What is SIEM?
SIEM (Security Information and Event Management) systems are security products that store the log records produced by systems, network devices, security products (IDS, IPS, firewall, etc.) and applications, associate (correlate) the incoming records with one another, and allow queries to be run against those records.
The features that a standard SIEM product should have can be listed as follows.
- Log collection and storage
- Alarm, report, dashboard
- Incident Response
In summary, a SIEM collects and stores log records; if identical records arrive, it shows them as a single event; it then normalizes the records into a format people can read and understand, categorizes them, establishes relationships between many incoming events, and generates alarms and dashboards accordingly. After all these steps it prioritizes the events and indicates which are more important than others.
There are currently many SIEM products on the market. The most widely purchased include IBM QRadar, Splunk, HP ArcSight and McAfee.
What is Correlation?
The definition of a good SIEM product may vary for everyone. While some define the best seller as the best SIEM product, others may measure it based on correlation capabilities. While many factors influence the selection of a SIEM solution, the greatest strength of a SIEM product comes from its correlation capabilities.
In its simplest definition, correlation is the association and analysis of log records obtained from different products and of events occurring at different times. Some of the simplest and most frequently heard examples are:
- Port scan detection
- Failed login request X times within 5 minutes
- DDoS Attack detection
- HTTP flood attack detection
The list can be extended with similar examples, but strictly speaking these are alarms rather than correlations. A correlation looks more like this:
- After a user is created, warn if the same user is deleted within 15 minutes.
- Warn if the same user logs in unsuccessfully 3 times within 10 minutes without any successful logins in between.
These are examples of correlation rules. Of course, a SIEM solution cannot be judged good or bad by reference to such rules alone, but the second scenario is a difficult rule for products without a correlation engine, because it carries the condition "no success in between".
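The two rules above, implemented as an added example (not from the original article) over a constructed event stream; the event tuples, field names and window sizes are assumptions chosen to match the rules as written, and the point of interest is how a login success resets the failure streak so that "no success in between" is honoured:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, source, event, user)
EVENTS = [
    ("2024-03-01T09:00:00", "ad", "user_created", "svc_backup"),
    ("2024-03-01T09:07:00", "ad", "user_deleted", "svc_backup"),  # deleted 7 min after creation -> alert
    ("2024-03-01T09:01:00", "vpn", "login_failed", "alice"),
    ("2024-03-01T09:03:00", "vpn", "login_failed", "alice"),
    ("2024-03-01T09:04:00", "vpn", "login_success", "alice"),     # success resets alice's failure streak
    ("2024-03-01T09:05:00", "vpn", "login_failed", "alice"),
    ("2024-03-01T09:06:00", "vpn", "login_failed", "alice"),      # only 2 failures since success -> no alert
    ("2024-03-01T09:10:00", "vpn", "login_failed", "bob"),
    ("2024-03-01T09:12:00", "vpn", "login_failed", "bob"),
    ("2024-03-01T09:19:00", "vpn", "login_failed", "bob"),        # 3 failures in 9 min, no success -> alert
    ("2024-03-01T10:00:00", "ad", "user_created", "carol"),
    ("2024-03-01T10:30:00", "ad", "user_deleted", "carol"),       # 30 min later -> outside the window
]

def correlate(events, create_delete_window=timedelta(minutes=15),
              fail_count=3, fail_window=timedelta(minutes=10)):
    """Return alerts as (rule, user, timestamp) tuples for the two correlation rules."""
    alerts = []
    created_at = {}                    # user -> time of the last user_created event
    failures = defaultdict(deque)      # user -> failure timestamps since the last success
    # Correlation depends on time order, so sort first (ISO-8601 strings sort chronologically).
    for ts, _source, event, user in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if event == "user_created":
            created_at[user] = t
        elif event == "user_deleted":
            if user in created_at and t - created_at.pop(user) <= create_delete_window:
                alerts.append(("create_then_delete", user, ts))
        elif event == "login_success":
            failures[user].clear()     # the "no success in between" condition
        elif event == "login_failed":
            q = failures[user]
            q.append(t)
            while q and t - q[0] > fail_window:   # drop failures older than the sliding window
                q.popleft()
            if len(q) >= fail_count:
                alerts.append(("failed_logins_no_success", user, ts))
                q.clear()              # reset so every further failure does not re-alert
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```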
So what should be considered when choosing a SIEM solution?
Things to Consider When Choosing a SIEM Solution
The right SIEM solution may vary depending on the business's security policies, budget and other factors. However, there are certain features a SIEM solution must offer. We can list these features as follows.
Scalability
A SIEM solution should scale to large, medium, small or any other size of organization.
Log Format Compatibility
There are many different log formats that can feed the SIEM solution to be used. The output a product produces is directly proportional to the data you feed it, so your organization's data sources should be well understood. Many SIEM products support dozens of different log formats.
Correlation Capabilities
As stated above, correlation has a central place in SIEM solutions. Rules are not all written for scenarios of equal complexity, and it may not be easy to find a solution that supports both simple and advanced use cases. For this reason, detailed analysis may be required to determine a product's correlation abilities. A SIEM product is as powerful as the variety of correlations it contains and its ability to detect previously unseen ones.
Log Retention
According to the most recent study report by the Ponemon Institute on behalf of IBM, the average time an attacker is active on your network is 280 days. For this reason, keeping log records for at least 280 days can greatly ease future analysis. For retained log records, the most commonly used hash values (MD5, SHA1, SHA256) should be calculated so that the records can be offered as evidence. In this respect, SIEM solutions have their own advantages and disadvantages.
Dashboards
Log records from different sources are presented on different dashboards, which let you see summary data and events taking place within the institution as graphs and tables. Many of these dashboards come predefined and can be customized as desired later. Dashboards are a good way to track log records in real time across the organization's inventory, and they should be simple to configure and user-friendly.
Incident Response
The SIEM solution used must actively respond to suspicious activities or attacks. These interventions may be blocking a suspicious IP address, or may include actions such as logging a user out or terminating a process.
Reporting
Reporting infrastructure is another factor in choosing a modern SIEM solution. It is an advantage when the predefined reporting infrastructure is user-friendly and provides results quickly.
Performance
Another topic that affects the choice of SIEM product is performance. The resources the product needs (RAM, CPU, disk) and the performance it delivers on them are important to the evaluation.
There are common mistakes made when purchasing a SIEM solution. The rest of the article lists them.
Mistakes Made in Choosing a SIEM Solution
- Buying the product for a single purpose, such as thinking that having a SIEM is enough to get through audits.
- Buying a well-known brand and leaving the SIEM to run on its own (set and forget).
- Lack of technical evaluations.
- Assuming the SIEM's built-in correlations are enough and never adding to them.
- Buying the product on recommendation alone.