“Only amateurs attack machines; professionals target people. And any solutions will have to target the people problem, not the math problem” – Bruce Schneier.
Today, the Security Operations Center (SOC) is the heart of enterprise security management. Security analysts in a SOC typically use a Security Information and Event Management (SIEM) system as the core platform of their daily operations. SIEMs are the primary tools for processing and correlating alerts coming from the enterprise's various security systems. Analysts, the scarcest resource in security operations, are often overwhelmed by the alerts a SIEM generates. As a result:
- They struggle to prioritize which alerts should be analyzed.
- Even if they have a shortlist of alerts, they have limited time to investigate and decide if a red-flag alert is a false positive or indicates a real incident.
Hijacking privileged accounts is a common technique for cyber-criminals – they steal the credentials of a privileged employee (e.g. a system administrator) and, acting as a legitimate user, gain potentially UNLIMITED access to customer data and the underlying IT infrastructure (e.g. servers, databases, etc.). Sophisticated, well-funded cyber-criminals target privileged accounts because the access they provide makes it possible to steal data on a massive scale, disrupt critical infrastructure, and install malware. Attacks usually unfold over a period of months, allowing intruders to perform reconnaissance, escalate privileges, cover their tracks and finally exfiltrate data. Research indicates such attacks take months or even years to discover. Furthermore, according to a ZDNet article, the NSA also targets the personal accounts of sysadmins to exploit networks… The threat is not only external, either: a disgruntled employee or a financially motivated insider can also do harmful things in systems; among companies experiencing data breaches, internal actors were responsible for 43% of data loss.*
All in all, research indicates that the common denominator across the top four categories of security incidents – accounting for nearly 90% of incidents – is people.** Collecting and reporting detailed data about privileged user activity in SIEM systems is therefore key to SOC efficiency.
A Helping Hand for SOC Analysts
Balabit’s strategic goal is to improve the efficiency of the SOC by enabling faster investigation of incidents related to privileged account misuse. To improve the productivity of security analysts, Balabit Privileged Session Management (PSM) offers certified integration with the leading SIEM systems, HP ArcSight and Splunk. PSM can send user-related logs and activity information to these systems. With the help of PSM’s real-time monitoring and movie-like session replays, security analysts gain a deeper view of suspicious sessions, and with the complete user context they can make more informed decisions. On top of that, integrating Balabit’s privileged user behavior analytics module, Privileged Account Analytics (PAA), into the SOC can further increase analyst productivity. PAA can provide the results of its algorithms to SIEM tools, including:
- Issued commands and applications
- Algorithm scores
- Prioritized user and activity lists, or
- Quick access to the session recordings of privileged users.
Daily security operations are greatly simplified, as manually downloading and inspecting user-related logs becomes unnecessary – all the information is searchable and visualized in the SIEM GUI through a single pane of glass. Besides lowering forensics costs, this also helps prevent successful APT attacks and find the root cause of a problem, because it offers reliable, easily interpreted evidence of user activity. All in all, incident management is improved by more reliable alerting, faster investigations and deep, forensics-level visibility into high-risk user actions.
* Intel Security, Grand Theft Data – Data exfiltration study: Actors, tactics, and detection
** Verizon, Data Breach Investigations Report 2015