The real threat to business comes from attackers who are highly skilled in information technology and command a range of hacking techniques. It is they who are able to carry out complex attacks on IT infrastructure, whether mass attacks or targeted attacks aimed at a specific company or industry.
The problem is that skilled attackers are able to bypass any security measures. Moreover, as our practice shows, companies often learn about a hack only after the consequences have occurred: information was stolen, data was encrypted and the attackers demanded a ransom, or, having been in the infrastructure for several months, they prepared and at some point withdrew a large sum of money. Managed SIEM services are one way to address these problems.
What Problems Does SIEM Solve?
Any stage of an attack should be recorded as an information security incident. A security operations center (SOC) detects incidents in the early stages of an attack. Its tasks include monitoring activity in the IT infrastructure, analyzing events, detecting information security threats, and responding to them. A SOC always rests on three components: technology, people, and processes. This article focuses on technology.
Let’s imagine that the IT infrastructure is monitored only through the reports of information security tools, and logs are collected on some servers. At the same time, the logs and reports are not analyzed continuously, but only when a need arises. What if a serious attack is already underway inside the company’s network? How would you see that a particular host has a remote connection? Or that there is strange activity on the chief accountant’s computer under an account that should only perform backups? How would you notice that a record in the accounting database has been substituted?
To notice this, you need to collect events from a large number of sources (PCs, servers, databases, business systems, network equipment), or the network traffic itself. The more sources, the better the chances of detecting an attack.
However, such a volume of sources and events causes several problems at once:
- Tracking all event sources individually is difficult.
- Each event source describes events in its own language, and you need to understand how to read each of them correctly.
- Events from different sources can be related, and you need to be able to arrange them in the correct sequence.
- Logs are periodically deleted, so it is difficult to reconstruct events over a long period of time (for example, a couple of months).
Security information and event management (SIEM) class systems help solve these problems: they automate the collection of events and the identification of information security incidents. The SIEM system is a single window for all events from the sources connected to it, which solves the first problem, as UnderDefense notes. Translating events into one language is done in the SIEM system by means of special normalization rules.
For this, the system must know that it is receiving events from a specific source and be able to decompose the data into individual fields (this is the time of the event, this is the user, this is the IP address, and so on). The information security specialist then receives events in a single, understandable format, which is convenient both for manual analysis and for automated matching of events.
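The following Python script is an added example, not code from the article or from UnderDefense, showing what normalization rules and a correlation rule look like in miniature: two sources that speak different "languages" (a Windows-style security log and a Linux syslog) are parsed into one common schema, ordered into a single timeline, and then checked for the scenario described earlier, a backup-only service account logging on to the accountant's workstation. The log lines, host names, the `svc_backup` account and the rule that this account belongs only on `fileserver` are all constructed assumptions for the example; syslog lines carry no year, so one is supplied.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not real logs): one Windows-style security
# log and one Linux syslog, each written in its own format.
WINDOWS_EVENTS = [
    "2024-03-01T09:15:02Z EventID=4624 Account=svc_backup Workstation=ACC-PC-07 LogonType=10 SourceIP=10.0.5.23",
    "2024-03-01T09:14:40Z EventID=4624 Account=ivanova Workstation=ACC-PC-07 LogonType=2 SourceIP=-",
]
SYSLOG_EVENTS = [
    "Mar  1 09:13:55 fileserver sshd[2211]: Accepted password for svc_backup from 10.0.5.23 port 51234 ssh2",
    "Mar  1 09:16:10 fileserver sshd[2230]: Failed password for admin from 203.0.113.9 port 4411 ssh2",
]

# Assumption: syslog timestamps carry no year, so one is supplied for the sample.
ASSUMED_YEAR = 2024

# Assumption: the backup service account is only expected to log on to the file server.
SERVICE_ACCOUNT_HOSTS = {"svc_backup": {"fileserver"}}

WINDOWS_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<user>\S+) "
    r"Workstation=(?P<host>\S+) LogonType=(?P<ltype>\d+) SourceIP=(?P<ip>\S+)$"
)
SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def normalize_windows(line):
    """Normalization rule for the Windows-style source: raw line -> common schema."""
    m = WINDOWS_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "source": "windows",
        "host": m["host"],
        "user": m["user"],
        "src_ip": None if m["ip"] == "-" else m["ip"],
        "action": "logon_success" if m["eid"] == "4624" else "other",
        "remote": m["ltype"] == "10",  # remote interactive (RDP-style) logon
    }


def normalize_syslog(line):
    """Normalization rule for the syslog/sshd source: raw line -> the same schema."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return {
        "time": stamp.replace(year=ASSUMED_YEAR, tzinfo=timezone.utc),
        "source": "syslog",
        "host": m["host"],
        "user": m["user"],
        "src_ip": m["ip"],
        "action": "logon_success" if m["result"] == "Accepted" else "logon_failed",
        "remote": True,  # every sshd logon is remote
    }


def normalize_all(windows_lines, syslog_lines):
    """The 'single window': every source parsed into one schema and ordered in time."""
    events = [normalize_windows(l) for l in windows_lines]
    events += [normalize_syslog(l) for l in syslog_lines]
    events = [e for e in events if e is not None]  # drop lines no rule understood
    events.sort(key=lambda e: e["time"])
    return events


def detect_service_account_misuse(events):
    """Correlation rule: a service account successfully logging on to a host it does not belong on."""
    alerts = []
    for e in events:
        allowed_hosts = SERVICE_ACCOUNT_HOSTS.get(e["user"])
        if allowed_hosts is None or e["action"] != "logon_success":
            continue
        if e["host"] not in allowed_hosts:
            alerts.append({
                "rule": "service_account_on_unexpected_host",
                "time": e["time"].isoformat(),
                "user": e["user"],
                "host": e["host"],
                "src_ip": e["src_ip"],
            })
    return alerts


if __name__ == "__main__":
    timeline = normalize_all(WINDOWS_EVENTS, SYSLOG_EVENTS)
    for e in timeline:
        print(e["time"].isoformat(), e["source"], e["host"], e["user"], e["action"])
    for alert in detect_service_account_misuse(timeline):
        print("ALERT", alert)
```

Because both sources end up in the same fields, the rule never has to know which product produced the event; that is the property normalization buys. The timeline also shows why ordering matters: the same account appears on the file server a minute earlier, which is what lets an analyst read the workstation logon as lateral movement rather than noise.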
Why is SOC Associated with SIEM?
SOC is strongly associated with SIEM, and this is no coincidence. Although it is theoretically possible to build a SOC without a SIEM at all, in practice this is extremely rare today.
In order to implement SIEM and set up high-quality sources of information, you need to actually decide on these sources and understand what correlation rules will be required. To do this, an inventory of the organization’s IT and IS assets is carried out. As many years of experience show, Vulnerability Management solutions, or, as they are commonly called, vulnerability scanners, are very helpful for inventory.
These solutions make it possible to quickly collect information about existing infrastructure components and their vulnerabilities, and also to monitor the appearance of new components in the organization’s infrastructure in the future.
Having collected information about all available components, you need to prioritize them by degree of criticality. The most critical sources should be connected to the SIEM first. Based on this set of critical sources, decide which correlation rules they make it possible to configure. Connecting the remaining sources and setting up correlation rules for them can be postponed to a second stage.
When connecting sources to a SIEM, it is important to understand that not all of them will be able to provide the data the SIEM needs. This largely depends on the audit level configured on the source. For example, there is a well-known problem with connecting databases to a SIEM, namely performance degradation. UnderDefense recommends using overlay protection (Database Activity Monitoring, DAM). These solutions provide more detailed information about each database transaction without compromising the database’s performance. The situation can be similar with other sources.
Another essential SOC tool is a Service Desk system. A number of SIEM vendors provide this functionality or support integration with third-party products. This tool allows you to meet response deadlines for a particular incident and to evaluate the performance of the unit as a whole. If response deadlines are not met, that is a reason to consider adjusting the processes or changing the pattern of interaction within the unit.
The SIEM system acts as a historical record of what is happening in the IT infrastructure. This greatly facilitates incident investigation. In addition, new indicators of compromise (IOCs) can be checked against the saved data, and retrospective analysis can be carried out.
Any pattern that can be used to identify malicious activity can serve as an indicator: the subject of a message, its attachments, the sender’s name, a file’s hash, a connection to an external IP address, a change in the registry. The more precisely the pattern is described, the more accurate the results of the check.
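As an added example (not the article’s or UnderDefense’s code) of the retrospective check just described, the script below runs a list of indicators over events the SIEM has retained. Each indicator is a pattern of the kinds named above (sender, attachment, file hash, external IP, registry key) and an event matches when every field of the pattern is present and equal. The stored events, hosts, hash strings and IP addresses are all constructed for the example; the hashes are placeholders, not hashes of any real file. Two indicators for the same phishing sender, one with only the sender and one adding the attachment name, show the article’s point that a more detailed pattern gives a more precise result.

```python
from datetime import datetime, timezone

# Constructed sample of normalized events retained by the SIEM (not real data).
STORED_EVENTS = [
    {"time": "2024-01-12T08:02:11Z", "type": "email", "host": "mail-gw",
     "sender": "invoice@example.net", "attachment": "invoice_0112.xlsm"},
    {"time": "2024-01-12T08:05:40Z", "type": "email", "host": "mail-gw",
     "sender": "invoice@example.net", "attachment": "quote.pdf"},
    {"time": "2024-01-12T08:09:03Z", "type": "file", "host": "ACC-PC-07",
     "path": r"C:\Users\ivanova\AppData\Local\Temp\upd.exe", "sha256": "CONSTRUCTED_HASH_1"},
    {"time": "2024-01-12T08:09:30Z", "type": "registry", "host": "ACC-PC-07",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "Updater"},
    {"time": "2024-01-12T08:10:12Z", "type": "network", "host": "ACC-PC-07",
     "dst_ip": "203.0.113.45", "dst_port": 443},
    {"time": "2024-01-15T11:00:00Z", "type": "network", "host": "HR-PC-02",
     "dst_ip": "198.51.100.7", "dst_port": 443},
    {"time": "2024-01-15T11:30:00Z", "type": "registry", "host": "HR-PC-02",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "OneDrive"},
]

# Constructed indicators: "name" labels the indicator, "type" selects the event
# class, every other field must be equal in the event for a hit.
INDICATORS = [
    {"name": "phish-sender", "type": "email", "sender": "invoice@example.net"},
    {"name": "phish-sender-with-attachment", "type": "email",
     "sender": "invoice@example.net", "attachment": "invoice_0112.xlsm"},
    {"name": "dropper-hash", "type": "file", "sha256": "CONSTRUCTED_HASH_1"},
    {"name": "c2-ip", "type": "network", "dst_ip": "203.0.113.45"},
    {"name": "run-key-persistence", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "Updater"},
]


def _same(wanted, actual):
    """Case-insensitive comparison for strings, plain equality otherwise."""
    if isinstance(wanted, str) and isinstance(actual, str):
        return wanted.lower() == actual.lower()
    return wanted == actual


def matches(indicator, event):
    """An event matches when its type agrees and every descriptive field of the indicator is equal."""
    if indicator["type"] != event["type"]:
        return False
    for field, wanted in indicator.items():
        if field in ("name", "type"):
            continue
        if field not in event or not _same(wanted, event[field]):
            return False
    return True


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def retro_hunt(events, indicators, since=None):
    """Check every retained event (optionally only those after `since`) against every indicator."""
    hits = []
    for event in events:
        if since is not None and parse_time(event["time"]) < since:
            continue
        for indicator in indicators:
            if matches(indicator, event):
                hits.append({"indicator": indicator["name"],
                             "time": event["time"], "host": event["host"]})
    return hits


def hits_per_indicator(hits):
    """How many stored events each indicator matched; a loose pattern matches more."""
    counts = {}
    for hit in hits:
        counts[hit["indicator"]] = counts.get(hit["indicator"], 0) + 1
    return counts


def affected_hosts(hits):
    """Hosts with at least one hit, each with the sorted list of indicators seen on it."""
    hosts = {}
    for hit in hits:
        hosts.setdefault(hit["host"], set()).add(hit["indicator"])
    return {host: sorted(names) for host, names in hosts.items()}


if __name__ == "__main__":
    found = retro_hunt(STORED_EVENTS, INDICATORS)
    print(hits_per_indicator(found))
    print(affected_hosts(found))
```

The sender-only indicator matches both emails, including the harmless quote, while the sender-plus-attachment indicator matches only the malicious one; a host on which the hash, the external address and the Run-key change all appear is the one to investigate first. The `since` parameter is what turns the same check into a scoped retrospective search over a chosen window of the saved data.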