In this article, our eighth in the Cybersecurity Awareness Month series, we talk SIEM: what it is, why it’s beneficial and some example use cases pulled from my experience in the security world.
What is SIEM?
SIEM (usually pronounced ‘seem’ or ‘sihm’) stands for Security Information and Event Management. It comes in several forms and various price points, including as a software product, appliance or as a service. SIEM collects log and event information from servers, security devices, network devices and applications. It’s a single window into all of your network activity.
If you like movie references, think of it like the eye of Sauron tirelessly watching your network landscape…
But it doesn’t just collect the data. It normalizes, correlates and sorts everything into useful categories like threats, failed logins, successful logins, firewall allows, firewall denies and more. It provides a security operations analyst with the ability to see your network as more than a series of transactions — rather as a timeline of events that illustrates what people and systems are doing at any given time on your network.
Benefits of SIEM
The primary benefit is better visibility and efficiency. For example, a SIEM product provides easily consumed data for security analysts without them having to collect the information from multiple systems manually. This can save hundreds of hours per year for each analyst, while also helping them eliminate false positives and focus on what is truly important.
Other benefits include:
- Increased speed in identification of potential security threats
- Identification of normal traffic and patterns
- Anomaly detection
- Correlation of logs
- Enhanced reporting
Example Use Case: Triaging Security Events
Your web content filter alerts you of a user trying to repeatedly access a known malicious website.
The Security Operations Center (SOC) analyst or security operator triages the case and starts gathering information from other related systems to corroborate the issue. Here is a summary of steps she might take:
- Look in the content filter to see if this user has gone to any other uncategorized or known malicious sites.
- Pull logs from the firewall to see if any other inbound or outbound connections have been attempted to the malicious IP, and understand how much data was in the attempted payload.
- Look at the ITIL system to identify the user of the internal computer the firewall has identified as the source of the traffic.
- Look in the full packet capture system to figure out if that machine has sent any other data in unusual quantities in the past.
- Check the anti-malware system to ensure that the machine is running the latest version and signatures.
- Check the local information sharing community to see if that site is being actively used in any attacks on the industry at large.
After an hour or two of digging, she finds nothing that definitively shows malicious behavior. It turns out the user mistyped his petsitter’s website URL and accidentally found a Russian hacker’s command and control false front. Just bad luck and nothing to worry about. The analyst adds the malicious site to the company’s DNS black hole and moves along to the next case.
Now imagine she has to try to do this 100 times per day on a busy day, manually triaging these alerts to verify if the event should be categorized as an incident.
The SIEM Approach
With a SIEM in place, the analyst has all of those log data sources (content filter, firewall, ITIL, threat management, full packet capture, anti-malware, and more) in a single pane of glass. Based on the incident’s timestamp and interactive utilization maps, the analyst quickly realizes that this is not a pattern of behavior.
She talks with the user and they both realize the typo. Ten minutes later, it’s time to move on to the next event.
Time saved. Money saved. Labor saved.
Example Use Case: Historical Analysis
A new threat or indicator of compromise (IOC) was identified by your company’s applicable ISAC group.
The security analyst needs to verify that the organization has not been affected by that threat or IOC. Without the SIEM, the security analyst would have to go to each required system (firewall, email content filter, web content filter, endpoint detection platform, etc.) and perform those searches on those systems. It is extremely time consuming, most of the systems do not keep logs with enough history, and logs can be extremely hard to search.
With a SIEM, the security analyst logs into one device, selects the timeframe they want to search, inputs the search criteria from the IOC, and the SIEM identifies whether it’s applicable or not. This saves an immense amount of time. Not only can an analyst search the SIEM, but automated processes can also be put into place to ingest IOCs and look for evidence of compromise in the network.
Time saved. Money saved. Labor saved.
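Both use cases above rest on the same mechanism: logs from different sources are normalized into one schema and then queried together, once to correlate everything around a single alert and once to sweep a timeframe for a new IOC. The following is an added illustration, not code from the original article or any SIEM product; the source formats, hosts, domains and thresholds are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample records from two hypothetical sources, already split into fields.
PROXY_RAW = [  # content filter: (time, user, host_ip, domain, verdict)
    ("2023-10-10T09:14:05", "jdoe", "10.1.5.23", "petsiter.example", "blocked"),
    ("2023-10-10T09:14:09", "jdoe", "10.1.5.23", "petsiter.example", "blocked"),
    ("2023-10-10T09:15:30", "jdoe", "10.1.5.23", "petsitter.example", "allowed"),
]
FIREWALL_RAW = [  # perimeter firewall: (time, src_ip, dst_ip, bytes_out, action)
    ("2023-10-10T09:14:05", "10.1.5.23", "203.0.113.7", 512, "deny"),
    ("2023-10-10T09:14:09", "10.1.5.23", "203.0.113.7", 512, "deny"),
    ("2023-10-08T02:00:00", "10.1.7.40", "203.0.113.7", 98304, "allow"),
    ("2023-10-09T02:00:00", "10.1.7.40", "203.0.113.7", 98304, "allow"),
]

def normalize(proxy, firewall):
    """Map both sources onto one schema so they can be queried together."""
    events = []
    for t, user, host, domain, verdict in proxy:
        events.append({"time": datetime.fromisoformat(t), "source": "proxy", "host": host,
                       "user": user, "indicator": domain, "action": verdict, "bytes": 0})
    for t, src, dst, nbytes, action in firewall:
        events.append({"time": datetime.fromisoformat(t), "source": "firewall", "host": src,
                       "user": None, "indicator": dst, "action": action, "bytes": nbytes})
    return sorted(events, key=lambda e: e["time"])

def triage(events, host, indicators, alert_time, window=timedelta(days=7)):
    """Correlate every source's view of one host around an alert.
    One short burst with nothing actually transferred looks like a typo; repeated
    contact across separate hours, or a real outbound transfer, gets escalated."""
    related = [e for e in events if e["host"] == host and e["indicator"] in indicators
               and abs(e["time"] - alert_time) <= window]
    bursts = {e["time"].replace(minute=0, second=0) for e in related}  # distinct hours
    bytes_out = sum(e["bytes"] for e in related if e["action"] == "allow")
    verdict = "isolated" if len(bursts) <= 1 and bytes_out < 4096 else "escalate"
    return {"verdict": verdict, "hits": len(related), "bursts": len(bursts), "bytes_out": bytes_out}

def ioc_search(events, indicator, start, end):
    """Historical check of a new IOC across all retained sources in a timeframe."""
    hits = {}
    for e in events:
        if e["indicator"] == indicator and start <= e["time"] <= end:
            hits[e["source"]] = hits.get(e["source"], 0) + 1
    return hits

if __name__ == "__main__":
    ev = normalize(PROXY_RAW, FIREWALL_RAW)
    print(triage(ev, "10.1.5.23", {"petsiter.example", "203.0.113.7"}, datetime(2023, 10, 10, 9, 14)))
    print(ioc_search(ev, "203.0.113.7", datetime(2023, 10, 1), datetime(2023, 10, 31)))
```

The first query reproduces the typo case from the triage walkthrough (one burst, nothing sent); the second shows why the IOC sweep still matters, since the same destination shows up in firewall history from a different host that the single alert never mentioned.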
Tips for Effective SIEM Implementation
Here are some additional tips to consider if you are looking at implementing a SIEM solution:
- Find a product and a service that fits your company’s needs.
- Make sure the SIEM is ingesting ALL of the requisite information — not just an IDS at the border.
- Make sure the people monitoring it know what they’re doing! There are services in the marketplace that claim to serve as an effective SIEM, but they’re run by entry-level, poorly-trained, often offshore resources who are ill-equipped to understand your network and the threats it faces.
- This is arguably one of the most important security tools you have in your environment. Don’t get bamboozled.
Security Operations teams utilize the SIEM to more quickly identify, review and respond to security events before they turn into security incidents. The SIEM and its centralized log management allow for faster and more thorough analysis, reducing the severity that a security incident could inflict on an organization.
While the SIEM can make your security operations better, cheaper, faster, and more effective, there is one important thing to keep in mind — it’s not an automatic cure-all. The SIEM does some seriously heavy lifting but an organization still needs someone to keep an eye on the alerts it generates.
To gain the full value and return on your investment, companies of all sizes should look to a 24/7/365 Managed Security Service Provider (MSSP) to run the SIEM and respond to the alerts generated within your organization. Because the bad guy doesn’t just work 9-5 M-F…
Contact our team at Alpine Cyber and we can guide you through the process and explain your best options.
Happy Cyber Security Awareness Month! If you missed our recent posts we covered IoT, cloud security, phishing attacks, vulnerability management, and identity theft tips. Follow us on LinkedIn and Twitter for these and more cybersecurity topics each week.