The earliest log management tools were designed to reduce the burden of sifting through reams of audit trails in support of compliance and other business objectives. Such work was typically done with mainframes, and it was a big deal if anything of real security consequence was actually detected. This crude task has now evolved into the use of modern security information and event management (SIEM) platforms supporting real-time enterprise data collection, cyber threat intelligence gathering, security event monitoring, and advanced assistance for the threat hunting task being performed today in security operations centers around the world. As part of the research for my 2017 TAG Cyber Security Annual (you can download the free PDFs at https://www.tag-cyber.com/), I had the opportunity to sit down with Roger Thornton, CTO of AlienVault, to discuss these trends.
EA: Do most companies now have a SIEM – or do you still see gaps in coverage, perhaps in smaller organizations?
RT: Just about every company in the world has some requirement for security visibility and monitoring today. In spite of that broad mandate, I see lots of gaps in coverage for SIEM – and that’s not just in smaller companies. It’s in most companies where teams are stretched thin and budgets are tight. In most of these companies, you will find a smattering of point solutions. They may operate intrusion detection at the perimeter or some vulnerability scanner collecting basic logs, but very few have all the controls in place, or have them integrated for effective security monitoring and analytics. A traditional SIEM is a data aggregation platform, and that aggregation can be a difficult chore in itself. But it is a pointless one if you don’t possess the pertinent data to perform the required enterprise cyber security analytics.
EA: What are some of the technical challenges involved in trying to unify the various tasks related to log, event, and incident analysis?
RT: Long gone are the days that any single point solution can effectively detect threats. Detection now requires continuous monitoring of multiple facets of an infrastructure, which will require multiple different controls to be deployed and integrated into a platform that will support analytics. The first challenge is collecting data – and to do this, you must know what’s on your network. You also must know the vulnerabilities across your network assets, and this information must be up to date, rather than a snapshot in time. You will also need detailed information about the behavior of your network and the systems running on it, including what protocols are present, what connections are being made, and what users are doing. Finally, you need detailed information about the threats themselves – and this changes constantly. Once you have all that, you then need to pull it all together into an analytics platform so that you can find the bad guys with enough accuracy to direct action, but without too many false alarms. Our approach at AlienVault is to address this complexity through an integrated solution that orchestrates data gathering, security controls, threat intelligence, and analytics into one simple, easy-to-use package.
EA: What role does accurate threat intelligence play in deriving good intelligence from collected data?
RT: Well, I can tell you that bad threat intelligence involves stale indicators of compromise (IOCs) in the form of virus signatures, URLs, domain names, and IP addresses. Such stale data is often useless, because the attackers have moved on, and the IOC may now be pointing at the wrong source. This threat intelligence can be improved by adding context, and doing so requires that it be constantly updated. This work can be intensive, so you will either need a good threat feed from a vendor or sharing community, or you will need an in-house security research team. The best threat intelligence can be consumed directly by security controls to produce effective preventive or mitigating action. Instead of just providing IOCs, the best threat intelligence provides the specific tuning rules for your IDS, vulnerability scanners, firewalls, network analysis tools, and SIEM correlation engine – and this is the approach we try to take at AlienVault.
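To illustrate the point about stale indicators, here is an added example (not AlienVault or OSSIM code) that matches constructed log lines against a constructed IOC feed but only fires on indicators that carry recent context; the feed layout, field names and freshness thresholds are assumptions for the demonstration.

```python
# Added example, not from the interview or any vendor product: match events
# against IOC records while rejecting stale or low-confidence indicators.
# All indicator values and log lines below are constructed samples.
from datetime import datetime, timedelta

# Constructed IOC feed: each record carries context (type, last_seen, source, confidence).
IOC_FEED = [
    {"type": "ip", "value": "203.0.113.45", "last_seen": "2016-11-01", "source": "sharing-community", "confidence": 80},
    {"type": "ip", "value": "198.51.100.7", "last_seen": "2015-02-10", "source": "old-feed", "confidence": 90},
    {"type": "domain", "value": "update-check.example", "last_seen": "2016-10-28", "source": "in-house", "confidence": 70},
]

# Constructed proxy/firewall log lines: timestamp, src, dst, dst host (or "-")
LOG_LINES = [
    "2016-11-03T10:15:02 src=10.0.0.12 dst=203.0.113.45 host=-",
    "2016-11-03T10:16:44 src=10.0.0.12 dst=198.51.100.7 host=-",
    "2016-11-03T10:17:10 src=10.0.0.31 dst=192.0.2.8 host=update-check.example",
]

def parse_line(line):
    """Split 'TIMESTAMP key=value key=value ...' into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def fresh_indicators(feed, now, max_age_days=90, min_confidence=50):
    """Index indicators by (type, value), dropping those last seen too long
    ago or with low confidence; the thresholds are assumed tuning values."""
    cutoff = now - timedelta(days=max_age_days)
    keep = {}
    for ioc in feed:
        if ioc["confidence"] < min_confidence:
            continue
        if datetime.fromisoformat(ioc["last_seen"]) < cutoff:
            continue
        keep[(ioc["type"], ioc["value"])] = ioc
    return keep

def match_events(lines, feed, now_iso):
    """Return (line, ioc) pairs for hits against fresh indicators only."""
    index = fresh_indicators(feed, datetime.fromisoformat(now_iso))
    hits = []
    for line in lines:
        rec = parse_line(line)
        for key in (("ip", rec["dst"]), ("domain", rec["host"])):
            ioc = index.get(key)
            if ioc:
                hits.append((line, ioc))
    return hits

if __name__ == "__main__":
    for line, ioc in match_events(LOG_LINES, IOC_FEED, "2016-11-03"):
        print(f"ALERT {ioc['type']}={ioc['value']} ({ioc['source']}, conf={ioc['confidence']}): {line}")
```

The second log line reaches an address that is in the feed but was last seen well over a year earlier, so it is deliberately not reported; the context on the remaining hits (source, confidence) is what an analyst would use to decide how to act.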
EA: Do you have opinions about open source tools in enterprise? What factors should a CISO team take into account before downloading and using an open source tool?
RT: You would be hard pressed to find a company that does not use some open source tools within their information security program. And we all know that attackers make use of open source tools in their exploits. With that said, there is certainly a place for both open source projects and commercial products within any security team – albeit with the time and expertise required to make open source truly work. At AlienVault, we maintain an open source project called Open Source SIM (OSSIM). This open source offering, like our commercial Unified Security Management product line, is an integration and orchestration platform for a collection of embedded security tools. OSSIM integrates several open source security tools including Snort, Nmap, and OpenVAS. Like most open source tools and projects, OSSIM works best when used by experts and researchers with deep security skills.
EA: How do you see virtualization of the data center and evolution of the network to SDN as affecting the unified security management task in the modern enterprise?
RT: Because of the rapid adoption of virtualization, products that are monolithic, expensive, hardware-centric, and bound to single operating environments are simply doomed to extinction. Virtualization allows for segmented computing into fine-grained processing regions, which significantly reduces the attack surface at any one point. Furthermore, virtualization and SDN can unify security controls, provided they are designed to support such action. Virtualization and cloud environments provide templates that will greatly simplify the setup and configuration of security tools. And the promise of SDN for security is the ability to put monitoring and analytics agents at just about any point in the network with the same ease required to deploy software into operating environments. At AlienVault we accomplish this through software sensors that can be provisioned with minimal effort into virtual data centers and cloud environments.
EA: Any trends you’re seeing in the threat and attack space? Is it getting harder to detect attacks due to increased offensive capability – or is it getting easier to detect attacks due to more automated, feature-rich tools?
RT: Attackers have an enormous advantage, because they can decide when, where, and how to strike. But once they’ve made initial inroads, then they are like strangers in a foreign place. They have to search the environment, move laterally, attempt access, and try to exfiltrate. The truth is that identifying this behavior is actually quite easy, as long as you have the right data, tools, and knowledge of what to look for. So, while it may be impossible to keep someone out, the good news is that it can be relatively easy to catch them, once they are in. Security teams should thus make sure to invest sufficient time and money into getting good at threat detection and incident response. Large companies with sophisticated security teams have been doing this for years, and now it’s catching on with everyone.
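As an added example of the kind of post-intrusion behavior the answer above says is easy to spot with the right data, the following code (not from the interview or any vendor product) flags an account that fans out to an unusual number of distinct hosts within a short window; the log format, field names and thresholds are assumptions, and the events are constructed.

```python
# Added example, not from the interview or any vendor product: detect an
# account reaching many distinct hosts in a short window, a simple signal of
# the "search the environment, move laterally" phase. Events are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events: time, user, source host, destination host
AUTH_EVENTS = [
    "2016-11-03T02:01:10 user=jdoe src=ws-12 dst=fileserver-1",
    "2016-11-03T02:03:45 user=jdoe src=ws-12 dst=db-2",
    "2016-11-03T02:05:01 user=jdoe src=ws-12 dst=hr-app",
    "2016-11-03T02:06:30 user=jdoe src=ws-12 dst=backup-7",
    "2016-11-03T09:10:00 user=asmith src=ws-40 dst=fileserver-1",
    "2016-11-03T15:20:00 user=asmith src=ws-40 dst=mail-1",
]

def parse_event(line):
    """Split 'TIMESTAMP key=value key=value ...' into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def fanout_alerts(lines, window_minutes=15, max_hosts=3):
    """Return {user: sorted destination hosts} for every user that reaches
    more than max_hosts distinct destinations inside any sliding window of
    window_minutes. The thresholds are assumed tuning values; in practice
    they would be set per environment from a baseline of normal behavior."""
    by_user = defaultdict(list)
    for line in lines:
        rec = parse_event(line)
        by_user[rec["user"]].append((rec["ts"], rec["dst"]))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(hosts) > max_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    for user, hosts in fanout_alerts(AUTH_EVENTS).items():
        print(f"ALERT user={user} reached {len(hosts)} hosts in a short window: {hosts}")
```

The account that touches four servers in five minutes is reported, while the account that visits two hosts hours apart is not; the same sliding-window pattern applies to other data sources the answer mentions, such as connection logs.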