Which sources should be controlled by the SIEM system first of all?

22.02.2023

In order to be efficient, the SIEM system should be connected to all data sources, distributed within the IT infrastructure. It’s just like in case with the video surveillance: if you want to obtain the full picture of what is actually happening within the perimeter, you need to install cameras in all rooms.

But this is, of course, the perfect scenario, in real life it’s often impossible to connect all data sources to the SIEM-system. In such case it is required to deal with the most critical ones first of all.

Make sure that connectors for these sources are available in the SIEM system “out-of-the-box”.

1. EventLog connector (which controls MS infrastructure: Active Directory, Exchange) reads Microsoft SQL server logs and gathers data from any applications, which can save data in the EventLog format.

It is of crucial importance to control Active Directory (AD) security events, because it is the source of information which contains data on: 

• Logs into the system (who, when and where exactly logged)
• Granting of access rights and accounts blocking
• Changes made to group policies
• External devices connection

Control of Active Directory enables to detect attempts to brute force passwords or accounts, as well as their simultaneous usage on different PCs. In most companies this is the basic principle of monitoring users’ work process in accounts.

Thus, control of AD provides IT and IS specialists with useful data on such issues as:

• Temporarily AD access rights granting
• Temporarily adding of an account to a group
• Usage of a single account on a few PCs 
• Event log cleaning by a user 
• Outdated accounts

2. Connectors for email servers

The practice of usage a single email by a few employees simultaneously is widely spread in numerous organizations. Besides, some employees get access to other employees email as the result of some business process changes in an organization.

Email owner change may be both legitimate or illicit. If it is illicit then it threatens the organization. When choosing a SIEM tool it is crucial to take into consideration that the system should control the email data source – it’s workability in general and access to mailboxes and to data, kept in them.

A few examples of what is required to control: 

• Third-party access to an email
• Change of an email owner 
• Granting of access to an email

3. Connectors for Database Management System (DBMS)

Databases always contain confidential data. That is why it is crucial to monitor administrators’ activities on the DBMS level with the help of a SIEM system. 

Thus, information security expert will not miss changes done to database, which may turn out to be illicit:

• Changes of password and account by database administrator
• Temporary addition of user to role members
• Temporary access granting to a database object

4. Syslog connectors

In case monitoring of network equipment, servers or detached Linux OS operated PCs is required, then the SIEM-system should support reception of security logs over Syslog. Any Linux OS supports it, what’s more, this support is implemented both at the level of the OS itself and at the level of applications, which work in this environment. With the help of Syslog connector, it is possible to monitor:

• Operation system events
• User level events
• System daemons events
• Login/logout, accounts

5. Connectors for control of virtualized environment

Network hardware is usually connected via Syslog too. However, server structures and data are kept with the help of various virtualization environments. In case they are used in critical processes, they should be connected to the SIEM system – from time to time tools for virtualization may turn out to be the only solution for IT-system workability retrieve.

For instance, if VMware, which is used for critical resources deployment fails, the whole company’s business activities slow down.

The list of what is strictly required to be controlled: 

• VMview/VMware log in and log out events 
• Wrong passwords 
• Deleting of snapshots

6. Connectors for firewalls and complex network security devices

In the current circumstances, when a step change is taking place in the amount of cyber-attacks, targeting network hardware it is of crucial importance to connect it to the SIEM system. However, each company has its own set of network equipment. 

That is why when choosing a SIEM-system it is important to make sure that the particular vendor’s solution is capable of control of the required set of equipment. It is possible to capture attacks just in time according to the following rules: 

• Events of local/prohibited/allowed traffic routing
• Changes done to firewall configuration
• VPN-connections and data collection and control equipment’s events

All in all, in order not to fool yourself when choosing connectors and benefit as much as possible from a SIEM solution implementation, it is required to answer the following questions: 

• Which data sources are there?
• Which data sources should be controlled first of all?
• If the migration to other data sources will take place, will the SIEM system support them as well?

What’s more, during the test term it is very useful to maximize the SIEM system load. This means, that it is much more beneficial to run the system not on a demo-stand or in an isolated network segment, but in a loaded work infrastructure instead. Such method for choosing a solution reveals, whether the SIEM system tested suits your organization’s requirements or not; it also makes sure that you won’t face a situation when something does not work appropriately in the real-life circumstances.
 

Risk assessment review