In the first part of this four-part series, we covered the need for SIEM solutions and explained the fundamentals. Then, in the second part, we covered different types of SIEM solutions out there. In the third part, we will be covering main capabilities of SIEM. When deciding on what specific solution to acquire, these aspects should be definitely considered.
Log collection and processing
Log data is a fundamental requirement for SIEM solutions. It is crucial for the functioning of a SIEM solution that log sources are correctly configured. After configuration, a security team needs to ensure that its SIEM solution is processing and archiving log data as intended. As log data arrives at a SIEM solution in real-time, it parses and normalizes log data for fruitful analysis. Normalization of data is necessary because various devices from different vendors have their log data format. For example, the log data format of vendor’s A firewall will be different from that of vendor B’s firewall.
Good SIEM solutions come with the inbuilt capability to ingest any log data format without any obstacles. Some vendors provide additional support to their clients for configuring data sources not supported by their solution. As a SIEM solution starts functioning, log data continues to get aggregated. An ideal SIEM solution should support log archival with decent compression ration and efficient encryption techniques. This helps in secure storage of log data in compressed format. Vendors have started using big data technology to support this requirement.
Have an internal SOC, but not enough qualified staff to triage SOC alerts? Leave the heavy work to LIFARS, your trusted cybersecurity advisors with our Managed Incident Response.
Searching and reporting
Organizations cannot sit back and relax, thinking that their IT infrastructure is absolutely secure. They need to adopt reactive and proactive security measures to achieve the best level of security possible. Proactive measures include the availability of advanced analytics and threat intelligence capabilities. On the other hand, searching and reporting features form the core of an organization’s reactive defense.
Many surveys have found different average times taken by organizations to detect a data breach. While there is a slight variation, it is safe to say that this average time is substantially higher. An organization should take the minimum time possible to detect a security incident. A SIEM solution helps in achieving this goal with inbuilt analytical and correlation capabilities. These capabilities allow a SIEM solution to identify attack pattern swiftly, assets affected, and potential impact.
Many regulations and standards now require organizations to report and document the mitigation of security incidents. An ideal SIEM solution should facilitate easy investigation with the help of detailed reports and data visualizations. Reporting capabilities of a SIEM solution must help an organization in fulfilling its compliance requirements.
Real-time monitoring and threat identification
To mitigate a security incident, a primary requirement is to detect an incident. A SIEM solution should allow your security team to analyze and respond to security incidents in real-time. For supporting real-time monitoring, SIEM solutions rely on event response system, correlation engine, and analytical techniques. A SIEM solution comes with predefined rules to detect already known indicators of compromise (IOCs) and their behavior. However, it must allow customization of existing rules and addition of new rules to suit organization-specific security needs. As you start getting familiar with security incidents, you can fine-tune alert rules to minimize the probability of false positives.
LIFARS developed an IoC Checker tool, that scans for indicators of compromise in your infrastructure. Check it out on our GitHub!
Event correlation supports real-time monitoring by establishing a relation between discrete anomalies. It needs contextual information about an organization’s IT infrastructure, such as devices, users, applications, and other systems. Threat intelligence feeds and access privileges information further enhance the accuracy of event correlation. Analytical features of a SIEM solution should include a graphical user interface for accessing dashboards and reports, along with an ability to trigger alerts. These dashboards and reports should have filters available for customized results.
End-to-end incident management
Detecting a security incident is just one component of incident management. The incident management process includes:
- Detecting a security event
- Analyzing the detected event
- Verifying whether it is false positive
- Assigning an individual or a group of individuals for resolution
- Taking steps to mitigate the incident
- Implementing the required measures for preventing similar incidents from happening in the future
An ideal SIEM solution will help your security team in managing incidents, right from detection to mitigation. Next-generation SIEM solutions can further allow your team to automate incident response workflows.
Security systems across the globe identify millions of threats every day. Many organizations provide a threat intelligence feed which consists of information such as URLs, domains, IP addresses, etc. that are malicious in nature. Threat intelligence (TI) feeds provide your organization with information about bad attack vectors that may attack your systems. Considering that TI feeds contain information from reliable sources, a SIEM solution becomes capable of identifying security incidents that were previously unknown to an organization. An ideal SIEM solution would be able to:
- Support TI feeds from open-source as well as commercial service providers;
- Utilize TI feeds in threat identification and event correlation; and
- Allow an organization to add custom/in-house threat information.
User and Entity Behavior Analytics (UEBA)
UEBA creates a baseline of regular activity within an organization’s network infrastructure. The accuracy of this baseline may fluctuate during the initial days of a SIEM solution. After a sufficient amount of data is fed, it spots deviation from baseline activities and flags them for investigation. Although UEBA is a recent addition to the ideal capabilities of a SIEM solution, it supports an organization’s proactive approach by predicting potential attacks. UEBA uses machine learning techniques to create a user activity baseline over a while. Some SIEM solutions also provide a risk score to each user in your network, depending on their activity.
An organization should not select a SIEM solution because it merely requires some of its capabilities. The ideal goal should be maximum utilization of their SIEM solution’s capabilities. Organizations should also note that the accuracy of a SIEM solution evolves over a period. To learn more about how to select a SIEM vendor, stay tuned for the fourth and last part of this series.
Definition of Security Information and Event Management (Gartner)
Data Breach Response Times: Trends and Tips (Varonis)