Cloud Incident Response Blog | Cado Security

How to add Forensics to your SIEM and Start Automating Investigations

Written by Katerina Tiddy | Dec 6, 2021 1:00:00 PM

By Adam Hillel and Katerina Tiddy

SIEM platforms are a key part of an organization’s security operations. A SIEM centralizes data from multiple sources, correlates it, and looks for indicators of malicious activity.
We're excited to announce a new Cado Response feature that allows you to add deep forensic data to your SIEM and correlate it with all other security telemetry:

Why add forensic data to your SIEM?

Most security programs are measured in terms of:

  • MTTD (Mean Time To Detect): the time it takes to identify a security incident; and
  • MTTR (Mean Time To Respond): the time it takes to remediate the security incident after it is discovered

Over the past decade, detection technologies have continuously evolved, and the Mean Time To Detect (MTTD) has dropped significantly. However, the Mean Time To Respond (MTTR) remains stubbornly high, and it’s not surprising when you consider the steps required to perform Incident Response:

  1. Initial detection
  2. Initial triage in a SIEM - Is it a false positive? No ↓
  3. Pull additional data into the SIEM
  4. Secondary triage - Is this a high severity incident? Yes ↓
  5. Collect forensic data, and copy to on-premise (if not there already)
  6. Perform detailed forensic analysis

With Cado, you can automatically pull triage analysis and forensic data into the SIEM as soon as a high-severity security incident occurs to decrease the Mean Time To Respond significantly.

A real-world example: crypto mining in AWS

  1. Detection

Crypto mining is generally detected via an endpoint agent or a device analyzing network traffic. In this case, Bitcoin mining was detected by AWS GuardDuty:

  1. Automated Capture

When something of high severity like crypto mining is detected, security teams can automate forensic data capture via their EDR or SIEM. But more often we’re seeing organizations leverage a SOAR or Lambda Function. From there, the Cado Response platform automatically collects a full forensic copy of the instance that triggered the Guard Duty alert for Bitcoin mining. The Cado solution is completely agentless to ensure security teams can get access to the data they need while ensuring zero impact to their production environment

  1. Cloud Processing

The Cado Response platform leverages the cloud to enable rapid processing of hundreds of files at once. Captured data is automatically preserved and normalized within the cloud.

  1. Analysis

Cado Response leverages machine learning and threat intelligence to do an initial analysis of the system. For example, below we see detections for malware, followed by suspicious web-shell commands in the logs on the compromised system:

  1. SIEM Output

Within Cado Response, you can enable the new SIEM integration feature on the settings page. Once enabled, you can select which events you want to export. These will then be saved as logs in S3:

  1. Centralised Analysis in a SIEM

After enabling the SIEM integration you can:

  • Apply your own intelligence and YARA rules to further enrich the data collected by Cado Response
  • Add incredible depth to your investigations by augmenting data captured via other systems with rich historical and forensic context

Here we can see a snippet of the type of events captured by Cado Response that can be imported into your SIEM:

  1. Detailed Analysis in Cado Response

The Cado Response platform offers additional investigation capabilities that can help analysts perform a deeper investigation after initial analysis within a SIEM. For example, you can browse through the full disk of the system, download files, and perform other forensic activities:

How it works

The Cado Response platform generates a single centralised timeline of events, pulling in multiple sources of evidence. This timeline, with the SIEM integration turned on, will be converted to logs which will then be uploaded to the AWS S3 bucket of choice. 

This approach is widely supported by most of the modern SIEM systems including:

CEF Format Logs

As mentioned above, SIEMs consume logs  from different systems. Those logs usually have a standard format, called CEF (Common Event Format).

Here is an example log:

CEF:0|CadoSecurity|CadoResponse|1.0.2|0|Content Modification Time|10|alarm=True evidence_id=2 evidence_name=aws_compromise.zip macb=M... source=FILE eventTime=1595194940 filePath=/tmp/file.txt eventId=Q5FBqHwBX9dvp1T5IsHT msg=Malicious File Detected: cryptomining_malware_wannamine

The log follows the below standard:

CEF:0|CadoSecurity|CadoResponse|Version|Signature ID|Name|Severity|Extension

The extension part of the message is a placeholder for additional fields that are represented by key-value pairs. You can enable this log export by going to Settings -> SIEM.


Ready to start automating investigations? Try Cado Response for free.