In this three-part audio series, we’ll share some insights from a cybersecurity professional with 18 years of experience in industrial network design and support, information and network security, risk assessments, pentesting, threat hunting, and forensics.
Blumira’s Account Executive Mike McCarthy interviewed Pascal Ackerman, the author of a new book, Modern Cybersecurity Practices: Exploring And Implementing Agile Cybersecurity Frameworks and Strategies for Your Organization. Ackerman is also Managing Director of Threat Services at ThreatGEN.
Check out the first video in Building a Cybersecurity Program: Modern Cybersecurity Practices, Part 1, and the second video, Common Threat Vectors & Industrial Control Systems (ICS): Modern Cybersecurity Practices, Part 2.
In this third video, they discuss different challenges of detection, how to continuously monitor your environment, seeking SIEM maturity and more. Listen to the full audio interview here:
Here’s a summary of a few of the questions and answers that may provide value for organizations seeking threat detection and response solutions:
What kind of challenges exist with detecting infiltration or data exfiltration?
The challenges exist with the technology in place that is monitoring events. Most companies either have no technology in place at all to look at log events or traffic, or some of them will not have enough technology in place to do it.
Some of them have too much and they’re getting overwhelmed with the amount of logs. It’s about getting to a balance where you get the right information at the right time, so you can actually look at it in a reasonable way.
What is the most common of those problems among your clients, and what are you actually seeing in the field?
For my clients, there’s been a lot of effort and attention on obtaining the next tool or next software that will solve all of your problems, which, by the way, I don’t support at all (the easy button).
There’s been so many companies that will say if you install this, we’re going to be the IDS (intrusion detection system) for your industrial network. And here, we’ll be sniffing your network and giving you alerts on everything it can find.
Many people have signed up for that, and now they have four or five systems reporting events. They’re just being overwhelmed. That’s what I’m seeing. And most people buy these tools and don’t ever log at them. So it’s a combination of getting too much information and not having the right people to look at the event and alerts coming up.
Until you find something malicious, keeping an eye on your firewall logs and monitoring all traffic that goes through them is enough for most companies out there. Once you do find something beaconing out to China or Russia, it’s nice to have event logs for everything, so you can see what actually happened when it was installed. To find malicious activity, give me a good packet capture of your firewall egress board and we can find that stuff.
What are some of the other best ways to continuously monitor security in an organization’s environment?
After firewalls, you should start looking at Windows events. Correlate logins on your Windows system with your shift schedule to understand why a user is logging in in the middle of the night, or why are they trying to log into 20 different workstations at once? You can extend that to events that you get from your Apache servers and your Linux systems as well.
What kind of trends have you seen in the SIEM industry, or the market toward including increased security value?
When talking to my customers, they’re just starting their security programs. They’ll leave it up to me to implement a SIEM solution, and I’ll go with the best free solution, the ELK (Elastic, Logstash and Kibana) stack. Once you have that in place, you can start collecting and reviewing firewall logs.
Once you’ve monitored it for a year or year and half, you can decide what kind of information you’re interested in. But it doesn’t cover everything you will want. You could use that experience to talk to a SIEM supplier about which events you’d like to see, for example, you might be interested in a Windows Event, but you could also be interested in adding threat intelligence feeds to it – ask your SIEM provider what they can offer.
We’ve observed that when implementing a SIEM solution, organizations need to do a lot of work to get the most value out of them, meaning not only log management, but also actionable and relevant information. It can take a large investment of time, money and expertise. Are your clients seeing similar barriers to get to the next level of security maturity?
Yes, mostly because technology is technology, and companies will throw money out there, but it’s about getting expertise to actually look at the data that comes from the solutions.
A lot of companies are struggling to get. The right people in place and get the right eyes looking at these events. There’s plenty of companies that do a fantastic job collecting events, making dashboards, sending alerts – but then you get an alert that says an admin has been logged in to too many systems. What’s the next step? What are we going to do now? That’s where people still struggle, especially in the industrial space.