
Comments
Monitoring Threats and Measuring Risk

Thank you for putting this together!  It has been very helpful.

Apprentice

You are welcome.  I love sharing the information.

Apprentice

Thanks so much, @skyhawk, for a great class and Q&A.

How you measure risk is a tricky question.  I would say the likelihood of an attack is greater during the holiday season simply due to the increased traffic.  While the likelihood may increase, the other factors may not change much, depending on what is changing in your systems.  Holiday seasons are always more active because it is easier for an attacker to hide in the noise during those times.

It is also important to understand that oftentimes attacks last for weeks, months, or even years.  They may attack in July to steal your holiday data, or vice versa.  This is what makes risk so tough to quantify in many organizations.

Apprentice

Great class today. I've got to jump off now. But thanks for the lesson and conversation, everyone.

Strategist

I spend time working with SMBs to help protect their networks.  The best advice I can give any SMB is to start from a good foundation.  Make sure you have solid and tight IT practices, as those practices will make securing your company much easier.  It doesn't matter if you are building security at a large company or a small company; foundations are the basic building blocks.  Take time to really understand and document your environment; this will only help when securing systems and networks.

Apprentice

In your experience, how much does the risk equation vary from time to time?  If I'm in the retail industry, should I measure risk differently during the holiday shopping season than I do in, say, July?

Strategist

Another reason SMBs are such big targets. =/ Nothing is simple for them to defend. 

It is very important to include the business when defining use cases.  Oftentimes the business use cases are the ones that can cost the most money to fix.  Understanding how the business works and how you can help secure them means you have a better security platform.  Besides, if the business didn't exist, neither would the security team protecting them.

Apprentice

And do you recommend bringing the BU into the discussion or prioritizing the use cases? Or is that a pure play for security?

Strategist

The main reason companies don't log is the sheer amount of data that is generated.  The more you log, the more money it costs to keep those logs.  As a second note, oftentimes companies do log, but they don't log the correct items.  Again, define your use cases.  If you want logs pertaining to CC transactions, you have to make sure you are logging the information that provides that information.

Apprentice

SMBs can start small and expand from there.  Start by looking for things like brute-force attacks, or use honey tokens in key systems.  Limit the amount of data you have to process.  If you are logging firewalls and being overloaded with information, then take a step back and think about what you are looking for.  Focus on a small set of items to look for, and once you have found and remediated those items, then expand and add more things to look for.

Apprentice

@skyhawk The experts are constantly saying log, log, log, though. It seems not everyone even bothers to do that. Why so?

Risk is best associated with the use cases you define.  Every company will define risk differently.  How your company defines risk will be important to what you define as goals and use cases for your monitoring.  Companies that process credit cards will see loss of that information as higher risk than other companies.  Based on this risk to the business, you would want to focus more monitoring and controls on those data sources that monitor and protect credit cards.

Apprentice

@Kelly: CRITs and CIF are free, open-source software for SMBs, but they will need qualified professionals to run these tools, typically a Security+ level skillset with perhaps some Linux/Unix and Python/Django additions.

Strategist

@Skyhawk -- are there use cases for SMBs that are better than others? Or does it depend on the industry/company?

Strategist

SkyHawk is Kevin W. Lawrence, for those of you wondering.   SMBs do have a challenge, as they often have fewer resources.  SMBs can apply the same ideas, but do so with a smaller, focused set of use cases.

Apprentice

Question: I was excited to see the title include "Measuring Risk". I believe you can measure risk (e.g., FAIR) and manage uncertainty (using heuristics). However, there was no mention of this in your presentation. Can you elaborate on how monitoring threats relates to risk?

Strategist

Hello, everyone, thank you for attending.

Apprentice

But what about SMBs? They may not have the expertise or resources to do intelligent monitoring and apply the intel.

Intelligent monitoring is excellent as a first step towards threat replication. Using threat replication, an org can run fire drills on their detection and response capabilities. Armitage (FOSS) or Cobalt Strike's Malleable C2 can provide this threat replication by using actual indicators of compromise and simulating the adversary's kill chain.

Strategist

@Marilyn: ITops and appdev teams that don't align on system and config management will find alignment on log management to be the last control actioned on. Even when log management is labelled as a priority, it has project requirements on system/config mgmt that take longer to deploy and standardize.

Strategist

@DRTim: TI tools like Soltra Edge (or the FOSS equivalent, CRITs on GitHub) provide indicators in timeline and actionable formats, which make analyzing TI data easier. The Collective Intelligence Framework (CIF), another FOSS tool, can help with network-specific TI data, such as IP addresses and domain names, by autogenerating Snort or firewall rules as well as providing programmatic analysis capabilities.

Strategist

Why is that, @Andre? Is it because they are better able to focus and agree on priorities?

Strategist

@Kelly: Hey again! Yes, orgs that have tighter infosec and BU integration and alignment will have better log management capabilities.

Strategist

Hey there, @Andre! Long time no speak. :-) So it's an internal politics issue?

It seems like there are a lot of tools and services for detecting events and gathering threat intelligence, but few tools that help you interpret and prioritize that data so that you can apply it to your specific organization. Are there any best practices for filtering all of this stuff so that you get the actionable data/priorities you need for your own particular organization?

Strategist

Too much information? Logging is one thing; getting usable intel is the goal (and challenge) ...

Strategist

@Kelly: Most security BUs cannot influence outside BUs, particularly when dealing with disparate BUs with unique appdev or ITops requirements. Log management is the number one issue where the security BU butts heads with these other BUs.

Strategist

@Kelly, I think a lot of companies just don't know what to do with logs. They get overwhelmed by the size of some logs and just give up. The shame of it all is that there are so many tools to help with logs -- and some of the best are either free or very low cost.

Author

The experts are constantly saying log, log, log, though. It seems not everyone even bothers to do that. Why so?

Every day on Dark Reading I learn something new!

Strategist

It definitely would not be my first quiz of the day! Hey everyone.

Apprentice

@Marilyn, as long as you studied, you should be fine!

Author

Last day of class. I hope we don't have a pop quiz.

Strategist

Hi Curt! Anyone else in the room?

Strategist

We'd love to have your voice in the class discussion here. To take part, just type your comment or question into the "Your Post" box and then click on the "Post" button below the box. Feel free to introduce yourself before the class starts -- I think you'll find that we're a very friendly learning community here!

Author

Hey, everyone, we're glad you could join us! When the class is scheduled to start, at noon EDT, an audio player should appear above the "Your Post" window. If it doesn't appear, you might need to refresh your browser until it does. If it appears but doesn't start playing, then you may need to click on the "play" button on the far left of the player.

Author
