Security Incident Handling and SIEM

August 15, 2014  |  Jimmy Vo

It was 9:00 a.m. on a Wednesday morning and I was sitting in front of a testing computer. Laid across my small work area were five SANS 504 (Hacker Techniques, Exploits, and Incident Handling) books which were accessorized with colorful sticky tabs. As I answered questions regarding the security incident handling phases outlined by SANS my mind started wandering off, as per usual. I thought to myself, the combination of vulnerability scanning and SIEM could definitely assist in the incident response process. After pondering for a good amount of time, I realized I was in the middle of CGIH exam.

The security incident handling process is broken down in 6 primary phases:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned

Solutions that bundle SIEM and Vulnerability Scanning like AlientVault USM can add a lot of value to security incident handling processes. I’ll discuss how AlienVault can support several phases in the incident handling process.

Identification

The surest way to identify a data breach is finding your data on Pastebin. Will this embarrass an organization? Yes it will. My goal as an incident responder is to identify an incident, filter out the events and response appropriately. Identifying the incidents can be a hassle and a nebulous dark art without the proper tools.

I’m an advocate for processes and skill when it comes to security, but sometimes tools can make life easier. Imagine a world without log management or SIEM. I’d have to view the logs from my firewalls, domain controllers, IDS, and centralized AV. A piece of me dies when I think about this. By centralizing logs and creating rules based on actions from several log sources, we can quickly identify potential incidents. SIEM or no SIEM, the incident responder has to take this data, dig deeper and determine if there is a potential compromise.

Containment

There are a lot of steps incident response teams have to take during the containment phase. There are a few places centralized logging can add value for this specific phase. If all log sources are being centralized, incident responders can check nearby systems to determine the magnitude of the incident or event.

Rules can also be generated to alert on specific actions found by the containment team to determine if containment was successful. For example, if a piece of malware is found to make callbacks to a specific server, AlienVault USM can alert monitoring analyst of any traffic from or to the remote callback IP. If a rule is triggered that was outside of the systems contained, it tells the team to go back to identification phase.

Eradication

The main purpose of SIEM during this phase is to monitor the affected system to validate eradication. Under proper configuration and logging, I could use SIEM to watch for OS and application logs of the affected system. In addition to these logs, I could create alerts from IPS logs for the network segment. If the monitoring of the affected system does not display anomalous activity, it can be said with high confidence that eradication was successful.

Vulnerability analysis tools can be used to confirm eradication was successful. Using a vulnerability scanner can be done on the system and neighboring systems affected by the security incident. If everything looks normal, this could add validation that eradication was successful. This part of incident response can be part of the recovery stage since there is validation being done.

It’s critical that tools will never replace processes. Security incident response is a process which requires procedures, standards and policies. It’s tools like AlienVault USM that support critical steps of incident response such as identification, containment and eradication. More importantly, I am a GIAC Certified Incident Handler :blush:

GIAC

Share this with others

Get price Free trial