INTRODUCTION TO SIEM

Tanvi Lalwani
4 min read · Feb 13, 2023


What is SIEM?

- SIEM stands for Security Information and Event Management system.

- In essence, it is a tool that gathers data from different endpoints and network devices across the network, stores it in one location, and performs correlation on it.

Network Visibility through SIEM:

- It is very important to have good visibility of the activities within a particular network.

- In the above image, one web server, one data server, and multiple Linux/Windows endpoints make up this simple network; each of them communicates over the internet through a router.

- Each network component can generate various log types. There are two categories of network log sources:

1. Host-centric Log Sources:

- Host-centric log sources capture logs of events that occur on or about the host.

- Windows Event Logs, Sysmon, and Osquery are examples of host-centric log sources, and there are several others that generate host-centric logs.

2. Network-Centric Log Sources:

- Communication between hosts and access to the internet generates network-related logs.

- The protocols involved include VPN, FTP, SSH, HTTP/S, and many more.

Importance of SIEM:

- Ingestion of real-time logs.

- Providing alerts when abnormal activity is detected.

- Monitoring and visibility provided 24/7.

- Early detection of threats to keep you safe.

- Analyzing and visualizing data.

- Investigation of past incidents.

Log Sources and Log Ingestion:

Windows Machine:

- Windows records every event, and these can be viewed through the Event Viewer utility. Each type of logged activity has a unique Event ID.

- Event Viewer displays these events in a window, where the logs can be reviewed.

- A SIEM solution monitors all Windows endpoints and forwards logs from all of them for better visibility and monitoring.

Linux Workstation:

- Linux stores events, errors, warnings, and all other associated logs, which are then ingested into the SIEM for continuous monitoring. Common locations are:

- /var/log/httpd: This directory contains the HTTP request, response, and error logs.

- /var/log/cron: Cron job events are stored here.

- /var/log/auth.log and /var/log/secure: These files store authentication logs.

- /var/log/kern: This stores kernel events.

Web Server:

- It is very important to watch the requests and responses coming in and out of the web server, because an attacker may attempt a web attack against it.

Log Ingestion:

1. Agent/Forwarder: In these SIEM solutions, an agent (called a forwarder in Splunk) is installed on the endpoint. It sends all important logs to the SIEM server for analysis.

2. Syslog: Using Syslog, data is sent in real time from various systems, such as web servers, databases, etc.

3. Manual Upload: Users can ingest offline data for quick analysis with SIEM solutions like Splunk, ELK, etc. After the data is ingested, it is normalized and made available for analysis.

4. Port-Forwarding: SIEM solutions can also be set up to listen on a certain port; the endpoints then forward their data to the SIEM instance on that port.

SIEM Capabilities:

- Correlation between events originating from various log sources.

- Ensures that both host- and network-centric actions are visible.

- Permits analysts to research the most recent threats and effective responses.

- Looks for threats that are missed by the established rules.

SOC Analyst Responsibilities:

- Monitoring and investigating.

- Recognising false positives.

- Tuning the rules that are the source of noise or false positives.

- Compliance and Reporting.

- Locating and addressing network visibility blind spots.

Analysing Logs and Alerts:

Dashboard:

- It is the most important component of a SIEM. It displays information such as:

- Alert Highlights

- Health Alerts

- Events Ingested Count

- Rules Triggered

- List of Failed Login Attempts

- System Notifications

Correlation Rules:

- Correlation rules have a very important role in detecting threats so that analysts can take action in time. These rules are logical expressions that trigger when their conditions are met.

- An example of a correlation rule: if a user gets 5 failed login attempts within 10 seconds, an alert is raised for multiple failed attempts.
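The rule described above, implemented as a sliding-window correlation over authentication events. This is an added example, not code from the original post or from any SIEM product; the log format and the sample lines are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from a real system): timestamp, user, outcome.
# "alice" fails 5 times in 8 seconds; "carol" fails 5 times spread over a minute.
SAMPLE_LOGS = """\
2023-02-13T10:00:00 alice LOGIN_FAILED
2023-02-13T10:00:01 alice LOGIN_FAILED
2023-02-13T10:00:02 bob LOGIN_SUCCESS
2023-02-13T10:00:03 alice LOGIN_FAILED
2023-02-13T10:00:05 alice LOGIN_FAILED
2023-02-13T10:00:08 alice LOGIN_FAILED
2023-02-13T10:00:30 carol LOGIN_FAILED
2023-02-13T10:00:45 carol LOGIN_FAILED
2023-02-13T10:01:00 carol LOGIN_FAILED
2023-02-13T10:01:15 carol LOGIN_FAILED
2023-02-13T10:01:30 carol LOGIN_FAILED
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, outcome)."""
    ts, user, outcome = line.split()
    return datetime.fromisoformat(ts), user, outcome


def failed_login_alerts(lines, threshold=5, window_seconds=10):
    """Correlation rule: raise one alert per user whenever `threshold`
    LOGIN_FAILED events for that user fall within `window_seconds`.
    Returns a list of (user, first_failure, last_failure, count)."""
    recent = defaultdict(deque)  # user -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, outcome = parse_line(line)
        if outcome != "LOGIN_FAILED":
            continue
        window = recent[user]
        window.append(ts)
        # Expire failures older than the window so slow, spread-out failures do not accumulate
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alerts.append((user, window[0], ts, len(window)))
            window.clear()  # reset so one burst produces a single alert
    return alerts


if __name__ == "__main__":
    for user, first, last, count in failed_login_alerts(SAMPLE_LOGS.splitlines()):
        print(f"ALERT: {count} failed logins for {user} between {first} and {last}")
```

Only alice triggers the rule; carol's failures are more than 10 seconds apart, which shows why the window size is a tuning decision for the analyst rather than a fixed constant.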

Alert Investigation:

- Dashboards are where analysts spend most of their time when monitoring a SIEM, since they provide a very concise summary of all the important network information.

- When an alert has been triggered, the rule is checked to determine whether its conditions were actually met, and the events/flows connected to the alert are then analysed.

- The analyst assesses whether it is a true or false positive based on the investigation.

- Following the analysis, some measures are taken, including:

- If the alert is a false positive, the rule may need to be adjusted to prevent similar false positives from occurring again.

- If the alert is a true positive, perform additional research.

- Get in touch with the asset owner to inquire about the activity.

- If the suspicious activity is confirmed, remove the infected host from the network.

- Block the suspicious IP.
