Magic out of the box – Does it apply to SIEM solutions?

How do you know if it’s time to migrate to another SIEM solution? This question pops in the minds of security officers when the efficiency of their current out-of-the-box SIEM system doesn’t make up for the money spent. Most SIEM product users don’t consider information security consulting helpful in upgrading their SIEM solution and opt for replacing the systems altogether. To cap it all, in pursuit of new customers SIEM vendors keep twisting the knife, pushing forward their “unique”, “superb” or even “magic” out-of-the-box SIEM system that will ensure 100% network security once for all. Naturally, your current SIEM software fades in comparison with the new arrivals to the market.

Magic out of the box - Does it apply to SIEM solutions?

Yet, don’t jump to conclusions and brand your SIEM solution “inefficient”. It may rise like a phoenix from the ashes if properly customized, and this does take a bit of consultants’ work.

The checklist: Don’t ditch your SIEM system if…

Use the following checklist to find out whether you should replace your current SIEM software with a new one.

  • All main log sources are connected

Don’t underestimate the power of log sources. They give answers to important questions: Who is attacking? How are they doing it? The more log sources are connected to your SIEM software, the more information from your system you get. No out-of-the-box SIEM solution sees all the key elements of your network, so it can’t ensure that all vital log sources are connected.

Here’s the list of critical areas for log source monitoring:

  • Authentication systems

Authentication systems register every authentication attempt, providing details on the source, user name, authentication success or failure, date and time. Without this information, there are chances to miss a potential hacker who has logged into your network without being noticed.

  • Edge firewalls

Logs from edge firewalls provide information on whether network traffic is allowed or blocked, which helps to spot the intention to send malicious traffic.

  • DNS, DHCP servers

If a SIEM system doesn’t get logs from a DNS server, it won’t be able to track users’ requests to external hosts. Consequently, it won’t understand what IP addresses are featured in the requests and miss ill-reputed IPs.

If a SIEM system doesn’t get any logs from the DHCP server, security administrators won’t receive any information about the system or the user who gets a dynamic IP.

  • Websites hosted on your company’s local server

If your company hosts its own website in local network/ DMZ which can be accessed from the Internet, hackers may detect vulnerabilities there and attack it. Collecting the website access logs will help to detect such attacks as SQL injection, cross-site scripting (XSS) and brute-force.

  • All DMZ services

Logs from DMZ resources allow to spot hacking attempts on public-facing services in this buffer zone. Thus, even if DMZ services are compromised, your trusted network will remain protected due to its complete isolation from threats.

  • All events are parsed

Successful event parsing ensures that a SIEM system understands and is able to categorize events. For example, IBM® Security QRadar® SIEM system parses events with the help of Device Support Modules (DSMs). Due to various reasons, there’s a chance of improper parsing or mapping of events with out-of-the-box DSM modules. As a result, important events remain unparsed and go to the “stored” category, as it can’t be used by correlation rules for offense detection. To solve this problem, information security consultants create parsing enhancements (LSE) for out-of-the-box DSMs and custom LSX/DSM QRadar integrations for unsupported DSMs.

  • All performance issues are addressed

These are the common reasons for poor SIEM system performance:

  •  EPS license limit excess

Raw events are processed by SIEM systems according to the EPS license. If the number of events exceeds the license limit, QRadar will drop those events categorizing them as “stored”.

  • Inefficient regex

Regex (regular expressions) "extract" information from the log by using match groups. Without optimization, regular expressions become inefficient and slow down the performance of your SIEM system.

  • Ineffective reports

Due to the number and variety of events logged, a SIEM system report may be based on excessive data, which is rather ineffective. It’s recommended to limit the scope of search by excluding all mundane events and those covered by other reports.

  • Ineffective correlation rules

Correlation rule execution may be time-consuming, and degraded performance can lead to detection issues. Information security consultants are the ones to set the correlation rules tailored to your SIEM platform and ensure filtering options are in place.

  • Non-indexed fields

Indexes are used to quickly locate data without having to search every row in a database table every time it is accessed. In case your search and report database contains non-indexed fields, event processing for reports can take too much time.

  • Custom correlation rules are created

The number of correlation rules in out-of-the-box SIEM solutions is always limited and, therefore, insufficient for covering all threat cases. Find out more about the ways to customize correlation rules in our article.

  • APT is taken into account

Being good at collecting, analyzing and reporting on log entries, out-of-the-box SIEM systems aren’t designed for protection against APT. The reason is that such SIEM systems monitor networks based on a limited range of correlation rules. Fine-tuning your SIEM solution includes developing custom correlation rules to add another layer of defense. Moreover, experienced SIEM consultants will boost the capabilities of any SIEM system to spot malware infections and spear phishing, scan network activities, detect attackers’ lateral movement and sensitive data exfiltration.

Is magic possible?

Definitely, it is. But don’t expect it from an out-of-the-box SIEM system. It is information security consultants who create a personalized SIEM solution tailored specifically to your network. Migrating to another out-of-the-box SIEM platform won’t fix all your security issues anyway, and you will likely continue your quest for the “magic out of the box”. Don’t get trapped into this vicious circle.

Do you want to keep your business data safe? We offer information security consulting services that address security challenges of any complexity.

About the Author: Dmitry Nikolaenya

SIEM department coordinator with more than 10 years of experience in delivering SIEM solutions for customers in healthcare, banking, financial services, telecommunications and public sector. Today Dmitry is actively working with IBM QRadar, the world’s leading security intelligence platform. As a SIEM expert, Dmitry has also participated in the creation of IBM Security QRadar SIEM tests, a part of IBM Professional Certification Program.