Friday, April 23, 2021

SOC Fundamentals | Tuning the Signal To Noise Ratio

Ask any security operations analyst about their biggest frustrations, and alert fatigue will be among them. They constantly struggle to identify the serious threat indicators while ignoring the false positives. Scientists and engineers have a name for this balance between useful and irrelevant data. It's called the signal-to-noise ratio.

The signal is the important data, while the noise is everything else; the white noise that gets in the way. When the signal-to-noise ratio is too low, the noise drowns out what's important. Experts from radio operators to genome scientists grapple with these issues in some form.

Improving the signal-to-noise ratio is also a problem for modern IR teams who face information overload. They are swamped with rising levels of network event data. They have trouble sifting through it all to find the real threats. Sometimes they fail, with potentially disastrous consequences.

Too Much Data, Too Few Resources

The problem facing SOCs is twofold. The first issue is data volume. There's a lot of it. Modern networks are information firehoses, churning out rivers of data. Every year, better network telemetry increases that volume. The result is a surplus of alerts, which we can call 'candidate signals'. These are interesting data points that might warrant further investigation.

This is compounded by the second problem: resource scarcity. SOCs continually struggle to find enough talent to cope with the flood of data from increasingly complex infrastructures. Without those manual skills, many find themselves overburdened and unable to get the intelligence they need from the data that's coming in.

The natural reaction to not having enough of a signal is to add more data. For many SOCs, this means buying more tools and telemetry, typically in the form of endpoint detection and response (EDR) or endpoint protection platform (EPP) products.

This is the wrong approach. Many SOCs' incident response platforms are already disjointed, comprising tools from different vendors, acquired over time, that don't play well together. This makes it difficult to get an end-to-end view of the incident response process, and in most cases it also prevents operators from handing off interesting telemetry investigations to each other.

Adding to these platforms might create more relevant signals, but it won't help SOCs to spot them. It will do the opposite, creating more noise that drowns those signals out. Any attempt to fix the SOC by generating more data amplifies the underlying problem.

If the signal-to-noise ratio remains low, then the growth in network telemetry becomes a greater source of risk. Poor candidate signal filtering leaves operators unsure where to begin and blinds them to real, time-critical attacks. The results can be catastrophic.

The Answer to Alert Fatigue

SOCs can't dig themselves out of this hole by generating more data. Instead, they must address the underlying problem. They must find better ways to spot the right signals in the data they already have. To do that, they must alter the signal-to-noise ratio.

In practice, this means reducing the number of candidate signals. SOCs must present SOC analysts with fewer alerts so that they can focus their attention on what really matters.

The key to increasing the signal-to-noise ratio is a tightly integrated end-to-end tool chain. This is a set of tools that work together seamlessly with little overlap, and all able to exchange data with each other smoothly throughout the entire cycle of detection, containment, mitigation, cleanup, and post-incident analysis.


This approach helps in several ways. First, it reduces the noise from different tools that would otherwise overlap with each other. This eliminates the shadow signals that can distract busy operators.

It also combines events and alerts into incidents, which are larger, more visible data elements that are easier to track. This gives analysts a top-down view of candidate signals without having to trawl through low-level events and correlate them manually.

Finally, it enables SOCs to better automate the detection, analysis, and reporting of incidents. This automation is a key part of the event correlation process.

A well-formed tool chain detects candidate signals early and develops them through several stages of analysis. This allows the SOC to either confirm and escalate candidate signals or dismiss them quickly if they are found to be benign. It also helps to automatically mitigate many incidents without having to alert human operators, leaving them free to focus on the alerts that need their attention.

Easing the SOC's Burden With Contextualized Data

SOCs that invest in tool chain integration will enjoy a smaller, refined set of alerts that come with the appropriate, contextualized data, ready for human operators to deal with efficiently.

This higher signal-to-noise ratio will show up on analyst screens, reducing their cognitive load. It will mean fewer investigations and reduced investigation times. This will lead to better outcomes for SOCs in the form of shorter containment times and an overall reduction in response times. Ideally, this will prevent attackers from getting close to your infrastructure, but in the event of a successful compromise, it can also reduce attacker dwell time, mitigating the effect of the attack.

When it comes to handling fast-moving cybersecurity incidents, the sharper focus that comes from a less cluttered data environment can be the difference between containing an incident before it does any damage, and making the next week's headlines for all the wrong reasons.


The Time For Change Is Now

This optimisation process should begin as early as possible in the incident response process. The longer that the SOC allows less relevant candidate signals to linger, the more they will proliferate and the more difficult it will be to discern what's important. Triaging candidate signals as soon as possible frees up analysts to apply their skills to the signals that matter. In an industry where talent is hard to come by, it's imperative to keep those analysts as productive as possible.

With that in mind, now is the time to support these goals by revising your process chain to look for improvement opportunities. Take a beat and step back to examine your overall tool set and your team structure. At some point, you might find that generating more telemetry yields results, but only if you have the capabilities to weed out the noise quickly. In the meantime, less is more.

If you'd like to learn more about how the SentinelOne Singularity platform can help your organization achieve these goals, contact us for more information or request a free demo.

MITRE ATT&CK Engenuity: AI & Big Data Powered EDR > Human Powered Products

Finally! The long-awaited 2020 ATT&CK evaluation results have been published, and along with them, almost every participating vendor's interpretation of the results and how they excelled in the evaluation. As you read the industry's commentary on the results, keep an eye out for contrived and/or creatively adjusted metrics. Below you will find a data-first approach to understanding our performance.

The benefit of MITRE Engenuity ATT&CK is that testing data is open and publicly accessible. In an effort to be transparent with our results, in this post, we will only talk about the numbers and metrics published by MITRE Engenuity – so that you can validate the information for yourself and separate fact from fiction. No number fudging, no creative invention.

SentinelOne's MITRE Results

Here is a screenshot of SentinelOne evaluations from MITRE Engenuity; you will see that SentinelOne had:

  • 100% Visibility – 174 of 174 steps
  • Highest Analytic Coverage – 159 of 174 steps
  • Zero Delayed Modifiers
  • Zero Config Change Modifiers
Source: MITRE Engenuity

Read on to understand how the above metrics are critical for an effective security posture. 

The latest ATT&CK results were released Tuesday, April 20, 2021. While the Round 1 ATT&CK Evaluation (the first year of testing) was based on APT3 (Gothic Panda), and the Round 2 ATT&CK Evaluation focused on TTPs associated with APT29 (Cozy Bear), this year's evaluation focuses on emulating financial threat groups. Testing day 1 simulates the Carbanak adversary group's attack methodology. Their objective? Breach the HR Manager, quietly move about the network, identify payment data, and exfiltrate it. It involves 4 Windows computers and a Linux server and consists of 96 techniques in 10 steps. See the Carbanak emulation.

Testing day 2 simulates the FIN7 adversary group. Similarly, their objective is to steal financial data. This simulation involves five computers and 78 techniques in 10 steps.


Visibility is the Foundation of Best-In-Class EDR

1. SentinelOne is the ONLY vendor to deliver 100% visibility with ZERO missed detections across all tested operating systems – Windows & Linux.

The foundation of a superior EDR solution is its ability to consume pertinent SecOps data at scale across a variety of OSes and cloud workloads while missing nothing in the process. With the increased sophistication and frequency of today's attacks, depth and breadth of visibility are fundamental capabilities that an EDR solution should deliver. Having no gaps in visibility means no blind spots, significantly reducing the attacker's ability to operate undetected.

Complete in-depth visibility is table stakes for any worthy EDR solution. No visibility, no breach protection!

As the ATT&CK evaluation data shows, SentinelOne had ZERO misses in this round. We detected 100% of attacks over Windows devices as well as Linux servers.

Detection Quality Separates the Wheat from the Chaff

2. SentinelOne delivered the MOST high-quality analytic detections to provide automated instant insight into adversary actions.

Analytics Detection Coverage (a count of any non-telemetry detection) rather than Detection Counts should be a factor to consider when deciding on the best EDR solution. Having a high number of general, tactic, or technique detections leads to higher quality detections because this ensures fewer attacks are missed. Having access to high-fidelity, high-quality detections gives enterprises more time to investigate events rather than searching through a sea of data that may be predominantly false positives.

In the ATT&CK evaluation, "Techniques" and "Tactics" are the key measures of data precision.

  • Technique: The epitome of relevant and actionable data – fully contextualized data points that tell a story, indicating what happened, why it happened, and crucially, how it happened.
  • Tactic: The next level down in the hierarchy, representing categories of techniques that tell us the actor's steps in achieving their ultimate goals (persistence, data egress, evasions, etc.). In short, the 'what' and the 'why.'

These two detection classifications are the core of the MITRE ATT&CK framework and are of the highest value in creating context. According to MITRE Engenuity's published results, out of all participants in this evaluation, SentinelOne recorded the highest number of analytic detections.

Detection Delays are Deadly

3. SentinelOne experienced zero delayed detections, making EDR real-time.

Time is a critical factor whether you're detecting an attack or neutralizing it.

A delayed detection, according to MITRE Engenuity, is not immediately available to the analyst; it may come in minutes or hours after the adversary has performed the malicious activity.

A delayed detection during the evaluation often means that an EDR solution required a human analyst to manually confirm suspicious activity due to the inability of the solution to do so on its own. The solution typically needs to send data to the analyst team or third-party services such as sandboxes, which in turn analyzes the data and alerts the customer, if required. However, many critical parts of this process are done manually, resulting in a window of opportunity for the adversary to do real damage.

Adversaries operating at high speed must be countered with machine-speed automation that is not subject to the inherent slowness of humans.

As the ATT&CK evaluation data shows, SentinelOne had zero delayed detections in this evaluation.

Configuration Changes Highlight Fragility & Scaling Problems

4. SentinelOne required zero configuration changes, making EDR effortless.

According to MITRE Engenuity, Config change refers to any detection that was made possible only because the vendor changed the initial configuration.

However, in a real-world scenario, SOC operators do not have time to customize settings, especially during an ongoing attack. Constantly tuning, fine-tuning, and adjusting a product means the battle is lost before it starts. In reality, SOC operators wouldn't even know what changes to make: without an alert, they would not know what to look for to drive the configuration change.

Technology-powered solutions should work at an enterprise-scale right out of the box to realize immediate time-to-value. SentinelOne Enterprise-Grade EDR deploys in seconds and works at total capacity instantly, as shown by the MITRE Engenuity evaluation data.

Storyline Automatically Connects the Dots

5. SentinelOne produced one console alert per targeted device.

Ask any SOC Operator about their biggest frustrations, and alert fatigue will be high among them. They constantly struggle to identify the serious threat indicators while wading through false positives. Rather than getting alerted on every piece of telemetry within an incident and fatiguing the already-burdened SOC team, an EDR solution should eliminate the noise before it reaches you by automatically grouping individual data points into combined alerts.

Consolidating hundreds of data points across a 48-hour advanced campaign, SentinelOne correlated and crystallized the attack into one complete story, represented as a single alert per target machine. SentinelOne provides instant insights within seconds rather than having analysts spend hours, days, or weeks correlating logs and linking events manually.

SentinelOne reduces the amount of manual effort needed, helps with alert fatigue, and significantly lowers the skillset barrier of benefiting from EDR.

What the Results Mean for You

As a security leader, it's important that you look at how you can improve your security posture and reduce risk while reducing the burden on your security team. While evaluating, look for an EDR solution that:

  • Provides complete visibility without any blind spots
  • Automatically correlates detections instead of relying on humans to interpret and manually stitch the data
  • Defeats adversaries in real-time
  • Works out-of-the-box as expected without needing continuous tune-ups
  • Includes granular remediation capabilities for automated cleanup and recovery

SentinelOne's exceptional performance in the 2020 ATT&CK evaluations once again proves that purpose-built, future-thinking solutions deliver the in-depth visibility, automation, and speed that the modern SOC needs to combat adversaries. As evidenced by the results data, SentinelOne excels at visibility and detection, and even more importantly, in the autonomous mapping and correlating of data into fully indexed and correlated stories through Storyline technology. This technology advantage sets us apart from every other vendor on the market.

To learn more about SentinelOne's performance in the 2020 MITRE Engenuity ATT&CK Evaluation, register for the upcoming webinar on Monday, April 26 at 10 a.m. PDT.


pfSense Plus 21.02.2-RELEASE and pfSense CE 2.5.1-RELEASE Now Available

LogRhythm Releases Version 7.7 of NextGen SIEM Platform

New Timeline View Enables Visual, Chronological Review of Security Incidents to Enhance Detection and Response Capabilities

Boulder, Colo. — April 5, 2021 — LogRhythm, the company powering today's security operations centers (SOCs), today announced the launch of version 7.7 of the LogRhythm NextGen SIEM Platform. The update introduces new features designed to streamline the threat detection and response process, including a new Timeline View that provides analysts with an easy-to-follow security narrative when investigating an incident.

Visualizing Security Stories with Timeline View

Through Timeline View, security analysts have a consolidated, chronological view of user or host activity. The view includes all data related to the incident and is automatically contextualized to provide a quick view into how a potential incident has played out thus far. With Timeline View, analysts can easily further their investigation without needing to navigate off the existing page to understand the cause and scope of a given incident. Analysts can also go deeper into the data presented by drilling down into specific timeline events and reviewing the underlying raw data.

"We're thrilled to bring Timeline View to our customers with the release of LogRhythm 7.7," said Rusty Carter, chief product officer at LogRhythm. "We understand how challenging it is to manage the detection and response process using multiple screens, so our goal was to make it easier for analysts to not only get an overview as to how an incident is progressing, but to also be able to drill down into that contextualized activity. These features are vital to making accurate decisions even more rapidly."

To even better visualize relationships, patterns and abnormalities present in log data, LogRhythm's Detail Page pairs Timeline View with Node Link graph (previously introduced in LogRhythm 7.5). This combination allows analysts to investigate incidents from multiple perspectives and to quickly determine the timing and scope of an incident.

Figure 1: A Detail Page in the LogRhythm Platform featuring the new Timeline View (left) and Node Link Graph (bottom right)

Additional Benefits Provided by 7.7

In addition to Timeline View, LogRhythm 7.7 introduces a number of new features designed to improve analysts' daily workflows and the ability to interact with other technologies. Specific benefits include:

  • Easier integration with third-party platforms: Version 7.7's Alarm REST API provides a simpler integration with third-party ticketing systems, SOAR platforms, and other LogRhythm partner solutions. The publicly consumable API makes it even easier to work through standard alarm workflows, including listing alarms, pushing updates into alarms, and adding comments to alarms.
  • Seamless log configuration in the cloud: Cloud-to-cloud collection enables LogRhythm Cloud users to configure log sources regardless of origin through a Graphical User Interface (GUI). This makes it easier for users to configure log sources, ultimately leading to a lower error rate and higher confidence.
  • Built-in support for more popular cloud-based services: LogRhythm has added new out-of-the-box Beats to help analysts onboard many popular cloud-based services, including Okta and Carbon Black Cloud, which further help customers secure the identities and endpoints within their environments.

Immediate, Global Availability

Version 7.7 of the NextGen SIEM Platform is now available for immediate use around the globe. Existing LogRhythm customers should contact their customer success representative for more information on the upgrade.

To learn more about LogRhythm 7.7, schedule a demo with a LogRhythm expert.

About LogRhythm

LogRhythm's award-winning NextGen SIEM Platform makes the world safer by protecting organizations, employees, and customers from the latest cyberthreats. It does this by providing a comprehensive platform with the latest security functionality, including security analytics; network detection and response (NDR); user and entity behavior analytics (UEBA); and security orchestration, automation, and response (SOAR). Learn how LogRhythm empowers companies to be security first at

Introducing LogRhythm 7.7: Improving the Analyst Experience with Detail Page and Timeline View

Security analysts are constantly challenged to investigate security incidents and mitigate them quickly. But does your security operations center (SOC) have the full picture of what's occurring in the environment to remediate the impact of a false negative?

LogRhythm is excited to announce the much-anticipated general availability of LogRhythm 7.7. The latest release reinforces our focus on simplifying and enhancing the analyst workflow and builds upon the dashboard layouts and visualizations of LogRhythm 7.6. LogRhythm 7.7 features include a new Detail Page with Timeline View that enhances the analyst experience and accelerates threat detection and response.

Telling a Security Story with Data

Part of your analysts' daily routine involves decision-making about threat hunting and alarms. More often than not, deciding what to do is complicated by trying to make sense of all the data your SIEM gathers. LogRhythm 7.7 simplifies the process by identifying what is important with Detail Page and the Timeline View widget.

With this release, your team has one view which they can use to examine host or user details, sequence associated activities or events, and learn whether a particular action or behavior is "normal." This insight speeds investigations and response to threats or suspicious behavior. With LogRhythm 7.7, you can also pair Timeline View with Node-Link Graph, a feature launched in LogRhythm 7.5, and other aggregate visualizations to investigate the progression and scope of a security event.

Discovering Insights with Detail Page

Embedded in the LogRhythm NextGen SIEM Platform, Detail Page gives your security operations center (SOC) a powerful investigative tool to organize and use all available data within LogRhythm. This includes log and activity data, contextual information, and unique insights to help you quickly resolve security incidents.

Detail Page creates a security narrative for user- and host-related events that helps analysts make sense of their data. Detail Page populates basic contextual information with TrueIdentity™ and TrueHost. LogRhythm TrueIdentity associates multiple account identifiers and account types to a single identity construct. TrueHost associates multiple host identifiers, such as IP address, hostname, and MAC address, to the same host to provide a more comprehensive understanding of activities from the same host.

If CloudAI is enabled, behavioral data will also appear showing score information and insight labels about the user or host. CloudAI is LogRhythm's user and entity behavior analytics (UEBA) solution that uses machine learning to detect insider threats, compromised accounts, administrator abuse and misuse, and other user-based threats.

Figure 1: Detail Page tells a story with all the data available within the LogRhythm NextGen SIEM Platform

Accelerating Threat Detection with Timeline View

Within Detail Page, Timeline View presents a chronological story of key events in user or host activity. Behavior data also appears if CloudAI is enabled, but each event is always tagged with a risk-based prioritization score out of the box, making it easy to spot important events. Events in the timeline appear in simple language, alongside the risk-based prioritization (RBP) score and common classification, so you can quickly understand the activity and identify high-priority events.

Timeline View uniquely shows a case timeline alongside aggregate information and underlying raw data. With filtering and drill-down capabilities, this feature gives analysts a complete view into user or host activity, with multiple ways to display the data and quickly make decisions.

Figure 2: See a sequence of events with risk-based prioritization scores in the Timeline View widget

Simplifying Integration with the Alarm REST API

As part of LogRhythm 7.7, we launched an Alarm REST API, which simplifies integration with other workflow tools. Capabilities include listing alarms, pushing updates into alarms (e.g., changing the status or modifying RBP), and adding comments to alarms, among other features. This is a key integration for third-party ticketing systems, third-party security orchestration, automation, and response (SOAR) platforms, and other LogRhythm partner solutions. If you have integrations with the SOAP API, we encourage you to migrate to the REST API.

New Cloud Capabilities

LogRhythm 7.7 also introduces cloud-to-cloud collection for LogRhythm Cloud customers. All LogRhythm Cloud customers will receive one fixed-size Open Collector upon request. This simplifies how LogRhythm Cloud users configure log sources. LogRhythm supports Azure EventHub as the first log source, with others to follow.

Threat Source Newsletter (April 22, 2021)

Newsletter compiled by Jon Munshaw. Good afternoon, Talos readers. We went viral this week! Everyone seemed to love to joke about these vulnerabilities we discovered in a WiFi-connected air fryer. An attacker, if they had physical access to the device, could exploit these...

Chef Infra Best Practices: #3 Testing Chef Infra Cookbooks Fast with Docker

Third installment of the Shape-Up Your Infrastructure Webinar Series – "Testing Chef Infra Cookbooks Fast with Docker".

It often seems like every day brings about a new mission-critical business application to manage. Each of these critical systems needs special attention as you build out your infrastructure automation. No one wants to push out that "simple" configuration change that causes business outage. Each and every change, no matter the size, needs full validation, but how can this be accomplished without slowing the business velocity?

Test Kitchen is an open source testing framework that tests cookbooks using Vagrant, Docker, VMware vSphere, or leading cloud providers. With Test Kitchen you can automate the validation of your complex infrastructure systems on local workstations during your development process as well as as part of automated CI pipelines. This shifts the validation of systems as far left as possible, avoiding the need for costly manual validation in pre-production environments, or worse yet, validation in production.

Test Kitchen is part of Chef Workstation and works in concert with Chef InSpec, letting you write complex tests for your infrastructure code with ease. With Chef InSpec you use the same test language, and even the same code, for your infrastructure tests as for your security and compliance tests. This reduces the time necessary to test systems and the time spent training employees on new testing frameworks.

Overview: Chef Infra Client and Test Kitchen Infrastructure Automation

Test Kitchen validates infrastructure changes in four main stages: Create, Converge, Verify and Destroy:

  • Create: In the create stage, systems are created and booted in a clean-room environment, either running locally on a workstation hypervisor or on a cloud provider.
  • Converge: In the converge phase, the Chef Infra Client is installed and cookbooks are then run to bring the node into policy compliance.
  • Verify: In the verify phase, Chef InSpec is used to run smoke tests and verify that systems meet business needs. One of the coolest things about Test Kitchen is that you are validating the compliance primitives along with running smoke tests.
  • Destroy: In the destroy phase, passed runs are committed to source control, failed runs are returned to development, and the clean-room instances are deleted from your local hypervisor or cloud provider.
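As an added example (not from the webinar or Chef's own documentation), here is a `kitchen.yml` that runs the four stages above against Docker using the kitchen-dokken driver that ships with Chef Workstation; the cookbook name `hardening_baseline`, its attribute, the suite name and the InSpec test path are assumptions.

```yaml
---
# kitchen.yml (added example; cookbook name, attribute and test path are assumptions)

# Create stage: dokken starts a throwaway container instead of a VM, so a
# clean-room instance comes up in seconds on a workstation or a CI runner.
driver:
  name: dokken
  privileged: true          # lets systemd run as PID 1 inside the container
  chef_version: current     # Chef Infra Client version baked into the image

transport:
  name: dokken              # converge/verify run inside the container via docker exec

# Converge stage: Chef Infra Client applies the run_list of each suite.
provisioner:
  name: dokken
  deprecations_as_errors: true   # fail the run on deprecated resource usage

# Verify stage: Chef InSpec runs the suite's compliance and smoke tests.
verifier:
  name: inspec

platforms:
  - name: ubuntu-20.04
    driver:
      image: dokken/ubuntu-20.04
      pid_one_command: /bin/systemd
  - name: centos-8
    driver:
      image: dokken/centos-8
      pid_one_command: /usr/lib/systemd/systemd

suites:
  - name: default
    run_list:
      - recipe[hardening_baseline::default]
    verifier:
      inspec_tests:
        - test/integration/default   # InSpec controls reused from the compliance profile
    attributes:
      hardening_baseline:
        permit_root_login: "no"
```

`kitchen test` runs Create, Converge, Verify and Destroy in sequence for every platform/suite pair; by default the Destroy stage only runs for instances that pass Verify, so a failed instance stays up for inspection with `kitchen login`.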