Log4j: Is The Sky Really Falling?

Every year there are several defining cyber security events. Some are critical – like what happened with SolarWinds and Kaseya. Vendors jump onto the bandwagon to share how their technology would have stopped each new headline event. The latest alarm bell is Log4j.

Brian Stoner,
Author: Brian Stoner, VP of service providers, Stellar Cyber

Should you cry WOLF to your customers every time the alarm bell goes off if you have a solid plan in place to detect anomalous behavior? The answer is “No” if you’re leveraging XDR with unsupervised machine learning.

The reason is simple. When you use rules-based detections with a traditional SIEM tool, you would need a specific rule to detect each of these new cybersecurity events. Rules take time and resources to create and deploy, which is why many SOC operations have three times as many analysts as partners that leverage XDR.

Unsupervised machine learning baselines normal behaviors for assets, users, and network behavior. When there is anomalous behavior, it can be alerted on immediately. As the IDS logs are ingested, we also correlate the log data with a dozen different sources of threat intelligence to determine if it is a known vulnerability. In the case of Log4j, we triggered several alerts for our customers when it was still an emerging threat:

  1. Public to Private Exploit Anomaly
  2. Private to Public Exploit Anomaly
  3. Private to Private Exploit Anomaly
  4. Public to Public Exploit Anomaly

Instead of sending up an alarm bell at Stellar Cyber, we take our time and send out a Security Advisory to our partners. We provide a definition of the vulnerability, its potential impact, and how to detect it within the Stellar Cyber platform. With Log4j, we shared the instructions to create an Automated Threat Hunting rule for customers for additional visibility.

Stellar Cyber provides these rules out of the box on our Open XDR platform. All ML-based detections are mapped to the XDR Kill Chain, which is mapped to the MITRE Attack Framework for additional context. If you would like to learn more, please reach out to Brian Stoner – [email protected].

Guest blog courtesy of Stellar Cyber. Read more Stellar Cyber guest blogs hereRegularly contributed guest blogs are part of MSSP Alert’s sponsorship program.