empow i-SIEM
The i-SIEM is an adaptive security analytics and orchestration software platform that implements targeted defense strategies against threats to an organization’s network assets.
Key System Components & Terms
empow UI
Main user interface for the empow system
Security Stack (SST)
Main platform server
Elasticsearch
Used for attack data storage and forensic searches (data lake analytics functions)
Kibana
Used for supplementary customizable views and RAW data search capabilities including data sources dashboards, hunting dashboards, reporting and more.
Logstash
Used for ingestion & parsing of data source feeds
DPI
Deep Packet Inspection network agents – receive network traffic, extract valuable L2-L7 traffic characteristics, and forward the data to empow’s Network Traffic Analytics engines.
Classification Center
The empow classification center includes four main services: auto-threat classification, powered by AI and Natural Language Processing (NLP), threat intelligence feeds, and empow’s Security Use Cases with predefined defense strategies that define monitoring policies.
Entity
A network entity is defined by one or more of the following identities: hostname, user account, email account, and website. Enrichment of the entity’s identities is done via data pulled from identity management services such as DCs and AD, as well as via data from log sources.
Attack
A correlation of ingested events that appear suspicious or signal malicious actions
Security Service
A category of security technology, such as IDS/IPS, firewall, anti-malware, or reputation services, that helps protect the environment.
Security Score / Attack Risk
A calculated risk score attributed to an entity/attack based on correlated events to highlight the level of confidence and severity of the associated risk.
Using the i-SIEM – Analyst Flow
In this section, we describe the recommended flow for a security analyst using the system for threat detection and incident response.
Unlike in traditional SIEM systems, the recommended analyst flow is to implement an entity-centric approach. empow defines an entity as either a user or a host. Since the i-SIEM conducts the correlation of attacks and the entities in them, the system can direct analysts to the entities with the highest threat risk. This allows the analyst to focus on entities and resolve incidents using the contextual information about the entity and the attacks it was part of.
Top Down Flow
The flow starts in the main dashboard, which shows the operational status of the system. There, the analyst can make sure that all data sources are working and that there are no major problems getting data into the system. The next step is to review the top entities, ordered by their security score, which indicates the potential threat to each entity. Next, the analyst reviews the entity, its observed techniques, attacks and other information that helps determine the next steps needed to handle the threat.
The Dashboard – Operational View
From the main dashboard, an analyst can get a quick view of the status of data sources, including the trend of data flow from each source. It also shows the past week’s 10 highest-priority attacks and the 10 highest-risk entities within the monitored environment.
Use this view to:
- Review the status and health of your data sources
- Review the status of your existing security posture per security service
  - Volume of logs associated with your IPS, FW, EDRs, etc.
- View peaks and anomalies related to the data flow (the logs) from your data sources
  - These can indicate networking issues (e.g., reduced EPS), as well as peaks that might represent security issues that should be investigated further.
Top Entities
The Top Entities page lists the entities that experienced the most significant attacks. The threat level is indicated by the Security Score.
Since an entity can be either a user or a host, two main view options are available: User and Host. Additional filters allow the analyst to focus on specific security use cases of interest, such as Phishing and social engineering, Identity Theft, Ransomware, Data Leak, etc., to further refine the view. Once a filter is selected, the system shows the prioritized entities within the selected security use case. These filters can be saved for future use and for setting notifications.
From the Top Entities page, investigate which entities have an elevated security score. These are the entities that are, with higher confidence, either a target (victim) of an attack, already compromised, and/or a performer of an attack.
What’s next?
Once an entity needing investigation is selected, click on the entity name to open the entity card for further investigation. The entity card consolidates all the information required to evaluate the potential impact of the attack and to plan and document your response process.
Using the Entity Card
Entity cards contain information about the host or user you’ve selected and enable you to track the status of the entity.
The entity card has the following elements:
Filters and entity response status:
- Date Filter – for selecting the time period in which to view the entity’s details.
- Review status – general status of handling the entity, used to inform the security teams and track the current investigation status of the entity.
- Reset security score – by resetting the security score, the analyst indicates that at that point in time the entity was analyzed and handled and there are no further tasks. The security score of the entity will be reset and the entity will be removed from the list of top entities.
General Entity information:
For both user and host:
- Current Security Score
- A text field for users to add a summary of their findings regarding this entity.
In a Host entity card, additional information gathered may appear:
- The tenant the entity belongs to
- The asset group this entity belongs to
- The data sensitivity given to the asset group the entity belongs to
- The office this entity belongs to
In a User entity card, additional information gathered may appear:
- Phone number
- Cell phone number
- Department
- SID
- OU (organizational unit)
- Manager
Incident Response Journal
This lets you and others add notes and response steps regarding your investigation of this entity, as either text or file attachments.
Top 5 Techniques:
This section has two view options, Victim and Performer, showing the top 5 MITRE ATT&CK® techniques used against or by this entity.
Highest Security Score Attacks the entity was involved in
This section presents the top attacks, sorted by the security score, that the entity was involved in. Clicking on an attack shows the full picture of the attack that the entity was involved in, the specific sequence of events that took place, root-cause, as well as potential other entities involved within the same attack campaign.
5 Recently Logged-in Users / 5 Recent hosts the user was logged into
Enables an analyst to immediately discover the associated entities exposed to the threats, and which hosts or accounts might be compromised by the attack.
Attack Investigation
One of the best ways to validate the attack, investigate the root cause and pivot to other potential victims is to review the attack stories the entity is or was involved in.
This can be done from the entity card via the associated attacks table, or alternatively from the attacks table in the main menu.
Investigating an attack
The attack map helps you understand the steps and stages that occurred within an attack and all the entities who were involved in it.
The attack map shows entities, denoted by circles, and lines connecting the entities, indicating the security events that caused the system to connect them. Internal entities are marked by plain circles while external entities are circled with a ring around them.
From the image above, we see there are five attack stages highlighted in the bottom section for this attack. You can filter each stage in or out: External Delivery, Control, Internal Recon, Lateral Movement, and Network Action.
Additionally, a time slider in the bottom left-hand corner lets you see how the attack developed over time from start to finish.
Above the time slider, filters are available if you would like to further refine your search and the attack view.
Each item within the attack diagram is clickable and provides further context and additional options for continuing your investigation, exploring other entities that were involved in the attack, pivoting from the root-cause to potential other victim entities and more.
You can also document your findings and response steps in the attack’s incident response journal, and tag the attack according to its response stage, including custom tags of your own, in the attack’s review section.
Documenting and tagging the attacks allows you to quickly track the response stage of the prioritized attacks.
Options to add items to the whitelist and to search based on the attack or event are available from the context menu of an entity or a link in the attack map.
A “Go to table” option leads to the empow risk chain table, which lists the sequences of events in the attack, referred to as segments. Additional tabs, such as the attack’s incident response journal and a notification log, are available there as well.
From the risk chain table, you can click on the lead information to reveal additional information about that segment.
For events generated by empow’s engines, such as the NTA, detailed information about the anomalies is presented.
From here, you can open the vendor event details for more context, including the raw log for the event, by clicking the eye icon in the lead details list.
Based on the information found in the attack, it may be necessary to investigate additional hosts and users or dive deeper into the raw data available.
Utilizing the RAW logs – Deep investigation and Threat Hunting
Some investigations require a better understanding of what happened by looking into the raw event data from your various data sources. When this is necessary, you have the full power of Elasticsearch and Kibana on your side.
You can reach Kibana either from the attack map or from the side bar. Clicking one of the options in the attack map’s “Search events by” menu performs a filtered search in Kibana and displays the results.
Alternatively, choose the “Forensics” option from the side bar to open Kibana.
NOTE: Although there is similarity in the look and feel between the i-SIEM and Kibana, Kibana will have different side bar menu options than the main empow UI.
Incident Management on the Platform
Logging your findings
Once you have started your investigation, it is important to record your findings and results. Within the empow UI, we recommend using the incident response journal in the host and user entity cards to detail the findings regarding their involvement or exposure, and adding details about the attack itself in the attack’s incident response journal as well.
Post investigation clean-up
Once the investigation has been completed, each entity card offers an option to reset the entity’s security score. The attack view also offers options to close the attack, document the attack findings and response stage, and tag it using custom tags.
Reducing the Noise
During investigations, events or entities may need to be whitelisted so that actions that appear malicious or suspicious but are authorized do not add to an entity’s security score or get treated as an attack.
Safe listing Before and After an Attack
As mentioned above, within the attack map you can select specific entities or segments and safelist them from the context menu there.
To add items to your safelist before an attack is discovered, open the POLICIES module from the global menu on the side bar and click the Safelist tab at the top of the screen.
Clicking the “+” button brings up the options for adding items to the whitelist, such as IP, URL, asset groups, email and more. You then set the services and techniques allowed for this specific item via the multi-select dropdown menu, and can set a schedule for the whitelist item, including recurrence.
Notifications
You can configure the system to send notifications about entities, attacks and devices that match specific risk factors to your email or ticketing systems. To do so, the notification device, such as an email account, must first be configured in the device menu of the settings tab.
To add and edit notifications, go to the notifications tab and use the “+” to add notifications.
Notification rules let you define the type of risk(s) the system should notify on. An example risk you may want to be notified about is any host reaching a high security score while being involved in Identity Theft or Account Take Over threats. This rule generates an email alert notification to the security team.
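As an added illustration (not empow’s code, and not a description of how the product implements these features), the following Python models the two mechanisms described in the Reducing the Noise and Notifications sections: a safelist item that authorizes specific services and techniques for an identifier on a recurring schedule, so that matching events do not add to the entity’s security score, and a notification rule that fires when a high score coincides with the Identity Theft or Account Take Over use cases. The event fields, risk values, score threshold and sample events are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

@dataclass
class SafelistItem:
    """Hypothetical safelist entry: an identifier (IP, URL, email, asset group), the
    services/ATT&CK techniques authorized for it, and a recurring weekday + time window."""
    value: str
    services: set
    techniques: set
    weekdays: set = field(default_factory=lambda: set(range(7)))  # Monday=0 ... Sunday=6
    window: tuple = (time(0, 0), time(23, 59, 59))

    def covers(self, ev):
        # An event is authorized only if identifier, service, technique AND schedule all match.
        return (ev["entity"] == self.value
                and ev["service"] in self.services
                and ev["technique"] in self.techniques
                and ev["ts"].weekday() in self.weekdays
                and self.window[0] <= ev["ts"].time() <= self.window[1])

def apply_safelist(events, safelist):
    """Drop events an active safelist item authorizes; every other event still adds risk."""
    return [ev for ev in events if not any(item.covers(ev) for item in safelist)]

def entity_scores(events):
    """Entity-centric view: sum the risk of the remaining events per entity."""
    scores = {}
    for ev in events:
        scores[ev["entity"]] = scores.get(ev["entity"], 0) + ev["risk"]
    return scores

def notification_hits(events, threshold=80, use_cases=("Identity Theft", "Account Take Over")):
    """Guide's example rule: high score AND involvement in the named use cases (threshold assumed)."""
    scores = entity_scores(events)
    return sorted(e for e, s in scores.items() if s >= threshold and
                  {ev["use_case"] for ev in events if ev["entity"] == e} & set(use_cases))

# Constructed sample events (not real data); 2023-06-03 is a Saturday, 2023-06-05 a Monday.
def E(ent, svc, tech, uc, risk, ts): return dict(entity=ent, service=svc, technique=tech, use_case=uc, risk=risk, ts=ts)
EVENTS = [
    E("10.0.0.5", "IDS", "T1046", "Internal Recon", 20, datetime(2023, 6, 3, 2, 15)),   # scheduled scan
    E("10.0.0.5", "IDS", "T1046", "Internal Recon", 20, datetime(2023, 6, 5, 10, 0)),   # off-schedule scan
    E("ws-17", "EDR", "T1003", "Identity Theft", 50, datetime(2023, 6, 5, 11, 0)),
    E("ws-17", "Firewall", "T1078", "Account Take Over", 40, datetime(2023, 6, 5, 11, 5)),
    E("ws-22", "Anti-Malware", "T1486", "Ransomware", 30, datetime(2023, 6, 5, 12, 0)),
]
# The vulnerability scanner is authorized for IDS-detected T1046 only on Sat/Sun, 01:00-04:00.
SAFELIST = [SafelistItem("10.0.0.5", {"IDS"}, {"T1046"}, {5, 6}, (time(1, 0), time(4, 0)))]
```

Running `notification_hits(apply_safelist(EVENTS, SAFELIST))` yields only `ws-17`: the scanner’s weekend scan is suppressed by the schedule, its Monday scan still counts but stays below the threshold, and the ransomware host is high-risk but outside the rule’s use cases.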