Protecting the Business: Creating a Security Maturity Model with SIEM
This session is a must-see for anyone who’s curious about how event-based security managers actually work. Jamie and Destiny present a hands-on, end-to-end, how-to on configuring and using Log and Event Manager. The session will include configuring file integrity monitoring, understanding the effects of normalization, and creating event correlation rules. They’ll also do a live demonstration of USB Defender’s insertion, copy activity detection, and USB blocking, Active Directory® user, group, and group-policy configuration for account monitoring, lock-outs for suspicious activity, and detecting security log tampering.
Even if you’re not using LEM or a SIEM tool, this will be a valuable lesson on Active Directory® threat considerations and some real-world examples of attack techniques.
Joining me today is Jamie Hynds, a senior product manager for SolarWinds security products.
Thanks, Destiny. Excited to be here.
Well, Jamie, for a lot of us, security, especially when we're establishing a mature process for analyzing security data, it can be a real challenge. And I'm not sure operating compliance checklists for everything equals maturity.
It certainly can seem overwhelming, and really, just having a plan without at least some checklists to ensure you're using your SIEM software to its full potential just simply isn't enough. For example, if you're aggregating all your critical security events in Log & Event Manager, that's great, good stuff. But what's your plan for analyzing all the data it gathers? I recommend four main focus areas for security analysis in any organization.
Exactly. The first item on the checklist will be cyber threat intelligence. The second being threat detection. Thirdly, we have incident or intrusion response, and finally, threat prevention.
And that is definitely one way to start one, and a great checklist, Jamie. Something to note is there are several ways to accomplish mature analysis, so don't just think that this is the only way. Now, let's briefly talk about each one of these steps so that we can help you guys who have LEM and can tweak them into that 500-pound gorilla, helping you guys succeed these goals. So first off, cyberthreat intelligence. This is where you will focus your efforts on finding intelligence sources that will help you identify the actual threat.
Yes, that's a long way of saying your anti-virus or anti-malware software needs to be in place. Also, LEM can help you in this area, introducing you to threats and having an actual response to those threats.
Okay, exactly. See, we're already making these big ideas simpler. So the second one is threat detection, which includes items such as NetFlow, which shows the flow of the data within your network for more forensic and incident research. And then you have the response capabilities as well. So, this improves awareness with metrics that allow you the internal visibility to what's within your bandwidth and sets a baseline. Which is critical, because when you're identifying those anomalies, you have to have a baseline.
And that flows right into incident intrusion response also, Dez.
Yeah, I see what you did there. [Jamie laughs]
Having a response to a threat is one thing, but being alert to possible threats, like, say for example, a USB drive on a device where you have a watch set up for new USB activity, that takes it to the next level. LEM allows you to set up this kind of alert and also to respond to the alert by disabling and ejecting that USB device.
Okay, see, now that is something that I personally think is just flat awesome. So being alerted to a situation, that's one thing. Doing something actually about it, that's critical, which brings us to the last, but certainly not the least: threat prevention. All right, so, for example, integrating tools like Cisco Umbrella into your LEM or adding better web filtering that prevents calls to known sites and consistently scans for things like malware. Some users even prevent the callout to start file encryption. So, Jamie, now that we have set the stage, if you will, show us the ways that LEM can actually help them with their plans.
Sure, let's jump right in. So, Destiny, opening the fire hose and seeing all your logged data coming into LEM can be overwhelming.
Oh, extremely. [Destiny laughs]
So, what I want to do is to walk you through some use cases to get you started in terms of, as I said earlier, analyzing that log data and understanding that and identifying trends, et cetera, from that log data.
Now, you're actually going to show us step by step how to do this, correct?
That's why we've got you.
So, the first area I want to focus on is File integrity monitoring. So data is critical, obviously, to any organization. File integrity monitoring is a process of monitoring access to those files, permission changes, and not only files that store the data, but also key system files as well to monitor the integrity of those.
So, how do we pull in the data? So, the first step in Log & Event Manager to actually get your data into LEM is to deploy the LEM agent. Very easy to do. There's a local installer, a remote installer you can use to push out your agents from a central machine. And from there, you see all the various different agents you're collecting logs from. Number of benefits to the agent. It compresses the logs. It can encrypt the logs, and also the active response we spoke about, in terms of taking actions and threats. The agent takes care of that as well.
Well, that's fantastic, especially encryption level, because that's a lot of security concerns that people have with logging events.
Exactly. So, data is encrypted in transit with LEM, which is obviously very important. So, we can come in here to our agent, and we can see all the various different connectors we have. When I do a search for FIM, for file integrity monitoring, I can see my file and directory connector for file integrity monitoring. So I know a lot of you are probably thinking, do I have to go in and set all my auditing and all my Windows files and folders, which is obviously very time consuming. With LEM, we include lots of templates out of the box to help you get started, as well as the ability to actually set up your File Integrity Monitoring directly from the LEM UI, without having to go into every single file and folder to actually set your file auditing.
And something that I like, too, is this kind of reminds me of, like, the Network Configuration Manager, with those out-of-the-box templates that are there. You can use these as guidelines as well, so this is really key for people getting into it, because you have these to kind of build a template around and to see where you need to go.
In fact, they're pretty much a starting off point, and then you can go from there. So to give you an idea, I know I mentioned system files and the integrity of those files. If you're not sure, you know, what should I be monitoring with my Windows Server to ensure my system files are secure and integrity is good? You can come in here and you can see your Windows Server Monitoring template. So, we're going to monitor things like .bat files, .dll files, changes to the host file, which I'll show you in a minute, and any changes to the boot.ini, your startup programs, et cetera. So you can actually deploy that template from here. And from there, add that monitoring from here. Now that it's added, we want to set up a custom monitor. So I'm sure everyone has lots of files and folders or sensitive files they want to monitor. So to do that, you can click on Add Custom Monitor. And in here, you simply give it a name, and then from here, you can actually browse to your machine to decide what files and folders you want to monitor.
I love the customization of that, because we all know that we're trying to outsmart everybody, so sometimes we're trying to hide things and do things within there. We need to protect them, so this is a great way to customize it.
Precisely. So in here, on my machine here, I have my C drive, and I can then see all my various different directories from here. I can go in to monitor the THWACKcamp directory. Equally, I can come in here and monitor any Windows directory I like. You can select from here. If there's an individual file you want to monitor, you can even monitor individual files from here as well. But for the time being, I'm going to select this THWACKcamp folder. From here, you can go recursive or non-recursive. So do you want to monitor everything in that folder? Or non-recursively, whatever you prefer. You can also set your masks here. So you could say I only want to look at Excel files or Word documents, whatever the case may be. In this case, I'm going to monitor all and sundry. Now, what's really good about this is when you think file integrity monitoring, it can be quite noisy by nature, is what I like to call it. So, you're going to associate lots and lots of logs coming from file integrity monitoring. But in this section to the right-hand side here, we can see how to actually adjust the logging levels here. So if you want to maybe say, I want to look at file deletions and directory deletions, but permissions aren't important for this particular folder, you can chop and change all these various different permissions.
Which is vital, because you don't want all the white noise, because then it's not actually helping you to pinpoint things in. You need to put your focus to where you need it, and with logging, that's kind of a lot of the places where people go a little bit excessively because they kind of open it up. Like you said, the flood hills, right? And you don't want to really do that, because then you're not pinpointing it in or focusing in on your actual needs.
Exactly. You want something actionable and intelligent when it comes to File Integrity Monitoring. For the purpose of this demo, I want to just enable everything so we can see exactly what you can pull in, but you can completely customize this. So, now that we have that saved, I'm going to give this a name. I'm just going to call this THWACKcamp, and we're going to save these changes. And from here now we have our Windows Server Monitoring and our THWACKcamp monitor set up. We're going to save this and start the connector, and from there, we can show some examples on how we can actually use this data. So, now that the green button is on, we can see file integrity monitoring is now started. And if I come back to my Log & Event Manager here, I can see the monitor section. So in this monitor section, we can see all our various different logs coming in from all my sources. So as you can see, the events filter is going to show all events. But I have lots and lots of different filters out of the box, and I have some custom file integrity monitoring filters, which I have created here earlier on. So to give you some examples, if I come in here to my THWACKcamp folder, I can then see, say, if someone creates a file. Real simple example. They created a file called Destiny.xls. Straight away, I can see LEM has picked up that file creation, and I can see, there's my file creation. So I can see, this file is created, and thanks to LEM's normalization, which is very important, so rather than looking at raw event logs or syslogs, et cetera, you can see here, we can normalize all of this data. So you can very easily see it was a FileCreate event. I can see the name of the file, the machine it's created on, the IP address, the username that created the file, et cetera. So I'm sure you're all familiar with looking at raw logs and trying to wade through those logs to make sense of them. This normalization is incredibly beneficial in terms of understanding and comprehending those logs.
Well, and it also helps you to pinpoint in to where your area focuses when you're seeing these. So the visualization is key, right? Like, you want to be able to go over here and see visually what is going on and being able to pinpoint into the problem at hand. That helps you with time, and that also helps you to pinpoint if there's any kind of a security event that needs your attention now.
Exactly. So, with the file as well, you can actually call these sensitive files. So if there's one group of files you want to group together, be it every single Excel file or files that contain certain keywords, you can set up those sensitive files, and from there, you can set up your filters. So, out of the box, LEM does include lots of different groups, and as you can see, one of these groups is Sensitive Files. So, in this particular sensitive file list, I have things like my accounting directory, anything that contains the word customers, salaries, very important. I've set up a filter here for THWACKcamp, and also the HR directory. So you can see all these various different folder names or file names can be grouped in to sensitive or critical files that you want to monitor. And from there, we can then have a filter to show sensitive file activity, and I can then see all my various different activity in that THWACKcamp directory or in my salaries directory or my HR directory, et cetera. It's really useful for actually honing in on particular filenames or keywords that you want to hone in on on your file server.
And you can also pause the screen, like if it's coming through and you need to actually focus in on areas and move it through there. And then when you resume it, it's not like it holds it back. I mean, it literally starts you back off where you're going. But I know a lot of times when I talk to you guys and you guys are like, well, things are flooding through, and you didn't want to pause it, because they thought it stopped it from actually gathering. And it doesn't. So I mean, we help you to find what you need when you're needing it. So instead of the noise, those things coming in, you're able to pinpoint in to getting your job done.
Precisely. Equally, what's vital is file permission changes. So I'm sure no one here is going to set file permission to everyone on your files. No one would do that. But in this case, if you come into Properties here, and you set your permissions to everyone. Again, this could be an insider setting incorrect permissions that you want to keep an eye on. We're going to set this to everyone, and we're going to set it to full control, which I know none of you would ever do.
So in here, we have our permission set on that file incorrectly, and then I can, from there, see permission changes, and I can, within milliseconds, see that there was an attribute change on that. And I can see Destiny's .xls file was changed by this username, this IP address, again et cetera. So being able to monitor for file permission changes is hugely beneficial when it comes to file integrity management.
Another use case is host file changes. So I've seen malware out there that actually makes host file entries to divert to bad IP addresses, et cetera, based on a particular site. So in here, if I, say, come in here, and I actually make a change to the host file. I'm going through manually, but there is malware out there that can actually make changes to these host files. So if I come into—remind me of the path again, Destiny? System32 > Drivers...
Et cetera, yep. We'll get there eventually. [Destiny laughs] So, if I come into my host file, Destiny, and I, for example, have an address in here. Let's say you're going to pick an IP address there, any one, and that's going to badsite.com. If that change is made to that host file, it's going to compromise the integrity of that file, and it could be browsing to a malicious site.
Which is a lot of like how ransomware and things can get you on there.
Precisely. And in here, I can see, by the time I've even got to LEM, it's picked up the change. So I can see, again, the host file was changed by this user, and from there, I can investigate further. So that's kind of how you can see your real-time alerts. Sorry, your real-time filters and your events coming in. But what happens if you actually want to alert to this? So realistically, you're not going to be sitting and looking at the console 24/7. As you said earlier, you want to monitor this activity and take an action from there. So LEM includes lots of rules out of the box. If we do a quick search for files, you can see just some of the file integrity monitoring alerts we have out of the box. So, for example, if you have something like, if someone deletes a sensitive file, so you can see the correlation here. So, if I go into the correlation, I can see if someone tries to delete a file, and that's part of the sensitive files that we spoke about earlier on.
The group that you'd…
Exactly. So, it could be salaries file or customers file or HR, et cetera. We're actually going to be very strict, and we're going to disable that domain user account. It shouldn't have tried to delete that file; therefore, we need to investigate, and before they can do any more damage, we can actually disable their domain account from here.
This is that action that I was talking about that's so critical. Because to be alerted to it is one thing, but doing something while you can actually get to the point, that's vital.
Precisely. And you can also add more actions here. So it's not just a case of, you know, disable that account, and that's all we can do. You could also, for example, send an email alert to the administrator to let them know or send an SNMP trap to another third-party system like a ticketing system. There's lots of options when it comes to active response, which we'll go through later on.
So, you also want to see what happened historically. So if you want to look at reports, we'll say, or how many files were deleted yesterday, or is a file missing? What changed, when did it change--the who, what, where, when, for example. So we can very easily come into my sensitive file activity here. This is going to capture all events for my sensitive files, and I can then come to nDepth, which is our historical analysis tool in LEM, and we can then see all changes made to any of my sensitive files for a particular timeframe. So if you want to pinpoint exactly what happened and when, I can see for the last 10 minutes. Equally, if I want to shoot back the last hour, two hours, the last day, week, et cetera, I can customize my timeframe here, and I can, in here, see all of my various different event names that occurred in my sensitive files.
So you can pinpoint into specific events so that you can actually correlate those, kind of like a forensic dive-in on it so that you can actually see specific things that you're wanting to do. In that cloud of, you know, all the flows that are coming through and all the log adjustments, you're able to actually pinpoint it down very quickly. And that's something that I actually like about it a lot too, because if I'm focusing in on areas, then I usually have a set of events or a set of logging that I want to look for, depending upon the security threat of which that I'm dealing with. And to be able to pinpoint it in and to go through those steps and actually figure out when things happen, it helps me figure out when it occurred, how long it happened for, and what the mitigation and how we were able to actually resolve this, and I have a timeframe now to show that.
And even to have you dive in much quicker, you can see all the event names here. So you don't have to go through reams and reams of event logs trying to find your various different key events, et cetera. You can come in here and you can see very easily, I've got three file create events, 12 file writes, one file deletes.
And that's that visualization.
And that's vital, because that's your first alert. When you're in here and you can visually see, and all of the sudden, you see a whole bunch of recreates, and this is jumping up into the 200s, and I have seen this happen, and you see it just slowly rolling and gathering the events. You know there's something that's going on, especially if it's on a sensitive group like you were talking about, or something that you're monitoring and you're wanting to keep an eye on. You know that's that anomaly from your baseline.
Speaking of visualization, Destiny, we also have, in this nDepth section, we have things like Word Cloud so you can actually drill into particular filenames or file paths or any unusual keywords that you can see. Then we also include lots of tree maps, spark charts, line graphs, et cetera, to help you with that visualization of your log data.
So on the word chart, so that a lot of people may not know, but I've actually used this before, especially when different malware, especially ransomware, have come out, because it has an actual name or an extension type that it actually uses. You can actually go through there, and if it's not obviously going rampant upon your system, I can look for those words, because it's going to pick it up within the events, and typically see if there's something that's going on before I'm actually in that mode of the actual attack. So it's like, you can see the prevention happening and taking place. So that's something to think about when you're using that.
So speaking of keywords, Destiny, you can type in any keyword you like into this tool. So if you wanted to type in, let's say, as we looked at earlier, THWACKcamp. So if you want to really quickly drill in for a username, a filename, an IP address, even, whatever you like, type your keyword, click play. It'll then return all the results for that particular keyword and highlight them from here.
Again, if you just want to see file deletions, click file deletions, click here, and out of, you know, several thousand event logs, there's your one file deletion you want to focus in on within seconds.
Well, great, and I hope that helps you guys, especially, because we're wanting to help you guys get the most out of the LEM and any SIEM, actually. So I hope that actually helps them to hone in on what they need to focus on.
Exactly. So, Destiny, USB devices often go hand-in-hand when it comes to file monitoring as well.
It's certainly a big threat having users copying files to USB devices, using USB devices unauthorized on particular servers or, you know, bringing devices in from home. There could be ransomware on it or something like that.
And unwillingly to them, right? Like, there's been notable cases where you buy a new USB, and it has malware or something that is actually on it.
Yeah, it might even be intentionally malicious. So Destiny, it's your time to shine. Can you plug this USB device in for me?
I might be able to handle this, guys. Dramatic effect.
So, with a SIEM solution like LEM, we can monitor for actual USB device insertions into machines. As you can see here, as soon as Destiny plugged that device in, I can see, for example, the unique ID of the device. So if you wanted to block that one particular device, that very device with that serial number on it, we can block that one device. If I want to take it a step further, as we said earlier, we can actually set up rules to actually block those USB devices. So if you can just take that out again for a second, we should see it here. So we can see, there's my detachment. But where the real power of this USB monitoring comes into play is the correlation rules. So we have, for example, one here for Detach Unauthorized USB Device. So you could set up, maybe, a group, much like your sensitive files earlier, of authorized USB users, authorized USB devices or servers, et cetera. So in this case, we have a list of authorized USB devices. We have that unique ID of every device that we know is safe to use in our environment, and if one of those devices is inserted, that's okay. If it's not part of my authorized USB devices, we want to detach that immediately. Some of the actions we're going to take, the very powerful one we mentioned earlier, is actually block that USB device, detach it immediately. You know, you can't run autorun. You can't copy files. You can't install anything from that device. The device is blocked.
We're also going to send a popup message to the user to let them know that said device was locked. So if I enable this rule here and then just click ‘Save.’ Now, so this time, if you attach that again for me.
Attached, and as if by magic...
Destiny, you are not allowed to use the USB device.
So, we laugh about this, me and Jamie have, about the, Destiny, you're not allowed, but this is actually vital. Because a lot of you have specific messages that you have to say by your actual security team, so we allow you to customize that out so that it's an actual warning or a critical alert to the person that's actually using it. So, that's a great feature.
So it's very easy, again, to do that. You can come into your rule here, and you can customize any text. So obviously, this is only a bit of fun here for our pop-up message, but you can put any text you want in there. So, if you have a requirement, as you said, to include certain terms in that message to the user, you can pop it in there.
So, from what you're showing here, which is fantastic, I'm curious, though. I do a lot with databases and things on that side. So would I be able to actually prevent my database servers from even allowing a USB?
Absolutely. Any server you like, yeah. So you could actually have a group of database servers. So you could say, for all my SQL servers, never allow USB device attachment, regardless if it's an administrator or regardless of the serial number of that device.
Okay, now that's pretty awesome for me, because I know a lot of the times when you're securing your data, especially if you have a lot of data to secure, you want to make sure that you're actually following a lot of security protocols, and that's just an extra check box on that just to make sure it backs up my actual security plan.
Exactly. So, one of the other areas of concerns would be actually copying data onto those USB devices. So given that the amount of information a USB device can hold nowadays is phenomenal. So, you know, users can copy so many files onto those devices within seconds. You want to be alerted to that if users have copied excessive files or one sensitive file, that's going to be a cause of concern. So would you just pop that device in and out for me again? Sorry now. And this time, we're going to copy a file over to the USB stick and show that copy directly from there.
Okay, and you want me to put it back?
Yes, please. No pressure, Destiny. Okay, so it's back in. So if we were to now copy— Looks like we'll go back to my THWACKcamp, this incredibly sensitive file, and I'm going to copy this onto my USB stick. And as you can see, before we even reach back to LEM again, I can see this USB file was created on this device. And again, you can create your rules to say if any Excel file is copied, if this one file is copied, and from there, say you don't have a correlation rule set up, you've actually allowed a USB device to be attached. You can actually come in here, and you can say, "Detach that USB device from here." So even without a correlation rule enabled, you can take action as soon as you see that event.
Which, that's great, especially if there is an actual attack or if there's something that's misleading or something that's not right on your network. You can detach it from there and then investigate the issue, beforehand and after. So it allows you that interaction of which you need. Now, for any SIEM that you have, what we like to say is, you want to be able to back up those maturity plans. Any kind of a security protocol, a compliance. What we want to try to convey here, though, is that with whatever you're using, you need to be able to match with your security plan and have that actual, that 500-pound gorilla, as we say. You've got to be able to back up your plan. Because it's one thing to say it, but it's another thing to actually do something about it and have the proof that you can showcase it.
If it's not documented, it's not done.
And, you know, much like the file integrity monitoring, if you want to come back here, back to your point of investigation, you can see all USB activity that has taken place. So if you need to put the pieces of the puzzle back together again and see what USB file was copied by who, when, on which machine, et cetera, you can use this again. And you can see all your various different activities there based on the username, filename, et cetera.
And that's like that mean time to detection, and that's something that a lot of the security experts and a lot of people out there are focusing in on, is, how long did this go unknown?
And that's what we're trying to actually work on to actually prevent the timeframes from getting so crazy. Because a lot of things have been there for like months, years, and they're lying there. So when you're able to go back and actually pinpoint in or be able to, you know, proactively investigate issues that just don't seem right, you have that mean time to detection that's shortened, which is critical in any kind of a security.
And another area when it comes to USB devices is nowadays, users on their laptops. They're taking laptops home or out of the office, attaching USB devices, and companies don't have visibility into that offline activity when it comes to USB devices. What you can do with the USB Defender with LEM is have a local policy. So you can restrict USB device usage locally on those machines, based on, again, device ID or username. So if users take their laptops out of the office and are plugging in devices and copying files, we can actually block that activity locally on those devices as well.
Which is fantastic, because that's a lot of the stuff that I talk about with user education, especially with you guys on THWACK, is that it starts at the business. But you have to also include the home, because people are very variable, and they're going back and forth between these places. You can protect them as much as you want with a business plan and a security-maturity analysis plan, but when they leave, they're outside of your threshold. So to be able to do something, even when they take home their laptop, is vital to help them to actually secure themselves and prevent them from making a mistake by being at home.
Yeah, and then once they come back into the office again, connect up to the SIEM solution, all that log data will be sent to the SIEM, so you can see what they actually did while they were out of the office.
Which is great.
So, Destiny, when it comes to a mature analysis of your security, one huge area to monitor your event logs from is Active Directory.
So Active Directory provides centralized management and administration of user accounts, groups, computers, et cetera. When it comes to developing a mature security analysis, the amount of information you can get from Active Directory for things like authentication, group changes, user changes, group policy, the list is endless when it comes to event log monitoring.
Pretty much, because it's kind of the framework, right? So, yeah.
Exactly. So, much like the file integrity monitoring, to get the event logs from your domain controller, it's simply a matter of installing the agent on your domain controller. From there, we're going to pull in the Windows application, system, and security logs, so within minutes of installing the agent, you can see all your log data from your Active Directory service.
So, again, some of the filters, local change management, user account changes, group changes, et cetera. So, if I bring up my Active Directory server here, and if I come into Active Directory. So, one of the things that often confuses users a bit is they've installed the agent on their machine. They're looking at LEM. There's no logs coming in from Active Directory. They're not seeing logons. They're not seeing group changes, user account changes, et cetera. The reason for that is typically down to the domain audit policy. So with any SIEM solution, you're going to have to adjust your domain audit policy on your Active Directory server. So, in the audit policy settings here, you can see what you're going to audit for. So maybe you don't want to look at successful logon events, although we recommend you would. You can come in here, and you can say, I don't want to look for successful logons. I only care about login failures. Or, if I want to look at, say, directory service access or account management, you only want to look at successful audit management or account management. So, very easy to get up and running when it comes to actually adjusting these policies.
And if anybody has our universal device tracker, they will understand what this is as well. But sometimes, you just don't know where to make the connection at.
Exactly. So, when it comes to Active Directory, you know, a few things you might want to monitor for, the first is new user accounts. So if a new employee starts the company, and you want to see their new user account, you're going to have to have the documentation there to show that that was created successfully, that the correct permissions were assigned through a signoff to create that account. So with that, it's going to be important to actually monitor for your new user account creations. So, when it comes to new users, if I want to create a new user, I can come into new user. We'll call them John Adams. And then we're going to give him ‘jadams.’ We're going to give him a password, and then we're going to create that user. So if, for example, that user was created maliciously, that that user shouldn't have been there or there wasn't the correct documentation to back up the creation of that user, that's going to be a cause for concern. So, in here, you can see straightaway, if I come into my user account changes, I can see this guy here was enabled. So there's my new user account.
And so you can actually have an alert set up on this. You have your sensitive servers and things of that nature, so that it would automatically do this for you.
Yep. But you can take it a step further where, you know, the jadams account; he's just a regular user. It's just something to kind of keep an eye on, but it's not a critical event. But what happens if I add him to the domain admins group? That's going to be definitely a potential problem. So, if I come into my John Adams again and I'm going to add him to the domain admins group. Click Apply. And now he's got a huge amount of access to the network. He's part of the domain admins group. You're going to want to ensure that that is okay to do, or, you know, if not, why was he added? Who added him? We need to get that fixed right away. So, if I come into my group changes, I can see straightaway he was added to my domain admins group.
So, just seeing this like this, I'm having a little idea here to back up any kind of a security policy is that A, you have that documentation that things went awry, that wasn't there. And then B, you're also backing up the actual Active Directory, the changes that have been made. So when you have change requests, and like you were saying, the documentation to actually create a user and to do things, you can actually see this and have a report. Something that's also an additional documentation of when things have actually made the change and were successfully implemented.
Yeah, and back to the visualization we spoke about earlier, you can see a big flashing red filter to say, we have an escalated privilege user event. Flashing red, come in here, see straightaway, this guy was added to domain admins and I can also see who added him. So, it was actually me that added that user. So if there was maybe a user that tried to add another user for some reason, we can investigate that from there. So, we'll jump back to group changes later, but we can also look at authentication. So, it's a really valuable source to see who's logging on where, when they're logging on, to which machines, are there logon failures? Maybe people are trying to guess passwords, or there's a password tool out there that's trying to guess passwords. So, certainly a huge source of information as well is your authentication events from Active Directory.
Well, especially if you do any kind of methodologies with security, a lot of the actual evaluation modes and things of it is you have track, right? So we sometimes let them play, but we're tracking what they're doing. And so to be able to do that authentication and where are they going, and you can kind of see what they're trying to attain.
Mmhmm. So, you can also validate that your lockout policies are working correctly and your clipping levels are set correctly. So, you can see all your failed logons here. So I can see, for example, if this user logged on here from this machine, et cetera. It was a failure, and I can also actually see the reason for failure. So it could have been that the password is wrong. So in this case, it's very specific. I can see the username is correct, but the password is wrong. Maybe this account was already disabled, or maybe the account doesn't have log-on privileges to that machine, et cetera. So that reason for failure can be very useful in terms of pinpointing why the logon was a failure.
And that's great for people troubleshooting, as well. So when we always say we want you to have some type of a SIEM that's actually in place, because you don't know what's happening on your network, or your environment itself, unless you're actually paying attention to the logs and the events that are happening. So, by using these tools, you're not only setting up a security or an actual back-up plan to a security model. You're also helping yourself troubleshoot and pinpoint, visually, errors that are happening that can help an AD guy or any of your Exchange, especially, too, to pinpoint the problem and fix it quickly. Because it's helping you to actually identify where the problem is so that you can provide the solution.
Mmhmm. And then, from your log-on failures, you can also validate that accounts are being locked out successfully. So I can see, this poor guy, billybob, is locked out. And I can go back to my log-on failures and correlate the lockouts to the log-on failures to see why he was locked out, if his account is enabled again, et cetera. You can see all that data here as well.
So, speaking about account enablement as well, it's not beyond the realms of possibility that people are enabling accounts either accidentally or maliciously. So someone could have left the company. So far that I've seen, a lot of users actually build groups in AD. So we can integrate this with AD and put it in our groups. So, you could see a group of users that have left the company, and then you can then have a rule or a filter to show you people that have left the company, but their account has been re-enabled. That's going to be a major red flag. So let's just say if I come into AD again, and I can see that—and I'm going to disable this guy for a second, so we'll disable him. So let's say he's left the company. He's in my group. Just say he's left the company. I'm then going to enable that account again. And now if he's in that group, I can see that account enabled event. So, again, you get your correlation rule, you get your email alert to let you know that user was enabled. And again, go investigate from there why was that user enabled when he's left the company. That's going to raise a major red flag.
So, the way that I'm seeing this, would you be able to actually create a rule that would not allow them or to maybe disable their account if they had left?
Yes, you can add your left users group into your correlation rule, and we have an action out of the box that allows you to automatically disable that account.
So if it's enabled for like a split second, the active response will kick in and automatically disable that account again. So, one thing as well about— I've seen people being concerned about with Active Directory is when people clear event logs. So, again, it could be an outsider or an admin that decides they want to do something malicious, and they're going to try and be really clever and actually clear the event logs, either before or after the malicious actions have taken place.
I'm sure you guys understand where we're going with this, but just in case security's not your realm here, a lot of people will delete the events before they do something malicious, and they're doing this for two reasons. One is because they want to see if you have a SIEM tool that's available, that's going to be alerted upon the actions that they're doing. And two is because they're setting a precedent for what they're about to do. And what you'll see is you'll have an event log that's cleared, you'll have a gap in time when it's collecting, and you'll see it cleared again. Because they're clearing it beforehand to test you, they're allowing it to run their actions, and then they're clearing their actions from the next time. But if you're already alerting to the first time, you're already a step ahead on there.
Yes, Destiny, we can certainly monitor for that and create correlation rules around that to disable users and log them off as soon as an event log is cleared.
So, Destiny, as part of the checklist at the very beginning, we mentioned threat intelligence. We couldn't speak about a SIEM solution without threat feed intelligence.
So, with LEM, we can monitor, say, things like firewall logs to see traffic coming in and leaving your network and correlating that against some blacklist on the internet.
So, we use, in our case, it was Log & Event Manager. We use emergingthreats.net, and this is the exact text file that we reference with LEM for our bad known IP addresses.
Which also gets updated daily.
Absolutely, yeah. So you can see things like IP addresses known for spam, malware, denial of service, et cetera.
And we see a lot of different blacklists out there. They're all incorporated in here. So, to enable this in Log & Event Manager, it's literally as simple as going to appliances and settings and simply enable threat intelligence.
So from there, we're going to look at all the event logs, see the IP addresses, and alert you if we see a malicious IP address. So we have a filter here for all threat events. So, as you can see, there are quite a few. So I can see some TCP traffic, and I can see it's an inbound TCP connection, and it was denied. It's on my Cisco device, and I can also see Exchange activity, and IsThreat is equal to true, which means that that bad known IP address, the source machine here, is appearing on the blacklist, and that's going to be a cause of concern, isn't it?
Well, that's fantastic. And that also helps you to be self-aware of what's going on and what the traffic is and something that I have faced, too, is that a lot of the firewalls, sometimes you're in the trillions of events that can actually happen on firewall logs. So, to be able to actually hone in and do something is fantastic.
Exactly. With that sheer volume of logs the firewalls generate, having an actionable and intelligent alert out of the box lets you know there is a bad IP address. So, in our correlation rules, then, we have ones, both inbound and outbound. If there's an authentication attempt from the outside from a potential threat to a device in your network, we're going to alert on that. And also, if there's a server communicating from your network outside to a bad known IP address, we're going to alert on that also.
Which is how ransomware goes, right? So it makes the callout to actually get, to let it know, hey, I'm available. Send me the information to encrypt everything or change, and then it comes back through. So you're preventing it from going out, essentially.
Mmhmm. So, you can see if there's an authentication event and it's true, so the threat is equal to true, which means that that IP address appears. Again, we can go back to our active response and not only identify the threat like we mentioned at the very beginning, but also take our active response as well. Be it shutting down that machine, blocking the IP address on our firewall, or logging the user out, et cetera. There's lots of different actions we can take.
So that leaves us with our threat intelligence.
Jamie, thank you so much for your time today, and the step-by-step, out of the box of how to get your LEM in gear. I think it's awesome to share these steps with our viewers.
Thanks for the opportunity to join you for this THWACKcamp session, Destiny. Hopefully, you will start your security models more quickly with LEM.
Well, that's all for this session. Please feel free to ask questions in chat, and just remember, there are plenty of ways to create a security maturity model, and the key is to start now and to show steady progress. Don't wait for the big bang and for the security to hit you all at once. Keep pushing forward. Security isn't just an IT issue. It's a business issue, and security should be a focus for business from the top down. And I'm Destiny Bertucci.
I'm Jamie Hynds, and thank you for watching.