Who is attacking you today?
How did they manage to sneak past your defenses?
How did they get access to all of your corporate secrets?
Only your 'LOGS' can tell you that...
Log collection is the heart and soul of a SIEM. The more log sources that send logs to your SIEM, the more you can accomplish with it. Some time back it was estimated that a Fortune 500 enterprise's infrastructure can generate 10 Terabytes of plain-text log data per month!
Your network is also generating some vast amounts of log data.
Most security controls you implement will record the things they have detected, but they don't tell you what happened BEFORE the event and what happened AFTER it. The irony is that this "before/after" context is vital, because it allows you to separate false positives from TRUE detections. This context is the difference between detecting an actual attack and chasing after a merely misconfigured system.
WHY?
Because most successful attacks on computer systems rarely look like real attacks, except in hindsight. That's why we need 'human' security analysts at some point in detection/response. Another reason is that attackers may try to remove or falsify log entries to cover their tracks. For this reason, having a protected source of log information that can be trusted is also vital to any legal proceeding arising from computer misuse. Right?
-
What Logs You May Want In Your SIEM?
All the logs from all the critical components of your network and business infrastructure. You may want logs from your firewall, your key servers, your Active Directory server, your key applications, your database servers, your IDS and antivirus, your web server, and so on...
So the point is straight and simple: you have to THINK about ALL the key elements of your network from a business point of view. You have to think about all the important parts of your infrastructure which are critical to your business operations.
1. The best place to start is 'Business Information', which is non-log in nature. You want and need to know the process maps of all important business processes. Most IT people wouldn't want to believe me, but it is true. You may want to know the persons sitting at the various important points of contact between those processes and the company's customers. You may want to know the same for the company's vendors, suppliers, and all third parties.
2. Now you need to collect information about your infrastructure; this is also non-log in nature. You surely want the whole configuration of the network: network maps, locations, owners of the systems, configuration settings (documents, config files), existing vulnerability reports, software inventory, etc.
3. Now comes the real LOGS part. You will need logs from all of your network infrastructure: routers, switches, domain controllers, WiFi access points, application servers, databases, intranet applications, etc.
4. Next come all the logs generated by your security solutions: firewalls, honeypots, web filters, VPN concentrators, DLP solutions, endpoint security solutions (such as antivirus and antimalware), IDS, etc.
-
The enormity of the log entries creates a flood of false positives. A large number of alerts are triggered and the whole Incident Response Team gets roasted in the oven. Unless you fine-tune your SIEM properly, that flood of alerts will always be there.
REMEMBER: when something malicious actually does happen, there will usually be more than one record of it. Let's take this simple example...
If your web proxy detects that possible malware was downloaded from a site to a host, and the antivirus on that host also reports "malware was detected and removed", you can absolutely confirm that this website is serving malware.
Your SIEM operates as a kind of converging point where the logs from all the other systems come together to give you a more complete context of what is happening and where.
The SIEM gives your analysts access to information from the systems that make up your infrastructure, without giving them access to the systems themselves.
Then, the 'Event Correlation' functionality of SIEM allows you to encode security knowledge into automated searches across events and asset information, to alert on things happening within your infrastructure. Thus, it creates a starting point for human analysis into a sea of log data.
But remember: any SIEM is only as good as the data you put into it.
That's why a quality SIEM includes quite a few essential security capabilities, including asset discovery, vulnerability assessment, threat detection, behavioral monitoring and security intelligence...
-
Event Correlation (Network Level events & Host-Level events)
Just as log correlation can be used to identify particular sequences of log events from devices, the events from the IDS can be factored into those sequences too. This comparison between network-level and host-level events can automatically perform some of the initial validation that would normally need to be performed by an analyst manually.
For example, the IDS may show an attack attempt, but on its own may have no way to validate that it was successful. A host’s logs may show a new administrative user being added, but the IDS has no way to determine if this was done maliciously. However, taking into account the sequence of the IDS alarm, followed almost immediately by the creation of an admin account – is a sequence of events that literally shouts “successful attack.” Without unified security management, it would require a human to figure this out.
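The two correlations described above (proxy download confirmed by antivirus on the same host, and an IDS alarm followed within minutes by a new admin account on the attacked host) are the same pattern: a trigger event from one log source, confirmed by a second source on the same asset inside a time window. The following is an added example, not code from the article, of a minimal rule engine that does exactly that. The log line format, hostnames, event names and signature name are constructed for the demo and do not correspond to any vendor's real format; the IDS alert on srv-web3 is included deliberately, because without a confirming host event it stays an unvalidated alert rather than an incident.

```python
"""Added example (not from the article): a tiny sequence-correlation engine.

A rule says: a *trigger* event from one log source, followed on the same host
within a time window by a *confirming* event from another source, is escalated
to an incident. Everything below (line format, hosts, event names) is
constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    source: str   # device that wrote the log line (proxy, av, ids, host)
    kind: str     # normalised event type, e.g. "av.malware_removed"
    host: str     # asset the event is about
    fields: dict  # remaining key=value pairs


@dataclass
class Rule:
    name: str
    trigger: str
    confirm: str
    window: timedelta


def parse_line(line: str) -> Event:
    """Parse one constructed 'ISO-timestamp source key=value ...' line."""
    ts, source, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    kind = f"{source}.{fields.pop('event')}"
    return Event(datetime.fromisoformat(ts), source, kind, fields.pop("host"), fields)


# Constructed sample logs from a web proxy, antivirus, IDS and host audit log,
# already mapped by the collector onto a common 'host' field.
RAW_LOGS = [
    "2024-05-01T10:00:05 proxy event=malware_download host=ws-17 url=bad.example/x.exe",
    "2024-05-01T10:01:10 av event=malware_removed host=ws-17 name=Trojan.Generic",
    "2024-05-01T11:30:00 ids event=exploit_attempt host=srv-db1 sig=DEMO_RCE_ATTEMPT src=10.9.8.7",
    "2024-05-01T11:31:40 host event=admin_user_added host=srv-db1 user=svc_backup2",
    "2024-05-01T12:00:00 ids event=exploit_attempt host=srv-web3 sig=DEMO_RCE_ATTEMPT src=10.9.8.7",
    "2024-05-01T13:00:00 host event=admin_user_added host=srv-app1 user=helpdesk",
]

RULES = [
    # Article's first example: proxy sees a download, AV on the same host confirms it.
    Rule("malware_site_confirmed", "proxy.malware_download", "av.malware_removed",
         timedelta(minutes=10)),
    # Article's second example: IDS alarm followed almost immediately by a new admin.
    Rule("ids_alert_then_admin_added", "ids.exploit_attempt", "host.admin_user_added",
         timedelta(minutes=5)),
]


def correlate(events: list[Event], rules: list[Rule]) -> list[dict]:
    """Return one incident per (rule, trigger) pair that has a confirming event."""
    events = sorted(events, key=lambda e: e.ts)
    incidents = []
    for rule in rules:
        for trig in (e for e in events if e.kind == rule.trigger):
            # First confirming event on the same host inside the window wins;
            # a trigger with no confirmation is left for manual validation.
            confirm = next((e for e in events
                            if e.kind == rule.confirm and e.host == trig.host
                            and trig.ts <= e.ts <= trig.ts + rule.window), None)
            if confirm is not None:
                incidents.append({"rule": rule.name, "host": trig.host,
                                  "trigger": trig, "confirm": confirm})
    return incidents


def run_demo() -> list[dict]:
    """Correlate the constructed logs with the two rules above."""
    return correlate([parse_line(line) for line in RAW_LOGS], RULES)


if __name__ == "__main__":
    for inc in run_demo():
        print(f"{inc['rule']}: {inc['host']} "
              f"({inc['trigger'].ts.time()} -> {inc['confirm'].ts.time()})")
```

Running it yields two incidents (ws-17 and srv-db1); the srv-web3 IDS alert and the srv-app1 admin account each appear alone and so are not escalated. A production engine would index events by host rather than scanning the list per trigger, but the matching logic is the same.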
-
Cross Correlation of events (Across Devices) is equally important.
Consider data moving between systems where it would not normally move, or accounts logging on at unusual times or from unusual places – these may not generate specific security alerts, but can be much more easily spotted and flagged by a log correlation solution that sees everything in your environment.
IDS signatures are an indicator of an attack, not an infallible identifier of attacks. Your analysts must examine the traffic that triggered the signature and validate malicious intent before proceeding with any further investigation. With a traditional SIEM, this often requires logging into the IDS management interface to cross-reference the event in the SIEM with the event details in the IDS. Traditional SIEMs are entirely too much work for the typical small or medium business.
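The "accounts logging on at unusual times or from unusual places" case above needs a different technique from sequence matching: a per-account baseline learned from earlier logons, against which new logons are compared. The following is an added example, not code from the article, of such a baseline check. The logon records, account names and location labels are constructed; a real deployment would derive the location from the source address and learn the baseline over a much longer history.

```python
"""Added example (not from the article): flag logons at unusual hours or from
unusual places against a per-account baseline learned from earlier logons.
All records below are constructed for the demo.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Logon:
    ts: datetime
    account: str
    location: str  # site or region the source address was mapped to


def parse_logon(line: str) -> Logon:
    """Parse one constructed 'ISO-timestamp account location' line."""
    ts, account, location = line.split()
    return Logon(datetime.fromisoformat(ts), account, location)


# Constructed history of ordinary logons used to learn the baseline.
HISTORY_LINES = [
    "2024-04-22T08:05:00 alice hq",
    "2024-04-22T17:30:00 alice hq",
    "2024-04-23T08:10:00 alice hq",
    "2024-04-23T17:45:00 alice hq",
    "2024-04-22T09:00:00 bob branch",
    "2024-04-23T09:02:00 bob branch",
    "2024-04-24T09:01:00 bob vpn-home",
]

# Constructed new logons to evaluate against that baseline.
NEW_LINES = [
    "2024-05-01T08:30:00 alice hq",        # usual hour, usual place
    "2024-05-02T03:10:00 alice hq",        # 03:00 never seen for alice
    "2024-05-02T10:00:00 bob vpn-abroad",  # hour is fine, location is new
    "2024-05-02T12:00:00 carol hq",        # account has no history at all
]


def build_baseline(history: list[Logon]) -> dict[str, dict]:
    """Per account: the hours of day and locations seen in the history."""
    base: dict[str, dict] = defaultdict(lambda: {"hours": set(), "locations": set()})
    for logon in history:
        base[logon.account]["hours"].add(logon.ts.hour)
        base[logon.account]["locations"].add(logon.location)
    return dict(base)


def hour_distance(a: int, b: int) -> int:
    """Distance between two hours of day on the 24-hour clock (23 and 0 are 1 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def unusual(logon: Logon, baseline: dict[str, dict], hour_slack: int = 1) -> list[str]:
    """Return the reasons a logon deviates from the account's baseline (empty if none)."""
    profile = baseline.get(logon.account)
    if profile is None:
        return ["no baseline for account"]
    reasons = []
    if all(hour_distance(logon.ts.hour, h) > hour_slack for h in profile["hours"]):
        reasons.append(f"hour {logon.ts.hour:02d} outside usual hours")
    if logon.location not in profile["locations"]:
        reasons.append(f"location {logon.location} never seen before")
    return reasons


def flag(new: list[Logon], baseline: dict[str, dict]) -> list[tuple[Logon, list[str]]]:
    """Keep only the logons that have at least one deviation reason."""
    return [(logon, reasons) for logon in new if (reasons := unusual(logon, baseline))]


def run_demo() -> list[tuple[Logon, list[str]]]:
    baseline = build_baseline([parse_logon(line) for line in HISTORY_LINES])
    return flag([parse_logon(line) for line in NEW_LINES], baseline)


if __name__ == "__main__":
    for logon, reasons in run_demo():
        print(f"{logon.ts} {logon.account}@{logon.location}: {'; '.join(reasons)}")
```

Three of the four new logons are flagged (alice at 03:10, bob from vpn-abroad, and carol with no history); alice's 08:30 logon from hq matches her baseline and passes silently. The one-hour slack is a tunable parameter: too small and shift changes flood the queue, too large and genuinely odd hours slip through.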
-
Please let me know what you think about this in the comment section. You can also share with everyone whether the information shared here helps you in some manner.
Kindly write your comments on the posts or topics, because when you do that you help me greatly in designing new quality articles/posts on cybersecurity.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and on social media platforms.
34,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:
Click Here to follow her: Cybersecurity PRISM