shoulder surfing cafeteria

Estimated reading time: 8 minutes

The term shoulder surfing might conjure up images of a little surfer on your shirt collar, but the reality is much more mundane. Shoulder surfing is a criminal practice in which thieves steal your personal data by spying on you while you use a laptop, ATM, public terminal or other electronic device in the presence of other people. This social engineering technique is a security risk that can lead to disaster, especially if the stolen credentials are corporate.

The practice long predates smartphones and laptops: it dates back to when criminals spied on pay phone users as they entered their calling card numbers to make calls. Many years have passed, but the technique has not been lost. Thieves have moved on to observing their victims typing their ATM PINs, paying at self-service petrol pumps, or even making a purchase in a store.

A similar technique for ATM theft involves a card cloning device fitted over the card slot and a micro camera that spies on the PIN. The micro camera performs an act of shoulder surfing. Card cloning is essential because without a physical copy of the card the PIN is useless, but in the case of online account credentials, a username and password are all that is needed.


When does Shoulder Surfing take place?

Shoulder surfing can happen whenever you enter personal information in a public place. This includes not only ATMs, coffee shops and POS devices in general, but virtually any place where you use a laptop, tablet or smartphone to enter personal data.

Early shoulder surfers did not usually loom behind their victims to scrutinize the information. Instead, they stood at a safe distance and interpreted finger movements as people typed numbers on the keypad. Similarly, today’s social engineers often escape attention as they quietly observe others in public places such as airport lounges and shopping malls, bars and restaurants, on trains or subways, or frankly wherever there are people.

Indeed, today’s most sophisticated criminals watch from further away, hidden from view. They may use binoculars, micro cameras, or the camera of their phone or tablet to capture your screen or keyboard. Not only that, they may eavesdrop as you read out credit card numbers on the phone or provide other sensitive information. Criminals can also take pictures or make a video or audio recording of the information and interpret it later.

Whatever the methodology, it is clear that technology has not only helped us to be more connected and to pay for a frappuccino with our mobile phone, but has also exposed us to security risks. When it comes to sensitive data, especially if a corporate account is involved that could give access to other people’s sensitive data, you should never let your guard down: the consequences could be very serious.

How shoulder surfing commonly happens

Before suggesting some methods to prevent shoulder surfing that you can put into practice immediately, let’s take a closer look at how credential theft can happen with this technique.

At the bar or in the cafeteria

You’re in a busy restaurant bar waiting for a friend. To pass the time, you log in to Instagram. Unfortunately, you don’t notice that the person stuck in line next to you is watching you type your password, which happens to be the same one you use for your email and bank account.

At the ATM

You’re withdrawing cash at an ATM. You feel safe because the man behind you in line is at least 10 feet away and is even looking at his phone. In fact, he is recording your finger movements with his phone and will later decode them to get your PIN.

At the airport

Your flight is delayed, so you grab your laptop and kill time by reading a couple of work emails to keep up to date. You log in to the company website to read your mail, entering your username and password. You are so relaxed that you don’t notice the woman a few seats away staring at your screen while you type.


What are the consequences of shoulder surfing?

Using your credit card information to make fraudulent purchases is just one example of the damage you could suffer if you fall victim to shoulder surfing. The more personal information a criminal captures about you, the more serious the consequences can be for your bank account and financial health.

A serious case of shoulder surfing can expose you to identity theft. A criminal could use your personal information, such as your social security number, to open new bank accounts, apply for loans, rent apartments, or apply for a job in your name. An identity thief could get their hands on your tax refund, use your name to get medical treatment, or even apply for government benefits in your name. They could also commit a crime and provide your personal information when questioned by the police, leaving you with a criminal record or an arrest warrant.

Of course, if you suspect this has happened, you’ll need to go to the police immediately, block your checking accounts and notify the bank. If fraudulent actions have already been carried out in your name, you may need to prove that you are not involved.

Things get dangerous if the stolen data belongs to a corporate account. With valid credentials, anyone could enter the company’s systems and perform all kinds of actions, such as collecting additional data, planting malware, running ransomware, or stealing customer data and selling it online.

How to defend yourself from shoulder surfing

Two levels of protection can be identified: the first is proactive and aims to prevent credentials from being exposed to malicious people; the second is active and relies on software to detect attempts to use stolen credentials.


Defend yourself proactively

If you really can’t avoid entering sensitive data on your laptop, tablet or smartphone in a public place, you should follow the countermeasures listed below.

Tip 1: Before entering any sensitive data, find a safe place. Make sure you sit with your back to a wall. This is the best way to protect yourself from prying eyes. Avoid public transport, the central seats of a waiting room and places with a lot of people coming and going.

Tip 2: Use a privacy filter. This hardware device is a simple polarized translucent sheet that is placed over the screen. It makes your screen look black to anyone viewing it from an off-axis angle, which makes it much more difficult for unauthorized people to see your information.

Tip 3: Two-factor authentication requires a user to prove their identity using two different authentication factors that are independent of each other. Since authentication only succeeds when both factors are used correctly in combination, this measure is particularly effective: a shoulder surfer who captures your password still lacks the second factor. For example, it is widely used in online banking. Many services allow you to use your mobile phone as a second authentication factor, through dedicated apps.

Tip 4: Another solution is to use a password manager. By doing so, you no longer have to type each password individually on your computer. The password manager does this for you after you enter your master password. This prevents unauthorized people from watching your keyboard to work out the real password, provided that you properly protect your master password.

Actively defend yourself with a SOC and behavior analysis

Now let’s imagine that the corporate account credentials have been stolen. At this point only a behavior analysis system can raise an alarm and block the user before any damage is done.

In fact, with correct credentials a traditional SIEM would not raise any alarm. For an older generation SIEM, the access would be legitimate, because the credentials are correct. The attacker would have free, undisturbed access to the system and could continue with their attack plan.

With SOD’s SOCaaS service, however, the abnormal access would raise an alarm. The SOC provided is equipped with a Next Generation SIEM and a UEBA (User and Entity Behavior Analysis) system. This means that any deviation from the user’s usual behavior would be reported.

In the case of credential theft, as happens with shoulder surfing, the access made by the attacker would therefore raise an alarm because something does not fit the user’s profile. For example, the login could take place at unusual times, from another country or IP address, from a different operating system, and so on.

Conclusions

Shoulder surfing is a social engineering technique that exploits user carelessness while entering sensitive data into a system. If a user’s corporate credentials are stolen, the only really effective defense is a system that analyzes user behavior and reports whenever suspicious actions are detected.

If you want to know in detail how a SOC and UEBA system can help your company defend against social engineering attacks, do not hesitate to contact us; we will be happy to answer any questions.

Logic time bomb

Estimated reading time: 6 minutes

A logic bomb, also called slag code, is a piece of code inserted into an application, virus or malware that performs a malicious function after a certain time limit or under specific conditions.

These “bombs” are often delivered via viruses, worms and Trojans to time the attack and do maximum damage before being noticed. They perform actions such as corrupting or altering data, reformatting a hard drive, and deleting important files.

In this article I want to explain what a logic bomb is and offer some suggestions for preventing damage.


What is a logic bomb virus?

A logic bomb is often embedded in a virus or otherwise in an executable file. It consists of malicious code that triggers an attack when specific conditions are met. Conditions can be positive (something that happens) or negative (something that doesn’t happen). An example of a positive condition is a program being opened; an example of a negative condition is a user who does not log in.

Logic bombs are often installed by someone with high level access, such as a sysadmin. Such a person can wreak havoc by planting this code on multiple systems and programming it to “explode” simultaneously when a certain event occurs. For example, the bomb could trigger when a certain employee is removed from the payroll database, i.e. when they are fired.

The term slag code refers to manipulated code that makes an otherwise safe program malicious. Time bombs are the most common variant of logic bomb and use the passage of a certain amount of time as a positive condition.

Whatever the name used, the method of attack is the same: the code remains dormant in the infected software until it is triggered. Common attacks involve data corruption, file deletion and hard drive wiping.

How does it work

How a logic bomb works depends on who designed it. Each logic bomb is unique, which is why they are difficult to track. They are usually customized to be as undetectable as possible and are often disguised to look like a typical computer virus or embedded in other types of malware such as worms. Worms and viruses are different, but logic bombs don’t care about the distinction: they can cause damage through both.

Is a logic bomb actually malware? Since it is part of another program, strictly speaking no, but it almost always has malicious intent. This is why slag code is so difficult to detect. Furthermore, being “only” code that can potentially be inserted anywhere, mitigating the risk is more complicated.

The best thing to do, as an end user who might be caught up in a logic bomb attack, is to stay alert and ask your company’s IT experts to carry out the necessary checks if in doubt. The risk is unintentionally triggering the bomb while trying to find it.

Examples of attacks

Logic bombs can subtly change a snippet of code so that it looks technically normal to an automated threat detection system, while appearing highly suspicious to the human eye. In 2016, a freelance programmer deliberately caused a recurring spreadsheet malfunction at a subsidiary of Siemens. The subsidiary kept hiring him to solve the problem he had caused himself (Source). In this case, the employees did not suspect anything until a lucky coincidence brought the malicious code to light.

Even companies can use logic bombs against their customers. In 2005, Sony was embroiled in a scandal for releasing CDs that triggered a logic bomb when inserted into a computer. The slag code on the CDs installed a rootkit that blocked the PC’s ability to copy CDs. (Source)

Another high-profile case occurred in the early 2000s, when a UBS Global employee, angered by a salary dispute, planted a logic bomb that caused more than $3 million worth of damage. A clear sign that a very small code snippet can cause a great deal of damage. (Source)

In 2013, a time bomb attack in South Korea wiped the hard drives of several banks and broadcasting companies. The group responsible put the time bomb inside a piece of malware that ended up infecting over 32,000 systems. The bombs all went off together, causing chaos across the country. (Source)


Where did they come from and how to prevent logic bombs

As we have also seen in the examples, logic bombs are typically distributed within a closed network, such as that of a company or branch. One of the likely sources is a disgruntled employee with administrator access, so careful monitoring of the activity of staff who are leaving the company should reveal anything suspicious. But that’s not all: logic bombs can also be placed in email attachments and suspicious file downloads, so users should be vigilant when choosing which files to download.

As we saw when we talked about phishing and social engineering, the most hackable part of a system is often its users. This is why a preventive campaign is always an excellent choice. Taking care of staff also means offering specific training through ethical phishing services.

In addition to prevention, it is wise to limit administrative privileges to a select group of employees, so that someone is less likely to cause serious damage to your network with a logic bomb. This preventive measure also reduces the number of suspects in the event of an attack, making membership of that specific group of employees in itself a deterrent against insider attacks.

The solution proposed by SOD

Where prevention fails and attackers get in, advanced monitoring and analysis systems come into play.

SOD offers, for example, a SIEM system within its SOC as a Service solution. The SIEM constantly collects information on what is happening in the network. This information is then enriched with contextual metadata to standardize it and manage it better. This alone is capable of triggering alarms when suspicious events occur. But if that were not enough, the SOC also has a “User and Entity Behavior Analysis” (UEBA) tool that analyzes user behavior and, with the help of AI, is able to identify suspicious behavior.

If you want to know more about the SOC service we offer, or if you have any questions about how SOD can help you keep your business safe, don’t hesitate to contact us. We will be happy to answer any questions.

Long-term search - SOCaaS news

Ransomware commonly arrives with an email that tricks users into trusting a malicious file. Many of the most recent data breaches were completed because a user had fallen victim to such an attack shortly beforehand. Threats such as ransomware, which focus on compromising users, are leading more and more companies to adopt user and entity behavior analysis (UEBA) in their security operations center (SOC). The new features of the SOC service, including long-term search, add further tools for the optimal management of corporate security.

We continue to innovate our platform to increase the power of the SOC in fighting ransomware and other threats. In our latest release, we have added even more machine-learning and context-aware detection capabilities that enable security analysts to tackle the most sophisticated attacks. Furthermore, the latest updates bring ever greater ease of use for security architects.


Long-term search for the security analyst

The service introduces a number of innovations to reduce detection and response times for security analysts and threat hunters.

Improved detection of sophisticated threats

– Long-term search helps analysts discover hidden threats by providing search capability over archived data. The search is scalable and does not affect SIEM performance.
– Analytics Sandbox helps reduce false positives by providing an online QA environment to test and validate use cases.
– Persona-based threat chains detect advanced threats more accurately, including the dynamic relationships between users, hosts, IP addresses and email addresses. Analysts benefit from greater visibility into the progression of an attack. This feature combines suspicious activity from a single user into a single prioritized alert, instead of separate and unrelated alerts.
– Relative Rarity offers analysts broader context on how rare an event is compared to all other events in their environment.
– Viewing security alerts using the MITRE ATT&CK threat framework helps analysts prioritize risk and reduce response times.

Reduction of response times

– Improved case management allows better management, sharing and investigation of alarms, allowing operators to respond more quickly.
– New EDR integrations improve incident response by providing additional endpoint data from CarbonBlack Defense, Tanium, Symantec DLP and others.
– Better search views improve the analyst experience by reducing detection and response times. They help analysts easily identify compromised accounts, data exfiltration and associated hotspots.

Why long-term search is so important

With a global dwell time of around 60 days on average, threat hunting continues to be an important part of cybersecurity resilience. However, searching through historical data usually takes a long time.

Many vendors are unable to dynamically scale a quick search through archived data without significant effort. The latest features of our SOCaaS give threat hunters this capability, with long-term search on an almost unlimited scale. With long-term search, organizations can reduce the time it takes to investigate and find threats that are already in their environment.

Analysts need to continually query the data to see if there are new threats. For example, an analyst might learn from a trusted source that their industry has been targeted. They then need to check a newly discovered indicator of compromise against historical data to verify whether an attacker is already inside.

Through long-term search, the native SIEM of SOD’s SOCaaS allows threat hunters to be proactive, making searches of historical data fast and convenient.

Conclusions

By introducing new technologies into our SOC service, we are offering more and more security for our customers.

We take care of your data by verifying not only that it is safe now, but also that it has not been breached in the past. If we suspect a new threat, we know how to spot it.

If you have any questions, contact us, we will be happy to answer all your questions.


shadow IT

The practice of shadow IT is the use of computer systems, devices, software, applications and services without the explicit approval of the IT department. In recent years, it has grown exponentially with the adoption of cloud-based applications and services.

While shadow IT could improve employee productivity and drive innovation, it can also introduce serious security risks to the organization due to data breaches, potential compliance breaches and more.

Why users practice shadow IT

One of the main reasons employees resort to shadow IT is simply to work more efficiently. A 2012 RSA study reported that 35% of employees believe they need to bypass their company’s security policies just to get their job done properly. For example, an employee may discover a better file sharing application than the one officially allowed. Once they start using it, its use may spread to other members of the department.

The rapid growth of cloud-based consumer applications has also increased the adoption of shadow IT practices. The days of packaged software are long gone; common applications such as Slack and Dropbox are available with a simple click, and corporate data is easily copied beyond work applications to employees’ personal devices, such as smartphones or laptops, especially under BYOD (Bring Your Own Device) working arrangements.

Shadow IT: Security Risks and Challenges

The point is that if the IT department is not aware of an application being used, it cannot support it or guarantee that it is secure. Industry analyst firm Gartner predicted in 2018 that by 2020 one-third of the successful attacks experienced by businesses would target their shadow IT assets.

While it is clear that the practice will not go away, organizations can minimize risks by educating end users and taking preventative measures to monitor and manage unauthorized applications.

Not all shadow IT is inherently dangerous, but some functions such as file sharing, storage and collaboration (for example, Google Docs) can cause sensitive data to leak. This risk goes beyond applications alone: the RSA study also reports that 63% of employees send work documents to their personal email to work from home, exposing data to networks that cannot be monitored.

In times like the one we are experiencing, in which remote working is encouraged and, in some cases, the only possible solution, it is essential to keep an eye on the applications in use on employees’ computers.


Benefits of Shadow IT

Despite the risks, shadow IT has its advantages. Getting IT approval can take time that employees can’t afford to waste. For many employees, approval is a productivity bottleneck, especially when they can get a fix in minutes.

Having IT behave like an Orwellian “Big Brother” doesn’t always help productivity. Identifying cases of positive shadow IT can be the best compromise. Finding a middle ground allows end users to look for the solutions that work best for them, while giving IT time to control user data and permissions for those applications. If end users do not need to request new solutions, the IT department gains time to focus on more critical tasks.

Proactive defense

Whatever the reason shadow IT occurs, if the IT department is unaware of it, the risk of a breach is high. What corporate cyber security departments should do is implement automated traffic and behavior monitoring systems.

The solution offered by a SOC as a Service is the most complete in this respect. It allows you to keep an eye on all the devices in the system and also to monitor user behavior.

Thanks to the Next Gen SIEM and UEBA systems, the collection of usage data is easy and manageable in real time. The collected data is enriched and aggregated to give analysts the most complete view possible and allow rapid intervention. Meanwhile, the UEBA system checks that there is no anomalous behavior by users or suspicious outgoing data traffic.

Shadow IT, while not usually a malicious attack, is a practice that should be discouraged and, since it is risky, nipped in the bud.
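As an added example (not code from the article or from SOD’s products), the following Python script applies the article’s idea of automated traffic monitoring to a constructed web proxy log: it reports, per user, the hosts outside an assumed IT allowlist, classifies the consumer services the article names (Slack, Dropbox, personal email) and marks users who upload more than an assumed 5 MiB to unapproved hosts as a data leak risk. Host names, users, byte counts, the allowlist and the threshold are all constructed.

```python
from collections import defaultdict

# Constructed proxy log (not real traffic). Each line is:
# "<timestamp> <user> <method> <host> <bytes_out>"
PROXY_LOG = [
    "2024-03-12T09:01:00 alice GET  intranet.example.com 512",
    "2024-03-12T09:03:00 alice POST files.example.com 20480",
    "2024-03-12T11:20:00 bob   GET  slack.com 1024",
    "2024-03-12T11:22:00 bob   POST files.slack.com 3145728",
    "2024-03-12T17:45:00 carol POST webmail.example 9437184",
    "2024-03-12T18:02:00 dave  POST dropbox.com 104857600",
    "2024-03-12T18:10:00 dave  GET  unknown-tool.example 2048",
]

# Assumed allowlist: applications approved by the IT department
SANCTIONED = {"intranet.example.com", "files.example.com"}

# Consumer services of the kind the article mentions, by risk category
KNOWN_SHADOW_IT = {
    "slack.com": "collaboration",
    "dropbox.com": "file sharing",
    "webmail.example": "personal email",
}

# Assumed threshold: more than 5 MiB uploaded to unapproved hosts is high risk
UPLOAD_THRESHOLD = 5 * 1024 * 1024


def parse_proxy(lines):
    """Turn the proxy log lines into event dicts."""
    events = []
    for line in lines:
        ts, user, method, host, bytes_out = line.split()
        events.append({"ts": ts, "user": user, "method": method,
                       "host": host, "bytes_out": int(bytes_out)})
    return events


def registered_domain(host):
    """files.slack.com -> slack.com (assumes two-label registrable domains)."""
    return ".".join(host.split(".")[-2:])


def classify(host):
    """Category of a known consumer service, or 'unknown' for anything else."""
    return KNOWN_SHADOW_IT.get(registered_domain(host), "unknown")


def shadow_it_report(events):
    """Per-user summary of traffic to hosts outside the allowlist: which hosts
    were contacted, how many bytes were uploaded to them, and whether the
    upload volume crosses the assumed exfiltration threshold."""
    report = defaultdict(lambda: {"hosts": {}, "upload_bytes": 0, "high_risk": False})
    for e in events:
        if e["host"] in SANCTIONED:
            continue                      # approved application, nothing to report
        entry = report[e["user"]]
        entry["hosts"][e["host"]] = classify(e["host"])
        if e["method"] in ("POST", "PUT"):
            entry["upload_bytes"] += e["bytes_out"]
        if entry["upload_bytes"] > UPLOAD_THRESHOLD:
            entry["high_risk"] = True
    return dict(report)


if __name__ == "__main__":
    for user, entry in shadow_it_report(parse_proxy(PROXY_LOG)).items():
        flag = "HIGH RISK" if entry["high_risk"] else "review"
        print(f"{user}: {flag}, {entry['upload_bytes']} bytes uploaded, hosts {entry['hosts']}")
```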


SOAR Security Orchestration

An increasing number of companies leverage SOAR to improve the effectiveness of their cybersecurity operations. In this article, we explain how harnessing the value of SOAR could be crucial to improving the security of your organization.

What is SOAR?

Coined by the research firm Gartner, Security Orchestration, Automation and Response (SOAR) is a term used to describe the convergence of three distinct technology markets:

1. Security orchestration and automation.
2. Security Incident Response Platforms.
3. Threat Intelligence Platforms.

SOAR technologies allow organizations to collect and aggregate large amounts of data and security alerts from a wide range of sources. As a result, both human and machine analysis improve, as do the standardization and automation of threat detection and remediation.

It is estimated that by the end of 2020, 15% of organizations with a security team will leverage SOAR technologies. In 2018 they were 1%.

How is SOAR helping companies overcome security challenges?

Rapid technological evolution is bringing complicated challenges to the IT industry. Threats are constantly evolving, qualified staff are in short supply and the IT estate to be managed keeps growing. As a result, the SOAR concept is helping companies of all sizes improve their ability to detect and respond to attacks quickly. Let’s see how, in practice, SOAR can improve corporate security.

1. Provide better quality intelligence

Tackling the latest and most sophisticated cyber security threats requires a thorough understanding of attackers’ tactics, techniques and procedures (TTP), as well as the ability to identify indicators of compromise (IOC).

SOAR aggregates and validates data from a wide range of sources: threat intelligence platforms, security technologies, intrusion detection systems, and SIEM and UEBA technologies. Through the collected and validated data, SOAR helps SOCs become more intelligence-driven.

The effect of this is that security personnel are able to contextualise incidents, make more informed decisions and accelerate incident detection as well as threat response.

2. Improve the efficiency and effectiveness of operations

The need to manage so many disparate security technologies can put a strain on security personnel. Systems need constant monitoring to ensure they perform efficiently. Furthermore, the thousands of daily alarms they generate can lead to dangerous alert fatigue. The constant switching from one system to another only makes the situation worse, costing teams time and effort and increasing the risk of errors.

SOAR solutions help SOCs automate and semi-automate some of the daily tasks of security operations.

By presenting intelligence and controls through a single panel and using artificial intelligence and machine learning, SOAR tools significantly reduce the need for SOC teams to perform ‘context switching’.

In addition, they can help ensure that processes are managed more efficiently. This improves productivity and the ability of organizations to deal with a greater number of incidents without hiring additional staff. A key goal of the SOAR approach is to help security personnel work smarter, not harder.

3. Improve incident response

To minimize the risk of breaches and limit the extensive damage they can cause, a quick response is vital. SOAR helps the organization reduce mean time to detection (MTTD) and mean time to response (MTTR). Security alarms can be qualified and remedied in minutes, rather than days, weeks or months.

SOAR, therefore, allows security teams to automate incident response procedures. Automated responses can include blocking an IP address on a firewall, suspending user accounts, or quarantining infected endpoints on a network.

4. Simplify reporting

In many cyber security operations centers, frontline workers spend a lot of time managing cases, writing reports, and documenting incident response procedures. By aggregating information from a wide range of sources and presenting it through visual, customized dashboards, SOAR can help organizations reduce this ancillary work while improving internal communication.

In addition, by automating procedural tasks, SOAR helps codify knowledge about threats.

Ultimately, completing tasks faster means more time for threat resolution and mitigation. The longer threats go unaddressed, the greater the chance of damage and disruption.

In conclusion

While both security information and event management (SIEM) and SOAR accumulate relevant data from multiple sources, SOAR services integrate with a wider range of internal and external applications.

At present, many companies are using SOAR services to enhance their internal SIEM software. In the future, as SIEM vendors begin to add SOAR functionality to their services, the market for these two product lines is expected to merge.

SOD applies Next Generation SIEM and UEBA technology to the management of cyber threats and SOAR processes. This guarantees an excellent level of prevention and timeliness. If you want to know more, visit our SOCaaS service page and contact us for more information.



SIEM software: what it is and how it works

 

SIEM in computer science: history


A SIEM solution is one of the essential components of a SOC (Security Operation Center). Its task is to collect information and analyze it in search of anomalies and possible breaches of the system. But the defense process hasn’t always been so simple. What we now call SIEM, Security Information and Event Management, is the union of two different types of cyber security tool.

SIM and SEM: the origins

Before the arrival of a complete SIEM solution, security was heavily focused on the perimeter and did not keep the internal network adequately monitored. The first solutions developed in the 90s were basic and dealt mainly with security information management (SIM) or security event management (SEM). They were available as appliances that had to be deployed on-site in the data center to be protected. This limited scalability, because adding capacity required the purchase of additional equipment.

These early solutions were also built on proprietary databases that forced customers to use technology from a single vendor. If you wanted to move your data to another system, the process was long and complicated. Storage was also more expensive, so only the most valuable data was collected. Furthermore, although SIM and SEM solutions contained all the data necessary for defense, search and alerting were rudimentary, and they depended on experienced security analysts to research, understand and interpret what they found in the data.

SIEM origins in computer science

As data became more sensitive and technology more powerful, SIEM systems (SIM + SEM) became capable of ingesting, processing and storing a great deal of data. These SIEM solutions use signature-based alerts to identify threats in the collected data. However, only threats whose indicators of compromise (IOC) have already been identified can be detected in this way.

To be clear, if the type of attack a system is subjected to has not been catalogued as a set of IOCs, a first generation SIEM is not able to detect it. The main drawback of those systems was their very limited ability to detect unknown cyber threats.

To give a practical example, it was possible to use a rule like this: “raise a warning if a user enters 10 consecutive wrong passwords”. In theory this could be used to detect brute force password attacks. But what if the attacker only tried 9 passwords in a row? Or what if the alarm was raised for a very forgetful user?
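As an added example that is not code from the original articles or from SOD’s service, the following Python script runs this “10 consecutive wrong passwords” rule over a constructed authentication log and, alongside it, the kind of per-user baseline check the shoulder surfing article above attributes to UEBA (a login from a new country, operating system or hour). It serves both passages: the threshold rule catches only the forgetful user, while the baseline check flags the attacker who stops at 9 attempts and the one who logs in straight away with a shoulder-surfed password. Users, IP addresses, timestamps, the baseline cutoff and the one-hour tolerance are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

def failures(day, hour, user, n, country, ip, os_name):
    """Constructed burst of n consecutive failed logins, one minute apart."""
    return [f"{day}T{hour:02d}:{m:02d}:00 {user} FAIL {country} {ip} {os_name}"
            for m in range(n)]

# Constructed sample log (not real data). Each line is:
# "<ISO timestamp> <user> <OK|FAIL> <country> <source_ip> <os>"
AUTH_LOG = [
    # Normal history: office hours, Italian IPs, the user's usual OS
    "2024-03-04T09:02:11 alice OK IT 203.0.113.10 Windows",
    "2024-03-05T08:58:40 alice OK IT 203.0.113.10 Windows",
    "2024-03-06T09:05:02 alice OK IT 203.0.113.11 Windows",
    "2024-03-04T10:12:00 bob OK IT 203.0.113.20 macOS",
    "2024-03-06T10:03:30 bob OK IT 203.0.113.20 macOS",
    "2024-03-05T09:10:00 carol OK IT 203.0.113.30 Windows",
    "2024-03-07T09:07:45 carol OK IT 203.0.113.30 Windows",
    # bob forgot his new password: 11 failures, then success, nothing else unusual
    *failures("2024-03-11", 10, "bob", 11, "IT", "203.0.113.20", "macOS"),
    "2024-03-11T10:12:00 bob OK IT 203.0.113.20 macOS",
    # password guessing against carol that stops at 9 attempts, then succeeds
    *failures("2024-03-12", 3, "carol", 9, "RO", "198.51.100.7", "Linux"),
    "2024-03-12T03:15:00 carol OK RO 198.51.100.7 Linux",
    # alice's password was shoulder-surfed: first attempt succeeds, no failures
    "2024-03-12T03:40:00 alice OK RO 198.51.100.7 Linux",
]

# Assumed split: events before this date build the profile, later ones are scored
BASELINE_CUTOFF = datetime(2024, 3, 10)

def parse(lines):
    """Turn the log lines into event dicts, oldest first."""
    events = []
    for line in lines:
        ts, user, result, country, ip, os_name = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ok": result == "OK", "country": country,
                       "ip": ip, "os": os_name})
    return sorted(events, key=lambda e: e["ts"])

def consecutive_failure_rule(events, threshold=10):
    """Classic SIEM rule: flag a user who fails `threshold` times in a row."""
    streak = defaultdict(int)
    flagged = set()
    for e in events:
        if e["ok"]:
            streak[e["user"]] = 0          # a success resets the streak
        else:
            streak[e["user"]] += 1
            if streak[e["user"]] >= threshold:
                flagged.add(e["user"])
    return flagged

def build_baseline(events, until):
    """Per-user profile (countries, OSes, login hours) from successful logins before `until`."""
    profile = defaultdict(lambda: {"countries": set(), "os": set(), "hours": set()})
    for e in events:
        if e["ok"] and e["ts"] < until:
            p = profile[e["user"]]
            p["countries"].add(e["country"])
            p["os"].add(e["os"])
            p["hours"].add(e["ts"].hour)
    return profile

def behavior_deviations(events, profile, since):
    """UEBA-style check: successful logins after `since` that break the user's profile."""
    alerts = []
    for e in events:
        if not e["ok"] or e["ts"] < since or e["user"] not in profile:
            continue
        p = profile[e["user"]]
        reasons = []
        if e["country"] not in p["countries"]:
            reasons.append("new country " + e["country"])
        if e["os"] not in p["os"]:
            reasons.append("new OS " + e["os"])
        # assumed tolerance: one hour either side of the hours seen in the baseline
        if not any(abs(e["ts"].hour - h) <= 1 for h in p["hours"]):
            reasons.append(f"unusual hour {e['ts'].hour:02d}")
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), reasons))
    return alerts

def run():
    """Apply both detections to the sample log and return their findings."""
    events = parse(AUTH_LOG)
    profile = build_baseline(events, BASELINE_CUTOFF)
    return (consecutive_failure_rule(events),
            behavior_deviations(events, profile, BASELINE_CUTOFF))

if __name__ == "__main__":
    rule_hits, ueba_hits = run()
    print("threshold rule flagged:", sorted(rule_hits))   # ['bob'], only the forgetful user
    for user, ts, reasons in ueba_hits:
        print(f"behaviour alert for {user} at {ts}: {', '.join(reasons)}")
```

Lowering the threshold to 9 would catch the attacker against carol, but it still says nothing about alice, whose password was entered correctly on the first try; only the profile comparison raises that alarm.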

Next Gen SIEM (NGS)

A next generation SIEM is built on a big data platform that provides unlimited scalability and is hosted in the cloud. It includes log management, advanced threat detection based on behavior analysis and automated incident response, all on a single platform.

This eliminates the problems that old on-premises systems were prone to. With nothing to install and the necessary data simply sent to the cloud, the computing power of the local machine is not affected and the SIEM can manage all the data safely.

How a SIEM proceeds in cyber threat analysis

1. Data Collection: An IT SIEM solution collects data from across the organization using agents installed on various devices, including endpoints, servers, network equipment and other security solutions. Next generation SIEM includes support for cloud applications and infrastructure, business applications, identity data and non-technical data feeds.

2. Data enrichment: Enrichment adds further context to events. SIEM will enrich data with identity, resources, geolocation and threat information.

3. Data storage: The data is then stored in a database so that it can be searched during investigations. A next generation SIEM builds on open source and big data architectures, taking advantage of their scalability.

4. Correlation and Analysis: SIEM solutions use several techniques to draw actionable conclusions from SIEM data. These techniques vary greatly.

5. Report: A SIEM, particularly a next generation SIEM, gives you the ability to quickly search for data, allowing you to dig through alerts and search for threat actors and indicators of compromise. The displayed data can be saved or exported. It is also possible to use out-of-the-box reports or create ad hoc reports as needed.

What a SIEM is used for

Threat hunting and investigation

The ability to perform threat hunting on a SIEM is critical to understanding the true patterns of attacks based on access, activity and data breaches. By developing a detailed and contextual view of attacks, security analysts can more easily develop policies, countermeasures and incident response processes to help mitigate and remove the threat.

Incident response

An effective response to incidents is essential to intervene more quickly and reduce the dwell time of the threat. For this, a SIEM provides an incident response playbook with configurable automated actions. A SIEM is able to integrate with third party solutions for security orchestration (SOAR) or individual case management.

Defense against insider threats

Insider threats are such a big problem because they are not about breaching the perimeter, but about exploiting an insider's position. Insiders can be your employees, contractors or business associates. They may themselves want to exploit their position, or their account may have been hacked.

With all kinds of internal threats, the attacker tries to stay hidden, gathering sensitive data to exploit. This could cause significant damage to the company, its position in the industry and its relationship with consumers or investors. By using a SIEM, you avoid this risk.

Cyber threat detection

Your organization is likely to have at least one sensitive data repository. Cybercriminals thrive on looting this data for financial gain. Many breaches begin with a simple phishing email against a target inside the organization. Simply clicking on an attachment can leave malicious code behind. A SIEM will allow you to monitor advanced cyberthreat patterns such as phishing, beaconing and lateral movement.

Compliance standards

For many industries, adherence to compliance standards is critical. A SIEM can help by providing reports focused on compliance requirements. Integrated packages covering all major mandates, including PCI DSS, SOX, and ISO 27001, are a standard feature of SIEMs as well.

Next Generation SIEM

A next generation SIEM is not just a cloud hosted system. It also makes use of the implementation of AI and Machine Learning to increase the defense of the IT system.

We will see it in a future article, but it is right to specify that the SOCaaS offered by SOD makes use of the latest generation technology offered by Next Gen. SIEM systems. Contact us to find out more about it and talk to experts who can dispel all your doubts.


SIEM - Data collection and analysis
Reading time: 5 min

Evolving beyond its roots in log file management, today's security information and event management (SIEM) software vendors are introducing AI, advanced statistical analysis and other analytical methods into their products. But what is SIEM software and what is it used for?

SIEM software

An acronym for Security Information and Event Management, it is a product that gives corporate cyber security professionals an overview and a track record of the activity within their IT environment.

The technology has existed for more than a decade and evolved from the practice of log file management. It combined security event management (SEM), which analyzes log and event data in real time to provide threat monitoring, event correlation and incident response, with security information management (SIM), which collects, analyzes and reports on log data.

How does it work?

The SIEM collects and aggregates the log data generated across the organization's technology infrastructure, from host systems and applications to network and security devices such as firewalls and antivirus filters. It then identifies and categorizes incidents and events, and analyzes them.

The software pursues two main objectives: to provide reports on security-related incidents and events, such as successful and failed logins, malware activity and other potentially malicious activity, and to send alerts if the analysis shows that an activity runs counter to predefined rules, indicating a potential security problem.

According to experts, in recent years the demand from businesses for stronger security measures has driven the market to expand. Today, large organizations look at SIEM as a foundation for building a security operations center (SOC).

Analysis and intelligence

One of the main factors behind the use of SIEM software for security operations is the range of functionality it offers.

Many products offer threat intelligence feeds in addition to traditional log file data. Some SIEM software also has security analytics capabilities and examines network and user behavior to provide more insight into whether or not an action indicates malicious activity.

In general, SIEM tools provide:

1. Real-time visibility across an organization's information security systems
2. Event log management that consolidates data from numerous sources
3. Correlation of events collected from different logs or security sources, using rules that add important information to the raw data
4. Automatic notification of security events. Most SIEM systems provide dashboards for security issues and other methods of direct notification

The SIEM operating process

In practice, the operating process of a SIEM system can be broken down into the following steps:

1. Data collection: All sources of network security information (e.g. servers, operating systems, firewalls, antivirus software and intrusion prevention systems) are configured to send their event log files. Most modern SIEM tools use agents to collect the event logs from corporate systems, which are then processed, filtered and sent to the system.

2. Policy: A policy profile is created by the administrator. It defines the behavior of corporate systems, both under normal conditions and during predefined security incidents. Predefined rules, alerts, reports and dashboards are provided that can be adjusted and customized to specific security needs.

3. Data consolidation and correlation: This software consolidates, analyzes and checks the log files. Events are then categorized based on the raw data, and correlation rules that combine individual events are applied.

4. Notifications: If an event or set of events triggers a SIEM alarm, the system notifies the security staff.
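The steps just listed, and the five-step breakdown under "How a SIEM proceeds in cyber threat analysis" in the first article, as one small runnable pipeline: collection from two log formats, enrichment with identity, asset, geolocation and threat-intel tables, then a correlation rule that produces the alert the staff would be notified about. This is an added example, not SOD's code or any SIEM product's; the log formats, lookup tables and sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

IDENTITY = {"alice": "IT"}                      # constructed: user -> home country
ASSETS = {"ws-fin-07": "alice"}                 # constructed: host -> assigned user
GEO = {"192.0.2.": "IT", "198.51.100.": "US"}   # constructed: IP prefix -> country
THREAT_INTEL = {"203.0.113.45"}                 # constructed: listed destination IPs
AUTH_RE = re.compile(r"^(?P<ts>\S+) sshd: Accepted password for (?P<user>\w+) from (?P<ip>[\d.]+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) fw: (?:ALLOW|DENY) src=(?P<host>[\w-]+) dst=(?P<dst>[\d.]+)$")

def collect(lines):
    """Step 1, collection: parse two raw log formats into normalized event dicts."""
    events = []
    for line in lines:
        if m := AUTH_RE.match(line):
            events.append({"type": "login", "ts": datetime.fromisoformat(m["ts"]), "user": m["user"], "src_ip": m["ip"]})
        elif m := FW_RE.match(line):
            events.append({"type": "netflow", "ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "dst": m["dst"]})
    return events

def enrich(e):
    """Step 2, enrichment: add identity, asset, geolocation and threat-intel context in place."""
    if e["type"] == "login":
        e["country"] = next((c for p, c in GEO.items() if e["src_ip"].startswith(p)), "??")
        e["home"] = IDENTITY.get(e["user"])
    else:
        e["user"], e["listed_dst"] = ASSETS.get(e["host"]), e["dst"] in THREAT_INTEL
    return e

def correlate(events, window=timedelta(minutes=15)):
    """Steps 3-4: alert when a login from outside the user's home country is followed within `window` by that user's host reaching a listed address."""
    alerts, suspicious_logins = [], {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] == "login" and e["home"] and e["country"] != e["home"]:
            suspicious_logins[e["user"]] = e
        elif e["type"] == "netflow" and e["listed_dst"]:
            login = suspicious_logins.get(e["user"])
            if login and e["ts"] - login["ts"] <= window:
                alerts.append({"user": e["user"], "host": e["host"], "login_from": login["country"], "dst": e["dst"]})
    return alerts

def run_siem(lines):
    return correlate([enrich(ev) for ev in collect(lines)])

SAMPLE = [  # constructed sample log lines, not captured from a real system
    "2024-03-01T08:00:00 sshd: Accepted password for alice from 192.0.2.10",
    "2024-03-01T08:05:00 fw: ALLOW src=ws-fin-07 dst=198.51.100.80",
    "2024-03-01T12:30:00 sshd: Accepted password for alice from 198.51.100.23",
    "2024-03-01T12:36:00 fw: DENY src=ws-fin-07 dst=203.0.113.45",
]
```

On the sample, the morning login from Italy and the allowed flow produce nothing; the afternoon login from the US followed six minutes later by the workstation's attempt to reach the listed address yields one alert.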

Clearly, a SIEM stops at threat analysis and the resulting notification. After that, someone has to step in, both by checking the reports and by taking measures to mitigate the possible threat. This can only happen if, behind the software, a team of trained technicians is present 24/7 to maintain it and intervene when necessary.

Conclusions

Although these solutions offer several advantages to businesses of all sizes and shapes, they also have limits and vulnerabilities that should not be ignored.

A SIEM requires constant 24/7 monitoring of logs and alarms, regular maintenance and configuration, and a dedicated security team responsible for managing the software. Most of the work begins after the SIEM has been implemented. Therefore, organizations cannot rely on these solutions alone to protect critical IT infrastructure.

Even with such a system in place, security professionals must ensure they have adequate resources, tools, budget and time to take advantage of its features and ensure complete protection against potential security threats.

From this point of view, the most attractive solution for companies is a SOCaaS, which includes a SIEM and the other tools needed for complete management of a company's cyber security.
