Management, compliance & auditing

What Is SIEM?

Jatin Jain
November 24, 2015 by
Jatin Jain

A SIEM (security information and event management) is a software solution that normalizes, filters, correlates, assembles, and centrally manages other operational events to monitor, alert on, respond to, analyze, audit, and manage security and compliance pertinent information. SIEM systems provide fundamental security operations like other product categories. Their functions and delivery mechanisms, hardware appliances, virtual appliances, and services vary by vendor. They provide more efficient and useful analysis capabilities for information security professionals and their organizations.

SIEMs collect and centrally manage records of network, application, device, security, and user activity from different infrastructure sources. The most common form of event log data is an audit file generated by a system, commonly captured via syslog protocol. Manually reviewing a large number of diverse log sources has been proven ineffective, slow, conducive to error, and frustrating to security personnel.

In addition, at some point, a given log file may be overwritten with newer data, whereby previous audit information will be lost.

It is important to know that what device sources in your operating environment must be supported and how your environment will support a SIEM's mean to receive or pull in necessary event log data. For example, if a device's event log function is activated, some SIEMs may require the use of agents or credentialed means of access to obtain event log data. SIEM vendors publish the devices, support and provide updates to maintain and expand device support.

Identification of problems, attacks, and violations for which SIEMs serve an action (typically called an incident). An incident is an event or occurrence that satisfies a rule and condition, or multiple rules and conditions. Rules can also be statistically derived event thresholds. The capacity for real-time correlation is determined by two factors: (1) the amount of events per second and (2) the breadth of attributes and logic that can applied by the SIEM's rule engine.

SIEMs also help in identifying a company's specific issues or scenarios of interest, extending operating controls, and communicating at different level of severity. An event will have a corresponding severity as reported by device within the event log. It can be automatically adjusted by the SIEM, based on the rule-rule logic or rule customization. A SIEM alert will also provide underlying event triggers for further investigation. In addition, SIEMs also offers different event consolidation, alert suppression, and case management capabilities to facilitate incident response.

The pre-defined reports can be through various search or report constructs. It also provides query functionality, real time and historical. Both produce custom reports search, report generation and audit dashboards will vary. SIEMs map pre-defined rules and reports to accuracy standards and management frameworks for accuracy monitoring and documentation such as SOX, HIPAA, COBIT, PCI DSS, and ITIL.

Professionals can apply the following top 10 best SIEM practices

  1. Requirements—Establish key monitoring and reporting requirements prior to deployment, which includes objectives, targets, compliance controls, implementation and workflow.
  2. Implementation—Determine the system's scopes, infrastructure audit targets, necessary credentials, and verbosity.
  3. Compliance—Includes management of audit data accessibility, retention, integrity, evidentiary requisites, and disposal.
  4. Access control—Monitor and report on key status, transgression, and anomalous access to critical resources.
  5. Perimeter defenses—Monitor and report on key status, attacks, and configuration changes associated with perimeter defenses.
  6. Resource integrity—Monitor and report on key status, backup processes, configuration changes, threats, and vulnerabilities affecting network system resources integrity and availability.
  7. Intrusion detection—Monitor, respond and report on key status, notifications and incidents with regards to intrusion detection, system threats
  8. Malware defense—Monitor and report on key status, violation, issues, threats, and activity supporting malware controls.
  9. Application defenses—Monitor and report on key status, configuration changes, issues, violation and anomalous activity with regard to the web, database, and other application defenses.
  10. Acceptable use—Monitor and report on key status and issues violation activity regarding the acceptable use of resources and information.

Monitoring and Reporting Requirements

Overview and highlight processes

SIEM results greatly affect the human factor, people, and processes. The human factor involves education, accountability, and process commitment. Advance planning includes objectives, source targets, and attributes that are to be monitored, notification, internal and external requirements, and data retention requirements. EPS varies among all devices depending upon vendor. EPS calculation can be accomplished by gathering sample data from live device via temporary logging server. SIEM aggregates and manages data used in forensic investigation and determined by: 1. How data is stored; 2. storage capacity; 3. processing capacity. SIEM implementation is crucial because an organization can ensure greater success and less cost for improvement.

Recommended

  • Project achievement, objectives, requirements, and responsibilities.
  • Input and output verification.
  • Analysis of reports, data, operators.
  • Monitoring incident response and auditing procedures.

Deployment and Infrastructure Activation

Overview and highlight processes

The best means for achieving SIEM implementation success is via phases rather than through an "all at once" approach. It can break a great extent of projects into smaller phases: initial installation, replacement, and expansion. The implementation and maintenance of SIEM will be easier if the document and management process is better. Many SIEMs can automatically know the event log data via syslog SNMP community strings.

  • Maintaining source data, delivery of event and log data.
  • SIEM deployment maintenance.
  • Refining system to serve ongoing needs.
  • Deployment and contrivance.
  • Mechanisms of delivery: software, hardware, and virtual appliances.
  • Important operating equipments.
  • Installation and scope of coverage.
  • Basic facilities, responsibilities, support, and training.

Recommended

  • Percent of deployment, event log complete to project scope.
  • Expected ratio of monitored device by category, by implementation phase, node, or identifying device.
  • Data retention capacity, log, and event volume.
  • Report generation execution.

Compliance and Audit Data Requirement

An overview and highlight process is the best way is to establish data of compliance requisites and an SIEM proof point, such as PCI DSS. Most governance, risk, compliance (GRC) methods tend to monitor policies by monitoring infrastructure control supporting compliance mandates and also monitoring directory services to address privilege. Compliance reports should be refined for analysis by internal and external auditors and CIO or CSO. One service organization adhere to SOX, HIPAA, and COBIT to retain one year of event log data, while another service organization must address ISO, NIST, and DCID and retain for five years of event log data.

Recommended

  • Number of actual recommended assets.
  • Daily alerts and monthly reports.
  • Top compliance issues by category and severity.
  • Open to close ratio issued by month and quarter.
  • Current log volume by week, month, and device type.

Access Controls

Access controls are required to protect information assets, personal identifiable information, financial information, and proprietary business information. They can define users and groups, and audit functions with multiple directory service. SIEM can easily bring authentication, authorization, and accounting mechanisms. Operators can create specific policies that proactively identify threats and violations.

Recommended

  • Access failure by antecedent logical grouping.
  • Access login success and failure by user, system, time, and device class.
  • Multiple logons from different geographical locations.
  • Privileged user access by access failure, by critical resource, by method, by various locations, and by time.
  • Only trusted service account by day, domain, and volume.
  • Remote access login success and failure by user, by time, and by device class.

Boundary Defenses

Overview and highlight processes

DMZ (demilitarized zone) serves as a checkpoint between the company's private network and public network, preventing internal users from accessing network. There are multiple boundaries or perimeters of organization between users and systems, business partners and extranets. It also provides network flow information, which contains details of source and destination addresses, ports, and amount of data. Virtualization adds potential challenges for dynamic VM movement. Case management tracks who and how specific incidents were investigated and resolved.

Recommended

  • Access failure by source and destination.
  • DMZ connection with external sources by system, user, bandwidth, and time.
  • Perimeter attacks by category, dropped traffic from DMZ, and FW.
  • Blocked internalexternal by port and destination.
  • Daily or weekly alerts on top 10 connections from site.
  • Top bandwidth by protocol, connection, source, and destination.
  • Failure by FW, VPN, and domain.
  • Wireless network access by location, user, and failed attempts.

Network and System Resource Integrity

Overview and highlight processes

To assure and maintain operating integrity patch details, an application to configure a vulnerability system is required and is necessary to inform budget, procurement, and capacity planning decisions. Change management processes are required for compliance, such as PCI, DSS, COBIT, ISO 27001 and ITIL. SIEM can provide various monitoring, alerting, and reporting devices for maintenance of infrastructure integrity through direct or data integration. Virtualization software brings tremendous benefits and greatly intensifies data center management by many hierarchies of magnitude. The occurrence of a problem, its location, cause, and trigger for the change, impact of VM resources, and hardware issues become difficult to manage. Ongoing ability to identify persistent hackers' attempts to identify and exploit is also necessary and uses patch management VM solutions.

Recommended

  • Critical system changes per user and device class it services.
  • System's outside configuration by criticality, class, ratio, and trend.
  • Attacks by vulnerable system, inbound and outbound connections by system, user, bandwidth, and time; actual and suspect systems with peer-to-peer software.
  • Top system issues by incident category, system restarts, DNS faults, and configuration changes.
  • Excessive VM movements, non-compliant VM movements, and high resource utilization by VM.
  • Failed backup services by system, by time, and by business.

Network and Host Defenses

Overview and highlight processes

To prevent and identify unwanted communications, known attacks, and malicious activity, a combined intrusion prevention system and intrusion detection system works well. It also includes anti-malware capability and many other security mechanisms. The detection method depends on known patterns of network-based attacks, such as worms, spyware, and peer-to-peer port scanning. It can also use protocol and application context to detect zero-day threats and blended threats. SIEMs include aggregate IDSIPS alerts and false positive filter management. In some cases, a detection of an attack by an IDSIPS generates false alerts.

Recommended

  • IPS/IDS events classified as incidents per month by network and service.
  • Incidents by source, destination, and attacks identified and resolved.
  • Unauthorized and suspicious network traffic by source, destination, and type.
  • Communication by source, destination, and type.
  • Attack investigation open and closed ratio and wireless IDS alerts.

Malware control

Overview and highlight processes

Malware controls are needed for additional threats, scope of infection, power supply and gaps, and to identify mitigating and measuring viruses, root kits, botnets, spam, and e-mail communication. One important practice is to enable operators to focus on detection only of malware issues and threats and also facilitate processes to identify infected systems by correlating DNS requests, port scanning, and warnings from IDS/IPS.

Recommended

  • Top reported malware threats, antivirus trends, and spam trends.
  • Malware attack sources by prior vulnerability issues.
  • Top systems with multiple infections.
  • Anomalous network activity and irregular web communications.

Application Defenses

Overview and highlight processes

Safeguard is the first defense application. It includes maintaining overall platform security and non-security configuration, network interface, and OS. The use of web applications has grown due to the increase of web and mobile applications. SIEM can correlate vulnerability and attack events from application firewalls. Databases are not attack-proof and also require security measures. Additional database security includes firewall technology, combination of data base-centric configuration, and auditing mechanisms. The focus of an application can be prioritized for mission-critical/high-risk, depending upon the sheer number.

Recommended

  • Web application attacks per server, remediated by type, source, and destination.
  • Database and web platform configuration changes.
  • Anomalous application platform.
  • Database application security issues, queries, and inserts created.
  • Top critical SQL commands.
  • Top and unusual web and database application access.

Acceptable Use

Overview and highlight processes

In this article, the reader came to know how to use and where to use SIEM to protect corporate assets and information. It is advised to assure that there is no individual privacy at risk, the duty of care, reporting, and notification of user activity is understood and addressed. SIEM serves to fortify AUP policy to identify internal threats, material violations, and fraud. To detect fraud requires analyzing statistical profiles.

Recommended

  • Top unwanted websites visited by user.
  • Systems with blacklisted software.
  • Consultant network resources.
  • Top traffic by application, user, and to and from geographic locations.
  • Administrative access to critical systems and resource access failures.
  • Use of terminated accounts and unusual access using service accounts.
  • Unencrypted transmission of sensitive data.
Jatin Jain
Jatin Jain

With versatile experience in Information Security domain, he has successfully proven himself in Information Security Audit, Web Application Audit, Vulnerability Assessment, Penetration Testing/ Ethical Hacking and also acted as corporate trainer. Have served different government and private organization and provided best security services. Also he has been awarded from world's best organization like Face book, Apple, etc for providing best security support to them. He included his name in worldwide recognized various hall of fame as well as written article for famous PenTest, Hackin9 Magazine.