February 26, 2015 By Westley McDuffie 3 min read

Security information and event management (SIEM) has long been touted as a single “pane” of glass: with all its infinite wisdom, it will reduce the complexities and give you the certainty you seek. Wartime commanders have long wished for a crystal ball to tell them what their adversaries are doing. During my tenure as an analyst, I learned about the Military Decision-Making Process (MDMP) and Intelligence Preparation of the Battlefield (IPB), and I have come to realize that a single pane of glass is more about you, the analyst, than about the tool.

How to Prep the Battlefield

The cyber battlefield is the latest enclave in the combat area, although it is not prone to the same battlefield conditions. U.S. Department of Defense network and security teams already bring the MDMP and IPB to network operations, and those that do not should. Private companies would also benefit from this approach.

The battlefield is your network, and you must know all of it. Not only does this help you purchase the right defenses, but it aids in troubleshooting and can reduce fraud, waste and abuse by aligning expenses where they are needed. If you cannot explain with certainty what is supposed to be on your network, how can you explain what is not supposed to be on your network? You must also understand the modus operandi of your foes. Moving one step forward, can you even say who your foes are? I do not mean this in general terms, since just about everyone is going to face similar foes in the form of hacktivists, nation-state attackers, corporate attackers and insider threats. However, can you name them?

Far too often, we become bogged down with trying to figure out something that happened via TCPDUMP without looking at everything else around it. Bad guys do not ping and run. By bringing to light your foes’ most likely course of action or most dangerous action, you can start to build your intelligence. These tools help analysts defend their kingdoms. Understanding what you are most likely facing will help you reduce your risk, and by combining that with what you are protecting, you begin to produce real intelligence. Also, be sure to include those initial probes you pass off as nothing, since your foes are watching your reaction.

SIEM is a great tool as long as it is in the hands of competent analysts. It is even better with complete IPB. If not, it is just another layer of nonworking complexity in an existing infrastructure that you already do not understand. This leads to more uncertainty. Having the best tool on the planet will do nothing for your posture if you are a complete moron. I said this as I intended. SIEM is a tool. It is not “the” or “a” solution. Protecting the network and its information is the solution. Your course of action is understanding your foes and their intent. For instance, if I asked you to build me a house, and you showed me a hammer and told me it was the solution, you would not build my house. The hammer in your hand is just one tool, not the whole solution. I need to see blueprints, permits and other tools to determine that you understand.

SIEM as a Tool

This tool provides you with the ability to build your solution. That single pane of glass provides nothing more than indicators to what was reported. With millions of events being processed daily, only a handful are actionable. You can craft those indicators to be a series of events, which reduces the amount of time spent digging into individual noisemakers and gives you more time to watch combined events. There is a time and place for items such as TCPDUMP, but if this is your first step, we are in need of a serious discussion.

A single event from a known bad source is not, by itself, evidence of anything nefarious. Align that source with a brute-force password attack, a known user account or the Tor channels being used, and it tells me this is more than just a brute-force guessing attack and that the items I’m speaking of may be related. Depending on the endpoint receiving the unwanted attention, the adversary could already be layers deep into the network. It is not always what you see that becomes the issue; it’s what you don’t see. SIEM puts this together so that it can be digested and understood.
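The correlation described above, as an added example that is not from the original post: failed logins are grouped per source, and an alert is raised only when a burst of failures coincides with other indicators (a known bad address, a Tor exit, a real account being targeted, a success after the burst). All events, address lists and account names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample authentication events, not real logs:
# (timestamp_seconds, source_ip, target_user, result)
EVENTS = [
    (100, "203.0.113.7", "jsmith", "FAIL"),
    (101, "203.0.113.7", "jsmith", "FAIL"),
    (102, "203.0.113.7", "jsmith", "FAIL"),
    (103, "203.0.113.7", "jsmith", "FAIL"),
    (104, "203.0.113.7", "jsmith", "SUCCESS"),
    (200, "198.51.100.4", "nobody", "FAIL"),
    (201, "198.51.100.4", "nobody", "FAIL"),
    (300, "192.0.2.9", "jsmith", "FAIL"),
]
# Constructed enrichment sets standing in for threat-intel feeds and the
# directory of real accounts (documentation-range addresses only).
KNOWN_BAD = {"203.0.113.7"}
TOR_EXITS = {"203.0.113.7", "198.51.100.4"}
KNOWN_USERS = {"jsmith", "admin"}


def correlate(events, threshold=3, window=60):
    """Group failed logins by source and raise an alert only when a burst
    of failures coincides with other indicators. Score = indicator count,
    so one lone indicator (a bad IP, a few failures) stays low priority."""
    by_src = defaultdict(list)
    for ts, src, user, result in sorted(events):
        by_src[src].append((ts, user, result))
    alerts = []
    for src, rows in by_src.items():
        fails = [(ts, user) for ts, user, res in rows if res == "FAIL"]
        # Burst test: enough failures, all inside one time window.
        if len(fails) < threshold or fails[-1][0] - fails[0][0] > window:
            continue
        ind = ["brute_force"]
        if src in KNOWN_BAD:
            ind.append("known_bad_source")
        if src in TOR_EXITS:
            ind.append("tor_exit")
        if any(user in KNOWN_USERS for _, user in fails):
            ind.append("valid_account_targeted")
        # A success after the burst is the sign the guessing worked.
        if any(res == "SUCCESS" and ts > fails[0][0] for ts, _, res in rows):
            ind.append("success_after_failures")
        alerts.append({"src_ip": src, "failures": len(fails),
                       "indicators": ind, "score": len(ind)})
    return alerts
```

With the sample data, only the source that combines all five indicators produces an alert at the default threshold; lowering the threshold surfaces the Tor source as a low-scoring second alert.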

For the sake of argument, let’s assume all the agents, endpoints and network objects are reporting to your SIEM. It’s great if a consolidation of log files to one central location has been achieved. But now what? It is configured to answer the who, what and how. After the configuration, if you can’t see the who, what and how, what do you see?

One section of data alone does not provide intelligence, nor do two. Even all the data together does not provide intelligence. That’s data; at most, it’s information. Combine it with what your adversaries are trying to do. Intelligence is thinking about the next step in a series of actions that has yet to be revealed, or finding that one item on your battlefield that uncovers potential issues before they happen.
