Introduction

Whether you are working from the SANS 20 security best practices approach, with an auditor for SOX compliance, or with a QSA for PCI compliance, you will end up implementing a logging solution.

Keeping an audit trail of key security events is the only way to understand what “normal” operation looks like. Why is this important? Because it is only when you are clear on this that you can begin to identify irregular and unusual activities that could be evidence of a security breach. Better yet, once you have that picture of how things should look when everything is normal and safe, an intelligent log analysis system, also known as a SIM or SIEM, can automatically evaluate events, event volumes, and patterns to judge on your behalf whether something suspicious may be happening.

Security threat or possible security event? Only with event correlation!

The promise of SIEM systems is that once you have one installed, you can carry on with your day-to-day work, and if a security incident occurs, the system will inform you about it and tell you what to do to take care of it.

The latest ‘must have’ feature is correlation, but this must be one of the most used and abused tech terms ever!

The concept is straightforward: isolated events that are possible security incidents (for example an ‘IPS Intrusion Detected’ event) are notable, but not as critical as seeing a sequence of events all correlated by the same session, for example an IPS alert, followed by a failed login, followed by a successful administrator login.

In reality, these advanced true correlation rules are rarely that effective. Unless you are in a very active security breach situation, with a business comprising thousands of devices, the standard single event / single alert operation should work well enough for you.

For example, in the above scenario, it should be the case that you do NOT have a lot of intrusion alerts from your IPS (if you do, you really need to look at your firewall and IPS defenses, as they are not providing enough protection). Likewise, if you get failed remote user logins to critical devices, you should spend your time and effort on better network design and firewall configuration rather than experimenting with ‘clever’ correlation rules. It is the KISS * principle applied to security event management.

As such, when you receive one of the critical alerts from the IPS, this should be enough to initiate an emergency investigation, rather than waiting to see whether the intruder succeeds in brute-forcing a login on one of your hosts (by which point it is too late anyway!).
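The two detection styles contrasted above, the article's own IPS alert → failed login → successful admin login chain versus the single event / single alert approach, as an added example that is not part of the original post. The event tuples, session names and the 300-second window are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample events (not from the post): (timestamp_seconds, session, event_type)
SAMPLE_EVENTS = [
    (100, "sess-A", "ips_alert"),
    (130, "sess-A", "login_failed"),
    (160, "sess-A", "login_success_admin"),
    (105, "sess-B", "login_failed"),           # no IPS alert first: chain never starts
    (140, "sess-B", "login_success_admin"),
    (200, "sess-C", "ips_alert"),              # IPS alert with no follow-up
]

# The correlated chain from the article, in order, within one session and one time window.
CHAIN = ("ips_alert", "login_failed", "login_success_admin")
WINDOW = 300  # assumed correlation window in seconds

def single_event_alerts(events, critical=("ips_alert",)):
    """KISS rule: every critical event is an alert on its own, the moment it is seen."""
    return [(ts, sess, kind) for ts, sess, kind in sorted(events) if kind in critical]

def correlated_alerts(events, chain=CHAIN, window=WINDOW):
    """Fire only when the whole chain is seen in order for one session inside the window.

    Returns (fire_timestamp, session) pairs. Note the alert can only fire on the LAST
    step, i.e. after the administrator login has already succeeded. Events in the
    session that are not the next expected step are ignored (simplification)."""
    progress = defaultdict(lambda: (0, None))  # session -> (next chain index, chain start ts)
    alerts = []
    for ts, sess, kind in sorted(events):
        idx, start = progress[sess]
        if start is not None and ts - start > window:
            idx, start = 0, None           # window expired: forget partial progress
        if kind == chain[idx]:
            if idx == 0:
                start = ts                 # chain begins at the first matching event
            idx += 1
            if idx == len(chain):
                alerts.append((ts, sess))  # full chain observed
                idx, start = 0, None
        progress[sess] = (idx, start)
    return alerts

def detection_lag(events):
    """Seconds the correlated alert trails the first single-event alert, per session."""
    first_single = {}
    for ts, sess, _ in single_event_alerts(events):
        first_single.setdefault(sess, ts)
    return {sess: ts - first_single[sess] for ts, sess in correlated_alerts(events)}
```

Run against the constructed events, the single-event rule raises at t=100 for sess-A (and at t=200 for sess-C), while the correlated rule raises once, for sess-A at t=160, after the admin login has already succeeded.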

The correlation rules have been refined, but the system has already been hacked …

Indeed, consider this last point further, as this is where security best practices drastically deviate from the discourse of SIEM product managers. Everyone knows that prevention is better than cure, so why is there so much excitement around the need for correlated SIEM events? Clearly, the focus should be on protecting our information assets rather than on implementing an expensive and complicated device that may or may not sound an alarm when systems are under attack.

Security best practices will tell you to implement the basics thoroughly. The easiest and most accessible security best practice is to harden systems and then operate a robust change management process.

By removing known vulnerabilities from your systems (mainly configuration-based vulnerabilities, but of course software-related security weaknesses as well, through patching), you provide a fundamentally well-protected system. This also incorporates other defense measures, such as antivirus (flawed as a comprehensive defense, but still useful against the main malware threat) and a firewall with IPS, all of course backed by file integrity monitoring and real-time logging, so that if there is any infiltration you will find out immediately.

Conclusion

Contemporary SIEM solutions make many promises as THE intelligent security defense system. However, experience and the evidence of an increasing number of successful security breaches tell us that there will never be a “silver bullet” to defend our IT infrastructure. Tools and automation can help, of course, but genuine security for systems only comes from operational security best practices, with the awareness and discipline to expect the unexpected.

* KISS – Keep it super simple
