Hi, everybody. Thank you for joining. My name is Rich Murphy and I’m here with Andre and Nick from SOC Prime. We’re going to talk to you today about how we’ve been working with SOC Prime to leverage the MITRE ATT&CK Framework to help better protect our customers using Graylog.
Agenda
So just a little bit about the agenda:
- Andre is going to talk a little bit about the great work that SOC Prime has been doing,
- Nick will walk through a little bit of the feature set that they provide
- And then I am going to talk a little bit about how we are integrating those rule sets into Graylog and our new six products coming out in a few weeks.
So with that being said, I’m going to turn it over to Andrii.
Words From Andrii Bezverkhyi CEO and Chairman of SOC Prime
So thank you, Richard, for the introduction and thank you for having us here. It is truly a pleasure to kick off our partnership with a webinar and yeah, we’d like to share what we’ve been doing at SOC Prime and how it can help Graylog existing customers and maybe new people who are considering Graylog to their detection stack.
SOC Prime, in case you haven’t heard about us, we are really busy with detections code. It was actually called after the first several years of our companies this would provide a collective cyber defense platform which provides algorithms for threat intelligence and ways to add them to a SIEM to find threats. How does that all connect to the MITRE ATT&CK?
SOC Prime Journey
Well, on the next slides, we have prepared actually a short evolution of the journey. So we are big fans of MITRE ATT&CK since 2017 since its version 0.3, if I’m not mistaken and reasons for all kinds of things started with attack attribution to tag and sigma rules and it was coders threat bounty and action 2024 is a big year for us because we are well trained with MITRE ATT&CK.
And we became the benefactors of the framework and training TRAM LLM.
So to us, MITRE ATT&CK is more than just a framework. It underpins everything we do in SOC Prime. If you look at our product architectures, the next slide actually helped us to build a module platform called a suite for detection, engineering, and threat hunting so most of the organizations themselves for threat detection marketplace, which is libraries for detection, rules for hunting and firing alerts in your SIEM.
SOC Prime Uncoder AI
Uncoder AI, is another project that we built back in 2018 and will now actually use as a copilot for detection engineers. And so it helps to write rules. Test rules translate into multiple languages. For example, if you’re in Sigma, you can translate to Graylog at the click of a button.
We also support backwards translations. If you are migrating from legacy SIEM for basic queries, it’s now automated for advanced queries that can be edge cases, it can be different scenarios, but Uncoder is going to enable every detection engineer to speak in any language held there. And we already support in like more than 20 open releases attack detective. It’s the latest products we release. It actually helps to find gaps in your detection cover issues in MITRE ATT&CK and automatically apply hunting queries to it.
Soc Prime Threat Detection Marketplace
So today will be focused mostly on threat detection marketplace. So if we can go to the next slide, they actually have prepared some insights on how the marketplace operates and what it will actually just released yesterday. Lists of the content which can work as alerts for a SIEM and we have raised them by MITRE ATT&CK tactics. So this is how many unique rules you have per MITRE ATT&CK tactic. I think any company on the planet needs to have a thousand rules and once but won’t look very nice to look through them. And based on the logs that you’re collecting, applying to the logs select would might make sense for your SOC.
And these are just rules for alerting. So I just posted there. LinkedIn said there is over 12,000 sigma rules and many of them are for threat hunting, but roughly 1/5 of them is for alerting. So special announcement. These rules are now available to Graylog. You will see how they can be integrated and how Graylog customers can leverage them to find all kinds of threats and on the next slide, we can go a little bit more into hunting. So we have scored all the rules based on their, I wouldn’t say really prevalence of the terms MITRE is using, but based on how many rules you really need for addressing, specific technique or sub technique per MITRE ATT&CK. So this is a MITRE ATT&CK Navigator layer built on top of 12,000 Sigma rules, which were just exported from our platform today.
You can see the green arrows, a particular technique is and we have kind of aggregated some techniques into the technique here. The more detections you have for this technique. So it may seem overwhelming, but it’s actually empowering because you can see how often do you need to look into technical controls, into rules, into queries for each particular technique.
And we have picked the top five in the bottom of the slide. On the right hand side, you can see how to manage the threat landscape really is because it wasn’t about vulnerabilities alone. There’s more than 29,000 released last year. 3% of that is exploitable. We cannot really address all that are vulnerable to exploitation with one rule always ten rules.
We need to roll them for the five year cycle because this is what is used of modern cyber warfare. But that’s not the most optimally updated set of techniques, right? Because exploitation literally spans six techniques. And if you look at the second one from the bottom, it’s 72 hours is often used as a new detection for a CVE is being released and a detection is being released.
It means there’s a way to exploit that CVE. Right. But the most popular is, of course, command and scripting interpreter. Pretty much every 48 hours is something new or an update to something that existed. Good news is you don’t need to have an alert for all those rules. And all those rules, right? It’s only 1/5th of them actually make it to be like stable status, low noise rules which you would want to consider to onboard to your SOC.
Most of what the SIEMs need to hunt for, and this is why there are different ways to practice them and then apply them to assume. I mean, today you will not find any on the market that ships, you know, was 5000 to 10000 false because for many, many years seems one of the reasons used for the main purpose of threat detection right originally brought seems for compliance for internal controls.
But these days we are being successful with searching and finding various threats inside the seems as long as you can collect data at scale, you can search fast enough. And that’s one of the big reasons why we’re happy to team up with Graylog to deliver at scale because on SOC Prime, we may have all the rules we want, but if there is no data our customers can’t get value, right?
I think that’s about it. About my slides. I’d be happy to comment. The incident comes across a lot, so I’d be happy to. That’s over. Audio Rich Yeah, I’m actually going to pass over to Nic so he can talk a little bit more about your rule sets and and some of the features you have there. So I’m going to hand that off to you, Nick.
Nicholas Saucier, Sales Engineer / Customer Success Manager
Soc Prime Intelligence In Graylog
I want to quickly demonstrate where this intelligence that is going to be available within Graylog is coming from. So here’s the cybercrime threat detection marketplace. Main thing I’m trying to drive in the few minutes that I have to describe this vast, vast toolset and repository we aim to help you go from awareness of something to actionable code as quickly as possible.
Use Cases
So for that, I usually break that down into two main use cases. We’re going to be selecting content and then implementing content. Within the lane of selecting content. I have three approaches a tactical need, meaning I know what it’s called. It’s relevant to me and time is of the essence. That would be a situation like say, XZ.
We’re going to throw a simple keyword search in there, get your results. If you’re a Graylog client. I highly encourage anybody in security that’s looking to defend themselves, to consider this platform. They’re doing this for you great logs commitment to post sale security delivery is demonstrated here. They’re baking this organically into their platform.
Next, when we need to use the platform to guide us to our next detection. What should be on my radar like to be on the lookout for type of list here you can see I have filtered everything by gray log and I use case of proactive exploit detection. This is a curated list from our research and development team. This is what they think is prudent to be hunting for at the given moment based on feedback that we see out in the wild.
Utilizing MITRE ATT&CK Framework
Next, we can go into selecting content through the lens of the MITRE ATT&CK Framework. This is a representation of how you have used the SOC prime repository while the search profile is active. I clearly have a dent here in exfiltration. I’m going to drill down into that, narrow it by technique, see if there’s anything new that I haven’t yet looked at. I’m literally in here every single day, but there’s 41 pieces of content that I have explored and not yet implemented. If you are in the midst of a SIEM migration, and say you have an expensive or for whatever, whatever the reason may be, you’re jumping from one to another. In this case, I’m going from Sentinel to Graylog. I would have given my right hand for this type of tool when I was doing some onboarding and migration work, because drafting in one query language and going to another can be very difficult. It can not necessarily bear fruit each time and you can also use this to preserve your detection set by saving it in Sigma and get rule parity and translate on other platforms that you may have in your stack, in the interest of time and wanting to allow Graylog to have as much opportunity to showcase their efforts in of our partnership of the floor is yours. Mr.. MURPHY Thanks, Nick.
Graylog Rich Murphy Demo
Illuminate and Sigma Rules
Can you just pass back the presenter, please? There we go. So, what what we’re trying to get down to is obviously we have lots of different rule sets and content that we can potentially use, to detect these threats that are coming in. What Graylog is doing is we’re taking subsets of the SOC Prime ruleset that make sense that work best with illuminate right and illuminate is are passing our spotlight packs all the enrichment that we do to the content that’s coming in already.
Graylog V6.0 and SOC Prime Out of The Box Content
So we’re finding which ones work best, you know right out of the box and we’re packaging goes in to eliminate content packs and so we’ll be able to see that in just a minute here. So I will get out of the slides for a sec and jump to my Graylog and so here, so the first thing I’m going to show is just as mentioned, right, we’re going to deliver this content through Illuminate as we have in the past. And so another thing I should mention is that I’m actually currently going through our Version 6.0 release candidate. So you’ll see a couple of new things here as I’m as I’m going through this. But yes, everything here is about as normal where we’re going to go grab the our latest Illuminate, it will be V5.0 when it’s released and you’ll download and apply that Illuminate bundle.
User Activity Monitoring
After that, you can go to the Illuminate content packs and there will be one. We’re starting with a pack specifically focused on user activity monitoring and we’re going to be adding more packs as we go. You know, as we as we build them out. And so once we’ve enabled that Illuminate pack, what you’ll see here is I’m actually going to jump to our new security perspective to show you. But in the Sigma ruleset, we’ll have a handful of new rules that are specifically Illuminate written, right. So so these are eliminate rules. If you open them to take a look, you’ll see these are some of the ones coming from the SOC prime team that they’ve curated and they’ve built for us. So so once we have these enabled, we should start to see some events coming through.
Security Events and Investigations Management
If I head over to my security event section, we should see a few things here. I’m going to just pop one open. This is not one of the SOC Prime rules, but I just wanted to show kind of the new the new feature set here where we have some users being added to a privileged group.
The new thing with V6.0 is we’ll be able to actually work with these events directly. So if I wanted to work on this:
- I could assign myself to the case.
- I could mark this as investigating
- I could add some notes.
- We also provide where appropriate remediation steps to give you guys some guidance on how to properly address the situation.
- You might need to take machines off networks or run particular patches or things like that.
Risk Scoring, Remediation Steps and Guidance
And you know, as best we can both throw those in the remediation steps for you. So you guys at least have a little bit of a starting starting points. So, so we have that. Another thing we can do is we’re implementing a risk score to these alerts as well based on the severity of the log messages we saw in the events, the severity of the event definitions themselves, and also if there’s an asset that’s associated with that event. Those asset scores and criticalities that you’ve set will also factor into that risk score.
So if I were to sort by the risk score, you see I have one that’s a little higher than the rest. This one is remote desktop from the Internet, so that doesn’t sound great. Again, I could replay that investigation. It will pop up right here. You’ll see the log message that triggered it was this remote desktop event. So I can again, I can work on this event directly or I could add it to an investigation. I could also, if I wanted to send, you know, notifications manually. Right. We can configure them to automatically send us an event triggers. But also we could send a notification, you know, just directly one off from the event itself.
But after I’ve done any it that if I do think it’s a more complex issue, I want to add it to an investigation with other evidence I’ve collected. I can do that here. So I’m going to add to one that I already have that exists, and then I’m going to hop over to my investigations page and what you’ll see here is we you know, if you’re in back in the general perspective, you’ll still have your investigations drawer. You’ll be able to, you know, work as you did before, where you can have the investigation open and jump back and forth with the security perspective.
What we’re doing is everything will be all on the one page and you’ll be able to kind of redirect as needed from there. So, again, if there’s any assets involved, that information will show up here. My evidence, my individual logs and the alerts that I just popped in here, right, the remote desktop will pop in here. If I had any dashboards associated it, I could link to those and get back to those dashboards.
Pre-Built Security Dashboards
You could see here we have one that’s around Windows log activity that I’ve added. So again, part of the Illuminate content is some of these dashboards pre-built and of course you can create your own as you’re working on these cases. And yeah, and also we can we can lastly we cam add notes. So if I and this is a markdown editor, so if I wanted to, I could I’m calling Nick out, but Nick, please investigate and then we’ll add that and it’ll pop up here.
So again, the investigation framework, we’re it’s kind of a new angle to look at it with the security perspective. And again, you’ll be able to work either with these events directly as they come in from the SOC Prime alerts, or you can add those to your investigations along with all your other, you know, anomaly detectors and sigma rules that we already provide with the illuminate content.
So yeah, that is a little sneak peek at not only the SOC Prime rule sets that are coming into Graylog, but also, you know, the V6.0 product which will be released in a few weeks. So jumping back to the slides. Yeah. So again, just lots of benefits between the partnership, obviously you’re going to want to be staying ahead of emerging threats like the vulnerability that Nick mentioned.
TDIR Done Right
You know, we’re trying to get you from 0 to 2 to TDIR as quick as possible. Right. And by allowing and by installing Illuminate bundles, you’re parsing, your spotlights and now your Sigma rules that’s coming from SOC Prime, you’ll definitely be able to do that and just improve your security posture in general, so and that’s basically yeah, it was we wanted to just kind of give you a brief look into, into the ruleset.
Thank you, Nick and Andre for jumping on Really appreciate it. And now if there are any questions, we can start to answer those now.
I’m sure Andre can go into that much greater length. I can’t too, as well. We’ve got a lot under the hood that we’re excited to talk about with Graylog. Like we’re just scratching the surface, things that will be very impactful on all aspects of SOC operations. We really look forward to showcasing this in future webinars as well. Yes, definitely.
And also I should mention, we’ll all be at RSA, if you want to stop by our booths, you know, we can chat more about that as well. So I’ll be there as well.
Questions and Answers
So yeah, so one of the questions and Nick, maybe you can help me with this as well. But you know,
What are the top three pitfalls when migrating or creating Sigma rules for like a new a new SIEM?
I know that you kind of mentioned one. Definitely trying to translate old rule sets into your new technology. Right? And so, you know, with Sigma, obviously that’s become a lot easier, right? That’s an open standard. That’s that’s something that you can translate easily. But some of the custom-built definitions might be might be tricky. Right?
And that’s that’s something where I think SOC Prime could be a huge help for that. Right? Certainly, we had it.
Yeah. Maybe we can comment. So on Sigma itself. Right. It’s very good for expressing threat-hunting queries. Right. So you have to create some hunting query is the likelihood is that you can recreate it and Sigma actually if it is a basic queries, if it doesn’t use any kind of correlation operators or any custom functions, you can translate it easily on the Uncoder, right?
So you can, for example, take some of the language and put it into Sigma or into Graylog. Right. That’s already available. There’s actually even open source. I’m part, which is on GitHub. I’ll that does this right.
So for basic works well with advanced queries are any kind of queries which support like, multi-band multi-device correlation, like going beyond just thresholds and that was not supported by Sigma itself by design because Sigma was made to be as simple as possible to become a shareable language.
Also, good news coming up this week because the agenda for MITRE ATT&CK conference in Brussels just got announced and Thomas Pascal is going to speak about top Sigma correlation. So we’re excited to see what’s going to be brought by Sigma in SOC Prime.
However, you do have like a classification of every Sigma role translation it’s called a rule or query, So it’s a query it’s for hunting, It’s for if it’s a rule, it’s for learning and it has correlation parameters. So if you have created something in a native SIEM language and you can record the query part into Sigma, then so you can actually add a threshold. So for example, exceptions filters among multiple correlation levels, you will not find robust correlation logic in Sigma as of today.
But I think this will change because essentially we will release a massive volume of content as a community which allows us to expand the languages using Sigma itself or using RootA, which is kind of a wrapper on top of Sigma, and those languages. So that’s from my perspective. Nic, maybe as you deal with more practical cases, have you seen anything that you talk about, unlike the service provider side, just from one of the quick wins that you can get using Sigma and SOC Prime would be around presets and filters and using attack Detective as an onboarding tool.
I know I’m kind of jumping the gate here a little bit, but if you have what are going to be likely things that will be excluded. So you have like an application white list or you’re breaking out your detections by data component Sigma lends itself really well and SOC Prime technology along with Graylog to scaling out.
So if you’re in managed security service practices and you want to do tons of like boilerplate work like you’ve got to do standard naming conventions, severity, whether or not it’s enabled and it varies client to client to client, and they’ve all got different data schemas and field mappings. You can knock out all of that within our continuous content management system, what we do in future publications, and development on that with Graylog as well.
But it really makes getting these things out and scaling much more achievable and much less painful, resulting in you being more effective and efficient as a threat detection engineer,.
Thank you, guys. Yeah, we just got a handful of questions that popped in, so I’m just going to kind of go down the list here. First one,
When will Illuminate V5.0 be out?
That is actually scheduled to be released the same day as Graylog V6 is released. Both of those, you know, give or take, the first week in May. So so that’s the current plan there should be the latest release candidate will come out next week and a few weeks after that assuming all goes well we’ll have first week of May the successor release and the Iliminate V5..
Another question will the capability to use private get repos ever be added? This would be sort of a detector. Yes. That is on our list and is definitely coming. We are working through some issues on the GitHub authentication there. But yes, that will be coming in a future release for sure. How often are illuminate PACs helping to eliminate PACs come outs?
What happens if there’s a new critical exploit and how fast of we react?
So yeah that’s a great question. Illuminate PACs typically in the normal release cycle will come out every roughly 8 to 10 weeks, depending on the passing and the spotlights that we’re adding to it when there’s new campaigns or active campaigns. Obviously, if it’s something super urgent, we could, we will release it out of band Illuminate for, you know, special situations or circumstances.
Another thing I would mention is if you had to our websites, you know, there’s definitely going to be blog posts around active campaigns and things of that nature that could help out and we might provide some sample rule sets or things to help you detect that sort of thing within the blog post outside of our Illuminate packs.
Another thing I would recommend is also checking out the SOC Prime site. If you’d like to get some more detail because obviously, they have a lot of talented people working on those detection rules from their side as well.
So another question that I also just got was where can we get training on these?
Again, I would ask if you had to our websites, there is a learning section that has some on-demand training that you can that you can look at.
Also from the support section, there is a great link for the academy where you can schedule to take part in a training class and there’s some other great resources there as well. So see I encourage you to the website and check that out if you’d like to get some training, from the SOC Prime side, just hit me up on LinkedIn or at Nicholas at SOC Prime I will gladly hop on a call to a demo best practices training, whatever you want to call it. Hit me up. Yeah.
I also want to say on the emergence threats, right so again between accounts because ready for it’s going to be just needed to find the latest bleeding-edge exploit, we have a discord channel which is open and we have that are like emergence threats channel.
So every time something pops up we index it and all the websites and blogs. And if there is a section rule, or the rule was updated, it will make it into the emergence threats channel. So that’s kind of just a Discord channel you can follow without any strings attached. So we’ll be sharing the link I think, publicly on there.
Yeah, but obviously, is there something critical? We’ll work with Graylog to make sure it makes it to limit access as soon as possible.
Awesome. Okay. Well, I know more questions are coming in at the moment. I, I think we’re ready to end. I just want to again, say thank you to Nick and Andrii thank you for jumping on and discussing with us. We’re really happy about the partnership and all the great stuff coming not only in SOC Prime but in Graylog in the next few weeks with V6.0 and like I said, if you guys are going to be at RSA, please stop by the booth. We can talk more about the partnership, Graylog V6.0 all things TDR. So thank you again and been a pleasure.
Thanks guys. Everybody Thank you.
