Advanced SIEMs: A Road to the Security Knowledge, Protection, and Compliance
January 2021 / White Paper
adlumin.com ©2021 Adlumin Inc. – All Rights Reserved
TABLE OF CONTENTS

Key Features of Adlumin's Platform
Introduction
How Adlumin Works
Darknet Exposure Module
User & Entity Behavior Analytics (UEBA)
Analytics Lifecycle and Algorithmic Detail
Threat Intelligence Portal
Perimeter Defense
References
INTRODUCTION

Sophisticated, targeted attacks can take weeks, months, or longer to discover and resolve. Security teams require integrated tools that quickly uncover the source and scope of an attack to reduce time-to-resolution, mitigate ongoing risk, detect attacker breakout, and further fortify the network. In addition, security teams now need capabilities to extend predictive, analytical security beyond the boundaries of their enterprise into the open, deep, and dark web.

Digital technologies have changed the face of business and government, and will continue to do so at an even faster pace. They drive innovation, boost productivity, improve communications, and generate competitive advantage. A report from the World Economic Forum and McKinsey & Company estimated that cyberattacks would cost the global economy $3 trillion in lost productivity and growth by 2020, while theft, sabotage, and other damage inflicted by trusted personnel continue to cost organizations lost revenue, revealed secrets, and damaged reputations [1].

Cyberattacks are becoming more sophisticated, and hidden threats are difficult to find early, yet early detection is critical to preventing the loss of confidential and sensitive enterprise and customer data. Sophisticated threats such as APTs and insider attacks hide within the enterprise; indications of a breach can be gleaned by analyzing large quantities of data and by extending the security sensor grid to the open, deep, and dark web. Organizations do not have the human resources required to sift through these quantities of data in search of the indicators that warrant analysis. Adlumin's security platform uses artificial intelligence and machine learning to analyze the behavior patterns of users on your network and detect threats, while also monitoring the open, deep, and dark web for evidence of intrusions into the organization.

What are organizations using Adlumin to detect?
• Account Manipulation
• Account Takeover Detection
• Compliance
• Compromised Account
• Dark Web Scanning
• Data Exfiltration and IP Theft
• Fraudulent Activity
• Identity Ecosystem Hardening
• Lateral Movement
• Lateral Movement by Insider
• Leaked Accounts
• Potential Inbound Attacks
• Privilege Management
• Remote Account Takeover
• Risk Management
• Suspicious Behavior

Adlumin was designed and built on our artificial intelligence platform, which leverages big data analytics. It is characterized by technology that can understand, reason, and learn.
HOW ADLUMIN WORKS

Adlumin uses a complex, proprietary technology stack to deliver a premium analytics capability that is cost efficient, simple to integrate, and easy to use. The architecture consists of relational and non-relational databases, streaming analytics clusters, and robust APIs. Our proprietary knowledge base was built from an incident response point of view, drawing correlations between various data sets and threat vectors [3].

Adlumin's security platform runs high-velocity data science algorithms on streaming data, detecting anomalies as the data arrives and sorting the results into five easy-to-ingest severity categories: Informational, Low, Medium, High, and Critical. Our API integration pipeline enriches events with threat intelligence, geolocation, and open, deep, and dark web intrusion detection.

The dashboard interface makes every member of your team, from beginner to expert, effective at investigating and countering threats. Beginners have access to simple, auto-populating, use-case-based research views that allow a novice analyst to scope a breach in under three seconds. Advanced analysts have access to the Kibana dashboard, allowing them to build highly customized queries and visualizations across the entire Adlumin dataset.
DARKNET EXPOSURE MODULE

Adlumin delivers a true big data platform that searches millions of events in real time, extending predictive and analytical security beyond the boundaries of the enterprise into the open, deep, and dark web. Adlumin uses human intelligence (HUMINT), proprietary automated scanning, and various technology providers to gain access to the same leaked data the fraudsters use. Combining our proprietary technology and tradecraft, we can share exposed data with our customers before it is used to cause harm, typically weeks or even months before it becomes available to dark web scanners.

Due to widespread password reuse, account takeover (ATO) attacks have become an extremely lucrative business for cybercriminals. The Federal Bureau of Investigation (FBI) and Department of Justice (DOJ) reported that organized crime rings perform ATO attacks at massive scale and can use botnet-infected armies to attempt credential stuffing attacks against web and mobile applications [2]. Using stolen credentials to break into sites is neither new nor sophisticated, but it works: one reused password can jeopardize millions of accounts.

The Adlumin security platform discovers and recovers stolen credentials in real time, alerts you immediately when one matches an account in your organization, and initiates an automated response that protects your organization from these extremely effective attacks. Adlumin collects stolen and leaked artifacts using multiple techniques and from many sources. We acquire the most actionable data by combining human intelligence and applied research (HUMAN + TECHNOLOGY).
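The matching step described above (a leaked credential turning up against a live account, followed by an automated response) as a worked example. This is added illustration written for this page, not Adlumin's code: the organization's mail domains, the combo-list format, and a directory that stores PBKDF2 verifiers are all assumptions, and the dump and the accounts are constructed. The point it adds is that a leaked address and a leaked password are different findings: an address that appears in a dump warrants a notification, while a leaked password that still verifies against the current account is the credential-stuffing case and warrants a forced reset and session revocation.

```python
import hashlib
import hmac
import os

ORG_DOMAINS = {"example.com"}   # assumption: the mail domains that belong to the organization
PBKDF2_ROUNDS = 100_000         # assumption: how the directory stores password verifiers


def pbkdf2(password, salt):
    """Derive the verifier the (assumed) directory stores for a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_record(password):
    """Enrol a constructed account: fresh random salt plus PBKDF2 verifier."""
    salt = os.urandom(16)
    return salt, pbkdf2(password, salt)


def parse_combo(lines):
    """Parse 'email:password' combo-list lines; accept ';' as separator, skip junk."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sep = ":" if ":" in line else ";" if ";" in line else None
        if sep is None:
            continue
        email, _, password = line.partition(sep)   # split at the first separator only,
        email = email.strip().lower()              # so passwords containing ':' survive
        if "@" not in email or not password:
            continue
        records.append((email, password))
    return records


def in_scope(records, domains=ORG_DOMAINS):
    """Keep only records whose mail domain belongs to the organization."""
    return [(e, p) for e, p in records if e.rsplit("@", 1)[1] in domains]


def triage(records, directory):
    """Map each in-scope leaked address to the response it warrants.

    directory: {email: (salt, verifier)} standing in for the identity store.
    """
    actions = {}
    for email, leaked_password in in_scope(records):
        if email not in directory:
            actions[email] = "notify_only"            # address leaked, no live account behind it
            continue
        salt, stored = directory[email]
        if hmac.compare_digest(pbkdf2(leaked_password, salt), stored):
            actions[email] = "force_reset_and_revoke_sessions"   # leaked password still valid
        else:
            # Leaked, but not the current password; setdefault never downgrades a
            # stronger action already recorded for this address.
            actions.setdefault(email, "notify_user")
    return actions


# Constructed identity store and constructed combo list (no real data).
DIRECTORY = {
    "alice@example.com": make_record("Winter2020!"),
    "bob@example.com": make_record("correct horse battery staple"),
}
COMBO_LIST = [
    "# constructed dump, not a real leak",
    "alice@example.com:Winter2020!",
    "bob@example.com;Tr0ub4dor&3",
    "carol@example.com:hunter2",
    "dave@other.org:password1",
    "not a credential line",
]

if __name__ == "__main__":
    for email, action in sorted(triage(parse_combo(COMBO_LIST), DIRECTORY).items()):
        print(f"{email}: {action}")
```

Running the block reports alice for a forced reset (her leaked password still verifies), bob for a user notification (his address is in the dump but with a different password), and carol for notification only (no live account). Verifying the leaked plaintext against the stored verifier is what makes the distinction possible; a directory that only exposes a comparison API would be used the same way.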
USER & ENTITY BEHAVIOR ANALYTICS (UEBA)

Compromised accounts are part of almost every financial intrusion. Adlumin uses proprietary artificial intelligence (AI) and machine learning algorithms to analyze account-based threats and to write your SIEM rules.

Multidimensional Monitoring
Adlumin looks at events from a user, host, and cohort-based perspective. It monitors whether a user's behavior pattern and a computer's usage pattern look normal relative to their own history and relative to similar users and machines.

Live Monitoring vs. Monitoring Data at Rest
In much of UEBA, analysis runs in batches well after the most recent user session has been written to storage, so the report reaching the sysadmin may arrive long after the data was collected. Adlumin analyzes user behavior in real time, as soon as it becomes available. Using our proprietary architecture, we notify customers from the hot data as it comes in, instead of batch-processing stale data later.

Baselines From "Clean Data"
Our methods identify and discard outliers during baseline data collection, so the baseline is not skewed by one-off or potentially malicious usage patterns. This means our baselines are composed of the best general representation of a given user or host.

Adlumin enhances your existing security offerings and currently deployed technologies, providing new capabilities to extend predictive, analytical security beyond the boundaries of the enterprise into the open, deep, and dark web.
ANALYTICS LIFECYCLE AND ALGORITHMIC DETAIL

The Adlumin UEBA engine builds two types of profiles for monitoring.

Event Profile
For simplicity, consider users, as they typically have a simple set of usage patterns. For instance, a user will log in, open an application, create a file, and log out. This pattern repeats over and over, which makes the behavior predictable. Adlumin clusters on these patterns and extracts the most representative pattern for each cluster.

Detail Profile
The second profile is a set of attributes attached to an event profile. For example, the user will typically open the same type of application at the same time of day and create a file of a similar size. Some of these attributes vary; for each set of user sessions, the platform compresses them into a generalized set of details that allows some flexibility in variation. New profiles are trained on a weekly schedule to account for behavior drift.

Once a user profile is built, the UEBA engine collects live user data and scores it against the profile. The engine looks for completed user sessions (where the user has been idle for a given threshold) and takes the most recent set of events to be scored. The set of events is first mapped to an event profile. If it cannot be mapped within a tolerance (e.g. a user uses the command line when they never have before), that set of events is flagged and a detection is created.
After being mapped to an event profile, the set of events is compared to the detail profile. If the pattern differs significantly from the detail profile, that set of events is flagged and a detection is created.
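The pipeline of the last two sections (a baseline built from clean data with outliers discarded, sessions closed by an idle threshold, a session first mapped to an event profile within a tolerance and only then compared to the detail profile) as one small worked example. This is added illustration written for this page, not Adlumin's code: the 15-minute idle threshold, the modified z-score outlier rule, the edit-distance tolerance, the use of "sequences seen at least twice" in place of real clustering, the two detail attributes (login hour and file size), and all the telemetry are assumptions, and the events are constructed.

```python
from collections import Counter
from statistics import median

IDLE_THRESHOLD = 900       # seconds of inactivity that closes a session (assumption)
ROBUST_Z_CUTOFF = 3.5      # modified z-score beyond which a value is an outlier (assumption)
SEQ_TOLERANCE = 1          # edit distance allowed when mapping a session to an event profile (assumption)


def sessionize(events, idle_threshold=IDLE_THRESHOLD):
    """Split one user's (t, event_type, file_size) records into sessions at idle gaps."""
    sessions, current = [], []
    for ev in sorted(events, key=lambda e: e[0]):
        if current and ev[0] - current[-1][0] > idle_threshold:
            sessions.append(current)
            current = []
        current.append(ev)
    if current:
        sessions.append(current)
    return sessions


def modified_z(value, med, mad):
    """Modified z-score: robust to the very outliers a mean/stdev baseline would absorb."""
    return 0.6745 * (value - med) / mad


def robust_filter(values, cutoff=ROBUST_Z_CUTOFF):
    """'Clean data' baseline: drop one-off values before they can skew the profile."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:                                     # more than half the values are identical;
        return [v for v in values if v == med]       # anything else is a one-off
    return [v for v in values if abs(modified_z(v, med, mad)) <= cutoff]


def edit_distance(a, b):
    """Levenshtein distance between two event-type sequences."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]


def build_profile(sessions):
    """Event profile (representative sequences) plus detail profile (robust attribute stats)."""
    signatures = Counter(tuple(ev[1] for ev in s) for s in sessions)
    # Stand-in for clustering: a sequence seen at least twice is its cluster's representative.
    event_profile = {sig for sig, n in signatures.items() if n >= 2}
    seen_types = {ev[1] for s in sessions for ev in s}
    sizes = robust_filter([ev[2] for s in sessions for ev in s if ev[1] == "create_file"])
    med = median(sizes)
    mad = median(abs(v - med) for v in sizes) or 1.0   # avoid division by zero
    login_hours = {(ev[0] // 3600) % 24 for s in sessions for ev in s if ev[1] == "login"}
    return {"event_profile": event_profile, "seen_types": seen_types,
            "size_median": med, "size_mad": mad, "login_hours": login_hours}


def score_session(profile, session):
    """Return a list of (detection_type, evidence) tuples for one completed session."""
    types = [ev[1] for ev in session]
    unseen = sorted(set(types) - profile["seen_types"])
    if unseen:
        # Cannot be mapped to any event profile: flag and stop, as the text describes.
        return [("unmapped_event_type", unseen)]
    nearest = min(edit_distance(types, sig) for sig in profile["event_profile"])
    if nearest > SEQ_TOLERANCE:
        return [("unmapped_sequence", tuple(types))]
    # Mapped to an event profile: now compare against the detail profile.
    detections = []
    for t, etype, size in session:
        if etype == "login" and (t // 3600) % 24 not in profile["login_hours"]:
            detections.append(("unusual_login_hour", (t // 3600) % 24))
        if etype == "create_file":
            if abs(modified_z(size, profile["size_median"], profile["size_mad"])) > ROBUST_Z_CUTOFF:
                detections.append(("file_size_anomaly", size))
    return detections


def _day(d, hour):
    return d * 86400 + hour * 3600


# Constructed baseline for one user: five working days, login at 09:00, one 5 MB one-off
# that the clean-data filter must discard before it inflates the size baseline.
BASELINE = []
for day, size in enumerate([50_000, 52_000, 48_000, 51_000, 5_000_000]):
    t0 = _day(day, 9)
    BASELINE += [(t0, "login", 0), (t0 + 60, "open_app", 0),
                 (t0 + 600, "create_file", size), (t0 + 900, "logout", 0)]
PROFILE = build_profile(sessionize(BASELINE))   # in production, retrained weekly

# Constructed live sessions to score.
NORMAL = [(_day(7, 9), "login", 0), (_day(7, 9) + 60, "open_app", 0),
          (_day(7, 9) + 600, "create_file", 49_000), (_day(7, 9) + 900, "logout", 0)]
ODD_HOURS_BIG_FILE = [(_day(8, 3), "login", 0), (_day(8, 3) + 60, "open_app", 0),
                      (_day(8, 3) + 600, "create_file", 900_000), (_day(8, 3) + 900, "logout", 0)]
NEW_TOOL = [(_day(9, 9), "login", 0), (_day(9, 9) + 60, "shell_exec", 0), (_day(9, 9) + 900, "logout", 0)]

if __name__ == "__main__":
    for name, s in [("normal", NORMAL), ("odd_hours_big_file", ODD_HOURS_BIG_FILE), ("new_tool", NEW_TOOL)]:
        print(name, score_session(PROFILE, s))
```

Two details carry the weight. The baseline median for file size comes out at 50,500 bytes with a median absolute deviation of 1,000 because the 5 MB one-off was discarded first; had it been kept, a 900 KB file at 03:00 would look far less anomalous. And the session containing a never-before-seen event type is rejected at the event-profile step and never reaches the detail checks, which is the order the text describes.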
THREAT INTELLIGENCE PORTAL

The Adlumin Threat Intelligence Portal (ATIP) adds powerful capabilities to Adlumin's cloud-native SIEM. Adlumin is a cybersecurity company dedicated to defending corporate networks from threats, malfunctions, and IT operations failures. ATIP is a threat intelligence platform that searches numerous databases, including the world's largest crowdsourced threat intelligence database, with additional integrations in the works.

Integrating Adlumin's threat intelligence sources enables a collaborative defense built on community-powered threat data. Every Adlumin platform user has access to crowdsourced threat intelligence from more than 100,000 participants in 140 countries, which adds up to millions of threat indicators daily. The portal automatically checks millions of Indicators of Compromise (IoCs) against the IP traffic in your network, providing additional context for informed decisions about your network's security based on similar threats flagged in other users' networks. It supports real-time searches of individual IP addresses across the three threat intelligence databases, as well as across firewalls, VPN servers, and network security appliances. Users receive immediate notifications of potentially dangerous events. ATIP also allows users to share information about suspected threats with others.

The portal builds on Adlumin's existing line of dependable, easy-to-use network protection and breach detection software. Users access ATIP from the main Adlumin dashboard, where clear, color-coded visualizations aid the user experience. For financial institutions, ATIP provides automated threat detection at the Intermediate maturity level within Domain 2 (Threat Intelligence and Collaboration) of the FFIEC CAT and NCUA ACET. Organizations receive automated security threat alerts without any work on the part of the IT or security team.
Additionally, the main ATIP dashboard provides a real-time feed of articles from top cybersecurity news and information sources.
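The core operation of the portal described above, checking indicators of compromise against IP traffic, as a worked example over firewall flow records. This is added illustration written for this page, not Adlumin's or any feed provider's code: the indicator feed, the flow-record format, the internal address ranges, and the confidence threshold are all assumptions, and every address and record is constructed. It covers the two details that matter in practice: an indicator may be a single host or a whole range (the most specific match should win), and addresses inside the organization's own ranges must never be matched, since feeds describe external infrastructure.

```python
import ipaddress

# Assumption: the organization's internal ranges. IOC feeds describe external infrastructure,
# so internal addresses are never matched, which avoids noise from RFC 1918 space in a feed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed indicator feed: (indicator, originating pulse or source, confidence 0-100).
IOC_FEED = [
    ("203.0.113.7", "pulse:constructed-c2-server", 90),
    ("198.51.100.0/24", "pulse:constructed-hosting-range", 60),
    ("2001:db8::1", "pulse:constructed-scanner", 30),
]

# Constructed firewall flow records in key=value form.
FLOWS = [
    "ts=2021-01-12T09:01:02Z src=10.0.0.15 dst=203.0.113.7 dport=443 action=allow",
    "ts=2021-01-12T09:03:44Z src=198.51.100.23 dst=10.0.0.80 dport=22 action=deny",
    "ts=2021-01-12T09:05:10Z src=10.0.0.15 dst=192.0.2.44 dport=80 action=allow",
    "ts=2021-01-12T09:06:00Z src=10.0.0.9 dst=2001:db8::1 dport=53 action=allow",
    "malformed line with no fields",
]


def load_iocs(feed):
    """Index single hosts in a dict for O(1) lookup; keep ranges sorted longest-prefix first."""
    hosts, nets = {}, []
    for indicator, source, confidence in feed:
        net = ipaddress.ip_network(indicator, strict=False)
        if net.num_addresses == 1:
            hosts[net.network_address] = (source, confidence)
        else:
            nets.append((net, source, confidence))
    nets.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return hosts, nets


def lookup(ip, iocs):
    """Return (source, confidence) for the most specific matching indicator, or None."""
    hosts, nets = iocs
    if ip in hosts:
        return hosts[ip]
    for net, source, confidence in nets:
        if ip.version == net.version and ip in net:
            return source, confidence
    return None


def is_internal(ip):
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse 'key=value' tokens; tokens without '=' are ignored."""
    return dict(token.split("=", 1) for token in line.split() if "=" in token)


def scan(lines, iocs, min_confidence=50):
    """Match every external src/dst address in the flows against the indicator set."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        for role in ("src", "dst"):
            try:
                ip = ipaddress.ip_address(flow[role])
            except (KeyError, ValueError):
                continue            # missing or unparsable address
            if is_internal(ip):
                continue
            match = lookup(ip, iocs)
            if match and match[1] >= min_confidence:
                hits.append({
                    "ts": flow.get("ts"),
                    "ip": str(ip),
                    # An indicator as destination means something inside talked out to it.
                    "direction": "outbound" if role == "dst" else "inbound",
                    "source": match[0],
                    "confidence": match[1],
                    "action": flow.get("action"),
                })
    return hits


IOCS = load_iocs(IOC_FEED)

if __name__ == "__main__":
    for hit in scan(FLOWS, IOCS):
        print(hit)
```

With the default threshold the block reports two hits: an allowed outbound connection to the single-host indicator, which is the one to investigate first, and a denied inbound connection from inside the indicated range. The low-confidence IPv6 indicator only surfaces when the threshold is lowered, which is the knob that keeps a crowdsourced feed from flooding the queue.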
PERIMETER DEFENSE

Adlumin's Perimeter Defense is unique in that it gives the user insight into their network from the attacker's perspective. With Perimeter Defense, internet-facing servers, DMZ hosts, and ATM networks are regularly scanned and monitored for changes and abnormalities. From the Perimeter Defense management page, users enter the IP addresses or CIDR ranges of their high-value assets and internet-facing networks, select a detection severity level, and choose the types of monitoring to enable.

Once a network or IP has been added, Perimeter Defense monitors several key data points, depending on the enabled options: remotely accessible ports, expired TLS certificates, and known product vulnerabilities. As periodic scans run, Adlumin alerts on issues such as new ports opening or existing ports closing, self-signed or expired TLS certificates, and publicly accessible services running product versions with known vulnerabilities. When an issue is detected, Adlumin raises a detection at the severity level the user specified for that network range or IP address. Perimeter Defense gives users the tools to monitor all of their Internet-connected devices.
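The checks listed above (ports opening or closing between scans, self-signed or expired certificates, services below an acceptable version) as a worked example over two scan snapshots of one host. This is added illustration written for this page, not Adlumin's code: the snapshot layout, the per-asset configuration fields, the 14-day expiry warning, and the version-floor policy are all assumptions, and the products, versions, certificates, and addresses are constructed. A minimum-version policy stands in for the vulnerability feed so that no real advisory is invented.

```python
from datetime import datetime, timedelta, timezone

# Constructed Perimeter Defense-style configuration: asset -> severity chosen by the user
# and the monitoring types enabled for it (field names are assumptions).
ASSETS = {
    "203.0.113.10": {"severity": "High", "checks": {"ports", "tls", "versions"}},
}

# Constructed policy standing in for a vulnerability feed: product -> lowest version
# still considered acceptable. Products and versions are fictitious.
MIN_VERSIONS = {"ExampleHTTPd": (2, 4, 0), "ExampleSSH": (8, 0)}

TLS_WARN_DAYS = 14   # assumption: warn this many days before expiry


def parse_version(text):
    """'2.4.46' -> (2, 4, 46); non-numeric components are dropped."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def diff_ports(prev, curr):
    """Ports that appeared or disappeared between two scans of the same host."""
    opened = sorted(set(curr["ports"]) - set(prev["ports"]))
    closed = sorted(set(prev["ports"]) - set(curr["ports"]))
    return opened, closed


def cert_findings(curr, now, warn_days=TLS_WARN_DAYS):
    """Self-signed, expired, and soon-to-expire certificates in the current scan."""
    findings = []
    for port, cert in curr["certs"].items():
        not_after = datetime.fromisoformat(cert["not_after"])
        if cert["issuer"] == cert["subject"]:
            findings.append((port, "self_signed_certificate"))
        if not_after <= now:
            findings.append((port, "expired_certificate"))
        elif not_after - now <= timedelta(days=warn_days):
            findings.append((port, "certificate_expires_soon"))
    return findings


def version_findings(curr, policy=MIN_VERSIONS):
    """Services whose banner version is below the policy floor; unknown versions are skipped."""
    findings = []
    for port, service in curr["ports"].items():
        floor = policy.get(service.get("product"))
        version = parse_version(service.get("version", ""))
        if floor and version and version < floor:
            findings.append((port, f"{service['product']} {service['version']} below supported floor"))
    return findings


def evaluate(ip, prev, curr, now, assets=ASSETS):
    """Turn scan differences into detections at the severity configured for the asset."""
    cfg = assets[ip]
    detections = []

    def add(kind, evidence):
        detections.append({"ip": ip, "severity": cfg["severity"], "kind": kind, "evidence": evidence})

    if "ports" in cfg["checks"]:
        opened, closed = diff_ports(prev, curr)
        for port in opened:
            add("port_opened", port)
        for port in closed:
            add("port_closed", port)
    if "tls" in cfg["checks"]:
        for port, kind in cert_findings(curr, now):
            add(kind, port)
    if "versions" in cfg["checks"]:
        for port, message in version_findings(curr):
            add("vulnerable_version", f"{port}/tcp: {message}")
    return detections


# Constructed scan snapshots of one host, a week apart.
PREVIOUS_SCAN = {
    "ports": {22: {"product": "ExampleSSH", "version": "8.4"},
              443: {"product": "ExampleHTTPd", "version": "2.4.46"}},
    "certs": {443: {"subject": "CN=www.example.com", "issuer": "CN=Example CA",
                    "not_after": "2021-06-01T00:00:00+00:00"}},
}
CURRENT_SCAN = {
    "ports": {22: {"product": "ExampleSSH", "version": "8.4"},
              443: {"product": "ExampleHTTPd", "version": "2.2.15"},
              3389: {"product": "ExampleRDP", "version": "10.0"},
              8443: {"product": "ExampleHTTPd", "version": "2.4.46"}},
    "certs": {443: {"subject": "CN=www.example.com", "issuer": "CN=Example CA",
                    "not_after": "2021-01-01T00:00:00+00:00"},
              8443: {"subject": "CN=admin", "issuer": "CN=admin",
                     "not_after": "2031-01-01T00:00:00+00:00"}},
}
NOW = datetime(2021, 1, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for detection in evaluate("203.0.113.10", PREVIOUS_SCAN, CURRENT_SCAN, NOW):
        print(detection)
```

The snapshots here are constructed; in practice the port and banner data would come from a scanner such as `nmap -sV` and the certificate fields from the peer certificate of a TLS handshake. Two caveats a practitioner would add: version strings taken from banners do not account for backported patches, so a "vulnerable version" detection is a prompt to verify rather than a confirmed exposure, and a port that disappears is worth a detection too, since it can mean a service was taken down or a firewall rule changed without a ticket.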
REFERENCES

1. D. Chinn, J. Kaplan, and A. Weinberg, "Risk and responsibility in a hyperconnected world: Implications for enterprises," McKinsey & Company, January 2014. [Online]. Available: https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/risk-and-responsibility-in-a-hyperconnected-world-implications-for-enterprises
2. FBI, "International Business E-Mail Compromise Takedown," June 2018. [Online]. Available: https://www.fbi.gov/news/stories/international-bec-takedown-061118
3. Amazon Web Services, "System and Organization Controls 3 (SOC 3) Report," March 2018. [Online]. Available: https://d1.awsstatic.com/whitepapers/compliance/AWS_SOC3.pdf

The information contained in this document is solely for example purposes and is not intended to be relied on for implementation purposes or otherwise by the reader. Adlumin hereby expressly disclaims any indication to the contrary. Adlumin, its affiliates or subsidiaries, and a customer are only bound by the terms and conditions contained in a contract between the parties. The Adlumin names and logos and all other names, logos, and slogans identifying Adlumin's products and services are trademarks and service marks or registered trademarks and service marks of Adlumin Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners.