<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Log Management &#38; SIEM for Security, Compliance, Operations &#124; the dialog &#187; siem</title>
	<atom:link href="http://blog.logrhythm.com/tags/siem/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.logrhythm.com</link>
	<description>Log Management &#38; SIEM for Security, Compliance, Operations &#124; the dialog</description>
	<lastBuildDate>Tue, 24 Apr 2012 15:35:28 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.3</generator>
		<item>
		<title>On Its Three Year Anniversary Conficker Still a Top Threat</title>
		<link>http://blog.logrhythm.com/general/old-malware-still-prevalent-conficker-still-a-top-threat/</link>
		<comments>http://blog.logrhythm.com/general/old-malware-still-prevalent-conficker-still-a-top-threat/#comments</comments>
		<pubDate>Mon, 21 Nov 2011 13:00:20 +0000</pubDate>
		<dc:creator>dpack</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[conficker]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[siem]]></category>

		<guid isPermaLink="false">http://blog.logrhythm.com/?p=515</guid>
		<description><![CDATA[Recently I was asked to speak about the prevalence of the Conficker worm.  I initially scoffed at the idea, remembering that Conficker was discovered in November 2008, and the vulnerability it used to spread was patched by Microsoft in October &#8230; <a href="http://blog.logrhythm.com/general/old-malware-still-prevalent-conficker-still-a-top-threat/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Recently I was asked to speak about the prevalence of the Conficker worm.  I initially scoffed at the idea, remembering that Conficker was discovered in November 2008, and the vulnerability it used to spread was patched by Microsoft in October of the same year…ancient history in the security world.  However, after just a little research, I found AV vendors are still considering it to be one of the <a href="http://go.eset.com/us/resources/threat-trends/Global_Threat_Trends_October_2011.pdf" target="_blank">most prevalent pieces of malware out there</a>.</p>
<p>How can this be?  The vulnerability Conficker used to spread was patched 3 years ago!  Every AV vendor I know of has been able to detect and remove the worm since then.  Many have even issued “Conficker Removal Tools” to assist in the event a system gets in a state where standard AV isn’t working properly.  So why is Conficker still a problem?<a href="http://www.logrhythm.com/Resources/VideoLogRhythmandConficker.aspx"><img class=" wp-image-545 alignright" title="Video Conficker LogRhythm Labs" src="http://blog.logrhythm.com/wp-content/uploads/2011/11/11-19-2011-2-32-59-PM-300x171.jpg" alt="Dave Pack, Manager LogRhythm Labs talks about Conficker" width="343" height="196" /></a></p>
<p>It really comes down to fundamental security practices (or should I say <em>lack</em> of fundamental security practices).  The early variants of Conficker spread by exploiting a vulnerability in the Windows Server Service, then downloading a payload from a remote site.  The worm continues to spread via this method, but also by attempting to execute copies of itself on ADMIN$ shares on computers visible on the network, launching a dictionary attack if the shares are protected.  In addition, copies are saved to removable media devices and spread via AutoRun.</p>
<p>Any organization with a basic patch management program and AV strategy, both very standard things to have in a defense arsenal, should be protected against Conficker.  However, with an ever-expanding mobile workforce, many organizations are losing control over systems connecting to corporate networks, which might be one of the reasons older malware such as Conficker is still prevalent.  Even home users that don’t have corporate resources should be running one of the free AV products, and have Windows Updates enabled to ensure their systems stay patched.</p>
<p>So that covers the “now.”  What about when the next worm hits, one that uses a zero-day vulnerability that by definition isn’t yet patched and is unlikely to be picked up by many AV engines?  This is where SIEM can help.  Instead of worrying about detecting the exploit itself, a SIEM can look for general worm-like behavior.  Worms are noisy.  Once a host is compromised, the worm will continue to try to spread to other hosts on the network, as outlined above.  By applying advanced correlation rules to this rather noisy activity, specifically rules that target internal network activity, a SIEM can alarm on worm-like behavior even if the exploit being used to spread the worm is unknown.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.logrhythm.com/general/old-malware-still-prevalent-conficker-still-a-top-threat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>LogRhythm v6.0 is here!</title>
		<link>http://blog.logrhythm.com/uncategorized/logrhythm-v6-0-is-here/</link>
		<comments>http://blog.logrhythm.com/uncategorized/logrhythm-v6-0-is-here/#comments</comments>
		<pubDate>Wed, 12 Oct 2011 06:00:17 +0000</pubDate>
		<dc:creator>cpetersen</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[LogRhythm 6.0]]></category>
		<category><![CDATA[LogRhythm Labs]]></category>
		<category><![CDATA[remediation]]></category>
		<category><![CDATA[siem]]></category>
		<category><![CDATA[siem 2.0]]></category>
		<category><![CDATA[SmartRemediation]]></category>

		<guid isPermaLink="false">http://blog.logrhythm.com/?p=442</guid>
		<description><![CDATA[Today we announced LogRhythm 6.0.  This is our most significant software release to-date.  In the works for over a year, this release includes over 100 new features and capabilities. The timing could not be better.  This year has been unprecedented &#8230; <a href="http://blog.logrhythm.com/uncategorized/logrhythm-v6-0-is-here/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Today we announced LogRhythm 6.0.  This is our most significant software release to date.  In the works for over a year, this release includes over 100 new features and capabilities.</p>
<p>The timing could not be better.  This year has been unprecedented from a cyber-threat standpoint.  More companies are finding themselves in the cross-hairs as a result of cyber-crime, hacktivism, cyber-warfare and cyber-espionage.  LogRhythm 6.0 includes significant innovations squarely targeted at addressing these threats and the risk they present organizations worldwide.</p>
<p>We also recognize that organizations large and small must juggle security concerns in this increasingly stark threat landscape while meeting complex compliance requirements.  To help with this, LogRhythm 6.0 provides further compliance automation and a new list-based administration model that will help our customers achieve additional compliance assurance with less overall effort.</p>
<p>In support of defending against advanced threats and automating compliance efforts, we introduced the next required evolution in SIEM – usable automatic remediation.  Smart<strong>Remediation</strong> provides a plug-in based automatic response capability that alleviates past technical and political hurdles when automatically remediating high-risk events.</p>
<p>LogRhythm 6.0 includes many improvements around knowledge management and embedded expertise.  LogRhythm Labs will utilize these capabilities to transfer experience and knowledge directly into LogRhythm deployments – helping our customers defend their networks from the latest threats while staying current with compliance requirements.</p>
<p>As always, new features were added with an eye towards ease of use and scale while providing industry leading speed and performance.</p>
<p>Unlike those of other vendors in our space, the innovations introduced in LogRhythm 6.0 were designed and purpose-built by LogRhythm engineers rather than added via acquisition.  Our architecture stems from our initial vision, which gives us a uniquely integrated platform we continue to build on with innovative capabilities serving the SIEM market.</p>
<p>As the CTO and Co-Founder of LogRhythm, I have never been more excited about a release.  LogRhythm is a vision we have been executing on for many years, and 6.0 is a giant leap forward for our company and our customers.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.logrhythm.com/uncategorized/logrhythm-v6-0-is-here/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Hazards of Public Displays of Affection</title>
		<link>http://blog.logrhythm.com/compliance/the-hazards-of-public-displays-of-affection/</link>
		<comments>http://blog.logrhythm.com/compliance/the-hazards-of-public-displays-of-affection/#comments</comments>
		<pubDate>Fri, 29 Jul 2011 16:58:43 +0000</pubDate>
		<dc:creator>npalmer</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[compromised credentials]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[siem]]></category>
		<category><![CDATA[social engineering]]></category>

		<guid isPermaLink="false">http://blog.logrhythm.com/?p=347</guid>
		<description><![CDATA[In my last blog I talked about the fact that many users were increasingly diligent about personal security.  Many users do, in fact, do all the right things with relation to their online identities.  Many, but not all. I was &#8230; <a href="http://blog.logrhythm.com/compliance/the-hazards-of-public-displays-of-affection/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>In my last blog I talked about the fact that many users were increasingly diligent about personal security.  Many users do, in fact, do all the right things in relation to their online identities.  Many, but not all.</p>
<p>I was on a train recently, heading to customer meetings.  I would only have paid cursory attention to the couple standing in the aisle had it not been for one small detail.  While the man was clearly very enamoured with his partner and was demonstrating it, the woman looked ready to commit murder.  Specifically HIS murder.  The visible deficit in their respective levels of engagement amused me, but on second glance, I was interested to see another detail.</p>
<p>The woman&#8217;s work identity badge was clearly on show.  Her employer was a major bank. The woman had a very common surname, but a distinctive first name.  We&#8217;ll call her Mrs P.  As I was online at the time, I jumped out to LinkedIn.  No profile for that name at that employer.  Facebook was a different story.  There she was, with a completely open profile.  All it took was a couple of clicks to ascertain her husband&#8217;s name, her home town, the names of some of her family and the fact that she had a pair of terriers called Fred and Ginger.</p>
<p>OK, so the names have been changed to protect the guilty, but the highlights are true.  Role playing for a second, I&#8217;m a criminally inclined social engineer who rides the commuter lines looking for clues like these.  All it takes is a couple of calls to some colleagues and Mrs P receives a call threatening Mr P and the dogs, and all of a sudden a vector has opened up into one of the largest banks in the world.  This is the thing about Social Engineering.  A vector is a vector &#8211; whatever intelligence you can gather about a possible target is, literally, gold.  The manipulation of human factors involved in corporate operations remains the single easiest thing for a criminal to do in order to make money from YOUR company.  Even if Mrs P&#8217;s blissful unawareness of the risk she has created doesn&#8217;t result in tangible losses, I would certainly never bank with this organisation, because they have no pervasive culture of security.</p>
<p>Which brings me to my final point.  Security is cultural.  Let me say that again.  Security is cultural.  Unless you&#8217;re absolutely aligning the use of enterprise-class tools to support your security professionals with regular training for people like Mrs P on how she&#8217;s putting her company and her personal life at risk, then you&#8217;re nowhere.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.logrhythm.com/compliance/the-hazards-of-public-displays-of-affection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>With great freedom comes great responsibility&#8230;.</title>
		<link>http://blog.logrhythm.com/digital-forensics/with-great-freedom-comes-great-responsibility/</link>
		<comments>http://blog.logrhythm.com/digital-forensics/with-great-freedom-comes-great-responsibility/#comments</comments>
		<pubDate>Wed, 13 Jul 2011 15:13:50 +0000</pubDate>
		<dc:creator>npalmer</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Digital Forensics]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[digital forensics]]></category>
		<category><![CDATA[enterprise security]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[siem]]></category>

		<guid isPermaLink="false">http://blog.logrhythm.com/?p=335</guid>
		<description><![CDATA[If it didn&#8217;t come across as mind-bendingly smug, I might describe the Sega hack as &#8216;old news before it even broke&#8217;.  But it is.  Old news.  Another global digital meganame falls prey to malicious, possibly mafia- or triad-backed ill-doers. Recently &#8230; <a href="http://blog.logrhythm.com/digital-forensics/with-great-freedom-comes-great-responsibility/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>If it didn&#8217;t come across as mind-bendingly smug, I might describe the Sega hack as &#8216;old news before it even broke&#8217;.  But it is.  Old news.  Another global digital meganame falls prey to malicious, possibly mafia- or triad-backed ill-doers.</p>
<p>Recently I sat and watched a trusted colleague deliver a presentation to a roomful of security personnel and liken their industry to an air wreck.  I believe his exact words were &#8216;if this were a plane, I&#8217;d be running up and down the aisles screaming that we&#8217;re all going to die!&#8217;.  Needless to say this was not well received on the day, but I can&#8217;t help but think that he had a point.</p>
<p>Now, I work for a SIEM vendor &#8211; the best on the planet, in my opinion, but I&#8217;m not going to ambulance-chase this one.  There are crucial issues raised now.  This raises questions about whose responsibility personal privacy actually IS.  As I&#8217;ve said before, Amazon, Barclays Retail, Dell, Dabs &#8211; any of these guys could get hacked tomorrow and lose YOUR data.  What then?  It can take weeks to recover from a personal identity breach &#8211; resetting email accounts, changing card numbers and suppliers, and addressing the huge number of interconnected services and locations where your identity converges.  This is not to mention the consequences if you actually lose money.</p>
<p>What more can individuals do?  Most of us are getting it right:  Don&#8217;t throw old business cards in the bin.  Go for strong passwords, changed at least monthly.  Don&#8217;t show identity badges in public places (watch out for my next blog on this!).  Speak to everyone about the need for security.  Educate the less technically literate about malware.  Don&#8217;t respond to emails or phone calls about online matters unless you initiated the conversation.  Keep one eye on the security blogs.  Learn the language.</p>
<p>Can companies say the same thing?  What about the people who I entrust my identity to?  Invest in security &#8211; with all that entails.  Infrastructure.  Dedicated FTEs.  Education.  Compliance.  Regular reviews.  Fire drills.  Specific executives whose job IS security.  Clearly the people who take online privacy seriously are being let down by the companies who don&#8217;t, and the more companies that are breached, the more excusable it seems.</p>
<p>My own view on Sega and the bi-monthly additions to the ranks of large companies who didn&#8217;t make the grade is that it&#8217;s time to think of security as a multi-partite affair.  Your strategy should start with compliance, then loop through infrastructure best practice, via rigorous HR policies, and finish by directly addressing social engineering.  The modern breach is a blended affair.  Only a blended security strategy will work.  One that centres around human factors.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.logrhythm.com/digital-forensics/with-great-freedom-comes-great-responsibility/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why SIEM? A Retrospective</title>
		<link>http://blog.logrhythm.com/general/why-siem-a-retrospective/</link>
		<comments>http://blog.logrhythm.com/general/why-siem-a-retrospective/#comments</comments>
		<pubDate>Mon, 20 Jun 2011 16:11:47 +0000</pubDate>
		<dc:creator>eknight</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[enterprise security]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[log management]]></category>
		<category><![CDATA[siem]]></category>

		<guid isPermaLink="false">http://logrhythm.rdev3.rssready.net/?p=183</guid>
		<description><![CDATA[Ten years ago, I was put into the position of having to figure how to manage a serious gap in enterprise security for a vitally sensitive environment.  The problem was introduced to me like this:  &#8220;The team can read 3,000 &#8230; <a href="http://blog.logrhythm.com/general/why-siem-a-retrospective/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<div>
<p>Ten years ago, I was put into the position of having to figure out how to manage a serious gap in enterprise security for a vitally sensitive environment.  The problem was introduced to me like this: &#8220;The team can <a href="http://en.wikipedia.org/wiki/Log_analysis">read 3,000 pages of logs per day</a> but they receive 55,000 pages.&#8221;  Adding more heads to the problem wasn&#8217;t the right solution &#8211; they were losing context, were inaccurate, under-trained, and bored.  The success stories from this team were few and the needle-in-a-haystack factor was high.  This process needed to be <a href="http://www.logrhythm.com/Products/OneIntegratedSolution.aspx">automated</a>.</p>
<p>There was another serious problem besides log volume.  I explained the systemic issues to my supervisors like this: <strong>&#8220;The security controls in our organization are like musical instruments in an orchestra.  We have firewalls, anti-virus, intrusion detection devices, file integrity monitoring, content filters, anti-spam, host security, and application security.  But right now each does security &#8216;solo&#8217;.&#8221;</strong></p>
<p>Each control was managed by a different group.  Reporting was all hand-constructed and carried to the security team.  The firewall manager would deliver the firewall report daily, intrusion detection was handled by the incident handling team once a week, anti-virus reports were delivered monthly by the IT staff, and so on.</p>
<p>The whole of the system was as reliable as clockwork: each piece did its part exactly as planned, and yet each was still ineffective.  The whole process was too high-level to determine if a problem existed, too low-level to see the problem as it happened, incomplete because not all data was reviewed, and lacking the context to determine if a threat was real even if it was suspected.</p>
<p>The bottom line?  <strong>All controls play a different piece in the same symphony.  They need to work together to turn noise into music.</strong></p>
<p>The promise of <a href="http://en.wikipedia.org/wiki/Security_information_and_event_management">SIEM</a> was that computers can solve large, complex and tedious problems faster and more accurately than people; as such they are the ideal tool to police themselves and their users.  We wanted the entire system of security controls in the enterprise working cooperatively, in harmony, and armed with the intelligence needed to protect the organization.</p>
<p>The emerging SIEM (SIM, SEM, or &#8216;master console&#8217;) technology was often focused on specific tools such as Intrusion Detection or Host Security that &#8216;extended&#8217; into logging.  Many critical systems had no logging whatsoever, and companies withheld such features in an attempt to keep their proprietary systems closed.  It would take most of the 2000s to get the message to vendors that 3<sup>rd</sup> party auditing was a requirement.  Now SIEMs can be practical, and more creative ways of using them can be applied.</p>
<p><strong><em>Once the orchestra is together, the Conductor can lead.</em></strong> It&#8217;s of utmost importance that the managers, investigators, analysts, engineers and operators hear the same song.  What SIEM needed, and has achieved today, is the ability to connect logs to organizational regulations, policy, plans, procedures, organizational divisions, and even individual project requirements.  Alerts can be tailored to correlate between identified events, known threats, and critical assets.  Reports can be automated and customized to fit any manner of output requirements rather than being limited to hand-made spreadsheets.  And valuable metrics can be mined from the official record of events that the SIEM establishes.</p>
<p>Thanks to SIEM technology, logs can be reviewed properly, the human resource requirements to review them are lower, and SIEMs can handle volumes that now may exceed tens of millions of pages of data per day rather than <em>just</em> 55,000.  Coverage now extends to the entire networked enterprise, and information can be presented in a timely manner and in ways that are useful to all stakeholders.  There is no doubt in my mind that SIEMs are a key innovation for information technology and will be critical for what is shaping up to be a brutal future for security problems.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://blog.logrhythm.com/general/why-siem-a-retrospective/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>