I recently published an article in Infosecurity Magazine about the dangers of putting our trust in Virtual Private Networks (VPN). Though VPNs have been with us for two decades, now that many more people are working from home, organizations are depending on them more and more.
As WFH and VPN use has increased, so have attempts by cyber-criminals to penetrate VPNs. A hacked VPN probably started the Mitsubishi Electric attack, and an unpatched Pulse Secure VPN server enabled the attack on the UK National Grid.
Once an attacker penetrates an organization’s VPN, he can freely explore the network and find system vulnerabilities, redirect users into fraudulent sites, impersonate one of the organization’s users and use the identity it maliciously. The consequences can be dire and include data manipulation or even destruction of the system.
In the article, I outlined basic steps organizations need to take to strengthen their VPN – including enforcing strong password policies and demanding multi-factor authentication for privileged users. But this is far from sufficient, as some vulnerabilities will always be unknown and systems will never be 100% updated in time, and therefore someone who is determined enough will find a way to directly exploit them.
The key to securing your organization is a system that can gather a large diversity of logs - from your end points, network based solutions, Domain Controllers, VPN devices and others - and be agnostic to the source of the data. This will make it possible to identify the results of these malicious system exploits early enough to provide the chance to mitigate the impact.
So how do we achieve this level of protection? A technology that can make it happen effectively is one that can identify anomaly behavior of the compromised entity (an entity can be a user account, an email account, an application or a host). The market is calling it User Entity and Behavior Analytics, or UEBA.
One of the main things the cyber security community realized is that UEBA, which typically digests only Domain Controllers and OS log,s cannot provide sufficient coverage by itself, as these logs sources don’t provide enough visibility, and therefore the market demanded a consolidation of the UEBA technology into SIEM platforms, which are today called NG-SIEM (If you have a SIEM that doesn’t include UEBA, this is a flashing red light).
One of the roles of the integrated UEBA engine is to digest and correlate wider ranges of entity related logs which are coming from a wide variety of data sources beyond OSs and DCs logs. The problem that arose, which we see with all SIEMs today (even those who call themselves NG-SIEM) is that digesting and correlating a wider range of data source logs by the UEBA engine requires to manually define many many rules, and then maintain them, making for a reactive approach – and in general a very big headache for your security team.
To clarify the issue, let’s see what the process of log ingestion from a VPN looks like with the burden of manual correlation rules, for instance in the case of a failed login attempt. One security product will call it “access failed”, another “password incorrect”, another “4625”, and yet another “unsuccessful login”. If an analyst is dealing with this problem with the traditional SIEM rules, he or she will need to create an “if/then” rule for each of these products with a threshold. Multiply this by the dozens, hundreds, even thousands of logs and data inputs a day and you can see the difficulty.
The difference between ALL others and empow’s unique “no rules” SIEM engine is that our technology translates all the logs from different sources into one unified activities language at the gate, before they even enter the our SIEM’s integrated UEBA and correlation engines. Moreover, this is done without the need for manual rules. The result is a SIEM that is much less cumbersome, much faster, more scalable and ultimately more effective.
Another important benefit of this approach is a better experience for the analyst during investigation. He or she doesn’t necessarily have decades of hands-on experience to know off the cuff that Microsoft’s definition for a failed login is 4625, for example. Our language is simple and intuitive.
Lots of organizations are becoming hybrid and moving part of their assets to the cloud. empow’s platform knows to automatically identify different accounts belonging to the same user and empow’s integrated UEBA engine takes this into account and thus analyzes the malicious behavior against a user across all of his or her possible accounts. This results in a more effective way of protecting the organization from identity theft and account takeover.
Below is an example of empow’s UEBA engine alerting on “2 concurrent logins from 2 remote locations” that was classified as “ valid account” technique (as defined by MITRE ATT&CKTM - a standardized security language). The use of valid account means that the adversary is using stolen valid credentials as a means of evading detection. i-SIEM detected and validated it by observing logs from different sources that don’t include the same username. empow’s entity management was still able to identify which user owns this email account, in addition to IP addresses that were enriched with the location.
In addition, empow’s SIEM also alerted on “Password Guessing” by detecting abnormal login attempts for this user, raising the confidence level that someone stole the user’s credentials and is trying to log in to the account. Following these events, the user’s security score was raised to “High” and it will now appear in the top entities as requiring the attention of the security team.