Posts by Matt Hathaway

5 min Log Management

If You Work In Operations, Your Security Team Needs The Logs, Too

This post is the final in a series examining the roles of search and analytics in the incident-detection-to-response lifecycle. To read the previous six, click one [/2015/10/21/search-will-always-be-a-part-of-incident-investigations], two [/2015/10/29/whether-or-not-siem-died-the-problems-remain], three [/2015/11/05/investigating-an-incident-doesnt-end-at-the-perimeter], four [/2015/11/11/making-sure-search-is-not-your-incident-response-bottleneck], five [/2015/11/19/siems-dont-detect-attacks-a

4 min Incident Response

Even With 80% Automation For Detection, You Need to Ease the 20% Human Diligence

This post is the penultimate in a series examining the roles of search and analytics in the incident-detection-to-response lifecycle. To read the first five, click here [/2015/10/21/search-will-always-be-a-part-of-incident-investigations], here [/2015/10/29/whether-or-not-siem-died-the-problems-remain], here [/2015/11/05/investigating-an-incident-doesnt-end-at-the-perimeter], here [/2015/11/11/making-sure-search-is-not-your-incident-response-bottleneck], and here [/2015/11/19/siems-dont-detect-a

5 min Incident Response

Making Sure Search Is Not Your Incident Response Bottleneck

This post is the fourth in a series examining the roles of search and analytics in the incident-detection-to-response lifecycle. To read the first three, click here [/2015/10/21/search-will-always-be-a-part-of-incident-investigations], here [/2015/10/29/whether-or-not-siem-died-the-problems-remain], and here [/2015/11/05/investigating-an-incident-doesnt-end-at-the-perimeter]. Nearly a year ago, I likened the incident handling process to continuous flow manufacturing [/2014/12/12/attackers-prey

4 min Incident Response

Investigating An Incident Doesn't End At The Perimeter

This post is the third in a series examining the roles of search and analytics in the incident-detection-to-response lifecycle. To read the first two, click here [/2015/10/21/search-will-always-be-a-part-of-incident-investigations] and here [/2015/10/29/whether-or-not-siem-died-the-problems-remain]. In the second blog of this series [/2015/10/29/whether-or-not-siem-died-the-problems-remain], I touched on the need for solutions more flexible than the traditional SIEM architecture focused prima

5 min SIEM

Whether or Not SIEM Died, the Problems Remain

This post is the second in a series examining the roles of search and analytics in the incident-detection-to-response lifecycle. To read the previous, click here [/2015/10/21/search-will-always-be-a-part-of-incident-investigations]. Various security vendors have made very public declarations, claiming everything from “SIEM is dead” to asking whether it has merely “lost its magic”. Whatever your stance on SIEM, what's important to recognize is that while technologies may fail to solve a problem, thi

4 min Incident Response

Search Will Always Be A Part of Incident Investigations

This post is the first in a series examining the roles of search and analytics in the incident-detection-to-response lifecycle. Strong data analytics have recently enabled security teams to simplify and speed incident detection and investigation, but at some point in every incident investigation, a search through machine data is nearly always necessary to answer a one-time question before the investigation can be closed. Whether your incident response team is just trying to combat the flood of

6 min Transportation

Low and Slow: Attackers Easily Hide From Time-Blind Alerts

Many organizations focus their detection strategy almost exclusively on malware, not realizing that attackers don't need it to compromise their networks. When you start to look at the extensive intruder behavior outside of malware, you quickly recognize the massive detection challenges we face today. Not only do these intruders change their techniques when they become easy to detect, but far too much of the available detection depends on events occurring at a single point in time. This inability
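The failure mode described above, shown as an added example that is not code from the original post: a rule that only counts failures inside a one-minute window against the same rule run over a 24-hour window. The log lines are constructed; one source fails seven logons spread 35 minutes apart, the other bursts five in four seconds. The "time-blind" rule sees only the burst, the time-aware rule sees both.

```python
"""Time-aware detection of low-and-slow authentication failures.

Added example (not from the original post): the same sliding-window counter is
run with a one-minute window (the usual point-in-time rule) and a 24-hour window.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2015-11-02T01:00:00 FAIL user=jdoe src=10.1.1.50
2015-11-02T01:35:00 FAIL user=asmith src=10.1.1.50
2015-11-02T02:10:00 FAIL user=bjones src=10.1.1.50
2015-11-02T02:45:00 FAIL user=clee src=10.1.1.50
2015-11-02T03:20:00 FAIL user=dpatel src=10.1.1.50
2015-11-02T03:55:00 FAIL user=efox src=10.1.1.50
2015-11-02T04:30:00 FAIL user=gwu src=10.1.1.50
2015-11-02T05:05:00 OK user=gwu src=10.1.1.50
2015-11-02T09:00:00 FAIL user=jdoe src=10.1.1.77
2015-11-02T09:00:01 FAIL user=jdoe src=10.1.1.77
2015-11-02T09:00:02 FAIL user=jdoe src=10.1.1.77
2015-11-02T09:00:03 FAIL user=jdoe src=10.1.1.77
2015-11-02T09:00:04 FAIL user=jdoe src=10.1.1.77
2015-11-02T09:00:05 OK user=jdoe src=10.1.1.77
"""


def parse_log(text):
    """Parse the constructed format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ok": result == "OK",
            "user": user.split("=", 1)[1],
            "src": src.split("=", 1)[1],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def sources_exceeding(events, threshold, window):
    """Return {src: (peak_failures, distinct_users)} for every source that
    accumulates >= threshold failed logons inside any sliding window of
    length `window`. One algorithm for both rules; only the window differs."""
    recent = defaultdict(deque)  # src -> deque of (ts, user) still inside the window
    flagged = {}
    for e in events:
        if e["ok"]:
            continue
        q = recent[e["src"]]
        q.append((e["ts"], e["user"]))
        while e["ts"] - q[0][0] > window:  # drop failures that aged out
            q.popleft()
        if len(q) >= threshold:
            users = {u for _, u in q}
            prev = flagged.get(e["src"], (0, 0))
            flagged[e["src"]] = (max(prev[0], len(q)), max(prev[1], len(users)))
    return flagged


def point_in_time_rule(events):
    """Classic burst rule: 5 failures within one minute."""
    return sources_exceeding(events, threshold=5, window=timedelta(minutes=1))


def time_aware_rule(events):
    """Same threshold, but accumulated over a day; catches the slow source too."""
    return sources_exceeding(events, threshold=5, window=timedelta(hours=24))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("1-minute window:", point_in_time_rule(evs))
    print("24-hour window :", time_aware_rule(evs))
```

The distinct-user count is carried along because a slow source cycling through many accounts (password spraying) looks very different from one user mistyping a password, even when the raw failure counts are equal.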

3 min Incident Response

Detecting Intruders Early Can Ruin Their Business Model

If you look at attackers as faceless, sophisticated digital ninjas, it instills fear, but doesn't really help to stop them. While there are many motivations for attacking an organization and stealing its data, the most frequent are based on money. This is why it sometimes helps to view them as you would any other business: as having costs and needing to generate revenue to survive.

Attacker groups are similar to high-tech startups

There is a thriving economy full of people who breach organizati

4 min Incident Response

Remove Your Alert Triage Bottleneck To Speed Response

Recently, I wrote about the two largest incident response bottlenecks [/2014/12/12/attackers-prey-on-incident-response-bottlenecks] behind the massive gap between the time it takes to compromise an organization and the time it takes incident response teams to verify a true incident and take appropriate action. I then discussed the second bottleneck of incident analysis [/2015/01/23/remove-your-incident-analysis-bottleneck-to-improve-your-time-to-contain], and to close the loop, I want to discuss the first bottlene

4 min Incident Response

Remove Your Incident Analysis Bottleneck To Improve Your Time To Contain

Last month, I wrote about the two largest incident response bottlenecks [/2014/12/12/attackers-prey-on-incident-response-bottlenecks] behind the massive gap between the time it takes to compromise an organization and the time it takes incident response teams to verify a true incident and take appropriate action. This post is meant to go into much greater detail on the second bottleneck: incident analysis (AKA investigation).

Challenge #1: Incident analysis with existing security tools can be very frustrating

In th

3 min Malware

"Skeleton Key" Exhibits Increased Blending Of Credentials And Malware

Dell SecureWorks published a very informative blog [http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/] this week about a new type of malware they have appropriately labeled “Skeleton Key”. Our community manager quickly wrote a note of appreciation for setting a great example through disclosure and a quick mitigation strategy [/2015/01/14/effective-information-sharing-exposing-skeleton-key?et=watches.email.blog] that every security professional should

5 min Authentication

The Sony Breach Demonstrates The Importance Of Moving Beyond Perimeter Defense

If you force yourself to forget the attribution argument over the recent attack on Sony Pictures Entertainment, you need to recognize that too little effort has been made to learn from the technical details of the attack, and while the technology was not as sophisticated as some believe, there are definitely important lessons here for those charged with protecting their organization.

Prevention and detection are universally too focused on the perimeter

Getting in may be the hardest part for a

4 min Authentication

Patch CVE-2014-6324 To Avoid A Complete Domain Rebuild When UserInsight Detects Its Exploit

On Tuesday, November 18th, Microsoft released an out-of-band security patch affecting any Windows domain controllers that are not running in Azure. I have not yet seen any cute graphics or buzzword names for it, so it will likely be known as MS14-068, CVE-2014-6324, or "that Kerberos vulnerability that is being exploited in the wild to completely take over Windows domains" because it rolls off the tongue a little better. There is a very informative description of the vulnerability, impact, and
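The exploit detection the title refers to, as an added example that is not code from the original post or from UserInsight: Microsoft's published indicator for CVE-2014-6324 exploitation is a 4624 (logon) or 4672 (special privileges assigned) event whose Account Name does not match the account its Security ID actually resolves to, because the forged PAC carries a privileged SID under an ordinary user's name. The SID directory snapshot and the event records below are constructed for illustration.

```python
"""Detect the MS14-068 / CVE-2014-6324 exploitation indicator in Security log
events: a logon whose Account Name disagrees with the account its Security ID
resolves to. Added example, not from the original post; the directory snapshot
and event records are constructed."""

# Constructed directory snapshot: SID -> sAMAccountName as the domain knows it.
DIRECTORY = {
    "S-1-5-21-1111-2222-3333-500": "Administrator",
    "S-1-5-21-1111-2222-3333-1104": "jdoe",
    "S-1-5-21-1111-2222-3333-1105": "asmith",
}

# Which (name, SID) field pair names the logged-on account for each event ID.
ACCOUNT_FIELDS = {
    4624: ("TargetUserName", "TargetUserSid"),    # successful logon
    4672: ("SubjectUserName", "SubjectUserSid"),  # special privileges assigned
}

# Constructed Security log records (relevant XML fields only).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "jdoe",
     "TargetUserSid": "S-1-5-21-1111-2222-3333-1104"},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "ASMITH",
     "TargetUserSid": "S-1-5-21-1111-2222-3333-1105"},
    # Local SYSTEM logon: well-known SID, not in the domain directory.
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "SYSTEM",
     "TargetUserSid": "S-1-5-18"},
    # Forged PAC: the ticket names jdoe but carries the RID-500 SID.
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "jdoe",
     "TargetUserSid": "S-1-5-21-1111-2222-3333-500"},
    {"EventID": 4672, "Computer": "DC01", "SubjectUserName": "jdoe",
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-500"},
    # Logoff event: not one of the event types this check looks at.
    {"EventID": 4634, "Computer": "FS01", "TargetUserName": "jdoe",
     "TargetUserSid": "S-1-5-21-1111-2222-3333-1104"},
]


def find_sid_mismatches(events, directory):
    """Return one alert per 4624/4672 event whose account name disagrees with
    the directory's name for the SID. SIDs the directory cannot resolve
    (well-known, deleted, foreign domain) are skipped rather than guessed at."""
    alerts = []
    for ev in events:
        fields = ACCOUNT_FIELDS.get(ev.get("EventID"))
        if fields is None:
            continue
        name_field, sid_field = fields
        claimed = ev.get(name_field, "")
        sid = ev.get(sid_field, "")
        resolved = directory.get(sid)
        if resolved is None:
            continue
        # Account names are case-insensitive; drop a DOMAIN\ prefix if present.
        if claimed.rsplit("\\", 1)[-1].lower() != resolved.lower():
            alerts.append({
                "computer": ev.get("Computer"),
                "event_id": ev["EventID"],
                "claimed_name": claimed,
                "sid": sid,
                "resolved_name": resolved,
            })
    return alerts


if __name__ == "__main__":
    for a in find_sid_mismatches(SAMPLE_EVENTS, DIRECTORY):
        print(f"{a['computer']} event {a['event_id']}: logged as {a['claimed_name']!r} "
              f"but SID {a['sid']} resolves to {a['resolved_name']!r}")
```

A hit on a domain controller after the patch date still means a ticket was forged before patching, which is exactly the case the title warns about: the patch closes the hole, it does not undo what was done with a golden-ticket-style PAC already issued.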

3 min Networking

UserInsight Detects Network Zone Access Violations

Information security regulations are often vague and open to some interpretation, but one common theme across most is that you need to separate the systems with critical data from the rest of your network. The vast majority of employees in your organization should never have access to systems that:

* process or store payment card data -- PCI DSS
* qualify as Critical Cyber Assets (i.e. have a role in the operation of bulk power systems) -- NERC CIP
* provide services not needed for intern
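The check behind a "zone access violation", as an added example that is not code from the original post or from UserInsight: every accepted connection into a restricted zone must originate from a zone permitted to reach it. The zone map, the reachability policy and the flow records are constructed; the zone names (`cardholder_data`, `pci_admin_jump`) are illustrative.

```python
"""Flag network-zone access violations in firewall or flow logs.

Added example, not from the original post. Zone map, policy and flow records
are constructed; the check itself is what matters: an accepted flow into a
restricted zone from a source zone not on that zone's allow-list is a violation."""
import ipaddress

# Constructed segmentation map: zone name -> address ranges.
ZONES = {
    "cardholder_data": [ipaddress.ip_network("10.10.0.0/24")],
    "pci_admin_jump": [ipaddress.ip_network("10.30.0.0/28")],
    "corp_users": [ipaddress.ip_network("10.20.0.0/16")],
    "guest_wifi": [ipaddress.ip_network("192.168.50.0/24")],
}

# Constructed policy: restricted zone -> zones permitted to initiate into it.
# A zone that is not a key here is unrestricted for this check.
RESTRICTED = {
    "cardholder_data": {"pci_admin_jump"},
    "pci_admin_jump": {"corp_users"},
}

# Constructed flow log: "<ts> src=<ip> dst=<ip> dport=<port> action=<ACCEPT|DENY>"
SAMPLE_FLOWS = """\
2015-11-02T10:00:01 src=10.30.0.5 dst=10.10.0.20 dport=3389 action=ACCEPT
2015-11-02T10:02:13 src=10.20.4.17 dst=10.10.0.20 dport=445 action=ACCEPT
2015-11-02T10:02:20 src=10.20.4.17 dst=10.10.0.21 dport=1433 action=DENY
2015-11-02T10:05:00 src=192.168.50.9 dst=10.10.0.22 dport=22 action=ACCEPT
2015-11-02T10:07:44 src=10.20.9.3 dst=10.30.0.5 dport=22 action=ACCEPT
2015-11-02T10:09:00 src=172.16.99.1 dst=10.10.0.20 dport=22 action=ACCEPT
2015-11-02T10:11:30 src=10.20.9.3 dst=10.20.1.1 dport=53 action=ACCEPT
"""


def zone_of(ip):
    """Name of the zone containing ip, or None if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return None


def parse_flows(text):
    """Parse the constructed key=value flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        rec = dict(part.split("=", 1) for part in kv)
        rec["ts"] = ts
        flows.append(rec)
    return flows


def check_zone_access(flows):
    """Return (violations, blocked): accepted flows that breach the policy,
    and denied flows that tried to. An unknown source zone is never trusted."""
    violations, blocked = [], []
    for f in flows:
        dst_zone = zone_of(f["dst"])
        if dst_zone not in RESTRICTED:
            continue
        src_zone = zone_of(f["src"])
        if src_zone in RESTRICTED[dst_zone]:
            continue
        finding = {**f, "src_zone": src_zone, "dst_zone": dst_zone}
        (violations if f["action"] == "ACCEPT" else blocked).append(finding)
    return violations, blocked


if __name__ == "__main__":
    v, b = check_zone_access(parse_flows(SAMPLE_FLOWS))
    for f in v:
        print(f"VIOLATION {f['ts']} {f['src']} ({f['src_zone']}) -> "
              f"{f['dst']} ({f['dst_zone']}):{f['dport']}")
    for f in b:
        print(f"blocked   {f['ts']} {f['src']} ({f['src_zone']}) -> "
              f"{f['dst']} ({f['dst_zone']}):{f['dport']}")
```

Accepted violations are the ones to investigate first: they mean a firewall rule, a misplaced host, or a compromised one is undermining the segmentation the regulation assumes. Denied attempts are still worth a look, since a corporate workstation probing the cardholder segment is not normal behavior even when the firewall holds.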

4 min Incident Response

The Significance of Fast and Organized Tools for Incident Investigations

Incident response processes have become more standardized in the past two decades, but any organization without a dedicated development team has had to design its processes to take available tools into account. I want to talk about incident investigation tools and how they are analogous to those used in the non-"cyber" criminal investigations that we have seen for years on television. There is a point where a security incident investigation gives way to a criminal investigation, due to a crimina