While resources such as the SANS 20 Critical Controls are helpful, businesses of all sizes struggle to build and maintain their security programs and to determine which security controls are critical for them. This can be disastrous, because motivated attackers target organizations that are found to lack basic security controls. The deficiency in security controls is often attributed to:
- Lack of internal talent
- Lack of resources
- A nebulous security strategy
Fortunately, those with a vague security strategy have resources such as the SANS 20 Critical Controls to make their approach clearer. According to SANS, “The Critical Security Controls focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on "What Works" - security controls where products, processes, architectures and services are in use that have demonstrated real world effectiveness.”
Organizations that are planning, or have already implemented, security monitoring can leverage their SIEM to assist with the Critical Security Controls. I use the term “assist” loosely, since a SIEM can support the controls either directly or indirectly. Rather than an exhaustive mapping of every control to a SIEM, I'll highlight a few examples.
Critical Security Controls
Inventory of Authorized and Unauthorized Devices
“Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.”
Asset Management and Discovery
Most SIEMs (such as AlienVault USM) include asset management and discovery. A SIEM that can discover assets both actively (scanning) and passively (observing traffic) provides a quick win: knowing what assets you have and what they are for gives the monitoring team context and lets the business understand where its risk lies. Once an organization has catalogued its assets, it knows what it needs to defend, and any device that appears on the network without a catalogue entry stands out as a potential threat (a rogue device).
Controlled Use of Administrative Privileges
“The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.”
Correlation rules can generate alerts on actions involving administrative accounts. For example, in a Windows environment, alerts can be raised for:
- Users being added to the Domain Admins group (Security event 4728, a member added to a security-enabled global group)
- Administrator logons (event 4624 for a privileged account)
- Unsuccessful administrator logon attempts (event 4625), particularly a burst of them from one source
Such rules can surface anomalous activity around the administrative accounts that attackers tend to target, and catching it early shortens the time defenders need to respond.
Maintenance, Monitoring and Analysis of Audit Logs
“Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.”
Security solutions such as AlienVault centrally collect, normalize, and correlate logs from any compatible log source. The real value lies in correlating host events with network logs in a security context, and one of the critical controls explicitly recommends deploying SIEM or log analytics tools for this purpose.
Forwarding logs to a SIEM that runs on dedicated infrastructure also lowers the chance of an attacker tampering with them. If an attacker clears the logs on a compromised server to cover their tracks, the copies already forwarded to the SIEM remain, and the clearing itself is recorded (Windows logs it as Security event 1102). The attacker now has to compromise the SIEM as well, which costs them effort and buys defenders time to catch up. This only holds if forwarding is near real-time and access to the SIEM is restricted to the monitoring team.
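As an added example (not code from the original post, and not AlienVault's own rules), the following Python sketch shows how the administrative-privilege alerts listed above and the log-clearing scenario just described might look as correlation logic running over Windows Security events that have already been forwarded to a central collector. The sample events are constructed for this illustration; the field names follow the Windows Security log (EventID, TargetUserName, TargetGroupName), but the JSON-lines framing, the privileged-account list and the failed-logon threshold are assumptions.

```python
"""Toy SIEM correlation rules for the Windows examples above.

Added illustration only: this is not AlienVault USM code and not the
author's rule set.  The events below are constructed to resemble
normalized Windows Security log records; the field names follow the
Windows Security log (EventID, TargetUserName, TargetGroupName, ...),
but the JSON-lines framing and the thresholds are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a Domain Admins membership change, an admin logon,
# a burst of failed admin logons, a later isolated failure, and an
# audit-log clear (event 1102) on the same host as the failures.
SAMPLE_LOG = """\
{"TimeCreated": "2014-03-10T09:00:01", "Computer": "DC01", "EventID": 4728, "SubjectUserName": "jsmith", "TargetUserName": "svc-backup", "TargetGroupName": "Domain Admins"}
{"TimeCreated": "2014-03-10T09:00:05", "Computer": "DC01", "EventID": 4728, "SubjectUserName": "jsmith", "TargetUserName": "svc-backup", "TargetGroupName": "Print Operators"}
{"TimeCreated": "2014-03-10T09:01:00", "Computer": "FS01", "EventID": 4624, "TargetUserName": "Administrator", "IpAddress": "10.0.0.25", "LogonType": 3}
{"TimeCreated": "2014-03-10T09:01:00", "Computer": "FS01", "EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.0.44", "LogonType": 2}
{"TimeCreated": "2014-03-10T09:02:00", "Computer": "FS01", "EventID": 4625, "TargetUserName": "Administrator", "IpAddress": "10.0.0.99"}
{"TimeCreated": "2014-03-10T09:02:20", "Computer": "FS01", "EventID": 4625, "TargetUserName": "Administrator", "IpAddress": "10.0.0.99"}
{"TimeCreated": "2014-03-10T09:02:40", "Computer": "FS01", "EventID": 4625, "TargetUserName": "Administrator", "IpAddress": "10.0.0.99"}
{"TimeCreated": "2014-03-10T09:09:40", "Computer": "FS01", "EventID": 4625, "TargetUserName": "Administrator", "IpAddress": "10.0.0.99"}
{"TimeCreated": "2014-03-10T09:10:00", "Computer": "FS01", "EventID": 1102, "SubjectUserName": "Administrator"}
"""

ADMIN_ACCOUNTS = {"administrator"}                 # assumed privileged accounts (lower-case)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
FAILED_LOGON_THRESHOLD = 3                         # assumed: 3 failures ...
FAILED_LOGON_WINDOW = timedelta(minutes=5)         # ... within 5 minutes


def parse_events(text):
    """Parse JSON-lines events and return them ordered by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
            events.append(ev)
    return sorted(events, key=lambda e: e["TimeCreated"])


def correlate(events, admin_accounts=ADMIN_ACCOUNTS):
    """Run the four rules over a time-ordered event stream; return alerts."""
    alerts = []
    # (account, source ip) -> timestamps of 4625s still inside the window
    failures = defaultdict(list)

    def alert(rule, ev, **fields):
        alerts.append({"rule": rule, "host": ev["Computer"],
                       "time": ev["TimeCreated"].isoformat(), **fields})

    for ev in events:
        eid = ev["EventID"]
        target = ev.get("TargetUserName", "").lower()
        if eid in (4728, 4732) and ev.get("TargetGroupName") in PRIVILEGED_GROUPS:
            # 4728 / 4732: member added to a security-enabled global / local group
            alert("privileged_group_change", ev, account=ev["TargetUserName"],
                  group=ev["TargetGroupName"], actor=ev["SubjectUserName"])
        elif eid == 4624 and target in admin_accounts:
            alert("admin_logon", ev, account=target, source=ev.get("IpAddress"))
        elif eid == 4625 and target in admin_accounts:
            key = (target, ev.get("IpAddress"))
            now = ev["TimeCreated"]
            recent = [t for t in failures[key] if now - t <= FAILED_LOGON_WINDOW]
            recent.append(now)
            failures[key] = recent
            if len(recent) == FAILED_LOGON_THRESHOLD:  # fire once per burst
                alert("admin_logon_failures", ev, account=target,
                      source=key[1], count=len(recent))
        elif eid == 1102:
            # The clear itself is logged, and the forwarded copy survives on the SIEM
            alert("audit_log_cleared", ev, actor=ev.get("SubjectUserName"))
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_LOG)):
        print(a)
```

Run against the constructed sample, the rules fire four times: the Domain Admins change (the Print Operators change is ignored), the Administrator logon (jdoe's is not), the third failed Administrator logon from 10.0.0.99 (the isolated failure seven minutes later falls outside the window and does not re-fire), and the audit-log clear. The failed-logon rule keys on account plus source address so that a slow spray across many accounts would need a separate rule; that is a deliberate trade-off for the sake of a readable example.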
In short, SIEM and log management solutions can add value to the SANS 20 Critical Controls. A SIEM is only a tool, though; the value comes from how an organization uses it to build better security.
About the Blogger: Jimmy Vo is a Security Consultant at VioPoint who focuses on security monitoring and security assessments. In addition to consulting, Jimmy specializes in throwing roundhouse kicks and playing with dogs. Outside of work and MMA training, he runs @SecurityTwits and hangs out at the local Michigan Security Group (#misec) meetings. Follow Jimmy on Twitter: @jimmyvo