What can go wrong with SIEM correlation rules?

Complex and intelligent as it may be, any SIEM system can still pose challenges in the long run that are hard to identify upfront.


In some cases, the cause is the SIEM system's correlation rules. Without these rules, the system degrades into a simple security event logger; if the rules are misconfigured, the SIEM may miss an attack or suffer performance problems.

This article discusses four potential problems with correlation rules in the context of IBM® Security QRadar® SIEM.

False positives

Almost any correlation rule can create a false positive (behavior that is flagged as malicious but turns out to be legitimate). For example, a legitimate remote vulnerability scanner owned by the company may look to the SIEM system like an aggressive attacker, so QRadar will generate an offence. Within a short period of time, a single rule that triggers on false positives can create hundreds of alerts. In practice, such rules are often simply disabled, which leaves a gap in detection coverage.

False positives are common with out-of-the-box QRadar rules, so the configuration should be fine-tuned either in-house or by an information security consulting provider.
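The scanner case above, as an added example that is not part of the original article and not QRadar's own rule engine: a toy port-scan correlation rule run over constructed sample events, first untuned and then with the company's scanner excluded. The scanner address 10.0.5.10 and the threshold values are assumptions; in QRadar the allowlist would normally be a reference set that the rule tests with "source IP is not in reference set".

```python
from collections import defaultdict

WINDOW_SECONDS = 60    # correlation window (assumed value)
PORT_THRESHOLD = 20    # distinct destination ports on one host before the rule fires

# Assumed address of the company's own vulnerability scanner. In QRadar this
# allowlist would live in a reference set rather than in code.
AUTHORIZED_SCANNERS = frozenset({"10.0.5.10"})


def build_sample_events():
    """Constructed sample events (not real QRadar data).
    Each event is (timestamp_seconds, src_ip, dst_ip, dst_port)."""
    events = []
    for i in range(30):
        # Company scanner sweeps 30 ports on one host inside one minute.
        events.append((i, "10.0.5.10", "10.0.1.20", 1 + i))
        # External host sweeps the same 30 ports: a real reconnaissance attempt.
        events.append((100 + i, "203.0.113.7", "10.0.1.20", 1 + i))
        # A normal user hits a single port repeatedly; this must never fire.
        events.append((200 + i, "10.0.2.15", "10.0.1.20", 443))
    return events


def port_scan_offences(events, window=WINDOW_SECONDS,
                       threshold=PORT_THRESHOLD,
                       excluded_sources=frozenset()):
    """Toy port-scan correlation rule.

    Fires once per source that touches more than `threshold` distinct
    destination ports on a single host within `window` seconds.
    Returns {src_ip: dst_ip} for every offence raised.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        if src in excluded_sources:
            continue  # tuning: drop known-good scanners before counting
        by_pair[(src, dst)].append((ts, port))

    offences = {}
    for (src, dst), hits in by_pair.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it spans <= window seconds
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct_ports = {port for _, port in hits[start:end + 1]}
            if len(distinct_ports) > threshold:
                offences[src] = dst
                break
    return offences


if __name__ == "__main__":
    events = build_sample_events()
    untuned = port_scan_offences(events)
    tuned = port_scan_offences(events, excluded_sources=AUTHORIZED_SCANNERS)
    print("untuned rule fires on:", sorted(untuned))   # scanner and attacker
    print("tuned rule fires on:  ", sorted(tuned))     # attacker only
```

The untuned rule raises an offence for both the scanner and the external host; the tuned rule keeps the real reconnaissance attempt and drops only the known scanner, which is the outcome you want instead of switching the whole rule off.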

Disabled rules

Out-of-the-box QRadar ships with around 250 rules, and about 60% of them are disabled in a default installation because they are unlikely to apply to every customer's network environment. Security administrators also switch rules off by mistake, or because they generate too many false positives. As a result, you may believe your SIEM is the flagship of your security while in fact you keep missing threats.

Finally, we shouldn't ignore cases where rules are disabled for malicious reasons. Fortunately, such incidents are rare, since cyber criminals would rather delete the event sources themselves.
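A practical check for both the accidental and the malicious case is to snapshot the rule inventory and compare it against a baseline. The following is an added example, not code from the article or from IBM: it works on two constructed snapshots in the shape of the JSON list that QRadar's REST API returns from GET /api/analytics/rules (the field names id, name, enabled, type and owner are assumed here; no network call is made).

```python
import json

# Constructed snapshots (not real QRadar output) of the rule inventory.
BASELINE_JSON = """[
  {"id": 100, "name": "Excessive Firewall Denies", "enabled": true, "type": "EVENT", "owner": "admin"},
  {"id": 101, "name": "Possible Port Scan", "enabled": true, "type": "FLOW", "owner": "admin"},
  {"id": 102, "name": "Login Failures Followed by Success", "enabled": true, "type": "EVENT", "owner": "admin"},
  {"id": 103, "name": "DNS Tunneling Anomaly", "enabled": false, "type": "EVENT", "owner": "admin"}
]"""

CURRENT_JSON = """[
  {"id": 100, "name": "Excessive Firewall Denies", "enabled": true, "type": "EVENT", "owner": "admin"},
  {"id": 101, "name": "Possible Port Scan", "enabled": false, "type": "FLOW", "owner": "jdoe"},
  {"id": 103, "name": "DNS Tunneling Anomaly", "enabled": false, "type": "EVENT", "owner": "admin"}
]"""


def load_rules(raw_json):
    """Parse a snapshot into {rule_id: rule_dict}."""
    return {rule["id"]: rule for rule in json.loads(raw_json)}


def disabled_ratio(rules):
    """Fraction of rules that are switched off in this snapshot."""
    if not rules:
        return 0.0
    return sum(1 for r in rules.values() if not r["enabled"]) / len(rules)


def rule_drift(baseline, current):
    """Compare two snapshots. Returns the names of rules disabled since the
    baseline (with the owner recorded on the rule), rules re-enabled since
    the baseline, and rules that disappeared altogether."""
    newly_disabled = []
    newly_enabled = []
    for rule_id, old in baseline.items():
        new = current.get(rule_id)
        if new is None:
            continue
        if old["enabled"] and not new["enabled"]:
            newly_disabled.append((new["name"], new["owner"]))
        elif not old["enabled"] and new["enabled"]:
            newly_enabled.append(new["name"])
    deleted = [old["name"] for rule_id, old in baseline.items()
               if rule_id not in current]
    return {
        "newly_disabled": sorted(newly_disabled),
        "newly_enabled": sorted(newly_enabled),
        "deleted": sorted(deleted),
    }


if __name__ == "__main__":
    base, cur = load_rules(BASELINE_JSON), load_rules(CURRENT_JSON)
    print(f"disabled now: {disabled_ratio(cur):.0%}")
    for key, names in rule_drift(base, cur).items():
        print(key, names)
```

Run on a schedule, this turns "a rule quietly went off" into a ticket with a name and an owner attached; a rule that was deleted rather than disabled shows up in the same report, which covers the case where someone tampers with the configuration instead of the event sources.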

Insufficient rule customization

For all-round cyber security, every security event should be covered by a set of rules that comply with the company's security policy and the peculiarities of its network. Suppose your company decides to do without an information security consultant and installs out-of-the-box SIEM software. The system's correlation rules will be too general and won't cover all your use cases. To ensure efficient threat detection, the correlation mechanisms must be customized. This task can be assigned to a dedicated security administrator or to a proficient information security vendor. Not only will they identify actual threats, but they will also minimize MTTR (mean time to resolve). In that case, your money will be well spent.

Long rule execution

One of the performance issues a SIEM system may face is time-consuming rule execution. The common cause is that security administrators don't use filtering options to drop irrelevant data from the event pipeline before the expensive tests run. As a result, the rule is applied in full to every event, which slows down the whole system. Timing is everything: long rule execution carries a major risk that some offences are not detected in time. Furthermore, in a chain of correlation rules, one rule that lags behind degrades the execution time of the whole chain.

Fine-tuning is the answer

The problems with SIEM correlation rules described above have a common solution: fine-tuning.

Security software vendors release ever more robust products, promising that their out-of-the-box solutions will cover all your network security needs. Yet every network is unique. Choose the SIEM system that matches most of your requirements, but take the time to choose the right consultant to tailor it.

About the Author: Dmitry Nikolaenya

SIEM department coordinator with more than 10 years of experience delivering SIEM solutions for customers in healthcare, banking, financial services, telecommunications and the public sector. Today Dmitry works actively with IBM QRadar, the world's leading security intelligence platform. As a SIEM expert, Dmitry has also participated in the creation of the IBM Security QRadar SIEM tests that form part of the IBM Professional Certification Program.