Threat Hunting vs. SIEM
To reduce attack surfaces and improve one’s cybersecurity posture, organizations can adopt two stances: a reactive approach and a proactive approach. The reactive approach involves traditional methods of detection (e.g., IDS and IPS) and prevention (e.g., firewalls and SIEM), whereas the proactive approach uses offensive tactics, such as those found in a threat-hunting program.
Threat hunting is the act of aggressively tracking and eliminating adversaries from your corporate network as soon as possible. Threat hunting discovers attacks, reduces the detection delta and stops adversaries from compromising your critical systems. Many organizations prefer to rely on measures such as SIEM to protect themselves; however, according to a TechBeacon survey, less than 25% of organizations are getting the full value from their SIEMs and only 32% are getting more than 80% of the value they expected. Given advanced persistent threats (APTs) and breaches, SIEM solutions alone do not ensure reliable protection.
Therefore, both a reactive approach (such as SIEM) and a proactive approach (such as threat hunting) are indispensable and should be implemented in parallel to enhance the security posture of organizations. In this article, you will learn how a SIEM plan and threat hunting complement each other in widening a company's security net.
What Do I Need to Know About a SIEM System?
A SIEM — Security Information and Event Management — is a security solution that enables security professionals to discover, monitor, record and assess security incidents within a real-time IT environment and centralize all of their relevant data. A SIEM system offers various features, including security alerts, interpretation of logs, advanced analytics, profiling, threat intelligence feeds, forensics, dashboards and data aggregation. SIEM is the combination of two closely-related tools, namely:
- Security Information Management (SIM)
- Security Event Management (SEM)
SEM is used to collect, aggregate and perform real-time monitoring of logs and events, whereas SIM performs correlation, normalization, analysis and reporting of the collected log data and security records. SIEM technology is used for threat detection and incident response through real-time acquisition and historical analysis of security incidents from a wide range of contextual data sources.
With a SIEM solution, security professionals can monitor user activities, thwart data breaches, determine the root cause of security incidents, mitigate cybercrimes and meet regulatory compliance. The three types of SIEM are:
- In-house SIEM
- Managed SIEM
- Cloud-based SIEM
You may have noticed that SIEM only provides threat-detection capabilities rather than pursuing advanced threats and adversaries. What should your organization do if it is at greater risk of being compromised, as banks or government agencies are? In this scenario, SIEM alone will obviously not be able to pursue adversaries, eliminate the possibility of future attacks and safeguard your organization from compromise. You will always be stuck playing a defensive game.
Just having a SIEM is not sufficient. You must ensure that your SIEM offers the features it needs to play its part effectively in this collaborative security defense. The following sections describe some core features that every type of SIEM system must offer to work reliably alongside threat-hunting capabilities:
Log Correlation: The Heart of SIEM
SIEM log correlation is a critical feature of any SIEM solution, as it analyzes and aggregates log data from network systems, devices, security appliances and applications. Using this feature, your SIEM provides centralized visibility into potentially non-compliant and insecure network activities. This allows it to discover threats and malicious patterns of behavior that would otherwise go unnoticed.
To strengthen this capability, threat hunting can be paired with SIEM log correlation through log analysis. Using the correlated logs, threat hunters can trace the source of an attack and prevent further intrusions.
Prevent Pesky False Positives
Cisco’s Security Capability Benchmark Study (2017) revealed that only 28% of examined security alerts were legitimate. Your SIEM solution must prevent as many false positives as possible. Most SIEMs let you record known-legitimate events in their configuration and compare suspicious activity against them when a possible detection fires, so that legitimate events do not raise false positives. Some out-of-the-box SIEM correlation rules can be irrelevant to your environment and must be disabled in order to prevent false positives.
Log Management and Storage Capabilities
Effective SIEMs must provide efficient log management and storage capabilities. It’s possible to set rules for every single log source in order to increase the effectiveness of collection, storage and the performance of indexing.
Almost every SIEM has the capability to collect logs and events from diverse sources. Once this is done, your SIEM must normalize all collected data to provide a clear understanding and make the data easy to work with. It should filter, parse and enrich log fields and unify them into structured fields.
Per Netwrix’s SIEM Efficiency Survey (2016), 83% of SIEM solutions produce too much noise. That is why organizations deploy additional security controls to reduce the noise. However, most of that noise is directly linked to false positives, which are its predominant source. Therefore, preventing false positives and ensuring the accuracy of security events can reduce the noise tremendously.
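The three ideas above (normalizing logs from different sources into unified fields, correlating them with a rule, and suppressing known-legitimate events to avoid false positives) can be shown together in a small example. This is added illustration, not code from the article; the two log formats, the sample lines and the allowlisted scanner host are all constructed, and the correlation rule (several failed logins followed by a success from the same source and user) is an assumed, typical rule.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in two different vendor formats (not real data).
RAW_LOGS = [
    "2024-03-01T08:00:01Z sshd[101]: Failed password for admin from 198.51.100.7 port 5111",
    "2024-03-01T08:00:03Z sshd[101]: Failed password for admin from 198.51.100.7 port 5112",
    "2024-03-01T08:00:05Z sshd[101]: Failed password for admin from 198.51.100.7 port 5113",
    "2024-03-01T08:00:09Z sshd[101]: Accepted password for admin from 198.51.100.7 port 5114",
    "ts=2024-03-01T08:01:00Z src=10.0.0.5 user=scanner outcome=failure",
    "ts=2024-03-01T08:01:01Z src=10.0.0.5 user=scanner outcome=failure",
    "ts=2024-03-01T08:01:02Z src=10.0.0.5 user=scanner outcome=failure",
    "ts=2024-03-01T08:01:03Z src=10.0.0.5 user=scanner outcome=success",
]
SSHD = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
KV = re.compile(r"^ts=(\S+) src=(\S+) user=(\S+) outcome=(\S+)$")

# Known-legitimate activity configured in the SIEM: an internal vulnerability
# scanner (assumed) that is expected to generate authentication noise.
ALLOWLIST = {("10.0.0.5", "scanner")}

def normalize(line):
    """Parse one raw line into a unified structured event, or None if the format is unknown."""
    m = SSHD.match(line)
    if m:
        ts, result, user, src = m.groups()
        outcome = "success" if result == "Accepted" else "failure"
    else:
        m = KV.match(line)
        if not m:
            return None
        ts, src, user, outcome = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "user": user, "outcome": outcome}

def correlate(lines, failures=3, window=timedelta(minutes=5)):
    """Rule: at least `failures` failed logins, then a success, from one src/user within `window`."""
    events = [e for e in map(normalize, lines) if e]
    fails = defaultdict(list)   # (src, user) -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["src"], e["user"])
        if e["outcome"] == "failure":
            fails[key].append(e["ts"])
            continue
        recent = [t for t in fails[key] if e["ts"] - t <= window]
        if len(recent) >= failures and key not in ALLOWLIST:
            alerts.append({"src": e["src"], "user": e["user"], "failures": len(recent), "at": e["ts"]})
        fails[key].clear()   # a success closes the window for this source/user
    return alerts
```

Running `correlate(RAW_LOGS)` yields one alert for 198.51.100.7; the scanner's identical pattern is suppressed by the allowlist rather than surfacing as noise.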
Processing Only Security-Related Data
Your SIEM must process only security-related data instead of exhausting resources on non-security-related data. If your SIEM system processes only security-related data, you will observe an immense change in its Events Per Second (EPS) rate.
Prevent Vulnerable Protocols
Vulnerable protocols, such as Domain Name System (DNS), Simple Mail Transfer Protocol (SMTP) and Border Gateway Protocol (BGP), can provide openings to attackers. Your SIEM system must filter such protocols using an additional security control, such as a Snort IDS whose alerts are fed into the SIEM. Snort IDS acts as an additional security layer in front of the SIEM, and its rules can be generalized further to detect novel attacks. If you run a security operations center (SOC) as part of a proactive threat-hunting approach, your SOC analysts will also be monitoring these vulnerable protocols to prevent a potential breach.
How is a Threat-Hunting Program Essential When Paired With SIEM?
As noted above, security analysts use threat-hunting solutions to aggressively track and eliminate adversaries from their corporate network as soon as possible. There is no such thing as a perfectly secure network; adversaries can always exploit your reactive defense mechanisms with their sophisticated attacks. Therefore, a proactive security policy that includes threat hunting should be an essential part of your overall security posture. The survey notes that 52% of organizations reduced risks significantly through the use of threat hunting.
Conversely, the survey indicates that 48% of organizations are still not satisfied with their threat-hunting capabilities. You cannot rely on threat hunting’s proactive approach alone, because a sophisticated attacker can defeat your offensive measures as well. Therefore, you must also have the reactive approach you get with SIEM in order to confront the enemy on all possible fronts.
Like SIEM, your threat-hunting program should be effective and reliable in achieving its objectives. Security analysts should adopt the following goals to build a mature threat-hunting program:
- Providing accurate and early detection
- Controlling and mitigating damage with faster response
- Improving defenses to make attacks unsuccessful
- Knowing your organization’s weaknesses
A successful threat-hunting program has two essential parts. The first is a formal process built on a well-defined methodology. The second is continuous threat-hunting operations supported by automated tools. Continuous and timely detection of adversaries will certainly limit the damage and improve efficiency.
Below are some critical aspects of threat hunting.
Threat-Hunting Staffing and Skills
Integrating people, technology and processes is an essential part of any security program. In general, enterprise organizations prefer investing in technology first. When this approach doesn’t work, they seek formal processes and appropriate people to manage these processes.
When it comes to threat hunting, technology should be the primary focus, with people taken into consideration next. However, training of personnel is vital because they need to be able to manage and configure the technology and interpret its results. People who have served in a SOC or as incident responders are highly valued for threat-hunting roles because they are already trained in the rudiments of security. Many organizations convert their SOCs to perform threat-hunting operations. Under such circumstances, your SOC team can deal with SIEM and threat-hunting capabilities simultaneously. However, if your SOC team is staffed only for threat-hunting tasks, you can either hire an additional team (not more than five analysts) for SIEM operations or outsource its essential features to a third party.
The Essence of Threat Hunting and SIEM
The fundamental goal of threat hunting is to reduce damage and the potential exposure of sensitive information. Your key metrics should be reduced exposure and timely remediation. Furthermore, these metrics must show a positive return on investment (ROI) for your threat-hunting efforts.
Threat hunting also plays a crucial role in the early detection of adversaries and the swift elimination of vulnerabilities exposed during the hunt. If an adversary somehow manages to penetrate your corporate network, your SIEM, as an additional security layer, will still play a crucial part in containing the situation and preventing disaster.
Value of Response Time
When launching a threat-hunting campaign, you can use three primary indicators to make sure that your hunting efforts bear fruit. These indicators include:
- Dwell Time. How much time has the adversary spent in your company?
- Reinfection. How many attacks have been launched against your company?
- Lateral Movement. How much damage has been caused by an adversary, in terms of the number of systems that have been compromised?
If you see significant improvement in these areas, your threat-hunting program is reliable. Otherwise, it needs to be enhanced. An immature threat-hunting program will not prevent every attack and will miss potential adversaries. Again, your SIEM works as an active defense to defeat these adversaries and is your first and fastest line of defense.
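The three indicators above can be computed from a campaign's hunt records and compared between campaigns to judge whether the program is improving. This is an added example, not code from the article; the record format and the intrusion data are constructed, and "lateral movement" is measured here, as an assumption, by the number of hosts touched beyond the initial foothold.

```python
from datetime import datetime

# Constructed hunt records for one campaign (not real incident data).
# Each record: when the adversary was first observed, when it was contained,
# and the set of hosts it touched.
HUNT_RECORDS = [
    {"intrusion": "INC-1", "first_seen": "2024-01-03", "contained": "2024-01-25",
     "hosts": {"ws-12", "ws-19", "fs-01", "dc-01"}},
    {"intrusion": "INC-2", "first_seen": "2024-02-10", "contained": "2024-02-14",
     "hosts": {"ws-12"}},
    {"intrusion": "INC-3", "first_seen": "2024-03-02", "contained": "2024-03-03",
     "hosts": {"ws-07", "ws-33"}},
]

def _days(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).days

def hunt_metrics(records):
    """Dwell time, reinfection and lateral-movement indicators for one campaign."""
    dwell = [_days(r["first_seen"], r["contained"]) for r in records]
    seen, reinfected = set(), set()
    for r in records:
        reinfected |= r["hosts"] & seen   # host already compromised in an earlier intrusion
        seen |= r["hosts"]
    return {
        "intrusions": len(records),
        "mean_dwell_days": sum(dwell) / len(dwell),
        "max_dwell_days": max(dwell),
        "reinfected_hosts": sorted(reinfected),
        # hosts beyond the initial foothold, per intrusion (assumed lateral-movement measure)
        "lateral_hosts_per_intrusion": [len(r["hosts"]) - 1 for r in records],
    }

def is_improving(previous, current):
    """True when every indicator moved the right way between two campaigns."""
    return (current["mean_dwell_days"] < previous["mean_dwell_days"]
            and len(current["reinfected_hosts"]) <= len(previous["reinfected_hosts"])
            and max(current["lateral_hosts_per_intrusion"])
                <= max(previous["lateral_hosts_per_intrusion"]))
```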
Methods of Threat Hunting
When running a threat-hunting program, security analysts use two methods — namely host-based or network-based threat hunting. Host-based threat hunting analyzes an individual system to look for indicators of attack. Network-based threat hunting, on the other hand, monitors and analyzes network traffic to find signs of an adversary’s presence on the network.
You must remember that while you are hunting threats and adversaries, you are potentially also being hunted. Hence, continuous improvement of your threat-hunting capabilities and your defense strategy is indispensable. For this purpose, you need automation and customized tools. You need to make sure that these tools are properly aligned with, and complementary to, your SIEM solution.
The Way Forward
Cybersecurity threats and adversaries are stronger than many organizations’ security postures. Even with very strong defensive systems, organizations cannot ensure 100% security and, therefore, adversaries will sometimes find ways to penetrate your corporate network. Nevertheless, organizations can adopt both reactive and proactive approaches, combining a SIEM solution with a team of active threat hunters to protect themselves as effectively as possible.