Situational Awareness for Cyber Security Architecture: Tools for Monitoring and Response
Visibility into the activities within assets enables network security analysts to detect network compromises. Analysts monitor these activities directly on the device by means of endpoint visibility and in the communications going to and from the device on the network. In our earlier blog posts on cyber situational awareness (SA) for the enterprise, we discussed endpoint visibility and network visibility.
However, endpoint and network visibility will do little good if analysts don't have tools to help them analyze the collected data, respond to any identified issues, and document the analysis, the issues, and the response. In this blog post, we discuss the components of cybersecurity that particularly relate to monitoring and incident response. We will discuss several monitoring and response tools, ranging from general tools to service-specific ones.
Some of the most widely deployed data-analysis tools are security information and event management (SIEM) tools. These tools receive events from a variety of sensors and allow users to chain (correlate) these events for analysis of both attacks and defensive actions on the network. Some SIEM configurations allow for automated or triggered defensive actions, including pre-set changes to firewall configurations and fielding of additional rules for intrusion-detection systems (IDSs) and intrusion-prevention systems (IPSs). SIEM allows for a common operational picture across a variety of sensor and response technologies, often involving both graphic and tabular information displays.
Security orchestration, automation, and response (SOAR) tools offer more capabilities to integrate reports from security tools (event logging, indicator-detection, IDS/IPS, firewalls, and others as available), then automate analyses to estimate security conditions and risk levels, as well as support both automated and assisted incident-response capabilities. Along the way, SOAR tools offer capabilities to assure compliance with company policies, track key security metrics, provide data visualization, and produce reports to document events and responses. In particular, SOAR offers direct incorporation of threat-feed information and vulnerability reports.
User and entity behavioral analytics (UEBA) apply machine-learning methods to the interpretation of collected information, differentiating normal behavior of users and hosts from anomalous activity that may identify attackers or compromised systems. To use UEBA, defenders need to build training sets that characterize normal behavior, and also identify combinations of conditions and events that specifically differentiate benign and malicious activity. Based on this information, UEBA systems can build models to characterize individual users or entities and to alert when there is evidence of suspicious changes in behavior. UEBA tools rarely provide a complete user interface, but they can provide a useful integration-and-analysis capability that feeds SIEM and SOAR systems.
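As an added illustration of the baseline-then-deviate idea in this paragraph (not code from the SEI post or from any UEBA product), the following builds a per-user profile of normal daily activity from a constructed training set and scores new observations against that profile. The feature modelled here (daily login counts), the users, the z-score threshold of 3 and the floor on the standard deviation are all assumptions made for the example; a real UEBA system would model many more features and combine them with the condition-and-event rules the paragraph mentions.

```python
"""Toy UEBA-style baseline and anomaly scoring over constructed per-user activity."""
from statistics import mean, pstdev

# Constructed training data (assumption): per-user daily login counts over two weeks.
TRAINING = {
    "alice": [4, 5, 3, 6, 4, 5, 4, 6, 5, 4, 3, 5, 4, 5],
    "bob":   [1, 0, 2, 1, 1, 0, 1, 2, 1, 1, 0, 1, 1, 2],
}

STDEV_FLOOR = 0.5   # assumption: keeps a very flat baseline from scoring every change as extreme


def build_profiles(training):
    """Return {user: (mean, stdev)} describing each user's normal daily activity."""
    profiles = {}
    for user, counts in training.items():
        mu = mean(counts)
        sigma = max(pstdev(counts), STDEV_FLOOR)
        profiles[user] = (mu, sigma)
    return profiles


def score(profiles, user, observed):
    """Z-score of one observation against the user's own baseline; None if the user is unknown."""
    if user not in profiles:
        return None
    mu, sigma = profiles[user]
    return (observed - mu) / sigma


def evaluate(profiles, observations, threshold=3.0):
    """Turn (user, observed_count) pairs into alert records.

    A user with no baseline is itself worth an alert: it may be a new account
    or one the training set never saw.
    """
    alerts = []
    for user, observed in observations:
        z = score(profiles, user, observed)
        if z is None:
            alerts.append({"user": user, "reason": "no baseline", "observed": observed})
        elif z > threshold:
            alerts.append({"user": user, "reason": "deviation",
                           "observed": observed, "z": round(z, 2)})
    return alerts


if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    # Constructed "today" observations: alice logs in 30 times, bob is normal, mallory is unknown.
    for alert in evaluate(profiles, [("alice", 30), ("bob", 1), ("mallory", 2)]):
        print(alert)
```

The alerts are plain dictionaries so that they can be handed to a SIEM or SOAR stage as JSON; the interesting design choice is that the score is computed against each user's own history rather than a global average, which is what lets a quiet account be flagged for activity that would be unremarkable for a busy one.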
Tools for Specific Services
Beyond these general tools, there are specific tools that integrate data to identify key changes to specific services. Host-auditing systems employ both configuration scanning and event-log analysis to identify hosts that are out of compliance, including those displaying indicators of compromise. These should be deployed for specific operating-system releases and configurations.
Domain-name system (DNS) change-monitoring systems look for unexpected changes in DNS configurations and cache contents and treat them as indicators of compromise. Of greatest concern are data or service compromises that may leak information or facilitate further compromise. By integrating a variety of DNS-specific information, these tools can provide regular and timely alerting.
In a similar manner, web-change monitoring tools look for characteristic changes in certificates, web content, and web traffic to provide integrated alerting of indicators of compromise. All of these specific tools reduce the velocity of data that analysts need to deal with by focusing on the subsets of data that are of specific interest in incident detection and response.
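The two paragraphs above describe the same basic operation: compare a trusted baseline against a fresh snapshot and alert on the difference. The following is an added example of that comparison (not code from the SEI post or from any monitoring product) covering both DNS record sets and TLS certificate fingerprints in one pass. It assumes an out-of-band collector has already produced the snapshots as dictionaries keyed by host name; the names, addresses and fingerprint values are constructed placeholders.

```python
"""Snapshot-diff change monitor for DNS record sets and certificate fingerprints."""

# Constructed baseline (assumption): what the zone and certificates looked like when approved.
BASELINE = {
    "www.example.test": {"A": {"192.0.2.10"}, "MX": {"mail.example.test."},
                         "cert_sha256": "aa11"},
    "api.example.test": {"A": {"192.0.2.20"}, "cert_sha256": "bb22"},
    "old.example.test": {"A": {"192.0.2.30"}, "cert_sha256": "ee55"},
}

# Constructed current snapshot: www gained an A record, api's certificate changed,
# shop is a brand-new name, and old has disappeared.
CURRENT = {
    "www.example.test": {"A": {"192.0.2.10", "203.0.113.5"}, "MX": {"mail.example.test."},
                         "cert_sha256": "aa11"},
    "api.example.test": {"A": {"192.0.2.20"}, "cert_sha256": "cc33"},
    "shop.example.test": {"A": {"198.51.100.7"}, "cert_sha256": "dd44"},
}


def diff_snapshots(baseline, current):
    """Return a sorted list of (name, field, kind, detail) tuples describing every change.

    Multi-valued fields (record sets) are compared element-wise so that a single
    added address shows up on its own rather than as a whole-set replacement.
    """
    changes = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            changes.append((name, "*", "added", ""))
            continue
        if new is None:
            changes.append((name, "*", "removed", ""))
            continue
        for field in sorted(set(old) | set(new)):
            o, n = old.get(field), new.get(field)
            if isinstance(o, set) or isinstance(n, set):
                o, n = o or set(), n or set()
                for value in sorted(n - o):
                    changes.append((name, field, "record_added", value))
                for value in sorted(o - n):
                    changes.append((name, field, "record_removed", value))
            elif o != n:
                changes.append((name, field, "changed", f"{o} -> {n}"))
    return changes


def format_alerts(changes):
    """Render changes as one-line alerts that a SIEM can ingest without further parsing."""
    return [f"DNS/WEB-CHANGE name={n} field={f} kind={k} detail={d}" for n, f, k, d in changes]


if __name__ == "__main__":
    for line in format_alerts(diff_snapshots(BASELINE, CURRENT)):
        print(line)
```

Run against the constructed data, the monitor reports four changes: the certificate change on api, the removal of old, the appearance of shop, and the extra A record on www. Because the baseline is an explicit artifact rather than "whatever the last poll returned", the same comparison doubles as the documentation of what was approved, which is the point made in the closing section about explicit configurations supporting clear incident records.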
CERT has developed several tools in this space. These tools work together to provide flexible options to support cyber situational awareness. To support effective use of these tools, CERT also provides tool training, sample analytics, pipeline integrations, and implementation support. These tools include:
SiLK: The System for Internet-Level Knowledge is a suite of more than 40 tools that process IP Flow Information Export (IPFIX) records into a highly compact repository and then access that repository to identify and characterize traffic of interest. This suite provides a retrospective look at enterprise and supra-enterprise traffic logs, allowing for situational awareness over a broad range of addresses and extended times, but providing only selected details on each interaction. Output from this suite is either textual or binary, and it can then be processed through other tools to provide visualizations or formatted reports. SiLK is distributed at https://tools.netsa.cert.org/silk/index.html.
YAF: Yet Another Flowmeter is software that receives network packets (either live or in capture files) and produces IPFIX records to feed into other tools. This tool also has the capability to identify the packets that were assembled into a given IPFIX record. In addition, this tool provides logging of network packets in a manner that other tools use to provide situational awareness, either retrospective or streaming. YAF is distributed at https://tools.netsa.cert.org/yaf/index.html.
Analysis Pipeline: This tool receives a stream of IPFIX or SiLK-format records and generates near-real-time alerts in a variety of formats. In addition, this tool provides for limited but fast-reaction detection of network events to support situational awareness across a broad range of addresses. Its alerts feed into a range of SIEM tools. Analysis Pipeline is distributed at https://tools.netsa.cert.org/analysis-pipeline5/index.html.
In addition to these tools, there are supportive tools available at https://tools.netsa.cert.org/. Extensive documentation and some sample data are available there as well.
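To make concrete what "fast-reaction detection over a stream of flow records" looks like, here is an added example of a streaming alert stage written for this post; it is not Analysis Pipeline, SiLK or YAF code and does not reproduce their rule syntax. It assumes the upstream flow meter has already reduced each flow to a (start time, source IP, destination IP, destination port, protocol, bytes) tuple, which is the kind of selected-detail record the tools above export, and the flow stream below is constructed. The detector keeps a sliding time window per (source, destination) pair and raises one JSON alert when a source touches an unusual number of distinct ports on one host inside that window; the window length and threshold are assumptions.

```python
"""Near-real-time threshold alerting over a stream of flow records."""
import json
from collections import defaultdict, deque

# Constructed flow stream (assumption): (sTime seconds, sIP, dIP, dPort, proto, bytes).
# 10.0.0.5 is ordinary HTTPS traffic, 10.0.0.9 walks six ports in six seconds,
# and 10.0.0.7 touches five ports but spread over several minutes.
FLOWS = [
    (0,   "10.0.0.5", "192.0.2.10",  443,  6, 5200),
    (1,   "10.0.0.5", "192.0.2.10",  443,  6, 4100),
    (2,   "10.0.0.9", "192.0.2.10",   22,  6,  900),
    (3,   "10.0.0.9", "192.0.2.10",   23,  6,   60),
    (4,   "10.0.0.9", "192.0.2.10",   25,  6,   60),
    (5,   "10.0.0.9", "192.0.2.10",   80,  6,   60),
    (6,   "10.0.0.9", "192.0.2.10",  110,  6,   60),
    (7,   "10.0.0.9", "192.0.2.10",  143,  6,   60),
    (10,  "10.0.0.7", "192.0.2.20",   53, 17,  120),
    (100, "10.0.0.7", "192.0.2.20",   80,  6, 3000),
    (200, "10.0.0.7", "192.0.2.20",  443,  6, 3000),
    (300, "10.0.0.7", "192.0.2.20", 8080,  6, 3000),
    (400, "10.0.0.7", "192.0.2.20", 8443,  6, 3000),
]


class DistinctPortDetector:
    """Alert when one source reaches >= threshold distinct dPorts on one dIP within window_s."""

    def __init__(self, window_s=60, threshold=5):
        self.window_s = window_s
        self.threshold = threshold
        self.events = defaultdict(deque)   # (sIP, dIP) -> deque of (time, dPort), oldest first
        self.alerted = set()               # pairs already reported, so one event yields one alert

    def feed(self, flow):
        """Consume one flow record; return an alert dict or None."""
        t, sip, dip, dport, _proto, _nbytes = flow
        key = (sip, dip)
        window = self.events[key]
        window.append((t, dport))
        while window and t - window[0][0] > self.window_s:   # expire records older than the window
            window.popleft()
        distinct = {p for _, p in window}
        if len(distinct) >= self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return {"alert": "distinct-port-threshold", "sIP": sip, "dIP": dip,
                    "distinct_ports": len(distinct), "window_s": self.window_s,
                    "first_seen": window[0][0], "last_seen": t}
        return None


def run(flows, window_s=60, threshold=5):
    """Drive the detector over an already-ordered flow stream and collect its alerts."""
    detector = DistinctPortDetector(window_s, threshold)
    alerts = []
    for flow in flows:
        alert = detector.feed(flow)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run(FLOWS):
        print(json.dumps(alert))   # one JSON line per alert, ready for a SIEM collector
```

With the default 60-second window only 10.0.0.9 is reported; widening the window to 1000 seconds also catches 10.0.0.7, which shows why the window length is an analytic decision that belongs in the documented rule set rather than a hard-coded constant. The per-pair state is bounded by the window, so the stage runs in constant memory per active pair, which is what allows this style of detection to keep up with a live record stream rather than a stored repository.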
Wrapping Up and Looking Ahead
Taken together, the tools described in this blog post provide a means for analysis teams to deal with the sometimes-overwhelming amount of data they need to process, as well as to support timely detection and response to incidents. By using explicit rule sets, models, and configurations, these tools provide a basis for clear documentation of incident-response activity. Likewise, by providing integrated information display in tabular and graphic form, they make the task of incident reporting simpler and less time intensive.
The next installment in this blog-post series will focus on the practice of architecture in the service of cybersecurity situational awareness.
Read the first blog post in this series on situational awareness, Situational Awareness for Cybersecurity: An Introduction.
Read the second blog post in this series, Situational Awareness for Cybersecurity: Assets and Risk.
Read the third blog post in this series, Situational Awareness for Cyber Security: Three Key Principles of Effective Policies and Controls.
Read Engineering for Cyber Situational Awareness: Endpoint Visibility, the fourth blog post in this series on situational awareness.
Read Situational Awareness for Cybersecurity Architecture: Network Visibility, the fifth blog post in this series.
Read about the SEI's work in network situational awareness.
Read other SEI blog posts about network situational awareness.
Learn about FloCon, which provides a forum for exploring large-scale, next-generation data analytics in support of security operations.