How to Use Security Incident & Event Management (SIEM) for Early Threat Detection
As businesses continue to embrace more and more technologies, IT environments become increasingly complex and distributed. This scenario is not likely to change over the next few years; current and emerging technologies such as Cloud computing, mobility and IoT should become ever more present in corporate environments.
But what does this mean for information security? What is the best approach for ensuring a sufficient level of protection, while at the same time allowing business activities to go on, and even making the adoption of new technological trends a possibility without overly exposing the organization to unnecessary cyber risks?
The solution is using information in your favor: Collect and aggregate relevant data from multiple sources, identify whatever deviations from the norm may happen and take appropriate action. As doing so manually in a complex environment is virtually unfeasible, using a security information and event management (SIEM) becomes essential.
What Is A SIEM System?
A SIEM is a combination of products and services that combine both security information management (SIM) and security event management (SEM). Security information management includes the long-term storage, analysis and reporting of log data from multiple sources (i.e., antivirus software, intrusion-detection systems (IDS), intrusion-prevention systems (IPS), file systems, firewalls, routers, servers, endpoints, switches and Wi-Fi). Security event management includes the real-time monitoring and correlation of security events, including notifications and console views for security teams.
How Do SIEM Systems Work?
A SIEM can provide real-time analysis of security alerts generated by operational systems, applications, network hardware, databases and basically any other piece of technology that produces collectable logs.
Basic SIEM functions should include:
- Data aggregation: IT environments can be quite complex and distributed, with each component generating a multitude of relevant security logs.
One of the central aspects of a SIEM solution is the ability to reach each of these hosts, collecting relevant information and managing it, and providing the ability to consolidate monitored data to help avoid missing crucial events.
- Event correlation and alerting: A SIEM should not be confused with a SYSLOG. The idea is not only collecting data, but creating meaningful information from it. For example, a web filter may generate a log for an employee accessing the Internet late at night. Provided he/she has proper Internet rights, there should be nothing wrong. The problem is, this individual already left the company a few hours ago, and that was registered in a log entry of the time clock system. Individually, as neither the web filter or the time clock system “speak” to each other, both logs would only report a normal situation.
A SIEM would be able to correlate data from both devices and send an alert that would basically ask: “if an employee already left the company for the day, who is using his/her password to access the Internet?” This is exactly the sort of intelligence an incident response team requires for the early detection of security breaches.
- Creating dashboards: Expanding on event correlation, most SIEM systems can correlate information and display dashboards with informational charts that can assist with checking for patterns, or identifying abnormal activities.
If properly constructed, dashboards can be much more than simple “eye candy” for executives visiting a security operations center (SOC). They should provide security teams with a quick view of ongoing events and abnormalities, reducing the time to detect an incident.
- Log retention: Most SIEMs are optimized not only to collect, but retain information. This should facilitate correlation of data over time, while also providing the retention necessary for compliance requirements.
- Event reporting and forensics: As historical data is stored at the SIEM, it is possible to generate reports and detect incidents that were not identified in real-time. This should come in handy during any forensic analysis, making it easy to correlate and search across logs from different devices and time periods, using specific criteria.
The fact that historical logs are stored and protected away from the devices where they originated, should enable a rapid, in-depth and court-admissible forensics investigation.
What Is the Role of SIEM In Incident Response?
As explained before, by enabling the real-time collection and correlation of information from multiple nodes, a SIEM essentially creates actionable information for incident response. This could either mean a dashboard displaying information in real-time or sending an alert if something abnormal is detected, in either case, the incident response team could act immediately and reduce the impact or even totally prevent a security breach from happening.
As the information stored at a SIEM is both detailed and retained for a long time, an incident response team performing a root cause analysis could also benefit from its functionalities. A SIEM stores information away from where it was originated, so in the case of a forensic analysis, it is great for providing court-admissible evidence.
What Are the Enterprise Benefits of SIEM Systems?
The primary benefit of a SIEM system to any organization, is the fact it immensely increases the effectiveness of incident response teams. The early detection of occurrences is a key factor for incident containment and eradication, which means a reduced overall impact.
Since SIEMs can correlate events from different data nodes and devices, this allows for detecting incidents that would otherwise be completely missed. For example, a network intrusion prevention system can usually only see a part of an attack, while the affected host (e.g., a notebook or a server) can see the other part. A SIEM sees the bigger picture by combining logs from both devices, thus making it possible to have a complete picture of the incident.
Aside from the technical aspects, SIEMs can also help in corporate compliance efforts, as virtually every regulatory body, such as PCI DSS, HIPAA, Sarbanes-Oxley (SOX) and GDPR, will most likely require some form of log management to preserve an audit trail of activity.
In fact, SIEM reports can provide auditable information that should confirm certain requirements are being met. It is quite common for SIEM vendors to supply basic reports that directly map to specific compliance regulations.
What Should You Look for When Choosing a SIEM?
There is plenty of good SIEM vendors, so finding a solution that is suitable to your environment should not be too difficult.
The first key point to consider when looking for a SIEM solution is the fact it is, in essence, a detection tool. It will not replace other security components such as a firewall or antivirus solution. In fact, some SIEM solutions have the ability of interfacing with other security solutions to try to stop an ongoing attack once detected. This is a very neat feature to have.
Another important consideration is having a SIEM compatible with the size of the environment it is trying to protect. Factors such as the number of data nodes and devices it is going to interface with for log connection directly affects the quantity of generated data per second. Make sure you have enough storage capacity for long-term retention.
An adequate SIEM solution should allow for scalability, or capacity for growth alongside expected changes in your IT environment.
The overall benefits of a SIEM solution makes them a primary necessity for corporate data protection. Having the ability to understand the big picture of security events is vital for any incident response team.