“Cybersecurity visibility” seems to be the watchword of contemporary cybersecurity. And that’s great; what company doesn’t need to see more into their environment to catch more threats? However, more is not always better.

At Fortra’s Alert Logic, we craft our solutions around providing the right type of visibility, cutting out the excess, and delivering only what you need to succeed. And visibility is a critical component of the work done by our global security operations center (SOC). Josh Davies, Principal Technical Product Marketing Manager, and Bradley Cameron, Senior Customer Technical Engineer, tackle the topic of what it takes to produce the best cybersecurity visibility into an environment, and how Alert Logic makes that happen.

How Does Cybersecurity Visibility Underpin Detection & Response Solutions?

Detection and response solutions are only as effective as the data they are built on. We need to ensure we have the right data to trigger an investigation or to provide context to one that is already under way, and the ability to move quickly without being impeded by useless alerts or buried under billions of irrelevant logs. Here’s how we do it.

Determining What Stays & What Goes

When we come into a deployment, we check for a few things:

1. What data sources do they have that produce logs

Scope the entire environment to identify all assets, APIs and tooling we need to connect to the platform for log collection.

2. What logs they need to collect

Which of the logs from the identified data sources are needed, and how can we collect them? We work with the customer to identify the appropriate method of collection, using a combination of API integrations, agents, and remote log collectors.

3. What we need to add in

This is the scenario where “more is more.” We’re not talking about collecting additional logs but making sure the logs we already collect record the right activity. This is an ongoing challenge, because it requires changes to logging configurations that are not enabled by default. A good example is the time we spend proactively reviewing our customers’ Windows logging to ensure it has the visibility needed to catch ransomware attacks. Without this enhanced level of logging, an attack could be missed or be much harder to identify. We need this data to recognize ransomware attack sequences before they reach the point of encryption or exfiltration.

There are four main categories of logs that help us get a better view into potential ransomware activity in your environment. Following are these logs and our public guidance on how to configure them.

Windows command line parameter logs

By default, the arguments passed to a newly created process are not included in the Windows process creation event (Event ID 4688), so you see only the executable name. The following configuration fixes this: Enable Windows Command Line Parameter Logging

Windows PowerShell script block logs

By default, the content of PowerShell scripts is not logged to Windows event logs, except where the entire script is passed as a one-liner on the command line. To change this, use this configuration: Enable Windows PowerShell Logging

Windows object access logs

Because logging every file read, modification, deletion, and creation can be extremely noisy, Windows doesn’t log this activity by default. Note that enabling the audit policy alone produces nothing: each file or folder you want to watch also needs a system access control list (SACL) entry, so scope it to the data that matters. The following configuration will enable this: Enable Windows Object Access Logging

Windows user account events

These logs allow us to identify password attacks by showing the number and outcome of authentication attempts, as well as other events such as the creation or deletion of users and attempts to change or reset passwords. To enable this, you can use the following configuration: Enable Windows User Account Events Logging
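The four configurations above, applied to a single Windows host as an added example (this is not Alert Logic’s own configuration guidance, and the linked documents remain the authoritative steps). It assumes an elevated PowerShell session on Windows Server or Windows 10/11; in a domain, put the same settings in a GPO under Advanced Audit Policy Configuration and the PowerShell administrative templates, because domain policy will override local auditpol changes. The audited folder path is an assumed example.

```powershell
#Requires -RunAsAdministrator
# Added example: turns on the four Windows log sources discussed above and
# reads back the result. Local settings only; use a GPO in a domain.

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Command line parameter logging: audit process creation (Event ID 4688)
#    and include the full command line in the event.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
Set-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
             'ProcessCreationIncludeCmdLine_Enabled' 1

# 2. PowerShell script block logging (Event ID 4104 in
#    Microsoft-Windows-PowerShell/Operational), plus module logging for all
#    modules so pipeline activity is recorded too (Event ID 4103).
Set-RegDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
             'EnableScriptBlockLogging' 1
Set-RegDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' `
             'EnableModuleLogging' 1
$mods = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames'
if (-not (Test-Path $mods)) { New-Item -Path $mods -Force | Out-Null }
New-ItemProperty -Path $mods -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# 3. Object access logging. The audit subcategory alone produces nothing:
#    each folder to watch also needs a SACL. Only write/delete/permission
#    changes are audited here, which is what ransomware activity looks like;
#    auditing reads would be far noisier.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
$target = 'C:\Shares\Finance'   # assumed example path, not from the original article
if (Test-Path $target) {
    $acl  = Get-Acl -Path $target -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $target -AclObject $acl
}

# 4. User account events: account creation/deletion and password changes
#    (4720, 4726, 4723, 4724), logon failures and lockouts (4625, 4740), and
#    NTLM credential validation (4776) for password attack detection.
$accountSubs = 'User Account Management', 'Logon', 'Account Lockout', 'Credential Validation'
foreach ($sub in $accountSubs) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Verify: show the effective policy for each subcategory touched above, then
# read the newest process creation events and print their command lines.
foreach ($sub in @('Process Creation', 'File System') + $accountSubs) {
    auditpol /get /subcategory:"$sub"
}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        ($x.Event.EventData.Data | Where-Object Name -eq 'CommandLine').'#text'
    }
```

Run it once, then start a process with arguments (for example `cmd.exe /c whoami /all`) and re-run the final Get-WinEvent query: the command line should now appear in the 4688 event. If it does not, check that no domain GPO is overriding the local audit policy with `auditpol /get /category:*`.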

4. What we can leave out

This is one of the most important steps. Is more data better? “There’s a law of diminishing returns to a certain extent,” said Cameron. “Some logs can send us so much information that it doesn’t have any value whatsoever. It’s just about finding the balance between high-security value and a good level of log collection, so not too much or too little.”

As Davies corroborated, “We go after the high-value logs first, the ones we can deliver immediate value on, the ones on which you are most likely to detect the compromise.” After all, it’s unrealistic and costly to collect data from every log source, and doing so will ultimately sink your ship as you get mired in useless logs, making it harder to pick out security insights from the noise. You need to pick and choose.

What can be left out? “WAF or Virtual Private Cloud (VPC) flow logs can literally log every connection,” noted Cameron. “That could be billions and billions worth, rendering them useless. Again, we have to consider: Is it worth ingesting for what we’re seeing?” The answer in most cases is no, because we have network traffic inspection which gives us deeper visibility into network connections and allows us to be selective about only capturing connections that may hold security significance.

Using Security Expertise to Identify When ‘More is Less’

You might say, “But we need those VPC flow logs to give us vital information regarding threats in the cloud.” One of the ways we achieve optimum visibility is through our IDS platform, which offers that same level of insight and much more, without the overwhelming data deluge.

“VPC flow logs are almost like NetFlow logs, providing details like the connections made, how many times they were made, and maybe the packet size. But that’s about as far as it goes,” said Davies.

Our IDS agent, on the other hand, goes a step further. Once it is installed on Windows or Linux, it forwards all the traffic to the IDS, which has hundreds of thousands of signatures. The IDS checks the traffic against those signatures and, on a match, creates an event that is sent back to us. This means we only capture connections that have security relevance. Then, if certain parameters are met, an incident is raised in the customer’s environment. Keep in mind, we’re here to help you manage your IDS solution and maximize the cybersecurity visibility you can gain from our tools; we go further in depth on that in the next section.

Here’s the difference: VPC flow logs cover Layers 3 and 4 of a connection, so detection technologies that rely on them are largely limited to matching source and destination addresses against lists of malicious IPs. Alert Logic’s IDS extends to Layer 7, providing not only the information about which connections are being made across the network (as VPC flow logs do) but also the content and context of those connections.

“This allows us to make a much more value-based assessment of whether something is a threat or not, rather than relying only on the IP addresses — which, as we know, are not always strong indicators of malicious activity,” noted Davies.

We’re in it for the Long Haul

Finally, part of our dedication to visibility through our solutions is manifested by our commitment to staying with our customers throughout the lifetime of the product, ensuring they get the best use.

This has several advantages:

  • We can ensure everything is configured properly and in a way that keeps visibility from slipping, so that configuration drift is addressed before it leaves detection and response with “half the puzzle pieces.”
  • We can help adjust as new servers and services get added. With technologies being brought into an environment on a regular basis, it helps to have a team that is “on the ball” and two steps ahead where visibility is concerned. As Cameron stated, “It’s about having that continuous conversation about making sure that we’re covering as much as they have and as they’re expanding, we’re sort of expanding with them.”
  • We conduct tuning exercises on behalf of, or together with, the customer. When we see opportunities for improvement, we combine our security expertise with the customer’s IT and business context to limit noise and false positive alerts, while avoiding reckless over-tuning, which reduces noise at the expense of missing actual attacks and quietly creates false negatives.

Get Optimized Cybersecurity Visibility with Alert Logic

As technologies expand, organizations must engage in a constant battle against IT drift, avalanches of logs, and the tendency to just “work harder” to get through it all. This leads to swift cybersecurity burnout, and it’s time the industry knew there is a better way. Fortra’s Alert Logic cuts through the unnecessary and puts critical visibility at the forefront of its detection and response strategies.

Additional Resources:

Schedule a Live Demo of Alert Logic

Visibility in Detection & Response | On-Demand Webinar

Visibility Is Key for Effective Cybersecurity | Solution Brief

24/7 Security Monitoring Services | Alert Logic

About the Author
Katrina Thompson
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.
