As many know, the US Cyber Command issued a recent emergency directive for DNS Infrastructure Tampering.

While much of the directive relates to validating organisational DNS, password and MFA settings, one key aspect of the directive discusses the monitoring and management of authorised and unauthorised changes to the DNS environment. In order to meet this requirement, adequate logging should be in place to monitor changes to the DNS settings, and log data should include date/time information as well as information on who is making the changes. Snare can help meet this requirement in several ways.

The Snare enterprise agents can track all access and modification to the DNS settings on Windows and Unix systems.

The key aspects of the logs that can be collected are:

  • All user authentication activity. If the user logs into the system either from the local console, Active Directory, or via ssh on Unix then Snare can collect the relevant operating system audit events or kernel events to show that a specific user logged into the system. This data will include the source IP, authentication type, relevant success and failure of the attempt and the date and time stamp of the activity.
    • Microsoft has technical articles on how to configure your audit policy to generate the specific events both on legacy 2003 and newer 2008R2, 2012R2, 2016 and 2019 systems that support advanced audit policies.
    • All the events are quite detailed, and include:
      • Who made the changes,
      • What the changes were,
      • What zones were affected, and obviously
      • When these changes occurred.
  • The Microsoft custom event logs on Windows 2008R2, 2012R2, 2016 and 2019 also include DNS Server and DNS client eventlog categories. The Snare agent will collect these using the default objectives. The events collected show additional changes to the DNS records that can occur through either manual or dynamic updates associated with Active Directory DNS and zone files. A summary of the event types is:
    • 512, 513, 514, 515, 516 – ZONE_OP – these can be part of major updates and changes to the zone files.
    • 519, 520 – DYNAMIC_UPDATE
    • 536 – CACHE_OP
    • 537, 540, 541 – Configuration – these events will be the areas of main concern with system changes.
    • 556 – SERVER_OP
    • 561 – ZONE_OP
  • The Snare agent for windows will collect DNS Server logs as part of the default configuration.
  • As part of the installation process, the Windows agent can be told to manage the configuration of the Windows audit subsystem, to ensure that it generates the relevant administrative events. Alternatively, the Snare for Windows agent can be configured to be subservient to manually configured local policy or group policy settings. It should be noted that unless the associated audit subsystem is appropriately configured, events may not be delivered to the Snare for Windows agent for processing.
  • For Unix systems the DNS files are usually flat text files. The Snare Linux agent can use two approaches to monitor the files:
    • File watches: The agent can be configured to watch for any and all changes to specific files related to DNS configuration settings, and will raise kernel audit events on access or modification, including details of who accessed/changed the file and the date/time information associated with the event. On Linux systems, configuration files related to bind, dnsmasq or other DNS server tools may be monitored.
    • The default administrative Objectives for the Linux agent track all user logins, administrative activity and privileged commands. File watches are also configured for changes to the /etc directory, which hosts system-level configuration files for the operating system.
  • File Integrity Monitoring – The Snare Linux agent can also perform sha512 checksum operations on system configuration files, such as DNS configuration files, in order to watch for changes. This will track all new files, changes to files, and deletion of files and directories being monitored. These events don't show who made the change, but will track the actual changes and permission changes to files. The FIM monitoring can be run on a configurable schedule (eg: once per hour or once per day) depending on the level of granularity wanted.
  • Once the logs have been generated, it is up to the SIEM and reporting systems to provide reports or alerts relating to the changes. Snare offers two complementary methods for this:
    • Snare Central – this can provide objective reports looking for the specific event IDs and produce a report in tabular format as well as graphs and pie charts of the activity. These can be emailed out on any schedule needed, including the PDF report, CSV and text output as required.
    • Snare Advanced Analytics – this provides a view of changes that occur in the system and updates the dashboard in near real time as the logs are being collected.
  • As part of normal operations, all changes should be validated as approved activity as per your normal operating procedures, and anything that is not approved would be escalated as an incident for investigation.
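The following is an added example, not Snare's or Microsoft's code, that turns two of the bullets above into a runnable check: it buckets Windows DNS Server audit events by the event-ID categories listed (flagging the 537, 540 and 541 configuration events for review against change approvals, with who/what/when pulled out), and it performs the sha512 baseline-and-compare that the File Integrity Monitoring bullet describes, reporting new, changed, deleted and re-permissioned files. The event field names, the sample events and the sample configuration files are constructed for this demo and are not Snare's schema.

```python
import hashlib
import os
import tempfile

# Event-ID categories as listed above for the Windows DNS Server audit log.
DNS_AUDIT_CATEGORIES = {
    "ZONE_OP": {512, 513, 514, 515, 516, 561},
    "DYNAMIC_UPDATE": {519, 520},
    "CACHE_OP": {536},
    "CONFIGURATION": {537, 540, 541},
    "SERVER_OP": {556},
}
# Server configuration changes are the ones the text singles out for attention.
HIGH_CONCERN = DNS_AUDIT_CATEGORIES["CONFIGURATION"]

# Constructed sample events; the field names are an assumption for this demo.
SAMPLE_DNS_AUDIT_EVENTS = [
    {"event_id": 515, "time": "2019-02-01T09:12:03Z", "user": "CORP\\dnsadmin",
     "zone": "corp.example", "detail": "record created: www A 198.51.100.10"},
    {"event_id": 519, "time": "2019-02-01T09:15:44Z", "user": "CORP\\WS01$",
     "zone": "corp.example", "detail": "dynamic update: ws01 A 10.0.0.15"},
    {"event_id": 541, "time": "2019-02-01T22:41:10Z", "user": "CORP\\svc_backup",
     "zone": "", "detail": "server setting changed: Forwarders"},
    {"event_id": 537, "time": "2019-02-01T22:41:12Z", "user": "CORP\\svc_backup",
     "zone": "", "detail": "forwarder list reset"},
    {"event_id": 536, "time": "2019-02-02T01:00:00Z", "user": "CORP\\dnsadmin",
     "zone": "", "detail": "cache purged"},
    {"event_id": 999, "time": "2019-02-02T01:00:05Z", "user": "CORP\\dnsadmin",
     "zone": "", "detail": "constructed unknown id"},
]


def categorize(event_id):
    """Map a DNS audit event ID to its category name, or UNKNOWN."""
    for name, ids in DNS_AUDIT_CATEGORIES.items():
        if event_id in ids:
            return name
    return "UNKNOWN"


def classify_dns_audit_events(events):
    """Return (count per category, list of (time, user, id, detail) for the
    configuration events that should be matched against approved changes)."""
    counts = {name: 0 for name in DNS_AUDIT_CATEGORIES}
    counts["UNKNOWN"] = 0
    flagged = []
    for ev in events:
        counts[categorize(ev["event_id"])] += 1
        if ev["event_id"] in HIGH_CONCERN:
            flagged.append((ev["time"], ev["user"], ev["event_id"], ev["detail"]))
    return counts, flagged


def fim_snapshot(root):
    """sha512 digest and permission bits of every file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha512(fh.read()).hexdigest()
            snap[os.path.relpath(path, root)] = (digest, os.stat(path).st_mode & 0o777)
    return snap


def fim_diff(baseline, current):
    """Compare two snapshots: new, deleted, content-changed, permission-changed."""
    common = baseline.keys() & current.keys()
    return {
        "new": sorted(current.keys() - baseline.keys()),
        "deleted": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in common if baseline[p][0] != current[p][0]),
        "permission_changed": sorted(p for p in common if baseline[p][1] != current[p][1]),
    }


def demo_fim():
    """Constructed scenario in a temp dir: baseline three config files, then
    append to the zone file, delete one file, add one file and chmod one."""
    files = {"named.conf": b"options { recursion no; };\n",
             "db.corp.example": b"@ IN SOA ns1 admin 1 3600 900 604800 86400\n",
             "dnsmasq.conf": b"domain-needed\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, 0o644)  # fixed starting mode so the chmod below is visible
        baseline = fim_snapshot(root)
        with open(os.path.join(root, "db.corp.example"), "ab") as fh:
            fh.write(b"www IN A 198.51.100.10\n")
        os.remove(os.path.join(root, "dnsmasq.conf"))
        with open(os.path.join(root, "resolv.conf"), "wb") as fh:
            fh.write(b"nameserver 198.51.100.53\n")
        os.chmod(os.path.join(root, "named.conf"), 0o600)
        return fim_diff(baseline, fim_snapshot(root))


if __name__ == "__main__":
    print(classify_dns_audit_events(SAMPLE_DNS_AUDIT_EVENTS))
    print(demo_fim())
```

As the File Integrity Monitoring bullet notes, the checksum comparison tells you what changed but not who changed it; pairing it with the kernel audit file watches (on Linux, an auditd rule such as `auditctl -w /etc/named.conf -p wa -k dns_config`) supplies the user and timestamp for the same change.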

If your organisation needs help in this area and you would like more information, please contact our friendly sales team at snaresales@prophecyinternational.com for a chat on how we can help your business achieve a more effective and efficient CISA DNS monitoring solution.

Steve Challans

Chief Information Security Officer

https://www.snaresolutions.com


How good data management applies to log collection.

I love data. I was a math geek growing up and turned my affinity for statistics into a career. Intuitively most of us know that data drives informed decision making, leading to better business outcomes. That’s only if, however, you do a good job collecting, managing, and interpreting that data. Oftentimes this doesn’t seem to be the case. Data management best practices apply to log collection, as that is essentially what it is. The caveat is that not collecting certain logs can have dire consequences. There are plenty of tools, though, that can strengthen your security posture by drastically improving the way you collect and manage your logs.

When it comes to log collection, two approaches seem to dominate the marketplace. The first one is, “Whatever we have to do to steer clear of negative consequences – particularly auditors.” These people, of course, take the Minimalist approach, collecting as little as possible to make managing the whole system as easy as possible. And who can blame them? Unless you are passionate about data management, you probably have dozens of other priorities you’d rather spend your valuable time on. There is inherently a lot of risk in this approach, as you will probably not have the information you need when the time comes. If you ride a motorcycle or know somebody who does, you may have heard the common phrase “There are two types of riders, those who have been in an accident, and those who will be in an accident.” The wisdom being that an accident is inevitable and it’s best to be prepared; motorcycles are dangerous, after all. This axiom is equally applicable to cybersecurity, because there are really only two types of business: those that have been breached, and those that will be breached. It’s one thing to pass an audit; it’s another beast entirely coping with a breach.

The other common approach I often see, when it comes to log collection, is “D. All the Above.” If you have unlimited resources, it’s an awfully attractive option. After all, why risk it? When push comes to shove, if you have all the data at your disposal, you know you have the answers in your archives somewhere. While I don’t totally take issue with this “Maximalist” approach, I think there are a lot of ways to enhance it. For starters, a small environment is generating at least 5 gigs in logs a day, which means around 125 plus logs per second, or 10.8 million logs per day. That is a lot of data, and larger environments produce thousands of times more data than that. This means more overhead, from hardware costs to SIEM costs. When you are being charged by your solution by units of data ingested into the system, ingesting everything not only costs your business unnecessarily, but for many organizations it makes their SIEM solutions prohibitively expensive. We see it every day. A medium-size enterprise goes with a market leader in Security Analytics only to see their bill go from a couple hundred thousand a year to several million. You only have to mingle at the RSA conference to hear frustration after frustration, and it doesn’t have to be this way.

There are so many ways to focus log collection, but I have three favorites:

  • Log Truncation
  • Forensic Storage
  • Tiered Analytics

Log truncation is simple enough; Snare has a whole paper on it and how it works. What has always surprised me is the reluctance to do it. Log truncation is the removal of the superfluous text in Windows event logs. Every Windows event has a string of verbose text that has no forensic value. There is no need to collect it, and it will only bog down your network and your storage. We’ve seen environments where upwards of 70% of log data was verbose text, and if cut from the log it would have saved the organization considerable cost. Generating cost on data that your analytics tool will eventually ignore is, quite simply, a waste of money.

Forensic storage is a trending topic in our industry now. Data volume is growing at an incredible rate, and we need a lot of this data to piece together what happened in the unfortunate event of a breach. The problem is that trying to detect a breach by always sifting through all that data all the time increases mean-time-to-detection (MTTD), which also increases mean-time-to-response (MTTR). That’s where forensic storage comes in. Forward all critical event logs to your security analytics platform, while keeping everything else with even a shred of forensic value on separate servers. They are there if you need them, but they aren’t driving up hardware and software costs, and more importantly, aren’t bogging down your analytics platform or your incident response team. Every study on data management you see has data scientists reporting that they spend over 70% of their time on data preparation.[1] That is wild. Highly skilled and highly paid employees, like data scientists, should not be spending up to 4/5ths of their time on menial tasks. That’s what happens when you inundate your systems with data, though. Forensic storage is an easily implemented solution that not only improves security KPIs, but saves you money as well.
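To make the truncation and forensic-storage ideas above concrete, here is an added example that is not Snare's code and not taken from its truncation paper: it strips the explanatory tail that Windows appends to many event descriptions, keeps the structured fields, and then routes each event either to the analytics platform or to a cheaper forensic tier written out as newline-delimited JSON, reporting how many bytes the truncation saved. The sample events (abbreviated 4624 and 5156 descriptions), the set of "critical" event IDs and the marker phrases are constructed assumptions for this demo, not Snare's configuration.

```python
import json

# Phrases that begin the explanatory tail found in many Windows event descriptions
# (assumed markers for this demo; a production filter would be tuned per event ID).
VERBOSE_MARKERS = (
    "This event is generated when",
    "This event is logged when",
)

# Assumption for the demo: event IDs worth sending to analytics in near real time.
CRITICAL_EVENT_IDS = {1102, 4624, 4625, 4672, 4720, 4732}


def truncate_description(description):
    """Keep the structured fields and drop everything from the first verbose
    marker onwards; descriptions with no marker are returned unchanged."""
    cut = len(description)
    for marker in VERBOSE_MARKERS:
        idx = description.find(marker)
        if idx != -1 and idx < cut:
            cut = idx
    return description[:cut].rstrip()


def route_events(events):
    """Return (analytics_batch, forensic_batch, bytes_saved). Both batches carry
    truncated descriptions; only the critical IDs go to the analytics tier."""
    analytics, forensic, saved = [], [], 0
    for ev in events:
        trimmed = truncate_description(ev["description"])
        saved += len(ev["description"].encode()) - len(trimmed.encode())
        out = dict(ev, description=trimmed)
        (analytics if ev["event_id"] in CRITICAL_EVENT_IDS else forensic).append(out)
    return analytics, forensic, saved


def to_ndjson(batch):
    """One JSON object per line, the shape a forensic store can grep or reload."""
    return "\n".join(json.dumps(ev, sort_keys=True) for ev in batch)


def savings_percent(events):
    """Share of description bytes removed by truncation across a batch."""
    total = sum(len(ev["description"].encode()) for ev in events)
    return round(100 * route_events(events)[2] / total, 1)


# Constructed sample events with abbreviated descriptions and verbose tails.
SAMPLE_EVENTS = [
    {"event_id": 4624, "host": "WS01", "description":
        "An account was successfully logged on.\n"
        "Subject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWS01$\n"
        "Logon Type:\t\t\t3\n"
        "New Logon:\n\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tCORP\n"
        "Network Information:\n\tSource Network Address:\t10.0.0.15\n\n"
        "This event is generated when a logon session is created. It is "
        "generated on the computer that was accessed. The subject fields "
        "indicate the account on the local system which requested the logon."},
    {"event_id": 5156, "host": "WS01", "description":
        "The Windows Filtering Platform has permitted a connection.\n"
        "Application Information:\n\tProcess ID:\t\t4\n"
        "Network Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t10.0.0.15\n\n"
        "This event is generated when the Windows Filtering Platform allows a "
        "connection (constructed tail for the demo)."},
]


if __name__ == "__main__":
    hot, cold, saved = route_events(SAMPLE_EVENTS)
    print(f"analytics: {len(hot)} event(s), forensic: {len(cold)} event(s), "
          f"saved {saved} bytes ({savings_percent(SAMPLE_EVENTS)}%)")
    print(to_ndjson(cold))
```

The routing decision is deliberately a plain set lookup so the policy can be audited at a glance; the thing to watch when deploying something like this is that the truncation cut never removes a structured field, which is why the cut is anchored on the explanatory phrase rather than on a fixed byte length.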

That brings us to Tiered Analytics. Tiered analytics, as the data dork that I am, is my favorite solution to data management, but it is also the most complex. While in theory companies of every size can take advantage, it gets increasingly important as your organization grows. A lot of companies do it to a degree already. When branch offices and/or individual departments have their own KPIs and dashboards while that same data is fed into executive-level dashboards at corporate, that is Tiered Analytics. This approach helps your business get insight into the data your business generates at multiple levels, with varying degrees of detail and varied perspectives.

SANS has a white paper written by Dave Shackleford that gives great examples for each tier. The dashboards and KPIs, for example, built for the C-Level executives would need to answer the following questions:

  • What is our overall risk posture?
  • What are our high-value targets?
  • What are the risks if our high-value targets are compromised?
  • What are the most cost-effective ways of reducing risks?

While IT management would need analytics to answer questions like:

  • What is really happening on the network?
  • Are any systems operating outside of policy?
  • Based on current system workloads can anything be virtualized?
  • What impact would an outage or downtime of a system have on the business?
  • Can we decommission any assets?

Then, another tier down you have various monitoring and response teams looking to answer an almost indefinite number of questions requiring a number of purpose-built dashboards and potentially custom KPIs:

  • Are website links in various emails from a known list of bad websites?
  • Are there network assets that should be monitored more frequently?
  • Are there changes to any host configuration settings or files closely tied to a website visit?
  • What is the impact on other network assets if this one is compromised?
  • Have there been any unusual examples of port and protocol usage?
  • Should we monitor some assets more frequently because of the amount of use they get?
  • Is an employee who is supposed to be on vacation logged in at the office?
  • Is there suspicious activity after a USB port was used?

These questions are obviously geared to reducing MTTD and improving incident response. Some are also aimed at understanding the impact of individual assets on the business.[2] Several questions require pulling together disparate data sources, not just logs. Workplace management software, for example, can help you identify when an employee in Barbados on vacation is also somehow at their machine in the office. STIX can help you correlate activity on the network with malicious websites and IPs. Inundating your analytics tools with superfluous data from logs only makes it that much more tedious to bring in data from the rest of your business, which is already becoming an imperative. With a tiered analytics solution, you can even pick and choose which data sources to bring in where, giving your teams easily digestible data sets to analyze and report on, increasing the efficiency of each business unit and drastically improving your security posture.

You have only to look at the most recent Verizon Data Breach Report (2018) to see how little progress we’ve made in uncovering breaches. It takes 68% of businesses months or more to uncover they’ve been breached.[3] There is so much an organization can do to improve its posture that it can be daunting to even begin. The first step is better data management: make life easier for the people living and working in all that data. The second is to prioritize and work towards more sophisticated approaches, action item by action item. Truncation is an easy first step, and forensic storage is a no-brainer. After that comes security analytics, whose architecture will vary company to company but whose implementation will be critical to improving both an organization’s security posture and the cost effectiveness of its security solutions. By improving the way we tackle today’s security challenges, we’ll be better equipped to meet tomorrow’s.


[1] Press, G. (2016, March 23). Cleaning Big Data: Most Time-consuming, Least Enjoyable Data Science Task, Survey Says. Forbes. https://www.forbes.com/sites/gilpress/2016/03/23/data-preparation-most-time-consuming-least-enjoyable-data-science-task-survey-says/#44e4090d6f63

[2] Shackleford, D. (2016, January). Using Analytics to Prevent Future Attacks and Breaches. SANS Institute. Retrieved December 18, 2018.

[3] Verizon. (2018, March). 2018 Data Breach Investigations Report. Retrieved November 27, 2018, from https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_execsummary_en_xg.pdf

The new reality for Canadian businesses

The Personal Information Protection and Electronic Documents Act or PIPEDA applies to the collection, use or disclosure of personal information by every Canadian organization in the course of a commercial activity.

The Office of the Privacy Commissioner of Canada introduced new data breach reporting requirements that came into effect on November 1, 2018. According to Commissioner Daniel Therrien, the requirement was introduced because of “the number and frequency of significant data breaches over the past few years”, and “mandatory breach reporting and notification will create an incentive for organizations to take security more seriously and bring enhanced transparency and accountability to how organizations manage personal information”.

The reporting requirement works in conjunction with the Privacy Act for the federal sector and the Personal Information Protection and Electronic Documents Act (PIPEDA) for the private sector.

This new requirement applies to all businesses within Canada and to those organizations that collect the personal information of Canadians.
With this new requirement, organizations must:

  • Report to the Privacy Commissioner’s office any breach of security safeguards where it creates a “real risk of significant harm;”
  • Notify individuals affected by a breach of security safeguards where there is a real risk of significant harm;
  • Keep records of all breaches of security safeguards that affect the personal information under their control; and
  • Keep those records for two years.

The definition of a real risk of significant harm covers humiliation, damage to reputation or relationships, and identity theft.

While the requirement refers to the reporting of a data breach, it also identifies the need to improve the security posture of every organization to ensure that the likelihood of a breach is minimized. There are numerous traditional security tools that are designed to protect our networks, such as firewalls and endpoint protection; however, given the number of breaches that have occurred, it is evident that they are not enough – organizations need to be proactive and vigilant. This requires a tool that is designed to review all activity within the organization as well as provide the ability to compare that activity day to day, such as a SIEM or analytics tool.

Where Snare Comes In

The Snare Product Suite by Prophecy has been designed to provide clear, concise and accurate reporting of all activity within your network.

Snare Agents are feature-rich, reliable, lightweight log programs that can be installed on Windows, Linux, Solaris and OSX, plus two agents for text-based logs as well as the MS SQL agent, and they send the events/activity on your devices in near-real time.

Snare Server provides for data collection and reporting in real time, providing the critical information required to monitor your organization’s network infrastructure. Additionally, it provides the ability to store and retrieve event data for historical review.

The Snare Analytics product provides organizations with a single pane of glass to review activity over time: checking that systems are patched to prevent attacks through out-of-date software, and spotting unusual activity and the escalation or improper use of admin privileges, which allows you to identify and respond to a potential breach before it escalates.

Want to find out more about how the Snare Product Suite can assist? Call today for more information, book a one-on-one demonstration or request an evaluation.

State Governments manage and must protect a wide range of citizen information from cyber security threats, including credit card records, personal health information, employment records, revenue and tax information and election systems. With much of this information available online, State Departments and Agencies are a primary target for cyber-thieves. A 2017 cybersecurity report compiled by Verizon found that public-sector entities were the third-most common breach victims, behind financial and health care organizations.

Based on the number and severity of past cyber security breaches, States are keenly aware and have or are taking action to secure their networks and databases. According to a 2018 NASCIO Report – State CIO Top Ten Policy and Technology Priorities for 2018, security and risk management is the number one priority of State CIOs. While State Governments have acknowledged the security threat, different States are addressing the threat in different ways.

The Challenges: In addition to the increase in cyber security threats, States are challenged by limited budgets and competition for information security human resources. State Executives must determine how to protect not only State-level networks and information systems, but dozens of State Agencies that they oversee. While it is not cost effective for every State Agency to separately fund and manage its own information security systems and staff, State CIOs must determine what level of security services and support they can and should provide to their State Agencies.

Steps Taken: Over the past decade, State Legislatures have created state-wide Offices of Information Technology (OIT), and mandated the staffing of Chief Information Officers (CIO), and Chief Information Security Officers (CISO). A 2018 Deloitte-NASCIO Cybersecurity Study reported that all 50 states now have a statewide CISO or equivalent. Based on information sourced from 50 State Web Sites, 23 States now offer Managed Security Services, with the majority of States providing Security Governance, Compliance Audits and InfoSec Training and Consulting. The most frequently offered Managed Security Services are:

  • Security Information & Event Management (SIEM)
  • Incident Management and Response
  • Firewall, Proxy and VPN Services
  • Intrusion Detection/Prevention (IDS/IPS)
  • Vulnerability/Pen Testing
  • Encryption/SSL/TLS/Certificates
  • Malware, Spam & Virus Filtering
  • Forensic Investigations

Alternative Business Models:

In addition to staffing State CIOs and CISOs with specific duties and responsibilities, an increasing number of States are consolidating oversight and management of State Agency IT resources under a single statewide Office of Information Technology. But there are different business implementation models offered by different States.

Education & Governance (only) Model, where State CISOs establish, oversee and facilitate statewide security management programs to ensure government information is adequately protected. Examples of responsibilities of the CISO position under state laws include:

  • creating statewide security policies and IT standards,
  • requiring information security plans and annual assessments or reporting, and
  • requiring periodic security awareness training for employees

National Associations, including: NASCIO, National Conference of State Legislatures, National Association of State Chief Information Officers, and the Multi-State Information Sharing & Analysis Center, contribute significantly by identifying information security threats and best practices.

Brokerage Models differ depending on whether they are Sole Sourced or Multi-Vendor Sourced. The Texas Department of Information Resources (DIR), for example, contracted with AT&T to provide a comprehensive suite of Managed Security Services that give state agencies, local governments, school districts and other public entities access to resources to protect systems and data. Agencies can go to the DIR portal, identify the services they need and place an order for them.

An alternative model is to source a mix of security services from multiple vendors and coordinate the provision of these services to State Agencies. A 2018 NASCIO State CIO Survey showed 4 States already function as a broker of services, 5 see themselves migrating to primarily a broker of services and 16 see themselves offering some brokered services as well as providing services directly.

Managed Security Services: A number of States offer a range of managed security services to their State Agencies, most notably: Idaho, Iowa, Kentucky, Louisiana, Missouri, New Jersey, Pennsylvania, Tennessee, Vermont, but business models vary depending on whether they have centralized info security resources, including IT infrastructure, security systems and Infosec human resources, or whether infrastructure is centralized and Infosec resources are distributed, reporting to a centralized State OIT or reporting to a specific Agency.

Security Solutions for State OITs:

State Offices of Information Technology must balance the need for information security with the availability of limited budgets and human resources, and the security software and services available from vendors that support their particular business model. Snare by Prophecy International is a Vendor Partner to State OITs – with over a decade of providing syslog collection, filtering and forwarding for Security Information & Event Management (SIEM). Snare Security Solutions address the two primary challenges faced by State OIT organizations, offering cost-effective, easy to deploy, and easy to use solutions. Snare’s Business Intelligence Platform, built on an Elastic index, combines and correlates syslog events with a host of IT (ITSM, Patch and Backup Histories) and 3rd Party (STIX Malware Threats, Firewalls, DNS, IDS/IPS) security sources for threat-hunting forensics. It includes a prebuilt KPI monitoring dashboard and a smart user interface, so users can build and share queries and reports through a multi-tenant premise or cloud platform. Offered as an op-ex subscription, Snare complements any State’s primary SIEM platform, integrating with Active Directory and supporting Single-Sign-On.

View a pre-recorded demonstration of Snare Business Intelligence Dashboard by our Chief Product Officer here. To learn how Snare leverages Splunk, QRadar or another SIEM platform, go here.