What Types of Attacks Does SIEM Detect?
Security Information and Event Management (SIEM) solutions are known for their ability to provide visibility into IT environments by monitoring data sources for unusual activity and contextualizing them for security insights. According to the 2021 SIEM Report by Cybersecurity Insiders, 76% of cybersecurity professionals surveyed reported that SIEM improved their ability to detect threats. But what types of threats do SIEM solutions detect? Let’s review the top results from the 2021 SIEM Report.
While unauthorized access isn’t a specific type of attack, it is typically indicative that one may be in progress. An external attacker may use something like brute force attack to attempt to crack a user’s password, but a SIEM solution can detect repeated access attempts. Once detected, a SIEM can escalate this information to a security analyst in real time, enabling them to investigate the event and lock the account if there aren’t already built-in parameters limiting the number of login attempts.
There are two types of insider attackers: malicious and accidental. A malicious insider is either an unhappy or opportunistic employee that uses the access they have to steal or sabotage sensitive data. It may also be a former employee who has not yet had their credentials deleted. A SIEM can monitor employee behavior and flag any activity that is unexpected for that particular user or access level. For example, if an ex-employee’s account suddenly became active or if an employee is accessing files or databases they don’t need in order to do their job, these events would immediately be escalated to a security analyst.
Accidental insider attacks are those who unintentionally help an external bad actor to pivot during an attack. For example, if an employee misconfigured a firewall, this would leave an organization more vulnerable to a breach. Since security configurations are so vital, a SIEM can create an event any time a change is made, escalating it to a security analyst to ensure that it was intentional and correctly implemented.
Malware is a broad term that generally includes any type of software that is created to disable or damage computer systems, like viruses, ransomware, worms, trojans, etc. While security logs may send out alerts that could indicate a breach, it could also just as easily be a false alarm. SIEM solutions use event correlation to better determine true infections and potential origin points of attack.
Denial of Service Attacks
A denial-of-service (DoS) attack disrupts the standard operation of a system or device, like a network server. This attack floods the target with traffic, which blockades normal traffic and forces it to deny access. Such attacks typically result in a slowdown of service or a total crash. A SIEM would be able to flag such an abnormal event from web traffic logs, prioritizing the event and sending it to an analyst for further investigation.
Hijacking is when an attacker seizes control of systems, networks, or applications. For example, session hijacking can take place when a threat actor intercepts session tokens to gain access to a user account. SIEM solutions monitor user behavior and can detect suspicious activity, like a user accessing systems they don’t typically use or having more than one active session. Additionally, any changes to root access are logged, so if a threat actor attempted to escalate privileges, a SIEM can escalate this information to the security team.
Advanced Persistent Threats
Advanced Persistent Threats (APTs) are incredibly sophisticated attackers who use a high degree of stealth over a prolonged duration of time in order to compromise and retain access to a system. Because these attacks are so stealthy, they may not trigger alerts in certain parts of the system, or the alerts they do cause are dismissed as benign. Having event correlation in a SIEM solution helps demonstrate a pattern of abnormal behavior, flagging it as a true concern that security analysts should look into.
Web Application Attacks
There are a variety of strategies for attacks on web applications. For example, SQL injection attacks manipulate queries by injecting unauthorized, malicious SQL statements. Typically SQL injections are used to find and read, change, or delete sensitive information they wouldn’t otherwise have access to. SIEM solutions can monitor activity from web applications, and can flag any abnormal activity, and use event correlation to see if any other changes took place during this event.
Phishing uses deceptive emails or other means of communication to get malware past the perimeter or access credentials. These emails often contain malicious links or attachments embedded in emails. Once an attacker has legitimate credentials, they can seemingly login to a system without issue and attempt to escalate their privileges to gain root access and full control of the system. However, SIEM solutions are able to monitor employee behavior. For example, a SIEM could track authentication activities. While an attacker’s credentials may be legitimate, their location or login time may be different. Any unusual authentication attempts would create an event in real time, enabling an analyst to lock out the user pending investigation.
Centralizing Your Security with SIEM
Ultimately, SIEM solutions do more than just monitor your environment for these attacks. They centralize and normalize data streams, streamlining the investigation process for security analysts. By escalating only events that have been prioritized as truly risky, analysts don’t have to waste time looking into benign threats and can reduce dwell times and the risk of damage to the organization.
Want to learn more about SIEM solutions?
Read the 2021 SIEM Report, a comprehensive survey of cybersecurity professionals from Cybersecurity Insiders, focusing on how cybersecurity professionals view and use these security monitoring solutions.