Discover how you can use a next gen SIEM to ensure compliance, protect your data and prevent or mitigate attacks.
A next generation Security incident and Event Management (SIEM) allows security analysts to collect and store unlimited data, investigate and detect threats, and respond automatically. Boasting unlimited log collection and storage and rapid processing that can deliver real-time response, a next generation SIEM is infinitely scalable while being dextrous enough to meet numerous demands. Let’s take a look at how the technology can be used to meet different security objectives.
Complying with industry standards
Industry regulations such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS) seek to secure user data by standardising how it is collected, used and stored. They can be highly prescriptive and failure to comply can result in punitive fines and reputational damage. GDPR, for example, states that explicit consent must be obtained before collecting personal data and protection put in place to safeguard it. Any data violations must be disclosed within 72 hours, so the organisation needs to detect and respond quickly.
Using a next gen SIEM makes it easy to detect attempts at unauthorised access to personal data. By setting parameters such as the number of log-in attempts and grouping this with the username and user IP address, the attacker’s activities can be correlated and access attempts revealed when these parameters are exceeded, triggering an alert.
Organisations accepting payment cards must follow the PCI DSS which requires them to monitor access to network sources and card owner data, create consistent secure audit trails and regularly test systems and processes. Here the SIEM can be used to detect not just access attempts but other indicators of compromise (IoC) such as compromised users, the escalation of privileges, malware traffic, data leakage, the ciphering of data (usually synonymous with ransomware) and lateral movements in keeping with the lateral threat detection rules identified within the Mitre Att&ck framework.
A SIEM can also help the business take a more proactive security stance because it constantly monitors the network. Consequently, it can be used to prevent data exfiltration by monitoring e-mails, DNS inquiries, file access demands, and illegal port connections as well as the traffic passing through the command and control server, high levels of which can be indicative of malware on a compromised user account.
Behaviour analysis can be used to flag unusual activity such as access attempted outside of office hours or the encryption of data which would suggest a ransomware attack or escalated authority over critical systems. Crucially, a next gen SIEM is able to correlate seemingly unrelated incidents to determine whether these are part of a bigger picture, such as the insertion of a USB stick, a change in process information, use of personal e-mail services, cloud storage services or high data throughput the Internet and local network, which together could be indicative of data exfiltration.
The next gen SIEM can also deal with unauthorised access to shared folders held on the Windows file server. Detailed authorisation reports reveal whether a user has extreme authorisation levels that may cause them to become an insider threat but keeping tabs on these reports in large organisations can prove challenging. A proactive and continuous solution can monitor access by correlating access control logs and process creation logs, and using behavioural analysis can determine whether a user is acting suspiciously, is an attacker or a victim before flagging remedial actions to the security or IT team.
Ultimately, the attacker will seek to gain privileged user credentials, giving them administrative control, root privileges or access to accounts with upgraded privileges. Key to protecting this access is locking down data coming from credential servers or from index servers such as Active Directory (AD) or LDAP and this can be achieved by configuring these systems and right sizing access. But changes overtime such as the upgrade of user credentials or creation of new users can lead to misconfigurations and security gaps.
The SIEM can help the business keep on top of configuration issues by periodically reviewing privileges and license allocations and monitoring privileged user access to files and databases. The total number of incidents that occur over privileged user accounts within a set time are shown on dashboards, together with account names, account categories, departments, and other relevant information, which when correlated indicate what normal account usage looks like. This benchmark can then be used to define unusual or unexpected activity.
Preventing and mitigating attacks
Where a next gen SIEM really comes into its own in its ability to automate and rapidly act upon IoCs. The SIEM monitors attack indicators and vectors by means of pre-defined correlation rules and cyber threat intelligence the results of which are then shared via dashboards, alerts, and reports. It can effectively mitigate against insider threats, malware, brute force and zero-day attacks, detecting and stymying the progress of these attacks, but it can also be used to address more advanced attacks such as:
- Malicious PowerShell attacks make use of the same Windows command line tool used by systems administrators and because these don’t record to disk they are typically overlooked by anti-virus or intrusion prevention systems (IPS). That makes these attacks difficult to detect but the SIEM can capture activities carried out within PowerShell by analysing data from the PowerShell control logs, process creation logs, and endpoint detection and response (EDR) logs and flagging suspicious activity to the relevant team.
- Superman VPN users exploit the web-based virtual private networks (SSL VPNs) used by employees to remotely connect to corporate networks. What tends to give them away is their ability to access data sources at seemingly lightning speed despite supposedly being at a faraway location, hence the ‘superman’ moniker.
A next gen SIEM can monitor the logs on the VPN condenser and detect the user and IP address behind each new connection request. Using previous connection requests from the same user, the SIEM can check the time and the IP address of access requests and verify the geolocation to determine if the access request is genuine.
- Lateral attacks see an attacker continue to search and exploit systems by escalating their access privileges once they have breached a network’s defences. The longer the attacker can remain undiscovered, the greater their chances of gaining access to sensitive data or critical systems.
The SIEM collates audit logs, process formation logs, Firewall, IDS/IPS, and EDR logs and will look for tells such as unsuccessful log-in attempts on disabled accounts, unusual activities based on the time of day or day of the week, access requests to servers, file shares, applications or other sources, abnormal application use or access to data storage. By doing so, it can quickly identify those users seeking to increase their access privileges to obtain access.
A next generation SIEM can provide the business with the means to meet compliance obligations, safeguard data and defend against attacks through continuous monitoring, the correlation of log data from numerous sources, and automated incident response, on time incident notification and automated remediation.
The 4Data Logsign next gen SIEM provides all of these capabilities and more. Based on a cluster infrastructure which uses the Hadoop Big Data software ensuring scalability, the Logsign SIEM offers continuous monitoring, real-time data enrichment with real-time threat intelligence and limitless data collection from every source and environment.
Rapid drill-down full-text data search ensures you can find what you need, while correlated and enriched data accelerate incident response, and threat hunting enables you to discover hidden threats, anomalies or IOCs using the Mitre Att&ck framework. With over 400 plug-ins, the platform also integrates easily with third party security solutions including Checkpoint, Fortigate and Palo Alto, ensuring you can escalate defence.