Security Information and Event Management (SIEM)
Security Information and Event Management provides real-time monitoring and analysis of security events. SIEM gives a security operations center a complete view to detect, investigate and take targeted action against attacks and attackers. A SIEM tool is used to log security data and generate reports for compliance purposes. It also provides long-term storage of events and supports analysis of the stored data.
What is an Event?
Before learning about SIEM and RSA Security Analytics it is necessary to understand what an event is. An event is a record of an activity occurring on the organization's network or systems. Events are broadly classified as application, network, or system events.
In recent years there has been a marginal increase in IT security issues, with attackers using advanced techniques to intrude into or impact IT applications and infrastructure.
Security professionals face challenges even after deploying multiple preventive tools such as IPS, firewalls, WAF and content filtering. Having these tools in the network is not enough; there has to be a mechanism that ensures all security alarms generated by these tools are analyzed and investigated. Given the large number of events and the number of tools, it is imperative to have a tool that gives a centralized view and correlates these events.
SIEM software and solutions allow organizations to meet these requirements without manually reviewing millions of log events. SIEM gives a centralized view for management and monitoring. The main aim of SIEM is not just to collect data but to extract security value from it, which requires both proper analysts and proper analytics. Federal regulations require organizations to maintain, back up and analyze log data from their environment. Log retention is essential as evidence for forensic investigation and is also a compliance requirement. SIEM plays a major role in adhering to these requirements.
- Aggregation
Aggregation is the ability to get a complete picture by analyzing several types of records at once. In a SIEM, events are collected from different sources such as workstations, Windows servers, network devices, databases and applications, and consolidating the monitored data helps ensure crucial events are not missed.
- Correlation
Correlation is the act of linking multiple events together to detect unusual behavior. It is the association of different but related events to provide broader context than a single event can. The true value of logs is in correlation. For example, there would be a simple alert for a user account created and another for a user account deleted, but a user account created and deleted within one hour is a correlation, as it links the creation and deletion events. Here the analyst's job is to check whether any activity was performed by the user between creation and deletion.
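The "created and deleted within one hour" rule above, written out as a small correlation routine. This is an added example, not code from the original post or from any SIEM product; the log lines are constructed, the pipe-delimited layout is invented for the example, and Windows Security event IDs 4720 (account created) and 4726 (account deleted) are assumed as the markers.

```python
from datetime import datetime, timedelta

# Assumed markers: Windows Security event IDs for account created / deleted.
EVENT_CREATED = "4720"
EVENT_DELETED = "4726"
WINDOW = timedelta(hours=1)

# Constructed sample events: timestamp | event id | actor (subject) | target account
SAMPLE_LOG = """\
2024-03-01T09:00:00|4720|admin|tmp_svc
2024-03-01T09:12:30|4624|tmp_svc|-
2024-03-01T09:15:00|4672|tmp_svc|-
2024-03-01T09:40:00|4726|admin|tmp_svc
2024-03-01T10:00:00|4720|hr_ops|j.doe
2024-03-01T15:30:00|4726|hr_ops|j.doe
"""

def parse(log_text):
    """Parse the pipe-delimited lines into dicts, sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        ts, event_id, subject, target = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": event_id,
                       "subject": subject, "target": target})
    return sorted(events, key=lambda e: e["ts"])

def correlate_short_lived_accounts(events, window=WINDOW):
    """Link each account creation to a later deletion of the same account
    within `window`. Returns (account, created_at, deleted_at, activity),
    where `activity` lists the event IDs the account itself generated in
    between: exactly what the analyst needs to review next."""
    hits = []
    pending = {}  # account -> creation event still awaiting a deletion
    for ev in events:
        if ev["id"] == EVENT_CREATED:
            pending[ev["target"]] = ev
        elif ev["id"] == EVENT_DELETED and ev["target"] in pending:
            created = pending.pop(ev["target"])
            if ev["ts"] - created["ts"] <= window:
                between = [e["id"] for e in events
                           if created["ts"] < e["ts"] < ev["ts"]
                           and e["subject"] == ev["target"]]
                hits.append((ev["target"], created["ts"], ev["ts"], between))
    return hits
```

Only `tmp_svc` fires here: `j.doe` is also created and deleted, but five and a half hours apart, outside the rule's window.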
- Real-Time Monitoring
Real-time monitoring covers security alerts generated by network hardware and applications. In real-time monitoring, a security analyst reviews the overall processes and functions performed on the data as it arrives. This can be done by reviewing logs, graphical charts or dashboards.
- Reporting
SIEM facilitates generation of scheduled and ad-hoc reports as per the needs of security officers and stakeholders. Reports are produced and reviewed daily, weekly or on demand. A generic SIEM report consists of incidents, incident response, alerts, incident trends and EPS (events per second).
- Incident Management
An incident is an unplanned event in an information system that disrupts or reduces the quality of service. Incident management involves returning service to normal quickly after taking corrective action. The key to successful incident management is having a process. SIEM supports the incident management lifecycle by providing evidence and helping investigate the root cause.
Why is it Failing?
A SIEM should alert when risky activity is going on in the infrastructure or environment, and as soon as it alerts, a security analyst should look for measures to eradicate the attacker or limit the loss. The main reason SIEM is failing is the lack of skilled security professionals to run a security operations center. There is also a lethargic approach towards monitoring and log management. Proactive monitoring is a must for the team running the SIEM tool. In addition, all critical event sources must be integrated with the SIEM: the more log sources that are integrated, the more can be accomplished with it.
- Log Sources:
Defining the EOI (event of interest) is crucial, as that is the basic building block of an effective SIEM implementation. Organizations should consider the following event sources for SIEM integration.
Below are a few best-practice event sources:
- Firewalls, Routers, and Switches
- Domain Controllers
- Application Servers
- Alerting and Reporting
Create appropriate reports and alerts to monitor. The reports should be reviewed and validated on a regular basis. Good correlation rules must be in place, as it is the correlation rule that helps you locate the interesting places in your logs. Typical areas to cover:
- Privilege Access Monitoring
- User Activity
- Service Activity
- Intrusion Attempts
- Scanning Attempts
- Policy Violation
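A threshold-style rule for the "Scanning Attempts" item above: flag a source that is denied on many distinct ports of one host within a short window. This is an added example, not code from the original post or from any firewall or SIEM vendor; the log lines are constructed and their syslog-like layout is invented for the example, so a real device's format would need its own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall deny lines (not from any real device).
FW_LOG = """\
2024-03-01T12:00:01 fw1 DENY src=10.0.0.5 dst=10.0.1.20 dpt=22
2024-03-01T12:00:02 fw1 DENY src=10.0.0.5 dst=10.0.1.20 dpt=23
2024-03-01T12:00:02 fw1 DENY src=10.0.0.5 dst=10.0.1.20 dpt=25
2024-03-01T12:00:03 fw1 DENY src=10.0.0.5 dst=10.0.1.20 dpt=80
2024-03-01T12:00:04 fw1 DENY src=10.0.0.5 dst=10.0.1.20 dpt=443
2024-03-01T12:00:05 fw1 DENY src=10.0.0.5 dst=10.0.1.20 dpt=3389
2024-03-01T12:00:10 fw1 DENY src=10.0.0.7 dst=10.0.1.20 dpt=445
2024-03-01T12:05:10 fw1 DENY src=10.0.0.7 dst=10.0.1.20 dpt=445
2024-03-01T12:30:00 fw1 DENY src=10.0.0.5 dst=10.0.1.21 dpt=8080
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$")

def parse_fw(log_text):
    """Turn matching lines into (timestamp, src, dst, port); skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # an unparseable line should not crash the rule
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])))
    return sorted(events)

def detect_port_scans(events, threshold=5, window=timedelta(seconds=60)):
    """Alert on a (src, dst) pair when at least `threshold` distinct ports are
    denied within `window`. Returns {(src, dst): set_of_ports_seen}."""
    by_pair = defaultdict(list)
    for ts, src, dst, dpt in events:
        by_pair[(src, dst)].append((ts, dpt))
    alerts = {}
    for pair, hits in by_pair.items():  # hits are already time-ordered
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until the span fits in `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= threshold:
                alerts[pair] = ports
    return alerts
```

The repeated denial from 10.0.0.7 on port 445 stays below the threshold because the rule counts distinct ports, not raw hits, which keeps a single misconfigured client from looking like a scan.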
- Dashboard
An important part of a SIEM is a dashboard that is working and showing correct, real-time information. It provides an overview of events and alerts. It is easier to respond to or analyze events by viewing them on the dashboard. It helps a security analyst understand what is happening on the system so they can dig deeper by investigating. It also gives higher management a snapshot.
- Compliance and Retention
One reason logging happens is to comply with certain regulations. SIEM gathers and reports audit/compliance data. Retention is keeping the data, i.e. the logs, for a certain time; long- and short-term storage of data is done for audit and compliance purposes. If an attack happened in the past and is detected now, it can be traced with the help of the logs that have been retained.
That's it for this post. In my next post I will be sharing basic knowledge about the SIEM product RSA Security Analytics.