Managed Security Services (MSS) and Eyes on Glass in the Real World
October 11, 2018
“Eyes on Glass” is a common saying when it comes to reviewing SIEM logs and managed services, but it is often misunderstood. A layman's notion is that you simply have someone with a low level of skill looking at a large quantity of log data to see if something important appears that requires escalation. Technically, “eyes on glass” requires a high degree of skill and the capability to interact directly with unique client technologies, something not commonly included with managed services.
Optiv MSSP Overview
Optiv has a robust solution set for Managed Security Services, 24x7x365:
Optiv MSSP Actionable Services
As you can see in the flow diagram above, Optiv MSSP is geared towards actionability. This is a continual process of tuning logs and alert data, rules to improve processing, threat correlation and escalation, with research and response for the client for prioritized events and incidents.
SIEM vs. MSSP
A Security Information and Event Management (SIEM) solution is designed to collect log data and provide real-time analysis towards alerting of events that require security management (e.g. virus infection or brute force attack attempt). A Managed Security Service Provider (MSSP) provides security monitoring and management, which may include review, research, and response to alerts and data collected from a SIEM. For example, a client may use an endpoint product that detects a possible virus, initiating a log and alert that is collected by the SIEM and then forwarded to an MSSP for research and response. The MSSP does not actually have “eyes on glass” access to the endpoint product at this point, just the alert or log data that is sent to them from the client endpoint product and SIEM.
One of the key ingredients for success in an MSSP is proper log ingestion. All too often logs are not collected, ranging from syslog to firewall, antivirus, IDS/IPS, Windows Active Directory and more. If logs are sent to the SIEM and MSSP, what information is included in the log? It is not uncommon to see logs and alerts that only report the IP related to a domain of a phishing attack when the entire URL, including domain, could have been reported instead. Proper log inclusion and configuration for maximum metadata is critical to enabling research and response as well as orchestration and automation of potential threats.
Below is an obfuscated example of a default alert that is then improved to be more actionable for security research and response:
Default Alert Data: Phishing Threat IP 185.158.xxx.0
May 10, 2018 2:10 PM
Tuned Alert Data: Phishing Threat IP 185.158.xxx.0
May 10, 2018 2:10 PM
In the example above the tuned alert contains the entire URL, the protocol and domain and/or URI elements, which is far more actionable than just an IP address and warning seen in the default alert data.
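The contrast above can be checked mechanically. The following is an added example, not Optiv's code or any SIEM's API: it audits an alert for the fields an analyst needs and fills an IP-only alert from web proxy events for the same destination IP near the alert time. The field names, the 30-second window, the hosts and the sample records are all constructed assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumed set of fields needed to research a phishing alert without device access.
REQUIRED = ("dest_ip", "url", "scheme", "domain", "path", "src_host")

# Constructed sample data (documentation IP ranges, reserved .test domain).
DEFAULT_ALERT = {"name": "Phishing Threat", "dest_ip": "203.0.113.40",
                 "time": "2018-05-10T14:10:00"}
PROXY_EVENTS = [
    {"time": "2018-05-10T09:00:00", "src_host": "wks-0007",
     "dest_ip": "203.0.113.40", "url": "http://cdn.example.test/logo.png"},
    {"time": "2018-05-10T14:09:58", "src_host": "wks-0142",
     "dest_ip": "203.0.113.40",
     "url": "http://login.portal.example.test/secure/update.php?id=7"},
    {"time": "2018-05-10T14:10:01", "src_host": "wks-0142",
     "dest_ip": "198.51.100.9", "url": "https://intranet.example.test/"},
]

def missing_fields(alert):
    """Return the required fields an alert lacks (empty list = actionable)."""
    return [f for f in REQUIRED if not alert.get(f)]

def tune_alert(alert, events, window_s=30):
    """Copy the alert and add URL context from the first proxy event that
    has the same destination IP within window_s seconds of the alert."""
    t0 = datetime.fromisoformat(alert["time"])
    tuned = dict(alert)
    for ev in events:
        gap = abs(datetime.fromisoformat(ev["time"]) - t0)
        if ev["dest_ip"] != alert["dest_ip"] or gap > timedelta(seconds=window_s):
            continue  # wrong destination, or too far from the alert time
        parts = urlsplit(ev["url"])
        tuned.update(url=ev["url"], scheme=parts.scheme,
                     domain=parts.hostname, path=parts.path,
                     src_host=ev["src_host"])
        break
    return tuned

if __name__ == "__main__":
    print("default alert lacks:", missing_fields(DEFAULT_ALERT))
    tuned = tune_alert(DEFAULT_ALERT, PROXY_EVENTS)
    print("tuned alert lacks:", missing_fields(tuned))
    print(tuned)
```

Running `missing_fields` across a day of alerts grouped by source product shows which log sources still need tuning at the device itself, which is where the article says the metadata should be added.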
Scale and Efficiency
True “eyes on glass” is not a scalable service. Each client has their own software and products configured in their own unique way to meet their security needs. Support of customized configurations and technology is expensive and time consuming. This is why proper tuning of detailed log data from multiple solutions is critical to supporting MSSP operations, whether it be internally or externally managed. It is far more efficient to configure logs to submit as much data as possible than have an employee or service provider perform “eyes on glass” investigations on one or more devices or software services used within an organization.
Recommended SIEM Data
Optiv MSSP recommends the following SIEM data related to four primary categories of controls:
Items in bold are common pillars of enterprise security programs, core to MSSP operations. Each type of log has value in research and response. For example, review of VPN logs for Active Directory may reveal attempted compromises on an account and actions taken with the account.
Key Elements for MSSP Success
In order for an MSSP to be successful the following must be available:
- Storage Space – data from one organization can easily take up 1 TB of data daily.
- Updates – Updates to signature-based solutions are critical to enabling visibility and detection of threats in real-time, such as anti-virus software.
- Baseline Configuration – A baseline configuration must be performed to ensure proper configuration and operation as desired. This is key to maximizing log data sent to the SIEM and MSSP via alerts.
- Authorized Access – Should “eyes on glass” be required, proper authentication for authorized individuals is essential. All too often credentials change or are managed in such a way that it is not possible to easily authenticate into an environment to perform additional research and response.
- Incident Response – Teams, internally and externally, are likely required to handle incidents which go beyond the scope of MSSP alerting.
“Eyes on Glass” is sometimes required to dive deeper into a threat as one researches and responds to an incident. For daily operations the most cost-effective monitoring solution is to properly configure and tune detailed alerts sent to a SIEM and MSSP solution enabling research and response. This is an ongoing process – not a one-time configuration – that is continuously being updated and changed based upon a variety of update and threat variables impacting a client environment. Properly allocating resources towards this important function is critical in ensuring the effectiveness of this first line of defense into threat visibility and incident response.