SIEM – A Beginner’s Guide
What is a SIEM ?
SIEM when expanded becomes Security Information Event
Management. As it’s name suggests, the main function of a SIEM is
Event management. The SIEM solution once implemented completely &
effectively, will have complete visibility over an organization’s
network. This helps administrators, SIEM operators to monitor network
activity in their infrastructure. But interestingly, one can categorize
various assets(network devices & services) so that the monitoring
ability of the SIEM can be tweaked to a large extent. The SIEM tool can
generate alerts & incidents based on specific co-relation rules. For
eg: If a Port Scan is initiated against a system, the SIEM generates a
Port Scan Alert with all details like Source & Destination, port
numbers etc. This helps the organization to find incidents or hacking
attempts in near-Real Time.
How the SIEM works ?
You may have noticed the word “Co-Relation” in the
previous paragraph.Yes, for the question How the SIEM works, the one
stop answer is co-relation. But not that alone of course. Basically a
SIEM tool collects logs from devices present in the Organization’s
infrastructure. Some solutions also collect netflow and even raw
packets. With the collected data(mainly logs, packets), the tool
provides an insight into the happenings of the network. It provides data
on each event occurring in the network and thus acts as a complete
centralized security monitoring system. In addition to this, the SIEM
tool can be configured to detect specific incident. For example, a user
is trying to log in to an AD server. For first 3 times the
authentication failed and the 4th time it succeeded. Now this is an
incident to look up on. There are many possibilities. Maybe a person is
trying to guess the password of another user and got it right, which is a
breach. Or maybe if the user forgot his password but got it right at
the end and so on. This is where co-relation comes in. For such a case, a
co-relation rule can be made in such a way that, If an authentication
failure event is happening 3 times consecutively followed by a success
in a specific time period, then alert pops up. This can be further
investigated further by analyzing the logs from respective machines. So
my definition of co-relation is : “ It is the rule which aggregates
events into an incident which is defined by specific application or
scenario.”
How logs reach the SIEM ?
Logs are fetched to the SIEM in two different ways.
Agent based & Non-Agent based. In agent based approach, a log
pushing agent in installed in the client machine from which the logs are
collected. Then this agent is configured to forward logs into the
solution. In the later type, the client system, sends logs on it’s own
using a service like syslog or Windows Event Collector service etc.
There are also specific applications & devices which can be
integrated through a series of vendor specific procedures.
How exactly would the SIEM raise an alert ?
Well, now you know that the logs from different
devices are being forwarded into the SIEM. Take an example: A port scan
is initiated against a specific machine. In such a case, the machine
would generate lot of unusual logs. Analysing the logs, it will be clear
that a number of connection failures are occurring to different ports
in regular intervals. Seeing packet information if possible, we can
detect the SYN requests being sent from the same IP to the same IP but
to different ports in regular intervals. That concludes that somebody
initiated a SYN scan against our asset. The SIEM automates this process
and raises alerts. Different solutions do this in different ways but
produce same results.
The Business impact of SIEM Solution
This is one of the topics for which long standing
discussions were conducted & still now a complete & clear
solution has not yet arrived. The question is “Why to spend huge amount
of money for something which returns nothing ?” Well what do you think
about it ? Does SIEM solution give you something ? Well yes ! Nowadays
SIEM solutions are evolving in a way, not only to protect an
IT-Infrastructure but also to identify the business risks rising from
the IT-Infrastructure. Even there is a separate strategy know as GRC,
the IT-Governance Risk & Compliance. This integrates & relates
technological aspects of IT-security(like DOS attacks) using SIEM
solutions with the business aspect(the asset being attacked &
approximate loss, reporting to asset manager). Such strategies bring
different departments & professionals(like SOC
Operators/Managers,CISO, Financial Consultants, CXOs etc) under one
dashboard. This is done by integrating different solutions together. For
eg: The Alerts & incidents from SIEM is forwarded BPM(Business
Process Management) solution by the CISO identifying & co-relating
the technical and business impacts. Consider a simple scenario, lets’
take the same DDOs attack against an e-banking website(webserver). The
solution first identifies the attack and the Operators/Analysts report
it to their manager/CISOs. The managers & CISOs dig more technical
info on the nature of attack(specs like Source country, no of sessions
etc). Based on this they identify how much loss would it be if the
webserver would be down for specific time(say 30mins). Now they report
the technical details,suggestions and steps to initiate to the
firewall/IDS-IPS & webserver teams. Then they report to the Senior
Management & Financial Managers about the loss they would have to
suffer if action is not taken. If management is satisfied, they take a
decision & give approval to the Firewall/IDS-IPS & webserver
teams to take action. They would take action and the webserver would
have downtime for some 5 mins only. So the webserver resources are saved
but ultimately money is also saved & customer satisfaction is
sustained. So the point here is nowadays, SIEM solutions can adapt
according to the way you want. This whole process described can be
automated by integrating different solutions. The above scenario is only
a simple case but the approach is same in all situations. At the end of
the day, money is what matters, but sadly nobody still recognise the
financial impact of IT-Security.
SIEM & Compliance
Apart from alerting and incident response, SIEM helps
an organization in Compliance & Regulatory matters too. For all
major compliance like ISO 27001, HIPAA, PCI, log retention is an
important criteria. For example in ISO27001 there is a control for
Logging & Monitoring(A – 12.4), which suggests that, all Event Logs,
user activities, security events should be logged an archived with
proper time-stamp. The logs should also be protected from unauthorized
access, tampering etc. There is a list of controls to be in place in
order to be properly compliant. Here SIEM can help. As said earlier, the
siem tool collects logs from different devices and keeps them in it’s
reserves. So it can act as a centralized log collecting server. Plus,
the tool keeps all the logs with proper time-stamps, and archives it to
it’s bulk storage with no loss of integrity. So this helps with the
controls in various standards.
Conclusion
To wrap up, there are a whole lot of benefits by
implementing a SIEM solution in an Enterprise. But sadly many
organizations consider the SIEM a waste of money. But, it is because
they are not realizing the fact that SIEM can not only protect your
network & assets but also your business. Plus nowadays, you can
integrate almost anything to the SIEM tool like servers, custom
applications, network devices, end-user devices, smartphones, management
& collaboration solutions etc. This gives the concerned personnel, a
clear view into the insights of their own organization. They can have
an overview of their own system and they can keep on changing for better
results. Even some siems have malware analysis capabilities,
vulnerability assessment functionalities which makes it a centralised
security server providing multiple functions simultaneously.
Very Nice explanation . As a engineer working on SIEM tool i request more SIEM tutorials from you.
ReplyDelete