Guidelines to measure the maturity level of SIEM
Currently, the great challenge for companies that have a SIEM is to keep up with the new features that are added modularly to this technology while also continuously improving the items they already have. It is at this crossroads that many companies find themselves, and they pay specialized consulting firms to measure the maturity of their SIEM and apply a set of best practices. In this article, each of these practices will be discussed and explained.
Before listing each of the points, it is always important to remember that a SIEM, in addition to being used to understand cybersecurity risks, must also be supported and guided by the company's business processes.
Review of the solution's architecture and design
This is the main item in the SIEM structure. In this stage several aspects are defined, such as choosing between an on-premises environment (all-in-one or distributed) and the cloud, the network design and its distributed systems, sizing and expansion, high availability, and disaster recovery.
Other important items are also discussed, such as capacity, the implementation of mechanisms that prevent changes to the integrity of the logs, the definition of which log sources will be used (firewalls, DNS, proxy, Active Directory, and endpoint logs in general such as antivirus, DLP, and others), the definition of critical business assets, and the risk matrix.
With this it is possible to identify the SIEM's blind spots, for example: ingesting only events and logs from on-premises technologies and ignoring the logs of technologies hosted in the cloud, whether for reasons of technical infeasibility (integrations via unsupported scripts, no APIs for integration, etc.) or high cost (structures in the Amazon cloud that need to pay for the CloudWatch and CloudTrail functionalities to send their logs); the same applies to other internal data repositories such as a data lake (supporting big data).
The SIEM needs firewall rules released so that it can communicate with all hosts defined as relevant in the architecture design.
It is important to have an SMTP account in the name of the SIEM so that it can send notifications and alerts from automated tasks.
The SIEM is not a black box that can never be opened; you must manage it like any other important asset on the network. There are important configuration details that need to be taken into consideration, for example:
- use a dedicated network interface to send backup files over the network;
- the administration tools used should only be those approved by the vendor of the application and of the operating system;
- definition of the hardware capacity baseline;
- monitoring of CPU, disk, memory, and network connections;
- review of scheduled tasks (ensure that tasks do not overlap in time and that long tasks are scheduled outside business hours).
Ensure that the SIEM is able to download its application updates.
Backup and archiving
The backup of the SIEM must follow the company's backup policy and, of course, the backup should not be stored on the SIEM itself;
The archiving of event data and logs must follow the company's rules for regulatory and legal reasons, such as retention time, integrity, encryption, and secure storage inside or outside the SIEM.
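One way to give an archive the integrity property the paragraph asks for is to chain the records with a keyed hash, so that any later edit, insertion, deletion or reordering breaks the chain and can be pointed to. The following is an added example, not code from the article or from any SIEM product; the events, the key and the `GENESIS` value are constructed for the demonstration, and the key is assumed to be kept outside the archive (for instance in the backup catalog or a vault).

```python
import hashlib
import hmac
import json

# Constructed sample archive records (not from the article).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T00:00:01Z", "src": "fw-01", "msg": "deny tcp 10.0.0.5 -> 203.0.113.9:445"},
    {"ts": "2024-01-01T00:00:02Z", "src": "dc-01", "msg": "4625 logon failure user=jdoe"},
    {"ts": "2024-01-01T00:00:03Z", "src": "proxy-01", "msg": "GET http://example.test/ user=jdoe"},
]

GENESIS = "0" * 64  # value chained into the first entry (constructed convention)


def _canonical(record: dict) -> bytes:
    """Stable serialization so the MAC does not depend on key order or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _link(key: bytes, prev: str, record: dict) -> str:
    """MAC over the previous link and the record: one link of the chain."""
    return hmac.new(key, prev.encode() + _canonical(record), hashlib.sha256).hexdigest()


def build_archive(events, key: bytes):
    """Wrap each event in an entry whose MAC covers the record and the previous MAC.
    Editing, inserting, deleting or reordering an entry breaks every later link."""
    entries, prev = [], GENESIS
    for ev in events:
        mac = _link(key, prev, ev)
        entries.append({"record": ev, "prev": prev, "mac": mac})
        prev = mac
    return entries


def head(entries) -> str:
    """The last MAC. Store it separately from the archive so that truncation of the
    tail (a valid but shorter chain) is also detectable."""
    return entries[-1]["mac"] if entries else GENESIS


def verify_archive(entries, key: bytes, expected_head=None):
    """Return (ok, index): index is the first bad entry, or -1 when the chain is intact.
    With expected_head, a chain that is valid but shorter than recorded is reported
    with index == len(entries)."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        expected = _link(key, prev, entry["record"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expected):
            return False, i
        prev = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries)
    return True, -1


if __name__ == "__main__":
    key = b"archive-signing-key"  # constructed; keep the real key in the vault
    archive = build_archive(SAMPLE_EVENTS, key)
    print("intact:", verify_archive(archive, key, head(archive)))
    archive[1]["record"]["msg"] = "4624 logon success user=jdoe"  # simulate tampering
    print("after edit:", verify_archive(archive, key, head(archive)))
```

The chain alone cannot detect that the newest entries were cut off, which is why `head()` is recorded outside the archive and passed back to `verify_archive()`; encrypting the archive at rest is a separate control and does not replace this integrity check.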
Most SIEMs support machine learning at no additional cost, but you need to be aware of multi-tenant support, because there are SIEMs that support multiple domains while their machine learning functionality does not. A good example of this limitation is MSS providers that offer a SIEM but do not support machine learning.
Using artificial intelligence is a great resource to increase the maturity of the SIEM because of several factors, such as using unstructured data to correlate local threats, performing predictive analyses, making the automated response to incidents more accurate and faster, further reducing false positives, etc.; and, as with machine learning, you need to pay attention to multi-tenant support.
The presence of UEBA functionality raises the SIEM score because it is a resource that enhances the identification of security incidents based on the behavior of users and entities; in general, this functionality is free and only needs to be enabled. If the sending of logs and events is configured correctly, it is possible to monitor behavior trends in real time and mitigate potential security incidents, detecting backdoors, botnets, and internal fraud. Depending on the manufacturer, UEBA may not support multi-tenancy.
Business and compliance rules and reporting
What is the advantage of having a SIEM that only meets technological requirements and does not generate added value for the business? The SIEM should work in collaboration with internal departments, generating information for executive presentations and supporting decision making, thus generating ROI; a good example is using the SIEM to collect information and generate anti-fraud rules, such as detecting cardholder fraud, and also to support internal and external audits by generating compliance reports for auditors.
The SIEM database, like any other, needs maintenance and must comply with security and performance procedures, such as encrypting the database, verifying the health and storage of partitions and tables, applying available patches, versioning, cataloging table data, and defining the retention period for querying events.
The asset inventory is a set of information that categorizes assets and classifies them into groups to help monitor the network, such as the CMDB (Configuration Management Database) of notebooks and servers, the list of critical business assets and other relevant assets (such as DNS, DHCP, firewalls, routers, etc.), and the internal networks and their scopes (exclusion ranges, reservations).
The more granular the information, the more accurate the classification of the event will be.
Access credentials are an important point because the SIEM is also an asset that must be audited. It must comply with the company's access control policy; in addition, default accounts must be removed and individual accounts created for analysts based on RBAC (role-based access control), if possible with single sign-on or password vault technology.
By enabling audit trails within the SIEM, it is possible to guarantee that users' identities and actions are recorded, especially the use of credentials with administrative privileges.
People and processes
Even after fixing all technical problems, it is necessary to keep in mind that people and processes must also be aligned. It is necessary to define management strategies for the team, such as defining the roles and responsibilities of its members, providing adequate training, and defining goals for career development; it is also essential to write and publish policies for security operations and technical procedures (knowledge base registration, creation of playbooks, operational technical manuals, detection processes, investigation and triage of alerts, etc.) to support the routine of the security department.
There are many SIEMs that do not use network flow, but with this feature it is possible to improve the visibility and monitoring of the network, such as detecting lateral movement; however, before enabling network flow capture, it is necessary to conduct a feasibility and capacity study of the network equipment responsible for sending this data, because there are cases in which enabling flow export affects the performance of the equipment, and the entire network (or a segment of it) may be compromised by capacity degradation.
Life cycle of events and rules
For the correlation of logs to be efficient, a periodic maintenance process is necessary. There are several ways to achieve this objective, and one of them is to apply the continuous improvement model through the PDCA cycle, so that small problems are identified before they affect the performance of the system, the customization of the rules, and the health of the connectors.
Below are some tasks that can help identify problems:
- review rules that have errors or are disabled;
- identify inactive and disabled log sources;
- identify the assets with the highest rate of events that have no enabled rules;
- adjust rules with excessive partial matches;
- check critical business assets that do not emit events;
- in the case of a SIEM licensed per event, review which events are the biggest offenders in license consumption;
- use regex plus event context to fill in blank or unknown fields.
NOTE: security feeds are also considered informational events; an important detail is that they need the necessary firewall releases (outbound permissions) to fetch new data from the internet.
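Several of the maintenance tasks in the list above (rules with errors or disabled, high-volume assets that no rule looks at, license offenders, and filling unknown fields with a regex) can be checked from exports of the rule inventory and per-source event counts. The following is an added example, not code from the article or from any SIEM product; the rule list, event counts, events and the 20% license threshold are constructed for the demonstration, and the field names (`enabled`, `error`, `assets`) are assumed.

```python
import re
from collections import Counter

# Constructed sample data (not from the article): a rule inventory export,
# per-source event counts for the licensing period, and parsed events whose
# parser left fields blank or "unknown".
RULES = [
    {"name": "Brute force logon", "enabled": True, "error": None, "assets": ["dc-01"]},
    {"name": "Proxy malware download", "enabled": False, "error": None, "assets": ["proxy-01"]},
    {"name": "Firewall port scan", "enabled": True, "error": "invalid regex", "assets": ["fw-01"]},
    {"name": "Lateral movement SMB", "enabled": True, "error": None, "assets": ["fw-01"]},
]

EVENT_COUNTS = Counter({
    "fw-01": 1_250_000, "proxy-01": 840_000, "dc-01": 95_000, "vpn-01": 300_000, "edr-01": 60_000,
})

EVENTS = [
    {"src": "dc-01", "user": "unknown",
     "msg": "An account failed to log on. Account Name: jdoe Source Network Address: 10.0.0.5"},
    {"src": "vpn-01", "user": "", "msg": "session start user=asmith ip=198.51.100.7"},
]


def rules_needing_review(rules):
    """Rules that are disabled or failed to load: cleanup candidates."""
    return [r["name"] for r in rules if not r["enabled"] or r["error"]]


def covered_assets(rules):
    """Assets referenced by at least one enabled, error-free rule."""
    return {a for r in rules if r["enabled"] and not r["error"] for a in r["assets"]}


def top_sources_without_rules(rules, counts, top_n=3):
    """Highest-volume sources that no healthy rule looks at: ingested, paid for, unused."""
    covered = covered_assets(rules)
    return [src for src, _ in counts.most_common(top_n) if src not in covered]


def license_offenders(counts, threshold=0.2):
    """Sources consuming more than `threshold` of total event volume, largest first."""
    total = sum(counts.values())
    return sorted((src for src, n in counts.items() if n / total > threshold),
                  key=lambda s: -counts[s])


# Regexes applied only when the parsed field is blank or "unknown"; the event
# context (which patterns apply to which message family) is what keeps them safe.
USER_PATTERNS = [
    re.compile(r"Account Name:\s*(\S+)"),   # Windows security event text
    re.compile(r"\buser=(\S+)"),            # key=value style sources
]
IP_PATTERN = re.compile(r"(?:Source Network Address:\s*|\bip=)(\d{1,3}(?:\.\d{1,3}){3})")


def fill_unknown_fields(event):
    """Populate user and src_ip from the raw message when the parser left them empty."""
    out = dict(event)
    if out.get("user", "") in ("", "unknown"):
        for pat in USER_PATTERNS:
            m = pat.search(out["msg"])
            if m:
                out["user"] = m.group(1)
                break
    if not out.get("src_ip"):
        m = IP_PATTERN.search(out["msg"])
        if m:
            out["src_ip"] = m.group(1)
    return out


if __name__ == "__main__":
    print("rules to review:", rules_needing_review(RULES))
    print("top sources without rules:", top_sources_without_rules(RULES, EVENT_COUNTS))
    print("license offenders:", license_offenders(EVENT_COUNTS))
    for ev in EVENTS:
        print(fill_unknown_fields(ev))
```

The two volume checks are deliberately separate: a source can be a license offender and still be well covered by rules (fw-01 here), while a cheaper source with no rule coverage is the one to question first.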
The task of collecting logs also needs a process of continuous improvement and periodic reviews. There are scenarios in which the collected logs need to be stored for audit purposes but do not need to be correlated or processed; in these cases, it is possible to bypass processing and send the data directly to the secure storage location.
The following are some examples that can assist in the review:
- sending alerts to the security team when a log source stops working;
- filtering the relevant logs and events on the endpoint connectors to decrease the SIEM processing load;
- evaluating the performance of the endpoint connectors, such as cache capacity in case the sending of logs temporarily fails, bandwidth used, etc.
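The first two review items above, together with the audit-only bypass described before the list, come down to two small pieces of logic: a liveness check that knows each source's normal cadence (a firewall that is quiet for ten minutes is a problem; a backup job that reports once a day is not), and a connector-side router that decides whether an event goes to correlation, straight to secure storage, or nowhere. The following is an added example, not code from the article or from any SIEM product; the sources, timestamps, the Windows event-ID allowlist and the `ARCHIVE_ONLY_SOURCES` set are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the article). expected_interval is the window
# within which the source normally emits at least one event.
SOURCES = {
    "fw-01":     {"expected_interval": timedelta(minutes=1),  "critical": True},
    "dc-01":     {"expected_interval": timedelta(minutes=5),  "critical": True},
    "backup-01": {"expected_interval": timedelta(hours=24),   "critical": False},
    "hr-app":    {"expected_interval": timedelta(hours=1),    "critical": True},
}

LAST_SEEN = {  # timestamp of the last event received per source
    "fw-01": datetime(2024, 1, 1, 11, 59, 30, tzinfo=timezone.utc),
    "dc-01": datetime(2024, 1, 1, 11, 20, 0, tzinfo=timezone.utc),
    "backup-01": datetime(2023, 12, 31, 13, 0, 0, tzinfo=timezone.utc),
    # "hr-app" was onboarded but has never delivered an event
}
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def silent_sources(sources, last_seen, now, grace=2.0):
    """Return [(source, reason)] for sources that missed `grace` expected intervals
    or were never seen at all; critical sources are listed first."""
    findings = []
    for name, cfg in sources.items():
        seen = last_seen.get(name)
        if seen is None:
            findings.append((name, "never seen"))
        elif now - seen > cfg["expected_interval"] * grace:
            findings.append((name, f"silent for {now - seen}"))
    findings.sort(key=lambda f: (not sources[f[0]]["critical"], f[0]))
    return findings


# Connector-side routing. The allowlist should be derived from the event IDs the
# correlation rules actually reference; the values here are constructed.
RELEVANT_WIN_EVENTS = {1102, 4624, 4625, 4672, 4688, 4720, 4728, 4732, 4756}
ARCHIVE_ONLY_SOURCES = {"backup-01"}  # kept for audit, never correlated

SAMPLE_BATCH = [
    {"src": "dc-01", "event_id": 4625, "msg": "logon failure"},
    {"src": "dc-01", "event_id": 4662, "msg": "object operation"},
    {"src": "backup-01", "event_id": None, "msg": "job finished ok"},
    {"src": "fw-01", "event_id": None, "msg": "deny tcp 10.0.0.5 -> 203.0.113.9:445"},
]


def route_event(event):
    """'archive' bypasses correlation, 'drop' never leaves the connector, 'siem' is correlated."""
    if event["src"] in ARCHIVE_ONLY_SOURCES:
        return "archive"
    if event.get("event_id") is not None and event["event_id"] not in RELEVANT_WIN_EVENTS:
        return "drop"
    return "siem"


def filter_batch(events):
    routed = {"siem": [], "archive": [], "drop": []}
    for ev in events:
        routed[route_event(ev)].append(ev)
    return routed


if __name__ == "__main__":
    for src, reason in silent_sources(SOURCES, LAST_SEEN, NOW):
        print(f"ALERT source {src}: {reason}")
    routed = filter_batch(SAMPLE_BATCH)
    print({k: len(v) for k, v in routed.items()})
```

A per-source `expected_interval` is what keeps the liveness alert useful: a single global timeout either floods the team with false alerts from low-volume sources or misses a firewall that has gone quiet. Dropped event IDs should be reviewed whenever a rule is added, since a drop list tuned for today's rules silently removes the data tomorrow's rule needs.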
A relevant point is to integrate the SIEM into the incident management process; it is also important to have a ticketing system that can support the opening of cases (ideally with the tickets carrying the event logs and a secure storage area for the safekeeping of evidence) based on criticality levels, and that sends requests to the responsible teams.
Orchestration and automation (SOAR)
SIEM tools have a minimum level of automation, but if that basic level is not enough, it is necessary to raise the level and deploy a SOAR (security orchestration, automation and response) tool. With it, it is possible to simplify the routine of the security operation, automating at scale and improving in detail the efficiency of the incident response process, from triage and qualification through thorough investigation to the resolution of the case.
Threat intelligence is another feature whose presence raises the maturity of the SIEM, but threat intelligence is not just about correlating IOCs, malware fingerprints, the reputation of malicious IPs/domains, and botnets; it requires proper configuration to receive relevant information from feeds from trusted sources. One of the problems when using a feed is to install it and wait for it to do the rest of the work; this is wrong because the threat intelligence feed is not able to understand contexts and scenarios or prioritize requests; only a well-trained team can identify malicious events and make a decision.
With the correct use of threat intelligence, it is possible to support the threat hunting team and, based on cyber threat indicators, make recommendations that prevent data leakage or attacks; another benefit is that the feed is a smart way to enrich the cyber threat dashboard in real time.
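The point that a feed match on its own is not a decision is easiest to see when the same indicator is scored twice with different context: an internal critical asset connecting out to a listed address is not the same as that address being blocked at the perimeter on the way in. The following is an added example, not code from the article or from any feed or SIEM product; the feed entries, confidence values, asset criticalities, the `10.0.0.0/8` internal range and the weighting factors are constructed for the demonstration.

```python
import ipaddress

# Constructed sample feed and events (not from the article); addresses are from
# documentation ranges. Confidence is the feed's own 0-100 rating.
FEED = [
    {"type": "ip", "value": "203.0.113.9", "confidence": 90, "source": "vendor-a"},
    {"type": "domain", "value": "bad.example", "confidence": 60, "source": "osint"},
    {"type": "ip", "value": "198.51.100.7", "confidence": 30, "source": "osint"},
]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ASSET_CRITICALITY = {"10.0.0.5": 3, "10.0.0.20": 1}  # 3 = critical business asset; default 1

EVENTS = [
    {"id": 1, "src_ip": "10.0.0.5", "dst_ip": "203.0.113.9", "domain": None, "action": "allow"},
    {"id": 2, "src_ip": "203.0.113.9", "dst_ip": "10.0.0.20", "domain": None, "action": "deny"},
    {"id": 3, "src_ip": "10.0.0.20", "dst_ip": "192.0.2.10", "domain": "bad.example", "action": "allow"},
    {"id": 4, "src_ip": "10.0.0.20", "dst_ip": "198.51.100.7", "domain": None, "action": "allow"},
]


def index_feed(feed):
    """(type, value) -> indicator, for O(1) lookups per event field."""
    return {(i["type"], i["value"]): i for i in feed}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def match_event(event, idx):
    """Raw feed hits for one event: this is all a feed by itself provides."""
    keys = (("ip", event["src_ip"]), ("ip", event["dst_ip"]), ("domain", event.get("domain")))
    return [idx[k] for k in keys if k in idx]


def priority(event, hit) -> int:
    """Context-aware score: feed confidence x direction x perimeter action x asset criticality."""
    outbound = is_internal(event["src_ip"]) and not is_internal(event["dst_ip"])
    factor = 1.0 if outbound else 0.4      # an internal host reaching out is the stronger signal
    if event.get("action") == "deny":
        factor *= 0.5                      # blocked at the perimeter: lower urgency, still recorded
    internal_side = event["src_ip"] if is_internal(event["src_ip"]) else event["dst_ip"]
    return round(hit["confidence"] * factor * ASSET_CRITICALITY.get(internal_side, 1))


def prioritize(events, feed, threshold=50):
    """Return [(priority, event_id, indicator)] at or above threshold, highest first."""
    idx = index_feed(feed)
    out = []
    for ev in events:
        for hit in match_event(ev, idx):
            p = priority(ev, hit)
            if p >= threshold:
                out.append((p, ev["id"], hit["value"]))
    return sorted(out, reverse=True)


if __name__ == "__main__":
    for p, ev_id, ioc in prioritize(EVENTS, FEED):
        print(f"priority {p:>3}  event {ev_id}  indicator {ioc}")
```

Events 1 and 2 hit the same indicator, yet one lands at the top of the queue and the other below the threshold; the feed supplied the match, and the asset inventory and the event context supplied the decision. The factors are illustrative and should be tuned with the analysts who work the queue.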
Nowadays SIEMs support vulnerability management, and some have their own vulnerability scan engine, but it is also possible to use third-party tools to perform the scan. With this, it is possible to schedule periodic scans of a group of assets or specific, individual scans, and with the results correlate the assets and the vulnerabilities found with a risk matrix, generating alerts and notifications for the responsible teams so that they apply the fix.
In this way, it is possible to automate the vulnerability management workflow and its steps (identification, analysis, prioritization, mitigation, correction, and reporting).
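The prioritization step of that workflow is where the risk matrix does its work: the same vulnerability with the same CVSS score should produce a different priority on an internet-facing critical server than on an internal development box, and the resulting notifications should be grouped per owning team rather than sent as one undifferentiated list. The following is an added example, not code from the article or from any scanner or SIEM product; the assets, the placeholder vulnerability IDs, the likelihood and level thresholds and the team names are constructed for the demonstration.

```python
# Constructed sample data (not from the article). Vulnerability IDs are placeholders,
# not real advisory identifiers.
ASSETS = {
    "web-01":  {"criticality": 3, "internet_facing": True,  "owner": "web-team"},
    "dev-01":  {"criticality": 1, "internet_facing": False, "owner": "dev-team"},
    "file-01": {"criticality": 2, "internet_facing": False, "owner": "infra-team"},
}

FINDINGS = [  # scan output reduced to what the matrix needs
    {"asset": "web-01",  "vuln": "VULN-PLACEHOLDER-1", "cvss": 9.8},
    {"asset": "dev-01",  "vuln": "VULN-PLACEHOLDER-1", "cvss": 9.8},
    {"asset": "file-01", "vuln": "VULN-PLACEHOLDER-2", "cvss": 6.5},
    {"asset": "web-01",  "vuln": "VULN-PLACEHOLDER-3", "cvss": 4.3},
]

# Risk level by score floor (likelihood 1-3 x impact 1-3 gives 1-9). Constructed matrix.
LEVELS = [(7, "critical"), (5, "high"), (3, "medium"), (0, "low")]


def likelihood(cvss: float, internet_facing: bool) -> int:
    """1-3 from CVSS, bumped by one (capped at 3) when the asset is reachable from the internet."""
    base = 3 if cvss >= 9.0 else 2 if cvss >= 7.0 else 1
    return min(3, base + (1 if internet_facing else 0))


def risk(finding, asset):
    """(score, level): likelihood x asset criticality mapped through LEVELS."""
    score = likelihood(finding["cvss"], asset["internet_facing"]) * asset["criticality"]
    level = next(name for floor, name in LEVELS if score >= floor)
    return score, level


def prioritize(findings, assets):
    """Every finding annotated with score, level and owner, highest risk first."""
    rows = []
    for f in findings:
        a = assets[f["asset"]]
        score, level = risk(f, a)
        rows.append({**f, "score": score, "level": level, "owner": a["owner"]})
    return sorted(rows, key=lambda r: (-r["score"], r["asset"], r["vuln"]))


def notifications(rows, minimum="high"):
    """Findings at or above `minimum`, grouped by owning team: one ticket per team."""
    order = [name for _, name in LEVELS]  # critical, high, medium, low
    cutoff = order.index(minimum)
    out = {}
    for r in rows:
        if order.index(r["level"]) <= cutoff:
            out.setdefault(r["owner"], []).append(f'{r["asset"]}: {r["vuln"]} ({r["level"]})')
    return out


if __name__ == "__main__":
    rows = prioritize(FINDINGS, ASSETS)
    for r in rows:
        print(f'{r["score"]} {r["level"]:<8} {r["asset"]:<8} {r["vuln"]}  -> {r["owner"]}')
    print(notifications(rows))
```

VULN-PLACEHOLDER-1 appears twice with the same CVSS and ends up critical on web-01 but only medium on dev-01; that difference is exactly what the asset inventory and criticality list from the earlier sections feed into the matrix.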
The SIEMs currently available are able to assist forensic analysis by detecting, identifying, and collecting evidence more quickly, storing it in a secure tamper-proof location that ensures data integrity, generating reports, and producing a more reliable chain of custody.
It is also worth mentioning that nowadays there are products capable of identifying an attack, reassembling the packets of an entire session, and reconstructing a leaked document.
A SIEM has been used over the years to support and assist in the correction of privacy law issues, but the SIEM itself also needs to comply with privacy requirements. Some of the information collected by the SIEM may contain PII (Personally Identifiable Information), and even though privacy laws have articles that allow log file retention, it is essential that the legal department engages to review what data can and cannot be stored and, in exceptional cases, apply special techniques to obfuscate non-compliant personal information.
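One obfuscation technique that keeps the SIEM useful is keyed pseudonymization: a field such as a username is replaced by an HMAC-derived token, so the same person still correlates across events and rules keep working, while the identity itself is not stored in the event store; free-text messages additionally get card numbers masked, with a Luhn check so that order references and timestamps are left alone. The following is an added example, not code from the article or from any SIEM product; the events, the demo key, the `PII_FIELDS` list and the `pii_` token prefix are constructed, and which fields count as PII is assumed to come from the legal review the paragraph describes.

```python
import hashlib
import hmac
import re

# Constructed sample events and key (not from the article). In production the key
# lives in the password vault, is rotated, and is never stored with the events.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"
PII_FIELDS = ("user", "email")  # assumed output of the legal review

SAMPLE_EVENTS = [
    {"src": "dc-01", "user": "jdoe", "email": "jdoe@example.test", "msg": "logon failure"},
    {"src": "pos-07", "user": "jdoe", "email": "jdoe@example.test",
     "msg": "card 4111111111111111 declined, ref 1234567890123456"},
]

PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def _luhn_ok(digits: str) -> bool:
    """Luhn check so ordinary numbers (references, timestamps) are not masked as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(text: str) -> str:
    """Replace Luhn-valid 13-19 digit runs with their last four digits only."""
    def repl(m):
        s = m.group(0)
        return "*" * (len(s) - 4) + s[-4:] if _luhn_ok(s) else s
    return PAN_CANDIDATE.sub(repl, text)


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic token: the same value always maps to the same token under
    the same key, so correlation still works without storing the identity."""
    return "pii_" + hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()[:16]


def sanitize(event: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Return a copy of the event with PII fields tokenized and card numbers masked."""
    out = dict(event)
    for f in PII_FIELDS:
        if out.get(f):
            out[f] = pseudonym(out[f], key)
    out["msg"] = mask_pan(out["msg"])
    return out


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(sanitize(ev))
```

Because the token is keyed rather than a plain hash, an attacker who reads the event store cannot rebuild the mapping by hashing a list of known usernames; re-identification for an authorized investigation is done by tokenizing the candidate identity with the vaulted key and searching for the result. Rotating the key breaks correlation across the rotation boundary, which is a retention decision the legal review should take into account.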
By Anderson Sales
São Paulo, Brazil