Comments on TaoSecurity Blog: Security Event Correlation: Looking Back, Part 3
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Comment feed last updated 2023-10-16 06:06 (-04:00); 7 comments, newest first.

Anonymous, 2008-11-03 08:51 (-05:00)

It's probably worth differentiating a SIEM from the concept of "correlation." Nobody would argue that an organization with hundreds or thousands of event sources needs some place to dump them all, normalize them, and start to deal with them. As "Anonymous@10:55" said, there's value in simply being able to apply basic rules across a variety of normalized log types. In this sense, I think a SIEM is a necessary component of a SOC... Most of these SIEMs will of course feature correlation, the value of which remains to be proven. We shouldn't rule SIEMs as guilty by association merely because they have features of dubious value.

Anonymous, 2008-10-28 17:29 (-04:00)

I always find it amusing when SIEM vendors talk about their GUI rule builders that allow non-technical people to write rules.

IMO, correlation outside of a few thousand very large companies that can afford armies of people who understand the attack surface in depth and can tune and maintain the rule sets is a pipe dream.

SIEM is very good in the compliance case, good for analytics and reasonable for automating a few hundred basic conditions -- like 50 failed logins from a single IP -- but beyond that the complexity of correlation far exceeds the benefit.

Anonymous, 2008-10-28 07:35 (-04:00)

It reminds me of when one of my (former) colleagues complained about the fact that the SIEM was showing way too many "red lights". The consultant in charge of the SIEM had a very blunt answer: "You need to put some intelligence into these devices". The SIEM does not know if an SQL XP Command is coming from a DBA computer or from the DMZ. A human needs to feed this information into the SIEM.

Richard is right: he is not saying that a SIEM is bad, but rather that it is just not correctly understood. I can see this with my managers, who do not know what a Win Null Session is, but play all day long with terms such as "deep" and "end-to-end" correlation.

Anonymous, 2008-10-27 22:55 (-04:00)

Anonymous @3:04 PM

The first scenarios are all very basic scenarios that any SIEM can handle.

Anonymous @4:07 PM

Practically every SIEM nowadays integrates vulnerability data and allows for asset categorization (depending on business value).

I'm not saying that SIEMs are the solution to everything, I'm just interested in how you deal with the above scenarios without a SIEM across all the different devices, etc.

One of the key benefits of the SIEM is that although the above correlation is very simple (and you should be able to do some more sophisticated correlations), you can apply them regardless of the device (e.g. syslog, Windows events, Checkpoint firewall, whatever IPS you have, etc.)

PS. I'm currently in the evaluation stage but have run some PoCs.

Anonymous, 2008-10-27 16:07 (-04:00)

80% of SIEMs were purchased for compliance reasons. ;)
Probably the other 20% were purchased to help SOC/IDS/IPS. And the point is this: if a company cannot manage to figure out an IDS, how does it think that it can figure out a SIEM?
A SIEM without network and asset modeling and categorization, and w/o vulnerability data, is going to produce even more false positives than a misconfigured IDS.

I am wondering when McAfee is going to buy Arcsight. ;)

Anonymous, 2008-10-27 15:04 (-04:00)

I am sorry, but these "scenarios" feel like they are coming right off the marketing glossies, written by someone who SOLD, but never USED, a SIEM....

Anonymous, 2008-10-26 14:29 (-04:00)

Hi Richard,

How about three very simple scenarios that show that a SIEM might be useful?

Scenario 1:

* Your IDS picks up a buffer overflow attack on a Windows machine (at this point, you're not sure if the exploit was successful or not)
* Your Windows machine forwards a Windows event that indicates an admin account was added
* Your certainty goes up to 99% that the machine has been compromised

Scenario 2:

* A lot of failed logins followed by a successful login, all from the same IP.
* The above is definitely worth investigating if it's past a certain threshold. An admin looking through the logs might not notice this if there are other events between the logs. Of course, you might be able to detect this using something like swatch, but can swatch understand the un-normalized logins from 100s of different devices?

Scenario 3:

* A low and slow brute-force password attack on a key server.
* There's a good chance that you wouldn't notice it unless a SIEM started elevating its importance, and you could take action before the attacker guessed the right password.

There are other useful scenarios. I think the problem isn't so much that the SIEM isn't worthwhile, it's just that you should understand the rules that it's applying and perhaps write your own to get more out of it.

HTH
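As an added illustration (not from any commenter or from the blog), here is Scenario 2 from the last comment expressed as a single rule over events normalized from two different log formats, which is exactly the "un-normalized logins from 100s of devices" problem the commenter raises. The two line formats and all log lines are constructed for this example; the only real identifiers are Windows event IDs 4624 (logon success) and 4625 (logon failure).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Two constructed source formats. Both are mapped to one event shape
# (timestamp, source IP, success?) so that a single rule covers both.
SSH_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password .* from (?P<ip>\S+)")
WIN_RE = re.compile(r"^(?P<ts>\S+) WinEvent EventID=(?P<id>4624|4625) SourceIP=(?P<ip>\S+)")

def normalize(line):
    """Map a raw line to (timestamp, src_ip, success) or None if no parser matches."""
    m = SSH_RE.match(line)
    if m:
        return datetime.fromisoformat(m["ts"]), m["ip"], m["result"] == "Accepted"
    m = WIN_RE.match(line)
    if m:
        # 4624 is a successful logon, 4625 a failed logon (real Windows event IDs)
        return datetime.fromisoformat(m["ts"]), m["ip"], m["id"] == "4624"
    return None

def failed_then_success(lines, threshold=5, window=timedelta(minutes=10)):
    """Scenario 2: at least `threshold` failures from one IP inside `window`,
    followed by a success from that IP. Returns [(ip, failure_count, success_ts)]."""
    events = sorted(e for e in map(normalize, lines) if e is not None)
    failures = defaultdict(list)   # ip -> timestamps of failures still inside the window
    alerts = []
    for ts, ip, success in events:
        recent = [t for t in failures[ip] if ts - t <= window]
        if success:
            if len(recent) >= threshold:
                alerts.append((ip, len(recent), ts))
            failures[ip] = []          # a success ends the sequence for that IP
        else:
            recent.append(ts)
            failures[ip] = recent
    return alerts

SAMPLE_LOGS = [  # constructed sample; unrelated events are interleaved on purpose
    "2008-10-26T14:00:01 sshd: Failed password for root from 203.0.113.7 port 4001",
    "2008-10-26T14:00:03 sshd: Accepted password for alice from 198.51.100.2 port 5100",
    "2008-10-26T14:00:05 WinEvent EventID=4625 SourceIP=203.0.113.7",
    "2008-10-26T14:00:09 sshd: Failed password for admin from 203.0.113.7 port 4002",
    "2008-10-26T14:00:14 WinEvent EventID=4625 SourceIP=203.0.113.7",
    "2008-10-26T14:00:20 sshd: Failed password for bob from 203.0.113.7 port 4003",
    "2008-10-26T14:00:21 appliance: some line that no parser recognises",
    "2008-10-26T14:00:30 WinEvent EventID=4624 SourceIP=203.0.113.7",
]

if __name__ == "__main__":
    for ip, n, ts in failed_then_success(SAMPLE_LOGS):
        print(f"ALERT: {n} failed logins then a success from {ip} at {ts:%H:%M:%S}")
```

The same function with a low threshold and a window of hours or days is the shape of the Scenario 3 "low and slow" rule; the rule logic does not change, only its parameters.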