With the world going digital and cyberattacks turning feral, effective cyberdefense is critical for paving the way to safety. Whether it's the safety of an organization's data or its reputation, the right cyberdefense techniques protect it all. But to do that, it is essential for security solutions, including SIEM, to upgrade to be on par with or even superior to the increasingly sophisticated cyberattacks.

You may now be thinking, "What is SIEM, and why is everyone so excited about it?" Well, sit back and relax, and I will tell you all you need to know. SIEM, commonly pronounced "sim," stands for security information and event management. SIEM is a centralized and robust cybersecurity solution that collects, aggregates, normalizes, categorizes, and analyzes log data. It then checks the log data against predefined rules and threat intelligence platforms (TIPs) to detect anomalies. It also alerts security analysts to any potential threats or risks to the organization's network.

Monitoring, detecting, and responding to any threats or potential threats are the core responsibilities of any organization's security operations center (SOC), and SIEM is regarded as the heart of every SOC. Before SIEM came into existence, SOCs depended on security information management (SIM) and then security event management (SEM). SIM, which was also referred to as log management, involved collecting log files and storing them in a central repository for later analysis. On the other hand, SEM involved monitoring, collecting, and processing data in real time. SIEM is an enhanced combination of both these approaches.

Capabilities

The core capabilities of a SIEM solution include log collection, log aggregation, parsing, normalization, categorization, log enrichment, analyses (including correlation rules, incident detection, and incident response), indexing, and storage. So, without any further ado, let's take a look at what these mean.

Log collection

Log collection, as the name suggests, is the collection of log data from various sources in an organization's network. You should know that integrating the logs and deploying your SIEM solution are not easy tasks. Use a tiered approach for integrating your logs; the order in which you integrate them will depend on your organization's important use cases. Here's a popular way of sequencing log collection in SIEM:

  • Network firewall logs
  • Security device logs (intrusion detection system and intrusion prevention system logs)
  • Servers, Windows, and Linux logs
  • Web proxy logs
  • Endpoint security logs
  • Web server and web application logs
  • Database logs
  • Application logs

At each step of your integration, ensure that you do enough testing to know that your logs are being properly integrated into the SIEM solution.

Also note that the method of log collection can either be agent-based or agentless. Agent-based collection involves an agent, such as Windows Server, NXLog, or OSSEC, collecting, parsing, and forwarding the log data from each device to the SIEM server. Agentless collection involves the devices, such as the switches, WMI Provider Host, and cloud environments (APIs), sending the logs to the servers.

Log aggregation

In this process, relevant information is extracted from the collected log data and stored in a format that is easily readable, searchable, and explorable by your SIEM solution. The most common way for sourcing logs is the syslog format, which is a standard logging protocol that can be easily queried by the solution. Most SIEM solutions these days are prebuilt to understand the syslog format. Once the syslogs and other logs are brought into your SIEM, log aggregation is done to extract meaningful information.

Parsing

To understand parsing, you need to know that even in unstructured log data, there will still be patterns that might appear at different intervals. A parser, which is a software component, takes unstructured log data in a specific format and converts it to readable, relevant, and structured data. You can use multiple parsers for different systems, depending on the volume of data.

Normalization

This process involves merging different events with different data, reducing the volume of log data to a minimum with common event attributes (such as common field names or values), and putting it in a format that your SIEM solution understands.

Categorization

This involves sorting the data and assigning it categories based on things like events (such as local operation, remote operation, system-generated events, or authentication-based events) and whether a reboot was required.

Log enrichment

This refers to the addition of other essential details, such as geolocation, email address, and the OS used, to the raw log data to make it more relevant and meaningful.

Analyses

A SIEM solution will continuously monitor and analyze the data it receives to look for signs of abnormalities, vulnerabilities, and threats that could compromise your organization's network security and result in data breaches. Depending on the SIEM solution you use, the capabilities will differ. In the case of traditional SIEM, your solution will detect and alert you to threats based only on predefined rules, whereas an AI-integrated SIEM solution will also be able to detect and alert you to anomalies in user behavior and even help prevent zero-day attacks.

In order to better identify events and detect threats, data analysis is done with the help of a correlation engine, a TIP, and, in the case of AI-integrated SIEM, user and entity behavior analytics (UEBA). You need to know what these are to understand how they protect your organization's network security.

  • Correlation engine: This is a core feature found in all SIEM solutions. A correlation engine identifies threats and alerts security analysts based on preset or custom correlation rules. For example, you can set rules to alert the security analyst if there is an abnormal spike in the number of file extension changes and to alert the system administrator if a person has eight consecutive login failures in one minute, and the solution will perform those actions accordingly.
  • TIP: This is an important feature that helps identify and protect against a majority of the known and identified threats to an organization's security. You can say that a TIP powers the intelligence of a SIEM solution in general. A TIP provides threat feeds that supply essential information, such as indicators of compromise, the details of a known attacker's capabilities, and the source and destination IP addresses. You can integrate threat feeds into your solution through an API, or your solution can have its own TIP, or it can connect to a separate TIP powered by different feeds.
  • UEBA: UEBA employs AI and ML techniques to detect insider threats. UEBA does this by constantly monitoring and analyzing every user's behavior, and if there is any deviation from normal, it records it, assigns a risk score, and alerts a security analyst. The analyst can then determine if it's an isolated event or part of a bigger attack and respond accordingly.

Indexing

An index is created based on log data with common attributes for faster and more effective querying or exploration by a security analyst. For example, when an analyst wants to find out what processes were run by a particular user, they can query or navigate through the index and get the results instantly.

Storage

Depending on the compliance mandates your organization has to adhere to, your organization's internal policies, your need for historical data, and your security use cases, the data from logs can be stored for the amount of time you require.

Based on the capabilities your SIEM solution possesses, you can alert your security team to any security events, threats, and vulnerabilities or you can automate the response workflows. And with that, folks, theory class is officially over. From here on out, we will be looking into the benefits of SIEM with real-life examples of where your SIEM solution can come in handy and insights into what could make it even better.

Benefits

You might have already deduced most of the benefits that SIEM could confer on your organization. I will only expand on them a little more to ensure clarity. If your SIEM solution has ML capabilities, then it may provide benefits such as better threat detection and mitigation, faster incident response, more efficient compliance management, and more effective threat hunting.

When it comes to threat detection, an AI-integrated SIEM solution with its innate ability to learn can even identify previously unknown vulnerabilities (i.e., zero-day vulnerabilities) and blind spots that are bound to become problems when your organization scales up. AI can also prioritize alerts based on the order of criticality, which will not only save time for security analysts but also ensure faster incident response and better data security and recovery. This will reduce the incidence of false positives, thus enabling your analysts to focus on the threats that do require their attention.

Organizations are also required to comply with regulations such as HIPAA, GDPR, SOX, and PCI DSS. For this, they need to meet several criteria involving the continuous monitoring of log data, network traffic, threats and vulnerabilities, unauthorized activities, employee access to data, and changes to credentials and data policies. Your SIEM solution can achieve all of this and generate specific audit reports to help you meet the requirements.

Cyberattacks

To help you understand why your organization requires a SIEM solution, I am going to give some examples of real-life cybercrimes and show how your organization could fall prey to them if it leaves its data unsecured.

1. Florida Orthopaedic Institute

On April 9, 2020, Florida Orthopaedic Institute (FOI), one of the largest orthopaedic providers in the state, discovered that it had become a victim of ransomware when its staff was unable to access patients' files, which had been encrypted by hackers. FOI hired third-party forensic experts to aid its investigation. On May 6, the experts determined that the attackers had accessed and potentially exfiltrated sensitive data, including the names, dates of birth, social security numbers, diagnosis codes, payer identification numbers, payment amounts, physician locations, and insurance plan identification numbers of about 640,000 patients!

While FOI was able to recover the data, that does not negate the fact that the PII of its customers had fallen into the wrong hands. In acknowledgment, FOI offered complimentary credit monitoring and identity theft protection to its affected customers for a period of one year. This, however, has not prevented it from being sued for negligence and failure to protect patients' health information; it now faces a class action lawsuit for this incident.

2. Nippon Telegraph and Telephone

On May 7, 2020, Japan's largest telecommunications company, Nippon Telegraph and Telephone (NTT), suffered a breach in its production server in Singapore. The hackers used this entry point as a stepping stone to gain access to a cloud server located in Japan. The hackers then moved laterally to an internal server before finally gaining access to the Active Directory (AD) server.

The hackers uploaded the data stolen from the AD server to a remote server. NTT detected the attack on May 11 and immediately took steps to mitigate it. However, by then it was discovered that the hackers had stolen the data of as many as 621 of its customers.

These are just two examples of how cyberattacks could not only cost you money but also your reputation. There are many different ways for cybercriminals to attack organizations, but phishing, malware, and ransomware are the most common.

Integrations

Now you know why you need a SIEM solution. But if your organization is huge and has a corresponding SOC, and your security analysts are drowning under a flood of threats and security alerts in addition to their own day-to-day responsibilities, then integrating security orchestration, automation, and response (SOAR) with your SIEM solution might be the way to go.

Like SIEM, SOAR is also a trending topic in cybersecurity. Initially, technicians believed that SOAR could replace SIEM, but now experts agree that integrating SIEM and SOAR platforms together will enhance the security of organizations and the efficiency of SOCs.

SOAR shares some similarities with SIEM but provides faster incident detection and response. This is due to its ability to automate responses based on events and suggest recommendations to analysts based on threat intelligence. Once an analyst selects the best course of action, SOAR will automatically carry it out and quickly contain the threat.

SOAR offers a central location for research, investigations, and intelligence. It can standardize best practices and also reduce repetitive tasks and thus human error. The best part about SOAR is that it can be integrated with your SIEM and TIP. As ideal as this sounds, before you make a decision to implement SOAR, you should consider factors such as your SOC's actual needs, the complexity of SOAR's configuration, and the huge implementation costs you will incur.

You should know that SIEM is also going to be a significant investment for your organization, both in terms of money and data security. If you are looking for a SIEM solution that can strengthen your organization's data security, then check out ManageEngine Log360, one of the most popular SIEM solutions. Choose wisely and secure your data extensively, or else the consequences might be ghastly. Thanks for reading, folks!

Get the latest content delivered
right to your inbox!

Thank you for subscribing.

You will receive regular updates on the latest news on cybersecurity.

  • Please enter a business email id
  •  
  •  
    By clicking on Keep me Updated you agree to processing of personal data according to the Privacy Policy.

Expert Talks

     
     

© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.