Introduction
Hi, my name is Simon and I’m a senior solutions engineer here at Graylog. We have been helping NHS trusts achieve their Cyber Essentials Plus certification and meet their DSPT obligations with centralized logging and security analytics. By doing so, trusts have increased efficiencies within multiple IT departments, removed data silos, and have an increased visibility of security threats. Because the threat landscape is continuously evolving, so must your discrete organizational units. It is no longer efficient to operate in individual silos, but rather, those teams need to work together to serve the common purpose of maintaining a robust security posture.
The Problem
The advanced persistent threats associated with data exfiltration, data corruption, and service outages do not always happen quickly. Often, these attacks are performed over weeks and months so that the malicious activity blends into the background knowledge of day to day operations. Leveraging the Graylog security analytics platform gives you a holistic view of your entire organization’s log data from one console, and in doing so, it enables your IT teams to mitigate risk, protect sensitive information, and always stay compliant.
About Graylog
At Graylog’s core is its search engine. Built using a human readable query language, and optimized for incredible speed, it makes a wide range of activities, from simple ad hoc searches to proactive threat hunting, fast and efficient, helping simplify your security operations. Graylog is capable of handling massive volumes of log data. We have customers ranging from 10 gigabytes a day, or 150 events per second, to 80 terabytes a day, or in excess of 1 million events per second. Graylog is highly adaptable to continuously evolving use cases and environments, and is capable of collecting log data from all of your different devices, from perimeter firewalls, SaaS services, and your interconnected medical devices. Graylog’s disruptive approach to security analytics, combined with our expert partners own security, means that all of this is achieved while decreasing platform complexity and overall total cost of ownership, as compared to other tools of this type.
Graylog in Action
Let’s now take a look at Graylog in action. In this short demo, we’re going to look at a use case where an account has been compromised, and using that account, another malicious account has been created. We will see that a new account has added a rogue DNS server to our environment, [inaudible 00:02:17] file data and exfiltrated it. Our journey begins when we notice the tool fgdump has been used on a desktop machine to dump out password hashes. We have a look at a dashboard created to look at change activity within the active directory, and notice that not only has a new user group been created, but also some event logs have been cleared in an attempt by our adversary to hide their tracks. What’s interesting here is that that log data is no longer available on the local machines, but has all been captured in Graylog and is available to us for a forensic analysis. We also notice that the account lockout policy has been changed. Our assumption here is that this will make attacking other accounts in the future easier.
We jump across to another dashboard that is focusing on DNS related log data, and can see that a rogue DNS has been added. In addition, looking at the trend in our DNS by its outbound data, we might conclude that some DNS tunneling activity is going on, and this is now starting to look like an attempt to exfiltrate some sensitive data. Now that we have a clear understanding of what has been occuring, we investigate further, looking at our dashboards relating to file data, file permissions and network connection activity. We can confirm our suspicions that some data has been exfiltrated, we can pinpoint where and how that breach happened to ensure this type of activity is prevented in the future.
In some cases, access to sensitive data will be restricted to specific machines within restricted areas behind physical security controls, such as door swipe systems. In those instances, our security can further be enhanced by collecting that log data in Graylog for use in investigations such as these. The scenario we have looked at during this video has utilized Graylog’s extremely fast, easy to use searching and dashboarding capabilities. In order to prevent breaches of this type from occurring, we could implement a number of correlation rules to automatically notify the relevant groups within your IT team that activity of this type is happening in near real time.
The End
If you would like to know more about how we can support your trust in driving productivity, meeting compliance requirements, whilst reducing overall costs, please feel free to book a meeting with Taylor and I, using the email address here, to discuss your specific needs further.
