Network security is a game of cat and mouse. The mouse knows lots of places to hide. It comes out now and then, eating things and making places dirty, then it goes back into hiding. Unless the cat knows all the places to look and figures out the mouse’s tactics, the mouse will keep doing damage and never be seen.
Suppose the cat could track every mouse hole, every crack under the door, every trail of crumbs. Then it could catch the rodent quickly and make sure there aren’t any more lurking around. It’s a rare cat who’s that thorough, but software exists to do the same for malware. Its trails are system and application logs. It connects the paths to find out how the “mouse” is getting from its lair to the pantry and where it’s hiding.
The “cat” that does this is called SIEM. What does SIEM stand for? Security information and event management. It brings together information from many sources in the network, letting it build a picture of what threats are present, what attacks have happened, and what is affected. This lets system security personnel eradicate threats completely and find everything that needs remediation.
Many online attacks are crude and simple, but the most dangerous ones follow a detailed strategy. They go through multiple stages to establish themselves thoroughly before causing serious harm. The earlier they are caught, the less damage they do. They try to establish multiple footholds so that they can come back if they’re just partially removed. A sophisticated threat will go through these steps:
A complete set of logs will include evidence of all or most of this process, showing how the attack began and how it has progressed. However, the evidence is scattered. SIEM software analyzes the logs to correlate the information and build a complete picture. It can identify an attack in progress before it reaches the critical servers and compromises critical information. Automated processes or administrator action can remove the hostile code with a minimum of disruption.
The number of information sources is too large to correlate manually, even with text search tools. A small SIEM system may use hundreds of sources. A large one gets into the thousands, with many of them generating multiple log entries per second. The software uses advanced algorithms to find abnormal and suspicious patterns in the mass of log data. It eliminates the cases with a low likelihood of risk and reports the ones with clear indications of hostile activity.
A SIEM security system monitors log activity 24 hours a day, issuing alerts and triggering remedial action when necessary. It produces periodic reports that are useful for the evaluation and planning of network security. Its main purposes are the following:
Not every organization needs SIEM. It requires significant time and resources, and your security needs have to justify the effort. A business that has just a website, email, and user files can get by with simpler security measures. One that uses SaaS cloud services for its business needs already benefits from the cloud provider’s security systems.
The use of SIEM is justified when an organization stores and processes confidential information, and especially when it has to meet regulatory requirements and standards to stay in business. Confidential information is a broader concept than credit card and government ID numbers. A breach that exposes large numbers of names, addresses, and telephone numbers is a serious matter even if nothing more sensitive is at risk.
A business that keeps large quantities of personal information needs to take its security very seriously. One that includes European Union citizens could be subject to GDPR penalties. The cost of not protecting information is only going to increase. Having SIEM protection is insurance against expensive security disasters and fines.
There are many ways that SIEM guards against threats. Any given organization will give some of them high priority. A skilled team of analysts can get the most value out of it. These are some of the ways SIEM protects a network:
There is a lot more to SIEM than installing the software and letting it run. It needs access to all relevant logs and the ability to parse them. The preparation process will take weeks or months, and it shouldn’t be rushed.
The first step is to create an inventory of logs that contain SIEM-relevant information. The applicable sources can include any or all of these:
Some potential information sources may not have logging turned on. Others may be set to the Debug level, generating a flood of uninteresting information, or to the Severe or Error level, potentially missing important data. Reviewing and adjusting the logging parameters of every source will help SIEM get all the information it needs without being overwhelmed.
The inventory should determine what data formats the logs use and whether a software agent will be needed to access them. SIEM performs data normalization and can deal with logs in many formats. Even so, using well-known formats will make the integration of logs easier and less prone to dropped information. Non-standard logs require custom parsers. Logging systems that use the syslog protocol make the job easier.
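As an added example (not BitLyft’s product or code), the normalize-then-correlate idea from the paragraphs above: lines from two sshd hosts in RFC 3164 syslog framing and from a firewall that logs key=value pairs are mapped onto one common schema, and a single correlation rule then flags a source address that fails logins on several hosts before succeeding. The sample lines, the year supplied for the year-less syslog timestamps, and the rule thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real data): two hosts logging sshd via RFC 3164
# syslog, plus a firewall appliance that logs key=value pairs in its own format.
SAMPLE_LOGS = [
    "<38>Mar 12 10:14:01 web01 sshd[2031]: Failed password for root from 203.0.113.9 port 5123 ssh2",
    "<38>Mar 12 10:14:03 web01 sshd[2031]: Failed password for root from 203.0.113.9 port 5124 ssh2",
    "<38>Mar 12 10:14:05 db01 sshd[917]: Failed password for admin from 203.0.113.9 port 5130 ssh2",
    "<38>Mar 12 10:14:09 db01 sshd[917]: Accepted password for admin from 203.0.113.9 port 5131 ssh2",
    "ts=2024-03-12T10:14:10Z dev=fw-edge action=deny src=198.51.100.4 dst=10.0.0.5 dport=445",
]
SYSLOG_RE = re.compile(r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
LOG_YEAR = 2024  # assumption: RFC 3164 timestamps carry no year, so one must be supplied

def normalize(line):
    """Map one raw line from either source onto a common event schema; None if unparsed."""
    m = SYSLOG_RE.match(line)
    if m:
        s = SSH_RE.match(m["msg"])
        if not s:
            return None
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        return {"ts": ts, "host": m["host"], "src": s["src"], "user": s["user"],
                "category": "auth_success" if s["outcome"] == "Accepted" else "auth_fail"}
    kv = dict(f.split("=", 1) for f in line.split() if "=" in f)
    if all(k in kv for k in ("ts", "dev", "action", "src")):
        return {"ts": datetime.strptime(kv["ts"], "%Y-%m-%dT%H:%M:%SZ"), "host": kv["dev"],
                "src": kv["src"], "user": None, "category": "fw_" + kv["action"]}
    return None

def correlate(events, window=timedelta(seconds=60), min_fails=3, min_hosts=2):
    """Flag a source that fails logins on several hosts and then succeeds within the window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["category"] != "auth_success":
                continue
            fails = [f for f in evs[:i] if f["category"] == "auth_fail" and e["ts"] - f["ts"] <= window]
            hosts = {f["host"] for f in fails}
            if len(fails) >= min_fails and len(hosts) >= min_hosts:
                alerts.append({"src": src, "user": e["user"], "host": e["host"],
                               "failures": len(fails), "hosts_probed": sorted(hosts)})
    return alerts

def detect(lines):
    """Normalize every parseable line, then run the correlation rule over the result."""
    events = [e for e in (normalize(l) for l in lines) if e]
    return events, correlate(events)
```

Lines that match neither parser are dropped rather than guessed at, which is exactly the “dropped information” risk the paragraph describes for non-standard formats without a custom parser.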
The plan should identify the most important use cases. There are many ways to use SIEM, but knowing the highest priorities helps in planning. The list could include items like these:
Listing the top use cases will help in choosing relevant logs and selecting a SIEM tool. The next step is to look at the available services and pick the one best suited to the organization’s goals.
As you may have gathered, working with SIEM isn’t simple. By its nature, it can’t be plug-and-play. You have to do considerable preparatory work to establish your needs and make the system useful. For the ongoing management tasks, though, you have a range of options.
SIEM can be set up as an on-premises system, a self-managed cloud service, or a managed service from an MSSP. The first two options give the greatest amount of direct control, but they require a large amount of ongoing effort by expert analysts. When the software issues an alert, what kind of action is necessary? Can it safely be set aside without immediate action? Are drastic steps, such as taking affected systems offline or disabling accounts, necessary? Aside from simple, easily fixed cases, SIEM can’t make the decision by itself.
A security operations center (SOC) provides the expertise to analyze and act on SIEM’s information. It contributes a sense of how less quantifiable measures fit in. Factors such as what accounts are involved, recent events elsewhere in the industry, threats that are on the rise, and the likelihood of harm play a role in the decisions the SOC team makes.
Regular IT people can manage SIEM software, but they won’t have the same finely developed sense of how to respond to each alert. They may go after the wrong targets and then slack off when they notice they aren’t finding actual threats.
The need for specialized skills makes the option of SIEM as a service attractive to many businesses. A managed service lets security specialists handle the day-to-day operations. BitLyft offers SIEMaaS in a range of configurations to fit each customer’s security needs.
Some companies claim to offer “SIEM as a service” when what they really offer is a cloud-based system which the customer manages. Make sure you know what you’re getting when choosing among security services.
What are the best SIEM tools? Many options are available. A number of open-source SIEM tools are available for free, including Graylog, Elastic, Apache Metron, and OSSEC. They offer a high level of control and customization. Free, open-source software isn’t necessarily less capable than commercial software; it just doesn’t come with support. You need to purchase support or provide your own.
Commercial SIEM vendors offer updates and support. In most cases, cloud and on-premises options are available. Leading platforms include LogRhythm, Splunk, Graylog, Securonix, and IBM QRadar. Each one has its own philosophy, with different tradeoffs among cost, power, and ease of use. The server running the software needs to be powerful enough to handle huge amounts of log data.
Underestimating the commitment that self-managed SIEM requires is a serious mistake. The system generates large amounts of data, and its storage capacity should be in the tens of terabytes. A cloud system that isn’t properly constrained can run up unexpectedly high storage bills.
The system needs to be tuned periodically to focus on the highest-risk scenarios and reduce the number of false positives. Handling the task poorly could suppress reporting of significant threats.
SIEM as a Service uses one of these tools while handling the management for you. You still need to create a log inventory and make the logs available to the service, but the ongoing work burden is less, and regular IT people can handle the communication with the SOC. The service will not only provide alerts as threats arise but also deliver information that helps to identify and strengthen the network’s weak points.
BitLyft carries security automation to the next level with Security Orchestration, Automation, and Response (SOAR). This set of technologies coordinates SIEM with other software tools to create automatic responses to security incidents.
Orchestration is SOAR’s most distinctive feature. It allows the creation of automated processes bringing together tools that weren’t designed to work together. It can, for example, use SIEM results to tighten authentication requirements or modify firewall behavior, cutting off an attack before it has any permanent effects. A SIEM result can trigger a malware removal process or server quarantine procedure, stopping the exfiltration of data.
SOAR reduces the amount of human effort needed to keep systems secure. Administrators have more time to look at threats that an automated response can’t handle. They’re less likely to overlook important issues.
Orchestration makes sure a threat is fully countered. Without the use of all available tools, administrators might remove the active part of a threat but leave behind hidden code that will re-install the malware payload and resume the attack.
BitLyft’s combination of SIEM, SOAR, and an experienced SOC team means an in-depth defense against both known and new threats, greatly reducing the odds of an expensive data breach.
You may have been running an in-house SIEM system and finding that you can’t keep up with its requirements. With an overly strained support team, it could be missing important information or generating too much irrelevant information.
You may have been running a log analysis system assembled from system tools. It provides some useful information, but it isn’t up to correlating all the available information and producing useful intelligence. It’s trying to find needles in haystacks with limited success.
Or you may be working with an MSP that includes SIEM as part of its security services but doesn’t have the expertise to get the full value from it. An MSP is spread out over many support tasks and can’t focus its full efforts on cybersecurity the way a managed security services provider (MSSP) can. SIEM managed by an MSSP with an experienced SOC team will find security issues more reliably and provide expert advice on how to deal with them.
Not all SIEM systems are equal. You may be using a service with outdated capabilities and limited ability to correlate logs and discover threats. To get the latest capabilities, you might have to switch providers.
The process of migration may seem daunting, and it certainly isn’t trivial. The first step is to review your log inventory and use cases. You’re making a fresh start, and you want to give the new service every advantage. Your old service could be missing important logs. Your primary use cases may have changed. Bring your information up to date before making the switch. A full review is better than a hasty change.
To obtain the SIEM security you need, you should talk to an expert. We’ll be glad to set up a consultation with no obligation, so you can learn about all of BitLyft’s managed security options.