The real threat to business comes from cybercriminals who are highly skilled in information technology and familiar with a wide range of hacking techniques. They are the ones able to carry out complex attacks on IT infrastructure. These can be mass attacks (the most notorious examples being the WannaCry and NotPetya outbreaks) or targeted attacks aimed at a specific company or industry.

The problem is that a skilled attacker can bypass any single security measure. Moreover, as our practice shows, companies often learn about a compromise only after the consequences have occurred: information has been stolen, data has been encrypted and a ransom demanded, or attackers who spent several months inside the infrastructure prepared and at some point carried out a large fraudulent transfer. Security measures appear to be in place, yet they do not detect the intrusion.

Every stage of an attack should be recorded as an information security incident. Detecting incidents at the early stages of an attack is the job of a security operations center (SOC). Its tasks include monitoring activity in the IT infrastructure, analyzing events, detecting information security threats and responding to them. A SOC always rests on three components: technology, people and processes. This article focuses on technology.

Imagine that the IT infrastructure is monitored only through reports from security tools, and logs are collected on just some of the servers. The logs and reports are not analyzed continuously, only when a need arises. What if a major attack is already under way inside the company's network? How would you see that a remote connection has been established from a particular host? Or that there is strange activity on the chief accountant's computer under an account that should only run backups? How would you notice that records in the accounting database have been tampered with?

To notice this, you need to collect events from a large number of sources (PCs, servers, databases, business systems, network equipment) or the network traffic itself. The more sources, the better the chances of detecting an attack. However, such a volume of sources and events creates several problems at once:

  1. It is difficult to keep track of every event source separately.
  2. Each source describes events in its own format, and you need to know how to read each one correctly.
  3. Events from different sources may be related, and you need to be able to arrange them in the correct sequence.
  4. Logs are periodically rotated and deleted, so it is difficult to reconstruct events over a long period (for example, a couple of months).

Security information and event management (SIEM) systems help solve these problems; they automate the collection of events and the identification of information security incidents. A SIEM system is a single window onto all events from the sources connected to it, which removes the first problem. Translating events into one language is done in the SIEM by normalization rules. For this, the system must know that it is receiving events from a particular source and be able to split the data into separate fields (this is the event time, this is the user, this is the IP address, and so on). The information security specialist then receives events in a single, understandable format, which is convenient both for manual analysis and for automated matching of events.

To solve the problem of relating events (including events received from different sources), correlation rules are used. What if the attacker knows the approximate structure of the password on the target system and brute-forces it by trying only 10 passwords per day? And what if he brute-forces the password on several systems at once, knowing that they share the same user accounts? With correctly configured event correlation, the SIEM system will notice such activity, which a per-day threshold on a single system would miss. Correlation rules can, in particular, be built around the tactics and techniques of MITRE ATT&CK.
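The normalization step from the previous paragraph and the two correlation cases just described, as an added example that is not code from the original article or from any SIEM product. It takes a handful of constructed log lines in two formats (a Windows Security 4625-style record and a Linux sshd message), maps them into one schema, and then runs two rules over the result: a low-and-slow brute force against one account across several hosts, and one source trying many accounts. The host names, user names, IP addresses and the thresholds (5 failures in 7 days, 3 accounts in 7 days) are all assumptions made for the example:

```python
"""Added example, not code from the original article: a minimal SIEM-style
pipeline. Two raw log formats ("languages") are normalized into one schema,
then two correlation rules run over the normalized events. All log lines,
host names, user names, IP addresses and thresholds are constructed for the
example and are not taken from the article."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: a Windows Security 4624/4625-style record and a
# Linux sshd message. Both describe the same event type (a logon attempt)
# in different formats. Two lines are deliberately of other event types so
# that the normalizer is seen to drop what it cannot map rather than guess.
RAW_EVENTS = [
    ("win",  "2024-03-01T02:10:00 EventID=4625 TargetUserName=ivanov IpAddress=10.0.5.7 Computer=DC01"),
    ("win",  "2024-03-01T02:11:00 EventID=4625 TargetUserName=ivanov IpAddress=10.0.5.7 Computer=DC01"),
    ("sshd", "2024-03-02T02:15:00 srv-db sshd[1201]: Failed password for ivanov from 10.0.5.7 port 40122 ssh2"),
    ("sshd", "2024-03-02T02:16:00 srv-db sshd[1203]: Failed password for ivanov from 10.0.5.7 port 40130 ssh2"),
    ("win",  "2024-03-03T02:12:00 EventID=4625 TargetUserName=ivanov IpAddress=10.0.5.7 Computer=FS01"),
    ("win",  "2024-03-03T02:13:00 EventID=4625 TargetUserName=ivanov IpAddress=10.0.5.7 Computer=FS01"),
    ("win",  "2024-03-03T02:20:00 EventID=4625 TargetUserName=petrov IpAddress=10.0.5.7 Computer=FS01"),
    ("sshd", "2024-03-03T02:21:00 srv-db sshd[1300]: Failed password for invalid user sidorov from 10.0.5.7 port 40200 ssh2"),
    ("sshd", "2024-03-03T09:00:00 srv-db sshd[1400]: Failed password for backup from 10.0.9.9 port 40300 ssh2"),
    ("sshd", "2024-03-03T09:00:05 srv-db sshd[1400]: Accepted password for backup from 10.0.9.9 port 40300 ssh2"),
    ("win",  "2024-03-03T09:05:00 EventID=4648 TargetUserName=backup IpAddress=10.0.9.9 Computer=FS01"),
    ("sshd", "2024-03-03T09:10:00 srv-db sshd[1400]: pam_unix(sshd:session): session opened for user backup"),
]

# Normalization rules: one parser per source format, both filling the same fields.
WIN_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>4624|4625) TargetUserName=(?P<user>\S+) "
                    r"IpAddress=(?P<src>\S+) Computer=(?P<host>\S+)$")
SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
                    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def normalize(source, line):
    """Translate one raw line into the common schema, or None if it cannot be mapped."""
    if source == "win":
        m = WIN_RE.match(line)
        if not m:
            return None
        outcome = "failure" if m["eid"] == "4625" else "success"
    elif source == "sshd":
        m = SSH_RE.match(line)
        if not m:
            return None
        outcome = "failure" if m["result"] == "Failed" else "success"
    else:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"].lower(),
            "src_ip": m["src"], "host": m["host"], "outcome": outcome, "source": source}


def max_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    ts = sorted(timestamps)
    best, j = 0, 0
    for i in range(len(ts)):
        j = max(j, i)
        while j < len(ts) and ts[j] - ts[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def rule_slow_bruteforce(events, window_days=7, threshold=5):
    """Many failures for one account, across any hosts and sources, inside the window.

    Two attempts per day never trip a per-day threshold; a week-long window does."""
    by_user = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        n = max_in_window([e["ts"] for e in evs], timedelta(days=window_days))
        if n >= threshold:
            alerts.append({"rule": "slow_bruteforce", "user": user, "failures": n,
                           "hosts": sorted({e["host"] for e in evs}),
                           "src_ips": sorted({e["src_ip"] for e in evs})})
    return alerts


def rule_password_spray(events, window_days=7, threshold=3):
    """One source failing against many distinct accounts inside the window."""
    window = timedelta(days=window_days)
    by_src = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            by_src[e["src_ip"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= threshold:
                alerts.append({"rule": "password_spray", "src_ip": src, "users": sorted(users)})
                break
    return alerts


def run(raw=RAW_EVENTS):
    """Normalize everything, then apply both correlation rules."""
    events = [e for e in (normalize(src, line) for src, line in raw) if e is not None]
    return events, rule_slow_bruteforce(events) + rule_password_spray(events)


if __name__ == "__main__":
    events, alerts = run()
    print(f"{len(RAW_EVENTS)} raw lines -> {len(events)} normalized events")
    for a in alerts:
        print(a)
```

On this input the slow brute-force rule fires for the account ivanov with six failures spread over DC01, FS01 and srv-db, and the spray rule fires for the source 10.0.5.7 against three accounts, while the single failed and then successful backup logon from another address stays quiet. Running the same brute-force rule with a one-day window returns nothing, which is the point: the window length is part of the rule, and a rule that only counts failures per host per day is blind to this pattern.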

The SIEM system also serves as the historical record of what is happening in the IT infrastructure, which makes investigating incidents much easier. In addition, newly published indicators of compromise (IOCs) can be checked against the stored data, and retrospective analysis carried out. Any pattern that can identify malicious activity can serve as an indicator: a message subject, an attachment, a sender's name, a file hash, a connection to an external IP address, a change to the registry. The more precisely the pattern is described, the more accurate the results of the check.

User and entity behavior analytics (UEBA) is also often applied to the data collected by SIEM systems. This analysis looks for deviations from statistical baselines built up over a long period. For example, if an employee logs in at 1 am for the first time in six months, this could indicate a potential incident.
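A UEBA-style check of the kind just described, as an added example that is neither code from the original article nor from any UEBA product. It generates a constructed six-month logon history for two accounts (an accountant who works office hours from her own PC and a backup service account that runs every night on the backup server), builds a per-user baseline of logon hours and hosts from it, and then scores new logons against that baseline. Every user, host and timestamp is an assumption made for the example, and the 1% rarity cutoff is illustrative:

```python
"""Added example, not code from the original article: a UEBA-style check that
builds a per-user baseline from a long logon history and flags new logons
that deviate from it. The history is generated here with a fixed seed, and
every user, host and timestamp is constructed for the example."""
import random
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BASELINE_DAYS = 180          # "six months" of history
RARE_SHARE = 0.01            # below 1% of a user's logons counts as a deviation


def build_history(seed=7):
    """Constructed six-month logon history for two accounts (not real data).

    'accountant' logs on 1-3 times per weekday between 08:00 and 18:00 from
    her own PC; 'svc_backup' logs on every night at 23:00 on the backup server.
    """
    rng = random.Random(seed)
    start = datetime(2023, 9, 1)
    history = []
    for day in range(BASELINE_DAYS):
        d = start + timedelta(days=day)
        history.append({"user": "svc_backup", "ts": d.replace(hour=23, minute=0), "host": "BKP01"})
        if d.weekday() >= 5:
            continue
        for _ in range(rng.randint(1, 3)):
            history.append({"user": "accountant",
                            "ts": d.replace(hour=rng.randint(8, 18), minute=rng.randint(0, 59)),
                            "host": "ACC-PC01"})
    return history


def build_profiles(history):
    """Per-user baseline: how often each hour of day and each host was seen."""
    profiles = defaultdict(lambda: {"hours": Counter(), "hosts": Counter(), "n": 0})
    for e in history:
        p = profiles[e["user"]]
        p["hours"][e["ts"].hour] += 1
        p["hosts"][e["host"]] += 1
        p["n"] += 1
    return profiles


def score_event(event, profiles, rare=RARE_SHARE):
    """Return the reasons `event` deviates from its user's baseline ([] = normal)."""
    p = profiles.get(event["user"])
    if p is None:
        return ["account never seen during the baseline period"]
    reasons = []
    hour_share = p["hours"][event["ts"].hour] / p["n"]
    if hour_share < rare:
        reasons.append(f"logon at {event['ts'].hour:02d}:00 seen in {hour_share:.1%} of baseline logons")
    host_share = p["hosts"][event["host"]] / p["n"]
    if host_share < rare:
        reasons.append(f"logon from {event['host']} seen in {host_share:.1%} of baseline logons")
    return reasons


# Constructed new events to score against the baseline.
NEW_EVENTS = [
    {"user": "accountant", "ts": datetime(2024, 3, 1, 10, 15), "host": "ACC-PC01"},  # normal working-hours logon
    {"user": "accountant", "ts": datetime(2024, 3, 2, 1, 5),   "host": "ACC-PC01"},  # 1 am, first time in six months
    {"user": "svc_backup", "ts": datetime(2024, 3, 2, 23, 0),  "host": "BKP01"},     # the usual nightly job
    {"user": "svc_backup", "ts": datetime(2024, 3, 2, 14, 30), "host": "ACC-PC01"},  # backup account on the accountant's PC
    {"user": "tmp_admin",  "ts": datetime(2024, 3, 2, 14, 31), "host": "ACC-PC01"},  # account with no baseline at all
]


def detect(events=NEW_EVENTS, history=None):
    """Score each event; returns (user, reasons) pairs in input order."""
    profiles = build_profiles(build_history() if history is None else history)
    return [(e["user"], score_event(e, profiles)) for e in events]


if __name__ == "__main__":
    for user, reasons in detect():
        print(user, "OK" if not reasons else "; ".join(reasons))
```

The 1 am logon is flagged on the time dimension alone, while the backup account appearing on the accountant's PC in the afternoon is flagged on both hour and host, which is exactly the "account that should only run backups" case from the opening of the article. Two caveats a practitioner should keep in mind: the baseline is only as clean as the history it is built from (if the attacker was already inside during those six months, his activity is part of "normal"), and a rarity cutoff like 1% has to be tuned per account type, since service accounts with a single rigid schedule tolerate a much stricter threshold than interactive users.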

As event sources, a SIEM system usually uses the standard logs of other systems: operating systems, network equipment, antivirus tools, firewalls, Active Directory, DNS and DHCP servers. How much detail the SOC can extract from the events depends on the logging level configured on the source system (for example, whether process creation with command-line arguments is audited at all).

To detect events on endpoints, both user workstations and servers, an endpoint detection and response (EDR) class tool can also be used. It not only has its own logging mechanisms but also analyzes in detail what is happening at the operating system level (process execution, file and registry changes, network connections). In particular, an EDR system can act as an event source for a SIEM system.

Network traffic in the IT infrastructure can be an important source of events for detecting incidents. Network traffic analysis (NTA) class tools automate the collection and analysis of events within traffic. An NTA system can be either a standalone tool with its own normalization and correlation engines or a source of incident data for a SIEM system. The key difference from classic intrusion detection systems (IDS) is that an NTA system works with the whole volume of traffic over time, which allows it to reveal the entire attack chain rather than fire on a single signature. An NTA system also keeps a copy of the traffic for later analysis (full packet capture or, where storage does not allow that, session metadata): new IOCs can be checked against this stored copy, and the stored traffic supports a detailed investigation of a cyber incident that has occurred. NTA can also help identify unknown threats through behavioral analysis of traffic.

The research company Gartner positions the SIEM + NTA + EDR bundle (often referred to as the SOC visibility triad) as the set of technical tools needed to organize the most complete monitoring of the IT infrastructure and identify information security incidents.

To detect unknown threats, behavioral analysis can also be applied to any software that enters the IT infrastructure, whether from a removable drive, from the Internet or from the internal network. Sandbox class tools are used for this analysis. A sandbox executes the object inside a specially prepared environment, observes its behavior and issues a verdict on how dangerous it is (bearing in mind that some malware detects analysis environments and stays dormant in them). It is recommended to check all files carried in network traffic, which is possible if the file stream extracted by the NTA is directed to the sandbox. The resulting verdicts and file indicators can then be used in both the NTA and SIEM systems.

The following problem often arises: when building an information security incident management process, it turns out that there is not enough information about the elements of the IT infrastructure and their vulnerabilities. Asset management (AM) and vulnerability management (VM) class tools address this. These can be, for example, vulnerability scanners which, through active network scanning, help compile an inventory of assets in the IT infrastructure and record their vulnerabilities. This allows you to correctly assess emerging threats and incidents: an exploitation attempt visible in the SIEM system can be checked against the inventory to see whether it is actually dangerous for that particular target (for example, whether the attacked host runs the vulnerable version at all).

The main technical system of a SOC is the SIEM, but its effectiveness depends directly on the data it receives from its sources. NTA, EDR, sandbox, AM and VM systems can serve as sources that enrich the SIEM, provided they are compatible with it.

In the next article we will look at SOC staff and their main tasks, the stages of building a SOC and its operating processes.