February 26, 2015 By Westley McDuffie 3 min read

Security incident and event management (SIEM) has long been touted as a single “pane” of glass. With all its infinite wisdom, it will reduce the complexities and give you the certainty you seek. Wartime commanders have long wished for a crystal ball to tell them what their adversaries are doing. During my tenure as an analyst, I learned about the Military Decision-Making Process (MDMP) and Intelligence Preparation of the Battlefield (IPB), and I have come to realize that a single pane of glass is more about you than it.

How to Prep the Battlefield

The cyber battlefield is the latest enclave in the combat area, although it is not prone to the same battlefield conditions. U.S. Department of Defense network and security teams already bring the MDMP and IPB to network operations, and those that do not should. Private companies would also benefit from this approach.

The battlefield is your network, and you must know all of it. Not only does this help you purchase the right defenses, but it aids in troubleshooting and can reduce fraud, waste and abuse by aligning expenses where they are needed. If you cannot explain with certainty what is supposed to be on your network, how can you explain what is not supposed to be on your network? You must also understand the modus operandi of your foes. Moving one step forward, can you even say who your foes are? I do not mean this in general terms, since just about everyone is going to face similar foes in the form of hacktivists, nation-state attackers, corporate attackers and insider threats. However, can you name them?

Far too often, we become bogged down with trying to figure out something that happened via TCPDUMP without looking at everything else around it. Bad guys do not ping and run. By bringing to light your foes’ most likely course of action or most dangerous action, you can start to build your intelligence. These tools help analysts defend their kingdoms. Understanding what you are most likely facing will help you reduce your risk, and by combining that with what you are protecting, you begin to produce real intelligence. Also, be sure to include those initial probes you pass off as nothing, since your foes are watching your reaction.

SIEM is a great tool as long as it is in the hands of competent analysts. It is even better with complete IPB. If not, it is just another layer of nonworking complexity in an existing infrastructure that you already do not understand. This leads to more uncertainty. Having the best tool on the planet will do nothing for your posture if you are a complete moron. I said this as I intended. SIEM is a tool. It is not “the” or “a” solution. Protecting the network and its information is the solution. Your course of action is understanding your foes and their intent. For instance, if I asked you to build me a house, and you showed me a hammer and told me it was the solution, you would not build my house. The hammer in your hand is just one tool, not the whole solution. I need to see blueprints, permits and other tools to determine that you understand.

SIEM as a Tool

This tool provides you with the ability to build your solution. That single pane of glass provides nothing more than indicators to what was reported. With millions of events being processed daily, only a handful are actionable. You can craft those indicators to be a series of events, which reduces the amount of time spent digging into individual noisemakers and gives you more time to watch combined events. There is a time and place for items such as TCPDUMP, but if this is your first step, we are in need of a serious discussion.

A single event from a known bad actor does not, on its own, amount to something nefarious. By aligning that source with a brute-force password attack, a known user account or the Tor channels being used, it tells me this is more than just a brute-force guessing attack and that the items I’m speaking of may have relationships. Depending on the endpoint receiving the unwanted attention, the adversary could already be layers deep into the network. It is not always what you see that becomes the issue — it’s what you don’t see. SIEM puts this together so that it can be digested and understood.
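As an added illustration of the correlation described in the two paragraphs above (this is not code from the article or from IBM), here is a small Python correlation rule run over constructed auth log lines: a brute-force burst by itself scores low, while the same burst from a source that is also on a threat-intel list and a Tor exit list, aimed at a watched account and followed by a success, scores high. The log format, feeds and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (not from the article); syslog-style key=value events.
SAMPLE_LOGS = """\
2015-02-26T10:00:01 auth src=198.51.100.7 user=jsmith result=FAIL
2015-02-26T10:00:04 auth src=198.51.100.7 user=jsmith result=FAIL
2015-02-26T10:00:09 auth src=198.51.100.7 user=jsmith result=FAIL
2015-02-26T10:00:15 auth src=198.51.100.7 user=jsmith result=FAIL
2015-02-26T10:00:21 auth src=198.51.100.7 user=jsmith result=SUCCESS
2015-02-26T10:03:00 auth src=203.0.113.9 user=admin result=FAIL
2015-02-26T10:45:00 auth src=203.0.113.9 user=admin result=FAIL
2015-02-26T11:00:00 auth src=192.0.2.44 user=bob result=SUCCESS
"""

# Placeholder context feeds (assumed); in a real SIEM these come from threat intel and a Tor exit list.
KNOWN_BAD_ACTORS = {"198.51.100.7"}
TOR_EXIT_NODES = {"198.51.100.7"}
WATCHED_ACCOUNTS = {"jsmith", "admin"}
WINDOW = timedelta(minutes=5)   # brute-force detection window (assumed)
FAIL_THRESHOLD = 3              # failures inside WINDOW that count as a burst (assumed)

def parse(line):
    """Parse one 'timestamp auth k=v k=v ...' line into a dict with a datetime ts."""
    ts, _, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def correlate(log_text):
    """Return findings for each (src, user) pair with a failure burst, enriched and scored."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["user"])].append(e)
    findings = []
    for (src, user), evs in by_pair.items():
        fails = sorted(e["ts"] for e in evs if e["result"] == "FAIL")
        # Sliding window: any FAIL_THRESHOLD consecutive failures within WINDOW?
        burst = any(fails[i + FAIL_THRESHOLD - 1] - fails[i] <= WINDOW
                    for i in range(len(fails) - FAIL_THRESHOLD + 1))
        if not burst:
            continue
        ctx = {"known_bad": src in KNOWN_BAD_ACTORS, "tor": src in TOR_EXIT_NODES,
               "watched_account": user in WATCHED_ACCOUNTS,
               "success_after_failures": any(e["result"] == "SUCCESS" and e["ts"] > fails[-1] for e in evs)}
        score = 1 + sum(ctx.values()) + ctx["success_after_failures"]  # success after a burst weighs double
        findings.append({"src": src, "user": user, "failures": len(fails), "score": score, **ctx})
    return sorted(findings, key=lambda f: -f["score"])
```

Tune WINDOW and FAIL_THRESHOLD to the authentication volume of your own network; the point is that the combined score, not any single indicator, is what reaches an analyst.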

For the sake of argument, let’s assume all the agents, endpoints and network objects are reporting to your SIEM. It’s great if a consolidation of log files to one central location has been achieved. But now what? It is configured to answer the who, what and how. After the configuration, if you can’t see the who, what and how, what do you see?

One section of data alone does not provide intelligence, nor do two. Even all the data together does not provide intelligence. That’s data; at most, it’s information. Combine that with what your adversaries are trying to do. Intelligence is thinking about the next step in a series of actions that has yet to be revealed, or finding that one item on your battlefield that uncovers potential issues before they happen.
