Atlant Security’s Cyber Security Monitoring services help small businesses see every suspicious activity happening in their network. They could answer the most crucial question in the field of security monitoring: “what has been going on in our digital assets in the past 24 hours?”
Imagine: you gain access to the minds and experience of the best cybersecurity experts in the world. The ones employed by Amazon, Microsoft, Google – but they work for YOU!
Imagine the difference in working with them, versus working with your local talent or the solution providers you have worked with until now.
Imagine the results-oriented attitude, speed of solving your challenges, the professional documentation after each successful project.
Our mission is to make every one of our customers feel every interaction with us being like flying in a private jet. No hassle, just fast and mind-blowing results.
If your business needs cyber security monitoring, why settle with a low-quality local provider when you work with the best experts in the world?
Have there been logins from strange places? Attempts to login indicating an ongoing attack? Has anyone accessed anything they should not have?
We check for mitigation controls for 17 types of cyber attacks: account compromise, unauthorized access, ransomware, network intrusions, malware infections, sabotage, security policy violations, etc.
The most important security monitoring question to answer, every day: did anything suspicious happen on any computer in your network in the past 24 hours?
Microsoft 365 has 280+ security settings. Amazon Web Services and Azure have hundreds of security configuration options. Do you monitor their changes over time?
We help our customers build visibility into their IT infrastructure by implementing Server & Network Device monitoring, Desktop monitoring, Network & Web Service security monitoring, backup monitoring, and much more.
How many vulnerable machines / apps can a company have in its network?
We help our customers establish and manage a Vulnerability management program which will gradually reduce the vulnerabilities in their network.
Getting access to a corporate account may grant a hacker access to all internal systems, too. We protect our customers by helping them monitor and detect a breach as soon as it happens and before severe damage is done.
Breach simulation is an integral part of every Information Security Program. Our customers can rely on us to support them in the initiation, execution and conclusion of a Penetration Test.
Secure Work From Home is one aspect of remote access, but we also take care of third party partners and outsourced employees, vendors and guests. Remote access to data is not limited to VPN.
Our team has been a part of the best cybersecurity consulting departments on this planet. Before founding Atlant Security, our founder, Alexander, was part of Microsoft’s security consulting team.
The price for customers to work with Microsoft’s consulting team is set high – so we decided to change that.
You have the opportunity to work with the best at a very affordable price.
We achieve that by using the expertise of one stellar expert to serve several customers, rather than utilizing them as a full-time employee at just one company.
By using the economies of scale principle, we give our customers the best in cyber security monitoring without sacrificing anything.
“We already monitor our systems and have logs enabled.”
Every IT department out there gives us this response when asked if they need external help with their security monitoring configuration.
Just look at this graph. Every one of these companies had an IT team, and every one of them firmly believed in their IT team’s ability to detect an attack before it became an incident.
There is one problem with this belief: it is wrong. IT teams have minimal experience in cybersecurity attack & defense methodologies. Their job is to build infrastructure and keep it running, much like every country has a construction industry.
We believe this usually happens before a company gets hacked – their IT department takes over the responsibility of defense. It inevitably leads to a security breach, in 100% of the cases.
Microsoft 365 is the most widely used cloud service (previously called Office 365) and is the most underestimated one, too, especially when it comes to its defense!
You see, most security settings available to customers when they purchase a license are turned off by default, and most possible policy configurations are not enabled.
To ensure the highest level of usability for the most significant percentage of businesses, they keep half the security settings disabled – but if you need to protect highly confidential data or are under attack, the default setup is not enough.
With more than 280 security settings in the cloud email and office suite productivity offering alone and hundreds of highly detailed policies to configure, our skilled security experts team is your best choice.
There are 17 types of cybersecurity attacks used by hackers regularly. The only way to detect one or several are being used against your business today is to have cyber security monitoring in place.
IT departments are ordinarily aware of 3 or at most 4 of them – phishing (stealing credentials through fake login forms and pages), malware, password guessing (brute force), and DDoS (Distributed Denial of Service). Even when they are aware of them, they often don’t know how to detect or configure the right logging and auditing tools for detection and noise reduction.
Most small businesses are getting hacked because their IT departments lack awareness of 14 of the 17 attack types mentioned above!
Our cybersecurity monitoring services help you detect all 17 types of cyberattacks.
We all know how people pass security awareness training. Click next, repeat, – done!
And in a few minutes, people don’t remember anything – but the company is compliant.
Do the hackers care you’re compliant? Highly doubtful.
Our team continuously tests and monitors the awareness of all your employees with social engineering and hacking simulations, recording the gradual improvement and regular reporting.
If you need to work on this topic, I suggest you read the book of Anton Chuvakin – Logging and Log Management: The Authoritative Guide to Understanding the Concepts Surrounding Logging and Log Management. It has helped me tremendously in several projects, and I would like to pass on the fact that it is an incredibly useful book.
Besides that, we have a few ideas to share, which might be useful to you and are not present in the book above.
Before even starting to collect logs, you need to understand your environment. That is why audits and assessments are useful. But that is not all – you need to know how much data your devices are producing in log format every second, minute, hour, 24 hours – then you need to understand how to optimize what is logged and what is not.
It is straightforward to lose yourself in the amount of logging information generated on each of your devices, especially if you add them all at once to your SIEM (even if you add only servers/switches and firewalls and omit the desktops).
The noisiest devices in our experience are Windows systems – especially domain controllers and mail servers. Second would be your proxy servers and firewalls.
To understand how logging in a Microsoft Environment works, I suggest you read these two links:
Once you’ve read the above and understand the difference between basic and advanced audit policy configuration, move on to the next link:
It explains in detail the changes you need to make to have an optimized for detection logging environment. It also emphasizes which EventIDs you should target.
To clean up your logs and only collect what is needed, you need to know what can be discarded. To understand what is being logged, a good idea would be to export the logs from your noisiest server for a day to a CSV file, open it in Excel, and filter by EventID. It should be easy to distinguish by a percentage which events are happening most frequently and which are not.
In one case, I saw thousands of events per second with the word “Filtering engine” in them. It turns out packet logging was turned on – and every single network packet coming through the internal Windows firewall was being logged! You can imagine the number of logs generated by this server per hour and the usefulness of these logs.
Unfortunately, such a level of detail can render your SIEM and your storage incapacitated – and you should be very careful what you log and what you discard.
If you want a good start with configuring your SIEM, you could only set it to log the events in as in the book which we mentioned earlier: “Spotting the Adversary with Windows Event Log Monitoring” paper by NSA – and expand to other systems/events once you are sure you got that one right. Don’t just plug in your SIEM and all your devices into it in a shotgun manner – all your money spend on storage and SIEM will go to waste if the system is not optimized and tuned for effectiveness.
It would help if you also focused on the following events:
(List is taken from http://www.slideshare.net/Hackerhurricane/ask-aalware-archaeologist)
The same process can and should be repeated for all your systems/devices. Only plug a device into your SIEM solution once you fully understand the format of logging it uses, the amount/type of events, and how you could fine-tune the number of details in these logs.
You can find an excellent set of guides on configuring Windows Logging here, too.
These links will be useful during your work on optimizing your logging environment.
LogExpert – especially this one!
One of my favorite tools to analyze logs quickly and filter them is Mandiant Highlighter.
Before even thinking about buying anything, think about optimizing your logs and storage – storage is utilized very quickly and becomes expensive if not managed properly.
There are multiple log storage calculation options online – what I used back in the days were a set of spreadsheets with pre-configured EPS (events per second) per device or operating system, or one of the online tools, such as http://codepen.io/packetinspector/details/vxjbL/
Another way of obtaining proper log storage calculation spreadsheets is to ask SIEM vendors for them in a pre-sales meeting – their engineers have them and are willing to share them.
There are a few outstanding open source solutions for centralized log storage and analysis (well, not as in a SIEM, but with a perfect searching and filtering capability which is still good) for smaller budgets.
One of them – a classic – is Syslog-NG.
One of the cybersecurity monitoring tools often used with our clients is Wazuh – it is worth checking out.
Another excellent open-source log management product is GrayLog2 (https://www.graylog.org/).
It is very similar in operation and performance to the ES/Logstash/Kibana – with the difference that it is a bit simpler to set up and get up and running and that the user interface of GrayLog2 does not use Kibana – which is a weakness, as Kibana is incredibly powerful in terms of what you can do with its dashboards and custom filtering/reporting capabilities.
I will spare you the screenshots / comprehensive technical capabilities – and I’m just mentioning the projects so you could have them in your mind when comparing to commercial solutions.
I cannot possibly write a chapter on security monitoring without mentioning this security Linux distribution.
It is installable on your hardware – and for a small (500 endpoints) would require at least 16 gigs of RAM and many TB of storage (as much as you can / want to afford) to store all the network traffic passing through your gateway.
It operates by running all network traffic through a set of open-source intrusion detection systems. As with all of them turned on the machine would need a significant amount of RAM and CPU power as well as the maximum IO you can push it is not recommended to run it on a VM. It is also recommended that your storage is built out of high-performance disks.
The distro allows you to look back in time in a way, and if an incident happens, to extract the exact packets containing the attack. The more extended period you can store your network traffic for, the better.
The value of having threat intelligence data fed into your SIEM can be seen when events from your IDS/IPS/Firewalls/other devices properly correlate with it. This new data will help make sense of the unknowns and generate alerts when a pattern matches a known threat indicator when unknown binaries or traffic patterns enter your network.
Since it is humanely impossible to read all the information passing through your SIEM, you would probably rely on its alerting capability whenever it detects anything suspicious. Let us set aside anomaly detection and spike detection for a moment and focus on threat intelligence as that is a very good source of alerts whenever something matches your network.
External threat intelligence feeds usually comprise of file hashes, IP addresses, hostnames, domain names, Indicators of Compromise (IOCs), matches to YARA rules.
Companies make a living from dissecting botnets, malware, and breach investigations to produce valuable information on detecting even small portions of malware based on similarity and functionality rather than hashes (so-called fuzzy hashing, for example). Then they convert that data into actionable form and sell access to it – so you could plug it into your SIEM.
Once your SIEM is fed with one or more threat intelligence feeds it could notice any similar activities, files, portions of files, accesses to suspicious networks or hosts – and alert you.
Below I will list some free and commercial threat intelligence feeds. It is your choice which ones to use, but I would focus on the commercial ones (after reading reviews from their customers and comparing them).
Commercial threat intelligence providers:
Kaspersky Security Intelligence Services:
TrendMicro Security Threats Connect: http://www.trendmicro.com/us/security-intelligence/current-threat-activity/threat-connect/
Norse Intelligence Service: http://www.norse-corp.com/products/norse-intelligence-service/index.html (they also have a pretty cool (funny to look at) map of ongoing attack traffic here: http://map.ipviking.com/ )
iSightPartners ThreatScape®: http://www.isightpartners.com/products/threatscape/
VeriSign Security Intelligence: http://www.verisigninc.com/en_US/cyber-security/security-intelligence/threat-intelligence/index.xhtml
CrowdStrike Falcon Intelligence: http://www.crowdstrike.com/falcon-intelligence/
And finally, one service by Microsoft, which is focused on internal data analytics rather than external:
Open Source / Free Threat Intelligence providers:
AlienVault Open Threat Exchange (OTX): https://www.alienvault.com/open-threat-exchange
Thanks to http://cyberwarzone.com/30-malicious-ip-list-and-block-lists-providers-2015/, we have a list of 31 (30 active) malicious IP/domain list providers:
You can also use these to plug into your Web Filter appliance/proxy server blacklist.