
Comments
Monitoring Threats and Measuring Risk

Thank you for putting this together!  It has been very helpful.

Apprentice

You are welcome.  I love sharing the information.  

Apprentice

Thanks so much, @skyhawk for a great class and q&a. 

How you measure risk is a tricky question.  I would say the likelihood of an attack is greater during the holiday season simply due to the increased traffic.  While the likelihood may increase, the other factors may not change much depending on what is changing in your systems.  Holiday seasons are always more active because it is easier for an attacker to hide in the noise during those times.

It is also important to understand that often times attacks last for weeks, months, or even years.  They may attack in July to steal your holiday data, or vice versa.  This is what makes risk so tough to quantify in many organizations.

Apprentice

Great class today. I've got to jump off now. But thanks for the lesson and conversation everyone.

Strategist

I spend time working with SMBs to help protect their networks.  The best advice I can give any SMB is to start from a good foundation.  Make sure you have solid and tight IT practices, as those practices will make securing your company much easier.  It doesn't matter if you are building security at a large company or a small company; foundations are the basic building blocks.  Take time and really understand and document your environment; this will only help when securing systems and networks.

Apprentice

In your experience, how much does the risk equation vary from time to time?  If I'm in the retail industry, should I measure risk differently during the holiday shopping season than I do in, say, July?

Strategist

Another reason SMBs are such big targets. =/ Nothing is simple for them to defend. 

It is very important to include the business when defining use cases.  Often times the business use cases are the ones that can cost the most money to fix.  Understanding how the business works and how you can help secure them means you have a better security platform.  Besides, if the business didn't exist, neither would the security team protecting them.

Apprentice

And do you recommend bringing in the BU to the discussion or prioritizing the use cases? Or is that a pure play for security? 

Strategist

The main reason companies don't log is the sheer amount of data that is generated.  The more you log, the more money it costs to keep those logs.  As a second note, often times companies do log, but they don't log the correct items.  Again, define your use cases.  If you want logs pertaining to cc transactions, you have to make sure you are logging the information that provides that information.


Apprentice

SMBs can start small and expand from there.  Start by looking for things like brute-force attacks, or use Honey Tokens in key systems.  Limit the amount of data you have to process.  If you are logging firewalls and being overloaded on information, then take a step back and think about what you are looking for.  Focus on a small set of items to look for and once you have found and remediated those items, then expand and add more things to look for.

Apprentice

@skyhawk The experts are constantly saying log, log, log, though. It seems not everyone even bothers to do that. Why so?

Risk is best associated with the use cases you define.  Every company will define risk differently.  How your company defines risk will be important to what you define as goals and use cases for your monitoring.  Companies that process credit cards will see loss of that information as higher risk than other companies.  Based on this risk to the business you would want to focus more monitoring and controls on those data sources that monitor and protect credit cards.


Apprentice

@ Kelly: CRITs and CIF are free, open-source software for SMBs, but they will need qualified professionals to run these tools, typically a Security+ level skillset with perhaps some Linux/Unix and Python/Django additions

Strategist

@Skyhawk -- are there use cases for SMBs that are better than others? Or does it depend on the industry/company?

Strategist

SkyHawk is Kevin W. Lawrence for those of you wondering.   SMBs do have a challenge as they often have less resources.  SMBs can apply the same ideas, but do so with a smaller focused set of use cases.

Apprentice

Question: I was excited to see the title include "Measuring Risk". I believe you can measure risk (e.g., FAIR) and manage uncertainty (using heuristics). However, there was no mention of this in your prezo. Can you elaborate about how monitoring threats relates to risk?

Strategist

Hello everyone, thank you for attending.

Apprentice

But what about SMBs? They may not have the expertise or resources to do intelligent monitoring, and apply the intel.

Intelligent monitoring is excellent as a first step towards threat replication. Using threat replication, an org can run fire drills on their detection and response capabilities. Armitage (FOSS) or Cobalt Strike's Malleable C2 can provide this threat replication by using actual indicators of compromise and simulating the adversary's kill chain

Strategist

@Marilyn : ITops and appdev teams that don't align on system and config management will find alignment on log management to be the last control actioned on. Even when log management is labelled as priority, it has project requirements on system-config mgmt that take longer to deploy and standardize

Strategist

@ DRTim: TI tools like Soltra Edge (or the FOSS equiv, CRITs on GitHub) provide indicators in timeline and actionable formats, which make analyzing TI data easier. The Collective Intelligence Framework (CIF), another FOSS tool, can help with network-specific TI data, such as IP addresses and domain names, by autogenerating Snort or firewall rules as well as providing programmatic analysis capabilities

Strategist

Why is that @Andre? Is it because they are better able to focus and agree on priorities?

Strategist

@Kelly: Hey again! Yes, orgs that have tighter infosec and BU integration and alignment will have better log management capabilities.

Strategist

Hey there, @Andre! Long time no speak. :-) So it's an internal politics issue?

It seems like there are a lot of tools and services for detecting events and gathering threat intelligence, but few tools that help you interpret and prioritize that data so that you can apply it to your specific organization. Are there any best practices for filtering all of this stuff so that you get the actionable data/priorities you need for your own particular organization?

Strategist

Too much information? Logging is one thing, getting usable intel is the goal (and challenge) ...

Strategist

@ Kelly : Most security BUs cannot influence outside BUs, particularly when dealing with disparate BUs with unique appdev or ITops requirements. Log management is the number one issue where the security BU butts heads with these other BUs.

Strategist

@Kelly, I think a lot of companies just don't know what to do with logs. They get overwhelmed by the size of some logs and just give up. The shame of it all is that there are so many tools to help with logs -- and some of the best are either free or very low cost.

Author

The experts are constantly saying log, log, log, though. It seems not everyone even bothers to do that. Why so?

Every day on Dark Reading I learn something new!

Strategist

It definitely would not be my first quiz of the day! Hey everyone.

Apprentice

@Marilyn, as long as you studied, you should be fine!

Author

Last day of class. I hope we don't have a pop quiz. 

Strategist

Hi Curt! Anyone else in the room?

Strategist

We'd love to have your voice in the class discussion here. To take part, just type your comment or question into the "Your Post" box and then click on the "Post" button below the box. Feel free to introduce yourself before the class starts -- I think you'll find that we're a very friendly learning community here! 

Author

Hey, everyone, we're glad you could join us! When the class is scheduled to start, at noon EDT, an audio player should appear above the "Your Post" window. If it doesn't appear, you might need to refresh your browser until it does. If it appears but doesn't start playing, then you may need to click on the "play" button on the far left of the player. 

Author
