This post addresses how SOC operators can leverage Security Information and Event Management (SIEM) platforms in conjunction with ISG’s AgileSec Analytics. The approach leverages the existing SOC investment by providing visibility into the cryptography that undergirds enterprise operations, and a means to operationalize and automate new findings (AgileSec Analytics Exceptions) for the management of that cryptography. The additional advantage of this approach for SIEM users is that the cryptographic status of hosts can be correlated with real-time threats to provide actionable insight during threat investigations.
We will use IBM’s QRadar as a use case example.
What does IBM’s QRadar do and what is the value for SOC?
Security Information and Event Management platforms such as IBM’s QRadar typically provide their users with central visibility across their infrastructure. Centered in security operations, the approach enables organizations to organize, analyze, and prioritize remediation of threats based on the organization’s business priorities and the severity of the potential threats discovered.
This security operations model accommodates the addition of new security events, i.e. events from new technology that performs an essential enterprise security function. Integrating security events from these technologies leverages the current investment and the program already developed by bringing new security technologies under enterprise management.
Some organizations employ some form of user behavior analytics that alerts security operations to user behavior outside of corporate policy. The SOC validates the finding and, if confirmed, forwards it to the identified user’s manager for remediation. The key SOC function, then, is to identify events that are out of compliance with Corporate Security Policy and to collect sufficient information to effect remediation. The remediation can be forwarded electronically to a case management system for resolution, verification, and auditing.
How does ISG’s Crypto Analytics complement IBM’s QRadar?
ISG’s AgileSec Analytics provides visibility into the cryptography employed across selected services (servers). It identifies the cryptographic libraries, algorithms and protocols used across the organization’s TLS servers and selected hosts. It discovers and collects the cryptographic elements, analyzes each against modern profiles of security risk, and reports an overall status together with the exceptions to organizationally acceptable cryptography.
Leveraging existing SOC operations, ISG’s AgileSec Analytics integrates with IBM QRadar to enable central visibility into cryptographic threats. These threats take the form of weak, compromised, or obsolete cryptographic elements that can expose the organization to attack or compromise. A key feature of the 2020s ‘Supply Chain’ hacks was weak default cryptographic configuration that enabled offline password cracking and privileged account creation.
Example Use Case: XYZ Bank
XYZ Bank is a mid-sized financial institution in North America. Over the past 5 years it has developed a policy-driven security operations program that employs IBM’s QRadar and a number of ancillary technologies for case management. XYZ Bank, a user of ISG’s AgileSec Analytics, scans its key servers monthly, identifies compromised, weak, or obsolete elements, and produces a report of the status and exceptions against the organization’s cryptographic policy.
XYZ Bank adopted ISG’s AgileSec Analytics to discover, identify, analyze, and centrally manage deployed cryptography across its core services. As a user of IBM’s QRadar, XYZ Bank has ISG’s AgileSec Analytics automatically forward the exception report as an event to QRadar. QRadar identifies the exceptions and uses configured routing rules to make them available to the appropriate triage team. The SOC Operator charged with processing these events can validate the findings and then route the exceptions, with remediation guidance, to the case management system.
By sending periodic (monthly/quarterly) cryptographic exceptions as Security Events into QRadar, these events become available for correlation against any other Security Events. By enriching the SIEM’s event database with cryptographic policy exceptions, the organization gains the ability to identify cryptographic vulnerabilities as elements of any other threat being investigated. Knowing any particular host’s cryptographic status gives the threat analyst a key vector from which to identify and eliminate threats to the organization.
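The flow described above, as an added example that is not part of the original post or of the ISG or IBM products: constructed cryptographic exception records (the record layout is assumed, since the post gives no schema) are rendered as QRadar LEEF 1.0 events, and a constructed threat alert for a host is then enriched with every cryptographic exception known for that host.

```python
"""Added example: AgileSec-style crypto exceptions as QRadar LEEF events, then
correlation of a threat alert against those events. Record layout is assumed."""
from datetime import datetime

# Constructed sample exceptions in an assumed layout (not the product's real schema).
EXCEPTIONS = [
    {"host": "tls-gw01.xyzbank.example", "element": "TLSv1.0", "kind": "protocol",
     "status": "obsolete", "guidance": "Disable TLS 1.0/1.1; allow TLS 1.2+ only"},
    {"host": "tls-gw01.xyzbank.example", "element": "RSA-1024", "kind": "key",
     "status": "weak", "guidance": "Reissue certificate with RSA-3072 or ECDSA P-256"},
    {"host": "db02.xyzbank.example", "element": "MD5", "kind": "hash",
     "status": "compromised", "guidance": "Migrate password hashing to a modern KDF"},
]
SAMPLE_TIME = datetime(2024, 1, 15, 9, 0, 0)          # constructed scan time
SEVERITY = {"compromised": 9, "weak": 6, "obsolete": 4}  # LEEF sev ranges 1-10

def to_leef(exc: dict, when: datetime) -> str:
    """Render one exception as a LEEF 1.0 event: 5 pipe-separated header fields,
    then tab-separated key=value pairs. devTime/identHostName/sev/cat are
    predefined LEEF keys; the crypto* keys are custom properties."""
    fields = {
        "devTime": when.strftime("%b %d %Y %H:%M:%S"),
        "devTimeFormat": "MMM dd yyyy HH:mm:ss",
        "identHostName": exc["host"],
        "sev": SEVERITY[exc["status"]],
        "cat": "CryptoPolicyException",
        "cryptoElement": exc["element"],
        "cryptoKind": exc["kind"],
        "cryptoStatus": exc["status"],
        "remediation": exc["guidance"],
    }
    ext = "\t".join(f"{k}={v}" for k, v in fields.items())
    return f"LEEF:1.0|ISG|AgileSec Analytics|1.0|CryptoException|{ext}"

def parse_leef(event: str) -> dict:
    """Split the LEEF header from its extension and return the pairs as a dict."""
    parts = event.split("|", 5)              # [LEEF:1.0, vendor, product, ver, id, ext]
    out = dict(kv.split("=", 1) for kv in parts[5].split("\t"))
    out["eventId"] = parts[4]
    return out

def enrich_alert(alert: dict, events: list) -> dict:
    """Correlate: attach every crypto exception whose identHostName matches the
    alert's host, plus the highest exception severity seen for that host."""
    hits = [h for h in map(parse_leef, events) if h["identHostName"] == alert["host"]]
    return {**alert,
            "cryptoExceptions": [(h["cryptoElement"], h["cryptoStatus"]) for h in hits],
            "maxCryptoSev": max((int(h["sev"]) for h in hits), default=0)}
```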
Result?
XYZ Bank is now managing events from a new security technology while leveraging its existing infrastructure and SOC program. It has on-demand visibility into its infrastructure’s cryptographic status and has enabled SOC Analysts to correlate observed threats with specific cryptographic exceptions within the platform.