How to surf the flow of information security events: use SIEM system correctly

26.02.2021

Back to blog list

Security Information and Event Management works on the principle of video surveillance.  Cameras stand for connectors that collect data from hardware and software, whereas the object of the surveillance is an IT infrastructure featuring PCs, network devices, and servers. When configured properly, SIEM simplifies the monitoring of information security. How to organize the work, what to control first, and how to respond to incidents? - we will answer these questions using the example of SearchInform SIEM*.

 

To meet the needs of a specific customer, most of the SIEM programs require serious reconfiguration. SearchInform SIEM is a pleasant exception. The software can be installed from a single file in a few clicks, and then you just proceed to the settings. 

Distribute rights

The system allows simultaneous work of up to several departments. E.g. IT and Security Departments, each has its own work tasks. 

SearchInform SIEM enables rights distribution among internal users and tracks their operations in the system. This option will come in handy for managers to supervise their employee’s critical actions, such as changing the security policy or changing the password to the confidential database.


 
Configuring access rights in SIEM depending on the user's role.


Activate connectors

The most popular connectors are available by default. They receive data from:

•    OS (Windows, Linux);
•    antivirus software (Kaspersky, McAfee);
•    mail servers (Exchange, Domino);
•    equipment (Fortigate, PaloAlto, Cisco);
•    databases (PostgreSQL, MS SQL); 
•    virtual environments (VMware);
•    Business Software (DLP, 1C);
•    Syslog, etc.

It is rational to add all connectors at once. A connector with no data sources consumes almost no server power. However, if a new source appears in the network (for example, the CheckPoint firewall), it can be connected in just a couple of clicks, without additional manipulations and installations.  


 
SearchInform SIEM connectors


Collect data

When you add connectors the system starts working immediately. Prior to this, the system is just a running engine that needs to be installed under the hood of the car. Otherwise, SIEM is just “spinning its wheels”. If we take a video surveillance system metaphor - you need to turn on the cameras that are already there.

To analyze and create reports, the program needs logs from various software and hardware sources. There are three data collection scenarios depending on source functionality:

•    direct connection to the source;
•    automated data sending from the source to the server;
•    agent assisted collection. 

This allows for efficient use of each data source. 


 
Activating Domino connector


Each connected data source adds a stream of events for SIEM system to process in accordance with security policies. By default the system has more than 300 policies.

Connectors work on the principle of dynamic collection, and start to analyze the events right after you activate them. Moreover, the system automatically collects the events 7 days prior to connection. The user can adjust this figure, with the reservation that not all data sources store logs for more than a week.

Devices with no pre-installed connectors can be also connected to SIEM. Most data sources support standard logging protocols (event log or syslog).  However, if your company uses a tailor-made software, SearchInform SIEM is also able to analyze the events. 


See the problem

After installing and connecting the sources, experts recommend to wait for the first monitoring results for at least one day, and if the company is large – for two or three. This time is necessary for SIEM to analyze past events via dynamic and passive data collection sources. 

Then, the system provides a manager with an insightful picture of a company’s infrastructure. To make it clear, a manager opens Incident map, which displays all PCs and users in the system. It is possible to find vulnerabilities by filtering out computers that had, for example, more than 10,000 incidents per day.


 
Incident Map


Another option for monitoring is the Incidents tab. Here, events are sorted according to the selected period (e.g. yesterday, a week ago). The top right corner of the tile shows the number of unseen incidents, and the left corner shows the total number of incidents per policy. If you need more details, you can click on the policy tile and open the incident descriptions in the table format.


 
Incidents tab


It is also convenient to use a dashboard with editable widgets (there are 12 templates in the system). You can select the reporting period, frequency of updates, the data source, connectors, policies, and/or users to analyze. Here you can also choose graphical representation: pie chart, graph, histogram, etc. 


 Dashboard with widgets


Adjust policies

To study events and incidents by specific policies, it is convenient to use the Rules tab. 

Example. Multiple responses under the "One account on multiple PCs" rule (AD. Usernames and passwords), alarm that the same user logged in under their account from several workstations. In fact, it could be a system administrator, who updated the antivirus in the Accounting Department or set up access to the printer for the entire sales department.

Detailed elaboration on rules helps to avoid false responses. For example, for this policy you can add accounts of IT specialists to the Exclusion lists.


 
Creating Exclusion lists


Event analysis, as well as smart system configuration significantly reduces the number of incidents within 1-2 weeks. As a result, the most serious violations are clearly visible and never lost in the flow of statistical events and false-positive responses. Also, it facilitates highlighting the problematic area that requires close monitoring. 

SIEM can be compared to a new car, which drives error-free with factory settings. However, to make this ride safe and comfortable, first it is necessary to adjust a seat back and the mirrors. 

For this purpose, the system allows for creating new rules based on existing ones. For critical violations (e.g. accountant password hacking), it is also possible to configure email or Telegram notifications. 

Example. An international company divided the control over the infrastructure into "sections". Some rules have been reconfigured for the branches: "Statistics of logons to Chicago system", " Statistics… Moscow", " Statistics… London."  The risk manager receives a separate alarm list, and can quickly respond to the incident in a particular office.  

 

Enable cross-correlation

Cross-correlation rules compare events from different sources, thereby SIEM detects incidents in a flow of ordinary events. Since each company is unique, by default cross-correlation rules are not configured.  

Important: it is not advisable to configure cross-correlation rules right away, since the elaborated scheme may never work. For example, it is difficult to predict that one day a vindictive employee will log in to the accountant's PC (incident 1), then - to the 1C application (incident 2), find out the salary of the manager and colleagues, and then start clearing the action log (incident 3). 

As you use SIEM, you should identify suspicious events, and then combine the rules for them into logical chains. 

Example. To protect against viruses that employees may intentionally or accidentally bring to the company on a USB flash drive, you can set up the "Viruses on USB" cross-correlation rule. It includes two events: 1. "Connecting a USB device to a working PC" (data source – DLP; by the way, DLP integrates with SIEM seamlessly). 2. "Virus detection" (data source – antivirus).

 

Conduct daily monitoring

 When SIEM configured properly, it takes a specialist just around 20-30 minutes a day to check it. Each event can be studied separately with the help of Incidents, Dashboard, and Rules tabs.  

Example. Having used the system for three weeks, the risk manager noticed that the number of events for the "Erroneous password entry" rule does not exceed 10 per day. The sudden increase of the figure indicates a serious problem, which requires an investigation.
Likewise, if  "Other Syslog Events" rule records on average 1000 events per day, and one day there are none - most likely the system failed to connect data sources. Alternatively, it could be a hardware failure, network malfunction, or a change in the firewall settings that started blocking messages.

Events and incidents for a separate rule are displayed in a table-format. To quickly identify critical violations, we recommend you to group events by the fields. 

For example, in "Logon statistics" rule, it is possible to use "Status" field, which will divide the events into two or three groups: "Logon was successful", "Username does not exist", "Correct username, but incorrect password".


 
Grouping events on the Rules tab


Respond to incidents and conduct investigations

SIEM allows to track the violation step by step. You can apply the following scheme:


1. Detect a violation.
2. Determine the nodes and/or users affected by the incident.
3. React to the event (report the incident to the responsible employee, conduct an explanatory conversation with the culprit, reconfigure access rights, delete the malicious file from all compromised PCs, etc.).
4. Specify the security policy, perhaps – configure cross-correlation rule. 

Employees of different specializations can work in the system simultaneously, so it is important to keep in touch with colleagues. For example, if a risk manager sees a response for the "VMware Server Hardware" rule that reports server overheating, they need to notify the IT specialist. If someone has deleted six accounts, the first step is to contact the system administrator (or in some cases, their supervisor). Most likely it were accounts of dismissed employees. However, it could also be sysadmin revenge.  

That is, the employee responsible for SIEM system should be attentive. SearchInform SIEM records, analyzes, and presents information in a convenient format, or sends notifications. The system also does not interfere with business processes. For example, if a user failed to enter the password for a number of times, the system does not block the account, since it can permanently stop the work of the employee or even an entire department. 

The main purpose of SIEM is to conduct comprehensive monitoring, which assists the work of the risk monitoring department. All data is collected automatically and is available in a single interface.

Integration with DLP expands the system's capabilities. For example, as the result of this integration, SearchInform SIEM will be able to show the name, size and extension of the document copied to the USB, as well as the account under which it was made, and the movement of this file. SIEM interface won’t let you view the document contents, whereas switching to DLP enables you to see more information about the file.

Example. Some companies allow for opening and installing files from USB. Such user operations should be monitored. The incidents may vary from a harmless game launch to much more serious ones, such as a keylogger run, a password cracker program, or a live version of the OS. The pre-installed "File execution from a removable device" rule helps to detect the incident. If your company happens to have SearchInform DLP, you will be pleased to know that SIEM requires no additional configurations since the products are 100% compatible. 

 

 

A month after the implementation, the system reveals the state of affairs in the company's infrastructure, enabling specialists to see vulnerabilities, improve the protection of individual nodes, and restore order in access rights. Therefore, you can take a free 30-day trial of SearchInform SIEM. 

I WANT TO TRY IT

*For informational purposes only. Part of the described functionality of SearchInform SIEM is under revision. The project for the system capabilities expansion is being implemented in the format of co-financing based on the vendor's own funds and the Russian fund of information technology development grant. 


 


Risk management Internal threat Devices