Escaping Dante’s SOC Inferno: Fraud and the Truth About Normal
A framework-based approach — guest starring… the CIS top 20 Controls!
So if you’ve just joined us, this is the second post in a series of nine. If you happen to be a stickler for order you can check out the first post (which includes some Dante-related preamble): here. If you’re a returning reader to the series, welcome back — we’ve totally saved your favorite table. This next installment on your journey out of the SOC inferno covers the eighth circle of hell — Fraud. But before we talk about fraud, let’s discuss normal, whatever that is…
If you take a look at InfoSec today, you will find it is anything but “normal”. We’re a hodgepodge of misfits, hackers, button-downs and alternative types. We are of every race, color, creed, gender, national origin, and sexual orientation. And we are beautiful, more capable because of it. But, sadly, we are all stuck in the same hell, constantly one step, one keystroke, behind our adversaries (and, sigh, auditors).
So, while there is no need for InfoSec to “normalize” itself (get a haircut and fly right) our security operation centers (SOCs) do desperately need to understand what normal looks like — at least from a security perspective — if we are to know when bad things are happening to our hardware, software, and with our people and the data that they’re responsible for. That is, of course, if we want to escape the hell that we are in today, where threats are still getting through because we are only focusing on a subset of known bad across a subset of known assets and software.
Knowing what our normal networks, operating systems and devices look like on a day-to-day basis is critical to understanding our security posture and risks. Without this baseline knowledge, instead of flying right, we are flying blind. Every alert must be investigated. And every vulnerability is a threat. How many times do we find ourselves fighting the wrong fires in front of us, while the real inferno burns against our backs?
So let’s think about our typical SOC analyst like a bank teller looking at a hundred-dollar bill. It’s the first bill she’s seen today, but certainly will not be the last. She sees many of them every day and has been trained to recognize fakes.
There are certain characteristics of a hundred-dollar bill that make it look and feel authentic to her, and when those anti-counterfeiting elements are not present something immediately looks or feels wrong.
She is not trained to spot anomalies in counterfeits; she is trained to learn “normal” so she can do this as counterfeit techniques change over time, without having to retool herself every time counterfeiters change their techniques.
In contrast, let’s consider a non-U.S. national who is looking at a hundred-dollar bill for the very first time. They would likely have a very difficult time telling if it is a counterfeit or a legitimate piece of United States currency. They simply wouldn’t have enough experience handling the foreign bill to know what normal should look and feel like. They don’t know what is normal.
This analogy holds true for our environments.
There is a saying in the industry that “you can’t protect what you don’t know exists”. This has never been more true than in this age of shadow IT and cloud-based services. The old days of on-premises users, data and devices are long gone and not likely to return anytime soon — if ever. In fact, just last week, Microsoft announced that some of their employees can now work from home permanently.
So, whether we’re a global company with 150,000 employees, like Microsoft, or a start-up with only a dozen folks on staff, it’s never too late (nor too early) for us to start down the path of InfoSec maturity.
This is a fine moment to talk about the Center for Internet Security (CIS) Top 20 Controls. The first six controls, known as Implementation Group 1 (IG1), focus on the inventory of hardware and software assets, vulnerability management, administrative privileges, secure hardware and software configuration and audit logs — these are the basics of any solid IT security operations (ITSecOps) unit or managed security services provider (MSSP). And if you’re already a whiz at knowing what they are, do stay with us for the ride as we’ve got some thoughts around how they can help you.
Can these controls really help us escape Dante’s SOC Inferno? Will they help us gain visibility and manageability for our organizations in hopes of understanding our normal — or lack thereof? And is a lack of controls impacting our ability to do our jobs in the SOC? Three resounding yeses!
Let’s take a closer look at each of the controls within IG1 for a better understanding.
CIS top 20 Controls #1 & #2 — inventory and control of hardware and software assets
Actively manage (inventory, track, and correct) all [software and] hardware devices on the network so that only authorized [software and] devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access [or that unauthorized and unmanaged software is found and prevented from installation or execution].
Above I have concatenated the descriptions of Controls #1 and #2 because they are nearly identical to each other, varying only in the hardware versus software verbiage. The gist of both controls is that we must inventory, track and correct the hardware and software deployed within the environment. Without a timely and accurate inventory of our devices and software, how can we expect to know which vulnerabilities are applicable, where exploits may exist, and what updates need to be deployed? Establishing a continuous hardware and software inventory will also help us to identify configuration drift (addressed by, and aiding, Control #5).
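To make the “inventory, track and correct” loop concrete, here is a small reconciliation script, added as an illustration for this post (it is not code from the original article, from CIS or from Exabeam). It compares a constructed authorized device list and approved software list against a constructed collector export of what was actually seen on the wire, and reports the four findings a SOC would want: unmanaged devices, unapproved software on managed devices, managed devices missing the endpoint agent, and inventory entries that never showed up. The feed format, the `edr-agent` requirement and all MAC addresses and host names are assumptions for the demonstration.

```python
"""Reconcile an authorized hardware/software inventory against what is
actually observed on the network (CIS Controls #1 and #2).

Added example, not code from the original post, from CIS, or from Exabeam.
Every record below is constructed sample data; the required-agent rule and
the observation feed format are assumptions for the demonstration."""
import csv
from dataclasses import dataclass
from io import StringIO

# Assumption: every managed device must run the endpoint agent.
REQUIRED_AGENT = "edr-agent"

# Constructed authorized hardware inventory, keyed by MAC address.
AUTHORIZED_DEVICES = {
    "aa:bb:cc:00:00:01": {"host": "fin-laptop-01", "owner": "finance"},
    "aa:bb:cc:00:00:02": {"host": "eng-ws-07", "owner": "engineering"},
    "aa:bb:cc:00:00:03": {"host": "hr-laptop-02", "owner": "hr"},
}

# Constructed approved software list (the Control #2 allow list).
APPROVED_SOFTWARE = {"chrome", "office", "edr-agent", "vpn-client"}

# Constructed observation feed, as a DHCP/ARP collector might export it:
# one CSV row per device with a ';'-separated list of installed software.
OBSERVATIONS = """\
source,mac,host,software
dhcp,AA:BB:CC:00:00:01,fin-laptop-01,chrome;office
dhcp,aa:bb:cc:00:00:02,eng-ws-07,chrome;edr-agent;torrent-client
arp,aa:bb:cc:00:00:09,unknown-iot,
"""


@dataclass
class Reconciliation:
    unauthorized_devices: list   # seen on the wire, not in the inventory
    unapproved_software: dict    # mac -> software outside the approved list
    missing_agent: list          # managed devices without the required agent
    not_seen: list               # inventoried devices that never showed up


def parse_observations(text):
    """Parse the collector export into (mac, host, software set) tuples.

    MAC addresses and software names are lower-cased so that case differences
    between collectors do not produce false findings."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        software = {s.strip().lower() for s in row["software"].split(";") if s.strip()}
        rows.append((row["mac"].lower(), row["host"], software))
    return rows


def reconcile(authorized, approved_software, observations):
    """Compare observed devices and software with the authorized inventory."""
    seen = set()
    unauthorized, unapproved, missing = [], {}, []
    for mac, _host, software in observations:
        seen.add(mac)
        if mac not in authorized:
            unauthorized.append(mac)      # Control #1: unmanaged device
            continue
        extra = sorted(software - approved_software)
        if extra:
            unapproved[mac] = extra       # Control #2: unauthorized software
        if REQUIRED_AGENT not in software:
            missing.append(mac)           # "managed" on paper only
    not_seen = sorted(set(authorized) - seen)   # stale or offline inventory entries
    return Reconciliation(sorted(unauthorized), unapproved, sorted(missing), not_seen)


if __name__ == "__main__":
    result = reconcile(AUTHORIZED_DEVICES, APPROVED_SOFTWARE,
                       parse_observations(OBSERVATIONS))
    for name, value in vars(result).items():
        print(f"{name}: {value}")
```

The `not_seen` list is the part teams most often skip: an inventory entry that never appears in any feed is either a decommissioned asset that should be removed or a device that is hiding from your collectors, and either way it is a gap in your picture of normal.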
You may be looking at this and thinking: well, surely this is IT’s responsibility. I’m a security practitioner; I don’t have control over this control, yet without it being properly implemented (and BTW, it’s actually not the easiest to achieve), it impacts my ability to do my job. But here’s the thing: silos are bad, m’kay, so if you think being better aligned with IT is an opportunity for improvement in your organization, then help push for this change. #OneTeam and all — it’s in your organization’s and your SOC’s best interests.
CIS top 20 Controls #3 — continuous vulnerability management
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
Control #3 is all about consuming data feeds that tell us which software updates and patches are available, and that provide security advisories and threat intelligence (including industry and geolocation attack data).
But all the data in the world is useless without taking action based upon it. Any vulnerability management solution selected should allow for easily pivoting from vulnerability assessment to remediation with as little time and manual effort as possible. And again, being well aligned with your friends over in IT is going to really help get this done — plus a decent vulnerability management (VM) tool can help with Controls #1 and #2 — everyone wins!
CIS top 20 Controls #4 — controlled use of administrative privileges
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
As with Controls #1 and #2, you cannot secure what you cannot control. As we have seen in ransomware attacks in recent years, the widespread use of administrative accounts can lead to compromised systems quite quickly. These admin accounts can be misused to further escalate privileges, allow for pivoting to other more valuable systems and eventually lead to data breaches. Currently available identity and access management (IAM) solutions can help organizations quickly identify and roll back administrative privileges where they are not needed, or even supply admin access only for a specific task or period of time, referred to as just-in-time (JIT) access.
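What JIT access looks like in practice is easier to see in code than in prose, so here is a small model of it, added for this post (not code from the original article, from CIS, or from any IAM product). A grant must reference the task it is for, cannot exceed a policy ceiling, and is revoked automatically when it lapses; a separate check lists accounts that still hold standing admin rights with no live grant behind them, which are the rollback candidates the paragraph above mentions. The two-hour ceiling, the directory snapshot, the user names and the ticket references are all constructed assumptions.

```python
"""Just-in-time (JIT) administrative access with expiring, task-bound grants,
plus a check for standing admin rights that should be rolled back (CIS Control #4).

Added example, not from the original post or from any IAM product; the policy
limit, account records and ticket references are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    user: str
    target: str          # host or application the grant applies to
    ticket: str          # change/incident reference that justifies it
    start: datetime
    expires: datetime


class JitAdmin:
    """Issues time-boxed admin grants and revokes them when they lapse."""

    def __init__(self, max_duration=timedelta(hours=2)):
        self.max_duration = max_duration   # assumption: policy ceiling per grant
        self.grants = []
        self.audit = []                    # audit trail for the SOC to ingest

    def request(self, user, target, ticket, now, duration):
        if not ticket:
            raise ValueError("a grant must reference the task it is for")
        if duration > self.max_duration:
            raise ValueError(f"{duration} exceeds the {self.max_duration} policy maximum")
        grant = Grant(user, target, ticket, now, now + duration)
        self.grants.append(grant)
        self.audit.append(f"GRANT {user}@{target} ticket={ticket} "
                          f"until={grant.expires.isoformat()}")
        return grant

    def is_admin(self, user, target, now):
        """True only while a live grant covers this user and target."""
        return any(g.user == user and g.target == target and g.start <= now < g.expires
                   for g in self.grants)

    def expire(self, now):
        """Drop lapsed grants, log each revocation, return how many were revoked."""
        live = [g for g in self.grants if g.expires > now]
        for g in self.grants:
            if g.expires <= now:
                self.audit.append(f"REVOKE {g.user}@{g.target} ticket={g.ticket}")
        revoked = len(self.grants) - len(live)
        self.grants = live
        return revoked


def standing_admins(directory, jit, now):
    """Accounts holding permanent admin membership with no live JIT grant.

    `directory` is a constructed list of {user, target, permanent_admin} records."""
    return sorted(
        f"{acct['user']}@{acct['target']}"
        for acct in directory
        if acct["permanent_admin"] and not jit.is_admin(acct["user"], acct["target"], now)
    )


# Constructed directory snapshot: two users with standing local admin rights.
DIRECTORY = [
    {"user": "alice", "target": "fin-srv-01", "permanent_admin": True},
    {"user": "bob", "target": "eng-ws-07", "permanent_admin": True},
    {"user": "carol", "target": "eng-ws-07", "permanent_admin": False},
]


def policy_rejects_long_grant(hours=3):
    """True if a request above the policy ceiling is refused."""
    try:
        JitAdmin().request("dave", "eng-ws-07", "CHG-0001",
                           datetime(2020, 1, 1, tzinfo=timezone.utc), timedelta(hours=hours))
    except ValueError:
        return True
    return False


def demo():
    """Walk one grant through its lifecycle; returns the facts a test can check."""
    jit = JitAdmin()
    t0 = datetime(2020, 10, 20, 9, 0, tzinfo=timezone.utc)
    jit.request("carol", "eng-ws-07", "CHG-1234", t0, timedelta(minutes=30))
    during = jit.is_admin("carol", "eng-ws-07", t0 + timedelta(minutes=10))
    revoked = jit.expire(t0 + timedelta(minutes=31))
    after = jit.is_admin("carol", "eng-ws-07", t0 + timedelta(minutes=31))
    return {"during": during, "after": after, "revoked": revoked,
            "standing": standing_admins(DIRECTORY, jit, t0),
            "audit": jit.audit}


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

Note that the grant and revoke events go into an audit trail: JIT access only helps the SOC if the issuing system tells you who had admin on what, when, and why, which is the bridge to Control #6 below.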
CIS top 20 Controls #5 — secure configuration for hardware and software on mobile devices, laptops, workstations and servers
Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
The secure configuration of endpoint devices can make all the difference between an infrastructure breach, which is inevitable, and a data breach, which is preventable. Dwell time is often the difference between the two. By implementing the first four CIS Controls and deploying secure device configurations while monitoring for compliance drift, we’re able to detect departure from the norm. But, without first having a security baseline to know when systems are out of compliance, we are once again flying blind. However, CIS provides free Benchmark PDF guides to “propagate their worldwide use and adoption as user-originated, de facto standards” and to aid organizations like ours with deploying secure configurations.
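Monitoring for compliance drift needs exactly two things: a baseline and a way to diff live configuration against it. The script below, added for this post (not code from the original article, from CIS or from Exabeam), does that over constructed per-host exports. The baseline keys and values are placeholders in the spirit of a hardening benchmark, not actual CIS Benchmark recommendations, and the host names and exports are made up; a missing setting is reported as drift rather than silently passed, since a collector that could not read a value tells you nothing about compliance.

```python
"""Detect configuration drift from a secure baseline (CIS Control #5).

Added example, not from the original post, CIS or Exabeam. The baseline keys
and values are constructed placeholders in the spirit of a hardening benchmark,
not actual CIS Benchmark recommendations, and the host exports are made up."""
from dataclasses import dataclass
from typing import Optional

# Constructed baseline: setting -> required value.
BASELINE = {
    "ssh.password_authentication": "no",
    "ssh.permit_root_login": "no",
    "firewall.enabled": "yes",
    "audit.enabled": "yes",
    "screen_lock.timeout_seconds": "900",
}

# Constructed per-host exports in key=value form, as a config collector might emit.
HOST_EXPORTS = {
    "web-01": """\
ssh.password_authentication=no
ssh.permit_root_login=yes
firewall.enabled=yes
audit.enabled=yes
screen_lock.timeout_seconds=900
""",
    "db-02": """\
ssh.password_authentication=no
ssh.permit_root_login=no
firewall.enabled=yes
screen_lock.timeout_seconds=3600
# audit.enabled deliberately absent: the collector could not read it
""",
}


@dataclass(frozen=True)
class Drift:
    host: str
    setting: str
    expected: str
    actual: Optional[str]   # None when the setting is missing from the export


def parse_export(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().lower()
    return settings


def drift_for_host(host, baseline, settings):
    """Every baseline setting whose value is absent or differs on this host."""
    return [Drift(host, key, expected, settings.get(key))
            for key, expected in baseline.items()
            if settings.get(key) != expected]


def drift_report(baseline, exports):
    """host -> list of drift findings, for every host in the export set."""
    return {host: drift_for_host(host, baseline, parse_export(text))
            for host, text in exports.items()}


def compliance_pct(baseline, settings):
    """Share of baseline settings this host satisfies, as a percentage."""
    ok = sum(1 for key, value in baseline.items() if settings.get(key) == value)
    return round(100 * ok / len(baseline), 1)


if __name__ == "__main__":
    for host, findings in drift_report(BASELINE, HOST_EXPORTS).items():
        score = compliance_pct(BASELINE, parse_export(HOST_EXPORTS[host]))
        print(f"{host}: {score}% compliant")
        for f in findings:
            print(f"  {f.setting}: expected {f.expected!r}, found {f.actual!r}")
```

Run on a schedule and fed into the SIEM, the per-host drift list is the “departure from the norm” signal the paragraph above describes: a setting that was compliant yesterday and is not today is worth an analyst’s attention regardless of whether any vulnerability scanner has flagged the host.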
CIS top 20 Controls #6 — maintenance, monitoring, and analysis of audit logs
Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
Just as we require the use of the other CIS security controls that we’ve discussed thus far, the collection, management and analysis of audit logs and security-related events is critical to our layered defense. Through mature tools, coupled with open and paid threat intelligence data feeds, we can detect attackers much sooner, shut down known bad actors, reduce the mean time to detect (MTTD) and mean time to respond (MTTR) (oooh — there’s another Dante’s SOC Inferno blog in the works around metrics — mark your cards!), and improve our overall security posture.
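This is where the bank teller analogy from the top of the post and Control #6 meet: once audit logs are collected, the cheapest detection you can build is to learn each user’s normal from a quiet window and then flag departures from it. The script below is an added example for this post (not code from the original article, from CIS, or from Exabeam’s product). The syslog-like authentication line format, the users, hosts and timestamps are all constructed; it builds a per-user profile of source hosts and logon hours from a baseline window, then scores new events for unknown users, new source hosts, off-hours logons and bursts of failures.

```python
"""Learn what 'normal' looks like from audit logs, then flag departures
(the baseline idea from the start of the post, applied to CIS Control #6).

Added example, not from the original post or Exabeam's product. The log
format is a constructed syslog-like line, and all events are made up."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed line format:
#   <ISO timestamp> auth: user=<u> src=<host> result=<success|failure>
LINE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed learning window: the routine logons that define each user's normal.
BASELINE_LOGS = """\
2020-10-05T09:02:11 auth: user=alice src=ws-alice result=success
2020-10-05T14:31:40 auth: user=alice src=ws-alice result=success
2020-10-06T09:15:03 auth: user=alice src=ws-alice result=success
2020-10-06T10:40:22 auth: user=alice src=ws-alice result=success
2020-10-05T08:05:00 auth: user=bob src=ws-bob result=success
2020-10-06T17:45:10 auth: user=bob src=ws-bob result=success
2020-10-06T08:20:33 auth: user=bob src=ws-bob result=success
"""

# Constructed new events to score against that baseline.
NEW_LOGS = """\
2020-10-12T10:05:00 auth: user=alice src=ws-alice result=success
2020-10-12T10:07:30 auth: user=alice src=srv-files result=success
2020-10-12T03:14:00 auth: user=bob src=ws-bob result=success
2020-10-12T03:15:01 auth: user=bob src=10.0.0.99 result=failure
2020-10-12T03:15:02 auth: user=bob src=10.0.0.99 result=failure
2020-10-12T03:15:03 auth: user=bob src=10.0.0.99 result=failure
2020-10-12T11:00:00 auth: user=carol src=ws-carol result=success
this line is not an auth event and is ignored
"""


def parse(text):
    """Yield parsed events; lines that do not match the format are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            yield e


def build_baseline(events):
    """Per user: the source hosts and hours of day seen on successful logons."""
    profiles = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for e in events:
        if e["result"] == "success":
            profiles[e["user"]]["srcs"].add(e["src"])
            profiles[e["user"]]["hours"].add(e["ts"].hour)
    return dict(profiles)


def score(baseline, events, failure_threshold=3):
    """Return (user, reason, detail) alerts for events that depart from normal."""
    alerts = []
    failures = Counter()
    for e in events:
        user, src = e["user"], e["src"]
        profile = baseline.get(user)
        if profile is None:
            alerts.append((user, "unknown-user", src))   # no normal to compare with
            continue
        if e["result"] == "failure":
            failures[(user, src)] += 1
            if failures[(user, src)] == failure_threshold:   # alert once per burst
                alerts.append((user, "failure-burst", src))
            continue
        if src not in profile["srcs"]:
            alerts.append((user, "new-source", src))
        if e["ts"].hour not in profile["hours"]:
            alerts.append((user, "off-hours", f"{e['ts'].hour:02d}:00"))
    return alerts


def run():
    """Build the baseline from the learning window and score the new events."""
    return score(build_baseline(parse(BASELINE_LOGS)), parse(NEW_LOGS))


if __name__ == "__main__":
    for user, reason, detail in run():
        print(f"{user:<6} {reason:<14} {detail}")
```

Two things to notice. The rules never mention a specific attack: like the teller, the detector only knows what normal looks like, so it keeps working as techniques change. And the “unknown-user” alert is really an inventory finding in disguise; if the baseline is built from a complete identity inventory, an account with no profile is itself the anomaly.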
Yes, these are the basics, but without these foundations in place — including the relationships needed with IT — security analysts are going to struggle. By implementing each of the six CIS Top 20 IG1 Controls above, along with the necessary tools to perform each of them, it is possible for organizations of all types and sizes to escape from Dante’s SOC Inferno by improving visibility, maintaining manageability and developing a more mature security posture overall.
Additionally, by ensuring we have visibility into normal we are much better prepared to spot anomalies faster, investigate more accurately, and focus on extinguishing the real fires that cause the most risk to our environments. At Exabeam, we’re here to help you do exactly this, and we’d love to show you how.
Hell doesn’t have to be your normal.
Interested in learning more about how Exabeam helps SOC teams understand what’s both normal and abnormal? Check out this video to see our technology in action.