SIEM 101 – Best Practices for Implementation

Security information and event management (SIEM) is about collecting, detecting, and responding. That is, collecting data into a single pane of glass to provide a complete picture of what’s happening in your network, identify threats, and track responses. Ideally, when well-tuned, this single pane of glass “finds the needles in the haystack.”

The two key goals of any SIEM

Any SIEM should start with these two key goals:

1. 99.9% correlation effectiveness A reduction of events (noise) to alerts (potential threats) of 100,000 to one.
2. Actionable events Each correlated event from a SIEM should be enriched with enough context (for example, threat intelligence lists, identity data, network modeling, vulnerability data, blacklists and whitelists) to be actionable without hours of research in other tools.

What are you protecting? 

The next critical element is understanding what you’re protecting, how to get visibility, and what controls can mitigate or block an attack. About 20 years ago, I started with a CAVE model, just to make it easier to remember.

• Controls What tools do you have that can block or mitigate an attack?
• Assets What are you protecting?
• Visibility What logs/telemetry data are available?
• Enrichment What complementary data can you use to find the needles in the haystack?

It’s all about the data. Which asset (application, system, database…) has the data that matters most to the business? That’s the first log you’ll want. If that asset is not logging access and usage, then turn logging on and collect that data! 

Logging

So, what do you log?

• Moves, Adds, Changes, Deletes and Authentication (MACDA)

You need to answer the question:

• “Who accessed what, when, from where, and what did they do with it?”

You need to enable logging and parse key fields in any given log into indexed labels. Searching by regular expression matches against text in database terms is a full table scan that can take hours, and the volume and velocity of events does not support doing this.

Each device type has critical fields, and it’s a best practice to parse as many fields as possible. That's why we like Google Chronicle's Unified Data Model (UDM) and use it for Resolution Intelligence Cloud.

Key fields include:

Checking the parsing and normalization of logs into indexes that have high-speed search is a critical part of SIEM onboarding and validation.

Threat intelligence

“For every log, there is a complementary log.” 

Any single log is full of both useless and critical events. Noise reduction to .001% output requires both good correlation rules and threat data sets.

Consider the key field in each source, and a complementary log that includes whitelists of safe sources and blacklists of known bad actors. These data sets include IP addresses for firewall logs, URLs for proxy logs, vulnerability data for IDS events, identity access management (IAM) data for application events. Context and known safe and evil are critical to noise reduction and threat detection.

Correlations

Every decent SIEM tool has a correlation rules engine capable of first-level noise reduction. Three simple patterns apply:

1. Everything counts in large amounts Repeat attacks (for example, drops, denies, attempts).
2. Success after fail After a lot of trying, they finally got in.
3. Three strikes, you’re out! Actually, two. If you see any two different repeat attacks, investigate.

For more details, read “Want to Optimize Threat Detection & Response? 5 Patterns versus 500 Rules” or the SANS papers linked below for the core 20 rules you should be running on every SIEM.

Reporting

Any SIEM can provide data to support compliance and audit requirements, but don’t get bogged down in a million reports. Pick a common compliance framework and map one report to the required compliance outputs. Unified Compliance Framework is an early leader that maps standard reports to PCI, NIST, FISMA, GDPR, and more.

On page 2 of the 2016 CIS poster, you can find mapping controls to the compliance framework.

In all too many implementations, organizations only use SIEM for threat detection and compliance reporting. However, when used well, a SIEM can provide oversight for the security tools feeding the data. A bit of log analysis around “volume and variety” each month becomes a continuous feedback loop. For example, “Top 10” reports on what was detected, what was blocked, and what was allowed can help teams decide what to do to prevent future incursions and continually improve the system.

But wait, is Resolution Intelligence Cloud a SIEM?

Resolution Intelligence Cloud™ from Netenrich is a data analytics platform that offers a new way to manage security and digital ops. So, while not a traditional SIEM, it covers substantial SIEM functionality, and Google Chronicle is built in.

In fact, not only does the platform play well with other security and ops tools thanks to its open architecture, but it also offers service-provider scale and speed. With Resolution Intelligence Cloud, you can achieve all the goals I outlined above and more. Unlike most SIEMs, the platform easily handles data at speed and scale while significantly reducing and prioritizing alerts so teams know where to focus their time and efforts.

Learn more from these references

• Critical Security Controls
• MITRE Strategies for a World-Class SOC
• Event Parsing UDM the Gold Standard
• MITRE Top 15 Techniques Used in 90% of Attacks
• Unified Compliance Reporting
• MITRE ATT&CK Categorizing Events

My SIEM reference papers

If you want to read more or dig into details, here are a few papers in the SANS reading room to help.

A Process for Continuous Security Improvement Using Log Analysis

This paper details a repeatable process for continuously improving security and provides an outline of log analysis with case studies and sample output based on actual data. The process is broadly applicable and does not require a SIEM or centralized log management (LM) system, though both do make the process easier.

Successful SIEM and Log Management Strategies for Audit and Compliance

Organizations often spend a great deal of money on LM and SIEM, with disappointing results. Many organizations struggle with “use cases,” and most SIEM vendors fail to provide effective out-of-the-box correlations. What’s more, many also fail in their vision and process, considering SIEM just another tool to be dropped onto the network.

A Compliance Primer for IT Professionals

Regulations abound, and the acronyms are endless. After suffering seemingly endless confusion, I set about in this paper to document the basics of each of the major compliance regulations, to whom they apply, a list of audit frameworks, key IT requirements, and links to best practices and relevant sites. I provided summary tables up front to condense the bulk of the information. 

A Practical Application for SIM/SEM/SIEM Automating Threat Identification

This paper documents key events and correlations for identifying threats in security logs and a process for application in SIEM.