When I first came into contact with a SIEM, namely the SOC product from Computer Associates around 2004, my colleagues and I said "Wow, that's the way to go!". With log file collection, correlation and the way it was visualized, it would definitely help customers to analyze their data better and faster and to detect attacks. Anyway, at that time we had fewer log sources, no BYOD and so on.
But I had my concerns that if too many log files were collected by the system, it would become a huge installation and lose its capabilities. At that time, however, we did not have so many log sources, and the first proofs of concept were quite promising.
Eight years later (2012) I was sitting at a multinational logistics company in Germany and tried to analyze events which were coming from many, many sources. I had to analyze 2 million events which were already normalized, correlated, compared with use cases and filtered to my view. Analyzing 2 million events per hour is too much for a human brain, and the chance that attacks or user misbehavior are overlooked is pretty high. I quit after a short while, because on top of that the outsourced IT could not answer my questions regarding e.g. IP addresses and their locations, users etc. in a timely manner. A week to get a response was simply too long and made this kind of attack defense a joke.
Let me blame the sales and marketing guys first. They were selling SIEMs as the holy grail of security, promising that manpower can be reduced and that, when attacks happen, you basically see the ID, e-mail and mobile number of the attacker on the screen and are able to react in no time with excellent results.
Next, let's blame the server and storage manufacturers (aka the giants). As the SIEM software companies were standalone and not part of an IT giant, hardware and storage was bought from these giants.
The giants recognized that and bought these SIEM companies, as they saw the potential to sell more and more computing power and storage to the same customer again and again. At the same time they could sell "professional" services to them as well. Basically a never-ending source of income and profit for the giants.
If the "professional" service were really professional and honest, it would have told the customer that monitoring each and every log file makes no sense for reliable results. But profit is more interesting than a happy customer. To hopefully get the mess under control, many customers are still expanding their SIEM infrastructure frequently, buying expensive consulting and hoping for the best.
Another aspect is that the needed use cases are not so easy to create and need specific expert knowledge which only a few engineers have. They also have to be constantly modified and updated to catch new attack vectors and strategies. As a consequence, the SIEM does not deliver what was promised.
As a result, the IT security departments run a multimillion-euro SIEM infrastructure which delivers too much information (instead of alarms) that only an expensive team of experts can decipher, and on top of that companies cannot get enough of the right experts.
Hunting attackers by analyzing events with a SIEM is similar to being thirsty and trying to drink from a fire engine hose under full pressure.
Now let's blame the head of the security department. Who the hell has told him that all log files have to be collected and processed by the SIEM? Ah, the sales and presales guys (to sell more hardware and storage, simply upselling). OK, Mr. Head of Security, you've been badly tricked, sorry for the blame. Let's look at your log files:
Let's make it short: identify those log sources that are noisy and/or produce many false positives and actually do not help to find an attacker, and don't feed them into the SIEM. The measure is not raw volume but yield: how many of a source's events ever contribute to a use case an analyst acts on. Feed only log sources that are meaningful and not noisy, e.g. the IOC violations the firewall has detected (not every permit and deny it logs), the security log of your AD domain, the AV logs and so on.
What to do with these log sources? I have to be compliant, rules and regulations apply and I have audits. Sure you have, and I did not say "do not collect" the data from these sources. Because of audits and forensic investigations you should collect them, BUT DO NOT PROCESS THEM IN THE SIEM!! Store the data on a syslog server with decent storage, back up the data before the retention period overwrites what has already been collected, and store the backup media in your external vault.
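How the yield measurement and the routing decision described above can be done in practice, as an added example in Python that is not part of the original post: it counts, per source, how many events hit a use case, derives a forwarding policy from that yield, and sends every event to the archive while only the meaningful ones also reach the SIEM. The source names, thresholds, patterns and all event lines are constructed for this example; the only real identifiers in it are the Windows security event IDs.

```python
"""Log-source triage: measure how much actionable signal each source yields,
then decide per source whether it feeds the SIEM, feeds it only with the
events that hit a use case, or is archived only (the compliance copy).
Source names, patterns and events are constructed for this example."""
import re
from collections import defaultdict

# Per-source use-case patterns: an event matching one is a hit an analyst
# wants to see. The Windows event IDs are real (4625 failed logon, 4728 member
# added to a security-enabled global group); everything else is assumed.
USE_CASES = {
    "fw-edge": [r"\bIOC=\S+"],                 # only threat-feed matches, not every permit/deny
    "ad-dc01": [r"EventID=4625\b", r"EventID=4728\b"],
    "av-console": [r"^Quarantined\b"],
    "proxy": [r"\bCONNECT\b.*\.onion\b"],      # never fires in the sample: pure noise
    "dns": [r"\bNXDOMAIN\b"],
}

def constructed_sample():
    """Constructed, not captured, stream of (source, message) pairs."""
    events = [("fw-edge", f"permit tcp 10.1.2.{i % 20}:5{i:04d} -> 198.51.100.7:443")
              for i in range(48)]
    events += [
        ("fw-edge", "deny tcp 10.1.2.3:51234 -> 203.0.113.9:443 IOC=feed:c2-node"),
        ("fw-edge", "deny udp 10.1.2.8:53211 -> 203.0.113.40:53 IOC=feed:dns-tunnel"),
        ("ad-dc01", "EventID=4624 An account was successfully logged on user=jdoe"),
        ("ad-dc01", "EventID=4624 An account was successfully logged on user=asmith"),
        ("ad-dc01", "EventID=4625 An account failed to log on user=jdoe src=10.1.2.3"),
        ("ad-dc01", "EventID=4728 A member was added to a security-enabled global group "
                    "group=Domain Admins member=jdoe"),
        ("ad-dc01", "EventID=4634 An account was logged off user=asmith"),
        ("av-console", "Quarantined host=ws042 file=invoice.js threat=JS/Downloader"),
        ("av-console", "Quarantined host=ws017 file=setup.exe threat=Trojan.Generic"),
    ]
    events += [("proxy", f"GET http://cdn.example.net/asset{i}.js 200") for i in range(40)]
    events += [("dns", f"query A host{i}.example.net NOERROR") for i in range(30)]
    return events

def is_hit(source, message, use_cases=USE_CASES):
    """True if the event matches one of its source's use-case patterns."""
    return any(re.search(p, message) for p in use_cases.get(source, []))

def measure_noise(events, use_cases=USE_CASES):
    """Volume, hits and hit yield (hits / events) per source."""
    stats = defaultdict(lambda: {"events": 0, "hits": 0})
    for source, message in events:
        stats[source]["events"] += 1
        stats[source]["hits"] += int(is_hit(source, message, use_cases))
    for s in stats.values():
        s["yield"] = s["hits"] / s["events"]
    return dict(stats)

def build_policy(stats, min_yield=0.05):
    """A source whose yield is at least min_yield is forwarded whole; one with
    some hits but a worse yield forwards only the hits; a source with no hits
    at all is archived only. The 5% threshold is an assumption to tune."""
    policy = {}
    for source, s in stats.items():
        if s["yield"] >= min_yield:
            policy[source] = "siem"
        elif s["hits"] > 0:
            policy[source] = "siem_filtered"
        else:
            policy[source] = "archive"
    return policy

def route(source, message, policy, use_cases=USE_CASES):
    """Every event goes to the archive (audits, forensics); the policy only
    decides whether a copy is also sent to the SIEM."""
    destinations = ["archive"]
    mode = policy.get(source, "archive")   # unknown sources default to archive-only
    if mode == "siem" or (mode == "siem_filtered" and is_hit(source, message, use_cases)):
        destinations.append("siem")
    return destinations

def siem_volume(events, policy, use_cases=USE_CASES):
    """Number of events that would reach the SIEM under the policy."""
    return sum("siem" in route(s, m, policy, use_cases) for s, m in events)

EVENTS = constructed_sample()
STATS = measure_noise(EVENTS)
POLICY = build_policy(STATS)

if __name__ == "__main__":
    for source, s in sorted(STATS.items(), key=lambda kv: -kv[1]["events"]):
        print(f"{source:<11} events={s['events']:>3} hits={s['hits']:>2} "
              f"yield={s['yield']:.2f} -> {POLICY[source]}")
    print(f"SIEM receives {siem_volume(EVENTS, POLICY)} of {len(EVENTS)} events")
```

In the constructed sample the firewall ends up as "siem_filtered": its 48 permit lines stay in the archive and only the two IOC hits are forwarded, while proxy and DNS, which never hit a use case, are archived only. The SIEM then receives 9 of 127 events, which is the point of the exercise; in a real deployment the yield should be re-measured periodically, because a source that is noise today may become signal once a new use case exists for it.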
Result: you have a sales guy from the giant with sudden depression, your budget can breathe again, your boss likes you more and the analysts love you, as they now get a much clearer picture of what is going on without all the noise.
Now let's change the monitoring strategy. Most companies look at their outer perimeter and expect that an attacker (a hacker with extensive experience, I mean the real geek) hacks through all their perimeters.
Gentlemen, the war has changed! Attackers are "self-employed" individuals who make the same cost and benefit analysis as you do. They also go for the low-hanging fruit first, and that is social engineering and reconnaissance of targets and victims (see my article "how I overtake your company" in this blog). And guess what, they work like good project managers and build a project plan: how to do it and which tools to use to be successful.
This also means that your defense strategy is outdated. The attackers are targeting human victims and their endpoints to access data in the company. They want to stay in your organization as long as possible to harvest as much information as possible (espionage), to disrupt your operations (ransomware), or to lay an Easter egg (sleeper malware for later destruction), or many Easter eggs.
So you need something else than a perimeter watched by the SIEM, and this "else" consists of two things: a) an endpoint protection that shows endpoint anomalies on a central console in real time, and b) an APT plus DLP (data leakage prevention) solution with sensors spread all over your internal infrastructure and DMZ. This solution must also provide a real-time console for anomalies in the data flow of your network, capable of interrupting specific traffic on the fly (in or out).
Both solutions use IOCs (indicators of compromise) and other cyber threat feeds from the manufacturers and other sources. By analyzing data in transit with learning algorithms and artificial intelligence, they create a baseline of the communication behavior of the network and the endpoints for anomaly detection. One caveat applies to any such baseline: whatever was already happening during the learning period becomes "normal", so the learning window has to be reviewed before the anomaly console is trusted.
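A minimal version of such baselining, as an added example in Python that is not code from the original post or from any vendor product: it learns, per host, the median and MAD of hourly outbound bytes plus the set of destinations seen during a two-week window, then flags hours whose robust z-score exceeds a threshold or whose destination was never seen before. Hosts, destinations, byte counts, the window length and the threshold are all constructed or assumed for the example.

```python
"""Per-host baselining of outbound traffic with robust statistics, then
flagging hours that deviate from the learned behaviour. A toy illustration
of the baselining idea, not any vendor's algorithm. All flow records are
constructed for this example."""
from collections import defaultdict
from statistics import median

LEARN_HOURS = 14 * 24     # two weeks of hourly records per host (assumed window)
MAD_TO_SIGMA = 1.4826     # scales MAD to a standard deviation for normally distributed data
Z_THRESHOLD = 6.0         # robust z-score above which the volume counts as anomalous (assumed)

def constructed_learning_flows():
    """Hourly (host, destination, bytes_out) records with deterministic jitter."""
    flows = []
    for hour in range(LEARN_HOURS):
        jitter = ((hour * 7) % 11) - 5                 # -5 .. +5, repeats every 11 hours
        flows.append(("ws042", "crm.example.net", 2_000_000 + 40_000 * jitter))
        flows.append(("ws017", "mail.example.net", 500_000 + 10_000 * jitter))
    return flows

def learn_baseline(flows):
    """Per host: median and MAD of hourly bytes, plus the destinations seen."""
    per_host = defaultdict(lambda: {"bytes": [], "dests": set()})
    for host, dest, nbytes in flows:
        per_host[host]["bytes"].append(nbytes)
        per_host[host]["dests"].add(dest)
    baseline = {}
    for host, data in per_host.items():
        med = median(data["bytes"])
        mad = median(abs(b - med) for b in data["bytes"])
        baseline[host] = {"median": med, "mad": mad, "dests": data["dests"]}
    return baseline

def robust_z(nbytes, stats):
    """Median/MAD based z-score; robust against a few outliers in the learning data."""
    spread = MAD_TO_SIGMA * stats["mad"]
    if spread == 0:                                    # constant history: any change is suspect
        return float("inf") if nbytes != stats["median"] else 0.0
    return (nbytes - stats["median"]) / spread

def score_flow(host, dest, nbytes, baseline):
    """Return (severity, reasons) for one hourly record, or None if it fits the baseline.
    Only increases in volume are flagged: exfiltration adds bytes, it does not remove them."""
    stats = baseline.get(host)
    if stats is None:
        return ("low", ["no_baseline"])                # new device: nothing learned yet
    reasons = []
    if robust_z(nbytes, stats) > Z_THRESHOLD:
        reasons.append("volume")
    if dest not in stats["dests"]:
        reasons.append("new_destination")
    if not reasons:
        return None
    return ("high" if "volume" in reasons else "low", reasons)

def detect(flows, baseline):
    """Run every record through score_flow and collect the anomalies."""
    alerts = []
    for host, dest, nbytes in flows:
        verdict = score_flow(host, dest, nbytes, baseline)
        if verdict:
            alerts.append((host, dest, nbytes, *verdict))
    return alerts

def constructed_detection_flows():
    """Next day's records: a normal hour for each host, a new but ordinary-volume
    destination on ws017, and a 900 MB upload from ws042 to an address never seen."""
    return [
        ("ws042", "crm.example.net", 2_160_000),
        ("ws017", "mail.example.net", 480_000),
        ("ws017", "docs.example.org", 300_000),
        ("ws042", "203.0.113.9", 900_000_000),
    ]

BASELINE = learn_baseline(constructed_learning_flows())

if __name__ == "__main__":
    for host, dest, nbytes, severity, reasons in detect(constructed_detection_flows(), BASELINE):
        print(f"{severity:<4} {host} -> {dest} {nbytes:>12} bytes  {', '.join(reasons)}")
```

With the constructed data ws042 learns a median of 2,000,000 bytes per hour and a MAD of 120,000, so its normal hour scores a robust z of about 0.9 and passes, while the 900 MB hour to an unknown address is flagged "high" for both volume and destination. ws017's new SaaS destination at ordinary volume is flagged "low" with only the new-destination reason, which is the kind of event an analyst glances at rather than escalates. Median and MAD are used instead of mean and standard deviation so that a single bulk transfer inside the learning window does not inflate the baseline and hide later ones.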
I have worked with both (APT/DLP and endpoint protection), and the results were astonishingly correct. DLP needs maybe some fine-tuning and/or, in the worst case, that you mark your documents with their confidentiality level, but then you can see quickly when data leaves your premises.
Of course these independent solutions can send their data to the SIEM, but I promise you, your analysts will love the consoles as they are, because the data is so meaningful that they often do not need the SIEM any more.
Following my advice you now have the SIEM as a detector, plus two real-time (or, to be correct, very near real-time) consoles where you can really detect attacks. The results are happy analysts, more effective cyber security and a higher detection rate which protects your company or organization much better.
And to make it even better, some of the endpoint solutions allow you to kill the attacker's processes from the console, create a forensic image of the hard disk and memory, and later re-image the endpoint to its original state without malware on it.
Because the results from these solutions are so clear, in many cases cyber security becomes measurable: at the end of the month you can say "we have eliminated xxx APT attacks, removed yyy malware samples and prevented zzz times that data leaves the company or organization".
From now on you are catching up with the attackers and can stop their projects on the fly in a much, much shorter time.