SIEM (Security Information and Event Management) is an effective reactive security solution that offers a bird’s eye view of your network infrastructure.
Its two main functions are detecting security incidents (almost) in real time and managing logs efficiently. These functions, originally referred to as SEM (Security Event Management) and SIM (Security Information Management), respectively, have now been merged into a single feature known as SIEM.
Broadly speaking, SIEM gathers data in the form of logs, events, and flows from multiple network devices, correlates and analyzes it in order to detect incidents and abnormal patterns, and, finally, stores this data for future reference in the form of reports, behavior profiles, etc.
A properly implemented and configured SIEM solution offers organizations:
- Detection of internal/external threats
- Monitoring of user activity and access to resources
- Compliance reporting
- Incident response capabilities
SIEM gathers logs and events from various data sources that can be divided into the following four categories:
- Network devices (routers, switches, etc.)
- Security devices (IDS/IPS, firewall, antivirus, etc.)
- Servers (web, mail, etc.)
A connector retrieves data from each device in these categories and formats it before sending the logs to the SIEM core engine, where they are stored in a database for a certain period of time, depending on the company’s retention policy.
The core engine uses various algorithms and data mining techniques to correlate all the collected data in order to identify suspicious behaviors and patterns, thus greatly facilitating intrusion detection and auditing.
Logs, Events and Flows
A SIEM system can use large amounts of data of different types, including logs, which generally serve a number of purposes such as debugging, system administration, and security audits.
While syslog remains the most popular logging standard, other standards may be used depending on the device. For example, most web servers use the W3C common log file format or other proprietary formats.
Another data type that can be retrieved by SIEM is event data, usually generated by such security devices as IDS (Intrusion Detection System), IPS (Intrusion Prevention System), or IAM (Identity and Access Management).
Events may include data validation failures (such as invalid names and parameters), protocol violations, application errors, and system events (such as runtime errors, connectivity or performance issues, etc.).
In this context, SIEM checks various events for specific conditions and triggers an alarm if they are met. For instance, in case of a port scan, when the firewall receives requests for multiple ports over a short period of time (several seconds), it sends the events to SIEM, which checks if they match the “port scan” rule and alerts the security team if necessary.
There are various event formats for better interoperability and easier device integration, including those developed by ArcSight, IBM, and Splunk.
One more data type used by SIEM is traffic flows. They provide better visibility into network activity and have two main standards: NetFlow and IPFIX.
Once a SIEM solution is deployed, the security team or the SOC (Security Operations Center), as the case may be, usually implements a detection and response strategy based on:
- Signature-based approach: The security system monitors activities and is regularly updated with signatures of known threats. The disadvantage here is that it protects only against known signatures (threats).
- Anomaly-based approach: The system focuses on detecting abnormal behavior. It can help detect unknown threats, but has a much higher false alarm rate. As a result, it takes longer for the security team to investigate events, which increases the probability of true positives being overlooked.
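The two approaches above, and the “port scan” rule described earlier, can be shown side by side on constructed data. The following is an added example written for this article, not code from the original text or from any SIEM product: the first function is a signature-style rule that counts distinct destination ports per source address inside a sliding time window (the window and port threshold are assumptions, not values from the article); the second is an anomaly-style rule that compares each account’s failed-login count for today against that account’s own history. All event and baseline data is constructed for the example.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed firewall events as (timestamp_seconds, src_ip, dst_port); not real data.
# 10.0.0.5 touches six ports in under three seconds; 10.0.0.9 is ordinary traffic.
FIREWALL_EVENTS = [
    (0.0, "10.0.0.5", 22),
    (0.5, "10.0.0.5", 23),
    (1.0, "10.0.0.5", 25),
    (1.5, "10.0.0.5", 80),
    (2.0, "10.0.0.5", 443),
    (2.5, "10.0.0.5", 8080),
    (3.0, "10.0.0.9", 443),
    (60.0, "10.0.0.9", 443),
    (120.0, "10.0.0.9", 80),
]


def port_scan_alerts(events, window_s=5.0, min_ports=5):
    """Signature-style rule (assumed thresholds): raise one alert per source that
    reaches min_ports distinct destination ports within any window_s-second window."""
    alerts = []
    recent = defaultdict(deque)  # src_ip -> deque of (timestamp, port) inside the window
    already_alerted = set()
    for ts, src, port in sorted(events):
        window = recent[src]
        window.append((ts, port))
        # Drop events that fell out of the sliding window.
        while window and ts - window[0][0] > window_s:
            window.popleft()
        distinct = {p for _, p in window}
        if len(distinct) >= min_ports and src not in already_alerted:
            already_alerted.add(src)
            alerts.append({"rule": "port_scan", "src": src, "at": ts, "ports": sorted(distinct)})
    return alerts


# Constructed baseline: failed logins per account over the previous seven days, then today.
BASELINE = {"alice": [2, 3, 1, 2, 2, 3, 2], "bob": [0, 1, 0, 0, 1, 0, 0]}
TODAY = {"alice": 3, "bob": 14}


def anomaly_alerts(baseline, today, z_threshold=3.0, min_sigma=1.0):
    """Anomaly-style rule: flag accounts whose count today sits more than z_threshold
    standard deviations above their own history. min_sigma stops a nearly constant
    history from turning every small change into an alert (one source of false alarms)."""
    alerts = []
    for account, history in baseline.items():
        mu = mean(history)
        sigma = max(pstdev(history), min_sigma)
        value = today.get(account, 0)
        z = (value - mu) / sigma
        if z > z_threshold:
            alerts.append({"rule": "login_anomaly", "account": account, "value": value, "z": round(z, 2)})
    return alerts


if __name__ == "__main__":
    print(port_scan_alerts(FIREWALL_EVENTS))
    print(anomaly_alerts(BASELINE, TODAY))
```

The signature rule fires only on the pattern it was written for, so a scan that spaces probes more than five seconds apart would pass unnoticed. The anomaly rule has no such blind spot, but its output depends entirely on the quality of the baseline and the threshold; lowering `z_threshold` or `min_sigma` is exactly the lever that trades missed detections for the higher false alarm rate the text describes.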
Due to the limitations of each approach, traditional reactive security is no longer enough, and companies must find new, effective ways to protect themselves.
While overall visibility provided by SIEM is a good start, proactive prevention of attacks requires another crucial element: Threat Intelligence.
Threat intelligence is the process of analyzing the identified, collected, and enriched relevant information, both internal and external, about attempted or successful attacks on the organization’s data network.
It is important to understand that threat intelligence is more than just correlation of information, as it provides an assessment of attackers, their motives and methods based on the collected data enriched with context.
When using threat intelligence, an organization can focus its actions on several crucial aspects to ensure efficient protection:
- Who is attacking? Here, attacks and/or malicious activities can be attributed to certain actors (independent hackers or organized groups, governments or national agencies, etc.).
- Why are they doing it? Knowing who is behind an attack helps the security team understand their motives, how much effort they might put into the attack, how targeted the attack might be (an advanced persistent threat).
- What are they looking for? This information allows organizations to prioritize their actions according to the importance of the assets targeted by the attackers.
- How are they doing it? This information includes the way in which the attackers usually proceed, the tools and infrastructures they use, their strategies, techniques, procedures, etc.
- Where do they come from? Knowing the attacker’s country of origin and its current geopolitical landscape can help the security team understand the adversary.
- How to recognize them? This data, also known as technical indicators of compromise (IP addresses, ports, user accounts, etc.), provides evidence that can be used to detect and signal malicious activities.
- How to mitigate them? The steps an organization can take to protect itself.
Threat intelligence may be implemented in different ways depending on who needs it and why:
First, there is strategic threat intelligence which is accessible and not too technical. It is intended to be processed by specialized personnel at all levels within the organization to give them an understanding of the impact of threats or attacks and help them with decision-making. Typical formats of strategic threat intelligence include reports and newsletters.
There is also operational threat intelligence. Here, the analyzed data in a machine-readable format is fed to the devices, allowing them to respond to threats. Operational threat intelligence is usually in XML format to enable exchange across different devices.
Thus, threat intelligence is incorporated into the security lifecycle which involves many stakeholders within the organization.
Internal and External Sources
With proper threat intelligence, an organization can easily eliminate invalid indicators to be able to focus on the threats it is actually facing.
Correlating the threat intelligence provided by third parties with the internal information collected by SIEM provides better insight into attacks in context and helps organizations proactively defend themselves against emerging threats.
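The correlation just described, and the earlier points about technical indicators of compromise and discarding invalid indicators, can be illustrated with a small script. This is an added example written for this article, not code from the original text or from any SIEM or intelligence vendor. It parses constructed syslog-style firewall lines, filters a constructed indicator feed (the field names `value`, `type`, `actor`, `confidence` and `expires` are assumptions for the example, not a real feed format), drops indicators that are malformed, expired or below a confidence floor, and then attaches the actor context of each remaining indicator to the internal events it matches, ordered by confidence.

```python
import ipaddress
import re
from datetime import date

# Constructed syslog-style lines from an internal firewall and a host; not real logs.
SYSLOG_LINES = [
    "Mar 14 10:01:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.45 DST=10.0.0.8 PROTO=TCP DPT=22",
    "Mar 14 10:01:05 fw01 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=10.0.0.8 PROTO=TCP DPT=443",
    "Mar 14 10:02:11 fw01 kernel: ACCEPT IN=eth0 SRC=192.0.2.200 DST=10.0.0.20 PROTO=TCP DPT=443",
    "Mar 14 10:03:00 web01 sshd[4242]: Accepted publickey for deploy from 10.0.0.3 port 51000",
]

# Constructed external indicator feed after parsing; field layout is an assumption.
# One indicator is current, one is low-confidence, one is expired, one is malformed.
INDICATORS = [
    {"value": "203.0.113.45", "type": "ipv4", "actor": "Group-A (constructed)", "confidence": 90, "expires": "2030-01-01"},
    {"value": "192.0.2.200", "type": "ipv4", "actor": "Group-B (constructed)", "confidence": 40, "expires": "2030-01-01"},
    {"value": "198.51.100.7", "type": "ipv4", "actor": "Group-C (constructed)", "confidence": 95, "expires": "2020-01-01"},
    {"value": "999.1.1.1", "type": "ipv4", "actor": "junk", "confidence": 99, "expires": "2030-01-01"},
]

# Constructed "current date" so the expiry check is reproducible.
TODAY = date(2024, 3, 14)

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)
SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_syslog(line):
    """Split a BSD-style syslog line into timestamp, host, tag and message."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def usable_indicators(indicators, today, min_confidence=50):
    """Keep only well-formed, unexpired IPv4 indicators at or above the confidence floor."""
    usable = {}
    for ind in indicators:
        if ind["type"] != "ipv4":
            continue
        try:
            ipaddress.IPv4Address(ind["value"])  # rejects junk such as 999.1.1.1
        except ValueError:
            continue
        if date.fromisoformat(ind["expires"]) < today:
            continue
        if ind["confidence"] < min_confidence:
            continue
        usable[ind["value"]] = ind
    return usable


def correlate(lines, indicators, today):
    """Match the SRC address of each parsed line against usable indicators and
    enrich each hit with the indicator's actor and confidence."""
    by_value = usable_indicators(indicators, today)
    hits = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue
        m = SRC_RE.search(rec["msg"])
        if m is None or m.group(1) not in by_value:
            continue
        ind = by_value[m.group(1)]
        hits.append({
            "ts": rec["ts"], "host": rec["host"], "src": m.group(1),
            "action": rec["msg"].split()[0],
            "actor": ind["actor"], "confidence": ind["confidence"],
        })
    return sorted(hits, key=lambda h: -h["confidence"])


def run_example():
    return correlate(SYSLOG_LINES, INDICATORS, TODAY)


if __name__ == "__main__":
    for hit in run_example():
        print(hit)
```

On this data only the 203.0.113.45 indicator survives filtering, so the analyst sees a single enriched hit instead of three raw matches; the expired and low-confidence entries are exactly the kind of irrelevant alerts the text warns about. The `action` field (here `DROP`) is kept because whether the firewall blocked the connection changes how urgent the hit is.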
External threat intelligence can be obtained from a variety of sources, including cybersecurity providers, independent researchers and laboratories, open-source projects, governments, and industry associations.
It is a good strategy to use threat intelligence tailored to reflect an organization’s specific business context (the environment of a bank differs from that of a factory, just like specific industries differ from each other). This is why security providers offer precise solutions for protection against specific threats existing in different environments.
It is also advisable to obtain generic threat intelligence (applicable to any environment), for example, to prevent leaks of intellectual property or employees’ personal information.
The use of threat intelligence can also improve vulnerability management by providing means of prioritizing security indicators and patches. This helps security personnel focus on the most dangerous vulnerabilities first.
By combining internal and external threat intelligence, organizations can enhance identification of threats in real time, minimize the time spent on analyzing irrelevant alerts and avoid alert fatigue caused by false positives.