By Joe Magee, Chief Technology Officer, Vigilant, Inc.
May 24, 2013, 11:30 am EST
Security Information and Event Management (SIEM) technology has many benefits for organizations seeking answers to specific questions about their security-related data – but one of the greatest is its ability to correlate real-time event data with periodically updated “referential data” for more informed decision-making.
For years, organizations leveraging referential data in their SIEM implementations have seen significant value over organizations whose SIEM programs are focused on traditional, perimeter-oriented detection alone. By building use cases that enrich real-time log data with business context data, analysts “watching the glass” in an integrated SIEM environment can take more precise action when responding to a system alert.
A key question to ask of your SIEM environment is “Do I have hosts communicating with known malware and botnet infrastructure?” To answer this question, an organization should integrate threat intelligence data into their SIEM (as referential data) along with real-time log data from DNS logs or proxy logs that report on user activity. Once these log sources are integrated into SIEM, an organization can write rules and reports that will send an alert anytime a proxy log – which shows where internal users are browsing on the Internet – matches an IP or domain name within the threat intelligence feed data that sits in the SIEM as a watch list.
This example (Fig. 1) shows a SIEM dashboard integrating the request URL, which reflects where a user’s system visited along with the known malicious IP and domain name from the threat intelligence feed. The “Proxy Connection to known Malicious Domains” alert signifies that a system internal to the organization is connecting outbound to a known malicious entity.
Fig. 1: An integrated SIEM dashboard displays data from the threat intelligence feed and proxy logs to detect a correlated alert with the SIEM.
The likely scenario here is that the affected system was compromised by some form of malware that has gone undetected by the anti-virus system running on the host. In today’s world, this is an all too common occurrence, and one that organizations must battle on a daily basis.
Another important aspect of any successful SIEM program is the response processes and procedures that take place after an alert is fired. To successfully define these processes and procedures, organizations should prioritize correlated events into a set of workflow dashboards that leverage business context integration wherever possible. Examples of business context integration include asset lists, business impact priority scores as well as threat intelligence data. Without proper business context integration, it can be very difficult for an analyst to understand how important an alert is without sufficient information to guide a set of actions. Robust threat intelligence integration empowers analysts to positively identify malicious activity within their environment and immediately triage and respond to the threat.
Although real-time data remains essential within a SIEM infrastructure, it’s the hidden value of integrating referential data sources that can create a more accurate and actionable security monitoring program.
About The Author
Joe Magee is the Chief Technology Officer and co-founder of Vigilant, Inc., a provider of managed security monitoring and threat intelligence services. In this position he oversees research and development for security monitoring solutions, most recently including the development of Vigilant’s Collective Threat Intelligence™ services. He leads in the ongoing evaluation of security technologies and ensures that vigilant offerings continually adapt to the latest threat vectors, developing industry standards, and regulatory requirements. Previously, he was Chief Security Officer at Top Layer Networks and cut his teeth in the high-risk world of on-line trading, serving as information security architect for Datek Online. Magee is an active member of SecurityMetrics.org and other industry organizations that directly contribute to the development of security monitoring best practices and standards. He attended Drexel University, where he studied Commerce & Engineering and Management of Information Systems.
Joe can be reached online at firstname.lastname@example.org and at the company website, http://www.thevigilant.com/.