SIEM for IT and Information Security

    With the advent of the first information security tools came the first pressing questions: how do you know that the barricades you have erected actually work and protect? How do you respond to alerts faster? How do you find out which threats were prevented? You can check whether a firewall works with an ICMP ping: if the rules in the ACL (access control list) work, there should be no echo reply responses. You can view the event log through the device's console, parsing hundreds or thousands of lines by hand and trying to spot a blocked or detected threat.

    Time is money

    Even from active protection tools alone there are a lot of event logs, not to mention critical servers, databases and applications. Using these logs you can identify unauthorized access attempts, network attacks, and anomalies that disrupt business continuity or violate security policies. To open an event log you have to perform a sequence of actions that take time: launch the application, connect to the console, display the list of events and examine it. Even if we assume that one employee is responsible only for monitoring the anti-virus software (suppose there is a centralized management console), update installation and IPS (suppose there are no more than 2–4 of them), viewing events from these sources and analyzing the problems of the last day will take him about an hour. Add the human factor: the officer may be overloaded with other matters, sick or on vacation, distracted from work, or doing it only pro forma. Now count how many man-hours are needed to analyze the event logs on critical assets at least once a day. Include in your calculation the salary of a qualified employee who is able to identify threats in these event logs, and the time required to connect to the security tools in your branch offices over slow communication channels. Expensive? Yes, it turns out to be a round sum, and if you quote it to management you will most likely be shown the door.

    So you have installed the security tools, configured them, and they work. What else do you need? A SIEM replaces more than a dozen people, works efficiently and will not ask for a pay rise.

    Business protection

    The main objective of information security is to protect the business and the continuity of its business processes. What is needed for this? Business processes are described, assets are identified and audited (including scans and pentests), an intruder model is drawn up, risks are studied, and a plan to minimize them is drawn up. What measures are taken to minimize risk? Policies are created, user training is conducted, information protection tools are installed, configurations are changed, updates are installed... Having done all this, do we leave it at that until the next PDCA cycle?

    Keep a finger on the pulse

    The "set and forget" principle does not apply in information security. There is no absolute protection, and even the most unlikely risks can end in a business halt and huge financial losses. Any software or hardware may stop working or be misconfigured, and let a threat through. Have you seen the control panel of a modern airplane? All the important indicators are put together according to ergonomics and priority. The pilot and the co-pilot cannot fail to notice a critical indicator going out of range. The same with SIEM: on any deviation from the baseline or policies (the aircraft's course) or any asset malfunction as a result of failures or threats (equipment faults), the operators, like pilots, are notified immediately.

    Why immediately, and what happens in an hour? Viruses spread in a matter of seconds, and attackers have automated systems for analyzing and exploiting vulnerabilities. A RAID array failure event on a system in commercial operation will no longer be of interest tomorrow, because part of the data (or even all of it) will be lost. The sooner you are informed, the faster you take measures, and the smaller the financial losses your business suffers. It is good if the incident had no consequences (back to the planes: "Vasya, look at this! Yesterday we flew from Paris to Moscow on one engine!").

    Preventive Protection Does Not Exist

    If you install centralized antivirus software, you need to make sure that it is installed everywhere, configured correctly, and working with current databases. How? Using event logs.

    What for? Imagine that you have automated the installation of corporate antivirus software and database updates. You audit the event log every two or three days, but there was a failure: the service does not start in the OS on a workstation in the warehouse, and it is infected with a virus that spreads across the network. It is by no means certain that, for example, autorun is disabled on all servers and all patches are installed: in real life this almost never happens. A Trojan planted automatically through an autorun vulnerability and spreading over the network, or a forged shortcut on a network share, leads to the collapse of the entire company. While you are analyzing what happened in emergency mode, the business will most likely be idle, and management will be nervous and indignant. It is easy to estimate the financial losses from enterprise downtime yourself. In addition, such failures tend to affect bonuses and salaries negatively.

    Controlled threat, accepted risk

    In practice there are times when security runs counter to business. There are situations when it is impossible to install an update that closes a vulnerability (for many reasons: certification, instability, "not tested", conflict with other software), or, for example, impossible to block RPC because the business application would stop working. The cost of eliminating the threat may exceed the potential loss, so the risk is "accepted". However, we can control such risks using SIEM, respond to incidents, and at the end of the year return the funds allocated to cover operational risks to the budget. Naturally, in this case there can be no question of an operator reading firewall logs without automatic analysis and incident recording as a way of controlling risks.

    No reason - everyone is to blame

    You have probably come across cases when there is no data to resolve an incident: there is no information about the exact time and place of occurrence (calls from users do not count) or about what preceded the incident, and we cannot answer the main questions: why the incident occurred and who is to blame. No, this is not needed in order to punish the perpetrators (although that is sometimes necessary too). The main thing to clarify from the results of an incident is what to do so that it does not recur. Moreover, the OS's own logging alone (Windows event log or syslog) may not be enough.

    I'm not God, I'm just a system administrator

    In a mature, branched infrastructure, administrative rights are delegated to a fairly wide circle of employees. Naturally, all these employees undergo security checks, and we trust them. But in practice human psychology often takes over: an employee who crashed the database or the RAID, or brought in a virus on a personal flash drive that brought a business process to a halt, fearing dismissal and a fine, covers his tracks by deleting or forging event logs. If these logs are not collected in time, the business will suffer financial losses and reputational damage. Event logs collected in time and consolidated in a repository will help you make the right decision on the outcome of the incident. It is not possible to quietly delete data (events and incidents) from a SIEM: the system log records it and integrity control is performed. Evidence in the form of event logs in SIEM systems will help your organization in court.
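One way the integrity control mentioned above can work, as an added illustration (not the implementation of any particular SIEM): events are stored as a hash chain, so deleting or editing an entry breaks every hash after it. The events are constructed sample data.

```python
import hashlib
import json

# Constructed sample events from a hypothetical database server (not real data).
EVENTS = [
    {"ts": "2024-03-01T09:58:10", "host": "db-01", "msg": "RAID volume degraded"},
    {"ts": "2024-03-01T09:59:02", "host": "db-01", "msg": "admin cleared the system log"},
    {"ts": "2024-03-01T09:59:30", "host": "db-01", "msg": "database service stopped"},
]

def _digest(prev_hash, event):
    """Hash of the previous entry's hash plus the canonical JSON of this event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def build_chain(events, seed="genesis"):
    """Store events as a hash chain: every entry commits to everything before it."""
    chain, prev = [], seed
    for ev in events:
        prev = _digest(prev, ev)
        chain.append({"event": ev, "hash": prev})
    return chain

def verify_chain(chain, seed="genesis"):
    """Return (True, None) if the chain is intact, else (False, index of the
    first entry that does not match): a deleted or edited entry breaks every
    hash from that point on, so quiet tampering is visible."""
    prev = seed
    for i, entry in enumerate(chain):
        if _digest(prev, entry["event"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None
```

In practice the chain head is also written to a place the administrator being audited cannot reach, otherwise the whole chain could simply be rebuilt.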

    Who knows what this script does?..

    Of course, you can build log management and some kind of event management on "home-written" scripts: collect logs through syslog or open-source software, arrange everything with PowerShell, batch files and sh scripts, and report incidents by e-mail. How convenient and cheap!

    Yes, this is acceptable for a small business. Let's get back to our airplane example. Mentally remove all the indicators from the dashboard (or erase their names) and send the error messages to the pilot via SMS and e-mail... How quickly will the pilot get tired of fishing the phone out of his pocket and sorting through incoming mail?

    SIEM systems have self-diagnosis functions and monitor the operation of their components. These are not "batch files" scattered here and there, whose integrity and performance are very difficult to control. With scattered scripts it is practically impossible to protect yourself from spoofed content or from the administrative account being readable in cleartext. A SIEM is different: it is a comprehensive system that reports on the continuity of event collection, on failures of its components, on access to system functions, and so on.

    Protect Not Only Critical Assets

    Imagine that you have protected the (in your opinion) critical assets, for example a business application or a database. Everything is fine, the money was spent as well as possible, and you saved by not buying security tools for workstations and two-factor authentication for mobile users. Users are locked down by group policies. You just didn't take into account that a locked door standing in the middle of a field is absolutely ineffective. Attackers will obtain user and administrative accounts from unprotected workstations or mobile devices and, with absolutely legitimate requests to your super-protected database, "pull out" everything they can. Destructive actions have long been out of fashion. You will learn about the information leak from the news, and be surprised: after all, all your servers were reliably protected! This is an example of a typical APT attack. Running processes, new libraries in the OS, new services, open ports and connections, privilege escalation: all of this can be seen in the event logs of the workstations that were not, in your opinion, critical assets...

    Protection should be comprehensive. The proof of this is the incidents at Bit9 and RSA, which for some reason did not deploy the protection they developed on their own workstations.

    Security tools are usually signature-based, that is, they are created from an analysis of already known threats (viruses, network attacks, even the dictionaries in DLP). New threats can be identified only with complex correlation algorithms (for RBR correlation, see the article on our blog) applied to millions of events and indicators, together with baseline analysis; without them there can be no question of it. The human brain is not always able to analyze such a volume of data comprehensively. However, the abstraction of the representations in SIEM systems makes it easier for operators to detect threats in time. The system does all the preliminary calculations and displays the indicators. At a minimum, for example, based on baseline analysis the system reports new DynDNS traffic and indicates that 10 failed login attempts on behalf of the domain administrator were recorded from various assets. Typically the system is able to report a trojan or a brute-force attack (depending on the set of correlation rules and the capabilities of the particular system). More complex correlation algorithms will let you find the cause of the incident (for example, identify the modem connection that led to the trojan infection and the brute force). A person cannot afford to carry out such an analysis independently on millions of text events. The ability to customize visualization panels is useful both for individual employees and for the operation of a SOC (security operations center), as well as for IT and technical support departments.
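A minimal version of the "failed logins for the domain administrator from various assets" correlation rule described above, as an added example (not code from the original post or from any SIEM product). The log lines, host names, the threshold of three hosts in a five-minute window and the scanner exception are all assumptions; a per-host threshold would never fire on this data, the cross-asset rule does.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a syslog-like key=value form (not from any real system).
SAMPLE_EVENTS = """\
2024-03-01T10:00:01 host=ws-sales-12 event=logon_failed user=CORP\\admin
2024-03-01T10:00:03 host=ws-hr-03 event=logon_failed user=CORP\\admin
2024-03-01T10:00:05 host=ws-sales-12 event=logon_failed user=CORP\\jsmith
2024-03-01T10:00:07 host=srv-file-01 event=logon_failed user=CORP\\admin
2024-03-01T10:00:09 host=ws-dev-21 event=logon_failed user=CORP\\admin
2024-03-01T10:00:11 host=ws-acct-05 event=logon_failed user=CORP\\admin
2024-03-01T10:00:12 host=vuln-scanner event=logon_failed user=CORP\\admin
2024-03-01T12:00:00 host=ws-hr-03 event=logon_failed user=CORP\\admin
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+) user=(\S+)$")

# Exception list: the authorized vulnerability scanner is expected to produce
# failed logons, so its events are excluded and do not flood the operator.
EXCLUDED_HOSTS = {"vuln-scanner"}

def parse(text):
    """Turn raw log lines into (timestamp, host, event, user) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), *m.groups()[1:]))
    return events

def distributed_logon_failures(events, user, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: an incident is raised when failed logons for `user` come
    from at least `threshold` distinct hosts inside one `window`. Returns a list
    of (window_start, sorted_hosts) tuples, one per incident."""
    hits = sorted((ts, host) for ts, host, ev, u in events
                  if ev == "logon_failed" and u == user and host not in EXCLUDED_HOSTS)
    incidents, i = [], 0
    while i < len(hits):
        start = hits[i][0]
        hosts = {h for ts, h in hits if start <= ts < start + window}
        if len(hosts) >= threshold:
            incidents.append((start, sorted(hosts)))
            while i < len(hits) and hits[i][0] < start + window:  # one attack, one incident
                i += 1
        else:
            i += 1
    return incidents

for start, hosts in distributed_logon_failures(parse(SAMPLE_EVENTS), "CORP\\admin"):
    print(f"INCIDENT at {start}: failed logons as CORP\\admin from {len(hosts)} hosts {hosts}")
```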

    A number of regional, international, national and industry standards contain requirements for organizing the log management process. All SIEM systems have templates that meet international standards, plus the ability to add your own templates, to generate compliance reports on event collection and storage. With a home-made system you will have to spend considerable resources to build such templates as reports or an interface for the auditor.

    Incorrect incident response is comparable to a traffic light behaving incorrectly: the IS and IT departments will be unable to solve their primary task of keeping business processes running. A SIEM has the minimum necessary tools for organizing the incident registration process (or can integrate with the help desk), which helps control incident resolution and accumulate a knowledge base. A SIEM can integrate and prioritize incidents depending on their impact on business processes, the value of the asset and the severity of the threat. In some systems integration with risk management systems is possible.

    There is a misconception that a SIEM produces a large number of incidents to which the IS division simply has no time to respond. You need to understand that a SIEM is not an out-of-the-box solution and, as with DLP systems, requires correct implementation, integration with event sources, and an individual approach to the active set of rules and correlation algorithms. A flexible exception system and correct SIEM configuration guarantee that the emphasis is only on critical events, without flooding.

    Share events

    SIEM is a system not only for information security. Errors and failures in operating systems, network equipment and software: IT department staff can get information about all of it from the SIEM. The IT department also wants to learn about incidents in advance, not from users' calls (especially since, like IS incidents, IT incidents can be prevented).

    SIEM is not the simplest solution for the log management process, and is also quite expensive to implement for small and medium-sized businesses. For its operation you need at least one qualified employee who will control the continuity of event collection, manage the correlation rules, and adjust and update them for new threats and for changes in the infrastructure. Deploying SIEM as a "black box" with all the predefined correlation rules activated, without proper monitoring and control, will be a waste of budget.

    Upon successful implementation, you will receive:

    • correlation and assessment of the impact of IT and information security events and processes on business;
    • SOC with real-time analysis of the situation in the infrastructure;
    • automation of processes for detecting threats and anomalies;
    • automation of incident registration and control processes;
    • audit of policies and standards of compliance, control and reporting;
    • documented correct response to emerging IS and IT threats in real time with prioritization depending on the impact of threats on business processes;
    • the possibility of investigating incidents and anomalies, including those that occurred a long time ago;
    • evidence base for litigation;
    • reporting and indicators (KPI, ROI, event management, vulnerability management).

    I have given just a few examples of how SIEM helps your business ensure continuity, increase efficiency, and solve problems and incidents. Much more could be written about automation, response (scenarios), incident prevention and investigation. I will try to talk about this in the following publications. Separately, we will consider an extremely important point that worries many: how to use SIEM to track the impact of IT and information security events on the business.

    See you! Waiting for your questions and comments.

    Author: Olesya Shelestova (oshelestova), Positive Research center.