Managing Security using Open and Integrated Platform

Moazzam Khan
Published in allaboutsecurity
Jan 12, 2022

Ed’s cell phone rings at 4:00 am. It is his boss, who wants him to look into the organization’s security logs: sensitive financial data belonging to customers has been found on the dark web, and the press is calling him for confirmation.

Ed has been working remotely since the pandemic and can log in remotely to the organization’s SIEM environment. From this single pane of glass he begins investigating events, running targeted searches for known IOCs, and searching the logs of the specific technologies where the leaked data resided for any indicators of compromise or evidence of unapproved access. From the SIEM Ed can search event payloads and network flows across the organization, looking for any routes or paths of data flow that would shed light on what caused the breach.

As Ed works through the access logs for the systems containing the leaked information, he determines that the network segment in question is siloed from corporate monitoring because of a compliance requirement; it is monitored by a standalone Splunk instance, and he must now request access to it to continue the investigation. John has requested access to this Splunk SIEM on Ed’s behalf, but the investigation stalls until access is granted, which requires several teams and approvals. This lengthens the time to knowing what happened and puts strain on John and leadership.

After getting access, Ed notices SSH connections from the compromised datastore to a business partner’s site, which should have been identified and alerted on automatically given the amount of data transferred. Because the data flow goes to a business partner’s network that Ed cannot access, a request for logs is sent to the partner, adding yet another delay to the investigation. Once Ed receives and analyzes the requested logs, he finds data flows leaving the business partner’s network to a known Ryuk IP address; this is the first piece of information suggesting what has happened. The business partner was breached, and a misconfiguration on Ed’s company’s side allowed the partner to maintain connections and exfiltrate data from the network without the organization having any visibility, because of the siloed Splunk instance. Ed continues his investigation, adding rules to both the Splunk SIEM and the organization’s main SIEM to look for all known Ryuk IOCs and catch anything else still residing in the network.
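The alert the narrative says should have fired is a volume-based egress rule. The following is an added example, not code from the article or from any product it mentions: it aggregates constructed flow records per source/destination pair and flags SSH traffic leaving the datastore segment for an external address once the total exceeds a threshold. The network ranges and the threshold are placeholder assumptions.

```python
# Added example (not from the original article): a minimal volume-based
# detection over constructed flow records, the kind of rule that would have
# flagged the large SSH transfers from the datastore to the partner network.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions: the internal ranges, the datastore segment and the threshold
# are placeholders; real values come from the organization's asset inventory.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
DATASTORE_NET = ip_network("10.20.0.0/16")
THRESHOLD_BYTES = 500 * 1024 * 1024  # 500 MiB per source/destination pair

# Constructed flow records: (src, dst, dst_port, bytes_out)
FLOWS = [
    ("10.20.1.15", "203.0.113.7", 22, 300 * 1024 * 1024),
    ("10.20.1.15", "203.0.113.7", 22, 350 * 1024 * 1024),   # same pair, adds up
    ("10.20.1.15", "10.0.5.5", 22, 900 * 1024 * 1024),      # internal, ignored
    ("10.30.2.9", "203.0.113.7", 22, 50 * 1024 * 1024),     # not a datastore host
    ("10.20.1.20", "198.51.100.4", 443, 800 * 1024 * 1024), # not SSH
]


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def detect_bulk_ssh_egress(flows, threshold=THRESHOLD_BYTES):
    """Sum outbound bytes per (src, dst) for SSH flows that leave the datastore
    segment for an external address; return the pairs above the threshold.
    Aggregating per pair catches transfers split across many sessions that a
    per-flow threshold would miss."""
    totals = defaultdict(int)
    for src, dst, port, nbytes in flows:
        if port != 22 or is_internal(dst):
            continue
        if ip_address(src) not in DATASTORE_NET:
            continue
        totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total > threshold}


if __name__ == "__main__":
    for (src, dst), total in detect_bulk_ssh_egress(FLOWS).items():
        print(f"ALERT bulk SSH egress {src} -> {dst}: {total / 2**20:.0f} MiB")
```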

Meanwhile, senior management is eager for an update and immediate remediation steps, but Ed’s organization has no incident response system and relies on employees’ best guesses to make sure every required step has been followed. Communication runs over email and Slack between Ed and his manager.

This organization’s response to the incident is slow and costly, and it cannot gain complete insight into the incident, for the following reasons.

Complexity in security infrastructure

Too many tools from several vendors are involved, and analysts have to switch back and forth between them to get what they need. For example, when they see an observable in the SIEM they check it on VirusTotal, and also log into local databases to match it against users and assets.

Myriad of security tools and lack of integration in security tools

As mentioned above, there are several tools, but they do not talk to each other.

Siloed data sources

Each department has its own data sources, which are difficult to share because of compliance and technological challenges.

Ineffective Orchestration and Response

Parties involved in handling a security incident are not looped in in a timely manner and rely on manual means to communicate, which only delays remediation.

Dispersed resources for threat intelligence

Threat intelligence sources are dispersed and not accessible from one location.

The issues faced by this organization can be resolved with an integrated security platform such as IBM Cloud Pak for Security:

· It resolves the complexity problem by providing a frictionless interface to all of their security tools in one window.

· They can integrate third-party tools, whether on-premises or in the cloud, by building connectors for those tools with the SDK provided by the OASIS Open Cybersecurity Alliance. This lets them extract more value from what they already have rather than spending on building something from scratch.

· Analysts can search all threat intelligence feeds, such as X-Force, FireEye and VirusTotal, from one place without visiting each feed.

· Federated search lets the analyst query all data sources within the organization without compromising privacy, since the data stays at its original location and is not duplicated.

· A built-in security orchestration, automation and response system helps remediate incidents in a timely manner.
