Need of Alarm Centralization prioritization and Orchestration

1. LTS Secure provides high-level Cybersecurity Protection by: Centralization of Cybersecurity Alarms Prioritization of CyberSecurity Alarms Orchestration on Prioritized Alarms Authors: Satyen Jain Sagar Saurabh 10.21.2019 LTS Secure | 2406 Schumacher Drive, Mishawaka, IN, 46545| www.ltssecure.com

2. Cyber Security Alarm Threats: The rise of unknown Alarms monitoring is contributing to the maximum cybersecurity fraud and cyber threats internal as well as external to the organization. CyberSecurity Problem Statement: The statistics of Cyber Security Alarms are increasing every day and is becoming a prime challenge for the IT team to review and take action on real-time basis. The additional challenge that comprises is that the alarms are delivered in silos as most of security solutions deployed are implemented in silos. Background: Organizations attempt to build SIEM solutions such as SOC as a Service but that leads to incremental alarms for the organizations. Most organizations have reported the biggest challenge of detecting false positive alarms from their SOC team with limited data leads to the investment of time to monitor each alarm. This challenge leads to the growing realization that the ROI on only SIEM as a Service is very low. CyberSecurity Solution Statement: After the removal of the noise and eliminating the false positives, SOC should have the intelligence to reprioritize the alarms keeping the context and impact in mind. AI technology plays a vital role in the orchestration stage based on Prioritization, SOC should provide a provision to automate some of the alarms where human second eye is not required. It has been observed that the organization is buying orchestration solutions to automate alarms but enrichment of alarms and re-prioritization is still a missing piece. Encroachment of alarms will support reprioritization, which will assist the organizations to classify the alarms for automation and for L2 team. 2

3. LTS Secure - Cybersecurity Solutions: Solutions provided using Alarm Centralization & Prioritization & Orchestration: LTS Secure UEBA also enables you to centralize the storage of all your Alarms data from various disparate Critical-Security-Controls and also other SIEMs on the UEBA platform which is a compliant environment. This alleviates the burden of having to manage and secure logs on-premises while providing a compliance-ready log management environment. 3

4. Secondly, it gives you immense capabilities to Enrich, Prioritize & Orchestrate response through GUI enabled intuitive LTS Secure UEBA. Security information and event management (SIEM) systems are designed to detect suspicious network activity. Unfortunately, most of the SIEMs produce a lot of False Positives/Noise — in some cases, millions per day — and despite efforts to deduplicate, contextualize, and correlate these alerts, SIEMs still drown the security teams in irrelevant and/or false-positive data. Prioritizing and addressing alerts from your SIEM and security stack is a massive undertaking for security teams and SOC managers — until now. LTS Secure UEBA automates and streamlines Alarm validation and prioritization, so you don't have to. Filter out false-positives and instantly identify which alerts to escalate Significantly reduce the time and resources required to review alerts Enable your SOC managers and security team to focus on real threats Leverage and make better use of your existing security investments 4

5. Automated Alarm triage helps you to determine which Alarms can be filtered out as noise and which are actionable threats that need escalation and prioritization thus effective automation can be created as workflows. Alarm Centralization: We are able to collect Alarms from various Critical Security Controls (Data sources) be it Endpoint Security Management (EDR solutions), DLP Solutions, NGFW, etc. to a centralized repository being LTS Secure UEBA then Enrich them with User/Asset/Business Context to be able to do various analytics-based use cases. Alarm Prioritization: Asset Context User Context Business Context Alarm Prioritizati on a. Understanding the User Context: Scenario: An Alarm on SIEM for Login Failure with a User id: vinayp, which was earlier marked by HR as “Resigned” on HRMS application. User IDs: vinayp, Kartik with logon Alarm being generated on LTS Secure SIEM. Enrichment & Orchestration Hence, thus as an Orchestration is required wherein the same user id which is ought to be deleted from AD as well as user in the organization in our HRMS application, the user is deleted, however due to certain reasons it still exists as a stale account on AD. 5

6. If we get a Logon event from User ID: vinayp, it should have a priority raised as P1 and Risk: 9, rather than a normal login event on the same server with User ID: vinayp That can be easily achieved on LTS Secure UEBA using Alarm Prioritization which is a three-step quick process to create workflow as depicted as follows: •Extracted the interesting field from Alarm Windows logon failed event with User ID and Field/Status: Resigned Using a Pipeline with Multiple stages to firstly validate, then increase Prioirity & Risk of Alarm, finally implement a response through a script later to be able do preprogrammed action of deleting the user •Pipeline & Staging •Final Automation via call to script. Using Alarm/Alert Condition to finally callout a script for Deleting the user on AD /Database. 6

7. Step1: Parsing the appropriate Alarm via an Orchestration: 7

8. Step 2: Prioritization & Enrichment via addition of User Context 8

9. Step 3: Using Alarm/Alert Condition we can dictate 3 types of actions  the configured alert receivers when the conditions are triggered. Email alert callback: The email alert callback can be used to send an email to  that will be called when the alert is triggered. HTTP alert callback: The HTTP alert callback lets you configure an endpoint  Script. Execute Alarm Callback: This provides the user to call for a script to execute a 9

10. As depicted below, as part of the example workflow, we finally callout a script for deleting the user on AD/Database. Also similar to this use case we can have: PIM: Privileged Identity Monitoring PAM: Privileged Activity Monitoring It can be undertaken, with enrichment of even logs and staging, to derive analytics-based use cases. 10

11. b.Understanding Asset Context- With many different solutions to secure devices and users, all of the information exists to ensure that assets are adhering to policy. The challenge is that the data lives in different silos. For example, when an alert from a SIEM solution comes into a SOC, an incident responder must look to many different sources to understand: 1.What device is the alert referring to? 2.What user(s) had access or were logged in? 3.Was the core software up-to-date? 4.What vulnerabilities are present? 5.What other devices share the same vulnerabilities and may be impacted Thus, on this basis, a High-Value asset in contrast to a normal endpoint we can have High Severity alarm for an asset which is an HVA (High-Value Assets)and similarly downgrades the Alarm to a low severity one.This can be easily achieved through LTS Secure UEBA Alarm Prioritization Feature. c.Understanding Business Context: To understand this, lets quickly talk about another scenario wherein we are getting Alarms of similar Priority from: A => Primary DC hosting critical app servers B => An On-Prem Asset/Endpoint Machine The alarm relates to Bruteforce attempts using LTS Secure UEBA Alarm Prioritization feature we can create a rule where if the P2 Alarm is originated from “A”, We can have it escalated to P1 priority and Severity “Serious” and similarly, we can have the same P1 downgraded to P2 & Severity “Medium”. Thank You For more information, contact: Sagar Saurabh enquiry@ltssecure.com 11