Introduction
Traditional security monitoring is often focused on system and network logs, which supply a large share of the useful security information available. An effective system should be able to gather, consolidate, and normalize data from a mixture of different logs and information sources, and send this information to a secure database where it can be examined.
Security Information and Event Management (SIEM) solutions [1] provide real-time or near- real-time analysis of security alerts generated by network hardware and applications. SIEM technology is often used to provide expanded insights into intrusion detection and prevention through the aggregation and correlation of security intelligence. SIEM solutions can be implemented as software, hardware appliances, or outsourced managed services.
SIEM collects data from many other sources within the network. It provides real-time monitoring of traffic and analysis and notification of potential attacks. Additionally, it provides long-term storage of data, allowing security professionals to analyze the data.
A SIEM typically has several characteristics. Because it gathers data from dissimilar devices, it includes correlation and aggregation features that convert this data into useful information. Advanced analytic tools within the SIEM can analyze the data and raise alerts and/or trigger responses based on preconfigured rules.
Tasks that may be performed automatically for you by tools such as Security Information and Event Management (SIEM) include:
• Filter out unnecessary or duplicate information
• Combine sources
• Synchronize events logged in different origins
• Normalize data formats
• Store data securely
• Data collection, analysis, and correlation
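The collection steps listed above (normalize different formats, drop duplicates, put events from different origins on one timeline, keep the original record) as an added example that is not part of the original article. The two log lines and their formats are constructed for illustration.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample records from two different sources (not real logs): a
# syslog-style line from a Linux host in UTC and a pipe-delimited Windows-style
# record from a host that reports its clock in UTC+02:00.
SYSLOG_LINE = "2024-05-01T10:15:30Z srv01 sshd[4821]: Accepted password for alice from 10.0.0.5 port 51422"
WINDOWS_LINE = "2024-05-01 12:15:31 +0200|ws07|4624|bob|10.0.0.9|An account was successfully logged on"

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$")

def normalize_syslog(line):
    """Map a syslog-style authentication line onto the common event schema."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    who = re.search(r"for (\S+) from (\S+)", m["msg"])
    return {"ts": ts, "host": m["host"], "source": "syslog", "action": "logon",
            "user": who.group(1), "src_ip": who.group(2), "raw": line}

def normalize_windows(line):
    """Map a pipe-delimited Windows-style record onto the common schema, converting to UTC."""
    ts_s, host, event_id, user, src_ip, _msg = line.split("|")
    ts = datetime.strptime(ts_s, "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)
    action = "logon" if event_id == "4624" else event_id
    return {"ts": ts, "host": host, "source": "windows", "action": action,
            "user": user, "src_ip": src_ip, "raw": line}

def event_key(ev):
    """Stable fingerprint used to recognise the same event forwarded twice."""
    parts = [ev["ts"].isoformat(), ev["host"], ev["user"], ev["action"], ev["src_ip"]]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()

def build_timeline(lines):
    """Normalize, drop duplicates, and order the events on one UTC timeline.
    The original line is kept in 'raw' so the unaltered record stays available."""
    seen, events = set(), []
    for line in lines:
        ev = normalize_windows(line) if "|" in line else normalize_syslog(line)
        if ev is None:
            continue
        key = event_key(ev)
        if key in seen:
            continue
        seen.add(key)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])
```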
SIEM Configuration
A SIEM does the job of several analysts by correlating logs and producing meaningful reports. SIEM products aggregate real-time security events from multiple data sources into an integrated real-time analysis system. SIEMs are most useful when they receive information from a wide variety of sources, which they can aggregate to reveal better insights than any of those sources can produce alone.
Stick to these guidelines when configuring your SIEM [4]:
• Configure your SIEM to aggregate information from many boundary, network, and data defenses, such as firewalls, intrusion detection, enterprise malware tools, and data loss prevention, so that it can drive reports and alerts and correlate their events with other events to provide improved security intelligence.
• Configure your SIEM to identify unauthorized assets and software. By using the SIEM to maintain your inventory of authorized assets and software, you establish a reference baseline.
• Use the SIEM to monitor configurations of hardware and software on servers, workstations, and notebook computers, and provide alerts when a misconfiguration is identified.
• Use the SIEM to monitor configurations of wireless devices and wireless intrusions, and provide alerts when a misconfiguration is identified.
• Use the SIEM to monitor configurations of rules, policies, access control, and other configuration on network devices such as firewalls, routers, and switches.
• Configure the SIEM to report on the unnecessary use of administrator privileges, such as a user with administrative access running a web browser on a server.
• Correlate user activities with user rights and roles to discover violations of least privilege enforcement.
• Configure the SIEM to perform continuous vulnerability assessment and remediation.
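Two of the guidelines above (reporting an administrative account running a web browser on a server, and correlating user activity with assigned roles to find least-privilege violations) expressed as correlation rules. This is an added example, not code from the article or any SIEM product; the asset inventory, role assignments and events are constructed.

```python
from collections import namedtuple

# Constructed reference data a SIEM would hold (not from any real environment).
ASSETS = {"srv-db01": "server", "srv-web02": "server", "ws-alice": "workstation"}
ROLES = {"alice": {"dba"}, "bob": {"helpdesk"}, "carol": {"domain-admin"}}
# What each role is entitled to do; any other activity is a least-privilege violation.
ROLE_ENTITLEMENTS = {"dba": {"db-admin"}, "helpdesk": {"password-reset"},
                     "domain-admin": {"db-admin", "password-reset", "account-create"}}
ADMIN_ROLES = {"domain-admin", "dba"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed normalized events as they would arrive from the collection pipeline.
Event = namedtuple("Event", "ts user host process activity")
EVENTS = [
    Event("2024-05-01T09:00:00Z", "carol", "srv-db01", "chrome.exe", "web-browsing"),
    Event("2024-05-01T09:01:00Z", "bob", "ws-alice", "sqlplus.exe", "db-admin"),
    Event("2024-05-01T09:02:00Z", "alice", "srv-db01", "sqlplus.exe", "db-admin"),
    Event("2024-05-01T09:03:00Z", "alice", "ws-alice", "firefox.exe", "web-browsing"),
]

def admin_browser_on_server(ev):
    """Rule 1: an account holding an administrative role runs a web browser on a server."""
    is_admin = bool(ROLES.get(ev.user, set()) & ADMIN_ROLES)
    return is_admin and ASSETS.get(ev.host) == "server" and ev.process.lower() in BROWSERS

def least_privilege_violation(ev):
    """Rule 2: the activity is not covered by any entitlement of the user's roles.
    Unknown users have no roles and are therefore always flagged."""
    if ev.activity == "web-browsing":
        return False  # ordinary activity; rule 1 covers the case that matters
    allowed = set().union(*(ROLE_ENTITLEMENTS[r] for r in ROLES.get(ev.user, set())))
    return ev.activity not in allowed

def correlate(events):
    """Run both rules over the event stream and return (rule, user, host) alerts."""
    alerts = []
    for ev in events:
        if admin_browser_on_server(ev):
            alerts.append(("admin-browser-on-server", ev.user, ev.host))
        if least_privilege_violation(ev):
            alerts.append(("least-privilege-violation", ev.user, ev.host))
    return alerts
```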
Log Management
Logs are particularly useful when investigating security incidents. These logs provide records of the connections between systems and the amount of data transferred. The organization can use logs to re-create events leading up to and during an incident, but only if the logs haven’t been modified. If attackers can modify the logs, they can wipe out their activity, effectively negating the value of the information. It is important to protect log files against unauthorized access and unauthorized alteration [1].
It is common to store copies of logs on a central system, such as a SIEM, to protect them. Even if an attack modifies or corrupts the original files, personnel can still use the copy to view the events. One way to protect log files is to assign permissions that restrict who can access them. Organizations often have strict policies mandating backups of log files.
Security controls such as setting logs to read-only, assigning permissions, and implementing physical security controls protect archived logs from unauthorized access and modifications. It is important to destroy logs when they are no longer required.
Logging systems should also make use of the Network Time Protocol (NTP) to ensure that the clocks are synchronized on systems sending log entries to the SIEM as well as the SIEM itself. This ensures that information from multiple sources has a consistent timeline.
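The two controls described in this section, detecting alteration of the central log copy and checking that senders' clocks agree with the collector, as an added example that is not from the article. The digest chain is one tamper-evidence technique chosen for illustration; the log lines and receive times are constructed.

```python
import hashlib
from datetime import datetime, timezone

# Constructed log lines as received by the central collector (not real data).
RECEIVED = [
    "2024-05-01T10:15:30Z srv01 sshd: Accepted password for alice from 10.0.0.5",
    "2024-05-01T10:16:02Z srv01 sudo: alice : COMMAND=/usr/bin/systemctl restart nginx",
    "2024-05-01T10:16:40Z srv01 sshd: Disconnected from user alice 10.0.0.5",
]
MAX_SKEW_SECONDS = 30  # tolerated difference between a sender's clock and the collector's

def chain_digests(lines, seed=b"collector-chain-seed"):
    """One hex digest per line; each covers the line and the previous digest, so
    editing, reordering or deleting any line changes every digest after it."""
    digests, prev = [], hashlib.sha256(seed).digest()
    for line in lines:
        prev = hashlib.sha256(prev + line.encode()).digest()
        digests.append(prev.hex())
    return digests

def verify_chain(lines, digests, seed=b"collector-chain-seed"):
    """Recompute the chain for a candidate copy; return the index of the first
    mismatch (or of the first missing/extra line), or -1 if the copy is intact."""
    recomputed = chain_digests(lines, seed)
    for i, (a, b) in enumerate(zip(recomputed, digests)):
        if a != b:
            return i
    return -1 if len(recomputed) == len(digests) else min(len(recomputed), len(digests))

def clock_skew_seconds(line, received_at):
    """Seconds between the sender's timestamp in the line and the collector's receive time."""
    sent = datetime.strptime(line.split()[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return abs((received_at - sent).total_seconds())

def skewed_lines(lines, received_times):
    """Indices of lines whose sender clock disagrees with the collector beyond the tolerance,
    a sign that NTP is not working on that source and its timeline cannot be trusted."""
    return [i for i, (line, rt) in enumerate(zip(lines, received_times))
            if clock_skew_seconds(line, rt) > MAX_SKEW_SECONDS]
```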
Market Players
The major SIEM market players are IBM, Splunk, LogRhythm, ArcSight and AlienVault, as stated in the report “Security Information and Event Management (SIEM) Buyer's Guide and Reviews May 2018” [3]. This report consists of a list of enterprise-level Security Information and Event Management (SIEM) vendors. The reviewers of these products have been validated as real users based on their LinkedIn profiles, to ensure that they provide reliable opinions rather than those of product vendors. The report evaluated the following subjects:
• Valuable features
• Improvements to my organization
• Room for improvement
• Pricing, setup cost, and licensing
How to choose the right SIEM solution?
It is important to ensure that the chosen solution meets both immediate tactical requirements (e.g. log management to meet specific compliance requirements) and longer-term strategic requirements, including security information and event management, network activity monitoring, advanced threat detection, vulnerability monitoring, and/or risk management, among other things. The following items define requirements for choosing a SIEM solution, split into logically connected sections. The SIEM must meet the following requirements (only a few points are listed):
Administration and Configuration Requirements
• Auto-discovery of assets that are being protected or supervised.
• Automated categorization of assets that are being protected.
• API for access to data stored in the information database(s).
• Ability to encrypt communications between components.
• Integration with 3rd party directory systems as an authentication method.
Operational Requirements
• Enable a phased roll-out of log management and security intelligence functions.
• Framework for future expansion and integration with other 3rd party solutions.
• Demonstrate ease of use.
• Maintain high availability.
• Automate internal health checks and notify the user when problems come up.
• Ability to deliver multiple dashboards that can be customized.
• Maintain a database of all assets discovered on the network.
Architectural Requirements
• Integrate with other security and network intelligence solutions.
• Easily expand to support additional demand.
• Distributed database for event and network activity collection.
• Ensure the integrity of the information collected.
• A distributed model for correlation.
• Transparent retrieval, aggregation, sorting, filtering, and analysis of data across all components.
• Passive asset discovery to allow new or possibly unauthorized devices to be tracked.
Log Collection, Retention and Processing Requirements
• Log collection and archive architecture supporting both short-term and long-term event storage.
• Log archives on 3rd party storage.
• Capabilities for efficient storage and compression of collected data.
• Agent-less collection of event logs whenever possible.
• Ability to distribute both event storage and processing across the entire log management deployment.
• Long-term access to detailed security event and network flow data.
• Simple architecture with a single appliance to collect logs and network flow data.
Log Normalization and Categorization Requirements
• Ability to store/retain both the normalized and the original raw format of the event log.
• The ability to normalize and aggregate event fields.
• Real-time event view of monitored information in raw/original as well as processed/parsed form.
Event Filtering and Analysis Requirements
• Near-real-time analysis of events.
• Long-term trend analysis of events.
• The ability to aggregate and analyze events based on a user-specified filter.
• More advanced event drill-down when required.
• A real-time streaming view that supports full filtering capabilities.
• Alerting based on observed anomalies and behavioral changes in network and security events.
• Maintain a history of user authentication activity on a per-asset basis.
• Roll up all events and network flows into single offenses.
• Identify certain protocols that need to be monitored and controlled.
• Profile traffic by application type.
Reporting Requirements
• Configurable reporting engine for customized report creation (incl. templates).
• Out-of-the-box reports for specific compliance regulations and control frameworks.
• Dashboard for quick visualization.
• Automated distribution of reports.
• Capability to provide historical trend reports.
• Ability to centrally deliver vulnerability reports and asset reports.
• Ability to generate reports on flows and events.
• Ability to search across data/log management.
Correlation and Alerting Requirements
• Alerting based on observed security threats from monitored devices.
• The ability to correlate information across potentially disparate devices.
• Alerting based on observed anomalies and behavioral changes in network activity.
• Alerting based on established policy.
• Weighted alerts to allow for prioritization.
• Ability to take action upon receiving an alert.
• The ability to correlate with 3rd party security data feeds and vulnerability scan results.
• Monitor and alert when there is a disruption in log collection from a device.
• An out-of-the-box mechanism to discover and classify assets by system type.
• Correlation for a missing sequence and for additive values over time.
• Mechanism to optimize rule tuning.
• Correlation in real time.
Network Activity Monitoring Requirements
• Display visual traffic profiles in terms of bytes, packet rates and number of hosts.
• Application definition beyond protocol and port.
• Ability to detect “zero-day” events.
• Dynamically learn behavioral norms and expose changes as they occur.
• Detect denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.
• Detect and present views of traffic pertaining to observed threats in the network.
• Identify network traffic from potentially risky applications.
• Display traffic profiles in terms of packet rate.
• Profile and present information in multiple time frames.
• The supported level of customization.
• Collection and analysis of packet capture data.
• Ability to extract specific attributes and use the fields in correlation rules.
• Identify network traffic within a virtual network environment.
• Ability to contextually link application activity on the network with security events.
Advanced Threat Management Requirements
• Ability to contextually link reported security events with real-time knowledge of the assets.
• Ability to automatically weigh the priority of reported security events according to importance.
• Ability to automatically weigh the severity of reported security events.
• Ability to assign credibility ratings to monitored security devices.
• Forensics must include originally logged events, with access to raw events at any time.
Workflow Requirements
• Ability to send notification of correlated alerts.
• An embedded workflow capability that security operations staff can use to guide their work.
• Bi-directional integration with 3rd party trouble ticketing/help desk systems.
• Mechanism to capture all relevant aspects of a security incident in a single logical view.
• Mechanism to annotate a security incident as it is addressed by the security operations staff.
• Mechanism to track security incidents across a wide range of relevant attributes.
Risk Management Requirements
• Ability to compare the configuration of a device before and after configuration changes occur.
• Detect and notify on configuration change.
• Provide a Layer 2/Layer 3 topology of how the network is configured.
• Prioritize vulnerabilities according to the likelihood that they could be compromised.
Data Source Requirements
• Ability to observe all information collected from all devices and services.
• Ability to ingest all information from industry-leading vulnerability scanners.
• Ability to understand virtual hosts within a virtualized environment when looking for suspicious activity.
• Support the ability to create custom device support at no additional cost.
Incident Forensics Requirements
• Must include full packet capture and network forensics capabilities.
• The incident forensics analysis tool must accept input from multiple 3rd party packet capture sources.
• The packet capture and incident forensics capabilities should be especially well equipped.
• The packet capture capability needs to be expansive and accommodate the need to retain information.
Guidelines
SIEMs are most often deployed where compliance with regulations [1], [2] is a key driver.
• Recommended for PCI-DSS deployments
• Recommended for Threat Analytics and Security best practice
• Recommended for various compliance mandates
Observe these guidelines [4] to ensure that your use of a SIEM will enable you to substantiate compliance:
• Preserve data in its original form where required. SIEMs generate new versions of data that may not satisfy some compliance requirements. Be careful to preserve original logs and other data that might be required by applicable regulations and standards.
• To support compliance regulations and help ensure follow-up, configure the SIEM, if possible, to generate important alerts in a form such as support tickets, which automatically document threats you have detected and are following up on.
• Review your logs on a frequent, regular basis.
• Ensure that SIEM monitoring can generate documentation to prove that your systems are frequently scanned for threats and that logs and alerts are regularly reviewed by personnel.
Conclusions
In reality, it is impractical for people to continuously monitor system configurations and traffic activity. However, automation tools such as SIEM systems can help by continuously monitoring items such as software configurations, traffic activity, and access controls, and generating an alert when a change to the system has resulted in a potential security problem that can be resolved by taking specific corrective actions.
A SIEM is one of the most powerful log analysis tools available to you [5]. A properly configured SIEM can provide you with deep insight into the security posture of your IT environment, which helps you make your technical infrastructure more resilient.
References
You will find it useful to review SANS Institute and National Institute of Standards and Technology (NIST) documents when developing your SIEM solution, to gain a fuller understanding of the different security concepts for log and threat management.
[1] https://csrc.nist.gov/publications/detail/sp/800-92/final
[3] https://toolbox.itcentralstation.com/categories/security-information-and-event-management-siem
[4] http://logicaloperations.com/certifications/1/CyberSec-First-Responder/ (CyberSec First Responder: Threat Detection and Response, section “Analyzing Log Data”)
[5] http://public.brighttalk.com/resource/core/197693/security-platform_web-april-2018_418795.pdf