<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Log Management &#38; SIEM for Security, Compliance, Operations &#124; the dialog &#187; botnet</title>
	<atom:link href="http://blog.logrhythm.com/tags/botnet/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.logrhythm.com</link>
	<description>Log Management &#38; SIEM for Security, Compliance, Operations &#124; the dialog</description>
	<lastBuildDate>Tue, 24 Apr 2012 15:35:28 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.3</generator>
		<item>
		<title>Arming Your Network Against Advanced Persistent Threats (APTs)</title>
		<link>http://blog.logrhythm.com/security/arming-your-network-against-advanced-persistent-threats-apts/</link>
		<comments>http://blog.logrhythm.com/security/arming-your-network-against-advanced-persistent-threats-apts/#comments</comments>
		<pubDate>Fri, 16 Jul 2010 17:40:43 +0000</pubDate>
		<dc:creator>eknight</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[log management]]></category>
		<category><![CDATA[security information and event management]]></category>

		<guid isPermaLink="false"></guid>
		<description><![CDATA[botnet,security information and event management,advanced persistent threat,log management <a href="http://blog.logrhythm.com/security/arming-your-network-against-advanced-persistent-threats-apts/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Ever since Google was hacked by the notorious <a href="http://en.wikipedia.org/wiki/Operation_Aurora" target="_blank">&#8220;Operation Aurora&#8221;</a>, the term <a href="http://en.wikipedia.org/wiki/Advanced_Persistent_Threat" target="_blank">Advanced Persistent Threat</a> has come to the forefront of the computer security challenges organizations must face.  APTs are attacks originating from groups with government-level funding, the patience to wait for an opportunity to exploit, and a specific mission to carry out.</p>
<p>I&#8217;ve met the whole concept of APTs with personal skepticism.  After all, the analysis of Google&#8217;s hack did not prove that the Chinese government was directly responsible, that the tools used exceeded the complexity of <a href="http://en.wikipedia.org/wiki/Botnet" target="_blank">botnets</a> formed by malware such as Bagle or Conficker, or that a basic penetration test could not have yielded similar results against any company, let alone an open-architected, public-minded company such as Google.</p>
<p>Regardless, many respected researchers do claim the attack was government sponsored and was carried out with significant sophistication.  They also claim that far more resources are likely being pushed into funded cyber attacks against influential organizations as a result of copycats among other governments and well-funded criminal groups.</p>
<p>For those who have been dealing with cyber crime during the last few decades, these threats sound similar to threats that have been seen all along.  Profit-motivated criminal organizations have created sophisticated malware with command and control systems that, among other things, search for and steal anything of value from an infected computer and send it to data-collecting exfiltration servers located in shady data centers all around the world.</p>
<p>The role of integrated <a href="http://www.logrhythm.com/Applications/SIEM/tabid/87/Default.aspx" target="_blank">Security Information and Event Management (SIEM)</a> and <a href="http://www.logrhythm.com/Products/LogandEventManagement/LogManagement/tabid/77/Default.aspx" target="_blank">Log Management</a> products such as LogRhythm is coming to the forefront of APT defense, establishing them as a fundamental element of security that is just as important as the old familiar defenses.  APTs are likely to have centralized command and control, and the defense is to have at least the same capabilities as the attacker, in the form of a Security Information and Event Manager.</p>
<p>Regardless of whether you are concerned about emerging threats from cyber crime or insider threats, or feel your organization faces a direct threat from government-sponsored APTs, SIEM solutions like LogRhythm are an invaluable tool for responding to complex and targeted threats against your organization by addressing the following:</p>
<p>1) Event-layer collection and analysis, reducing log data to highlight events of importance<br />
2) Automatic notification of compromises and security-critical events<br />
3) Robust and deep forensic capabilities across a wide variety of log sources<br />
4) Understandable dashboards highlighting activities and trends for the organization<br />
5) Internal/external system awareness and <a href="http://www.logrhythm.com/Products/GeolocationVisualization/tabid/365/Default.aspx" target="_blank">GeoLocation</a> identification of attackers<br />
6) Detection and notification of potential data loss events</p>
<p>Without the right SIEM solution, an organization may be blind to even basic threats.  The visibility a SIEM provides can expose complicated and unknown threats by tracking information in enough detail to spot the anomalous behavior that APTs are not capable of hiding.  SIEMs are the most significant countermeasure against Advanced Persistent Threats available and are critical for stepping up to limit the impact of APTs.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.logrhythm.com/security/arming-your-network-against-advanced-persistent-threats-apts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Importance of Real-Time Analysis for Security and Operations</title>
		<link>http://blog.logrhythm.com/security/the-importance-of-realtime-analysis-for-security-and-operations/</link>
		<comments>http://blog.logrhythm.com/security/the-importance-of-realtime-analysis-for-security-and-operations/#comments</comments>
		<pubDate>Sun, 09 May 2010 13:41:00 +0000</pubDate>
		<dc:creator>theisler</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[real-time alerting]]></category>
		<category><![CDATA[siem]]></category>

		<guid isPermaLink="false"></guid>
		<description><![CDATA[botnet,information security,real-time alerting,siem <a href="http://blog.logrhythm.com/security/the-importance-of-realtime-analysis-for-security-and-operations/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>As I&#8217;m sitting out on the back patio enjoying a beautiful spring morning on Mother&#8217;s Day, I thought I&#8217;d momentarily press the pause button and delay my familial responsibility for cooking the most amazing breakfast ever, to talk for a bit about the significance of real-time information access as it relates to Log and Event Management (SIEM).</p>
<p>What prompted me to address real-time?  The simple fact that there&#8217;s been a lot of action in the news the last couple of weeks dealing with the real-time &#8216;fires&#8217; that need to be put out.  From the recent unsuccessful Times Square car bomber to the &#8216;difficult to wrap-your-head-around&#8217; massive oil leaks vomiting hundreds of thousands of barrels of oil into the Gulf, real-time access to relevant information is an absolutely critical component of our investigative capacity to both identify and stop these types of threats.</p>
<p>Take the <a href="http://news.yahoo.com/s/ap/20100504/ap_on_re_us/us_times_square_car_bomb" target="_blank">Times Square Bomber, Faisal Shahzad</a>, for example.  Despite a wealth of forensic data tying him to the bombing attempt, and a relatively quick path to identifying him as a suspect, Shahzad was minutes from successfully fleeing the country on a commercial airliner.  Why?  Because the process for adding his name to a no-fly list was not in real-time and the TSA was not notified until he had already boarded the plane.  Fortunately federal officials were able to turn the plane around before take-off and apprehend him.</p>
<p>Likewise, the <a href="http://en.wikipedia.org/wiki/Deepwater_Horizon_drilling_rig_explosion" target="_blank">Deepwater Horizon oil spill</a> is the result of a combination of process and technical breakdowns.  A critical mechanical failure combined with a deadly buildup in methane gas going undetected ultimately caused a catastrophic explosion.  The resulting environmental and economic disaster will be felt for years.  It&#8217;s hard not to wonder what might have been different if the right people were notified of the faulty equipment in time to repair it, or if the methane build-up had been detected and eliminated before reaching critical mass.</p>
<p>And it&#8217;s no stretch that these examples are analogous to an enterprise I.T. environment &#8212; the power of real-time analysis is unmistakable.  I&#8217;ve worked in I.T. environments where there was an infection that went undetected by the myriad of security products, from the host-based security tools to the NIDS product sniffing off the wire.  Whether this infection was a zero-day exploit or simply missed by the security products is another story &#8211; either way the question is, <a href="http://logrhythm.com/Applications/Security/tabid/87/Default.aspx" target="_blank">&#8216;How do you identify the root cause and prevent it&#8230;rapidly?&#8217;</a> Just as more pieces of a complex puzzle help paint the whole picture, access to log data from disparate sources provides core pieces of the puzzle, giving the analyst visibility into the labyrinth of data available to help identify the root cause.  In order to accomplish this effectively you&#8217;ll need &#8216;fingertip&#8217; access to all log data.  Moreover, you&#8217;ll want to be able to view the data in real-time, at the time of capture.</p>
<p>In the example above, we were able to quickly identify the port the <a href="http://en.wikipedia.org/wiki/Botnet" target="_blank">botnet</a> was communicating on and quickly target the source IP address for communications from internal systems attempting to communicate on that port.  This uncovered, in real-time, over 25 systems throughout the enterprise that were infected (by DNS name and IP address) and these systems were quickly removed from the network and cleansed.</p>
<p>Although in this example we&#8217;re discussing a security-related issue, the real-time use case carries over into other parts of our business, including operations.  Consider a virtualized environment heavily reliant on the underlying system to run hundreds of production systems.  What happens if the underlying system has an issue that potentially impacts our production environment?  A critical failure in this case could create a significant event, impacting the business as a whole.  I&#8217;ve dealt with this in the field, and real-time access to the log data provided the root cause analysis necessary to understand the issue.  This in turn triggered the effort to quickly resolve the &#8216;now known&#8217; issue.  The moral of the story: immediate access to real-time log data can provide the magnet every analyst needs to quickly find the needle in their haystack.</p>
<p>Okay &#8211; I think I hear the kids stirring so I better focus on my wife and family before I get in trouble for working on this, of all days.  Happy Mother&#8217;s day to all the moms out there.</p>
<p>To see some ideas for how you can help with the environmental cleanup and humanitarian efforts of what is being predicted to be one of the worst environmental catastrophes in United States history, please visit:<br />
<a href="http://www.sierraclub.org/" target="_blank">http://www.sierraclub.org/</a><br />
<a href="http://crcl.org/" target="_blank">http://crcl.org/</a><br />
<a href="https://secure.oxfamamerica.org/site/Donation2?df_id=4360&amp;4360.donation=form1&amp;JServSessionIdr004=hxfvbljiv1.app240a" target="_blank">https://secure.oxfamamerica.org/site/Donation2?df_id=4360&amp;4360.donation=form1&amp;JServSessionIdr004=hxfvbljiv1.app240a</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.logrhythm.com/security/the-importance-of-realtime-analysis-for-security-and-operations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

