ThetaPoint Blog

The Grass Isn’t Always Greener

It is amazing the number of times I hear of organizations switching from one SIEM platform to another, only to have the exact same problems that caused them to switch in the first place. I am here to tell you that the grass is not always greener on the other side. Some of you might be familiar with the 1993 Harold Ramis film “Groundhog Day”, starring Bill Murray and Andie MacDowell. For those that are not, here is the general theme: a weatherman gets stuck in Punxsutawney, Pennsylvania and relives the same day over and over, only to realize…

Sessionize Heterogeneous Event Types With This One Weird Trick

Context makes all of the difference for alert disposition and adjudication. Having all related events readily available shortens the decision cycle and eases the cognitive load associated with finding sufficient evidence to inform judgement. I have already discussed how important it is to front-load event processing inside the utility stack, but have not shown how you can connect those two goals to make it possible.

How I Learned to Stop Worrying and Love the community_id

Analysts typically rely on comparisons of equality (or approximate equality) for stitching more than one record together to form context around an…

SRA Example: Any Stack, Any Network, Anybody

In this blog I will share a sample implementation of the technology stack described in the ThetaPoint Security Reference Architecture for Security Operations Centers. I will walk through some basics of network and endpoint instrumentation, event transport, analytics, and workflow. This example is designed to be easy to follow, but if you have something more specific that you want to delve into, feel free to book time on my calendar, and we’ll explore in detail together.

Architectural Overview - Instrumentation

For this implementation, we’ll be using the Elastic Beats for wiring up event collection on…

Leaky Secrets in Git - Instrumentation and Response

How Bad Can it git?

A recent research paper described a rigorous empirical study on the rate at which secrets (cryptographic keys, API credentials, etc.) are inadvertently leaked through SCM (source code management) tools to GitHub. The numbers they found were alarming. The research team identified hundreds of thousands of secrets in the public GitHub BigQuery dataset using simple search techniques. Additionally, they identified thousands of secrets per day using automated searches against the GitHub API.

How Does this Happen? Mistaken Beliefs and Improper Usage

Developers, operators, and administrators can often misjudge the level of exposure that…

Security Reference Architecture - Process - Analysis Workflow

Your SOC’s analysis workflows mitigate most of the risks from intelligent actors. They also comprise your front-line staff’s most frequently executed work. As we stated in our framework overview, most analyses will not result in actionable findings. However, this underscores the need for high-quality alerts and quickly moving on from non-actionable events. We have split the main analytical workload into two core processes – one that makes sense out of alerts (Triage), and one that creates the logic for generating alerts (Use Case Development). We lift these two processes out of the typical investigation loop to…