One of the concerns for the Security Operation Center is that it needs to prove without any doubt that the account named in a log entry really belongs to a specific user, and that the log entry has not been tampered with (non-repudiation). The second part is a technical exercise and can easily be done (signed logging, encrypted data transfer, and key verification during data ingestion and usage). The trouble is the first part: connecting the username in the log entry to a human person.
Every time a person starts to work for a company, an account is created, and the…
If I continue the comparison with the army: army threat intelligence reports first about possible hostile activity close by, before widening the circle. An enemy close by is more likely to attack than an enemy far away.
With the highly interconnected world, it doesn’t really matter anymore where the digital attacker is. He/she can be in the same country, but also he/she can be in Asia or Africa. The sole difference is the IP address and perhaps the speed of the attack. Low network bandwidth is more an issue for the attacker than for the environment that is being…
First, let’s clarify the various architectural roles. Then let’s talk about education and career paths. I understand and recognize the list of architectural roles is not complete. I merely talk about those roles that I find the most significant ones.
The enterprise architect is busy with long-term architecture (strategy-minded). Therefore, it is necessary to stay up-to-date with the latest technology in both hardware and software. The enterprise architect is one of the first ones to know about the hardware and software lifecycle. And if required, the enterprise can initiate a life-cycle replacement or upgrade program, but the enterprise architect is…
No matter how mature your Security Department is, if you cannot communicate, you have an issue. Businesses suffer no problems with understanding their core business processes. But as long as security is not their core business, the business will have issues with understanding the Security Department.
If you overhear the comment ‘The security department is just a cost center.’, you know you are in trouble. Notably when you are responsible for the Security Department. Absolutely, running a Security Department will cost the company money, similar to HR, Legal, and Finance. But these departments have already established and demonstrated their value…
By mapping a ransomware attack to this framework, it is possible to see an attack throughout its lifespan, all the way from Reconnaissance to Exfiltration/Actions on Objectives.
I will examine each step of the Cyber Kill Chain and describe what you can undertake to establish a strong defensive security posture. However, just as important as creating a strong defensive posture is the ability to act when (bad) things do happen. I will come back to this after I have explained the Cyber Kill Chain.
We, humans, are lazy when it comes down to…
Let’s rewind a little bit. If you have read this article, you know and/or realize that an incident starts with an event. The event is transmitted to the centralized detection environment (usually the SIEM environment). Once it has reached this environment, the event is compared with all configured detection rules (detection rules are the result of implemented use cases). Once there is a complete match with a use case, the action part of the use case kicks in. By default, and still applicable for most Security Operation Centers, this action is to generate an alert in the tool.
In this article, I will be focusing on the DNS traffic that has been captured by Zeek. A screenshot of some of the captured data is shown above. The log entries generated by Zeek (shown below) are JSON formatted, and this is super convenient: you do not need to create special parsers, as Python and R can easily read it.
I’ve downloaded 24 hours of DNS data from a research environment and saved it as a Microsoft Excel file. I already did some data cleansing.
When you enable all features on the NGFW/UTM, the device will slow down considerably. And then you are forced to buy a bigger one to ensure you can handle the network traffic volume that is passing the device. But do you need all security controls to be enabled for each network packet that is passing a firewall? No.
The primary job of a Security Operation Center Level 1 Analyst is to ensure each reported alert is addressed, analyzed and, if required, pushed to a resolver team. Depending upon the structure and the load of the Security Operation Center, the Level 1 Analyst might rotate between several roles. And this is where it might become interesting for the Level 1 Analyst, because in the Security Operation Center there are many roles to be fulfilled. Just to name a few roles:
To ensure you did not miss any updates, it is crucial to implement a vulnerability management solution like the one from Tenable and run weekly vulnerability scans, daily if the asset is internet-facing.
However, the output of a vulnerability scan can be enormous, especially when you have just started the vulnerability and patch management programs. You might be dazzled by the data. Therefore, I suggest adopting the following fundamental rules.
A passionate security professional who shares his knowledge and experiences while trying to achieve a more secure IT/OT/IIoT world.