Security Information and Event Management (SIEM)
Let’s talk about SIEM. Are you having consistent challenges with responding to threats, breaches and related incidences? Do you find it increasingly draining to get to the root cause of breaches in light of the increasing numbers of attacks and related downtimes in your network? If yes, a SIEM solution is just what you may need.
More often than not, the above pain points are brought about by a lack of collaborative efforts between the Network Operations Center (NOC) and the Security Operations Center (SOC). The NOC is primarily interested in network performance and uptime while the SOC teams are primarily focused on network security, regulations, and compliance.
To further deepen the disconnect, they each make use of a diverse variety of tools and software that are not integrated so as to give a global view of the enterprise’s overall network. These factors introduce a complex monitoring and reporting environment which increases the likelihood that threats and breaches can go undetected for some time.
What is SIEM software?
Security information and event management (SIEM) software give enterprise security professionals a better handle on events within the enterprise. This is done through the collection of Security Information and Event Management (SIEM) network and security logs, in a central repository from multiple diverse sources e.g access points, active directory and database servers, routers, switches, firewalls, intrusion detection, and prevention systems, etc. SIEM is a fundamental element of a successful Cyber Resilience strategy.
A SIEM must be aware of what is attached to the network and be able to collect event and log data from all of those attached items. FortiSIEM is the only SIEM tool in the market that has a self-learning, real-time asset discovery and device configuration engine built into its platform. SIEM does parsing, data normalization and categorization on any type of device, as long as it’s able to send logs to it.
SIEM software should have an intelligent context, such that it is able to identify the specific kinds of running devices, applications, servers, and their corresponding configurations among other data so as to add relevant context to the events and notifications. This is a critical element of ensuring the SIEM product doesn’t raise false alarms.
SIEM software also requires that it is fed quality data for maximum yield; the bigger the data source you give it, the better it gets and the better it can see outliers.
How SIEM works:
SIEM software collects and aggregates log data generated throughout the enterprise’s endpoints, applications, firewalls, and antivirus filters.
SIEM delivers on the below objectives, which are to:
- Provide near-real-time analysis. SIEM systems focus on providing faster identification, analysis, and recovery. It could for instance help detect zero-day attacks.
- Align enterprises with auditing and regulatory requirements e.g PCI and HIPAA. SIEM generates automated compliance reports whilst sending notifications to relevant personnel. For instance, the SIEM receives an alert from Active Directory or RADIUS stating that it has detected a Repeat Attack_Login attack (3 or more failed login attempts in 60 seconds) against one of the hosts. A notification is then sent to a security administrator.
- Automated cross-correlation and analysis of all the raw event logs from across the entire network. A SIEM’s differentiating factor from a typical log collector is in its ability to cross-correlate data from multiple different threat feeds and system data before determining the threat level of an incident.
- Convert security event and log data into visually appealing charts to assist in seeing patterns.
- Enable Forensic Analysis: The ability to search across logs on different nodes and time periods based on specific criteria.
Security teams often start by chasing down a staggering amount of false alerts. False alerts are one of the most nagging challenges in implementing reliable cybersecurity initiatives. These refer to “useless” alerts that end up wasting an enterprise’s SOC teams time since they are not real threats.
According to Ciscoâ€™s 2017 Annual Cyber Report: The Hidden Danger of Uninvestigated Threats. Only 28% of security alerts that are investigated turn out to be legitimate, from these, only 46% are remediated, meaning 54% of legitimate threats are not resolved!
This is partly a result of the redirection of the SOC team’s effort to investigating false alerts. So how exactly can an enterprise deal with false alerts?
Dealing With False Alerts:
- 1. Clearly define false alerts. If a trouble ticket is consistently created with no tangible immediate action specified, it probably is a false alert. Such alerts can be removed from the ticketing system and only included in a report.
- 2. Turn off the default rules that don’t apply in your environment, for instance, a SQL injection attack rule if there’s no SQL server installed in your network.
- 3. Finetune the rules to match your unique environment thresholds. This requires time though. After installation, monitor your environment to determine the most appropriate thresholds for various attributes, for instance, what is normal and abnormal traffic.
- 4. Implement a SIEM solution that has intelligent context capabilities. It should be able to cross-correlate event data from multiple feeds simultaneously and intelligently come to a reliable conclusion as to whether a threat is real or not.
- 5. Adjust SIEM product criticality to match your environment. Most default vendor settings are too high for most settings. This you will soon notice after having the SIEM in operation for a while. Save yourself the pain!
- 6. Use a high quality regularly updated threat feed and geolocation data. This will help add more context to your events and logs. For instance, if a source IP is from a known hacker cell, the criticality of such a log is increased to high. Geolocation data also helps determine whether the traffic is internal, remote or foreign traffic. Low-quality threat feeds could actually increase the number of false alerts!
- 7. Avoid duplication. If a firewall blocks some kind of traffic, don’t raise an alert ticket on what has already been blocked! What’s the point of having the firewall device installed in the first place?
Proactive organizations will learn to tune the tooling over time so that the SIEM understands what are normal events and thereby reduce the number of false alerts. After getting a false alert, make an adjustment to your SIEM so that it doesn’t catch that again. Finetuning should be done often to reflect both internal changes e.g the commissioning and decommissioning of devices, changes in the global threat landscape, etc.
Managing SIEM is a resource-intensive process that requires regular evaluations and adjustments to maintain optimal performance. Despite this, going without a SIEM solution isnâ€™t the answer, because this can leave you vulnerable to attack. With this in mind, many IT professionals don’t know how to do this efficiently, thus, expert SIEM consultancy may be required.
To develop proficiency with accurately managing SIEM products, you can sign up for an Insoft instructor-led FortiSIEM training here.
SIEM Tools and Vendor Selection
SIEM tools come in both paid-for commercial offerings and free opensource alternatives. Different SIEM tools draw their strength from a myriad of different features and capabilities, so it’s upon you to carefully choose one that addresses your enterprise needs.
There are a couple of leading vendors, they include Solar Winds, HPE, IBM, Splunk, Fortinet, and Intel, we also have opensource SIEM tools which are supported by the community. They are not vendor backed, hence they may not be as reliable; especially in critical enterprise-grade environments. Some of the best free opensource SIEM tools include Elasticsearch, ELK Stack, Ossim, Splunk Free and Ossec.
FortiSIEM Case Study:
FortiSIEM is a SIEM product manufactured by Fortinet. It offers SOC and NOC data correlation capabilities. It collects and normalizes a variety of logs, for instance, transaction, SNMP, connection, application and user logs.
These logs are then used for IT network and security monitoring and troubleshooting, consequently enabling organizations to eliminate blind spots by monitoring and analyzing a diverse set of events from multiple sources. Organizations, therefore, get an upper hand when it comes to the identification of threats and their root causes for even more agile remediation.
In addition to security metrics, FortiSIEM also monitors infrastructure resource utilization, application health, performance and availability metrics. The collection of all these data is done at a set polling interval. The results are converted into logs, which follow the typical SIEM processing logic. You can also read more about What is SIEM software? How it works and how to choose the right tool here.