How SIEM Correlation Rules Work

February 20, 2018 | Kim Crawley

SIEM is a powerful security tool when deployed properly. Network security appliances like IDS devices, IPS devices, and firewalls generate an awful lot of logs. A well-configured SIEM will alert security administrators to which events and trends they should pay attention to. Otherwise they’ll be too lost in event log noise to be able to effectively handle possible security threats to their network.

One of the key components that a functioning SIEM requires is good and sensible SIEM correlation rules. Let’s learn how SIEM correlation rules work! It’s actually pretty simple and easy to understand.

What is a correlation rule?

The various appliances in your network should be constantly generating event logs that are fed into your SIEM system. A SIEM correlation rule tells your SIEM system which sequences of events could be indicative of anomalies which may suggest security weaknesses or cyber attack. When “x” and “y” or “x” and “y” plus “z” happens, your administrators should be notified.

Here are some examples of SIEM correlation rules which illustrate this concept.

  • Detect new DHCP servers in your network by watching for inside or outside connections which use UDP packets (“x”), have port 67 as the destination (“y”), and the destination IP address isn’t on the registered IP list (“z”).
  • Warn administrators if five failed login attempts are tried with different usernames from the same IP to the same machine within fifteen minutes (“x”), and that event is followed by a successful login occurring from that same IP address to any machine inside the network (“y”).

The first example could indicate a cyber attacker establishing a DHCP server to acquire malicious access to your network. Any authorized DHCP server would use one of your registered IP addresses!

The second example could indicate a cyber attacker brute-forcing an authentication vector and then successfully acquiring authentication to your network. It could be a possible privilege escalation attack.

Both SIEM correlation rules could be triggered by honest mistakes and simple user errors or technical glitches. But they’re also key indicators of cyber attack and security administrators should check them out right away!
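The two rules above, as an added example that is not from the original post: a small correlation loop over constructed, already-normalized events. The field names (ts, kind, src, dst, proto, dport, user, result), the registered DHCP list, and the assumption that the successful login must arrive within the same fifteen-minute window are all choices made for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical normalized schema), in time order.
T0 = datetime(2018, 2, 20, 9, 0, 0)
EVENTS = [
    {"ts": T0, "kind": "conn", "src": "10.0.0.5", "dst": "10.0.0.1", "proto": "udp", "dport": 67},
    {"ts": T0 + timedelta(minutes=1), "kind": "conn", "src": "10.0.0.5", "dst": "10.0.0.99", "proto": "udp", "dport": 67},
    {"ts": T0 + timedelta(minutes=2), "kind": "conn", "src": "10.0.0.5", "dst": "10.0.0.99", "proto": "tcp", "dport": 67},
] + [
    {"ts": T0 + timedelta(minutes=3 + i), "kind": "auth", "src": "203.0.113.7", "dst": "10.0.0.20", "user": u, "result": "fail"}
    for i, u in enumerate(["root", "admin", "guest", "oracle", "test"])
] + [
    {"ts": T0 + timedelta(minutes=10), "kind": "auth", "src": "203.0.113.7", "dst": "10.0.0.21", "user": "jsmith", "result": "success"},
    {"ts": T0 + timedelta(minutes=11), "kind": "auth", "src": "198.51.100.9", "dst": "10.0.0.21", "user": "jsmith", "result": "success"},
]

REGISTERED_DHCP = {"10.0.0.1"}   # constructed list of authorized DHCP servers
WINDOW = timedelta(minutes=15)
FAIL_THRESHOLD = 5               # distinct usernames that must fail from one IP to one host


def rogue_dhcp_rule(ev):
    """Rule 1: UDP ("x") to destination port 67 ("y") whose destination is not registered ("z")."""
    if ev["kind"] == "conn" and ev["proto"] == "udp" and ev["dport"] == 67 \
            and ev["dst"] not in REGISTERED_DHCP:
        return f"rogue DHCP server candidate {ev['dst']} contacted by {ev['src']}"
    return None


def correlate(events):
    """Run both rules over a time-ordered stream and return the alerts raised."""
    alerts = []
    failures = defaultdict(list)   # (src, dst) -> [(ts, username), ...] inside the window
    suspect_until = {}             # src -> deadline by which a success completes rule 2
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = rogue_dhcp_rule(ev)
        if hit:
            alerts.append(hit)
        if ev["kind"] != "auth":
            continue
        key = (ev["src"], ev["dst"])
        if ev["result"] == "fail":
            # Rule 2 "x": slide the window, then count distinct usernames tried
            failures[key] = [(t, u) for t, u in failures[key] if ev["ts"] - t <= WINDOW]
            failures[key].append((ev["ts"], ev["user"]))
            if len({u for _, u in failures[key]}) >= FAIL_THRESHOLD:
                suspect_until[ev["src"]] = ev["ts"] + WINDOW
        elif ev["result"] == "success":
            deadline = suspect_until.get(ev["src"])
            if deadline is not None and ev["ts"] <= deadline:   # Rule 2 "y"
                alerts.append(f"brute force then success: {ev['src']} -> {ev['dst']} as {ev['user']}")
    return alerts
```

The second successful login comes from an IP with no preceding failures, so it raises nothing; that distinction is what keeps the rule from firing on every ordinary login.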

SIEM correlation in a nutshell

Your SIEM will analyze a whole lot of event logs which record endless seemingly mundane activities. They will look mundane to a human being if they just keep reading a list of thousands of events.

Connection established from some IP address and some TCP/IP port to another IP address and TCP/IP port! Some user changed their username on Tuesday and their password on Thursday! Some client machine downloaded 500MB and uploaded 200MB of network traffic one day, then downloaded 3.5GB and uploaded 750MB of network traffic the next day!

Properly designed SIEM correlation rules cut through all of the blah, blah, blah of your network event logs to detect which sequences of events are likely indications of cyber attack. So you should take great care in developing your SIEM correlation rules. SIEM is driven by computers and computers will just execute any instructions you give them. You as the clever human being with an organic brain should come up with practical SIEM correlation rules so your SIEM system can wake you up when there’s a possible cyber attack you should pay attention to.

What is normalization in SIEM?

Different software, hardware, and networking component vendors use their own event log formats, and each format has its own set of information fields. A SIEM system will do its best to read the various event log formats in order to make sense of them. If you make Excel spreadsheets, imagine all of the different ways someone could decide what the fields should be in order to organize the same data. Should IP addresses be recorded in column A or column D? Should the IP address column be labeled “IP,” “IP Address,” “IP Addresses,” “Gateway IPs,” or “public IPs?” Should UDP ports get one column and TCP ports get a different column, or should all UDP and TCP ports be in the same column?

Event log normalization is an effort to change event log formats from different vendors and network components so they’re as universal as possible within your network. Obviously, an antivirus event log will look very different from a firewall event log. But if your network has firewalls from more than one vendor, it may be possible to make their event logs the same format.

Event log normalization can make your SIEM and its SIEM correlation rules execute a lot more efficiently. If you can improve event log normalization, your SIEM will be less likely to make mistakes or miss events that a security administrator should be concerned about.
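Normalization in practice, as an added example that is not from the original post: two constructed firewall log formats for the same kind of event (one key=value, one positional) are parsed into one common schema, so that a single correlation rule can be written against the common field names rather than once per vendor. The line formats, regexes and field names are assumptions made for this illustration.

```python
import re
from datetime import datetime

# Constructed sample lines: "vendor A" uses key=value pairs, "vendor B" a positional CSV.
KV_LINE = "2018-02-20T09:00:00Z act=deny proto=UDP src=10.0.0.5 spt=50321 dst=10.0.0.99 dpt=67"
CSV_LINE = "Feb 20 2018 09:00:01,DENY,10.0.0.5:50322,10.0.0.99:67,udp"

KV_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?P<rest>(?:\w+=\S+\s*)+)$")
CSV_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d),(?P<act>\w+),"
                    r"(?P<src>[\d.]+):(?P<spt>\d+),(?P<dst>[\d.]+):(?P<dpt>\d+),(?P<proto>\w+)$")


def parse_kv(line):
    """Vendor A: ISO timestamp followed by key=value pairs."""
    m = KV_RE.match(line)
    if not m:
        return None
    f = dict(pair.split("=", 1) for pair in m["rest"].split())
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "action": f["act"].lower(),
            "proto": f["proto"].lower(), "src": f["src"], "sport": int(f["spt"]),
            "dst": f["dst"], "dport": int(f["dpt"]), "vendor": "A"}


def parse_csv(line):
    """Vendor B: syslog-style timestamp, then action, src:port, dst:port, protocol."""
    m = CSV_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), "action": m["act"].lower(),
            "proto": m["proto"].lower(), "src": m["src"], "sport": int(m["spt"]),
            "dst": m["dst"], "dport": int(m["dpt"]), "vendor": "B"}


PARSERS = [parse_kv, parse_csv]


def normalize(line):
    """Try each vendor parser in turn; return the common-schema event or None if no format matched."""
    for parser in PARSERS:
        ev = parser(line)
        if ev is not None:
            return ev
    return None


def is_udp_port67(ev):
    """One rule predicate written once against the common schema, valid for every vendor."""
    return ev["proto"] == "udp" and ev["dport"] == 67
```

Lines that no parser recognizes return None rather than a half-filled record, so the pipeline can count and review them instead of silently dropping or mis-correlating them.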

SIEM correlation rule challenges

SIEM correlation rules can generate false positives just like any sort of event monitoring algorithm. Too many false positives can lead to your security administrators wasting their efforts which could be applied to responding to actual threats and attacks. It’s impossible to have zero false positives in a properly working SIEM. When configuring your SIEM correlation rules, you need to strike a balance between reducing false positive alerts and not missing any possible anomalies which could indicate cyber attack.

Some out-of-the-box SIEM correlation rules might not be applicable to your specific network. Deciding which pre-configured rules to disable and which rules should be written from scratch is another challenge.

Improperly filtered SIEM rules can slow your SIEM system down considerably. Administrators need to filter the application of rules to determine which data is relevant and which data is irrelevant in your event pipeline.

Another factor is that not all SIEMs are alike. Some have threat intelligence built into the out-of-the-box correlation rules, making them far more valuable.


About the Author: Kim Crawley, Guest Blogger
Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto. She considers her sociological and psychological perspective on infosec to be her trademark. Given the rapid growth of social engineering vulnerabilities, always considering the human element is vital.