Overview

The New Zealand’s Government Communications Security Bureau (GCSB), through its National Cyber Security Centre (NCSC), has implemented a series of measures to strengthen the country’s defenses against malicious cyber activity.

This follows a thorough review of practices concerning cyberattacks targeting members of the Inter-Parliamentary Alliance on China (IPAC), an organization committed to addressing the growing influence of China’s policies on global security and governance.

The review was initiated in May 2024 by Lisa Fong, the Deputy Director-General of Cyber Security at GCSB. Fong recognized a need for improvement after concerns arose over how the NCSC responded to a cyber incident involving IPAC members. These concerns were particularly focused on the NCSC’s handling of reports related to state-sponsored cyber activities and the broader implications of such incidents on national security.

IPAC members, who represent a coalition of lawmakers across various countries, were targeted in a large-scale cyberattack by APT31, a Chinese state-sponsored hacker group. The attack included over 1,000 emails sent to more than 400 IPAC-associated accounts, compromising the sensitive communications of numerous politicians. Despite the seriousness of the attack, many victims were not informed of the breach by their respective governments, prompting an outcry from international lawmakers.

To address these concerns and strengthen the NCSC’s cybersecurity protocols, a thorough review of the NCSC’s procedures was carried out, culminating in a report published in July 2024. The review focused on the NCSC’s handling of the cyberattack, assessing both the technical response and the broader implications for security and intelligence management.

Key Findings and Recommendations

The review highlighted several areas where the NCSC could improve its procedures. While the NCSC did not identify any successful compromises of classified information, it did detect numerous phishing attempts targeting the parliamentary email addresses of IPAC members. The review’s key recommendations included the following:

1. Broader Consideration of Implications: The NCSC needed to expand its focus beyond the technical response to cyber incidents. It was recommended that the NCSC develop a more comprehensive approach, one that not only addresses immediate technical threats but also considers the wider geopolitical and societal impacts of cyberattacks.
2. Enhanced Engagement with Targeted Individuals: The review called for greater engagement with individuals who had been targeted by foreign state-sponsored actors. This recommendation emphasized the need for a more proactive communication strategy to ensure that those affected by cyber threats are informed in a timely manner.
3. Improved Briefing Procedures: The review also stressed the importance of enhancing the NCSC’s process for briefing the Minister Responsible for the GCSB and their office. Effective communication at all levels of government was seen as crucial for a coordinated and quick response to cyber threats.
4. Public Guidance for High-Profile Individuals: As part of the review’s fourth recommendation, the NCSC developed and published new guidance on its website for New Zealanders considered “high-profile individuals.” This initiative was designed to offer advice on how to protect against cyberattacks, particularly for those in sensitive roles who might be more likely to become targets.

NCSC’s Response and Implementation

Following the review, the NCSC wasted no time in implementing the recommended changes. Lisa Fong confirmed that all identified improvements had been quickly actioned. “I’m pleased to confirm that we have put in place measures to address all recommendations outlined in the initial review,” said Fong in a statement.

The NCSC took several steps to strengthen its internal processes. These included updating procedures to ensure better alignment with international best practices, particularly in managing incidents involving foreign state-sponsored cyber activity. New internal guidance and standards were also established for NCSC staff to ensure that similar concerns do not arise in the future.

Ms. Fong further explained that while these improvements completed the review’s immediate actions, the NCSC remained committed to continuously enhancing its cybersecurity practices. “We are committed to identifying opportunities for improvement in our practices and procedures and implementing these where we have the ability to do so,” she said.

International Reactions to the Attack

The attack on IPAC members was not an isolated incident but part of a broader pattern of state-sponsored cyber activities targeting global political figures and institutions. Following the attack, several countries with IPAC members took important steps to address the breach and secure their own digital infrastructures.

Canada was one of the countries most affected by the attack, with 18 parliamentarians targeted, including prominent figures such as Garnett Genuis MP and John McKay MP. In response, these members issued a joint statement demanding an explanation as to why they were not notified about the cyberattack sooner. Public debates, including a call for a privileged debate in the House of Commons, highlighted the urgency of addressing these security lapses.

In Belgium, lawmakers, including Representative Els van Hoof and former Prime Minister Guy Verhofstadt, were targeted. These individuals, along with others, rallied political leaders to pursue legal action, pushing for both a parliamentary inquiry and potential criminal proceedings against those responsible.

Meanwhile, in New Zealand, former IPAC co-chairs Simon O’Connor and Louisa Wall, along with other targeted figures such as academic Anne-Marie Brady, pressed the government to ensure that MPs would be informed of similar threats in the future. In response to these concerns, the GCSB initiated a public inquiry, promising to provide further assurances to the affected individuals.

Elsewhere, countries such as France, Germany, and Italy saw similar reactions from their political leaders, who demanded accountability from their respective security agencies and called for international sanctions against APT31. These coordinated international efforts reflect the growing recognition of the threat posed by foreign state-sponsored cyberattacks on democratic institutions.

Broader Cybersecurity Context

The NCSC’s actions come at a time of heightened global concern about the security of democratic institutions and their susceptibility to cyber threats. State-sponsored actors, particularly those associated with China, have increasingly targeted foreign governments, institutions, and political figures to advance geopolitical objectives. The focus on IPAC members is part of a larger trend of foreign interference in democratic processes through digital means, including espionage and disinformation campaigns.

To counter this growing threat, New Zealand’s NCSC has worked closely with international partners such as the National Cyber Security Centre (NCSC) in the United Kingdom and the Government Communications Security Bureau (GCSB) in New Zealand. These agencies have exchanged information and best practices to strengthen cyber defenses against these cyber threats.

Moreover, the NCSC is actively collaborating with the IPAC to enhance global cybersecurity cooperation, ensuring that targeted individuals and organizations receive timely and accurate information about potential threats. This international collaboration is essential to developing a unified, effective approach to defending against state-sponsored cyberattacks.

Conclusion

The review and subsequent improvements undertaken by the NCSC represent a significant step in enhancing New Zealand’s cybersecurity posture, particularly concerning foreign state-sponsored cyber activity. By acting swiftly on the recommendations of the IPAC review, the NCSC has not only addressed specific concerns raised by the targeted individuals but also ensured that its processes and practices are better aligned with international standards for cybersecurity.

As cyber threats continue to evolve, New Zealand’s commitment to continuous improvement and proactive engagement with global partners like the GCSB, NCSC, and IPAC will be an important factor in protecting the nation’s cybersecurity infrastructure and the integrity of its political institutions. As Lisa Fong emphasized, this is not the end of the journey but a part of the ongoing effort to protect New Zealand from emerging cyber risks.

References:

• https://www.ncsc.govt.nz/news/ncsc-delivers-all-recommendations-following-ipac-review
• https://www.ncsc.govt.nz/news/response-to-ipac-incident
• https://www.ipac.global/news/lawmakers-respond-to-news-of-cyber-attack

The post NCSC Implements Key Improvements Following IPAC Review of Cyber Threats appeared first on Cyble.

Blog – Cyble – ​Read More

Overview

Cyble’s December 19 IT vulnerability report to clients highlighted nine vulnerabilities at high risk of attack, including five under active discussion on dark web forums.

Cyble vulnerability intelligence and dark web researchers also noted threat actor claims of zero-day vulnerabilities for sale affecting Palo Alto Networks devices and Chrome and Edge browsers.

In total, Cyble researchers examined 13 vulnerabilities and 8 dark web exploits to arrive at the list of vulnerabilities that security teams should prioritize for patching. At-risk products include Apache Struts, Qualcomm digital signal processors (DSPs), a WordPress plugin, a Bluetooth flaw affecting Ubuntu, and more.

The Week’s Top Vulnerabilities

CVE-2024-53677: This file upload logic vulnerability in the Apache Struts web application framework has been rated 9.5 severity by the Apache Software Foundation but is still undergoing NVD analysis. An attacker could exploit the vulnerability to manipulate file upload parameters to enable path traversal and potentially upload a malicious file that could be used to perform remote code execution. Recently, researchers disclosed that threat actors are attempting to exploit the vulnerability using public proof-of-concept exploits to allow remote code execution, and exploitation has also been discussed on dark web forums. Cyble also published a separate blog on this vulnerability.

Cyble researchers noted that there are nearly 200,000 vulnerable Apache Struts instances exposed to the internet (image below):

CVE-2024-43047: This vulnerability affects Qualcomm’s Digital Signal Processor (DSP) service, which is utilized in many Android devices. It allows for privilege escalation and arbitrary code execution, posing significant risks to affected systems. Google Project Zero marked the vulnerability as actively exploited in October 2024 and received a fix on Android in November 2024. Researchers also observed that the Serbian government exploited Qualcomm zero-days, including CVE-2024-43047, to unlock and infect Android devices with a new spyware family named “NoviSpy.”

CVE-2024-11972: The CVE for this vulnerability has been reserved but has not yet been created. The flaw affects the Hunk Companion WordPress plugin, which is designed to enhance functionality and build visually appealing websites without extensive coding knowledge. The vulnerability allows attackers to perform unauthenticated plugin installation through unauthorized POST requests, enabling them to install and activate other plugins that may contain known vulnerabilities. According to researchers, attackers are exploiting the vulnerability to install outdated plugins with known flaws from the WordPress.org repository. This allows them to access vulnerabilities that can lead to remote code execution (RCE), SQL injection, cross-site scripting (XSS), or the creation of backdoor admin accounts, posing significant risks to site security.

CVE-2023-45866: This medium-severity vulnerability affects Bluetooth HID Hosts in systems utilizing BlueZ, particularly in Ubuntu 22.04 LTS with the BlueZ 5.64-0ubuntu1 package. This vulnerability allows an unauthenticated peripheral HID device to initiate an encrypted connection, potentially enabling the injection of Human Interface Device (HID) messages without user interaction.

Vulnerabilities and Exploits on Underground Forums

Cyble Research and Intelligence Labs (CRIL) researchers also identified the following exploits and vulnerabilities discussed on Telegram channels and cybercrime forums, raising the risk that they will be exploited in attacks.

CVE-2024-28059: This critical security vulnerability, which was identified in the MyQ Print Server in versions prior to 8.2 (patch 43), allows remote attackers to gain elevated privileges on the target server.

CVE-2024-38819: This high-severity path traversal vulnerability in the Spring Framework specifically affects applications that utilize WebMvc.fn or WebFlux.fn functional web frameworks.

CVE-2024-35250: This high-severity privilege escalation vulnerability in the Microsoft Windows operating system specifically affects the kernel-mode driver.

CVE-2024-40711: This critical vulnerability identified in Veeam Backup & Replication software allows for unauthenticated remote code execution (RCE) due to deserialization of untrusted data.

CVE-2023-27997: This heap-based buffer overflow vulnerability in certain FortiOS and FortiProxy versions may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests, specifically affecting SSL VPNs.

Threat actors were also observed offering a zero-day exploit weaponizing a vulnerability claimed to be present on Palo Alto Network’s PAN-OS VPN-supported devices (asking price: $60,000) and a zero-day exploit weaponizing a vulnerability allegedly present in Chrome and Edge (asking price: $100,000).

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:

• To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.
• Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
• Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
• Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents, including ransomware-resistant backups. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
• Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
• Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
• Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

Conclusion

These vulnerabilities highlight the urgent need for security teams to prioritize patching exploitable vulnerabilities in sensitive products and vulnerabilities that could be weaponized as entry points for wider attacks. With increasing discussion of these exploits on dark web forums, organizations must stay vigilant and proactive.

Implementing strong security practices is essential for protecting sensitive data and maintaining system integrity. A comprehensive threat intelligence solution like Cyble can monitor for threats and leaks specific to your environment, allowing you to respond quickly to events and prevent them from becoming wider incidents.

The post IT Vulnerability Report: Cyble Urges Fixes for Apache Struts, Qualcomm & More appeared first on Cyble.

Blog – Cyble – ​Read More

Cybersecurity has long been an essential element of organizational defense, with the growing complexity and frequency of cyberattacks propelling the development of cybersecurity practices. Among these practices, Threat Intelligence (TI) has become a central element, helping organizations anticipate, understand, and counter various cyber threats. As we approach 2025, however, a new evolution in threat intelligence is emerging: Predictive Threat Intelligence (PTI).

While traditional Threat Intelligence (TI) focuses on collecting, analyzing, and sharing data on cyber threats after they occur, Predictive Threat Intelligence goes a step further. It uses advanced techniques, particularly AI (artificial intelligence) and machine learning (ML), to predict cyber threats before they materialize. This field holds great promise for proactively strengthening an organization’s cybersecurity posture by providing early warnings, reducing damage from potential attacks, and enabling defense strategies based on anticipatory insights.

What Is Cyber Threat Intelligence (CTI), and how is it Different from Predictive Threat Intelligence (PTI)?

Cyber Threat Intelligence (CTI) is the practice of collecting, analyzing, and sharing data about cyber threats. By gaining insights into threat actors’ behavior and tactics, techniques, and procedures (TTPs), organizations can better understand potential cyber threats, allowing them to prepare, respond, and mitigate potential attacks.

Traditional Threat Intelligence tends to focus on reactive measures, where security teams analyze attack patterns after a breach or threat occurs. In contrast, Predictive Threat Intelligence (PTI) takes a more proactive stance. By leveraging AI and ML, PTI not only understands current cyber threats but also forecasts future attacks before they materialize.

Machine learning algorithms analyze large datasets, including historical threat data and emerging patterns, to predict the types of threats organizations might face in the near future. For example, if an AI model detects a surge in phishing attacks against a particular industry, it can alert organizations in that sector to prepare for a potential escalation in attacks. This predictive capability allows organizations to take precautionary measures before a threat becomes imminent.

Predictive Threat Intelligence enhances the traditional threat intelligence model by offering actionable, anticipatory insights that enable proactive security measures, such as patching vulnerabilities or reinforcing defenses against specific attack vectors before they are widely exploited. This shift from reactive to proactive cybersecurity is positioned to transform the way organizations approach risk management and threat mitigation.

Why Is Cyber Threat Intelligence (CTI) Important?

Understanding the importance of Cyber Threat Intelligence (CTI) is important to appreciating its role in the cybersecurity ecosystem. As cyberattacks become increasingly damaging, the need for effective threat intelligence grows. Without comprehensive CTI, organizations would be left scrambling to respond to attacks, often too late to prevent significant damage.

CTI provides essential insights into cyber threats, including information about threat actors, their motives, and the vulnerabilities they exploit. With this knowledge, organizations can develop more rugged defense mechanisms and avoid becoming targets for specific types of attacks.

The most compelling reason for investing in CTI is its ability to elevate organizational security beyond reactive measures. By enabling organizations to recognize online threats early, CTI empowers security teams to adopt a proactive security posture. Proactive defense strategies allow vulnerabilities to be patched before they can be exploited and preparations to be made for impending threats, all of which contribute to reducing the overall risk of a breach.

How Does Predictive Threat Intelligence Work?

Predictive Threat Intelligence works by combining AI, machine learning, and advanced analytics to analyze vast amounts of historical and real-time threat data. By understanding the TTPs of cyber adversaries, these tools can identify patterns that signal emerging threats. Here’s how it works in practice:

1. Data Collection: Predictive threat intelligence platforms collect data from diverse sources, including the surface web, deep web, and dark web, as well as intelligence from private threat-sharing organizations and public cybersecurity resources. These datasets provide crucial insights into potential vulnerabilities and attack vectors.
2. Data Processing and Analysis: AI models and machine learning algorithms process the collected data, identifying potential threats based on historical attack patterns and emerging trends. For instance, if a surge in phishing attacks targeting a specific industry is detected, AI models can recognize similar characteristics or tactics that might indicate future attacks.
3. Threat Forecasting: Predictive intelligence platforms then forecast potential threats based on identified trends. For example, AI can predict that a new form of ransomware is gaining traction among cybercriminals, alerting organizations to prepare for a possible attack.
4. Proactive Response: Once potential threats are identified, the predictive system provides actionable intelligence to help organizations bolster their defenses. These could include patching known vulnerabilities, updating defense strategies, and alerting stakeholders to prepare for specific attack scenarios.

The Role of Artificial Intelligence and Machine Learning in Predictive Threat Intelligence

While Predictive Threat Intelligence (PTI) involves more than just AI, artificial intelligence and machine learning play a crucial role in its development. AI’s strength lies in its ability to analyze massive volumes of data, recognize patterns, and make predictions about future events, including cyberattacks.

However, despite the potential, AI and ML alone are not enough to guarantee a fully predictive threat intelligence model. Predictive intelligence is complex, and building reliable, actionable insights requires a balanced integration of human intelligence and automated systems.

The role of AI and machine learning in predictive intelligence includes:

• Threat Detection: AI can identify anomalous behavior in network traffic, suggesting potential attack attempts.
• Risk Analysis: By analyzing attack vectors and patterns, AI models can prioritize potential risks based on the severity of the threats and their likelihood of occurring.
• Automation: Machine learning models can automate certain security functions, such as scanning for vulnerabilities and patching security gaps, without the need for human intervention.

The Challenge of Implementing Predictive Threat Intelligence

While predictive threat intelligence is a highly promising approach, it faces several challenges, especially in terms of implementation.

1. Data Availability: One of the primary hurdles is the availability of quality data. AI and machine learning models require large, diverse datasets to learn and predict threats accurately. However, data is often fragmented and may not be available in a standardized format, making it difficult for predictive systems to integrate and analyze it effectively.
2. Complexity of Predictive Models: Predicting future threats is an inherently complex task. As with any prediction, there is a degree of uncertainty, and not every forecast will be accurate. The dynamic nature of cybersecurity means that there will always be a level of unpredictability when it comes to forecasting attacks.
3. Human Expertise: Although AI and machine learning are powerful tools, human expertise is still necessary to interpret the data and provide context. Human analysts play a critical role in identifying nuanced threats and validating AI predictions to ensure the intelligence is actionable.
4. Data Privacy and Sharing: Threat intelligence requires data from multiple sources, including potentially sensitive or confidential data. Therefore, sharing threat intelligence can raise privacy concerns, especially in industries like finance or healthcare. Developing systems that allow for safe and ethical sharing of threat data is essential for the success of PTI.

The Future of Predictive Threat Intelligence in 2025

As we look toward 2025, the role of Predictive Threat Intelligence (PTI) in cybersecurity will become increasingly important. By predicting threats before they materialize, PTI will enable organizations to stay one step ahead of cybercriminals, minimizing the risks of cyber threats.

In the near future, advancements in AI-powered threat intelligence will allow organizations to:

• Improve the automation of cybersecurity workflows, enabling faster, more accurate threat detection and mitigation.
• Enhance the integration of AI and human expertise, creating a more effective hybrid threat intelligence model.
• Develop better predictive models that consider a wider array of threat actors and attack vectors, leading to more accurate forecasts.
• Better share threat intelligence across industries, increasing collaboration and improving overall cybersecurity resilience.

Cyble, an industry leader in Cyber Threat Intelligence, has been at the forefront of this evolution. Cyble’s Cyber Threat Intelligence Platform provides real-time insights into potential threats, combining historical threat data with AI-driven analysis to deliver actionable, predictive intelligence. By integrating diverse data sources, Cyble enables organizations to identify potential threats, prioritize risks, and take proactive measures to mitigate potential breaches.

Why Choose Cyble?

Cyble offers a comprehensive cyber threat intelligence solution that empowers organizations to tackle cyber threats more effectively. With features like dark web monitoring, vulnerability management, and AI-driven analysis, Cyble helps companies not only detect threats but also predict and prevent them before they cause damage.

Cyble’s platform integrates seamlessly with your existing security infrastructure, enabling you to:

• Gather intelligence from various sources, including the deep and dark web, to identify emerging threats.
• Augment data with contextual insights for better decision-making.
• Receive timely notifications about potential threats and vulnerabilities, enabling proactive defense strategies.

Cyble is ready to help businesses understand and walk through this dynamic landscape and stay protected against cyber threats in 2025 and beyond.

Conclusion: Stay Ahead with Cyble

Predictive Threat Intelligence is the future of threat Intelligence. By leveraging advanced technologies like AI and machine learning, organizations can anticipate threats before they emerge, minimizing the damage caused by cyberattacks. As we move towards 2025, Predictive Threat Intelligence will be an essential tool in every cybersecurity strategy.

If you want to strengthen your organization’s defenses and stay protected from upcoming threats, Cyble’s threat intelligence platform is your go-to solution. Schedule a demo today and discover how Cyble can help you proactively secure your assets against the threats of tomorrow.

The post Predictive Threat Intelligence – Predictions for 2025: The Future of CTI appeared first on Cyble.

Blog – Cyble – ​Read More

“I have a question. I have USDT stored in my wallet, and I have the seed phrase. How to transfer my funds to another wallet?” — we found a comment like this under a finance-related video on YouTube. And the seed phrase was revealed in full in the comment.

This looked suspicious: even a complete cryptocurrency beginner should know better than to share their seed phrase with the entire world. We were wary, and for a good reason — this comment turned out to be a scam.

Keep reading to find out what can go wrong if you somehow come across someone’s seed phrase…

“I give you the seed phrase, and you help me transfer my money to another wallet”

Let’s start with the basics. A seed phrase is a randomly generated unique sequence of dictionary words that together form a phrase needed to recover access to a cryptowallet. When someone shares their seed phrase — essentially the key to their wallet — it looks extremely suspicious. We then discovered similar comments, each containing the same recovery phrase and a request for help transferring funds to another platform. Notably, all these messages were posted from newly created accounts.

In similar comments written from newly created accounts, supposedly “crypto newbies” generously share their seed phrases

Now, let’s imagine for a second that someone reading one of these comments is a little unscrupulous and, instead of helping the newbie, decides to take a peek inside the wallet (after all, they have the key). Upon opening the wallet, they’re pleasantly surprised to find it stuffed with USDT: a TRC20 token on the TRON network tied to the value of the US dollar. The wallet contains the equivalent of eight thousand dollars. Well, what to do next? The correct answer would be to remember that there’s no such thing as a free lunch, and steer well clear of the wallet.

Finding several thousand US dollars in someone else’s wallet looks like a lucky chance to get rich for a immoral person

However, the scam assumes that our nefarious passerby will want to appropriate all or at least part of the cryptocurrency. But to withdraw USDT, a small fee must be paid in another currency: TRX (the TRON cryptocurrency token). Unfortunately, the wallet doesn’t have enough TRX, so the thief tries to transfer TRX from their own personal wallet — only to discover that the tokens they transferred immediately ended up in a completely different, third wallet.

The list of transactions details the scammers’ earnings

The catch is that the bait is set up as a multi-signature wallet. To authorize outgoing transactions in such wallets, approval from two or more people is required, so transferring USDT to a personal wallet won’t work — even after paying the “commission”.

So, the scammers are impersonating beginners who foolishly share access to their cryptowallets, tricking equally naive thieves — who end up becoming the victims. In this scenario, the scammers are something like digital Robin Hoods, as the scheme primarily targets other crooked individuals. But this twist is nothing new — we’ve previously covered a much more elegant crypto fraud scheme, also aimed at unprincipled people.

How to protect yourself from crypto scams

The way to protect against the above-described scam is quite simple: just be a decent person and don’t try to get into other people’s cryptowallets — even if the seed phrase is left in the comments of your favorite YouTube channel or even slipped under your front door.

In all other cases, crypto asset owners can follow these universal tips and recommendations:

• Learn about the latest scams aimed at stealing cryptocurrency to stay aware of current trends.
• Secure your devices with reliable protection.
• Double-check any information received from strangers: scammers can pose both as beginners in the crypto world or as experienced trading sharks.

Kaspersky official blog – ​Read More

At some point, the information security department of any large company inevitably begins to consider introducing a SIEM system — or replacing the existing one, and must therefore estimate the budget required for its deployment. But SIEM isn’t a lightweight product that can be deployed within existing infrastructure. Almost all solutions in this category require additional hardware, meaning that equipment must be purchased or rented.

So, for accurate budgeting, it’s necessary to take into account the expected hardware configuration. In this post, we discuss how SIEM hardware requirements change depending on the company’s profile and system’s architecture, and provide rough parameters to help estimate the preliminary cost of such equipment.

Evaluating the data flow

Essentially, a SIEM system collects event data from internal and external sources and identifies security threats by correlating this data. Therefore, before considering what hardware will be required, it’s essential to first assess the volume of information the system will process and store. To this end, you need to first identify critical risks to the infrastructure, and then determine the data sources that must be analyzed to help detect and address threats related to these risks. These are the data sources to focus on. Such an assessment is necessary not only to determine the required hardware, but also to estimate the cost of licensing. For example, the cost of licensing for our Kaspersky Unified Monitoring and Analysis Platform SIEM system directly depends on the number of events per second (EPS). Another important aspect is to check how the vendor calculates the number of events for licensing. In our case, we take the events per second after filtering and aggregation, calculating the average number of events over the past 24 hours rather than their peak values — but not all vendors follow this approach.

The most common sources include endpoints (Windows events, Sysmon, PowerShell logs, and antivirus logs), network devices (firewalls, IDS/IPS, switches, access points), proxy servers (such as Squid and Cisco WSA), vulnerability scanners, databases, cloud systems (such as AWS CloudTrail or Office 365), and infrastructure management servers (domain controllers, DNS servers, and so on).

As a rule, to form preliminary expectations about the average event flow, the size of the organization can serve as a guide. However, the architectural particularities of specific IT infrastructure can make company size a less decisive parameter.

In general, for small and medium-sized organizations with just one office — or up to several offices with good communication channels among them and IT infrastructure located in a single data center — an average event flow of 5000–10 000 EPS can be expected. For large companies, making an estimate is more challenging: depending on the complexity of the infrastructure and the presence of branches, EPS can range from 50 000 to 200 000 EPS.

Architectural components of an SIEM system

An SIEM system generally consists of four main components: the management subsystem, event collection subsystem, correlation subsystem, and storage subsystem.

Core (management subsystem). You can think of this as the control center of the system. It allows managing the other components, and provides visualization tools for SOC analysts — enabling them to easily configure operational parameters, monitor the SIEM system’s state, and, most importantly, view, analyze, sort and search events, process alerts, and work with incidents. This control center needs to also support log viewing through widgets and dashboards, and enable quick data search and access.

The core is an essential component and can be installed as a single instance or as a cluster to provide a higher level of resilience.

Event collection subsystem. As the name suggests, this subsystem collects data from various sources and converts it into a unified format through parsing and normalization. To calculate the required capacity of this subsystem, one must consider both the event flow intensity and the log format in which events arrive from sources.

The server load depends on how the subsystem processes logs. For example, even for structured logs (Key Value, CSV, JSON, XML), you can use either regular expressions (requiring significantly more powerful hardware) or the vendor’s built-in parsers.

Correlation subsystem. This subsystem analyzes data collected from logs, identifies sequences described in correlation rule logic, and, if necessary, generates alerts, determines their threat levels, and minimizes false positives. It’s important to remember that the correlator’s load is also determined not only by the event flow but by the number of correlation rules and the methods used to describe detection logic as well.

Storage subsystem. An SIEM system must not only analyze but also store data for internal investigations, analytics, visualization and reporting, and in certain industries — for regulatory compliance and retrospective alert analysis. Thus, another critical question at the SIEM system design stage is how long you want to store collected logs. From an analyst’s perspective, the longer the data is stored, the better. However, a longer log retention period increases hardware requirements. A mature SIEM system provides the ability to strike a balance by setting different retention periods for different log types. For example, 30 days for NetFlow logs, 60 days for Windows informational events, 180 days for Windows authentication events, and so on. This allows data to be optimally allocated across available server resources.

It’s also important to understand what volume of data will be stored using hot storage (allowing quick access) and cold storage (suitable for long-term retention). The storage subsystem must offer high performance, scalability, cross-storage search capabilities (both hot and cold), and data viewing options. Additionally, the ability to back up stored data is essential.

Architectural features of Kaspersky SIEM

So, we’ve laid out the ideal requirements for an SIEM system. It probably won’t surprise you that our Kaspersky Unified Monitoring and Analysis Platform meets these requirements. With its built-in capability to scale for data flows reaching hundreds of thousands of EPS within a single instance, our SIEM system isn’t afraid of high loads. Importantly, it doesn’t need to be split into multiple instances with correlation results reconciled afterwards — unlike many alternative systems.

The event collection subsystem of the Kaspersky Unified Monitoring and Analysis Platform system is equipped with a rich set of parsers optimized for processing logs in each format. Additionally, the multi-threading capabilities of Go mean the event flow can be processed using all available server resources.

The data storage subsystem used in our SIEM system consists of servers that store data, and servers with the clickhouse-keeper role, which manage the cluster (these servers don’t store data themselves but facilitate coordination among instances). For data flows of 20 000 EPS with a relatively low number of search queries, these services can operate on the same servers that store the data. For higher data flows, it’s recommended to separate these services. For instance, they can be deployed on virtual machines (a minimum of one is required, though three are recommended).

The Kaspersky Unified Monitoring and Analysis SIEM storage system is flexible — allowing event flows to be distributed across multiple spaces, and specifying the storage depth for each space. For example, inexpensive disks can be used to create cold storage (where searches are still possible, just slower). This cold storage can house data that is unlikely to require analysis but must be stored due to regulatory requirements. Such information can be moved to cold storage literally the day after it’s collected.

Thus, the data storage approach implemented in our SIEM system enables long-term data retention without exceeding the budget on expensive equipment, thanks to hot and cold storage capabilities.

SIEM architecture deployment using our SIEM as an example

The Kaspersky Unified Monitoring and Analysis Platform supports multiple deployment options, so it’s important first to determine your organization’s architecture needs. This can be done based on the estimated EPS flow, and the particularities of your company. For simplicity, let’s assume the required data retention period is 30 days.

Data flow: 5000–10 000 EPS

For a small organization, the SIEM system can be deployed on a single server. For example, our SIEM system supports the All-in-One installation option. In this case, the required server configuration is 16 CPUs, 32GB of RAM, and a 2.5TB of disk space.

Data flow: 30 000 EPS

For larger organizations, separate servers are needed for each SIEM component. Dedicating a server exclusively for storage ensures that search queries don’t affect the processing of events by the collector and correlator. However, the collector and correlator services can still be deployed together (or separately, if desired). An approximate equipment configuration for this scenario is as follows:

• Core: 10 CPUs, 24GB of RAM, 0.5TB of disk space
• Collector: 8 CPUs, 16GB of RAM, 0.5TB of disk space
• Correlator: 8 CPUs, 32GB of RAM, 0.5TB of disk space
• Storage: 24 CPUs, 64GB of RAM, 14TB of disk space

Data flow: 50 000–200 000 EPS

For large enterprises, additional factors must be considered when defining the architecture. These include ensuring resilience (as the substantial data-flow increases the risk of failure) and the presence of company divisions (branches). In such cases, more servers may be required to install the SIEM system, as it’s preferable to distribute collector and correlator services across different servers for such high EPS flows.

Data flow: 200 000 EPS

As EPS flows grow and the infrastructure divides into separate independent units, the amount of equipment required increases accordingly. Additional servers will be needed for collectors, storage, correlators, and keepers. Moreover, in large organizations, data availability requirements may take precedence. In this case, the Kaspersky Unified Monitoring and Analysis Platform storage cluster divides all collected events into shards. Each shard consists of one or more data replicas. And each shard replica is a cluster node, meaning a separate server. To ensure resilience and performance, we recommend deploying the cluster with two replicas per shard. For processing such large EPS volumes, three collector servers may be required, installed in the offices with the highest event flows.

Kaspersky SIEM in holding companies

In large enterprises, the cost of implementing an SIEM system increases not only with the volume of data, but also depending on the usage profile. For example, in some cases (such as MSP and MSSP environments, as well as large holding companies with multiple subsidiaries or branches), multi-tenancy is required. This means the company needs to maintain multiple “mini-SIEMs”, which operate independently. Our solution enables this through a single installation at the head office, without the need to install separate systems in/at each branch/tenant. This significantly reduces equipment costs.

Let’s imagine either (i) a holding company, (ii) a vertically-integrated enterprise, or (iii) a geographically-distributed corporation with either various independent security teams or a need to isolate data access among branches. The Kaspersky Unified Monitoring and Analysis Platform tenant model allows for segregated access to all resources, events, and third-party integration settings. This means one installation functions as multiple separate SIEM systems. In this case, while each tenant can develop its own content (correlation rules), there’s also the option of distributing a unified set of resources across all divisions. In other words, each division can have its own collectors, correlators, and rules, but the HQ security team can also assign standardized bundles of security content for everyone — ensuring consistent protection across the organization.

Thus, using the Kaspersky Unified Monitoring and Analysis Platform ensures the necessary performance with relatively modest computing resources. In some cases, savings on hardware can reach up to 50%.

For a more accurate understanding of the required resources and implementation costs, we recommend talking with our specialists or integration partners. We (or our partners) can also provide premium support, assist in developing additional integrations (including using API capabilities for connected products), and oversee the deployment of a turnkey solution covering system design, equipment estimation, configuration optimization, and much more. Learn more about our SIEM system, the Kaspersky Unified Monitoring and Analysis Platform, on the official product page.

Kaspersky official blog – ​Read More