Cybersecurity issues are becoming a day-to-day battle for your business. Cyber attacks are growing in prominence every day — and debilitating businesses overnight. New attack vectors and vulnerabilities are constantly being discovered. The Global Risks Report 2018 has ranked cyber attacks third in its top ten risks in terms of likelihood, saying that “Cybersecurity risks are growing, both in their prevalence and in their disruptive potential.”
Traditional analytics technique used to detect security incidents
Analytics is a rising force that is helping security analysts do much more with log and event data. The traditional analytics technique is limited to manually defining correlation rules. These rules specify a sequence of events that indicates an anomaly which could represent a security threat, vulnerability or active security incident. These rules correlate incoming events based on previously defined relationships. Some of the instances of correlation rules are to alert if:
- A user fails more than five login attempts on the same system within an hour.
- A large number of failed login attempts is followed by one successful login attempt.
- More than ten files of specific types are copied to USB drivers or sent as email attachments to non-company domains.
- A user switches from their normal account to a privileged one and performs an abnormal data transfer to or from an external service.
- A user accesses a shared file system from a new location for the first time.
- A user logs in at 3:00 AM and makes repeated attempts to connect to a production database as an administrator.
What can go wrong with correlation rules?
Almost any correlation rule can create a false positive which is any behavior that is identified as malicious but proves to be not. Correlation rules are based on inflexible, predefined rules which leads to alert fatigue. Sometimes, security analysts switch off rules by mistake as they generate a lot of false positives. As a result, you keep missing threats. Also, these rules are too generic and won’t cover all the use cases.
Now let’s move on to the scenarios such as a new attack type is attempted that no one had created a rule for and an unknown malware type infects your systems. Conventional systems based on correlation rules find it difficult to detect unknown threats.
How does SIEM help safeguard your business from security threats?
Security Information and Event Management (SIEM) technology has been around for more than a decade, cementing its role as a key component of any security strategy in today’s threat environment. SIEM helps you connect the dots and provide a holistic view of what is happening across your network, allowing you to act quickly and mitigate threats faster. The idea behind SIEM is to serve as a centralized means of quickly correlating data from disparate sources into easily trackable security incidents.
Implementing SIEM helps you gain insight into security activities and events across network devices, servers and workstations. Let’s have a look at how you can use SIEM to ward off threats.
Aggregating and consolidating data
Logs are now increasingly being used for threat diagnosis and mitigation. A SIEM system cuts through the noise generated by massive volumes of log data to show you actual and potential threats that your Security Operations Center (SOC) team can then investigate and triage. It detects unusual activity in your organization, reduces the risk of breaches and keeps both business resources and personal data secure. Having all the data on a common platform facilitates event correlation and data analysis. This centralized collection of security information helps you detect suspicious behavior and problems before they can cause damage.
An automated watchdog
A SIEM platform serves as an excellent, automated watchdog to detect when processes or their results go out of spec. Compliance is the primary reason to install a SIEM solution. Compliance teams need to know what constitutes a threat, report on what should be done to address a threat (and how long that will take), and document the actions taken to address a threat. Compliance with legal regulations and standards helps to monitor policy management of your business.
Analyzing historical data and patterns
Another key aspect of SIEM is the ability to analyze historical event data. SIEM encompasses the ability to access years’ worth of data to quickly pinpoint patterns and anomalies while maintaining real-time analysis without any performance degradation. The key purpose of SIEM is to respond to information security threats rapidly and effectively. A SIEM platform carries out thorough historical analysis and continuous monitoring of all ongoing events. This monitoring helps you find patterns, and to filter and analyze all the data that comprises the context of a cyber attack. SIEM offers an effective and efficient means to monitor your network around the clock.
Improving incident response efficiency
Your security team investigates an incident to determine what happened, which data and systems were impacted, who perpetrated the attack, and what corrective action is necessary to clean up the damage and prevent similar attacks in the future. Now that the issue has been identified and analysts have been alerted, what’s next? How well your organization responds to an incident will determine the outcome. SIEM helps security analysts with the next steps: incident containment, escalation (if necessary), mitigation and scanning for vulnerabilities.
Preventing advanced persistent threats
An Advanced Persistent Threat (APT) is a sophisticated attack that targets a specific data set or infrastructure to elude detection. A SIEM system collects and stores threat event data, produces alerts and reports, correlates events and produces real-time alerts. More and more organizations are turning to SIEM systems to combat APTs and other attacks. Timely analysis of log information and user behavior can help cut off APTs before they explode into massive data breaches. If you have a data-critical business and you want to protect that data from insidious APTs, a SIEM can provide that protection.
Insight into phishing attacks
Most successful security breaches are the result of phishing attacks, which are based on social engineering. One of the biggest challenges for your security team is to quickly and effectively detect these attacks, and then efficiently investigate and respond to prevent damage. SIEM gives you insight into suspicious activity and attack attempts. It helps your SOC team continually assess your organization’s security posture and identify areas of focus to fortify defenses.
Detecting zero-day attacks
It is likely that a majority of the existing solutions within your IT infrastructure are not equipped to detect zero-day attacks. A SIEM platform can detect activity associated with an attack, rather than relying on detecting the attack itself. For instance, a PDF exploit might cause Adobe Reader’s process to crash; at the same time, a new process launches, either listening for an incoming network connection or initiating an outbound connection to the attacker. Many SIEM solutions offer enhanced endpoint monitoring capabilities that keep track of processes and network connections. They can detect attacks by correlating process and network activity from hosts on the network. While conventional solutions do what they do well, a SIEM solution provides a safety net to catch malicious activities that would slip through traditional defenses.
Next Gen SIEM uses Advanced Threat analytics with ML
The definition of SIEM is changing with evolving capabilities. A new generation of SIEM tools bolsters top-down monitoring of network activity with analytics techniques that help spot security incidents as soon as they occur. Next generation SIEM emerged as the maturation of security analytics techniques.You need a Next Gen SIEM that can also alarm on unknown threats as well in order to reduce the data breach risks.
Machine learning (ML) techniques help security systems identify patterns and threats with no prior definitions or rules and with much higher accuracy. Next Gen SIEMs leverage machine learning to go beyond correlation rules and provide:
Complex threat detection
Modern attacks are often comprised of several types of events, each of which might be painless on its own. Advanced data analytics look at data for multiple events over a historic timeline and capture suspicious activity. Insider threat detection Next Gen SIEMs can identify that a person or system resource is behaving abnormally. They connect the dots between a misbehaving user account and other data points, to discover a malicious insider, or compromise of an insider account.
ML based intrusion detection
Security analysts use machine learning to build an effective intrusion detection capability. They select the right features to create the most effective data set with which they can train the machine to distinguish between normal and malicious traffic. They can also identify patterns in network traffic or access control that are similar to historic intrusions or attacks.
ML based malware detection
Machine learning tool can protect your system by flagging incoming malicious files, and preventing malicious files from affecting your computer. It lets you intelligently analyze binaries transmitted by email or downloaded, even if not flagged by antivirus, to understand if it is a mild program or more likely to be a malicious program.
Network anomaly detection
Machine learning techniques enable the development of anomaly detection algorithms that are non-parametric, adaptive to changes in the characteristics of normal behavior in the relevant network, and portable across applications. You can create a model of network traffic to intelligently identify anomalies in traffic.
Detect anomalies in personnel and device behavior
You can create a model of “normal behavior” for a person, a device or group of devices on the network, and intelligently identify anomalies, even ones that were not predefined as rules.
Why choose DNIF to protect your business from cyber threats?
Just as the threat landscape is rapidly evolving, global security operations have shifted beyond basic SIEM capabilities. In order to keep pace with the amount of data and threats in today’s complex and hybrid IT environments, you need a modular and open architecture that provides you with the speed and scalability to quickly detect and address sophisticated attacks.
DNIF is a Next Gen SIEM platform that comes with advanced built-in analytics capabilities which helps SOC analysts perform the task of detecting and mitigating advanced threats. Building on the ability of security log data to record intrusions within microseconds, DNIF gives you a way to isolate and analyze recorded incidents, so that your security team can quickly learn what the threat is and what to do about it.
Hunting unknown threats
SIEM needs to be the foundation and core of your security operations strategy, providing you with the flexibility to collect and normalize the data from many security tools and data lakes across multiple vendors. Your strategy must strike a balance between detecting known threats in real time with SIEM while supporting advanced investigation and incident response processes to identify and act against the more dangerous unknowns in your enterprise.
Conclusion
A properly configured and monitored SIEM platform enables your security analysts to identify attacks before or as they happen, which in turn allows for faster reactions. SIEM solutions take on the burden of collecting and aggregating all the relevant data. This helps your analysts quickly spot suspicious behavior that requires further investigation, or an attack in progress that needs to be stopped. We believe that modern security operations begin with a scalable, open SIEM platform with integrated analytics, providing the oversight needed to respond to both known and unknown threats in real time.
