If you are reading this article, you are probably aware that Security Incident and Event Management solutions, or SIEMs, are powerful systems that allow IT professionals to gather and analyze activity in a company’s infrastructure through the collection and correlation of logs.
Though SIEM solutions have a significant amount of built-in content in the form of alerts, rules, reports and dashboards, a successful implementation requires custom, adapted content in order to properly fit a given environment.
This is best facilitated by a strong use case development process; the points below are intended to serve as a framework for use case creation, organized around the core concepts that follow.
The Big 3
SIEMs, as their name implies, are more commonly associated with security events. However, these systems can be utilized in responding to a broad range of activity beyond the scope of IT security. Most use cases fall into one of three major categories: Security, Operations and Compliance.
- Malware – Malware has become an unavoidable evil that every environment will interact with at some point. Luckily, enterprise antivirus solutions have comprehensive logging capability and, when integrated with the SIEM, allow incident response to be efficient and effective.
It is generally best to have multiple rules that target differing levels of malicious activity based on what warrants the fastest response. A Trojan detected and blocked on a single workstation may be less of a priority than five occurrences of the same malware detected across multiple hosts.
This information can be easily correlated with other potential indicators of compromise, such as web requests to malicious sites, to help determine if a host has in fact been compromised.
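As an added illustration of the two ideas above (tiered rules based on how many hosts a signature hits, and correlating an unblocked detection with proxy traffic to a malicious site), here is a small correlation routine written for this article, not code from the author or any SIEM vendor. The event layout, host names, signature names and the one-hour window are all assumptions; real antivirus and proxy logs would need field mapping before reaching logic like this.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, normalized form (assumed field names).
AV_EVENTS = [
    {"ts": "2024-03-01 09:00:00", "host": "WS-101", "sig": "Trojan.Generic", "action": "blocked"},
    {"ts": "2024-03-01 09:02:00", "host": "WS-102", "sig": "Trojan.Generic", "action": "blocked"},
    {"ts": "2024-03-01 09:03:00", "host": "WS-103", "sig": "Trojan.Generic", "action": "quarantined"},
    {"ts": "2024-03-01 09:05:00", "host": "WS-104", "sig": "Trojan.Generic", "action": "blocked"},
    {"ts": "2024-03-01 09:07:00", "host": "WS-105", "sig": "Trojan.Generic", "action": "blocked"},
    {"ts": "2024-03-01 09:10:00", "host": "WS-200", "sig": "Adware.Bundle", "action": "blocked"},
    {"ts": "2024-03-01 09:11:00", "host": "WS-300", "sig": "Trojan.Dropper", "action": "detected"},
]
# Constructed web proxy events; "category" comes from the proxy's URL classification.
PROXY_EVENTS = [
    {"ts": "2024-03-01 08:58:00", "host": "WS-300", "category": "malicious"},
    {"ts": "2024-03-01 09:00:00", "host": "WS-200", "category": "business"},
]
CONTAINED = {"blocked", "quarantined"}  # actions meaning the AV product stopped the threat


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def outbreak_signatures(av_events, min_hosts=5, window=timedelta(hours=1)):
    """Signatures seen on at least min_hosts distinct hosts inside a sliding window."""
    hits = defaultdict(list)
    for e in av_events:
        hits[e["sig"]].append((parse_ts(e["ts"]), e["host"]))
    result = {}
    for sig, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            hosts = {h for t, h in seen[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                result[sig] = sorted(hosts)
                break
    return result


def prioritize(av_events, proxy_events, min_hosts=5, window=timedelta(hours=1)):
    """Assign a severity to AV activity using host spread and proxy correlation."""
    outbreaks = outbreak_signatures(av_events, min_hosts, window)
    bad_web = defaultdict(list)
    for p in proxy_events:
        if p["category"] == "malicious":
            bad_web[p["host"]].append(parse_ts(p["ts"]))

    alerts = [("HIGH", "outbreak", sig, hosts) for sig, hosts in outbreaks.items()]
    for e in av_events:
        if e["sig"] in outbreaks:
            continue  # already covered by the single outbreak alert
        t = parse_ts(e["ts"])
        if e["action"] in CONTAINED:
            alerts.append(("LOW", "blocked-single-host", e["sig"], [e["host"]]))
        elif any(abs(t - w) <= window for w in bad_web.get(e["host"], [])):
            # Not contained AND the host talked to a malicious site nearby in time
            alerts.append(("HIGH", "unblocked-with-malicious-web", e["sig"], [e["host"]]))
        else:
            alerts.append(("MEDIUM", "unblocked", e["sig"], [e["host"]]))
    return alerts


if __name__ == "__main__":
    for alert in prioritize(AV_EVENTS, PROXY_EVENTS):
        print(*alert)
```

The five blocked detections collapse into one HIGH outbreak alert rather than five LOW ones, the lone blocked adware stays LOW, and the unblocked dropper on a host that had just visited a malicious site is raised to HIGH because it is the one case that actually suggests a compromised machine.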
- Network Intrusions – Network Intrusion activity can be one of the more difficult risks to respond to, and generally requires the integration of expensive network appliances that analyze inbound and outbound traffic for known malicious signatures (IDS/IPS).
Many intrusions rely on an internal endpoint existing within a network to reach out and download some type of malicious data. More targeted attacks may initiate directly from a remote source to publicly facing systems in hopes to exploit vulnerabilities by bypassing authentication and running malicious code.
Breaking these two methods of attack up and correlating other events can narrow down the scope to what warrants response and what is just noise. Correlating web requests to suspicious websites with attack signature events during similar time frames may help indicate a passive threat that should be considered for blocking at the web gateway or firewall.
Multiple detections from a single source to a DMZ node may indicate a specific attacker that presents an ongoing threat. Anomalous activity occurring shortly after an exploit attempt, such as a scan initiated by the impacted node, a large file transfer, or an authentication event, can be a clear indication of a breach that likely requires immediate response.
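Here is an added example, written for this article rather than taken from any product, of the two intrusion use cases just described: a repeat-attacker rule over IDS alerts per source/destination pair, and a post-exploit rule that looks for a scan, large transfer or authentication event from the targeted node within a short window after the attack signature. The addresses are from the RFC 5737 documentation ranges, and the host names, signature names, event layout and window sizes are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IDS alerts (assumed normalized fields).
IDS_ALERTS = [
    {"ts": "2024-03-01 10:00:00", "src": "203.0.113.5", "dst": "DMZ-WEB-1", "sig": "Web app RCE attempt"},
    {"ts": "2024-03-01 10:01:00", "src": "203.0.113.5", "dst": "DMZ-WEB-1", "sig": "Web app RCE attempt"},
    {"ts": "2024-03-01 10:02:30", "src": "203.0.113.5", "dst": "DMZ-WEB-1", "sig": "Directory traversal attempt"},
    {"ts": "2024-03-01 10:30:00", "src": "198.51.100.7", "dst": "DMZ-WEB-2", "sig": "SQL injection attempt"},
]
# Constructed telemetry from other sources (firewall, flow data, auth logs), keyed by host.
HOST_EVENTS = [
    {"ts": "2024-03-01 10:05:00", "host": "DMZ-WEB-1", "type": "scan", "detail": "40 internal hosts, tcp/445"},
    {"ts": "2024-03-01 10:08:00", "host": "DMZ-WEB-1", "type": "transfer", "detail": "1.8 GB outbound"},
    {"ts": "2024-03-01 11:45:00", "host": "DMZ-WEB-2", "type": "auth", "detail": "local admin logon"},
]
SUSPICIOUS_FOLLOW_ON = {"scan", "transfer", "auth"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def repeat_sources(ids_alerts, min_count=3, window=timedelta(minutes=10)):
    """Source/destination pairs with at least min_count alerts inside the window."""
    by_pair = defaultdict(list)
    for a in ids_alerts:
        by_pair[(a["src"], a["dst"])].append(parse_ts(a["ts"]))
    flagged = []
    for pair, times in by_pair.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= min_count:
                flagged.append((pair, count))
                break
    return flagged


def post_exploit_activity(ids_alerts, host_events, window=timedelta(minutes=30)):
    """Targeted nodes that produced scan/transfer/auth activity shortly after an alert."""
    by_host = defaultdict(list)
    for e in host_events:
        if e["type"] in SUSPICIOUS_FOLLOW_ON:
            by_host[e["host"]].append((parse_ts(e["ts"]), e["type"]))
    findings = []
    for a in ids_alerts:
        t0 = parse_ts(a["ts"])
        # Only activity AFTER the exploit attempt counts, and only within the window
        follow = sorted({kind for t, kind in by_host.get(a["dst"], [])
                         if timedelta(0) <= t - t0 <= window})
        if follow:
            findings.append((a["dst"], a["sig"], follow))
    return findings


def triage(ids_alerts, host_events):
    """Reduce raw IDS noise to two kinds of actionable alerts."""
    alerts = [("MEDIUM", "repeat-attacker", f"{src} -> {dst}", count)
              for (src, dst), count in repeat_sources(ids_alerts)]
    seen = set()
    for dst, _sig, follow in post_exploit_activity(ids_alerts, host_events):
        if dst not in seen:  # one breach alert per impacted node, not one per signature
            seen.add(dst)
            alerts.append(("CRITICAL", "possible-breach", dst, follow))
    return alerts


if __name__ == "__main__":
    for alert in triage(IDS_ALERTS, HOST_EVENTS):
        print(*alert)
```

The three alerts against DMZ-WEB-1 become one medium-priority "persistent source" item, while the scan and outbound transfer from that same node minutes later produce the one alert that should wake someone up. The admin logon on DMZ-WEB-2 falls outside the window and stays quiet, which is the trade-off a short window makes: tune it to how quickly follow-on activity appears in your own environment.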
- Outages – Security incidents certainly get the media’s attention and are often considered very severe, but many overlook the severity of an operational outage. On a given day, it is more likely that a server or service will shut down unexpectedly than that the network will be breached by a hacker, making an outage a very real threat if the wrong system goes down.
A popular example would be if a web server for a retail company went down, preventing customers from making orders. Downtime is proportional to money lost, so it is always a good idea to have some form of availability monitoring on critical systems.
Alerting and responding to these outages quickly can mean the difference between a pat on the back and an updated resume. For SIEMs that may not have a good monitoring component, simply alerting on instances where logs have gone fifteen minutes without being received from a specific node is a good alternative.
- Performance – Along with monitoring outages, it is also important to track the performance of critical nodes. Many outages occur due to maximum utilization of resources, such as disk space, CPU and memory.
Noticing high utilization issues before they become a serious problem is generally the ideal approach. It can be difficult to explain why no one noticed that a network share had been above 95 percent utilization for weeks prior to it maxing out and corrupting the volume.
Generally, alerting on hard drive space reaching a threshold between 85 and 95 percent, and on memory or CPU running at over 90 percent for an extended time frame, is wise, but it is important to prioritize alerting based on the priority of the node being monitored to prevent an incident response team from being flooded with alerts.
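To make the performance guidance concrete, here is an added example (not from the article's author or any monitoring product) that applies the thresholds above: disk alerts fire at 85 percent for critical nodes and 95 percent for low-priority ones, CPU and memory alerts require readings above 90 percent sustained across fifteen minutes rather than a single spike, and node priority decides whether an alert pages someone or waits for the daily review. The sample format, host names and inventory are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed metric samples: (timestamp, host, metric, percent used).
SAMPLES = [
    ("2024-03-01 08:00:00", "FILE-SRV-1", "disk", 96),
    ("2024-03-01 08:00:00", "FILE-SRV-1", "cpu", 40),
    ("2024-03-01 08:00:00", "DEV-BOX-7", "disk", 88),
    ("2024-03-01 08:00:00", "DEV-BOX-7", "memory", 99),
    ("2024-03-01 08:05:00", "DEV-BOX-7", "memory", 20),
    ("2024-03-01 08:00:00", "APP-SRV-2", "cpu", 95),
    ("2024-03-01 08:05:00", "APP-SRV-2", "cpu", 97),
    ("2024-03-01 08:10:00", "APP-SRV-2", "cpu", 93),
    ("2024-03-01 08:15:00", "APP-SRV-2", "cpu", 96),
]
# Assumed node inventory; priority drives both the threshold and the routing.
NODE_PRIORITY = {"FILE-SRV-1": "critical", "APP-SRV-2": "critical", "DEV-BOX-7": "low"}
DISK_THRESHOLD = {"critical": 85, "low": 95}   # the 85-95 percent band from the text
CPU_MEM_THRESHOLD = 90
SUSTAINED = timedelta(minutes=15)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def disk_alerts(samples, priority=NODE_PRIORITY):
    """Disk alerts use a lower threshold on critical nodes so they are caught earlier."""
    alerts = []
    for _ts, host, metric, value in samples:
        if metric != "disk":
            continue
        level = priority.get(host, "low")  # unknown nodes are treated as low priority
        if value >= DISK_THRESHOLD[level]:
            alerts.append((level, host, "disk", value))
    return alerts


def sustained_alerts(samples, priority=NODE_PRIORITY,
                     threshold=CPU_MEM_THRESHOLD, sustained=SUSTAINED):
    """CPU/memory alerts fire only when an unbroken run of high readings spans `sustained`."""
    series = defaultdict(list)
    for ts, host, metric, value in samples:
        if metric in ("cpu", "memory"):
            series[(host, metric)].append((parse_ts(ts), value))
    alerts = []
    for (host, metric), points in series.items():
        points.sort()
        run_start = None
        for t, value in points:
            if value > threshold:
                if run_start is None:
                    run_start = t
                if t - run_start >= sustained:
                    alerts.append((priority.get(host, "low"), host, metric, value))
                    break
            else:
                run_start = None  # one normal reading breaks the run
    return alerts


def triage(samples, priority=NODE_PRIORITY):
    """Critical-node alerts are paged; everything else is queued for review."""
    alerts = disk_alerts(samples, priority) + sustained_alerts(samples, priority)
    paged = [a for a in alerts if a[0] == "critical"]
    queued = [a for a in alerts if a[0] != "critical"]
    return paged, queued


if __name__ == "__main__":
    paged, queued = triage(SAMPLES)
    print("page:", paged)
    print("queue:", queued)
```

Note what stays quiet: the dev box at 88 percent disk is under its 95 percent threshold, and its single memory spike to 99 percent is broken by the next normal reading, so neither reaches the response team. The file server's 96 percent disk and the application server's fifteen minutes above 90 percent CPU are the two that get paged.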
- Log Collection – Compliance has quickly become one of the most painful headaches for IT Administrators over the past few years. Compliance audits can be a nightmare if caught unprepared but luckily, SIEM vendors have made huge strides to make it easier to monitor and maintain compliance for most major standards, including PCI, ISO, HIPAA and more.
There are many use cases that could be mentioned related to this concept, but this is one of the few areas where we do not have to come up with content ourselves. Industry standard guidelines are generally well documented, so the “use cases” are basically given to you.
Though most of the work may be done for us, it is critical to confirm that data is being collected and retained for all in-scope nodes. Alerting on log source failures and inactivity can often be overlooked, but can easily be the reason for a failed audit.
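The log source inactivity check serves both the outage use case earlier (a node that has sent nothing for fifteen minutes) and the compliance point just made (an in-scope node that has silently stopped being collected). Here is an added example of that check, written for this article and not taken from any SIEM; the inventory, event layout and severities are assumptions.

```python
from datetime import datetime, timedelta

# Assumed inventory of log sources the SIEM should be receiving from;
# in_scope marks nodes covered by a compliance standard.
EXPECTED_SOURCES = {
    "WEB-01": {"in_scope": True},
    "DB-01": {"in_scope": True},
    "FW-EDGE": {"in_scope": True},
    "PRINT-SRV": {"in_scope": False},
}
# Constructed recent events: (timestamp, source, message).
RECENT_EVENTS = [
    ("2024-03-01 12:29:00", "WEB-01", "GET /index.html 200"),
    ("2024-03-01 11:40:00", "DB-01", "checkpoint complete"),
    ("2024-03-01 12:25:00", "PRINT-SRV", "job queued"),
    ("2024-03-01 12:20:00", "UNKNOWN-HOST", "hello"),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def last_seen(events):
    """Most recent timestamp observed per log source."""
    seen = {}
    for ts, source, _msg in events:
        t = parse_ts(ts)
        if source not in seen or t > seen[source]:
            seen[source] = t
    return seen


def inactive_sources(events, expected, now, max_silence=timedelta(minutes=15)):
    """Alerts for expected sources silent longer than max_silence, or never seen at all."""
    seen = last_seen(events)
    alerts = []
    for source, meta in expected.items():
        # A silent in-scope node is a potential audit failure, so it outranks the rest
        severity = "HIGH" if meta["in_scope"] else "MEDIUM"
        if source not in seen:
            alerts.append((severity, source, "never-reported", None))
        elif now - seen[source] > max_silence:
            minutes = int((now - seen[source]).total_seconds() // 60)
            alerts.append((severity, source, "silent", minutes))
    return alerts


def unexpected_sources(events, expected):
    """Sources sending logs that the inventory does not know about (an inventory gap)."""
    return sorted(set(last_seen(events)) - set(expected))


if __name__ == "__main__":
    now = parse_ts("2024-03-01 12:30:00")  # constructed "current time" for the demo
    for alert in inactive_sources(RECENT_EVENTS, EXPECTED_SOURCES, now):
        print(*alert)
    print("not in inventory:", unexpected_sources(RECENT_EVENTS, EXPECTED_SOURCES))
```

The two findings that matter here are a database server that has been quiet for fifty minutes and a firewall that has never reported at all; the second case is the one that most often slips through, since a rule that only measures gaps between events never fires for a source that produced no events to begin with. The unknown host is reported separately so the inventory itself can be corrected.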
SIEM solutions and use cases are critical components within an organization’s security environment and operations; they give organizations more intelligent security alerts, better anomaly detection and better detection of possible threats. I hope that this article provides value and insight during your endeavor to build and optimize your security environment.
About the Author: Mason Vensland graduated from Old Dominion University with a degree in Criminal Justice and Computer Science. He began his IT career working in Systems Administration and Support, then transitioned to Information Security in 2014. He moved from Virginia to Florida to join ReliaQuest in 2015 with a background in Security Operations and Digital Forensics.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.