Recent Breaches Show Why Federal Agencies Need These 3 Requirements From Modern SIEMs

December 30, 2020

The SolarWinds compromise that affected multiple key federal agencies brings the weaknesses of legacy log management and SIEM platforms into focus. A big part of the compromise involved compromised credentials: once the attackers got in, they moved laterally under multiple user identities. Insider threats aren't a new concept for federal agencies; they have been on the radar long enough that guidelines on how to address them have been released, and we've talked about it before.

Federal agencies are particularly challenged around insider threats. Internally, these organizations have to address whistleblower and confidential information leaks; externally, they combat nation-states and other malicious actors trying to gain access to extremely large amounts of data. And with limited budget and personnel, government agencies are an attractive target for adversaries who know these agencies might not have as many resources for their security program.

This brings me back to one of the biggest weaknesses of legacy SIEM tools: correlation rules are static, too coarse (they only indicate whether something did or didn't occur), and not enough on their own to detect modern insider threats and compromised credentials. GovCon expert Chuck Brooks says in his wishlist for the U.S. government: “Agencies are also looking at behavioral identifiers bolstered by machine learning and artificial intelligence to detect and mitigate insider threats. It is an area that needs more attention in government as well as industry as data is continually being breached as a result of human activities.”

A modern solution should not only be simple and easy to use, saving analysts time when threat hunting, but also dynamic in correlating and identifying threats, especially low and slow attacks that never trigger a static correlation rule. Detecting these threats takes risk scoring and behavioral rules and identifiers that don't exist in legacy SIEMs.

Here are three requirements federal agencies should look for in modern SIEM platforms.

Requirement #1: Anomalous behavior is detected with machine learning and statistical analysis and not reliant on only static correlation rules

Figure 1: Drive-by Compromise technique shown in Exabeam Smart Timeline rule tags.

As the SolarWinds incident demonstrated, attacks that take time and move slowly through an agency's network are hard to detect. Modern SIEM solutions should include user and entity behavior analytics (UEBA) to complement static correlation rules, so that anomalous behavior like lateral movement with compromised credentials is surfaced the way FireEye describes in its threat research response. Correlation rules won't trigger on complex behaviors where you don't know in advance which event or combination of events defines risky behavior. UEBA takes in security and operational data from a variety of sources to baseline “normal” behavior for each user and entity in the network. Anomalous activity, such as a user accessing a server or workstation for the first time, adds to that user's or entity's risk score, and crossing a threshold can alert security teams to investigate immediately.

Requirement #2: Threat hunting via point-and-click + filters means easier, faster threat hunting

Figure 2: Threat hunting is intuitive and doesn’t involve complex queries and disparate tools.

Federal agencies already have limited resources, so any time saved on threat hunting and training goes directly to resolving incidents and threats. As Figure 2 shows, modern interfaces with built-in filters can save security analysts a great deal of time. This ease of use means analysts can threat hunt on day one without having to build complex queries to check for lateral movement. Analysts should be able to perform behavior-based searches rather than relying only on an indicators of compromise (IoC) and static correlation approach. They should be able to combine MITRE ATT&CK tactics and techniques with behavior-based searches, layering tactics, techniques and procedures on top of analytics to understand what is normal versus abnormal. For example, I’ve seen one federal agency review all after-hours anomalous activity, even when a user had only one anomalous event. Being able to easily filter and search across all activity like this should be built into a SIEM solution. It becomes critical when analysts are threat hunting with ad hoc questions like “show all users that logged into a server for the first time” (as in Figure 2 above) or “find every user with a risk score greater than 20.”
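To make Requirements #1 and #2 concrete, here is an added example (not Exabeam code, and not how its engine is implemented) of the mechanics both paragraphs describe: a per-user host baseline learned from a training window, two behavioral rules that add points to a risk score, a static failed-logon rule for contrast, and the two ad hoc hunts quoted above expressed as filters over the scored events. The log lines, the rule point values, the baseline cutoff and the 20-point threshold are all constructed assumptions for illustration.

```python
"""Toy UEBA-style baselining and risk scoring over constructed authentication logs."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real agency data): timestamp, user, host, outcome.
# The first week is the learning window; 2020-12-08 is the day under evaluation.
SAMPLE_LOG = """\
2020-12-01T09:12:00 jdoe FS01 success
2020-12-01T09:30:00 jdoe FS01 success
2020-12-02T10:05:00 jdoe APP02 success
2020-12-02T10:15:00 rkoch DB01 success
2020-12-03T08:50:00 jdoe FS01 success
2020-12-03T09:20:00 rkoch DB01 success
2020-12-04T09:00:00 jdoe APP02 success
2020-12-05T13:00:00 rkoch DB01 success
2020-12-08T02:15:00 jdoe DB01 success
2020-12-08T02:40:00 jdoe DC01 success
2020-12-08T09:05:00 rkoch DB01 success
"""

BASELINE_END = datetime(2020, 12, 6)  # assumed: events before this train the baseline
FAILED_LOGON_THRESHOLD = 5            # the kind of static rule a legacy SIEM ships with
ALERT_THRESHOLD = 20                  # assumed per-user risk score that pages an analyst
# Assumed point values per behavioural rule; the page does not give real values.
POINTS = {"first-host-for-user": 15, "after-hours-logon": 10}


def parse(log_text):
    """Turn the whitespace-separated lines into dicts carrying a datetime."""
    events = []
    for line in log_text.splitlines():
        ts, user, host, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "outcome": outcome})
    return sorted(events, key=lambda e: e["ts"])


def static_failed_logon_rule(events, threshold=FAILED_LOGON_THRESHOLD):
    """Static correlation rule: N failed logons by one user.

    Lateral movement with valid stolen credentials produces only successes,
    so this rule returns nothing for the sample data.
    """
    failures = defaultdict(int)
    for e in events:
        if e["outcome"] == "failure":
            failures[e["user"]] += 1
    return sorted(u for u, n in failures.items() if n >= threshold)


def build_baseline(events, cutoff=BASELINE_END):
    """Per-user set of hosts seen during the learning window ("normal" for that user)."""
    hosts_by_user = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff and e["outcome"] == "success":
            hosts_by_user[e["user"]].add(e["host"])
    return hosts_by_user


def score_events(events, baseline, cutoff=BASELINE_END):
    """Tag each post-cutoff event with the behavioural rules it trips and the points added."""
    seen = {u: set(hosts) for u, hosts in baseline.items()}
    scored = []
    for e in events:
        if e["ts"] < cutoff or e["outcome"] != "success":
            continue
        tags = []
        known = seen.setdefault(e["user"], set())
        if e["host"] not in known:
            tags.append("first-host-for-user")
            known.add(e["host"])  # only the first access to a host is anomalous
        if not 6 <= e["ts"].hour < 20:  # assumed business hours 06:00-20:00
            tags.append("after-hours-logon")
        scored.append({**e, "tags": tags, "points": sum(POINTS[t] for t in tags)})
    return scored


def user_risk_scores(scored):
    """Accumulated risk per user over the evaluation window."""
    totals = defaultdict(int)
    for e in scored:
        totals[e["user"]] += e["points"]
    return dict(totals)


# The two ad hoc hunts quoted in the text, as filters over the scored timeline.
def users_with_first_time_logon(scored):
    return sorted({e["user"] for e in scored if "first-host-for-user" in e["tags"]})


def users_above_risk(scored, threshold=ALERT_THRESHOLD):
    return sorted(u for u, s in user_risk_scores(scored).items() if s > threshold)


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    scored = score_events(events, build_baseline(events))
    print("static rule hits:", static_failed_logon_rule(events))
    for e in scored:
        print(e["ts"], e["user"], e["host"], e["tags"], e["points"])
    print("first-time logons:", users_with_first_time_logon(scored))
    print("risk > 20:", users_above_risk(scored))
```

On the sample data the static rule fires on nothing, while jdoe's two after-hours first-time logons to DB01 and DC01 accumulate 50 points and show up in both hunts. One caveat worth checking in any real deployment: a baseline learns from whatever it sees, so activity by an attacker who was already inside during the learning window becomes "normal" for that account. Review what a baseline was trained on before trusting a low score.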

Requirement #3: Data, context, and user/asset risk score is stitched into a user timeline and correlated across all systems

Figure 3: The user authenticated to the VPN with credential ‘55134’ and that account is mapped to ‘rkoch’.

Modern SIEMs need to be a single source of truth, and they also need to “stitch” together information from multiple log sources. With the massive amount of data federal agencies collect, it’s common for security teams to have to query multiple databases and tools to pull together the information needed to investigate an incident properly. The example I like to bring up is that some log sources in federal organizations don’t carry a familiar identifier such as a Microsoft Windows user ID; a VPN may log only a credential number, as in Figure 3, and security teams then have to log into another system to correlate that identifier with a user across log sources. A solution that stitches everything, including user identity, into a single user timeline gives analysts a complete view of a potential threat and saves a great deal of investigation time.
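The stitching step in Figure 3, as an added example that is not Exabeam code: a VPN log that names the user only by a credential number, a Windows logon log that names the user by account name, and a directory mapping that ties the two together are merged into one chronological timeline per user. The log formats, hostnames, IP addresses and the credential-to-user mapping are constructed for illustration; an unmapped credential is included to show that identifiers which cannot be resolved should be surfaced rather than silently dropped.

```python
"""Stitching one user timeline out of log sources that identify the user differently."""
from datetime import datetime

# Source 1 (constructed): a VPN that logs only a numeric credential ID, never a username.
VPN_LOG = """\
2020-12-08T02:02:11 vpn01 session=open cred=55134 src=203.0.113.17
2020-12-08T02:50:44 vpn01 session=close cred=55134 src=203.0.113.17
2020-12-08T03:30:00 vpn01 session=open cred=99999 src=192.0.2.5
2020-12-08T08:58:03 vpn01 session=open cred=55201 src=198.51.100.9
"""

# Source 2 (constructed): Windows 4624 logons keyed by account name.
WINDOWS_LOG = """\
2020-12-08T02:15:00 DB01 4624 rkoch LogonType=3
2020-12-08T02:40:00 DC01 4624 rkoch LogonType=3
2020-12-08T09:05:00 DB01 4624 jsmith LogonType=3
"""

# Source 3 (constructed): the directory export that relates the two identifiers.
# This is the lookup the text says analysts otherwise perform in a separate system.
CRED_TO_USER = {"55134": "rkoch", "55201": "jsmith"}


def parse_vpn(text):
    events = []
    for line in text.splitlines():
        ts, host, rest = line.split(maxsplit=2)
        kv = dict(part.split("=", 1) for part in rest.split())
        events.append({"ts": datetime.fromisoformat(ts), "source": "vpn", "host": host,
                       "raw_identity": kv["cred"], "detail": kv})
    return events


def parse_windows(text):
    events = []
    for line in text.splitlines():
        ts, host, event_id, user, logon_type = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "source": "windows", "host": host,
                       "raw_identity": user,
                       "detail": {"event_id": event_id, "logon_type": logon_type}})
    return events


def resolve(events, cred_to_user):
    """Attach a canonical username to every event; VPN events go through the mapping."""
    for e in events:
        if e["source"] == "vpn":
            e["user"] = cred_to_user.get(e["raw_identity"])  # None when unmapped
        else:
            e["user"] = e["raw_identity"]
    return events


def build_timeline(cred_to_user=CRED_TO_USER):
    """Normalise both sources, resolve identity, and order everything by time."""
    events = resolve(parse_vpn(VPN_LOG) + parse_windows(WINDOWS_LOG), cred_to_user)
    return sorted(events, key=lambda e: e["ts"])


def timeline_for(timeline, user):
    return [e for e in timeline if e["user"] == user]


def unresolved(timeline):
    """Identifiers that could not be tied to a person; these need a mapping source, not silence."""
    return sorted(f'{e["source"]}:{e["raw_identity"]}' for e in timeline if e["user"] is None)


def vpn_src_at(timeline, user, iso_ts):
    """Source IP of the VPN session the user had open at iso_ts, or None.

    This is the stitched context: a Windows logon on its own has no VPN source
    address, but the user's timeline does.
    """
    ts = datetime.fromisoformat(iso_ts)
    src = None
    for e in timeline_for(timeline, user):
        if e["source"] != "vpn" or e["ts"] > ts:
            continue
        src = e["detail"]["src"] if e["detail"]["session"] == "open" else None
    return src


if __name__ == "__main__":
    tl = build_timeline()
    for e in timeline_for(tl, "rkoch"):
        extra = f' (VPN src {vpn_src_at(tl, "rkoch", e["ts"].isoformat())})' \
            if e["source"] == "windows" else ""
        print(e["ts"], e["source"], e["host"], e["raw_identity"], extra)
    print("unresolved identifiers:", unresolved(tl))
```

For rkoch the merged timeline reads VPN open from 203.0.113.17, logon to DB01, logon to DC01, VPN close, and each Windows logon can be annotated with the VPN source address active at that moment. The credential 99999 appears in the unresolved list because nothing maps it to a person; in practice that gap is itself a finding, since an identifier nobody can attribute is exactly where a compromised or orphaned credential hides.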

I work with many government agencies looking to take the manual, time-consuming processes out of their threat hunting so analysts can spend more time on threats. As these agencies evaluate solutions and tools, I work with them to figure out how machine learning and artificial intelligence within modern solutions like Exabeam can fit in with their security training, processes, and existing tools to help keep their network and data secure within budget and resource constraints.
