SIEM Plus Correlation = Security?

Introduction

Whether you are working from the SANS 20 Security Best Practices approach, or working with an auditor for SOX compliance or a QSA for PCI compliance, you will be implementing a logging solution.

Retaining an audit trail of key security events is the only way to understand what ‘normal’ operation looks like. Why is this important? Because it is only once you have this clear that you can begin to identify abnormal and unusual activity which could be evidence of a security breach. Better still, once you have that picture of how things should be when everything is normal and secure, an intelligent log analysis system, aka SIM or SIEM, can automatically assess events, event volumes and patterns to determine on your behalf whether there is potentially something fishy going on.

Security Threat or Potential Security Event? Only with Event Correlation!

The promise of SIEM systems is that once you have installed one of these systems, you can get on with your day job and, if any security incident occurs, it will let you know about it and what you need to do in order to address it.

The latest ‘must have’ feature set is correlation, but this has to be one of the most over-used and abused technology terms ever!

The concept is simple: isolated events which are potential security incidents (for example, an ‘IPS Intrusion Detected’ event) are notable but not as significant as seeing a sequence of events, all correlated by the same session, for example an IPS Alert, followed by a Failed Logon, followed by a Successful Admin Logon.

In reality, these advanced, true correlation rules are rarely that effective. Unless you are in a very active security bridge scenario, with an enterprise comprising thousands of devices, standard single event/single alert operation should work well enough for you.

For example, in the scenario above, it should be the case that you DON’T have many intrusion alerts from your IPS (if you do, you really need to look at your firewalling and IPS defenses, as they are not providing enough protection). Likewise, if you are getting any failed logins from remote users to critical devices, you should put your time and effort into a better network design and firewall configuration instead of experimenting with ‘clever, clever’ correlation rules. It is the KISS* principle applied to security event management.

As such, when you do get one of the critical alerts from the IPS, this should be enough to initiate an emergency investigation, rather than waiting until you see whether the intruder succeeds at brute forcing a logon to one of your hosts (by which time it is too late to head it off anyway!)
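To make the contrast concrete, here is an added example (not code from the original article): a small Python rule engine run over constructed log lines, with a stateless single-event rule beside the stateful per-session chain rule described above. The log field names, session ids and the sample lines are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log lines (not from the article); one event per line.
SAMPLE_LOG = """\
10:00:01 session=sess-A event=IPS_INTRUSION_DETECTED src=198.51.100.7
10:00:05 session=sess-B event=FAILED_LOGON user=admin
10:00:09 session=sess-A event=FAILED_LOGON user=root
10:00:12 session=sess-B event=SUCCESSFUL_ADMIN_LOGON user=admin
10:00:20 session=sess-A event=SUCCESSFUL_ADMIN_LOGON user=root
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) session=(?P<session>\S+) event=(?P<event>\S+)")

# The three-step chain the article describes, correlated by session.
CHAIN = ["IPS_INTRUSION_DETECTED", "FAILED_LOGON", "SUCCESSFUL_ADMIN_LOGON"]
# Single-event rule: an IPS alert is critical on its own.
CRITICAL = {"IPS_INTRUSION_DETECTED"}


def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, session, event) tuples; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m["ts"], m["session"], m["event"]))
    return out


def single_event_alerts(events):
    """Stateless rule: alert as soon as a critical event appears."""
    return [(ts, sess, ev) for ts, sess, ev in events if ev in CRITICAL]


def correlated_alerts(events, chain=CHAIN):
    """Stateful rule: alert only once one session has walked the full chain in order.
    Events that do not match the session's next expected step are ignored."""
    progress: Dict[str, int] = {}
    alerts = []
    for ts, sess, ev in events:
        step = progress.get(sess, 0)
        if ev == chain[step]:
            step += 1
            if step == len(chain):
                alerts.append((ts, sess))
                step = 0
        progress[sess] = step
    return alerts
```

On the sample lines the single-event rule fires at 10:00:01, while the chain rule stays silent until 10:00:20, after the admin logon has already succeeded; sess-B's failed-then-successful admin logon never matches the chain at all, which is the case the article says should be addressed by network design rather than by cleverer rules.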

Correlation rules perfected – but the system has already been hacked…

In fact, consider this last point further, as it is where security best practices deviate sharply from the SIEM Product Manager’s pitch. Everyone knows that prevention is better than cure, so why is there so much hype surrounding the need for correlated SIEM events? Surely the focus should be on protecting our Information Assets rather than implementing an expensive and complex appliance which may or may not sound an alarm when systems are under attack?

Security Best Practices will tell you that you must implement – fully – the basics. The most effective and most accessible security best practice is to harden systems, then operate a robust change management process.

By eliminating known vulnerabilities from your systems (primarily configuration-based vulnerabilities but, of course, software-related security weaknesses too, via patching) you provide a fundamentally well-protected system. Layer up other defense measures too, such as anti-virus (flawed as a complete defense system, but still useful against the mainstream malware threat), firewalling with IPS, and of course all underpinned by real-time file integrity monitoring and logging, so that if any infiltration does occur, you will get to know about it immediately.

Conclusion

Modern SIEM solutions offer much promise as THE intelligent security defense system. However, experience and the evidence of ever-increasing numbers of successful security breaches tell us that there is never going to be a ‘silver bullet’ for protecting our IT infrastructure. Tools and automation can help, of course, but genuine security for systems only comes from operating security best practices with the necessary awareness and discipline to expect the unexpected.

*KISS – Keep It Super Simple
