SIEMs have gained considerable importance in the cybersecurity world. Incident response, forensics and many other functions have become easier to access from a single platform. This page highlights some of those applications: security monitoring, forensics, incident response, and compliance reporting and auditing.
• SIEMs help with real-time monitoring of organizational systems for security incidents.
• A SIEM has a unique perspective on security incidents, because it has access to multiple data sources – for example, it can combine alerts from an IDS with information from an antivirus product. It helps security teams identify security incidents that no individual security tool can see, and helps them focus on alerts from security tools that have special significance.
Advanced Threat Detection
• SIEMs can help detect, mitigate and prevent advanced threats, including:
• Malicious insiders – a SIEM can use browser forensics, network data, authentication, and other data to identify insiders planning or carrying out an attack
• Data exfiltration (sensitive data illicitly transferred outside the organization) – a SIEM can pick up data transfers that are abnormal in their size, frequency or payload
• Outside entities, including Advanced Persistent Threats (APTs) – a SIEM can detect early warning signals indicating that an outside entity is carrying out a focused attack or long-term campaign against the organization
Forensics and Incident Response
• SIEMs can help security analysts realize that a security incident is taking place, triage the event and define immediate steps for remediation.
• Even if an incident is known to security staff, it takes time to collect the data needed to fully understand the attack and stop it – a SIEM can collect this data automatically and significantly reduce response time. When security staff discover a historic breach or security incident that needs to be investigated, SIEMs provide rich forensic data to help uncover the kill chain, the threat actors and the mitigation.
Compliance Reporting and Auditing
• SIEMs can help organizations prove to auditors and regulators that they have the proper safeguards in place and that security incidents are known and contained.
• Many early adopters of SIEMs used them for this purpose – aggregating log data from across the organization and presenting it in an audit-ready format. Modern SIEMs automatically provide the monitoring and reporting necessary to meet standards like HIPAA, PCI DSS, SOX, FERPA, and HITECH.
These days, organizations aim to protect their network end to end: from the network perimeter, with devices like firewalls and Network Intrusion Prevention Systems (NIPS), to the endpoint hosts, with security features like antivirus and Host Intrusion Prevention Systems (HIPS). Most organizations, however, collect security incident reports from each of these products in standalone mode, which brings problems such as false positives.
Correlation logic is the backbone of every SIEM solution, and correlation is more effective when it is built over the output of disparate log sources. For example, an organization can correlate security events such as unusual port activity on the firewall, suspicious DNS requests, warnings from a Web Application Firewall and IDS/IPS, and threats recognized by antivirus, HIPS, etc. to detect a potential threat. Organizations can build the following sub-use cases under this category.
- Unusual network traffic spikes to and from sources.
- Endpoints with maximum number of malware threats.
- Top trends of malware observed: detected, prevented, mitigated.
- Brute force pattern check on Bastion host.
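The multi-source correlation and the bastion brute-force sub-use cases above, as an added example that is not part of the original article; the events, the host addresses and the thresholds (two distinct products within ten minutes, five failed logins within two minutes) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, already normalized to (timestamp, host, source, detail);
# a real SIEM performs this normalization at ingest time.
EVENTS = [
    ("2024-05-01T10:00:05", "10.0.0.7", "firewall", "outbound tcp/4444 allowed"),
    ("2024-05-01T10:02:10", "10.0.0.7", "dns", "query for newly seen domain"),
    ("2024-05-01T10:04:40", "10.0.0.7", "antivirus", "trojan quarantined"),
    ("2024-05-01T10:30:00", "10.0.0.9", "antivirus", "adware cleaned"),
    ("2024-05-01T11:15:00", "10.0.0.9", "firewall", "outbound tcp/4444 allowed"),
]
# Constructed failed logins on a bastion host: (timestamp, source_ip).
BASTION_FAILURES = [(f"2024-05-01T09:00:{s:02d}", "198.51.100.5") for s in range(0, 60, 10)]
BASTION_FAILURES += [("2024-05-01T09:00:00", "203.0.113.8"), ("2024-05-01T09:20:00", "203.0.113.8")]

def correlate(events, window=timedelta(minutes=10), min_sources=2):
    """Alert when one host raises events from >= min_sources distinct
    security products inside a sliding time window."""
    by_host = defaultdict(list)
    for ts, host, source, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), source, detail))
    alerts = []
    for host, evs in sorted(by_host.items()):
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            sources = {src for t, src, _ in evs[i:] if t - t0 <= window}
            if len(sources) >= min_sources:
                alerts.append((host, sorted(sources)))
                break  # one alert per host; the analyst pivots from there
    return alerts

def brute_force(failures, threshold=5, window=timedelta(minutes=2)):
    """Flag source IPs with >= threshold failed logins inside the window."""
    by_ip = defaultdict(list)
    for ts, ip in failures:
        by_ip[ip].append(datetime.fromisoformat(ts))
    flagged = []
    for ip, times in sorted(by_ip.items()):
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return flagged
```

Host 10.0.0.9 produces an antivirus and a firewall event 45 minutes apart, so it stays below the window and raises no alert; only 10.0.0.7, with three products inside ten minutes, does.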
Detection of Anomalous Ports, Services and Unpatched Hosts/Network Devices
Hosts or network devices usually get exploited because they are often left unhardened and unpatched. Organizations must first develop a baseline hardening guideline that defines rules for all required ports and services according to business needs, in addition to best practices like “default deny-all”.
For example, to check which services are being started, system logs from the Windows Event Viewer must be fed into the SIEM solution, and a corresponding correlation search must be created against the source name “Service Control Manager” to detect which anomalous services were started or stopped.
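The Service Control Manager search described above, as an added example that is not part of the original article: a baseline of expected services is compared against parsed System log records. The baseline, the sample records and the service names are constructed assumptions; event IDs 7036 (service state change) and 7045 (new service installed) are the real Windows System log IDs for these messages.

```python
import re

# Baseline of services expected on this host class (constructed list; in
# practice it comes from the hardening guideline described above).
BASELINE_SERVICES = {"Windows Update", "Windows Defender Antivirus Service",
                     "Print Spooler", "DNS Client"}
# Security services whose stop is worth a finding even though they are baselined.
SECURITY_SERVICES = {"Windows Defender Antivirus Service"}

# Constructed sample records as a SIEM might store them after parsing the
# System log: (event_id, source, message). Event 7036 is a state change and
# 7045 a newly installed service; the 7045 message is flattened to one line.
EVENTS = [
    (7036, "Service Control Manager", "The Windows Update service entered the running state."),
    (7036, "Service Control Manager", "The Print Spooler service entered the stopped state."),
    (7036, "Service Control Manager", "The RemoteHelper service entered the running state."),
    (7045, "Service Control Manager", "A service was installed in the system. "
           "Service Name: RemoteHelper Service File Name: C:\\Users\\Public\\rh.exe"),
    (7036, "Service Control Manager",
     "The Windows Defender Antivirus Service service entered the stopped state."),
    (1000, "Application Error", "Faulting application name: notepad.exe"),
]

STATE_RE = re.compile(r"^The (?P<name>.+) service entered the (?P<state>running|stopped) state\.$")
INSTALL_RE = re.compile(r"Service Name: (?P<name>.+?) Service File Name: (?P<path>.+)$")


def review_scm_events(events, baseline=BASELINE_SERVICES, security=SECURITY_SERVICES):
    """Return (kind, service, detail) findings for services outside the baseline,
    newly installed services, and security services that stopped."""
    findings = []
    for event_id, source, message in events:
        if source != "Service Control Manager":
            continue  # the correlation search is scoped to this source name
        if event_id == 7036:
            m = STATE_RE.match(message)
            if not m:
                continue
            name, state = m["name"], m["state"]
            if name not in baseline:
                findings.append(("unbaselined-service", name, state))
            elif state == "stopped" and name in security:
                findings.append(("security-service-stopped", name, state))
        elif event_id == 7045:
            m = INSTALL_RE.search(message)
            if m:
                findings.append(("new-service-installed", m["name"], m["path"]))
    return findings
```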
Organizations can also check for vulnerable ports and exposed services by deploying a vulnerability manager and running regular scans of the network. The scan report can be fed into the SIEM solution to produce a more comprehensive report that includes the risk rating of the machines on the network. Some use cases an organization can build from these reports are:
- Top vulnerabilities detected in network.
- Most vulnerable hosts in the network, i.e. those with the highest number of vulnerabilities.
Another important aspect that an organization should constantly monitor as part of the SIEM process is whether all clients or endpoints are properly patched with software updates; the client patch status information should be fed into the SIEM solution. There are various ways an organization can plan this check.
- Organizations can check patch-related status by deploying a vulnerability manager and running regular scans for unpatched endpoints.
- Organizations can deploy a “centralized update manager” like WSUS and feed the update status of endpoints into the SIEM solution, or feed the logs of the manager agent deployed on the endpoints directly into the SIEM, to detect all unpatched endpoints in the network.
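Feeding a vulnerability scan report and an update manager's patch status into the SIEM, as an added example that is not part of the original article: it serves both the "top vulnerabilities / most vulnerable hosts" use cases and the unpatched-endpoint check above. The CSV export, the patch-count feed, the host addresses, the placeholder CVE ids and the risk weighting are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed scanner export, one finding per row, as a vulnerability manager
# might produce before the SIEM ingests it. CVE ids are placeholders.
SCAN_CSV = """host,cve,cvss
10.0.0.7,CVE-0000-0001,9.8
10.0.0.7,CVE-0000-0002,5.3
10.0.0.9,CVE-0000-0001,9.8
10.0.0.11,CVE-0000-0003,7.5
"""
# Constructed feed from a central update manager such as WSUS:
# host -> count of approved updates not yet installed.
PATCH_STATUS = {"10.0.0.7": 12, "10.0.0.9": 0, "10.0.0.11": 3, "10.0.0.12": 7}


def load_findings(csv_text):
    """Parse the scanner export into (host, cve, cvss) tuples."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["host"], r["cve"], float(r["cvss"])) for r in rows]


def top_vulnerabilities(findings, n=3):
    """Most widespread CVEs as (cve, affected_hosts, cvss), ties broken by severity."""
    hosts = defaultdict(set)
    cvss = {}
    for host, cve, score in findings:
        hosts[cve].add(host)
        cvss[cve] = score
    ranked = sorted(hosts, key=lambda c: (-len(hosts[c]), -cvss[c]))
    return [(c, len(hosts[c]), cvss[c]) for c in ranked[:n]]


def host_risk(findings, patch_status, missing_patch_weight=0.5):
    """Rank hosts by summed CVSS plus a weight per missing patch. Hosts that
    appear only in the patch feed (never scanned) still receive a score."""
    score = defaultdict(float)
    for host, _, cvss in findings:
        score[host] += cvss
    for host, missing in patch_status.items():
        score[host] += missing_patch_weight * missing
    return sorted(((h, round(s, 1)) for h, s in score.items()),
                  key=lambda hs: -hs[1])
```

Host 10.0.0.12 never appears in the scan export but still surfaces through the patch feed, which is the gap a scanner-only view would miss.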