Thursday, March 8, 2018

NextGen SIEM Isn’t SIEM


Security Information and Event Management (SIEM) is feeling its age. Harking back to a time when businesses were prepping for the dreaded Y2K and the cutting edge of security technology was bound to DMZs, bastion hosts, and network vulnerability scanning, SIEM has been along for the ride as both defenses and attackers have advanced over the intervening years. Nowadays, though, it feels less like a ride with SIEM and more like towing an anchor.

Despite the deepening trench gouged by the SIEM anchor slowing down threat response, most organizations persist in throwing more money and resources at it. I’m not sure whether it’s because of a sunk cost fallacy or the lack of a viable technological alternative, but they continue to diligently trudge on with their SIEM, complaining with every step. I’ve yet to encounter an organization that feels like its SIEM is anywhere close to scratching its security itch.



The SIEM of Today
The SIEM of today hasn’t changed much over the last couple of decades. Its foundation is the real-time collection and normalization of events from a broad scope of security event log sources and threat alerting tools. The primary objective was to manage and overcome the cacophony of alerts generated by the hundreds, thousands, or millions of sensors and logging devices scattered throughout an enterprise network, automatically generating higher fidelity alerts using a variety of analytical approaches, and displaying a more manageable volume of information via dashboards and reports.

As the variety and scope of devices providing alerts and logs continues to increase (often exponentially), consolidated SIEM reporting has had to focus upon statistical analytics and trend displays to keep pace with the streaming data, becoming increasingly focused on the overall health of the enterprise rather than on threat detection and event risk classification.

Whilst the collection of alerts and logs is conducted in real-time, the ability to aggregate disparate intelligence and alerts to identify attacks and breaches has fallen to offline historical analysis via searches and queries, giving birth to the Threat Hunter occupation in recent years.

Along the way, SIEM has become the beating heart of Security Operations Centers (SOC), particularly over the last decade, and it is often difficult for organizations to disambiguate SIEM from SOC. Not unlike Frankenstein’s monster, additional capabilities have been grafted onto today’s operationalized SIEMs: advanced forensics and threat hunting capabilities now dovetail into the SIEM’s event archive databases, a new generation of automation and orchestration tools has instantiated playbooks that process aggregated logs, and ticketing systems track responders’ efforts to resolve and mitigate threats.

SIEM Weakness
There is, however, a fundamental weakness in SIEM, and it has become increasingly apparent over the last half-decade as more advanced threat detection tools and methodologies have evolved, facilitated by the widespread adoption of machine learning (ML) technologies and machine intelligence (MI).

Legacy threat detection systems such as firewalls, intrusion detection systems (IDS), network anomaly detection systems, anti-virus agents, network vulnerability scanners, etc. have traditionally had a high propensity towards false positive and false negative detections. Compounding this, for many decades (and still a large cause for concern today) these technologies have been sold and marketed on their ability to alert in volume – i.e. an IDS that can identify and alert upon 10,000 malicious activities is too often positioned as “better” than one that only alerts upon 8,000 (regardless of alert fidelity). Alert aggregation and normalization is of course the bread and butter of SIEM.

In response, a newer generation of vendors has brought forth new detection products that improve upon and replace most legacy alerting technologies, focused not only on finally resolving the false positive and false negative alert problem but on moving beyond alerting and into mitigation, using ML and MI to facilitate behavioral analytics, big data analytics, deep learning, expert system recognition, and automated response orchestration.

The growing problem is that these new threat detection and mitigation products don’t output alerts compatible with traditional SIEM processing architectures. Instead, they provide output such as evidence packages, logs of what was done to automatically mitigate or remediate a detected threat, and talk in terms of statistical risk probabilities and confidence values – having resolved a threat to a much higher fidelity than a SIEM could. In turn, “integration” with SIEM is difficult and all too often meaningless for these more advanced technologies.

A compounding failure with the new ML/MI powered threat detection and mitigation technologies lies with the fact that they are optimized for solving a particular class of threats – for example, insider threats, host-based malicious software, web application attacks, etc. – and have optimized their management and reporting facilities for that category. Without a strong SIEM integration hook there is no single pane of glass for SOC management; rather a half-dozen panes of glass, each with their own unique scoring equations and operational nuances.

Next Generation SIEM
If traditional SIEM has failed and is becoming more of a bugbear than ever, and the latest generation of ML and MI-based threat detection and mitigation systems aren’t on a trajectory to coalesce by themselves into a manageable enterprise suite (let alone a single pane of glass), what does the next generation (i.e. NextGen) SIEM look like?

Looking forward, next generation SIEM isn’t SIEM; it’s an evolution of SOC or, to coin a more prescriptive turn of phrase, “SOC-in-a-box” (and inevitably “Cloud SOC”).

The NextGen SIEM lies in the natural evolution of today’s best hybrid-SOC solutions. The Frankenstein add-ins and bolt-ons that have extended the life of SIEM for a decade are the very fabric of what must ascend and replace it.

For the NextGen SIEM, SOC-in-a-box, Cloud SOC, or whatever buzzword the professional marketers eventually pronounce – to be successful, the core tenets of operation will necessarily include:
  • Real-time threat detection, classification, escalation, and response. Alerts, log entries, threat intelligence, device telemetry, and indicators of compromise (IOC), will be treated as evidence for ML-based classification engines that automatically categorize and label their discoveries, and optimize responses to both threats and system misconfigurations in real-time.
  • Automation is the beating heart of SOC-in-a-box. With no signs of data volumes falling, networks becoming less congested, or attackers slackening off, automation is the key to scaling to the business’s needs. Every aspect of SOC must be designed to be fully autonomous, self-learning, and elastic.
  • The vocabulary of security will move from “alerted” to “responded”. Alerts are merely one form of telemetry that, when combined with overlapping sources of evidence, lay the foundation for action. Businesses need to know which threats have been automatically responded to, and which are awaiting a remedy or response.
  • The tier-one human analyst role ceases to exist, and playbooks will be self-generated. The process of removing false positives and gathering corroborating evidence for true positive alerts can be done much more efficiently and reliably using MI. In turn, threat responses by tier-two or tier-three analysts will be learned by the system, which automatically constructs and improves playbooks with each repeated response.
  • Threats will be represented and managed in terms of business risk. As alerts become events, “criticality” will be influenced by age, duration, and threat level, and will sit adjacent to “confidence” scores that take into account the reliability of sources. Device auto-classification and responder monitoring will provide the framework for determining the relative value of business assets, and consequently the foundation for risk-based prioritization and management.
  • Threat hunting will transition to evidence review and preservation. Threat hunting grew from the failures of SIEM to correctly and automatically identify threats in real-time. The methodologies and analysis playbooks used by threat hunters will simply be part of what the MI-based system incorporates in real-time. Threat hunting experts will in turn focus on preservation of evidence in cases where attribution and prosecution become probable or desirable.
  • Hybrid networks become native. The business network – whether it exists in the cloud, on premise, at the edge, or in the hands of employees and customers – must be monitored, managed, and have threats responded to as a single entity. Hybrid networks are the norm and attackers will continue to test and evolve hybrid attacks to leverage any mitigation omission.
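To make the mechanics behind the post concrete, here is an added example (not code from the original post or from any product it refers to) of the normalization and aggregation the post calls SIEM’s bread and butter, extended with the “criticality” and “confidence” scoring and the “responded” versus “awaiting response” status that the list above describes. The log lines, the JSON alert format of the ML-based endpoint product, the per-source reliability weights, and the threat levels per category are all constructed assumptions for illustration; the combination rule for confidence (treating distinct corroborating sources as independent evidence, and repeated lines from one sensor as a single source) is one reasonable choice, not the post’s.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input for this example (not real logs): three syslog
# lines from sshd and one JSON alert from a hypothetical ML-based endpoint
# product that reports a confidence value and what it already did about it.
SYSLOG_LINES = [
    "Mar  8 10:01:12 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 4022 ssh2",
    "Mar  8 10:01:15 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 4023 ssh2",
    "Mar  8 10:01:19 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 4024 ssh2",
]
EDR_ALERTS = [
    '{"ts": "2018-03-08T10:02:40Z", "host": "web01", "category": "credential_access",'
    ' "confidence": 0.91, "action": "process_killed"}',
]

# Assumed weights for illustration: how much each source is trusted, and the
# threat level of each normalized category.
SOURCE_RELIABILITY = {"sshd": 0.6, "edr": 0.9}
THREAT_LEVEL = {"auth_failure": 2, "credential_access": 4}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?P<user>\S+) from (?P<src>\S+)"
)


def normalize_syslog(line, year=2018):
    """Map an sshd failure line onto the common event schema. Syslog carries no
    year, so the caller supplies it. Returns None for lines that don't match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "source": "sshd", "category": "auth_failure",
            "user": m["user"], "src_ip": m["src"], "confidence": None, "action": "alerted"}


def normalize_edr(raw):
    """Map the product's JSON alert onto the same schema, keeping its confidence
    value and the action it already took instead of flattening it to an alert."""
    d = json.loads(raw)
    ts = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": d["host"], "source": "edr", "category": d["category"],
            "user": None, "src_ip": None, "confidence": d["confidence"], "action": d["action"]}


def correlate(events, now):
    """Group normalized events by host and roll each group into one incident with
    criticality (threat level aged by time unresolved), confidence (distinct
    corroborating sources combined), and a responded/awaiting status."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        first, last = evs[0]["ts"], evs[-1]["ts"]
        threat = max(THREAT_LEVEL.get(e["category"], 1) for e in evs)
        age_hours = (now - first).total_seconds() / 3600
        # Criticality grows with the threat level and with how long the incident
        # has sat unresolved (capped at one day so it does not grow unbounded).
        criticality = threat * (1 + min(age_hours, 24) / 24)
        # Repeated lines from one sensor are not independent evidence, so keep
        # the best confidence per (source, category) and combine only those.
        per_source = {}
        for e in evs:
            key = (e["source"], e["category"])
            c = SOURCE_RELIABILITY[e["source"]] * (1.0 if e["confidence"] is None else e["confidence"])
            per_source[key] = max(per_source.get(key, 0.0), c)
        not_true = 1.0
        for c in per_source.values():
            not_true *= 1.0 - c
        confidence = round(1.0 - not_true, 4)
        responded = any(e["action"] != "alerted" for e in evs)
        incidents.append({
            "host": host,
            "event_count": len(evs),
            "sources": sorted({e["source"] for e in evs}),
            "first_seen": first,
            "duration_s": int((last - first).total_seconds()),
            "threat_level": threat,
            "criticality": round(criticality, 2),
            "confidence": confidence,
            "priority": round(criticality * confidence, 2),
            "status": "responded" if responded else "awaiting_response",
        })
    return sorted(incidents, key=lambda i: i["priority"], reverse=True)


def build_incidents(syslog_lines=SYSLOG_LINES, edr_alerts=EDR_ALERTS, now=None):
    """Normalize both feeds and return incidents ordered by priority. The default
    'now' is twelve hours after the first sample event so the aging is visible."""
    now = now or datetime(2018, 3, 8, 22, 1, 12, tzinfo=timezone.utc)
    events = [e for e in (normalize_syslog(line) for line in syslog_lines) if e]
    events += [normalize_edr(a) for a in edr_alerts]
    return correlate(events, now)


if __name__ == "__main__":
    for inc in build_incidents():
        print(inc)
```

With both feeds present the three sshd lines and the endpoint alert collapse into a single incident for web01 whose confidence is higher than either source alone and whose status is already “responded”, because the endpoint product acted; drop the endpoint alert and the same host shows up as a lower-confidence incident still awaiting a response. That difference in output is exactly the information the post says a legacy alert stream cannot carry.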

Luckily, the NextGen SIEM is closer than we think. As SOC operations have increasingly adopted the cloud to leverage elastic compute and storage capabilities, hard-learned lessons in automation and system reliability from the growing DevOps movement have further defined the blueprint for SOC-in-a-box. Meanwhile, the current generation of ML-based and MI-defined threat detection products, combined with rapid evolution of intelligence graphing platforms, have helped prove most of the remaining building blocks.

These are not wholly additions to SIEM, and SIEM isn’t the skeleton of what will replace it.

The NextGen SIEM starts with the encapsulation of the best and most advanced SOC capabilities of today, incorporates its own behavioral and threat detection capabilities, and dynamically learns to defend the organization – finally reporting on what it has successfully resolved or mitigated.

-- Gunter Ollmann

Tuesday, March 6, 2018

Lock Picking at Security Conferences

Both new and returning attendees at technical security conferences are often puzzled by the presence of lock picking break-out areas and the gamut of hands-on tutorials. For an industry primarily focused on securing electronic packets of ones and zeros, an enthusiasm for manual manipulation of mechanical locks seems out of place to many.


Over the years, I’ve heard many reasons and justifications for the presence of lock picking villages, the hands-on training, and the multitude of booths selling the tools of the trade. The answers vary considerably and tend to be weighted by how much of a tinkerer or hacker the respondent thinks they are.

The reality – I think – can be boiled down to two primary reasons.

For most longtime security professionals who now take to the stage to educate attendees on the fragility of the cyber-security domain, or who attempt to mentor and guide the in-bound generation of attackers and defenders, locks and lock picking serve as a valuable teaching aid. Through that influence, we encourage people to tinker and learn.

By examining how mechanical locks operate and how they have evolved to counter each new picking technique used to subvert earlier models, cyber-security professionals begin to appreciate three fundamentals of security:

  1. Attackers learn by dissecting and studying the intricacies of the defenses before them and must practice, practice, practice to defeat them.
  2. Defenders must understand the tools and methodologies that the attackers avail themselves of if they are to devise and deploy better defenses, and
  3. No matter how well thought-out in advance, the limitations of fabrication tolerances and the environments within which the security technology must operate will introduce new flaws and vectors for attack.

These are incredibly important lessons that must be learned. Would-be professionals seeking to get into penetration testing, red teaming, or reverse engineering can’t just pick up the latest Hacking Exposed edition and complete online Q&A exams; they must roll up their sleeves, accumulate the hours of hands-on experience of both failures and successes, and build that muscle memory. Would-be defenders can’t just read the operations manuals of the devices they’ll be entrusted to protect, or sit through vendor training courses on how to operate threat detection systems; they must learn the tools of the attackers and (ideally) gain basic proficiency in their use if they’re to make valuable contributions to defense. Meanwhile, the third point is where both attackers and defenders need to learn humility: no matter how well we think we know a system or how often we’ve practiced against a technology, subtle flaws and unexpected permutations may undermine our best efforts through no fault of our own skills.

As a teaching aid, locks and lock picking are a tactile means of understanding the foibles of cyber security.

But there is a second reason… because it’s exciting and fun!

Lock picking feeds into the historical counter-culture of hacking. There’s a kind of excitement learning how to defeat something near the edge of legitimacy – an illicit knowledge that for centuries has been the trade-craft of criminals.

With a few minutes of guidance and practice, the easiest locks begin to pop open and the hacker is drawn to the challenge of a harder lock, and so on. As frustrations grow, the reward of the final movement and pop of the lock is often as stimulating as scoring a goal in some kind of popular uniformed team sport.

The skills associated with mastering lock picking, however, have little translation to being a good hacker, except perhaps the single-minded intensity and tenaciousness needed to solve technical challenges.

I have noticed that there are a disproportionate number of hackers who are accomplished lock pickers, (semi-)professional magicians, and wall-flower introverts. Arguably, lock picking (and magic tricks) may be the hacker’s best defense at uncomfortable social events. Rather than have an awkward conversation about sports or pop culture, it’s often time to whip out a lock and a pack of picks, and teach instead of prattle.

-- Gunter Ollmann