Limited Budget For SIEM? Then Opt For Managed Security Service Providers (MSSP)

The current recession is coinciding with a rise in data breaches; the breaches reported last month alone are alarming. Organizations are doing everything they can to secure themselves, but with limited resources and budgets.

Getting full visibility of your IT security environment across logs, vulnerability data, full-fledged configuration audit, asset analytics, performance analytics, network behaviour anomaly detection, audit reports and automated correlation of data from all these areas will blow up your budget. That is where Managed Security Service Providers (MSSPs) come in: quick, useful and actionable security and compliance information, i.e. Security Information and Event Management (SIEM), at a cost you control. Below are a few customer concerns and cases where an MSSP can help secure the environment.

Case 1: Stop a malware attack before your antivirus vendor ships the signature

  • Can you find out what happened in a given part of your network at any point in time? Did you see increased traffic on a certain port? Is it caused by malware?
  • Do you know where the malware attacks came from?
  • What if you could spot the malware attack before your antivirus vendor sends out new signatures, and close the port in time to stop it from getting into your network?
  • If the worm had got into your network, imagine the time and cost involved in removing it.
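The detection behind this case is a per-port traffic baseline: sum bytes per port and hour, learn what "normal" looks like from earlier days, and alert on an hour that exceeds it, naming the sources so the port (or the talkers) can be blocked. The following is an added example, not code from the original post or from any MSSP product; the flow records, hosts and byte counts are constructed, and the threshold of mean plus four standard deviations is an assumption.

```python
"""Added example: spot a traffic spike on one port by comparing each hour's
byte count against a per-port baseline built from earlier flow records.
Constructed data; the hosts and numbers are hypothetical."""
from collections import defaultdict
from statistics import mean, pstdev


def normal_day(day):
    """Constructed 'normal' hourly flows: steady SMB (445) and web (80) traffic."""
    flows = []
    for hour in range(24):
        flows.append((day, hour, "10.0.0.%d" % (hour % 5 + 1), 445, 1_000 + 50 * (hour % 3)))
        flows.append((day, hour, "10.0.0.%d" % (hour % 7 + 1), 80, 20_000 + 300 * (hour % 4)))
    return flows


# Seven quiet days, then day 8 with a worm-like burst of SMB traffic at 14:00
# from five hosts that never spoke on that port before (constructed).
FLOWS = [f for day in range(1, 9) for f in normal_day(day)]
FLOWS += [(8, 14, "10.0.5.%d" % i, 445, 250_000) for i in range(1, 6)]


def bucket(flows):
    """Sum bytes per (day, hour, port) and remember which sources contributed."""
    totals = defaultdict(int)
    sources = defaultdict(lambda: defaultdict(int))
    for day, hour, src, port, nbytes in flows:
        totals[(day, hour, port)] += nbytes
        sources[(day, hour, port)][src] += nbytes
    return totals, sources


def baseline(totals, port, before_day):
    """Mean and standard deviation of hourly byte totals on `port` over all
    days strictly before `before_day`."""
    samples = [v for (d, _, p), v in totals.items() if p == port and d < before_day]
    return mean(samples), pstdev(samples)


def find_spikes(flows, day, k=4.0):
    """Return {(hour, port): (bytes, baseline_mean, top_sources)} for every
    hour of `day` in which a port carried more than mean + k*stdev of its
    baseline.  `top_sources` lists the three heaviest talkers in that hour,
    which is what you need in order to decide what to block."""
    totals, sources = bucket(flows)
    spikes = {}
    for port in {p for (_, _, p) in totals}:
        mu, sigma = baseline(totals, port, day)
        for hour in range(24):
            seen = totals.get((day, hour, port), 0)
            if seen > mu + k * sigma:
                ranked = sorted(sources[(day, hour, port)].items(), key=lambda kv: -kv[1])
                spikes[(hour, port)] = (seen, round(mu), [ip for ip, _ in ranked[:3]])
    return spikes


if __name__ == "__main__":
    for (hour, port), (seen, mu, top) in sorted(find_spikes(FLOWS, 8).items()):
        print("day 8 %02d:00 port %d: %d bytes (baseline %d) top sources %s"
              % (hour, port, seen, mu, top))
```

On the constructed data only 14:00 on port 445 trips the threshold, and the ranked sources are the five new hosts, which is the list an engineer would feed into a firewall block before any signature exists. The same approach works on NetFlow or firewall accept logs; the only requirement is that the baseline be built from days that are themselves clean.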

Case 2: Policy violation alerts related to configuration audit data

  • What if you got alerts when a policy is violated? For example, if corporate policy forbids installing browser add-ons and a user installs one anyway, your system administrator is alerted immediately.
  • You get alerts on configuration change violations: if an attacker or an unauthorized user changes the registry, starts or stops services or turns off logging, or an engineer misconfigures a router, you are alerted.

Case 3: Asset policy violation and inventory (software & hardware) tracking

  • What if you got reports on your hardware and software inventory, software revision levels, licenses and USB devices?
  • You get alerts on asset policy violations. For example, your policy does not allow instant messaging because confidential data can leak through it. If a user installs an IM client, do you know who did it, and where and when it was installed? Do you know whether that user shared any data through IM?
  • What if you could monitor USB device activity, such as a user copying data to a USB memory stick? Do you know who moved the data, what was transferred and how much?
  • More examples of asset policy violation alerts: if one of your hardware engineers removes a memory stick from a PC and takes it home, how do you know?
  • If a NIC is disabled on a key server, or a new share or a new drive is created, do you know about it?
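Cases 2 and 3 are both the same mechanism: take the agent's current snapshot of a host (services, registry, shares, audit logging, installed software), diff it against the approved baseline, and check anything new against the asset policy. The following is an added example that is not code from the original post or from any product; the baseline and observed snapshots, the host's product names and the forbidden-software list are all constructed.

```python
"""Added example: raise alerts when a host's configuration and software
inventory drift from the approved baseline, and flag any new software that
the asset policy forbids.  Both snapshots are constructed; the paths and
product names are hypothetical."""

# Asset policy (constructed): software families that may not be installed.
FORBIDDEN_SOFTWARE = ("instant messenger", "add-on")

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Approved baseline captured when the workstation was built.
BASELINE = {
    "software": {"Office Suite 16.0", "Antivirus 9.2"},
    "services": {"EventLog": "running", "Spooler": "running", "RemoteRegistry": "stopped"},
    "registry": {RUN_KEY: ("av-tray",)},
    "audit_logging": "enabled",
    "shares": {"ADMIN$", "C$"},
    "nics": {"Ethernet0": "up"},
}

# What the agent reports today: IM client and browser add-on installed,
# logging stopped, RemoteRegistry started, a new Run entry and a new share.
OBSERVED = {
    "software": {"Office Suite 16.0", "Antivirus 9.2",
                 "Instant Messenger 5.1", "Browser Add-on PDFHelper"},
    "services": {"EventLog": "stopped", "Spooler": "running", "RemoteRegistry": "running"},
    "registry": {RUN_KEY: ("av-tray", "svchost_update")},
    "audit_logging": "disabled",
    "shares": {"ADMIN$", "C$", "Finance$"},
    "nics": {"Ethernet0": "up"},
}


def diff_mapping(section, base, cur):
    """Alerts (section, key, change, detail) for keys added, removed or changed."""
    alerts = []
    for key in sorted(set(base) | set(cur)):
        before, after = base.get(key), cur.get(key)
        if before == after:
            continue
        if before is None:
            alerts.append((section, key, "added", after))
        elif after is None:
            alerts.append((section, key, "removed", before))
        else:
            alerts.append((section, key, "changed", (before, after)))
    return alerts


def config_drift(baseline, observed):
    """Every guarded setting that no longer matches the baseline.  A stopped
    EventLog or disabled audit logging is what an intruder does first, so
    these deserve an immediate page rather than a daily report."""
    alerts = []
    for section in ("services", "registry", "nics"):
        alerts += diff_mapping(section, baseline[section], observed[section])
    for share in sorted(observed["shares"] - baseline["shares"]):
        alerts.append(("shares", share, "added", None))
    for share in sorted(baseline["shares"] - observed["shares"]):
        alerts.append(("shares", share, "removed", None))
    if baseline["audit_logging"] != observed["audit_logging"]:
        alerts.append(("audit_logging", "state", "changed",
                       (baseline["audit_logging"], observed["audit_logging"])))
    return alerts


def asset_violations(baseline, observed, forbidden=FORBIDDEN_SOFTWARE):
    """Software installed since the baseline, each flagged True when its name
    matches a forbidden family under the asset policy."""
    new = sorted(observed["software"] - baseline["software"])
    return [(pkg, any(term in pkg.lower() for term in forbidden)) for pkg in new]


if __name__ == "__main__":
    for alert in config_drift(BASELINE, OBSERVED):
        print("DRIFT", alert)
    for pkg, violates in asset_violations(BASELINE, OBSERVED):
        print("POLICY VIOLATION" if violates else "NEW SOFTWARE", pkg)
```

Who made the change and when comes from the collector's timestamp and the host's own audit trail, which is why the audit-logging alert matters: once logging is off, the next snapshot can still tell you what changed, but not who changed it.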

Case 4: IDS alerts on attempts to log into SQL Server, but no SQL Server in the DMZ range

  • Suppose IDS alerts are generated from an external source address against every system in the DMZ range where the web and other services are hosted.
  • The alerts correspond to attempts to log into SQL Server with the username 'sa' and a blank password.
  • Without automated correlation it is hard to get a clear picture of what is happening. The security engineer knows there is no SQL Server in the DMZ, and when no further alerts are generated the case is closed.
  • But when this data is correlated with vulnerability and asset data, the real situation emerges. A scan for port 1433 (the default port used by SQL Server) and for SQL Server vulnerabilities shows that a couple of systems are in fact running SQL Server; correlating this with the asset inventory shows that these two systems are not listed. They were test systems set up by one of the engineers, against policy, and were shut down immediately.
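The correlation in this case is a three-way join: the IDS says which hosts were targeted, the scanner says which of them actually listen on the SQL Server port, and the inventory says which of those are supposed to exist. The following is an added example, not code from the original post or from any product; the alert records, scan results and inventory are constructed, and the DMZ addresses and signature text are hypothetical.

```python
"""Added example: correlate IDS alerts with scan results and the asset
inventory to find systems that really do answer on the SQL Server port and
are not registered assets.  All three data sets are constructed."""
from collections import Counter

SQL_PORT = 1433  # SQL Server's default listener port

# IDS alerts: one external source trying every host in the DMZ range (constructed).
IDS_ALERTS = [
    {"src": "203.0.113.7", "dst": "192.0.2.%d" % last,
     "sig": "MSSQL sa login attempt with blank password"}
    for last in range(10, 16) for _ in range(3)
]

# Vulnerability scanner output: open ports per host (constructed).
SCAN = {
    "192.0.2.10": {80, 443},
    "192.0.2.11": {80, 443},
    "192.0.2.12": {1433, 3389},
    "192.0.2.13": {25},
    "192.0.2.14": {1433},
    "192.0.2.15": {53},
}

# Asset inventory: registered DMZ hosts and their role (constructed).
INVENTORY = {
    "192.0.2.10": "web",
    "192.0.2.11": "web",
    "192.0.2.13": "mail",
    "192.0.2.15": "dns",
}


def targeted_hosts(alerts, signature_fragment="MSSQL"):
    """Count alerts per destination for the signature family of interest."""
    return Counter(a["dst"] for a in alerts if signature_fragment in a["sig"])


def correlate(alerts, scan, inventory, port=SQL_PORT):
    """Classify every alerted host as one of:
       'no listener'            - scanner saw nothing on the port; alert is noise
       'listener, unregistered' - answers on the port and is not in inventory
       'listener, role=<role>'  - answers on the port and is a known asset"""
    findings = {}
    for host, count in targeted_hosts(alerts).items():
        if port not in scan.get(host, set()):
            verdict = "no listener"
        elif host not in inventory:
            verdict = "listener, unregistered"
        else:
            verdict = "listener, role=%s" % inventory[host]
        findings[host] = (verdict, count)
    return findings


def needs_action(findings):
    """Hosts an engineer must look at: unregistered listeners, plus registered
    hosts that expose the port without being a database server."""
    return sorted(h for h, (v, _) in findings.items()
                  if v == "listener, unregistered"
                  or (v.startswith("listener, role=") and not v.endswith("role=database")))


if __name__ == "__main__":
    findings = correlate(IDS_ALERTS, SCAN, INVENTORY)
    for host, (verdict, count) in sorted(findings.items()):
        print("%s  %-24s %d alerts" % (host, verdict, count))
    print("follow up:", needs_action(findings))
```

On the constructed data four of the six alerted hosts are noise, and the two that answer on 1433 are exactly the ones missing from the inventory. Note the verdict depends on the scan being recent: a scan older than the alerts can miss a listener that was started afterwards, so trigger a targeted rescan of the alerted hosts when the last full scan predates the alert burst.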

Case 5: A server is trying to 'phone home' daily

  • A Windows server triggers log entries on the web content filter: the system is trying to reach sites on the blocked list.
  • Drilling into the data, the events occur between 10 and 11 PM.
  • Comparing network traffic behaviour against the established baseline shows anomalies, and there is also a spike in server load between 10 and 11 PM.
  • This data is automatically correlated with the configuration baseline, which reveals changed registry keys, hidden directories and unknown software installed on the server. It is a rootkit (a program, or set of programs, designed to hide the fact that a system has been compromised), and the server is 'phoning home' to its controller every night.
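What makes this case work is correlation by host and time window across sources that individually look harmless: a recurring off-hours web-filter deny selects the host and the hour, and performance samples and configuration-change records for that host are then pulled for the same window. The following is an added example, not code from the original post or from any product; the web-filter lines, performance samples and change records are constructed, and the host names, paths, dates and the definition of business hours are assumptions.

```python
"""Added example: tie together three sources for the 'phone home' case:
web-filter denies, server performance samples and configuration-change
records.  A host is flagged when it is blocked at the same off-hours time on
several days, and the other sources are then pulled for that host and window.
All events are constructed; host names, paths and times are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 counts as normal activity (assumption)

# Web content filter log: (timestamp, host, category, action)
WEB_FILTER = [
    ("2009-03-01 22:14:03", "srv-07", "malware", "blocked"),
    ("2009-03-02 22:16:41", "srv-07", "malware", "blocked"),
    ("2009-03-03 22:15:12", "srv-07", "malware", "blocked"),
    ("2009-03-02 09:30:00", "ws-011", "social", "blocked"),
    ("2009-03-03 09:31:00", "ws-011", "social", "blocked"),
    ("2009-03-04 09:29:00", "ws-011", "social", "blocked"),
]

# Performance samples every two hours: (timestamp, host, cpu_pct); 22:00 is hot.
PERF = [("2009-03-0%d %02d:00:00" % (d, h), "srv-07", 80 if h == 22 else 10 + h % 3)
        for d in range(1, 4) for h in range(0, 24, 2)]

# Configuration-change records from the baseline comparison: (timestamp, host, what)
CONFIG_CHANGES = [
    ("2009-02-28 23:02:10", "srv-07",
     r"registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run += svcupd"),
    ("2009-02-28 23:02:15", "srv-07",
     r"filesystem: hidden directory C:\Windows\System32\drv\ created"),
    ("2009-02-20 10:00:00", "ws-011", "software: installed Office Suite 16.0"),
]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def recurring_offhours_denies(events, min_days=3):
    """{host: hour} for hosts blocked outside business hours at the same hour
    on at least `min_days` distinct days.  A user hitting a social site at
    09:30 is noise; a server hitting a malware site at 22:15 every night is not."""
    days = defaultdict(set)  # (host, hour) -> {date}
    for when, host, _, action in events:
        t = ts(when)
        if action == "blocked" and t.hour not in BUSINESS_HOURS:
            days[(host, t.hour)].add(t.date())
    return {host: hour for (host, hour), d in days.items() if len(d) >= min_days}


def perf_in_window(samples, host, hour, k=2.0):
    """Samples for `host` at `hour` whose CPU exceeds k times the host's mean at other hours."""
    others = [cpu for when, h, cpu in samples if h == host and ts(when).hour != hour]
    limit = k * sum(others) / len(others)
    return [(when, cpu) for when, h, cpu in samples
            if h == host and ts(when).hour == hour and cpu > limit]


def changes_before(changes, host, first_seen, lookback_days=7):
    """Configuration changes on `host` in the `lookback_days` before the first deny."""
    start = first_seen - timedelta(days=lookback_days)
    return [(when, what) for when, h, what in changes
            if h == host and start <= ts(when) <= first_seen]


def phone_home_report(web, perf, changes):
    """Per flagged host: the hour, the matching load spikes and the preceding changes."""
    report = {}
    for host, hour in recurring_offhours_denies(web).items():
        first = min(ts(w) for w, h, _, a in web
                    if h == host and a == "blocked" and ts(w).hour == hour)
        report[host] = {
            "hour": hour,
            "perf_spikes": perf_in_window(perf, host, hour),
            "config_changes": changes_before(changes, host, first),
        }
    return report


if __name__ == "__main__":
    for host, detail in phone_home_report(WEB_FILTER, PERF, CONFIG_CHANGES).items():
        print(host, "beacons at %02d:00" % detail["hour"])
        for when, cpu in detail["perf_spikes"]:
            print("   load", when, "%d%%" % cpu)
        for when, what in detail["config_changes"]:
            print("   change", when, what)
```

The report lines up the nightly denies, the load spikes at the same hour and the registry and hidden-directory changes made a few days before the first beacon, which is the chain of evidence that turns a "blocked site" nuisance into a compromise investigation. Each source on its own would have been closed as noise.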

Case 6: My system is very slow!

  • A critical Linux server is running very slowly; users complain that the CRM application is slow. CPU and memory usage are very high and disk space is running low.
  • This performance data is correlated with network behaviour data and performance data from other systems on the local network.
  • Three other systems are also running slowly and generating a lot of meaningless alerts.
  • A trend analysis against historical data finds many new, unwanted services running on the server. System configuration and asset details show several applications running that should not be, including a database. It appears someone used the system to test a new application, in violation of company policy.
  • The administrator shuts down the unwanted applications, removes the bandwidth bottlenecks and tunes the system to restore availability and responsiveness.