Root Causes 291: CLM and SIEM
We discuss how Certificate Lifecycle Management (CLM) interacts with Security Information and Event Management (SIEM). The certificate world is chock full of events such as renewals, revocations, admin logins, and provisioning and removal of employee access. We talk about expected behaviors in the CLM and monitoring them.
- Original Broadcast Date: April 3, 2023
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
We want to talk today about CLM and SIEM. The role that certificate lifecycle management plays in SIEM which, of course, is spelled S-I-E-M and stands for Security Information and Event Management. So, Jason, CLM, SIEM, what’s your take on how they interact with each other?
-
Jason Soroko
It’s not talked about often enough. We want to do a podcast just to bring it up and to make people think about certificate lifecycle management and PKI as well as an adjoining topic.
And think about what are some of the important events that happen that you might want to cross-reference within your SIEM. There’s a lot of things you can do once you have those event logs within a SIEM.
We were just talking very recently with one of our developer managers about the fact that we keep those logs for customers for an awfully long time. And then the question is, should we? Because what happens if even at the customer side there’s some kind of a breach of logs and people can start getting insight about timings of issuance and things like this and processes. So, that’s one side but I think the most important side right now - because that’s the esoteric thing that we could go down the rabbit hole. We are gonna go down in the future. Right now, let’s keep it real simple and talk about just issuance itself.
So, in other words, events such as publicly trusted issuance trigger points. So, in other words, if your company knows that they are on 90-day certificates or one-year certificates and you have a policy of renewing those slightly less than a year, slightly less than 90 days, geez.
-
Tim Callan
Those are events. And the role of certificates is chock full of events because as we’ve talked about in the past, every certificate expires.
-
Jason Soroko
You’ve got it. And so, therefore, hey, man, just cross-reference, like, does it make sense. If you see some sort of events that are happening more often than they should or at time periods, like, hey, that’s an odd one. What happened there? You can at least cross-reference that against maybe there was a revocation, Tim. Maybe this server had to be moved and we just needed to, we lost the cert. No big deal. We’re just gonna renew another one against that domain and away we go.
For other types of things, if you have administrators logging into your certificate lifecycle management system, then log those login events because whoever is logging into that CLM, that’s a sensitive event and you want to know, hey, just simple questions. Is that time of day it happened correct? I'm certainly way, way oversimplifying what’s capable from a statement and event log and those of you who are tracking these kinds of things, I’m just bringing up the simple administration logging event, is a very, very key event.
-
Tim Callan
It’s not just service roots. Like every time I provision a laptop, if I’m using PKI-based access, then every time I provision a laptop that’s an event. Every time I retire a laptop, that’s an event. Or let’s say I have an employee who leaves the company and I need to revoke their cert, that’s an event. Every time I give somebody an S/MIME certificate or take away an S/MIME access, that’s an event. I mean, there’s a lot of these things.
-
Jason Soroko
There’s a lot of these things. ACME logs. ACME generates.
And so, therefore, let’s actually see what happens, log what’s going on. I would even go so far as to say various kinds of the typical things in a certificate lifecycle management system such as changing administrators, you know, provisioning somebody new. At the administrator level, that’s all human level stuff that’s pretty basic. But I’ll say to you that in good certificate lifecycle management systems, if you know that your Microsoft CA system really should never be logged into except for extreme disaster recovery events, because you have a certificate lifecycle management system that’s augmenting it and then all of a sudden you start to see administrator activity, well, there’s your red flag.
-
Tim Callan
There you go. That’s interesting. Sure. I like that. So, part of what you think about is what role should your CLM be playing and what are the expected behaviors organizationally that will surround that and if you are seeing something that doesn’t match that then perhaps something malicious is going on. Perhaps somebody is misusing the tools. Perhaps your understanding of what you really have and what needs to be done is incomplete or false. These are all things you could look into and clarify.
-
Jason Soroko
Absolutely. So, the lowest hanging fruit definitely are systems that are kind of locked down and there might be an administrator event due to disaster recovery or something like that and maybe you are set up really well and you’ve got your PAM to do a fire ticket so that you only create the credential to log into it moments before you log in and it gets killed when it - I’m stretching into PAM territory but we are talking about a holistic way of thinking about this. Once you have that, you start to see administrators logging into any kind of shut down, closed off systems, that’s your lowest hanging fruit. But I would say it’s gonna be worth it to become your own Center of Excellence in a way of understanding how often does your IT organization issue certificates into devices with SCEP, devices with MDM, into laptops. Maybe make a policy that only happens between 1:00 p.m. and 2:00 p.m. and then anything else happens after that, it’s like a great big honey pot for yourself.
-
Tim Callan
Ok. I like that. And then, of course, obviously, you touched on revocation. Those are events. There’s a variety of reasons why revocation events could occur. Different revocations occur for different reasons. Some of them might be perfectly legit. Employee left the company. We don’t want their access anymore. We are gonna revoke the cert. Some of them might be problems or errors. Private key was stolen. We are gonna revoke the cert and recording those and understanding the difference between those - this was an incident; this was normal operation of business – seems like that’s valid as well.
-
Jason Soroko
Exactly. Tim, let’s flip it around now.
So, what’s the worst – not just the worst practice because sometimes it could be a legitimate practice – but if it doesn’t have to be this way, then change your habits. And that is, the less random your events are, if they are kind of planned out then, for example, you only log into your CLM at certain times. You only do your provisioning of laptops that invokes private certificates at a certain time. That may not be possible. It might have to be random. But, even if you had to do it throughout the day, plan on doing it on the half hour. And then all of a sudden, if anything else happens beyond those kinds of times maybe your SIEM can help you to determine, hey, this is not a qualified time for this to be happening. There must be an exception that we can log.
-
Tim Callan
And then, of course, why? We go back to the earlier conversation.
-
Jason Soroko
That’s right.
So the most complex things and where SIEM kind of doesn’t help as much is when you have kind of random events happening probably in working hours that are normal practice. It becomes difficult. There are other contexts. For example, if a CLM administrator happens to be logging in from a known HR location, maybe the HR doesn’t do this kind of work and so you can find that. Hopefully you don’t have as flat of a network as that but keep in mind there’s a lot of other IT things to be done here to help to get those kinds of things locked down. But the less random your CLM and PKI events are – because they are so darn critical, Tim – then SIEM can help you and help you from those event logs, from those systems to be able to create a higher contrast of legitimate to illegitimate activity.
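The following is an added worked example appended after the transcript; it is not part of the episode and is not code from any CLM or SIEM product. It turns the "expected behaviour" rules the hosts describe into SIEM-style correlation logic over a constructed CLM audit log: a login to a locked-down backing CA outside an approved disaster-recovery window, device (SCEP/MDM) issuance outside the 1:00 p.m. to 2:00 p.m. policy window, re-issuance for the same name much earlier than the 90-day cadence with no revocation in between, and revocations classified as incident versus routine by their RFC 5280 reason code. The log format, host names, subjects, profile names and thresholds are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed CLM audit log, one key=value event per line. The field names,
# host names and subjects are assumptions for this example, not the output
# of any real CLM product.
SAMPLE_LOG = """\
ts=2023-04-01T10:00:00 type=issue system=clm actor=acme subject=www.example.test profile=tls-90d
ts=2023-04-02T11:00:00 type=revoke system=clm actor=admin-ops subject=alice@example.test reason=affiliationChanged
ts=2023-04-03T09:10:00 type=login system=ms-ca-01 actor=jdoe src=10.20.30.40
ts=2023-04-03T09:30:00 type=login system=clm actor=admin-ops src=10.1.1.5
ts=2023-04-03T10:00:00 type=issue system=clm actor=acme subject=www.example.test profile=tls-90d
ts=2023-04-03T11:00:00 type=revoke system=clm actor=admin-ops subject=api.example.test reason=keyCompromise
ts=2023-04-03T13:20:00 type=issue system=clm actor=scep-gw subject=laptop-0412 profile=device
ts=2023-04-03T16:05:00 type=issue system=clm actor=scep-gw subject=laptop-0417 profile=device
"""

# Expected-behaviour policy (assumed values, following the episode's suggestions):
DEVICE_WINDOW = (13, 14)                  # SCEP/MDM device issuance only 13:00-13:59
LOCKED_DOWN = {"ms-ca-01"}                # backing CA: logins only inside a declared DR window
EXPECTED_LIFETIME = {"tls-90d": timedelta(days=90)}
# RFC 5280 CRLReason values that signal an incident rather than routine housekeeping
INCIDENT_REASONS = {"keyCompromise", "cACompromise", "aACompromise"}


def parse(log):
    """Parse key=value log lines into dicts, sorted by timestamp."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def analyze(events, dr_windows=()):
    """Apply the expected-behaviour rules; return a list of (rule, subject, detail).

    dr_windows: iterable of (system, start_iso, end_iso) approved disaster-recovery
    windows (the PAM "fire ticket"); a login to a locked-down system is expected
    only inside one of them.
    """
    windows = [(s, datetime.fromisoformat(a), datetime.fromisoformat(b)) for s, a, b in dr_windows]
    findings = []
    last_issue = {}     # subject -> timestamp of its most recent issuance
    revoked = set()     # subjects revoked since their last issuance

    for e in events:
        kind = e["type"]
        if kind == "login" and e["system"] in LOCKED_DOWN:
            covered = any(s == e["system"] and start <= e["ts"] <= end for s, start, end in windows)
            if not covered:
                findings.append(("locked_down_login", e["system"], e["actor"]))

        elif kind == "issue":
            subject, profile = e["subject"], e.get("profile")
            if profile == "device" and not (DEVICE_WINDOW[0] <= e["ts"].hour < DEVICE_WINDOW[1]):
                findings.append(("issuance_outside_window", subject, e["ts"].strftime("%H:%M")))
            lifetime = EXPECTED_LIFETIME.get(profile)
            prev = last_issue.get(subject)
            if subject in revoked:
                revoked.discard(subject)   # re-issue after a revocation is expected, not flagged
            elif lifetime and prev and e["ts"] - prev < lifetime * 2 / 3:
                findings.append(("early_reissuance", subject, f"{(e['ts'] - prev).days}d since last"))
            last_issue[subject] = e["ts"]

        elif kind == "revoke":
            severity = "incident" if e.get("reason") in INCIDENT_REASONS else "routine"
            findings.append(("revocation", e["subject"], severity))
            revoked.add(e["subject"])

    return findings


if __name__ == "__main__":
    for finding in analyze(parse(SAMPLE_LOG)):
        print(finding)
```

On the sample log this yields five findings: the routine revocation of alice@example.test, the login to ms-ca-01 by jdoe with no DR window declared, the re-issuance of www.example.test only two days after the previous one, the keyCompromise revocation of api.example.test classified as an incident, and the laptop-0417 issuance at 16:05 outside the device window. The laptop-0412 issuance at 13:20 and the CLM admin login are expected and produce nothing; passing a DR window covering jdoe's login suppresses that alert, which is the "exception that we can log" the hosts describe.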