Blog Post: http://raffy.ch/blog. - Video: https://youtu.be/nk5uz0VZrxM
In this video we talk about the world of security data, or log data. In the first section, we go through a bit of a history lesson around log management, SIEM, and big data in security. We then shift to the present to discuss some of the challenges we face today in managing all of that data, along with some of the trends in the security analytics space. In the third section, we focus on the future: what does tomorrow hold in the SIEM / security data space, what are some of the key features we will see, and why does this matter to the users of these approaches?
4. Tomorrow - How To Drive Value From Your Security Data
Become Risk Centric
(Slide diagram, labels only: Risk Service; Entity Engines for Resource, Access, User, Device, App, Data; Anomaly; Belief Net; Security “Knowledge”; Expert.)
Challenges: things to be aware of when you invest in any data capability, or when you assess your own
Use-Cases
- Focus on the wrong use-cases
- Email is still the prevalent attack vector, not vulnerabilities
- Not having a use-case driven approach at all
- Sharing use-cases is still practically non-existent (Sigma being the main attempt)
- SOCs are building use-cases for the data they have instead of for the things they want to detect
Scalability
- Running many rules
- Collecting all data (expensive)
- Getting the data architecture right
- Trying to do it ourselves rather than outsourcing: can you get the right people? Why does everyone re-invent their processes?
- Cloud helps, but it is still expensive
- SOCs are running an average of 30 tools!
Data
- Visibility gaps (email and humans) – how is it that we buy phishing solutions and do not understand our email communication patterns better?
- Understanding data and knowing what to do with it (remediation) – alerts are not indicative of whether a system / user is under duress
- Application visibility and understanding – SaaS applications anyone?
- Beyond alerts: inventory as well (CSPM, …), and metrics collection as well
False Positives
- A threat / exploit / vulnerability centric view makes event prioritization challenging
- We are still operating on an event level instead of an entity (user, device) level
- We are prioritizing all events / alerts that our data sources send us …
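As an added example (not code from the talk or from the author), the difference between event-level and entity-level prioritization over a handful of constructed alerts: the per-alert queue would start with the two severity-9 IDS hits on a printer, while the entity view ranks a privileged finance user with three low-severity alerts from independent sources first. The alert fields, the 1-10 severity scale, the privileged/criticality context values and the weighting policy are all assumptions for illustration.

```python
"""Entity-level alert prioritization (added example, not from the talk).

Rather than triaging alerts one by one in severity order, fold them onto
the entity they concern (user or host), combine them with diminishing
returns, reward corroboration across independent sources, and weight by
what inventory/HR say about the entity. All alerts, severities and
context values below are constructed for illustration.
"""
from collections import defaultdict

# Constructed alerts in the shape a SIEM might forward: source tool,
# severity on an assumed 1-10 scale, and the user/host the alert names.
SAMPLE_ALERTS = [
    {"source": "edr",   "severity": 3, "user": "alice", "host": "wks-101"},
    {"source": "email", "severity": 4, "user": "alice", "host": "wks-101"},
    {"source": "proxy", "severity": 5, "user": "alice", "host": "wks-101"},
    {"source": "ids",   "severity": 9, "user": None,    "host": "printer-7"},
    {"source": "ids",   "severity": 9, "user": None,    "host": "printer-7"},
    {"source": "vpn",   "severity": 2, "user": "bob",   "host": "wks-202"},
]

# Constructed context from HR and asset inventory (assumed field names).
USER_CONTEXT = {"alice": {"privileged": True}, "bob": {"privileged": False}}
HOST_CONTEXT = {"wks-101": {"criticality": 0.7},
                "wks-202": {"criticality": 0.3},
                "printer-7": {"criticality": 0.1}}


def entity_risk(alerts, weight):
    """Combine an entity's alerts into one score.

    Duplicate (source, severity) pairs collapse to one, so a tool that
    re-fires the same signature every minute does not dominate. The
    remaining alerts combine noisy-OR style (1 - prod(1 - p)), which
    saturates instead of growing without bound, and each additional
    independent source adds a corroboration bonus (assumed 25% each).
    """
    unique = {(a["source"], a["severity"]) for a in alerts}
    miss_all = 1.0
    for _source, severity in unique:
        miss_all *= 1.0 - min(severity, 10) / 10.0
    combined = 1.0 - miss_all
    distinct_sources = len({source for source, _ in unique})
    corroboration = 1.0 + 0.25 * (distinct_sources - 1)
    return combined * corroboration * weight


def context_weight(kind, name):
    """Assumed policy: privileged users weigh 1.0, others 0.5; hosts use
    the inventory criticality, defaulting to 0.5 when unknown."""
    if kind == "user":
        return 1.0 if USER_CONTEXT.get(name, {}).get("privileged") else 0.5
    return HOST_CONTEXT.get(name, {}).get("criticality", 0.5)


def rank_entities(alerts):
    """Return [(entity, score), ...] sorted from highest to lowest risk."""
    by_entity = defaultdict(list)
    for a in alerts:
        for kind in ("user", "host"):
            if a.get(kind):          # skip alerts with no user (or no host)
                by_entity[(kind, a[kind])].append(a)
    ranked = [(f"{kind}:{name}", entity_risk(group, context_weight(kind, name)))
              for (kind, name), group in by_entity.items()]
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


def top_event(alerts):
    """The entity an event-level queue shows first: the single worst severity."""
    worst = max(alerts, key=lambda a: a["severity"])
    return f"user:{worst['user']}" if worst["user"] else f"host:{worst['host']}"


if __name__ == "__main__":
    for entity, score in rank_entities(SAMPLE_ALERTS):
        print(f"{entity:16} {score:.3f}")
    print("event-level queue would start with:", top_event(SAMPLE_ALERTS))
```

With the constructed input the event queue starts at host:printer-7 (severity 9), while the entity ranking puts user:alice first, her workstation second, and the low-criticality printer below bob's single VPN alert.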
Beyond events/alerts
- CSPM / configuration / asset information
Shared Frameworks
- ATT&CK -> I think that’s a bad trend – it’s not really covering the right set of detections and is not prescriptive enough for your use-cases!
- Sigma -> an okay start, but still very limited to date, and it hasn’t been shown to produce good, thorough detections
Move to the Cloud
- Not solving all our problems; in fact, it introduces new ones (governance, …)
- Let’s be clear, your SIEM will run in the cloud
Insider Focus
- Monitoring the users and understanding them, moving away from chasing the latest vulnerability / …, because even an external attack will show up as a change in the user’s behavior
Rethink what we really want from SIEM / security data analytics -> Some call that XDR now
Data
- Inventory
- Classification
- Movement
App
- Posture
- Activity
- SaaS
- Cloud posture
Device
- Asset Info
- Posture (Vuln, Patch, Config)
User
- HR
- Identity
- Access Priv’s.
- Activity / Behavior
- Personality
Anomaly
- To self and to peers
- Interaction with critical data
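An added example, not from the talk, of the “to self and to peers” comparison in the list above, run on constructed daily counts of sensitive-document reads. A user whose count jumps far above her own history but in step with her department (say, finance at quarter close) is scored differently from a user who is off both his own baseline and his peers’. The counts, department membership, z-score threshold and standard-deviation floor are assumptions.

```python
"""Behavioral anomaly to self and to peers (added example, not from the talk).

Two baselines per user: the user's own past activity, and what the user's
peer group did in the same window. Something unusual for the user but
shared by the peers ranks lower than something unusual on both axes.
Counts and department membership below are constructed.
"""
import statistics

# Constructed daily counts of sensitive-document reads per user; the last
# value in each series is "today", the earlier ones are the history.
HISTORY = {
    "alice": ("finance", [5, 6, 5, 7, 6, 5, 6, 5, 7, 6, 5, 6, 5, 40]),
    "carol": ("finance", [6, 5, 6, 6, 5, 7, 6, 5, 6, 6, 5, 6, 6, 41]),
    "dave":  ("finance", [4, 5, 4, 5, 5, 4, 5, 4, 5, 5, 4, 5, 4, 39]),
    "bob":   ("sales",   [2, 3, 2, 2, 3, 2, 2, 3, 2, 2, 3, 2, 2, 30]),
    "erin":  ("sales",   [3, 2, 3, 3, 2, 3, 3, 2, 3, 3, 2, 3, 3, 3]),
    "frank": ("sales",   [2, 2, 3, 2, 2, 3, 2, 2, 3, 2, 2, 3, 2, 2]),
}
MIN_STD = 1.0    # assumed floor: a perfectly flat baseline must not make any change infinite
THRESHOLD = 3.0  # assumed |z| above which a value counts as anomalous
PRIORITY = {"self and peers": 3, "self only": 2, "peers only": 1, "normal": 0}


def zscore(value, baseline):
    """Standard score of value against a baseline list, with a std floor."""
    mean = statistics.fmean(baseline)
    std = max(statistics.pstdev(baseline), MIN_STD)
    return (value - mean) / std


def assess(user, data=HISTORY):
    """Score one user's latest value against self and against peers."""
    group, series = data[user]
    today, past = series[-1], series[:-1]
    self_z = zscore(today, past)
    # Peers are everyone else in the same group; compare today's values only.
    # Two peers is enough for a demo; a real group needs far more members.
    peers_today = [s[-1] for u, (g, s) in data.items() if g == group and u != user]
    peer_z = zscore(today, peers_today) if len(peers_today) >= 2 else 0.0
    self_hit, peer_hit = abs(self_z) > THRESHOLD, abs(peer_z) > THRESHOLD
    if self_hit and peer_hit:
        verdict = "self and peers"
    elif self_hit:
        verdict = "self only"        # unusual for the user, but the peer group moved too
    elif peer_hit:
        verdict = "peers only"       # normal for the user, out of step with the group
    else:
        verdict = "normal"
    return {"user": user, "self_z": round(self_z, 2),
            "peer_z": round(peer_z, 2), "verdict": verdict}


def prioritize(data=HISTORY):
    """Users ordered for analyst attention: both-axes anomalies first."""
    results = [assess(u, data) for u in data]
    results.sort(key=lambda r: (PRIORITY[r["verdict"]], abs(r["self_z"])), reverse=True)
    return [r["user"] for r in results]


if __name__ == "__main__":
    for user in prioritize():
        print(assess(user))
```

On the constructed data bob is the only user anomalous on both axes and comes out first; the three finance users all spike relative to themselves but match each other, so they rank lower rather than being dropped (a peer group that is compromised together would still show up as “self only”, which is why that verdict lowers priority instead of suppressing the signal).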
This gets you out of the cat-and-mouse game of chasing yet another attack type (ransomware today, phishing tomorrow, etc.)
AI and ML to the rescue – or not
We will get better at anomaly detection from a behavioral standpoint, but not through supervised ML! That is the domain of expert systems.
We will keep using ML (supervised) for malware detection, document classification, and basically all kinds of pattern matching
Let AI help automate machine-enabling tasks – and visualize more
Verifiability and explainability of approaches
That’s IT, folks!
Cloud
We are moving to the cloud. Period. Your SIEM too.
How do you monitor on-prem in that case?
Visibility
- Challenges to see and understand it all? What are all the assets in your environment right now? How do you track them? What are they? What are their risks?
- What about all your users?
- Across on-prem and cloud / SaaS / …
Automation
- built into products, not bolted on as a separate SOAR
- beyond the simple ‘augmentation’ use-cases – phishing playbook – remediate across your risk engine …
- we need to push toward remediation. Why do we still need security analysts making decisions? Why can’t we learn from past activity?
Privacy
- Needs to be designed with ‘privacy first’ (only collect what you need, in a secure manner)
- Securing collected data - anonymization?
- Nuances of regional regulations (GDPR, CCPA, etc.)
- Where are the socio-ethical boundaries?
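One way to build “only collect what you need” into the collection pipeline, as an added example that is not from the talk: drop the fields no use-case needs, and replace identifiers with keyed pseudonyms rather than plain hashes, since a plain hash of an email address or IP is reversible by hashing a list of likely values. The field policy, the sample records and the key handling are assumptions.

```python
"""Privacy-first collection: field minimization plus keyed pseudonymization
(added example, not from the talk).

Only the fields the detection needs are kept; identifiers are replaced by
an HMAC under a key that lives outside the analytics store, so the same
user still maps to the same token (entity analytics keep working) but the
store alone cannot be walked back to the person. Records and field policy
below are constructed.
"""
import hashlib
import hmac
import secrets

# Assumed policy: what a login/download-monitoring use-case needs, and
# which of those fields are identifiers that must be pseudonymized.
KEEP = ("ts", "action", "user", "src_ip", "bytes")
PSEUDONYMIZE = ("user", "src_ip")

# Constructed raw records as an email/SaaS audit log might emit them,
# including fields (subject, full_name) that no use-case here needs.
RAW_RECORDS = [
    {"ts": "2021-03-01T08:02:11Z", "action": "login", "user": "alice@example.com",
     "src_ip": "203.0.113.7", "bytes": 0, "full_name": "Alice Example",
     "subject": "Q1 bonus letters"},
    {"ts": "2021-03-01T08:05:40Z", "action": "download", "user": "alice@example.com",
     "src_ip": "203.0.113.7", "bytes": 48213, "full_name": "Alice Example",
     "subject": "Q1 bonus letters"},
]

# Pepper generated at startup for the demo; in production it is a managed
# secret the analytics platform never stores (assumption, not a product API).
PEPPER = secrets.token_bytes(32)


def pseudonym(value, pepper):
    """Keyed, truncated pseudonym: same input + same pepper -> same token."""
    return hmac.new(pepper, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimize(record, pepper):
    """Keep only the policy fields, pseudonymizing identifiers on the way in."""
    out = {}
    for field in KEEP:
        if field in record:
            value = record[field]
            out[field] = pseudonym(value, pepper) if field in PSEUDONYMIZE else value
    return out


def plain_hash(value):
    """The tempting shortcut: an unkeyed hash, truncated the same way."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def reidentify(token, candidates):
    """Dictionary attack: anyone holding a token plus a list of likely
    identifiers (an address book, an IP range) reverses an unkeyed hash by
    hashing the candidates. Returns the matching identifier or None."""
    for candidate in candidates:
        if plain_hash(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    stored = [minimize(r, PEPPER) for r in RAW_RECORDS]
    for r in stored:
        print(r)
    directory = ["bob@example.com", "alice@example.com"]
    print("plain hash reversed to:", reidentify(plain_hash("alice@example.com"), directory))
    print("keyed token reversed to:", reidentify(stored[0]["user"], directory))
```

The tokens stay consistent, so per-entity behavior analytics still work; that same linkability means the output is pseudonymized rather than anonymized and is still personal data under GDPR. The pepper, not the analytics store, is what protects it, and rotating the pepper deliberately breaks linkability across rotation windows.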
SIEM visibility has been focused on the network; it is time to get endpoint and cloud visibility, AND data visibility, including SaaS
The risk-based approach will help you not just defend from external attacks, but also monitor your insiders. They are becoming more of a problem!
Sharing – from TI to TTPs / analytics sharing