Page 9 - Cyber Warnings
P. 9
Here are 5 common mistakes companies make while planning, deploying and customizing a
SIEM solution, supported with real-life cases from our SIEM consulting practice proving that
merely installing SIEM software isn’t enough to ensure full-fledged threat management.
Mistake 1: Leaving non-customized correlation rules
One of the solution’s main functions is to correlate security events and detect offenses that
threaten a corporate network. Though modern SIEM systems offer out-of-the-box correlation
rules (e.g. in IBM QRadar, over 500 correlation rules are available), they usually cover only the
most typical use cases. Customized correlation rules are indispensable to make the system
work according to a company’s network topology and security policy.
Case 1: A financial organization implemented a SIEM solution as a part of their security strategy
and activated a range of out-of-the box correlation rules. However, there wasn’t a single custom
correlation rule adapted to the company’s domain controller security policy. It meant that the
implemented system didn’t qualify cases of multiple user login failures into offenses, failing to
detect any attempts of brute forcing across the network. SIEM consultants built up a relevant
correlation rule aligned with the existing domain controller policy, which allowed to see the first
results 24 hours later when the SIEM system generated 30+ offenses triggered with
authentication mistakes. Having investigated the detected offenses and their source IPs,
security administrators found out that one of them belonged to a malicious external user
persistently trying random passwords to access one of the employees’ workstations.
Case 2: A SIEM system installed at a bank had no customized correlation rules on the traffic
baseline analysis, therefore it couldn’t detect abnormal network activities and prohibited
communication with important network devices. To fill this gap, the bank turned to SIEM
consultants who fine-tuned a set of flow rules, including a custom correlation rule applied to the
database production server. With new rules in place, just 3 weeks later a SIEM system identified
an abnormal increase in the server traffic by more than 25%, as well as detected a suspicious
IP that wasn’t authorized to communicate with the server. Security administrators were then
able to start investigating the offense.
Mistake 2: Allowing false-positives to flood out the system
With non-customized correlation rules, organizations are not only unable to capture a whole
array of security events, they also risk to overlook real incidents in the mounting pile of false-
positives. This creates unnecessary workload for security administrators and analysts along with
making investigation of security offences cumbersome.
Case 1: A healthcare organization turned to SIEM consultants to fine-tune their SIEM solution.
They discovered that the SIEM solution functioned with out-of-the-box rules activated all at once
without any customization. As a result, the system generated 7,000+ offenses daily. It’s obvious
that such a volume of security incidents was impossible to analyze manually. By updating the
9 Cyber Warnings E-Magazine October 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
