How to surf the flow of information security events: use SIEM system correctly
26.02.2021
Security Information and Event Management (SIEM) works on the principle of video surveillance. The cameras are connectors that collect data from hardware and software, and the object under surveillance is the IT infrastructure: PCs, network devices, and servers. When configured properly, SIEM simplifies the monitoring of information security. How should the work be organized, what should be controlled first, and how should incidents be handled? We answer these questions using the example of SearchInform SIEM*.
To meet the needs of a specific customer, most SIEM products require serious reconfiguration. SearchInform SIEM is a pleasant exception: the software is installed from a single file in a few clicks, after which you proceed straight to the settings.
The system allows several departments to work in it simultaneously, for example the IT and Security departments, each with its own tasks.
SearchInform SIEM distributes rights among internal users and tracks their operations in the system. This option comes in handy for managers who need to supervise their employees' critical actions, such as changing a security policy or changing the password to a confidential database.
Configuring access rights in SIEM depending on the user's role.
The most popular connectors are available by default. They receive data from:
• OS (Windows, Linux);
• antivirus software (Kaspersky, McAfee);
• mail servers (Exchange, Domino);
• equipment (Fortigate, PaloAlto, Cisco);
• databases (PostgreSQL, MS SQL);
• virtual environments (VMware);
• Business Software (DLP, 1C);
• Syslog, etc.
It is rational to add all connectors at once: a connector with no data sources consumes almost no server resources, and if a new source later appears in the network (for example, the CheckPoint firewall), it can be connected in a couple of clicks without additional installation steps.
SearchInform SIEM connectors
Once connectors are added, the system starts working immediately. Until then, the system is just a running engine that has not yet been installed under the hood of the car, and SIEM is merely "spinning its wheels". In terms of the video surveillance metaphor, you need to turn on the cameras that are already there.
To analyze and create reports, the program needs logs from various software and hardware sources. There are three data collection scenarios depending on source functionality:
• direct connection to the source;
• automated data sending from the source to the server;
• agent assisted collection.
This allows for efficient use of each data source.
Activating Domino connector
Each connected data source adds a stream of events for the SIEM system to process in accordance with security policies. By default, the system ships with more than 300 policies.
Connectors work on the principle of dynamic collection and start analyzing events as soon as you activate them. Moreover, the system automatically collects events from the 7 days prior to connection. The user can adjust this figure, with the reservation that not all data sources store logs for more than a week.
Devices with no pre-installed connector can also be connected to SIEM. Most data sources support standard logging protocols (Event Log or syslog). Even if your company uses tailor-made software, SearchInform SIEM is still able to analyze its events.
See the problem
After installing and connecting the sources, experts recommend waiting at least one day for the first monitoring results, or two to three days for a large company. This time is necessary for SIEM to analyze past events from dynamic and passive data collection sources.
The system then gives a manager an insightful picture of the company's infrastructure. To see it, the manager opens the Incident map, which displays all PCs and users in the system. Vulnerabilities can be found by filtering for computers that had, for example, more than 10,000 incidents per day.
Another monitoring option is the Incidents tab. Here, incidents are grouped by the selected period (e.g. yesterday, a week ago). The top right corner of each policy tile shows the number of unseen incidents, and the left corner shows the total number of incidents for that policy. For more details, click the policy tile to open the incident descriptions in table format.
It is also convenient to use a dashboard with editable widgets (the system has 12 templates). You can select the reporting period, update frequency, data source, connectors, policies, and/or users to analyze, as well as the graphical representation: pie chart, graph, histogram, etc.
Dashboard with widgets
To study events and incidents under specific policies, it is convenient to use the Rules tab.
Elaborating the rules in detail helps avoid false positives. For example, for a given policy you can add the accounts of IT specialists to its Exclusion list.
Creating Exclusion lists
Event analysis together with sensible system configuration significantly reduces the number of incidents within 1-2 weeks. As a result, the most serious violations are clearly visible and are never lost in the flow of statistical events and false positives. It also helps highlight the problem areas that require close monitoring.
SIEM can be compared to a new car, which drives error-free with factory settings. However, to make this ride safe and comfortable, first it is necessary to adjust a seat back and the mirrors.
For this purpose, the system allows new rules to be created from existing ones. For critical violations (e.g. the hacking of an accountant's password), email or Telegram notifications can also be configured.
Cross-correlation rules compare events from different sources, which is how SIEM detects incidents in a flow of ordinary events. Since each company is unique, cross-correlation rules are not configured by default.
Important: it is not advisable to configure cross-correlation rules right away, since an elaborate scheme may never fire. For example, it is difficult to predict that one day a vindictive employee will log in to the accountant's PC (incident 1), then to the 1C application (incident 2), look up the salaries of the manager and colleagues, and then start clearing the action log (incident 3).
As you use SIEM, identify suspicious events and then combine the rules for them into logical chains.
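To make the idea of a "logical chain" concrete, here is an added example (written for this article, not SearchInform's rule engine or its data format) of a small cross-correlation check. It walks a constructed list of normalized events and, per account, looks for the three-step sequence described above (logon to the accountant's PC, logon to 1C, clearing of the action log) within a time window. The event fields, the host name ACC-PC01, the event type names and the window are all assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real SearchInform SIEM output). Each record is
# one normalized event: timestamp, account, source (host or application), type.
SAMPLE_EVENTS = [
    {"time": "2021-02-26 09:01:00", "user": "j.doe",   "source": "ACC-PC01", "type": "logon"},
    {"time": "2021-02-26 09:03:00", "user": "j.doe",   "source": "1C",       "type": "app_logon"},
    {"time": "2021-02-26 09:10:00", "user": "j.doe",   "source": "1C",       "type": "log_cleared"},
    {"time": "2021-02-26 10:00:00", "user": "a.smith", "source": "ACC-PC01", "type": "logon"},
    {"time": "2021-02-26 10:05:00", "user": "a.smith", "source": "1C",       "type": "app_logon"},
    # a.smith clears the log only a day later: outside a 1-hour window
    {"time": "2021-02-27 18:00:00", "user": "a.smith", "source": "1C",       "type": "log_cleared"},
]

# The chain from the article as (event type, allowed sources) steps, in order:
# logon to the accountant's PC -> logon to 1C -> clearing the action log.
ACCOUNTANT_CHAIN = [
    ("logon", {"ACC-PC01"}),
    ("app_logon", {"1C"}),
    ("log_cleared", {"1C"}),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def _matches(event, step):
    etype, sources = step
    return event["type"] == etype and event["source"] in sources


def find_chains(events, chain, window_hours=1):
    """Return (user, first_time, last_time) for each account whose events match
    every step of `chain` in order, all within `window_hours` of the first step."""
    window = timedelta(hours=window_hours)
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: _parse(e["time"])):
        by_user[ev["user"]].append(ev)

    hits = []
    for user, evs in by_user.items():
        step, start, start_str = 0, None, None   # per-account state machine
        for ev in evs:
            t = _parse(ev["time"])
            if step > 0 and t - start > window:
                step, start = 0, None            # partial chain timed out; start over
            if _matches(ev, chain[step]):
                if step == 0:
                    start, start_str = t, ev["time"]
                step += 1
                if step == len(chain):           # all steps seen: raise one incident
                    hits.append((user, start_str, ev["time"]))
                    step, start = 0, None
    return hits


if __name__ == "__main__":
    for user, first, last in find_chains(SAMPLE_EVENTS, ACCOUNTANT_CHAIN):
        print(f"cross-correlation hit: {user} {first} -> {last}")
```

With the default one-hour window only j.doe produces an incident; widening the window to two days also catches a.smith, which is the tuning trade-off the article warns about: a chain that is too narrow never fires, one that is too wide becomes noise.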
Conduct daily monitoring
When SIEM is configured properly, a specialist needs only 20-30 minutes a day to check it. Each event can be studied separately in the Incidents, Dashboard, and Rules tabs.
Events and incidents for an individual rule are displayed in table format. To quickly identify critical violations, we recommend grouping events by fields.
For example, in the "Logon statistics" rule you can group by the "Status" field, which divides the events into two or three groups: "Logon was successful", "Username does not exist", and "Correct username, but incorrect password".
Grouping events on the Rules tab
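The following added example (not part of the original article and not SearchInform's code) shows what the two operations described above amount to in code: grouping a rule's events by a field such as "Status", and applying an Exclusion list of IT specialist accounts so that their routine failed logons do not count against the rule. The sample records, the host names, the account names and the threshold of three failures are constructed for the illustration.

```python
from collections import Counter

# Constructed sample logon events, normalized the way a SIEM would present
# Windows logon audit records (not real SearchInform SIEM data).
LOGON_EVENTS = [
    {"user": "j.doe",    "host": "ACC-PC01", "status": "Logon was successful"},
    {"user": "j.doe",    "host": "ACC-PC01", "status": "Correct username, but incorrect password"},
    {"user": "j.doe",    "host": "ACC-PC01", "status": "Correct username, but incorrect password"},
    {"user": "j.doe",    "host": "ACC-PC01", "status": "Correct username, but incorrect password"},
    {"user": "admin_it", "host": "SRV-01",   "status": "Correct username, but incorrect password"},
    {"user": "admin_it", "host": "SRV-01",   "status": "Correct username, but incorrect password"},
    {"user": "admin_it", "host": "SRV-01",   "status": "Correct username, but incorrect password"},
    {"user": "admin_it", "host": "SRV-01",   "status": "Logon was successful"},
    {"user": "ghost",    "host": "SRV-01",   "status": "Username does not exist"},
    {"user": "a.smith",  "host": "HR-PC02",  "status": "Logon was successful"},
]

SUCCESS = "Logon was successful"

# Hypothetical Exclusion list: IT specialist accounts whose failed logons while
# servicing hosts are expected and should not raise this rule.
IT_EXCLUSIONS = frozenset({"admin_it"})


def group_by(events, *fields):
    """Count events per distinct value of one field, or per tuple of several
    fields, the way the Rules tab groups the event table by chosen columns."""
    if len(fields) == 1:
        key = lambda e: e[fields[0]]
    else:
        key = lambda e: tuple(e[f] for f in fields)
    return dict(Counter(key(e) for e in events))


def failed_logon_offenders(events, exclusions=frozenset(), threshold=3):
    """Accounts with at least `threshold` failed logons, skipping excluded accounts."""
    failures = Counter(e["user"] for e in events
                       if e["status"] != SUCCESS and e["user"] not in exclusions)
    return {user: n for user, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for status, n in group_by(LOGON_EVENTS, "status").items():
        print(f"{n:3d}  {status}")
    print("without exclusions:", failed_logon_offenders(LOGON_EVENTS))
    print("with IT exclusions:", failed_logon_offenders(LOGON_EVENTS, IT_EXCLUSIONS))
```

Grouping by "status" alone gives the three buckets named in the article; grouping by ("user", "status") shows which account produced the failures. With the exclusion list applied, admin_it disappears from the offenders and only j.doe remains, which is the reduction of false positives the article describes.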
Respond to incidents and conduct investigations
SIEM allows you to track a violation step by step. You can apply the following scheme:
1. Detect a violation.
2. Determine the nodes and/or users affected by the incident.
3. React to the event (report the incident to the responsible employee, conduct an explanatory conversation with the culprit, reconfigure access rights, delete the malicious file from all compromised PCs, etc.).
4. Refine the security policy and, where appropriate, configure a cross-correlation rule.
Employees of different specializations can work in the system simultaneously, so it is important to keep in touch with colleagues. For example, if a risk manager sees a hit on the "VMware Server Hardware" rule reporting server overheating, they need to notify the IT specialist. If someone has deleted six accounts, the first step is to contact the system administrator (or in some cases, their supervisor). Most likely these were the accounts of dismissed employees. However, it could also be a sysadmin's revenge.
That is, the employee responsible for the SIEM system should be attentive. SearchInform SIEM records, analyzes, and presents information in a convenient format, or sends notifications, and it does not interfere with business processes. For example, if a user enters the wrong password several times, the system does not block the account, since that could halt the work of the employee or even an entire department.
The main purpose of SIEM is comprehensive monitoring, which supports the work of the risk monitoring department. All data is collected automatically and is available in a single interface.
Integration with DLP expands the system's capabilities. For example, with this integration SearchInform SIEM can show the name, size, and extension of a document copied to a USB drive, the account under which it was copied, and the movement of this file. The SIEM interface does not let you view the document's contents, whereas switching to DLP lets you see more information about the file.
*For informational purposes only. Part of the described functionality of SearchInform SIEM is under revision. The project for the system capabilities expansion is being implemented in the format of co-financing based on the vendor's own funds and the Russian fund of information technology development grant.