Ruslan Rakhmetov, Security Vision
Fig. 1 - Information security tools and interconnections
In the first part of this overview of data protection tools, we mainly looked at systems that focus on users and on organising their safe and efficient work. In this article, we look at systems that focus on the data itself and on protecting it from accidental or intentional manipulation.
Figure 2 - Data Leakage Prevention or Data Loss Protection (DLP) - protecting against sensitive data leaks
DLP systems are the closest to the data itself, as they analyse its contents for sensitive information. To provide maximum coverage, they include components at the network level (mail gateway, print server, proxy server) and an agent part on employee PCs (which controls external devices, keyboard input, file uploads to cloud services and messengers, and other data transmission channels).
Of course, purely agent-based or purely network-based DLP exists, for example in Google's corporate cloud services, but for maximum protection on-premise solutions are most often used, installed in the organisation's own infrastructure or inside a private cloud when an external data centre is used.
It should be noted that such complex data protection tools need to be configured: the list of protected data must be defined and the system ‘taught’ to recognise it, so implementation is often linked to the results of IS audits and consulting work.
OBJECTIVES:
- Protecting sensitive data from leaks
- Controlling traffic within the organisation and its transmission outside the protected perimeter
- Logging user actions and conducting IS and ES investigations.
Fig. 3 - Information Leakage Detection (ILD) - identifying leaks and their sources
Systems of this class allow you to investigate leaks that have already occurred and that DLP systems could not prevent. The investigations themselves are performed by analysts, who compare the leaked materials with the data the company's employees had access to. To make the comparison possible, each employee is given access to a unique copy of the data, which carries watermarks or affine transformations that allow the user involved in the incident to be identified with high accuracy.
Modern ILD systems operate invisibly to users and no longer rely on watermarks. Affine transformations shift parts of the text, letters and lines in a way that remains visually imperceptible to users. Such complex systems also need to be set up first: data and access rights, files and directories need to be defined (e.g. in an EDMS or in web services such as CRM systems), after which the original data is ‘swapped’ for a copy that is labelled without watermarks.
- Labelling sensitive data
- Organising centralised access to documents and services
- Investigating CI leaks by visual (automatic) comparison.
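The per-user labelled copy described above, as an added example that is not part of the original article or of any vendor's product: instead of affine shifts of glyphs, it encodes a user label in the choice between two visually identical separators, then identifies the leak source by comparing a leaked copy against each user's expected label. The sample text and user IDs are constructed for the example, and it assumes the whole document leaked (so the label is aligned from position 0).

```python
# Two separators that render alike on screen: a normal space and a no-break space.
# Which one occupies each space position of a user's copy encodes one bit of that user's label.
PLAIN, MARKED = " ", "\u00a0"

# Constructed sample document (25 words, so 24 space positions carry label bits).
SAMPLE_TEXT = ("Quarterly report for the board: revenue grew in every region, costs stayed flat "
               "and the team hired twelve engineers across three offices during the year.")

def label_copy(text, user_id, label_bits=8):
    """Return the copy issued to `user_id`: its label bits, repeated cyclically, are embedded
    in the choice of separator at every space position. Visually the copy is unchanged."""
    bits = format(user_id, "0%db" % label_bits)
    out, i = [], 0
    for ch in text:
        if ch == PLAIN:
            out.append(MARKED if bits[i % label_bits] == "1" else PLAIN)
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def extract_bits(text):
    """Read the bit string back from a (possibly damaged) copy."""
    return "".join("1" if ch == MARKED else "0" for ch in text if ch in (PLAIN, MARKED))

def identify_source(leaked, user_ids, label_bits=8):
    """Compare the leaked copy with every user's expected label and return
    (closest user, fraction of mismatching positions). Partial normalisation of the
    leaked text (some no-break spaces replaced by spaces) raises the mismatch ratio
    but usually still leaves the right user closest. Assumes the whole document leaked,
    so position 0 of the copy aligns with bit 0 of the label."""
    observed = extract_bits(leaked)
    best = None
    for uid in user_ids:
        expected = format(uid, "0%db" % label_bits)
        mismatches = sum(1 for k, b in enumerate(observed) if b != expected[k % label_bits])
        ratio = mismatches / max(len(observed), 1)
        if best is None or ratio < best[1]:
            best = (uid, ratio)
    return best
```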
Fig. 4 - Static/Dynamic Application Security Testing (SAST/DAST) and IAST (Interactive Application Security Testing) - application source code analysis and testing.
Useful data is contained not only in databases and documents; critical information is often located in the source code of the applications an organisation develops. The code may also contain ‘bookmarks’ (backdoors) and vulnerabilities that attackers outside the perimeter can exploit. Several technologies are used to analyse application source code: static and dynamic analysis, their combination, and interactive testing.
In static analysis, the source code is loaded as text into an analyser, which reads it and compares it against databases of known vulnerabilities, backdoors and other ‘problematic’ elements (for example, logins and passwords to information systems hard-coded directly in the source). Dynamic analysis takes a different approach, similar to penetration testing: the analyser ‘pings’ the application with safe attacks (for example, GET requests with empty headers). This makes it possible to detect vulnerabilities that are not yet described in databases. Dynamic analysis works on an already compiled application and is not tied to the language its code is written in.
The further evolution and combination of these two approaches has led to systems for interactive collaboration and on-the-fly patch release, which allow vulnerabilities to be closed with temporary stubs and raise the security of the application until the next update cycle within DevSecOps.
- Enhancing the security of applications under development
- Creating patches and hotfixes to resolve development issues
- Automating testing as part of DevSecOps.
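The static check mentioned above, finding logins and passwords hard-coded in the source, as an added example that is not part of the original article or of any SAST product: it parses Python source into an AST and reports string literals assigned to secret-like names, with their line numbers. The sample source and the list of suspicious names are constructed for the example.

```python
import ast

# Constructed sample source (not a real project). Line 5 hard-codes a password;
# line 6 reads a token from the environment at runtime and should not be reported.
SAMPLE_SOURCE = '''\
import os
import requests

DB_USER = "app"
DB_PASSWORD = "S3cret!"
api_token = os.environ.get("API_TOKEN")
'''

# Name fragments that suggest a variable holds a credential (assumed list for the example).
SECRET_NAMES = ("password", "passwd", "pwd", "secret", "token", "api_key", "apikey")

def find_hardcoded_secrets(source):
    """Return (line, name, value) for every assignment of a non-empty string literal
    to a variable whose name looks like a credential."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.Assign, ast.AnnAssign)):
            continue
        targets = node.targets if isinstance(node, ast.Assign) else [node.target]
        value = node.value
        # Only literal strings count; calls such as os.environ.get(...) resolve at runtime.
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value):
            continue
        for t in targets:
            if isinstance(t, ast.Name) and any(k in t.id.lower() for k in SECRET_NAMES):
                findings.append((node.lineno, t.id, value.value))
    return findings
```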
Fig. 5 - Security Information and Event Management (SIEM) - monitoring and correlation of IS events
During the operation of various information systems, events are generated from which incidents must be extracted for response. This can be done in several ways: first, by grouping and deduplicating events, a mechanism of SOAR systems, and second, by correlating events with each other, the mathematical tool of SIEM systems. In the first case the incoming logs and events have to be analysed and the rules created by the organisation itself, whereas with SIEM systems one can take advantage of expertise packages developed by the vendor and used as ready-made tools ‘out of the box’.
As an example, consider unsuccessful authorisation attempts in applications. On the one hand, a user may forget their password and try it several times; on the other, there are cases when an attacker outside the perimeter automatically brute-forces passwords, eventually authenticates to the system successfully and then escalates privileges. The SIEM system collects the password events from the logs and correlates them with each other, highlighting the corresponding risks to the IS/IT officer and generating a single incident from the event stream with a description of the possible consequences.
- Reducing the number of false positives
- Reducing the number of incidents and grouping them for response
- Determining correlations between individual events and analysing the chain of actions.
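The correlation described above, turning a stream of failed-login events into one incident, as an added example that is not part of the original article or of any SIEM product: a sliding-window rule that fires when a source reaches a threshold of failures and then authenticates successfully. The log lines, field names, threshold and window are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source address, user, outcome.
# 10.0.0.5 fails five times then succeeds; 192.168.1.20 is a user who mistyped twice.
SAMPLE_LOG = """\
2024-01-10T09:00:01 src=10.0.0.5 user=alice result=FAIL
2024-01-10T09:00:02 src=10.0.0.5 user=alice result=FAIL
2024-01-10T09:00:03 src=10.0.0.5 user=alice result=FAIL
2024-01-10T09:00:04 src=10.0.0.5 user=alice result=FAIL
2024-01-10T09:00:05 src=10.0.0.5 user=alice result=FAIL
2024-01-10T09:00:06 src=10.0.0.5 user=alice result=SUCCESS
2024-01-10T09:05:00 src=192.168.1.20 user=bob result=FAIL
2024-01-10T09:05:30 src=192.168.1.20 user=bob result=FAIL
2024-01-10T09:06:00 src=192.168.1.20 user=bob result=SUCCESS
"""

def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def correlate(log_text, threshold=5, window=timedelta(minutes=2)):
    """Emit one incident per source that accumulated `threshold` failures within
    `window` and then logged in successfully (brute force followed by success)."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    incidents = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        q = failures[rec["src"]]
        while q and rec["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if rec["result"] == "FAIL":
            q.append(rec["ts"])
        elif rec["result"] == "SUCCESS" and len(q) >= threshold:
            incidents.append({
                "src": rec["src"], "user": rec["user"], "failures": len(q),
                "first_fail": q[0], "success_at": rec["ts"],
                "description": "Possible brute force: %d failures within %s followed by "
                               "a successful login; check for privilege escalation" % (len(q), window),
            })
            q.clear()   # the incident has consumed these events
    return incidents
```

Nine raw events collapse into a single incident for 10.0.0.5, while bob's two typos stay below the threshold and produce nothing.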
Figure 6 - Threat Intelligence Platform (TIP) - collecting cyber intelligence and looking for indicators of compromise
SOC specialists often have to deal with new types of incidents. All incidents within the company can be correlated using SIEM systems (see above), but third-party feeds can increase efficiency further. A TI platform allows feeds to be aggregated like a newsletter and lets the organisation draw on the experience of experts around the world who have already faced similar incidents.
The work of TIP systems consists of several steps: collecting information (feeds) and indicators of compromise (IoC), supplementing the tickets of detected incidents with useful data from experts outside the organisation, and creating new entities for further analysis in SIEM and response in SOAR platforms. In this way a kind of Wikipedia of useful information for responding to incidents and cyber threats is created, except that the enrichment is automatic, and it becomes possible to go beyond the expertise that exists within the company in order to protect it successfully.
- Searching for indicators of compromise in known databases (feeds)
- Utilising global expertise and reducing the requirements for IS specialists
- Automatically enriching incidents with useful data and response methods.