SIEM in the Age of Digital Transformation, Part 2

June 7, 2016

Featured article by Dr. Partha Bhattacharya, Chief Technology Officer at AccelOps

In the first of this two-part series, we examined the current SIEM market and factors to consider before selecting a SIEM solution for your network. The second article focuses on what it means to have cybersecurity through visibility, as well as how advanced threat detection, threat intelligence integration and other elements can spell success or disaster for your SIEM strategy.

Integrating Threat Intelligence

Threat intelligence is the industry's catchphrase of the moment because of its promise to connect external threat sources directly to the SIEM. Many solutions claim the capability but can only pull a list of malicious IP addresses, whereas best practice is to ingest richer context: malware domains, malware IPs, file hashes, Tor exit nodes and VPN/proxy ranges, each carrying its source, a confidence score and an expiry. A bare IP match tells an analyst little on its own; a host that resolves a listed domain, connects to a listed address and then runs a binary with a listed hash is a finding. Important components of threat intelligence integration include:

– Ability to schedule the download of threat intelligence feeds, so that new indicators arrive and stale ones expire without manual work

– APIs for integrating any external threat intelligence source, paid or free

– Capability to match events and run rules against the indicator set at full event rate, without slowing ingestion
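The matching step described above, as an added example (not AccelOps code): a normalized feed is loaded into hash-keyed indexes so each event is checked in constant time, subdomains of a listed domain still match, low-confidence indicators are dropped, and hits are summarized per host so an analyst sees which hosts matched several kinds of indicator across several log sources. Feed entries, hostnames and events are constructed; the addresses are documentation ranges and the hash is a dummy value.

```python
"""Matching SIEM events against a threat-intelligence feed (added example).

Feed entries, hostnames and log events are constructed for illustration; the
addresses are RFC 5737 documentation ranges and the hash is a dummy value.
"""
import ipaddress
from collections import defaultdict

# Constructed feed as a scheduled download might deliver it after normalisation:
# one indicator per entry with its type, source and a confidence score.
THREAT_FEED = [
    {"type": "ip", "value": "203.0.113.45", "source": "feed-a", "confidence": 90, "tag": "c2"},
    {"type": "cidr", "value": "198.51.100.0/24", "source": "feed-b", "confidence": 60, "tag": "tor-exit"},
    {"type": "domain", "value": "bad.example", "source": "feed-a", "confidence": 80, "tag": "malware-domain"},
    {"type": "sha256", "value": "0123456789abcdef" * 4, "source": "feed-c", "confidence": 95, "tag": "dropper"},
    {"type": "ip", "value": "192.0.2.9", "source": "feed-d", "confidence": 20, "tag": "scanner"},
]

# Constructed events from several log sources, already parsed into fields.
EVENTS = [
    {"log": "dns", "host": "ws-017", "query": "cdn.bad.example."},
    {"log": "firewall", "host": "ws-017", "dst_ip": "203.0.113.45", "dst_port": 443},
    {"log": "proxy", "host": "ws-022", "dst_ip": "198.51.100.77", "url": "http://198.51.100.77/"},
    {"log": "edr", "host": "ws-017", "sha256": "0123456789ABCDEF" * 4},
    {"log": "dns", "host": "ws-030", "query": "www.example.com"},
    {"log": "firewall", "host": "ws-041", "dst_ip": "192.0.2.9", "dst_port": 22},
]

# Event fields and the indicator type each one is checked against.
FIELD_KINDS = {"dst_ip": "ip", "src_ip": "ip", "query": "domain", "sha256": "sha256"}


class IndicatorIndex:
    """Hash-keyed index: O(1) per lookup for IPs, domains and hashes, plus a
    linear scan of CIDR ranges (use a prefix tree for large range lists)."""

    def __init__(self, feed, min_confidence=50):
        self.ips, self.nets, self.domains, self.hashes = {}, [], {}, {}
        for ind in feed:
            if ind["confidence"] < min_confidence:
                continue  # low-confidence indicators mostly generate noise
            kind, value = ind["type"], ind["value"]
            if kind == "ip":
                self.ips[ipaddress.ip_address(value)] = ind
            elif kind == "cidr":
                self.nets.append((ipaddress.ip_network(value), ind))
            elif kind == "domain":
                self.domains[value.lower().rstrip(".")] = ind
            elif kind == "sha256":
                self.hashes[value.lower()] = ind

    def lookup_ip(self, text):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            return None  # field was not an address; not a match
        if addr in self.ips:
            return self.ips[addr]
        return next((ind for net, ind in self.nets if addr in net), None)

    def lookup_domain(self, name):
        # Walk from the full name up towards the registered domain so that a
        # subdomain of a listed domain still matches; the bare TLD is never tried.
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            ind = self.domains.get(".".join(labels[i:]))
            if ind:
                return ind
        return None

    def lookup_hash(self, digest):
        return self.hashes.get(digest.lower())

    def lookup(self, kind, value):
        return {"ip": self.lookup_ip, "domain": self.lookup_domain,
                "sha256": self.lookup_hash}[kind](value)


def match_events(events, index):
    """Return one hit per (event, field) that matches an indicator."""
    hits = []
    for ev in events:
        for field, kind in FIELD_KINDS.items():
            value = ev.get(field)
            if value is None:
                continue
            ind = index.lookup(kind, value)
            if ind is not None:
                hits.append({"host": ev["host"], "log": ev["log"], "field": field,
                             "value": value, "tag": ind["tag"], "source": ind["source"]})
    return hits


def hosts_by_tag(hits):
    """Which hosts matched which kinds of indicator: a host with several distinct
    tags across several log sources is the one to investigate first."""
    seen = defaultdict(set)
    for hit in hits:
        seen[hit["host"]].add(hit["tag"])
    return {host: sorted(tags) for host, tags in seen.items()}


if __name__ == "__main__":
    hits = match_events(EVENTS, IndicatorIndex(THREAT_FEED))
    for hit in hits:
        print(f"{hit['host']:7} {hit['log']:9} {hit['field']}={hit['value']} -> {hit['tag']} ({hit['source']})")
    print(hosts_by_tag(hits))
```

With this input the host ws-017 matches a domain, an IP and a hash from three different log sources, while the proxy hit on a Tor exit range for ws-022 stands alone; the scanner indicator at confidence 20 never fires. The per-event cost does not grow with feed size, which is what "matching at full event rate" requires.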

Holistic Support

To conduct comprehensive root-cause analysis, full visibility of every network-attached device and asset is needed, and that goes well beyond switches, routers and firewalls. Some SIEM solutions stop at log analysis alone. Holistic support should cover:

– Network security devices and applications

– Servers for all applications

– All network, storage and environmental devices

– User-facing applications and cloud applications

– Performance monitoring

– Configuration change monitoring

– Infrastructure services, cloud infrastructure (IaaS, PaaS) and virtualization infrastructure

Compliance and Log Management

There’s seemingly no end to the list of regulations and frameworks to keep up with: NERC CIP, FISMA, ISO 27001, PCI DSS, HIPAA, SOX, GLBA, GPG 13 and the CIS (formerly SANS) Critical Security Controls, to name a few. To pass an audit, organizations need evidence of their performance against each standard, and the reports must be detailed enough to answer the pointed questions an auditor will ask about specific controls. Many vendors claim reporting capabilities, but many also require prolonged and costly professional services engagements to produce them. Your SIEM solution should provide these reports out of the box, as standard. At a minimum, make sure the solution you choose can:

– Detect unauthorized network device and application configuration changes and correlate them with security events

– Detect rogue devices on the network

– Recursively drill down with filters to find a specific event or endpoint

– Detect devices still using vendor default credentials, by matching against an extensible default-password library

Cross-correlation to Detect Threats

Behavioral attack patterns show up across log sources: network flow, firewall logs, DNS logs, web proxy logs and so on. A SIEM solution should be able to detect patterns within each of those sources, but once that baseline criterion is met, capabilities vary widely. The value comes from correlating across sources; a DNS query for a suspicious domain means far more when the same host then opens a connection to the resolved address. Consider the importance of cross-correlation with:

– Availability and performance monitoring correlated with device log data, in real time

– Statistical anomaly detection against a learned baseline, rather than fixed thresholds alone

– Threats tracked over time and matched against watch lists
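The second and third points above combined, as an added example that is not AccelOps code: failed-logon counts for the current hour are parsed from constructed log lines, scored as a z-score against a constructed per-host baseline, and any host that is both anomalous and already on a watch list is raised to high severity. The sigma floor, the threshold of 3 and the handling of hosts with no history are the kind of details that separate a usable detector from an alert storm; a real deployment would also keep baselines per hour of day and day of week.

```python
"""Statistical anomaly detection on per-host event rates, cross-correlated
with a watch list (added example). Baselines, log lines and the watch list
are constructed for illustration.
"""
import re
import statistics
from collections import Counter

# Constructed baseline: failed logons per hour, per host, over a recent window.
# A real deployment keeps a longer history, ideally per hour of day.
BASELINE = {
    "ws-017": [2, 1, 0, 3, 2, 1, 2, 0, 1, 2, 3, 1],
    "ws-022": [0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0],
    "srv-db1": [5, 6, 4, 7, 5, 6, 5, 4, 6, 5, 7, 6],
}

# Constructed watch list built from earlier findings (e.g. threat-intelligence hits).
WATCHLIST = {"ws-017": "contacted a listed C2 address on 2016-06-06"}

# Constructed authentication log lines for the hour being scored: a burst of 25
# failures on ws-017, ordinary noise elsewhere, and a host with no history.
AUTH_LOG = (
    [f"2016-06-07T14:{m:02d}:05 host=ws-017 event=auth_failure user=svc_backup" for m in range(0, 50, 2)]
    + ["2016-06-07T14:03:44 host=ws-022 event=auth_failure user=bob",
       "2016-06-07T14:10:00 host=srv-db1 event=auth_failure user=app",
       "2016-06-07T14:10:01 host=srv-db1 event=auth_success user=app",
       "2016-06-07T14:12:30 host=srv-db1 event=auth_failure user=app",
       "2016-06-07T14:30:00 host=ws-099 event=auth_failure user=eve"]
)

LINE_RE = re.compile(r"host=(\S+) event=(\S+)")


def count_failures(lines):
    """Failed logons per host in the given lines."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group(2) == "auth_failure":
            counts[m.group(1)] += 1
    return counts


def score(count, history, sigma_floor=1.0):
    """z-score of the current count against the host's history. Quiet hosts have
    a standard deviation near zero, so a floor keeps one extra failure from
    scoring as a many-sigma event."""
    mean = statistics.mean(history)
    sigma = max(statistics.pstdev(history), sigma_floor)
    return (count - mean) / sigma


def detect_anomalies(lines, baseline, watchlist, threshold=3.0):
    """Flag hosts whose failure count is more than `threshold` sigma above their
    baseline; hosts never seen before have no baseline and are reported as low."""
    findings = []
    for host, count in count_failures(lines).items():
        if host not in baseline:
            findings.append({"host": host, "count": count, "z": None,
                             "severity": "low", "reason": "no baseline for host"})
            continue
        z = score(count, baseline[host])
        if z < threshold:
            continue
        # Cross-correlation: an anomaly on a host that is already on the watch
        # list is a stronger signal than either observation alone.
        severity = "high" if host in watchlist else "medium"
        reason = f"{count} failures vs mean {statistics.mean(baseline[host]):.1f}"
        if host in watchlist:
            reason += "; on watch list: " + watchlist[host]
        findings.append({"host": host, "count": count, "z": round(z, 1),
                         "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(AUTH_LOG, BASELINE, WATCHLIST):
        print(finding)
```

On this input only ws-017 crosses the threshold (25 failures against a mean of 1.5), and because it is on the watch list the finding is high severity; ws-022's single failure scores well under one sigma thanks to the floor, and ws-099 is reported only as a host with no history.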

Managing Notifications and Incidents

Plowing through the notification and alert storm drags down the IT team’s productivity, and alerts that nobody reads are worse than none. Many SIEM solutions today claim to alleviate this burden, but do they hit the mark? Features that genuinely help include:

– The ability to trigger a remediation script when an incident occurs (with care: an automated action that fires on a false positive can cause an outage of its own)

– A policy-based incident notification framework

– An automatically discovered and continuously updated CMDB with dependency mapping

– Built-in support for common third-party ticketing systems

Monitoring for Availability and Performance

Early detection of availability and performance issues is critical because they are often the first visible symptom of a security incident: a saturated link, a server pinned at full CPU or a database that has suddenly slowed down can each be an attack rather than a fault. These capabilities will help meet that goal:

– The ability to correlate availability monitoring with log analysis and security monitoring

– Hardware and environmental monitoring

– A maintenance calendar for accommodating maintenance windows so that they do not trigger alerts and alarms unnecessarily

Metrics at the system level are needed, and it’s critical to have virtualization monitoring for the prevalent VMware and Hyper-V environments at the guest, host, resource pool and cluster levels. Other aspects of performance monitoring to consider are:

– Flow analysis and application performance

– Storage usage and performance monitoring

– Microsoft Active Directory and Exchange via WMI and PowerShell

– The ability to add custom metrics

– VoIP infrastructure via IP SLA, SNMP and CDR/CMR

Monitoring for Configuration Changes

Unauthorized changes often lead to security issues. Collecting network configuration files into a versioned repository is essential: it gives you a known-good baseline to diff the running configuration against, and a history that answers "what changed, and when" during an investigation. Make sure your SIEM solution is able to:

– Detect Windows registry changes, as well as drift from an approved configuration baseline

– Collect currently installed software versions and store them in a versioned repository

– Detect attempted and actual changes in network configuration and installed software
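The baseline-and-diff approach described above, as an added example that is not AccelOps code: the collected running configuration is fingerprinted and stored in a versioned repository only when it has actually changed, then diffed against the approved version, and the added and removed lines are scanned for patterns a security reviewer would want raised. The two configurations use a constructed Cisco IOS-like syntax, and the risk patterns are a small constructed starting set that a real deployment would extend per platform and policy.

```python
"""Configuration drift detection against a versioned, approved baseline
(added example). Configurations and risk patterns are constructed.
"""
import difflib
import hashlib
import re

APPROVED_CONFIG = """\
hostname edge-fw-1
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
!
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq 443
 deny ip any any log
!
snmp-server community ReadOnlyString RO
!
line vty 0 4
 transport input ssh
"""

# The configuration as collected from the device: three unapproved changes
# (the logged deny replaced by any/any, a default SNMP community, telnet enabled).
RUNNING_CONFIG = APPROVED_CONFIG.replace(
    " deny ip any any log", " permit ip any any").replace(
    "ReadOnlyString", "public").replace(
    "transport input ssh", "transport input ssh telnet")

# Lines whose appearance (+) or disappearance (-) in a diff warrants attention.
RISKY_ADDED = [
    (re.compile(r"^\s*permit ip any any"), "critical", "any/any permit added to an ACL"),
    (re.compile(r"^snmp-server community (public|private)\b"), "critical", "default SNMP community string"),
    (re.compile(r"^\s*transport input .*\btelnet\b"), "high", "telnet enabled on management lines"),
]
RISKY_REMOVED = [
    (re.compile(r"^\s*deny ip any any log"), "high", "explicit logged deny removed"),
    (re.compile(r"^logging host"), "medium", "syslog destination removed"),
]


def fingerprint(text):
    return hashlib.sha256(text.encode()).hexdigest()


def store_version(repo, text):
    """Append to the versioned repository (a list of (digest, text)) only when
    the content actually changed; returns (digest, stored)."""
    digest = fingerprint(text)
    if repo and repo[-1][0] == digest:
        return digest, False
    repo.append((digest, text))
    return digest, True


def config_diff(approved, running):
    return list(difflib.unified_diff(approved.splitlines(), running.splitlines(),
                                     fromfile="approved", tofile="running", lineterm=""))


def review_diff(diff_lines):
    """Scan added and removed lines for risky patterns; headers are skipped."""
    findings = []
    for line in diff_lines:
        if line.startswith(("+++", "---", "@@")):
            continue
        if line.startswith("+"):
            rules = RISKY_ADDED
        elif line.startswith("-"):
            rules = RISKY_REMOVED
        else:
            continue  # unchanged context line
        for pattern, severity, why in rules:
            if pattern.search(line[1:]):
                findings.append({"severity": severity, "change": line.strip(), "why": why})
    return findings


def check_device(repo, approved, running):
    """Store the collected config, then report drift from the approved version."""
    digest, _ = store_version(repo, running)
    if digest == fingerprint(approved):
        return []  # running config matches the approved baseline exactly
    return review_diff(config_diff(approved, running))


if __name__ == "__main__":
    repo = []
    for finding in check_device(repo, APPROVED_CONFIG, RUNNING_CONFIG):
        print(f"[{finding['severity']}] {finding['change']}: {finding['why']}")
```

The diff yields four findings for the three edits: the ACL change is reported both as a removed logged deny and as an added any/any permit, which is what you want, since either half on its own is worth a look. Comparing digests before diffing keeps the repository and the alert queue free of no-change collections.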

Greater Visibility, Greater Security

Networks are faced with a non-stop barrage of attacks, so it makes sense that the SIEM market is hot; it’s a trend that is only going to increase. Be wary of SIEM vendors who are quick to make claims they cannot deliver. The best way to be sure is to clearly define and prioritize your organization’s needs, your IT department’s needs, your own needs and then use those to clearly define and prioritize your SIEM requirements. Your prioritized requirements will help you to narrow down the SIEM vendors who appear to meet those requirements, and then ask each to provide a proof of concept demonstration to allow you to perform a side-by-side, true apples-to-apples comparison of their respective feature sets.

In addition, steer clear of SIEM solutions that are married to hardware appliances. This set-up may work initially, but the appliances will not be able to process new and larger sources of data as SIEM software upgrades occur. Using a solution that is appliance-based makes scaling harder and creates greater management complexity. Fortunately, there are alternatives today in the form of software-based, virtual appliance solutions. They are built with scaling in mind and work in physical, virtual and cloud environments alike. This is what will provide the visibility you need to keep your entire network secure.

About the author:

Dr. Partha Bhattacharya is co-founder, chief technology officer and vice president of engineering at AccelOps. He has more than 20 years of experience in networking, security, database, system architecture and software development. Before AccelOps, he founded Protego Networks, where as CTO he created the award-winning MARS security appliance product line. After Protego’s acquisition by Cisco Systems, he led the Cisco team that extended the product’s capabilities to satisfy a global market. Before Protego, Partha was architect and technical lead at Cisco in charge of implementing the company’s security management infrastructure in the PIX, IOS, firewall, VPN, router and IDS products. Partha holds 15 patents and is the recipient of two IBM Outstanding Innovation Awards and a fellowship from the University of Maryland Systems Research Center. He holds a Ph.D. in electrical engineering from the University of Maryland.
