The Daily Life of a SIEM: A Use Case Guide

Image

Use Case: Security Event Prioritization

Security analyst Jim Johnson receives hundreds of notifications from different datastreams and can’t read through them all, causing a significant backlog to build up.

Danger:

In order to safeguard organizations against security threats, monitoring data is generated from sources across the IT environment, including networks, applications, devices, user activity logs, different operating systems, databases, firewalls, and network appliances. Most security events from these data sources are completely benign, like a syslog notification that an automated check for updates found that there were no new updates.

However, mixed in with these minutiae are critical security events, which is what Jim is looking for as he combs through these notifications. However, several roadblocks prevent him from efficiently and effectively addressing these issues.

First and foremost, the sheer volume of events makes it impossible for Jim to uncover security events quickly. This backlog can become very dangerous, as true security problems require urgent attention to prevent permanent damage.

Secondly, raw data from all of the numerous assets is not delivered in one common language. Different logs come in different formats, with different types of messages. Security analysts can’t be expected to be experts in every type of language, adding time to the translation process.

Lastly, security issues can easily be missed or mistaken as harmless without additional context from other sources and events. Given how much time it takes to address the volume and interpretation problems, it is nearly impossible to dedicate resources to attempt to manually correlate events.

Remedy:

Event Manager specializes in distinguishing critical events from the noise with real time risk prioritization that can be tailored to suit any organization’s needs. From there, automated escalation ensures that alerts go to the right person to take on investigation and remediation. Additionally, data is normalized, putting events into a common, readable format that doesn’t require additional expertise. This saves analysts time from having to interpret information coming from so many different sources.

Image

Use Case: Detect Any Change to the Security Configuration

Late one evening, a rule in the firewall configuration at Acme, Inc. is modified by an administrator.

Danger:

Security configurations are critical to the safety of any organization. Any change to any part of a security configuration can leave an organization dangerously exposed if done improperly. Misconfiguring a firewall leaves Acme open to any number of attacks and breaches. For this reason, any changes made to a security configuration must typically be reviewed and approved before implementation.

Remedy:

Because of the sensitive nature of security configurations, Event Manager can automatically detect this activity and generate an event. Once elevated to Acme’s security analyst, they would check to make sure a ticket had been filed requesting the change, as security configuration changes would typically require documentation for review. They would also be able to use Event Manager to filter out any other actions of the administrator to ensure there was no other suspicious behavior prior or after the configuration change. After this inquiry is complete, the analyst would be able to assign the case to security specialist for further analysis, with Event Manager providing a full audit trail of the investigation.

Image

Use Case: Monitor Employee Behavior

John Doe has worked for Acme Inc. for two years as a database administrator. Last Friday, John abruptly quit.

Danger:

As a database administrator, John has access to everything in those databases, including user accounts, financial data, and customer information. Additionally, many administrators are given root access, also known as a superuser account. This means that John has access to everything – not just the databases he’s in charge of.

If John is leaving on bad terms, or has other motives for malicious behavior, there’s a chance that he could have abused his privileges by stealing or altering data. Unfortunately, because of John’s status both as an employee and as a database administrator, typical security alerts would not be activated, as all of these activities are permitted for his job role.

Remedy:

As mentioned above, a security alert would not have been necessarily raised since John has permission to access secure data. However, with Event Manager, anything outside of ordinary behavior would have been logged as an event and stored. A security analyst can monitor John’s historical activity to see if he’s been engaging in activity that, while permitted, is not necessary for his job or is suspicious in some other way. The analyst can filter activity by user and check John Doe’s account activity to audit his actions. Event Manager can even filter by the source IP to find out if John used another login from the same workstation—perhaps switching from his own user login of JDoe to that of a root or superuser account.

Additionally, Event Manager can check any recorded events from all accounts for a specific timeframe. The analyst could check all events from the 48-72 hour window before John’s resignation to make sure large amounts of data weren’t deleted, altered, or changed in some other way that would indicate potential espionage.

Image

Use Case: Prevent Users From Having More Than One Active Session

Joe Bloggs, a network administrator, is logged in under the username JBloggs, performing tasks at his workstation at Acme headquarters. JBloggs also appears to be logged in remotely from a location abroad.

Danger:

It is extremely rare for anyone to require more than one active session in order to get their job done. Active sessions from different sources, be it different locations or operating systems, almost always indicates that credentials have been stolen. This is particularly dangerous for an administrator, who has additional privileges that can be used to access, alter, and delete critical data.

Remedy:

Event Manager would create an event the moment a second active session was created for a single user, notifying an analyst with a treatment plan to freeze the account until further analysis can be performed.

From there, the analyst would investigate the actions of the user. In order to differentiate between the two sessions, Event Manager allows you to filter by workstation. That way, the analyst could see the tasks performed by the Acme headquarters workstation and compare them to that of the workstation abroad to assess each session independently.

Image

Use Case: Log All Changes, Additions, or Deletions to Any Account With Root or Administrative Privileges (PCI DSS Requirement)

Alice Johnson, a web administrator, discovers changes were made to the server by a web marketer, Bob Jones.

Danger:

Bob Jones should not have administrative privileges and could have unintentionally caused serious damage. Elevated or privileged access should be limited to only those who need it and understand how it is used. More worrisome is how Bob received these privileges. Mistakes are possible, particularly if there are identical or similar usernames involved. However, the addition of privileges is often indicative of malicious activity.

Once someone has root privileges, they can make any number of changes to the IT environment and have access to confidential data. It’s vital to know not only what someone with administrative privileges is doing, but who granted them that privilege in the first place. This has become so important that it is now a featured requirement of the PCI Data Security Standard, which is particularly concerned with customer data privacy.

Remedy:

The moment Bob received root privileges, Event Manager would have sent an alert to a security analyst notifying them of it, due to the sensitive nature of the activity. The security analyst would be able to track down not only what Bob did with his newfound access, but when, where, and who granted him this access.

Image

Use Case: Multi-Tenancy

Acme has recently acquired an organization that focuses on managing IT services for other companies, including security monitoring.

Danger:

When managing IT services for different companies, using a single instance SIEM solution would require monitoring all the data from every customer under one umbrella and without any segregation. This not only violates best practices, but is also a dangerous security and privacy risk. In order to use a single instance SIEM solution safely, Acme would need to purchase one copy per company they manage. This approach costs not only a significant of money, but also time, due to the upkeep and basic administration of so many individual solutions.

Remedy:

Event Manager multi tenancy capabilities allow for easy management of so many different partitions. Customer accounts are segregated and easily managed through one centralized solution. Acme can rapidly detect and respond to threats, even for substantial, complex networks with high volumes of security events to manage. Acme will also be able to provide ample flexibility for each individual customer, tailoring each instance as needed.

Image

Use Case: Monitor Activity From Third Party Applications for Correlation

A new, credentialed, user account, DbCooper, was created at Acme, Inc. Immediately after creation, the DbCooper account performed several actions within Acme’s financial applications. Five minutes later, the account was then deleted.

Danger:

Since all of this activity is permitted internally, it isn’t indicative of a breach and would not be caught by typical anti-malware. Without constant monitoring, this event could easily fly under the radar and not be caught for weeks or months, if at all. This is particularly unnerving when it comes to financial applications, since both confidential data and significant amounts of money are at risk.

Remedy:

With Event Manager, this event would be caught, escalated, and an analyst would be alerted in real time, allowing Acme to act fast to ensure minimal damage. Event Manager enables third party applications to be integrated into its centralized console, streamlining the monitoring and escalation process. Additionally, it enables an analyst to be able to find correlating events, providing a new angle from which to assess the security picture.

An analyst would be able to see exactly what occurred within the financial application, and if any other suspicious activity took place during that time frame elsewhere in the system. Additionally, the analyst can see who created the new DbCooper account. From there, they could investigate if the DbCooper account, or the user that created it, performed any other suspicious activities.

Image

Use Case: Integration With Network Monitoring

To enhance their business Acme’s IT team has recently introduced several new applications into their environment. Unfortunately, the security team is unaware of these recent additions.

Danger:

Acme, like many other organizations, has new assets set up by members of their IT staff, who are outside of the security team. There is often a long delay between when a new device or application is deployed and when it is integrated into a security monitoring tool. Threat actors can take advantage of this delay and use new data sources to breach an organization unnoticed, gaining access and stealing data before a tool is ever monitored.

Remedy:

Acme’s network monitoring tool, Intermapper, creates a map of their network, displaying all that is occurring on an organization’s network, like performance issues, outages, bandwidth, and any other changes in the network, including the appearance of new devices.

Event Manager can integrate with Intermapper, ensuring the security team will immediately become aware of the presence of a datasource that needs to be monitored for security events. By eliminating the long absence of coverage, potential malicious activity will no longer go unnoticed.