Whether you are working to the SANS 20 security best practices, with an auditor for SOX compliance, or with a QSA for PCI compliance, you will end up implementing a logging solution.
Keeping an audit trail of key security events is the only way to understand what “regular” operation looks like. Why is this important? Because only once you have that clear picture can you start to identify the irregular and unusual activity that could be evidence of a security breach. Better still, once you know how things look when everything is normal and safe, an intelligent log analytics system, also known as a SIM or SIEM, can automatically assess events, event volumes and patterns and judge on your behalf whether something fishy is going on.
Security threat or potential security event? Only with event correlation!
The promise of SIEM systems is that once you have installed one, you can go about your daily business and, if a security incident occurs, it will tell you about it and what you need to do to fix it.
The last set of ‘must have’ features is correlation, but this has to be one of the most used and abused tech terms ever!
The concept is simple: an isolated event that is a potential security incident (eg an ‘IPS Intrusion Detection Event’) is notable, but not as critical as seeing a sequence of events all tied to the same session, eg an IPS Alert, followed by Login Failed, followed by Admin Login Successful.
In reality, these advanced ‘true correlation’ rules are rarely that effective. Unless you are running a very busy security operation, with an enterprise consisting of thousands of devices, the standard single event/single alert mode of operation should work well enough for you.
For example, in the above scenario, it should be the case that you do NOT get many intrusion alerts from your IPS (if you do, you really need to look at your firewall and IPS defenses as they do not provide enough protection). Likewise, if you’re getting failed logins from remote users to critical devices, you should spend your time and effort improving your network design and firewall settings rather than experimenting with “clever” correlation rules. It is the KISS* principle applied to security event management.
As such, when you receive one of the critical IPS alerts, that alone should be enough to initiate an emergency investigation, rather than waiting to see whether the intruder succeeds in brute-forcing one of your hosts (by which time it is too late anyway!).
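To make the two approaches concrete, here is an added example (not part of the original article, and not any vendor’s rule engine): a small Python script that runs the sequence rule from above (IPS alert, then Login Failed, then Admin Login Successful, all from the same source to the same destination within a time window) and the single-event rule (any critical IPS alert) over a handful of constructed syslog-style lines. The log format, field names, hosts and addresses are all assumptions made up for the example.

```python
"""Single-event alerting versus sequence correlation over syslog-style lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not taken from any real device):
# one attacker source (203.0.113.7) against one host (10.0.0.5),
# plus an unrelated failed login from a second source.
SAMPLE_LOG = """\
2024-03-01T10:00:01 ips src=203.0.113.7 dst=10.0.0.5 sev=critical sig="SQLi attempt"
2024-03-01T10:00:15 ssh src=203.0.113.7 dst=10.0.0.5 user=root result=failed
2024-03-01T10:00:21 ssh src=203.0.113.7 dst=10.0.0.5 user=root result=failed
2024-03-01T10:00:44 ssh src=203.0.113.7 dst=10.0.0.5 user=admin result=success
2024-03-01T10:05:00 ssh src=198.51.100.9 dst=10.0.0.5 user=bob result=failed
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<kind>\w+) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Turn one '<timestamp> <kind> k=v k="v v"' line into a dict, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m.group("ts")), "kind": m.group("kind")}
    for key, val in KV_RE.findall(m.group("rest")):
        ev[key] = val.strip('"')
    return ev


def single_event_alerts(events):
    """KISS rule: every critical IPS event is an alert in its own right."""
    return [e for e in events if e["kind"] == "ips" and e.get("sev") == "critical"]


def correlated_alerts(events, window=timedelta(minutes=10)):
    """Sequence rule: IPS alert -> failed login -> successful privileged login,
    all with the same (src, dst) pair and completed within `window` of the IPS alert."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e.get("src"), e.get("dst"))].append(e)

    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        stage, start = 0, None  # 0 = waiting for IPS, 1 = saw IPS, 2 = saw failed login
        for e in evs:
            if start is not None and e["ts"] - start > window:
                stage, start = 0, None  # chain expired, start over
            if stage == 0 and e["kind"] == "ips":
                stage, start = 1, e["ts"]
            elif stage == 1 and e["kind"] == "ssh" and e.get("result") == "failed":
                stage = 2
            elif (stage == 2 and e["kind"] == "ssh" and e.get("result") == "success"
                  and e.get("user") in ("admin", "root")):
                alerts.append({"src": src, "dst": dst, "first": start, "last": e["ts"]})
                stage, start = 0, None
    return alerts


def run(log_text=SAMPLE_LOG):
    """Parse the log and return (single-event alerts, correlated alerts)."""
    events = [ev for ev in (parse(line) for line in log_text.splitlines()) if ev]
    return single_event_alerts(events), correlated_alerts(events)


if __name__ == "__main__":
    single, correlated = run()
    for a in single:
        print("SINGLE-EVENT ALERT at", a["ts"], "-", a["sig"], "from", a["src"])
    for a in correlated:
        print("CORRELATED ALERT for", a["src"], "->", a["dst"],
              "chain completed at", a["last"], "(IPS alert was at", a["first"], ")")
```

Both rules fire on the sample, but note the timing: the single-event rule raises the alarm on the IPS hit at 10:00:01, while the correlated rule only fires once the admin login succeeds at 10:00:44, which is exactly the article’s point about waiting for the brute force to finish. The unrelated failed login from the second source triggers neither rule, as it should.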
Correlation rules perfected, but the system has already been hacked…
In fact, give this last point more consideration, because this is where security best practice deviates drastically from the discourse of SIEM product managers. Everyone knows that prevention is better than cure, so why is there so much hype around the need for correlated SIEM events? Clearly, the focus should be on protecting our information assets rather than on deploying an expensive and complicated device that may or may not sound an alarm when systems are under attack.
Security best practices will tell you to thoroughly implement the basics. The easiest and most available security best practice is to harden systems and then operate a robust change management process.
By removing known vulnerabilities from your systems (primarily configuration-based vulnerabilities, but of course software-related security weaknesses as well, through patching), you end up with a fundamentally well-protected system. Ramp up the other defensive measures too: antivirus (flawed as a comprehensive defense, but still useful against conventional malware), firewalls with IPS, and of course all of it backed by logging and real-time file integrity monitoring, so that if any infiltration does occur you know about it right away.
Contemporary SIEM solutions make many promises about being THE intelligent security defense system. However, experience, and the evidence from a growing number of successful security breaches, tells us that there will never be a ‘silver bullet’ for defending our IT infrastructure. Tools and automation help, of course, but genuine security only comes from operating security best practices with the awareness and discipline to expect the unexpected.
*KISS – Keep It Super Simple