Five Reasons to Start Your SIEM Initiative Today

Regardless of how much today’s SIEM marketing is driven by compliance, which solution is the best, or whether it should be managed or on-premises, Security Information and Event Management is conceptually accepted among security professionals. So here are my top reasons to consider a SIEM implementation as one of your cybersecurity initiatives:

  1. Another tool for management
    Seems obvious, but not many realize that SIEM is a management tool in the first place. It does not have, and does not need to have, active or proactive capabilities. All it has to be capable of is delivering the right security information, from the right security events, to management, and not necessarily security management.
  2. It is all about visibility
    Remember that SIEM itself does not provide visibility; it is a technique to take “visibility” to a different level. So if you already have visibility over your network and systems, SIEM is an interface that enhances the way you see events, not something that reveals new facts about the security of your systems.
  3. Correlation is the heart of the matter
    The main purpose of a functional SIEM is the ability to correlate events; otherwise that purpose has been ignored, either by the solution designer or by you. Anyone running a security program knows that in the real world a single security event means nothing until it is correlated and overlapped with other events, and SIEM is where you should be able to harmonize your flow of security information. Needless to say, it is the job of the SIEM solution provider to make sure the system is capable of guiding you.
  4. Combining older systems
    Not all SIEM users are genuinely looking for this management system because of its native features. One of the main drivers to upgrade to SIEM has been the presence of older SIM and SEM systems. So whether you are forced to, or simply want to, combine two management systems, SIEM is the most popular way of integrating SIM and SEM.
  5. Intrusion comprehension
    This is totally different from intrusion detection, response or correlation capability. It is about the origin of an incident, the level of intelligence behind its root causes, and the indirect role of systems in shaping the final tangible incident. This is absolutely one of the hidden benefits of a well-designed SIEM within a well-managed security operation.
    There are other benefits, such as auditing, policy enforcement validation and security certification, which could potentially be addressed depending on how you execute your SIEM. But remember that the main essence of your SIEM is in the details of operation, and none of these benefits come out of the box with any solution on the market.

Privacy: Does Cyberspace Leave Any For Us?!

What does ‘Privacy’ exactly mean to you, and is there anything left for us in cyberspace?

‘Privacy’ doesn’t mean anything to you? Actually, you are lucky if you are young enough to accept that cyberspace is an integral part of our lives (perhaps you even believe it is the main part!), but imagine that one day you wake up as part of cyberspace with the old definition of “privacy”; you would be shocked and even paranoid about the private aspects of your life. I bet you already are!

Privacy does not have the same definition or expectations as 50 years ago, or even 10 years ago. That type of privacy does not exist within the boundaries of the Net; it simply does not apply to cyberspace anymore. The main driver for that is the way internet applications are set up and used, which forces us to forget about privacy, otherwise we won’t get the expected experience from Net applications.

Today’s privacy means adversaries shouldn’t be able to get into your private life; otherwise, all Net application providers have, and are supposed to have, access to the most private parts of your life. They require you to disclose as much as possible, or else you are denied completely or won’t get particular key services of an online application. Note that you cannot necessarily blame the software in this case, as applications are where the limitation to privacy natively appears. An example is any web software that takes care of filing your taxes or your credit score: the application requires you to disclose ALL information, otherwise there is no value in the application when any piece is missing, so you have to trust it and maximize disclosure.

How are you going to talk about privacy when they know you better than you know yourself?

Privacy is simply collective and relative; there is no absolute unless you decide not to have any online presence, which is impossible because at least your bank knows about you and their systems are online. Privacy is collective but not selective, meaning some people know you better than yourself and some SHOULD NOT (which doesn’t mean that they DO NOT!), but you cannot select who is doing what with your data out there, unless you are totally departed and detached from society!

Privacy nowadays is the state of being worried only about adversaries, hackers and criminals, but not concerned about what application providers do with our information. Remember, even with regulation like GDPR, we ‘may’ be able to reduce the exposure of our data, but we are never able to erase information about ourselves. We can perhaps ask a data processor to forget about our data inside a database (assuming the data never got into the hands of bad guys), but we cannot ask them to forget the intelligence derived from our data.

An example is when the intelligence of how you shop and what you shop for is created within the “cloudy sky of numerous Net applications”, no matter whether you personally delete every single record of your shopping transactions within a website. So relax and change your definition of privacy. You may also want to totally ignore VPNs and anonymous web browsing; I will explain later why you usually do not need them.

Vulnerability Management Elements

Precise vulnerability management is one of the keys to an agile security program.

Among non-technical but crucial elements like the methodology, system and workflow behind your VM, there are some technical aspects which can totally change the outcome of VM. These easily turn your VM into a reliable management system.

Being able to dynamically connect and correlate data across the different parts of a vulnerability management interface is crucial.

Interface!

Colorful interfaces for vulnerability management solutions are getting more and more common nowadays. Interfaces can simply distract us from the main purpose of vulnerability management, or they can force their potentially lame “understanding of a standard VM process” onto us and replace our very customized approach. But regardless of their positive or negative impact on the process, they are the main element of a VM solution.

Penetration testers or operators of this VM software rely solely on what is provided via the user interface, and seeing what is happening in the back-end is either impossible or very limited. This is very different from the first generation of vulnerability management solutions, where the operator was certainly the one who set the system up and configured it and, given the tools and techniques, had to know exactly what was happening in the back-end, as there was no colorful front-end.

What we need in a VM interface, and how it has to be linked to all aspects of the system, are different stories, but for now just remember that the interface to a VM is not like a normal user interface. If you cannot dynamically connect and correlate the data there, then it is useless. Perhaps the next generation will have more AI involved, but as of today you need to be able to change objects and their correlations, and be able to see what is happening behind the scenes. Otherwise you are better off sticking with a fully manual VM system.

Scoring

Everything is about scoring, aka ranking. It is considered a ‘blind’ assessment if you do not rank based on an agreed scoring system. But that does not mean CVSS is the solution.

The Common Vulnerability Scoring System, or CVSS, has been playing the role of a de facto standard for ranking security vulnerabilities, and version 3.0 is significantly better, but still far from a reasonable scoring methodology.

In practice, vulnerability assessment has to be done with very specific consideration of the target system. This includes the software or client application, operating system, user privileges, network protocols and services, and dozens of other factors which together affect the way a system can be exploited in the presence of that specific vulnerability.

A CVSS score of 10 might be ranked so low that its patch is not even needed! And a CVSS score of 2 might be a patch or mitigation you need to deploy right away! It all depends on the description of the vulnerability, the attack vectors, the details of the exploit… you need to read and research a vulnerability in depth before giving it a score. You could utilize CVSS in your own scoring system, but you should never rely solely on CVSS. There are practical ways to assess each individual vulnerability.

Mitigation

This is the hardest part, and solutions on the current market are either not capable of handling this phase of VM for you, or they are so expensive that they are not affordable. Most VM tools are not even able to roll out a patch with follow-up scanning and reliable validation, let alone take care of the workarounds and countermeasures that require intensive scripting and cross-platform APIs.

The whole purpose of VM is to mitigate weaknesses, so if you focus on this phase you will quickly find your organization has a very smooth system.

Developing an organic scoring system with documentation of its logic will lead to a smart and meaningful scoring system.

In other words, assess vulnerabilities based on the specific situation related to the details of the exploitation method. A single vulnerability might not be applicable to all layers of an organization, or to all similar machines. Develop an organic scoring system and document the logic, so you will have solid justification for similar vulnerabilities in the future. It takes no more than a few months to develop a smart, meaningful assessment and scoring system.

Focus on mitigation and on not having the same vulnerability repeat again and again; those are considered corrective actions which are also preventive. Remember that companies still get hacked after mitigating weaknesses because they do not pay attention to the attack vector and surface and how exploitation works. Most of the time patching is not enough, even though vendors always release updates and patches.

The interface to a VM is where you should be able to see and understand everything. If you have to ping a node from a different interface, or your VM is not linked to your asset management system, do not waste your time and money; you could utilize free tools in the same manner.

Manage Numerous IT Projects With No Resource Constraints

IT resource management is crucial in chaotic environments where multiple projects collide…

The most obvious challenge for IT managers is to make sure they meet deadlines and deliver projects in a timely manner. This is more tangible in environments where tons of big and small projects overlap on shared resources. That is a sign of resource constraint. By resource, I mean IT staff and personnel.

Regardless of why an IT team faces unexpected projects and ends up with a messy environment, or how important the IT manager’s job description and responsibilities are in the first place, let’s focus on how to address disorder in IT project management, and how to reach a smooth flow of projects mixed with daily IT tasks.

One of the simplest techniques to handle resource allocation is aligning the expected assignment(s) with the factual capacity of resources: when and how a resource is free, and what to assign them and when. But there are many ways to do this. I prefer mapping the current state of resources (their main aspects or features), plus identifying projects and their specifications, and finally reconciling these together via any simple tool.


Once you master this very basic and easy technique, no matter what your tool is, you will be able to manage IT projects even in a very disordered and out-of-control department. That is one of the reasons why I do not believe in the phrase “lack of resources”! The more we blame a shortage of human resources, the more we put ourselves in a situation that is irreversible: a situation where it does not matter how many staff you add to your team, you still will not be able to meet deadlines and, more importantly, have reasonable quality in your IT operations.


Back to the technique: list your resources and calculate their availability and capacity at a certain time. What are the factors in the equation? It really depends on your particular environment, but the universal factors are known to any project manager. Then list your projects and identify their specifications in detail. If you do not have time to do these basic steps, then you had better put more time and reputation into fixing a broken IT department, a dozen overdue deadlines and an unhappy C-suite. Allocation of resources is going to be straightforward if you complete the 1st and 2nd steps precisely.

There are a bunch of tools to execute such a simple idea, but some of them, like Microsoft Project, require a dedicated trained professional just to use the tool and set it up with the right information. That is too complicated and is not reasonable where project management itself is not the goal. In other words, tools like MS Project are good for those who are project managers and do this for thousands of clients.

I developed a simple, smart Excel spreadsheet to handle this crucial task of managing IT projects with real scenarios. As simple as 1-2-3. Based on the size of your staff and projects, you might be eligible to use it free of charge.

GDPR Facts & Challenges

Let’s list some GDPR facts and challenges:

  • Estimated time of engagement will be the end of 2018
  • All recent cyber incidents in the US made Europe totally suspicious of US privacy and cyber reliability
  • GDPR is simply a data privacy compliance regime that forces other countries to comply with Europe. Cyberspace was 100% ruled by the US in the past, and compliance requirements in that regard were also largely driven by U.S.-based regulations, but that has changed in recent years
  • No current initiative or certification can ultimately fulfill GDPR compliance by default; however, every step accomplished makes the entire process smoother, cheaper and easier to enforce and implement gradually
  • The regulation is about “structured data running through the enterprise”: the flow of data and how it is organized
  • It requires extensive record keeping to enable ‘proof of compliance’. GDPR requires companies to maintain records of all processing of personal data
  • GDPR believes in embedding privacy measures into corporate policies and everyday activities that involve personal data
  • You must document privacy measures and keep records of compliance
  • Train employees on privacy and data protection, and regularly test and audit your privacy measures. Then use the results to improve policies and controls
  • Every single person acts like a customer: individuals can, for example, request that businesses provide their data in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller (their “right to data portability”), or delete their information by exercising their “right to be forgotten”. The result is much stricter rules in terms of what is called “privacy by design and by default”: consent, notification of data breaches, and mandatory privacy impact assessments
  • Technology won’t solve the issue in the first place. It is more about understanding what businesses need to do, and then a lot of changes in processes. Technology is the last part, perhaps only to enforce and support the system
  • Migrating to cloud computing will ease compliance, but it won’t necessarily refine internal workflows. So even if your company is already a cloud entity or ready to be one, do not rely so much on what cloud vendors claim
  • Utilizing the US Privacy Shield as a final solution is not applicable; Privacy Shield only applies to transfers of data across the Atlantic. The US had negotiated an agreement called the US-EU Privacy Shield with EU regulators that enabled more than 2,000 U.S. cloud companies to transfer the personal data of EU citizens to the U.S. for processing without risk of breaching fundamental European privacy rights. But in January, President Donald Trump signed an executive order that modifies the Privacy Shield agreement in an attempt to avoid running afoul of the EU privacy rules when spying on non-US citizens
  • Standards are good to comply with, but regulations are mandatory. GDPR is not merely good to comply with; it is mandatory if you seek business in Europe
  • Organizations can be fined up to 4% of annual global turnover for breaching GDPR, or €20 million, whichever is greater
  • GDPR is one of the strongest competitive factors in business; it is like a metric that drops companies off the list, or can add them as the only qualified candidate to negotiate a business deal
  • GDPR compliance is a journey which had better start sooner if you want to conduct business with Europe

Does JavaScript Pose A Security Risk?

JavaScript is a silent threat!


I am no longer able to imagine the current structure of the web without JavaScript. This is about online applications in the form of traditional websites; without it, traditional web interfaces would not be able to handle the applications, and the web would collapse without JS!

That does not mean I am a fan of JavaScript in terms of security, even though I am a JS coder myself. Because even with all the sandboxing and native security countermeasures, the way we use it today is risky. What level of risk, and what threat model? It depends on what type of internet user we are dealing with.

For a user with a limited internet browsing scope, whether a home user or a corporate user with strict and secure corporate policies, the risk is very low, assuming the user has a limited number of trusted sources to browse, so exposure is only to known code and applications.

The JavaScript threat is completely out of scope of general endpoint protection solutions


For a user with a wide range of random and unknown sites and applications, at home or in a corporate setting, the possibility of facing malicious JavaScript is very high. This comes either directly from malicious code such as browser extensions and add-ons, or indirectly from malicious ads and other types of metadata. Let’s list some of the common scenarios:

  • Malicious JavaScript in a browser extension records everything you do online
  • Malicious JavaScript in a hijacked ad redirects to any malicious destination
  • Malicious JavaScript within a page mimics signing in with a Google, Facebook or Microsoft account and steals credentials
  • Malicious JavaScript renders the content and misleads the visitor

The possibilities are endless when it comes to creative malicious content. But again, how can you even think about not using the most reputable Net applications by disabling JavaScript?


The beauty of JS from a hacker’s point of view is that it does not matter what type of protection you have, a basic anti-virus or the most sophisticated EDR; none are capable of handling many types of malicious JavaScript code. That means these threats are totally out of scope of general endpoint protection and all those solutions the majority of technology currently relies on.

EU GDPR And Businesses

New European Union General Data Protection Regulation affects United States businesses

EU GDPR will be enforced effective May 2018, after a two-year post-adoption grace period. This raises some concerns about how US businesses might be affected. This is a brief evaluation of all aspects of this regulation in terms of trade with member countries in Europe, and of potential impacts on business processes. GDPR will be a new challenge for business owners in the United States and, actually, all over the (cyber) world.

GDPR applies to all companies (regardless of their physical location) which process and hold the personal data of individuals residing in the European Union member countries (Data Subjects).

Global perspective: what are others doing about GDPR?

It is good to know what others are doing about GDPR. Some data from surveys collected in November 2017 gives us an understanding of what is happening in other companies around the world:

  • 50% do not know about the impact of GDPR on their business
  • 9% of US firms say they have allocated more than $10 million for GDPR compliance
  • 77% budgeted at least $1 million to comply with the regulations
  • 83% of US privacy professionals expect GDPR spending to be in the six figures
  • 61% of US companies have not begun to implement a compliance program yet

Which departments are affected, and is it only IT staff that should be worried about GDPR?

Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, you are subject to GDPR requirements.

Depending on your products (goods or services) and business model, practically all departments of a company are affected by this regulation. At a minimum this includes, but is not limited to, Marketing and Sales, where primary contact with an EU entity would be initiated. Every single marketing email or sales event has the potential of gathering EU citizens’ information. Any communication with EU member countries, whether virtually, through phone, email or websites, ends up storing citizens’ information in some form and falls within GDPR boundaries. The outermost layers of a business are the first affected business nodes.

In order to identify the scope of your journey to compliance, or even to luckily find you are not affected at all, you need to review your business workflow in depth, and that is a systematic approach rather than blindly jumping tech-first into the middle of the battle! Today’s businesses rely more and more on technology, mainly software, but that does not mean you need to start with your tech departments (IT engineering, software development, webmasters…) first. The very first step is to know your workflow. If you already have this piece, then you are well ahead of others.

Do you need help implementing GDPR? Do you need a gap analysis?

The answer can easily be determined via a gap analysis, but first evaluate the level of knowledge in your organization regarding regulations and particularly GDPR. Chances are there is a tech-savvy person with a basic understanding of the subject; otherwise you have to seek external consultation to do the primary analysis and write a plan for implementation.

For the implementation itself, it really depends on the result of the analysis. If systems and workflows are clearly documented, the implementation will be connecting the dots from system to technology. You may need help choosing the technology, but that is not a big deal as long as you can define the problem and know exactly what is missing.

Without a clear understanding and documented systems and workflows, starting right off the bat with data mapping will be tedious and, depending on company size, it requires extra help.

There are some generic actions described here.

GDPR: Primary Actions

GDPR: start from scratch with these primary steps

The following steps can be helpful in identifying where you are in the GDPR compliance journey. Consider this a quick audit towards a more comprehensive gap analysis to understand your current situation:

  • Role identification: identify whether you are a data controller, a data processor, or both.
  • Identify all data collection/processing systems and workflows, knowing where the data came from, every entity it has been shared with, and every location where it is stored.
  • Conduct a full audit, which can be labor-intensive and time-consuming but is inevitable: how you currently process customers’ private data, e.g. financial information, marketing facts…
  • Determine whether you need to appoint a Data Protection Officer and designate a contact that will cooperate with the GDPR supervisory body.
  • Develop consent and disclosure forms covering all possible uses of data.
  • Ensure you have policies to notify EU citizens of potential breaches when their data is affected.
  • Revise Privacy policy and privacy practices to meet GDPR requirements.
  • Awareness: make sure business associates and subcontractors are aware of their requirements under GDPR.
  • Review policies on data retention. There is a maximum time limit for the storage of data on EU citizens and data can only be kept until the purpose for which the information has been collected has been achieved.
  • Other initiatives: utilize your other regulatory initiatives or privacy and security programs.
  • Consider utilizing Privacy Shield if data transfer across borders is required. You may need to start participating in this program.

The first challenge is to identify your definition under GDPR: data controller, data processor, or perhaps both. This changes many things going forward because the obligations are different and each has a different set of requirements. As I have mentioned multiple times, know your workflow to locate where data resides within systems and processes. This is going to be the biggest audit of your organization. Even if you sign off from GDPR later for any reason, the value of this journey affects your business in a positive way forever.

IT System Administration Good Exercises: Event Lookup!

Computer administration is all about how the system and network are running at the moment. What else could be more important than how the zeros and ones are really interacting in the background?

System and network administration starts and ends with the lowest level of these environments. The places we barely look at are the source of system and network information: the pieces that are crucial to administration and to proactively finding flaws. Actually, many future and potential security vulnerabilities also start showing signs at the lowest level of systems and networks.

In Windows, the main (but not the only) source of system events is the System log under Windows Logs. We could use many interfaces and tools to query this database, but the easiest way is to use the Windows Event Viewer user interface (eventvwr.msc or eventvwr.exe under \windows\system32).

One of the good exercises is to check this log regularly. It may sound funny, but “regularly” could mean annually, which is still better than zero, which is what most system administrators choose. If you are not checking the Windows System log, then you simply do not know what is going on in the systems you are administering. Even though this is only the starting point, it is crucial to look for system anomaly events and start investigating them.

This is not the time and place to go through the types of events and build the skill of event analysis or train your eyes, but it is the time and place to emphasize the importance of the System log database, where you can start finding issues and tuning up your system and network before an issue turns into something bigger, or before a user calls you to say that his machine is so slow and you have no clue why your nodes sometimes start acting up.

I recommend reviewing the System log at least every other week and finding red flags for further investigation and analysis. Over time you could develop simple scripts and alerts to trigger on certain repeated issues, but you always have to go through it every once in a while to keep sight of your systems.
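The kind of simple script the paragraph above has in mind, as an added example (not code from the original post): it pulls Critical, Error and Warning events from the System log for the last two weeks, groups them by source and event ID so that a noisy repeat offender and a rare one-off anomaly are separated, and saves the summary so runs can be compared over time. It assumes a Windows host with PowerShell 5.1 or later and read access to the System log; the review window and output size are assumed defaults.

```powershell
# Added example: bi-weekly System log triage. Not part of the original post.
# Assumes Windows PowerShell 5.1+ and read access to the System log.
param(
    [int]$Days = 14,   # review window; the post recommends at least every other week
    [int]$Top  = 15    # how many recurring Provider/ID pairs to print
)

$since = (Get-Date).AddDays(-$Days)

# Level 1 = Critical, 2 = Error, 3 = Warning. A FilterHashtable is evaluated by the
# event log service itself, so this is much faster than piping every event to Where-Object.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Level     = 1, 2, 3
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No Critical/Error/Warning events in the System log since $since"
    return
}

# Group by source and event ID. The same pair firing hundreds of times is usually the
# "something running with a problem in the background" that the post talks about.
$summary = $events |
    Group-Object ProviderName, Id |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeCreated
        $first  = $sorted[0]
        [pscustomobject]@{
            Provider = $first.ProviderName
            Id       = $first.Id
            Level    = $first.LevelDisplayName
            Count    = $_.Count
            First    = $sorted[0].TimeCreated
            Last     = $sorted[-1].TimeCreated
            # Message is $null when the provider's message DLL is not registered locally.
            Sample   = if ($first.Message) { ($first.Message -split "`r?`n")[0] } else { '<no message template>' }
        }
    } |
    Sort-Object Count -Descending

Write-Output "Top $Top recurring System-log issues on $env:COMPUTERNAME (last $Days days):"
$summary | Select-Object -First $Top | Format-Table Provider, Id, Level, Count, First, Last -AutoSize

# Rare events are the anomalies the post says to investigate first, so list them separately
# rather than letting them drown at the bottom of the count-sorted table.
Write-Output "Rare events (seen at most twice in the window):"
$summary | Where-Object Count -le 2 | Format-Table Provider, Id, Level, Last, Sample -AutoSize -Wrap

# Keep each run next to the previous ones so the next review can diff against it.
$summary | Export-Csv -NoTypeInformation -Path ("System-review-{0:yyyyMMdd}.csv" -f (Get-Date))
```

Run it from an elevated prompt if the host restricts log access, and feed the CSV files into whatever diffing or alerting you build later.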

If your system administrator tells you s/he doesn’t have time to do this, it is like saying I do not have time to make sure my bike is working fine on the weekend, so I walk to the office every day and I am always late for that reason! Excuses like time and resources in this regard are like saying I am willing to work with an old-fashioned lawn mower just because I do not have time to go to the garage and plug the new, faster one into the outlet!

System logs give you a lot of information about the computers you are managing. This won’t be limited to the system you are investigating; you will find things that are global within the environment: specific to a piece of software, a segment of the network, an application malfunctioning, or just performance issues. The latter has generally been ignored among IT staff because they find replacing equipment faster and easier than troubleshooting, but it is funny when we replace something and the issue remains unsolved.

How many times have you found a system with performance issues related to a hardware malfunction? A lot, right? But I assure you that you will find more performance issues related to the fact that the system is not tuned up and many things are running with problems in the background.

But performance is not why I am insisting on looking up System logs. You will find security issues that have no reflection in the actual Security log. You will find useful correlation with other logs of the system, network issues, applications, Active Directory, and many things for which the System log is not directly the place to follow them, but they leave artifacts and footprints there.

Develop a simple process to review these logs, and you will find yourself proactively mitigating issues before they turn into global system and network problems.

GDPR In A Glance

A Summary of New European Union General Data Protection Regulation

The purpose of this legislation is to protect the personal data of EU citizens, including how that data is collected, stored, processed/used, and destroyed once it is no longer needed.

The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years.

EUGDPR.ORG

The main purpose of the regulation is to give individuals enough power to choose how their personal information is kept, processed or discarded.

GDPR defines personal data as “Any information relating to an individual or identifiable natural person” including names, addresses, telephone numbers, email addresses, credit card details, financial information, medical information, posts on social media websites, biometrics and genetic data, location data, an individual’s IP address and other online identifiers.

The rights afforded to EU citizens and the major GDPR requirements include:

  • Data is only collected when there is a legal and lawful reason for doing so
  • Obtaining consent before personal data is collected, stored, or processed
  • Implementing controls to ensure the confidentiality of data is safeguarded
  • Training employees on the correct handling of personal data
  • Ensuring individuals’ right to be forgotten can be honored and that it is possible to permanently erase all collected data
  • Ensuring individuals are informed about how their information will be collected and used, similar to the Notice of Privacy Practices required by HIPAA
  • Making sure data transfers across borders occur in accordance with GDPR regulations
  • Putting data breach notification policies in place to ensure EU citizens receive notification of a breach of their personal data
  • Appointing a Data Protection Officer, where necessary

History

The European Union’s parliament approved the GDPR in April 2016; it entered into force in May 2016, and the two-year grace period will end in May 2018.

GDPR applies to all companies, regardless of their physical location, that process and hold the personal data of data subjects (individuals, citizens) residing in European Union member countries.

GDPR is literally a risk-based framework focusing on PII (personally identifiable information): anything from name, gender and address, to bank account info, even sales and marketing transactions, which are normally collected during the course of any typical business interaction.

What is the potential loss of non-compliance?

Organizations can be fined up to 4% of annual global turnover for breaching GDPR, or €20 million, whichever is greater. This is the maximum fine that can be imposed for the most serious infringements, i.e. not having sufficient customer consent to process data or violating the core of the Privacy by Design concepts.

The cost of GDPR noncompliance is high, but what about more positive incentives to be compliant?

The details of how the EU is going to enforce GDPR, and how noncompliant businesses are going to be proactively identified, are not clear now, but the community believes any company around the world that has a web presence and markets its products over the web will have some homework to do.

Does your firm need to become GDPR compliant? Not necessarily, if there is zero business relation with the EU, but that is very unlikely for most businesses, even in the USA.

References

EU member countries

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Republic of Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • UK

For details refer to official publications:

EU GDPR 2016/679 General Data Protection Regulation

GDPR glossary of terms