Black Hat 2011: SIM rule maker on attacks and defenses

David Pack, manager of LogRhythm Labs, explains how he and his team create rules for the vendor’s SIM appliance. While log management and SIM systems have been driven by compliance, Pack believes organizations can do a better job blocking and defending attacks using SIMs. The former security operations center analyst said SIM rules have gotten more extensive than the general out-of-the-box rules. Today, Pack and his team study attacks and the type of trail they leave behind to build correlation rules around the attack patterns. The result is a much broader defense from sophisticated attacks and lower false positives if the rules are applied by organizations.

Read the full transcript from this video below:  

Black Hat 2011: SIM rule maker on attacks and defenses

Rob Westervelt: So we're here with David Peck, he's manager of LogRhythm Labs, and you get to see a lot of the activity logs that come in from the SIM systems, don't you?

David Pack: Yes, absolutely. What we do is we actually, my team we write all the rules that parcel these logs that come in from all the systems, write the correlation rules, all the compliance reporting, alarming, that type of stuff. So pretty much all the content that makes LogRhythm useful, we produce.

Rob Westervelt: How long have you been doing that?

David Pack: Coming up on two years with LogRhythm; this is the first vendor I've been with. I come from a security analyst background, working in a SOC, that type of stuff.

Rob Westervelt: Have the rules that you're writing changed over the last two years? Or have they pretty much remained the same, with the same kind of issues?

David Pack: They've absolutely changed. We started off with more general out of the box rules, then as we matured as an organization, we've started actually testing various types of attacks in a lab environment. Seeing what type of log trail they leave behind. We're able to build correlation rules around those patterns which kind of covered all sorts of attacks where we don't have to necessarily worry about the specific way the exploit worked, or the specific way the attack worked, but the pattern surrounding them. So now we get a lot more coverage with a lot lower rate of false positives.

Rob Westervelt: Can you give an example of maybe some attacks you've had to design?

David Pack: Sure, absolutely. Seems like every few weeks there's some sort of Adobe vulnerability found and a new zero-day out there, so our approach to those, we don't really care about looking into the actual Adobe file for shell code, or scripting or anything like that. What we found is most of them, the pattern they leave behind in the log trail is similar basically. The Adobe process will crash, and then some sort of network connection will quickly open from the same machine going outbound.

So we can correlate that log and the Windows event log of the Adobe process crashing, and then something on the perimeter, whether it's a firewall or some net-flow that might be coming in, that new connection going outbound. So there's a type of pattern we look for, and then we don't care how that exploit actually works in that Adobe file, or PDF, we just care about what happens afterwards. We're kind of the net that catches things when AV or IDS fails.

Rob Westervelt: So you're writing the rules, and organizations actually have to apply those rules, right? That's the important piece. 

David Pack: Yes, absolutely. They come out of the box with our correlation engine, we have over a hundred of them, and they basically just have to turn them on. The way Logarithm is architected, there's minimal configuration as long as they've deployed the log management piece properly to actually collect what needs to be collected. But we do our best to make the rules work with minimal configuration.

Rob Westervelt: One of the things that we hear, one of the criticisms that we hear constantly, is that organizations seem to treat SIM like they do some other technologies that they put in place: you set it and then you forget it. They don't necessarily have any people behind it monitoring those logs. Are you seeing that as well, is that pretty common?

David Pack: Yes, we do see that initially. Compliance is still the big driver for most people buying SIM solutions. So they'll buy it for compliance and then usually our pro-serve team or my team, throughout the deployment process, we'll kind of show them some of the other things that can be done with the SIM. Then it's like a light bulb goes off, and they realize they can use it for a lot more than compliance reporting and log management stuff. They start using it for security issues, for operations issues. We have some customers that have customized it and are using it for business intelligence.

Rob Westervelt: What's your take on the threat landscape? I know it's kind of a general question, but over the last several years, we've seen some real high profile attacks. Are we seeing more sophisticated attacks out there?

David Pack: Absolutely, we're seeing more sophisticated attacks. The defenses are getting more sophisticated, so the attacks are going to be more sophisticated. There's a lot more tools being released that make it easy for pretty much anyone to launch these sophisticated attacks. So the people designing the attacks, and finding those vulnerabilities, and designing the exploits, are having to get a little more sophisticated. Windows has done a lot of work locking down their kernel. All the manage code type stuff requires some different tricks. So it's getting more sophisticated, but the tools are being written and released to the public making it easy for anyone to launch these exploits. There's the whole crimeware thing which kind of took off in the last few years. It's a whole new business model. There's crimeware as a service now where you can pay for your own botnet pretty much. It's a pretty interesting underground economy going on right now. It's definitely getting complicated. Hacktivism is huge right now, even if your company may not have lost any critical data or anything important in a breach, just that headline is damage enough. It's a black eye, so it's something definitely to be concerned about.

Rob Westervelt: You mentioned hacktivism, is that something though that a log management system, or a SIM system, can actually defend or protect against?

David Pack: There's really no difference when it comes down to the technical details. There's really no difference in hacktivism versus a targeted attack to extract some certain data. They're going to be going through their reconnaissance, they're going to be finding vulnerability, they're going to be exploiting it. It's not much different from the defense perspective. Either way you have to keep everything locked down in your system.Your perimeter, you need to be looking for insider activity, so there's not much to differentiate between the actual driving force of why you're being attacked. An attack is an attack. 

Rob Westervelt: Well, thanks very much.

View All Videos

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.