Ten Reasons Log Data is Not Enough #7: Your SIEM forgets
October 13, 2009
Today’s attackers are patient. The old “smash and grab,” where the attacker tries to get as much data as possible as quickly as possible, is largely gone, because most enterprises have gotten pretty good at detecting that kind of attack. The correlation engines built into security information and event management (SIEM) systems are finely tuned to look for exactly those bursts of activity, and the attackers know it.
So, like any other business people, the bad guys have adapted. They know the defenses, so they work around them to ensure a constant flow of stolen data. They have lots of mouths to feed, don’t you know! One of the ways they have adapted is the low and slow attack: they know a SIEM product can typically only correlate across a few days (3-5) of data, so if they wait 10 days between stages of an attack, each stage lands after the SIEM has already forgotten the previous one. They are less likely to get caught and more likely to keep stealing information.
It’s dastardly ingenious. They compromise a device, turn off logging, install their tools, turn logging back on and then wait. Some days later they return to the machine, look for additional vulnerable devices, compromise another one and wait some more. Yes, a single intrusion can play out over a few months. But don’t feel bad for the attackers; I doubt many of them have low golf handicaps. They are working hundreds of attacks on thousands of zombies at the same time.
So how do you detect this kind of low and slow attack? We have already discussed how to deal with the reality that attackers will turn logging off. Another method we use at eIQ is to extend the correlation window: SecureVue correlates data for up to 90 days, well beyond the gaps even the most patient attacker leaves between stages.
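To make the memory problem concrete, here is an added example in Python (not eIQ’s or SecureVue’s code): a minimal per-host staged correlation rule run over constructed log lines that follow the sequence above (logging stopped, logging restarted, internal scan, large outbound transfer), once with a 5-day correlation memory and once with 90 days. The log format, host names and event kinds are made up for the illustration.

```python
"""Multi-stage correlation with a bounded correlation memory.

The sample events below are constructed (not real logs). They model the
low-and-slow sequence from the post: a logging gap during which tooling is
installed, then a scan for further targets, then exfiltration, each stage
separated by more than a week.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log lines in a hypothetical "timestamp | host | event kind" format.
SAMPLE_LOG = """\
2009-09-01 02:05:00 | web01 | audit_log_stopped
2009-09-01 02:40:00 | web01 | audit_log_started
2009-09-04 09:00:00 | web01 | ssh_login
2009-09-11 03:10:00 | web01 | internal_port_scan
2009-09-25 01:00:00 | web01 | large_outbound_transfer
2009-09-22 01:30:00 | db02 | audit_log_stopped
2009-09-22 02:00:00 | db02 | audit_log_started
2009-10-03 04:00:00 | db02 | internal_port_scan
2009-09-15 22:00:00 | app03 | audit_log_stopped
2009-09-15 22:20:00 | app03 | audit_log_started
"""

# The attack stages, in the order they must occur on a single host.
STAGES = ("audit_log_stopped", "audit_log_started",
          "internal_port_scan", "large_outbound_transfer")


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format and return events in time order."""
    events = []
    for line in text.strip().splitlines():
        ts, host, kind = (field.strip() for field in line.split("|"))
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, kind))
    return sorted(events, key=lambda e: e.ts)


def correlate(events: List[Event], window_days: int) -> List[Tuple[str, str, str]]:
    """Run the staged rule per host with a correlation memory of window_days.

    A partially matched chain whose last step is older than the window is
    forgotten, which is exactly what a patient attacker exploits by waiting
    between stages. Returns (host, first_stage_ts, last_stage_ts) for each
    completed chain.
    """
    window = timedelta(days=window_days)
    # host -> (stages matched so far, ts of first matched stage, ts of last one)
    state: Dict[str, Tuple[int, datetime, datetime]] = {}
    alerts: List[Tuple[str, str, str]] = []
    for e in events:
        matched, first_ts, last_ts = state.get(e.host, (0, None, None))
        if matched and e.ts - last_ts > window:
            state.pop(e.host)          # memory exhausted: the partial chain is forgotten
            matched, first_ts = 0, None
        if e.kind != STAGES[matched]:
            continue                   # unrelated event, or a stage out of order
        first_ts = first_ts or e.ts
        matched += 1
        if matched == len(STAGES):
            alerts.append((e.host, first_ts.isoformat(" "), e.ts.isoformat(" ")))
            state.pop(e.host, None)
        else:
            state[e.host] = (matched, first_ts, e.ts)
    return alerts


def alerts_for_window(window_days: int) -> List[Tuple[str, str, str]]:
    """Convenience wrapper: run the rule over the constructed log."""
    return correlate(parse_log(SAMPLE_LOG), window_days)


if __name__ == "__main__":
    for days in (5, 10, 90):
        print(f"{days:>2}-day correlation window: {alerts_for_window(days)}")
```

With a 5-day window (or even 10 days) the scan on web01 arrives after the logging-gap stages have already been forgotten, so the chain never completes and nothing fires; the same events with a 90-day window produce one alert covering the 24 days from the first logging gap to the outbound transfer. The app03 host, whose logging gap is never followed by anything, produces no alert at any window, which is the point of correlating stages rather than alerting on the gap alone. Note also that a long retention window only helps if a rule actually expresses the multi-stage sequence; keeping 90 days of events while running burst-oriented rules detects nothing extra.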
Gosh, that seems too easy. Why don’t other SIEM vendors do the same? Because it is hard: it requires a purpose-built architecture to keep that much data in memory for correlation across that length of time. Other SIEM and log management offerings would need to rebuild their products from the ground up to provide a similar capability, and we know that isn’t going to happen.
You can think of most SIEM products as having Alzheimer’s, as sad as that is: very limited short-term memory, and their long-term memory is shot. That is exactly what the attackers are counting on, and it is another reason that log data is not enough.
