At one time, everyone considered intrusion detection (IDS) or prevention (IPS) systems critical to overall information security success. But in recent years, observers keep declaring IDS/IPS dead, only to see it keep hanging on. And while we’re still not ready to bury IDS/IPS today, we DO urge you to consider how you’re deploying these tools within your overall information security strategy. Without proper tuning and deployment, IDS/IPS solutions can't do their jobs properly. And the current landscape of cloud computing and dispersed workforces means protection tied to a firewall misses a lot of activity. Read on to learn how to properly leverage IDS/IPS in a modern environment.
The goal of IDS is to detect cyberattacks by analyzing the signature of data packets as they traverse the network. When the system detects a suspicious packet, it generates an alert. IDS is a passive tool that simply detects and alerts. IPS goes a step farther by adding an active protection method of adapting to the threat and blocking the traffic from reaching the intended victim host. Most IDS/IPS solutions are now available as a bundle with your firewall subscription.
To effectively use IDS/IPS systems, you should be aware of a couple of inherent limitations:
Follow these steps to ensure that these tools provide the protection you’re expecting:
For help reviewing your security system’s architecture, contact us today.
Here’s the hard truth about monitoring solutions: Most companies haven’t properly configured their SIEM/XDR system. Logging millions of events per day may seem productive. But what good does it do if an IT team is overwhelmed with alert fatigue and learns to ignore most of the notifications it gets?
“The basic rules in your SIEM may be functioning, but they often aren’t functioning well,” says Pratum Chief Technology Officer Steve Healey. Read on to learn how trained SOC analysts leverage SIEM/XDR tuning to turn out-of-the-box rules into meaningful tools for reducing noise and alert fatigue while stopping attacks before they gain a foothold.
All SIEM solutions come pre-loaded with a large number of rules. Alert fatigue happens because standard rules can’t possibly work equally well in every environment. “The idea behind those rules is solid, but they’re generic,” Steve says. “The execution will lead to an enormous number of false positives and alert fatigue. You’ll have to tune the rules with additional logic specific to your business to create exceptions without impeding the rule’s original intent.”
Beyond SIEM vendors, many other tech vendors regularly issue new detection rules to close gaps discovered in their own products. Many of those rules also generate a flood of false positives. Pratum’s SOC analysts (who have managed multi-tenant SIEM/XDR solutions for more than a decade) review each new rule’s goal and customize it for every customer’s environment. “We don’t just disable ineffective rules,” Steve says. “We take the core intent of the rule and build it out to get high-fidelity results.” With this kind of tuning, Pratum recently turned 266 million monthly security events in one client’s environment into just 41 alerts sent to the client’s IT team.
The real art of creating SIEM/XDR rules lies in finding the sweet spot of writing rules sensitive enough to detect real threats but not so sensitive that they cause constant false positives. Nobody wants to get an alert every time someone logs in from a coffee shop using a different IP address. But if a legitimate user who normally uses an iPhone suddenly logs in through an Android device in a new geographic location, that’s worth an alert.
The solution is a team of SOC analysts trained to create models of normal activity. By identifying patterns of typical activity, analysts help the system recognize a scenario that checks all the boxes to be suspicious—but actually isn’t. “We can create threat models based on baseline behavior so we know what’s normal and only send an alert when the pattern changes,” Steve says. “Machine learning can figure that out over time.”
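To make the coffee-shop versus new-device-in-a-new-region distinction concrete, here is an added example (not Pratum's code or any vendor's rule) that replays a few constructed login events through a generic "new IP" rule and a baseline-driven rule of the kind described above; the event fields, the two-login baseline threshold and the region codes are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample login events, oldest first (not real log data).
LOGINS = [
    {"user": "alice", "ip": "203.0.113.10", "device": "iPhone",  "region": "US-IA"},
    {"user": "alice", "ip": "198.51.100.7", "device": "iPhone",  "region": "US-IA"},
    {"user": "alice", "ip": "192.0.2.44",   "device": "iPhone",  "region": "US-IA"},  # coffee shop: new IP only
    {"user": "alice", "ip": "192.0.2.99",   "device": "Android", "region": "RO-B"},   # new device AND new region
    {"user": "bob",   "ip": "203.0.113.20", "device": "Windows", "region": "US-IA"},
    {"user": "bob",   "ip": "203.0.113.21", "device": "Windows", "region": "US-IA"},
    {"user": "bob",   "ip": "203.0.113.22", "device": "Windows", "region": "US-NE"},  # new region, known device
]

def stock_rule(events):
    """Generic out-of-the-box logic: fire on every IP address a user has not used before."""
    seen_ips = defaultdict(set)
    alerts = []
    for ev in events:
        known = seen_ips[ev["user"]]
        if known and ev["ip"] not in known:
            alerts.append((ev["user"], f"new ip {ev['ip']}"))
        known.add(ev["ip"])
    return alerts

def tuned_rule(events, min_baseline=2):
    """Baseline logic: alert only when the device type AND the region are both new
    for a user whose baseline already holds at least min_baseline prior logins."""
    baseline = defaultdict(lambda: {"devices": set(), "regions": set(), "n": 0})
    alerts = []
    for ev in events:
        b = baseline[ev["user"]]
        new_device = ev["device"] not in b["devices"]
        new_region = ev["region"] not in b["regions"]
        if b["n"] >= min_baseline and new_device and new_region:
            alerts.append((ev["user"], f"new device {ev['device']} from new region {ev['region']}"))
            continue  # a suspicious login must not teach the baseline until an analyst clears it
        b["devices"].add(ev["device"])
        b["regions"].add(ev["region"])
        b["n"] += 1
    return alerts

if __name__ == "__main__":
    print("stock rule alerts:", stock_rule(LOGINS))   # five alerts, four of them noise
    print("tuned rule alerts:", tuned_rule(LOGINS))   # one alert: alice on Android from RO-B
```

On this sample the stock rule pages the IT team five times, the tuned rule once, and the one remaining alert is the case the text says is worth an analyst's attention.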
The following real-world scenarios illustrate how SIEM tuning modified standard rules into more accurate reporting tools that stop the alert fatigue.
Pratum recently revised one rule intended to deal with the growing threat of business email compromise (BEC) attacks. In these situations, hackers take over a legitimate user account. Then they often create email forwarding rules that let them intercept a user’s messages and conceal the fact that the account has been compromised. Many SIEM solutions now include a stock alert designed to watch for the creation of suspicious forwarding rules. But Pratum’s analysts recognized that the stock rule wasn’t catching the forwarding rule hackers are using most right now. So Pratum’s SOC team wrote a new rule, had the Pratum penetration testing team attempt an exploit to validate the rule, then rolled the rule out to Pratum’s entire client base. The new rule not only identifies the activity, but can also automatically orchestrate a response to contain the threat.
“The intent of most rules is terrific. A lot of rules would be amazing if they were accurate 100% of the time. But they aren’t,” Steve says. Pratum’s SOC team noticed that one stock rule started generating 50 tickets a day for every organization Pratum manages. Less than 5% of the alerts were legitimate threats because the rule kept triggering when normal software operations took place.
The analysts disabled the rule to stop the flood of unactionable data, then rewrote it with complex logic that cut the false positives to almost zero. “Within 72 hours of enabling the new rule, it saved one of our customers from an intrusion that the stock rule missed,” Steve says.
SIEM developers rightfully talk a lot about their solutions’ machine learning capabilities. But the developers tend to focus their machine learning work on big customers, which means some of the tools don’t do much for small organizations generating a limited amount of monthly data. So Pratum’s analysts devote a lot of attention to modifying rule logic so that companies with, say, 30 employees benefit from the next-gen tools as much as companies with 1,000 employees.
For more information on how Pratum’s custom SIEM/XDR rules could make your organization more secure and efficient, contact us today.
Ransomware is rapidly becoming everyone’s problem. If all the recent headlines have provided the wake-up call you need, we have the tips to help you prevent ransomware. Here's what you can begin doing today:
A lot of IT leaders focus their battle against ransomware around stopping zero-day threats. But digest this fact: One recent analysis showed that almost two-thirds of system vulnerabilities involve bugs that were identified two years ago. That literally means that the majority of your vulnerabilities are already solved if you just make the effort to use available patches. Hackers love to grab low-hanging fruit. Don’t let them find it on your system. Get a vulnerability scan and then address the gaps.
Leaving certain port settings open unnecessarily gives hackers an easy gate into your system. CIS Controls 9 and 12 offer information on some common settings to check.
If a ransomware actor does get a toehold in your system, spotting it immediately lets you shut down the breach before things get out of hand. IBM reports that it takes 280 days to identify the average breach. You can do a lot better. The latest defense is a Managed Extended Detection and Response solution that constantly monitors activity, uses artificial intelligence to recognize multiple separate actions as a brewing attack, and actively steps in to shut down suspicious activity.
By effectively isolating/air-gapping various parts of your system, you limit how far ransomware hackers can get if they penetrate one part of the network.
Similar to the previous point, implementing a policy of least-privileged access and Identity and Access Management means you keep hackers from getting into your entire system if they compromise one user’s credentials.
Even if ransomware locks up your data, an effective backup of your data lets you quickly restore operations. Test the backup often to ensure it’s doing its job.
A detailed incident response plan helps everyone know what to do to limit the damage when you get a notice that you've been hit by ransomware. Breach costs are 38% lower for companies that have an IR plan in place before the breach.
Ransomware frequently gets onto a system when a user clicks a bogus e-mail link or falls for social engineering via text messages. Engaging every member of your team in cybersecurity, and in how it keeps the business running, provides one of the best defenses. Provide regular training on the latest tricks in phishing and other social engineering tactics.
An IT risk assessment, vulnerability scan and penetration testing all provide essential checks on your current cybersecurity posture and point to critical remediations you need to make.
Along with making your system more secure, these steps will almost certainly help you get a lower cyber insurance premium at a time when rates are rapidly increasing.
The U.S. government is also stepping up its response. President Biden issued an executive order in May aimed at, among other actions, strengthening software security in federal agencies and creating a federal board to investigate major breaches. The administration says it intends to shift the focus from incident response to incident prevention.
Dozens of states are working on new regulations to step up cybersecurity across several industries.
America continues to pressure Russia about its hacker-friendly climate since major attacks such as the JBS breach, the Colonial Pipeline attack and multiple others were almost immediately attributed to criminal organizations in Russia. But if you’re pinning your organization’s safety on the hope that Russia will crack down on hackers, you may also have a tendency to think vampires make excellent stewards of blood banks.
The fact is that the government can’t keep up. Hacking operations are well-run businesses employing some of the world’s best coders. They shift tactics constantly and engage in flexes like quoting your own cybersecurity policy back to you if you claim that you can’t afford the ransom they demand.
Contact Pratum to find out how we can help get you ready to stop ransomware attacks before they strike.