From Catching A Clue To Catching The Attacker: SIEMs Evolve

Security information and event management (SIEM) and log management systems have generally fallen short of detecting attacks in real time. That's changing, say security experts.

Security information and event management (SIEM) systems are typically used to build a forensic trail, so that evidence of a digital intrusion can be investigated after the attack has been discovered. Increasingly, however, SIEM and log management systems are able to detect attacks in real time, security experts say.

While many security professionals have wished for such capabilities, only recently has the technology caught up with the promise of catching attackers through real-time correlation of disparate network events, says David Pack, manager of LogRhythm Labs at SIEM vendor LogRhythm. A combination of factors is driving the evolution of these systems: The technology can better handle the volume of log data generated by corporate systems, the capabilities of the correlation engines have grown, and the researchers developing such systems better understand attack patterns, he says.

"What is going on in the SIEM industry is that it is becoming a real-time monitoring solution -- it's becoming the SIEM 2.0 that it should be," Pack says. "All the framework and pieces are there to turn this into real-time analysis and real-time alarming."

In a presentation at the United Security Summit in San Francisco, Pack spelled out ways that log management systems can use advanced correlation to detect attackers and showed the signs that a typical attacker leaves in the logs. While many security products focus on detecting the exploit itself, the attempt to trigger a vulnerability and compromise a system, event correlation can assemble evidence from the systems around the target to detect the attack.

In a spear-phishing incident, for example, the log trail can show the user's Outlook client connecting to the Exchange server and downloading a message with a malicious attachment, the user's Adobe Acrobat opening the PDF file and, following exploitation, the client communicating with an unknown Internet address.

"Pretty much every piece of that activity is logged somewhere, often away from where the exploit happened," Pack says. "What is interesting about that is you don't have to worry about whether the exploited vulnerability is known or a zero-day. You only have to worry about how [the attack] is delivered and what happens afterward."

Information security managers are increasingly looking for greater awareness of what is happening on their networks. In addition, they are being asked to watch for a greater variety of threats than in the past, says Mark Seward, senior director of security and compliance at network-intelligence firm Splunk.

"It used to be that I -- as the information security manager -- was only responsible for the information security infrastructure -- listening to it and reacting to it," Seward says. "Now I'm being asked to look at malicious insiders and being asked to look at real-time threats to the business."


Turning logged network and physical events into intelligence about what is happening on the network is a necessity today, Seward says.

In the lion's share of breaches, the attacker leaves traces in the log files. In its latest Data Breach Investigations Report, telecommunications and security provider Verizon found that 86 percent of incidents could have been detected from events already collected in the victim's logs, had the victim's staff been looking.

Part of the problem is that the evidence is buried in a volume of log data that has grown dramatically, says Chris Novak, managing principal with Verizon. In the past, when his investigations team visited a potential client and asked for log data, the company's executives would often give them a blank look, he says. Now, because of compliance regulations, companies are collecting the data, but they generally are not mining it for security events.

"Now many of your larger organizations are storing their logs indefinitely," Novak says. "But ... organizations have so much log data that it has created a new problem that they don't know how to mine and search and correlate that data to make it useful, so it just becomes something we store."

With better correlation engines, companies could not only make better use of the data but also detect attacks in real time. The first step is to establish a baseline of normal activity for the organization, so that deviations from it can be detected. Then vendors and their customers can describe the more complex patterns that may indicate an attack. LogRhythm builds such patterns out of self-contained rules it calls rule blocks, and roughly half of the company's technical staff are developing rules and patterns that translate device logs into detectable behavior, Pack says.

"The real-time alerting has been there for simple issues," he says. "But now we are able to do it for complex behavioral patterns."
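The spear-phishing chain Pack describes earlier (mail client fetches an attachment, a PDF reader opens it, the host then talks to an unknown address) and the baseline-then-rule-block approach of the previous paragraph, worked through as one Python example. This is an added example, not LogRhythm's code or rule format, and no real product logs in this shape: the syslog-style line layout, the host names, IP addresses, user names, file names and the asset inventory are all constructed here, and the ten-minute window and the "known destination" baseline are assumptions standing in for what a deployment would learn from its own traffic.

```python
"""Spear-phishing chain correlated across three log sources.
Added example, not LogRhythm's or Splunk's code. The line format, host names,
addresses and file names are constructed for the demonstration."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed syslog-style format: "<timestamp> <logging host> <source>: k=v k=v ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<logger>\S+) (?P<source>\w+): (?P<kv>.*)$")
# Constructed asset inventory. Exchange and the firewall log on their own hosts, so the
# workstation an event is about has to be joined in from the IP address they record.
ASSETS = {"10.1.4.17": "ws-17", "10.1.4.22": "ws-22"}
ENDPOINT_FIELD = {"exchange": "client", "firewall": "src"}

@dataclass
class Event:
    ts: datetime
    host: str      # the endpoint the event is about, after the inventory join
    source: str    # which log the line came from
    fields: dict

def parse_line(line, assets=ASSETS):
    """Parse one line into an Event; lines that do not match the format yield None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
    host = m["logger"]
    ip_field = ENDPOINT_FIELD.get(m["source"])
    if ip_field and ip_field in fields:
        host = assets.get(fields[ip_field], fields[ip_field])  # unknown IPs stay as the raw address
    return Event(datetime.fromisoformat(m["ts"]), host, m["source"], fields)

def build_baseline(events):
    """Baseline step: (host, destination) pairs seen during a quiet period count as known."""
    return {(e.host, e.fields["dst"]) for e in events if e.source == "firewall" and "dst" in e.fields}

# Rule blocks: each is a self-contained predicate over one event. None names a
# vulnerability; they describe how the attack is delivered and what happens afterwards.
def pdf_attachment_fetched(e, baseline):
    return (e.source == "exchange" and e.fields.get("action") == "attachment_download"
            and e.fields.get("name", "").lower().endswith(".pdf"))

def pdf_opened_in_reader(e, baseline):
    return (e.source == "process" and e.fields.get("image", "").lower() in {"acrord32.exe", "acrobat.exe"}
            and e.fields.get("open", "").lower().endswith(".pdf"))

def connection_to_unknown_destination(e, baseline):
    return (e.source == "firewall" and e.fields.get("action") == "allow"
            and (e.host, e.fields.get("dst")) not in baseline)

SPEAR_PHISH_CHAIN = [pdf_attachment_fetched, pdf_opened_in_reader, connection_to_unknown_destination]

def correlate(events, blocks, baseline, window):
    """Alarm when the blocks match in order, on one host, with every event inside the window."""
    alarms = []
    partial = defaultdict(list)  # host -> chains of events matched so far
    for e in sorted(events, key=lambda ev: ev.ts):
        chains = partial[e.host]
        chains[:] = [c for c in chains if e.ts - c[0].ts <= window]  # drop chains that timed out
        for chain in list(chains):
            if blocks[len(chain)](e, baseline):  # the event satisfies this chain's next block
                chains.remove(chain)
                chain = chain + [e]
                if len(chain) == len(blocks):
                    alarms.append({"host": e.host, "events": chain})
                else:
                    chains.append(chain)
        if blocks[0](e, baseline):  # any delivery event may open a fresh chain
            chains.append([e])
    return alarms

BASELINE_LOG = """\
2011-09-19T09:12:01 fw-edge firewall: src=10.1.4.17 dst=198.51.100.20 dport=443 action=allow
2011-09-19T09:30:44 fw-edge firewall: src=10.1.4.17 dst=198.51.100.21 dport=80 action=allow
2011-09-19T10:02:13 fw-edge firewall: src=10.1.4.22 dst=198.51.100.20 dport=443 action=allow
""".splitlines()
# ws-17 is the phished victim. ws-22 also opens a PDF but only reaches a known destination
# inside the window; its later connection to an unknown address falls outside it.
LIVE_LOG = """\
2011-09-20T14:02:11 mail01 exchange: user=jsmith client=10.1.4.17 action=attachment_download name=Invoice_0921.pdf
2011-09-20T14:02:40 ws-17 process: user=jsmith image=AcroRd32.exe open=Invoice_0921.pdf
2011-09-20T14:03:05 fw-edge firewall: src=10.1.4.17 dst=203.0.113.9 dport=443 action=allow
2011-09-20T14:05:00 mail01 exchange: user=alee client=10.1.4.22 action=attachment_download name=agenda.pdf
2011-09-20T14:05:30 ws-22 process: user=alee image=AcroRd32.exe open=agenda.pdf
2011-09-20T14:06:10 fw-edge firewall: src=10.1.4.22 dst=198.51.100.20 dport=443 action=allow
2011-09-20T15:40:00 fw-edge firewall: src=10.1.4.22 dst=203.0.113.77 dport=443 action=allow
""".splitlines()

def detect(baseline_lines=BASELINE_LOG, live_lines=LIVE_LOG, window_minutes=10):
    baseline = build_baseline(e for e in map(parse_line, baseline_lines) if e)
    events = [e for e in map(parse_line, live_lines) if e]
    return correlate(events, SPEAR_PHISH_CHAIN, baseline, timedelta(minutes=window_minutes))

if __name__ == "__main__":
    for alarm in detect():
        print("ALARM host=" + alarm["host"])
        for e in alarm["events"]:
            print(f"  {e.ts.isoformat()} {e.source:<8} {e.fields}")
```

Run as is, the block raises one alarm, for ws-17, and none for ws-22: that host's outbound connection inside the window goes to a destination in the baseline, and its connection to an unknown address comes too late to join the chain (widen the window to two hours and ws-22 alarms as well). Two points carry over to real deployments. The three rule blocks never name a vulnerability, which is what makes the pattern indifferent to whether the PDF exploit is known or a zero-day. And the correlation only works because every event is keyed to the same endpoint; the join from the firewall's and mail server's IP addresses to a host name is the part of such a rule that breaks first when inventories go stale or DHCP leases change.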
