Datashield Partner Digest for the Week of July 22, 2020

At Datashield, we pride ourselves on partnerships and are always looking for ways to highlight what's new in the industry and with our partners. This helps us bring out the latest and greatest trends and key features for the services we use to bring you the best in MDR service.
Check out our latest partner updates:
What Data Types to Prioritize in Your SIEM - Top 7
Customers regularly ask me what types of data sources they should be sending to their SIEMs to get the most value out of the solution. These conversations are often driven by the customer being locked into a SIEM product that charges more as consumption grows.
Firewall Logs – Firewall logs are a great source of detailed flow information. With many next-generation firewalls, you also get rich data on application types, threats, malware, C2 and other similarly interesting things.
It’s important not to limit this data to just your perimeter firewalls. If you have firewalls between your user segment and your Data Center or even micro-segmentation inside the Data Center, send all of these logs to your SIEM. Where your end users are connecting is critical information from a threat analysis perspective. Internal visibility is key to looking for lateral movement.
Proxy/Web Filtering Logs – Your NG Firewall may already include this data, but if you use a separate Proxy or Web Filtering solution, these logs should absolutely be sent to your SIEM too. The IP, Domain, and URL information is naturally very important and can give you information on connections to known-bad locations. And if you can also capture the User-Agent string, then you should. This can give the threat hunter lots of insight into what might be happening. There are countless stories about finding major breaches and issues by monitoring the various user-agent strings in an environment and investigating the anomalous or uncommon ones you find.
Other Network Security Products – Some of these may already be covered with a next generation firewall, but you may have standalone systems in place. Logs from tools like Network IPS/IDS, Network DLP, Sandboxes, and even router NetFlow data are all rich intelligence sources for the SOC analyst.
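The proxy-log point above, that uncommon User-Agent strings are worth a hunter's attention, is easy to turn into a repeatable check once the logs are in one place. The script below is an added example, not code from Datashield or the partner article: it parses a handful of constructed proxy log lines in an assumed key=value format, counts how many distinct internal hosts present each User-Agent, and surfaces the agents seen from only one host together with the destinations they reached. The field names, sample addresses and threshold are all assumptions.

```python
"""Rare User-Agent hunting over proxy logs (added example, not the article's code).

Counts how many distinct internal source hosts present each User-Agent string and
surfaces the agents seen from very few hosts, which is the "investigate the
uncommon ones" step the partner article describes. The log format, field names
and sample lines below are constructed assumptions, not any vendor's real format.
"""
from collections import defaultdict
import re

# Constructed sample proxy log lines in a simplified key=value format (assumption:
# real proxies emit their own formats and a SIEM would normalize them first).
SAMPLE_LOG = """\
ts=2020-07-22T09:01:02Z src=10.1.4.21 user=alice dst=www.example.com ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/84.0"
ts=2020-07-22T09:01:05Z src=10.1.4.22 user=bob dst=www.example.com ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/84.0"
ts=2020-07-22T09:02:11Z src=10.1.4.23 user=carol dst=cdn.example.net ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/84.0"
ts=2020-07-22T09:03:40Z src=10.1.4.24 user=dave dst=mail.example.com ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/84.0"
ts=2020-07-22T09:04:09Z src=10.1.4.21 user=alice dst=update.example.org ua="Microsoft-CryptoAPI/10.0"
ts=2020-07-22T09:04:12Z src=10.1.4.22 user=bob dst=update.example.org ua="Microsoft-CryptoAPI/10.0"
ts=2020-07-22T09:04:15Z src=10.1.4.23 user=carol dst=update.example.org ua="Microsoft-CryptoAPI/10.0"
ts=2020-07-22T09:05:30Z src=10.1.4.22 user=bob dst=203.0.113.9 ua="python-requests/2.24.0"
ts=2020-07-22T09:06:30Z src=10.1.4.22 user=bob dst=203.0.113.9 ua="python-requests/2.24.0"
ts=2020-07-22T09:07:44Z src=10.1.4.24 user=dave dst=203.0.113.9 ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

# One regex for the assumed line layout; the quoted ua field may contain spaces.
LINE_RE = re.compile(
    r'ts=(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) ua="(?P<ua>[^"]*)"'
)


def parse_lines(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def ua_prevalence(events):
    """Map each User-Agent to the set of internal source hosts that used it.

    Counting distinct hosts rather than raw hits keeps a single chatty host
    from making an odd agent look common."""
    hosts_by_ua = defaultdict(set)
    for ev in events:
        hosts_by_ua[ev["ua"]].add(ev["src"])
    return hosts_by_ua


def rare_user_agents(text, max_hosts=1):
    """Return [(ua, hosts, destinations)] for agents seen from at most max_hosts hosts.

    The threshold is a starting point for a hunt, not a verdict: a rare agent can
    be a legitimate admin tool just as easily as something unwanted."""
    events = list(parse_lines(text))
    hosts_by_ua = ua_prevalence(events)
    findings = []
    for ua, hosts in hosts_by_ua.items():
        if len(hosts) <= max_hosts:
            dsts = sorted({ev["dst"] for ev in events if ev["ua"] == ua})
            findings.append((ua, sorted(hosts), dsts))
    return sorted(findings)


if __name__ == "__main__":
    for ua, hosts, dsts in rare_user_agents(SAMPLE_LOG):
        print(f"{ua!r}: hosts={hosts} destinations={dsts}")
```

On the sample data the browser and Windows update agents are seen from several hosts and drop out, while the two single-host agents (a scripting library and an outdated browser string, both talking to the same external address) are the ones an analyst would open a ticket on. Raising `max_hosts` widens the net; in a real environment the threshold would be tuned to the size of the user population and the baseline would be built over the full retention window rather than a few minutes of traffic.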
6 Best Practices to Fight a New Breed of Insider Threats
The current global pandemic has disrupted how organizations work. Some businesses adapted quickly, while others are still figuring out the new landscape. Unfortunately, criminals are exploiting vulnerabilities during this challenging time. There has been a 238% increase in cyberattacks during the pandemic, according to data presented in the VMware Carbon Black Modern Bank Heists 3.0 report.
Use the following 6 best practices to combat these insider threats.
- Visibility is key—Know when you’re under attack, and when you aren’t. Conduct threat hunting on a monthly basis. Make sure you’re capturing all the data about your environment and storing it for at least 30 days. Leveraging data and analytics is crucial to creating a window into what is happening—or has happened.
- Don’t have a knee-jerk reaction—Don’t rush to turn off all your servers. Find out what the attackers are doing. You need to sit and watch them and map out their activity.
- Take communications offline or on a separate channel—Odds are the attackers are monitoring your communications. Establish secure communications on a separate channel to make sure the attackers aren’t following your every move.
- Create a separate war room—Here you can do physical forensics on compromised hardware. Make sure the room is separate and controlled, too. It’s important to log all the activity.
- Employ micro-segmentation—Flat networks are more susceptible to hacking methods, like lateral movement. Micro-segmentation divides the data center into distinct security segments, which are then assigned unique controls and services.
- Cover your bases legally—As covered, it’s vital to log all the activity for analysis and research but also to have an audit trail.