Recent research indicates that up to 70 or 80% of SIEM deployments are driven by PCI DSS or other regulations. The following table shows a few example regulations that affect SIEM and log management.
While it is desirable for the organization to come up with their own requirements for a SIEM and their own use cases, here are the most common SIEM use cases that are addressed by today’s SIEM tools and that are successfully implemented at many organizations.
Compliance and Beyond
The easiest way to expand the use of log management or SIEM tools beyond compliance is to actually start using them for compliance, but using them well. Based on this and other examples from the author’s recent consulting practice, we can formulate the following success criteria for moving beyond compliance.
First, the path to effective operational use of SIEM tools starts from operationalizing compliance practices. Few people remember that PCI DSS prescribes a large set of periodic tasks, from annual to daily (log review being the most well-known example of a daily practice).
Second, an incident response capability must exist – the personnel operating the SIEM tool should know what to do if a high risk alert is triggered. This is due to the fact that the easiest and most common security use for log management and SIEM tools is related to incident response and forensics.
Third, a certain degree of security practice maturity has to exist. If an organization falls under the mistaken perception that buying the tool is enough to make them compliant, the tool likely will become “shelf-ware”. SIEM operators have to follow a particular workflow to accomplish their goals.
Fourth, the concept of monitoring – whether for regular availability or threats – should exist. Simply buying a tool that is capable of enabling such monitoring does not create a monitoring capability. Such a capability combines skilled personnel and effective SIEM tools. Fortunately, most organizations already have monitoring tools for operational visibility and uptime monitoring. A full Security Operations Center (SOC) is not required; however, the organization must have, or start to build, security monitoring capabilities, such as dedicating a person or team to ongoing periodic security monitoring.
Fifth, an organization must be able to integrate log data sources as well as asset data sources into its SIEM tool. This will enable it to review alerts and then respond to them in the context of the organization. Feeding the SIEM tool with logs, vulnerability scan data, asset information, and security configuration management information will enable it to perform its mission with high efficiency and thus solve more business problems. The organization must also accept the responsibility for tuning and customizing its deployed SIEM tool.
Server user activity monitoring
Organizations that deploy thousands of servers with various operating systems, such as Linux, Solaris, or Windows, have a challenge tracking who is logging in to all those servers. While centrally collecting all the login and other authentication logs from thousands of servers presents a challenge, intelligently analyzing all the authentication data is even more difficult.
Typically, a company would like to know whether people who are accessing the servers are doing it legitimately and with business purpose in mind. Also, organizations would like to know whether anybody is trying to compromise a server by trying multiple usernames and passwords, possibly in an automated fashion.
Being able to know that access by a particular user to a particular server is suspicious or malicious allows companies to detect possible hacking and insider abuse incidents at an early stage, before most of the damage is done.
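The following is an added illustration, not code from the article: a minimal correlation rule of the kind a SIEM would run over centrally collected authentication logs. It parses a handful of constructed Linux sshd syslog lines (sample data) and flags a source address that fails too many logins, or tries too many distinct usernames, across several servers within a short window; the thresholds and the assumed log year are arbitrary.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sshd entries in classic syslog format (sample data, not from the article).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51111 ssh2
Mar  3 10:01:04 web01 sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51112 ssh2
Mar  3 10:01:06 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51113 ssh2
Mar  3 10:01:09 db01 sshd[9801]: Failed password for invalid user test from 203.0.113.7 port 51114 ssh2
Mar  3 10:02:30 db01 sshd[9901]: Failed password for alice from 10.0.0.23 port 40001 ssh2
Mar  3 10:02:41 db01 sshd[9903]: Accepted password for alice from 10.0.0.23 port 40002 ssh2
"""
LOG_YEAR = 2024  # syslog timestamps carry no year; fixed here so results are reproducible

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_auth_log(text):
    """Normalize sshd lines into (time, host, result, user, source) tuples; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], m["result"], m["user"], m["src"]))
    return events

def detect_bruteforce(events, window_s=60, max_failures=5, max_users=3):
    """Per source address, find the busiest sliding window of failed logins across all servers and
    alert when it holds too many failures (guessing) or too many distinct usernames (spraying)."""
    by_src = defaultdict(list)
    for ts, host, result, user, src in events:
        if result == "Failed":
            by_src[src].append((ts, host, user))
    alerts = []
    for src, fails in by_src.items():
        fails.sort()
        best, start = [], 0
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > len(best):
                best = fails[start:end + 1]
        users = sorted({u for _, _, u in best})
        if len(best) >= max_failures or len(users) >= max_users:
            alerts.append({"src": src, "failures": len(best), "users": users, "hosts": sorted({h for _, h, _ in best})})
    return alerts
```

Note that the single failed attempt by alice followed by a success is not reported: the rule looks at the pattern across servers, not at any one failed login.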
Tracking user actions across disparate systems
Security incident response, compliance, and Human Resources (HR) requirements all call for investigating user activities across multiple information systems. Log management and SIEM tools are ideal for that, since they contain traces of user behavior across possibly every system in the organization.
Recently, investigation of insider fraud cases has increased the need for efficient, quick and comprehensive user activity investigation across servers, network access devices and applications. In addition to this, individual user activity monitoring can be used when suspicion exists that the user is “up to no good.”
Comprehensive firewall monitoring
Since the early days of SIEM technology, firewall log data has been considered one of the most useful and commonly collected information sources.
Apart from allowing and denying connections to and from the network, firewalls can record a log entry for every single connection they deny or allow. Examples would be connections from the outside world to the DMZ Web server, or connections by users inside the company to their favorite social media Web site.
Analysis of such logs is extremely useful for security, compliance and even operational purposes such as network management, bandwidth management, etc.
It is well-known that signature based antivirus technologies are losing their efficiency as a primary weapon in the war against malicious software. Detection and clean rates have been dropping dramatically over the last few years.
To detect modern commercial malware, desktop and gateway anti-virus tools need to be reinforced with network traffic analysis and log analysis. In addition, scenarios where anti-virus technology detects the threat but is unable to delete it are not uncommon. Using SIEM for detecting and highlighting such situations is within the capabilities of most organizations.
Another useful scenario for malicious software analysis using SIEM presents itself during a major malware outbreak. In this case, using correlation technology allows organizations to track which systems are infected and are spreading malware. Detecting systems that attempt to connect to other systems in order to spread malware is one of the effective ways to curb the outbreak.
Finally, as botnets and other modern commercial malware become even bigger threats, SIEM presents a way to analyze diverse sources of information, thus making it possible to detect advanced malicious software missed by antivirus solutions.
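As an added example (not from the article) serving both the firewall monitoring section above and the outbreak scenario just described: a two-stage correlation over constructed, vendor-neutral firewall connection records. It first flags an internal host that fans out to many distinct internal destinations on one port within a short window, then uses the allowed connections from that host to list which systems were exposed and which of those have since started spreading themselves. The CSV layout, the 10.0.0.0/8 address plan, port 445 and the thresholds are all assumptions for the sample.

```python
import csv, io
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
# Constructed, vendor-neutral firewall connection log (sample data, not from the article).
SAMPLE_FW_LOG = """\
time,action,src,dst,dport,proto
2024-03-03T10:00:01,allow,10.1.1.50,10.1.2.10,445,tcp
2024-03-03T10:00:01,deny,10.1.1.50,10.1.2.11,445,tcp
2024-03-03T10:00:02,deny,10.1.1.50,10.1.2.12,445,tcp
2024-03-03T10:00:02,allow,10.1.1.50,10.1.2.13,445,tcp
2024-03-03T10:00:03,deny,10.1.1.50,10.1.2.14,445,tcp
2024-03-03T10:00:03,deny,10.1.1.50,10.1.2.15,445,tcp
2024-03-03T10:00:09,allow,10.1.2.13,10.1.3.20,445,tcp
2024-03-03T10:00:10,deny,10.1.2.13,10.1.3.21,445,tcp
2024-03-03T10:00:30,allow,10.1.1.77,203.0.113.10,443,tcp
"""
INTERNAL = ip_network("10.0.0.0/8")  # assumed address plan for the sample
def parse_fw_log(text):
    """Normalize CSV rows: real timestamps, integer ports, sorted by time."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["time"] = datetime.fromisoformat(r["time"])
        r["dport"] = int(r["dport"])
        rows.append(r)
    return sorted(rows, key=lambda r: r["time"])

def detect_outbreak(events, window_s=60, port=445, min_targets=5):
    """Two-stage correlation on internal-to-internal traffic on the worm's port: a source reaching
    >= min_targets distinct destinations in the window is a spreader; hosts it was allowed to reach
    are exposed; an exposed host that later initiates its own connections on the port is infected."""
    on_port = [e for e in events if e["dport"] == port and ip_address(e["src"]) in INTERNAL and ip_address(e["dst"]) in INTERNAL]
    by_src = defaultdict(list)
    for e in on_port:
        by_src[e["src"]].append(e)
    spreaders = set()
    for src, evs in by_src.items():  # sliding window of distinct destinations per source
        start = 0
        for end in range(len(evs)):
            while (evs[end]["time"] - evs[start]["time"]).total_seconds() > window_s:
                start += 1
            if len({e["dst"] for e in evs[start:end + 1]}) >= min_targets:
                spreaders.add(src)
                break
    exposed = {}  # victim -> time of the first allowed connection from a spreader
    for e in on_port:
        if e["src"] in spreaders and e["action"] == "allow":
            exposed.setdefault(e["dst"], e["time"])
    infected = sorted(v for v, t in exposed.items() if any(e["src"] == v and e["time"] >= t for e in on_port))
    return {"spreaders": sorted(spreaders), "exposed": sorted(exposed), "infected": infected}
```

The denied connections matter as much as the allowed ones here: they are what reveals the fan-out, which is why the article treats firewall logs as a first-class security source rather than only an access-control record.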
Web server attack detection
Web application attacks have increased in recent years by a huge margin. Research indicates that a majority of Fortune 1000 companies’ Web sites are vulnerable to various Web application attacks, from cross site scripting to SQL injection as well as business logic flaws. It was also discovered that the vast majority of credit card data theft occurs through Web attacks, at least as one of the stages that leads to data theft.
What makes Web application attacks so prominent is a multitude of factors. Web servers are always exposed to the Internet in order to engage in e-commerce and partner transactions. Many Web applications – including those that handle regulated data – are written by companies internally or by outsourced developers. This prevents an organization from promptly patching an application when a vulnerability is discovered, since developing such a security patch requires cooperation from the application developers.
In light of this, Web site security monitoring and reporting presents a critical requirement that is also increasing in importance. SIEM allows organizations to collect and analyze Web server logs in order to detect possible Web site compromise, thus saving the company from direct losses and embarrassment.
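An added example, not code from the article, of the kind of Web server log analysis described above: it parses constructed Apache/nginx "combined" access-log lines (sample data), URL-decodes each request so that percent-encoding does not hide the content, tags requests that match a small set of defensive indicators for the attack classes named in this section, and then reports only sources with several tagged requests. The indicator patterns are a deliberately tiny, assumed subset; a real SIEM or WAF ruleset is far larger.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache/nginx "combined" access-log lines (sample data, not from the article).
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [03/Mar/2024:10:05:01 +0000] "GET /products?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2024:10:05:02 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2024:10:05:03 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2024:10:05:04 +0000] "GET /../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Mar/2024:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Mar/2024:10:06:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

# Small, assumed indicator set applied to the URL-decoded request; a production ruleset is far
# larger. Decoding first is what defeats the simple percent-encoding in the sample lines.
INDICATORS = {
    "sqli": re.compile(r"(?i)'\s*or\s*'|\bunion\s+select\b"),
    "xss": re.compile(r"(?i)<script\b|javascript:"),
    "traversal": re.compile(r"\.\./"),
}

def parse_access_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"src": m["src"], "uri": m["uri"], "status": int(m["status"])})
    return events

def classify(uri):
    """Return the indicator names that match the decoded URI (empty list for benign requests)."""
    decoded = unquote_plus(uri)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]

def detect_web_attacks(events, min_hits=2):
    """Per-source correlation: tag each request, then report only sources with several tagged
    requests, so a single odd-looking URL does not page an analyst on its own."""
    hits = defaultdict(list)
    for e in events:
        tags = classify(e["uri"])
        if tags:
            hits[e["src"]].append({"uri": e["uri"], "status": e["status"], "tags": tags})
    return {src: reqs for src, reqs in hits.items() if len(reqs) >= min_hits}
```

Keeping the response status with each tagged request is what lets an analyst separate probes the application rejected from ones that produced a 200 or a 500, which is the first question in a possible-compromise triage.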
Incident response enablement
SIEM and log management tools that can collect massive volumes of diverse log data without issues are hugely valuable for incident response. Having a single repository for all activity records, audit logs, alerts and other log types allows incident responders to quickly assess what was going on during an incident and what led to a compromise or insider abuse. Incident response is the only unavoidable part of information security.