…without the right data and the right focus.
Recently, SIEM has become a buzzword, but it is just a combination of security event management and security information management (the abbreviation stands for security information and event management). In other words: the analysis of logs with a focus on security.
The SIEM products on the market make great promises. But unless you have a network that 100% adheres to the rules and that all of the users and administrators do exactly as they should (spoiler: it is never the case!), you will get bombarded with false positives and alarms.
I have never, in my entire career, seen a network that 100% adheres to the rules. Additionally, many users use the networks for more than they should and/or are allowed to.
The key to being able to analyse logs with a focus on security is to understand everything that is outside of a SIEM product. These include questions such as:
When everything is set up, the fun begins. There will be a period where data must be analysed and whatever is found on the network that is outside of the framework must be eliminated. It includes everything from system accounts that are bombarded with AD (active directory), users who have the Hola VPN, devices that should not be on the network, errors, and time delays that make the Kerberos request not successful. This work can take organisations 3-5 months before you are ready to set up any alarms. Unfortunately, there is no such SIEM product that can complete this process for you and more importantly – you will never finish that process.
SIEM products are nothing in themselves. Unless you want a lot of false–positive alarms, then the analysis of logs with a focus on security requires an expert to connect the alarms and analyses the logs obtained. In other words, we must constantly focus on what is on the network, before we can discover what should not be there.
2×2 ≠ 5751
The point is that we must be able to analyse ourselves to see if there are obvious errors – this requires a knowledge of what is normal. The more we know about the norm, the easier it is to spot abnormalities. Additionally, it is important to gain knowledge about what is possible and needed to get data from all the devices that send their logs. SIEM does not detect mismatched logs or changes in the log structure – you would just get false results.
There are constantly new ways that someone or something can access your data outside all your security perimeters. Therefore, the vulnerabilities/methods used to compromise data must be investigated on an ongoing basis, so that you know exactly which indicators to look for and be alerted to.
Some things cannot be detected with logs, and in those cases other measures must be taken. So far, I have only encountered one SIEM product on the market that had guidelines for what we should look for. I should emphasize that these were guides and something you had to add to the SIEM product yourself. But I will give this product some credit for understanding the SEM part of SIEM.
To be honest, I have never really understood why we are so preoccupied with collecting logs from servers and networking equipment, rather than the clients. Most compromises could be detected with monitoring logs from clients. I am not saying that you should not log from the servers and network equipment, but we should think about where it is smartest to start with the collection of logs if you must prioritise.
The analysis of logs with a focus on security will give any organisation a lot in terms of security, awareness, and understanding of the network. But we need to realise that it requires time and maintenance. There needs to be a lot of input from specialists – both technical and non-technical for implementation. Therefore, I would suggest getting help from experts for the project.
Do you want to see if your organisation is prepared to do the analysis of logs with a focus on security? Write to me at firstname.lastname@example.org and I will give you 5 questions to evaluate this.
Unfortunately, it is not possible to buy a one–size–fits–all solution – sorry about that.
Kenneth is a co-founder of CyberPilot. CyberPilot focuses on helping companies that have already realised that cybersecurity = risk and risk management. We do this by focusing on the initiatives that provide the greatest value. We have already helped many organisations.
Follow us here on the website or on LinkedIn. We regularly provide advice and guidance on how you can also work with cybersecurity with simple steps and how you can make sure to use your resources most efficiently.
Join our 2000+ subscribers and sign up for our newsletter. You will receive inspiration, tools and stories about good cyber security practice directly in your inbox. Our newsletter is sent out approximately once a month.