InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
A cyber security operations center (SOC) protects organizations and the sensitive business data of their customers. It provides active monitoring of valuable business assets, with visibility into, alerting on and investigation of threats, and a holistic approach to managing risk.
The analytics service can be in-house or a managed security service. Collecting event logs and analyzing them against real-world attack patterns is the heart of the security operations center.
Events are generated by systems, for example as error codes, and devices generate events on the success or failure of their normal functions, so event logging plays an important role in detecting threats. An organization typically has many kinds and flavors of log sources: Windows, Linux, firewalls, IDS, IPS, proxies, NetFlow, ODBC, AWS, VMware, etc.
These devices usually record attackers' footprints as logs and forward them to SIEM tools for analysis. In this article, we will see how events are pushed to a log collector. To learn more about Windows events and event IDs, refer here.
Log Collector
It's a centralized server that receives logs from any device. Here I have deployed the Snare Agent on a Windows 10 machine, so we will collect Windows event logs and detect attacks against the Windows 10 machine using the Snare Agent.
Snare is a SIEM (Security Incident and Event Management) solution for log collection and event analysis on various operating systems (Windows, Linux, Apple OSX), and it supports a database agent for MSSQL events generated by Microsoft SQL Server. It offers both Enterprise and Opensource agents.
"Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors," David Weston of Enterprise and OS Security at Microsoft announced, just as the company confirmed that it will resume the rollout of the default blocking of VBA macros obtained from the internet.
Brute-forced RDP access and malicious macros have for a long time been two of the most popular tactics used by threat actors to gain unauthorized access to Windows systems.
Minimizing the RDP attack vector
The Windows Account Lockout Policy allows enterprise network admins to set a lockout threshold, a specific number of failed logon attempts, after which a user account will be locked.
Brute-forcing is a method used by attackers to take over accounts. Usually automated with the help of a software tool, the attack involves submitting many passwords in a row until the right one is "guessed".
From Windows 11 build 22528.1000 and onwards, the account lockout threshold is, according to Bleeping Computer, set to 10 failed login attempts in 10 minutes, which should make this type of attack harder to pull off.
The revelation has set off calls for the control to be backported to older Windows and Windows Server versions, a move that's apparently in the works.
Yes it's being backported
— David Weston (DWIZZZLE) (@dwizzzleMSFT) July 21, 2022
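The log-collection article above forwards Windows events to a SIEM to detect attacks, and the lockout story gives a concrete threshold (10 failed logons within 10 minutes). The following is an added example, not code from either article or from Snare: it implements that same threshold as SIEM-side detection logic over Windows Security events, so the SOC sees the pattern even on hosts that enforce no lockout and can flag a success that follows the burst. The events and their simplified `key=value` layout are constructed for this example and are an assumption, not the Snare agent's actual wire format; Event IDs 4625 and 4624 are the real Windows Security IDs for failed and successful logons.

```python
"""Sliding-window brute-force detection over Windows logon events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security log: 4625 = "An account failed to log on",
#                       4624 = "An account was successfully logged on".
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624

# Constructed sample (not captured data): 11 failures against "alice" from
# one source in about five minutes, then a success; "bob" has three failures
# spread over 45 minutes, which must not alert.
SAMPLE_EVENTS = """\
2022-07-21T10:00:05 EventID=4625 TargetUserName=alice IpAddress=10.0.0.23
2022-07-21T10:00:35 EventID=4625 TargetUserName=alice IpAddress=10.0.0.23
2022-07-21T10:01:05 EventID=4625 TargetUserName=alice IpAddress=10.0.0.23
2022-07-21T10:01:35 EventID=4625 TargetUserName=alice IpAddress=10.0.0.23
2022-07-21T10:02:00 EventID=4625 TargetUserName=bob IpAddress=10.0.0.41
2022-07-21T10:02:05 EventID=4625 TargetUserName=alice IpAddress=10.0.0.23
2022-07-21T10:02:35 EventID=4625 TargetUserName=alice IpAddress=10.0.0.23
2022-07-21T10:03:05 EventID=4625 TargetUserName=alice IpAddress=10.0.0.23
2022-07-21T10:03:35 EventID=4625 TargetUserName=alice IpAddress=10.0.0.23
2022-07-21T10:04:05 EventID=4625 TargetUserName=alice IpAddress=10.0.0.23
2022-07-21T10:04:35 EventID=4625 TargetUserName=alice IpAddress=10.0.0.23
2022-07-21T10:05:05 EventID=4625 TargetUserName=alice IpAddress=10.0.0.23
2022-07-21T10:05:40 EventID=4624 TargetUserName=alice IpAddress=10.0.0.23
2022-07-21T10:20:00 EventID=4625 TargetUserName=bob IpAddress=10.0.0.41
2022-07-21T10:45:00 EventID=4625 TargetUserName=bob IpAddress=10.0.0.41
"""


def parse_events(text):
    """Parse one event per line into dicts; the layout is this example's assumption."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        fields = dict(p.split("=", 1) for p in parts[1:])
        events.append({
            "ts": datetime.fromisoformat(parts[0]),
            "event_id": int(fields["EventID"]),
            "user": fields["TargetUserName"],
            "ip": fields.get("IpAddress", "-"),
        })
    events.sort(key=lambda e: e["ts"])  # collectors may deliver out of order
    return events


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=10)):
    """Return one alert per (user, source IP) that reaches `threshold` failures within `window`.

    A deque per key holds timestamps of recent failures; entries older than
    `window` relative to the newest failure are evicted before counting, so
    the count is always over a sliding window rather than fixed buckets. The
    alert records the moment the threshold was crossed; a later 4624 for the
    same key is recorded as a likely successful guess.
    """
    recent = defaultdict(deque)
    alerted = {}
    alerts = []
    for e in events:
        key = (e["user"], e["ip"])
        if e["event_id"] == FAILED_LOGON:
            q = recent[key]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alert = {"user": e["user"], "ip": e["ip"], "failures": len(q),
                         "first": q[0], "last": e["ts"], "success_after": None}
                alerted[key] = alert
                alerts.append(alert)
        elif e["event_id"] == SUCCESSFUL_LOGON and key in alerted:
            alerted[key]["success_after"] = e["ts"]
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f"{a['user']} from {a['ip']}: {a['failures']} failures "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}, success after: {a['success_after']}")
```

Keying on (account, source IP) keeps one noisy user from masking a second source; dropping the IP from the key instead would catch a distributed attack against one account, and keying on IP alone would catch password spraying across many accounts. The same deque logic serves all three, which is why it is worth having in the SIEM even where the host lockout already fires.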
When CISOs, CIOs, CTOs, security engineers, security analysts and security architects were asked to rank the primary capabilities of a traditional SIEM according to how satisfied they were with those capabilities, an interesting picture emerged. The survey results indicated that every primary capability of traditional SIEM solutions, at best, only somewhat met the majority of users' needs. Some capabilities were irrelevant to many users. This tepid level of satisfaction is what drove many security teams to undertake the effort to build their own security monitoring tools.
Data Coverage and Data Use
Less than 25% of the respondents believed that their SIEM covered more than 75% of their security-relevant data. Nearly 17% responded that their existing platform covered less than a quarter of their data.
Furthermore, when asked if they believed their current SIEM platform were capable of handling the volume of security data their organization will generate in the future, a third of the respondents said they expected their existing platform to keep falling behind.
These results underscore the risks security teams (and their organizations) are forced to tolerate due to the cost and overhead required to bring high volumes of security-relevant data into traditional SIEM platforms. Without full visibility into all necessary data, security teams will undoubtedly have blind spots that impede their ability to protect their organizations.
OK, so what can they do instead? Well, a cloud-native architecture capable of ingesting, normalizing and analyzing terabytes of data per day cost-effectively is necessary to keep up.
Moving From Static to Dynamic
Security professionals are well aware of the static nature of traditional SIEM platforms. Many believe they pay too much for the capabilities provided and are concerned about what the future holds.
SIEMs were designed over ten years ago when the world was a very different place. The technology hasn't evolved its approach to keep up with the needs of cloud-scale environments. Adequate security today depends on full visibility into security-relevant data, structured, scalable data lakes, cloud-native workflows and fast detection and response times. Security teams need a modern approach to security monitoring built for the cloud-first world.
Fortunately, there is an alternative way of procuring security expertise: by retaining the services of managed security service providers (MSSPs) and managed detection and response (MDR) providers.
MSSPs usually assist organizations' IT departments in managing the IT infrastructure and keeping it secure by managing security equipment/systems, monitoring security logs, supervising patch management, and similar preventative security measures. MDR providers concentrate on monitoring network traffic and data, providing threat hunting/detection services and responding to discovered threats, capabilities that are difficult for most SMBs to cultivate in-house due to resource limitations.
For example, when the existence of the Log4Shell vulnerability and a PoC for it was revealed, Milton Security, a California-based MDR provider, was inundated with concerns and requests from customers, prospects, and the public asking it to help make sense of the situation, provide credible and timely updates, and monitor networks for any suspicious activity that might be related to Log4j exploitation.
But they have also been getting a lot of requests for their application security testing, penetration testing, incident response, and even their vCISO service.
Winning the perpetual fight against crime by building a modern Security Operations Center (SOC)
Using OMI on Microsoft Azure? Drop everything and patch this critical vulnerability, snappily named OMIGOD. But wait! You probably don't know whether you're using OMI or not.
Y'see, Open Management Infrastructure (OMI) is often silently installed on Azure as a prerequisite. And, to make matters worse, Microsoft hasn't rolled out the patch for you, despite publishing the code a month ago. So much for the promise of "The Cloud."
What a mess. In today's SB Blogwatch, we put the "mess" into message.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Difficult Hollywood.
Your next step: Microsoft Azure users running Linux VMs in the … Azure cloud need to take action to protect themselves against the four "OMIGOD" bugs in the … OMI framework, because Microsoft hasn't. … The worst is rated critical at 9.8/10 … on the Common Vulnerability Scoring System. … Complicating matters is that running OMI is not something Azure users actively choose. … Understandably, Microsoft's actions, or lack thereof, have not gone down well. [And it] has kept deploying known bad versions of OMI. … The Windows giant publicly fixed the holes in its OMI source in mid-August … and only now is advising customers. … Your next step is therefore obvious: patch ASAP.
Recent research indicates that 51 percent of SOC teams feel emotionally overwhelmed by the impossible volume of security alerts they must deal with, with the stress impacting their home lives.
Increasing the maturity of a SOC allows analysts to stop fighting fires and focus on higher value work. With careful planning and the right combination of automation and standardized processes, a mature, effective, and world-class SOC can be established.
The danger of alert overload
The cybersecurity landscape has become increasingly hostile, and teams must deal with an ever-increasing barrage of security alerts. Teams have reported spending nearly a third of their time simply dealing with false positives, and we have long since passed the tipping point where these numbers can be dealt with on a manual basis.
This is exacerbated by the fact that the ongoing skills gap means recruiting and retaining a full team of analysts has become an increasingly costly proposition. Few firms can afford large teams, and even an army of analysts will not be able to comfortably tackle hundreds of alerts a day in addition to their other duties.
In addition to the sheer number of alerts they must deal with, SOC teams are hampered by inefficient processes. Many analysts end up using an ad-hoc suite of security solutions cobbled together from different providers, and a great deal of time can be wasted every day as analysts swap back and forth between them. There is no easy way to compare data from different tools to identify trends and more complex threats. Uniting solutions under a single management system can help to win back lost time and establish a single view of threat data.
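The "single view of threat data" the passage above asks for comes down to two mechanical steps: normalize each tool's output into one schema, then collapse repeats of the same (host, indicator) into a single case that carries every contributing tool. The following is an added example and not code from the article or from any vendor; the pipe-delimited IDS lines, the JSON EDR records, the host names, the severity scale and the common schema are all constructed stand-ins chosen for this example, and the 15-minute grouping window is an assumed tuning value.

```python
"""Normalize alerts from two tools into one schema and collapse duplicates (added example)."""
import json
from datetime import datetime, timedelta

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed IDS output: timestamp|sensor|severity|host|indicator|message
IDS_LINES = """\
2022-07-21T09:58:10|ids-1|medium|ws-042|203.0.113.7|ET POLICY outbound connection to suspicious host
2022-07-21T09:58:12|ids-1|medium|ws-042|203.0.113.7|ET POLICY outbound connection to suspicious host
2022-07-21T10:03:40|ids-1|low|ws-017|198.51.100.9|ET INFO DNS query to newly registered domain
"""

# Constructed EDR output: one JSON object per line, different field names and casing
EDR_LINES = """\
{"time": "2022-07-21T09:58:30", "device": "WS-042", "sev": "high", "remote_ip": "203.0.113.7", "title": "Unsigned binary made outbound connection"}
{"time": "2022-07-21T09:59:05", "device": "WS-042", "sev": "high", "remote_ip": "203.0.113.7", "title": "Unsigned binary made outbound connection"}
{"time": "2022-07-21T10:30:00", "device": "SRV-DB1", "sev": "critical", "remote_ip": null, "title": "Credential dumping tool executed"}
"""


def normalize_ids(lines):
    """Map the IDS line format onto the common schema; host names are lower-cased for joining."""
    out = []
    for line in lines.strip().splitlines():
        ts, _sensor, sev, host, indicator, msg = line.split("|", 5)
        out.append({"ts": datetime.fromisoformat(ts), "tool": "ids", "host": host.lower(),
                    "severity": sev.lower(), "indicator": indicator, "message": msg})
    return out


def normalize_edr(lines):
    """Map the EDR JSON records onto the same schema; a missing remote IP becomes '-'."""
    out = []
    for line in lines.strip().splitlines():
        rec = json.loads(line)
        out.append({"ts": datetime.fromisoformat(rec["time"]), "tool": "edr",
                    "host": rec["device"].lower(), "severity": rec["sev"].lower(),
                    "indicator": rec["remote_ip"] or "-", "message": rec["title"]})
    return out


def coalesce(alerts, window=timedelta(minutes=15)):
    """Merge alerts sharing (host, indicator) within `window` of a case's first alert.

    The merged case keeps the highest severity seen, the set of tools that
    contributed and the distinct messages, so one row tells the analyst that
    two independent sensors saw the same host talk to the same indicator.
    """
    cases = []
    open_cases = {}  # (host, indicator) -> index of the most recent case
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["host"], a["indicator"])
        idx = open_cases.get(key)
        if idx is not None and a["ts"] - cases[idx]["first_seen"] <= window:
            c = cases[idx]
            c["count"] += 1
            c["last_seen"] = a["ts"]
            c["tools"].add(a["tool"])
            c["messages"].add(a["message"])
            if SEVERITY_RANK[a["severity"]] > SEVERITY_RANK[c["severity"]]:
                c["severity"] = a["severity"]
        else:
            cases.append({"host": a["host"], "indicator": a["indicator"],
                          "first_seen": a["ts"], "last_seen": a["ts"], "count": 1,
                          "severity": a["severity"], "tools": {a["tool"]},
                          "messages": {a["message"]}})
            open_cases[key] = len(cases) - 1
    return cases


def triage_queue():
    """Build the analyst queue: highest severity first, then multi-tool cases, then oldest."""
    cases = coalesce(normalize_ids(IDS_LINES) + normalize_edr(EDR_LINES))
    return sorted(cases, key=lambda c: (-SEVERITY_RANK[c["severity"]], -len(c["tools"]), c["first_seen"]))


if __name__ == "__main__":
    for c in triage_queue():
        print(f"{c['severity']:<8} {c['host']:<8} {c['indicator']:<14} x{c['count']} "
              f"via {','.join(sorted(c['tools']))}")
```

On the constructed input six raw alerts become three cases, and the ws-042 case shows the cross-tool correlation that the passage says analysts cannot get by swapping between consoles: the IDS and EDR alerts that would otherwise sit in two separate queues land in one row. Adding a third tool is one more `normalize_*` function; the coalescing and ranking do not change.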
The Industry Standard, Vendor-Neutral Guide to Managing SOCs and Delivering SOC Services
This completely new, vendor-neutral guide brings together all the knowledge you need to build, maintain, and operate a modern Security Operations Center (SOC) and deliver security services as efficiently and cost-effectively as possible.
Leading security architect Joseph Muniz helps you assess current capabilities, align your SOC to your business, and plan a new SOC or evolve an existing one. He covers people, process, and technology; explores each key service handled by mature SOCs; and offers expert guidance for managing risk, vulnerabilities, and compliance. Throughout, hands-on examples show how advanced red and blue teams execute and defend against real-world exploits using tools like Kali Linux and Ansible. Muniz concludes by previewing the future of SOCs, including Secure Access Service Edge (SASE) cloud technologies and increasingly sophisticated automation.
This guide will be indispensable for everyone responsible for delivering security services, managers and cybersecurity professionals alike.
* Address core business and operational requirements, including sponsorship, management, policies, procedures, workspaces, staffing, and technology
* Identify, recruit, interview, onboard, and grow an outstanding SOC team
* Thoughtfully decide what to outsource and what to insource
* Collect, centralize, and use both internal data and external threat intelligence
* Quickly and efficiently hunt threats, respond to incidents, and investigate artifacts
* Reduce future risk by improving incident recovery and vulnerability management
* Apply orchestration and automation effectively, without just throwing money at them
* Position yourself today for emerging SOC technologies