SIEM Plus Correlation = Security?


Whether you're working out of a SANS 20 Security Best Practices strategy, or operating with an auditor for SOX compliance or QSA for PCI compliance, then you'll be employing a logging alternative.
Maintaining an audit trail of key safety events is the only way to comprehend what'routine' operation resembles. Why is this significant? As it's only once you have this apparent which you could start to determine irregular and irregular activity that could be signs of a security violation. Better yet, when you've got that image of how things ought to be if everything is secure and normal, a smart log evaluation method, aka SIM or SIEM, may automatically evaluate events, occasion volumes and routines to judge your behalf when there's possibly something fishy happening.
Safety Threat or Possible Security Event?
The guarantee of SIEM systems is that when you've installed these systems, you can get on with your day job and when any safety incident happens, it is going to allow you to know about it and also everything you want to do so as to look after it.
The latest'must have' attribute set is significance, but this has to be among the most popular and abused technologies term ever!
The idea is simple: isolated events that are possible security events (by way of instance,'IPS Intrusion Detected occasion') are noteworthy but less crucial as viewing a series of events, all connected by precisely the exact same session, as an instance, an IPS Alert, followed by Failed Logon, followed with a Powerful Admin Logon.
Actually, these innovative, authentic correlation rules are seldom that successful. If you're not in a really busy security bridge scenario, with a business containing thousands of apparatus, regular single event/single alert operation ought to function well enough for you.
By way of instance, in the situation above, it ought to be the case you do N'T have many intrusion alarms from your IPS (in case you do, then you actually must check over your firewalling and IPS defenses since they are not providing enough security ). Similarly if you're receiving any unsuccessful logins from remote users to crucial apparatus, you need to place your time and effort into a much better network layout and firewall setup rather than experimenting with'smart, clever' significance principles. It is the KISS* principle employed to safety event management.
Therefore, if you do get any of those crucial alerts from the IPS, then this should be sufficient to initiate a crisis evaluation, instead of waiting till you determine if the intruder is effective at forcing a logon to your hosts (in which time it's too late to go off any manner!)
Correlation rules perfected - however, that the machine has already been hacked...
Actually, think about this last step further, as it's where safety best practices deviate sharply from the SIEM Product Managers pitch. Everybody knows that prevention is far better than cure, so why is there a lot of hype surrounding the demand for connected SIEM occasions? Certainly the focus must be on protecting our Info Assets instead of executing a costly and complex appliance that might or might not sound an alarm when programs are under assault?
Safety Best Practices will inform you that you have to implement - entirely - the fundamentals. The simplest and most accessible security best practice would be to harden systems, then run a strong change management procedure.
By removing known vulnerabilities out of the systems (mostly configuration-based vulnerabilities however, needless to say, software-related security flaws also through patching) you supply a essentially well-protected system. Layer up other protection measures also, like anti virus (faulty as a thorough defense system, but nevertheless useful from the mainstream malware hazard ), firewalling using IPS, and naturally, all underpinned by real-time document integrity monitoring and logging, to ensure when any infiltration does happen, you'll be able to know about it instantly.
Contemporary SIEM solutions provide much promise as THE smart security protection system. But, the proof of ever-increasing quantities of effective security breaches inform us that there's never likely to become a'silver bullet' for protecting our IT infrastructure. Automation and tools can help naturally, but real security for systems just comes from working security best practices with the required knowledge and subject to expect the unexpected.

*KISS - Keep It Super Simple