No evidence of compromise is not the same as evidence of no compromise.

Your SIM is only as good as your network telemetry.

Blog originally published by FlowTraq™, authored by Dr. Vincent Berk

Just because you don’t see any evidence that somebody might be stealing your data, it doesn’t mean it’s not happening. If I’m not watching the backdoor, I can’t know for sure that someone is walking in or out. Not until I start paying attention. The same goes for your computer network. And it is time to start paying attention.

Over the years FlowTraq has helped many organizations figure out nasty security compromises and cases of data theft. In most situations there is some level of network visibility, however the overall completeness of the network picture is very poor. Network monitoring blindspots are everywhere, because most people only deploy the absolute minimum telemetry to keep the network going. Having blindspots leads to accidents.

This is especially true for those who have deployed expensive SIM/SIEM systems for log collection and analysis. The time and monetary investment in the justification, and ultimately deployment of a SIM gives in itself a false sense of security. “It took awhile to get this going, but thankfully we’re secure now!” — Yeah right.

Although SIM can help detect patterns and alert you, it won’t do so all by itself. A SIM must be fed information from sensors all over your network. This includes server logs, firewall logs, reports from your intrusion detection systems, and traffic behavioral anomaly detectors.

If you don’t stream the right data to the SIM, it will not help you be more secure. You cannot be too conservative deploying your telemetry. The deeper you can see, the better the chances you will pick up on suspicious behaviors. For instance, attackers have probably already infiltrated your network, and they will use reconnaissance techniques to find other vulnerable systems to attack. This reconnaissance behavior is only seen on locally on your network. By only monitoring your border you will be left exposed, as you may never see the signs of compromise on your internal network.

Malicious insiders with legitimate access may be searching the network for sensitive data to steal. This will likely result in unusual and very large data transfers to laptop computers that are subsequently carried out of the building. The more data you collect, the better you are prepared to catch the undesired behavior, and stop it.

The point here is that you simply don’t know what you don’t know until you measure it. Deploying network telemetry at various levels, including host and network, is not that hard. Bringing this data together, and making sense of it is a skill which can be learned. One thing is for sure: it is better to collect the data and not need it, than to need the data but not have collected it. Only then are you in a position to conclude that your network data provides evidence of no compromise.