Making Your SIEM System the Best It Can Be

A security information and event management (SIEM) system can be a great weapon to wield against security attacks, but only if it's well tuned and well managed.

TechGuide

EDITOR'S NOTE
RETHINK SIEM FOR ACCELERATED DECISION MAKING
USE SIEM TECHNOLOGY TO IDENTIFY UNAUTHORIZED ACCESS
SIEM BEST PRACTICES

EDITOR'S NOTE
How to Make Your SIEM System Sing


Attacks on enterprise systems are coming fast and furious, hardly news to InfoSec pros. What is new is how the second-generation SIEM systems can alert IT departments to the source and nature of incoming attacks. This TechGuide is your handy source on how to get the most out of your SIEM system.

In the opening chapter, Mike Cobb explores the promise of second-gen SIEM systems. In the current threat environment, a well-oiled SIEM system is crucial. The newest SIEMs increase the scope and scale of the data available to InfoSec pros for analysis. But information is not enough, Cobb explains; internal policies and procedures must be in place to speed response time and so increase enterprise data security.

Anton Chuvakin builds upon Cobb's article and reviews the most common attack methods enterprises must be attuned to. For example, he identifies logins (not just failed logins but successful ones too) as keys to identifying malicious activities. The newest SIEM systems can be set to alert pros to these events but, as Chuvakin emphasizes, human analysis of reports is also crucial. The best SIEM system still needs a skilled security pro at the wheel.

Mike Rothman expands on this point in our closing chapter, with a focus on SIEM best practices. He covers what to collect with your SIEM, how to analyze it and then how to respond. For instance, he suggests you put on the black hat and think hard about how you'd penetrate your system, and then use those insights to plan your next security steps.

An InfoSec pro's work is never done. The most effective system requires continual fine-tuning. But the advice in this TechGuide will help your SIEM management process run more smoothly and effectively.
Brenda L. Horrigan
Associate Managing Editor, Security Media Group

Rethinking SIEM for Accelerated Decision Making


Enterprises need dynamic, intelligence-driven defenses to effectively identify malicious behaviors not seen before; these anomalies ultimately enable the plethora of dangerous zero-day attacks that wreak havoc on a daily basis. A key component of enterprise defenses is a security information and event management (SIEM) product. SIEM provides a central repository for collecting and monitoring network activity.

Unfortunately, painful implementations and overselling by vendors have left SIEM with a sullied reputation. Meanwhile, many SIEMs have been deployed solely to meet compliance-reporting requirements, with few organizations actually making full use of the technology's event-correlation capabilities.

A second generation of SIEM products, however, may change that. Advanced security analytics and increased scope and scale of data collection mean a greater number of diverse events can be put into context to find unusual activities in real time.

Enterprises create colossal amounts of data: email, documents, social media interactions, audio, network traffic, clickstreams, and logs of files being accessed, registry changes made, and processes started and stopped. System information, such as processor and memory utilization, can also be useful for spotting unexpected changes in the status of a system. The sheer volume of data to be handled makes scalability, powerful analytical tools and support for heterogeneous event sources the most important capabilities when assessing next-generation SIEM products, particularly when it comes to time-sensitive processes such as fraud detection. Tools for visualizing and exploring this data are another key feature, along with actionable intelligence based on business context, so threats posing the greatest risk can be easily found and prioritized.


To make full use of all this data, and increase detection rates by uncovering clues hidden deep in an organization's data, a SIEM needs to make use of adaptive intelligence; in other words, it must learn what's normal in order to recognize what's abnormal, because abnormal events are a strong indicator of an advanced threat or breach. It also has to be able to identify an attack pattern, even if it is spread out over a period of time. Setting up SIEM rules is an iterative process, but products that allow the simultaneous use of rule-based and rule-less correlation can reduce initial configuration times, automate parts of the login and authentication monitoring process, and reduce the number of false positives. While self-learning algorithms are still in their infancy, real-time identity correlation using fuzzy logic, behavior analysis, clustering algorithms and policy rules is close to providing true signature-less detection to prevent unauthorized access and pick out abnormal activity at the user, account and resource levels.
Incorporating external threat intelligence feeds from the global security community can further clarify what's normal or acceptable by not limiting analysis to just the data one organization creates. Look for feeds that are flexible, easy to deploy, and that existing security monitoring products can use effectively. Real-time analysis of both structured and unstructured data is essential.

Enterprises with data in the cloud should look for service providers that make SIEM data available for collection by an on-premises SIEM. This enables a unified view of both cloud and on-premises environments as long as the SIEM can handle the provider's data, which may be in different formats. In Platform as a Service environments there is the option of installing monitoring agents to push traffic and logs to an in-house server for processing, while some SIEM tools can make use of specific Software as a Service application program interfaces to collect logs from public cloud services so events across multiple platforms can be correlated to produce dashboard views and audit reports that combine both internal and cloud-based applications. Network bandwidth, latency and data-transfer costs can, however, impede timely interruption of malicious activity.
Dashboard views of the information collected
and analyzed are an important feature, as are
reports that include effective countermeasures
so administrators can see where attention is
needed most. Do not overlook the importance
of being able to export information in different
ways; stakeholders want information about security risks pertinent to their interests and at a
level that they can understand so as to fully appreciate the relevance. This will make discussions easier and more quickly lead to the most
appropriate course of action.
Accelerated decision-making is not solely about feeding a SIEM more and more information and tuning it to be able to spot incidents faster; security teams must be able to react and respond faster, too. Incident response teams need to be familiar with the types of warnings and alerts a SIEM produces and have well-tested procedures in place that they can follow. This not only ensures the right people know the right actions to take, but also that those efforts are coordinated.
Security teams need to have the resources required to handle and respond to the additional
alerts and warnings a well-tuned SIEM will
generate. Taking the time to fully inventory and
classify data assets will enable a SIEM to better
prioritize threats. An asset discovery and profiling tool, sometimes included within a SIEM,
will reduce the time spent categorizing network
assets and also pick up configuration drift, and
hardware and software changes.
Good security is a continuous process and
a well-resourced and configured SIEM can
provide constant awareness of the state of security, vulnerabilities and threats, and thus
support those teams managing and protecting
information systems running core mission and
business functions. If the teams have ample
resources and well-tested procedures to follow,
overall enterprise information security will improve. That's a worthwhile objective any day.
Mike Cobb


Use SIEM Technology to Identify Unauthorized Access Attempts

Many organizations have information systems with password authentication exposed to the Internet. Recent research indicates that default credential abuse, guessed passwords and brute-force attacks remain some of the most common methods for compromising organizational networks. Security information and event management (SIEM) technology can help organizations prevent costly data theft due to guessed passwords or misused credentials. Every organization, and especially those with Internet-facing IT assets that support password authentication (such as VPN devices, Web servers, SSH and other remote access technologies), should leverage their SIEM to help prevent unauthorized access.

Automatic login tracking can help reveal malicious activities from insiders and outsiders. SIEM is uniquely suited to automate this massive task. SIEM technology can aggregate and analyze successful and failed login records from multiple systems to determine when attackers take over account credentials.

The data SIEM needs to monitor unauthorized access attempts is relatively straightforward. Logs from all platforms that include authentication records need to be collected. It is important to collect both successful and failed login records from all systems, devices and applications. Failed logins indicate that security systems are doing their job, and of course the successful logins reveal that somebody now has access to your systems. A successful login should never, ever be equated with authorized access in this day and age of stolen passwords and fast CPUs to crack the encrypted password files.


CORRELATION AND ALERTING

A SIEM correlation rule can be used to automate parts of the system login and authentication monitoring process. Here are examples of correlation rules that will enable effective access monitoring:

• Single system attack, when the attacker tries all credentials on one system
• String of several login failures immediately followed by a success
• Authentication sweep attack (trying the same credential on all systems)
• Successful login at unusual times (for the user or for the system)
• Successful login from unusual locations (for the user or for the system)

VIEWS AND REPORTS

Common reports and dashboard views useful for this use case include the following:

• Top systems with login failures
• Login failure/success ratio trend
• Login failure trend
• Users that failed to login across multiple systems
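The correlation rules listed above, together with Cobb's point in the previous chapter that a SIEM must first learn what is normal before it can flag what is abnormal, can be written down directly as checks over authentication records. The Python below is an added example for this guide, not code from the authors or from any SIEM product: it implements the single-system attack, failures-then-success, authentication sweep and unusual time/location rules over a small set of constructed login records, with a per-user baseline (usual hours and source addresses) learned from constructed history. The record layout, field names, thresholds and sample addresses are assumptions chosen for the example.

```python
from collections import defaultdict, namedtuple
from datetime import datetime

AuthEvent = namedtuple("AuthEvent", "ts system user src outcome")  # outcome: success|failure

def parse_events(rows):
    """Turn (timestamp, system, user, source, outcome) rows into time-ordered AuthEvents."""
    events = [AuthEvent(datetime.strptime(r[0], "%Y-%m-%d %H:%M:%S"), *r[1:]) for r in rows]
    return sorted(events, key=lambda e: e.ts)

# Constructed history of successful logins, used to learn what is "normal" for each user.
HISTORY = parse_events([
    ("2014-02-24 09:02:00", "vpn1", "alice", "10.0.0.5", "success"),
    ("2014-02-26 16:45:00", "vpn1", "alice", "10.0.0.5", "success"),
    ("2014-02-24 09:10:00", "web1", "bob", "10.0.0.7", "success"),
    ("2014-02-26 17:05:00", "ssh1", "bob", "10.0.0.7", "success"),
])

# Constructed authentication records for the day under review (not from any real system).
EVENTS = parse_events([
    ("2014-03-03 09:01:10", "vpn1", "alice", "10.0.0.5", "success"),
    ("2014-03-03 09:05:42", "web1", "bob", "10.0.0.7", "success"),
    ("2014-03-03 10:15:00", "ssh1", "alice", "10.0.0.5", "success"),
    # one external source tries several accounts on ssh1, then fails three
    # times on bob's account and finally gets in
    ("2014-03-03 22:00:01", "ssh1", "root", "198.51.100.9", "failure"),
    ("2014-03-03 22:00:02", "ssh1", "admin", "198.51.100.9", "failure"),
    ("2014-03-03 22:00:03", "ssh1", "test", "198.51.100.9", "failure"),
    ("2014-03-03 22:00:04", "ssh1", "bob", "198.51.100.9", "failure"),
    ("2014-03-03 22:00:05", "ssh1", "bob", "198.51.100.9", "failure"),
    ("2014-03-03 22:00:06", "ssh1", "bob", "198.51.100.9", "failure"),
    ("2014-03-03 22:00:07", "ssh1", "bob", "198.51.100.9", "success"),
    # the same service credential tried against every system from one source
    ("2014-03-03 23:10:00", "vpn1", "svc_backup", "203.0.113.4", "failure"),
    ("2014-03-03 23:10:01", "web1", "svc_backup", "203.0.113.4", "failure"),
    ("2014-03-03 23:10:02", "ssh1", "svc_backup", "203.0.113.4", "failure"),
    # a genuine account from its usual address, but hours away from its normal pattern
    ("2014-03-04 03:20:00", "vpn1", "alice", "10.0.0.5", "success"),
])

def _failure_sets(events, key, value):
    """For each key(e) among failed logins, collect the set of value(e) seen."""
    groups = defaultdict(set)
    for e in events:
        if e.outcome == "failure":
            groups[key(e)].add(value(e))
    return groups

def single_system_attacks(events, min_users=3):
    """Rule: one source trying many different credentials against a single system."""
    groups = _failure_sets(events, lambda e: (e.system, e.src), lambda e: e.user)
    return [(s, src, len(u)) for (s, src), u in groups.items() if len(u) >= min_users]

def auth_sweeps(events, min_systems=3):
    """Rule: the same credential tried from one source across many systems."""
    groups = _failure_sets(events, lambda e: (e.user, e.src), lambda e: e.system)
    return [(u, src, len(s)) for (u, src), s in groups.items() if len(s) >= min_systems]

def failures_then_success(events, min_failures=3):
    """Rule: a run of failures for one user on one system immediately followed by a success."""
    runs, hits = defaultdict(int), []
    for e in events:
        key = (e.user, e.system)
        if e.outcome == "failure":
            runs[key] += 1
            continue
        if runs[key] >= min_failures:
            hits.append((e.user, e.system, runs[key]))
        runs[key] = 0  # a success ends the run, whether or not it was reported
    return hits

def learn_baseline(history):
    """Learn what is normal per user: the hours and source addresses of past successful logins."""
    hours, sources = defaultdict(set), defaultdict(set)
    for e in history:
        if e.outcome == "success":
            hours[e.user].add(e.ts.hour)
            sources[e.user].add(e.src)
    return hours, sources

def unusual_successes(events, baseline, hour_tolerance=2):
    """Rule: successful login at an unusual time or from an unusual location for that user."""
    hours, sources = baseline
    hits = []
    for e in events:
        if e.outcome != "success" or e.user not in hours:
            continue  # no baseline for this user yet, so nothing to compare against
        # circular distance in hours, so that 23:00 and 01:00 count as close together
        gap = min(min(abs(e.ts.hour - h), 24 - abs(e.ts.hour - h)) for h in hours[e.user])
        reasons = (["unusual hour"] if gap > hour_tolerance else []) + (
            ["unusual source"] if e.src not in sources[e.user] else [])
        if reasons:
            hits.append((e.user, e.system, e.ts.strftime("%Y-%m-%d %H:%M"), reasons))
    return hits

if __name__ == "__main__":
    print("single-system attacks:", single_system_attacks(EVENTS))
    print("failures then success:", failures_then_success(EVENTS))
    print("authentication sweeps:", auth_sweeps(EVENTS))
    print("unusual successes:", unusual_successes(EVENTS, learn_baseline(HISTORY)))
```

Run as a script it prints the matches for each rule. Note that the successful login on bob's account is flagged twice over: once by the failures-then-success rule and once by the baseline, because it arrives from an address and at an hour never seen for that user; that overlap is what makes a success "never, ever" the same as authorized access. In a real deployment the baseline would be refreshed continuously and the thresholds tuned to the environment rather than fixed as they are here.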

Note that reports do not replace alerting, whether based on rules or baselines. In many cases, the malicious activity is discovered when a human reviews the report and notices something new, unusual or suspicious. The frequency of report review varies from daily (which is ideal, and also prescribed by some external mandates, such as PCI DSS) to weekly or even monthly. As long as your organization is satisfied with the detection gap (i.e., the time between the incident and it being noticed during report review), the frequency is acceptable.

SIEM technology can collect data automatically and issue alerts when attackers guess the passwords. However, the organization must ensure the SIEM supports effective incident-response processes and procedures (which, by the way, implies that they should actually exist!), through both alerting for manual analysis and remediation and in some cases automated response, such as through integration with a DLP or other firewall or data exfiltration product. A robust understanding of normal log baselines and typical activities (which requires not just SIEM technology but also a skilled SIEM operator) will be extremely helpful as well. In addition to deploying SIEM technology, collecting logs, running reports and using correlation to trigger alerts, operational procedures need to be in place to have an effective server access monitoring process. For example, what happens when a systems administrator notices that a user logs in from two places at once? Does the admin have the power to terminate sessions, disable accounts, communicate with the user's manager and take other actions? Operational procedures make these actions repeatable, fast and effective, and also enable ongoing tracking and improvement.
Anton Chuvakin


SIEM Best Practices for Advanced Attack Detection


Security information and event management (SIEM) has been a much-maligned technology through the years. Between complaints of complexity and an excessive requirement for professional services, many enterprises have been disappointed by their experience implementing SIEM for security monitoring.

That was then, and this is now. To be fair, technology is no longer the reason why enterprises struggle to succeed with their SIEM implementations. The leading SIEM platforms have undergone a brain transplant, migrating to purpose-built data stores that provide adequate performance and scale. System connectors and log aggregators, once clunky and unreliable, are now more effective, making data collection relatively straightforward.

But there is still a rub with SIEM, and any technology that relies on a rules-based policy. The SIEM must know what it's looking for. The magic SIEM box won't auto-magically identify an attack that takes advantage of a new method or vulnerability few if any have ever seen before.

To be clear, SIEM still plays an important role in attack detection. But for it to succeed in detecting both known and unknown attack types, an organization must build a set of policies to look for attack conditions and indicators in its environment, and consistently monitor for those conditions.

So how do you go about building these policies? Waiting for a unicorn to deliver them to your mailroom isn't really a realistic alternative. Let's map out a fairly simple process to build effective SIEM policies.

COLLECT EVERYTHING (WITHIN REASON)

Without having sufficient data collected, there isn't much for the SIEM to analyze. So the first step is to collect the right data. What does that mean? Start with the obvious stuff, like network, security and server device logs. This data is plentiful and easy to get. Next, climb the stack and start pulling logs from the application infrastructure (databases, applications). SIEM ninjas also pull in various other data sources, including identity data, network flows, vulnerability scan results, and configuration data.

When it comes to SIEM systems, the more data the better. Collect everything, if you can. If it's necessary to prioritize data collection, look at collecting data from the most important technology assets, namely devices in protected environments and those handling regulated data. Also pay attention to those systems that handle critical intellectual property.

BUILDING THE RULES

Setting up a SIEM rule base is an iterative process. That means it happens relatively slowly and needs to be refined and retuned over time. A lot of folks get analysis paralysis when starting the process because there are millions of possible rules that can be set up. I advocate thinking about clear and present danger to determine the rules that should be defined first. In modeling the process, start with an important asset. Put yourself in the role of the adversary, and try to monitor something you would want to steal.

• Model the threat: If you were the attacker, how would you break in and steal the data? Model the attack and then enumerate that vector within the SIEM tool. Don't forget about exfiltration because that provides another opportunity to detect the attack before the data is gone. Go into this process with realistic expectations because the threat model won't be right. It won't be complete or even comprehensive. The important thing is simply to start the threat modeling process, and this is as good a place as any.

• Refine the rules: Launch the attack against yourself. There are a ton of readily available tools to hack your environment, so use them. Then monitor what your SIEM does. Does it fire the right alert, and does it do so when it needs to? Does the alert provide sufficient information to assist a responder in figuring out what happened and triaging the situation? If not, go back to step one and refine the rules until it does.

• Optimize the thresholds: Over time, it will become increasingly clear whether the SIEM alerts occur too often, or not often enough. From there, tune the thresholds appropriately. This is always a balance; if the thresholds are too tight, noise is minimized, but it's easier to miss an attack. And vice versa, if alerts occur too often.

• Wash, rinse, repeat: Once the initial set of rules for that specific attack is implemented and optimized, move on to the next attack vector, and so forth, repeating the process when modeling each threat.
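The "refine the rules" and "optimize the thresholds" steps can be rehearsed offline before a rule goes live, by replaying both ordinary traffic and a known-bad scenario through the rule and counting what it does. The Python below is an added example for this guide, not Rothman's code or any SIEM product's: it takes a simple burst rule (N failed logins from one source against one system inside a five-minute window), replays a constructed baseline of everyday failures and a constructed password-guessing burst through it, and reports, for each candidate threshold, how many alerts the baseline would have raised (noise) and whether the replayed scenario is caught. The window, the candidate thresholds, the noise budget and every sample record are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed burst window for the rule under test

def _failures(start, count, gap_seconds, src, system):
    """Build `count` constructed failed-login records, `gap_seconds` apart."""
    t0 = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    return [(t0 + timedelta(seconds=i * gap_seconds), src, system) for i in range(count)]

# Constructed baseline week of ordinary failures: a typo, a forgotten password,
# a one-off mistake, and a script whose stored credential expired (one failure an hour).
BASELINE = (
    _failures("2014-03-03 09:00:00", 2, 30, "10.0.0.5", "vpn1")
    + _failures("2014-03-04 08:30:00", 3, 60, "10.0.0.7", "web1")
    + _failures("2014-03-05 14:00:00", 1, 0, "10.0.0.8", "ssh1")
    + _failures("2014-03-06 00:00:00", 4, 3600, "10.0.0.9", "ssh1")
)

# Constructed self-test replay: eight guesses in under two minutes from one source
# against vpn1, standing in for the "launch the attack against yourself" step.
ATTACK = _failures("2014-03-07 22:00:00", 8, 12, "198.51.100.9", "vpn1")

def count_burst_alerts(failures, threshold, window=WINDOW):
    """Fire once per source/system whenever `threshold` failures fall inside `window`."""
    recent = defaultdict(list)
    alerts = 0
    for when, src, system in sorted(failures):
        bucket = recent[(src, system)]
        bucket.append(when)
        bucket[:] = [t for t in bucket if when - t <= window]  # drop entries older than the window
        if len(bucket) >= threshold:
            alerts += 1
            bucket.clear()  # one alert per burst, not one per extra failure
    return alerts

def evaluate_thresholds(baseline, attack, thresholds):
    """For each candidate threshold: alerts raised on normal traffic vs. on the replayed attack."""
    return [
        {"threshold": t,
         "noise_alerts": count_burst_alerts(baseline, t),
         "attack_alerts": count_burst_alerts(attack, t)}
        for t in thresholds
    ]

def choose_threshold(results, max_noise):
    """Lowest threshold that still catches the replayed attack within the noise budget."""
    acceptable = [r["threshold"] for r in results
                  if r["attack_alerts"] > 0 and r["noise_alerts"] <= max_noise]
    return min(acceptable) if acceptable else None

if __name__ == "__main__":
    results = evaluate_thresholds(BASELINE, ATTACK, [2, 3, 4, 5, 10])
    for r in results:
        print(r)
    print("chosen threshold with a zero-noise budget:", choose_threshold(results, max_noise=0))
```

With these records a threshold of 2 or 3 pages someone about a colleague mistyping a password, 10 misses the replayed burst entirely, and 4 is the lowest setting that is both quiet on the baseline and fires on the replay. Rerunning the same evaluation whenever a data source is added or the baseline shifts is the concrete form of the "wash, rinse, repeat" step: a threshold that was quiet last quarter may not be once a new system starts logging to the SIEM.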

By the way, this process is never done. There are always new attacks to model and new indicators to monitor. It's always important to follow the security news to find out what kind of attacks are in vogue. Recent threat research reports like Mandiant Corp.'s APT1 report now include clear indicators that every organization can (and should) look for using its SIEM. Armed with threat intelligence and a comprehensive data collection environment, there are no more excuses: it's time to start looking for the advanced attacks that continue to emerge.

Also keep in mind that as time goes on, it will be necessary to add new data types to the SIEM, which will require revisiting all the SIEM rules. For instance, network packet traffic, if captured and sent to the SIEM, will provide a wealth of new information that can be mined. How will being able to look at the actual network traffic affect the process of looking for a certain attack? What other rules can be added to detect the attack faster? These aren't trivial questions; looking at the SIEM rules every time a data source is added (or taken away, for that matter) can make the difference in how quickly an attack is detected, or if it's detected at all.

The most important aspect of the process is consistency. SIEM is not a "set it and forget it" technology. It requires significant care and feeding, not just now, but for the entirety of its operational life. If you have any illusions otherwise, you'll find yourself horribly disappointed.
Mike Rothman

ABOUT THE AUTHORS

MIKE COBB, CISSP-ISSAP, is a renowned security author with more than 20 years of experience in the IT industry. He has a passion for making IT security best practices easier to understand and achievable. His website www.hairyitdog.com offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices.

ANTON CHUVAKIN, Ph.D., is a research director at Gartner in the Gartner for Technical Professionals security and risk management strategies group. He is an author of the books Security Warrior, Log Management and PCI Compliance. Follow him on Twitter @anton_chuvakin.

MIKE ROTHMAN is president of Securosis, an independent information security research and consulting firm. He's spent more than 15 years as an end-user advocate for global enterprises and medium-sized businesses. Rothman has held executive-level positions with CipherTrust and TruSecure, and was a founder of SHYM Technology.

Making Your SIEM System the Best It Can Be is a Security Media Group e-publication.

Robert Richardson | Editorial Director
Eric Parizo | Executive Editor
Kathleen Richards | Features Editor
Kara Gattine | Senior Managing Editor
Brenda L. Horrigan | Associate Managing Editor
Brandan Blevins | Associate Editor
Sharon Shea | Assistant Editor
Linda Koury | Director of Online Design
Neva Maniscalco | Graphic Designer
Doug Olender | Vice President/Group Publisher
dolender@techtarget.com

TechTarget
275 Grove Street, Newton, MA 02466
www.techtarget.com

© 2014 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.