Good security happens when you have detailed events; context is king as its often said. But when you can’t connect the dots, it makes a security analyst very busy trying to sort out fact from fiction. In many ways, this is similar to a news agency or newspaper reporter putting together a news story. When reporting a news story, it's as important to get the “scoop” and report it fast as it is to make sure you have your facts straight.
Why is this important you ask? In this era of claimed "fake news"—it’s all the rage after all—the television, newspapers and the Web are full of inaccurate reports. While it's easy to start a debate on this topic, it’s a disservice to write off the accuracy of a news report on the writers or stations perspective alone. It's way too easy to fall down the slippery slope of what is or is not fake news—after all, the line between good journalism and misinformation has certainly burred. In truth what makes a news story correct has always come down to one simple thing: it's facts!
But how do you know if the facts are truly the facts? How is it that you establish them? In the news world, this comes down to corroboration of your sources and specifically having multiple sources to support a news story all saying the same thing or have enough connectivity to support the story.
Just the Facts
When you have multiple sources that can confirm the facts, then you have a news story that is worth reporting on. When you can’t do this, it makes little sense to claim what is believed to be true to be factual. It doesn’t mean the story can’t be true; the facts at hand don’t get you there, which means you keep digging. This process is similar to how a security operations team functions, gathering the facts to establish and support what is the news story (ie something bad is happening). But how does a good security team do this in their line of work? Through correlation of events.
In a nutshell, correlation is about finding the common thread to a series of events—which by themselves may seem benign, but together form a pattern for how an adversary is infiltrating yours or your customer environment. There are several techniques and tools that a SOC might leverage to accomplish this from processing event logs via a SIEM with rules that look for certain event patterns, to leveraging threat intelligence that describe different indicators of compromise (IoC’s) to look for similar patterns within their end customers, to leveraging artificial intelligence and anomaly detection to identify weird things that often when linked with other events reported help to identify attack paths.
Regardless of the technique, each has their pluses and minuses which we will cover at a later date. The most important thing that needs to happen is that you leverage multiple sources for events to establish that a security incident has occurred or is occurring.
Isn't EDR Enough?
If everything ran on your endpoints then Endpoint Detection and Response (EDR) would provide many benefits and a good solution for you. But the world doesn’t run that way. Sure a good EDR solution will provide a robust approach to ensure that an endpoint is secured. But attacks many times originate from an attack vector that the EDR solution can’t see or defend.
That’s because we use many other systems at work and in our personal lives from email to SaaS based services (which nowadays includes email, think Office 365) as well as private and hybrid based services running within your company on application servers as well as file servers and data servers providing access to your company data. Then you have devices and networks that connect you to these systems as well as your endpoint solution to the internet.
In the end, you should take away that there is a world outside the fleet of endpoints running at any business. So again why isn’t EDR based security enough you might ask since you’re typically using an endpoint system to use all the other systems?
In the most simplistic explanation for why, it's because it comes down to how you define enough. If enough is just what is running on the endpoint, then it is enough. However, in many cases, this approach really turns that wonderful EDR solution into the security of last resort or last line of defense before bad things happen.
This is because in the most basic case such as stopping ransomware, that ransomware got on to the endpoint somehow, going through all that aforementioned infrastructure. This could have happened via an email that tricked you into opening a word doc, or clicking a link that opened a browser based attack. Or, it could have been through another system on the network when it was off the corporate network (say, at your home) and when it entered the corp network it started to jump to other machines.
There are many, many ways for bad things to get on to an endpoint. Being able to carry out it's malicious intents is what EDR solutions help to mitigate. What if there was a way to detect all the other steps in the process of getting to that endpoint?
Adding More Point Solutions
Well along with EDR, what if a company deployed better network security such as a next gen firewall, or network-based intrusion detection, or a SIEM with event logging or DNS protection or email protection services, or even O365 monitoring or Active Directory / Windows Domain monitoring?
Those toolsets can certainly add color on the attack earlier in the process by, say, detecting a download request looking for a domain in Russia or China, or by someone accessing a Windows account or O365 account from a geographically impossible location or say rapid network request access to a fileserver to name a few activities.
While all of these actions could be categorized as at minimum anomalous, they are also likely suspicious. But how do you know they have anything to do with the endpoint mentioned previously or each other? You won’t. Now that doesn’t make them bad or not useful, just like the EDR solution wasn’t for not seeing any of these other activities. But this gets to the point of why fact checking is important and how it applies to detecting and preventing cybercriminals from carrying out attacks.
Correlating to Identify Attacks Sooner
These point solutions by themselves are good tools. To bring this back to the news story analogy, what makes these point products great is when you pull all of the anomalous or suspicious events together and correlate (corroborate) the events (the facts) to arrive at what weird things are just well, weird, and innocent (potentially fake news) vs. actual security incidents that require immediate response (the breaking news).
Being able to pull all of these event sources together enables an MSP to rapidly determine what needs attention in a proactive way. There isn’t time in the day for even a smaller MSP with just a few customers to be reviewing all the point solutions to determine if there is an issue. This is because there is not just one hacker in the world or one nation-state sponsoring these hackers. There are thousands of individuals involved in cybercrime globally. The only way to operate and to enable an MSP to scale is to have a sophisticated solution that can bring all these security tools together and correlate to find the common thread.
While this approach of identifying actionable facts based on multiple source validation using rules and correlation techniques is helpful for the surface level, at high scale, the velocity of events requires a way to identify the things that standout from the background noise and find the attacks that are less known. In a future blog, we will get into this and discuss why false positives prevent MSPs from achieving scale.
If you'd like to learn more about finding the security solution that is ideal for your customers and the modern threat landscape, watch our on-demand webinar, Over 300 and counting: MSPs need to secure their own house fast!
By Lily Teplow
By Lily Teplow
By Scott Wittstock