Successful implementation of SIEM. Part 2
I continue my article on the implementation and use of SIEM (part 1). As promised, in this second part I will cover the correlation and visualization of events: the main misconceptions management has about what correlation is, what really matters and what does not, and examples of effective and ineffective event correlation.
Correlation within a SIEM is the matching of information from different events for the purpose of a subsequent response. Response methods include creating a new event, notifying an administrator by e-mail or on the console, executing a script, opening a case inside the SIEM, or writing information to a list (watchlist).
Visualization is the display of information from various events as graphs, charts, and lists, either in real time or over a chosen period.
In my work I have encountered a number of misconceptions among colleagues and management about what correlation is. The first: that correlation necessarily means matching events from different sources. This is simply wrong, because a single source can produce events of different types that also need to be matched - for example, a firewall that is simultaneously a VPN gateway and an intrusion prevention system, or web servers logging different request methods. The second big misconception is that correlation always happens on the fly, i.e. the correlated event appears almost instantly. The third is that correlation is only needed to identify incidents. The fourth is that a response rule can and should be written for everything.
The main misconception about visualization is that it exists only to show management pretty pictures.
So why is correlation really needed, and what are its main principles? Above all, it is about enriching interesting events with additional information. For example: we have only the bare source IP addresses that the DHCP server handed out to our clients, and on the firewall we see connections from one of those addresses to botnet servers, but no username. Digging through the DHCP server by hand is slow and tedious; we want to see the username immediately.
To do this we also take the DHCP and workstation logs, determine which user or machine name the IP address was assigned to at the moment it was caught trying to connect to the botnet, and in the correlated event we see complete information about who did it. This is an example of effective correlation.
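The enrichment described above can be sketched as a tiny in-memory join. All field names, the lease table, and the sample values below are illustrative assumptions, not a real SIEM API:

```python
# Sketch of event enrichment: join a firewall alert with DHCP lease data
# so the correlated event carries the username, not just a bare IP.

# Lease table kept current from DHCP acknowledgment events (ip -> owner).
leases = {}

def on_dhcp_ack(event):
    """Remember which user/host currently holds each IP address."""
    leases[event["ip"]] = {"user": event["user"], "host": event["host"]}

def enrich(fw_event):
    """Attach the lease owner to a firewall alert, if the lease is known."""
    owner = leases.get(fw_event["src_ip"], {"user": "unknown", "host": "unknown"})
    return {**fw_event, **owner}

on_dhcp_ack({"ip": "10.0.0.5", "user": "jsmith", "host": "WS-042"})
alert = enrich({"src_ip": "10.0.0.5", "dst": "botnet.example", "action": "deny"})
print(alert["user"])  # jsmith
```

A real deployment would feed `on_dhcp_ack` from parsed DHCP logs and expire stale leases, but the join itself is this simple.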
An example of ineffective correlation is, first of all, correlating events that fire frequently and carry no useful information - for instance, pairing IPS attack block/detect events with the firewall event for the permit rule that matched. Such a rule generates an enormous amount of noise, and since IDS/IPS signatures are rarely precise, a large share of it is false positives. The main symptom of ineffective correlation is a stream of uninformative events (notifications).
Another big headache in working with a SIEM is deciding what is important and what is not. The choice is largely individual, but let me highlight the main points. Recall that the main threats to information security are violations of integrity, availability, and confidentiality. A confidentiality breach mostly carries reputational risk and lost income in the long run, whereas violations of integrity and availability hurt here and now.
Following this logic, it is important to react quickly to: DDoS attacks, which we can monitor by analyzing events from firewalls, routers, switches, and netflow, and by collecting hardware-status events from IT monitoring systems (Zabbix, Nagios, and others); virus infections of hosts; brute-force attacks from the Internet against equipment on the network perimeter; server malfunctions (services stopping and starting, changes to user rights, potentially dangerous admin commands); ports that opened for no apparent reason (events from scanners); use of unprotected protocols (tracked via firewall events on the tftp, telnet, and similar ports); and log sources that have stopped sending or whose logs are blocked.
It is also very effective to use scripts that notify users on certain events - for example, that their account has been blocked for violating the VPN security policy - i.e. routine tasks that are often done manually and where the cost of a mistake is low.
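Such a routine notification can be a few lines of script. The event fields, address domain, and mail host below are illustrative assumptions:

```python
# Sketch of a routine-notification script: when the SIEM fires a
# "VPN account blocked" event, mail the user an explanation.
from email.message import EmailMessage

def build_notice(event):
    """Compose the notification message from the SIEM event fields."""
    msg = EmailMessage()
    msg["To"] = f'{event["user"]}@example.org'
    msg["Subject"] = "VPN account blocked"
    msg.set_content(
        f'Your account {event["user"]} was blocked at {event["time"]} '
        f'for violating the VPN security policy ({event["reason"]}). '
        "Contact the security team to restore access."
    )
    return msg

notice = build_notice({"user": "jsmith", "time": "2014-03-01 10:15",
                       "reason": "logins from two countries"})
print(notice["Subject"])
# Sending is one call away, e.g.:
# smtplib.SMTP("mail.example.org").send_message(notice)
```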
Why is visualization effective? It is a powerful tool primarily for analyzing large volumes of same-type logs in which the statistics matter. A good visualization case is overlaying IDS/IPS, firewall, and netflow activity on Google Maps: showing where (if the infrastructure is distributed) we have the most requests, signature hits, and traffic. You can configure the picture to change as request volume grows - for example, a small circle means 1 to 100 requests per hour, a medium one up to 1000, and so on.
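The bucketing just described is trivial to express; the thresholds are the ones from the text and would be tuned per installation:

```python
# Map an hourly request count to a marker size for a map overlay.
def marker_size(requests_per_hour):
    if requests_per_hour <= 100:
        return "small"    # 1-100 requests per hour
    if requests_per_hour <= 1000:
        return "medium"   # up to 1000
    return "large"        # everything above

for n in (3, 250, 40000):
    print(n, marker_size(n))
```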
It turned out I could not write much about the principles of good correlation without referring to internal processes, so part three comes together with part two.
So, meet part three.
Key processes that a SIEM can simplify and help solve.
1. Inventory and vulnerability management.
I believe this is one of the key processes in building the information security system of any organization; let's call it step one.
How it is implemented: send scan results to the SIEM, reconstruct NAT translations from firewall or netflow logs, pull information from various directories (AD, SharePoint, etc.), and maintain a categorized asset list. Scanning can be done with self-written scripts, vulnerability scanners, and network scanners.
Advantages: all the necessary information is in one place, and it is convenient to work with - build reports, visualize, and compare.
You can add a script or write a rule here that integrates with the incident management system, so that administrators subsequently close the vulnerabilities or security problems.
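A minimal sketch of the asset-list idea: merge scanner output with directory data keyed by IP. The sources, field names, and sample CVE are assumptions for illustration:

```python
# Build a categorized asset list from scan results plus directory info,
# then pick out the hosts with outstanding vulnerabilities.
scan_results = [
    {"ip": "10.0.0.5", "open_ports": [22, 80], "vulns": ["CVE-2014-0160"]},
    {"ip": "10.0.0.9", "open_ports": [3389], "vulns": []},
]
directory = {
    "10.0.0.5": {"owner": "web team", "category": "server"},
    "10.0.0.9": {"owner": "jsmith", "category": "workstation"},
}

assets = {}
for r in scan_results:
    info = directory.get(r["ip"], {"owner": "unknown", "category": "uncategorized"})
    assets[r["ip"]] = {**r, **info}

# Hosts ready to hand over to incident management for remediation:
to_fix = [a for a in assets.values() if a["vulns"]]
print([a["ip"] for a in to_fix])  # ['10.0.0.5']
```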
2. Network perimeter control
Visualization of firewall, IDS/IPS, and DNS rule activity, control of access to C&C servers, and so on. These cases should be monitored by an information security analyst during the day, with both reaction and proactive incident analysis.
For such cases it is a bad idea to set up alert notifications; daily real-time analysis works best.
The output of such analysis raises the efficiency of all protection tools, because recommendations are developed while the logs are reviewed. We can understand what each tool actually reacts to and whether we need it, list the firewall rules that fire most often and those that never fire at all, and optimize the firewall policy as a whole. We can also find infected hosts that the antivirus missed.
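The rule-hit accounting mentioned above is a simple tally. The log line format and rule names below are illustrative assumptions:

```python
# Count how often each firewall rule fires and list configured rules
# that never fired at all - candidates for policy cleanup.
from collections import Counter

configured_rules = {"allow-web", "allow-vpn", "deny-telnet", "allow-legacy-ftp"}
log_lines = [
    "2014-03-01T10:00:01 rule=allow-web action=permit",
    "2014-03-01T10:00:02 rule=allow-web action=permit",
    "2014-03-01T10:00:05 rule=deny-telnet action=deny",
]

# Pull the rule name out of each line and tally.
hits = Counter(line.split("rule=")[1].split()[0] for line in log_lines)
never_fired = configured_rules - set(hits)

print(hits.most_common(1))   # the most frequently matched rule
print(sorted(never_fired))   # rules that never matched
```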
3. Compliance
With a SIEM you can detect non-compliance with security standards in the settings of operating systems, network equipment, VPN access - any config you can parse and send in for analysis. One could say any modern scanner can do this, but there is a catch: scanners often carry excessive functionality and handle this particular task poorly, so it is better to use a script that pulls out the needed settings and sends them to the SIEM for analysis. The SIEM can then visualize and report which servers or server groups fail which checks.
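A sketch of such a settings-extraction check: compare a few parsed config values against a baseline before forwarding the verdict to the SIEM. The `key=value` config format and the baseline values are assumptions for illustration:

```python
# Compare extracted device settings against a security baseline and
# return the deviations (which would then be sent to the SIEM, e.g. via syslog).
baseline = {"telnet": "disabled", "ssh_version": "2", "password_min_length": "12"}

def audit(config_text):
    """Return baseline settings that deviate or are absent in the config."""
    settings = dict(line.split("=", 1)
                    for line in config_text.splitlines() if "=" in line)
    return {k: settings.get(k, "missing") for k, v in baseline.items()
            if settings.get(k) != v}

config = "telnet=enabled\nssh_version=2\n"
print(audit(config))  # {'telnet': 'enabled', 'password_min_length': 'missing'}
```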
4. Protection against attacks from the Internet.
The most topical attacks, and the ones that take the longest to recognize for what they are, are DDoS attacks, which can seriously knock a system out. Analyzing firewall, web server, DNS, and netflow logs lets you see a sharp change in the number of source addresses and in the kind of traffic they send, which can signal the start of a DDoS attack and shorten the reaction time to it.
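One simple way to catch the "sharp change in the number of source addresses" is to compare the current interval with the recent average. The threshold factor and window counts below are assumptions to be tuned per network:

```python
# Flag an interval whose count of distinct source addresses jumps far
# above the recent average - a possible early sign of a DDoS attack.
def is_spike(history, current_unique_sources, factor=5):
    """history: unique-source counts for the previous intervals."""
    if not history:
        return False  # nothing to compare against yet
    avg = sum(history) / len(history)
    return current_unique_sources > factor * avg

normal = [120, 135, 110, 128]   # unique sources per 5-minute window
print(is_spike(normal, 140))    # False - ordinary traffic
print(is_spike(normal, 9000))   # True - likely start of a DDoS
```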
5. Control of sending logs.
This is one of the most important things to do with a SIEM. It is effective to maintain a list of sources that have sent logs within the last 2 hours and to alert when an entry's lifetime in the list expires. It is also worth checking, from the firewall's own logs, which logs failed to pass through it.
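The liveness list boils down to a last-seen timestamp per source. Source names and timestamps below are illustrative:

```python
# Track the last time each source sent a log, and report sources
# silent for more than two hours - they have likely stopped sending.
from datetime import datetime, timedelta

last_seen = {}

def on_log(source, ts):
    """Refresh the source's entry on every log received."""
    last_seen[source] = ts

def silent_sources(now, ttl=timedelta(hours=2)):
    """Sources whose entry in the list has expired."""
    return sorted(s for s, ts in last_seen.items() if now - ts > ttl)

now = datetime(2014, 3, 1, 12, 0)
on_log("fw-edge", datetime(2014, 3, 1, 11, 50))
on_log("dc-01", datetime(2014, 3, 1, 8, 30))
print(silent_sources(now))  # ['dc-01'] - needs attention
```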
Now let's talk a little about staffing.
As practice shows, work with a SIEM splits into two large areas: the first is operations and development, the second is direct monitoring and work with the console, i.e. event processing.
These areas should be handled by different people; combining them does not work.
What do operations and development include? First of all, maintaining the SIEM itself and communicating with technical support. The second major task is creating and evolving the log-collection tooling and correlation rules, testing them and putting them into production, and writing documentation for these rules and scenarios.
The processing side includes setting up monitoring of new servers, responding to events, analyzing logs with visualization tools, building new visualizations, and raising requests for new correlation rules.
It is important to understand that combining these two roles reduces the effectiveness of the whole installation: they are too different and demand personal qualities that rarely coexist in one person.
In place of a conclusion: implementing a SIEM makes sense in large companies that can afford a staff of high-level specialists - the key link here - and the purchase of expensive software whose payoff becomes noticeable only after a few years. The much-advertised event correlation is likewise most relevant for large companies with many servers and much network equipment. Most small companies can get by with ordinary log management, which can be implemented beautifully with open-source solutions and the web UIs of security tools, plus the reports that various scanners can generate.