Of course it does. The real question is this: Is your SIM (or log management solution) tuned to hear it? Simply having a SIM doesn't mean any and all attacks will be reported. Detection depends on processes that record critical events as they occur within your cardholder environment or the other subnets where restricted data (SOX, GLBA, HIPAA, etc.) resides. These detection processes run on your firewall, IPS, or antivirus system. They also run on your servers and PCs in the form of event logs and syslogs. If they're not enabled, there's nothing to be logged and correlated.
So, if a tree falls in a forest, does it make a sound? Chances are -- yes! But you won't know unless someone (or some process) is there to record the results. It's the same with your SIM or LMS. It simply won't detect or correlate what it cannot hear.
So what if auditing and logging are enabled across all systems? What if you have IPS coverage across all restricted data subnets? Is that a guarantee that you'll detect the one breach that quietly transfers thousands, if not millions, of SSNs out of your network? No, sorry. The SIM/LMS must still be tuned. Case in point:
Last month we conducted a Detection and Response Test (DART) for a multi-billion dollar firm. This highly professional, well established, and smartly controlled organization has invested in several layers of security, as well as the professional services to have it installed and properly configured. A Cisco ASA, inline Cisco IPS sensors, and CS-MARS work simultaneously to monitor, detect, and respond to incidents. Domain level audit events are relayed to CS-MARS, as well as malicious code events. Not a bad start...
Until we began our tests. Our client-side attacks (delivered by email) were not blocked at the edge. Execution of desktop malicious code (Core IMPACT agents) was not detected at the desktop level by AV. Internal attack and penetration techniques targeting restricted data servers were also missed. And finally, attempts to compromise a site outside the company yielded no actionable alerts.
The problem? Let me indulge a little with a "tree-fold" answer:
- There is nothing near the tree to hear it fall. Your network is probably like an M&M: hard on the outside, but soft and ready to melt on the inside. Expect the adversary to take advantage of this. Cyber criminals compromise a desktop first, then leapfrog to the sensitive systems. If you don't have internal network segmentation, IPS coverage of internal segments, or event auditing enabled, what you don't know or cannot see will hurt you. Solution: Test your systems -- thoroughly. Don't just run a scanner. Identify where your restricted data lives. Build threat scenarios against those systems, attack them, find your blind spots, then increase your visibility.
- The process knows what a falling tree sounds like, but not what a flying tree sounds like. AV and IPS have signatures for "falling trees", but not for trees behaving oddly. This is the fundamental limit of signature-based detection. Our network behavior didn't look like a falling tree, but a flying tree. IPS and other sources did detect our activities, but those events did not match the correlation rule set configured on the SIM. Among thousands of other events for the day, the behavior did not stand out. Solution: understand current threats, test them on your network, and teach your SIM/LMS what that behavior looks like.
- IT cannot see the forest for the trees. To compensate for the weakness of signatures, vendors add heuristics to give their solutions "intelligence." What this really amounts to is trigger-happy signatures that fire often and for the wrong reason. This leads to a security-related sickness called "SADD" -- SIM Attention Deficit Disorder. It occurs when overstressed, understaffed, and over-tasked IT security administrators become inundated with false positives. Those who stick with it get lost in the sauce, chasing bits and bytes down rabbit holes, rarely getting anywhere. Their zeal for security alert monitoring and incident analysis eventually diminishes. It is conveniently replaced with even the most mundane of operational requests, like password resets, investigating account lockout mysteries, and other tasks the helpdesk doesn't care to handle. Despite their best intentions, security staff simply cannot get into SIM analysis. SADD indeed. Solution: Organize and label your assets within the IPS/SIM product. Tune signatures based on that asset organization, disabling signatures that have no meaning on your network. Where feasible, replace the "any" source and destination scope on IPS signatures and SIM rules with asset groups such as "Restricted Data Servers", so alerts are weighted toward the assets that matter. Disable poorly written signatures, then have your vendor fix them. Test the resulting configuration per the first two solutions above.
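To make the second and third points concrete, here is a small example added to this post (it is not CS-MARS content or the client's configuration). It runs three rules over a handful of constructed, already-normalized key=value events: the vendor-default "any/any" version of an admin-share signature, the same signature scoped to a "Restricted Data Servers" asset group with the jump hosts that legitimately touch those shares excluded, and a behavioral correlation that fires when a desktop launches a new process and then reaches several restricted data servers within a short window. All IP ranges, signature names and log lines are made up for the illustration.

```python
"""Toy SIM correlation: untuned 'any/any' rule vs asset-scoped rule vs a
desktop-to-restricted-server leapfrog correlation.  Example code added to
this post; event lines, IP ranges and signature names are all constructed."""
from datetime import datetime, timedelta
import ipaddress

# Asset groups a SIM administrator would define (constructed addresses).
RESTRICTED_DATA_SERVERS = {"10.10.50.10", "10.10.50.11", "10.10.50.12"}
ADMIN_JUMP_HOSTS = {"10.10.1.5"}          # expected sources of admin-share traffic
DESKTOP_NET = ipaddress.ip_network("10.10.20.0/24")

# Constructed key=value events, in the shape a SIM might normalize them to.
RAW_EVENTS = """\
2009-03-02T09:00:10 source=ips sig=SMB-ADMIN-SHARE src=10.10.1.5 dst=10.10.50.10 sev=low
2009-03-02T09:00:12 source=ips sig=SMB-ADMIN-SHARE src=10.10.1.5 dst=10.10.50.11 sev=low
2009-03-02T09:01:40 source=ips sig=SMB-ADMIN-SHARE src=10.10.30.7 dst=10.10.30.9 sev=low
2009-03-02T09:14:02 source=winlog host=10.10.20.45 event=process_create image=invoice.pdf.exe
2009-03-02T09:16:30 source=ips sig=SMB-ADMIN-SHARE src=10.10.20.45 dst=10.10.50.10 sev=low
2009-03-02T09:17:05 source=ips sig=SMB-ADMIN-SHARE src=10.10.20.45 dst=10.10.50.11 sev=low
2009-03-02T09:18:50 source=fw action=allow src=10.10.20.45 dst=10.10.50.12 dport=1433
2009-03-02T09:40:00 source=ips sig=SMB-ADMIN-SHARE src=10.10.30.7 dst=10.10.30.12 sev=low
"""


def parse_events(text):
    """Turn each 'timestamp k=v k=v ...' line into a dict with a datetime."""
    events = []
    for line in text.splitlines():
        ts, *pairs = line.split()
        ev = dict(pair.split("=", 1) for pair in pairs)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def untuned_alerts(events):
    """Vendor default: the signature fires for any source and any destination."""
    return [e for e in events if e.get("sig") == "SMB-ADMIN-SHARE"]


def tuned_alerts(events):
    """Same signature scoped to the Restricted Data Servers group, with the
    jump hosts that legitimately reach admin shares excluded from the source."""
    return [e for e in events
            if e.get("sig") == "SMB-ADMIN-SHARE"
            and e["dst"] in RESTRICTED_DATA_SERVERS
            and e["src"] not in ADMIN_JUMP_HOSTS]


def correlate_leapfrog(events, window=timedelta(minutes=30), min_servers=2):
    """Behavioral rule: a process launch on a desktop followed, within `window`,
    by that desktop touching `min_servers` or more distinct restricted data
    servers (seen in IPS or firewall events) becomes one high-severity incident."""
    incidents = []
    launches = [e for e in events
                if e["source"] == "winlog" and e.get("event") == "process_create"
                and ipaddress.ip_address(e["host"]) in DESKTOP_NET]
    for launch in launches:
        host = launch["host"]
        touched = {e["dst"] for e in events
                   if e.get("src") == host
                   and e.get("dst") in RESTRICTED_DATA_SERVERS
                   and launch["ts"] <= e["ts"] <= launch["ts"] + window}
        if len(touched) >= min_servers:
            incidents.append({"host": host, "image": launch["image"],
                              "servers": sorted(touched), "severity": "high"})
    return incidents


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    print(len(untuned_alerts(evs)), "untuned alerts")   # every admin-share hit
    print(len(tuned_alerts(evs)), "tuned alerts")       # only hits on restricted servers
    for inc in correlate_leapfrog(evs):
        print("INCIDENT", inc)
```

On this sample the untuned rule produces six low-severity alerts, four of which are jump-host or workstation-to-workstation noise; the asset-scoped rule produces two; and the correlation rule collapses the desktop's process launch plus its three subsequent connections into a single high-severity incident, which is the "flying tree" that none of the individual signatures describes. Swap in your own asset groups and event fields, then replay your test traffic through it to see which rules you would actually want on the SIM.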