Home > Articles

This chapter is from the book

This chapter is from the book

CompTIA Security+ SY0-601 Exam Cram, 6th EditionCompTIA Security+ SY0-601 Exam Cram, 6th Edition

Learn More Buy

This chapter is from the book

This chapter is from the book

CompTIA Security+ SY0-601 Exam Cram, 6th EditionCompTIA Security+ SY0-601 Exam Cram, 6th Edition

Learn More Buy

Threat Assessment

Since evolving from SIM and SEM, SIEM has for years played a vital role in identifying threats and detecting security incidents. Now organizations are looking for ways to combine threat intelligence with SIEM as the intelligence gained can provide enriched data with greater context through correlation with external information. One trend that has emerged in recent years is that organizations now tend to assume that they have already been breached. Rather than be reactive, security teams look for ways to be proactive rather than simply respond to incidents. Targeted threat hunting assessments have gained popularity as a result, and the programs and tools continue to evolve.

Security Information and Event Management (SIEM)

A security information and event management (SIEM) system provides the technological means to accomplish a number of goals related to security monitoring, including the following:

  • ▸ Identifying internal and external threats

  • ▸ Monitoring activity and resource usage

  • ▸ Conducting compliance reporting for internal and external audits

  • ▸ Supporting incident response

SIEM tools collect and correlate and subsequently provide alerts and information dashboards based upon that data. SIEM output can be used proactively to detect emerging threats and improve overall security by defining events of interest (EOI) and resulting actions. SIEM systems are the main element in compliance regulations such as SOX, GLBA, PCI, FISMA, and HIPAA. SIEM systems provide a plethora of fine-grained details to support incident response programs. The purpose of SIEM is to store and turn a large amount of data into knowledge that can be acted upon. SIEM systems are generally part of the overall security operations center (SOC) and have three basic functions:

  • ▸ Centrally managing security events

  • ▸ Correlating and normalizing events for context and alerting

  • ▸ Reporting on data gathered from various applications

EXAMALERT

Individual log data sources can generate more than 100,000 events each day, so answering critical questions about how much data to log from critical systems is important when deciding to use a SIEM system.

Consider, for example, that just one intrusion detection sensor or log data source can generate more than 100,000 events each day. SIEM systems rely on log collectors, which are responsible for aggregating and ingesting the log data from the various sources such as security devices, network devices, servers, and applications. Log aggregation is the process by which SIEM systems combine similar events to reduce event volume. SIEM systems aggregate data from many network sources and consolidate the data so that crucial events are not missed. By default, events are usually aggregated based on the source IP address, destination IP address, and event ID. The purposes of aggregation are to reduce the event data load and improve efficiency. Conversely, if aggregation is incorrectly configured, important information could be lost. Confidence in this aggregated data is enhanced through techniques such as correlation, automated data filtering, and deduplication within the SIEM system.

Event aggregation alone is not enough to provide useful information in an expeditious manner. A common best practice is to use a correlation engine to automate threat detection and log analysis. The main goal of correlation is to build EOIs that can be flagged by other criteria or that allow for the creation of incident identification. To create EOIs, the correlation engine uses data aggregated by using the following techniques:

  • ▸ Pattern matching

  • ▸ Anomaly detection

  • ▸ Boolean logic

  • ▸ A combination of Boolean logic and context-relevant data

Finding the correct balance in correlation rules is often difficult. Correlation rules that try to catch all possible attacks generate too many alerts and can produce too many false-positive alerts.

A SIEM facilitates and automates alert triage to notify analysts about immediate issues. Alerts can be sent via email but are most often sent to a dashboard. To help with the large volume of alerts and notifications that SIEM systems generate, these systems typically provide data visualization tools. From a business perspective, reporting and alerting provide verification of continuous monitoring, auditing, and compliance. Event deduplication improves confidence in aggregated data, data throughput, and storage capacity. Event deduplication is also important because it provides the capability to audit and collect forensic data. The centralized log management and storage in SIEM systems provide validation for regulatory compliance storage or retention requirements. Regarding forensic data and regulatory compliance, WORM (write once read many) drives keep log data protected so that evidence cannot be altered. WORM drives permanently protect administrative data. This security measure should be implemented when an administrator with access to logs is under investigation or when an organization is discussing regulatory compliance.

Some SIEM systems are good at ingesting and querying flow data both in real time and retrospectively. However, significant issues are associated with time, including time synchronization, time stamping, and report time lag. For example, if a report takes 45 minutes to run, the analyst is already that far behind real time, and then time is also needed to read and analyze the results.

When designing a SIEM system, the volume of data generated for a single incident must be considered. SIEM systems must aggregate, correlate, and report output from devices such as firewalls, intrusion detection/prevention systems (IDSs/IPSs), access controls, and myriad network devices. How much data to log from critical systems is an important consideration when deciding to use a SIEM system.

SIEM systems have high acquisition and maintenance costs. If the daily events number in the millions per day and events are gathered from network devices, endpoints, servers, identity and access control systems, and application servers, a SIEM might be cost-effective. For smaller daily event occurrences, free or more cost-effective tools should be considered.

NOTE

SIEM systems can aggregate syslog data. Syslog is a decades-old standard for message logging. It is available on most network devices (such as routers, switches, and firewalls), as well as printers and Unix/Linux-based systems. Over a network, a syslog server listens for and then logs data messages coming from the syslog client.

SIEM systems continue to evolve to capture more and more use cases and to be combined with other solution sets. SIEM systems, for example, continue to help secure organizations against threats. Consider user behavior analysis, for example. A SIEM system can establish a baseline for user activity and identify anomalous behavior that deviates from that baseline. This often involves advanced techniques such as machine learning, and the SIEM system needs to be capable of comparing data across time horizons and across groups, such as the department the user works in. More recently, this data has been combined to perform sentiment analysis: Data can be tracked and analyzed to look for patterns that rely on human sentiment. In this way, systems are able to recognize threats before they become threats. This type of analysis should leverage external data sources, including those from the public domain. As discussed in the next section, SIEM systems are now being combined with other functions to perform security assessments.

EXAMALERT

Know that sentiment analysis studies human emotions present within data—for example, negative, neutral, or positive opinions or attitudes. This data can be tracked and analyzed to look for patterns that rely on human sentiment.

Threat Hunting

Threat hunting is a proactive approach to finding an attacker before alerts are triggered. It is not reactive or detective. A reactive approach requires data such as the data a SIEM system provides; a detective approach relies on the use of various algorithms and rules. Threat hunting has the following key attributes:

  • Hypothesis: Threat hunting starts with a hunch, often based on clues. Drivers may include analytics such as user behavior analytics, situational awareness (for example, based on internal risk assessment, trends, or high-value targets), and intelligence based on intelligence bulletins, intelligence feeds, or vulnerability scans.

  • People: While many sources—such as those discussed in Chapter 5, “Threat Actors, Vectors, and Intelligence Sources,” and earlier in this chapter—are used, threat hunting is centered around the security analyst, who has deep expertise and knowledge of the organization’s environment.

  • Assumptive: Threat hunting does not take a breach-preventive approach but rather assumes that the organization has already been breached.

  • Iterative: Much like a penetration tester, a threat hunter must pivot frequently in order to continue lateral movement while seeking further evidence.

Throughout the process, a threat hunter is looking to disrupt the attacker during any phase of what’s known as the cyber kill chain, which is a framework developed to track the steps or phases that an attacker goes through as part of an intrusion. (We examine the cyber kill chain more closely in Chapter 27, “Incident Response.”) The threat hunting process combined with knowledge of the cyber kill chain allows a security analyst to quickly outmaneuver an attacker. The goal of the security team is to completely disrupt the attacker or quickly impede the attacker’s ability to move across the attack chain.

A threat hunter relies on a number of intelligence sources, such as a SIEM system and external sources. Recall that in Chapter 5, we discussed various open and closed sources of threat intelligence and research. All the gathered data may be intelligently pulled together using commercially available software and services. This bringing together of internal and external threat feeds is known as intelligence fusion, and it enables an organization to establish a more accurate threat profile. Internal and external sources are defined as follows:

  • Internal threat data: Internal threat data consists of alert and event data from the SIEM system and any other raw log sources. It includes previous knowledge about prior attacks, including vulnerabilities exploited, previous indicators of compromise, details about the attacker, and packet captures. Baseline data on network traffic also makes it possible to understand what’s expected and aid in identifying anomalies.

  • External threat data: External threat data consists of structured threat information such as STIX, as well as unstructured data from security advisories, bulletins, and other OSINT tools. External threat feeds from security organizations providing such data as a service can also be used as data sources. Attacks across organizations are often similar in their techniques. Chances are good that your organization isn’t the first to see an attacker and his or her methods, and external threat data can give you a warning about what is happening elsewhere.

Fusion analysis can aid in processing data and yielding more meaningful insights to provide a comprehensive look at the threats to an organization. This analysis can even compare internal telemetry data with external data to provide prioritized insight. A threat hunter with good threat data can more quickly identify indicators of compromise and indicators of attacks. Some intelligence platforms integrate with and can also provide capabilities to automate and orchestrate the actions required by security.

Security Orchestration, Automation, and Response (SOAR)

Security orchestration, automation, and response (SOAR) tools can aggregate intelligence from internal and external sources to provide fusion analysis and other insights. SOAR combines data and also provides for case management and automated workflow. Gartner, a leading technology research company, came up with the idea of SOAR. According to Gartner, SOAR primarily does three things:

  • ▸ Threat and vulnerability management

  • ▸ Security incident response

  • ▸ Security operations automation

You can see that, as a combined platform, a SOAR solution combines security orchestration and automation (SOA) with threat intelligence platforms (TIP) and incident response platforms (IRP). SOAR works with and augments SIEM. Gartner expects that in the future these capabilities will merge.

EXAMALERT

SOAR integrates all the security tools available in an organization and then automates incident responses.

CRAM QUIZ

Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this chapter again until you can.

  1. 1. After conducting a vulnerability assessment, which of the following is the best action to perform?

    • A. Disable all vulnerable systems until mitigating controls can be implemented.

    • B. Contact the network team to shut down all identified open ports.

    • C. Immediately conduct a penetration test against identified vulnerabilities.

    • D. Organize and document the results based on severity.

  2. 2. Your team is tasked with conducting a vulnerability assessment and reports back with a high number of false positives. Which of the following might you recommend to reduce the number of false positives?

    • A. Have the team run a vulnerability scan using non-credentialed access.

    • B. Have the team run a vulnerability scan using credentialed access.

    • C. Have the team run a port scan across all common ports.

    • D. Have the team run a port scan across all ports.

  3. 3. SOAR combines functions from which of the following? (Select three.)

    • A. Security orchestration and automation

    • B. Incident response platforms

    • C. Threat intelligence platforms

    • D. Penetration tests

  4. 4. Which of the following studies human emotions in data to detect patterns such as negative, positive, or neutral opinions or attitudes?

    • A. False positive

    • B. False negative

    • C. Sentiment analysis

    • D. Log aggregation

    CRAM QUIZ ANSWERS

  5. Answer 1: D. After an assessment, the results should be organized based on the severity of risk to the organization. Answer A is incorrect because it is generally an extreme response, except in rare situations. Answer B is incorrect because many open ports are required for a network to function. Answer C is incorrect because, although a penetration test often does follow a vulnerability scan, it is not an immediate necessity and certainly is not required for all identified vulnerabilities.

  6. Answer 2: B. Non-credentialed vulnerability scans result in a greater number of false positives. This type of scan provides an outsider point of view, and although it might indicate what an outsider is more likely to see, it does not show as effectively the full extent of vulnerabilities. A credentialed vulnerability scan provides access to systems that might otherwise not be accessible, making it possible to further determine legitimate vulnerabilities. As a result, answer A is incorrect. Answers C and D are incorrect because vulnerability scans initially do scan specified ports as part of the process.

  7. Answer 3: A, B, and C. Security orchestration, automation, and response (SOAR) combines functions from security orchestration and automation, incident response platforms, and threat intelligence platforms either as a complete solution or as an integrated solution. Penetration tests are not part of the SOAR platform, so answer D is incorrect.

  8. Answer 4: C. Sentiment analysis studies human emotions present within data, such as negative, neutral, or positive opinions or attitudes. The data can be tracked and analyzed to look for patterns that rely on human sentiment. Answers A and B are incorrect because a false positive occurs when a security scanner detects or flags a vulnerability when one does not exist and a false negative says you don’t have a vulnerability when in fact you do. Answer D is incorrect. Log aggregation is the process by which SIEM systems combine similar events to reduce event volume. SIEM systems aggregate data from many network sources and consolidate the data so that crucial events are not missed.

Pearson IT Certification Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Pearson IT Certification and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Pearson IT Certification products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by Adobe Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.pearsonitcertification.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020