
Security Information and Event Management (SIEM) – A Detailed Explanation

Logs are fetched into the SIEM in two different ways: agent-based and non-agent-based. In the agent-based approach, a log-pushing agent is installed on the client machine from which the logs are collected.

Then this agent is configured to forward logs to the solution. In the latter type, the client system sends logs on its own using a service such as Syslog or the Windows Event Collector service.

There are also specific applications and devices which can be integrated through a series of vendor-specific procedures.

Well, now you know that the logs from different devices are being forwarded into the SIEM. Take an example: a port scan is initiated against a specific machine. In such a case, the machine would generate a lot of unusual logs.

Analyzing the logs, it will be clear that a number of connection failures are occurring on different ports at regular intervals.

Looking at packet information, if available, we can see SYN requests being sent from the same source IP to the same destination IP but to different ports at regular intervals. This indicates that somebody initiated a SYN scan against our asset.

The SIEM automates this process and raises alerts. Different solutions do this in different ways but produce the same results.
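The rule a SIEM applies to the port-scan scenario above is a sliding-window count of distinct destination ports per source/destination pair. The following is an added example written for this page, not code from the GBHackers article or from any SIEM product. The log format (timestamp, action, protocol, source, destination, port) and the sample lines are constructed; the thresholds (five ports within 60 seconds) are assumptions a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not from any real device):
# <timestamp> <action> <proto> <src_ip> <dst_ip> <dst_port>
SAMPLE_LOG = """\
2024-05-01T10:00:00 DENY TCP 10.0.0.5 192.168.1.10 22
2024-05-01T10:00:01 DENY TCP 10.0.0.5 192.168.1.10 23
2024-05-01T10:00:02 DENY TCP 10.0.0.5 192.168.1.10 25
2024-05-01T10:00:03 DENY TCP 10.0.0.5 192.168.1.10 80
2024-05-01T10:00:04 DENY TCP 10.0.0.5 192.168.1.10 110
2024-05-01T10:00:05 DENY TCP 10.0.0.5 192.168.1.10 143
2024-05-01T10:00:06 ALLOW TCP 10.0.0.5 192.168.1.10 443
2024-05-01T10:00:07 DENY TCP 10.0.0.5 192.168.1.10 3389
2024-05-01T10:05:00 DENY TCP 10.0.0.7 192.168.1.10 22
2024-05-01T10:30:00 DENY TCP 10.0.0.7 192.168.1.10 23
"""


def parse_line(line):
    """Split one space-separated log line into a typed event dict."""
    ts, action, proto, src, dst, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": int(dport)}


def detect_port_scans(lines, window=timedelta(seconds=60), min_ports=5):
    """Raise one alert per (src, dst) pair whose denied connections touched at
    least `min_ports` distinct destination ports inside a sliding time window.
    Only DENY events count: successful connections are ordinary traffic."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    per_pair = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            per_pair[(e["src"], e["dst"])].append(e)

    alerts = []
    for (src, dst), evs in per_pair.items():
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {x["dport"] for x in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "ports": sorted(ports),
                               "first_seen": evs[start]["ts"], "last_seen": evs[end]["ts"]})
                break  # one alert per pair; a SIEM would de-duplicate further anyway
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LOG.splitlines()):
        print(f"port scan: {a['src']} -> {a['dst']} ports {a['ports']} "
              f"between {a['first_seen']} and {a['last_seen']}")
```

The second source in the sample (10.0.0.7) touches two ports 25 minutes apart and never crosses the threshold, which is the point of the window: counting distinct ports without a time bound would eventually flag any long-lived client.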

The Path to SIEM Success

The path to SIEM success looks something like this:

  • Collect logs from standard security sources.
  • Enrich logs with supplemental data:
    • Global Threat Intelligence (black lists).
    • Human Resource / Internet Download Management.
  • Correlate — find the proverbial needles in the log haystacks.
  • Investigate — follow up and fix.
  • Document — Standard Operating Procedures, Service Level Agreements, Trouble Tickets.
  • Incorporate — build white lists, new content.
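The collect, enrich, correlate, investigate and incorporate steps above can be shown end to end in a few dozen lines. This is an added illustration for this page, not code from the article or from any SIEM vendor. The events, the block list (standing in for a threat-intelligence feed), the asset/owner table (standing in for HR data) and the white list are all constructed; the addresses are RFC 5737 documentation ranges.

```python
from collections import Counter

# Constructed outbound-connection events from a proxy/firewall (not real data).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws-017", "dst": "203.0.113.10"},
    {"ts": "2024-05-01T09:00:05", "host": "ws-017", "dst": "203.0.113.10"},
    {"ts": "2024-05-01T09:01:00", "host": "ws-017", "dst": "198.51.100.8"},
    {"ts": "2024-05-01T09:02:00", "host": "srv-db1", "dst": "203.0.113.10"},
    {"ts": "2024-05-01T09:03:00", "host": "ws-042", "dst": "192.0.2.44"},
]

# Enrichment sources. The block list stands in for a threat-intelligence feed and the
# asset table for HR/asset-management context; both are constructed samples.
BLOCK_LIST = {
    "203.0.113.10": "constructed-feed: command-and-control",
    "192.0.2.44": "constructed-feed: malware distribution",
}
ASSET_OWNER = {"ws-017": ("alice", "finance"), "ws-042": ("bob", "security"),
               "srv-db1": ("svc-db", "it-ops")}

# White list produced by earlier investigations (the "Incorporate" step).
WHITE_LIST = {("ws-042", "192.0.2.44")}  # security team's analysis sandbox, verified benign


def enrich(event):
    """Attach threat-intel and ownership context to a raw event."""
    e = dict(event)
    e["threat"] = BLOCK_LIST.get(e["dst"])
    e["owner"], e["dept"] = ASSET_OWNER.get(e["host"], (None, None))
    e["whitelisted"] = (e["host"], e["dst"]) in WHITE_LIST
    return e


def correlate(enriched, min_hits=2):
    """Rule: a host contacting a block-listed destination at least `min_hits` times
    becomes an alert; white-listed pairs are suppressed before counting."""
    hits, last = Counter(), {}
    for e in enriched:
        if e["threat"] and not e["whitelisted"]:
            key = (e["host"], e["dst"])
            hits[key] += 1
            last[key] = e
    return [{"host": h, "dst": d, "count": n, "threat": last[(h, d)]["threat"],
             "owner": last[(h, d)]["owner"], "dept": last[(h, d)]["dept"]}
            for (h, d), n in hits.items() if n >= min_hits]


def mark_benign(host, dst):
    """Investigation outcome fed back into content: suppress this pair from now on."""
    WHITE_LIST.add((host, dst))


def run_pipeline(events, min_hits=2):
    return correlate([enrich(e) for e in events], min_hits)


if __name__ == "__main__":
    for a in run_pipeline(SAMPLE_EVENTS):
        print(f"{a['host']} ({a['owner']}, {a['dept']}) contacted {a['dst']} "
              f"{a['count']}x: {a['threat']}")
```

Enrichment is what makes the alert actionable: the analyst receives the workstation owner and department alongside the hit, and `mark_benign` is the feedback loop that turns a closed investigation into new content so the same benign pair is not raised again.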

Top 10 Use Cases for SIEM

With the growing use of SIEM solutions, businesses are keen on solving a number of security and business use cases seen during their day-to-day operations. In this post, we will go through the top 10 use cases with an overview of how you can use a SIEM to detect such behavior in your infrastructure.

The following are the top 10 use cases:

1. Authentication Activities

Abnormal authentication attempts, off-hours authentication attempts, etc., using data from Windows, Unix and any other authentication application.

2. Shared Accounts

Multiple sources (internal/external) making session requests for a particular user account during a given time frame, using login data from sources like Windows, Unix, etc.

3. Session Activities

Session duration, inactive sessions, etc., using login-session data, specifically from Windows servers.

4. Connection Details

Connections can be genuine or bogus. Suspicious behavior may include connection attempts on closed ports, blocked internal connections, connections made to bad destinations, etc., using data from firewalls, network devices or flow data. External sources can further be enriched to discover the domain name, country and other geographical details.

5. Abnormal Administrative Behavior

Monitoring inactive accounts, accounts with unchanged passwords, abnormal account-management activities, etc., using data from AD account-management activities.

6. Information Theft

Data exfiltration attempts, information leakage through emails, etc., using data from mail servers, file-sharing applications, etc.

7. Vulnerability Scanning and Correlation

Identification and correlation of security vulnerabilities detected by applications like Qualys against other suspicious events.

8. Statistical Analysis

Statistical analysis can be done to study the nature of the data. Functions like average, median, quantile, quartile, etc. can be used for this purpose. Numerical data from all kinds of sources can be used to monitor relations like the ratio of inbound to outbound bandwidth usage, data usage per application, response-time comparisons, etc.

9. Intrusion Detection and Infections

This can be done by using data from IDS/IPS, antivirus, anti-malware applications etc.

10. System Change Activities

This can be done by using data on configuration changes, audit-configuration changes, policy changes, policy violations, etc.
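Use cases 1 and 2 above (abnormal and off-hours authentication, shared accounts) are the ones most SIEM deployments start with, so here is an added example implementing them as three rules over logon records. It is written for this page and is not code from the article or from any product. The record shape is a constructed simplification of Windows logon success/failure events, the business-hours window (08:00 to 18:00, weekdays) and the thresholds are assumptions, and the user names and addresses are made up.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed logon records in a simplified, Windows-logon-like shape (not real event data).
# 2024-05-04 is a Saturday; 2024-05-06 is a Monday.
SAMPLE_LOGONS = [
    {"ts": "2024-05-06T09:05:00", "user": "alice", "src": "10.1.1.20", "ok": True},
    {"ts": "2024-05-06T09:06:00", "user": "alice", "src": "10.1.1.20", "ok": True},
    {"ts": "2024-05-06T09:07:00", "user": "alice", "src": "10.1.9.77", "ok": True},
    {"ts": "2024-05-06T23:40:00", "user": "bob",   "src": "10.1.1.31", "ok": True},
    {"ts": "2024-05-04T11:00:00", "user": "carol", "src": "10.1.1.40", "ok": True},
    {"ts": "2024-05-06T14:00:00", "user": "dave",  "src": "10.1.1.50", "ok": False},
    {"ts": "2024-05-06T14:00:10", "user": "dave",  "src": "10.1.1.50", "ok": False},
    {"ts": "2024-05-06T14:00:20", "user": "dave",  "src": "10.1.1.50", "ok": False},
    {"ts": "2024-05-06T14:00:30", "user": "dave",  "src": "10.1.1.50", "ok": False},
    {"ts": "2024-05-06T14:00:40", "user": "dave",  "src": "10.1.1.50", "ok": False},
]


def _load(records):
    """Parse timestamps and sort chronologically so window logic can assume order."""
    return sorted(({**r, "ts": datetime.fromisoformat(r["ts"])} for r in records),
                  key=lambda r: r["ts"])


def off_hours_logons(records, start=time(8, 0), end=time(18, 0)):
    """Use case 1: successful logons outside business hours or on a weekend."""
    out = []
    for r in _load(records):
        if not r["ok"]:
            continue
        weekend = r["ts"].weekday() >= 5
        if weekend or not (start <= r["ts"].time() < end):
            out.append({"user": r["user"], "ts": r["ts"],
                        "reason": "weekend" if weekend else "off-hours"})
    return out


def failed_logon_bursts(records, window=timedelta(minutes=1), threshold=5):
    """Use case 1: repeated failures for one account from one source in a short window."""
    per_key = defaultdict(list)
    for r in _load(records):
        if not r["ok"]:
            per_key[(r["user"], r["src"])].append(r["ts"])
    alerts = []
    for (user, src), stamps in per_key.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "src": src, "failures": end - start + 1})
                break
    return alerts


def shared_account_logons(records, window=timedelta(minutes=10), min_sources=2):
    """Use case 2: one account logging on from several sources inside a window."""
    per_user = defaultdict(list)
    for r in _load(records):
        if r["ok"]:
            per_user[r["user"]].append(r)
    alerts = []
    for user, evs in per_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            sources = {e["src"] for e in evs[start:end + 1]}
            if len(sources) >= min_sources:
                alerts.append({"user": user, "sources": sorted(sources)})
                break
    return alerts


if __name__ == "__main__":
    print("off-hours:", off_hours_logons(SAMPLE_LOGONS))
    print("bursts:", failed_logon_bursts(SAMPLE_LOGONS))
    print("shared:", shared_account_logons(SAMPLE_LOGONS))
```

The shared-account rule deliberately counts only successful logons: failures from many sources against one account are a different signal (password spraying or brute force) and belong with the burst rule, where the account and source are kept together in the key.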

Critical Controls and SIEM

Critical Control 1: Inventory of Authorized and Unauthorized Devices

SIEM can correlate user activity with user rights and roles to detect violations of least privilege enforcement, which is required by this control.

Critical Control 2: Inventory of Authorized and Unauthorized Software

SIEM should be used as the inventory database of authorized software products for correlation with network and application activity.

Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

Known vulnerabilities are still a leading avenue for successful exploits. If an automated device scanning tool discovers a misconfigured network system during a Common Configuration Enumeration (CCE) scan, that misconfiguration should be reported to the SIEM as a central source for these alerts. This helps with troubleshooting incidents as well as improving overall security posture.

Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Any misconfiguration on network devices should also be reported to the SIEM for consolidated analysis.

Critical Control 5: Boundary Defense

Network rule violations, like CCE discoveries, should also be reported to one central source (a SIEM) for correlation with the authorized inventory data stored in the SIEM.

Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

Control 6 is basically a control about SIEMs, which are a leading means for collecting and centralizing critical log data; in fact, there is even a subcontrol for analysis that studies SIEM specifically. SIEMs are the core analysis engine that can analyze log events as they occur.

Critical Control 7: Application Software Security

Like CCE scan results, vulnerabilities that are discovered in software applications should also be reported to a central source where these vulnerabilities can be correlated with other events concerning a particular system. SIEMs are a good place to store these scan results and correlate the information with network data, captured through logs, to determine whether vulnerabilities are being exploited in real time.

Critical Control 8: Controlled Use of Administrative Privileges

When the principles of this control are not met (such as an administrator running a web browser or unnecessary use of administrator accounts), SIEM can correlate access logs to detect the violation and generate an alert.

Critical Control 9: Controlled Access Based on Need to Know

SIEM can correlate user activity with user rights and roles to detect violations of least privilege enforcement, which is required by this control.

Critical Control 10: Continuous Critical Control

SIEM can correlate vulnerability context with actual system activity to determine whether vulnerabilities are being exploited.

Source: GBHackers


Founder and Editor-in-Chief of ‘Professional Hackers India’. Technology Evangelist, Security Analyst, Cyber Security Expert, PHP Developer and Part time hacker.