6 Things IT Admins Should Validate Right Now

To CyFlare Partners & Clients

We know that our partners and clients depend on CyFlare for cyber security services. Due to the pandemic, and the havoc that is being experienced across the world, we wanted to offer up some preventive measures as a follow-up to ensure security compliance.

As IT organizations modify controls to enable business resumption for remote workers, including changes to operations and to Identity & Access Management, human error can creep in through mis-configurations and other un-controlled actions. IT groups are being tasked with getting employees and other remote services set up and running on new configurations.

Below are some “use cases” identified to raise your awareness of potential exposures created by emergency actions and reactions during this time. Please validate and address these areas to reduce potential exposures:

  1. Lock Down RDP – Triple check the access control lists that limit which machines accept RDP connections from the public internet. This is one of the most common but critical mistakes a security team can make. If you must expose a machine, be sure your whitelists are very explicit. We also have simple-to-deploy solutions that remove any requirement to expose RDP publicly.
  2. Scrutinize VPN – Avoid setting up VPN tunnels that grant access to the entire network and trust everything and everyone. Be sure your VPN ACLs are heavily scrutinized and limit VPN users to just the specific items they need. Bad actors are extensively targeting VPNs for obvious reasons.
  3. Scrutinize Firewall ACLs – Mis-configured firewalls may expose specific groups, users or machines to the Internet. This allows scanning, brute force attempts, exploit delivery and additional reconnaissance, all of which must be avoided.
  4. Identify & Monitor Un-Managed Devices – Un-managed devices that are allowed to access corporate resources create irregular and dangerous situations; allowing them unrestricted access to corporate networks and resources opens the door to countless potentially catastrophic scenarios. Monitor constantly, and with a healthy dose of paranoia, for anomalous internal and external traffic, and investigate it immediately, particularly if it involves an un-managed machine.
  5. User Behavior Analysis – User behavior and login activity monitoring is now more complicated to interpret due to the remote workforce. Keenly check for any UBA-related detections such as login location anomalies, application usage anomalies, payload anomalies, login time anomalies etc. Machine learning is now essential to capture these changing behaviors. Static analysis will not be effective.
  6. Force Endpoint Protection on All Devices – Un-managed devices without a proper Endpoint Protection solution may also produce bad downloads, miscellaneous alarms and anomalous processes that in turn cause data leakage, loss of confidential information, harvesting etc. Such activity remains visible in the network only because the sensor captures the traffic and may trigger alarms.

All of these lead to increased attack potential and can cause account takeovers, privilege escalations due to accessibility / usability, suspicious IOCs and many other use cases that may not have been thought through.

At CyFlare, our analysts are aware that clients are making various changes to their environments and want to ensure your IT organizations review all changes to avoid incidents. We look at the areas outlined above as part of the initial steps of our triage process in incident response.

Thank you for being a CyFlare client and entrusting us with your cyber network threats and security needs. These are challenging times, but I want you to know that we stand ready to help however we can. We understand the critical role we play in the cyber security of our partners' and clients' infrastructure and we are continually humbled by the trust you place in us. Together, we will get through this.

Please subscribe, if you have not already, to the CyFlare Trust page to receive continued updates and instant notification should there be any disruption to service or related communications.


Maneesh Thammishetti
Platform Architect
CyFlare, LLC (www.CyFlare.com)

7 Things You Are Probably Not Doing With Your AlienVault Deployment

Summary

On a weekly basis we encounter existing AlienVault deployments that are only marginally used, with key features not being leveraged. This paper highlights key features within AlienVault that can be enabled quickly and easily. These features are a core part of our AlienVault deployment checklist and must-haves for every deployment to extract maximum value out of the solution.

Vulnerability Scanning

Despite being a cornerstone of the AlienVault platform, most clients don’t enable credentialed (more extensive) scans. This can be configured easily, with major value realized within hours. An essential part of a security program is to understand what vulnerabilities you have on the network and to be able to operationalize updating those systems. Patched and updated systems are far less likely to be exploited, and the first step is identifying the systems that require the updates. Many customers even have Tenable as well as AlienVault. Why?

Dark Web Enablement

Dark Web scanning is provided via an AlienApp powered by the SpyCloud service. It alerts you when there is a direct hit for your credentials on @yourdomain accounts, includes information on whether the password was posted, and allows up to 10 personal email IDs to be monitored. This provides immediate value on day 1 by identifying possibly compromised user accounts that need to be investigated. We use this tool in the SOC consistently to correlate against login events, the locations of those events, failed logins and brute force attackers. Turn this feature on straight away!

Asset Discovery & Classification

A quick and easy value-added feature is to sweep your network segments to identify devices on your network(s). Performing asset discovery allows you to take inventory of assets on the network and discover rogue devices, and it helps your security team classify those assets. Classifying the assets becomes critical when investigating potentially anomalous events. Understanding what a device is and its functional role, and having context around what its normal usage looks like, goes a long way when determining whether behavior is expected or not.

Filtering Rules

Enabling filtering rules is an essential component of setting up the system. Filtering out log data that is not essential, not required for compliance and not needed for investigation allows you to store less data, potentially reducing your AlienVault costs as well as reducing noise from false-positive alarms that would otherwise be generated. Filtering specific events and behaviors that are known to be benign should be done within the first 30 days of deployment.

Help Desk Integration For Alarms

Integrating alarm notifications once the solution is properly tuned is an essential piece of staying aware of events as they happen. We highly recommend integrating with the Slack app to stay up to the minute on what is happening with your deployment. Once the system is tuned and only meaningful alarms are being generated, it is recommended that alarms are sent to the ticketing system for event tracking and proper diligence.

Compliance Reporting Enablement

Asset classification: without classifying your assets as HIPAA, PCI, NIST assets etc., the nifty compliance template reports will not populate any data, will not give your auditor what they need to see and will not help you achieve compliance. In-scope assets must be properly classified or the compliance correlation and reporting will not work. Simple fix, high value on this configuration step!

AlienApp Enablement

This is our favorite part of the deployment. Did you know you could be automating remediation actions right now? AlienVault continues to publish direct integrations with major vendors that allow you to easily ingest event data as well as take action by creating tickets, quarantining endpoints, shutting machines down, blocking IPs at the firewall and much more. As of this writing there are 17 AlienApps available for integration. More information can be found here: https://www.alienvault.com/products/alienapps