SIEM SOAR IDS

Here is how to, and who enable enterprises

                       

Overview

• Alerts
• Playbooks
• Cloud capability
• Vendors
• Backstory and VirusTotal from Google Chronicle
• Splunk
• Sample Playbooks

There are many options

NOTE: Content here are my personal opinions, and not intended to represent any employer (past or present). “PROTIP:” here highlight information I haven’t seen elsewhere on the internet because it is hard-won, little-know but significant facts based on my personal research and experience.

Security information and event management (SIEM) tools collect (ingest) logs from many applications and utilities monitoring hardware, networks, etc. It does that, in real-time, to define trends for display on an analytics dashboard displaying trends in metrics such as these:

• Rate of successful user logins

• Rate of unsuccessful user logins

• Rate users abandon transactions at various points in the process
• Rate of successful transaction completions per hour/week/month, etc.

• Rate of HTTP errors

• Actions taken by users (recommend to friend, etc.)

• Availability (uptime)
• Latency of transmissions
• Performance of transactions (impacting productivity)
• Length of user sessions - too many transaction per hour may indicate automated DDoS attacks
• Frequency of user sessions - too many transaction per hour may indicate automated DDoS attacks
  
  

Risk objects can include a specific user, a computer, or an IP address.

Sudden deviations from historical trends may indicate massive infiltration:

SIEM systems organize data to facilitate search for specific items.

Tags assigned to highlight the importance of specific technologies tracked help to organize and focus both proactive and reactive response.

Alerts

Because of the large amount of information it handles, newer SIEM tools automatically identify alerts based on the logs and trends it manages.

Examples of trigger events security pros are interested in include:

• Too many unsuccessful attempts to log in - user locked out
• Out of normal working hours
• Login using obsolete passwords
• Change in permissions enabling possible destruction of assets
• Download or upload of a suspicious file (Excel or Word file containing a macro, etc.)
• Deletion of assets
• App security feature being disabled
  
  

SIEM work with IDS (Intrusion Detection Systems) providers (such as Palo Alto, Sophos, etc.) who define signatures which indicate intrusions. Managed Detection and Response (MDR) professional services.

“SOAR” (Security orchestration, automation, and response) tools take automatic action based on information obtained from SIEM systems. Not only does this make for faster incident identification and response, this automation also frees up security analysts to handle more complex and uncommon incidents that, consequently, can’t be automated with SOAR.

Traditionally, SIEM tools are used by security professionals in a SOC (Security Operations Center) who protect organizational operations from evolving threat actor tactics and techniques.

Additionally, product managers, developers, and Quality Assurance professionals are increasingly seeking to leverage SIEM/SOAR while in development, both for troubleshooting and faster/better preparation for production operations.

Playbooks

SOAR systems make use of Playbooks – automated or manual (procedural documentation) that provides details (consistent list of actions) about each operational use case:

• response to incidents
• security alerts
• team-specific
• product-specific
  
  

Playbooks are activated by a trigger based on SIEM data found. Incidents found include:

• attempts at phishing, vishing, etc.
• Link to known threat actors
• Malware detected
• ransomware
• business email compromise (BEC),
• other attacks previously discussed
  
  

Playbooks perform actions such as

• call APIs
• contact user via email, Slack, SMS,
• Restore from backups
  
  

Playbooks should be treated as living documents that are frequently updated, as a collaborative effort. Updates are often made if:

• A failure identified, such as an oversight in the outlined policies and procedures, or in the playbook itself.
• Change in industry standards, such as changes in laws or regulatory compliance.
• Change in the cybersecurity landscape due to evolving threat actor tactics and techniques
• Change in incident notification requirements from government-imposed laws, regulations, and compliance standards
• Agreements with auditors
• etc.
  
  

The sequence of steps specified in incident and vulnerability playbooks should reflect:

1. Preparation to handle
2. Detection of incursion and data leak
3. Analysis of vectors
4. Containment of data loss (remove permissions, disconnect network)
5. Eradication of malware
6. Recovery from an incident (retore from backup)
7. Post-incident
   
   

Cloud capability

Early editions of SIEM (since the 90’s) were installed on-prem. “Enterprise” in a product name typically denote that it’s “self-hosted” – installed by customer technicians on-prem.

Most SIEM vendors have evolved to provide SaaS cloud functionality. Cloud-hosted SIEM tools are operated by vendors who are responsible for maintaining and managing the infrastructure required to use the tools. This is so their customers don’t need to maintain and upgrade their own infrastructure. Cloud computing can also offer faster route to scalability with more flexibility.

Vendors

A crowded field:

• Google Backstory, UpperCase, VirusTotal from Google Chronicle
• Microsoft Azure Sentinel - Azure log analytics with AutoIR (Investigation Response)

• AWS SIEM XDR

• AT&T Cybersecurity AlienVault Unified Security Management (USM) Appliance (Legacy)
• Blumira Automated Detection and Response
• DatadogHQ
• Devo Platform
• DNIF HYPERCLOUD
• Dynatrace
• Elastic
• Exabeam Fusion
• Graylog
• Gurucul Next-Gen SIEM
• Fortinet FortiSIEM
• Hunters SOC Platform
• IBM QRadar
• Logpoint
• Logz.io
• LogRhythm
• Logsign Unified SO Platform
• logz.io
• ManageEngine EventLog Analyzer
• NetWitness Platform XDR
• Odyssey ClearSkies Cloud SIEM
• OpenText (formerly HPE) ArcSight Enterprise Security Manager (ESM)
• Rapid7 InsightIDR
• Securonix Next-Gen
• Stellar Cyber Open XDR Platform
• SolarWinds Security Event Manager
• Splunk Enterprise and Splunk Cloud
• Sumo Logic Continuous Intelligence Platform
• Trellix Security Manager
• SNow

Backstory and VirusTotal from Google Chronicle

The products were built as a specialized layer on top of core Google infrastructure, as part of an Autonomic Security Operations solution that also includes Looker and BigQuery. The overview diagram from https://cloud.google.com/chronicle/docs/overview

Google provides VirusTotal.com for everyone to check whether a website URL was reported as malicious by various threat advisory organizations.

Backstory adds log capture and analysis to VirusTotal, and UpperCase provides threat intelligence (Known Malicious IPs and URLs).

Backstory claims to “Extract signals from your security telemetry to find threats instantly,” by combining log data with threat intelligence.

VIDEO: https://cloud.google.com/chronicle-security-operations

Chronicle SOAR for Anywhere Security Operations product includes a Python based IDE for customizations. VIDEO: Google SOAR playbooks. Previously branded “Siemplify”.

Its website at:
https://chronicle.security [Wikiwand]

“Backstory” was announced at RSA on March, 2019 by the company “Google Chronicle” which was spun off Google X, the R&D arm of Google Alphabet.

Google also acquired Mandiant in 2022.

Chronicle Technical Training on-demand course and 40-question quiz.

Google’s SOAR has a Tableau-based analytics dashboard so it can be customized.

Google has defined a UDM (Unified Data Model) which Normalization is often needed to ingest raw events from various data sources. Different logs have different time stamp formats, etc.

Normalization is performed by Parsers which injust logs.

Splunk

Previously, you were introduced to security information and event management (SIEM) tools and a few SIEM dashboards. You also learned about different threats, risks, and vulnerabilities an organization may experience. In this reading, you will learn more about SIEM dashboard data and how cybersecurity professionals use that data to identify a potential threat, risk, or vulnerability.

Splunk Splunk offers different SIEM tool options: Splunk® Enterprise and Splunk® Cloud. Both allow you to review an organization’s data on dashboards. This helps security professionals manage an organization’s internal infrastructure by collecting, searching, monitoring, and analyzing log data from multiple sources to obtain full visibility into an organization’s everyday operations.

Review the following Splunk dashboards and their purposes:

Security posture dashboard The security posture dashboard is designed for security operations centers (SOCs). It displays the last 24 hours of an organization’s notable security-related events and trends and allows security professionals to determine if security infrastructure and policies are performing as designed. Security analysts can use this dashboard to monitor and investigate potential threats in real time, such as suspicious network activity originating from a specific IP address.

Executive summary dashboard The executive summary dashboard analyzes and monitors the overall health of the organization over time. This helps security teams improve security measures that reduce risk. Security analysts might use this dashboard to provide high-level insights to stakeholders, such as generating a summary of security incidents and trends over a specific period of time.

Incident review dashboard The incident review dashboard allows analysts to identify suspicious patterns that can occur in the event of an incident. It assists by highlighting higher risk items that need immediate review by an analyst. This dashboard can be very helpful because it provides a visual timeline of the events leading up to an incident.

Risk analysis dashboard The risk analysis dashboard helps analysts identify risk for It shows changes in risk-related activity or behavior, such as a user logging in outside of normal working hours or unusually high network traffic from a specific computer. A security analyst might use this dashboard to analyze the potential impact of vulnerabilities in critical assets, which helps analysts prioritize their risk mitigation efforts.

Chronicle provides multiple dashboards that help analysts monitor an organization’s logs, create filters and alerts, and track suspicious domain names.

Review the following Chronicle dashboards and their purposes:

Enterprise insights dashboard The enterprise insights dashboard highlights recent alerts. It identifies suspicious domain names in logs, known as indicators of compromise (IOCs). Each result is labeled with a confidence score to indicate the likelihood of a threat. It also provides a severity level that indicates the significance of each threat to the organization. A security analyst might use this dashboard to monitor login or data access attempts related to a critical asset—like an application or system—from unusual locations or devices.

Data ingestion and health dashboard The data ingestion and health dashboard shows the number of event logs, log sources, and success rates of data being processed into Chronicle. A security analyst might use this dashboard to ensure that log sources are correctly configured and that logs are received without error. This helps ensure that log related issues are addressed so that the security team has access to the log data they need.

IOC matches dashboard The IOC matches dashboard indicates the top threats, risks, and vulnerabilities to the organization. Security professionals use this dashboard to observe domain names, IP addresses, and device IOCs over time in order to identify trends. This information is then used to direct the security team’s focus to the highest priority threats. For example, security analysts can use this dashboard to search for additional activity associated with an alert, such as a suspicious user login from an unusual geographic location.

Main dashboard The main dashboard displays a high-level summary of information related to the organization’s data ingestion, alerting, and event activity over time. Security professionals can use this dashboard to access a timeline of security events—such as a spike in failed login attempts— to identify threat trends across log sources, devices, IP addresses, and physical locations.

Rule detections dashboard The rule detections dashboard provides statistics related to incidents with the highest occurrences, severities, and detections over time. Security analysts can use this dashboard to access a list of all the alerts triggered by a specific detection rule, such as a rule designed to alert whenever a user opens a known malicious attachment from an email. Analysts then use those statistics to help manage recurring incidents and establish mitigation tactics to reduce an organization’s level of risk.

User sign in overview dashboard The user sign in overview dashboard provides information about user access behavior across the organization. Security analysts can use this dashboard to access a list of all user sign-in events to identify unusual user activity, such as a user signing in from multiple locations at the same time. This information is then used to help mitigate threats, risks, and vulnerabilities to user accounts and the organization’s applications.

Key takeaways SIEM tools provide dashboards that help security professionals organize and focus their security efforts. This is important because it allows analysts to reduce risk by identifying, analyzing, and remediating the highest priority items in a timely manner. Later in the program, you’ll have an opportunity to practice using various SIEM tool features and commands for search queries.

Create a cybersecurity portfolio Throughout this certificate program, you will have multiple opportunities to develop a professional cybersecurity portfolio to showcase your security skills and knowledge.

In this reading, you’ll learn what a portfolio is and why it’s important to develop a professional cybersecurity portfolio. You’ll also learn about options for creating an online or self-hosted portfolio that you can share with potential employers when you begin to look for cybersecurity jobs.

What is a portfolio, and why is it necessary? Cybersecurity professionals use portfolios to demonstrate their security education, skills, and knowledge. Professionals typically use portfolios when they apply for jobs to show potential employers that they are passionate about their work and can do the job they are applying for. Portfolios are more in depth than a resume, which is typically a one-to-two page summary of relevant education, work experience, and accomplishments. You will have the opportunity to develop a resume, and finalize your portfolio, in the last course of this program.

Options for creating your portfolio There are many ways to present a portfolio, including self-hosted and online options such as:

Documents folder

Google Drive or Dropbox

Google Sites

Git repository

Option 1: Documents folder Description: A documents folder is a folder created and saved to your computer’s hard drive. You manage the folder, subfolders, documents, and images within it.

Document folders allow you to have direct access to your documentation. Ensuring that your professional documents, images, and other information are well organized can save you a lot of time when you’re ready to apply for jobs. For example, you may want to create a main folder titled something like “Professional documents.” Then, within your main folder, you could create subfolders with titles such as:

Resume

Education

Portfolio documents

Cybersecurity tools

Programming

Setup: Document folders can be created in multiple ways, depending on the type of computer you are using. If you’re unsure about how to create a folder on your device, you can search the internet for instructional videos or documents related to the type of computer you use.

Option 2: Google Drive or Dropbox Description: Google Drive and Dropbox offer similar features that allow you to store your professional documentation on a cloud platform. Both options also have file-sharing features, so you can easily share your portfolio documents with potential employers. Any additions or changes you make to a document within that folder will be updated automatically for anyone with access to your portfolio.

Similar to a documents folder, keeping your Google Drive or Dropbox-based portfolio well organized will be helpful as you begin or progress through your career.

Setup: To learn how to upload and share files on these applications, visit the Google Drive and Dropbox websites for more information.

Option 3: Google Sites Description: Google Sites and similar website hosting options have a variety of easy-to-use features to help you present your portfolio items, including customizable layouts, responsive webpages, embedded content capabilities, and web publishing.

Responsive webpages automatically adjust their content to fit a variety of devices and screen sizes. This is helpful because potential employers can review your content using any device and your media will display just as you intend. When you’re ready, you can publish your website and receive a unique URL. You can add this link to your resume so hiring managers can easily access your work.

Setup: To learn how to create a website in Google Sites, visit the Google Sites website.

Option 4: Git repository Description: A Git repository is a folder within a project. In this instance, the project is your portfolio, and you can use your repository to store the documents, labs, and screenshots you complete during each course of the certificate program. There are several Git repository sites you can use, including:

GitLab

Bitbucket

GitHub

Each Git repository allows you to showcase your skills and knowledge in a customizable space. To create an online project portfolio on any of the repositories listed, you need to use a version of Markdown.

Setup: To learn about how to create a GitHub account and use Markdown, follow the steps outlined in the document Get started with GitHub .

Portfolio projects As previously mentioned, you will have multiple opportunities throughout the certificate program to develop items to include in your portfolio. These opportunities include:

Drafting a professional statement

Conducting a security audit

Analyzing network structure and security

Using Linux commands to manage file permissions

Applying filters to SQL queries

Identifying vulnerabilities for a small business

Documenting incidents with an incident handler’s journal

Importing and parsing a text file in a security-related scenario

Creating or revising a resume

Note: Do not include any private, copyrighted, or proprietary documents in your portfolio. Also, if you use one of the sites described in this reading, keep your site set to “private” until it is finalized.

Key takeaways Now that you’re aware of some options for creating and hosting a professional portfolio, you can consider these as you develop items for your portfolio throughout the certificate program. The more proactive you are about creating a polished portfolio, the higher your chances of impressing a potential employer and obtaining a new job opportunity in the cybersecurity profession.

Sample Playbooks

• https://www.ncsc.gov.uk/section/about-ncsc/incident-management United Kingdom, National Cyber Security Center (NCSC) - Incident Management

• https://www.ncsc.gov.uk/section/about-ncsc/incident-management Australian Government - Cyber Incident Response Plan

• https://www.jpcert.or.jp/english/vh/guidelines.html Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) - Vulnerability Handling and related guidelines

• https://www.jpcert.or.jp/english/vh/guidelines.html Government of Canada - Ransomware Playbook

• https://www.gov.scot/publications/cyber-resilience-incident-management/ Scottish Government - Playbook Templates

---