When is an alert not an alert?

The Riddler is one of Batman’s enduring enemies who takes delight in incorporating riddles and puzzles into his criminal plots—often leaving them as clues for the authorities and Batman to solve.

Question: When is a door not a door?
Answer: When it’s ajar.

So riddle me this, Batman: When is an alert not an alert?

Users of the EventTracker platform know that one of its primary functions is to apply built-in knowledge to reduce the flood of all security/log data to a much smaller stream of prioritized alerts. However, in most cases, without applying local context, this is still too noisy. Netsurion provides a risk score that is computed based on the asset value and the Common Vulnerability Scoring System rank of the source.

This allows us to separate “alerts” into different priority levels. The broad categories are:

And so, there are alerts and then there are actionable and prioritized alerts. Over-reacting to awareness or compliance alerts will drain your energy and eventually sap your enthusiasm, not to mention cost you in real terms. Under-reacting to actionable alerts will also hurt you, because prompt action on them could reduce attacker dwell time and minimize the damage of ransomware or a data breach.


SIEM and Return on Investment: Four Pillars for Success

Return on investment (ROI) — it is the Achilles heel of IT management. Nobody minds spending money to avoid costs, prevent disasters, and ultimately yield more than the initial investment outlay. But is the investment justified?

It is challenging to calculate the ROI for any IT investment, and security information and event management (SIEM) tools are no exception.

We recently explored some basic precepts or “pillars” of the ROI of SIEM tools and technology. These pillars provide some sensible groundwork for the difficult endeavor to justify intangible costs of SIEM tools and technology.

Pillar 1. Think Risk: Before and After

Before and after — meaning life with SIEM tools and, subsequently, life without. SIEM tools help eliminate risk. In most cases, risk has a quantifiable cost. While it’s difficult to say how much was saved by avoiding a major intrusion, examining the effect by comparing conditions before, and after, is a good start.

In an ROI analysis, develop a statement such as “before we invested in SIEM practices, tools, or technique X, we were greatly at risk. After we deployed X, our risk was greatly reduced, if not eliminated.”

Then prove and substantiate the statement. The after statement may be characterized with quantitative data, such as the number of intrusions or access points that were eliminated. The more you can quantify, the better. If you can’t quantify, estimate as best you can, but be consistent and realistic.

Pillar 2: Think Cost Avoidance versus “Return”

In other words, don’t expect revenues or a gain from the investment.  Rather, the return is the prevention of intrusion and costly security disaster that SIEM afforded. Cost avoidance is your return.

When the security IT firm RSA published a whitepaper on this very topic (SIEM and ROI), they focused on this dimension of ROI: it’s more about cost avoidance than it is about “return.” Cost avoidance is at the heart of the value that SIEM provides.

RSA wrote, “Most experts — who for years argued for or against a ‘return on security investment (ROSI)’ — agree that the value an SIEM solution brings is primarily in the realm of cost avoidance, not ‘return’ as it’s defined in the purest economic sense. So whether you’re looking for an ROI, ROSI, total cost of ownership (TCO), or a breakeven point, the goal is demonstrable value.”

The value of a SIEM solution must be viewed differently. It’s better seen in the cost it avoided rather than the direct dividend or revenue it yielded. As the whitepaper stated: “it’s not a cotton candy machine.”

Pillar 3:  Focus on A Variable That Can Be Measured: Time

If you don’t focus on quantifiable variables in your ROI analysis, you’ll be loaded up with assumptions. And assumptions carry little weight in business justification exercises.

Instead of assuming, use time as a key variable that SIEM helps improve in several ways. Explore how much time is saved. For example, if you are in a market or industry characterized by heavy compliance and auditing, consider the preparation that such compliance requires. SIEM tools save preparation time. Time saved can be redirected to other security needs that are already competing for attention in the daily schedule of today’s busy security manager.

In addition to time saved, there’s also an improvement in reaction time. When the sky is falling, the ability of an organization to trace, find and secure swiftly and promptly is critical. Good tools enable that. Improvements in reaction time can be measured.

Add time saved and reaction time improved, and you’re using a quantifiable variable as a measure of value and ultimately ROI.

Pillar 4:  Consider the Cost of a Solution  Without Early Discovery

Disaster recovery has many costs that are both tangible and intangible. Liken a security intrusion or major breach to a medical problem: the earlier you discover it, the more options you can implement and the greater are the chances that you can mitigate risk. SIEM tools help discover noncompliance and implement detection earlier. This allows more courses of action and presents them sooner — often before an incident occurs or begins to spiral.

Without early discovery, damage may ensue. But how much does it cost?

Cost estimates of security breaches may be found in news reports.  For example, the following cost estimates of data breaches were found with a simple media search:

“Maricopa Community College data breach cost $20 million, including $2.3 million in lawyer fees.”

“The Target breach cost $17 million in third-quarter expenses.”  It should be noted there were later citations that said their fourth quarter recognized $60 million in costs, and then another editorial estimated $1 billion in costs when all was said and done.

Yet another is a headline that read: “Navy Intranet Breach Cost $10 Million.”

And the list goes on and on, with the point being that citing news media reports is a quick and somewhat reliable means of presenting the costs associated with remediation and recovery. It strengthens the case for SIEM tool purchases and helps put some urgency into cost avoidance — and is based on someone else’s hardships after an intrusion, not yours.  But it paints a picture of what the price of disaster and a large-scale breach could look like.

Determining the ROI of SIEM is not hard when it is approached in a logical way with known information built on a foundation of cost avoidance, time saved, and improved reaction time.

The ROI of SIEM is best explained in the trouble it avoids and the disaster it prevents.

Protecting Legal Data: 3 Ways MSPs Can Enhance Cybersecurity

Contributed by: Meaghan Moraes, Blog and Social Media Manager at Continuum

The legal world is centered on offering clients protection—and in the current technology environment, that extends to cybersecurity. With the proper security procedures, policies, training, and IT security in law firms, advanced cybersecurity is yet another way that lawyers can protect their clients today.

However, that’s much easier said than done, as firms and other organizations in the legal space have extremely desirable data, yet many are inadequately prepared for sophisticated breach attempts—making businesses in this vertical primary targets of cyber attacks.

In fact, according to a survey by law firm eWranglers, only 33% of responding firms had implemented data protection policies, and a similar 33% had implemented employee cybersecurity training. It’s clear that these types of small businesses need to seriously invest in cybersecurity in order to withstand the landscape for years to come. Oftentimes, this requires the help of a managed IT service provider (MSP) that can provide the tools, support, and security partnership that these legal firms otherwise wouldn’t have access to.

So, how can you seize that opportunity as an MSP to protect your legal clients with the enhanced cybersecurity that will safeguard their data? The following three steps will help you improve your clients’ security posture and mutual business growth.

1. Develop Policies and Procedures

Implementing clear and explicit cybersecurity policies for clients is an effective way to not only better protect their data, but to instill trust and forge a lasting partnership that they can turn to. The best way to execute these policies and procedures is through initial and consistent security awareness training. It’s important that your set of policies address these four things:

Every policy you develop for your clients should have accompanying procedures that illustrate what actions must occur.

2. Establish Preventative Measures

Another key finding from the eWranglers survey was that, with only 25% with device encryption and a mere 17% with directory security, many law firms lack a fully developed prevention infrastructure. While many legal organizations have some aspects of cybersecurity-related compliance policies, they often don’t have real, comprehensive preventative measures dedicated to security.

Prevention can include employee background checks, implementing user accounts, asset controls, network security protocols, browser filters, and data encryption. But, in this volatile IT landscape, prevention only goes so far and planning for an undesired incident is crucial.

3. Have an Incident Response Plan

Helping your clients create an incident response plan brings pragmatism and order to a chaotic situation, and ultimately helps them recover faster. Essentially, the plan just takes some road mapping and internal and external collaboration.

Once you can ensure your legal clients are identifying circumstances, safeguarding against further damage, collecting external intelligence, collecting logs and data, and notifying necessary parties, they’ll be as prepared as possible for whatever is thrown their way.

Covering these three areas will allow you to offer your legal clients the advanced protection they now demand.

MSPs Need Both Cybersecurity Automation and Human Expertise

The rising level of security threats and public incidents demands new approaches to people, processes, and technology that optimize manual processes and harness the benefits of automation. Automation and machine learning (ML) remove inefficiencies and the potential for error or security gaps. While programmatic threat detection and incident response minimize false positives along with staff and skill shortages, they are not a panacea or quick fix. Human analysts are still the most vital link in cybersecurity defense that differentiates you in the marketplace.

Trends Driving Adoption of Automation

There are six top trends prompting Managed Service Providers (MSPs) and enterprises to embrace automated threat detection and response. In addition to challenges in hiring and retaining hard-to-find cybersecurity professionals, there are hidden costs inherent in the massive amounts of alerts that can trigger false positives.


In light of global IT challenges like staff shortages, ML and automated threat detection and response enhance efficiency, job satisfaction, and retention of cybersecurity experts – whether in Netsurion’s Security Operations Center (SOC) or partner and customer environments.    

However, some inhibitors of automation and ML include the lack of talent to implement, the time and cost involved, and a focus on day-to-day security operations.

Benefits and Challenges of Automation

Cybersecurity incorporates automation, machine learning (ML), and artificial intelligence (AI) to accelerate threat correlation and reduce incident response times when minutes matter. Rising labor costs are often the catalyst to exploring automation benefits. A more programmatic threat defense improves efficiency and effectiveness by:

  1. Enhancing threat correlation in real-time
  2. Reducing “noise” and false positives that waste analyst attention
  3. Providing threat context and actionable intelligence
  4. Accelerating a rapid response

It can also be used to chain together seemingly disparate insights that can reveal more persistent and advanced threats lurking stealthily in your organization. Ideally, automation enhances Security Operations Center (SOC) analyst effectiveness by streamlining routine tasks and providing insight and threat context that results in better decision making.

However, some inhibitors of automation and ML include the time and cost involved, as well as a focus on day-to-day security operations instead of future-oriented SecOps improvements.  Another downside of automation and ML is the human expertise needed to develop the algorithms and ongoing system tuning and optimization.

Advantages and Pitfalls of Human Experts

Given the shortage of cybersecurity staff to fill an estimated 3 million IT and security roles, it’s no wonder that automation and machine learning are viewed as a viable solution to the ongoing IT staff and cybersecurity skills shortage. A proactive defense requires constant vigilance and robust security operations. Security must work in tandem with automation and ML along with dedicated experts to implement defense-in-depth protection and future-proof your security investment.

One of the arguments against human-led threat response is that it is labor intensive and therefore more expensive. But the security gap or technology misstep that results in a data breach is equally costly in terms of damaged brand reputation, lost customers and revenue, and possible compliance fines.

Pitfalls of humans include time away due to vacation or training as well as the key challenges of hiring and retaining security experts in the first place. If you don’t have the expertise or an in-house SOC, leverage 24/7/365 SOC experts like Netsurion to augment your team and customize cybersecurity to customer environments.

A Blend of Security Automation and Human Expertise is Needed  

Cybersecurity experts are needed to architect the customer solution, prepare the necessary runbooks and playbooks, tailor and prioritize threat detection, respond to suspicious events and possible incidents, and enhance threat remediation over time. While automation and machine learning are leveling the playing field for small-to-medium-sized businesses (SMBs) and their service providers, they don’t stand alone. Humans are still needed to reduce business and cybersecurity risk and assess qualitative and quantitative results over time. Some IT decisions have performance and productivity impacts, so keep humans in the loop when blocking devices and quarantining access to users for the first time. MSSPs must demonstrate why a two-pronged approach of automation and human-led cybersecurity is warranted.

Evolve From Alerts to Proactive Threat Response

Overcoming advanced and morphing threats requires more mature technology, skilled people, and rapid incident response than in years past. Service providers must blend automation and ML along with dedicated security experts to implement defense-in-depth protection and future-proof security investments used by their customers. To enhance customer resilience, balance the best of both options - human and artificial intelligence. Netsurion provides a comprehensive managed service and complete platform for MSSPs to predict, prevent, detect, and respond to escalating threats.

How Strong Are Your Passwords? Tips To Keep You Protected

Passwords keep your accounts and network safe but may also be a gateway for hackers. It's very important that you create strong passwords that will keep you protected.

Below are tips that we recommend you use when creating your passwords. Take a look at the infographic and check if you are already practicing these techniques.

If not, take a moment to do so.

At Lumifi, we encourage you to create strong passwords and even enable two-factor authentication, as well. Two-factor authentication will validate the identity of the person logging into the network.

First, make sure your first factor is strong by following these tips and second, enable two-factor authentication to ensure that whoever is accessing the network is actually who they claim to be.

Demystifying MDR: Five Myths for MSSPs

Small-to-medium-sized businesses (SMBs) are continuously seeking ways to safeguard their data and resiliency against persistent criminals through increased cyber defenses. But their security service providers often find that they are ill equipped to address advanced threats, let alone know where to begin. Managed Detection and Response (MDR) solutions are gaining traction with resource-constrained organizations looking for 24/7 proactive protection. The threat landscape and MDR marketplace are evolving, creating confusion for Managed Security Service Providers (MSSPs) and customers alike.

This blog separates MDR fact from fiction. Read on to learn the most common myths our team hears, along with MDR insights and realities to help discover the best-fit solution.

MYTH # 1:  MDR is just the latest “shiny object” in cybersecurity.

Fact: MDR is here to stay as it solves real customer challenges like the skills shortage.

Resource-constrained SMBs are actively looking for a security solution provider with the right expertise and services for 24/7 monitoring, threat detection, and comprehensive response. To address escalating cyber threats, MDR providers integrate more log sources, high-fidelity alerting, and a rapid response to minimize lateral movement and attacker dwell time. It also reduces the impact of a cybersecurity incident by providing advanced detection and response that organizations can’t efficiently operate on their own.

Managing an outsourced detection and response capability is not new, and MDR is a service rather than software or hardware. It provides a 24/7 Security Operations Center (SOC) that offers better visibility into the growing attack surface that cyber criminals can exploit. While it’s impossible to predict the future, MDR addresses actual market problems and has seen rapid adoption by MSSPs as well as by end customers. By 2025, 50% of organizations will be using MDR services, according to Gartner.

MYTH # 2:  My customers are too small for MDR safeguards.

Fact: MDR’s proven results benefit organizations of all sizes.

Today’s cybersecurity threats readily evade signature-based detection like anti-virus and anti-malware. Financially motivated cyber criminals target businesses large and small, especially those with intellectual property or supply chain contacts. A patchwork of siloed products and tools lacks holistic visibility, which creates unintended security gaps. Over 40% of cybersecurity incidents have impacted SMBs, and SMB organizations take longer to uncover and mitigate them.

Don’t be lulled into a false sense of security that creates a risk gap due to insufficient investment, as well as increased cyber threats and targeted attacks. Navigate through the options of MDR to move from a reactive approach to a more proactive coverage of business-critical networks, servers, data centers, and cloud data for your customers.

MYTH # 3: MDR is complicated and costly for MSSPs to adopt.

Fact: Reduce the risk of an inadequate MDR solution that wastes time and money.

As the first step in an MDR evaluation process, know that it is not another siloed point product. MDR is generally a Software as a Service (SaaS) solution, requiring no hardware or capital investment. MDR can consolidate the number of tools and vendors to purchase, onboard, and manage – saving valuable time.

With MDR, a more robust cybersecurity posture can also pay dividends. It prepares organizations to rapidly detect and effectively respond to advanced threats that could cause a security incident and jeopardize resiliency.


MYTH # 4:  I must build my own Security Operations Center for MDR.

Fact: SOC-as-a-Service augments your team with 24/7 coverage and expertise.

A SOC is a cybersecurity command center that monitors, detects, investigates, and responds to suspicious activities and incidents. Standing up a SOC is costly with hardware, software, and people expenses like hiring, training, and retaining hard-to-find cybersecurity experts. Instead of building a SOC on your own or operating it around-the-clock, SOC-as-a-Service enables you to quickly scale your security capabilities without the cost and overhead. Cybersecurity analysts in the SOC work as an extension of your in-house team on incident handling, threat intelligence, and threat hunting.   

MYTH #5: Every MSSP is ready to offer an MDR solution.

Fact: One size does not fit all. Tailor your service provider solutions to your goals, capabilities, and target customers.

Conduct an assessment regarding MDR along with your future objectives and current capabilities. Be careful not to overextend yourself and risk poor service delivery and disappointed customers. While MDR definitions vary, your current offerings may be closer to defense-in-depth coverage than you realize. Look to add comprehensive visibility and simplicity with as much increased attack surface coverage as possible and a streamlined tech stack; point products merely add more complexity. If you don’t possess the staff or expertise for DIY MDR, consider a co-managed MDR solution from an MSSP provider who has your back and is committed to your success.


MSSPs can assist organizations in becoming more proactive regarding the escalating threat landscape and to invest in more capable threat detection and response. MDR evolved to help security teams overcome the challenge of an ever-expanding attack surface without the same resources and staff as larger enterprises. As you evaluate MDR solutions, look for providers with the most comprehensive coverage and proven track records. Align your staffing and budget with Lumifi's MDR to address continuously evolving threats. By enhancing your security operations with these four steps – predict, prevent, detect, and respond – your customers will be well-positioned to address today’s security challenges and the uncertain threat landscape.

Auditing File Shares with the Windows Security Log

Over the years, security admins have repeatedly asked me how to audit file shares in Windows.  Until Windows Server 2008, there were no specific events for file shares.  The best we could do was to enable auditing of the registry key where shares are defined.  But in Windows Server 2008 and later, there are two new subcategories for share-related events:

File Share Events

This subcategory allows you to track the creation, modification and deletion of shared folders (see table below).  You have a different event ID for each of those three operations.  The events indicate who made the change in the Subject fields, and provide the name of the share that users see when browsing the network and the path to the file system folder made available by the share.  See the example of event ID 5142 below.

A network share object was added.

Subject:
Security ID:  W8R2\wsmith
Account Name:  wsmith
Account Domain:  W8R2
Logon ID:  0x475b7

Share Information:
Share Name:  \\*\AcmeAccounting
Share Path:  C:\AcmeAccounting

The bad news is that the subcategory also produces event ID 5140 every time a user connects to a share.  The data logged, including who accessed it, and their client IP address is nice, but the event is logged much too frequently.  Since Windows doesn’t keep network logon sessions active if no files are held open, you will tend to see this event frequently if you enable the “File Share” audit subcategory.  There is no way to configure Windows to produce just the share change events and not this access event as well.  Of course, that’s the point of a SIEM and log management platform which is at the heart of Netsurion Open XDR, which filters out the noise.

5140 A network share object was accessed
5142 A network share object was added.
5143 A network share object was modified
5144 A network share object was deleted.

Detailed File Share Events

Event ID 5140, as discussed above, is intended to document each connection to a network share, and as such it does not log the names of the files accessed through that share connection.  The “Detailed File Share” audit subcategory provides this lower level of information with just one event ID – 5145 – which is shown below.

A network share object was checked to see whether client can be granted desired access.

Subject:
Security ID:  SYSTEM
Account Name:  WIN-KOSWZXC03L0$
Account Domain:  W8R2
Logon ID:  0x86d584

Network Information:
Object Type:  File
Source Address:  fe80::507a:5bf7:2a72:c046
Source Port:  55490

Share Information:
Share Name:  \\*\SYSVOL
Share Path:  \??\C:\Windows\SYSVOL\sysvol
Relative Target Name: w8r2.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\Audit\audit.csv

Access Request Information:
Access Mask:  0x120089
ReadData (or ListDirectory)

Access Check Results:
READ_CONTROL: Granted by Ownership
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD)
ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD)
ReadEA: Granted by D:(A;;0x1200a9;;;WD)
ReadAttributes: Granted by D:(A;;0x1200a9;;;WD)

This event identifies the user (Subject fields), the user’s IP address (Network Information), the share, and the actual file accessed via the share (Share Information) and then provides the permissions requested and the results of the access request.  This event actually logs the access attempt and allows you to see failure versions of the event as well as success events.

Be careful about enabling this audit subcategory because you will get an event for every file accessed through network shares each time the application opens the file.  This can be more frequent than imagined for some applications like Microsoft Office.  Conversely, remember that this category won’t catch access attempts on the same files if a locally executing application accesses the file via the local path (e.g. c:\docs\file.txt) instead of via the share path.

You might also want to consider enabling auditing on individual folders containing critical files and using the File System subcategory.  This method allows you to be much more selective about who, which files and what types of access are audited.

For most organizations, enable the File Share subcategory if it’s important to you to know when new folders are shared. You will probably want to filter out the 5140 occurrences.  Then, if you have file level audit needs, turn on the File Access subcategory, identify the exact folders containing the relevant files and enable auditing on those folders for the specific operations (e.g. Read, Write, Delete) needed to meet your audit requirements.  Don’t enable the Detailed File Share audit subcategory unless you really want events for every access to every file via network shares.
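The triage recommended above, as an added example (not code from the original article or from any product): it passes share changes (5142 to 5144) through as alerts, collapses 5140 connections into counts, and decodes the 5145 Access Mask into the right names the event lists. The function names, the (event ID, message) tuple layout and the 5140 sample with its 10.0.0.25 address are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Bits of the 5145 "Access Mask" field (standard Windows file access rights).
ACCESS_RIGHTS = {
    0x1: "ReadData (or ListDirectory)", 0x2: "WriteData (or AddFile)",
    0x4: "AppendData (or AddSubdirectory)", 0x8: "ReadEA", 0x10: "WriteEA",
    0x20: "Execute/Traverse", 0x40: "DeleteChild", 0x80: "ReadAttributes",
    0x100: "WriteAttributes", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
CHANGE_EVENTS = {5142: "added", 5143: "modified", 5144: "deleted"}
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s+(\S.*)$")


def parse_fields(message):
    """Collect 'Name:  value' lines from a rendered Security log message."""
    fields = {}
    for line in message.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields.setdefault(match.group(1).strip(), match.group(2).strip())
    return fields


def decode_access_mask(mask):
    """Return the names of the rights set in a file access mask, low bit first."""
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]


def triage(events):
    """Split (event_id, message) pairs into share-change alerts, per-file
    access records (5145) and a counter of share connections (5140)."""
    changes, file_access, connections = [], [], Counter()
    for event_id, message in events:
        f = parse_fields(message)
        if event_id in CHANGE_EVENTS:
            changes.append((CHANGE_EVENTS[event_id], f.get("Account Name"),
                            f.get("Share Name"), f.get("Share Path")))
        elif event_id == 5140:
            # Too frequent to alert on: keep who/where as a counter only.
            connections[(f.get("Account Name"), f.get("Share Name"),
                         f.get("Source Address"))] += 1
        elif event_id == 5145:
            file_access.append({
                "account": f.get("Account Name"),
                "source": f.get("Source Address"),
                "target": f["Share Name"] + "\\" + f["Relative Target Name"],
                "rights": decode_access_mask(int(f["Access Mask"], 16)),
            })
    return changes, file_access, connections


# Events 5142 and 5145 as shown on this page (path separators restored).
EVENT_5142 = r"""A network share object was added.
Security ID:  W8R2\wsmith
Account Name:  wsmith
Account Domain:  W8R2
Logon ID:  0x475b7
Share Information:
Share Name:  \\*\AcmeAccounting
Share Path:  C:\AcmeAccounting
"""
EVENT_5145 = r"""A network share object was checked to see whether client can be granted desired access.
Account Name:  WIN-KOSWZXC03L0$
Source Address:  fe80::507a:5bf7:2a72:c046
Share Name:  \\*\SYSVOL
Relative Target Name: w8r2.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\Audit\audit.csv
Access Mask:  0x120089
"""
# Constructed 5140 connection event, abbreviated to the fields used here.
EVENT_5140 = r"""A network share object was accessed.
Account Name:  wsmith
Source Address:  10.0.0.25
Share Name:  \\*\AcmeAccounting
"""
SAMPLE = [(5140, EVENT_5140), (5142, EVENT_5142), (5140, EVENT_5140),
          (5145, EVENT_5145), (5140, EVENT_5140)]

if __name__ == "__main__":
    changes, file_access, connections = triage(SAMPLE)
    for change in changes:
        print("ALERT share %s by %s: %s -> %s" % change)
    for record in file_access:
        print("file access:", record["account"], record["target"], record["rights"])
    for key, count in connections.items():
        print("5140 connections (summarised):", key, count)
```

Decoding 0x1200a9, the mask in the ACE quoted under Access Check Results, with the same function shows that the ACE also grants Execute/Traverse, which this request did not ask for.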

Internet Explorer 8 - People Still Love It, But There’s a Problem

Microsoft has confirmed that Internet Explorer 8 (IE8) has a “Zero Day Vulnerability” that has already been exploited to enable the compromise of computer systems.

This is a technical way of saying that the issue with IE8 is currently unpatched, and other security mechanisms are not currently effective in preventing the exploit.


Given time (beyond “Day Zero”), this vulnerability will be patched or other systems will be able to prevent the issue, but because this issue is so new, it is currently able to wreak havoc on systems that visit compromised websites.

This type of issue with a browser is so damaging because computer hackers who take advantage of it can execute malicious code on the affected machines without the user needing to download anything and without any indication that the machine has been compromised.

All a user has to do to be infected is to go to a website that has a malicious script embedded on it, and voilà, you have been hacked! No bells, no whistles, no pop-ups of any kind will appear in your browser. You will not have any indication of an issue (until something bad happens on your machine).

Most of the time, the hackers are installing Remote Access Trojans so that they can get information about the affected machines or take them over completely.

So what should you do if you still run IE8?

Well, there are a couple of options.

You can make sure that you pay attention to Microsoft bulletins and download the patch when they release it. They are aware of the issue, and that is step one in fixing it. They have promised that a fix to this problem will be coming shortly.

Your other option is to upgrade to other versions of Internet Explorer.

At the time of this publishing, IE9 and IE10 did not have the same vulnerabilities.

IE8 is old, but it is still the most used version of IE today. It is its popularity that makes it such an attractive target for hackers.

If you use IE8, update your system regularly and be careful where you browse.