Your SIEM isn’t the Problem, but Your Model is (part 2)

The Model is your Tutor for your Analysts and your MSSP

The same set of facts and labels should be readily available regardless of who or what is doing analysis.  When a common Model applies across the infrastructure, every investigation into an alert also presents the correct contextual data to the investigator, regardless of how familiar they are with the tooling or business itself. You no longer need to go digging around just to find out what is important about an asset. This consistency and immediacy make it easier to internalize the normal quirks and behaviors that help adjudication. When your infrastructure is easy to learn, junior analysts and MSSPs have a clear path to making sound judgements.

Making your Model part of the culture also facilitates collaboration during Incident Response. Even when working in different organizations, personnel start out speaking the same language and understanding the same context and risk to the business.

Our Approach to Effective Modeling – Automate, Synthesize, Validate, Propagate

ThetaPoint’s SIEM Value Realization Service prescribes a blended approach of technical and interview-driven data gathering to establish a framework for business-level concepts. We then layer automated collection with business rules that can derive the model from automatically collected data. We layer business processes and other perspectives to validate model accuracy and collection scope. This rules-driven approach lets you push business-level information down to assets and events and derive higher-level relations from low-level facts.

Additionally, we build on the Baseline Infrastructure by treating model data as an event stream. This lets you reuse the Utility and Workflow stacks to automate Model synthesis. That may sound like a lot is going on, but let's take a look at an example event stream that starts with sequences of observations of live IPv4 addresses, and then builds up something more useful. We can use logstash to generate our observation events:

nmap events to kafka topic

 

 

 

 

 

 

 

 

 

Second, we can set some general-purpose event decorators to make sure that IPv4 segments are labeled consistently:

Separately, we can list installed software packages from another tool like osquery to generate event records observing software packages that have been installed on server hosts.

When we ingest these osquery events, we can apply the same CIDR-based designation to identify production software packages either through the logstash filter, or directly in the osquery config. More importantly, we can create a business rule to derive a functional abstraction from the low-level data:

Systems with Postgres server installed in a customer-facing production network are part of the ‘ecommerce’ organization

Building the Model from an event stream also lets us automatically link complementary events to increase accuracy and verify scope. For example, the nmap sweep data should not identify any active addresses that cannot be accounted for by an osquery task that selects for configured NICs in an ‘up’ state connected to a default route. Once your validated Model has been assembled, we can use the Utility platform to push it into the SIEM and as many repositories and monitoring surfaces as possible.

Ultimately, properly configured, updated and maintained Model insures your SIEM is delivering/deriving the value you expected and maintaining its currency to the organization.  Additionally, your Analysts and MSSP vendor will also deliver more value to you and your organization, ultimately reducing dwell time of the adversary and improving your overall security posture.  Again, this often-overlooked step, is a surefire way to maximize the value of your SIEM and IR Tool investments.

Key Takeaways:

·      Don’t be that guy. Gain the upper hand on your adversaries to make aggressor TTPs more obvious.

·      A refined Model makes automated analysis easier to think about and decreases buried complexity caused by over-use of simpler abstractions.

·      An omnipresent Model builds a consistent understanding of business context across personnel and enhances collaboration by allowing more effective communication and alignment to business risk.

Join the Discussion