The Hardening of the Core (Part 1) - Security information and event management

by [Published on 11 Dec. 2013 / Last Updated on 11 Dec. 2013]

This article will focus on the importance of SIEM and why it is needed to achieve a higher level of security posture whilst hardening the core.

If you would like to read the next part in this article series please go to The Hardening of the Core (Part 2) - Network Access Control.

SIEM aids security professionals in the correlation and real-time analysis of security alerts generated by network devices, hardware and software. Less mature IT departments typically have to do without this element, but it forms part of the maturity model that most mature organisations have adopted or are adopting, and it is found in optimised, well-run IT operations.

How can you manage something you are not monitoring?

Introduction

Security information and event management (SIEM) combines the functions of security information management (SIM) and security event management (SEM) into one management system. The biggest driving force for SIEM adoption in most organisations is real-time detection of and response to threats; however, this is only one small piece of the SIEM puzzle. SIEM is far more advantageous than that and should be seen as an important part of an organisation's route to a secure IT operation, addressing potential security threats, compliance and risk management challenges, especially in today's large and continually growing organisations, which are more dispersed, multifaceted and demanding to manage.

SIEM, SIM and SEM

The definitions of SIM, SEM and SIEM keep shifting; there is no firm agreement on their definitive characteristics. This being said, organisations are often confronted with the challenge of clearly identifying their unique requirements before specifying and adopting these systems. The real challenge is that there is so much data to trawl through that the task alone is overwhelming, even for a well-resourced IT department or internal security department.

What are the differences between the solutions?

SIM general functions:

  • log management and reporting for security events through the collection and analysis of data
  • record keeping
  • compliance reporting to demonstrate and maintain regulatory compliance
  • compliance management through policies
  • analysis of security threats and threat management
  • forensics

SEM general functions:

  • real time monitoring for security events
  • threat monitoring and identification
  • support the organisation or IT representative in identifying and responding to security threats immediately, through event correlation (covering multiple devices and locations) and incident response

SIEM:

The increasingly multifaceted user environment has steered organisations toward the SIEM solution, which combines the functions of SIM and SEM to cover requirements that are rarely precisely defined. Because both are combined in a single solution, the organisation is relieved of the need to decide in advance which of the two it needs.

The importance of SIEM

  • Compliance

Compliance is a fundamental requirement across industry. All organisations must ensure that they are complying with one or more regulations, and achieving and then maintaining compliance is formidable for most. A SIEM helps address these requirements: it collects large volumes of event data from across the estate and produces the analysis and reports that auditors ask for.

  • Operation Support

Operations are often fragmented among different groups and support teams, which makes it harder to share and collect data and to collaborate when problems occur. A SIEM collects information from unrelated systems and brings it together in one place for viewing and collaboration.

  • Threat Detection

Attack trajectories are ever changing and organisations remain vulnerable to many forms of attack. Other commonly used defences, e.g. firewalls and antivirus, detect malicious activity at particular points within the IT infrastructure, typically by matching known signatures. A SIEM works differently: because it correlates events from many sources over time, it can surface attacks that exploit unknown vulnerabilities, for which no signature exists, by recognising the behaviour around the exploit (for example a burst of failed logins across several hosts followed by a success, or a workstation that suddenly starts talking to a database server). That is not guaranteed zero-day detection, but used in conjunction with the traditional solutions a SIEM improves security by catching threats that make their way past them.
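As an added illustration of the behavioural correlation described above (example code written for this edit, not code from the original article or from any SIEM product), the rule below flags a successful login that follows a burst of failed logins from the same source address across any number of hosts inside a short window. It matches behaviour, not a signature, so it does not need to know which vulnerability or tool the attacker used. The key=value log format, host names and RFC 5737 test addresses are constructed for the example.

```python
"""Cross-device correlation rule: a successful login preceded by a burst of
failed logins from the same source address, on any host, inside a window.
Added example; the key=value log format, host names and RFC 5737 test
addresses below are constructed for illustration, not real data."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, as a SIEM might hold them after normalisation.
SAMPLE_LOGS = """\
2013-12-11T09:00:01 host=vpn01 event=auth_fail src=203.0.113.7 user=jsmith
2013-12-11T09:00:03 host=web02 event=auth_fail src=203.0.113.7 user=admin
2013-12-11T09:00:05 host=vpn01 event=auth_fail src=203.0.113.7 user=root
2013-12-11T09:00:06 host=db01 event=auth_fail src=203.0.113.7 user=sa
2013-12-11T09:00:09 host=web02 event=auth_ok src=203.0.113.7 user=admin
2013-12-11T09:01:00 host=web02 event=auth_fail src=198.51.100.4 user=bob
2013-12-11T09:30:00 host=web02 event=auth_ok src=198.51.100.4 user=bob
"""


def parse_event(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime."""
    ts_str, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts_str)
    return event


def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """Emit one alert per auth_ok that follows >= threshold auth_fail events
    from the same src within `window`, regardless of which hosts were hit."""
    failures = defaultdict(deque)  # src -> deque of (ts, host), oldest first
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        src, ts = ev["src"], ev["ts"]
        recent = failures[src]
        while recent and ts - recent[0][0] > window:  # expire failures outside the window
            recent.popleft()
        if ev["event"] == "auth_fail":
            recent.append((ts, ev["host"]))
        elif ev["event"] == "auth_ok" and len(recent) >= threshold:
            alerts.append({
                "src": src,
                "user": ev["user"],
                "success_host": ev["host"],
                "failures": len(recent),
                "failed_hosts": sorted({h for _, h in recent}),
                "first_fail": recent[0][0],
                "success_at": ts,
            })
            recent.clear()  # one alert per burst, not one per later success
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

On the sample above the rule fires once, for 203.0.113.7, and reports that the failures were spread over db01, vpn01 and web02 before the success on web02; the single failure from 198.51.100.4 followed by a success half an hour later is outside the window and is ignored. Threshold and window are the knobs you tune against your own false-positive rate, which is exactly the "be prepared for false positives" work described later in the article.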

  • Forensic Investigation

With the proliferation of devices and applications, the complexity of the environment and the abundance of data from multiple sources, forensic investigation without a working SIEM solution is daunting. A SIEM allows for prompt, comprehensive forensic investigations whose findings can be admissible in court, provided the logs are stored with integrity protection, synchronised timestamps and a documented chain of custody. A SIEM stores and protects logs and provides the tools to efficiently traverse and correlate data across the IT infrastructure to detect security, operational and compliance issues.
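"Storing and protecting" logs is what turns them into evidence. One common technique is to chain each stored record to its predecessor with a keyed hash (HMAC), so that editing, deleting or inserting any record breaks the chain, and to publish the chain head somewhere the log server cannot overwrite so that truncation of the tail is caught as well. The block below is an added example for this edit, not code from the original article or from any product; the key, the sample events and the anchoring step are assumptions.

```python
"""Tamper-evident log store: every record's HMAC covers the previous record's
HMAC, so editing, deleting or inserting a record breaks the chain.  Added
example; the key and the sample events are constructed for illustration."""
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # chain head before the first record


def _mac(key, prev, entry):
    """HMAC-SHA256 over (previous MAC || canonical JSON of this record)."""
    return hmac.new(key, prev + entry.encode(), hashlib.sha256).digest()


class ChainedLogStore:
    def __init__(self, key):
        self.key = key        # held by the collector, never stored beside the logs
        self.records = []     # list of (entry_json, mac_hex)
        self._last = GENESIS

    def append(self, event):
        entry = json.dumps(event, sort_keys=True)  # canonical form, so re-serialising verifies
        mac = _mac(self.key, self._last, entry)
        self.records.append((entry, mac.hex()))
        self._last = mac
        return mac.hex()

    def head(self):
        """Current chain head. Publish it where the log server cannot overwrite
        it (WORM media, a signed statement, a second system) so that truncation
        of the tail is detectable too."""
        return self._last.hex()


def verify_chain(records, key, anchor=None):
    """Recompute the chain. Returns (True, None) if intact, otherwise
    (False, index) where index is the first record that fails, or
    len(records) when the chain is shorter than the published anchor."""
    prev = GENESIS
    for i, (entry, mac_hex) in enumerate(records):
        expected = _mac(key, prev, entry)
        if not hmac.compare_digest(expected.hex(), mac_hex):
            return False, i
        prev = expected
    if anchor is not None and not hmac.compare_digest(prev.hex(), anchor):
        return False, len(records)
    return True, None


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"ts": "2013-12-11T09:00:01", "host": "vpn01", "event": "auth_fail", "user": "jsmith"},
    {"ts": "2013-12-11T09:00:03", "host": "web02", "event": "auth_fail", "user": "admin"},
    {"ts": "2013-12-11T09:00:09", "host": "web02", "event": "auth_ok", "user": "admin"},
]
DEMO_KEY = b"demo-only-key-replace-in-production"  # assumption for the example


def build_demo_store(key=DEMO_KEY, events=SAMPLE_EVENTS):
    store = ChainedLogStore(key)
    for ev in events:
        store.append(ev)
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print("intact:", verify_chain(store.records, DEMO_KEY, store.head()))
    edited = list(store.records)
    edited[1] = (edited[1][0].replace("auth_fail", "auth_ok"), edited[1][1])
    print("edited record 1:", verify_chain(edited, DEMO_KEY))
    print("tail truncated, anchor checked:", verify_chain(store.records[:-1], DEMO_KEY, store.head()))
```

Note what the chain does and does not give you: an in-place edit or a deletion in the middle is caught at the first affected record, but dropping the newest records passes verification unless the published anchor is checked, and anyone holding the key can rewrite the whole chain. The key must therefore live only on the collector (or in an HSM), and the anchor must be written somewhere an attacker who owns the log server cannot reach.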

  • Log management and reporting

A SIEM allows for cost-effective, instant access to current log data, retrieval of older or archived data, indexing of data, storage and reporting, and it can manage large amounts of data. The system also has alerting and correlation capabilities, as well as audit support for compliance reporting (covering user and resource access reporting).

Ensuring your SIEM system is working optimally

SIEM solutions are complex products and usually take considerable effort to get working at optimal performance. By design they collect log and event data from multiple devices, apply procedures for real-time correlation and direct alerts for discovered events, all simultaneously; there is a lot going on.

SIEM is not without its challenges. Organisations are often frustrated with the effectiveness of SIEM systems in their default configurations, yet never devote the time required to obtain the value that SIEM can deliver. Initial deployment is the easy part; reaching the point at which the SIEM delivers clear and substantial results requires your time and hard work. The organisation will need to spend time mapping the relationships between events and risks and creating the required logs, rules and correlations.

Areas that could be affecting SIEM performance:

  • Data collection: a balance must be found between collection, storage and analysis
  • Data volumes in some organisations are extremely high, and with limited resources data management becomes overwhelming
  • Continually changing user behaviour, e.g. social media, mobile devices and mobile computing
  • Increase of devices and applications in the workplace
  • Management of the monitoring system
  • Increased complexity of security threats
  • Inability to interpret the data

Steps towards achieving better performance

  1. Secure a SIEM team
    Your monitoring is only as good as the team the organisation assigns to the SIEM. The team responsible for managing, monitoring and configuring the system, and for extracting the required information from the logs, must be knowledgeable.
  2. Establish an effective monitoring program
  • Identify exposure: have a good understanding of your vulnerabilities and areas of security weakness
  • Focus on the results or information you are trying to retrieve
  • Identify which systems or components to monitor, in order of priority; with such a list, the assets in the highest-risk areas are monitored first
  • Consider integrating the SIEM into applications
  • Recognise early that some applications do not generate log data that can be incorporated in the SIEM; knowing this up front saves a lot of hassle later on
  • Identify which events the organisation should be alerted about and what information needs to be known about each asset
  • If you are not finding all the information you require, adjust the system: change the logging levels or install additional systems that provide the information you need
  • Collect data on behalf of the range of groups that may benefit from the collected log data
  3. Configuring your SIEM
  • Choose the first asset on the list as the initial setup component; the initial configuration will be the most cumbersome. To configure the asset or group correctly you need a good understanding of the requirements, the components and the events of that particular group
  • Develop the policies and rules
  • Be prepared for false positives
  • Starting with a group that has clear compliance requirements makes the initial configuration a lot easier
  • Determine the events that will indicate non-compliance and breach of policy
  • Leave room to add new SIEM capabilities at a later stage if necessary
  4. Analysis
  • Analyse the systems associated with the asset
  • Systematically extract information from logs, event streams and systems to detect security threats, according to the events previously determined to indicate non-compliance or a breach of security
  • Referential data is as important as the real-time data: asset lists, vulnerability scan results and threat intelligence. This data is important when prioritising events and can save time during investigation
  • Place emphasis on correlation capabilities, as these can associate events that people would not usually connect
  • Once the SIEM has been implemented, the data being collected should be assessed periodically.
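As an added example that pulls steps 2 to 4 together (written for this edit, not code from the article or from any SIEM), the block below enriches correlated alerts with the referential data the last step mentions: an asset list carrying criticality and owner, vulnerability scan findings and a threat intelligence indicator list. The inventories, the alerts, the RFC 5737 addresses and the scoring weights are all constructed assumptions; the point is that the same rule firing ranks very differently depending on what it hit and who sent it, and that an alert against a host missing from the inventory is itself a finding.

```python
"""Prioritise correlated alerts with referential data (asset list, vulnerability
scan results, threat intelligence).  Added example; every inventory and alert
below is constructed, and the scoring weights are an assumption to be tuned."""

# Constructed asset inventory: criticality 1 (low) .. 3 (crown jewel).
ASSETS = {
    "db01":   {"criticality": 3, "owner": "dba-team"},
    "web02":  {"criticality": 2, "owner": "web-team"},
    "kiosk7": {"criticality": 1, "owner": "facilities"},
}

# Constructed scan results: host -> services with open findings.
VULN_SCAN = {
    "db01":   {"mssql"},
    "kiosk7": {"smb", "rdp"},
}

# Constructed indicator list from a threat intelligence feed.
THREAT_INTEL = {"203.0.113.7"}

# Constructed alerts, in the shape a correlation rule would emit them.
ALERTS = [
    {"id": 1, "rule": "bruteforce_success", "severity": 3, "src": "198.51.100.4", "dst": "kiosk7", "service": "rdp"},
    {"id": 2, "rule": "bruteforce_success", "severity": 3, "src": "203.0.113.7", "dst": "db01", "service": "mssql"},
    {"id": 3, "rule": "port_scan", "severity": 1, "src": "203.0.113.7", "dst": "web02", "service": None},
    {"id": 4, "rule": "bruteforce_success", "severity": 3, "src": "192.0.2.9", "dst": "unknown-host", "service": "ssh"},
]

UNKNOWN_ASSET_CRITICALITY = 2  # assumption: treat hosts missing from inventory as medium, and flag them


def score(alert):
    """Return (score, reasons): rule severity scaled by asset criticality,
    doubled for a known-bad source, boosted when the targeted service has
    an open scan finding on that host."""
    asset = ASSETS.get(alert["dst"])
    criticality = asset["criticality"] if asset else UNKNOWN_ASSET_CRITICALITY
    total = alert["severity"] * criticality
    reasons = []
    if alert["src"] in THREAT_INTEL:
        total *= 2
        reasons.append("source is a known indicator")
    if alert["service"] and alert["service"] in VULN_SCAN.get(alert["dst"], set()):
        total += 3
        reasons.append("target has an open finding on %s" % alert["service"])
    if asset is None:
        reasons.append("asset not in inventory: fix the asset list")
    return total, reasons


def prioritise(alerts):
    """Enrich every alert with score, reasons and owner; highest score first,
    ties broken by alert id so the order is stable."""
    ranked = []
    for alert in alerts:
        total, reasons = score(alert)
        owner = ASSETS.get(alert["dst"], {}).get("owner", "unassigned")
        ranked.append({**alert, "score": total, "reasons": reasons, "owner": owner})
    ranked.sort(key=lambda r: (-r["score"], r["id"]))
    return ranked


if __name__ == "__main__":
    for r in prioritise(ALERTS):
        print(r["score"], r["id"], r["rule"], r["dst"], r["owner"], r["reasons"])
```

Run on the constructed data, the brute force against db01 from a known-bad address with an open finding on the very service it hit (score 21) goes to the top and is routed to the database owner, while the identical rule firing against a kiosk scores 6, and the port scan from the same bad address against web02 scores only 4. Alert 4 scores 6 on the assumed default but carries a reason that the host is not in the inventory, which is the "adjust the system" feedback loop from step 2.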

One question my security team is often asked is: do we need to do this ourselves, and is this something we need? If you read the above I think you will agree that if you're not monitoring you're not managing, and that there is a lot more to SIEM than meets the eye. If you're not ready to take on this responsibility but you still think you should be investing in SIEM, the option is to work with experts who can implement or run the solution on your behalf. Starting is the hardest part; my advice is that the sooner you monitor, the sooner you have visibility of what you didn't know was happening on your systems and network.

Conclusion

The decision to deploy SIEM depends on a number of factors, including business requirements, the available support personnel, network architecture, the maintenance window and bandwidth. To get the most out of SIEM technology, considerable initial effort is needed. The SIEM is as valuable as the effort put into understanding and using it; without that configuration effort it is merely a log manager. With its ability to automate log monitoring, pattern recognition, alerting, forensics and correlation, SIEM technology is the way to a well-run and mature IT operation.
