Recognizing the benefit of SIEM technology, and making the decision to implement a SIEM system, are important initial steps for an enterprise that takes security and threat management seriously. SIEM systems can be invaluable for anomaly detection, but the challenge lies in how best to approach SIEM, and how to ensure the implementation supports the best possible coverage, insight and response.
It should be clear that a SIEM's maximum benefit is derived by including as comprehensive a set of security information feeds as possible.
As the security "nerve center" of an organization, a security information and event management (SIEM) implementation, when done well, gives an enterprise a holistic view of the security events that originate from a whole multitude of devices, applications and activities across the enterprise. The advantage of such a view is that correlation of events can be conducted and patterns can be identified in ways not possible without such a consolidation of security information.
By having a unified view of security-related activity on network devices, firewalls, servers, desktops and even applications such as antivirus or transactional systems, a vigorous SIEM integration effort provides security operations teams with a much richer and more accurate knowledge base from which to observe, interpret and react to possible threats to the organization.
The architecture of a SIEM system typically consists of a central processing engine, which is fed by agents or collectors that are distributed throughout the managed environment. A database or storage repository generally holds events, and a console for managing and visualizing event activity is presented. A wide range of SIEM implementations and products is available, but these general characteristics are commonly found in most products.
It should be clear that a SIEM's maximum benefit is derived by including as comprehensive a set of security information feeds as possible. Candidates for inclusion should range broadly from infrastructure devices, to application systems, as well as environmental feeds.
At an infrastructure level, SIEM agents can be placed on servers or desktops, firewalls or IDS/IPS devices to propagate security events from these sources to the SIEM database and processing engine. In some instances syslog events are incorporated by the SIEM, and this is one of the most direct and easy ways of integrating system information.
At an application level, integration options depend on how accessible and map-able application originating events are. With many enterprise applications, especially those custom built in-house, it can be quite tricky to obtain a feed of security-related events that could be integrated into a SIEM for monitoring, analysis or response. More customized activity may be required to include security-related activities from a transactional system or business-specific application than from, for example, antivirus software deployed on a workstation or server. The latter type of software can be helpful in providing an evolving view of how (and where) virus detection is proceeding across an organization. In many instances, antivirus software does ship with its own console and management system that in and of itself provides sufficient reporting, but incorporating antivirus events into the SIEM can add a valuable dimension to the "view" of organizational security, especially when correlated and analyzed with other types of events.
From an environmental perspective, a SIEM can be enriched by having other types of information made available to it. In a process-control environment, this could include temperature, pressure or valve status information. In a building or facilities management scenario, this could include door access events or other traps relating to activities occurring in the environment (position of elevators, air conditioners or fire systems). One of the big areas of development for SIEM is that of cyber-physical systems, and the type of environmental feeds indicated can bridge the IT infrastructure world of an organization with its production systems as well.
From the editor: More on SIEM and threat detection
With the integration options indicated, it is important for an enterprise to first consider which feeds will be prioritized. Most organizations should consider starting with the "pillars" of the IT infrastructure, and also the most mission-critical servers and systems. This would include primary servers, key networking and communications devices (firewalls, routers and the like), key security defenses (intrusion prevention systems) and then looking further to desktops and their applications. Prioritization should be, in a sense, threat driven: the areas where an attack could cause greatest damage should be identified first.
An effective approach can be to identify phases whereby an initial round of integration is implemented (especially where off-the-shelf connectors can be used, as opposed to custom-built connectivity for in-house applications, for example). If there are already connecter elements in the SIEM software (as a mechanism to import events from a particular system), then those feeds would also be easier than complex event formats that may require customisation of the connecters. This is followed by another phase of integration where connectivity and event-format mapping may require more customization and time.
Once the feeds are incorporated and the best possible coverage has been achieved, security operations teams must spend time understanding the event patterns and getting a "feel" for normal activity vs. unusual activity. The beauty of using a SIEM system is that different views and visualizations are generally provided, and combinations of event streams can be overlaid to offer further insight into activity patterns that may seem suspicious. In this way SIEM operators can "zoom in" and get detailed insight into the managed environment.
Naturally, initial analysis will quickly dictate the need for tuning, which often includes the narrowing or broadening of focus. Voluminous event feeds such as antivirus may actually be to filtered out if they are not providing useful information. Pre-processing at nodes and/or servers is done in SIEMs so only some or certain most relevant event types are propagated. A related approach some may consider is integrating the antivirus management system as a consolidated feed into the SIEM. For example, using SNMP messages from the antivirus management system itself, incorporating aggregated and/or interpreted information, may be easier than drawing in raw antivirus system data. This sort of tactic can help to reduce some of the volume that can overwhelm a SIEM (and make it difficult to "find" the relevant activity that is crucial in any anomaly detection effort). The danger of filtering out too much too soon is that it can dilute the insight and effectiveness that can be achieved.
The final question relating to using SIEM for anomaly detection is how to ensure appropriate and necessary response. The intent of the SIEM is that security operations teams can become more proactive and equipped to detect and respond to security threats. Once the SIEM has been implemented and "tuned" to the environment, response and intervention plans should be tested and assessed so that, if necessary, technical or personnel originating actions can be performed quickly and exactly to mitigate a perceived threat. In the best case, early warning and detection of attacks should be possible, but after-the-fact review and analysis can also be highly valuable to understand what may have happened and to implement rules or pattern profiles to ensure such activities (or combinations thereof) do not become a threat to an organization again.
More powerful techniques of anomaly detection and big data-type processing hold the promise of ever more effective SIEM deployments in the future. But by following the SIEM coverage, integration and response recommendations outlined here, organizations become poised to benefit from these new and helpful analysis techniques as they are embraced by SIEM software and service providers.
About the author:
Andrew Hutchison is an information security specialist with T-Systems International in South Africa. An information security practitioner with 20 years of technical and business experience, his technical security work has included secure system development, security protocol design and analysis, and intrusion detection and network security solutions. He has held executive responsibility for information security in a large enterprise, establishing its chief security officer role and initiating an ISO27001 security certification program. As business sponsor for large SIEM rollouts, he has experience in deploying and operating SIEM systems in a managed service provider environment. He is an adjunct professor of computer science at the University of Cape Town in South Africa.
This was first published in September 2012