Even before the COVID-19 pandemic hit, the Office for National Statistics (ONS) had predicted that 50 per cent of people in the UK would be able to work remotely by 2020. It’s safe to assume that this figure has now soared, and corporate security teams have had to adapt their networks very quickly.
With a large section of the workforce working from home, combined with the unique challenges presented by the current crisis, it has become critical to be able to provide a secure, reliable remote working setup that enables employees to effectively work from home.
Here are ten ways in which SIEM is being used within organisations to have a positive security impact on the network and keep people cybersafe while working remotely:
1. Insider threat monitoring – Excessive permissions
With the bulk of users suddenly working from home, a lot of sensitive data is being exposed through channels it has not been exposed through before. Security teams have not had the time to evaluate and deploy strong security controls. This introduces a huge risk that users end up with excessive permissions to critical data and infrastructure.
Organisations are looking to SIEM and other security solutions to help identify this permission creep and take corrective action. User and Entity Behaviour Analytics (UEBA) based SIEMs with the ability to ingest and analyse access permissions can leverage techniques such as peer analysis, comparing a user's permissions against their job role and peers to detect outliers. It is even better if the SIEM can also integrate with IAM and IGA tools to recommend corrective action.
2. Insider threat monitoring – Data exfiltration
With a remote workforce and data exposure through new channels, the risk of data compromise has increased significantly – this could be either intentional or accidental compromise.
Organisations require their SIEM to detect and alert on data exfiltration attempts. With built-in UEBA, behaviour profiling and rarity algorithms can help build a normal baseline and alert on a rare or sudden increase in access to sensitive data.
3. Insider threat – Credential sharing
In the remote work environment, it is very likely that certain users may not have the permissions they had before. In this scenario, users may resort to sharing credentials, which in turn may lead to security challenges such as unauthorised access, segregation of duties (SOD) violations, etc.
SIEM monitoring should include use cases dedicated to credential sharing. With a variety of machine learning and identity-context-based checks to detect potential credential sharing attempts, security teams can look for:
- Land speed analysis (aka superman use cases) – a user logging in from two distinct locations at the same time, when it is humanly impossible for him/her to be physically present at both
- Physical and logical geo-location correlation – with identity context, a good SIEM can identify the home office location of the user; if they are logging in from another country or state, that could be a red flag (especially at this time, when there are strict travel restrictions across the globe)
- Rare logins – a user logging in from a location that is rare for his/her profile, but which happens to be a normal baseline location for a peer within the organisation
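The land speed check described above, as an added example that is not from the article or from any vendor's product: consecutive logins by the same user are paired up, the great-circle distance between them is divided by the elapsed time, and anything faster than a plausible airliner speed is flagged. The login events, the city coordinates and the 900 km/h threshold are all constructed assumptions for the example.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed login events (user, UTC timestamp, city, latitude, longitude).
# A real SIEM would take these from VPN/IdP logs enriched with IP geolocation.
LOGINS = [
    ("alice", "2020-04-01T08:00:00", "London", 51.5074, -0.1278),
    ("alice", "2020-04-01T08:45:00", "Manchester", 53.4808, -2.2426),
    ("alice", "2020-04-01T09:10:00", "New York", 40.7128, -74.0060),
    ("bob", "2020-04-01T08:00:00", "Leeds", 53.8008, -1.5491),
    ("bob", "2020-04-01T17:00:00", "Leeds", 53.8008, -1.5491),
]

# Assumed ceiling: roughly airliner cruise speed. Faster than this and the
# same person cannot have made both logins ("superman" rule).
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, km, hours, kmh) for each pair of
    consecutive logins by one user whose implied speed exceeds max_kmh."""
    alerts = []
    last_seen = {}  # user -> (timestamp, city, lat, lon) of previous login
    for user, ts, city, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts)
        prev = last_seen.get(user)
        if prev is not None:
            pt, pcity, plat, plon = prev
            km = haversine_km(plat, plon, lat, lon)
            hours = (t - pt).total_seconds() / 3600
            if hours <= 0:
                # Simultaneous logins: impossible unless they are in the same place
                speed = float("inf") if km > 0 else 0.0
            else:
                speed = km / hours
            if speed > max_kmh:
                alerts.append((user, pcity, city, round(km), round(hours, 2), round(speed)))
        last_seen[user] = (t, city, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(LOGINS):
        print("impossible travel:", alert)
```

With the constructed data, London to Manchester in 45 minutes (about 350 km/h) passes, while Manchester to New York in 25 minutes does not, so only alice's third login is raised. In practice the check should also allow for shared corporate egress IPs and VPN concentrators, which otherwise make a whole office look like one location.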
4. Monitoring for phishing and fake alert email campaigns
The COVID-19 pandemic has made people hungry for as much knowledge on the situation as possible. The bad guys obviously are looking to cash in with fake email alerts and impersonation campaigns. We have seen organisations getting an average of 350 emails daily to this end.
SIEM use cases should be able to detect and alert on malicious phishing campaigns. A SIEM that uses machine learning algorithms to analyse email data – senders, email domains, subjects, attachment names, etc. – to detect phishing attacks has the benefit of being able to recognise these commonly used attacker techniques:
- Typo-squatting (misspelled domains)
- Emails from newly registered domains
- Spear phishing targeting a specific peer group of users
- Emails from malicious domains (integrating threat intelligence)
5. Monitoring for suspicious logins and account compromise
With a huge surge in remote logins, user accounts are more vulnerable to attacks than before. The bad guys are looking for any weakness in the authentication process that they can exploit. This includes weak passwords, weak multi-factor authentication or weak detection of brute force attacks.
SIEM use cases should monitor for suspicious login patterns and leverage machine learning and identity context correlation to cover several scenarios that indicate a suspicious login or an account compromise. These include:
- Enumeration behaviour patterns to detect sophisticated brute force attacks
- Rare login behaviours (based on time, geo-location, IP etc.)
- Spike in failed logins
- Logins from fake accounts (dictionary attack)
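Two of the scenarios listed above, a spike in failed logins and an enumeration / dictionary pattern, as an added example that is not from the article: a small parser reads key=value authentication records, a sliding window counts failures per source address, and sources that try many distinct usernames of which most do not exist are reported separately. The log format, the sample lines, the window and the thresholds are constructed for the example; real thresholds should be derived from each environment's baseline rather than fixed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed record format (constructed): "<iso-ts> src=<ip> user=<name> result=OK|FAIL [reason=<why>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)"
    r"(?: reason=(?P<reason>\S+))?$"
)

# Constructed sample log. 203.0.113.5 walks through common account names, most
# of which do not exist, then tries a real one; 198.51.100.9 is a user who
# mistyped a password once.
AUTH_LOG = """\
2020-04-01T08:00:01 src=198.51.100.7 user=alice result=OK
2020-04-01T08:00:05 src=203.0.113.5 user=admin result=FAIL reason=bad_password
2020-04-01T08:00:06 src=203.0.113.5 user=administrator result=FAIL reason=no_such_user
2020-04-01T08:00:07 src=203.0.113.5 user=root result=FAIL reason=no_such_user
2020-04-01T08:00:08 src=203.0.113.5 user=test result=FAIL reason=no_such_user
2020-04-01T08:00:09 src=203.0.113.5 user=backup result=FAIL reason=no_such_user
2020-04-01T08:00:10 src=203.0.113.5 user=alice result=FAIL reason=bad_password
2020-04-01T08:01:00 src=198.51.100.9 user=bob result=FAIL reason=bad_password
2020-04-01T08:01:30 src=198.51.100.9 user=bob result=OK
2020-04-01T09:00:00 src=203.0.113.5 user=alice result=FAIL reason=bad_password
"""


def parse(log_text):
    """Turn raw lines into dicts; lines that do not match are skipped here,
    though in production an unparseable auth record is itself worth an alert."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def failed_login_spikes(events, window=timedelta(minutes=5), threshold=5):
    """Per source IP, the largest number of failures seen in any sliding
    window; only sources reaching the threshold are returned."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append(e["ts"])
    alerts = {}
    for src, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


def enumeration_sources(events, min_users=4, min_unknown_ratio=0.5):
    """Sources that fail against many distinct usernames, mostly non-existent
    ones: the signature of account enumeration or a dictionary attack."""
    users, unknown, attempts = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in events:
        if e["result"] != "FAIL":
            continue
        users[e["src"]].add(e["user"])
        attempts[e["src"]] += 1
        if e.get("reason") == "no_such_user":
            unknown[e["src"]] += 1
    return sorted(src for src in users
                  if len(users[src]) >= min_users
                  and unknown[src] / attempts[src] >= min_unknown_ratio)


if __name__ == "__main__":
    evts = parse(AUTH_LOG)
    print("failed-login spikes:", failed_login_spikes(evts))
    print("enumeration sources:", enumeration_sources(evts))
```

Counting distinct usernames rather than raw failures is what separates enumeration and password spraying from a single locked-out user, and the "no such user" reason code is only available if the authentication service logs it without leaking it to the client; the detection works from the server-side log, where it should be recorded.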
6. Security monitoring of cloud applications
A large percentage of enterprises today utilise the cloud for both critical and non-critical applications. In the current remote work setup, it is important to monitor activities within the applications to detect any patterns of misuse or compromise.
SIEM should be able to monitor application activity to detect suspicious patterns. SIEMs that differentiate themselves based on the ability to monitor enterprise and custom applications will be a big help here. With packaged connectors and content for all major cloud applications and services including O365, Salesforce, Box, AWS, Azure, GCP among others, it can monitor for data compromise, excessive privileges, unauthorised activity, and sabotage.
7. Security monitoring of VPN and remote auth devices
With the remote work from home setup, remote authentication and VPN devices can be a single point of failure and result in significant business disruption if unavailable.
SIEM should monitor for threats to remote auth and VPN devices to detect any suspicious behaviour patterns including spike in failed logins, bulk password resets, suspicious connections, shutdown/reset, privilege escalations, and more.
8. Security monitoring for host compromise
With the increased phishing activity, it is only a matter of time before one or more users fall into the trap and have their systems compromised. Identifying and isolating such systems is critical to prevent damage.
SIEM should monitor endpoint activity for malware communication, anomalous process execution and other suspicious behaviour patterns, including:
- C2 communication/beaconing
- Rare or suspicious process execution
- Anomalous connection patterns
- Communication to newly registered or unregistered domains
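An added example, not from the article, of the first and last items in the list above worked over proxy records: for every host-to-destination pair the intervals between requests are measured, and a pair whose intervals are almost constant over several requests is reported as a beaconing candidate; destinations that only a single host ever talks to are reported as rare. The proxy records, the host names, the destination names and the jitter threshold are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: (timestamp, host, destination, bytes_out).
# wks-017 contacts one destination every ~60 s with a tiny payload, interleaved
# with ordinary mail traffic that both workstations generate at irregular times.
PROXY_LOG = [
    ("2020-04-01T10:00:00", "wks-017", "update.cdn-example.net", 120),
    ("2020-04-01T10:00:12", "wks-017", "mail.example-corp.com", 4096),
    ("2020-04-01T10:00:30", "wks-042", "mail.example-corp.com", 4200),
    ("2020-04-01T10:01:00", "wks-017", "update.cdn-example.net", 118),
    ("2020-04-01T10:02:01", "wks-017", "update.cdn-example.net", 121),
    ("2020-04-01T10:03:00", "wks-017", "update.cdn-example.net", 119),
    ("2020-04-01T10:04:00", "wks-017", "update.cdn-example.net", 120),
    ("2020-04-01T10:05:01", "wks-017", "update.cdn-example.net", 122),
    ("2020-04-01T10:07:40", "wks-017", "mail.example-corp.com", 3900),
    ("2020-04-01T10:31:05", "wks-017", "mail.example-corp.com", 5120),
    ("2020-04-01T10:45:00", "wks-042", "mail.example-corp.com", 4100),
    ("2020-04-01T11:20:00", "wks-042", "mail.example-corp.com", 3800),
]


def beacon_candidates(records, min_hits=5, max_jitter=0.15):
    """Return (host, destination, period_seconds) for host->destination pairs
    seen at least min_hits times whose inter-request intervals vary by no more
    than max_jitter (coefficient of variation = stddev / mean)."""
    series = defaultdict(list)
    for ts, host, dest, _ in records:
        series[(host, dest)].append(datetime.fromisoformat(ts))
    out = []
    for (host, dest), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            out.append((host, dest, round(avg)))
    return sorted(out)


def rare_destinations(records, max_hosts=1):
    """Destinations contacted by at most max_hosts distinct hosts; a domain
    that only one machine in the estate ever talks to deserves a look."""
    hosts = defaultdict(set)
    for _, host, dest, _ in records:
        hosts[dest].add(host)
    return sorted(dest for dest, seen in hosts.items() if len(seen) <= max_hosts)


if __name__ == "__main__":
    print("beacon candidates:", beacon_candidates(PROXY_LOG))
    print("rare destinations:", rare_destinations(PROXY_LOG))
```

Periodicity alone will also catch legitimate pollers (software updaters, monitoring agents), so the usual approach is to score beaconing together with destination rarity, domain age and payload size, and to keep an allowlist of known agents. Implants that randomise their sleep interval raise the coefficient of variation, so the jitter threshold is a tuning knob, not a constant.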
9. License and compliance monitoring
This is not a usual cybersecurity challenge that would come to mind, but we are not in usual times either. With the shift to remote work setup, organisations are struggling to track and report on usage of licenses for various technologies that enable the remote setup.
SIEM should support monitoring for software license usage, with entity-based monitoring to implement use cases that monitor and report on usage of applications by users, hosts, and IP addresses.
10. Productivity monitoring
With a remote work setup, one of the concerns for organisations that do not have a work-from-home culture is a drop in productivity. Organisations are looking for ways to monitor productivity based on login and activity patterns, and SIEM can support this by detecting session time and duration and reporting on employees that do not meet a certain threshold.
With user session timeline tracking, organisations can monitor session time, duration and activities within the session. This data can then be used to create monitoring reports and dashboards to alert on patterns of drop in activity.
Identifying the use cases that are relevant and important in the current business environment and preparing for them should be the top priority for security teams. As the use cases are identified, solutions that can work for those use cases and provide the security required to enable enterprises to continue with business as usual, even in an extremely open remote working environment, will need to be identified and invested in.
Nitin Agale, VP of product & strategy, Securonix