In Part 1 of this series, we discussed what a SIEM actually is. In Part 2, we discussed what kind of logs you need for an effective SIEM implementation.
So life should be grand, right? Nope, the big problem is that most systems’ log files don’t contain entries that say, “Help! Help! I’m being attacked!” They don’t say “Help! Help! I’m being broken into with a compromised account!” They say something like “Successful Login from Authenticated User.” A skilled human can read those log files and see the sequence of events and figure out the machine is being compromised, especially when they cross-reference them with logs from other systems.
A well-tuned SIEM that is integrated with log providers such as network IDS, host IDS, FIM, behavioral monitoring and vulnerability assessment can figure this out too. Unfortunately, there is a lot of effort to get a SIEM to that point without a unified security management approach. Most small and medium businesses simply cannot afford the old-fashioned SIEM approach.
I’d Like a Second Opinion
No single security control is perfect. Security practitioners are constantly talking about “False Positives” and the “Tuning” that is required to keep security controls from driving them crazy with alarms. When something malicious actually does happen, there will usually be more than one record of it happening. For example, if “Web proxy detected possible Malware from a site was downloaded to a host. Antivirus on that host also reports “malware was detected and removed” – we can absolutely confirm that this site is serving malware.
SIEM is the recording device for the systems that form your information infrastructure. SIEM allows you to give analysts access to information from these systems, without giving them access to the systems themselves. Event Correlation allows you to encode security knowledge into automated searches across events and asset information to alert on things happening within your infrastructure, and create a starting point for human analysis into a sea of log data. But remember: any SIEM is only as good as the data you put into it.
A unified approach to security management includes SIEM capabilities, but also includes many of those data sources as part of the core product. Having them Integrated ahead of time is particularly convenient – especially for small and medium businesses that do not typically have a large and expert security organization.
For example, AlienVault’s Unified Security Management offering (and the open source SIEM offering, OSSIM) includes quite a few essential security capabilities, including asset discovery, vulnerability assessment, threat detection, behavioral monitoring and security intelligence. So USM includes network IDS as part of threat detection capability. Let’s explore some of the advantages of this integrated capability as an example.
Signature “hits” from the built-in IDS generate SIEM events, just like log events from system logs. They are normalized into source and destination, protocol, and so on, and can be searched, and pivoted on, just as with any regular SIEM event.
Correlation, Cross-Correlation
Just as log correlation can be used to identify particular sequences of log events from devices, the events from the IDS can be factored into those sequences too. This comparison between network-level and host-level events can automatically perform some of the initial validation that would normally need to be performed by an analyst manually.
For example, the IDS may show an attack attempt, but on its own may have no way to validate that it was successful. A host’s logs may show a new administrative user being added, but the IDS has no way to determine if this was done maliciously. However, taking into account the sequence of the IDS alarm, followed almost immediately by the creation of an admin account – is a sequence of events that literally shouts “successful attack.” Without unified security management, it would require a human to figure this out.
Similarly, cross-device correlation between an event detected (such as an attack on a host) and a state ( such as known-vulnerable) is pretty good to know. In this case, the IDS is cross correlated with the vulnerability assessment capability in USM, and this can be correlated into an alarm.
IDS signatures are an indicator of an attack, not an infallible identifier of attacks. Analysts must examine the traffic that triggered the signature and validate malicious intent before proceeding with any further investigation. With a traditional SIEM, this often requires logging into the IDS management interface to cross-reference and locate the event in the SIEM with the event details in the IDS. Traditional SIEMs are entirely too much work for the typical small or medium business.
Policies in AlienVault USM are a set of rules for how to escalate events in the SIEM to human attention. Policy has two components – conditions and actions. Action is conditional: USM allows that conditions be used to determine what should be done with an event – perhaps routing the ticket to different people groups and other destinations.
In addition, asset discovery and management information in USM is particularly helpful, such as “Alerts from this group of hosts go to these analysts.” And “after this time of day, send emergency alerts to the on-call team instead.”
Knowledge about what to do when under attack
The dynamic incident response guidance in USM includes details about the victim host, such as owner, network segment and installed software. It also indicates the network protocol in use and specific risks associated with that protocol. When there's communication with an external host, it indicates information on exploits it has executed in the past. This guidance provides information on command and control traffic, which is always important. Most importantly, the guidance provides specific actions you need to take for further investigation and threat containment - and why you should take them.
USM is a smarter approach than traditional SIEM
As you can see, the USM approach gets you to value faster than a traditional SIEM approach, as the built-in essential security capabilities of asset discovery, vulnerability assessment, threat detection, behavioral monitoring and security intelligence are integrated and tuned “out of the box.” In this blog, we focused on the advantages of the built-in IDS. Of course, there’s a lot more of USM to explore. You can download a free 30 day trial here.
