In parts 1 and 2 of this blog series, we went over SIEM and its role in performing a thorough audit of your network. Now that we've got the basics out of the way, it's time to get into the tough stuff: mitigating security threats. After all, it's 2017 and cyber threats are rampant; you need to be in a position to combat them in order to secure your enterprise.
First, it's important to understand how attackers carry out attacks. Attackers exploit vulnerabilities in your network to breach your security, so the first step in threat mitigation is finding and closing those flaws. That is not an easy task, but a SIEM tool can lend a hand: the logs it collects record the activity around an exploit attempt, even when the flaw itself has not been found yet.
The second thing to understand about attacks is that they usually follow a pattern, meaning you can associate a set of events with a particular type of attack. For example, a brute force attack, in which an attacker tries to force their way into your network by guessing passwords, shows up as a burst of failed logons from one source against one or more accounts. With ransomware, you will see process creations and registry key changes on affected systems, followed by a large number of file modifications in a short time as files are encrypted. A SIEM tool's correlation and alerting functionality can help you identify and mitigate these kinds of security threats.
Correlating events occurring in your network
We've talked about "context" in the first two parts of this blog series. Event correlation means associating or linking different events occurring in your network. This is needed because an individual event, taken on its own, often tells you very little.
For example, in a password attack, an attacker might try to create a backdoor account in order to breach or even take down your network. The chain might start with several failed logons from one source, followed by a successful logon from that same source, followed by the creation of a new privileged account (or an escalation of privileges) by the account that just logged on. Repeated failed logons and privileged account creations are of course things you would want to track as an administrator, but independently they don't give you the attack information you need in order to respond: a single failed logon is usually a typo, and a new account is usually routine. This is the problem the correlation engine sets out to solve, so that you can discover threats and potential attacks on your network as they happen. The correlation engine of your SIEM tool can detect the entire pattern of the attack as it occurs.
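The chain just described, as an added example that is not code from the original post or from any SIEM product: a small correlation rule that scans logon and account-management events in time order and raises an alert only when all three stages line up from the same source and account. The event IDs are the Windows Security log IDs (4625 failed logon, 4624 successful logon, 4720 user account created, 4728/4732 member added to a global/local security group); the thresholds, field names, privileged-group list and the sample records are assumptions constructed for this example.

```python
# Added example (not from the original post or any SIEM vendor): a correlation
# rule for failed logons -> successful logon from the same source -> privileged
# account creation by that account. Windows Security event IDs are used; the
# thresholds, field names and sample records below are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON, ACCOUNT_CREATED = 4625, 4624, 4720
GROUP_ADD = {4728, 4732}                          # member added to a global / local security group
PRIV_GROUPS = {"Administrators", "Domain Admins"}  # assumed: groups treated as privileged
FAIL_THRESHOLD = 5                                 # assumed: failures within WINDOW that count as brute force
WINDOW = timedelta(minutes=10)                     # assumed: maximum gap between stages
TIME_FMT = "%Y-%m-%d %H:%M:%S"

def parse(ts):
    return datetime.strptime(ts, TIME_FMT)

def correlate(events):
    """Scan events in time order; return one alert per privileged action that completes
    the chain. For logon events "user" is the account logged on to; for 4720/4728/4732
    it is the subject account that performed the change."""
    alerts = []
    fails = defaultdict(list)   # source_ip -> timestamps of recent failed logons
    brute = {}                  # source_ip -> time FAIL_THRESHOLD was reached
    suspect = {}                # user -> (source_ip, time of the post-brute-force successful logon)
    for ev in sorted(events, key=lambda e: parse(e["time"])):
        t, eid = parse(ev["time"]), ev["event_id"]
        if eid == FAILED_LOGON:
            src = ev["source_ip"]
            fails[src] = [f for f in fails[src] if t - f <= WINDOW] + [t]
            if len(fails[src]) >= FAIL_THRESHOLD:
                brute[src] = t
        elif eid == SUCCESS_LOGON:
            src = ev["source_ip"]
            if src in brute and t - brute[src] <= WINDOW:
                suspect[ev["user"]] = (src, t)
        elif eid == ACCOUNT_CREATED or (eid in GROUP_ADD and ev.get("group") in PRIV_GROUPS):
            actor = ev["user"]
            if actor in suspect and t - suspect[actor][1] <= WINDOW:
                alerts.append({
                    "severity": "critical",
                    "time": ev["time"],
                    "source_ip": suspect[actor][0],
                    "actor": actor,
                    "target": ev.get("target"),
                    "stage": "account_created" if eid == ACCOUNT_CREATED else "privileged_group_add",
                })
    return alerts

# Constructed sample log: a brute force against "admin" from 203.0.113.7 that succeeds,
# followed by a new account being created and added to Administrators, mixed with
# benign noise that must not alert.
SAMPLE_EVENTS = [
    *[{"time": f"2017-03-01 02:00:{10 * i:02d}", "event_id": 4625,
       "source_ip": "203.0.113.7", "user": "admin"} for i in range(5)],
    {"time": "2017-03-01 02:01:00", "event_id": 4624, "source_ip": "203.0.113.7", "user": "admin"},
    {"time": "2017-03-01 02:03:00", "event_id": 4720, "user": "admin", "target": "svc_backup"},
    {"time": "2017-03-01 02:03:30", "event_id": 4732, "user": "admin", "target": "svc_backup",
     "group": "Administrators"},
    # noise: one mistyped password and a normal logon from the office, a routine account later
    {"time": "2017-03-01 02:02:00", "event_id": 4625, "source_ip": "10.0.0.5", "user": "alice"},
    {"time": "2017-03-01 02:02:10", "event_id": 4624, "source_ip": "10.0.0.5", "user": "alice"},
    {"time": "2017-03-01 09:00:00", "event_id": 4720, "user": "bob", "target": "newhire"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the rule produces two critical alerts (the account creation and the group addition) and nothing for the office logon or the routine account, which is the point: each stage on its own is noise, the sequence is the signal. Keying the first two stages on the source address and the last on the logged-on account is what ties an account created by an administrator at a console apart from one created by whoever just guessed that administrator's password.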
All this means nothing without alerting
The most important feature of a SIEM solution is alerts. Being alerted when security events of interest occur in your network is the end goal of a SIEM deployment. Imagine a DoS attack is underway and you receive a real-time alert because one source has sent far more requests than normal within a short window. A SIEM solution can not only alert you to this, but can also empower you to proactively mitigate threats by automatically running a custom script once the alert criteria are met. Scope such automation carefully, though: a script that blocks a source on the strength of a single alert can just as easily lock out a legitimate user or be provoked deliberately by an attacker.
It's not just about deploying a SIEM solution, though; it's also about properly managing alerts. If you get thousands of alerts in your mailbox every hour, there's a good chance you will miss the one that actually matters. Some alerts aren't as critical as others and can be reviewed in an audit report if necessary, whereas others, such as those for ransomware, require immediate attention. Choosing and configuring the right alerts for IOCs (indicators of compromise) in your SIEM tool, suppressing repeats of the same alert for the same source, and prioritizing alerts based on the threat they pose is vital to reducing incident response time.
Threat intelligence matters too!
It's important to integrate your SIEM tool with threat intelligence feeds as well. If your SIEM tool is integrated with a threat feed, it ensures you stay "threat smart," so you're alerted as soon as any known malicious source tries to interact with one of your systems. Feeds vary in quality and age quickly, so keep them refreshed and treat a match as a high-priority lead to investigate rather than proof of compromise. Correlation, alerting, and threat intelligence come together to put your security operations center in a position to keep the bad guys out.
Stay tuned for part 4, the final installment of this blog series, where we'll look at using log archival and log search in the event of a forensic investigation.
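The alerting and threat-feed points above, combined into one added example that is not code from the original post or from any SIEM product: a small alert engine with two rules, a request flood from a single source (the DoS case) and any contact from a source listed on a threat intelligence feed, each with a severity, a per-severity action (the "custom script" for critical alerts) and suppression of repeat alerts for the same rule and source within the window, so that a 120-request flood produces one alert rather than twenty. The feed contents, thresholds, field names and sample traffic are assumptions constructed for this example; a real deployment refreshes the feed from its provider and tunes the threshold to the service being protected.

```python
# Added example (not from the original post or any SIEM vendor): an alert engine
# with a rate rule, a threat-feed rule, severity-based actions and repeat
# suppression. Feed, thresholds, field names and sample traffic are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"
THREAT_FEED = {"198.51.100.23", "203.0.113.99"}   # constructed IOC list (documentation-range addresses)

class AlertEngine:
    def __init__(self, feed, rate_threshold=100, window=timedelta(seconds=60), actions=None):
        self.feed = set(feed)
        self.rate_threshold = rate_threshold     # requests per source per window before alerting
        self.window = window                     # rate window, also the repeat-suppression window
        self.actions = actions or {}             # severity -> callable(alert)
        self.recent = defaultdict(deque)         # source_ip -> request times inside the window
        self.last_fired = {}                     # (rule, source_ip) -> time of the last alert
        self.alerts = []

    def _raise(self, rule, severity, src, t, detail):
        key = (rule, src)
        if key in self.last_fired and t - self.last_fired[key] < self.window:
            return None                          # same rule, same source, same window: do not re-alert
        self.last_fired[key] = t
        alert = {"rule": rule, "severity": severity, "source_ip": src,
                 "time": t.strftime(TIME_FMT), "detail": detail}
        self.alerts.append(alert)
        action = self.actions.get(severity)
        if action is not None:
            action(alert)                        # e.g. run a blocking script for critical alerts only
        return alert

    def ingest(self, ev):
        """Process one connection record: {"time", "src", "dst"}."""
        t, src = datetime.strptime(ev["time"], TIME_FMT), ev["src"]
        if src in self.feed:
            self._raise("threat_feed_match", "critical", src, t,
                        f"feed-listed source contacted {ev['dst']}")
        q = self.recent[src]
        q.append(t)
        while q and t - q[0] > self.window:      # drop requests that fell out of the window
            q.popleft()
        if len(q) >= self.rate_threshold:
            self._raise("request_flood", "high", src, t,
                        f"{len(q)} requests within {int(self.window.total_seconds())}s")

def make_sample_traffic():
    """Constructed connection log: 120 requests in 30 s from 192.0.2.50, three contacts
    from a feed-listed address, and a few normal requests from the office."""
    base = datetime(2017, 3, 1, 12, 0, 0)
    ts = lambda s: (base + timedelta(seconds=s)).strftime(TIME_FMT)
    events = [{"time": ts(i // 4), "src": "192.0.2.50", "dst": "10.0.0.80"} for i in range(120)]
    events += [{"time": ts(s), "src": "198.51.100.23", "dst": "10.0.0.80"} for s in (5, 20, 45)]
    events += [{"time": ts(s), "src": "10.0.0.5", "dst": "10.0.0.80"} for s in (1, 2, 3)]
    return events

def run_demo(events=None):
    """Feed the sample traffic through the engine; returns (alerts, blocked sources)."""
    blocked = []
    actions = {
        "critical": lambda a: blocked.append(a["source_ip"]),   # stand-in for the "custom script"
        "high": lambda a: None,                                 # e.g. page the on-call analyst
    }
    engine = AlertEngine(THREAT_FEED, rate_threshold=100, actions=actions)
    for ev in sorted(events or make_sample_traffic(), key=lambda e: e["time"]):
        engine.ingest(ev)
    return engine.alerts, blocked

if __name__ == "__main__":
    alerts, blocked = run_demo()
    print(f"{len(alerts)} alerts from {len(make_sample_traffic())} events; blocked: {blocked}")
    for alert in alerts:
        print(alert)
```

The 126 sample records yield exactly two alerts: one critical feed match (the second and third contacts from the same address are suppressed) and one high-severity flood alert raised the moment the 100th request lands inside the window. Only the critical alert triggers the blocking action, which is the prioritization the previous section argues for: the flood is paged to a human, the known-bad source is acted on automatically, and neither rule floods the mailbox.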