Creating the Ideal Cybersecurity Plan

When it comes to creating your company’s cybersecurity plan, the focus tends to be on perimeter security products. These generally include unified threat management systems and email gateways, endpoint detection and protection products, identity and access management and privileged access management products, and security awareness training systems. These products are easy to evaluate and demonstrate when it comes to proving a quantifiable return on investment.

These products and solutions are essential in creating a solid infrastructure, but there are some critical components missing when only focusing on the perimeter.

Is log management in your cybersecurity blueprint?

If we use the analogy of a house, these traditional cybersecurity products are like your kitchen, your bathroom, or your bedrooms. They are easy to see and easy to attach a value to, but it’s what you can’t see on the surface that really impacts the value, safety, and longevity of a home. If your foundation, wiring, plumbing, and electrical systems are compromised, you will have BIG (and very expensive) problems. What happens if every time you plug an appliance into the wall, it blows a fuse? Or if every time you turn on your air conditioning, your entire electrical system shuts down? Each of these events has the potential to compromise the safety of your home, damage the infrastructure, or lead to very costly fixes.

In cybersecurity, the equivalents of those events – plugging in a cord or turning on an appliance – are inserting a USB stick, clicking on a file, or logging into a device. One event can turn into a costly compliance fine or even invite intruders into your system; and in both analogies, letting in strangers is a worst-case scenario.

Event data is your foundation.

So how do you protect your house?

Imagine if one of those events in your home led to the power shutting off. The easiest way to fix the problem is to narrow down where it originated and then head over to your circuit breaker…

(back to cybersecurity)

The central tool that collects all of your logged events and manages the data is a centralized log management system – we call ours Snare Central.

A centralized event logging tool does not “prevent” a cybersecurity breach or attack. It can, however, provide several key features that ensure your security posture is robust.

A SIEM or ELM is essential, and required, technology for any organization that must comply with regulations such as PCI DSS, HIPAA, NERC/FERC and ISO 27001. Any organization also needs a centralized logging tool to bolster its security.

Collecting all event data from all devices within your organization, together with data from security systems such as mobile device management, endpoint management, and firewalls, enables an organization to baseline normal activity. The Snare Central dashboard (see below) provides a visual representation of activity, so if a spike occurs, you can drill down into the activity to spot nefarious behaviour or holes in the foundation of your organization.

In the event of a breach, one of the first tasks is an in-depth review of all the log files to pinpoint when and where the initial breach took place – did an end-user open an email and launch malware, or attach a USB stick to their desktop and copy data? If you are only collecting from servers and security devices, you may miss an important event in your investigation.
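As an added illustration (not Snare code or Snare Central output), the following Python builds an hourly per-host baseline from constructed log lines and flags the one hour that breaks the pattern, then drills into it. The host names, event fields and the threshold values are assumptions made for the example. Run over the file server alone, the USB-copy burst on the workstation never appears; run over every host, it surfaces immediately.

```python
"""Baseline event volume per host and flag the hour that breaks the pattern.

Added example, not Snare code. Every log line below is constructed for the
demonstration; hosts, event fields and thresholds are assumptions.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in a simple "<ISO time> <host> <event_type> <key=value ...>" shape.
SAMPLE_LOG = """\
2024-03-04T09:03:10 fileserver01 logon user=alice result=success
2024-03-04T09:15:42 fileserver01 file_read path=/finance/q1.xlsx user=alice
2024-03-04T10:02:01 fileserver01 logon user=bob result=success
2024-03-04T11:07:19 fileserver01 file_read path=/finance/q1.xlsx user=bob
2024-03-04T09:05:00 wkst-bob logon user=bob result=success
2024-03-04T10:12:33 wkst-bob process_start image=outlook.exe user=bob
2024-03-04T11:01:05 wkst-bob process_start image=excel.exe user=bob
2024-03-04T12:00:07 wkst-bob process_start image=winword.exe user=bob
2024-03-04T13:30:00 wkst-bob usb_attached device=removable-disk user=bob
2024-03-04T13:30:15 wkst-bob file_copy src=/finance/q1.xlsx dst=E:/q1.xlsx user=bob
2024-03-04T13:30:16 wkst-bob file_copy src=/finance/notes.docx dst=E:/notes.docx user=bob
2024-03-04T13:30:17 wkst-bob file_copy src=/finance/budget.xlsx dst=E:/budget.xlsx user=bob
2024-03-04T13:30:18 wkst-bob file_copy src=/finance/forecast.xlsx dst=E:/forecast.xlsx user=bob
2024-03-04T13:30:19 wkst-bob file_copy src=/finance/payroll.xlsx dst=E:/payroll.xlsx user=bob
2024-03-04T13:30:20 wkst-bob file_copy src=/finance/vendors.xlsx dst=E:/vendors.xlsx user=bob
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse(lines):
    """Yield (hour_bucket, host, event_type); malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, host, event_type = m.group(1), m.group(2), m.group(3)
        when = datetime.fromisoformat(stamp)
        yield when.replace(minute=0, second=0, microsecond=0), host, event_type


def hourly_counts(lines, hosts=None):
    """Count events per host per hour; `hosts` limits the collection scope."""
    counts = defaultdict(Counter)
    for hour, host, _ in parse(lines):
        if hosts is None or host in hosts:
            counts[host][hour] += 1
    return counts


def detect_spikes(lines, hosts=None, k=3.0, min_delta=3, min_baseline=3):
    """Leave-one-out baseline: an hour is a spike if its count exceeds the mean
    of the host's other hours by k standard deviations, or by at least
    `min_delta` events when those hours are too uniform to have any spread."""
    spikes = []
    for host, buckets in hourly_counts(lines, hosts).items():
        for hour, count in sorted(buckets.items()):
            others = [c for h, c in buckets.items() if h != hour]
            if len(others) < min_baseline:
                continue  # not enough history for this host to judge
            threshold = statistics.mean(others) + max(k * statistics.stdev(others), min_delta)
            if count > threshold:
                spikes.append((host, hour.isoformat(), count, round(threshold, 2)))
    return spikes


def drill_down(lines, host, hour_iso):
    """What happened in the flagged hour: event types and their counts."""
    target = datetime.fromisoformat(hour_iso)
    return Counter(e for h, hst, e in parse(lines) if hst == host and h == target)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("servers only:", detect_spikes(lines, hosts={"fileserver01"}))
    print("all hosts:   ", detect_spikes(lines))
    for host, hour, _, _ in detect_spikes(lines):
        print(host, hour, dict(drill_down(lines, host, hour)))
```

The `min_delta` floor matters in practice: a quiet workstation has a standard deviation of zero, and a pure mean-plus-k-sigma rule would then flag every second event as a spike.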

Also, retaining this information is essential.

Going back to the home analogy, if you ever want to sell your home, most buyers will want to know what repairs were done to its critical aspects – updated wiring, plumbing repairs, and, yes, patches to the foundation.

For the security team, the ability to review historical data helps address potential problems going forward.

Centralized event logging is not new and it is not sexy, but it should be part of the foundation of your organization’s security framework.

 

Talk to our team about adding or upgrading your log management solution

Want to learn more about how Snare’s suite of log management and collection solutions can help your company? Reach out to us here.

 

Cyber security risks: What do you tell the board?

Cyber security is a risk that needs to be managed like every other risk. So how does the executive team inform the board on the risks and how they are being managed? What actions does the board need to take to be responsible for cyber risk?

Your company board performs quite a few different functions, but often the starting point is governance. The board and its members are constantly asking the question, “Are we doing all the things that we need to be doing to protect the business and the shareholders?” Their focus is on ensuring the RETURN of shareholder capital before the RETURNS on shareholder capital. Of course, this oversight is multifaceted, and often one of the areas of least expertise at board level is cyber security.

Under the Australian Corporations Act one of the board’s primary responsibilities is to act “in good faith in the best interests of the corporation (Section 181.1)” – ensuring the ongoing sustainability of the business.

As a result, the starting point for quite a few IT and cyber security questions from the board is compliance: “What compliance mandates am I required to address, and how do I address them in the most efficient way?” We all know that ‘compliant with regulation’ does not necessarily mean secure, any more than meeting a building code means quality construction techniques have been employed.

So what do you do to mitigate cyber security risks and protect shareholders?

Compliance, Regulatory Risk & Business Impact

Risks can be quantified in the following ways:

  • Fines for non-compliance
  • Inability to trade while non-compliant
  • Reputation and brand damage due to breaches
  • Actual physical inability to access systems due to ransomware, etc. – that means business comes to a halt
  • Payment of ransoms to regain access to encrypted systems (hopefully!)
  • Cost of restoring systems and databases that have been destroyed by malware
  • Loss of IP and trade secrets through corporate espionage or the actions of nation-state-backed cyber criminals

Compliance is not security – but it’s at least a good starting place for boards who do not yet fully understand the broad scope of cyber risks. Most compliance regulations mandate a number of technical security controls that are foundational to your cyber security posture. Even if you don’t really understand the controls, this is a sensible start in ensuring that at least basic controls are active, being monitored, and reported on to ensure visibility and accountability.

Data Security

To add complexity, many compliance mandates (like GDPR) mean that you need to understand what data you are storing, where you are storing it, what’s important, and who has access to it, in an ongoing and real-time manner. When the board has to ask “Who did it?”, the executive will need IT to have access to forensic log data that proves who had access to the data, what they took or changed, and how they gained access.

Malicious Attacks

How do we mitigate or defend from an attack that our perimeter security can’t detect or stop? How do we know if our important files have been deleted, edited or changed? How do we know if user accounts accessed data they should not have had access to or their access privileges were increased without approvals?

Monitoring of systems and system events is critical in detecting “zero day” attacks for which perimeter defenses (like anti-virus or firewalls) do not yet have a solution. We have seen many companies turn to a security expert like an MSSP to help detect threats only after an initial breach has hurt the business. As a board you must ensure that your service provider can complement your internal compliance and security teams.

Breach Notification & Financial Penalties

To make things even more complex, there are also a number of legislative requirements that mandate formal disclosure of data breaches. This means that you actually need to be monitoring the databases and the access to important data – all the while ensuring that only approved staff inside your business can see the underlying data while they are monitoring the systems.

There are many studies (the Ponemon study, for example) that quantify data breach costs, but on top of this there are often fines that apply directly for not maintaining compliance or for failing to notify of a breach. In Australia the fines for failure to notify are significant – up to $420,000 for individuals and up to $2.1M for corporations. These penalties apply to businesses with a turnover as low as $3M – that’s right down to SMB.

Bottom line – it’s not just big business that needs to have a plan!

Some organizations like the US Department of Health & Human Services even maintain a “Wall of Shame” for breach reports. Fines of up to $1.5M can apply for data breaches.

What happened? Is it bad? What do we do next?

And so we come to the question that the executive leaders will be asked by the board. What happened? Is it bad? What do we do next?

It’s at this point that a good executive will have all of the forensic data on hand to be able to inform the board (and any regulators) what data has been accessed, how and when it happened, and which accounts accessed the data.

This is critical in remediating the vulnerability and ensuring that any holes are plugged, and that additional controls are put in place.

Many vendor solutions will claim to be a panacea for all your cyber and compliance ills, but realistically you will need to evaluate potential solutions carefully. In our experience, one area of huge value is the ease with which a monitoring solution can be set up, installed, and managed without hiring additional, expensive cyber system administrators. Ideally, you need a simple installation, a security policy that can be applied easily across multiple devices (sometimes tens of thousands of devices) and networks, automated reporting, and alerting that helps eliminate “false positives”.

(Ask us how Snare can help with this)

Visibility and Accountability

In the end, the board needs to hold itself accountable for understanding the risks and ensuring they are managed.

This means a variety of actions:

  • Gain an understanding of cyber risks and mitigating strategies
  • Understand your compliance requirements and monitor compliance over time – not just at a point in time like a security or compliance audit
  • Understand the security controls and monitoring that are in place, and ensure regular reporting back to the board on potential issues and threats
  • Ensure end-to-end accountability for cyber risk, both at the executive level and across the organization
  • Ensure communications plans are in place to manage the multiple stakeholders in an emergency, including staff, customers, partners, shareholders, regulators and any others.

Ultimately, the security risk must be balanced with the commercial risk and cost as no-one has unlimited funds to throw at these problems. Finding an efficient and affordable approach is also important.

Snare can help: we provide substantial monitoring and reporting for many compliance regulations, as well as intelligent reporting and alerting to help detect potential compromise of systems.

Resources

Australian Data Breach regulations

https://www.oaic.gov.au/privacy/notifiable-data-breaches/

IBM/Ponemon Cost of Data Breach study

https://www.ibm.com/au-en/security/data-breach

AU Govt statement on Cyber Attacks

https://www.pm.gov.au/media/statement-malicious-cyber-activity-against-australian-networks

DHHS HIPAA Breach report (wall of shame)

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Unified threat management firewalls, endpoint protection, and email gateways are all designed to protect the network from outside threats. Security awareness training is designed to educate employees about how to spot threats and become instrumental in defending against threats.

The issue at hand is that no matter what security defenses are in place, corporations still need to follow a zero-trust mentality to safeguard customers, employees, and proprietary information. One of the hardest threats to protect against is the threat from inside the corporation. For the most part, this is not part of a malicious plan, but the result of human error or of a third-party breach.

On the other hand, employees can be duped via social engineering or phishing; even experts within the security industry have fallen victim to this. Hopefully, when this occurs, the employee reaches out to the IT team to let them know that they provided their credentials to a fake website or that they clicked on a link they should not have. But what happens if one of your employees’ credentials has already been part of a previous breach?

In the last couple of weeks, there have been numerous reports of stolen information being offered for sale on the dark web, and either you or your co-workers could be among those affected. If you’re concerned, you can check whether your credentials were disclosed by going to haveibeenpwned.com. You may find the results surprising, and maybe even a little scary.

The other potential weakness is the mass migration to working from home due to COVID-19. Organizations implemented collaboration and meeting tools rapidly, and employees had to use their existing home internet connection, which may not have a robust firewall and is often a shared (family) connection.

Reviewing the log files from your employee’s desktops and laptops is critical; they are the breadcrumbs of activity and can be essential in determining if there is an active threat on your system.

A threat actor can gain entry to your network using a username and password and then try to gain privileged access to the more sensitive information on your network, such as financials, customer list, or proprietary and patented information to sell for profit.

Snare Central is one of the few systems that can provide early alerting for unusual activity by a user, or for a user attempting to escalate their privileges, with little configuration. The bonus is that the event logs are transmitted in real time, ensuring that threat actors cannot cover their tracks.

Integrating Snare Central with your SIEM/UEBA will provide a robust monitoring system to safeguard your organization from an insider threat.
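As an added example (not Snare Central’s detection logic or configuration), here is the shape of the two alerts described above, written in Python over constructed directory events: additions to a privileged group are checked against an approval list and for self-escalation, and a cleared audit log is itself raised as a high-severity alert, which is only possible because the earlier records were already forwarded off the host. The group names, account names, hosts and the approval list are all assumptions made for the example.

```python
"""Alert on privilege escalation and on attempts to cover tracks.

Added example, not Snare Central's detection logic. Events, accounts, groups
and the approval list are constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime

# Groups whose membership changes always deserve review (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Backup Operators"}


@dataclass(frozen=True)
class Event:
    time: datetime
    host: str
    actor: str            # account that performed the action
    action: str           # logon | group_add | group_remove | audit_log_cleared
    target: str = ""      # account affected by a group change
    group: str = ""


# Constructed directory/security events, already forwarded off the hosts.
SAMPLE_EVENTS = [
    Event(datetime(2024, 3, 4, 9, 0), "dc01", "admin.jane", "group_add", "svc_backup", "Backup Operators"),
    Event(datetime(2024, 3, 4, 9, 5), "dc01", "svc_backup", "logon"),
    Event(datetime(2024, 3, 4, 22, 47), "dc01", "bob", "group_add", "bob", "Domain Admins"),
    Event(datetime(2024, 3, 4, 22, 49), "dc01", "bob", "group_add", "contractor7", "Remote Desktop Users"),
    Event(datetime(2024, 3, 4, 22, 52), "dc01", "bob", "audit_log_cleared"),
]

# (target, group) grants with a change record behind them (assumed to come from ticketing).
APPROVED_GRANTS = {("svc_backup", "Backup Operators")}


def escalation_alerts(events, approved=APPROVED_GRANTS, privileged=PRIVILEGED_GROUPS):
    """Return one alert dict per event worth a human's attention, in time order."""
    alerts = []
    for e in sorted(events, key=lambda ev: ev.time):
        if e.action == "audit_log_cleared":
            # The local log is gone, but every record forwarded before this point survives.
            alerts.append({
                "time": e.time.isoformat(), "host": e.host, "actor": e.actor,
                "severity": "high",
                "reasons": ["audit log cleared; earlier forwarded records remain intact"],
            })
            continue
        if e.action != "group_add" or e.group not in privileged:
            continue  # non-privileged group changes are kept in the log, not alerted
        reasons = []
        if e.actor == e.target:
            reasons.append("self-escalation")
        if (e.target, e.group) not in approved:
            reasons.append("no approval on record")
        alerts.append({
            "time": e.time.isoformat(), "host": e.host, "actor": e.actor,
            "target": e.target, "group": e.group,
            "severity": "high" if reasons else "info",
            "reasons": reasons or ["approved privileged grant"],
        })
    return alerts


if __name__ == "__main__":
    for a in escalation_alerts(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["time"], a["actor"], "->", a.get("target", ""), a["reasons"])
```

Approved grants still produce an informational record rather than nothing, so the board-level question “who was given admin rights this quarter, and was it approved?” can be answered from the alert history alone.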

The year 2020 has been a tough time for many and will be remembered for a long while, given a global pandemic the like of which we have not seen in over 100 years. The impacts of COVID-19 will be talked about for many years to come.

Given the nature of the modern world and how interconnected we all are, the bad guys waste no time in coming up with new and innovative ideas on how to scam people or cause havoc in their personal lives, as well as finding new ways to extort money from individuals and businesses. The COVID-19 pandemic is just another vehicle they use to attack everyone for some form of gain. There have been hundreds of phishing attempts and ransomware attacks trying to gain access to people’s and businesses’ systems.

US-CERT put out an announcement on 5 May 2020 (https://www.us-cert.gov/ncas/alerts/AA20126A) that details some of the new APT threats to the healthcare and essential services industries. All industries need to keep a heightened awareness of what is going on in their environments. Obviously, any cyber incident in the healthcare industry would severely impact the critical care it provides to the populations of the world during this pandemic. Many of the systems used for critical care run on Windows-based platforms, which can be susceptible to malware and ransomware attacks. Some regions saw these impacts not long ago, when large numbers of systems and services had to be shut down.

The CERT advisory has many good recommendations and mitigations that all businesses need to review, checking that they are doing enough in these areas. They are worth reading for everyone:

A number of other mitigations that can be of use in defending against the campaigns detailed in this CERT advisory are as follows:

While most of this is good cyber hygiene, it may highlight some weaknesses in the corporate environment that need to be addressed. In particular, Snare are specialists in security monitoring capabilities. We often see organisations that only collect logs from a small subset of systems; often some server infrastructure is not even monitored. As many know, the end user is often the weakest link in the corporate network, and their systems are not monitored at all. Users can receive emails and attachments from various sources and click on things they should not. While security awareness campaigns, anti-malware protection and other technical controls help, unexpected things happen that let the bad guys in. Anti-malware protection and technical controls are not infallible, and threats get through.

Healthcare systems like MRI scanners, ultrasound, respirators etc. are often running older operating systems that are not fully patched, and they won’t allow anti-malware tools to be loaded because the vendors won’t warrant the system if anything on it changes, as that could impact its performance or operation. Then there are the business and finance systems, which are also connected to the corporate networks and can be vulnerable. In years long past this may have been an acceptable risk, but now, with everything connected to the corporate network, worms, ransomware and other APT threats propagate easily. Many healthcare systems have been impacted by this. Upgrading this technology is expensive compared to IT systems, but so is the mass disabling of those systems by an incident, and the impact is much larger when people’s lives are at stake. APTs often gain access and sit quietly for months or years before they activate and quietly trickle information out of the business.

At Snare we have many technologies to help customers make sure they can monitor as much of their environment as possible. Having the forensic data to investigate any incident, or any APT that is trying to gain or has gained access to the business systems, is a critical part of incident management and response. We need to know:

  • how they got in – via networks, VPN, system remote access, web server, database, application exploit, lost user ID and password information, etc.
  • what they did – did they just read data, change it, or exfiltrate and steal intellectual property (IP); what commands did they run, etc.
  • when they did it – what was the sequence of events and actions they performed, and how did they pivot from system to system to get to the target. This also means having accurate time, using NTP from a trusted source on all systems.
  • the why – often this is financial, like ransomware that encrypts your systems and then ransoms you for money; if it’s for stealing your IP then it is espionage related, if you are a research company, which is often financial in a way as they think it’s easier to steal than to invent on their own.

Businesses in the healthcare industry may also have HIPAA and other regulatory requirements, depending on whether they operate in the USA or other parts of the world. For more information refer to https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html. In general, the technical security requirements the controls need to cover are:

  • Access Controls
  • Audit Controls
  • Integrity Controls
  • Transmission Security

So Snare agents and Snare Central are core components of our solution to help with the forensic collection of audit log data from servers, databases, desktops and other syslog devices like firewalls, routers and switches, and then keep that data in Snare Central for long-term storage, reporting and analysis. Access to the data is secured and kept away from the system that generated it. The integrity of the data is monitored and reported on if it changes, and the transmission of the audit log data is protected with encryption. We can collect all the core operational security events and other application data for all systems in an enterprise.

Having this data collected and stored away from the systems that generate the events is critical in managing the cyber operations of a business. By collecting the log data in near real time there is less opportunity for the bad guys to delete all the activity they performed on the system. Once they fully compromise the system via some exploit or zero-day vulnerability they can do whatever they like, but if the data was collected up until the point they broke the system, it gives the security teams evidence of what happened and how they got access. Snare Central allows the customer to store the logs for as long as they need, and they can grow the system at any time to use more disk as needed, with no additional cost.
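The integrity property described above (a stored record is reported if it changes, and records already collected survive a later compromise of the source host) can be illustrated with a hash-chained store, where each record’s digest also covers the digest of the record before it. This is an added Python example, not Snare Central’s storage format; the records are constructed, and keeping a copy of the chain head off the log server (the “anchor”) is an assumption about how a deployment would protect the tail of the chain.

```python
"""Tamper-evident log store: each record's digest covers the previous digest.

Added example, not Snare Central's storage format. Records are constructed.
A modified, reordered or deleted record breaks the chain from that point on;
a record silently dropped from the end is caught by comparing the head digest
against a copy kept off the log server (the "anchor").
"""
import hashlib
import json

GENESIS = "0" * 64  # digest that the first record chains to


def _digest(prev_hash, record):
    """SHA-256 over the previous digest plus a canonical JSON form of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + canonical).encode("utf-8")).hexdigest()


class ChainedLog:
    def __init__(self):
        self.entries = []  # list of (record, digest)

    def append(self, record):
        prev = self.entries[-1][1] if self.entries else GENESIS
        digest = _digest(prev, record)
        self.entries.append((record, digest))
        return digest

    def head(self):
        """Current chain head; a copy of this is what you store off-host."""
        return self.entries[-1][1] if self.entries else GENESIS

    def verify(self, anchor=None):
        """Return (True, None) if intact, else (False, index_of_first_bad_entry).
        With an anchor, a truncated chain fails at index len(entries)."""
        prev = GENESIS
        for i, (record, digest) in enumerate(self.entries):
            if _digest(prev, record) != digest:
                return False, i
            prev = digest
        if anchor is not None and prev != anchor:
            return False, len(self.entries)
        return True, None


SAMPLE_RECORDS = [  # constructed for the demonstration
    {"time": "2024-03-04T22:47:00", "host": "dc01", "user": "bob", "event": "group_add", "group": "Domain Admins"},
    {"time": "2024-03-04T22:49:00", "host": "dc01", "user": "bob", "event": "logon", "target": "fileserver01"},
    {"time": "2024-03-04T22:52:00", "host": "dc01", "user": "bob", "event": "audit_log_cleared"},
]


def build_sample_log():
    log = ChainedLog()
    for rec in SAMPLE_RECORDS:
        log.append(rec)
    return log


def tamper_record(log, index, **changes):
    """Simulate someone editing a stored record while leaving its digest alone."""
    record, digest = log.entries[index]
    log.entries[index] = (dict(record, **changes), digest)


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log.head()
    print("intact:", log.verify(anchor))
    tamper_record(log, 0, user="alice")
    print("edited record 0:", log.verify(anchor))
    log = build_sample_log()
    log.entries.pop()  # drop the last record
    print("truncated, no anchor:", log.verify(), "with anchor:", log.verify(anchor))
```

The last case is the one to remember: without an externally held anchor, cutting records off the end of a chain is undetectable, which is why the chain head has to be copied somewhere the log server’s administrator cannot reach.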

For other aspects of monitoring user activity, Snare can track critical files and registry settings, and the Snare SQL agent monitors all MSSQL activity in a database to see which users accessed or changed any data. Besides all user activity, commands like select, insert, update and delete, and table operations like create, drop, truncate, etc., can all be tracked. We have some good white papers on how to set up FIM, FAM, RIM and RAM settings using Snare.
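File integrity monitoring in its simplest form is a hashed baseline compared against a later scan. The following is an added Python example, not the Snare agent’s FIM implementation or any setting from the white papers; it builds a small directory tree with constructed contents in a temporary folder, takes a baseline, applies three changes and reports what was added, modified and removed. Registry monitoring follows the same baseline-and-compare pattern but needs a platform-specific reader, which this example leaves out.

```python
"""File integrity monitoring: hash a baseline, rescan, report the differences.

Added example, not the Snare agent's FIM implementation. The directory tree
and its contents are constructed inside a temporary folder so it runs anywhere.
"""
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline, current):
    """Classify every path that differs between two snapshots."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo_fim():
    """Build a constructed tree, baseline it, change it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "issue").write_text("Authorised access only\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed placeholder")

        baseline = snapshot(root)

        # Changes a FIM must report: a config edit, a deleted file, a new binary.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "issue").unlink()
        (root / "bin" / "unexpected").write_bytes(b"\x7fELF constructed placeholder 2")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo_fim().items():
        print(f"{kind:9s}", ", ".join(paths) or "-")
```

Hashing rather than comparing size or modification time is what makes the config edit visible: the two `sshd_config` versions differ by one word and a file timestamp is trivial to reset, but the SHA-256 cannot be made to match.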

https://www.snaresolutions.com/products/snare-agents/

https://www.snaresolutions.com/products/snare-central/

https://www.snaresolutions.com/portfolio-item/how-snare-makes-fim-easier/

https://www.snaresolutions.com/portfolio-item/complying-with-iso-27001/

So, if your healthcare environment or research organisation has gaps in its cyber security logging posture and you want to do more to monitor your systems, please contact our friendly sales representative in your region.