SIEM and Event Correlation

  • Correlating events might yield unexpected conclusions

  • What is a SIEM?

    • Security information and event management

    • Set of tools for:

      • Log and alert storage

      • Log analysis, learning, baselining, pattern matching and deviations

      • Log correlation

      • High level overview of security posture

      • Examples: Splunk, ArcSight, ELK Stack, IBM QRadar, AlienVault, Graylog

  • SIEM alerts

    • The SIEM is just another box that generates alerts…

    • False positives, false negatives?

  • Alerts should be fired for suspicious events or sets of conditions, also known as a “use case”:

    • The data source

    • The query string

    • Action triggered by the event

  • SIEM Use Case Matching

    • When a matching event is found, a SIEM should capture:

      • When the event started

      • Who was involved

      • What happened

      • Where the event happened

      • Where the event originated

  • SIEM Sources

    • A SIEM can collect data from:

      • Agents on hosts/servers

      • Built-in listeners or collectors (standard syslog, SNMP traps, NetFlow variants)

      • Sensors for network traffic

  • Normalization

    • Consistency – all events have to look the same

    • Issue: hundreds of vendors, appliances, standards and formats:

      • Logs in txt vs binary or CSV vs TSV

      • JSON vs XML

      • Character encoding mismatch

      • Windows vs Linux newlines

      • SNMP MIBs from various vendors

    • Vendor plugins are used for format normalization

    • Timestamp normalization
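    The normalization step above, as an added example (not code from the slides or from any SIEM vendor): three constructed records in three formats (a BSD syslog line, a JSON line with a non-UTC offset, and a CRLF-terminated CSV export) are mapped onto one event schema with every timestamp rendered in UTC. The schema field names, the action vocabulary, and the assumption that syslog and CSV timestamps are UTC in the year 2024 are this example's own choices; a real collector would take them from configuration.

    ```python
    """Normalize heterogeneous log lines into one event schema (added example)."""
    import csv
    import json
    import re
    from datetime import datetime, timezone

    # Constructed sample records: BSD syslog, application JSON, appliance CSV (CRLF).
    SAMPLES = [
        "Mar  3 10:15:02 web01 sshd[2211]: Failed password for bob from 10.0.0.7 port 51022 ssh2",
        '{"@timestamp": "2024-03-03T11:15:04+01:00", "hostname": "web01", '
        '"username": "bob", "event": "login_ok", "ip": "10.0.0.7"}',
        "2024-03-03 10:15:06,fw01,bob,deny,10.0.0.7\r\n",
    ]

    SYSLOG_RE = re.compile(
        r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
        r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
    )
    SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

    def to_utc_iso(dt):
        """Render an aware datetime as UTC 'YYYY-MM-DDTHH:MM:SSZ' (the common timestamp form)."""
        return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

    def parse_syslog(line, year=2024):
        m = SYSLOG_RE.match(line)
        if not m:
            return None
        # BSD syslog carries neither year nor zone: assume the given year and UTC (assumption).
        dt = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        f = SSH_FAIL_RE.search(m["msg"])
        if not f:
            return None  # only the ssh failure message is mapped in this example
        return {"ts": to_utc_iso(dt), "host": m["host"], "user": f["user"],
                "action": "login_failed", "src_ip": f["ip"], "source": "syslog"}

    def parse_json(line):
        try:
            rec = json.loads(line)
        except ValueError:
            return None
        dt = datetime.fromisoformat(rec["@timestamp"])  # keeps the +01:00 offset
        action = {"login_ok": "login_success", "login_fail": "login_failed"}.get(rec["event"], rec["event"])
        return {"ts": to_utc_iso(dt), "host": rec["hostname"], "user": rec["username"],
                "action": action, "src_ip": rec["ip"], "source": "app_json"}

    def parse_csv(line):
        row = next(csv.reader([line]))
        if len(row) != 5:
            return None
        ts, host, user, verdict, ip = row
        # The export carries no zone; assume UTC (assumption).
        dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        return {"ts": to_utc_iso(dt), "host": host, "user": user,
                "action": "fw_" + verdict, "src_ip": ip, "source": "fw_csv"}

    def normalize(line):
        """Dispatch on format; strip BOM and Windows/Unix newlines first."""
        line = line.lstrip("\ufeff").rstrip("\r\n")
        if line.startswith("{"):
            return parse_json(line)
        if re.match(r"\d{4}-\d\d-\d\d ", line):
            return parse_csv(line)
        return parse_syslog(line)

    def normalize_all(lines):
        return [e for e in map(normalize, lines) if e]

    if __name__ == "__main__":
        for event in normalize_all(SAMPLES):
            print(event)
    ```

    Each vendor-specific parser plays the role of a "vendor plugin": it knows one format and emits the common schema, so the correlation layer never sees the original text.
    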

  • Analysis and Detection

    • Rule-matching

      • If-then-else static approach

      • Fast

      • Useless for unknown threats

    • Heuristic rule matching

      • A more “permissive” if-then-else

      • Heuristics > fuzzy matching > machine learning

      • Approach based on constantly refining rules

    • Behavioral analysis

      • Build a baseline that defines what normal looks like

      • Statistical model, requires human intervention for fine tuning

    • Anomaly analysis

      • Compare against a well-known expected outcome and flag deviations

      • Example: RFC deviations

    • Trend analysis

      • Look at historical patterns

      • Based on predictions, which must themselves be trustworthy
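    Two of the detection styles above side by side, as an added example (not code from the slides): a static if-then rule that correlates events over a time window (repeated failed logins from one source followed by a success) and a behavioral check that flags a host whose hourly event count departs from its own baseline by more than a tunable number of standard deviations. The event stream, the per-host history, the thresholds and the alert field names are constructed for the example; the alert carries the when/who/what/where/origin fields the slides say a SIEM should capture.

    ```python
    """Static correlation rule and statistical baseline over one event stream (added example)."""
    from collections import defaultdict, deque
    from datetime import datetime, timezone
    from statistics import mean, pstdev

    # Constructed, already-normalized events: (ts UTC, host, user, action, src_ip)
    EVENTS = [
        ("2024-03-03T10:15:02Z", "web01", "bob", "login_failed", "10.0.0.7"),
        ("2024-03-03T10:15:10Z", "web01", "bob", "login_failed", "10.0.0.7"),
        ("2024-03-03T10:15:20Z", "web01", "bob", "login_failed", "10.0.0.7"),
        ("2024-03-03T10:15:30Z", "web01", "bob", "login_success", "10.0.0.7"),
        ("2024-03-03T10:16:00Z", "web02", "alice", "login_failed", "10.0.0.9"),
        ("2024-03-03T10:20:00Z", "web02", "alice", "login_success", "10.0.0.9"),
    ]

    def parse_ts(s):
        return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

    def failures_then_success(events, threshold=3, window_s=60):
        """Static if-then rule with a time window (event correlation): at least
        `threshold` failed logins from one source inside `window_s` seconds, then a
        success from that source. Each alert records when/who/what/where/origin."""
        recent = defaultdict(deque)  # src_ip -> failure timestamps still inside the window
        alerts = []
        for ts, host, user, action, src in sorted(events):  # ISO strings sort chronologically
            t = parse_ts(ts)
            q = recent[src]
            while q and (t - q[0]).total_seconds() > window_s:
                q.popleft()  # expire failures older than the window
            if action == "login_failed":
                q.append(t)
            elif action == "login_success" and len(q) >= threshold:
                alerts.append({
                    "when": q[0].strftime("%Y-%m-%dT%H:%M:%SZ"),  # when the burst started
                    "who": user,
                    "what": f"{len(q)} failed logins then success within {window_s}s",
                    "where": host,
                    "origin": src,
                })
                q.clear()  # one alert per burst, not one per later success
        return alerts

    # Constructed baseline: events per hour seen from each host over the past 8 hours
    HISTORY = {
        "web01": [40, 42, 38, 45, 41, 39, 44, 40],
        "web02": [10, 12, 11, 9, 10, 11, 12, 10],
    }

    def baseline_deviations(history, current, sigma=3.0):
        """Behavioral analysis: flag hosts whose current hourly count lies more than
        `sigma` standard deviations from their own baseline. `sigma` is the knob a
        human tunes; a flat baseline is floored to 1.0 to avoid dividing by zero."""
        flagged = {}
        for host, counts in history.items():
            mu, sd = mean(counts), max(pstdev(counts), 1.0)
            z = (current.get(host, 0) - mu) / sd
            if abs(z) > sigma:
                flagged[host] = round(z, 1)
        return flagged

    if __name__ == "__main__":
        for alert in failures_then_success(EVENTS):
            print(alert)
        print(baseline_deviations(HISTORY, {"web01": 120, "web02": 12}))
    ```

    The static rule is fast and precise for the pattern it encodes and blind to anything else; the baseline check needs no prior knowledge of the attack but depends on a representative history and on a human choosing `sigma`, which is the trade-off the slides describe.
    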

  • SIEM Rules

    • Start from a predefined set of rules

    • Customization is required to match each environment

    • Rule: Statement that matches conditions by:

      • Numerical values

      • String comparison

      • Set membership

      • Unified AND/OR operations

    • Sometimes similar to database (SQL) queries

    • String searching – filtering text information in logs

    • Regular expressions

      • grep supports regex
      
      • cut can help filter (select columns)
      
      • sort
      
      • Piping chains commands
      
        • grep | cut | sort
      
      • head – first 10 lines (by default)
      
      • tail – last 10 lines (by default)
      
      • gawk – for extracting fields

    • wmic on Windows
    
    • PowerShell: Get-EventLog
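    A minimal rule evaluator covering the SIEM Rules section above (numeric comparison, string comparison, set membership, nested AND/OR) and the use-case shape from earlier (data source, query, action), with a regex operator standing in for grep and a final count per origin standing in for the `grep | cut | sort | uniq -c` pipeline. This is an added example, not the slides' code nor any vendor's rule language; the events, rule names, data-source labels and the "external" address range (the 203.0.113.0/24 documentation range) are constructed.

    ```python
    """Declarative rules evaluated over normalized events (added example)."""
    import re
    from collections import Counter

    # Constructed normalized events, tagged with the data source they came from.
    EVENTS = [
        {"source": "auth", "host": "web01", "user": "bob", "action": "login_failed", "src_ip": "10.0.0.7", "bytes": 0},
        {"source": "auth", "host": "web01", "user": "root", "action": "login_failed", "src_ip": "203.0.113.5", "bytes": 0},
        {"source": "file", "host": "db01", "user": "svc_backup", "action": "file_read", "src_ip": "10.0.0.20", "bytes": 5_000_000},
        {"source": "file", "host": "db01", "user": "alice", "action": "file_read", "src_ip": "203.0.113.5", "bytes": 90_000_000},
        {"source": "auth", "host": "web02", "user": "root", "action": "login_failed", "src_ip": "203.0.113.9", "bytes": 0},
    ]

    # Leaf operators: numeric and string comparison, set membership, regex (the grep equivalent).
    OPS = {
        "==": lambda a, b: a == b,
        "!=": lambda a, b: a != b,
        ">=": lambda a, b: a >= b,
        "<": lambda a, b: a < b,
        "in": lambda a, b: a in b,
        "~": lambda a, b: re.search(b, str(a)) is not None,
    }

    def evaluate(cond, event):
        """cond is a leaf [field, op, value] or a node {"and": [...]} / {"or": [...]}."""
        if isinstance(cond, dict):
            if "and" in cond:
                return all(evaluate(c, event) for c in cond["and"])
            if "or" in cond:
                return any(evaluate(c, event) for c in cond["or"])
            raise ValueError(f"unknown node {cond}")
        field, op, value = cond
        return field in event and OPS[op](event[field], value)

    # A use case = data source + query + action. The first query reads like the SQL
    # WHERE action = 'login_failed' AND user IN (...) AND src_ip LIKE '203.0.113.%'
    RULES = [
        {"name": "privileged login failure from external range",
         "source": "auth",
         "query": {"and": [["action", "==", "login_failed"],
                           ["user", "in", {"root", "admin", "administrator"}],
                           ["src_ip", "~", r"^203\.0\.113\."]]},
         "action": "alert"},
        {"name": "large read by a non-service account",
         "source": "file",
         "query": {"and": [["action", "==", "file_read"],
                           ["bytes", ">=", 50_000_000],
                           {"or": [["user", "!=", "svc_backup"], ["host", "==", "web01"]]}]},
         "action": "ticket"},
    ]

    def match_rules(events, rules):
        """Return (rule name, action, event) for every event a rule's query matches
        within that rule's data source."""
        hits = []
        for rule in rules:
            for ev in events:
                if ev.get("source") == rule["source"] and evaluate(rule["query"], ev):
                    hits.append((rule["name"], rule["action"], ev))
        return hits

    def top_sources(hits, n=5):
        """The 'grep | cut | sort | uniq -c | sort -rn' step: count origins among the hits."""
        return Counter(h[2]["src_ip"] for h in hits).most_common(n)

    if __name__ == "__main__":
        hits = match_rules(EVENTS, RULES)
        for name, action, ev in hits:
            print(f"[{action}] {name}: {ev['user']}@{ev['host']} from {ev['src_ip']}")
        print(top_sources(hits))
    ```

    Keeping the query as data rather than code is what makes the customization the slides call for practical: an analyst adjusts thresholds, sets and patterns per environment without touching the evaluator.
    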
