APT Shaping SIEM

Security information and event management tools must catch up with the elusive advanced persistent threat
But part of the problem with SIEM missing APT attackers isn't necessarily the technology itself, but how it's configured. "Most of the deployments we have today of log management and SIEM are virtually useless for detecting an APT [threat]," says Matt Mosley, senior product manager at NetIQ. "It's not necessarily the limitations of the technology, but on how it has been deployed in a lot of cases. The fact is, a lot of these products take a long time to configure [such that] you would be able to pick up on this type of attack."

Contributing to that is the fact that, over the past couple of years, SIEM and log management purchases were driven largely by compliance requirements such as PCI DSS. While that has helped spur adoption of security monitoring, in most cases it has resulted in huge, centralized databases of logs without much context.

"I think the promise of security event management is the ability not just to filter, but to tell us what's important. APT is a particularly tough case there," NetIQ's Mosley says. "Even where you've configured event management to correlate and look for certain types of attacks, the most sinister APTs are those that involve zero-days."

Look for more advanced behavioral analysis in SIEM platforms, too, where you can specify what behavior is normal for a particular user or computing resource, security experts say.

"We have to stop looking at SIEM as a problem of finding the bad guy, and start looking more at modeling behavior and understanding what's acceptable and what's not," Mosley says.

How can you really tell what's normal when the attackers are hellbent on blending in? That depends on what you know about a user who logged into a particular database, for example: "If it's from a secretary's laptop, maybe that's not normal because that's not where it should be coming from," Mosley says, adding that the time of day and other factors also must be weighed.

"An activity that shows up in the system logs as authorized usually gets filtered out and ignored. [But] often that's where the evidence really is," he says.

Tying SIEM into identity management systems, NetIQ's Mosley says, can help with the behavioral analysis part of the investigation. "SIEM can then track the human being rather than the user ID to get better information" about a particular event or activity and who it's associated with, he says.
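The behavioral approach Mosley describes in the preceding paragraphs (baseline what is normal per person, weigh source host and time of day, keep the "authorized" events instead of filtering them, and map user IDs back to a human being via identity management) can be shown on a handful of login records. The following is an added example written for this article, not code from NetIQ or any SIEM product; the log lines, host names and the account-to-person identity map are constructed for illustration, and the baseline logic (set of hosts seen plus an hour-of-day window, all events are successful logins) is a deliberately simple assumption rather than any vendor's algorithm.

```python
from datetime import datetime

# Constructed sample data (not from any real system). Every line is a
# *successful* database login: timestamp, account, source host, target DB.
# These are exactly the "authorized" events most correlation rules drop.
BASELINE_LOG = """\
2012-03-05T09:02:11 jsmith ws-finance-07 hr-db
2012-03-05T13:40:52 jsmith ws-finance-07 hr-db
2012-03-06T08:55:03 jsmith ws-finance-07 hr-db
2012-03-06T10:14:30 dba_jsmith dba-jump-01 hr-db
2012-03-05T08:30:00 mlee ws-exec-02 crm-db
2012-03-06T17:45:12 mlee ws-exec-02 crm-db
"""

# Later activity to evaluate against the baseline (also constructed).
NEW_LOG = """\
2012-03-12T09:10:44 jsmith ws-finance-07 hr-db
2012-03-12T02:17:09 jsmith ws-finance-07 hr-db
2012-03-12T11:03:27 dba_jsmith ws-reception-03 hr-db
2012-03-12T09:05:00 mlee ws-exec-02 crm-db
"""

# Hypothetical export from an identity management system: account -> person.
# This is what lets the detector reason about the human rather than a user ID,
# so a privileged account and a personal account share one behavioral profile.
IDENTITY_MAP = {
    "jsmith": "Jane Smith",
    "dba_jsmith": "Jane Smith",   # privileged account owned by the same person
    "mlee": "Mark Lee",
}


def parse(log_text):
    """Turn the whitespace-separated sample lines into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, host, target = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "account": account,
            "person": IDENTITY_MAP.get(account, account),
            "host": host,
            "target": target,
        })
    return events


def build_baseline(events):
    """Per person: source hosts seen and the hours of day at which they were active."""
    baseline = {}
    for e in events:
        b = baseline.setdefault(e["person"], {"hosts": set(), "hours": set()})
        b["hosts"].add(e["host"])
        b["hours"].add(e["time"].hour)
    return baseline


def find_anomalies(baseline, events, hour_slack=1):
    """Return (event, reason) pairs for activity outside the person's baseline."""
    findings = []
    for e in events:
        b = baseline.get(e["person"])
        if b is None:
            findings.append((e, "no baseline for this person"))
            continue
        reasons = []
        if e["host"] not in b["hosts"]:
            reasons.append(f"host {e['host']} never used by {e['person']}")
        lo, hi = min(b["hours"]), max(b["hours"])
        if not (lo - hour_slack <= e["time"].hour <= hi + hour_slack):
            reasons.append(f"hour {e['time'].hour:02d} outside usual {lo:02d}-{hi:02d}")
        if reasons:
            findings.append((e, "; ".join(reasons)))
    return findings


def run():
    """Build the baseline from the first window and score the second."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return find_anomalies(baseline, parse(NEW_LOG))


if __name__ == "__main__":
    for e, why in run():
        print(f"{e['time']} {e['account']}@{e['host']} -> {e['target']}: {why}")
```

Two of the four new logins are flagged: Jane Smith's 02:17 login is outside the hours her profile has ever shown, and her privileged account appearing from a reception workstation is a host her profile has never used, even though the login itself succeeded and would look "authorized" to a signature rule. Mark Lee's 09:05 login falls within his hours and from his usual host, so it is not flagged. In a production deployment the baseline would be built over weeks rather than two days and the hour check would be per weekday rather than a flat window, but the structure is the same.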

And while SIEM began as a way to correlate IDS and other network logs, perimeter data alone no longer gives a true picture of the threat. It must also be able to detect intrusions that get around the perimeter, because spearphishing attacks that dupe users and zero-day exploits are the favorite tools of the APT attacker.

"You need to see what happens when they get inside. And you have to respond quickly," says Chris Petersen, CTO and co-founder of LogRhythm.

And keep an eye on the "big data" space, EMA's Crawford says. "The technologies for collecting and managing large volumes of information more effectively become more responsive and adept at finding some of the more subtle needles that may otherwise go undetected in very large haystacks," he says.
