Ahoy! In this Blackbeard-inspired blog, we will tell ye’ a tale of navigating your SS SIEM, InsightIDR, through the unpredictable waters of cybersecurity to reach a tropical paradise we call Remediation Island. What does it take to start this journey off right? What supplies do you need to be successful? And how do you survive your quest in both clear skies and stormy seas?
Key components of InsightIDR
Just like any ship, InsightIDR relies on key pillars to ensure smooth-sailing deployments and a clear path to success. Foundational data sources such as LDAP, Active Directory, and DHCP will help you map out the behavior of your crew and what you’re facing out on the open ocean. Without these three streams flowing into your tenant accurately, you can expect to hit some rough waters and deep swells on your journey. However, just like the ocean, InsightIDR will normalize itself if anything was missed upon initial deployment or rollout, so don’t worry!
Let’s break down each of these pillars one by one, discuss how they power analytics, and explain how to implement them:
Lightweight Directory Access Protocol (LDAP) data helps InsightIDR track user, admin, and security group activity across your domain. Because LDAP automatically mirrors data across all LDAP servers, you only need to feed one LDAP event source into InsightIDR. Our trial walks you through the setup step by step, alongside our help docs for event source configuration.
Next up is Active Directory (AD), which focuses on the Security Logs coming from the Domain Controllers. Not to be confused with LDAP: the two are distinct event sources, and both are required for InsightIDR to be effective. The AD event source brings in all the security events generated not only by admins, but by your users as well.
Responder, take note: there are two ways to collect security logs from Domain Controllers: using the included Insight Agent, or using WMI. The Insight Agent is quick to deploy, monitors important event codes, and doesn’t require Domain Admin—simply get in touch with Rapid7 Support through an Insight account to opt in to the feature. However, if you want the flexibility of unfiltered log data, we suggest WMI.
The final pillar is DHCP, which ties together the asset and user data from the LDAP and AD event sources. Similar to Active Directory, you need an event source for every server/DC and/or service running DHCP. For example, if one Domain Controller is hosting multiple services, create an individual event source for each of them. DHCP logs (like DNS logs) do not replicate and require their own sources for InsightIDR to be effective and remain afloat.
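Before creating the three pillar event sources, it helps to confirm from an admin workstation that each source can actually be read. The script below is an added example (not Rapid7's code or the product's own tooling): it checks that every Domain Controller answers LDAP, that its Security log is reachable over WMI and is really producing logon events, and that every DHCP server has audit logging switched on. The server names are assumptions for illustration; it needs the RSAT ActiveDirectory and DhcpServer modules and is written for Windows PowerShell 5.1.

```powershell
# Added example, not Rapid7's code: pre-flight check for the LDAP, AD and DHCP
# event sources. Server names are assumed values for illustration.
param(
    [string[]]$DomainControllers = @('dc01.corp.example', 'dc02.corp.example'),  # assumed
    [string[]]$DhcpServers       = @('dc01.corp.example', 'dhcp01.corp.example') # assumed
)

$dcResults = @(foreach ($dc in $DomainControllers) {
    # LDAP replicates, so one event source is enough, but every DC should still
    # answer so that whichever one you point InsightIDR at is healthy.
    $ldapOk = $false
    try {
        $rootDse = [ADSI]"LDAP://$dc/RootDSE"
        $ldapOk  = -not [string]::IsNullOrEmpty($rootDse.defaultNamingContext)
    } catch { }

    # The WMI collection route reads the Security log remotely over DCOM, so
    # check that the log object is reachable that way and is not empty.
    $secLog = $null
    try {
        $secLog = Get-WmiObject -Class Win32_NTEventlogFile -ComputerName $dc `
                  -Filter "LogfileName='Security'" -ErrorAction Stop
    } catch { }

    # Confirm logon auditing is producing the events user-behaviour analytics
    # keys on: 4624 successful logon, 4625 failed logon, 4768 Kerberos TGT request.
    $recentLogon = $null
    try {
        $recentLogon = Get-WinEvent -ComputerName $dc -MaxEvents 1 -ErrorAction Stop `
                       -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4768 }
    } catch { }

    [pscustomobject]@{
        Server          = $dc
        LdapReachable   = $ldapOk
        SecurityLogWmi  = ($null -ne $secLog)
        SecurityRecords = if ($secLog) { $secLog.NumberOfRecords } else { 0 }
        LogonEventsSeen = ($null -ne $recentLogon)
    }
})

# DHCP does not replicate: every server running the service needs its own
# event source AND must be writing its audit log for the collector to read.
$dhcpResults = @(foreach ($srv in $DhcpServers) {
    $audit = $null
    try { $audit = Get-DhcpServerAuditLog -ComputerName $srv -ErrorAction Stop } catch { }
    [pscustomobject]@{
        Server          = $srv
        AuditLogEnabled = [bool]($audit -and $audit.Enable)
        AuditLogPath    = if ($audit) { $audit.Path } else { '(unreachable)' }
    }
})

"Domain Controllers (LDAP + AD security log):"
$dcResults | Format-Table -AutoSize
"DHCP servers (audit log per server):"
$dhcpResults | Format-Table -AutoSize
```

Any DC that shows `SecurityLogWmi` as false but `LdapReachable` as true usually means the account running the script lacks rights on the Security log (local administrator or Event Log Readers membership on that DC), which is exactly the privilege the WMI route needs and the Insight Agent route avoids. A DHCP server with `AuditLogEnabled` false will appear in the LDAP and AD data but never contribute the lease-to-user mapping the third pillar exists for. On PowerShell 7, replace `Get-WmiObject` with `Get-CimInstance`.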
Endpoint visibility and detection with the Insight Agent
Now that the three pillars are finished, your main dashboard will start to populate user information and you’ll immediately start monitoring for threats. Some common early alerts include Account Leak incidents for employee accounts that have been compromised in public data breaches, and insecure ingress onto your network from non-expiring user accounts or service accounts.
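The non-expiring accounts mentioned above are easy to inventory in advance so the early alerts land on a list you have already reviewed. The function below is an added example (not Rapid7's code): it pulls every enabled account whose password never expires, separates human users from service accounts by whether an SPN is set, and flags members of the built-in privileged groups. It assumes the RSAT ActiveDirectory module and a domain-joined workstation.

```powershell
# Added example, not Rapid7's code: list enabled accounts with non-expiring
# passwords so the early InsightIDR alerts can be triaged against a known list.
Import-Module ActiveDirectory

function Get-NonExpiringAccounts {
    # Only enabled accounts matter for ingress; disabled ones cannot log on.
    $filter = 'PasswordNeverExpires -eq $true -and Enabled -eq $true'
    Get-ADUser -Filter $filter `
        -Properties PasswordLastSet, LastLogonDate, ServicePrincipalName, MemberOf |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                # An SPN means something authenticates as this account as a service.
                Kind            = if ($_.ServicePrincipalName.Count -gt 0) { 'Service' } else { 'User' }
                PasswordAgeDays = if ($_.PasswordLastSet) {
                                      [int]((Get-Date) - $_.PasswordLastSet).TotalDays
                                  } else { $null }
                LastLogonDate   = $_.LastLogonDate
                # A stale, non-expiring credential in a privileged group is the
                # case to review first.
                Privileged      = [bool]($_.MemberOf -match 'CN=(Domain Admins|Enterprise Admins|Administrators),')
            }
        }
}

Get-NonExpiringAccounts |
    Sort-Object -Property Privileged, PasswordAgeDays -Descending |
    Format-Table -AutoSize
```

Service accounts with very old passwords and `Privileged` set to true are the ones worth rotating or moving to group managed service accounts before the SIEM starts alerting on them; for the human users on the list, the fix is simply clearing the password-never-expires flag.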
The next milestone is understanding the assets across your network, which is where the Insight Agent comes in. With it, you can:
- Find modern malware (e.g. PowerShell, obfuscated commands, multi-stage payloads).
- Find signs of compromised accounts with user behavior analytics.
- Meet security compliance with File Integrity Monitoring (FIM).
- Gather endpoint artifacts during an investigation (e.g., registry, process, host information).
- Understand important security events on the endpoint (e.g., PowerShell activity, FIM).
- Kill a malicious process on the endpoint.
- Quarantine an asset so that it cannot communicate with the attacker’s command and control.
Beyond your endpoints, pre-built integrations with your security tools and log sources are shown below:
There’s a lot here, but don’t worry! These pre-built event sources are very easy to set up and come with great documentation to guide you through the waters. Most of the configuration needed for InsightIDR to be successful lies outside of the tool, in the many third-party integrations we provide for event sources—setting up a syslog server, forwarding audit logs into InsightIDR over a port, watching a remote directory, or pulling from another log aggregator tool. These flexible options are based on your preferences and what you determine is best for your environment.
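For the syslog-over-a-port option above, the quickest sanity check is to push one hand-built syslog line at the listener and confirm it shows up in the event source before reconfiguring a real firewall or appliance. The function below is an added example (not Rapid7's code): it builds an RFC 3164 message and sends it over UDP or TCP to a collector. The collector address and port are assumptions; use whatever you chose when creating the event source.

```powershell
# Added example, not Rapid7's code: send one test syslog message to a collector
# listener to prove the path is open before pointing a real device at it.
function Send-TestSyslog {
    param(
        [Parameter(Mandatory)] [string] $Collector,          # assumed: collector IP/hostname
        [int] $Port = 514,                                   # assumed: port chosen for the event source
        [ValidateSet('UDP', 'TCP')] [string] $Protocol = 'UDP',
        [string] $Message = 'InsightIDR event source connectivity test'
    )

    # RFC 3164 header: <PRI>TIMESTAMP HOSTNAME TAG: MSG
    # PRI = facility * 8 + severity; facility 4 (auth) + severity 6 (info) = 38
    $pri       = 4 * 8 + 6
    $timestamp = (Get-Date).ToString('MMM dd HH:mm:ss', [cultureinfo]::InvariantCulture)
    $line      = "<$pri>$timestamp $env:COMPUTERNAME syslogtest: $Message"
    $bytes     = [System.Text.Encoding]::ASCII.GetBytes($line + "`n")

    if ($Protocol -eq 'UDP') {
        # UDP is fire-and-forget: a successful send only proves the packet left,
        # so verify arrival on the InsightIDR side.
        $udp = New-Object System.Net.Sockets.UdpClient
        try     { [void]$udp.Send($bytes, $bytes.Length, $Collector, $Port) }
        finally { $udp.Close() }
    } else {
        # TCP fails fast with a connection error if nothing is listening on the port.
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $tcp.Connect($Collector, $Port)
            $stream = $tcp.GetStream()
            $stream.Write($bytes, 0, $bytes.Length)
            $stream.Flush()
        } finally { $tcp.Close() }
    }
    return $line   # the exact line to search for in the event source
}

# Usage with an assumed collector address and port:
Send-TestSyslog -Collector '10.0.0.25' -Port 5140 -Protocol TCP
```

If the TCP variant throws a connection error, the listener is not up or a host firewall is in the way; if it succeeds but the line never appears in InsightIDR, the event source is most likely bound to a different port or protocol than the one you sent to.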
Unlike your typical SIEM cargo ship, you can get up and running in an hour—you just need access to the data sources we touched on above. As you expand your deployment by bringing in new endpoints, domain controllers, cloud services, and more, InsightIDR will continue to normalize and account for that new data automatically. Always remember, when sailing with InsightIDR as your SIEM, the rougher the seas, the smoother we sail. Ahoy, mateys!