Blog - article

Sorry, this blog post has not been posted yet. Come back and check again later!

Fatal SIEM flaw: No body, no murder

Mike Banic, VP of Marketing
November 7, 2017

Over lunch last week, a customer who recently deploy our Cognito™ platform told me that his SIEM sales person said “We can do what Vectra does with our analytics package. I simply looked at him and said, “No body, no murder – no they can’t.”

He was puzzled, so I explained.

SIEMs receive security event logs for a wide range of systems – everything from your computer to servers, authentication systems, firewalls, and many more including Vectra Cognito.

Event logs record events that happen on systems and networks. Examining the events in these logs can help you trace activity, respond to events, and keep your systems secure.

As the volume of event logs inside an enterprise number in the millions of events per day, the purpose of a SIEM is to store and provide real-time analysis of all these security alerts generated by applications and network hardware.

A clever cyber attacker knows that event logs are typically sent in batches rather than in real time to reduce the impact on network availability due to transmitting large amounts of logs from every device.

This gives an attacker a window of opportunity on the operating system to have system access, including to the underlying logging system. If the cyber attacker can erase the log of his administrative access on your machine before the log is sent, then there is no body and, therefore, no murder.

At the same time, if the attacker can perform this system authentication without triggering a network anomaly or by not using malware, no event logs will be generated by network monitoring systems either. No body, no murder.

This came as a startling revelation, leading to the question of why is this so.

This is when I broke my rule of no iPhones at a customer meeting. I pulled up the NIST Guide to Computer Security Log Management. I scrolled to the executive summary and read two sentences.

“The number, volume, and variety of computer security logs have increased greatly, which has created the need for computer security log management.”

“A fundamental problem with log management that occurs in many organizations is effectively balancing a limited quantity of log management resources with a continuous supply of log data.”

After saying “Okay, I get it,” he went on to ask, “But what about logs from Cognito?” Now he was asking the right question.

An event log from Cognito is not the same as an event log from any other device. An event log from Cognito is an intelligence report about the threat hunting, analysis, scoring, correlation and risk level of a device demonstrating attacker behaviors.

An event log from a firewall or an intrusion detection system is generated from a network detection event lacking context of the bigger picture of an attack. This requires a security analyst to triage across multiple events in their SIEM, score each event based on the level of impact it would have on the organization, correlate all associated events to a single host at the center of an attack, and prioritize those hosts and associated events that need to be addresses immediately.

The ensuing series of activity easily consumes hours of an analyst’s time, all at the risk of missing important events in real time while working with historical evidence that may not even be correct.

An event log from Cognito is a cybersecurity dossier. Cognito continuously monitors network traffic and performs threat hunting. Manual, labor-intensive triage, scoring threats, host correlation, and threat and host prioritization are automated by Cognito. The sum of this work is sent as a completed attack event log to the SIEM, with precise information on where analysts should focus their time.

There won’t be a log of the cyber attacker stealing the admin credentials from your computer, and no malware or anomaly detection might occur either.

However, Cognito will detect the remote access Trojan (RAT) that was used to access your device as well as the abuse of those credential and related admin protocols. Even if the attacker uses the admin credentials from another machine, the artificial intelligence behind the Cognito Attack Campaign report will correlate these attacker behaviors over multiple devices.

“Are all these other logs in my SIEM doing me any good?” he asked with a tone of hope.

Typically, the data lake created with these logs will drown your security team because – without context – it is impossible to know the right questions to ask. However, the “security dossier” log from Cognito gives you an accurate starting point for a threat investigation in the SIEM.

To learn more about Cognito, join our upcoming Bootcamp webinar, or visit the Cognito product page.

About the author

Mike Banic

Mike Banic is the vice president of marketing at Vectra. Previously, he was vice president of global marketing for networking at Hewlett-Packard. Mike joined HP from Juniper Networks where he held the roles of VP of enterprise marketing and VP of marketing for Ethernet switching. Mike joined Juniper through the acquisition of Peribit Networks where he was VP of corporate marketing. Mike has held product marketing and product management roles at Trapeze Networks, Rhapsody Networks and Extreme Networks. He started his career as a system engineer at Artel Communications. Mike holds a BSEE from Worcester Polytechnic Institute in Massachusetts and previously served on the board of the Ronald McDonald House at Stanford.

Author profile and blog posts

Most recent blog posts from the same author

Security operations

Fatal SIEM flaw: No body, no murder

November 7, 2017
Read blog post

What’s an adaptive security architecture and why do you need it?

February 2, 2017
Read blog post

Time to update how we manage and address malware infections

June 28, 2016
Read blog post