Zero to SIEM in Seconds Part 3: Investigate in Seconds

Investigate in Seconds is Part 3 in the “Zero to SIEM in Seconds” blog series. In Parts 1 and 2 of the series we covered Operationalize in Seconds and Detect in Seconds. To operationalize your SIEM, it must work in complex hybrid-cloud and geographically dispersed environments, automatically ingest and interpret any data source, scale predictably, and lower your management and storage costs. To improve your Mean-time-to-Detect (MTTD), the SIEM must detect known threats out-of-the-box, identify new variants and unknown threats, and reconstruct the entire attack campaign. Forcing security teams to manually figure out which events are relevant, or to determine whether an attack is already underway, is simply too late to prevent a breach.

In this third blog in the series, we will focus on what is required to accelerate the investigation of threats: gathering context, validating which events are part of an attack campaign, and establishing the risk to the organization. This is also the stage where security teams spend the most manual effort, disqualifying events that do not belong and building an accurate kill chain so that the response can be targeted and prioritized.

Correlation of Alerts Does Not Provide Accuracy

Most SIEMs and Security Analytics platforms simply correlate attack stages, raising the risk level as more stages are matched. What this means in practice is that they surface an indicator of compromise for each attack stage, or for whichever data source triggered an event, but it is left to the analyst to determine whether a given set of alerts is relevant to the attack. The analyst must therefore not only gather the right context to decide whether there is an attack at all, but also decide which of the correlated events are false positives that need to be removed from the chain.

Most solutions are incapable of doing more than simple correlation of different event triggers. What is needed is the ability to chain analytical models together, so that the platform not only knows that a specific rule or condition indicating a threat has fired, but also understands the relationships between the events as they form an attack chain. This is where model chaining, combined with link chain analysis, accelerates investigation: it reduces false positives and supplies the context needed to confirm a true positive.

Another obstacle to validating a true positive is that many SIEM analytics do not classify ALL of the event types being received, which forces analysts back to manual searches.

This slows down the whole investigation process regardless of a vendor’s search capability. Features like natural language search can help, but search in general becomes more challenging for SIEMs that cannot run a single query across multi-cloud or federated deployments.

Static Correlation Rules and Manual Pipelines Rely on User Intervention

Most SIEMs, regardless of whether they sell or bundle rules for threat detection, still require the security team, especially in larger organizations, to customize their detection rules. The most useful rules, however, tend to be written after a breach has already been detected by other means, which is too late for anything except catching follow-on or repeat attacks.

The key is to identify outlier alerts that are atypical, rare, or can be classified as more severe. This is where UEBA is useful: it produces alerts that traditional security analytics would not trigger. However, as mentioned in Part 2, UEBA only reduces the noise and validates an advanced attack when it is chained to the other analytics and events rather than run in isolation.

Rule-based “machine learning” suffers from only being able to identify known or previously seen threats. Trained machine learning, where the models and their associated rules actually adapt over time, can deliver better accuracy, including richer context that accelerates investigations and reduces manual searches.

Manually Piecing Together Event Context Slows Investigation Time Leading to Delays and Missed Attacks

Most SIEMs correlate events only across the data sources they understand, and they do so by matching IP addresses and timestamps to suggest that events may be related. This leaves the security team to fill in the gaps: hunting for additional data sources, logging into those systems, and working out whether their records could be related. The next step is determining whether the correlated events are actually related to each other, i.e. part of a single attack campaign. This often requires an experienced security analyst who has “been there and done that” to judge whether the events presented are part of the attack chain or need to be discarded. No one wants to build and execute a response against a system that is unrelated to the attack and could cause further business disruption.

While many SIEMs attach a risk score to an event, in most cases these scores are of little use. They are typically aggregated and averaged from external threat intelligence, such as the CVSS score of a CVE or the severity assigned to a malware family. Those are generic severity ratings for a vulnerability or piece of malware, not ratings of risk to your organization. Is a high score meaningful if it is based on malware targeting an iPad that a remote worker used for a single five-minute login?

Risk scoring that is derived from the associated analytics gives a better picture of the risk to your specific environment, because it combines multiple factors, such as the assets and accounts involved and how far the attack has progressed, with the severity of the vulnerability or malware.
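As an added illustration of the two points above (entity-based chaining instead of IP-plus-timestamp correlation, and contextual risk scoring instead of an averaged CVSS), here is a small Python example. It is not code from this post or from Gurucul's product: the alerts, the kill-chain stage labels, the asset-criticality weights and the scoring formula are all constructed for the example. It links alerts from different sources that share a user or host within a time window, drops alerts nothing links to, and scores each chain both the naive way and with environment context.

```python
"""Entity-linked alert chaining with contextual risk scoring (illustrative only)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Ordered kill-chain stages. Labels are an assumption for this example.
STAGES = ["initial_access", "credential_access", "lateral_movement", "exfiltration"]

# Constructed sample alerts, not real logs. "severity" is a CVSS-style 0-10 rating
# as a vendor feed would supply it; the entity fields come from each source.
ALERTS = [
    {"id": "a1", "src": "vpn",   "ts": "2024-05-01T08:00:00", "stage": "initial_access",
     "severity": 4.0, "user": "jdoe", "host": "LAPTOP-17", "ip": "10.0.0.5"},
    {"id": "a2", "src": "edr",   "ts": "2024-05-01T08:12:00", "stage": "credential_access",
     "severity": 6.5, "user": "jdoe", "host": "LAPTOP-17", "ip": "10.0.0.5"},
    {"id": "a3", "src": "ad",    "ts": "2024-05-01T08:40:00", "stage": "lateral_movement",
     "severity": 5.0, "user": "jdoe", "host": "DC-01", "ip": "10.0.0.5"},
    {"id": "a4", "src": "proxy", "ts": "2024-05-01T09:05:00", "stage": "exfiltration",
     "severity": 5.5, "user": "jdoe", "host": "DC-01", "ip": "10.0.0.5"},
    # The iPad case from the text: one high-CVSS malware alert that nothing else touches.
    {"id": "a5", "src": "mdm",   "ts": "2024-05-01T08:05:00", "stage": "initial_access",
     "severity": 9.8, "user": "rsmith", "host": "IPAD-042", "ip": "203.0.113.9"},
]

# Asset criticality multipliers; assumed to come from a CMDB in a real deployment.
ASSET_WEIGHT = {"DC-01": 3.0, "LAPTOP-17": 1.0, "IPAD-042": 0.5}
WINDOW = timedelta(hours=24)


def _ts(alert):
    return datetime.fromisoformat(alert["ts"])


def link_chains(alerts, window=WINDOW, keys=("user", "host")):
    """Group alerts that share a user or host and fall within `window` of each other.

    A shared IP alone is deliberately not a join key: NAT and DHCP reuse make it the
    weakest link, which is exactly the IP-plus-timestamp correlation criticized above.
    """
    parent = {a["id"]: a["id"] for a in alerts}  # union-find over alert ids

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_entity = defaultdict(list)
    for a in alerts:
        for k in keys:
            by_entity[(k, a[k])].append(a)
    for group in by_entity.values():
        group.sort(key=_ts)
        for prev, cur in zip(group, group[1:]):
            if _ts(cur) - _ts(prev) <= window:
                parent[find(prev["id"])] = find(cur["id"])

    chains = defaultdict(list)
    for a in alerts:
        chains[find(a["id"])].append(a)
    return [sorted(c, key=_ts) for c in chains.values()]


def naive_score(chain):
    """What the text criticizes: average the feed severity of the correlated alerts."""
    return sum(a["severity"] for a in chain) / len(chain)


def contextual_score(chain):
    """Score on kill-chain coverage, the most critical asset touched and peak severity."""
    coverage = len({a["stage"] for a in chain}) / len(STAGES)  # fraction of stages seen
    asset = max(ASSET_WEIGHT.get(a["host"], 1.0) for a in chain)
    peak = max(a["severity"] for a in chain) / 10.0
    return round(min(100.0, 100.0 * coverage * asset * peak), 1)


def triage(alerts, min_len=2):
    """Return (chains worth investigating, ids of unlinked alerts set aside)."""
    kept, dropped = [], []
    for chain in link_chains(alerts):
        if len(chain) < min_len:
            dropped.extend(a["id"] for a in chain)
            continue
        kept.append({"ids": [a["id"] for a in chain],
                     "naive": round(naive_score(chain), 2),
                     "contextual": contextual_score(chain)})
    kept.sort(key=lambda c: -c["contextual"])
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = triage(ALERTS)
    for c in kept:
        print(f"chain {c['ids']}: naive={c['naive']} contextual={c['contextual']}")
    print("unlinked, set aside:", dropped)
```

On the constructed input the four-alert chain on the domain controller averages to a naive score of 5.25, below the lone 9.8 iPad alert, while the contextual score ranks the chain at the top and sets the iPad alert aside as unlinked. The weights and formula are placeholders; the point is that the score is computed from the chain and the assets it touches, not copied from a feed.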

Putting It All Together to Reduce Investigation Time

Going beyond traditional correlation and using link chain analysis is critical to removing the ambiguity about whether an event is truly part of an attack campaign. This cross-validation, together with the unification of all relevant context in one place, provides the confirmation of an attack campaign that the response process depends on.

In order to accelerate investigation time and remove manual efforts that can slow the validation of the attack, Gurucul Next Generation SIEM offers a solution that goes beyond traditional analytics. Gurucul Next-Gen SIEM provides link chain analysis that cross-validates advanced threats, gathers all the necessary context into a single console, and eliminates the events that are unrelated to the attack.

About The Author

Sanjay Raja, VP Product Marketing and Solutions, Gurucul

Sanjay brings over 20 years of experience in building, marketing and selling cyber security and networking solutions to enterprises, medium-to-small businesses, and managed service providers. Previously, Sanjay was VP of Marketing at Prevailion, a cyber intelligence startup. Sanjay has also held several leadership roles in Marketing, Product Strategy, Alliances and Engineering at Digital Defense (acquired by Help Systems), Lumeta (acquired by Firemon), RSA (Netwitness), Cisco Systems, HP Enterprise Security, Crossbeam Systems, Arbor Networks, Top Layer Networks, Caw Networks (acquired by Spirent Communications), Nexsi Systems, 3Com, and Cabletron Systems. Sanjay holds a B.S.EE and an MBA from Worcester Polytechnic Institute. Sanjay is also a CISSP and is Pragmatic Marketing certified.

Learn More About Gurucul Next Generation SIEM

To learn more about how Gurucul Next Gen SIEM can help you reduce investigation time to seconds: