The Endless Quest for Certainty Through SIEM

February 26, 2015
| |
3 min read

Security incident and event management (SIEM) has long been touted as a single “pane” of glass. With all its infinite wisdom, it will reduce the complexities and give you the certainty you seek. Wartime commanders have long wished for a crystal ball to tell them what their adversaries are doing. During my tenure as an analyst, I learned about the Military Decision-Making Process (MDMP) and Intelligence Preparation of the Battlefield (IPB), and I have come to realize that a single pane of glass is more about you than it.

How to Prep the Battlefield

The cyber battlefield is the latest enclave in the combat area, although it is not prone to the same battlefield conditions. U.S. Department of Defense network and security teams already bring the MDMP and IPB to network operations, and those that do not should. Private companies would also benefit from this approach.

The battlefield is your network, and you must know all of it. Not only does this help you purchase the right defenses, but it aids in troubleshooting and can reduce fraud, waste and abuse by aligning expenses where they are needed. If you cannot explain with certainty what is supposed to be on your network, how can you explain what is not supposed to be on your network? You must also understand the modus operandi of your foes. Moving one step forward, can you even say who your foes are? I do not mean this in general terms, since just about everyone is going to face similar foes in the form of hacktivists, nation-state attackers, corporate attackers and insider threats. However, can you name them?

Far too often, we become bogged down with trying to figure out something that happened via TCPDUMP without looking at everything else around it. Bad guys do not ping and run. By bringing to light your foes’ most likely course of action or most dangerous action, you can start to build your intelligence. These tools help analysts defend their kingdoms. Understanding what you are most likely facing will help you reduce your risk, and by combining that with what you are protecting, you begin to produce real intelligence. Also, be sure to include those initial probes you pass off as nothing, since your foes are watching your reaction.

SIEM is a great tool as long as it is in the hands of competent analysts. It is even better with complete IPB. If not, it is just another layer of nonworking complexity in an existing infrastructure that you already do not understand. This leads to more uncertainty. Having the best tool on the planet will do nothing for your posture if you are a complete moron. I said this as I intended. SIEM is a tool. It is not “the” or “a” solution. Protecting the network and its information is the solution. Your course of action is understanding your foes and their intent. For instance, if I asked you to build me a house, and you showed me a hammer and told me it was the solution, you would not build my house. The hammer in your hand is just one tool, not the whole solution. I need to see blueprints, permits and other tools to determine that you understand.

SIEM as a Tool

This tool provides you with the ability to build your solution. That single pane of glass provides nothing more than indicators to what was reported. With millions of events being processed daily, only a handful are actionable. You can craft those indicators to be a series of events, which reduces the amount of time spent digging into individual noisemakers and gives you more time to watch combined events. There is a time and place for items such as TCPDUMP, but if this is your first step, we are in need of a serious discussion.

An individual source of a known bad actor does not consist of something that could be nefarious. By aligning this source with a brute-force password attack, a known user account or the Tor channels being used, it tells me this is more than just a brute-force guessing attack and that the items I’m speaking of may have relationships. Depending on the endpoint receiving the unwanted attention, the adversary could already be layers deep into the network. It is not always what you see that becomes the issue — it’s what you don’t see. SIEM puts this together so that it can be digested and understood.

For the sake of argument, let’s assume all the agents, endpoints and network objects are reporting to your SIEM. It’s great if a consolidation of log files to one central location has been achieved. But now what? It is configured to answer the who, what and how. After the configuration, if you can’t see the who, what and how, what do you see?

One section of data alone does not provide intelligence, nor does two. All the data together does not provide intelligence. That’s data; at most, it’s information. Combine that with what your adversaries are trying to do. Intelligence is thinking about the next step in a series of actions that has yet to be revealed or finding that one item on your battlefield that uncovers potential issues before they happen.

Image Source: iStock

Westley McDuffie
Security Evangelist, IBM

Westley McDuffie has over 20 years' experience in Military-oriented analysis, network infrastructure and information security, mixed in with 10 years of clas...
read more