What Can Go Wrong with SIEM Correlation Rules?

Complex and intelligent, any SIEM system may still pose some challenges in the long run, which are hardly identifiable upfront.

In some cases, it’s down to the SIEM system’s correlation rules. Without these rules, the system mutates into a simple security event logger. If these rules are misconfigured, SIEM system may miss an attack or experience performance problems.

The article discusses four potential problems with correlation rules in the context of IBM® Security QRadar® SIEM.

SIEM correlation rules

False positives

Almost any correlation rule can create a false positive (any behavior that is identified as malicious but proves to be not). For example, a legitimate remote vulnerability scanner belonging to the company may look to the SIEM system as an aggressive attacker, so consequently QRadar will generate an incident. Within a short period of time, a single rule triggering false positives may create hundreds of alerts. In practice, such rules are often disabled, which increases SIEM vulnerability.

Usually, false positive triggering is inherent to the out-of-the-box QRadar SIEM, therefore its configurations should be fine-tuned either in-house or by SIEM consultants.

Disabled rules

Out-of-the-box QRadar contains about 250 rules. 60% of them get disabled in a default installation because these rules are less likely to be applicable to a customer’s network environment. Sometimes, security administrators switch off rules by mistake, or because they generate a lot of false positives. As a result, while thinking that your SIEM system is a security flagman, in fact, you keep missing threats.

Finally, we shouldn’t ignore the cases when rules are disabled for malicious reasons. Fortunately, such security offences are scarce, since cybercriminals would rather delete event sources.

Insufficient rule customization

For 360° cybersecurity, every security event should be covered by a set of rules that should comply with the company’s security policy and network peculiarities. Suppose your company decided to do without information security consultant and install an out-of-the-box SIEM software. The system’s correlation rules will be too general and won’t cover all the use cases. To ensure efficient threat detection, one should customize correlation mechanisms. This task may be allocated to a specially assigned security administrator or a proficient information security vendor. Not only will they identify actual threats, but also minimize MTTR (mean time to removal). In this case, your money will be well spent.

Long rule execution

One of the performance issues that your SIEM system may face is time-consuming rule execution. The common reason for that is when security administrators don’t use filtering options to drop any irrelevant data from the event pipeline. As a result, the rule will be applied to every event, which will slow down the security system performance. Timing is everything. Long rule execution entails a major risk of some offences not being detected timely. Furthermore, in a chain of correlation rules, a rule that lags behind will negatively affect the overall time of rule execution.

Fine-tuning is the answer

The problems with SIEM correlation rules stated above have a common solution – fine-tuning.

Security software vendors release more and more robust products, promising that their out-of-the-box solutions will cover all your network security needs. Yet, every network is unique. Choose the SIEM system matching most of your requirements, but take a time to choose the right consultant to tailor it.