next, determine the likelihood that the risk would interrupt the business.
  • Finally, identify how the risk would impact the business.

Web Application Firewall (WAF)


Application Threats/Attacks

Input Validation:

  • Buffer overflow
  • Cross-site scripting
  • SQL injection
  • Canonicalization

Authentication:

  • Network eavesdropping
  • Brute force attack
  • Dictionary attacks
  • Cookie replay
  • Credential theft

Authorization:

  • Elevation of privilege
  • Disclosure of confidential data
  • Data tampering
  • Luring attacks

Configuration Management:

  • Unauthorized access to admin interface
  • Unauthorized access to configuration stores
  • Retrieval of clear text configuration data
  • Lack of individual accountability; over-privileged process and service accounts

Exception Management:

  • Information disclosure
  • DoS

Auditing and Logging:

  • User denies performing an operation
  • Attacker exploits an application without trace
  • Attacker covers their tracks

Application Security Standards and Regulations

Threat Modeling

“Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified, enumerated, and mitigations can be prioritized.”

Conceptually, a threat modeling practice flows from a methodology.

  1. STRIDE: STRIDE is a methodology developed by Microsoft for threat modeling. It provides a mnemonic for security threats in six categories: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege.
    • Developed by Microsoft
  2. P.A.S.T.A.: P.A.S.T.A. stands for Process for Attack Simulation and Threat Analysis. It is an attacker-focused methodology that uses a seven-step process to identify and analyze potential threats.
    • Seven-step process
  3. VAST: VAST is an acronym for Visual, Agile, and Simple Threat modeling. The methodology provides actionable outputs for the unique needs of various stakeholders like application architects and developers.
  4. Trike: Trike is an open-source threat modeling methodology focused on satisfying the security auditing process from a cyber risk management perspective. It provides a risk-based approach with a unique implementation and risk modeling process.

Standards vs Regulations

Standards:

  • CERT Secure Coding
  • Common Weakness Enumeration (CWE)
  • DISA-STIG
  • ISO 27034/24772
  • PCI-DSS
  • NIST 800-53

Regulations:

  • Gramm-Leach-Bliley Act
  • HIPAA
  • Sarbanes-Oxley Act (SOX)

DevSecOps Overview

Why does this matter?


  • Emerging DevOps teams lead to conflicting objectives.
  • DevSecOps is integrated, automated, continuous security; always.

Integrating Security with DevOps to create DevSecOps.


What does DevSecOps look like?


  • Define your operating and governance model early.
  • A successful program starts with the people & culture.
    • Training and Awareness
    • Explain and embrace new ways of working
    • Equip teams & individuals with the right level of ownership & tools
  • Continuous improvement and feedback.

Develop Securely: Plan A security-first approach

Use tools and techniques to ensure security is integral to the design, development, and operation of all systems.

Enable empowerment and ownership by the Accreditor/Risk owner participating in Plan & Design activities.

Security Coach role to drive security integration.



Develop Securely: Code & Build – Security & Development combined

Apply the model to Everything-as-Code:

  • Containers
  • Apps
  • Platforms
  • Machines
  • Shift security to the left and embrace security-as-code.
  • Security Engineer to drive technical integration and uplift team security knowledge.


Develop Securely: Code & Build

Detect issues and fix them, earlier in the lifecycle


Develop Securely: Test

Security and development Combined


Validate that apps are secure before release & deployment.


DevSecOps Deployment

Secure Operations: Release, Deploy & Decom

  • Orchestrate everything and include security.
  • Manage secure creation and destruction of your workloads.
  • Automate sign-off to certified levels of data destruction.

Controlled creation & destruction: create securely, destroy securely, every time.

Secure Operations: Operate & Monitor – Security & Operations combined

  • If you don't detect it, you can't fix it.
  • Integrated operational security helps ensure the security health of the system is as good as it can be with the latest information.
  • Playbooks-as-code run automatically: as issues are detected they are remediated and reported on.

It's not a question of if you get hacked, but when.

So, why DevSecOps?

Deep Dive into Cross-Site Scripting

Application Security Defects – Writing Secure Code

What? Should I worry?

Issue Types

  • The majority of security products have Web UIs: LMIs, administrative interfaces, dashboards.
  • Web vulnerabilities are the ones most commonly reported by 3rd parties as well as by internal pen-testers, with XSS far in the lead.
  • Crypto vulnerabilities come next.
  • Appliances are highly susceptible to command execution vulnerabilities.

Writing Secure Software is Not Easy

  • Developers face many challenges.
  • Yet with good security education, and solid design and implementation practices, we can make sure our products are secure.

Mitigating Product Security Risk

  • Prevent new bugs
    • SANS/CWE Top 25 Most Dangerous Software Errors.
  • Think like a hacker.
  • Build defenses into your software.
    • Input validation
    • Output sanitization (context-aware output encoding)
    • Strong encryption
    • Strong authentication & authorization
  • Choose secure frameworks rather than relying solely on developer security skills.
  • Don't assume that a product isolated from the Internet isn't at risk.
  • Don't assume that a local file or database doesn't need to be protected. The majority of breaches are launched from INSIDE.
  • Address existing bugs.
    • Redesign not only for looks, but for security and functionality.
    • Implement smart architectural changes that fix security flaws at the architecture level, where one change removes a whole class of bugs.
    • Don't spot-fix issues; think about how the vulnerability can be fixed across the board and prevented in the future.
    • Security bugs are special: they need to be fixed ASAP.
      • Deliver security patches through faster release vehicles.
Cross-Site Scripting – Common Attacks

Cross-Site Scripting (XSS)

  • Allows attackers to inject client-side scripts into the web page.
  • Untrusted data can come from anywhere:
    • HTTP parameters
    • HTTP headers and cookies
    • Data in JSON and XML files
    • Database
    • Files uploaded by users
  • The most common security issue found in many security products.

Dangers of XSS

  • Harvest credentials
  • Take over user sessions
  • CSRF (the injected script issues authenticated requests on the victim's behalf)
  • Steal cookies and local storage data
  • Elevate privileges
  • Redirect users to malicious sites

Cross-Site Scripting – Effective Defenses

  • Preventing XSS with HTML encoding
    • Encode &, <, >, " and ' before inserting untrusted data into HTML content or attribute values.
    • Enforce the charset (UTF-8) so the browser cannot be tricked into interpreting the page in a different encoding.
  • Preventing XSS with JS escaping
    • Hex-escape every non-alphanumeric character inserted into a JavaScript string; escaping single quotes alone is not enough, because a literal </script> still terminates the script block.
    • Prefer safe DOM APIs (textContent, setAttribute) over innerHTML and document.write.
    • Use eval and dynamic code generation with care.
  • Input validation
    • Whitelisting (allow-listing) – recommended
    • Blacklisting (deny-listing) – not recommended
    • Client-side input validation alone – not recommended (it is trivially bypassed; validate on the server)
    • Use proven validation and encoding functionality rather than hand-rolled code.
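The encoders and the allow-list check from the list above, as an added example that is not code from the original page (the function names and the attacker payloads are my own; in a real application use the proven library your framework provides, as the last bullet says):

```javascript
// Added example, not code from the original page: context-aware output
// encoding and allow-list validation, the three XSS defenses listed above.

// HTML context: encode the characters that can change HTML structure.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string context: hex-escape everything that is not alphanumeric,
// so neither a quote nor "</script>" can break out of the string literal.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? "\\x" + code.toString(16).toUpperCase().padStart(2, "0")
      : "\\u" + code.toString(16).toUpperCase().padStart(4, "0");
  });
}

// Allow-list validation: accept only what a username may legitimately contain.
function isValidUsername(value) {
  return /^[A-Za-z0-9_.-]{1,32}$/.test(value);
}

// Vulnerable: untrusted data concatenated straight into markup.
function renderGreetingVulnerable(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: the same page, with the value encoded for the HTML context it lands in.
function renderGreetingSafe(name) {
  return `<p>Hello, ${encodeForHtml(name)}!</p>`;
}

// Hardened inline script: the value lands inside a JS string literal, so it
// gets the JS-string encoder, not the HTML one.
function renderUserScriptSafe(name) {
  return `<script>var currentUser = '${encodeForJsString(name)}';</script>`;
}

// Constructed attacker payloads (hypothetical input, not from the page).
const HTML_PAYLOAD = "<script>alert(document.cookie)</script>";
const JS_PAYLOAD = "'</script><script>alert(1)//";

console.log(renderGreetingVulnerable(HTML_PAYLOAD)); // script tag survives: XSS
console.log(renderGreetingSafe(HTML_PAYLOAD));       // rendered as visible text
console.log(renderUserScriptSafe(JS_PAYLOAD));       // stays inside the string literal
console.log(isValidUsername("alice_01"), isValidUsername(HTML_PAYLOAD));
```

The two encoders are deliberately not interchangeable: HTML-encoding a value and then dropping it into a JavaScript string still lets `'` close the literal, and JS-escaping a value placed in HTML content leaves `<` intact. Pick the encoder by the context the data lands in, and validate on the server regardless of what the client already checked.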

SIEM Platforms

SIEM Concepts, Benefits, Optimization, & Capabilities

“At its core, System Information Event Management (SIEM) is a data aggregator, search and reporting system. SIEM gathers immense amounts of data from your entire networked environment, consolidates and makes that data human accessible. With the data categorized and laid out at your fingertips, you can research data security breaches with as much detail as needed.”

Key Terms:

  • Log collection
  • Normalization
  • Correlation
  • Aggregation
  • Reporting

SIEM

  1. A SIEM system collects logs and other security-related documentation for analysis.
  2. Its core function is to manage network security by monitoring flows and events.
  3. It consolidates log events and network flow data from thousands of devices, endpoints, and applications distributed throughout a network. It then uses an analytics engine (QRadar calls it Sense Analytics) to normalize and correlate this data, and identifies security offenses requiring investigation.
  4. A SIEM system can be rules-based or employ statistical correlation between event log entries.
  5. It captures log event and network flow data in near real time and applies advanced analytics to reveal security offenses.
  6. It can be deployed on premises or in a cloud environment.

Events & Flows

Events: An event is typically a log of a specific action, such as a user login or a firewall permit. It occurs at a specific time and is logged at that time.

Flows: A flow is a record of network activity between two hosts that can last from seconds to days, depending on the activity within the session. For example, a web request might download multiple files such as images, ads, and video and last for 5 to 10 seconds, while a user who watches a Netflix movie might be in a network session that lasts up to a few hours.

Data Collection

  • Data collection is the process of collecting flows and logs from different sources into a common repository.
  • It can be performed by sending data directly into the SIEM, or an external device can collect log data from the source and move it into the SIEM system on demand or on a schedule.

    Sizing factors to consider:

  • Capture rate
  • Memory
  • Storage capacity
  • License
  • Number of sources

Normalization

  • The normalization process turns raw data into a format with fields, such as IP address, that the SIEM can use.
  • Normalization involves parsing raw event data and preparing the data to display readable information.
  • Normalization allows for predictable and consistent storage for all records, and indexes these records for fast searching and sorting.

License Throttling

  • Monitors the number of incoming events to the system to manage input queues and EPS (events per second) licensing.

Coalescing

  • Events are parsed and then coalesced based on common attributes across events. In QRadar, event coalescing starts after three events have been found with matching properties within a 10-second period; further matching events in that window are counted into the coalesced event instead of being stored individually.
  • Event data received by QRadar is processed into normalized fields, along with the original payload. When coalescing is enabled, the following five properties are evaluated:
    • QID
    • Source IP
    • Destination IP
    • Destination port
    • Username
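Normalization and coalescing as described above, written out as an added example that is not QRadar code. The raw sshd lines are constructed, the QID labels and the host-to-IP map are assumptions, and the bookkeeping (store the first three matches individually, fold later matches inside the 10-second window into one record with an event count) is my reading of the rule stated above:

```javascript
// Added example, not QRadar code: normalize constructed sshd syslog lines into
// the fields a SIEM keys on, then coalesce them as the page describes. The QID
// labels, the host-to-IP map and the exact bookkeeping are assumptions.

// Constructed sample input: repeated failures for one user from one source,
// one success, one failure from elsewhere, a late failure outside the window,
// and a line the parser does not understand.
const RAW_LOGS = [
  "2024-05-01T10:00:00Z fw1 sshd[101]: Failed password for alice from 10.0.0.5 port 50001 ssh2",
  "2024-05-01T10:00:01Z fw1 sshd[102]: Failed password for alice from 10.0.0.5 port 50002 ssh2",
  "2024-05-01T10:00:02Z fw1 sshd[103]: Failed password for alice from 10.0.0.5 port 50003 ssh2",
  "2024-05-01T10:00:03Z fw1 sshd[104]: Failed password for alice from 10.0.0.5 port 50004 ssh2",
  "2024-05-01T10:00:04Z fw1 sshd[105]: Failed password for alice from 10.0.0.5 port 50005 ssh2",
  "2024-05-01T10:00:05Z fw1 sshd[106]: Failed password for alice from 10.0.0.5 port 50006 ssh2",
  "2024-05-01T10:00:06Z fw1 sshd[107]: Accepted password for alice from 10.0.0.5 port 50007 ssh2",
  "2024-05-01T10:00:07Z fw1 sshd[108]: Failed password for bob from 10.0.0.9 port 40001 ssh2",
  "2024-05-01T10:00:30Z fw1 sshd[109]: Failed password for alice from 10.0.0.5 port 50008 ssh2",
  "2024-05-01T10:00:31Z fw1 kernel: unrelated line that the parser does not know",
];

// Assumed: the syslog host is the login target, so it supplies the destination IP.
const HOST_IPS = { fw1: "192.168.1.1" };
const LINE_RE = /^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port \d+ ssh2$/;

// Normalization: raw text in, typed fields out, original payload kept alongside.
function normalize(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // a real pipeline stores unparsed lines as unknown events
  const [, ts, host, outcome, username, sourceIp] = m;
  return {
    time: Date.parse(ts),
    qid: outcome === "Accepted" ? "SSH_LOGIN_SUCCESS" : "SSH_LOGIN_FAILURE", // hypothetical QID labels
    sourceIp,
    destinationIp: HOST_IPS[host] || host,
    destinationPort: 22,
    username,
    payload: line,
  };
}

const COALESCE_WINDOW_MS = 10000;
const COALESCE_THRESHOLD = 3;

// Coalescing: the first three events sharing the five properties inside a
// 10-second window are stored individually; later matches in that window are
// counted into a single coalesced record instead of being stored one by one.
function coalesce(events) {
  const stored = [];
  const windows = new Map(); // five-property key -> { start, seen, record }
  for (const ev of [...events].sort((a, b) => a.time - b.time)) {
    const key = [ev.qid, ev.sourceIp, ev.destinationIp, ev.destinationPort, ev.username].join("|");
    let w = windows.get(key);
    if (!w || ev.time - w.start > COALESCE_WINDOW_MS) {
      w = { start: ev.time, seen: 0, record: null }; // first match opens a new window
      windows.set(key, w);
    }
    w.seen += 1;
    if (w.seen <= COALESCE_THRESHOLD) {
      stored.push({ ...ev, eventCount: 1 });
    } else if (w.record === null) {
      w.record = { ...ev, eventCount: 1 }; // fourth match opens the coalesced record
      stored.push(w.record);
    } else {
      w.record.eventCount += 1; // fifth and later matches only bump the count
    }
  }
  return stored;
}

function processLogs(lines) {
  return coalesce(lines.map(normalize).filter(Boolean));
}

const records = processLogs(RAW_LOGS);
console.log(`${RAW_LOGS.length} raw lines -> ${records.length} stored records`);
for (const r of records) console.log(r.eventCount, r.qid, r.sourceIp, r.username);
```

Note what the five-property key does and does not do: the successful login and bob's failure stay as separate records even though they arrive inside alice's window, and alice's failure at 10:00:30 starts a fresh window because the window is anchored on the first match, not the last. The coalesced record keeps the payload of its first member only, which is why the page stresses that the original payload is stored next to the normalized fields.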

SIEM Deployment

SIEM Deployment Considerations

  • Compliance
  • Cost-benefit
  • Cybersecurity

QRadar Deployment Examples

Events

Event Collector:

  • The Event Collector collects events from local and remote log sources and normalizes raw log source events to format them for use by QRadar. It bundles (coalesces) identical events to conserve system usage and sends the data to the Event Processor.
  • The Event Collector can use bandwidth limiters and schedules to send events to the Event Processor, to overcome WAN limitations such as intermittent connectivity.

Event Processor:

  • The Event Processor processes events that are collected from one or more Event Collector components.
  • It processes events by using the Custom Rules Engine (CRE).

Flows

Flow Collector:

  • The Flow Collector generates flow data from raw packets collected from monitor ports such as SPANs, TAPs, and monitor sessions, or from external flow sources such as NetFlow, sFlow, and J-Flow.
  • This data is then converted to QRadar flow format and sent down the pipeline for processing.

Flow Processor:

  • Flow deduplication: removes duplicate flows when multiple Flow Collectors provide data to Flow Processor appliances.
  • Asymmetric recombination: combines the two sides of each flow when the data is provided asymmetrically (each direction seen by a different collector or interface). The process recognizes the flows from each side and combines them into one record; sometimes, however, only one side of the flow exists.
  • License throttling: monitors the number of incoming flows to the system to manage input queues and licensing.
  • Forwarding: applies routing rules for the system, such as sending flow data to offsite targets, external syslog systems, JSON systems, or other SIEMs.
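Flow deduplication and asymmetric recombination as described above, as an added example that is not QRadar code. The records, the field names and the matching rules (same 5-tuple and start time from two collectors is a duplicate; a reverse-direction record that overlaps in time is the other side of the flow) are assumptions:

```javascript
// Added example, not QRadar code: flow deduplication and asymmetric
// recombination over constructed unidirectional flow records. Field names
// and the matching rules are assumptions, stated in the comments.

// Constructed input: one HTTPS session seen by two collectors, its reply
// direction seen by only one of them, and a DNS query whose reply no
// collector saw.
const RAW_FLOWS = [
  { collector: "fc-a", proto: "tcp", src: "10.1.1.10", sport: 51000, dst: "203.0.113.7", dport: 443, first: 1000, last: 1800, bytes: 2400, packets: 12 },
  { collector: "fc-b", proto: "tcp", src: "10.1.1.10", sport: 51000, dst: "203.0.113.7", dport: 443, first: 1000, last: 1800, bytes: 2400, packets: 12 },
  { collector: "fc-b", proto: "tcp", src: "203.0.113.7", sport: 443, dst: "10.1.1.10", dport: 51000, first: 1010, last: 1790, bytes: 98000, packets: 80 },
  { collector: "fc-a", proto: "udp", src: "10.1.1.10", sport: 40000, dst: "10.1.1.53", dport: 53, first: 1500, last: 1500, bytes: 64, packets: 1 },
];

const tupleKey = (f) => [f.proto, f.src, f.sport, f.dst, f.dport].join("|");
const reverseKey = (f) => [f.proto, f.dst, f.dport, f.src, f.sport].join("|");

// Deduplication rule (assumed): two collectors reporting the same 5-tuple
// with the same start time describe one flow; keep the first report.
function deduplicate(flows) {
  const seen = new Set();
  return flows.filter((f) => {
    const k = `${tupleKey(f)}|${f.first}`;
    if (seen.has(k)) return false;
    seen.add(k);
    return true;
  });
}

// Build one bidirectional record from both sides, or from one side alone.
function bidirectional(client, server) {
  return {
    proto: client.proto,
    src: client.src, sport: client.sport, dst: client.dst, dport: client.dport,
    first: server ? Math.min(client.first, server.first) : client.first,
    last: server ? Math.max(client.last, server.last) : client.last,
    sourceBytes: client.bytes, destBytes: server ? server.bytes : 0,
    sourcePackets: client.packets, destPackets: server ? server.packets : 0,
    sides: server ? 2 : 1,
  };
}

// Recombination rule (assumed): a record whose 5-tuple is the reverse of a
// pending record and whose time span overlaps it is the other side of that
// flow; the side that started first is treated as the client.
function recombine(flows) {
  const pending = new Map(); // tupleKey -> unmatched records with that key
  const out = [];
  for (const f of [...flows].sort((a, b) => a.first - b.first)) {
    const candidates = pending.get(reverseKey(f)) || [];
    const i = candidates.findIndex((c) => c.first <= f.last && f.first <= c.last);
    if (i >= 0) {
      const [other] = candidates.splice(i, 1);
      out.push(other.first <= f.first ? bidirectional(other, f) : bidirectional(f, other));
    } else {
      if (!pending.has(tupleKey(f))) pending.set(tupleKey(f), []);
      pending.get(tupleKey(f)).push(f);
    }
  }
  // Whatever is still pending was only ever seen from one side.
  for (const list of pending.values()) for (const f of list) out.push(bidirectional(f, null));
  return out;
}

function processFlows(flows) {
  return recombine(deduplicate(flows));
}

for (const r of processFlows(RAW_FLOWS)) console.log(r);
```

Deduplication has to run before recombination: if the duplicate client-side record survived, the reply would be paired with one copy and the other copy would be emitted as a bogus one-sided flow, inflating byte counts and confusing any rule that keys on unanswered connections. The one-sided DNS record is kept rather than dropped, because a query with no visible reply is itself a useful signal.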

Reasons to add event or flow collectors to an All-in-One deployment

  • Your data collection requirements exceed the collection capability of your processor.
  • You must collect events and flows at a different location than where your processor is installed.
  • You are monitoring packet-based flow sources.
  • As your deployment grows, the workload exceeds the processing capacity of the All-in-One appliance.
  • Your security operations center employs more analysts who run more concurrent searches.
  • The types of monitored data, and the retention period for that data, increase, which increases processing and storage requirements.
  • As your security analyst team grows, you require better search performance.

Security Operations Center (SOC)

Triad of Security Operations: People, Process and Technology.

SOC Data Collection

SIEM Solutions – Vendors

“The security information and event management (SIEM) market is defined by customers’ need to analyze security event data in real-time, which supports the early detection of attacks and breaches. SIEM systems collect, store, investigate, support mitigation and report on security data for incident response, forensics and regulatory compliance. The vendors included in this Magic Quadrant have products designed for this purpose, which they actively market and sell to the security buying center.”

Deployments

Small: Gartner defines a small deployment as one with around 300 log sources and 1500 EPS.

Medium: A midsize deployment is considered to have up to 1000 log sources and 7000 EPS.

Large: A large deployment generally covers more than 1000 log sources with approximately 15000 EPS.

Important Concepts

IBM QRadar

IBM QRadar Components

ArcSight ESM

Splunk

Friendly Representation

LogRhythm's Security Intelligence Platform

User Behavior Analytics

Security Ecosystem

  • Detecting insider threats requires a 360-degree view of both logs and flows.

Advantages of an integrated UBA Solution

  • Complete visibility across endpoint, network and cloud infrastructure, with both log and flow data.
  • Avoids reloading and curating data: faster time to insights, lower opex, frees valuable resources.
  • Out-of-the-box analytics models that leverage and extend the security operations platform.
  • A single security operations process, with integration of the workflow system and other security solutions.
  • Easily extend to third-party analytic models, including insider-threat use cases already implemented.
  • Leverage UBA insights in other integrated security analytics solutions.
  • Get more from your QRadar ecosystem.

IBM QRadar UBA

160+ rules and ML-driven use cases addressing 3 major insider threat vectors:

  1. Compromised or stolen credentials
  2. Careless or malicious insiders
  3. Malware takeover of user accounts

Detecting Compromised Credentials

  • 70% of phishing attacks aim to steal credentials.
  • 81% of breaches involve stolen credentials.
  • $4M average cost of a data breach.

Malicious behavior comes in many forms

Maturing into User Behavioral Analytics

QRadar UBA delivers value to the SOC

AI and SIEM

Your goals as a security operations team are fundamental to your business.

Pressures today make it difficult to achieve your business goals.

Challenge #1: Unaddressed threats

Challenge #2: Insight overload

Challenge #3: Dwell times are getting worse

A lack of consistent, high-quality and context-rich investigations leads to a breakdown of existing processes and a high probability of missing crucial insights, exposing your organization to risk.

Challenge #4: Lack of cybersecurity talent and job fatigue

  • Overworked
  • Understaffed
  • Overwhelmed

Investigating an incident without AI

Unlock a new partnership between analysts and their technology

AI and SIEM – An Industry Example

QRadar Advisor with Watson: Built with AI for the front-line Security Analyst.

QRadar Advisor empowers security analysts to drive consistent investigations and make quicker and more decisive incident escalations, resulting in reduced dwell times and increased analyst efficiency.

Benefits of adopting QRadar Advisor

How it works – An app that takes QRadar to the next level

How it works – Building the knowledge (internal and external)

How it works – Aligning incidents to the ATT&CK chain

How it works – Cross-investigation analytics

How it works – Using analyst feedback to drive better decisions

How it works – QRadar Assistant

Threat Hunting Overview

Fight and Mitigate Upcoming Future Attacks with Cyber Threat Hunting

  • Cybercrime has transformed, and will keep transforming, the role of citizens, business, government and law enforcement, and the nature of our 21st-century way of life.
  • We depend more than ever on cyberspace.
  • A massive interference with global trade, travel, communications, and access to databases caused by a worldwide internet crash would create an unprecedented challenge.

The Challenges:

The Rise of Advanced Threats

  • Highly resourced adversaries
  • Highly sophisticated
  • Can evade detection by rule- and policy-based defenses
  • Dwell in the network
  • Can cause the most damage

The threat surface includes:

  • Targeted 'act of war' & terrorism
  • Indirect criminal activities designed for mass disruption
  • Targeted data theft
  • Espionage
  • Hacktivists

Countermeasure challenges include:

  • Outdated security platforms
  • Increasing levels of cybercrime
  • Limited marketplace skills
  • Increased citizen expectations
  • Continuous and ever-increasing attack sophistication
  • Lack of real-time correlated cyber intelligence

SOC Challenges

SOC Cyber Threat Hunting

  • Intelligence-led Cognitive SOC: Proactive Cyber Threat Hunting

What is Cyber Threat Hunting

The act of proactively and aggressively identifying, intercepting, tracking, investigating, and eliminating cyber adversaries as early as possible in the Cyber Kill Chain.

The earlier you locate and track your adversaries' Tactics, Techniques, and Procedures (TTPs), the less impact these adversaries will have on your business.

Multidimensional Tradecraft: What is the primary objective of cyber threat hunting?

Know Your Enemy: Cyber Kill Chain

The Lockheed Martin Cyber Kill Chain models an intrusion as seven stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. Hunting aims to catch the adversary in the earliest stage possible, before Actions on Objectives.

The Art and Science of Threat Hunting

Advance Your SOC

Cyber Threat Hunting – An Industry Example

Cyber threat hunting team center:

Build a Cyber Threat Hunting Team:

Six Key Use Cases and Examples of Enterprise Intelligence:

i2 Threat Hunting Use Cases:

Detect, Disrupt and Defeat Advanced Threats

Know Your Enemy with i2 cyber threat analysis:

Intelligence Concepts are a Spectrum of Value:

i2 Cyber Users: