SIEM-Incorporating Incident Response into Network Security

Security Information and Event Management - Network Security

Hey There,

The task of Threat Analysis, documentation, and identification, on multiple devices, connected to a network, is by means, very tiresome. Imagine threat analysts having to go through devices (IoT, BYOD), etc, which do not fit the security policies in place.

It requires an extensive need of tools, frameworks, precautions, which can consume valuable time, while the threat actor manning those devices initiates an attack.

Introduction

Security Information and Event Management (SIEM), is an application of Network Security, implemented on an organization’s connectivity framework, that provides real-time threat alerts to threat analysts when a suspicious device has connected to the organization’s network. The analysts can then snuff out the danger, from the network, using the appropriate tools. It takes the help of trends, observed from historical records (device logs), which can be used as part of the identification of threats. Its Event Management System improves investigative efficiency and reduces time wasted on false positives.

Automation is crucial in today’s world, making its presence known in a variety of industrial fields. Naturally, its need became paramount in the world of Cyber Security, taking steps in the incident response and initial device scanning processes. Automation also made its way to SIEM.

How does SIEM conclude whether a device poses a risk or not?

SIEM’s have inbuilt threat intelligence services, that perform analytical tests on a device and then check its logs for further suspicious activity. Indicators of Compromise are also watched out for. If the device poses no risk, it is given the all-clear. Devices can range from physical to virtual ones connected to a cloud.

The device logs and security alerts are then stored on a centralized server, for reference, in case of a breach.

If the worst-case scenario happens, the device is flagged, threat alerts are sounded out in real-time, and steps are taken to eliminate the threat source.

SIEM possesses analytic tools, such as User Entity Behaviour Analytics (UBEA), that help shed light on user anomaly and suspicious behavior of users. Users are not necessarily confined to humans, but consider machines too. This is especially useful, in the case of Insider Threats. Threats/User Anomaly Observed:-

• Brute Force attacks

• DDOS Attacks

• File System Attacks

Prioritization and Importance

When realization dawned, that information, in any form could be valuable and could be used for good or bad intentions, it gave rise to a few standard data regulations frameworks, that we are aware of, namely GDPR, HIPAA, PCI-DSS, etc.

Implementing SIEM, could ensure the secure management of databases, containing information, provide access control to concerned personnel and provide real-time alerts for breaches and other incidents

SIEM Framework

Initially, Organizations do not side with regulatory compliance. Such ignorance was constantly targeted with cyber attacks, along with data breaches. On top of the pile, they had to pay up fines for not following compliance rules.

Imagine valuable data of individuals being stolen, which contains identifiable info, sensitive information, and a lot more. A lot of trust is placed by individuals, upon an entity to store their data. The least that could be done is to follow the standard rules in place. Infamous examples are the TJX data breach of 2007 (PCI-DSS) and the WellPoint data breach of 2010 (HIPAA).

Eventually, entities started realizing its need, for the current scenario and though it has not led to decreased rates of leaking information, it has put a structured security framework in its place, with policies and standards to be adhered to. Security reports are generated for the organization, helping to meet compliance and keeping track of logged security events.

Advantages of SIEM

• Automated Threat Detection and timely alerts

• Increased Efficiency

• Cost-effective

• Intelligent, in terms of classification of threats.

Disadvantages of SIEM

• Initially, configuring and setting up SIEM, on each endpoint of the network, was a tedious task. Simply put, a skilled workforce needs to be available, to do the work.

• Manually sifting through each device’s log records. Pretty time-consuming.

NOTE: This was prevalent in the yesteryear SIEM implementation models

Component for Network Security

SIEM simplifies integration and deployment, by the use of a real-time, asset discovery and device configuration engine. It can manage an inventory of devices connected to the network, forming a topology and relationships between devices. This correlation between endpoints find application in forensic investigations and reconnaissance

The records compiled in the centralized server, act as a reference, in detecting new attack patterns and indicators of compromise, which are identified and can be prevented from the next attack instance.

Conclusion

In conclusion, the emergence of next-generation SIEM software, such as FireEye and FortiSIEM are more advanced than their legacy counterparts and help sustain the need for Network Security defense.

For those who missed my previous piece on the unraveling of the Markovian Parallax Denigrate mystery, you can view it here

Thank you, for spending your precious time, digesting this article and I mean it

Your opinion matters

My audience has a voice. Feel free to reach out to me, on my socials (links are on top of this page) for any queries to be addressed. Dropping a sweet message would make my day

Let your opinion about this write-up be known, by selecting any one of the emojis below!