Page 141 - Cyber Defense eMagazine August 2024

                ●  Correlation Controls: Necessary for detecting the patterns and anomalies that many control families mandate.
                ●  Threat Intelligence / Malware Controls: SC-related controls specifically concerned with malware.

             We designed the architecture so that the functionality a SIEM traditionally provides was subdivided and
             distributed across several components. Primarily:

                -   We used Amazon S3 (Simple Storage Service) for storage.
                -   We deployed numerous Lambda functions to funnel logs from non-AWS-native applications into S3.
                -   We ran several compute jobs to correlate logs from multiple sources.

             The effort was highly successful. We managed the environment with barely one full-time person and came
             through yearly audits with flying colors, across multiple years of audits. Our success was largely due to the
             role security played in shaping the entire organization's practices.

             We collaborated with all departments to ensure the following:

                -   We worked with every application team to get their logs emitted in the specific standard formats we
                    needed.
                -   We worked with the DevOps team to have the environment managed and operated only through CI/CD
                    pipelines, and the DevOps team delivered. Because every production change then originated in the
                    pipeline, correlating production alerts to approved change tickets was straightforward.
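             The two commitments above (logs in an agreed standard format, changes only through the pipeline) are what make the S3-plus-Lambda design workable in practice. The following is an added example and not code from the author's environment: a Lambda-shaped handler that normalizes two constructed vendor log formats into one standard record schema and writes each record under a partitioned S3-style key, followed by a small correlation job that flags production changes with no approved change ticket covering the actor, target and time window. The record fields, key layout, ticket shape and sample lines are all assumptions made for the illustration; the in-memory `store` dict stands in for `s3.put_object` so the block runs offline.

```python
import json
import re
from datetime import datetime

# Constructed sample input (made up for this example): two sources, two vendor formats,
# plus one malformed line to show that parse failures are counted rather than lost.
RAW_LOGS = [
    ("sshd", "2024-08-01T10:00:00Z host1 sshd[4242]: Accepted publickey for deploy from 10.0.0.5 port 51022"),
    ("app", '{"time":"2024-08-01T10:05:00Z","user":"alice","event":"config.update","resource":"prod-db","status":"ok"}'),
    ("app", '{"time":"2024-08-01T13:30:00Z","user":"bob","event":"config.update","resource":"prod-db","status":"ok"}'),
    ("sshd", "2024-08-01T13:31:00Z host1 sshd[4300]: Failed password for root from 198.51.100.7 port 40001"),
    ("app", "this is not json"),
]

# Assumed standard schema every team emits into: ts, source, actor, action, target, outcome.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) "
    r"for (?P<actor>\S+) from (?P<ip>\S+)"
)


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize(source, raw):
    """Turn one vendor line into a standard record, or None if it cannot be parsed."""
    if source == "sshd":
        m = SSHD_RE.match(raw)
        if not m:
            return None
        return {"ts": m["ts"], "source": source, "actor": m["actor"], "action": "ssh.login",
                "target": m["ip"], "outcome": "success" if m["outcome"] == "Accepted" else "failure"}
    if source == "app":
        try:
            d = json.loads(raw)
        except json.JSONDecodeError:
            return None
        return {"ts": d["time"], "source": source, "actor": d["user"], "action": d["event"],
                "target": d["resource"], "outcome": "success" if d.get("status") == "ok" else "failure"}
    return None  # unknown source: refuse rather than guess


def s3_key(rec):
    """Hive-style partition key (assumed layout) so correlation jobs can prune by source and hour."""
    t = parse_ts(rec["ts"])
    return f"logs/source={rec['source']}/dt={t:%Y-%m-%d}/hour={t:%H}/{t:%Y%m%dT%H%M%SZ}-{rec['actor']}.json"


def lambda_handler(event, context=None, store=None):
    """Lambda-shaped entry point; `store` replaces s3.put_object so the example runs offline."""
    store = {} if store is None else store
    dropped = 0
    for source, raw in event["records"]:
        rec = normalize(source, raw)
        if rec is None:
            dropped += 1  # surfaced in the return value so a parse-failure alarm can fire
            continue
        store[s3_key(rec)] = json.dumps(rec)
    return {"stored": len(store), "dropped": dropped}


# Constructed approved change tickets, as the CI/CD pipeline would record them (made up).
TICKETS = [
    {"id": "CHG-101", "target": "prod-db", "actor": "alice",
     "start": "2024-08-01T10:00:00Z", "end": "2024-08-01T11:00:00Z"},
]
CHANGE_ACTIONS = {"config.update", "deploy"}


def unapproved_changes(records, tickets):
    """Correlation job: production changes with no approved ticket covering actor, target and time."""
    flagged = []
    for r in records:
        if r["action"] not in CHANGE_ACTIONS:
            continue
        t = parse_ts(r["ts"])
        covered = any(
            tk["target"] == r["target"] and tk["actor"] == r["actor"]
            and parse_ts(tk["start"]) <= t <= parse_ts(tk["end"])
            for tk in tickets
        )
        if not covered:
            flagged.append(r)
    return flagged


def run_example():
    """Ingest the sample lines, then run the correlation job over what landed in 'S3'."""
    store = {}
    summary = lambda_handler({"records": RAW_LOGS}, store=store)
    records = [json.loads(v) for v in store.values()]
    return summary, unapproved_changes(records, TICKETS)


if __name__ == "__main__":
    print(run_example())
```

             In this run alice's change is covered by CHG-101 and is silent, while bob's change to prod-db at 13:30 has no ticket and is flagged; the malformed line is counted as dropped instead of disappearing.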


             Challenges Outside FedRAMP Environments

             However, replicating this architecture outside FedRAMP environments proved challenging. I pondered the
             reasons over several months as we encountered the hurdles. They are the same challenges that led to the
             rise of SIEM and SOAR technologies in mainstream security engineering.

                ●  Log Format Control: It is impractical to enforce a uniform log format across diverse sources, so the
                    SIEM became the dump for all logs and the place where uniformity was imposed on them.
                ●  Rule Development: Writing rules against the various vendor-specific log formats at the source is
                    cumbersome, so learning a single SIEM DSL became preferable.
                ●  Centralized Intelligence: With logs in one central place, SIEM systems evolved to provide intelligent
                    log stores, abstracting rule development and offering comprehensive dashboard capabilities.
                ●  Reaching into the Sources via API to Take Action (SOAR): As SIEM management complexity grew, SOAR
                    systems emerged to automate response actions, check sources, and carry out interventions.









            Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.