Monitoring SIEM Analisi dati Giacomo Lanzi

SIEM monitoring: best practices

Estimated reading time: 6 minutes

As the cybersecurity threat landscape becomes increasingly sophisticated, service providers, such as SOD, need to take additional precautions to protect their customers’ networks. An information management system and monitoring SIEM is an excellent choice in this respect.

This system, in fact, helps mitigate cybersecurity threats from two different angles, all from a single interface . The SIEM monitoring system collects information from multiple sources: network data, threat information feeds, compliance regulations, firewalls, etc. Next, uses that data to power features designed to help IT administrators respond to threat events in real time.

SIEM monitoring Data collection

Advantages of SIEM monitoring

In contrast to individual security control systems such as asset management or network intrusion detection, SIEM allows you to dig deeper into security vulnerabilities by unifying information from various systems – even very and offering unprecedented visibility into events occurring in the system.

SIEM is not a threat detection system in and of itself, but enhances the security tools already in use by providing real-time insights to work from . In particular, SOD uses a Next Gen SIEM in a SOAR ( Security Orchestration, Automation and Response ) which also includes advanced behavioral analysis tools ( UEBA ).

If you put high-quality log files into a SIEM tool, you receive high-quality insights into network security . This information can help improve network security protocols.

Unfortunately, many administrators treat SIEM implementation as a solution to be set up and then forgotten. To experience the full benefits of managing information and security events , you need to implement a set of best practices to optimize your solution, starting with security logging.

The logs of a SIEM

How does security monitoring fit into SIEM implementation best practices ? If you look at the SIEM in its main components, it is a log management system .

All the information that a SIEM tool collects is in the form of logs, or records of events occurring within an organization’s IT infrastructure and network.

Examples of logs collected by SIEM include, but are not limited to: Firewalls, routers, wireless access points, vulnerability reports, partner information, antivirus and antimalware.

However, as SIEM tools have a very broad reach and constantly collect log data from all parts of the system, can be a bit complicated and impractical to implement . SIEM best practices help avoid pain points along the line of operation. This way you use SIEM as effectively as possible right from the start.

SIEM monitoring Data analysis

Best practice

1. Start calmly

The most common mistake made in implementing SIEM monitoring is trying to do too much too soon . Before you even start looking for a SIEM solution, in fact, it is best to define the scope of your SIEM implementation and think about what you want SIEM to do for your network and infrastructure.

We start by isolating the objectives , taking stock of existing security protocols and brainstorming how these protocols fit into the future SIEM implementation. You can also segment anything you want to monitor into groups and define how you want to monitor them. This helps ensure that you have a clear plan for logging.

Once an initial planning has taken place, the SIEM system does not yet have to be implemented across the entire IT infrastructure. It is better to proceed piecemeal.

You should then test the SIEM monitoring solution on a small section of the system to see how it works. Only then are key security vulnerabilities identified that should be addressed immediately and proceed with implementation in subsequent segments.

Setting up SIEM monitoring step by step, rather than running everything right away, will help ensure that logging works in harmony with the rest of the IT section .

2. Think about the requirements

SIEM monitoring can help the company demonstrate compliance with security regulations and audits, but only by knowing what these standards are in advance . Before committing to a SIEM system, you create a list of HIPAA, GDPR, HITECH and any other IT regulations that you need to comply with. The list is then used to compare the required regulations with the solutions that are put into practice.

Not only does this narrow down the list of standards, it will force you to consider how much log data you actually need. Keeping the correct amount to be compliant, also aligns with best practices of SIEM logging and monitoring .

Obviously, the solutions and protocols to follow are not the same for everyone and need to be adapted according to the position of the individual company. For this particular aspect, SOD can help your company both in gathering the information necessary to identify which standards to follow, and in the standards verification once implemented.

3. Fix the correlations

SIEM correlation streamlines its implementation, allowing you to configure the system according to the specific needs of their customers. SIEM works by collecting data from multiple sources and then filtering, analyzing and correlating it to determine if it deserves to be reported as a security alert.

For this it is essential to correlate the rules and set alarm thresholds based on the type of data and their origin . It is important to remember, in fact, that SIEM is designed to find connections between events that would not otherwise be related to each other.

Setting up a SIEM monitoring system is a delicate but fundamental operation to improve the security system for a particular company.

4. Collect data efficiently

Through a SIEM monitoring system it is possible to collect such an amount of data that it could become complicated to manage. It becomes important to choose in a balanced way which data to use in order to optimize the right amount without losing the advantage of having the entire system under control .

Among the data that it is better not to leave out are: Successful permissions and failed attempts, changes to user privileges, application errors and performance problems, opt-in and in general all the actions made by users with administrative privileges.

The following are excluded: information whose collection is illegal, banking information or credit card data, encryption keys, passwords and personal data .

5. Have a plan in case of a detected threat

Choosing the right SIEM solution and employing logging best practices is only part of the job. You need to have an action plan in case of cyber threat .

For the company that relies on a MSSP as SOD, this means making sure that monitoring is only the first part of the service provided. Ideally, SIEM monitoring is the first piece of a well-designed SOAR that puts in place professional operators, alert notifications and a recovery plan in accordance with the type of data put at risk .

In this respect, the SOC as a Service we offer covers most of the eventualities.

SIEM monitoring Data analysis

Conclusions

Monitoring is a fundamental part of the corporate security system and a SIEM is one of the ways to put it into practice. However, we must not stop at the collection of information, we must know how to treat, enrich and analyze it.

SOD offers comprehensive services that implement SIEM monitoring systems. The implementation obviously implies a “calibration” of the systems and of the correlations between the data in order to always offer the most suitable solution.

If you would like more information about our products, do not hesitate to contact us, we will be happy to answer your questions.

Useful links:

ICT Monitoring Service

Next Generation SIEM: where are we?

Share


RSS

More Articles…

Categories …

Tags

RSS Dark Reading:

RSS Full Disclosure

  • CFP ZeroNights 2021 April 10, 2021
    Posted by CFP ZeroNights on Apr 09ZeroNights 2021 CFP is OPEN: Offensive and defensive research (15/30/45min). Submit your talk! # About conference Place: Saint-Petersburg, Russia Date: 30 June Timeslots: 15/30/45 min Site: https://zeronights.org # CFP Timeline CFP start: 1 March CFP end: 15 May CFP page: https://01x.cfp.zeronights.ru/zn2021/ # Conditions: A speaker may deliver either a […]
  • Backdoor.Win32.Small.n / Unauthenticated Remote Command Execution (SYSTEM) April 8, 2021
    Posted by malvuln on Apr 08Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/fb24c3509180f463c9deaf2ee6705062.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Small.n Vulnerability: Unauthenticated Remote Command Execution (SYSTEM) Description: The backdoor malware listens on TCP Port 1337, upon successful connection we get handed a remote shell from the infected host with SYSTEM...
  • [SYSS-2020-032] Open Redirect in Tableau Server (CVE-2021-1629) April 8, 2021
    Posted by Vladimir Bostanov on Apr 08Advisory ID: SYSS-2020-032 Product: Tableau Server Manufacturer: Tableau Software, LLC, a Salesforce Company Affected Version(s): 2019.4-2019.4.17, 2020.1-2020.1.13, 2020.2-2020.2.10, 2020.3-2020.3.6, 2020.4-2020.4.2 Tested Version(s): 2020.2.1 (20202.20.0525.1210) 64-bit Windows Vulnerability Type: URL Redirection to Untrusted Site (CWE-601) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2020-07-29 Solution Date:...
  • Backdoor.Win32.Hupigon.das / Unauthenticated Open Proxy April 8, 2021
    Posted by malvuln on Apr 08Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/7afe56286039faf56d4184c476683340.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Hupigon.das Vulnerability: Unauthenticated Open Proxy Description: The malware drops an hidden executable named "winserv.com" under Windows dir, which accepts TCP connections on port 8080. Afterwards, it connects to a...
  • Trojan.Win32.Hotkeychick.d / Insecure Permissions April 8, 2021
    Posted by malvuln on Apr 08Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/aff493ed1f98ed05c360b462192d2853.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Trojan.Win32.Hotkeychick.d Vulnerability: Insecure Permissions Description: creates an insecure dir named "Sniperscan" under c:\ drive and grants change (C) permissions to the authenticated user group. Standard users can rename the...
  • Trojan-Downloader.Win32.Genome.qiw / Insecure Permissions April 8, 2021
    Posted by malvuln on Apr 08Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/5cddc4647fb1c59f5dc7f414ada7fad4.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Trojan-Downloader.Win32.Genome.qiw Vulnerability: Insecure Permissions Description: Genome.qiw creates an insecure dir named "tmp" under c:\ drive and grants change (C) permissions to the authenticated user group. Standard users can...
  • Trojan-Downloader.Win32.Genome.omht / Insecure Permissions April 8, 2021
    Posted by malvuln on Apr 08Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/01055838361f534ab596b56a19c70fef.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Trojan-Downloader.Win32.Genome.omht Vulnerability: Insecure Permissions Description: Genome.omht creates an insecure dir named "wjmd97" under c:\ drive and grants change (C) permissions to the authenticated user group. Standard users can...
  • Trojan.Win32.Hosts2.yqf / Insecure Permissions April 8, 2021
    Posted by malvuln on Apr 08Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/274a6e846c5a4a2b3281198556e5568b.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Trojan.Win32.Hosts2.yqf Vulnerability: Insecure Permissions Description: Hosts2.yqf creates an insecure dir named "mlekaocYUmaae" under c:\ drive and grants change (C) permissions to the authenticated user group. Standard users can...
  • usd20210005: Privileged File Write in Check Point Identity Agent < R81.018.0000 April 8, 2021
    Posted by Responsible Disclosure via Fulldisclosure on Apr 08### Advisory: Privileged File Write Description =========== The Check Point Identity Agent allows low privileged users to write files to protected locations of the file system. Details ======= Advisory ID: usd-2021-0005 Product: Check Point Identity Agent Affected Version: < R81.018.0000 Vulnerability Type: Symlink Vulnerability Security Risk: High […]
  • CVE-2021-26709 - Multiple Pre-Auth Stack Buffer Overflow in D-Link DSL-320B-D1 ADSL Modem April 8, 2021
    Posted by Gabriele Gristina on Apr 08Multiple Pre-Auth Stack Buffer Overflow in D-Link DSL-320B-D1 ADSL Modem ======== < Table of Contents > ========================================= 0. Overview 1. Details 2. Solution 3. Disclosure Timeline 4. Thanks & Acknowledgements 5. References 6. Credits 7. Legal Notices ======== < 0. Overview > =============================================== Release Date: 7 March 2021 Revision: […]

Customers

Newsletter