security information and event management


description: subsection within the field of computer security, where software products and services combine security information management and security event management

4 results

pages: 409 words: 112,055

The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats
by Richard A. Clarke and Robert K. Knake
Published 15 Jul 2019

(Yu notes that when consultants say that their clients’ security programs are literally stuck in the 1990s, that is what they mean: relying on antivirus and firewalls and hoping for the best.) In the 2000s, we saw that attackers were able to bypass antivirus, firewalls, and other protective controls, and we needed a way to detect when that occurred. Thus were born technologies such as intrusion detection systems (IDS) and security information and event management (SIEM), which helped organizations home in on unusual activities detected in their logs. Security organizations shifted to include threat management programs and started building security operations centers staffed with personnel to continuously monitor and act upon alerts created by these detection systems.


pages: 446 words: 102,421

Network Security Through Data Analysis: Building Situational Awareness
by Michael S Collins
Published 23 Feb 2014

Vern Paxson, “Bro: A System for Detecting Network Intruders in Real-Time,” Computer Networks: The International Journal of Computer and Telecommunications Networking, Vol. 31, Issue 23-24, December 1999.

Martin Roesch, “Snort—Lightweight Intrusion Detection for Networks,” Proceedings of the 1999 Large Installation Systems Administration Conference.

* * *

[9] A number of similar tools are associated with SEM, particularly security information management (SIM) and security information and event management (SIEM). Technically, SIM refers to the log data and information management while SEM is focused on more abstract events, but you are more likely to hear people say “SIM/SEM/SIEM” or some other aggregate.

[10] This has the nice bonus of identifying systems that may be compromised.

pages: 523 words: 154,042

Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks
by Scott J. Shapiro

Every cybersecurity firm promises that its technology will keep your data safe. Walk through any trade show and you will see miles of vendors hyping a different silver bullet. They pitch “next-generation” everything: firewalls, antimalware software, intrusion-detection services, intrusion-prevention services, security-information and event-management utilities, network-traffic analyzers, document taggers, log visualizers, and unified threat-management dashboards. If you ask vendors what separates their products from their competitors’, they will say the same thing: “The ‘secret sauce’ is our AI. It’s the best in the business.”

pages: 1,409 words: 205,237

Architecting Modern Data Platforms: A Guide to Enterprise Hadoop at Scale
by Jan Kunigk, Ian Buss, Paul Wilkinson and Lars George
Published 8 Jan 2019

Apache Ranger/Apache Sentry

There are two competing projects in the Hadoop ecosystem that handle tag- or role-based user authentication and audit logging. Both store their users, groups, and associated rules and permissions in a database. All access to data and other protected resources is recorded for posterity, such as audits performed by security personnel or automated processes (like security information and event management [SIEM] tools).

Sizing: The user, group, and permission information is often comparatively small and rather static in nature. The larger part is the audit log, which can be configured to hold only a certain number of entries. Also, that data can be exported to, for instance, a central log collection framework, keeping the amount of data stored in the transactional database system under control.