Monitoring to stay ahead of the threat landscape
It is often difficult to catch everything crawling around your network, especially what is outside it. That is also where new vulnerabilities get discovered every day and every hour.
Recently there was a zero-day vulnerability in Exchange that shook the industry. Thankfully, Microsoft was quick to provide mitigation steps so people could secure their systems. Two days later it was confirmed that attackers had bypassed the mitigation. That’s how quickly things can change: from zero danger to full danger in hours and minutes. Even a put-out fire needs to be monitored so it doesn’t flare up again.
Almost all applications write everything that happens in the application to a log file. These logs can be extremely valuable when investigating a security incident or looking for an unnoticed breach. But if we tried to read all of them we would quickly get information overload: they are so detailed that it could take an hour to read forty-two seconds’ worth of logs. It is simply Too Much Information (TMI).
Tools like Microsoft Sentinel help us stay ahead of the logs by monitoring and analyzing them as they are created. Sentinel uses predefined rules together with machine learning to define alerts, learn behavioral patterns and flag anomalies against those patterns. This ensures that all logs are investigated and we only need to act on actual security incidents.
Attackers often leverage known weaknesses in applications, but sometimes they use unknown ones. These are known as zero-day vulnerabilities or exploits. They are especially dangerous because there is often no known mitigation to stop the attack, and they are hard to trace since no one knows how they function. They are almost impossible to defend against. How are we supposed to? We are looking for a needle in a haystack without knowing what the needle looks like.
To defend ourselves against zero-day vulnerabilities like this we would need to scour the internet for both known and unknown exploits to see if any of our own systems are affected. We would have to do this day in and day out, because we never know when a new vulnerability or exploit will become known.
To get a bird’s-eye view of the threat landscape we could automate the monitoring: have the automation search forums and news outlets and alert the relevant teams to cybersecurity news. Cross-checking the new information against our own systems lets us see how we are impacted.
Sentinel can also automate this by subscribing to what we call threat intelligence feeds. These feeds contain detailed information about the latest security news. Here we get granular information and can correlate specific files, IP addresses, links and domain names to real security events around the world. This type of information is also known as an Indicator of Compromise (IoC). With IoCs we can, for example, be alerted when a user accesses a known domain correlated with ransomware. This ensures that the newest threat intelligence is always active and helping us.
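The domain-IoC alert described above, as an added example that is not part of the original post and not Sentinel’s own code: it takes a threat intelligence feed of domain indicators, drops expired ones, and raises an alert for every DNS query that resolves an indicator or one of its subdomains. The feed entries, domains and DNS log lines are constructed placeholders, not real indicators.

```python
from datetime import datetime

# Constructed indicator feed (domain, threat type, expiry); placeholder domains, not real IoCs.
FEED = [
    ("ransom-payload.invalid", "ransomware", "2099-01-01T00:00:00Z"),
    ("old-c2.invalid", "c2", "2020-01-01T00:00:00Z"),  # expired: must not alert
]

# Constructed DNS query log: "<timestamp> <client_ip> <queried_name>" per line.
DNS_LOG = """\
2024-03-01T10:00:00Z 10.0.0.5 cdn.ransom-payload.invalid
2024-03-01T10:00:01Z 10.0.0.6 old-c2.invalid
2024-03-01T10:00:02Z 10.0.0.7 ransom-payload.invalid.example.org
2024-03-01T10:00:03Z 10.0.0.5 login.example.com
"""

def parse_ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def active_indicators(feed, now_iso):
    """Index unexpired indicators by normalised domain -> threat type."""
    now = parse_ts(now_iso)
    return {d.lower().rstrip("."): t for d, t, exp in feed if parse_ts(exp) > now}

def match_domain(name, indicators):
    """Match the queried name or any parent domain (cdn.x.y matches x.y),
    but never a name that merely contains an indicator as a prefix."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None

def correlate(dns_log, feed, now_iso):
    """Return one alert dict per DNS query that resolves a known-bad domain."""
    indicators = active_indicators(feed, now_iso)
    alerts = []
    for line in dns_log.splitlines():
        ts, client_ip, name = line.split()
        hit = match_domain(name, indicators)
        if hit:
            alerts.append({"time": ts, "client_ip": client_ip, "queried": name,
                           "indicator": hit, "threat_type": indicators[hit]})
    return alerts

if __name__ == "__main__":
    for a in correlate(DNS_LOG, FEED, "2024-03-01T00:00:00Z"):
        print(f"ALERT {a['time']} {a['client_ip']} -> {a['queried']} ({a['threat_type']})")
```

Only the first log line fires: the expired indicator is ignored, and the look-alike name that merely starts with an indicator is not matched, which is the false positive a naive substring search would raise.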
And that's how we monitor to stay ahead of the threat landscape.