SANS ISC InfoSec Forums

Visibility Gap of Your Security Tools
I have been focusing on visibility lately, and often specifically on gaps. Visibility gaps demand the attention of every cybersecurity professional, and success often hinges on how quickly they get closed. Closing them delivers what a security team needs most: greater visibility into what is actually happening. No Artificial Intelligence or Machine Learning required, just an advanced persistent drive to close these visibility gaps!
 
I introduced this idea in a previous diary, Is Your SOC Flying Blind? This time I want to focus on your security agents. Are they working and providing their intended value? How do you know? What would it look like to have an Agent Health Dashboard that answered two fundamental questions all day long:
        Is the agent installed?
        Is the agent performing its expected role?
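One way to answer both questions on a schedule is to join the asset inventory against what the agents themselves report. The script below is an added example written for this diary, not an ISC or vendor tool: the inventory, check-in records, the 15-minute heartbeat and 24-hour telemetry thresholds and the required agent version are all constructed assumptions. "Installed" is decided by whether a host ever checked in; "performing its role" is decided by whether it is still heartbeating, has delivered real telemetry recently, and runs the expected version.

```python
"""Agent health check for the two dashboard questions: is the agent installed,
and is it doing its job? Added example, not an ISC tool. Inventory, check-in
records, thresholds and the required version are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy: agents heartbeat every 5 minutes and must deliver at least
# one real telemetry event (scan result, log batch) every 24 hours.
HEARTBEAT_MAX_AGE = timedelta(minutes=15)
TELEMETRY_MAX_AGE = timedelta(hours=24)
REQUIRED_VERSION = "4.2.1"   # assumed current agent release


@dataclass
class CheckIn:
    host: str
    last_heartbeat: datetime         # agent process is alive and reachable
    last_event: Optional[datetime]   # last useful telemetry; None = never sent any
    version: str


def agent_state(checkin, now):
    """Classify one host. Order matters: a silent agent is reported as silent
    even if it is also outdated, because silence is the bigger gap."""
    if checkin is None:
        return "NOT_INSTALLED"            # question 1: no agent has ever reported
    if now - checkin.last_heartbeat > HEARTBEAT_MAX_AGE:
        return "INSTALLED_SILENT"         # installed once, no longer talking to us
    if checkin.last_event is None or now - checkin.last_event > TELEMETRY_MAX_AGE:
        return "INSTALLED_NOT_REPORTING"  # question 2: alive but producing nothing
    if checkin.version != REQUIRED_VERSION:
        return "INSTALLED_OUTDATED"       # question 2: may lack current detections
    return "HEALTHY"


def agent_health(inventory, checkins, now):
    """Join the asset inventory against agent check-ins and classify every host."""
    by_host = {c.host: c for c in checkins}
    states = {host: agent_state(by_host.get(host), now) for host in inventory}
    for host in by_host:
        if host not in inventory:
            states[host] = "NOT_IN_INVENTORY"  # the agent knows a host the CMDB does not
    return states


def summarize(states):
    """Counts per state: the numbers a dashboard would show all day long."""
    counts = {}
    for state in states.values():
        counts[state] = counts.get(state, 0) + 1
    return counts


# Constructed sample data.
NOW = datetime(2020, 1, 25, 12, 0)
INVENTORY = {"ws01", "ws02", "srv-db01", "srv-web01"}
CHECKINS = [
    CheckIn("ws01", NOW - timedelta(minutes=3), NOW - timedelta(hours=2), "4.2.1"),
    CheckIn("ws02", NOW - timedelta(hours=2), NOW - timedelta(hours=3), "4.2.1"),      # heartbeat stale
    CheckIn("srv-db01", NOW - timedelta(minutes=4), None, "4.2.1"),                     # never sent telemetry
    CheckIn("lab-vm9", NOW - timedelta(minutes=1), NOW - timedelta(minutes=30), "3.9.0"),  # unknown to CMDB
]
# srv-web01 is in the inventory but has no check-in at all.


def demo():
    return agent_health(INVENTORY, CHECKINS, NOW)


if __name__ == "__main__":
    states = demo()
    for host in sorted(states):
        print(f"{host:12} {states[host]}")
    print(summarize(states))
```

The NOT_IN_INVENTORY state is worth keeping on the dashboard: a host the agent vendor console knows about but the CMDB does not is a gap in the inventory, which is the thing every other check depends on.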
 
I like to include practical ideas when I am the Handler. To that end, here are ideas across several diverse dimensions for you to consider. Perhaps next week you will use this as a checklist to complete, or to perform a spot check.
 
Visibility for your developers and DBAs
  Number of active sessions
  Number of runaway sessions (queries or connections that never complete or never close)
  Application performance metrics
 
Visibility for your physical security
  Camera feeds
  Badges that show a person as both inside and outside the building at the same time
 
Visibility for your networks
  Netflow volume
  Traffic volume 
  New ports and services
  Trends over time for each
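Two of the network items above, new ports and services and trends over time, can be checked from data you most likely already collect. The script below is an added example written for this diary, not an ISC tool: the scan results (host to listening port/service map) and the daily volume history are constructed, and in practice would come from your own scanner output and flow collector. New listeners are found by diffing today's scan against a saved baseline; volume is scored against the trailing week so that both a spike and a sudden drop get flagged, because a drop usually means a collector or SPAN port died rather than a quiet day.

```python
"""Network visibility checks: new ports and services against a scan baseline,
and a trend check on daily flow volume. Added example, not an ISC tool; the scan
results and volume history are constructed."""
from statistics import mean, pstdev

# Baseline and current listener inventory: host -> {(port, proto): service}.
# Constructed; in practice parsed from your own scanner output.
BASELINE = {
    "srv-web01": {(80, "tcp"): "http", (443, "tcp"): "https", (22, "tcp"): "ssh"},
    "srv-db01": {(5432, "tcp"): "postgresql", (22, "tcp"): "ssh"},
    "ws02": {(3389, "tcp"): "ms-wbt-server"},
}
CURRENT = {
    "srv-web01": {(80, "tcp"): "http", (443, "tcp"): "https", (22, "tcp"): "ssh",
                  (8080, "tcp"): "http-proxy"},                        # new listener
    "srv-db01": {(5432, "tcp"): "postgresql", (22, "tcp"): "ssh"},
    "print-7": {(9100, "tcp"): "jetdirect", (23, "tcp"): "telnet"},   # host never seen before
}
# ws02 answered nothing today: decommissioned, or does a firewall now block the scanner?

# Daily counts per metric for the last week, then today. Constructed.
HISTORY = {
    "netflow_records": [1_000_000, 1_100_000, 950_000, 1_050_000, 1_000_000, 1_020_000, 980_000],
    "bytes_out_gb": [410, 425, 398, 431, 405, 418, 412],
}
TODAY = {"netflow_records": 200_000, "bytes_out_gb": 420}


def new_services(baseline, current):
    """Listeners present now that were absent from the baseline, plus known ports
    whose service changed. Returns sorted (host, port, proto, note) tuples."""
    findings = []
    for host, listeners in current.items():
        known = baseline.get(host, {})
        for (port, proto), service in listeners.items():
            if (port, proto) not in known:
                findings.append((host, port, proto, f"new: {service}"))
            elif known[(port, proto)] != service:
                findings.append((host, port, proto, f"changed: {known[(port, proto)]} -> {service}"))
    return sorted(findings)


def missing_hosts(baseline, current):
    """Hosts in the baseline that did not answer at all: also a visibility gap."""
    return sorted(set(baseline) - set(current))


def volume_anomalies(history, today, z=3.0):
    """Score today's value against the trailing mean and population stdev.
    Both directions count: a sudden drop usually means a collector, SPAN port
    or exporter stopped, not a quiet network."""
    flagged = {}
    for metric, series in history.items():
        mu, sigma = mean(series), pstdev(series) or 1.0
        score = (today[metric] - mu) / sigma
        if abs(score) >= z:
            flagged[metric] = round(score, 1)
    return flagged


def demo():
    return {
        "new_services": new_services(BASELINE, CURRENT),
        "missing_hosts": missing_hosts(BASELINE, CURRENT),
        "anomalies": volume_anomalies(HISTORY, TODAY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run this from the same job that stores the scan, and promote today's results to the new baseline only after someone has looked at the findings; otherwise the unexpected telnet listener on the printer silently becomes "normal" tomorrow.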
 
Visibility for your Servers and Workstations
   Daily log volume
   Communication patterns
   Lateral movement detection
   Trends over time for each
   Alert when devices stop sending their logs 
   Activity performed by administrators
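"Alert when devices stop sending their logs" sounds simple until you try to pick one timeout for a firewall that logs every second and a domain controller that logs every fifteen minutes. The script below is an added example written for this diary, not an ISC tool; the collector receipt log is constructed. Rather than a fixed timeout it learns each source's typical inter-arrival gap from its own recent history (the median, so a single burst or stall does not skew it) and alerts when the current silence is more than a multiple of that gap. The 5x factor and the 5-minute default for sources with no history yet are assumed values.

```python
"""Silent log source detector: learn each source's normal cadence from its own
history and alert when the current silence is far longer than that. Added
example, not an ISC tool; the receipt log, factor and default gap are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed: one line per message received, as written by the log collector
# itself (collector receive time, not the timestamp inside the event).
RECEIPTS = """\
2020-01-25T10:00:00 source=fw01
2020-01-25T10:01:00 source=fw01
2020-01-25T10:02:00 source=fw01
2020-01-25T10:03:00 source=fw01
2020-01-25T10:04:00 source=fw01
2020-01-25T10:00:00 source=dc01
2020-01-25T10:15:00 source=dc01
2020-01-25T10:30:00 source=dc01
2020-01-25T09:50:00 source=ws07
2020-01-25T10:00:00 source=ws07
2020-01-25T10:10:00 source=ws07
2020-01-25T10:20:00 source=ws07
2020-01-25T10:30:00 source=ws07
2020-01-25T10:25:00 source=printer-3
"""
NOW = datetime(2020, 1, 25, 10, 35)


def parse_receipts(text):
    """-> {source: [datetime, ...]} with timestamps sorted per source."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src = line.split()
        seen[src.split("=", 1)[1]].append(datetime.fromisoformat(ts))
    return {src: sorted(times) for src, times in seen.items()}


def typical_gap(times, default=timedelta(minutes=5)):
    """Median inter-arrival gap for one source. A source with a single message
    has no history yet, so the assumed default is used instead."""
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return median(gaps) if gaps else default


def silent_sources(receipts, now, factor=5):
    """Sources whose silence exceeds `factor` times their typical gap.
    Returns {source: (silence_minutes, allowed_minutes)}."""
    alerts = {}
    for src, times in receipts.items():
        silence = now - times[-1]
        allowed = factor * typical_gap(times)
        if silence > allowed:
            alerts[src] = (int(silence.total_seconds() // 60),
                           int(allowed.total_seconds() // 60))
    return alerts


def demo():
    return silent_sources(parse_receipts(RECEIPTS), NOW)


if __name__ == "__main__":
    for src, (silence, allowed) in demo().items():
        print(f"ALERT {src}: silent {silence} min, allowed {allowed} min")
```

With the constructed data only fw01 fires: it had been logging every minute and has now been quiet for 31. A source that was expected but has never been received at all will not appear in the receipt log, so pair this check with an inventory-based "never seen" list.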
 
Application question: What visibility gaps exist in your environment, and what can you do next week, on purpose, to close one of them? Please leave your ideas and suggestions in the comments!
 
Russell Eubanks
I will be teaching next: Driving Cybersecurity Change - Establishing a Culture of Protect, Detect and Respond - SANS Stay Sharp: Europe 2020

Russell, ISC Handler, Jan 25th 2020
Another metric worth looking at, if DPI permits it: inbound/outbound traffic ratios for encrypted traffic (SSL/TLS/SSH). Just watching 22 and 443 is okay but not great, as you may get outbound exfiltration using encryption over port 80.
Rogueshoten
Two huge areas I find are frequently missed:
1. If the Antivirus or File Integrity Management settings have files or folders excluded from their oversight, those files or folders need to be covered somehow by a different process.
2. I've never met anyone who correlated the number of alarms sent by the tools to the number acknowledged or acted upon by the staff. If a class of alarms only goes to one person (in error), and they have those alarms sent to a sinkhole, there's a problem. If the delivery mechanism is broken for a class of alarm notifications, you'll never notice unless this form of correlation is performed.
HackerHater
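The correlation HackerHater describes in point 2 needs only two records: what each tool says it sent, and what the case system says was acknowledged. The script below is an added example illustrating that comment, not the commenter's code and not an ISC tool; the notification log, the acknowledged ids, the shared-queue list and the thresholds (at least 5 alarms before judging a class, 50% as a low acknowledgement rate) are constructed assumptions. It flags a class with zero acknowledgements (delivery broken or sinkholed), a class with a low rate (arriving but not worked), and a class whose only recipient is a single person rather than a staffed queue.

```python
"""Correlate alarms a tool sent with alarms staff acknowledged, per alarm class
and recipient. Added example for the comment above, not the commenter's code.
Notification log, ticket ids, shared queues and thresholds are constructed."""
from collections import defaultdict

# (alarm_id, alarm_class, recipient) from the tool's notification log. Constructed.
SENT = [
    ("a1", "AV_DETECTION", "soc-queue"), ("a2", "AV_DETECTION", "soc-queue"),
    ("a3", "AV_DETECTION", "soc-queue"), ("a4", "AV_DETECTION", "soc-queue"),
    ("a5", "AV_DETECTION", "soc-queue"), ("a6", "AV_DETECTION", "soc-queue"),
    ("f1", "FIM_CHANGE", "bob"), ("f2", "FIM_CHANGE", "bob"), ("f3", "FIM_CHANGE", "bob"),
    ("f4", "FIM_CHANGE", "bob"), ("f5", "FIM_CHANGE", "bob"), ("f6", "FIM_CHANGE", "bob"),
    ("i1", "IDS_MEDIUM", "soc-queue"), ("i2", "IDS_MEDIUM", "soc-queue"),
    ("i3", "IDS_MEDIUM", "soc-queue"), ("i4", "IDS_MEDIUM", "soc-queue"),
    ("i5", "IDS_MEDIUM", "soc-queue"), ("i6", "IDS_MEDIUM", "soc-queue"),
    ("d1", "DLP", "alice"), ("d2", "DLP", "alice"),
]
# Alarm ids that were acknowledged or ticketed in the case system. Constructed.
ACKED = {"a1", "a2", "a3", "a4", "a5", "a6", "i1", "i2", "d1", "d2"}
# Assumed: a staffed shared queue is not a single point of failure; one person's inbox is.
SHARED_QUEUES = {"soc-queue"}


def ack_report(sent, acked, shared_queues=SHARED_QUEUES, min_sent=5, low_ratio=0.5):
    """Per alarm class: sent and acknowledged counts, ratio, and findings."""
    per_class = defaultdict(lambda: {"sent": 0, "acked": 0, "recipients": set()})
    for alarm_id, cls, recipient in sent:
        row = per_class[cls]
        row["sent"] += 1
        row["acked"] += alarm_id in acked
        row["recipients"].add(recipient)

    report = {}
    for cls, row in per_class.items():
        ratio = row["acked"] / row["sent"]
        findings = []
        if row["sent"] >= min_sent:            # too few alarms says nothing either way
            if row["acked"] == 0:
                findings.append("NO_ACKS")      # delivery broken, or rule points at a sinkhole
            elif ratio < low_ratio:
                findings.append("LOW_ACK_RATE")  # alarms arrive but nobody works them
        if len(row["recipients"]) == 1 and not row["recipients"] <= shared_queues:
            findings.append("SINGLE_RECIPIENT")  # one person's inbox is the only path
        report[cls] = {"sent": row["sent"], "acked": row["acked"],
                       "ratio": round(ratio, 2), "findings": findings}
    return report


if __name__ == "__main__":
    for cls, row in ack_report(SENT, ACKED).items():
        print(f"{cls:14} sent={row['sent']:2} acked={row['acked']:2} "
              f"ratio={row['ratio']:.2f} {row['findings']}")
```

The join key matters: it only works if the tool writes an alarm id into the notification and the case system keeps that id on the ticket. If that link does not exist today, creating it is itself a visibility gap worth closing next week.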
