Vulnerabilities / Threats
7/18/2017
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

SIEM Training Needs a Better Focus on the Human Factor

The problem with security information and event management systems isn't the solutions themselves but the training that people receive.

Logging solutions — or, more specifically, security information and event management (SIEM) solutions — have a bad reputation. Many implementations involve large sums of money and the promise to catch unauthorized and malicious activity. Fast forward a year or two into the deployment and often you will find upset senior management, exhausted security teams, and few detection capabilities. It isn't unheard of for organizations to swap SIEM systems every couple of years, similar to how organizations treat antivirus software.

The problem isn't with any specific SIEM solution. Instead, it's a lack of focus on people and processes. Well-trained staff can implement a strong detection platform regardless of SIEM product. This doesn't mean that all SIEM solutions are equal but, rather, that there is too much focus on products and not enough on people. Training from SIEM vendors is based on how to use their products. This is and should be required to properly use any solution, but it isn't enough. SIEM is a tool, and the focus must also be on the individual(s) wielding the tool.

By changing the focus to individuals, the core problem can start to be addressed. For example, assume you or another staff member attended training on how to catch the bad guys using a SIEM system. The focus, rather than being on maintaining/using a SIEM product, is on things such as which data sources are important, why they're important, and how to enrich those data sources so they make more sense, add context, and are more useful. The training may also include various methods to intentionally set up events to automatically send alerts on unauthorized activity. Would this individual not be better equipped to use any SIEM platform? I would argue that people who know why to use a SIEM system and what to use it for will have a much easier time figuring out how to get a SIEM platform to do what they need it to do.

The PowerShell Problem
Consider an example to illustrate this problem: PowerShell. PowerShell is a thing of beauty, allowing users to automate tasks and do things they otherwise couldn't. However, it's an attacker favorite to use against us. Many modern attacks use PowerShell to evade antivirus systems, whitelisting products, and other security technologies. Yet with a tactical SIEM architecture and proper logging, catching unauthorized PowerShell use can be simple. A properly trained individual can quickly use a SIEM platform to identify things such as:

  • PowerShell being invoked from a command line with a long length
  • PowerShell using base64 encoding
  • PowerShell making calls to external systems
  • A system performing large amounts of PowerShell calls
  • A system invoking PowerShell outside powershell.exe by using Sysmon DLL monitoring in conjunction with the specific PowerShell DLLs

Taking this further, a trained individual may try exporting all unique PowerShell cmdlets found within SIEM logs and turn around and use the result as a detection-based whitelist, a technique that is applicable across multiple data sources. They also may use the whitelist to filter out all logs unless they use an unknown cmdlet, thus severely decreasing the number of logs being collected. This simple process can detect 99.99% or possibly even 100% of PowerShell-based malware, and yet SIEM training doesn't cover this concept.

This is not a failure on part of the SIEM vendors. Their training is on how to use their product, which is necessary. The problem is that SIEM-neutral training geared toward individuals didn't exist until recently.

Remember that SIEM is a tool. Your mileage will vary dramatically, based on the individuals using the tool. If you want a successful detection platform, make sure your team is trained on the following:

  • Key data sources, including what they are, why they're important, and how to use and collect them
  • How to enrich logs and why you need to do so
  • Intentional detection techniques such as implementing virtual tripwires
  • The difference between a bad alert (high false positives) and a good alert (low or zero false positives)

If you wish to learn more, please check out the SANS course SEC555: SIEM with Tactical Analytics or research these concepts online. The more the security community gives back, the better we'll all do.

Related Content:

Justin Henderson is a SANS Instructor and course author of SEC555: SIEM with Tactical Analytics, and CEO of H & A Security Solutions. He is a passionate security architect and researcher with over decade of experience working in the Healthcare industry. He has also had ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mfuentes
100%
0%
mfuentes,
User Rank: Apprentice
7/18/2017 | 12:34:06 PM
Spot on!
This is a great write-up that speaks directly to the disconnect between organizations and the results that they expect.  Everybody is so busy throwing money into tools and technology when they should be spending more on people and processes.

These things are not magic wands, people!  Tools are only as good as the people wielding them.
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
Oracle Product Rollout Underscores Need for Trust in the Cloud
Kelly Sheridan, Associate Editor, Dark Reading,  12/11/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Gee, these virtual reality goggles work great!!! 
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.