Cyber attacks and network breaches can bring even the largest organizations to their knees. Recently, of course, we had the WannaCry ransomware attack, which not only highlighted the dire consequences of security vulnerabilities, but also reiterated the need for cutting-edge security software.
In my view, security administrators have the hardest job there is—when things are running smoothly they’re almost taken for granted, whereas when things go wrong they enter the spotlight. It’s a daily battle between security administrators and hackers in today’s IT landscape, and preventive security solutions aren’t going to be enough to secure your organization.
In this four-part blog series, my aim is to educate you on a must-have security solution in any enterprise: SIEM (security information and event management). We will look at the fundamental concepts of SIEM and hopefully give you an idea of how to go about evaluating a SIEM solution.
Broadly speaking, SIEM (pronounced “sim,” though I prefer saying “S-I-E-M”) involves collecting and analyzing security information from your entire network to give you a clear picture of what’s going on, and alerting you about security events of interest. This first part of the series is all about the basics.
Log management and SIEM
Log management centralizes the collection of log data from different systems in your organization, and it’s the basis of SIEM. So a SIEM solution taps the power of machine-generated log data to do its thing. As an IT pro, you know how powerful log data is. Logs are all-powerful; logs know it all. The invaluable details contained in log messages can help secure your network. But there’s a catch. Here’s what a log message might look like:
id=firewall sn=C0EAE47EE4D8 time="2016-03-28 10:55:47" fw=68.15.133.136 pri=1 c=512 m=522 msg="Malformed or unhandled IP packet dropped" sess=None n=47144 src=10.5.41.240:0:X0 dst=10.5.112.107:0:X0:03S-LDSRV3
This log message tells us that a connection was denied by the firewall. And if you get several such logs from your firewall for denied connections from the same source within a short period of time, a potential attack could be underway on your network.
Identifying such events can be challenging because the log messages—although typically human-readable—are too dense to parse. Not only that, but there might be variations in the log format from vendor to vendor for the same device type. A SonicWall log, as you may have seen, won’t look like a Juniper device log.
More importantly, once you collect and centralize the logs in your organization, you can’t possibly analyze them manually, because log data can be massive. Firewalls, intrusion detection systems, and intrusion prevention systems, for instance, can have EPS (events per second) in the thousands and effortlessly generate terabytes of log data, making it virtually impossible to handle without a SIEM solution.
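The check described above (several denied-connection logs from the same source within a short period), as an added example that is not from the original post or from any SIEM product: it parses key=value lines like the one shown and flags noisy sources. The sample lines are constructed, and the threshold of 3 drops in 60 seconds, the rule that a message containing "dropped" counts as a denial, and the ip:port:interface reading of the src field are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the key=value layout of the message above.
_T = 'id=firewall time="{}" pri=1 m=522 msg="{}" src={}:0:X0 dst=10.5.112.107:0:X0'
_DROP = "Malformed or unhandled IP packet dropped"
SAMPLE_LOGS = [
    _T.format("2016-03-28 10:40:00", _DROP, "10.5.41.17"),
    _T.format("2016-03-28 10:55:47", _DROP, "10.5.41.240"),
    _T.format("2016-03-28 10:55:52", _DROP, "10.5.41.240"),
    _T.format("2016-03-28 10:55:58", "Connection opened", "10.5.41.240"),
    _T.format("2016-03-28 10:56:01", _DROP, "10.5.41.240"),
    _T.format("2016-03-28 10:56:30", _DROP, "10.5.41.240"),
    _T.format("2016-03-28 10:58:00", _DROP, "10.5.41.17"),
    "truncated line with no usable fields",
]

PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse(line):
    """Split one log line into a dict, removing quotes around values."""
    return {key: value.strip('"') for key, value in PAIR.findall(line)}

def noisy_sources(lines, threshold=3, window=timedelta(seconds=60)):
    """Map source IP -> peak drop count, for sources reaching threshold in a window."""
    events = []
    for line in lines:
        f = parse(line)
        # Assumption: a message containing "dropped" marks a denied packet.
        if "dropped" not in f.get("msg", "").lower() or "src" not in f:
            continue
        try:
            ts = datetime.strptime(f.get("time", ""), "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # skip lines without a parseable timestamp
        events.append((ts, f["src"].split(":")[0]))  # assumed ip:port:interface
    recent, flagged = defaultdict(deque), {}
    for ts, ip in sorted(events):  # logs can arrive out of order
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, count in noisy_sources(SAMPLE_LOGS).items():
        print(f"{ip}: {count} dropped packets within 60 seconds")
```

A log from another vendor would need its own parsing rule before the same window logic could be applied, which is the normalization work a SIEM solution takes on.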
So, how do we get started?
You need to do two things. First, you need to tell the device which events should generate log entries. You obviously don’t want a log entry for every single routine event that occurs in your network—that would only increase the size of your log data.
For example, on your Windows machines, you can configure what is known as the local (or group) policy. For your Unix machines and network devices, you need to configure the Syslog service. And the same idea extends to applications as well.
It is important here to optimally configure the audit policy or logging service after analyzing your requirements because you want logs for the right set of events. Great! Now your devices are going to log events that concern you.
Second, you need a solution that collects all these log messages into a central location, which is what your SIEM tool does. We need this aggregation to give more context to security log data. This is because each individual security solution only gives a limited view of what is going on in your network, and centralizing log data from different sources provides deeper insights into network activity.
The SIEM solution uses this information to empower you with audit reports, which we will look at in the next post in this series. Your SIEM solution will also correlate events in real time to alert you about suspicious events, and also empower you with a log search engine for conducting a forensic investigation in the event of a security incident. We will be looking into this more in upcoming posts. Stay tuned!