February 26, 2015 By Westley McDuffie

Security information and event management (SIEM) has long been touted as a single “pane of glass.” With all its infinite wisdom, it will reduce the complexities and give you the certainty you seek. Wartime commanders have long wished for a crystal ball to tell them what their adversaries are doing. During my tenure as an analyst, I learned about the Military Decision-Making Process (MDMP) and Intelligence Preparation of the Battlefield (IPB), and I have come to realize that a single pane of glass is more about you, the analyst, than about the tool.

How to Prep the Battlefield

The cyber battlefield is the latest enclave in the combat area, although it is not prone to the same battlefield conditions. U.S. Department of Defense network and security teams already bring the MDMP and IPB to network operations, and those that do not should. Private companies would also benefit from this approach.

The battlefield is your network, and you must know all of it. Not only does this help you purchase the right defenses, but it aids in troubleshooting and can reduce fraud, waste and abuse by aligning expenses where they are needed. If you cannot explain with certainty what is supposed to be on your network, how can you explain what is not supposed to be on your network? You must also understand the modus operandi of your foes. Moving one step forward, can you even say who your foes are? I do not mean this in general terms, since just about everyone is going to face similar foes in the form of hacktivists, nation-state attackers, corporate attackers and insider threats. However, can you name them?

Far too often, we become bogged down trying to figure out something that happened via TCPDUMP without looking at everything else around it. Bad guys do not ping and run. By bringing to light your foes’ most likely course of action and their most dangerous course of action, you can start to build your intelligence. These planning tools (MDMP and IPB) help analysts defend their kingdoms. Understanding what you are most likely facing will help you reduce your risk, and by combining that with what you are protecting, you begin to produce real intelligence. Also, be sure to include those initial probes you pass off as nothing, since your foes are watching your reaction.

SIEM is a great tool as long as it is in the hands of competent analysts. It is even better with complete IPB. If not, it is just another layer of nonworking complexity in an existing infrastructure that you already do not understand. This leads to more uncertainty. Having the best tool on the planet will do nothing for your posture if you are a complete moron. I said this as I intended. SIEM is a tool. It is not “the” or “a” solution. Protecting the network and its information is the solution. Your course of action is understanding your foes and their intent. For instance, if I asked you to build me a house, and you showed me a hammer and told me it was the solution, you would not build my house. The hammer in your hand is just one tool, not the whole solution. I need to see blueprints, permits and other tools to determine that you understand.

SIEM as a Tool

This tool provides you with the ability to build your solution. That single pane of glass provides nothing more than indicators of what was reported. With millions of events being processed daily, only a handful are actionable. You can craft those indicators into a series of correlated events, which reduces the amount of time spent digging into individual noisemakers and gives you more time to watch combined events. There is a time and place for items such as TCPDUMP, but if this is your first step, we are in need of a serious discussion.

A single event from a known bad source is not, by itself, necessarily nefarious. By aligning that source with a brute-force password attack, a known user account or the Tor channels being used, it tells me this is more than just a brute-force guessing attack and that the items I’m speaking of may have relationships. Depending on the endpoint receiving the unwanted attention, the adversary could already be layers deep into the network. It is not always what you see that becomes the issue; it’s what you don’t see. SIEM puts this together so that it can be digested and understood.
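As an added example (not code from the original post), here is the correlation the paragraph describes, run over a constructed auth log: a listed source, a brute-force burst, a valid account and a Tor exit are each a single indicator, and only their combination is surfaced as actionable. The addresses, account names, log format and failure threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed reference lists (placeholder addresses and accounts, not real indicators).
KNOWN_BAD_SOURCES = {"203.0.113.5"}
TOR_EXIT_NODES = {"198.51.100.9"}
VALID_ACCOUNTS = {"alice", "bob", "svc-backup"}
LOG_RE = re.compile(r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample log: a burst from a listed source ending in a success, one Tor probe, one benign login.
SAMPLE_LOG = [
    "2015-02-26T10:00:01 auth src=203.0.113.5 user=root result=FAIL",
    "2015-02-26T10:00:02 auth src=203.0.113.5 user=admin result=FAIL",
    "2015-02-26T10:00:03 auth src=203.0.113.5 user=alice result=FAIL",
    "2015-02-26T10:00:04 auth src=203.0.113.5 user=alice result=FAIL",
    "2015-02-26T10:00:05 auth src=203.0.113.5 user=alice result=FAIL",
    "2015-02-26T10:00:09 auth src=203.0.113.5 user=alice result=OK",
    "2015-02-26T10:01:00 auth src=198.51.100.9 user=guest result=FAIL",
    "2015-02-26T10:02:00 auth src=192.0.2.77 user=bob result=OK",
    "this line is malformed and must be skipped",
]

def parse(lines):
    """Turn matching log lines into dicts; malformed lines are dropped, not guessed at."""
    return [m.groupdict() for m in (LOG_RE.match(l.strip()) for l in lines) if m]

def correlate(lines, fail_threshold=5):
    """Group events by source and combine independent indicators; a finding is actionable only
    when two or more line up, since a lone listed source, Tor hit or burst of failures is noise."""
    by_src = defaultdict(list)
    for ev in parse(lines):
        by_src[ev["src"]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        ok = [e for e in evs if e["result"] == "OK"]
        indicators = []
        if src in KNOWN_BAD_SOURCES:
            indicators.append("known_bad_source")
        if src in TOR_EXIT_NODES:
            indicators.append("tor_exit")
        if len(fails) >= fail_threshold:
            indicators.append("brute_force")
        if any(e["user"] in VALID_ACCOUNTS for e in fails):
            indicators.append("targets_valid_account")
        # Failures plus a success on a valid account from the same source: the adversary may already be inside.
        if fails and any(e["user"] in VALID_ACCOUNTS for e in ok):
            indicators.append("success_after_failures")
        findings[src] = {"indicators": indicators, "actionable": len(indicators) >= 2}
    return findings
```

Running `correlate(SAMPLE_LOG)` flags only 203.0.113.5; the lone Tor probe and the benign login stay below the line.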

For the sake of argument, let’s assume all the agents, endpoints and network objects are reporting to your SIEM. It’s great if a consolidation of log files to one central location has been achieved. But now what? It is configured to answer the who, what and how. After the configuration, if you can’t see the who, what and how, what do you see?

One section of data alone does not provide intelligence, nor do two. Even all the data together does not provide intelligence. That’s data; at most, it’s information. Combine that with what your adversaries are trying to do. Intelligence is thinking about the next step in a series of actions that has yet to be revealed, or finding that one item on your battlefield that uncovers potential issues before they happen.
