Security information and event management (SIEM) software fulfills one of an organization’s most crucial roles: it protects the organization’s most sensitive data and establishes proof that the business is doing so in order to meet compliance requirements.
This complex set of technologies provides an overall view of the effectiveness of your security stack, acting as a force multiplier for the efforts of security analysts. By collecting and collating data from a variety of data sources and performing preliminary analysis on the collected data, SIEM solutions can focus an analyst’s attention where it is most needed. However, the effectiveness of an organization’s SIEM is largely determined by how robustly it is deployed and used.
Every organization’s environment and threat landscape are different. As a result, the “optimal” SIEM configuration for any two organizations may differ dramatically. However, every organization using a SIEM can benefit from a few important common practices:
A common way in which organizations limit the effectiveness of their SIEM solution is by failing to provide it with data from all relevant sources. To address this need, the true first step is to learn about your environment. This entails creating an inventory of your assets and understanding your systems to identify exactly what you are trying to log. Once you’ve done your due diligence, it’s time to address coverage.
A SIEM is designed to aggregate data from several different sources and use the resulting context to provide intelligent alerts to an analyst. If a SIEM is only set up to process data from the organization’s firewall or only from critical systems, it may miss dangerous events due to a lack of complete visibility of the operating environment. Also, each host in an environment has several potential sources of valuable data (firewall logs, application logs, etc.), and a SIEM can (and should) have access to all of these.
» Caveat: In a perfect world, achieving complete coverage and visibility is possible. However, the universe most of us live in is subject to budget and resource constraints. In this scenario, the next best answer is to formulate a strategic plan to assign criticality levels to your assets so you know which ones to give priority in order to identify appropriate data sources to bring into the SIEM first.
This leads us to Step 2:
Although a SIEM is intended to monitor all of an organization’s networks, some resources are more important than others. Alerts regarding an employee workstation should probably be categorized as less significant than those related to critical systems.
Assigning criticality levels to systems in an informed fashion is a vital component of ensuring alerts are appropriately ranked by the SIEM. Consider that what you assume is mission-critical may not be. Fully explore the subject with company leadership to answer the question, “What type of data loss would kill our business if we were to suffer a breach?” This may be financial data, personal health information of customers/patients, or proprietary information.
These assignments should be made based upon the use of threat modeling, where potential attack scenarios are explored and systems’ criticality is defined based upon their importance to various types of attacks.
SIEM solutions are designed to aggregate and analyze massive amounts of data, but not all data is good data. Feeding every potential source of data into a SIEM solution, regardless of relevancy or value, can be a waste of resources as the SIEM stores and processes all the extraneous data. The Department of Defense Information Quality Guidelines provide a baseline for determining what good data is for your business.
When deciding which data to feed into a SIEM, consider the type of information you would like it to provide to analysts. By defining rules and collecting data based upon desired intelligence outputs, it’s possible to prioritize SIEM input data based upon relevance. These rules and data flows should be reviewed regularly to identify ones that do not provide useful data and create new ones as needed.
Another important aspect of data collection for a SIEM is taking advantage of static, referential data. IP blacklists or descriptions of systems' intended functionality change slowly, but they can be very valuable for rapidly gaining context about a specific alert.
These referential data sources are also valuable in the generation of anomaly-based detection rules. While signature-based rules are excellent at detecting known threats, anomaly-based rules can identify even unknown threats. By learning what is “normal” for an environment and defining rules looking for outliers or deviations, it’s possible to detect events of interest without knowing in advance what makes them interesting.
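The two ideas in the preceding paragraphs, slow-changing referential data about what each system is meant to do and a learned baseline of what is “normal”, can be turned into anomaly rules directly. The following is an added example written for this page, not code from the original article: it checks constructed log lines against a made-up asset table (role and permitted outbound ports) and a made-up per-account login baseline, and raises a finding whenever an event deviates from either, with no signature for any specific attack. Hostnames, accounts, addresses, thresholds and the log format are all assumptions.

```python
"""Anomaly-based detection driven by referential data (constructed example).

Two slow-changing referential tables give alerts their context:
  * ASSETS   - each host's intended functionality (role and allowed outbound ports)
  * BASELINE - learned "normal" hourly login volume per account
Events that deviate from either table are flagged without a signature for a
specific attack. Hostnames, accounts, addresses and log lines are all made up.
"""
import re
import statistics
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed asset descriptions; allowed_outbound=None means unrestricted.
ASSETS = {
    "web01": {"role": "public web server", "allowed_outbound": {53, 80, 443}},
    "db01": {"role": "database server", "allowed_outbound": {53}},
    "ws-042": {"role": "employee workstation", "allowed_outbound": None},
}

# Constructed baseline: logins per hour for each account over seven quiet samples.
BASELINE = {
    "svc_backup": [2, 2, 3, 2, 2, 2, 3],
    "jdoe": [1, 0, 1, 2, 1, 1, 0],
}

# Constructed log format: "<timestamp> <host> <conn|login> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>conn|login) (?P<fields>.*)$")


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def parse_fields(raw: str) -> Dict[str, str]:
    return dict(kv.split("=", 1) for kv in raw.split())


def check_intended_function(host: str, fields: Dict[str, str]) -> Optional[Finding]:
    """Flag an outbound connection that the host's documented role does not call for."""
    asset = ASSETS.get(host)
    if asset is None:
        return Finding(host, "unknown_asset", "host missing from inventory")
    allowed = asset["allowed_outbound"]
    dport = int(fields["dport"])
    if allowed is not None and dport not in allowed:
        return Finding(host, "role_deviation", f"{asset['role']} connected out on tcp/{dport}")
    return None


def check_login_volume(host: str, user: str, count: int, threshold: float = 3.0) -> Optional[Finding]:
    """Flag an hourly login count far above the account's learned baseline (z-score test)."""
    history = BASELINE.get(user)
    if not history:
        return Finding(host, "no_baseline", f"no learned baseline for {user}")
    mean = statistics.mean(history)
    stdev = statistics.pstdev(history) or 1.0  # flat baseline: fall back to unit spread
    z = (count - mean) / stdev
    if z > threshold:
        return Finding(host, "login_spike", f"{user}: {count} logins/hour, z={z:.1f}")
    return None


def detect(lines: List[str]) -> List[Finding]:
    """Run both anomaly rules over raw log lines and return every finding."""
    findings: List[Finding] = []
    logins: Counter = Counter()  # (host, user, hour) -> count
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline would count these too
        fields = parse_fields(m["fields"])
        if m["kind"] == "conn":
            finding = check_intended_function(m["host"], fields)
            if finding:
                findings.append(finding)
        else:
            logins[(m["host"], fields["user"], m["ts"][:13])] += 1
    for (host, user, _hour), count in logins.items():
        finding = check_login_volume(host, user, count)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log: one role deviation, one unknown host, one login spike.
SAMPLE_LOG = [
    "2024-01-15T03:12:44 web01 conn dst=10.0.0.9 dport=443",
    "2024-01-15T03:13:01 web01 conn dst=10.0.0.9 dport=3389",
    "2024-01-15T03:13:05 db01 conn dst=10.0.0.7 dport=53",
    "2024-01-15T03:14:00 ws-042 conn dst=10.0.0.7 dport=22",
    "2024-01-15T03:15:00 app99 conn dst=10.0.0.7 dport=80",
    "2024-01-15T03:16:00 ws-042 login user=jdoe result=ok",
] + [f"2024-01-15T03:{20 + i:02d}:00 db01 login user=svc_backup result=ok" for i in range(8)]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.host:8} {f.rule:15} {f.detail}")
```

Note that the “unknown_asset” finding is itself a product of the referential data: a host that is not in the inventory cannot be judged normal or abnormal, which is exactly the coverage gap the inventory step earlier in the article is meant to close.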
Staying up to date on current threats will assist you in making educated decisions regarding SIEM configuration. Created five years ago, MITRE’s ATT&CK framework, a living knowledge base of threat tactics and techniques, has become a go-to resource for cybersecurity professionals building network defenses. A related resource focused on application security, Common Attack Pattern Enumeration and Classification (CAPEC), catalogs the common attributes and techniques employed by bad actors to exploit known weaknesses in cyber-enabled capabilities.
SIEM solutions are excellent at collecting and analyzing data from within the organization, but external data sources can be just as valuable. Subscribing to threat intelligence feeds that provide Indicators of Compromise (IoCs) and other data about potential threats can help with keeping SIEM detection rules up to date.
External sources can also be valuable as an initial step when analyzing a potential threat or alert. Services that expose APIs allow the SIEM to automatically check whether a suspicious file, IP address, or domain is known to be malicious.
Integrating this intelligence into a SIEM makes it easy for an analyst to determine where to focus their energies when investigating a particular alert.
The use of external data sources is one of many valuable uses of automation in a SIEM solution. Any analysis steps that can be performed automatically reduce the load on a human analyst, allowing them to manage more alerts or investigate them more fully. Other useful applications of automation within the SIEM include classifying potential threats and ranking and scoring alerts to ensure that analysts engage with the most critical ones first.
Proceed with caution, though. Use only trusted and valid threat sources.
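The combination of the criticality assignments from Step 2 with the threat-intelligence and automation points above is what lets a SIEM put the right alert at the top of an analyst’s queue. The following is an added example written for this page, not code from the original article or any vendor: it matches constructed events against indicators cached from made-up threat-intelligence feeds, consumes only feeds marked as vetted (the “trusted and valid sources” caution), and ranks each hit by indicator confidence scaled by the criticality of the asset involved. Feed names, indicators, hostnames, criticality values and the scoring formula are all assumptions.

```python
"""Automated IoC enrichment and alert ranking (constructed example).

Events are matched against indicators cached from threat-intelligence feeds,
then ranked by indicator confidence and by the criticality assigned to the
asset involved. Only feeds the team has vetted are consumed. Every feed,
indicator, hostname and event below is made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed asset criticality (1 = low .. 5 = mission critical), the kind of
# assignment the threat-modeling exercise produces.
ASSET_CRITICALITY = {
    "pay-db01": 5,   # cardholder data
    "ehr-app02": 5,  # patient health information
    "ws-117": 2,     # employee workstation
}
DEFAULT_CRITICALITY = 3  # assumption for hosts missing from the inventory

# Constructed feeds: indicator -> confidence (0..100). The unvetted feed is ignored.
FEEDS = [
    {"name": "vendor-premium", "vetted": True, "indicators": {
        "ip": {"203.0.113.45": 90},
        "domain": {"update-check.example.net": 70},
        "sha256": {"a" * 64: 95},
    }},
    {"name": "random-paste", "vetted": False, "indicators": {
        "ip": {"198.51.100.1": 100},
    }},
]

IndicatorKey = Tuple[str, str]  # (type, value)


@dataclass
class Alert:
    score: float
    host: str
    indicator_type: str
    indicator: str
    feed: str


def build_index(feeds) -> Dict[IndicatorKey, Tuple[int, str]]:
    """Flatten vetted feeds into {(type, value): (confidence, feed)}, keeping the highest confidence."""
    index: Dict[IndicatorKey, Tuple[int, str]] = {}
    for feed in feeds:
        if not feed["vetted"]:
            continue  # untrusted source: never let it raise an alert
        for itype, values in feed["indicators"].items():
            for value, confidence in values.items():
                key = (itype, value)
                if key not in index or confidence > index[key][0]:
                    index[key] = (confidence, feed["name"])
    return index


def score(confidence: int, criticality: int) -> float:
    """Scale 0..100 confidence by criticality so a hit on a critical system outranks the same hit on a workstation."""
    return round(confidence * criticality / 5, 1)


def triage(events: List[Dict[str, str]], feeds=FEEDS, inventory=ASSET_CRITICALITY) -> List[Alert]:
    """Return an alert for every indicator match, highest score first."""
    index = build_index(feeds)
    alerts: List[Alert] = []
    for event in events:
        for itype in ("ip", "domain", "sha256"):
            value = event.get(itype)
            if value is None or (itype, value) not in index:
                continue
            confidence, feed_name = index[(itype, value)]
            criticality = inventory.get(event["host"], DEFAULT_CRITICALITY)
            alerts.append(Alert(score(confidence, criticality), event["host"], itype, value, feed_name))
    return sorted(alerts, key=lambda a: a.score, reverse=True)


# Constructed events, already normalised the way a SIEM would present them.
SAMPLE_EVENTS = [
    {"host": "ws-117", "ip": "203.0.113.45"},                    # vetted hit, low-value asset
    {"host": "pay-db01", "domain": "update-check.example.net"},  # vetted hit, critical asset
    {"host": "ehr-app02", "sha256": "a" * 64},                   # vetted hit, critical asset
    {"host": "ws-117", "ip": "198.51.100.1"},                    # only in the unvetted feed: no alert
    {"host": "ws-117", "ip": "192.0.2.10"},                      # no indicator at all
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a.score:5} {a.host:10} {a.indicator_type}={a.indicator} ({a.feed})")
```

In a live deployment the indicator cache would be refreshed from the feeds on a schedule and the lookup would sit in the SIEM’s enrichment stage, so the analyst sees the feed name and confidence on the alert itself rather than having to query the external service by hand.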
SIEM solutions are an effective tool for detecting and analyzing an attack in progress. However, this is not their only use.
The vast amount of data and analytical capability contained within a SIEM solution makes it a valuable tool for threat hunting within an organization’s network. With threat hunting, a security team can get in front of an attack by identifying potential attack vectors before they’re exploited or by spotting a subtle attack in its early stages. The cost of an attack increases with its duration, so identifying threats as soon as possible is definitely within an organization’s best interests.
A Security Information and Event Management (SIEM) solution is an extremely powerful but complicated tool in an organization’s cybersecurity toolkit. While some aspects of configuring and using a SIEM depend on an organization’s unique situation, others, like those described here, are universal. For more information about how to best use SIEM technology to protect your business, contact us for a consultation.