Cyber attacks are growing rapidly, giving attackers ever more opportunities to get at an organization's data. Over the last five years adversaries have kept updating their tactics, techniques, and procedures (TTPs), and many incidents have seen company data breached while the intruder stayed undetected for months or even years because proper security controls were missing.
Organizations with no visibility into these attacks leave attackers free to operate. As attacks have multiplied, organizations have started investing in security controls, and SIEM is one of the strongest detective controls available: it raises alerts, gives analysts the context to understand what happened, and so informs how the organization defends itself.
What is SIEM (Security Information and Event Management)?
SIEM stands for Security Information and Event Management. In the early 2000s a SIEM offered little beyond log collection and aggregation. Over the years it has expanded to long-term storage, log analysis, log correlation, log management, reporting, and integration of commercial and open-source threat intelligence feeds. Modern SIEMs add user behavior analytics and machine-learning models to improve detection and correlation.
SIEM is a technology that collects events from end devices (Windows and Linux machines, firewalls, servers, email gateways, databases, applications, and so on), stores them, and monitors them continuously so that attacks and breaches are detected early; analysts then investigate and report the resulting security incidents. The main objective is to detect an incident at its earliest stage and respond quickly, and to feed what was learned back into the organization's defenses.
How Does SIEM Work?
SIEM fetches logs from the log sources integrated with it and retains them for a configured period, say 6 months or 1 year; when an event ages past the retention period it is removed from the platform (or moved to cheaper archive storage, where one is configured). Collected logs are normalized: the platform parses each vendor's format and maps its fields onto a common schema (timestamp, source address, user name, action, outcome, and so on), so that a login failure reported by a firewall, a domain controller and a Linux host can be searched, compared and correlated using the same field names. With normalized logs, analysts get a consistent view across the entire organization.
SIEM can be deployed on-premises or in the cloud. Collected logs are enriched with geolocation, the source or destination network, asset information and threat intelligence. To focus analysts on attack scenarios, SIEM lets you write custom use cases (correlation rules), for example: brute-force attacks, password spraying, malicious inbound or outbound firewall communications, activity outside business hours, the same user name logging in from different source IPs, privilege escalation, and data transfers outside the organization.
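Added example (not part of the original article): the normalization and use-case steps above, in Python. Two constructed log formats (sshd syslog lines and Windows logon events flattened to key=value pairs) are mapped onto one schema, then a brute-force rule and a password-spray rule run over the events in a sliding window, with one source IP allowlisted as a tuning exception. The field names, thresholds, sample lines and the 2024 year assumed for the syslog timestamps are all this example's own, not a vendor schema.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SYSLOG_YEAR = 2024  # BSD syslog timestamps carry no year; assumed for this example

# Constructed sample input: sshd syslog lines and Windows logon events (4624 success,
# 4625 failure) flattened to key=value form, as a forwarding agent might emit them.
RAW_LOGS = [
    "Mar  3 10:00:01 web01 sshd[2201]: Failed password for alice from 203.0.113.5 port 51000 ssh2",
    "Mar  3 10:00:12 web01 sshd[2201]: Failed password for alice from 203.0.113.5 port 51001 ssh2",
    "Mar  3 10:00:25 web01 sshd[2201]: Failed password for alice from 203.0.113.5 port 51002 ssh2",
    "Mar  3 10:00:40 web01 sshd[2201]: Failed password for alice from 203.0.113.5 port 51003 ssh2",
    "Mar  3 10:00:58 web01 sshd[2201]: Failed password for alice from 203.0.113.5 port 51004 ssh2",
    "Mar  3 10:01:10 web01 sshd[2201]: Accepted password for alice from 203.0.113.5 port 51005 ssh2",
    "EventID=4625 TimeCreated=2024-03-03T10:02:00 Computer=DC01 TargetUserName=bob IpAddress=198.51.100.9",
    "EventID=4625 TimeCreated=2024-03-03T10:02:05 Computer=DC01 TargetUserName=carol IpAddress=198.51.100.9",
    "EventID=4625 TimeCreated=2024-03-03T10:02:11 Computer=DC01 TargetUserName=dave IpAddress=198.51.100.9",
    "EventID=4624 TimeCreated=2024-03-03T10:03:00 Computer=DC01 TargetUserName=carol IpAddress=10.0.0.7",
    "Mar  3 10:04:30 web01 kernel: [12345.678] eth0: link up",  # no parser claims this line
] + [  # an authorised vulnerability scanner hammering a bastion host
    f"Mar  3 10:04:{s:02d} bastion sshd[77]: Failed password for invalid user admin from 192.0.2.50 port 4000{s} ssh2"
    for s in range(6)
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def normalize(raw):
    """Map one raw line onto the common schema (ts, host, user, src_ip, outcome, source).
    Returns None for lines no parser claims; a real SIEM keeps those as raw events."""
    m = SSHD_RE.match(raw)
    if m:
        ts_text = " ".join(m["ts"].split())  # collapse the double space in "Mar  3"
        return {"ts": datetime.strptime(f"{SYSLOG_YEAR} {ts_text}", "%Y %b %d %H:%M:%S"),
                "host": m["host"], "user": m["user"], "src_ip": m["src"],
                "outcome": "failure" if m["outcome"] == "Failed" else "success", "source": "sshd"}
    if raw.startswith("EventID="):
        kv = dict(tok.split("=", 1) for tok in raw.split())
        if kv.get("EventID") in ("4624", "4625"):
            return {"ts": datetime.fromisoformat(kv["TimeCreated"]), "host": kv["Computer"],
                    "user": kv["TargetUserName"], "src_ip": kv["IpAddress"],
                    "outcome": "failure" if kv["EventID"] == "4625" else "success", "source": "windows"}
    return None

def run_rules(events, window=timedelta(minutes=5), bf_threshold=5, spray_users=3,
              allowlist=frozenset()):
    """Two sliding-window use cases over normalized events.
    brute_force    : >= bf_threshold failures for one (user, src_ip) inside `window`
    password_spray : one src_ip failing against >= spray_users distinct users inside `window`
    `allowlist` exempts source IPs (a tuning exception, e.g. an authorised scanner). Exempt by
    a precise key such as the source IP, never by user name, or a real attack on that user
    becomes invisible. Each (rule, key) fires once to avoid an alert storm."""
    by_pair = defaultdict(deque)   # (user, src_ip) -> failure timestamps
    by_src = defaultdict(deque)    # src_ip -> (timestamp, user) of failures
    alerts, fired = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] != "failure" or ev["src_ip"] in allowlist:
            continue
        cutoff = ev["ts"] - window
        pair = by_pair[(ev["user"], ev["src_ip"])]
        pair.append(ev["ts"])
        while pair[0] < cutoff:
            pair.popleft()
        key = ("brute_force", ev["user"], ev["src_ip"])
        if len(pair) >= bf_threshold and key not in fired:
            fired.add(key)
            alerts.append({"rule": "brute_force", "user": ev["user"], "src_ip": ev["src_ip"],
                           "count": len(pair), "last_seen": ev["ts"]})
        src = by_src[ev["src_ip"]]
        src.append((ev["ts"], ev["user"]))
        while src[0][0] < cutoff:
            src.popleft()
        users = {u for _, u in src}
        key = ("password_spray", ev["src_ip"])
        if len(users) >= spray_users and key not in fired:
            fired.add(key)
            alerts.append({"rule": "password_spray", "src_ip": ev["src_ip"],
                           "users": len(users), "last_seen": ev["ts"]})
    return alerts

def detect(raw_lines, allowlist=frozenset({"192.0.2.50"})):
    """Normalize raw lines, drop the unparsed ones, and run the rules."""
    events = [e for e in map(normalize, raw_lines) if e is not None]
    return run_rules(events, allowlist=allowlist)

if __name__ == "__main__":
    for alert in detect(RAW_LOGS):
        print(alert)
```

With the scanner allowlisted, the run yields two alerts: a brute force against alice from 203.0.113.5 and a password spray from 198.51.100.9 across three accounts. Remove the allowlist and the scanner's six failures on "admin" produce a third, which is exactly the noise the tuning exception is meant to suppress without touching the rule logic.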
SIEM Architecture Components
Main components of SIEM Architecture are mentioned below:
- Log / Data Collection
- Normalization of Logs
- Log Correlation
- Reporting and Dashboard
- Alerting Console
- Threat Intelligence
- Log Backup and Storage
1. Log / Data Collection
The primary component of any SIEM is log collection: it gathers logs from the end devices using a set of collection protocols, and the protocol depends on the device type. Windows event logs are typically collected by an agent installed on the host (for example, QRadar's WinCollect), by Windows Event Forwarding, or remotely over MSRPC/WMI; syslog is used where a Windows host or an intermediate forwarder emits it.
Linux hosts, network devices and most appliances send syslog, normally on UDP or TCP port 514, or over TLS on port 6514 where the device supports it. Prefer TCP or TLS over UDP where you can: UDP syslog is silently dropped under load and is trivially spoofable. Each protocol needs its ports opened on the network, so coordinate with the network team to allow traffic from the end devices to the log collector (and back, for pull-based collection) before onboarding.
2. Normalization of Logs
Logs from the integrated sources arrive in raw, vendor-specific formats. Normalization parses them into a common schema, so that the same field (user, source IP, action, outcome) carries the same name whichever device produced it; without it, cross-source searches and correlation rules cannot be written. This component therefore plays a major role in SIEM architecture.
3. Log Correlation
The value of a SIEM lies not only in collecting logs from many devices but in correlating them, so that related events from different sources are presented together. For example, user "Hari" should be cross-checked against the logs from the firewall, Active Directory, antivirus and so on, to give a holistic view of that user's activity. Correlation depends on a shared key across sources, such as a user name, host name or IP address, which is why normalization and asset enrichment come first.
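Added example (not the article's own code): cross-source correlation for one user, in Python. Three constructed sources (Active Directory logon events, an antivirus detection and firewall connection records) use different field names; per-source field maps rename them onto a common schema, an assumed asset inventory turns firewall source IPs into hostnames, and firewall events inherit the user from the latest AD logon on that host. user_timeline() then shows everything attributed to "hari", and correlate() implements one multi-source rule: an unresolved AV detection followed by an allowed outbound connection from the same host. All field names, events and addresses are constructed for this example.

```python
import ipaddress
from datetime import datetime, timedelta

# Per-source field maps (source field -> common field). Assumed names; a real SIEM
# ships such maps as per-source parsers.
FIELD_MAPS = {
    "ad": {"TimeCreated": "ts", "EventID": "event_id", "TargetUserName": "user",
           "WorkstationName": "host", "IpAddress": "src_ip"},
    "av": {"time": "ts", "account": "user", "machine": "host", "threat": "threat", "action": "action"},
    "firewall": {"start": "ts", "src": "src_ip", "dst": "dst_ip", "dport": "dport", "action": "action"},
}

# Asset inventory (IP -> hostname) used to enrich firewall events; assumed here, normally
# fed from DHCP leases or a CMDB.
ASSETS = {"10.0.5.17": "WS-17", "10.0.5.22": "WS-22"}

# Constructed events, each still in its source's own field names.
EVENTS = [
    ("ad", {"TimeCreated": "2024-03-03T09:00:00", "EventID": "4624", "TargetUserName": "hari",
            "WorkstationName": "WS-17", "IpAddress": "10.0.5.17"}),
    ("av", {"time": "2024-03-03T09:12:30", "machine": "WS-17", "account": "hari",
            "threat": "Trojan.Generic", "action": "quarantine_failed"}),
    ("firewall", {"start": "2024-03-03T09:13:02", "src": "10.0.5.17", "dst": "203.0.113.77",
                  "dport": "443", "action": "allow"}),
    ("ad", {"TimeCreated": "2024-03-03T09:30:00", "EventID": "4624", "TargetUserName": "maya",
            "WorkstationName": "WS-22", "IpAddress": "10.0.5.22"}),
    ("firewall", {"start": "2024-03-03T09:31:00", "src": "10.0.5.22", "dst": "203.0.113.10",
                  "dport": "443", "action": "allow"}),
]

# Explicit internal ranges: ipaddress's is_private() also flags the documentation
# networks (203.0.113.0/24 etc.) used in this sample, so it is not relied on here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def normalize(source, raw):
    """Rename fields onto the common schema and enrich firewall events with a hostname."""
    ev = {"source": source}
    for src_field, common in FIELD_MAPS[source].items():
        if src_field in raw:
            ev[common] = raw[src_field]
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    if "host" not in ev and ev.get("src_ip") in ASSETS:
        ev["host"] = ASSETS[ev["src_ip"]]
    return ev

def attribute_users(events):
    """Give user-less events (firewall) the user from the latest AD logon on that host."""
    events = sorted(events, key=lambda e: e["ts"])
    last_logon = {}  # host -> user
    for ev in events:
        if ev["source"] == "ad" and ev.get("event_id") == "4624":
            last_logon[ev["host"]] = ev["user"]
        elif "user" not in ev and ev.get("host") in last_logon:
            ev["user"] = last_logon[ev["host"]]
            ev["user_attribution"] = "inferred_from_logon"
    return events

def user_timeline(events, user):
    """Every event attributed to `user`, across all sources, in time order."""
    return [(e["ts"].isoformat(timespec="seconds"), e["source"], e.get("host"))
            for e in events if e.get("user") == user]

def correlate(events, window=timedelta(minutes=15)):
    """Unresolved AV detection on a host, followed inside `window` by an allowed outbound
    connection from that host to a non-internal address: escalate with the user attached."""
    alerts = []
    for det in (e for e in events if e["source"] == "av" and e["action"] not in ("cleaned", "quarantined")):
        for fw in events:
            if fw["source"] != "firewall" or fw.get("host") != det["host"] or fw["action"] != "allow":
                continue
            if det["ts"] <= fw["ts"] <= det["ts"] + window and not is_internal(fw["dst_ip"]):
                alerts.append({"user": det.get("user"), "host": det["host"], "threat": det["threat"],
                               "dst_ip": fw["dst_ip"],
                               "delta_s": int((fw["ts"] - det["ts"]).total_seconds())})
    return alerts

def build():
    return attribute_users([normalize(s, r) for s, r in EVENTS])

if __name__ == "__main__":
    evs = build()
    print(user_timeline(evs, "hari"))
    print(correlate(evs))
```

The timeline for "hari" spans all three sources even though the firewall never logs a user name; that attribution is inferred, so the event is tagged as such and an analyst should treat it as a lead, not proof. Maya's host shows the same outbound traffic but no detection, so the rule stays quiet for her.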
4. Reporting and Dashboard
SIEM tools ship with built-in reports and dashboards oriented toward compliance and audit. To make the analyst's job easier they also let you build reports and dashboards to your own requirements, with full control over their content. Reports can be scheduled daily, weekly or monthly, and dashboards present alerts in graphical or table form so analysts can spot attacks quickly.
5. Alerting Console
SIEM solutions perform log collection and correlation in real time. The alerting console raises an alert whenever a use case written in the SIEM matches malicious or suspicious activity; in IBM QRadar these alerts are called "offenses", and this article uses that term. Once an offense is triggered, analysts begin their investigation and decide whether it is a true positive or a false positive. Alerts can also be sent by email or routed to the concerned team from the alerting console, and triggered offenses can be segregated by category, magnitude and priority.
6. Threat Intelligence
Threat intelligence (TI) feeds provide the reputation of IPs, URLs, domains and file hashes, flagging those known to be malicious. The SIEM matches these indicators against the collected logs to identify security incidents and uses them to enrich and prioritize alerts; the SIEM itself does not block traffic, so a TI match is a detection that an analyst or a SOAR playbook then acts on. SIEMs can ingest paid feeds as well as open-source feeds delivered in STIX format over TAXII. Feeds need hygiene: indicators expire or are revoked, and stale indicators are a common source of false positives.
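Added example (not from the article): matching log events against a threat intelligence feed, in Python. A constructed STIX 2.1 bundle stands in for a TAXII pull; the code extracts the atomic comparisons from each indicator pattern, drops revoked and expired indicators, and checks normalized events against them, CIDR-aware for IP ranges and case-insensitive for domains and hashes. The indicator IDs, the event schema and the observable-to-field mapping are assumptions of this example, and the pattern handling covers only single comparisons and OR lists.

```python
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle standing in for a TAXII feed pull. IDs are made up.
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-0000000000ff", "objects": [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "name": "C2 node", "confidence": 80, "valid_from": "2024-01-10T00:00:00Z",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.77']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "name": "bulletproof hosting range", "confidence": 50, "valid_from": "2024-01-10T00:00:00Z",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.0/24']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "name": "fake update CDN", "confidence": 70, "valid_from": "2024-02-01T00:00:00Z",
     "pattern_type": "stix",
     "pattern": "[domain-name:value = 'update-cdn.example' OR domain-name:value = 'cdn-update.example']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
     "name": "old dropper", "confidence": 90, "valid_from": "2023-01-01T00:00:00Z",
     "valid_until": "2023-12-31T00:00:00Z", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
     "name": "withdrawn", "revoked": True, "valid_from": "2024-01-01T00:00:00Z",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '192.0.2.1']"},
]})

# Constructed, already-normalized events from different sources.
EVENTS = [
    {"source": "firewall", "src_ip": "10.0.5.17", "dst_ip": "203.0.113.77"},
    {"source": "proxy", "src_ip": "10.0.5.22", "dst_ip": "198.51.100.44"},
    {"source": "dns", "src_ip": "10.0.5.17", "query": "Update-CDN.example"},
    {"source": "edr", "host": "WS-9",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"source": "firewall", "src_ip": "10.0.5.3", "dst_ip": "192.0.2.1"},
    {"source": "firewall", "src_ip": "10.0.5.3", "dst_ip": "10.0.0.1"},
]

# Which event fields each STIX observable type/property is checked against (assumed schema).
OBSERVABLE_FIELDS = {
    ("ipv4-addr", "value"): ("src_ip", "dst_ip"),
    ("domain-name", "value"): ("query",),
    ("file", "hashes.SHA-256"): ("sha256",),
}

# One atomic comparison inside a STIX pattern, e.g.  ipv4-addr:value = '203.0.113.77'
COMPARISON_RE = re.compile(r"(?P<type>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<value>[^']*)'")

def load_indicators(bundle_json, now):
    """Flatten indicator patterns into atomic comparisons, skipping revoked and expired ones.
    Only single comparisons and OR lists are handled; AND/FOLLOWEDBY patterns are skipped
    rather than mis-matched, since treating their terms independently would over-alert."""
    indicators = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        until = obj.get("valid_until")
        if until and datetime.fromisoformat(until.replace("Z", "+00:00")) < now:
            continue  # expired: stale indicators are a classic false-positive source
        if " AND " in obj["pattern"] or "FOLLOWEDBY" in obj["pattern"]:
            continue
        for m in COMPARISON_RE.finditer(obj["pattern"]):
            indicators.append({"id": obj["id"], "name": obj.get("name"), "confidence": obj.get("confidence"),
                               "type": m["type"], "prop": m["prop"].replace("'", ""), "value": m["value"]})
    return indicators

def matches(indicator, observed):
    if indicator["type"] == "ipv4-addr":  # CIDR-aware; a bare address becomes a /32 network
        return ipaddress.ip_address(observed) in ipaddress.ip_network(indicator["value"], strict=False)
    return observed.lower() == indicator["value"].lower()

def enrich(events, indicators):
    """Return (event index, indicator id, indicator name) for each event that hits an indicator."""
    hits = []
    for idx, ev in enumerate(events):
        for ind in indicators:
            for field in OBSERVABLE_FIELDS.get((ind["type"], ind["prop"]), ()):
                if field in ev and matches(ind, ev[field]):
                    hits.append((idx, ind["id"], ind["name"]))
                    break  # one hit per (event, indicator) is enough
    return hits

NOW = datetime(2024, 3, 3, tzinfo=timezone.utc)

if __name__ == "__main__":
    for hit in enrich(EVENTS, load_indicators(STIX_BUNDLE, NOW)):
        print(hit)
```

Three events hit: the firewall connection to the C2 address, the proxy connection into the listed /24, and the DNS query for the fake CDN despite its mixed case. The EDR hash event does not, because its indicator expired, and the connection to the revoked indicator's address is ignored; feeding either into alerts is how TI integrations become noise.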
7. Log Backup and Storage
Backup and storage are also crucial, and retention depends on the capacity allocated during deployment together with the ingest rate. For example, 500 GB holds about 6 months of logs only if daily ingest is around 2.7 GB (roughly 500 GB divided by 180 days); a higher event rate or larger events shortens retention accordingly, so size storage from measured events per second and average event size rather than guesswork. Logs can be backed up online or offline. Configuration backups are usually kept for a short period, such as 7 days.
Security Information and Event Management Implementation Best Practices
1. Satisfy Pre-requirements
Before implementing any SIEM tool, first identify the reason for the implementation and note its pros and cons. Also make a checklist covering the project objectives, the information to gather and the initial setup plan, what is required for deployment, the integration plan and approach, log validation and reception, use-case creation, knowledge base and documentation, and project sign-off.
2. Start with Critical Devices Onboarding
When implementing a SIEM across the organization, start by onboarding the critical devices: firewalls, antivirus solutions, email gateways, Office 365, domain controllers, DNS, DHCP and Exchange servers, proxies and load balancers, and so on. These give insight into the events that matter most and let you act quickly through them when a major security incident occurs.
3. Prepare HLD and LLD Documents
Prepare HLD (High Level Design) and LLD (Low Level Design) documents covering the SIEM implementation, starting with the document purpose, intended audience, scope, assumptions and caveats, and related documents. The HLD should cover the reference architecture, key-feature decision matrix, technology overview, main SIEM features, SIEM components and their functions, and the log collection mechanisms used.
The LLD should cover OS/VM requirements, software details, network IP addressing, log collection methods and protocols, firewall policy requirements (internal communication, SIEM component-to-component, and external communication permit policies), and a review of planned activities with their impact and risk. The documents should end with the reporting structure, monitoring scope, backup and storage configuration, failover details, etc.
4. Knowledge Transition of SIEM
To run a SIEM you need to know how the tool works, what its capabilities are, the architecture that was deployed, which log sources are integrated, how to handle offenses, how to navigate the platform to perform log analysis, and how to use it for threat hunting. Once you are engaged in daily BAU (business-as-usual) activities you become familiar with the navigation and the rest of the configuration.
SOC staff should also follow what is happening in the wider threat landscape: recent attacks, how attackers carry them out, what tools they use to gain access, and so on. Without this basic understanding, an analyst cannot tell a genuine but unusual event from a security incident.
5. SIEM Alerts Fine Tuning
When implementing a SIEM in any organization, every onboarded data source should come with use cases written for it; onboarding without detections only adds storage cost. To keep false positives down, handle alerts regularly and identify which sources, destinations, regions, networks and ports can be allowlisted. While tuning, remember two rules: do not compromise the use-case logic that was built, and do not let the tuning make true-positive alerts invisible. Allowlist by the narrowest key that explains the noise (a specific scanner's IP, a specific service account on a specific host), not by a broad field such as a user name or an entire subnet.
Alert tuning is not a one-time task but an iterative process, and the SOC team should document how to handle alerts: what details to check, how to fill in the incident report template, how to raise a ticket for an identified incident, whom to notify, and so on.
Automate the repetitive parts of the SIEM workflow with Security Orchestration, Automation and Response (SOAR) playbooks, and with the platform's machine-learning features where they fit. Automation lets analysts spend their time on threat hunting and on investigating novel attacks instead of closing the same false positives day after day.
Benefits of SIEM
- Provides real-time visibility across the entire organization.
- Centralized log management solution.
- Analyst classification of alerts as true positive or false positive, with tuning feedback to reduce both false positives and false negatives.
- Helps in reducing dwell time.
- Helps in achieving SLA (Response Time and Resolution Time).
- Develop Customized Dashboards and Reports.
- Can be mapped to Cyber Kill Chain or MITRE ATT&CK Framework.
- Can be integrated with Ticketing Tool for tracking purposes.
- Supports SOAR Integration.
- Threat intelligence feeds can be added.
- SIEM logs will be useful when performing forensic investigations.
- Among SIEM, EDR, NDR, XDR and SOAR, the SIEM is the central point where the other tools' telemetry and alerts come together.
Limitations of Security Information and Event Management
SIEM Deployment Time and Cost
Implementing a SIEM for an organization, small or large, takes roughly 90 days: onboarding all the devices, writing custom parsers for any unsupported devices, implementing use cases for each device, basic configuration of the platform, and so on.
SIEM deployment is expensive from a management perspective because of its functions and importance, and the cost rises with the licensing model (typically events per second, flows per minute, or data volume per day) and the contract term you choose.
Handling False Positive and Noise Events
SIEM tools work on the rules you deploy. If a rule is poorly configured, or the required allowlisting is not done at the start, you will be hit by an offense storm of false positives that makes the job harder. Analysts cannot tell genuine alerts from false ones and spend their time reducing false positives instead of finding true positives, so high-severity incidents go undetected while the flood is being handled.
When a team is built to run the SIEM, proper processes and documentation must be in place: SOPs for offense handling, incident reporting, SLA calculation metrics, weekly and monthly data preparation, threat hunting procedures, SOC operational guidelines, a SOC maturity model, the team's career development plan, time and effort calculations, and so on. Without these, neither the SIEM nor the SOC will function efficiently.
The following SIEM tools are among the most widely used by IT organizations:
- IBM QRadar
- Splunk Enterprise
- Micro Focus ArcSight
- McAfee Enterprise Security Manager
- Elastic (ELK) Stack
- AlienVault USM
- Sumo Logic Continuous Intelligence Platform
- RSA NetWitness Platform
- LogPoint – SIEM
- SolarWinds Security Event Manager (SEM)
- Exabeam Fusion
- Securonix Next-Gen SIEM
How to Choose the Right SIEM Product?
If you or your organization has decided to implement SIEM solution, it is very important to consider the below points:
- Coverage of your log sources (supported parsers for the devices you must onboard, and the effort of custom parsers for the rest)
- SIEM vendor support for any platform related issues
- Log management and Incident management
- Supporting of threat intelligence feeds (Custom & Open-Source)
- Reporting and Dashboard feature
- Forensics capabilities
- Automated response capabilities
- Supporting of security auditing and compliances
- Total cost of ownership (licensing, storage, and the staff to run it)
- Licensing model (events per second, flows per minute, or data volume per day)
- High availability or disaster recovery model functionalities
- User friendly GUI console
Future of SIEM
The future of SIEM depends not only on its functionality but on deployment across cloud environments, which opens it up to many more organizations. Next-generation SIEMs focus on detecting advanced threats and reducing response time, at lower cost and complexity so that small and new IT companies can adopt them, and with shorter implementation times than traditional SIEMs. SOAR tools will take over more of the L1 analyst's routine triage, though they complement rather than replace the SIEM, since they do not collect or store the logs. The future of SIEM will be an evolution, not a revolution.
In this article, we looked at SIEM technology and its pros and cons. From a security perspective, organizations need to invest in SIEM the way they invest in people. Its importance is not yet understood everywhere, but as cyber attacks increase, demand for SIEM keeps growing and its vocabulary becomes familiar to more people.