As its name suggests, the main function of a SIEM is Event management. The SIEM solution once implemented completely & effectively will have complete visibility over an organization’s network.
This helps administrators, SIEM operators to monitor network activity in their infrastructure. But interestingly, one can categorize various assets(network devices & services) so that the monitoring ability of the SIEM can be tweaked to a large extent. The SIEM tool can generate alerts & incidents based on specific co-relation rules. For eg: If a Port Scan is initiated against a system, the SIEM generates a Port Scan Alert with all details like Source & Destination, port numbers etc. This helps the organization to find incidents or hacking attempts in near-Real Time.
How the SIEM works?
You may have noticed the word “Co-Relation” in the previous paragraph. Yes, for the question How the SIEM works, the one-stop answer is a co-relation. But not that alone of course. Basically, a SIEM tool collects logs from devices present in the Organization’s infrastructure. Some solutions also collect NetFlow and even raw packets.
With the collected data(mainly logs, packets), the tool provides an insight into the happenings of the network. It provides data on each event occurring in the network and thus acts as a complete centralized security monitoring system.
In addition to this, the SIEM tool can be configured to detect specific incident. For example, a user is trying to log in to an AD server. For first 3 times the authentication failed and the 4th time it succeeded.
Now, this is an incident to look up on. There are many possibilities. Maybe a person is trying to guess the password of another user and got it right, which is a breach. Or maybe if the user forgot his password but got it right at the end and so on. This is where co-relation comes in.
For such a case, a co-relation rule can be made in such a way that, If an authentication failure event is happening 3 times consecutively followed by a success in a specific time period, then alert pops up. This can be further investigated further by analyzing the logs from respective machines. So my definition of co-relation is: “ It is the rule which aggregates events into an incident which is defined by specific application or scenario.”
How logs reach the SIEM?
Logs are fetched to the SIEM in two different ways. Agent-based & Non-Agent based. In agent-based approach, a log pushing agent is installed in the client machine from which the logs are collected. Then this agent is configured to forward logs into the solution. In the latter type, the client system sends logs on its own using a service like syslog or Windows Event Collector service etc. There are also specific applications & devices which can be integrated through a series of vendor specific procedures.
How exactly would the SIEM raise an alert?
Well, now you know that the logs from different devices are being forwarded into the SIEM. Take an example: A port scan is initiated against a specific machine. In such a case, the machine would generate a lot of unusual logs. Analysing the logs, it will be clear that a number of connection failures are occurring at different ports in regular intervals.
Seeing packet information if possible, we can detect the SYN requests being sent from the same IP to the same IP but to different ports in regular intervals. That concludes that somebody initiated an SYN scan against our asset. The SIEM automates this process and raises alerts. Different solutions do this in different ways but produce same results.
The Business impact of SIEM Solution
This is one of the topics for which long-standing discussions were conducted & still now a complete & clear solution has not yet arrived. The question is “Why to spend a huge amount of money for something which returns nothing ?” Well, what do you think about it? Does SIEM solution give you something? Well yes! Nowadays SIEM solutions are evolving in a way, not only to protect an IT-Infrastructure but also to identify the business risks rising from the IT-Infrastructure.
Even there is a separate strategy know as GRC, the IT-Governance Risk & Compliance. This integrates & relates technological aspects of IT-security(like DOS attacks) using SIEM solutions with the business aspect(the asset being attacked & approximate loss, reporting to asset manager). Such strategies bring different departments & professionals(like SOC Operators/Managers, CISO, Financial Consultants, CXOs etc) under one dashboard. This is done by integrating different solutions together. For eg: The Alerts & incidents from SIEM is forwarded BPM(Business Process Management) solution by the CISO identifying & co-relating the technical and business impacts. Consider a simple scenario, lets’ take the same DDOs attack against an e-banking website(webserver).
The solution first identifies the attack and the Operators/Analysts report it to their manager/CISOs. The managers & CISOs dig more technical info on the nature of the attack(specs like Source country, no of sessions etc). Based on this they identify how much loss would it be if the webserver would be down for specific time(say 30mins).
Now they report the technical details, suggestions, and steps to initiate to the firewall/IDS-IPS & webserver teams. Then they report to the Senior Management & Financial Managers about the loss they would have to suffer if action is not taken.
If management is satisfied, they take a decision & give approval to the Firewall/IDS-IPS & webserver teams to take action. They would take action and the webserver would have downtime for some 5 mins only. So the webserver resources are saved but ultimately money is also saved & customer satisfaction is sustained.
So the point here is nowadays, SIEM solutions can adapt according to the way you want. This whole process described can be automated by integrating different solutions. The above scenario is only a simple case but the approach is same in all situations. At the end of the day, money is what matters, but sadly nobody still recognise the financial impact of IT-Security.
SIEM & Compliance
Apart from alerting and incident response, SIEM helps an organization in Compliance & Regulatory matters too. For all major compliance like ISO 27001, HIPAA, PCI, log retention is an important criteria. For example, in ISO27001 there is a control for Logging & Monitoring(A – 12.4), which suggests that all Event Logs, user activities, security events should be logged an archived with a proper time-stamp
The logs should also be protected from unauthorized access, tampering etc. There is a list of controls to be in place in order to be properly compliant. Here SIEM can help. As said earlier, the siem tool collects logs from different devices and keeps them in its reserves.
So it can act as a centralized log collecting server. Plus, the tool keeps all the logs with proper time-stamps, and archives it to it’s bulk storage with no loss of integrity. So this helps with the controls in various standards.
To wrap up, there are a whole lot of benefits by implementing a SIEM solution in an Enterprise. But sadly many organizations consider the SIEM a waste of money.
But, it is because they are not realizing the fact that SIEM can not only protect your network & assets but also your business. Plus nowadays, you can integrate almost anything into the SIEM tool like servers, custom applications, network devices, end-user devices, smartphones, management & collaboration solutions etc. This gives the concerned personnel, a clear view of the insights of their own organization.
They can have an overview of their own system and they can keep on changing for better results. Even some siems have malware analysis capabilities, vulnerability assessment functionalities which makes it a centralized security server providing multiple functions simultaneously.