SIEM: You’re Doing it Wrong

Security Information and Event Management (SIEM) is not specifically mentioned in the CompTIA Security+ Exam Objectives. However, the implementations of a network’s security infrastructure that feed SIEM are specifically mentioned in CompTIA Security+ Exam Objective 1.0 “Network Security”. SIEM fits into the security construct as an aggregation point for all SYSLOG traffic coming from any configured device(s). Intrusion Detection and Prevention, Firewalls, Domain Controllers, Core Switches, VPN concentrators and many other devices have the capability to feed the SIEM construct. With that being said, SIEM is passive and relies solely on the input of those configured devices as well as their verbosity settings. SIEM does offer near-real time alerts and provides a single touch point for monitoring analysts and contracted security service providers. The reason I use the words “near-real time” and not “real-time” is that I personally believe this to be a misnomer. Everyone is looking for that magical blinking red light and alarm to sound to signify an attack in progress. Anything that requires a threshold of the rule-set and notifications to be sent to a monitoring analyst is not real-time. In fact, nothing could be more reactionary. So SIEM, by its design, is passive, but that should not take away from the capability SIEM provides.

Where most people get SIEM wrong is in the belief that it is an active protection system. That is what an intrusion detection or prevention system and firewall are used for. Now it is not unfair to say that SIEM is not capable of protecting a network. If configured properly to receive logs from a web filter or domain controller, it could be used to identify traffic to malicious hosts or to alert when a user has downloaded a non-permitted executable file. From that point a network admin can isolate the system and prevent malware from spreading, or reconfigure existing security systems to prohibit future activities that triggered the SIEM alert notification. The important takeaway is that the SIEM device is not going to do that for you. Also, remember the input-based function of SIEM. If the device isn’t monitored, the verbosity setting is not set quite right, or a threat agent circumvents a firewall or other protective measure, then the SIEM will not see it and thus will not generate the notification. SIEM is also not intelligent and cannot make up for shortcomings in configuration. If the rules and thresholds are not set to see X but instead only Y and Z, then anything falling under the X category will go unnoticed.
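The dependence on inputs and thresholds described above can be seen in a small threshold rule run over a few syslog lines. This is an added example, not part of the original article; the host names, log format, rule and list of expected sources are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input: hosts, users and addresses are invented for the example.
SAMPLE_LOG = """\
Feb 16 10:00:01 dc01 security: logon failure user=jsmith src=10.0.0.44
Feb 16 10:00:09 fw01 kernel: DROP SRC=203.0.113.9 DST=10.0.0.5 DPT=22
Feb 16 10:00:20 dc01 security: logon failure user=jsmith src=10.0.0.44
Feb 16 10:00:41 dc01 security: logon failure user=admin src=10.0.0.44
Feb 16 10:05:00 dc01 security: logon failure user=kdoe src=10.0.0.71
Feb 16 10:07:30 fw01 kernel: DROP SRC=198.51.100.7 DST=10.0.0.5 DPT=3389
"""
EXPECTED_SOURCES = {"fw01", "dc01", "webfilter01"}  # devices assumed to feed the SIEM
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) \S+: (.*)$")
FAIL_RE = re.compile(r"logon failure user=\S+ src=(\S+)")

def parse(text, year=2017):
    """Yield (timestamp, host, message); syslog timestamps carry no year, so one is assumed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def failed_logon_alerts(events, threshold=3, window=timedelta(seconds=60)):
    """Alert when one source address reaches `threshold` failures inside `window`."""
    recent, alerts = defaultdict(deque), []
    for ts, host, msg in events:
        m = FAIL_RE.search(msg)
        if not m:
            continue  # anything the rule does not describe passes without an alert
        q = recent[m.group(1)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts.strftime("%H:%M:%S"), host, m.group(1), len(q)))
            q.clear()
    return alerts

def silent_sources(events, expected=EXPECTED_SOURCES):
    """Expected devices that sent nothing: the SIEM is blind to what they would have seen."""
    return sorted(expected - {host for _, host, _ in events})

if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print("alerts:", failed_logon_alerts(events))
    print("silent sources:", silent_sources(events))
```

Raising the threshold to 4 on the same input produces no alert at all, and the web filter that never sent a line only shows up because the list of expected sources is checked separately.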

We have to remember that security should be addressed in layers. A single firewall may provide adequate protection for a network but it will not be nearly as effective as a network protected by a firewall and an intrusion detection or prevention system. Those security mechanisms are great but monitoring all of those systems is nearly impossible. SIEM provides the bridge between systems to provide a single reference point for situational awareness and intelligence for the admin team. SIEM also adds the layer of situational awareness to the overall systemic behavior of the network. Where threats are not detected, SIEM can also provide insight and generate notifications of application or system crashes. And that is something firewalls and other security devices fail to do. It also does really well in forensic analysis of events leading up to a suspected breach or incident. Instead of querying logs from 5 different sources, the SIEM can be the proverbial one-stop-shop for an investigation. Despite the shortcomings, SIEM is a must-have for any network, but SIEM cannot and should not be implemented without due expectation management. For more information on SIEM you can research any of the SIEM products on the market: Splunk, Tripwire, NetIQ, and ArcSight are but a few. There will be some differences in capability between these, and some may even have enhanced features to remedy the shortcomings identified above, but those are usually much more expensive, and those advanced features are not organically SIEM but instead advanced security utilities infused with SIEM capability.

The Security Nazi…Ruling an Enterprise with an Iron Fist

The content of this article can be associated or mapped to CompTIA Security+ Exam Objective 1.0 “Network Security” or more specifically, firewalls and web filters. First off, the title requires a brief explanation. No, I am not a fascist, but one of my professors called me a security Nazi after grading one of my assignments discussing firewall rules and policy development for a fake company. That being said, I am frequently asked by my clients what they can do to better harden their enterprise. They ask about the latest technology or the latest threat like ‘Ransomware’. To be perfectly honest, many organizations are already equipped to handle such threats. All it takes is a little bit more support from management to enforce said policies. But let’s talk about the tech for a minute.

Web Filters are by far my favorite piece of IT Security Infrastructure. If we can all agree that the internet is a boiling cesspool of viruses, identity thieves, and quizzes that tell you which Care Bear you are, and that the internal network or LAN is our bastion of good – achieving the company mission statement – then the web filter is one of the best things to protect the LAN from the evil that lurks in the World Wide Web. I feel the eyebrows rising, but bear with me and remember I’m about to talk about firewalls too. If you are a Network Security Administrator then the web filter is your best friend. For those that don’t know, the web filter is a program that screens websites for permitted or blocked content and permits or blocks said content respectively. (Rouse, 2017)

So why do I favor the web filter you ask? Because it protects us from the most lethal threat to a corporate network…The USER! (DeCarlo, 2007) If we examine some of the biggest daily issues that a network faces many of the issues can be tied to user activity within the network. Whether it’s Johnny in the HR department checking the local scores of his favorite team or Suzie in accounting checking her horoscope, each site they visit poses the potential threat of delivering malware to their machine. So the best thing a network admin can do is block sites like that altogether and prevent users from visiting those sites. My professional recommendation is to block any and all URLs that are not specifically required for the network to function. It’s harsh but let’s face it Johnny and Suzie need to be working and not using company assets to do the useless stuff the internet has to offer. This is best done through a whitelist feature that is equipped in nearly all modern web filters. Whitelisting is great because it implicitly denies communication with all URLs that are not listed. Johnny and Suzie will be okay if they want to waste company time, they can do it with their personal smartphones on the public Wi-Fi so that excuse about morale is a poor one at best.
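The implicit deny behind whitelisting can be sketched as a default-deny check on the requested host. This is an added example, not part of the original article and not the logic of any particular web filter product; the allowlisted domains and the `is_allowed` and `filter_requests` names are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist: placeholder domains, not taken from the article.
ALLOWED_DOMAINS = {"intranet.example.com", "payroll.example.net", "example.org"}
ALLOWED_SCHEMES = {"http", "https"}

def host_of(url):
    """Return the lower-cased host the request would go to, or None if it cannot be parsed."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # drops any user:password@ prefix and the port
    except ValueError:
        return None
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return None
    return host.rstrip(".")  # "example.org." and "example.org" are the same host

def is_allowed(url, allowed=ALLOWED_DOMAINS, include_subdomains=True):
    """Default deny: permit only hosts on the list (optionally their subdomains)."""
    host = host_of(url)
    if host is None:
        return False
    if host in allowed:
        return True
    # Match on a label boundary so "notexample.org" does not pass for "example.org".
    return include_subdomains and any(host.endswith("." + d) for d in allowed)

def filter_requests(urls, allowed=ALLOWED_DOMAINS):
    """Return (url, 'ALLOW' | 'DENY') decisions suitable for logging."""
    return [(u, "ALLOW" if is_allowed(u, allowed) else "DENY") for u in urls]

if __name__ == "__main__":
    # Constructed requests, including look-alike hosts that must still be denied.
    for url, decision in filter_requests([
        "https://intranet.example.com/hr/forms",
        "https://mail.example.org/",
        "http://sports-scores.test/",
        "https://example.org.evil.test/",
        "https://intranet.example.com@evil.test/",
    ]):
        print(decision, url)
```

Forwarding the DENY decisions to the SIEM gives the analyst the web-filter visibility discussed in the first article.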

Firewalls are my next favorite security implement because they provide a barrier against the evils originating from the internet that the web filter doesn’t cover. Where it can be argued web filters basically protect the LAN from outbound traffic, the firewall protects it from inbound traffic. You know, all those threat agents from China, Russia, and everywhere else on the planet that are fighting to get in and steal your customer or patient data. Firewalls are a necessity. It is important to note that firewalls do perform some of the same tasks a web filter does, so while a network could survive on just a firewall, remember that security is about layering and redundancy. That is why many firewalls come equipped with a web filter application to work in concert with the firewall. I know I mentioned corporate networks a lot, but the good news is these features are also often contained within aftermarket wireless routers. My Asus has both a firewall and a web filter, in the form of parental controls, that I can leverage to protect my home network as well. If you have small children or teenagers, you should appreciate and employ these, because let’s be honest, the last thing on a kid’s mind is security while surfing the web.

References:

DeCarlo, A. L. (2007, March 21). Biggest security threat? Your users. Retrieved February 16, 2017, from http://www.computerworld.com/article/2543940/networking/biggest-security-threat–your-users.html

Rouse, M. (n.d.). What is Web filter? – Definition from WhatIs.com. Retrieved February 16, 2017, from http://searchsecurity.techtarget.com/definition/Web-filter