A SANS Product Review
Written by Dave Shackleford
May 2014
Sponsored by LogRhythm

Combining Security Intelligence and the Critical Security Controls: A Review of LogRhythm’s SIEM Platform

©2014 SANS™ Institute


Introduction

The Critical Security Controls for Effective Cyber Defense (CSCs) represent an established and solid set of guidelines for the government, financial, education, manufacturing and health care sectors, according to a 2013 SANS survey on the CSCs.1 In it, 73 percent of nearly 700 respondents were adopting or planning to adopt the CSCs, mainly for the purpose of better visibility into their enterprises and to reduce security events. Only 10 percent of respondents felt they had done a complete job of implementing the controls. Respondents indicated that several obstacles hinder their implementations:

SANS had the opportunity to review numerous features of LogRhythm’s security information and event management (SIEM) platform with new security intelligence features built in for compliance. In our review, we focused on LogRhythm’s ability to ease some of these pain points while meeting 10 of the most valuable CSCs. These include:

It could be argued that LogRhythm’s approach aligns with many of the other controls—although less directly. However, due to length, we are focusing on the above controls and how LogRhythm can help security teams not only meet control requirements but also actually improve the state of monitoring and response.

Overall, we found the LogRhythm 6.x software easy to use, with a broad range of rules

together a more comprehensive monitoring and alerting strategy that, in turn, can be used to develop baselines of events and behavior across the IT infrastructure.

Survey respondents adopting or planning to adopt the CSCs: 73%

1 The Critical Security Controls: www.counciloncybersecurity.org/attachments/article/12/CSC-MASTER-VER50-2-27-2014.pdf; the SANS 2013 Critical Security Controls Survey: www.sans.org/reading-room/analysts-program/csc-survey-2013

SANS Analyst Program: Combining Security Intelligence and the Critical Security Controls


Inventory and Assess


For good reason, the first of the Critical Security Controls focuses entirely on maintaining

CSC 4.

Some of the things to consider for this control include inventory management systems,

Figure 1. Creating an Unauthorized Hosts AI Rule Description


Inventory and Assess (CONTINUED)


Detecting a new host rapidly is important in detecting malicious behavior and quarantining affected systems to contain damage.

The tool easily caught new systems we spun up to test this feature. Figure 2 depicts a

and triggering a log event.

The ability to detect new devices in the environment is useful for discovering rogue

detecting malicious behavior and quarantining affected systems to contain damage.

as users and groups set up their own infrastructure with convenience as a priority, rather than security.

Figure 2. Rogue Host Event


Inventory and Assess (CONTINUED)


vulnerabilities are associated with them. Security teams need to continually scan for

as possible. They need to do this day in and day out because new vulnerabilities appear regularly.

LogRhythm helps to meet CSC 4 in two ways. First, it correlates logs and events indicating what software has been installed on systems—and when—with vulnerability detection by scanning tools. This is useful when determining whether speci"c installations and software are responsible for new vulnerabilities that appear in the environment. Second, it is also useful for monitoring new vulnerabilities over time to determine if—and when—they are patched or remediated.

We reviewed a number of vulnerability-focused events and dashboards in the LogRhythm interface, including vulnerability logs and events as both highlights from the


As a part of the vulnerability management life cycle, security teams should also track vulnerabilities once they’re found, and scan results should be compared to previous reports to determine what vulnerabilities have been successfully remediated.

Security teams should also conduct vulnerability scans using system and application credentials that allow for deeper probes and assessment of the systems being tested. Analysts can validate the results of these tests with local system logs, which can also indicate when software was installed on the systems that may expose them to attacks. Finally, incident responders can correlate vulnerability scan results with attack attempts and other related security events to ascertain whether a targeted system is truly vulnerable.


Inventory and Assess (CONTINUED)


Examples of events we noted and investigated included Windows and Linux events

all of which would naturally lead to deeper investigation or remediation actions. See Figure 3.

Figure 3. Top Vulnerabilities Dashboard


Defending Systems

Assessment and patching of systems are strong preventive measures. However, protective measures, including malware defenses and application security, are also

operate undetected.

Malware has been a challenge for security and operations teams for many years. In the

that generate alerts when they detect malware.

limit the use of removable media and carefully filter email attachments coming into

domains.

malware samples for analysis and reverse engineering.

infections.

and infected hosts, as well as the event sources themselves. In our review test bed, we saw events coming from numerous Windows systems with antimalware agents installed,


Defending Systems (CONTINUED)


We reviewed numerous worm and bot detection events within this dashboard and watched the time range of malware events detected. The logging of events from host

that we reviewed. An example of this dashboard is shown in Figure 4.

provide actionable intelligence into the type of malware and its impact on previously

applications and code, code review and testing, database security and training for developers in secure coding techniques.

Figure 4. Top Malware Defenses Dashboard


Defending Systems (CONTINUED)


To coincide with this type of alerting rule, lists of strings and attributes can be compiled, and LogRhythm has a number of these available out of the box. Figure 6 shows some

and easy to edit.

Figure 5. Creating an AI Rule for Alerting on User Agent Strings


Figure 6. Application Security Lists


Defending Systems (CONTINUED)


example of simple text-based pattern matching strings, which you can add to or edit as needed.
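The user-agent list described above is plain substring matching against a maintained list of strings. The following is an added example (not LogRhythm's code and not from the original review) of how such a rule evaluates: it parses constructed proxy log lines, compares the user-agent field against a constructed list of placeholder patterns, and produces an alert record for each hit. The log format, pattern entries and field names are assumptions for illustration.

```python
import re

# Constructed list of suspicious user-agent substrings. Assumption: these
# placeholders stand in for a product-maintained list; none are real entries.
SUSPICIOUS_UA_PATTERNS = [
    "example-scanner",
    "badbot/",
    "evil-crawler",
]

# Constructed proxy log lines in a Common Log Format variant with a user-agent
# field at the end. The last line is deliberately malformed.
SAMPLE_PROXY_LOGS = [
    '10.0.0.5 - - [12/May/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/29.0"',
    '10.0.0.7 - - [12/May/2014:10:01:09 +0000] "GET /admin HTTP/1.1" 403 128 "-" "example-scanner/2.1"',
    '10.0.0.9 - - [12/May/2014:10:02:44 +0000] "POST /login HTTP/1.1" 200 64 "-" "BadBot/0.9 (+http://bad.example)"',
    'not a well-formed log line',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_proxy_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_user_agent(ua, patterns=SUSPICIOUS_UA_PATTERNS):
    """Return the first list entry found inside ua (case-insensitive), else None."""
    ua_lower = ua.lower()
    for pattern in patterns:
        if pattern.lower() in ua_lower:
            return pattern
    return None


def scan_logs(lines, patterns=SUSPICIOUS_UA_PATTERNS):
    """Evaluate the list-matching rule over log lines and return alert records."""
    alerts = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue  # unparsable lines are skipped rather than silently matched
        hit = match_user_agent(rec["ua"], patterns)
        if hit:
            alerts.append({"src": rec["src"], "ts": rec["ts"],
                           "ua": rec["ua"], "pattern": hit})
    return alerts


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_PROXY_LOGS):
        print(alert)
```

Substring lists are cheap to evaluate but match anywhere in the string, so entries should be specific enough to avoid hits on legitimate clients; the parser also drops lines it cannot read instead of treating them as matches.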

Figure 7. Malicious User Agent Strings List


Defending Systems (CONTINUED)


and implemented, following industry best practices such as those from the Center for Internet Security.2

authentication when possible, and device management functions should be isolated

were able to correlate changes with data from change control systems to determine whether a change is approved, and alerts can be generated when unplanned changes occur.
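Correlating configuration-change events with change control records, as described above, comes down to checking each observed change against approved change windows for the same device. The following added example (not LogRhythm's code and not part of the original review) does exactly that over a constructed set of approved change requests and constructed, already-normalised device events; the field names, device names and ticket identifiers are assumptions.

```python
from datetime import datetime

# Constructed approved change requests, as a change-control export might supply
# them. Assumption: placeholder ticket ids, device names and windows.
APPROVED_CHANGES = [
    {"id": "CHG-0001", "device": "core-sw-1",
     "start": "2014-05-12T09:00:00", "end": "2014-05-12T10:00:00"},
    {"id": "CHG-0002", "device": "edge-fw-1",
     "start": "2014-05-12T22:00:00", "end": "2014-05-12T23:00:00"},
]

# Constructed configuration-change events after normalisation from device syslog.
CONFIG_EVENTS = [
    {"ts": "2014-05-12T09:15:30", "device": "core-sw-1", "user": "netops",
     "msg": "Configured from console"},
    {"ts": "2014-05-12T13:42:10", "device": "core-sw-1", "user": "netops",
     "msg": "Configured from vty0"},
    {"ts": "2014-05-12T22:30:00", "device": "edge-fw-1", "user": "fwadmin",
     "msg": "Policy installed"},
    {"ts": "2014-05-12T03:05:44", "device": "edge-fw-1", "user": "unknown",
     "msg": "Policy installed"},
]


def _t(s):
    return datetime.fromisoformat(s)


def find_approval(event, approved):
    """Return the approved change whose device and window cover the event, else None."""
    ts = _t(event["ts"])
    for change in approved:
        if change["device"] == event["device"] and _t(change["start"]) <= ts <= _t(change["end"]):
            return change
    return None


def classify_config_changes(events, approved):
    """Annotate every event with whether it falls inside an approved window."""
    results = []
    for ev in events:
        match = find_approval(ev, approved)
        results.append({**ev, "approved": match is not None,
                        "change_id": match["id"] if match else None})
    return results


def unplanned_changes(events, approved):
    """The subset of events that no change request covers: candidates for an alert."""
    return [r for r in classify_config_changes(events, approved) if not r["approved"]]


if __name__ == "__main__":
    for r in unplanned_changes(CONFIG_EVENTS, APPROVED_CHANGES):
        print(f'UNPLANNED {r["device"]} {r["ts"]} by {r["user"]}: {r["msg"]}')
```

A change made outside any window, or on a device with no open request at all, surfaces as unplanned; the approved ones carry the ticket id so an analyst can close the loop with the change record.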

We even examined the LogRhythm SmartResponse engine and witnessed it shutting

trigger if configuration changes are made on them.

2 www.cisecurity.org/resources-publications


Defending Systems (CONTINUED)


We also reviewed a number of charts within the main LogRhythm console for

themselves and their configurations, as shown in Figure 9.

Figure 8. Network Device Log for Configuration Events

Figure 9. Network Device Configuration and Behavior Monitoring


Defending Systems (CONTINUED)


summary table from one of these reports is shown in Figure 10.

them with approved change requests removed the threat of rogue changes by

Figure 10. Detailed Network Device Configuration Change Report


Keeping a Clean Environment

Many of the remaining Critical Controls that LogRhythm supports are around good hygiene, including limitation of ports and services, controlled use of administrative privilege, properly executed boundary defense, maintenance of audit logs and monitoring of account use.

control.

LogRhythm helps meet the requirements of this control in two ways. First, it monitors port scanner results as well as logs and events from individual systems that indicate

available and in use over time and then alerts on deviations from the baseline. As part

scans, the output of which is shown in Figure 11.

scanned and timestamps of the data from log events. This type of report data is helpful in

ADVICE: Run critical services on dedicated systems within restricted network subnets, and use VLANs and private IP addresses to isolate and restrict access to services from the Internet. IT groups can also implement so-called “application firewalls” to limit access to critical services and protect them from attack.

Figure 11. Logs of Port Scan Behavior


Keeping a Clean Environment (CONTINUED)


LogRhythm has a variety of built-in port scan detection rules and monitoring tools. One example of a rule we reviewed sets time thresholds on ports being scanned,

Figure 12. Detection Rule for Stealthy Port Scanning


Keeping a Clean Environment (CONTINUED)


LogRhythm also monitors hosts to determine what processes are running in a normal baseline mode and then alerts if changes are detected to that baseline. Figure 13 shows a rule we used to trigger if the list of processes running on a host is less than 80 percent similar to the process list from the previous day.

This rule may indicate that something significant has changed on the affected platform, warranting additional follow-up investigation, for example.

Figure 13. Abnormal Process Activity Rule
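The process-baseline rule above compares today's process list for a host with yesterday's and fires when the two are less than 80 percent similar. The following added example (not LogRhythm's code and not from the original review) implements that comparison over constructed process lists. The review does not state which similarity measure the product uses, so Jaccard similarity (shared names divided by all names seen on either day) is an assumption here, as are the host and process names.

```python
# Constructed process lists for one host on two consecutive days. Assumption:
# a host-monitoring feed supplies these; the names are placeholders.
YESTERDAY_PROCESSES = [
    "sshd", "cron", "rsyslogd", "nginx", "postgres",
    "ntpd", "systemd-journald", "dbus-daemon", "agetty", "snmpd",
]
TODAY_PROCESSES = YESTERDAY_PROCESSES + [
    "unexpected-svc", "nc", "python3", "perl", "bash",
]

SIMILARITY_THRESHOLD = 0.80  # the 80 percent figure from the reviewed rule


def process_similarity(previous, current):
    """Jaccard similarity of two process-name sets (assumed metric, see lead-in)."""
    prev, cur = set(previous), set(current)
    if not prev and not cur:
        return 1.0  # two empty lists are trivially identical
    return len(prev & cur) / len(prev | cur)


def evaluate_host(host, previous, current, threshold=SIMILARITY_THRESHOLD):
    """Apply the baseline rule for one host and explain what drove the result."""
    sim = process_similarity(previous, current)
    return {
        "host": host,
        "similarity": round(sim, 3),
        "alert": sim < threshold,
        "added": sorted(set(current) - set(previous)),
        "removed": sorted(set(previous) - set(current)),
    }


if __name__ == "__main__":
    result = evaluate_host("web01", YESTERDAY_PROCESSES, TODAY_PROCESSES)
    status = "ALERT" if result["alert"] else "ok"
    print(f'{status} {result["host"]} similarity={result["similarity"]} '
          f'added={result["added"]} removed={result["removed"]}')
```

Reporting the added and removed names alongside the score is what makes the alert actionable: five new processes on a ten-process host drop Jaccard similarity to about 0.67, while a single new backup agent (similarity about 0.91) stays under the threshold and does not fire.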


Keeping a Clean Environment (CONTINUED)


LogRhythm also targets specific applications and services for monitoring, based on

LogRhythm test environment and then used the LogRhythm console to review detailed log information related to a syslog event that had been triggered by the SSH rule, as shown in Figure 14.

Although tuning the software to see the most interesting events related to services,

information to be invaluable in developing behavioral baselines and detecting anomalies in the environment.

Figure 14. SSH Event Log


SSH is often used to hide malicious activities and sensitive information being sent out of the organization.


Keeping a Clean Environment (CONTINUED)


privileges, CSC 12 focuses on the restriction of administrative privileges on systems and within applications. It also includes continuous monitoring of all administrative accounts and activities.

LogRhythm addresses this control by monitoring accounts defined on systems, as well as

enables simplified monitoring and privileged accounts and detection of their activities, is installed by default. This module is merely one of a range of event detection options for privileged user activity, including rule-based monitoring.

We reviewed several default LogRhythm rules that accomplish the goals of CSC 12. For example, we reviewed a rule that detects attempted privilege use on Linux platforms that would trigger any time someone not listed in the /etc/sudoers file attempted to run a privileged command. See Figure 15.

Figure 15. Details of a Linux Privilege Use Rule
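The Linux rule above fires when someone not listed in /etc/sudoers attempts a privileged command. The following added example (not LogRhythm's code and not from the original review) shows the two inputs such a rule needs and how they combine: a constructed /etc/sudoers excerpt is reduced to the set of permitted users, then constructed auth.log lines in the syslog format sudo writes are checked against it. It flags both the explicit "user NOT in sudoers" denial that sudo itself logs and a successful sudo command by a user absent from the collected sudoers baseline, which usually means the baseline is stale or the file was changed. File contents, group membership and host names are assumptions.

```python
import re

# Constructed /etc/sudoers excerpt. Assumption: placeholder content.
SUDOERS_TEXT = """
# User privilege specification
root    ALL=(ALL:ALL) ALL
bob     ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
"""

# Constructed membership for groups referenced with % in sudoers. Assumption.
GROUPS = {"admin": {"carol"}}

# Constructed auth.log excerpt; the sudo line layout follows what sudo logs on Linux.
SAMPLE_AUTH_LOG = [
    "May 12 10:03:21 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update",
    "May 12 10:04:02 host1 sudo:    alice : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /var/log/auth.log",
    "May 12 10:05:13 host1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/systemctl restart nginx",
    "May 12 10:06:40 host1 sshd[2001]: Accepted publickey for dave from 10.0.0.12 port 51234 ssh2",
    "May 12 10:07:05 host1 sudo:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/id",
]

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : (?P<rest>.*)$"
)


def parse_sudoers(text, groups):
    """Collect the users permitted by user and %group entries (simplified parser)."""
    allowed = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entry = line.split()[0]
        if entry.startswith("%"):
            allowed |= set(groups.get(entry[1:], set()))
        else:
            allowed.add(entry)
    return allowed


def detect_unauthorized_sudo(log_lines, allowed):
    """Return an alert record for each sudo event by a user outside the allowed set."""
    alerts = []
    for line in log_lines:
        m = SUDO_RE.match(line)
        if not m:
            continue  # not a sudo record
        user, rest = m.group("user"), m.group("rest")
        command = rest.split("COMMAND=", 1)[1] if "COMMAND=" in rest else ""
        denied = "NOT in sudoers" in rest
        if denied or user not in allowed:
            alerts.append({
                "ts": m.group("ts"), "host": m.group("host"),
                "user": user, "command": command,
                "reason": "denied by sudo" if denied else "not in collected sudoers baseline",
            })
    return alerts


if __name__ == "__main__":
    permitted = parse_sudoers(SUDOERS_TEXT, GROUPS)
    for alert in detect_unauthorized_sudo(SAMPLE_AUTH_LOG, permitted):
        print(alert)
```

The second reason string is the more interesting one for an analyst: sudo allowed the command, so either the collected sudoers copy is out of date or the file was modified on the host without the SIEM's baseline being refreshed.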

ADVICE: Use strong passwords with complexity and aging policies in place for all administrative accounts. Log all administrator activity and logins (both successful and failed), and require multifactor authentication for administrator access, when possible. Require lower-privilege accounts for all initial access and day-to-day activity by administrators, with greater privileges assumed only when needed.


Keeping a Clean Environment (CONTINUED)


A similar rule for Windows platforms is shown in Figure 16; if a nonprivileged user right-

Figure 16. Details for a Windows Privilege Use Rule


Keeping a Clean Environment (CONTINUED)


of privileged user activity and attempted activity. One example of this type of report is shown in Figure 17, in which we select a specified group of privileged users, grouped by login and then by common events.

Monitoring system events related to privilege use and potential misuse helps prevent the build-up of shadow IT setups and other insider threats. It is also important for

Figure 17. Privileged User Monitoring Report


Keeping a Clean Environment (CONTINUED)


especially at the perimeter.

LogRhythm supports CSC 13 in a number of ways, including the ability to:

settings that may not meet enterprise standards for hardening and security profiles

We observed all of this in our review, starting with the different types of threat intelligence sources and lists that LogRhythm can consume and integrate for monitoring, analysis and response rules and actions, as shown in Figure 18.

By default, the list has a large number of prebuilt sources, but more can easily be added by simply editing the list.

Figure 18. Third-Party Threat Intelligence Sources


Keeping a Clean Environment (CONTINUED)


By incorporating both internal and external intelligence sources and allowing analysts to

more up-to-date monitoring and alerting.

Figure 19. Zeus Malware Threat List Details


Keeping a Clean Environment (CONTINUED)


CSC 14 focuses on collection and analysis of logs, with specific control items covering

of logging anomalies. This control also specifies using central log servers for all logs,

The LogRhythm platform manages and monitors all types of log data and has an extensive range of log monitoring and alerting rules and dashboard reports available out of the box.

We monitored and verified log sources and destinations to ensure logs were being collected properly and log data was processed and correlated with other information from the environment. Figure 20 is an example of a dashboard displaying LogRhythm’s comprehensive log monitoring capabilities.

This dashboard shows the major types of log events in the top three graphs (events by

detailed lists of the alarms that were triggered related to the log data it gathered and

SANS has strongly recommended leveraging log data for security monitoring for many

data to build security intelligence.

Figure 20. Log Monitoring Dashboard


Keeping a Clean Environment (CONTINUED)


not properly set up, maintained and monitored. CSC 16 specifies that all accounts should have a purpose and a life cycle policy.

other related user activities on systems. It also correlates user activity to defined lists of accounts to ensure that they are legitimate and still active.

Figure 21 shows a monitoring dashboard we used to review account login activity, top accounts with access changes, account life cycle activity (i.e., creation, modification and deletion of accounts) and audit events.

Figure 21. Account Monitoring Dashboard

ADVICE: Routinely monitor account use and conduct audits for dormant accounts and suspicious account activity. Log failed attempts to access accounts, store and transmit account credentials using adequate encryption and use account lockout features, where available.


Keeping a Clean Environment (CONTINUED)


within a five-minute timespan, shown in Figure 22.

By monitoring account use and activity, LogRhythm helps detect or prevent illicit activity caused by compromised accounts or new accounts created for malicious purposes.

Figure 22. Repeat Login Detection Rule
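Both the repeat-login rule above (events within a five-minute timespan) and the stealthy port scan rule reviewed earlier under Keeping a Clean Environment (time thresholds on ports being scanned) are instances of one detection pattern: count events per key inside a sliding time window and fire when a threshold is reached. The following added example (not LogRhythm's code and not from the original review) implements that general pattern once and applies it to both cases over constructed log lines. Only the five-minute span comes from the review; the log format, the login threshold of five events, the port scan window of 60 seconds and threshold of ten distinct ports, and all addresses and account names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, already-normalised log lines: an ISO timestamp, an event kind,
# then key=value fields. Assumption: placeholder accounts and addresses.
SAMPLE_LOG = [
    "2014-05-12T10:00:00 login user=alice src=10.0.0.5",
    "2014-05-12T10:00:40 login user=alice src=10.0.0.5",
    "2014-05-12T10:01:20 login user=alice src=10.0.0.5",
    "2014-05-12T10:02:00 login user=alice src=10.0.0.5",
    "2014-05-12T10:02:40 login user=alice src=10.0.0.5",
    "2014-05-12T10:00:10 login user=bob src=10.0.0.6",
    "2014-05-12T10:10:10 login user=bob src=10.0.0.6",
    "2014-05-12T10:20:10 login user=bob src=10.0.0.6",
    "2014-05-12T10:06:00 conn src=10.0.0.5 dport=80",
    "2014-05-12T10:06:01 conn src=10.0.0.5 dport=443",
] + [
    f"2014-05-12T10:05:{2 * i:02d} conn src=10.0.0.99 dport={port}"
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 445, 3389])
]


def parse_line(line):
    """Split one constructed log line into a record with a datetime timestamp."""
    ts_text, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_text), "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def windowed_alerts(records, key_field, value_field, window, threshold, distinct):
    """Fire once per key when `threshold` events (distinct values if `distinct`)
    fall inside a sliding window of length `window`."""
    per_key = defaultdict(deque)
    fired = set()
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = rec[key_field]
        q = per_key[key]
        q.append((rec["ts"], rec[value_field]))
        while rec["ts"] - q[0][0] > window:  # drop events older than the window
            q.popleft()
        count = len({v for _, v in q}) if distinct else len(q)
        if count >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"key": key, "count": count, "first": q[0][0], "last": rec["ts"]})
    return alerts


def detect_repeat_logins(lines, window=timedelta(minutes=5), threshold=5):
    """Repeat-login rule: the same account logging in `threshold` times within `window`."""
    recs = [r for r in map(parse_line, lines) if r["kind"] == "login"]
    return windowed_alerts(recs, "user", "src", window, threshold, distinct=False)


def detect_port_scans(lines, window=timedelta(seconds=60), threshold=10):
    """Port scan rule: one source touching `threshold` distinct ports within `window`."""
    recs = [r for r in map(parse_line, lines) if r["kind"] == "conn"]
    return windowed_alerts(recs, "src", "dport", window, threshold, distinct=True)


if __name__ == "__main__":
    for a in detect_repeat_logins(SAMPLE_LOG):
        print("REPEAT LOGIN", a)
    for a in detect_port_scans(SAMPLE_LOG):
        print("PORT SCAN", a)
```

The `distinct` switch is the only difference between the two rules: repeated logins count every event for an account, while a scan is characterised by the breadth of distinct ports from one source. Firing once per key keeps a sustained burst from generating one alarm per event.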


Conclusion

Implementing the Critical Security Controls is not easy. However, the LogRhythm platform satisfies many of the CSCs, with emphasis on the 10 mentioned in this review.

easy configuration rules for vulnerability and threat detection and reporting. It meets

support for secure configuration, privilege user controls and more.

Because this one tool meets so many of these controls, LogRhythm also helps meet the CSC goal of automating as many processes as possible to reduce human-induced

tools such as LogRhythm go a long way to defining and augmenting a foundation of security controls overall. As the CSCs continue to improve, it is our hope that intelligent

challenge IT security departments.


About the Author

instructor and course author, and a GIAC technical director. He has consulted with hundreds

Virtualization Security. Recently, Dave co-

serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.

Sponsor

SANS would like to thank this paper’s sponsor: