Tuesday, November 13, 2018

From my Gartner Blog - The new (old) SIEM papers are out!

As Anton already mentioned here and here, our update of the big SIEM paper was turned into two new papers:

How to Architect and Deploy a SIEM Solution
SIEM is expected to remain a mainstay of security monitoring, but many organizations are challenged with deploying the technology. This guidance framework provides a structured approach for technical professionals working to architect and deploy a SIEM solution.
Published: 16 Oct 2018
Anton Chuvakin | Anna Belak | Augusto Barros

How to Operate and Evolve a SIEM Solution
Managing and using a SIEM is difficult, and many projects are stuck in compliance or minimal value deployments. Most SIEM challenges come from the operations side, not broken tools. This guidance supports technical professionals focused on security working to operate, tune and utilize SIEM tools.
Published: 05 Nov 2018
Augusto Barros | Anton Chuvakin | Anna Belak



We decided to split the document so we could expand on those two main activities, deploying and operating a SIEM, without the worry of building a document so big it would scare away the readers. A great secondary outcome of that is we were able to put together separate guidance frameworks for each one of those activities. Some of my favorite pieces of each doc:


“User and entity behavior analytics (UEBA)-SIEM convergence allows organizations to also include UEBA-centric use cases and machine learning (ML) capabilities in their deployment projects.” (A hype-less way to talk about “OMG AI AI!”)

“Staff shortages and threat landscape drive many organizations to SaaS SIEM, co-managed SIEM and service-heavy models for their SIEM deployments and operation.” (Because, in case you haven’t noticed, SIEM NEEDS PEOPLE TO WORK)

“Adopt the “output-driven SIEM” model, where nothing comes into a SIEM tool unless there is a clear knowledge of how it would be used.” (I know it’s old, but hey, this is our key advice for those deploying SIEM! So, still a favorite)

“Deploy use cases requiring constant baselining and anomaly detection, such as user account compromise detection, using ML/advanced analytics functions previously associated with UEBA” (because it’s not all marketing garbage; these use cases are the perfect fit for UEBA capabilities)


“Creating and refining security monitoring use cases is critical to an effective SIEM. User-created and customized detection logic delivers the most value.” (because ongoing SIEM value REQUIRES use case management)

“Develop the key operational processes for SIEM: run, watch and adapt. When necessary, fill the gaps with services such as MSS and co-managed SIEM” (we promoted “tune” to “adapt”)

“Prepare and keep enough resources to manage and troubleshoot log collection issues. New sources will be added; software upgrades change log collection methods and formats; environment changes often cause collection disruption.” (ML capabilities, big data tech, all that is cool, but a big chunk of SIEM work is still being able to get the data in)


The post The new (old) SIEM papers are out! appeared first on Augusto Barros.

from Augusto Barros https://ift.tt/2OEUctf

Wednesday, October 3, 2018

From my Gartner Blog - Endpoint Has Won, Why Bother With NTA?

One of my favorite blog posts from Anton is the one about the “SOC nuclear triad”. As he describes, SOCs should use logs, endpoint and network data on their threat detection and response efforts. But we also know that organizations don’t have infinite resources and will often have to decide about which tool to deploy first (or ever). Leaving logs aside for a moment, as it usually has additional drivers (i.e. Compliance), the decision eventually becomes: Endpoint vs Network.

Considering a fair comparison, I believe endpoint wins. Some of the evidence we see out there apparently confirms that. Just look at the number of EDR and NTA solutions available in the market. The number of calls I get about EDR, compared to NTA, is also higher. Not to mention that some surveys are also pointing to the same thing.

Endpoint also wins on technical aspects:

  • The network is not yours anymore: With cloud, including PaaS and SaaS, it becomes harder to find a network to plug your NTA technology too. The number of blind spots for network monitoring today are huge, and growing.
  • Encryption: To make things worse (or better, I should say), network traffic encryption is growing tremendously. Almost everything that used to be HTTP now is HTTPS. Visibility on the higher layers is very limited.
  • Endpoint has better signal to noise: This may be more contentious, but it seems that less deterministic detection seems to work better on the endpoint than on the network. What does that mean, in practical terms? That the detection approaches that go beyond simple signatures or indicators matching will generate better alerts, in terms of false positive rates, on the endpoint instead of on the network. Some people may disagree here, but that’s my impression from clients’ feedback about products from both sides.
  • You can see all network stuff on the endpoint: If you really want to see network traffic, why not capture on the endpoints? Some products have been doing that for years.

I think these are some of the reasons why MDR service providers select EDR as delivery mechanism for their services. Having an agent in place also gives them more fine-grained response capabilities, such as killing a process instead of blocking traffic to or from an IP address.

So, endpoint wins. Why would anyone still bother with NTA?

There are reasons that could reverse the preference from endpoint to network. You may prefer to rely on NTA when:

  • You need to protect IOT, OT/ICS, BYOD, mobile devices: Simply put, if you cannot install an agent on it, how would you do endpoint-based detection? There are many technologies being connected to networks that do not support or don’t have agents available. Sometimes they do, but you are not allowed to install the agent there.
  • Organizational challenges: Not all organizations are a perfectly friendly environment for endpoint monitoring. The “owners” of the endpoint technologies may simple reject the deployment of new agents. Your silo may not have enough power to force the deployment of agents but may have better access to network instrumentation. There are many situations beyond simple technical reasons that would force you to look for an alternative to endpoint technologies.
  • Price? Not sure here, but depending on the number of endpoints and the network architecture, it may be cheaper to do monitoring on the network level instead of on each endpoint. If you have a huge number of endpoints, but a network that is easy to instrument and monitor, the bill for NTA could be friendlier than the EDR bill.

So, there are two reasons to still invest in NTA. First, PERFECT visibility REQUIRES both. If you are concerned about super advanced threats disabling agents, using BIOS/EFI rootkits, you need to compensate with non-endpoint visibility too. Second, organizational or technology limitations may leave you with network as the only option.


Do you see any other reason why NTA would be the preferred option, instead of endpoint? Do you disagree that endpoint has won?

(this post, BTW is the result of our initial discussions on upcoming NTA research…)






The post Endpoint Has Won, Why Bother With NTA? appeared first on Augusto Barros.

from Augusto Barros https://ift.tt/2yce5Sd

Friday, September 7, 2018

From my Gartner Blog - The “How To Build a SOC” Paper Update is OUT!

Anton and I have been probing the social media for some time about the trends related to SOC and incident response teams. All that work finally made its way into our “How to Plan, Design, Operate and Evolve a SOC” paper. It is the same paper we published a couple of years ago, but updated to reflect some things we’ve seen evolving since the first version, such as:

  • SOAR tools evolution and growth in adoption
  • Further convergence between security monitoring and incident response
  • Higher adoption of services to supplement internal capabilities

We also updated the guidance figure to include more details for each phase:

Please provide feedback if you read it via https://surveys.gartner.com/s/gtppaperfeedback

The post The “How To Build a SOC” Paper Update is OUT! appeared first on Augusto Barros.

from Augusto Barros https://ift.tt/2MaD2Cq

Tuesday, July 31, 2018

From my Gartner Blog - Gartner Security and Risk Management Summit Brazil – 2018

The Gartner Security Summit Brazil is fast approaching and I’m happy to be part of it again. This time it’s even more special, for many reasons.

This is my first year as the chairman of the conference. It’s very rewarding to be work on the content that will be delivered,  selecting analysts and external speakers. I’m happy to have Anton coming this year. He has quite a fan base there, I’m sure they will all be excited to attend his sessions!

I was also able to bring two very interesting external speakers:

  • Dr. Deltan Dallagnol – One of the prosecutors working on the famous “Carwash Operation task force”
  • Dr. Jessica Barker – The human aspects of information security always fascinated me. Dr. Barker is one of the specialists in this field and she’s bringing her perspective on why things are not so simple as “users are dumb”.

We’ll also have an stellar team of Gartner analysts there. You can check who’s coming here.

Of course, I have my own share of sessions too:

TUESDAY, 14 AUGUST, 2018 / 09:15 AM – 10:15 AM – Scaling Trust and Resilience — Cut the Noise and Enable Action (The opening Keynote)

TUESDAY, 14 AUGUST, 2018 / 01:45 PM – 02:30 PM – Roundtable: How Did You Start Your Organization’s Detection and Response Capabilities?

TUESDAY, 14 AUGUST, 2018 / 03:45 PM – 04:30 PM – An Overview of the Threat Landscape in Brazil

WEDNESDAY, 15 AUGUST, 2018 / 09:15 AM – 10:00 AM – CARTA Inspired Cases in Brazil

WEDNESDAY, 15 AUGUST, 2018 / 12:15 PM – 01:15 PM – CISO Circle Lunch: Lessons Learned in the Equifax Breach and Other Incidents

WEDNESDAY, 15 AUGUST, 2018 / 01:45 PM – 02:30 PM – Roundtable: Lessons From Using Managed Security Services


If you’re planning to attend, please come and say hi :-)

The post Gartner Security and Risk Management Summit Brazil – 2018 appeared first on Augusto Barros.

from Augusto Barros https://ift.tt/2OwjgDR

Tuesday, April 17, 2018

From my Gartner Blog - Threat Simulation Open Source Projects

It’s crazy how many (free!) OSS projects are popping up for threat and attack simulation! We are working on research about Breach and Attack Simulation (BAS) tools, and we’ll certainly mention these projects, buy I thought it would be valuable to provide a list of links on the blog as well. Here are all the projects that I’ve managed to track in the past few weeks.

So what? No excuse to not run some of these and see how your environment and your detection and response practices react. Go ahead and try some of these :-)

 Invoke-Adversary – Simulating Adversary Operations – Windows Security

The post Threat Simulation Open Source Projects appeared first on Augusto Barros.

from Augusto Barros https://ift.tt/2vqjKWA

Wednesday, April 11, 2018

From my Gartner Blog - Big data And AI Craziness Is Ruining Security Innovation

I don’t care if you use Hadoop or grep+Perl scripts. If you can demonstrate enough performance to do what you claim you can do, that’s what matters to me from a backend point of view. Now, can you show me that your tool does what it should do better than your competitors?

There is a trend about the messages I’ve been hearing during vendor briefings over the past few months. They spend a lot of time talking about how great their architecture is, all those Hadoop stack components so beautifully integrated, showing how aligned to the latest data management, machine learning and analytics they are. They are proud of the stuff under the hood. But, very often, without verifiable claims on their effectiveness.

This is getting close to the insanity level. “We have AI”. “We are hadoop based”. “We do ML and Deep Learning”. It’s like the technology and techniques being used are the only thing to look for, and not the results! This may work to lure the VCs, but I cannot see how anyone would buy something that uses all this cool technology for…what exactly?

You see advanced analytics that provide “confidence levels” that do not change based on user feedback. Crazy visualizations that don’t tell you anything and could be easily replaced by a simple table view. “Deep Learning” for matching TI indicators to firewall logs. The list is endless.

My concern with this craziness is that vendors are mixing priorities here; they want to show they are using the latest techniques, but not worried about showing how effective they are. There are so many attempts to be the next “next-gen”, but not enough attempts to do help organizations solve their problems. This is killing innovation in security. I want to see how your tool makes threat detection 10x better, not that you can process 10x more data than your competitor.

There are cases where performance and capacity bottlenecks are the main pain point of an industry. Think SIEM before they started moving away from RDBMS, for example. But this is not always true. Now we see vendors happy to claim their products are based on Big Data technologies, but the use cases don’t require more than a few hundred megabytes of data stored. Stop that nonsense.

If you’re getting into this industry now, do so with a product that will work better than what organizations already have in place: findings more threats, faster and using less resources during detection and response. If your next-gen technology is not able to do so, it’s just a toy. And the message I hear from our clients is clear: We don’t want another toy, we want something that makes our lives easier.


The post Big data And AI Craziness Is Ruining Security Innovation appeared first on Augusto Barros.

from Augusto Barros https://ift.tt/2qn5KIm

Wednesday, March 7, 2018

From my Gartner Blog - The Virtual Patch Analyst

Is there a need, or place for a “virtual patch analyst”?

If you look at our guidance on vulnerability management, you’ll see that one of the key components we suggest our clients to consider is preparing for mitigation actions, when the immediate vulnerability remediation is not possible. We often see organizations scrambling to do it because they haven’t spent time in advance to build the process, and they don’t have a menu of prepared mitigations to use. Those could include the NIPS, WAFs, etc, but how many would be comfortable to rush the implementation of a “block” signature on those?


Normally this wouldn’t require a FTE, but big organizations could in fact have enough work on this to justify one. Keeping in mind there are many mitigation options, including NIPS, WAF, HIPS, vendor workarounds, application control, additional monitoring, etc. So, one of the challenges for such role to exist is the broad skillset required. Someone capable of understanding the implications of SMB protocol configuration tweaking on Windows and, at the same time, able to write a WAF signature? Hard, but not impossible.

Even if the complete skillset to create the mitigation actions is something hard to find on a single professional, there’s still a lot of work around coordination and process management. The virtual patch analyst may not need all those skills, just some basic understanding of what is being done on each case. The bulk of the work is maintaining the menu of options, getting the right people engaged to develop them and coordinating the process when one needs to be implemented.  Having such role as part of a vulnerability management team is something a big enterprise could do to ensure unacceptable risks are mitigated while a definitive solution for them is not available.

Is there anyone out there working on such role? I would love to hear more about it!


The post The Virtual Patch Analyst appeared first on Augusto Barros.

from Augusto Barros http://ift.tt/2FnCdUl