Security Information and Event Management (SIEM)


Security Information and Event Management (SIEM) is designed to integrate network and security monitoring through automated collection, aggregation, and analysis of log data and security alerts generated by network hardware and applications.

  • core function
    • aggregate logs from multiple sources
      • includes: Windows, Linux, switches, routers, firewalls, IDS, vuln scanners, malware scanners, and databases
  • performing log aggregation:
    • SIEM has connectors or plug-ins to
      • interpret (parse) data from distinct types of systems
      • account for differences between vendor implementations
    • parsing is usually carried out using regular expressions tailored to each log file format
      • identifies attributes and content that can be mapped to standard fields in SIEM’s reporting and analysis tool
  • another important function
    • normalize date/time zone differences to a single timeline
  • different monitoring and logging products can be integrated with an API
    • makes the functions of a particular product available to scripts
  • reduces the time and manual labor required to monitor, identify, and respond to security events
  • Elastic Security SIEM demo

SIEM Capabilities

  • Aggregation
    • Collect event and log data from multiple disparate systems and provide a single view from which to process all of the collected data
  • Correlation
    • The ability to link events across the entire enterprise architecture to form a more complete picture of important events
  • Alerting
    • SIEM can be configured to
      • perform automated analysis of event data
      • and generate alerts to notify analysts of specific conditions or event types
  • Visibility
    • provides dashboard-style views, enabling a single, simplified view for observing critical activity
  • Compliance
    • facilitates compliance by producing activity reports designed to meet governance and auditing requirements
  • Data retention
    • has the capability to store historical data, which is critical for deep event analysis, digital forensics, data retention, and compliance requirements

Agent-Based and Agentless Collection

Collection is the means by which the SIEM ingests security event data from various sources.

  • 3 main types of security data collection:
    • Agent-based
      • installing an agent service on each host
      • As events occur on the host,
        • logging data is filtered, aggregated, and normalized at the host
        • then sent to the SIEM server for analysis and storage
      • common for Windows/Linux/macOS computers
      • agent must run as a process
        • could use from 50–500 MB of RAM
    • Listener/collector
      • A network appliance that gathers or receives log and/or state data from other network systems
      • hosts can be configured to push log changes to the SIEM server
      • process runs on the management server to parse and normalize each log/monitoring source
      • often used to collect logs from switches, routers, and firewalls
      • uses a Syslog variant to forward logs to SIEM
    • Sensor
      • SIEM might collect packet captures and traffic flow data from sniffers

Log Aggregation

Log aggregation refers to normalizing data from different sources so that it is consistent and searchable.

  • distinct from log collection
  • can condense repetitive, individual events to a summary event that counts the number of instances
  • SIEM software features connectors or plug-ins to
    • interpret (or parse) data from distinct types of systems
    • account for differences between vendor implementations
  • each agent, collector, or sensor data source will require its own parser
    • to identify attributes and content that can be mapped to standard fields in the SIEM
  • can normalize date/time zone differences to a single timeline
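As an added example (not part of the original notes), the parsing and normalization described above for two hypothetical sources: one regex per source maps vendor-specific fields onto standard field names, and each source's time zone is converted to UTC so the events sit on a single timeline. The log lines, field names, and the firewall's UTC-5 clock are constructed assumptions.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample log lines (not captured from any real system).
RAW_LOGS = [
    # syslog-style line from a hypothetical firewall: no year, stamped in the appliance's local time
    "Mar 12 08:15:02 fw01 kernel: DROP SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22",
    # hypothetical Windows logon-failure event exported as key=value, already in UTC
    "2024-03-12T13:15:04Z host=WS-042 EventID=4625 TargetUserName=jdoe IpAddress=203.0.113.7",
    "this line matches no parser and is left unparsed",
]

# One parser per source type: a regex whose named groups map vendor-specific fields onto the
# SIEM's standard field names, plus the time zone the source stamps its logs in.
PARSERS = [
    {"source": "firewall",
     "regex": re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<action>\w+) "
                         r"SRC=(?P<src_ip>\S+) DST=(?P<dst_ip>\S+) PROTO=\w+ DPT=(?P<dst_port>\d+)"),
     "ts_format": "%b %d %H:%M:%S",
     "tz": timezone(timedelta(hours=-5))},   # assumption: the firewall's clock is set to UTC-5
    {"source": "windows",
     "regex": re.compile(r"^(?P<ts>\S+Z) host=(?P<host>\S+) EventID=(?P<event_id>\d+) "
                         r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src_ip>\S+)"),
     "ts_format": "%Y-%m-%dT%H:%M:%SZ",
     "tz": timezone.utc},
]

def normalize(line, year=2024):
    """Parse one raw line into standard fields with a UTC timestamp; None if no parser matches."""
    for p in PARSERS:
        m = p["regex"].match(line)
        if not m:
            continue
        fields = m.groupdict()
        ts = datetime.strptime(fields.pop("ts"), p["ts_format"])
        if ts.year == 1900:      # syslog omits the year, so strptime defaults to 1900; supply it
            ts = ts.replace(year=year)
        fields["timestamp"] = ts.replace(tzinfo=p["tz"]).astimezone(timezone.utc)
        fields["source"] = p["source"]
        return fields
    return None

def build_timeline(lines):
    """Normalize every line and order the parsed events on a single UTC timeline."""
    events = [e for e in map(normalize, lines) if e is not None]
    return sorted(events, key=lambda e: e["timestamp"])
```

Once both sources share field names and a UTC clock, the firewall drop and the failed logon from the same address line up two seconds apart, which is what correlation rules later depend on.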

Alerting and Monitoring Activities

Alerting

  • SIEM can run correlation rules on indicators extracted from data sources to detect events that may be incidents
  • correlation is a function of log analysis that links log and state data to identify a pattern that should be logged or alerted as an event
  • correlation rule is a statement that matches certain conditions
    • rules use logical expressions and operators
      • e.g., AND and OR, ==, <, >
  • SIEM is often configured with a threat intelligence feed
    • data points observed in the collected network data can be associated with known threat actor indicators
  • Each alert will be dealt with by the incident response processes

Reporting

Reporting is a managerial control that provides insight into the status of the security system.

  • SIEM assists with reporting activity by exporting summary statistics and graphs
  • Report formats and contents are tailored to meet the needs of different audiences:
    • executive reports
      • high-level summary for decision-makers
      • guides planning and investment
    • manager reports
      • provide detailed information
      • guides day-to-day operational decision-making
    • compliance reports
      • provide info required by a regulator
  • common metric reporting:
    • authentication data
    • hosts with configuration vulnerabilities
    • privileged user account anomalies
    • incident case management statistics
    • trend reporting for key metrics

Archiving

  • SIEM can enact a retention policy so that historical log and network traffic data is kept for a defined period
    • allows for retrospective incident and threat hunting
    • can be a valuable source of forensic evidence
    • meets compliance requirements to hold archives of security information
  • SIEM performance will degrade if an excessive amount of data is kept available for live analysis
  • log rotation scheme can be configured to move outdated information to archive storage

Alert Tuning

Alert tuning is the process of adjusting detection and correlation rules to reduce the incidence of false positives and low-priority alerts.

  • Alert fatigue refers to when analysts are so consumed with dismissing numerous low-priority alerts that they miss a single high-impact alert that could have prevented a data breach
  • Correlation rules assign a criticality level to each match:
    • log only
      • event is produced and added to the SIEM’s database
      • is not automatically classified
    • alert
      • event is listed on a dashboard or incident handling system for an agent to assess
    • alarm
      • event is automatically classified as critical, and a priority alarm is raised

Techniques to Manage Alert Tuning

  • Refining detection rules and muting alert levels
    • alert can be:
      • muted to log-only status
      • or configured so that it only produces a single notification for every 10 or 100 events
  • Redirecting sudden alert “floods” to a dedicated group
    • Changes in the network can cause a rule to produce far more alerts
    • if confirmed false positive,
      • can be assigned to a dedicated agent or team
  • Redirecting infrastructure-related alerts to a dedicated group
    • Misconfigurations can cause continually high alert volumes
    • managed by an infrastructure team
      • rather than incident response team
  • Continuous monitoring of alert volume and analyst feedback
    • experience of individual analysts can be utilized to
      • reduce alert sensitivity
      • or change the parameters of a given rule
      • or to automate processing of the rule using a SOAR solution
  • Deploying machine learning (ML) analysis
    • ML is able to rapidly analyze the sort of data sets produced by SIEM
    • used to monitor how analysts are responding to alerts,
      • then attempt to automatically tune the ruleset in a way that reduces false negatives without impacting true positives
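An added example (not from the original notes) that ties the Alerting section and the tuning techniques above together: a small correlation engine evaluates rules with thresholds and time windows over already-normalized events, assigns each match a log/alert/alarm criticality level, and throttles notifications to one per N matches. The rule names, thresholds, window sizes, and the constructed events are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed, already-normalized events (standard fields, UTC timestamps); not real data.
BASE = datetime(2024, 3, 12, 13, 15, tzinfo=timezone.utc)
ev = lambda sec, **fields: {"timestamp": BASE + timedelta(seconds=sec), **fields}
EVENTS = sorted(
    [ev(2 * i, event_id="4625", user="jdoe", src_ip="203.0.113.7") for i in range(6)]  # 6 failed logons
    + [ev(14, event_id="4624", user="jdoe", src_ip="203.0.113.7")]                     # then one success
    + [ev(20 + i, action="DROP", src_ip="198.51.100.9", dst_port="22") for i in range(25)],  # SSH drops
    key=lambda e: e["timestamp"])

# A rule: condition over (event, shared state), the field that groups matches, how many must
# fall inside the window, the criticality level assigned, and a notification throttle (1 per N).
RULES = [
    {"name": "failed_logon_burst", "key": "user", "threshold": 5, "window": timedelta(seconds=60),
     "level": "alert", "notify_every": 1, "cond": lambda e, s: e.get("event_id") == "4625"},
    {"name": "logon_after_burst", "key": "user", "threshold": 1, "window": timedelta(seconds=300),
     "level": "alarm", "notify_every": 1,
     "cond": lambda e, s: e.get("event_id") == "4624" and e["src_ip"] in s["suspect_ips"]},
    {"name": "ssh_drop", "key": "src_ip", "threshold": 1, "window": timedelta(seconds=1),
     "level": "alert", "notify_every": 10,
     "cond": lambda e, s: e.get("action") == "DROP" and e.get("dst_port") == "22"},
]

def correlate(events, rules):
    """Run the rules over a time-ordered event stream; return (db_entries, notifications)."""
    state = {"suspect_ips": set()}
    windows, hits = defaultdict(deque), defaultdict(int)   # keyed by (rule name, key value)
    db, notifications = [], []
    for e in events:
        for r in rules:
            if not r["cond"](e, state):
                continue
            k = (r["name"], e.get(r["key"]))
            w = windows[k]
            w.append(e["timestamp"])
            while e["timestamp"] - w[0] > r["window"]:   # drop matches outside the window
                w.popleft()
            if len(w) < r["threshold"]:
                continue
            w.clear()                 # one match per burst, not one per additional event
            hits[k] += 1
            db.append((r["name"], r["level"], k[1], e["timestamp"]))   # every level is recorded
            if r["name"] == "failed_logon_burst":
                state["suspect_ips"].add(e["src_ip"])   # feeds the cross-source alarm rule
            # log-only never notifies; others notify on the first match, then once per notify_every
            if r["level"] != "log" and (hits[k] - 1) % r["notify_every"] == 0:
                notifications.append((r["name"], r["level"], k[1]))
    return db, notifications
```

Changing the ssh_drop rule's level to "log" keeps all 25 of its matches in the database but produces no notifications for it, which is the "muted to log-only" technique above.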