Editor’s note: This is part three of a series on threat detection.
Security is an ongoing journey, not a one-time achievement. By treating it as a continuous process, you can build a comprehensive approach that keeps pace with ever-changing threats and protects your valuable assets.
To enhance your security operations journey, it’s crucial to identify the most important data sources for effective threat detection. Improving threat detection is a gradual process that adapts to both new threats and your evolving attack surface. However, it’s important to start with a solid foundation.
To help you build this foundation, here are the top five data sources we recommend for detection along with relevant baseline detection rules.
As you might expect, effective detection rules are crucial to starting off the threat detection, investigation, and response process on the right foot. Deploying relevant detection rules through technologies like security information and event management (SIEM) platforms and endpoint detection and response (EDR) solutions enables you to promptly locate potential threats.
It’s important to note that detections are not a numbers game, where the person with the most detections wins. Quality in detection engineering triumphs over quantity, allowing you to effectively identify potential risks while avoiding alert noise that can distract a security team.
When it comes to deploying detections, it’s important to consider the various technologies and security tools in your environment. By understanding your technology ecosystem, you can tailor your detection strategies accordingly to improve identification of and response to potential threats. This ensures a more secure environment for your organization.
There are a few important considerations to keep in mind regarding detection rules. The ability to deploy specific detection rules is dependent on the security technology you have implemented. It’s also worth noting that the same detection rule can be deployable across multiple technology types (e.g., the same rule might be deployable using identity and access management, user behavior analytics, privileged access management, or operating system data sources), while some detection rules might require multiple inputs to fire (e.g., event A followed by event B detected by two different log sources).
Endpoints, such as laptops, servers, and mobile devices, are often the primary targets for cyberattacks. They can contain valuable data and serve as gateways to reach data repositories throughout the enterprise. EDR security solutions provide organizations with real-time visibility into endpoint activities, allowing them to quickly detect and respond to potential security incidents. This visibility enables security teams to identify and contain threats, minimizing the impact of an attack. With granular visibility into processes, network connections, and file behavior, EDR facilitates deep inspection and detection of advanced threats that bypass traditional security measures.
Detection outcomes: EDR technology allows you to detect attacks such as malware and ransomware, fileless attacks, suspicious processes, anomalous network traffic, data exfiltration, and insider threats.
Key takeaway: Ensure you have endpoint telemetry that you can search and correlate on, covering endpoint properties in categories including:
Baseline Detections for EDR:
Acting as an intermediary between a user and the internet, a forward proxy plays a critical role in inspecting and analyzing incoming and outgoing network traffic for potential threats. Beyond its role in safeguarding the network against threats, forward proxies also facilitate the logging and monitoring of network traffic, providing valuable insights for threat detection and incident response. For example, forward proxies can log, detect, and block communication with malware command-and-control (C2) infrastructure.
Detection outcomes: Forward proxies allow you to detect data leakage, DDoS attacks, malware distribution, and unauthorized access attempts.
Key takeaway: To facilitate investigations, make sure you can search and correlate on forward proxy properties including:
Baseline Detections for Forward Proxies:
IAM authentication and account auditing verify the identity of users and grant access only to authorized individuals. By implementing strong authentication mechanisms, such as multifactor authentication (MFA), organizations can mitigate the risk of unauthorized access attempts and credential theft. Account auditing complements IAM authentication by monitoring and logging user activities, providing a record of user actions such as suspicious login attempts or abnormal user behavior.
Detection outcomes: IAM detection rules allow you to detect attacks such as insider threats, privilege escalation, brute-force attacks, unauthorized access, and identity theft.
Key takeaway: Make sure you can search and correlate on account and authentication properties derived from key Windows events such as Windows Event IDs 4624, 4265, 4771, 4776, 4768, 4769, 4720, 4732, 4735, 4729, 4728 and 4756.
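As an added illustration (not code from the original post), here is the multi-input case described earlier, event A followed by event B from two different log sources, applied to the IAM events above: a rule that fires when an account creation (Event ID 4720) is followed within a window by that account's addition to a sensitive group (4728/4732/4756), even when the two events were logged by different hosts. The event records, host names and the sensitive-group watch-list are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed Windows Security events (sample data, not real telemetry). Each record keeps the
# fields the rule needs: Event ID, time, the account the event is about, the logging host and,
# for group-membership changes, the group name.
EVENTS = [
    {"ts": "2024-04-25T09:00:05", "id": 4720, "target": "svc-backup2", "host": "DC01"},
    {"ts": "2024-04-25T09:03:40", "id": 4732, "target": "svc-backup2", "host": "FS01", "group": "Administrators"},
    {"ts": "2024-04-25T09:10:00", "id": 4720, "target": "jdoe", "host": "DC01"},
    {"ts": "2024-04-25T09:12:00", "id": 4728, "target": "jdoe", "host": "DC01", "group": "Sales"},
    {"ts": "2024-04-25T09:15:00", "id": 4720, "target": "tmp-admin", "host": "DC01"},
    {"ts": "2024-04-25T11:45:00", "id": 4728, "target": "tmp-admin", "host": "DC01", "group": "Domain Admins"},
    {"ts": "2024-04-25T12:00:00", "id": 4756, "target": "helpdesk-ops", "host": "DC01", "group": "Enterprise Admins"},
]

GROUP_ADD_IDS = {4728, 4732, 4756}  # member added to a global, local or universal security group
SENSITIVE_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}  # assumed watch-list

def new_account_to_sensitive_group(events, window=timedelta(minutes=30)):
    """Fire when an account creation (4720) is followed within `window` by membership in a
    sensitive group for the same account. The two events may come from different hosts
    (e.g. the DC logs 4720 while a member server logs 4732): the multi-input case."""
    created = {}   # account -> (time, host) of the most recent 4720 seen
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["id"] == 4720:
            created[e["target"]] = (t, e["host"])
        elif e["id"] in GROUP_ADD_IDS and e.get("group") in SENSITIVE_GROUPS:
            if e["target"] not in created:
                continue  # group change with no preceding creation: a different rule's job
            t0, host0 = created[e["target"]]
            if t - t0 <= window:
                hits.append({"account": e["target"], "group": e["group"], "event_id": e["id"],
                             "created_on": host0, "added_on": e["host"],
                             "seconds_apart": int((t - t0).total_seconds())})
    return hits
```

Widening the window to a few hours also catches the tmp-admin case in the sample, which shows why the window is a tuning decision rather than a fixed constant.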
Baseline Threat Detection Rules for IAM:
Email security safeguards against various malicious activities carried out through email communication. It involves filtering and analyzing incoming emails to identify and block phishing attempts, malware attachments, and suspicious links. By implementing email security measures, organizations prevent these attack attempts from reaching end users, eliminating the risk of users inadvertently falling victim to these attacks. Advanced filtering techniques, combined with comprehensive malware scanning and link analysis, enhance the ability to detect and prevent malicious activities.
Detection outcomes: Email security solutions enable you to detect email-borne attacks including phishing attempts, malware-laden attachments, and spam emails.
Key takeaways: Make sure you can search and correlate on email security properties like sender/recipient address, sender/recipient IP address, subject, message ID, delivery status, action, disposition, attachment name/type/hash, URL/links, and message headers.
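As an added example (not code from the original post), two baseline checks run over the email gateway properties listed above, applied only to messages the gateway already delivered: a protected display name arriving from an external domain, and an executable-style attachment extension. The organization domain, the protected-name watch-list, the extension set and the message records are constructed assumptions.

```python
import os
import re

ORG_DOMAIN = "example.com"  # assumed: the organization's own mail domain
# Assumed watch-list of display names that impersonation attempts borrow (constructed, matched case-insensitively).
PROTECTED_NAMES = {"jane ceo", "carlos cfo"}
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".hta", ".lnk", ".iso"}

# Constructed email-gateway records using the properties named above (sample data, not a real feed).
MESSAGES = [
    {"message_id": "<m1@example.com>", "from": "Jane CEO <jane.ceo@example.com>", "sender_ip": "10.0.1.5",
     "to": "ap@example.com", "subject": "Q2 numbers", "attachments": ["q2.xlsx"], "disposition": "delivered"},
    {"message_id": "<m2@example.net>", "from": "Jane CEO <jane.ceo.office@example.net>", "sender_ip": "198.51.100.7",
     "to": "ap@example.com", "subject": "Urgent wire", "attachments": [], "disposition": "delivered"},
    {"message_id": "<m3@example.org>", "from": "Billing <billing@example.org>", "sender_ip": "198.51.100.9",
     "to": "ap@example.com", "subject": "Invoice 4471", "attachments": ["invoice.pdf.exe"], "disposition": "delivered"},
    {"message_id": "<m4@example.net>", "from": "Carlos CFO <cfo@example.net>", "sender_ip": "198.51.100.8",
     "to": "ap@example.com", "subject": "Payroll", "attachments": ["payroll.js"], "disposition": "quarantined"},
]

ADDR_RE = re.compile(r'^\s*"?(?P<name>[^"<]*?)"?\s*<(?P<addr>[^>]+)>\s*$')

def split_from(header):
    """Return (display name, address, domain) from a From header such as 'Jane CEO <jane@example.com>'."""
    m = ADDR_RE.match(header)
    name, addr = (m.group("name"), m.group("addr")) if m else ("", header.strip())
    return name.strip(), addr, addr.rsplit("@", 1)[-1].lower()

def triage(messages):
    """Flag delivered messages that show a protected display name on an external address
    (display-name impersonation) or carry an attachment with an executable-style extension."""
    flags = []
    for msg in messages:
        if msg["disposition"] != "delivered":
            continue  # already blocked by the gateway; nothing reached the user
        name, addr, domain = split_from(msg["from"])
        if name.lower() in PROTECTED_NAMES and domain != ORG_DOMAIN:
            flags.append({"message_id": msg["message_id"], "sender": addr, "reason": "display-name impersonation"})
        for att in msg["attachments"]:
            if os.path.splitext(att)[1].lower() in RISKY_EXTENSIONS:
                flags.append({"message_id": msg["message_id"], "sender": addr, "reason": f"risky attachment type: {att}"})
    return flags
```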
Baseline Threat Detection Rules for Email Gateways:
Firewalls and intrusion prevention systems (IPS) provide proactive defense against potential attacks. Firewalls act as a barrier between a trusted internal network and untrusted external networks, filtering and controlling network traffic based on predefined rules. IPS goes a step further by analyzing network traffic in real-time, detecting and blocking malicious activities to prevent potential cyber threats before they can cause harm. Together, firewalls and IPS provide layered protection, decrease the likelihood of successful cyberattacks and enhance overall threat detection capabilities.
Detection outcomes: Network security solutions enable the detection of a wide range of cybersecurity attacks, including distributed denial-of-service (DDoS) attacks, network intrusion attempts, malware propagation, and unauthorized access attempts.
Key takeaways: Make sure you can search and correlate on firewall/IPS properties like IP source/destination, port source/destination, bytes in/out, signatures, action, and protocol/application.
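As an added example (not code from the original post), a parser for the firewall/IPS properties listed above and two baseline rules over them: one source denied on many distinct destination ports of one host (a port sweep), and allowed outbound volume from an internal host to an external host above a threshold. The log layout, the internal address ranges, the thresholds and the sample lines are constructed assumptions.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed firewall/IPS log lines in a generic key=value layout (sample data, not a vendor format).
LOG_LINES = [
    "2024-04-25T10:00:01 action=deny  src=10.0.5.23 dst=10.0.9.10 dport=21 proto=tcp bytes_out=60",
    "2024-04-25T10:00:01 action=deny  src=10.0.5.23 dst=10.0.9.10 dport=22 proto=tcp bytes_out=60",
    "2024-04-25T10:00:02 action=deny  src=10.0.5.23 dst=10.0.9.10 dport=23 proto=tcp bytes_out=60",
    "2024-04-25T10:00:02 action=deny  src=10.0.5.23 dst=10.0.9.10 dport=445 proto=tcp bytes_out=60",
    "2024-04-25T10:00:03 action=deny  src=10.0.5.23 dst=10.0.9.10 dport=3389 proto=tcp bytes_out=60",
    "2024-04-25T10:05:00 action=allow src=10.0.7.41 dst=203.0.113.50 dport=443 proto=tcp bytes_out=48000000",
    "2024-04-25T10:06:00 action=allow src=10.0.7.41 dst=203.0.113.50 dport=443 proto=tcp bytes_out=31000000",
    "2024-04-25T10:07:00 action=allow src=10.0.7.42 dst=10.0.9.20 dport=445 proto=tcp bytes_out=90000000",
    "2024-04-25T10:08:00 action=deny  src=10.0.5.99 dst=10.0.9.10 dport=22 proto=tcp bytes_out=60",
]
# Assumed internal address space; anything outside it counts as external for the egress rule.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Timestamp plus the key=value fields the page lists (action, src/dst, dport, proto, bytes out)."""
    ts, _, rest = line.partition(" ")
    rec = dict(FIELD_RE.findall(rest))
    rec["ts"], rec["dport"], rec["bytes_out"] = ts, int(rec["dport"]), int(rec["bytes_out"])
    return rec

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def detect_port_sweeps(records, min_ports=5):
    """One source denied on many distinct ports of one host: a port-sweep signature."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "deny":
            ports[(r["src"], r["dst"])].add(r["dport"])
    return sorted(pair for pair, seen in ports.items() if len(seen) >= min_ports)

def detect_large_egress(records, threshold_bytes=50_000_000):
    """Allowed outbound volume from one internal host to one external host above the threshold;
    internal-to-internal transfers are ignored so that file-server traffic does not fire this rule."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "allow" and is_internal(r["src"]) and not is_internal(r["dst"]):
            totals[(r["src"], r["dst"])] += r["bytes_out"]
    return {pair: total for pair, total in totals.items() if total >= threshold_bytes}

RECORDS = [parse(line) for line in LOG_LINES]
```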
Baseline Threat Detection Rules for Network Security:
Detections serve as the starting point for threat hunting, providing indicators or alerts that something potentially malicious or suspicious has occurred. Understanding the nature and extent of the threat, however, requires going deeper, and that is where threat hunting comes in: a systematic, proactive investigation that analyzes the available data and applies forensic analysis.
When engaging in threat hunting, it’s essential to examine multiple data sources to gather a comprehensive understanding of the threat landscape. This includes network traffic logs, system logs, application logs, endpoint information, and other relevant data sources. By leveraging the insights from various data sources, threat hunters can correlate information and identify any hidden or subtle signs of malicious behavior that may have been missed by automated tools.
By combining both automated detections and threat hunting, you can detect and respond to threats more effectively. While automated detections provide the initial alert, threat hunting helps to uncover the tactics, techniques, and motivations behind malicious activity. This integrated approach to security operations enables you to maintain a higher level of situational awareness, enhance incident response capabilities, and improve your overall security posture.
Once you’ve implemented baseline detection rules, measuring the results and improving your processes allows you to accelerate your detection journey over time. To measure how well your detection process is working, you should examine:
Having a metrics dashboard, such as the ReliaQuest GreyMatter Model Index, helps to measure the effectiveness of detections and improve security operations. It provides a centralized visual representation of key metrics (e.g., data source visibility, data source diversity, and MTTR), enables real-time monitoring to identify anomalies promptly, facilitates trend analysis for long-term performance tracking, and supports data-driven decision making. Using a metrics dashboard helps you refine rule sets, enhance detection capabilities, and maintain a more efficient and accurate security posture for your organization.
This blog post is a starting place for maturing your detection capabilities: it describes foundational detections and threat hunting, and offers guidance on measuring effectiveness. As we continue this blog series, we'll focus on two critical aspects of improving threat detection: Ransomware Threat Detection and Phishing/BEC Threat Detection. We'll provide actionable guidance and practical tips to improve your threat detection capabilities. Security is an ongoing journey, and by continuously improving your detection strategies, you can adapt to the evolving threat landscape and protect your valuable assets.