Morgan Holm

Cygna Auditor SIEM Event Forwarding

Cygna Auditor can now forward events to SIEM systems in a standard syslog format, or in a structured view to Splunk. Cygna Auditor events are presented in plain language, which greatly simplifies understanding and consuming the audit information. This enables operational and security teams to work efficiently, make decisions and react quickly.

Structured View

The structured view for Splunk normalizes the audit data into the following fields in the SIEM views: Detail (expandable list of the modification, including old and new values), Item (object/attribute that was changed), Source (system or platform where the modification originated), Success (whether the action succeeded or failed), What (the object/attribute that was changed), When (timestamp), Where (the system where the change was applied) and Who (the account that made the change).

structured event

In the following example, the expandable Detail node provides the GPO setting that was modified with both the old and new values.

Native Windows Event in SIEM

The following is a native GPO change event imported into a SIEM from the Windows Event Logs. There is a substantial amount of text to sift through to understand what has occurred. Since the friendly name of the GPO is not shown, you would either have to know the GUID or search for which GPO was modified. Nor does the event show what has changed: you would need a GPO report exported before the change and would have to compare its settings manually with the current version. Needless to say, this is a very time-consuming task.

Cygna Auditor provides SIEM systems with a data translation layer service that converts raw, non-human-readable log data into plain-language values as the events occur.

Configure Splunk for Structured Cygna Events

To send Cygna structured events to Splunk you will need to configure an HTTP Event Collector (HEC). For more information on this topic see the Splunk documentation on the HTTP Event Collector, or follow the example configuration below.

First, ensure the HTTP Event Collector is enabled in the Splunk UI through:

  1. Settings -> Data Inputs
  2. HTTP Event Collector
  3. Global Settings

Make sure it is enabled and make note of the port number.

Second, create an Event Collector token:

  1. Settings -> Add Data
  2. Monitor
  3. HTTP Event Collector

In the Input Settings step, for Source Type make sure you pick Select, then in the Select Source Type dropdown pick Structured -> _json.

Once the configuration is saved you will see a token value that will be required to configure the connection to Splunk from the Cygna server.
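Before pointing the Cygna server at the collector, it is worth confirming that the HEC port and token actually accept an event of the shape described above. The following Python script is an added example, not Cygna Labs' code: it validates a constructed structured event (field names Who/What/When/Where/Source/Success/Item/Detail are taken from the field list in the Structured View section; the exact JSON keys Cygna emits are an assumption), wraps it in the HEC envelope with sourcetype _json, and builds the HTTP request with the "Splunk <token>" Authorization header that Splunk's /services/collector/event endpoint expects. The collector URL, token and sample event values are placeholders.

```python
"""Added example (not Cygna Labs' code): build and validate a Splunk HEC
request carrying a structured audit event, so the collector port and token
can be checked before the Cygna server's Remote Logging is configured.
Field names follow the post's structured-view field list; the exact keys
Cygna emits, the host name and the sample values are assumptions.
"""
import json
import urllib.request
from datetime import datetime, timezone

# Fields every structured event should carry (from the post's field list).
REQUIRED_FIELDS = ("Who", "What", "When", "Where", "Source", "Success", "Item")

# Constructed sample event: a GPO setting change with old and new values in
# the expandable Detail list. Not captured from a real Cygna server.
SAMPLE_EVENT = {
    "Who": "CORP\\jdoe",
    "What": "Group Policy Object",
    "Item": "Default Domain Policy",
    "Where": "DC01.corp.example",
    "Source": "Active Directory",
    "Success": True,
    "When": "2024-05-01T12:34:56Z",
    "Detail": [
        {"setting": "Minimum password length", "old": "8", "new": "14"},
    ],
}

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def validate_event(event):
    """Return a list of problems; an empty list means the event has every
    required field, a boolean Success and a parseable UTC timestamp."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in event]
    if "Success" in event and not isinstance(event["Success"], bool):
        problems.append("Success must be a boolean, not %r" % (event["Success"],))
    if "When" in event:
        try:
            datetime.strptime(event["When"], TIME_FMT)
        except (TypeError, ValueError):
            problems.append("When is not a %s timestamp" % TIME_FMT)
    return problems


def build_envelope(event, host="cygna-server"):
    """HEC JSON envelope: the structured fields go under 'event', the
    sourcetype matches the one chosen when the token was created, and
    'time' is the event's own timestamp rather than the arrival time."""
    when = datetime.strptime(event["When"], TIME_FMT).replace(tzinfo=timezone.utc)
    return {
        "time": when.timestamp(),
        "host": host,
        "sourcetype": "_json",
        "event": event,
    }


def hec_request(collector_url, token, event, host="cygna-server"):
    """Build the POST to /services/collector/event. Raises ValueError
    instead of sending an event the structured view could not render."""
    problems = validate_event(event)
    if problems:
        raise ValueError("; ".join(problems))
    body = json.dumps(build_envelope(event, host)).encode()
    return urllib.request.Request(
        collector_url.rstrip("/") + "/services/collector/event",
        data=body,
        method="POST",
        headers={
            "Authorization": "Splunk " + token,   # HEC token from the Splunk UI
            "Content-Type": "application/json",
        },
    )


def send(req, timeout=5):
    """POST the request and return HEC's JSON reply. An HTTP 403 means the
    token is wrong or disabled; a connection error points at the port or
    the 'enabled' flag in HEC Global Settings."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder URL and token; replace with your collector and token value.
    req = hec_request("https://splunk.example:8088",
                      "00000000-0000-0000-0000-000000000000", SAMPLE_EVENT)
    print(req.full_url)
    print(req.data.decode())
    # print(send(req))  # uncomment once the collector is reachable
```

Run it once with a real URL and token: a reply of {"text":"Success","code":0} confirms the token and port, and the event should then appear in Splunk under sourcetype _json with the Who/What/When fields extracted, which is what the Cygna Remote Logging configuration in the next section relies on.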

Configure Cygna Server to Send Structured Events to Splunk

Enable Remote Logging

From the Cygna Server UI:

  1. Configuration -> System
  2. Select Remote Logging tab in the System Configuration window
  3. Change the type drop down to Splunk
  4. Enter the URL for the Splunk HTTP Event Collector, including the port number
  5. Enter the Splunk HTTP Event Collector Token Value
  6. Ensure the message format is set to JSON
  7. Save the configuration

Configure Which Events to Forward

Once both Cygna and Splunk have been configured to be able to send and receive events you can decide what events you want to send.  This is done through alert remote logging on the Cygna server.

Enable Event Forwarding

Cygna events can be forwarded to SIEM systems through the alerting feature in Cygna reports. Alert events can be sent via email notification, through remote logging to SIEM systems, or both.

From the Cygna Server UI:

  1. Reports
  2. Alert settings

(a) For an existing report, select its menu icon (hamburger), then Alerts, and enable the toggle

(b) When creating a new report, under the Manage alert settings tab choose Remote Logging and enable the toggle

Once the alert is saved any event matching the filtering criteria will be sent to the SIEM system defined in the Cygna Remote Logging configuration.

Arno Therburg

Cloud Computing Demystified – Part 3

Cloud Computing (Part 3) – The Risks & Challenges

In the previous blog, Cloud Computing Demystified – Part 2 – The Benefits, we discussed the benefits of cloud computing, and there are many, but we also need to be aware of the challenges and risks associated with cloud computing.

If you didn’t read the previous blog, check it out at:  https://cygnalabs.com/en/blog/

Most of these challenges and risks can be addressed and mitigated through proper planning and due diligence.

Again, just like in the previous two blogs, keep in mind that the focus is on the larger cloud providers, such as Amazon Web Services, Microsoft Azure, Google Cloud and so on; with smaller providers you will experience somewhat different risks and challenges.


So, let’s jump in and discuss these risks and challenges…

Risks of cloud computing

Before considering cloud computing technology, it is important to understand the risks involved when moving your business into the cloud. You should carry out a risk assessment before any control is handed over to a service provider.

Below are a few of the major points to be aware of:

Privacy agreement and service level agreement

You need to have suitable agreements in place with your service providers before services commence. This will protect you against certain risks and outline the responsibilities of each party in the form of a service level agreement (SLA). You should read the SLA and ensure that you understand what you are agreeing to before you sign. Make sure that you understand the responsibilities of the service provider, as well as your own obligations.

An SLA serves as both the blueprint and the warranty for cloud computing, and should act as a guide for handling potential problems, up to and including lawsuits.

It is a tool for protecting the stability of the service and the assets of the company, and for minimizing the expense should drastic actions be required.

Security and data protection

You must consider how your data will be stored and secured when outsourcing to a third party. This should be outlined in the agreement with your service provider and must address how governance and security risks are mitigated. It must cover who has access to the data and the security measures in place to protect it.

Location of data

Cloud computing service providers could be in a different country. Before committing, you should investigate where your data is being stored and which privacy and security laws will apply to the data.

Legislation and regulation

You will need to be aware of legislative and regulatory requirements when storing personal data. If the data is being stored outside of your country (e.g. if your business uses an overseas service provider), you will also need to be aware of the legislation and regulation requirements in that geographic location.

Biggest Challenges of cloud computing

Cloud computing makes accessing data and applications more reliable and efficient, with less administrative effort. It is used to enable global access to shared pools of resources such as services, apps, data, servers and computer networks.

It is the choice for many businesses and organizations, since it is very scalable and in many cases makes perfect financial sense. It also reduces the need to worry about business continuity planning, availability, upgrades and so on.

However, the on-demand and scalable nature of cloud computing services sometimes makes it difficult to define and project quantities and costs.

There are challenges involved in cloud computing, but if you’re aware of what they are, and address them, you will be able to reap the benefits.

Cost

Cloud computing itself is affordable but tuning the platform according to the company’s needs can be expensive.

Even if you host your data and systems off-site, there are internal labor costs: as you scale up to handle the workload, managing large numbers of cloud instances is as complex as managing a large number of servers.

Furthermore, the expense of transferring the data to public clouds can prove to be a problem for short-lived and small-scale projects. It can cost tens of thousands of dollars per year to move large volumes of data to public cloud services and to store that data for long periods of time.

Long-term data storage in the cloud can be a significant cost. You pay for it every month, and if you consider data growth over the next few years, the life cycle cost of data can be quite high when stored in the cloud.

Although companies can save some money on system maintenance, management, and acquisitions, they also must invest in additional bandwidth, and the absence of routine control in an infinitely scalable computing platform can increase costs.

Network bandwidth accounts for much of the cost of moving data, and cloud providers may charge upload and download fees.

Cloud data backup is also expensive; it can cost as much as three to four times what it would cost to keep the data internally.

Lack of Cloud Specialists

Organizations are placing more and more workloads in the cloud while cloud technologies continue to advance rapidly. As a result, organizations have a hard time keeping up with the tools, and the need for expertise continues to grow.

Small and medium-sized enterprises without cloud computing expertise lose more than $258 million annually, according to a Rackspace and London School of Economics and Political Science report. Around 65% of IT pros said the cloud skills gap is hurting innovation and creativity.

Organizations may find adding cloud specialists to their IT teams to be prohibitively costly. Luckily, many common tasks performed by these specialists can be automated.

Governance & Control

IT governance policies are critical to ensure that agreed-upon policies and procedures are followed when implementing new IT assets, so that the assets are properly controlled and maintained and support your organization's strategy and business goals.

In cloud-based environments, IT departments do not always have full control over the provisioning, de-provisioning and operation of infrastructure.

This makes it more difficult to provide the required governance, compliance and risk management.

To mitigate the various risks and uncertainties in transitioning to the cloud, IT must adapt its traditional IT governance and control processes to include the cloud.  To this effect the role of central IT teams in the cloud has been evolving over the last few years. Along with business units, central IT is increasingly playing a role in selecting, brokering, and governing cloud services. On top of this, third-party cloud computing/management providers are progressively providing governance support and best practices.

Password Security

Diligent password management plays a vital role in cloud security. However, the more people who have access to your cloud account, the less secure it is: anybody who knows your passwords will be able to access the information you store there.

Businesses should employ multi-factor authentication and make sure that passwords are protected and changed regularly, particularly when staff members leave. Access rights tied to usernames and passwords should only be granted to those who require them.

Security issues

If a company outsources the processing or storage of data that it is required to protect, then it is relying on the cloud service provider to maintain its compliance.

When auditing a cloud service provider's security and privacy practices, make sure to also confirm that the third big issue, compliance, is taken care of.

Your organization needs to be able to comply with regulations and standards, no matter where your data is stored.


Conclusion (Cloud Computing Part 1 -3)

In my humble opinion, cloud computing is here to stay. The benefits are many, and if you only do your due diligence, the benefits greatly exceed the concerns, with its flexibility, scalability and ease of adoption.

There is no longer a need for businesses to buy their own hardware, build and maintain their own data centers, deal with costly server maintenance, or worry about business continuity planning and disaster recovery, all while having the flexibility to scale up or down overnight.

For startups and small to medium-sized enterprises (SMEs), the ability to adapt quickly to new circumstances, such as growing business opportunities or slower business periods, is especially beneficial.


Arno Therburg

Cloud Computing Demystified – Part 1

I was at a dinner party the other night, and after a while a discussion emerged about the mysterious “Cloud”. It is interesting how many different “realities” people have about what the cloud is.

This conversation made me realize that there are quite a few misconceptions of what the “cloud” really is.

I understand that it can be a bit confusing since it contains many different components and can be utilized in a lot of different ways, depending on how and what you want to use it for.

So, I figured that maybe a brief explanation of what the cloud is, what it consists of, and who the players are, could be beneficial before the next dinner party.
