

Whether you’re working with a SANS 20 security best practice approach or with an auditor for SOX compliance or QSA for PCI compliance, you’ll implement a logging solution.

Keeping an audit trail of key security events is the only way to understand what “regular” operation looks like. Why is this important? Because only when you are clear about this can you begin to identify irregular and unusual activities that could be evidence of a security breach. Better yet, once you have that picture of how things look when everything is normal and safe, an intelligent log analytics system, also known as a SIM or SIEM, can automatically evaluate events, event volumes, and patterns, and judge on your behalf whether something is potentially suspicious.

Security threat or potential security event? Only with event correlation!

The promise of SIEM systems is that once you have one of these systems installed, you can go about your day to day work, and if any security incidents occur, it will tell you about it and what you need to do to fix it.

The last set of ‘must have’ features is correlation, but this has got to be one of the most used and abused tech terms ever!

The concept is simple: isolated events that are potential security incidents (e.g. an ‘IPS Intrusion Detection Event’) are notable, but not nearly as critical as seeing a sequence of events all correlated by the same session, e.g. an IPS alert, followed by a failed login, followed by a successful admin login.

In reality, these true and advanced correlation rules are rarely that effective. Unless you are in a very high-threat environment, with an enterprise consisting of thousands of devices, the standard single event/single alert operation should work well enough for you.

For example, in the scenario above, it should be the case that you do NOT have many intrusion alerts from your IPS (if you do, you really need to look at your firewall and IPS defenses, as they do not provide enough protection). Similarly, if you’re getting failed remote user logins to critical devices, you should spend your time and effort on better network design and firewall configuration rather than experimenting with ‘smart’ correlation rules. It is the KISS* principle applied to the management of security events.

As such, when you receive one of the critical alerts from the IPS, this should be enough to launch an emergency investigation, rather than waiting to see if the intruder succeeds in brute-forcing a login to one of your hosts (by which point it’s too late to keep them out anyway!)
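To make the contrast concrete, here is an added example (not from the original post) that runs both approaches over a handful of constructed SIEM records: the single event/single alert rule that fires on every IPS alert, and a correlation rule that only fires when the full IPS alert → failed login → successful admin login sequence is seen from one source within a time window. Event types, addresses and the window length are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data): normalised as (timestamp, source, event type).
# The source address is what ties the events of one session together.
EVENTS = [
    ("2024-01-01T10:00:00", "203.0.113.7", "ips_alert"),
    ("2024-01-01T10:00:20", "203.0.113.7", "login_failed"),
    ("2024-01-01T10:00:45", "203.0.113.7", "admin_login_success"),
    ("2024-01-01T10:03:00", "198.51.100.9", "login_failed"),
    ("2024-01-01T10:04:00", "198.51.100.9", "admin_login_success"),
    ("2024-01-01T11:00:00", "192.0.2.4", "ips_alert"),
]

# The correlated sequence described in the text.
SEQUENCE = ("ips_alert", "login_failed", "admin_login_success")


def single_event_alerts(events, critical=frozenset({"ips_alert"})):
    """KISS operation: every critical event is an alert in its own right."""
    return [(ts, src, kind) for ts, src, kind in events if kind in critical]


def correlated_alerts(events, sequence=SEQUENCE, window_seconds=300):
    """Fire only when the whole sequence is seen from one source inside the window."""
    window = timedelta(seconds=window_seconds)
    # Per source: index of the next expected step and the time the first step was seen.
    progress = defaultdict(lambda: (0, None))
    alerts = []
    for ts_str, src, kind in sorted(events):      # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_str)
        idx, started = progress[src]
        if started is not None and ts - started > window:
            idx, started = 0, None                # window expired: forget partial matches
        if kind == sequence[idx]:
            started = started or ts
            idx += 1
            if idx == len(sequence):              # full chain observed
                alerts.append((src, started.isoformat(), ts_str))
                idx, started = 0, None
        progress[src] = (idx, started)
    return alerts


if __name__ == "__main__":
    print("single-event alerts:", single_event_alerts(EVENTS))
    print("correlated alerts:  ", correlated_alerts(EVENTS))
```

On this sample the single-event rule raises the IPS alert from 192.0.2.4 as soon as it appears, whereas the correlation rule says nothing about that source, and for 203.0.113.7 it only speaks up once the admin login has already succeeded.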

Perfected correlation rules, but the system has already been hacked…

In fact, dwell on this last point, as this is where security best practices deviate dramatically from the discourse of SIEM product managers. Everyone knows that prevention is better than cure, so why is there so much hype around the need for correlated SIEM events? Surely the focus should be on protecting our information assets rather than deploying an expensive and complicated device that may or may not sound an alarm when systems are under attack.

Security best practices will tell you to implement, thoroughly, the basics. The easiest and most available security best practice is to harden systems and then operate a robust change management process.

By removing known vulnerabilities from your systems (mainly configuration-based vulnerabilities but of course software-related security weaknesses through patching as well), you provide a fundamentally well-protected system. Increase other defense measures as well, such as antivirus (flawed as a comprehensive defense system, but still useful against the conventional malware threat), firewall with IPS, and of course, all backed by real-time file integrity monitoring and logging, so if any infiltration occurs, you’ll know immediately.


Contemporary SIEM solutions offer much promise as THE intelligent security defense system. However, experience and evidence from an increasing number of successful security breaches tell us that there will never be a ‘magic bullet’ to defend our IT infrastructure. Tools and automation can help, of course, but genuine security for systems only comes from operational security best practices with the awareness and discipline to expect the unexpected.

*KISS – Keep it Super Simple
