Ensuring the ongoing integrity of an enterprise information technology environment is a formidable task, and one that requires every advantage a delivery management team can harness. Security information and event management, or SIEM, can create a significant advantage in providing enterprises with a comprehensive, coordinated view of the security status of their environment. The challenge in security is always to remain one step ahead of those who may try to compromise the integrity in some way. Implemented properly, SIEM technology can be a powerful technique for obtaining advantage over individuals or technologies with malicious intent.
The opportunity of SIEM is to establish a centralized, coordinated view of security-related information and events. The underlying principle is that such inputs are produced in multiple locations, but without seeing “the big picture,” it may not be obvious that trends or patterns are occurring. By establishing a collector network, the security-related events from end-user devices, servers, network equipment -- and even specialized security equipment like firewalls, antivirus or intrusion prevention systems -- can be gathered and inspected.
In this article, we examine how a SIEM system works and what types of events can be integrated, including new data sources such as fraud detection systems and network access control technologies that haven’t always been in scope for a SIEM deployment. We also look at the process for detecting actual security threats or incidents and steps organizations can take to develop a SIEM capability.
As indicated, the opportunity of SIEM is that information from diverse sources and systems can be collected. Often the volumes are very high and the SIEM system needs to ensure it is capable of handling the events without becoming overwhelmed. SIEM systems are typically constructed in a hierarchical manner so collection can be done at multiple levels. Some sort of agent is often deployed in multiple locations, communicating back to a central SIEM management node at which detailed analysis takes place.
In some systems, pre-processing may happen at edge collectors, with only certain events being passed through to a centralized management node. In this way, the volume of information being communicated and stored can be reduced. The danger, of course, is that relevant events may be filtered out too soon, so a balance is required and this is the challenge of SIEM designers and implementers. At the central node, analysis techniques are applied to interrogate, aggregate and correlate the incoming information. The better the analysis techniques, the more value can be derived from the SIEM environment.
FEEDING THE SIEM
Depending on the level at which security-related information and events are collected, a SIEM can be quite versatile. Traditionally, it is the infrastructure-related events that are collected by SIEM systems. The operating systems running on end-user devices and servers can forward information like logins (successful or not, user information, administrator logins, Kerberos events etc.), antivirus system alerts (successful/unsuccessful updates, repairs, infection details, etc.), and communication subsystem information (port connection attempts, blocked connections, IP address information, etc). Additional information from network devices such as routers, firewalls, and intrusion prevention systems can also be forwarded to a SIEM to provide information relating to these aspects of the infrastructure, too.
To be able to identify anomalous events, it’s important the SIEM can also build a profile of the system under normal event conditions. For this reason, items such as successful system logins are also typically recorded to establish a norm against which abnormal logins can be detected. Rich events relating to access of the network can also be integrated in environments where network access control (NAC) is enabled. It may be possible to pick up patterns of denied access, or to detect patterns of network access by virtue of the NAC mechanisms of checking credentials, device addresses etc. to prevent unauthorized devices from connecting to an enterprise LAN.
Sometimes it is also useful to have knowledge of other system information, such as processor or memory utilization to determine whether there is an unexpected change in the status of a system. For this reason, it is useful to have other contextual information available for the SIEM management team. While we are suggesting that SIEM has a special focus and separateness, it’s often this kind of system information that exhibits the effect of an incident. So SIEM should also be viewed as part of an overall, comprehensive systems management approach.
When talking about the business impact of security incidents and where the real damage occurs, corporations often say the transactional level is the most dangerous. Fraudulent transactions can result in direct costs for organizations, and this can come at a very high price. An opportunity for SIEM systems is to collect information that is above the infrastructure level and which derives from application and business systems. Being able to intercept a transaction where an approver is the same person as the requestor, or where other separation-of-duty requirements are compromised, could be of high relevance to an organisation. The difficulty with application generated events is they tend to be non-standard, whereas a whole population of operating system devices generate events of similar format and semantics [meaning]. Although application events may require some work to integrate and interpret, this is effort well spent in terms of taking the SIEM from the engine room to a system that also incorporates business process information.
As a final word on the type of events a SIEM should aim to incorporate, it’s also necessary to interpret system or application events in the context of external events. Unusual behavior patterns may be detected by security staff, based on SIEM alerts, but these could relate to system modifications in change control windows (with, for example, more privileged logins than usual), the time of day or seasonal variations such as increased trading volumes from a Black Friday or pre-Christmas rush.
DETECTING THREATS WITH SIEM SYSTEMS
From the multitude of security information presented, SIEM systems have to make sense of the feeds received and determine whether alarms need to be raised, operators need to intervene or if warnings should be provided. The task is a bit like finding a needle in a haystack. Overall though, the accuracy aspect of a SIEM should be to reduce false positives, whereby patterns that don’t relate to an attack or malicious behavior are reported as such.
At the most basic level, static rules can be configured in SIEM systems and, based on logical expression evaluations, these will either be activated or not. A similar approach is to configure thresholds, whereby identification of certain numbers of events (or some combination of event types) will result in a flagging of this occurrence.
Much of the focus of future SIEM work is on moving from static detection techniques to dynamic ones that are capable of identifying behaviors not seen before. The latter type of system uses techniques such as anomaly detection based on artificial intelligence. Through employing techniques of finding anomalous points or anomalous series, depending on the types of data, statistical or time series analysis can be performed to find deviations from a norm. Experimental systems based on such techniques are showing promise, and such learning type systems will increasingly be incorporated in commercial systems too.
In addition to techniques that can detect anomalies and outliers, security vendors, managed service providers, researchers, and universities are working to enhance prediction of attack situations. Through various attack modelling techniques, systems can compare incoming events with certain patterns and determine whether an attack pattern is being observed. This is particularly powerful, specifically for dealing with zero-day type attacks. Responses to incidents can be characterized as reactive or proactive, but identifying attacks in advance can be challenging. Where attack patterns have been seen before these can be incorporated into rule-bases or correlation engines. In this way, rules can be changed to add or adapt a static/threshold response. Post-event analysis can help to prevent future occurrences.
As a final word on detection, it is important to recognize that the SIEM system needs to form part of an overall security process. It is arguably just as important to have appropriate interfaces, channels, alerts and inspection capabilities available to SIEM operators, as it is to have the relevant security source information and events collected by the SIEM.
DEVELOPING A SIEM CAPABILITY
In terms of establishing a SIEM capability, an organization may either do this directly through its IT function or retain a service provider to perform this service along with other systems or security services. Various products are available from major vendors and there also are open source options such as Alien Vault.
A project to establish SIEM functionality requires the incorporation of many heterogeneous devices. In some cases, SNMP information feeds may exist, in other cases syslog information is derived and fed to the analysis engine. Overall, though, a careful mapping of events, incorporating all operating systems and devices needs to take place. This should be done with a dedicated, external team. In one large SIEM deployment studied, there were significant delays because the same team running day-to-day security also tried to build the SIEM capability.
When collecting and scrutinizing events via a SIEM deployment, other problems in the IT environment may surface. For example, inconsistent configuration can lead to one device generating huge volumes of event information, in contrast to other devices emitting very little (or no) information. This can lead to an anomaly based system flagging this difference immediately. To counter this, servers and domain controllers can be configured for how “verbose” they are with their logging information. The establishment of a SIEM environment has the additional benefit of creating a real bottom-up view of an environment, and for giving security operation center teams a feel for the norms that should be seen. Documentation and mapping of security events are other useful by-products of a SIEM deployment.
LOOKING AHEAD: FUTURE OF SIEM
The future of SIEM systems is promising, especially with additional detection techniques being developed and incorporated into SIEM analysis engines.
The evolution to an “Internet of things” means many more devices will be IP enabled, and it will become increasingly difficult to manage and ensure the operation of all these components without SIEM techniques. Trends with cyber-physical systems make the stakes even higher, in that connected vehicles, energy grids, health systems, or manufacturing environments create the potential for life-threatening impact of security attacks. For this reason, another avenue of exploration for SIEM systems is to make them more tightly coupled with the architectures of the environments they are supporting. For example, various smart grid and smart car architectures make use of a systems bus for intercommunication and connection of supporting modules. Building SIEM-type capabilities into these environments directly could be a promising (and reassuring) approach to complement the technology advances in these environments with strong supporting security monitoring modules. As systems evolve, and attack scenarios are considered, misuse cases can be developed. We also need to understand misuse cases better to assist designers of future SIEM-supporting technologies to make analysis approaches as effective as possible.
Other emerging trends include experimentation with cloud-based delivery of SIEM services. While there is debate on the security of cloud services in general, SIEM-based cloud systems may still have some concerns to alleviate before becoming widely accepted.
The security of the SIEM system itself is something that also needs to be considered. An attacker may have reason for wanting to modify or block messages within the SIEM. The integrity of the SIEM system itself is critical: If the security monitoring system can be undermined, then system management can be compromised. Researchers are trying to develop resilient collector agents (with smart routing) that could prevent parts of an SIEM from becoming partitioned.
Overall, SIEM is a technology and approach that can provide powerful insights, through separating and focusing on security information and events. Organizations should work towards developing a SIEM service that is distinct from the normal management and monitoring activities that track availability, performance, capacity, etc. within an IT environment. In combination with a security operations center type approach, the SIEM will help an organization consider patterns that may suggest or reflect a security incident. Advances in analysis and correlation techniques provided in SIEM tools will assist operational staff to interpret the large volumes of information even better, and SIEM will increasingly play an important role in helping retain the advantage of safe, secure systems of integrity -- despite those who may try to undermine the intended operation in some way.
About the author:
Andrew Hutchison is an information security practitioner with a combination of technical and business experience obtained over the last 20 years. He has experience in the deployment and operation of SIEM systems in a managed service provider environment. He currently participates in several international security projects aimed at improving security attack detection through advanced techniques. Send comments on this article to firstname.lastname@example.org.