SIEM-Based APT Protection
An advanced persistent threat (APT) is an attack in which an intruder gains access to a corporate network and stays unnoticed for a long time, causing data leaks and financial losses. With 21 years in the cybersecurity domain, ScienceSoft implements IBM QRadar SIEM to detect and resist APTs and to minimize their potential impact.
Putting SIEM at the Core of APT Protection Strategy
APTs are carried out by highly skilled professionals who use the entire array of sophisticated techniques, from spear phishing to refined, disguised on-site espionage. This level of sophistication calls for experienced SIEM consultants who fine-tune a SIEM solution and build a deeply personalized security environment around it.
By placing a SIEM solution on the front line of your battle against APTs, you gain the following advantages:
- SIEM solutions provide a 360° view of a company's IT ecosystem and let security teams correlate heterogeneous security events. This helps security administrators draw up a holistic picture of an attack, track its path and identify the attackers, which individual point tools such as firewalls, antivirus software or IPSs cannot do on their own.
- SIEM solutions provide faster and better automated analysis of all security events in a single location. Companies don't need to manage a whole array of scattered security systems or acquire additional APT protection tools, since a fine-tuned SIEM system consolidates log management, network monitoring and vulnerability scanning while providing a wide set of customizable correlation rules to address proliferating cyberattacks.
- SIEM solutions let companies tailor their defense flexibly to particular needs, creating a unique security posture aligned with corporate security policies and best practices.
To make a SIEM system your ally in APT detection, we will assist you in configuring your current QRadar-based solution, or in migrating a third-party SIEM system to IBM QRadar SIEM, to build up vigorous anti-APT protection.
Recognizing APT Symptoms at Different Stages
Unlike one-time aggressive and open attacks, APTs consist of a set of latent actions that allow intruders to stay anchored within a network and exploit several vulnerabilities at once. At the same time, the persistence of such threats means that the criminals leave many traces in the course of their actions. Armed with a well-tuned SIEM solution, security administrators have multiple touchpoints at which to detect intruders and stop them before their activities lead to dramatic data and money losses.
By extending IBM QRadar SIEM's capabilities, our SIEM team aims to create detection points that reveal signs of an APT regardless of its stage.
Spotting malware infections and spear phishing
To stop an APT at its very first stage, our security experts help you complement IBM QRadar SIEM's out-of-the-box reconnaissance detection rules with custom correlation rules that detect malware infections or large spear phishing campaigns by pinpointing abnormal network traffic and atypical email distribution, for example:
- An enormous number of emails sent from the same account.
- Email messages sent outside business hours from a corporate account.
- Suspicious messages with the same subject delivered to many different mailboxes.
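The three email rules above, implemented as a small correlation pass over constructed mail-gateway records. This is an added example, not ScienceSoft's code and not a QRadar rule export; the thresholds, the corp.example domain and the sample events are assumptions chosen to show one compromised account tripping all three rules while a night-time vendor newsletter does not.

```python
from collections import defaultdict
from datetime import datetime

# Assumed policy values; tune them to the organisation's own mail volumes.
CORP_DOMAIN = "corp.example"               # hypothetical corporate mail domain
BUSINESS_HOURS = range(8, 19)              # 08:00-18:59 local time counts as business hours
MAX_MAILS_PER_SENDER = 50                  # per-day volume above which an account is suspicious
MIN_RECIPIENTS_SAME_SUBJECT = 10           # distinct mailboxes receiving one subject line


def build_sample_events():
    """Constructed mail-gateway records (timestamp, sender, recipient, subject); not real logs."""
    events = [
        ("2024-03-04T09:12:00", "alice@corp.example", "bob@corp.example", "Q1 budget"),
        ("2024-03-04T10:40:00", "bob@corp.example", "alice@corp.example", "Re: Q1 budget"),
        ("2024-03-04T14:05:00", "carol@corp.example", "dave@corp.example", "Lunch?"),
        ("2024-03-04T21:30:00", "news@vendor.example", "alice@corp.example", "Weekly digest"),
    ]
    # A compromised account blasting one lure at 02:xx to sixty different mailboxes.
    for i in range(60):
        events.append((f"2024-03-05T02:{i:02d}:00", "erin@corp.example",
                       f"user{i}@corp.example", "Invoice overdue - action required"))
    return events


def detect_email_anomalies(events):
    """Apply the three correlation rules and return the offenders per rule."""
    mails_per_sender = defaultdict(int)
    off_hours_senders = set()
    recipients_per_subject = defaultdict(set)

    for ts, sender, recipient, subject in events:
        hour = datetime.fromisoformat(ts).hour
        mails_per_sender[sender] += 1
        # Rule 2 applies only to corporate accounts; external newsletters at night are normal.
        if sender.endswith("@" + CORP_DOMAIN) and hour not in BUSINESS_HOURS:
            off_hours_senders.add(sender)
        recipients_per_subject[subject].add(recipient)

    return {
        "mass_mailing": sorted(s for s, n in mails_per_sender.items()
                               if n > MAX_MAILS_PER_SENDER),
        "off_hours_sending": sorted(off_hours_senders),
        "same_subject_fanout": sorted(subj for subj, rcpts in recipients_per_subject.items()
                                      if len(rcpts) >= MIN_RECIPIENTS_SAME_SUBJECT),
    }


if __name__ == "__main__":
    for rule, hits in detect_email_anomalies(build_sample_events()).items():
        print(f"{rule}: {hits}")
```

In a real deployment each rule would be a QRadar custom rule over the mail gateway's log source; the point of the script is that all three rules fire on the same account, which is the kind of multi-rule correlation a SIEM makes cheap and a single mail filter does not.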
Additionally, our SIEM experts analyze network flows and implement anomaly rules to detect video and screen-capture activity, thus identifying attackers who are trying to covertly watch your organization and learn your internal systems.
Scanning network activities
To maximize the effectiveness of your APT protection, we prioritize fine-tuning the SIEM solution's flow collectors (QFlow in IBM Security QRadar SIEM). This ensures constant monitoring of network traffic and quality processing of session and flow information, which lets us baseline network traffic, implement custom anomaly rules and build specific correlation rules to detect:
- Communications with known botnet command-and-control servers and malicious IP addresses.
- Communications with unusual and potentially malicious countries and regions.
- Communications over unusual ports (e.g., 6667/IRC).
- Communications containing specific payloads (e.g., bot control commands).
We will also assist you in deploying and configuring IBM QRadar Risk Manager to let your security administrators:
- Track even minor modifications to network devices' configuration.
- Analyze the configuration history to discover who created a security hole and when.
- Build the network topology and discover both existing and possible connections between network devices, in order to immediately identify and close risky communication paths throughout the network.
Stopping attackers’ lateral movement
To settle within your network, attackers apply privilege escalation methods to reach critical network points through illegitimately extended user permissions. To counteract them, we:
- Focus on deep analysis of log data collected from employees' workstations.
- Map user accounts and roles from the corporate AD into the SIEM solution, so that security administrators are alerted whenever a user with no administrative role acts with extended privileges or accesses servers or network devices they are not authorized for.
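What the AD-to-SIEM mapping above buys you, as an added example (not ScienceSoft's code and not a QRadar rule): a directory snapshot of group memberships decides who is allowed to act as an administrator, and constructed Windows security events (4624 logon, 4672 special privileges assigned to a new logon) are checked against it. The accounts, hosts, privileged-group set and restricted-host set are all assumptions.

```python
# Constructed directory snapshot: user -> AD group memberships (not real accounts).
AD_GROUPS = {
    "alice": {"Domain Users", "Domain Admins"},
    "bob": {"Domain Users", "Finance"},
    "carol": {"Domain Users", "Server Operators"},
}
PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators"}   # roles allowed to act as admins
RESTRICTED_HOSTS = {"dc01", "hr-db01"}                       # assumed admin-only servers
SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeTcbPrivilege",
                   "SeBackupPrivilege", "SeTakeOwnershipPrivilege"}


def is_privileged(user):
    """Accounts missing from the directory snapshot count as unprivileged, so they alert too."""
    return bool(AD_GROUPS.get(user, set()) & PRIVILEGED_GROUPS)


def build_sample_events():
    """Constructed Windows security events; 4624 = logon, 4672 = special privileges assigned."""
    return [
        {"user": "alice", "host": "dc01", "event_id": 4672, "privileges": ["SeDebugPrivilege"]},
        {"user": "bob", "host": "ws-finance-03", "event_id": 4624, "privileges": []},
        {"user": "bob", "host": "ws-finance-03", "event_id": 4672, "privileges": ["SeDebugPrivilege"]},
        {"user": "bob", "host": "hr-db01", "event_id": 4624, "privileges": []},
        {"user": "carol", "host": "dc01", "event_id": 4624, "privileges": []},
        {"user": "svc_backup", "host": "dc01", "event_id": 4624, "privileges": []},
    ]


def evaluate_events(events):
    """Alert on non-admin accounts that gain sensitive privileges or reach restricted hosts."""
    alerts = []
    for e in events:
        if is_privileged(e["user"]):
            continue                      # admins are expected to do admin things
        if e["event_id"] == 4672 and SENSITIVE_PRIVS & set(e["privileges"]):
            alerts.append(("unexpected_privileges", e["user"], e["host"]))
        if e["event_id"] == 4624 and e["host"] in RESTRICTED_HOSTS:
            alerts.append(("restricted_host_access", e["user"], e["host"]))
    return alerts


if __name__ == "__main__":
    for alert in evaluate_events(build_sample_events()):
        print(alert)
```

Without the directory mapping, the 4672 event for bob looks exactly like the one for alice; the role lookup is what turns a routine event into an escalation alert. Note the design choice of treating unknown accounts (svc_backup here) as unprivileged: a service account that was never synchronized from AD should produce an alert, not silence.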
To increase user visibility throughout the network, we complement the native capabilities of IBM QRadar SIEM with QRadar Session Manager, ScienceSoft's proprietary tool that investigates security events by analyzing session information, even when no user name is available in the initial log message.
Stalling sensitive data exfiltration
If attackers have managed to get as far as the data exfiltration stage, a SIEM solution armed with data-centric correlation rules will help you detect abnormal activity involving sensitive data. We will also assist you in connecting your SIEM solution to specialized DLP systems for a more thorough analysis of data flows within your network, and will build up baselines that reveal even small yet critical data extraction.
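The baseline idea in the paragraph above, as an added example that is not ScienceSoft's code: each host's outbound byte count is compared with its own 14-day history rather than with a fixed, company-wide limit, so a workstation that normally sends 20 MB a day and suddenly sends 45 MB is flagged even though 45 MB would be invisible next to a build server's 300 MB. The host names, byte counts, multiplier and minimum delta are constructed assumptions.

```python
from statistics import mean, pstdev

MB = 1024 * 1024
SIGMA_MULTIPLIER = 3.0        # assumed: flag a day more than 3 standard deviations above baseline
MIN_ABSOLUTE_DELTA = 5 * MB   # assumed: ignore tiny jitter on near-constant baselines


def build_sample_baseline():
    """Constructed 14-day per-host outbound byte counts plus today's totals; not real flow data."""
    baseline = {
        "ws-finance-03": [v * MB for v in (20, 21, 19, 22, 20, 18, 21, 20, 19, 22, 21, 20, 19, 20)],
        "build-server": [v * MB for v in (300, 310, 290, 305, 295, 300, 310,
                                          290, 300, 305, 295, 300, 310, 290)],
        "kiosk-01": [1 * MB] * 14,           # a flat baseline (standard deviation of zero)
    }
    today = {"ws-finance-03": 45 * MB, "build-server": 310 * MB, "kiosk-01": 2 * MB}
    return baseline, today


def detect_exfiltration(baseline, today, k=SIGMA_MULTIPLIER, min_delta=MIN_ABSOLUTE_DELTA):
    """Return the hosts whose outbound volume today exceeds mean + k*sigma of their own history."""
    alerts = {}
    for host, history in baseline.items():
        mu, sigma = mean(history), pstdev(history)
        threshold = mu + k * sigma
        current = today.get(host, 0)
        # The absolute delta guards the zero-sigma case: a flat 1 MB baseline would otherwise
        # alert on any increase at all, including one extra megabyte.
        if current > threshold and current - mu >= min_delta:
            alerts[host] = {
                "today_mb": current / MB,
                "baseline_mean_mb": mu / MB,
                "threshold_mb": threshold / MB,
            }
    return alerts


if __name__ == "__main__":
    baseline, today = build_sample_baseline()
    for host, detail in detect_exfiltration(baseline, today).items():
        print(host, detail)
```

The build server's 310 MB day sits inside its own noise band and stays quiet, while the finance workstation's 45 MB is more than twenty standard deviations above its mean. A DLP integration adds the second dimension (what was sent, not just how much), which this volume-only baseline cannot see.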
Aligning an Anti-APT Plan With Your Network's Specifics
Our 16 years of SIEM consulting practice have proved that even a well-developed anti-APT plan turns ineffective if it is not aligned with a company's unique IT landscape. That's why we combine our APT protection approach with the following important steps:
1. In-depth analysis of the current security state
ScienceSoft's SIEM consultants analyze the current network to reveal existing threats and assess the company's security fitness. The analysis lets us see whether the network already shows APT symptoms and sort out the most numerous and most dangerous types of attacks targeting it. As an integral part of this step, we study the security policies in place so that the future APT defense integrates smoothly into the corporate IT environment.
2. Step-by-step planning of an APT protection strategy
Relying on these findings, we develop a personalized protection plan aimed at enhancing the current security state and making the company resistant to both ongoing and potential APT attacks. The plan includes an overview of the necessary changes to the existing IT infrastructure, precise guidance on fine-tuning QRadar so that it is sensitive to APT signs, and clear recommendations on minimizing the impact of APTs on corporate assets.
3. Consistent configuration of a SIEM solution
We assist in deploying and configuring IBM QRadar SIEM and help migrate any current solutions to the IBM Security Intelligence Platform. Furthermore, we ensure full-cycle setup of the SIEM solution, from connecting log sources to creating custom APT-focused correlation rules, thus helping to build a well-thought-out APT security system.
4. Concurrent penetration testing and vulnerability assessment
To help our clients stay in the vanguard of cybersecurity, we provide penetration testing services that investigate the corporate network in depth, detect existing vulnerabilities and security holes so they can be patched promptly, assess the company's resistance to various types of attacks, and help security administrators adopt the security approaches relevant to protecting their network.
Why Entrust Your APT Protection Strategy to ScienceSoft
With about 200 successful projects in information security, ScienceSoft today helps its customers adopt sound security practices and build a robust persistent-threat detection system that counteracts a myriad of cyberattacks.
Our information security milestones include:
- Over 21 years of working in Security Intelligence.
- Creation of IBM TSIEM/TCIM and TSOM products and co-development of IBM’s official TSIEM to QRadar migration guide.
- SIEM projects in North America, Europe, the Gulf region and Africa.
- A range of proprietary SIEM solutions, including QRadar Session Manager and QLEAN for QRadar SIEM.
- ScienceSoft is a 3-Year Champion in The Americas’ Fastest-Growing Companies Rating by the Financial Times.