All posts by misnomer

Security in Developer first organization…

Security in an Agile, Developer First organization is a constant ”tug-of-war” between “more security controls vs more developer usability”. The reason for this is primarily the need of Security professionals to maintain control over the “hacky” by nature developers. I am a big fan of Mordoc and the comic strip below shows exactly how this tug-of-war is:

Developers typically use a lot of tools in their machines like:

  1. Build Tools (iOS, Android EMU, IDE, VM, Containers etc.)
  2. Browsers
  3. Repo tools constantly updating
  4. Testing tools.

On such machines, there is always a risk of developers being the target to steal source code or sensitive information. In order to protect these developers, Security teams become overzealous and implement several security tools like Endpoint Security solutions (AV, EDR, HIDS etc.) and Compliance tools (DLP, Web Proxy, Patching, logging etc.).

A typical machine that has all the security tools installed and running looks something like this. This pattern is true across typical enterprise organizations.

The question always is – Where is the balance between Security controls vs Developer productivity?

I gave a talk at a conference on this topic and the slides are available here.  There are various strategies we can employ to secure the developer machines or in general any enterprise computing asset. Some of the innovative ways (they are real and implementable) we can use are described with examples. I thoroughly enjoyed working on this talk and all the associated research that went with it.

 

 

Please leave your comments below. Until next time!!!

Is the SIEM dead?

change siem technology

It has been several years since SIEM emerged into the Security industry as an “Security Alerting” system. Since then, it has grown into a huge market with several vendors like ArcSight , QRadar, Splunk, Nitro, becoming successful since they were the first movers. Today, in 2020, they are becoming more and more obsolete. While people still buy SIEM for compliance needs, the real question to ask  is “Is the SIEM dead?”

What does a SIEM do?

SIEM by definition does the following:

  1. Log Collection from multiple devices/vendors
  2. Log Parsing and normalization into proprietary formats
  3. Log Aggregation
  4. Log Storage across a variety of data stores
  5. Rules Engine
  6. Management workflows
  7. API Driven Integration

Every vendor does all the above in different ways with varying degree of efficiency. However all the vendors have some common issues as well:

  • Poor Scalability: By definition, SIEM products scale very well in the Log Collection and Aggregation department. However, when it comes to Correlation, the SIEM falls short on Scale. Use case based Correlation rules, Log Filtering, Tuning etc need to be performed with ruthless focus on minimizing the need to scale the Correlation engine. While “on paper” vendors claim their correlation engines can be scaled, however, in practical use and effectiveness they fail.
  • Poor Intelligence: Contrary to popular belief, the Rules engine has no intelligence at all. All out of the box rules are stock compliance driven or basic security best practice driven. The pattern recognition rules are so archaic that seldom do organization detect any malicious attacker in the network using them.
  • Limited scope: Outside of Security operations centers (SOC), there is not much of a scope for SIEM to be relevant and valuable. This is primarily because while they are good at alarm based event management, they are miserable at “Event Searches” and “Reporting” thereby making it less and less attractive outside of the SOC realm.
  • Steep Learning curve: Every SIEM product  suffers from the steep learning curve. The learning curve on “General Use” is comparatively easy however, the “Power Use” and “Admin” is steep. Often times organization rely on a very small set of people (often 1 person) who is an expert on the product to keep this beast of a system up and running.
  • Maintenance Nightmare: The more you scale the SIEM, the more the maintenance needed to keep it up and running. This is especially a huge problem when you have mission critical functions depending on alerting and monitoring from SIEM. The amount of engineering resources burnt on this is significant.
  • Poor Analytics: While the SIEM vendors claim to be “Analytics” providers, what they provide is sub-par. Analytics requires the ability to analyse large volumes of data and run meaningful queries, however, most of the SIEM vendors because of “Poor scalability” , can’t process, store and provide analytical output on large volumes of data. Splunk for sure is an exception on this point as they are an Analytics platform first and a SIEM (poorly) later.
  • Poor ITSM capabilities: Again, SIEM vendors don’t do cases management as well as ITSM tools, thereby relying on 3rd party integrations which often times is a “one-way” integration, meaning cases can be created, but updates cannot be tracked in return.
  • Poor Automation: Reliance on 3rd party automation & response tools makes the SIEM ecosystem even more complex.

There are probably a few more issues depending on the SIEM vendors we see, but in general the above are the most common ones.

So the question is “Is the SIEM dead”??

Let me know in the comments section

Accelops – An innovative take on Monitoring

AccelOps-LOGO-Grey-Blue

AccelOps – An innovation take on Monitoring

We at Infosecnirvana.com have done several posts on SIEM. One of the most common request from readers of our SIEM posts is to review Accelops. So this post is our answer to those repeated questions.

Introduction: 

How many of you remember Cisco MARS? Well, if you don’t, let me remind you that they were one of the earliest SIEM products around that stemmed from the infrastructure monitoring space. MARS was geared more towards monitoring and reviewing network infrastructure including their utilisation, performance availability and logs. After a brief run in enterprises that were Cisco heavy, the product died a natural death. People who were involved in the product left Cisco and started AccelOps (Accelerate Operations). As a product, they took the fundamentals of data collection and integrated infrastructure log, event monitoring to the data analytics platform. The result is a promising product called AccelOps.

They have since been acquired by Fortinet, marking their foray into the larger Enterprise SIEM market dominated by the likes of HP, IBM, Splunk etc.

AccelOps:

As you can guess, by virtue of collecting data from various sources like Network devices and servers, AccelOps is a product that provides fully integrated SIEM, file integrity monitoring (FIM), configuration management database (CMDB), and availability and performance monitoring (APM) capabilities in a single platform.

  • APM Capability: This is their strong suite and it is MARS on steroids. AccelOps excels in capturing statistics to provide insights into how the system health is. This is value in a MSSP/NOC/SOC setup as there is no need for an additional monitoring platform. Again, Syslog or SNMP are your best bets for APM.
  • File Integrity Monitoring: Very few SIEM products (think Alienvault) offer native FIM capabilities and to see it in AccelOps is refreshing. The way they do is no surprise as FIM can only be done effectively using an Agent-based approach and Accelops also does the same.
  • CMDB: Accelops has the capability to keep track of all the elements in an organisation’s network infrastructure like network devices, UPS, servers, storage, hyper-visors, and applications. Using the data, a Centralised Management Database (CMDB) is available in AccelOps. This again is very unique and even AlienVault with all its Unified SIEM branding, does not shine as much as AccelOps does.
  • SIEM: Now that all the data from various network infrastructure is available in AccelOps along with CMDB, the ability to cross-correlates, in real-time becomes easy and AccelOps does that using its own patented correlation engine. The SIEM capability comes with all the bells and whistles one would expect – Rules, Dashboards, Alerting, Analytics, Intelligence, etc.

Now let us look at the Strengths and Weakness of AccelOps as a product

The Good:

  • AccelOps’ combination of SIEM, FIM and APM capabilities in a single box helps in a Centralised operations as well as security monitoring.
  • AccelOps serves as a centralised data aggregation platform for system health data, network flow data as well as event log data.
  • AccelOps has a mature integration capability with traditional incident management and workflow tools like ServiceNow, ConnectWise, LanDesk and RemedyForce
  • From a deployment flexibility, AccelOps excels in virtualisation environments. However, they are also available in traditional form factors. If customers prefer cloud, they are also available for deployments in either public, private or hybrid clouds.
  • From an architecture perspective, they have 3 layered tiers.
    1. The Collector tier does exactly what the name suggests – collects data from end log sources.
    2. The Analytics tier receives data from the collector tier. This analytics tier is built on big data architecture fundamentals supporting a master/slave setup. In AccelOps terms, it is Supervisor/Worker setup.
    3. The Storage tier then serves as the data sink housing the CMDB and the big data file system.
  • Because of the architecture setup, the scalability is not an issue with AccelOps. It does scale well with clustering at Analytics and Storage tiers.

The Not So Good:

  • The most obvious is that AccelOps as a product has relatively low visibility in the market. However, this is bound to change with the Fortinet buy. They will hopefully be seen in more competitive bids and evaluations.
  • While AccelOps tries to be a “Jack of All”, it unfortunately is a master of none. This means that the product has poor support for some third-party security technologies, such as data loss prevention (DLP), application security testing, network forensics and deep packet inspection (DPI).  This hinders the product versatility in large environments.
  • Parsing is a key aspect of SIEM and in this area too AccelOps lacks extensive coverage as seen amongst competition. While most of the popular ones are parsed out of the box, the others require a custom parser development skills, which unfortunately requires steep learning curve or product support to help build.
  • While for Network engineers and analysts, the interface makes sense, from a SIEM view, the usability could definitely be improved. This issue is evident when looking at dashboards, report engines, alerts etc. which seem to be afflicted with information overdose.
  • Ease of deployment is there, however, the configuration takes a lot of time considering the fact that there are several tool integrations to be done before it can generate value. Some of the configurations are really complex and may lead to user or admin being spooked. We were reminded of the MARS days time and again while evaluating this product.
  • The UI, while presents data in a very informative way, suffers from too much clutter hindering usability. While this is a personal opinion, when compared against the likes of IBM, Splunk and even LogRhythm, the AccelOps UI does not excite. We hope that Fortinet brings to fore its UI maturity to AccelOps, thereby becoming much more savvy.
  • Correlation capabilities are very good when it comes to data visibility, compliance and infrastructure monitoring use cases. However, when it comes to Threat hunting, trend analysis, behaviour profiling, AccelOps has a lot of ground to cover.
  • Without Infrastructure data, AccelOps loses its edge. As a traditional SIEM collecting only Event logs makes it look like a pretty basic SIEM. This can be quite an issue in organisations where Infrastructure monitoring is already being done by other tools. Unless customers duplicate data sets across  the tools, the value is poor.

Conclusion:

All in All, the product is a well rounded performer when it comes to combined Infrastructure and Security monitoring, however in traditional SIEM bake-offs, they need a lot more flavour to make it exciting. Hopefully the Fortinet buy will do just that. We will continue to watch out for this product and its road map in coming months.

Until next time – Ciao!!!