Friday, May 5, 2017

Hacking the SIEM

Day 1 of Security B-Sides Austin is in the books. One talk in particular stuck with me: "Hack the SIEM" by John Griggs of Meta Studios, Inc.

Your SIEM is an aggregation of lots of data about your company - it contains information about endpoints, network controls, detective capabilities, and incidents. To an attacker, it is a gold mine of recon.

John brought up a different point, one I had not considered: your Security Information and Event Management system, or SIEM, may also be the single pane of glass that your SOC relies on. If an attacker doesn't show up in the SIEM, your SOC may not be aware of the incident - even if the originating network control is squawking at the top of its lungs.

Ergo, an attacker doesn't have to cover all of its tracks - they only need to stop their actions from showing up in the SIEM. Sure, original logs will show the attacker's trail in the post-mortem, but depending on their objectives, avoiding real-time detection may be all the attacker needs.

Is your SIEM locked down to prevent it from being used and abused by an attacker?