SIEM: You’re Doing it Wrong

Security Information and Event Management (SIEM) is not specifically mentioned in the CompTIA Security+ Exam Objectives. However, the components of a network’s security infrastructure that feed a SIEM are specifically mentioned in CompTIA Security+ Exam Objective 1.0, “Network Security”. Where SIEM fits into the security construct is as the aggregation point for all syslog (and similar log) traffic coming from any configured device. Intrusion detection and prevention systems, firewalls, domain controllers, core switches, VPN concentrators and many other devices can feed the SIEM. With that being said, SIEM is passive: it relies solely on the input of those configured devices and on their verbosity (log level) settings. SIEM does offer near-real-time alerts and provides a single touch point for monitoring analysts and contracted security service providers. The reason I use the words “near-real time” and not “real-time” is that I believe “real-time” to be a misnomer here. Everyone is looking for that magical blinking red light and alarm to signify an attack in progress. Anything that requires a log to be shipped, a rule-set threshold to be crossed and a notification to be sent to a monitoring analyst is not real-time. In fact, nothing could be more reactive. So SIEM, by its design, is passive, but that should not take away from the capability SIEM provides.

Where most people get SIEM wrong is in the belief that it is an active protection system. That is what an intrusion detection or prevention system and a firewall are for. It is fair to say that a SIEM by itself does not protect a network. If configured properly to receive logs from a web filter or domain controller, it can be used to identify traffic to malicious hosts or to alert when a user has downloaded a non-permitted executable file. From that point a network admin can isolate the system to prevent malware from spreading, or reconfigure existing security systems to block the activity that triggered the SIEM alert. The important takeaway is that the SIEM is not going to do that for you. Also, remember the input-based nature of SIEM. If a device isn’t sending logs, if its verbosity setting isn’t quite right (for example, a firewall logging only denied connections and not allowed ones, or a domain controller whose audit policy does not record failed logons), or if a threat agent circumvents a firewall or other protective measure, then the SIEM will not see the event and will not generate a notification. SIEM is also not intelligent and cannot make up for shortcomings in configuration. If the rules and thresholds are written to see Y and Z but not X, then anything falling in the X category will go unnoticed.
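To make the input-based, rule-driven nature of a SIEM concrete, here is a toy version of the pipeline described in the two paragraphs above: raw syslog lines from a firewall, a domain controller and a web proxy are normalized, then a failed-logon threshold rule, a malicious-host blocklist and a non-permitted-executable rule run over them. This is an added example written for this page, not code from the article or from any SIEM product; the log lines, hostnames, addresses, blocklist and log year are constructed assumptions. It also shows the two blind spots the text warns about: a line from a source nobody onboarded (a DNS server) is dropped before any rule sees it, and a script download that matches neither rule passes silently.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in BSD-syslog style (hypothetical hosts and addresses).
SAMPLE_SYSLOG = """\
Mar  3 10:00:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=22
Mar  3 10:00:05 dc01 Security: EventID=4625 Account=jsmith SrcIP=10.0.0.42
Mar  3 10:00:07 dc01 Security: EventID=4625 Account=jsmith SrcIP=10.0.0.42
Mar  3 10:00:09 dc01 Security: EventID=4625 Account=jsmith SrcIP=10.0.0.42
Mar  3 10:00:12 dc01 Security: EventID=4625 Account=jsmith SrcIP=10.0.0.42
Mar  3 10:00:14 dc01 Security: EventID=4625 Account=jsmith SrcIP=10.0.0.42
Mar  3 10:00:20 proxy01 squid: 10.0.0.42 GET http://bad.example.net/update.exe 200
Mar  3 10:00:25 proxy01 squid: 10.0.0.17 GET http://files.example.org/tool.exe 200
Mar  3 10:00:30 proxy01 squid: 10.0.0.17 GET http://files.example.org/readme.txt 200
Mar  3 10:00:35 proxy01 squid: 10.0.0.17 GET http://cdn.example.com/stage.ps1 200
Mar  3 10:00:40 dns01 named: query: bad.example.net IN A from 10.0.0.17
"""

BLOCKLIST = {"bad.example.net"}              # assumed threat-intel feed
EXEC_EXTENSIONS = (".exe", ".msi", ".dll")   # the rule only knows these ("Y and Z")
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(seconds=60)
LOG_YEAR = 2024                              # BSD syslog omits the year; assumed here

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+): (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
URL_HOST_RE = re.compile(r"^\w+://([^/]+)")


def parse_line(line):
    """Normalize one syslog line into a dict, or None if no parser is configured for it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts_text, host, program, msg = m.groups()
    ts = datetime.strptime(f"{LOG_YEAR} {ts_text}", "%Y %b %d %H:%M:%S")
    event = {"ts": ts, "host": host, "program": program}
    if program == "Security":        # domain controller audit log
        event.update(KV_RE.findall(msg))
        event["type"] = "logon"
    elif program == "squid":         # web filter / proxy access log
        pm = PROXY_RE.match(msg)
        if not pm:
            return None
        event.update(zip(("client", "method", "url", "status"), pm.groups()))
        event["type"] = "web"
    elif program == "kernel":        # firewall
        event.update(KV_RE.findall(msg))
        event["type"] = "firewall"
    else:
        return None                  # source never onboarded: invisible to every rule
    return event


def detect(events):
    """Apply the threshold and match rules in time order; return the alert list."""
    alerts = []
    failures = defaultdict(deque)    # account -> timestamps of recent failed logons
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "logon" and ev.get("EventID") == "4625":
            q = failures[ev["Account"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > FAILED_LOGON_WINDOW:
                q.popleft()          # slide the window
            if len(q) == FAILED_LOGON_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append({"rule": "failed_logon_threshold", "ts": ev["ts"],
                               "account": ev["Account"], "src": ev.get("SrcIP")})
        elif ev["type"] == "web":
            hm = URL_HOST_RE.match(ev["url"])
            host = hm.group(1).lower() if hm else ""
            if host in BLOCKLIST:
                alerts.append({"rule": "blocklisted_host", "ts": ev["ts"],
                               "client": ev["client"], "host": host})
            if ev["url"].lower().endswith(EXEC_EXTENSIONS):
                alerts.append({"rule": "executable_download", "ts": ev["ts"],
                               "client": ev["client"], "url": ev["url"]})
    return alerts


def run_pipeline(text):
    """Ingest raw syslog text; return (alerts, number of lines no parser accepted)."""
    events, dropped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            dropped += 1
        else:
            events.append(ev)
    return detect(events), dropped


if __name__ == "__main__":
    found, unseen = run_pipeline(SAMPLE_SYSLOG)
    for a in found:
        print(a)
    print(f"{unseen} line(s) came from a source with no parser and never reached the rules")
```

Running it yields four alerts (the jsmith threshold, the blocklisted host, and two executable downloads) and one dropped line. Nothing fires for `stage.ps1`: the host is not on the blocklist and `.ps1` is not in the extension list, which is exactly the "rules see Y and Z but not X" gap. The DNS query to the bad host is dropped at parse time because no parser was configured for that device, so the SIEM never gets the chance to correlate it.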

We have to remember that security should be addressed in layers. A single firewall may provide adequate protection for a network, but it will not be nearly as effective as a firewall combined with an intrusion detection or prevention system. Those security mechanisms are great, but monitoring all of them individually is nearly impossible. SIEM provides the bridge between systems: a single reference point for situational awareness and intelligence for the admin team. SIEM also adds situational awareness of the overall behavior of the network. Even where no threat is involved, SIEM can provide insight and generate notifications of application or system crashes, which is something firewalls and other security devices do not do. It also does really well in forensic analysis of the events leading up to a suspected breach or incident. Instead of querying logs from five different sources, the SIEM can be the proverbial one-stop shop for an investigation, provided the sources’ clocks are synchronized (NTP) so that events from different devices can be placed in the right order. Despite the shortcomings, SIEM is a must-have for any network, but SIEM cannot and should not be implemented without due expectation management. For more information on SIEM you can research any of the SIEM products on the market; Splunk, Tripwire, NetIQ, and Arcsight are but a few. There will be some differences in capability between these, and some may even have enhanced features to remedy the shortcomings identified above, but those are usually much more expensive, and those advanced features are not organically SIEM but advanced security utilities infused with SIEM capability.