How to Monitor Suspicious Network Activity with SIEM
Network security is a game of cat and mouse. The mouse knows lots of places to hide. It comes out now and then, eating things and making places dirty, then it goes back into hiding. Unless the cat knows all the places to look and figures out the mouse’s tactics, the mouse will keep doing damage and never be seen.
Suppose the cat could track every mouse hole, every crack under the door, every trail of crumbs. Then it could catch the rodent quickly and make sure there aren’t any more lurking around. It’s a rare cat who’s that thorough, but software exists to do the same for malware. Its trails are system and application logs. It connects the paths to find out how the “mouse” is getting from its lair to the pantry and where it’s hiding.
The “cat” that does this is called SIEM, which stands for security information and event management. A SIEM brings together log and event data from many sources across the network and correlates it to build a picture of what threats are present, what attacks have happened, and what is affected. That picture lets security personnel eradicate a threat completely and find everything that needs remediation.
How SIEM addresses all aspects of an attack
Many online attacks are crude and simple, but the most dangerous ones follow a detailed strategy. They go through multiple stages to establish themselves thoroughly before causing serious harm. The earlier they are caught, the less damage they do. They try to establish multiple footholds so that they can come back if they’re just partially removed. A sophisticated threat will go through these steps:
- Reconnaissance: The attacker scans for weaknesses such as unpatched software, exposed ports and services, and poorly secured or default accounts, and harvests email addresses for phishing.
- Gaining access: The attacker obtains a foothold through phishing messages or server-side vulnerabilities. The initial step may be uploading a file to a vulnerable service or getting a user to download and run malicious code.
- Installing malware: The first stage is usually a small dropper or loader, which downloads and installs the real payload and often sets up persistence. The loader may then delete itself to hinder detection.
- Lateral movement: From the initial point of infection, such as a user workstation or point-of-sale terminal, the attacker moves toward the servers that hold valuable information, typically by reusing credentials harvested along the way.
- Exfiltration or modification: Only then does the malware go to work, sending confidential information to the attacker or modifying databases and websites.
A complete set of logs will include evidence of all or most of this process, showing how the attack began and how it has progressed. However, the evidence is scattered. SIEM software analyzes the logs to correlate the information and build a complete picture. It can identify an attack in progress before it reaches the critical servers and compromises critical information. Automated processes or administrator action can remove the hostile code with a minimum of disruption.
The number of information sources is too large to correlate manually, even with text search tools. A small SIEM system may use hundreds of sources. A large one gets into the thousands, with many of them generating multiple log entries per second. The software uses correlation rules, statistical baselines and, in newer products, machine-learning models to find abnormal and suspicious patterns in the mass of log data. It discards events with a low likelihood of risk and reports the ones with clear indications of hostile activity.
The functions of SIEM
A SIEM security system monitors log activity 24 hours a day, issuing alerts and triggering remedial action when necessary. It produces periodic reports that are useful for the evaluation and planning of network security. Its main purposes are the following:
- Incident detection. When log activity indicates hostile action, SIEM collects all the related information and assembles it into a coherent account of a security incident. It provides a description in depth of the incident, going beyond the obvious symptoms to their underlying cause and path of attack.
- Incident management. The detection of an incident may trigger an alert for administrators, launch an automatic response, or both. SIEM allows a quicker response, with more information to work from, compared with acting only after the symptoms are obvious.
- Compliance with regulations and standards. Industry standards and government regulations in certain businesses require documented procedures to minimize the chance of losing information integrity and confidentiality. A properly managed SIEM setup is an excellent way to demonstrate compliance.
Not every organization needs SIEM. It requires significant time and resources, and your security needs have to justify the effort. A business that has just a website, email, and user files can get by with simpler security measures. One that runs its business on SaaS cloud services benefits from the provider's security of the platform itself, but under the shared-responsibility model it still owns its user identities, configuration, and audit logs, and those are exactly what a SIEM would watch.
The use of SIEM is justified when an organization stores and processes confidential information, and especially when it has to meet regulatory requirements and standards to stay in business. Confidential information is a broader concept than credit card and government ID numbers. A breach that exposes large numbers of names, addresses, and telephone numbers is a serious matter even if nothing more sensitive is at risk.
A business that keeps large quantities of personal information needs to take its security very seriously. One that includes European Union citizens could be subject to GDPR penalties. The cost of not protecting information is only going to increase. Having SIEM protection is insurance against expensive security disasters and fines.
There are many ways that SIEM guards against threats. Any given organization will give some of them high priority. A skilled team of analysts can get the most value out of it. These are some of the ways SIEM protects a network:
- Catching unauthorized access. Unauthorized use of an account generally goes with abnormal behavior, such as logging in from an unfamiliar location or device, connecting outside of working hours, and performing unusual tasks involving sensitive data.
- Recognizing brute-force attacks. An attempt to log in by repeatedly guessing common or default passwords leaves obvious signs in the authentication logs: many failures from one source, sometimes followed by a success. Catching the attempt allows countermeasures such as blocking the offending IP address or locking the account. Note that password spraying, which tries a few passwords against many accounts, stays under per-account lockout thresholds and is only visible when failures are counted per source across all accounts.
- Discovering malware. Hostile action on an infected system can take many forms, including data exfiltration, file encryption (ransomware), alteration of a website, and so on. The information for spotting the intrusion may come from any of the logs SIEM collects.
- Identifying hostile probes. Catching intrusion attempts early gives the best chance of stopping them without disruption. Firewalls, intrusion detection sensors, and web application firewalls each log these attempts, and SIEM can weave their traces into a single pattern.
- Spotting insider threats. An employee bribed to perform espionage or an account whose credentials have been stolen can grab proprietary information. The patterns of action will be different from normal use of the account.
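Here is how two of the rules above, brute-force detection and off-hours access, look as code, together with the correlation step from the earlier section that groups alerts by account so that two independent signals on one account raise the severity. This is an added example, not BitLyft's or any vendor's code; the normalized event schema (ts, user, src_ip, outcome), the internal address ranges, and the sample events are all constructed assumptions.

```python
"""Two correlation rules over normalized login events, then grouped by
account so that corroborating signals raise severity.
Assumed schema: ts (ISO 8601, UTC), user, src_ip, outcome."""
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real logs). One external address hammers
# "jsmith" and finally gets in; "alice" logs in from the LAN during the day
# and again late at night from outside; "bob" just mistypes twice.
EVENTS = [
    {"ts": "2024-03-04T02:10:00Z", "user": "jsmith", "src_ip": "203.0.113.7", "outcome": "failure"},
    {"ts": "2024-03-04T02:10:20Z", "user": "jsmith", "src_ip": "203.0.113.7", "outcome": "failure"},
    {"ts": "2024-03-04T02:10:40Z", "user": "jsmith", "src_ip": "203.0.113.7", "outcome": "failure"},
    {"ts": "2024-03-04T02:11:00Z", "user": "jsmith", "src_ip": "203.0.113.7", "outcome": "failure"},
    {"ts": "2024-03-04T02:11:20Z", "user": "jsmith", "src_ip": "203.0.113.7", "outcome": "failure"},
    {"ts": "2024-03-04T02:11:40Z", "user": "jsmith", "src_ip": "203.0.113.7", "outcome": "failure"},
    {"ts": "2024-03-04T02:12:00Z", "user": "jsmith", "src_ip": "203.0.113.7", "outcome": "success"},
    {"ts": "2024-03-04T09:15:00Z", "user": "alice", "src_ip": "10.0.0.5", "outcome": "success"},
    {"ts": "2024-03-04T14:00:00Z", "user": "bob", "src_ip": "192.0.2.10", "outcome": "failure"},
    {"ts": "2024-03-04T14:00:30Z", "user": "bob", "src_ip": "192.0.2.10", "outcome": "failure"},
    {"ts": "2024-03-04T22:45:00Z", "user": "alice", "src_ip": "198.51.100.9", "outcome": "success"},
]

# Assumed internal ranges. Deliberately not ipaddress.is_private: that flag
# also covers the documentation ranges (192.0.2.0/24 etc.) used above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def brute_force_rule(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of failures per source IP, across all accounts,
    so password spraying is counted too. Fires once when the count reaches
    `threshold`; a success from the same IP within `window` of the last
    failure marks the alert as a probable compromise."""
    alerts, fails = [], defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        t, ip = parse_ts(ev["ts"]), ev["src_ip"]
        q = fails[ip]
        if ev["outcome"] == "failure":
            q.append(t)
            while t - q[0] > window:
                q.popleft()
            if len(q) == threshold:
                alerts.append({"rule": "brute_force", "user": ev["user"], "src_ip": ip,
                               "failures": threshold, "compromised": False})
        elif q and t - q[-1] <= window:
            for a in alerts:
                if a["rule"] == "brute_force" and a["src_ip"] == ip:
                    a["compromised"] = True
    return alerts


def off_hours_rule(events, start_hour=8, end_hour=18):
    """Successful logins from outside the network outside business hours.
    Fixed UTC window here; production rules use a per-account baseline."""
    return [{"rule": "off_hours_external_login", "user": ev["user"], "src_ip": ev["src_ip"], "ts": ev["ts"]}
            for ev in events
            if ev["outcome"] == "success" and not is_internal(ev["src_ip"])
            and not start_hour <= parse_ts(ev["ts"]).hour < end_hour]


def correlate(events):
    """Group alerts by account. Two independent rules firing on the same
    account is the corroboration a single rule cannot see."""
    by_user = defaultdict(list)
    for a in brute_force_rule(events) + off_hours_rule(events):
        by_user[a["user"]].append(a)
    return {u: {"severity": "high" if len({a["rule"] for a in al}) > 1 else "medium", "alerts": al}
            for u, al in by_user.items()}


if __name__ == "__main__":
    print(json.dumps(correlate(EVENTS), indent=2))
```

Running it reports jsmith as high severity (a brute-force burst followed by a success, and that success came from outside at 02:12) and alice as medium (one late external login, which may be legitimate travel). Counting failures per source rather than per account is what keeps the rule useful against spraying; the fixed business-hours window is the kind of threshold that tuning later replaces with a learned baseline.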
Preparing for SIEM
There is a lot more to SIEM than installing the software and letting it run. It needs access to all relevant logs and the ability to parse them. The preparation process will take weeks or months, and it shouldn’t be rushed excessively.
The first step is to create an inventory of logs that contain SIEM-relevant information. The applicable sources can include any or all of these:
- Network devices such as switches, firewalls, and routers
- Servers and endpoints (operating-system authentication and audit logs)
- Identity providers and directory services
- Business applications and databases
- Cloud services
Some potential information sources may not have logging turned on. Others may be set to log at the Debug level, generating a flood of uninteresting information, or at the Error level and above, missing the informational events (successful logins, configuration changes) that detection depends on. Reviewing and adjusting the logging parameters of every source will help SIEM get all the information it needs without being overwhelmed.
The inventory should determine what data formats the logs use and whether a software agent will be needed to collect them. SIEM performs data normalization and can deal with logs in many formats. Even so, using well-known formats will make the integration of logs easier and less prone to dropped information. Non-standard logs require custom parsers, and every parser should report how many lines it failed to parse, since silently dropped events are the main way a source goes dark. Logging systems that emit syslog, ideally RFC 5424 with structured data, or JSON make the job easier.
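As an added example of the normalization step (not any SIEM product's parser), the following parses an RFC 5424 syslog line with structured data, a BSD-style RFC 3164 line from OpenSSH, and a JSON application log into one event shape, drops Debug-level noise, and counts what it dropped or could not parse. The target schema, the sample lines, and the assumed year for the year-less BSD timestamp are constructed assumptions.

```python
"""Parse three common log shapes into one normalized event so a single rule
set can run over all of them. Target schema (an assumption): ts, host,
source, severity, facility, user, src_ip, outcome, msg."""
import json
import re
from datetime import datetime, timezone

# Syslog severity names indexed by the low 3 bits of PRI (RFC 5424 table 2).
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Application log levels mapped onto the syslog scale.
APP_LEVELS = {"trace": "debug", "debug": "debug", "info": "info", "warn": "warning",
              "warning": "warning", "error": "err", "fatal": "crit"}

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
                     r"(?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$")
SD_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
# RFC 3164 (BSD syslog): <PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MSG
RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
                     r"(?P<host>\S+) (?P<app>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# OpenSSH authentication messages carried in the free-text part of the line.
SSH_MSG = re.compile(r"^(?P<res>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed sample lines (not real logs).
SAMPLE_LINES = [
    '<38>1 2024-03-04T02:11:40Z fw01 sshd 4711 - [auth@32473 user="jsmith" src_ip="203.0.113.7" outcome="failure"] Failed password',
    '<86>Mar  4 02:12:00 web01 sshd[4712]: Accepted password for jsmith from 203.0.113.7 port 51122 ssh2',
    '{"time":"2024-03-04T02:12:30Z","level":"DEBUG","logger":"app.auth","msg":"session cache hit","user":"jsmith"}',
    '{"time":"2024-03-04T02:12:31Z","level":"INFO","logger":"app.auth","event":"login","user":"jsmith","src_ip":"203.0.113.7","outcome":"success"}',
    "Mar  4 02:13:00 legacy-app: unstructured line from a source with no parser yet",
]


def _event(ts, host, source, severity, facility=None, msg="", user=None, src_ip=None, outcome=None):
    return {"ts": ts, "host": host, "source": source, "severity": severity, "facility": facility,
            "user": user, "src_ip": src_ip, "outcome": outcome, "msg": msg}


def parse_line(line, assumed_year=2024):
    """Return one normalized event, or None if the line matches no known shape."""
    m = RFC5424.match(line)
    if m:
        pri, params = int(m["pri"]), dict(SD_PARAM.findall(m["sd"]))
        return _event(m["ts"], m["host"], m["app"], SEVERITY[pri & 7], pri >> 3, m["msg"] or "",
                      params.get("user"), params.get("src_ip"), params.get("outcome"))
    m = RFC3164.match(line)
    if m:
        pri = int(m["pri"])
        # BSD timestamps carry neither year nor zone; both are supplied here
        # (assumption: source and collector agree on UTC).
        ts = datetime.strptime(f"{assumed_year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        ev = _event(ts.strftime("%Y-%m-%dT%H:%M:%SZ"), m["host"], m["app"], SEVERITY[pri & 7], pri >> 3, m["msg"])
        s = SSH_MSG.match(m["msg"])
        if s:
            ev.update(user=s["user"], src_ip=s["ip"], outcome="success" if s["res"] == "Accepted" else "failure")
        return ev
    if line.startswith("{"):
        try:
            j = json.loads(line)
        except ValueError:
            return None
        return _event(j.get("time"), j.get("host", "-"), j.get("logger", "app"),
                      APP_LEVELS.get(str(j.get("level", "info")).lower(), "info"), None,
                      j.get("msg", j.get("event", "")), j.get("user"), j.get("src_ip"), j.get("outcome"))
    return None


def normalize(lines, min_severity="info"):
    """Parse every line, drop anything noisier than min_severity, and count
    what was dropped or unparsed: silent loss is the failure mode to watch
    for when onboarding a new source."""
    keep = SEVERITY.index(min_severity)
    events, stats = [], {"kept": 0, "dropped_noisy": 0, "unparsed": 0}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            stats["unparsed"] += 1
        elif SEVERITY.index(ev["severity"]) > keep:
            stats["dropped_noisy"] += 1
        else:
            events.append(ev)
            stats["kept"] += 1
    return events, stats


if __name__ == "__main__":
    evs, st = normalize(SAMPLE_LINES)
    print(json.dumps({"stats": st, "events": evs}, indent=2))
```

The stats counter is the part worth copying: a new source that suddenly shows up as 100% unparsed, or a parser change that doubles the dropped count, is visible immediately, whereas without it the detection rules simply see fewer events and stay quiet.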
The plan should identify the most important use cases. There are many ways to use SIEM, but knowing the highest priorities helps in planning. The list could include items like these:
- Regulatory compliance
- Prevention of exfiltration of confidential data
- Detection of malicious insider activity
- Maintaining account security
- Protection against phishing exploits
- Maintaining website integrity and uptime
Listing the top use cases will help in choosing relevant logs and selecting a SIEM system. The next step is to look at the available services and pick the one best suited to the organization's goals.
Dealing with the complexity of SIEM
As you may have gathered, working with SIEM isn’t simple. By its nature, it can’t be plug-and-play. You have to do considerable preparatory work to establish your needs and make the system useful. For the ongoing management tasks, though, you have a range of options.
SIEM can be set up as an on-premises system, a self-managed cloud service, or a managed service from an MSSP. The first two options give the greatest amount of direct control, but they require a large amount of ongoing effort by expert analysts. When the software issues an alert, what kind of action is necessary? Can it safely be set aside without immediate action? Are drastic steps, such as taking affected systems offline or disabling accounts, necessary? Aside from simple, easily fixed cases, SIEM can’t make the decision by itself.
A security operations center (SOC) provides the expertise to analyze and act on SIEM’s information. It contributes a sense of how less quantifiable measures fit in. Factors such as what accounts are involved, recent events elsewhere in the industry, threats that are on the rise, and the likelihood of harm play a role in the decisions the SOC team makes.
Regular IT people can manage SIEM software, but they won’t have the same finely developed sense of how to respond to each alert. They may go after the wrong targets and then slack off when they notice they aren’t finding actual threats.
The need for specialized skills makes the option of SIEM as a service attractive to many businesses. A managed service lets security specialists handle the day-to-day operations. BitLyft offers SIEMaaS in a range of configurations to fit each customer’s security needs.
Some companies claim to offer “SIEM as a service” when what they really offer is a cloud-based system which the customer manages. Make sure you know what you’re getting when choosing among security services.
What are the best SIEM tools? Many options are available. A number of free and open-source tools can form the core of a SIEM, including Graylog, the Elastic Stack, Apache Metron (retired by the Apache Software Foundation in 2021), and OSSEC, which is a host-based intrusion detection system that feeds alerts into a SIEM rather than a full SIEM itself. They offer a high level of control and customization. Free, open-source software isn't necessarily less capable than commercial software; it just doesn't come with vendor support. You need to purchase support or provide your own.
Commercial SIEM vendors offer updates and support. In most cases, cloud and on-premises options are available. Leading platforms include LogRhythm, Splunk, Graylog, Securonix, and IBM QRadar. Each one has its own philosophy, with different tradeoffs among cost, power, and ease of use. The server running the software needs to be powerful enough to handle huge amounts of log data.
Underestimating the commitment that self-managed SIEM requires is a serious mistake. The system generates large amounts of data, and storage scales with events per second, event size, and retention period: a modest 5,000 events per second at 500 bytes each is about 216 GB of raw log data per day, so 90 days of retention lands in the tens of terabytes before indexes are counted. A cloud system that isn't properly constrained can run up unexpectedly high storage bills.
The system needs to be tuned periodically to focus on the highest-risk scenarios and reduce the number of false positives. Tune narrowly, by suppressing a specific known-benign source or pattern, rather than by raising thresholds globally; handling the task poorly could suppress reporting of significant threats.
SIEM as a Service uses one of these tools while handling the management for you. You still need to create a log inventory and make them available to the service, but the ongoing work burden is less, and regular IT people can handle the communication with the SOC. The service will not only provide alerts as threats arise, it will deliver information that helps to identify and strengthen the network’s weak points.
SIEM and SOAR
BitLyft carries automated security to the next level with Security Orchestration, Automation, and Response (SOAR). This set of technologies coordinates SIEM with other software tools to create automatic responses to security incidents.
Orchestration is SOAR's most distinctive feature. It allows the creation of automated processes that bring together tools which weren't designed to work together. It can, for example, use SIEM results to tighten authentication requirements or modify firewall behavior, cutting off an attack before it has any permanent effects. A SIEM result can trigger a malware removal process or server quarantine procedure, stopping the exfiltration of data. Because these same actions can lock out legitimate users or take production systems offline, automated playbooks need guardrails: allow-lists for internal addresses and protected accounts, rate caps, and human approval for the most disruptive steps.
SOAR reduces the amount of human effort needed to keep systems secure. Administrators have more time to look at threats that an automated response can’t handle. They’re less likely to overlook important issues.
Orchestration makes sure a threat is fully countered. Without the use of all available tools, administrators might remove the active part of a threat but leave behind hidden code that will re-install the malware payload and resume the attack.
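As an added illustration of such a playbook (not BitLyft's SOAR and not any product's API), the following takes alerts in the shape a SIEM might emit, applies guardrails before each automatic response, and drives in-memory stand-ins for the firewall, identity provider and endpoint tools. The alert schema, the protected account list, the rate cap and the sample alerts are all assumptions, and a real deployment replaces the adapter methods with API calls to the actual tools.

```python
"""A minimal SOAR-style playbook: decide which automatic responses to an
alert are safe, run them through tool adapters, and escalate everything
else to a human so no alert is silently dropped."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumed internal ranges: never auto-block these, otherwise spoofed or
# relayed traffic could make the playbook cut off the LAN.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NEVER_DISABLE = {"break-glass-admin", "svc-backup"}   # assumed accounts that need a human decision
MAX_AUTO_BLOCKS_PER_HOUR = 20                         # cap so a flood cannot turn SOAR into a DoS
BLOCK_TTL = timedelta(hours=24)                       # blocks expire; permanent ones go through a ticket
NOW = datetime(2024, 3, 4, 2, 15, tzinfo=timezone.utc)  # fixed clock for the demo


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class Adapters:
    """In-memory stand-ins for the tools a playbook orchestrates."""

    def __init__(self):
        self.blocked_ips = {}        # ip -> expiry time
        self.block_times = []        # when each auto-block was placed
        self.disabled_users = set()
        self.quarantined_hosts = set()
        self.tickets = []

    def recent_blocks(self, now):
        return sum(1 for t in self.block_times if now - t < timedelta(hours=1))

    def block_ip(self, ip, now):
        self.blocked_ips[ip] = now + BLOCK_TTL
        self.block_times.append(now)

    def escalate(self, alert, reason):
        self.tickets.append({"alert": alert, "reason": reason})
        return ("escalate", reason)


def run_playbook(alert, adapters, now):
    """Return the list of actions taken for one alert. Each guardrail that
    blocks an automatic action substitutes an escalation in its place."""
    actions = []
    rule, ip, user, host = alert["rule"], alert.get("src_ip"), alert.get("user"), alert.get("host")

    if rule in ("brute_force", "off_hours_external_login") and ip:
        if is_internal(ip):
            actions.append(adapters.escalate(alert, f"{ip} is internal; not auto-blocking"))
        elif adapters.blocked_ips.get(ip, now) > now:
            actions.append(("already_blocked", ip))
        elif adapters.recent_blocks(now) >= MAX_AUTO_BLOCKS_PER_HOUR:
            actions.append(adapters.escalate(alert, "auto-block rate cap reached"))
        else:
            adapters.block_ip(ip, now)
            actions.append(("block_ip", ip))

    if alert.get("compromised") and user:
        if user in NEVER_DISABLE:
            actions.append(adapters.escalate(alert, f"{user} is protected; needs manual review"))
        elif user in adapters.disabled_users:
            actions.append(("already_disabled", user))
        else:
            adapters.disabled_users.add(user)
            actions.append(("disable_user", user))

    if rule in ("malware", "exfiltration") and host:
        adapters.quarantined_hosts.add(host)
        actions.append(("quarantine_host", host))
        actions.append(adapters.escalate(alert, f"{host} quarantined; needs forensics"))

    if alert.get("severity") == "high" and not any(a[0] == "escalate" for a in actions):
        actions.append(adapters.escalate(alert, "high severity; analyst review"))
    return actions


# Constructed sample alerts in the shape a SIEM correlation step might emit.
ALERTS = [
    {"rule": "brute_force", "user": "jsmith", "src_ip": "203.0.113.7", "compromised": True, "severity": "high"},
    {"rule": "brute_force", "user": "break-glass-admin", "src_ip": "10.0.0.5", "compromised": True, "severity": "high"},
    {"rule": "malware", "host": "ws-17", "severity": "medium"},
]

if __name__ == "__main__":
    adapters = Adapters()
    for alert in ALERTS:
        print(alert["rule"], "->", run_playbook(alert, adapters, NOW))
    print("open tickets:", len(adapters.tickets))
```

The first alert is fully automated (block the source, disable the account, open a ticket for the analyst); the second hits two guardrails and produces only tickets, because the source is inside the network and the account is one a human must decide about; the third quarantines a host and opens a ticket because a quarantined machine still needs forensics. Every branch ends in either an action or a ticket, which is what keeps automation from quietly discarding the alerts it chose not to act on.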
BitLyft’s combination of SIEM, SOAR, and an experienced SOC team means an in-depth defense against both known and new threats, greatly reducing the odds of an expensive data breach.
You may have been running an in-house SIEM system and finding that you can’t keep up with its requirements. With an overly strained support team, it could be missing important information or generating too much irrelevant information.
You may have been running a log analysis system assembled from system tools. It provides some useful information, but it isn’t up to correlating all the available information and producing useful intelligence. It’s trying to find needles in haystacks with limited success.
Or you may be working with an MSP that includes SIEM as part of its security services but doesn’t have the expertise to get the full value from it. An MSP is spread out over many support tasks and can’t focus its full efforts on cybersecurity the way a managed security services provider (MSSP) can. SIEM managed by an MSSP with an experienced SOC team will find security issues more reliably and provide expert advice on how to deal with them.
Not all SIEM systems are equal. You may be using a service with outdated capabilities and limited ability to correlate logs and discover threats. To get the latest capabilities, you might have to switch providers.
The process of migration may seem daunting, and it certainly isn’t trivial. The first step is to review your log inventory and use cases. You’re making a fresh start, and you want to give the new service every advantage. Your old service could be missing important logs. Your primary use cases may have changed. Bring your information up to date before making the switch. A full review is better than a hasty change.
To obtain the SIEM security you need, you should talk to an expert. We’ll be glad to set up a consultation with no obligation, so you can learn about all of BitLyft’s managed security options.