SIEM Log Management Security
The importance of SIEM products or SIEM approaches, which are the shining stars of the cyber security community in recent years, is increasing. Therefore, in parallel SIEM log management is gaining importance day by day.
With the increase in open source or free software and the continuous development of enterprise SIEM software, understanding SIEM is now critical for organizations. First of all, it is worth noting that SIEM is a security approach in line with the security strategies of institutions, different from a product, software or device. SIEMis based on the interpretation of the obtained logs and taking action. Contrary to popular belief, its main purpose is not to collect logs continuously.
As defined, in addition to the healthy interpretation of the logs (logs) obtained in line with the security approaches of the institutions, they should be used correctly in essential situations. How the Log Management should be in the form of essential situations (KVKK) and security situations can be examined under 2 headings.
KVKK, ISO 27001, Log Keeping as per Law No. 5651
against legal obligations SIEM log management and configuration possible. Such flexibility is available in SIEM. Here are some important details on how these processes should be done correctly.
- According to the law numbered 5651, logs in SIEM products should be kept for two years. Organizations that carry out financial activities such as banks and have electronic payment systems should keep logs for three years.
- Obtained log types must comply with ISO 270001 security standards.
- According to the integrity principle, log records should be kept using timestamp.
- Institutions should be followed by logging according to the scope of international standards to which they are subject, such as SOX, HIPAA, PCI DSS.
Log Keeping According to Security Management
SIEM is just one security product It is extremely critical to make regular improvements in log management in order to ensure maximum benefit. Under this heading, it will be mentioned how log management can be shaped in order to use SIEM more effectively. Improvements here are constantly based on the management of logs according to possible attacks.
- In order not to be affected by exposed Zero-Day vulnerabilities, logs should be defined as correlation to SIEM instantly.
- SIEM Hardening should be done at regular intervals. In this way, logs will play a more effective role by gaining an offensive perspective.
- If a cyber intelligence firmware is available, the intelligence information obtained (IOC), SIEM logs should be interpreted and rules should be formed accordingly.
- Attackers can hide themselves by deleting or changing the logs on the system they infiltrated. In order to avoid such situations, the security of the log itself should also be ensured.
- After analyzing the log analysis, the institutions exposed to the attack should make determinations about the attacker(s) and make a log arrangement according to the next attack scenario. The MITER ATT&CK framework should be adhered to, not only for this situation, but also for all improvements.
- Taxonomy structures must be created in SIEM. In other words, logs that may create signs of attack should be interpreted together, attacks should be defined and alarm should be created.
- Password for authentication and logs created by 2FA (dual authentication) must be collected completely so that they can be interpreted.
Briefly; SIEM log management It increases its importance in our lives as a subject that companies start to focus on.