Prospects of SIEM
Note: The terms used in this article are those of ArcSight SIEM (other SIEM products use different terms, but the concepts remain almost the same).
As we all know, SIEM technology is growing day by day and many organizations have adopted it for monitoring and compliance purposes. SIEM (Security Information and Event Management) is a technology that can collect logs, analyze them, store them, correlate them, and produce meaningful output.
Some of us have illusions about SIEM's effectiveness, and we may have heard that SIEM can detect attacks. Here I want to make a clarification: SIEM does not have the capability to detect attacks as such, but it does have the capability to detect the behavior of attacks.
How does SIEM detect the behavior of an attack, and what can it do when it detects such behavior?
SIEM has a correlation engine that processes events and looks for events of interest. If such events are detected, it generates a new correlation event and performs actions such as notifying users by SMS or email, along with any other actions defined in the rule.
What are events of interest?
For the correlation engine, events of interest are the events for which rules have been created. What is a rule? A rule is nothing but a set of building blocks with conditions which, when met, detect the behavior of an attack or any other security incident, unauthorized access, or compliance and/or operational events. When events of interest are observed, SIEM can notify the users defined in the rule action (by email or SMS), and it has many other capabilities as well: generating a new event, adding data to or removing data from resources (such as Active Lists and Session Lists, which are used to store data), or creating a new case (similar to a ticketing tool, used to track incidents).
Let me explain the whole thing with a simple example, so that we can see how SIEM detects the behavior of attacks at different stages.
If I were to divide an attack into stages, I would divide it into three:
- Reconnaissance (scanning)
- Exploitation (exploiting the discovered vulnerability)
- Communication with the Command and Control (CC) server (data exfiltration)
Here I will explain how SIEM can detect the attack at each of these stages. In the first stage, the attacker aims to gather information about the target network infrastructure (live hosts, open ports, running services, OS, etc.). Let us take an example: the attacker has started reconnaissance with a ping sweep and port scanning. To detect the ping sweep, we create a rule that generates an alert in SIEM when the firewall observes ping requests from the same source to multiple destinations (the number of destinations depends on the organization's definition of a ping sweep). We can also add the source/attacker address and the destination/target addresses to Active Lists (a SIEM resource used to store data), and Active List data can then be referenced in other rules.
For port scanning, we can create a rule that generates an alert when the firewall observes traffic from the same source to the same destination on multiple destination ports. Here we can reference the Active List: a rule adds the destinations that replied to the ping request, so that we detect the attacker port scanning the live hosts that were discovered during the ping sweep.
If the attacker succeeds in identifying the open ports and running services, the attacker will list the vulnerabilities present in them and exploit one of them. The IPS has the capability to detect the exploit. A rule can be created for when the IPS observes an exploit used against a vulnerable destination (here too we can reference an Active List holding the list of vulnerable hosts, or the list of hosts discovered by the attacker during scanning).
Now, if the attacker succeeds in exploiting the vulnerability and is able to execute malicious code or install malware, the infected host will communicate with the CC server. A rule can be created to detect traffic from the infected host to the CC server, or any abnormal traffic from the infected host to an unknown destination or CC server.
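The chaining of rules through Active Lists described in the reconnaissance stage, written out as a toy correlation engine in Python. This is an added illustration, not ArcSight code or the author's: firewall events are constructed dicts, the Active Lists are plain sets, and the sweep and scan thresholds are assumed values an organization would set itself.

```python
from collections import defaultdict

PING_SWEEP_THRESHOLD = 3  # assumed org definition: distinct destinations pinged by one source
PORT_SCAN_THRESHOLD = 5   # assumed: distinct destination ports on one src/dst pair


def ev(src, dst, proto, dport=None, reply=False):
    """Build one constructed firewall event (a stand-in for a normalized SIEM event)."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "reply": reply}


# Constructed sample events: one attacker sweeps three hosts (two reply), then scans
# one live host and one dead host; a benign admin pings and probes a single host.
EVENTS = (
    [ev("10.0.0.5", f"192.168.1.{i}", "icmp", reply=(i != 12)) for i in (10, 11, 12)]
    + [ev("10.0.0.5", "192.168.1.10", "tcp", p) for p in (22, 80, 443, 445, 3389)]
    + [ev("10.0.0.5", "192.168.1.12", "tcp", p) for p in (22, 80, 443, 445, 3389)]
    + [ev("10.0.0.9", "192.168.1.10", "icmp", reply=True)]
    + [ev("10.0.0.9", "192.168.1.10", "tcp", p) for p in (22, 80, 443, 445, 3389)]
)


def detect_ping_sweep(events, threshold=PING_SWEEP_THRESHOLD):
    """Rule 1: same source pings many destinations. Returns the two Active Lists the
    rule action would populate: attacker sources and the targets that replied (live hosts)."""
    targets, replied = defaultdict(set), defaultdict(set)
    for e in events:
        if e["proto"] != "icmp":
            continue
        targets[e["src"]].add(e["dst"])
        if e["reply"]:
            replied[e["src"]].add(e["dst"])
    attackers, live_hosts = set(), set()
    for src, dsts in targets.items():
        if len(dsts) >= threshold:
            attackers.add(src)
            live_hosts |= replied[src]
    return attackers, live_hosts


def detect_port_scan(events, attackers, live_hosts, threshold=PORT_SCAN_THRESHOLD):
    """Rule 2: only fires for sources in the attacker list hitting hosts in the live-host
    list on many ports, which is how the second rule references the first rule's lists."""
    ports = defaultdict(set)
    for e in events:
        if e["proto"] == "tcp" and e["src"] in attackers and e["dst"] in live_hosts:
            ports[(e["src"], e["dst"])].add(e["dport"])
    return {pair for pair, seen in ports.items() if len(seen) >= threshold}


def run_correlation(events):
    """Run both rules in order and return the alerts plus the Active List contents."""
    attackers, live_hosts = detect_ping_sweep(events)
    scans = detect_port_scan(events, attackers, live_hosts)
    return {"attackers": attackers, "live_hosts": live_hosts, "port_scans": scans}
```

Note that the probes from 10.0.0.9 produce no alert because that source never entered the attacker list, and the scan of the dead host 192.168.1.12 is ignored because it never entered the live-host list.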
The above example is only an overview of how SIEM can detect attacks at different stages. We can also create more specific rules to monitor abnormal activity, internal and external threats, compliance-related events, device audit events, and many others.
SIEM is not limited to this. It can collect data from vulnerability assessment tools, import it into the asset data, and prioritize events to and from those assets accordingly. It can be integrated with a third-party ticketing tool, sending event data to it so that incidents can be tracked there. It can also be integrated with pattern discovery, which builds patterns of the events/traffic received from different assets on a minute, hourly, daily, or weekly basis and compares them with the normal pattern to detect any abnormal pattern. Pattern discovery helps detect slow attacks, smart attacks, and zero-day attacks.
Vijay Lalwani – Security Analyst at Paladion Network