Security business menu
Security business
HOME
To be elected
cause
Service
Handling Manufacturer
Examples/reports/
Blog/Glossary
Seminar/
video on demand
Event/Seminar
video on demand

SIEM Security Primer: Evolution and Next Generation Capabilities

A SIEMis a tool that allows you to monitor network traffic and provide real-time analysis of security alerts generated by your applications. SIEMs often struggle. That's why I created this primer. Here, we explain why SIEM products are essential for detecting advanced attacks, explain SIEM terminology, and introduce leading SIEM tools and solutions.

What you will learn in this article:
  • What is SIEM Security
  • SIEMs and their capabilities
  • Evolution of SIEM Security
  • Importance of SIEM
  • SIEM value
  • UEBA and SOAR in modern SIEM security
  • SIEM software evaluation
  • 3 Best Practices for SIEM Implementation
  • Example of next-gen SIEM with UEBA and SOAR embedded

What is SIEM Security

SIEM (Security Information and Event Management) systems are the cornerstone of most security processes in modern Security Operations Centers (SOCs). A SIEM saves security analysts the effort of monitoring a variety of disparate systems and putting together large amounts of log data to create a coherent image.

SIEM security is about integrating SIEM with security tools, network monitoring tools, performance monitoring tools, critical servers and endpoints, and other IT systems. SIEMs also ingest and analyze log and event data to generate alerts on activities identified as potential security incidents.

Figure 1: SIEM structure and SIEM security

SIEMs and their capabilities

Security Information and Event Management (SIEM) solutions are tools you can use to centralize alerting, logging and compliance. SIEM tools can correlate the data they collect to reveal the context of alerts and events across multiple systems.

SIEM tools collect and aggregate logs, reports and alerts from any security tool or security solution. Then present this information in a centralized location. This improves visibility and speeds up incident analysis and response.

SIEM solutions work according to a three-step cycle.

  • Data collection: Collect data logs from devices, applications, systems and existing security tools.
  • Data integration: SIEM solutions normalize and categorize this data for analysis. Classifications include who the user is, what credentials they used, what systems they accessed, and what processes they ran.
  • Data Analysis: Analyze classified data and compare against rules (definition of acceptable behavior). Alert your security team when an event is deemed suspicious.

Evolution of SIEM Security

Analysts point to three generations of SIEM security capabilities and technologies.

  • The first generation SIEM was introduced in 2005 to integrate previously separate log and event management systems. However, they were limited in the amount of data they could process and the sophistication of the alerts and visualizations they could generate.
  • Second-generation SIEMs have improved capabilities for handling big data, or large amounts of log history. This generation of SIEMs has been able to correlate historical log data with real-time events and data from threat intelligence feeds.
  • The third generation SIEM is a concept proposed by Gartner in 2017 that combines traditional SIEM capabilities with two new technologies. The first is UEBA (User and Entity Behavior Analytics). This feature uses machine learning to define criteria for user and IT system behavior and identify anomalies. Next is SOAR (Security Orchestration, Automation, and Response). This feature helps analysts quickly analyze incidents and enables security tools to automatically respond to incidents.

Over the past two decades, SIEMs have proven themselves to be a powerful and effective infrastructure for security teams. But it also comes with a harsh reputation: expensive, difficult to implement and use, and difficult to scale. As a result, SIEMs were initially only considered by large, well-skilled security companies.

A new generation of SIEM addresses the aforementioned challenges by being easier to deploy and use, requiring less compute resources and leveraging lower cost storage. SIEM security solutions are also offered as a service in the cloud, with various deployment options offered by MSSPs (Managed Security Service Providers) that balance cost and ease of implementation.

Importance of SIEM

Businesses use SIEM technology to:

  • Log management and retention
  • Continuous security monitoring and incident response
  • case management
  • Policy enforcement and response to violations
  • Compliance with government requirements such as HIPAA, PII, NERC, SOX, COBIT 5, PCI, FISMA

In addition to these purposes, why is the existence of a SIEM important? Personnel receiving security breaches want to be prepared with an answer when asked to explain what happened.

Many companies also implement SIEMs to protect sensitive data while preserving evidence of the protection process. A failed audit can have devastating consequences, including employee termination, loss of business, and hefty fines.

SIEM value

Correlating security events

A SIEM aggregates and analyzes all the data from log management functions looking for signs of threat intrusion or data compromise. For example, login failures are generally not a concern. However, a single user's failed logins on multiple applications across the IT environment may indicate a threat. The relationships between data in each application can only be understood through the capabilities of SIEM.

threat intelligence

Among the SIEM's capabilities is the connection to threat intelligence feeds. This includes feeds from third parties and solution providers. Each independent feed typically holds its own threat data. Leveraging information from many feeds ensures optimal use of the solution.

security alert

Your SIEM should keep your security team up-to-date on potential threats via dashboard updates, text alerts, email alerts, and more. Without up-to-date information, your security team may miss threats and allow them to reside on your servers.

The value of next-generation SIEM solutions

SIEM is now an established technology, but next-generation SIEMs have new capabilities:

UEBA (User and Entity Behavior Analytics): Modern SIEMs go beyond correlation, leveraging machine learning and AI techniques to identify and explore normal and abnormal human behavior. . This insight allows companies to uncover malicious activity, insider fraud and impersonation.

Security Orchestration, Automation, and Response (SOAR): Next-generation SIEMs come with automated incident response systems. For example, it can identify ransomware alerts and, in response, automatically perform containment steps before hackers encrypt data on affected systems.

UEBA in modern SIEM security

UEBA (User and Entity Behavior Analysis) is an emerging area of security solutions that can identify behavioral criteria and uncover anomalous behavior that could indicate a security incident. UEBA can detect security incidents that tools that rely on pre-defined patterns and static correlation rules can't find. Third-generation SIEM solutions have UEBA capabilities built-in.

Common use cases for SIEMs incorporating UEBA technology include:

  • Malicious insider: When a user account holder with privileged access to an IT system misuses the account for their own gain. Insider attacks can be devastating and invisible to most security tools. UEBA allows you to define baselines for each user's behavior and detect suspicious events that may indicate malicious intent.
  • Compromised Insider: When an attacker gains control of a user account to reconnoiter, plan an attack, or conduct an actual attack on an organization's systems. UEBA can identify unusual user behavior and alert security personnel.
  • Prioritization of Incidents and Alerts (Alert Triage): Alert fatigue is a problem because SIEM security alerts place a heavy burden on security analysts. UEBA can ease the burden of prioritizing alerts. To do this, UEBA combines alerts and signals from many tools, ranks alerts and incidents according to the amount of anomalous behavior (risk score), and layers a layer of contextual data about the organization (services accessing sensitive data). and user accounts).
  • Data Loss Prevention (DLP): DLP tools such as traditional SIEM generate a large number of alerts for all anomalous events related to an organization's sensitive data. UEBA tools can prioritize and refine DLP alerts by calculating a risk score using data from multiple tools to indicate events that represent anomalous behavior. UEBA also allows DLP alerts to be placed on the incident timeline. This helps in incident verification and investigation.

SOAR in modern SIEM security

Security Orchestration, Automation, and Response (SOAR) systems, another emerging technology embedded in third-generation SIEM solutions,have the following key capabilities:

  • Orchestration: SOAR's integration with other security solutions enables these solutions to capture data and act proactively. For example, you can investigate whether an email sender has a bad reputation by using DNS tools to see where the message came from.
  • Automation: Users can define security playbooks using SOAR. This is a response manual that codes the workflow for security operations. When a known type of security incident occurs, playbooks can be enabled to automatically take mitigation actions. For example, it can scan files identified as malware and perform destructive actions in the Box.
  • Incident management and collaboration: When a SIEM generates a security alert, the SIEM's SOAR component adds contextual information and evidence to help analysts investigate the problem, and organizes this information into an incident timeline for easy understanding. I can. Analysts can also collaborate with each other to add additional insights and data they discover during research.

SIEM software evaluation

We recommend the following stages when evaluating a SIEM solution:

1. Next-generation SIEM features

3rd generation SIEM security solutions deliver the greatest value and have the lowest implementation and operating costs. Check if your solution has the following features:

  • UEBA: advanced analytics to determine abnormal behavior
  • SOAR: Incident Response Automation and Orchestration
  • Dashboards and visualizations
  • Flexible search, query and data exploration
  • Long-term data retention and unlimited scalability
  • Threat hunting interface

2. Comparing Open Source SIEM vs Commercial SIEM, In-House SIEM vs Hosted SIEM

Consider which type of SIEM security solution is best for your organization.

  • Open Source vs. Commercial: Open source tools have a lower initial cost, but higher ongoing maintenance costs and limited functionality.
  • Build and buy: Some organizations develop SIEM solutions using open source tools such as the ELK stack (Elasticsearch, Logstash, Kibana). This method is costly to implement, maintain, tune, and integrate security content. This is because ELK is primarily a log management infrastructure, not a security system.
  • In-house and managed: Choose from four deployment models. (1) Hosted in-house and managed in-house (traditional model), (2) Cloud-hosted and managed by in-house security staff, (3) Hosted in-house but managed by in-house security staff and MSSP (Managed Security Service Provider) (4) Local security management using SIEM as an in-cloud service

3. Evaluation of TCO (Total Cost of Ownership)

A SIEM is a complex security infrastructure that can be costly to procure and operate. In general, SIEMs are concerned with the following budget items:

  • CAPEX (capital expenditure) budget items: licenses, development, training, hardware, storage.
  • OPEX budget items: security analyst reviewing SIEM alerts, IT maintenance, integration with new IT systems, storage costs.

Here are some tips for accurately estimating the TCO of your SIEM implementation.

  • Licensing: Check licensing models for available SIEM solutions. It is typically licensed based on the amount and speed of data ingested. Latecomers in the market may also offer user-based pricing that lowers licensing costs.
  • Hardware Cost and Scale: Calculate the number of events per day using the normal event load and peak event load estimates. The volume of events will determine the number and type of servers required for the SIEM deployment (for in-house deployments).
  • In-House Analysts: The biggest operating cost of a SIEM is analyst time. Determine if you have experienced personnel to review and investigate SIEM alerts, and if not, consider outsourcing to an MSSP.

SIEM implementation best practices

1. Know your data and know how to use it

This includes understanding the size, behavior, frequency and type of log data prior to deployment. You need to know what data is available, where it comes from (systems, switches, routers, etc.) and how it is transferred.

Also clarify the reasons for implementing the SIEM system and the purpose of the project. Is your SIEM strategy aimed at supporting day-to-day operations? Security measures or keeping logs to spot threats? Or is it about compliance?

2. Define the rules required for compliance

Discover which industry standards and regulations apply and how a SIEM can help with compliance audits and reporting. Define baseline correlation rules to capture basic compliance requirements, but don't stop there. Leveraging next-gen SIEM technology, especially UEBA, will improve threat detection and facilitate ongoing maintenance.

3. Enforce correlation rules with UEBA

Traditional SIEM correlation rules only search for what humans tell them to search. Defining rules that capture basic attack scenarios is important, but in today's security environment, rules alone are insufficient to capture all relevant threats. Additionally, correlation rules generate a large number of false positives, which is a burden for security analysts.

We recommend defining correlation rules to monitor for too many false positives. If there are many false positives, consider removing the rule and using UEBA to define a baseline of behavior for relevant system operations and identify anomalies that deviate significantly from that baseline. . For security scenarios that aren't easily defined by rules, like insider threats, use UEBA from the start.

Example of next-gen SIEM with UEBA and SOAR embedded

Exabeamis a 3rd generation SIEM platform that is easy to implement and easy to use. It comes with advanced features according to the revised Gartner SIEM model.

  • Advanced Analytics and Forensics: Threat identification with behavioral analysis based on machine learning, identification of suspicious individuals with dynamic grouping of peers and entities, lateral movement detection.
  • Data exploration, reporting and retention: Flat rate, unlimited log data retention leveraging the latest data lake technology. Context-aware log analysis helps security analysts quickly find the data they need.
  • Threat Hunting: A mouse-driven threat hunting interface enables analysts to proactively search and discover threats. Build rules and queries using natural language without SQL or NLP (Natural Language Processing).
  • Incident Response and SOC Automation: A centralized approach to incident response allows you to collect data from hundreds of different tools and orchestrate responses into different types of incidents via security playbooks. Exabeam can automate investigation, containment and mitigation workflows.

Figure 2: Exabeam malware playbook

ORION CASSETTO

ORION CASSETTO
Exabeam, Inc. Director, Product Marketing

Click here for the list of articles

Inquiry/Document request

In charge of Macnica Exabeam Co., Ltd.

inquiry Document request

Mon-Fri 8:45-17:30