As technology becomes more advanced, so do the security threats businesses face. This rising trend correlates with the increasing variety and forms of attacks. Because of this, most organizations today deploy a Security Information and Event Management (SIEM) solution to proactively monitor and manage threats. Additionally, this allows them to obtain an accurate and centralized view of their organization’s security posture while producing an advanced level of reporting on both possible and real security incidents.
Timing is everything when dealing with cyberattacks: the longer an attack goes undetected, the more time a threat has to mature and reach data. During a breach, the actors behind these attacks can conduct surveillance, steal data, and spy on your organization, all of which increases the cost and the consequences of an attack.
Simply collecting logs and alerts on possible security breaches against your IT infrastructure is not enough. Locating, analyzing, and mitigating malicious attacks requires swift and accurate action. As such, organizations need to continuously monitor all the elements of their infrastructure, correlate the security events for meaning, add and apply historical context and trending information, and analyze the outcomes to smartly and quickly spot trends and patterns that are out of the ordinary. This is exactly what you get with CenturyLink’s Security Log Monitoring, delivered via our Managed Security Services Portal.
In an age of rapidly evolving and increasingly efficient password cracking tools, brute force attacks are prevalent. Detecting such attacks is essential for businesses to safeguard their data and systems. A brute force attack is essentially a trial-and-error method used in an attempt to obtain valuable and private information such as a user-generated password or a personal identification number (PIN). In this type of attack, automated software generates a large number of consecutive permutations of words and numerical combinations to reach the desired data. Malicious hackers may use this to crack and access encrypted data externally, or security analysts and IT managers could use it to test an organization's network security internally.
Most diligent enterprises employ an intelligent set of guidelines when configuring specific logging practices for security events, like a maximum number of log-in attempts, the unauthorized modification to system files, or repeated attempts to probe private systems to steal data. Using a Security Log Monitoring Service helps mitigate any possible attack well in advance and deals with any that are already underway, as they get noticed and treated before the attack succeeds.
When both data and timing are key factors, relying on a service like CenturyLink’s Security Log Monitoring is paramount. It collects and tracks incidents in near real-time, and has the ability to categorize them by severity and deliver reports to both the customer and the CenturyLink SOC team for review and escalation. CenturyLink security experts have the ability to then cull the data and prioritize events into the top incidents requiring greater analysis or immediate action.
CenturyLink’s Managed Security Services Portal incorporates a leading-edge SIEM solution and provides deep visibility, reporting and threat analysis tools, and a highly-skilled staff of analysts to deliver a comprehensive security solution. We combine log data from the risk profiles of each customer asset with near real-time threat intelligence data from CenturyLink’s global corporate network and partner threat feeds to deliver superior results.
Foundational Monitoring consists of rule sets that find correlations and add context to logged events so that they can turn clues into leads. Additional external threat feeds are also used to discover meaningful correlations indicating a need for further investigation.
Rather than applying rules primarily to filter out noise, this approach builds a case from clues to leads to the investigation. The result is substantially fewer false-positive, time-wasting events per analyst hour while providing threat alerts on events of interest across all customer data.
This is ideal for small and medium businesses with limited security staff and capability, as well as clients who want to pace their SIEM adoption commitment. Designed to grow with security needs, the platform can be expanded at any time by drawing from a suite of advanced services designed to seamlessly work with Foundational Monitoring to provide best-in-class threat protection.
Foundational Monitoring gathers raw system and application logs, then a base set of algorithms parses and contextualizes them into normalized events. Metadata is retained remotely for viewing in our portal or through a mobile app that optimizes user experience with the ability to effectively monitor events of interest. Query capability extends for the past 90 days of investigative metadata, meeting regulatory compliance needs for data retention and retrieval.
Subscribers to Advanced Monitoring Algorithms gain access to CenturyLink’s entire library of several hundred use cases, extending their ability to detect anomalies across log sources. This includes any new rules created as this library grows.
These algorithms are enabled automatically based on log source types and threat indicators, which eases the provisioning process. Clients’ ingested data is enriched with our ATI-curated Threat Intelligence feed and undergoes advanced correlation in support of their active Threat Hunting initiatives.
Advanced Monitoring Algorithms is ideal for customers with compliance requirements, those that have more complex or unique threat monitoring needs, and those specifically looking to search for threats across their environment. Understand that not every rule in the library will apply to every environment — some may be operating system specific.
Customers with in-house security skills can build and maintain their own use case libraries unique to their specific environment, allowing them to develop and maintain highly relevant use cases. Our analysts will also support up to 10 requests per month to define additional rules customized for an organization’s unique needs to apply logic to their logs.
The detection of an insider threat is essential to the protection of a network. According to reports from the Information Security Forum (ISF), more than 30% of attacks can be traced and sourced back to some insider in the organization. While not every insider breach or flagged security event is malicious or intentional, the threat is still real. As such, organizations must maintain a consistent level of security policies for both internal and external threats. Unfortunately, this doesn't make much difference in the aftermath of an incident — the damage has been done.
Should the threat come from a malicious insider who knowingly and purposely abuses internal access to wreak havoc or gain access, an organization needs visibility into their infrastructure. CenturyLink's Security Log Monitoring allows customers to go from reactive to proactive, from defensive to offensive. Because malicious insiders generally have the knowledge, speed of access, and information required to bypass existing security solutions, they are often the most difficult to detect and the costliest to remedy.
Organizations must also deal with unintentional insiders installing corrupted applications, or forwarding or opening files that may have devastating effects. For example, on-boarding new employees, issuing workstations and laptops, or allowing unmanaged software installations may introduce vulnerabilities. The new machines may not have security measures installed or the new user may not know to run the required security checks at regular intervals. A service needs to be in place to account for the unintended consequences of any security breach. Even something like uploading the wrong file may seem innocuous, but the fall-out can cause massive damage.
Between phishing emails sent to leaked distribution lists and the increased practice of remotely accessing an organization's systems, there is a good chance that attackers will find a route in to privileged information and platforms. Once attackers gain access to an endpoint, targeting and stealing privileged credentials and information becomes easier. Eventually, attackers can escalate their illegitimately obtained privileges and move laterally within the network until they attain full domain-level access and, ultimately, total control over sensitive data and IT systems.
CenturyLink’s Managed Security Services Portal offers the ability to view your attack surface, monitor user activity, watch and verify SOC activities performed by your own staff, and collaborate with expert CenturyLink SOC staff. The portal also provides invaluable insights in the form of updates, customized reports, and visual outputs reflecting activities inside your network. This allows you to improve your operational and cost efficiency, and most importantly, to focus on business matters that deliver real competitive advantage.
The Digital Transformation Age has arrived. Taking advantage of rapid provisioning enables service activation and the addition of new tasks and clients in minutes or hours, rather than days or weeks or even months.
Organizations hoping to remain competitive in the digital landscape must undergo changes in the way they conduct business, how they operate in a rapidly-changing market, and must find solutions to maintain pace without compromising the security of their data and network. All these changes are part of Digital Transformation — for businesses of all sizes and maturity levels.
Customers depend on enterprises for their ability to protect and safeguard them and their data from cyber threats. Locating and securing that protection is a real-world challenge, especially in an age where attacks are more sophisticated and occur more often than ever. As such, incident response times and their associated costs increase, too.
CenturyLink's Managed Security Services Portal helps businesses expand and strengthen their offerings and portfolios by delivering automated and targeted threat management and threat intelligence on a highly interactive and immediate platform. By leveraging this in conjunction with a dedicated and trained staff of professionals to deal with cyber threats, businesses can better position themselves to remain operational and in compliance, especially if these resources are scarce.
By engaging in proactive and actionable threat intelligence practices using CenturyLink's Managed Security Services Portal, businesses can identify the most dangerous and recurring threat patterns well before they compromise a network or system across vertical markets. Additionally, customers can identify the source of the attack while building threat management strategies in real-time.
Utilizing threat intelligence capabilities through the collection and correlation of potential threats, and categorizing them across a multitude of modules, allows CenturyLink to act on the threats while freeing customers up to focus on their specific business needs. Through the Managed Security Services Portal’s intelligent user interface, configuration and operation are simplified. The results of a query are easily identifiable and can be integrated with other security solutions such as Security Information and Event Management, Intrusion Prevention Service (IPS), Intrusion Detection Service (IDS), and firewalls through API, SDK, and plug-ins.
For one company, monitoring access to Microsoft solutions was becoming increasingly complex. Although the Microsoft summary page offered some data, security analysts captured more detailed information to show activity from employees logging into Microsoft Exchange, Office 365, and OneDrive. Using a single API offered more unified logging: instead of monitoring Microsoft Azure or Office 365 separately, these processes were combined into a comprehensive view.
Through a single interface, Cloud Security Monitoring can show any business where people are connecting, what the accounts are, who accessed what data, and when they logged into various applications. They can also monitor access to SharePoint, including who has uploaded and downloaded files within that environment. By monitoring these access points, the company is better able to determine gaps in processes and policies, and take immediate steps to remedy them.
When security analysts began monitoring a U.S. company’s Microsoft Exchange account, geographic data was one stream that was closely observed. The monitored data included the contents of the logs as well as metadata used for geo-fencing, which enabled the company to see any unusual activity.
In one instance, a user logged in from Kuwait, which raised alarms in the Managed Security Services Portal. After investigating this anomaly, the company determined that the login was from a current employee working on a legitimate assignment. The company also saw many additional attempted logins from other countries, however, and after further investigation determined that they were from threat actors.
Security analysts began monitoring VPC logs from an Amazon instance for a U.S. company. The analysts could see traffic hitting SSH services that were exposed to the Internet on one of the company’s machine instances. This raised concerns, as it was clearly someone with bad intentions trying to get into the SSH service. Investigation launched from the Managed Security Services Portal revealed that threat actors were trying to log in as root or with a blank username. The company quickly took steps to address the threat and ensure their systems were well secured.
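The "maximum number of log-in attempts" guideline described earlier and the SSH case above both come down to the same detection: count failed logins per source inside a sliding window and flag probes of root or blank usernames. The following is an added example (not CenturyLink's code or rule set) run over constructed sshd-style lines; the threshold, window and sensitive-account list are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style sample lines (not logs from the page). One source bursts
# against root and a blank username; another shows two unrelated user typos.
SAMPLE_LOG = """\
2023-03-01T10:00:01 sshd[1]: Failed password for root from 203.0.113.5 port 40001 ssh2
2023-03-01T10:00:03 sshd[1]: Failed password for root from 203.0.113.5 port 40002 ssh2
2023-03-01T10:00:04 sshd[1]: Failed password for invalid user  from 203.0.113.5 port 40003 ssh2
2023-03-01T10:00:06 sshd[1]: Failed password for root from 203.0.113.5 port 40004 ssh2
2023-03-01T10:00:07 sshd[1]: Failed password for root from 203.0.113.5 port 40005 ssh2
2023-03-01T10:00:09 sshd[1]: Accepted publickey for alice from 198.51.100.7 port 50001 ssh2
2023-03-01T10:05:00 sshd[1]: Failed password for alice from 198.51.100.7 port 50002 ssh2
2023-03-01T10:30:00 sshd[1]: Failed password for alice from 198.51.100.7 port 50003 ssh2
"""

# Matches failed password attempts; "invalid user " precedes names unknown to
# the host, and a blank username leaves the user group empty.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S*) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

SENSITIVE_USERS = ("root", "")  # accounts the case study saw being targeted (assumed list)


def detect_bruteforce(log_text, max_attempts=5, window=timedelta(minutes=1)):
    """Return {source_ip: details} for sources that either reach max_attempts
    failures inside any sliding window, or probe a sensitive username."""
    failures = defaultdict(list)  # source_ip -> [(timestamp, username), ...]
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["src"]].append((datetime.fromisoformat(m["ts"]), m["user"]))

    alerts = {}
    for src, events in failures.items():
        events.sort()
        times = [t for t, _ in events]
        # Largest number of failures inside a window ending at each failure.
        burst = max(sum(1 for t in times if ts - window <= t <= ts) for ts in times)
        targeted = sorted({u for _, u in events if u in SENSITIVE_USERS})
        if burst >= max_attempts or targeted:
            alerts[src] = {
                "max_failures_in_window": burst,
                "sensitive_usernames": targeted,
                "total_failures": len(events),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

The two spaced-out failures from 198.51.100.7 never reach the threshold, which is the behaviour that keeps ordinary typos out of the alert queue.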
Implementing a multi-layer approach to cybersecurity has been an established best practice for years. Combining elements of several network layers can create an effective protection scheme that allows access to legitimate sites, devices and applications by authorized users while blocking access to addresses that may cause harm to the enterprise.
Understanding False Positives
While implementing a multi-layer approach is the most effective way to develop a security strategy, it takes careful coordination between devices to prevent confusion between policies that are implemented at different layers. One typical scenario is confusion resulting from deploying web content filtering with CenturyLink® Adaptive Threat Intelligence.
Adaptive Threat Intelligence works primarily at Layer 3 by understanding which IP addresses may be hosting malicious sites. While future releases will incorporate domain analytics (reputation at the domain name level), current products are focused at the IP level. Web content filtering (WCF) primarily works at Layer 7 (the “application level,” where domain names are used), so this can lead to reporting that the customer has attempted to communicate with a known malicious site, even though the attempt was blocked by the WCF application. Customers may report this as a “false positive,” when it is more precisely a “true positive that has been mitigated.”
Solution: High-Fidelity Threat Intelligence
Adaptive Threat Intelligence deploys filters to reduce reporting of threat events that are identified solely through the TCP handshake. This approach will filter out ALL threat events that are based on packets in the TCP handshake — even those NOT mitigated in WCF or other applications — so it’s advisable to occasionally run without these filters to ensure no actual threats are missed.
Once an IP address is entered into the threat flow, Adaptive Threat Intelligence will report all observed interactions with that address. Included in each threat event are the source port, destination port and service fields, which will reflect the information in the observed packets and may differ from the ports and services typically used by the malware.
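The filter described above can be modelled as a predicate over each observed flow: a threat event is "handshake only" when the flow carried control flags and no payload, which is what a Layer 7 block looks like from Layer 3. This is an added example (not ATI's implementation); the event fields, flag sets and sample flows are constructed assumptions, and the toggle reproduces the recommended occasional unfiltered run.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatEvent:
    """One observed interaction with an address on the threat list. Ports and
    service are as seen on the wire and may differ from the malware's usual ones."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    service: str
    flags_seen: frozenset   # TCP flags observed across the whole flow
    payload_bytes: int      # application-layer bytes carried by the flow


# Flags that can appear without any application data being exchanged.
CONTROL_FLAGS = frozenset({"SYN", "SYN-ACK", "ACK", "RST", "FIN"})


def is_handshake_only(ev: ThreatEvent) -> bool:
    """True when the flow consisted solely of the TCP handshake and teardown:
    only control flags and no payload. A Layer 7 block (e.g. web content
    filtering) applied after the TCP connect looks exactly like this at Layer 3."""
    return ev.payload_bytes == 0 and ev.flags_seen <= CONTROL_FLAGS


def high_fidelity(events, drop_handshake_only=True):
    """Split events into (reported, suppressed). With drop_handshake_only=False
    nothing is suppressed, which is the periodic unfiltered run the text advises."""
    reported, suppressed = [], []
    for ev in events:
        if drop_handshake_only and is_handshake_only(ev):
            suppressed.append(ev)
        else:
            reported.append(ev)
    return reported, suppressed


# Constructed sample flows (not data from the page); 198.51.100.0/24 stands in
# for threat-listed addresses and 10.0.0.0/24 for customer hosts.
SAMPLE_EVENTS = [
    # Browser connected, then WCF reset the session: a mitigated true positive.
    ThreatEvent("10.0.0.5", "198.51.100.10", 51000, 80, "http",
                frozenset({"SYN", "SYN-ACK", "ACK", "RST"}), 0),
    # Full session with data exchanged: a real interaction to investigate.
    ThreatEvent("10.0.0.7", "198.51.100.20", 51001, 443, "https",
                frozenset({"SYN", "SYN-ACK", "ACK", "PSH", "FIN"}), 4200),
    # Inbound SYN that was never answered: scan noise, also handshake only.
    ThreatEvent("198.51.100.30", "10.0.0.9", 40000, 22, "ssh", frozenset({"SYN"}), 0),
    # Beacon on a non-standard port; the service field reflects the observed port.
    ThreatEvent("10.0.0.7", "198.51.100.20", 51002, 8443, "https-alt",
                frozenset({"SYN", "SYN-ACK", "ACK", "PSH", "FIN"}), 300),
]
```

Note that the unanswered scan and the WCF-blocked connection are suppressed together, which is exactly why the text recommends running without the filter from time to time.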
Using a multi-layer approach for deploying a security strategy is an industry best practice, but not all information from these layers easily correlates into a coherent story. Having a flexible filtering strategy can help create high-fidelity threat intelligence that aids security personnel in optimizing incident response and investigation.
Security Analysts – the main consumer of CenturyLink Adaptive Threat Intelligence – require high fidelity threat intelligence to prioritize work for themselves, their teams and stakeholder organizations. The Risk Score is a powerful metric to use for such prioritization.
ATI Risk Scores range from 1 to 100 and appear in several different areas of the collection of threat reports available in ATI. Sorting on Risk Score can be an effective way to prioritize threat hunting and incident response activities.
Risk scores are also incorporated into threat management platforms and applications that consume ATI data. CenturyLink® Secure Log Management (SLM) correlates ATI data with local device logs to indicate which customer-premises devices are under attack.
How is a Risk Score Determined?
Broadly speaking, the ATI Risk Score is a combination of three major factors: Severity, Confidence and Time. While a significant amount of leading-edge research and development goes into the determination of accurate and relevant Risk Scores, the result for ATI customers is the availability of a simple, actionable metric to use in the prioritization of their work.
Our research shows that the duration for which a threat remains relevant varies between threat categories. The best practice is therefore to begin decaying the score once the time elapsed since the last notification of the threat (from its source) exceeds a pre-defined interval that is unique to the category.
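To make the three factors and the category-specific decay start concrete, here is an added illustrative model (not ATI's actual scoring formula): Severity and Confidence set a base score, and the Time factor leaves the score untouched until the category's interval has passed, then halves it per assumed half-life. The category intervals, half-life and multiplicative combination are this example's assumptions; only the rule that decay starts after a per-category interval comes from the text.

```python
from datetime import datetime, timedelta, timezone

# Interval after which a score starts to decay, per category. The page states
# this interval is category-specific; these durations are constructed examples.
DECAY_START = {
    "scanner": timedelta(days=1),
    "phishing": timedelta(days=3),
    "c2": timedelta(days=14),
}
DEFAULT_DECAY_START = timedelta(days=7)
HALF_LIFE = timedelta(days=7)   # assumed decay rate once decay has begun


def risk_score(severity, confidence, category, last_notified, now):
    """Combine Severity (1-5), Confidence (0.0-1.0) and Time into a 1-100 score.
    The multiplicative base and exponential decay are this example's own model,
    not ATI's formula; only the per-category decay-start rule comes from the text."""
    if not 1 <= severity <= 5 or not 0.0 <= confidence <= 1.0:
        raise ValueError("severity must be 1-5 and confidence 0.0-1.0")
    base = severity / 5 * confidence * 100
    idle = now - last_notified
    grace = DECAY_START.get(category, DEFAULT_DECAY_START)
    if idle > grace:
        # Halve the score for every HALF_LIFE elapsed beyond the grace interval.
        base *= 0.5 ** ((idle - grace) / HALF_LIFE)
    return max(1, min(100, round(base)))


def prioritize(threats, now):
    """Return (indicator, score) pairs sorted highest score first, as an
    analyst sorting a threat report on Risk Score would see them."""
    scored = [(t["indicator"], risk_score(t["severity"], t["confidence"],
                                          t["category"], t["last_notified"], now))
              for t in threats]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed threat records; indicators are documentation-range addresses.
NOW = datetime(2023, 3, 10, tzinfo=timezone.utc)
SAMPLE_THREATS = [
    {"indicator": "203.0.113.10", "category": "c2", "severity": 5,
     "confidence": 0.9, "last_notified": NOW - timedelta(days=8)},
    {"indicator": "203.0.113.20", "category": "scanner", "severity": 5,
     "confidence": 0.9, "last_notified": NOW - timedelta(days=8)},
    {"indicator": "203.0.113.30", "category": "phishing", "severity": 3,
     "confidence": 1.0, "last_notified": NOW},
]
```

The two indicators last reported eight days ago score differently only because of their categories: the C2 address is still inside its interval while the scanner has been decaying for a week.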
ATI enables customers to see potential threats before they become breaches, because we are continuously sourcing information from one of the largest IP backbones in the world. The validation and original threat discovery done by the ATI Threat Research Team drives the fidelity of this information to an industry-leading level.