Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:30 AM
Connect Directly
E-Mail vvv

SIEM Training Needs a Better Focus on the Human Factor

The problem with security information and event management systems isn't the solutions themselves but the training that people receive.

Logging solutions — or, more specifically, security information and event management (SIEM) solutions — have a bad reputation. Many implementations involve large sums of money and the promise to catch unauthorized and malicious activity. Fast forward a year or two into the deployment and often you will find upset senior management, exhausted security teams, and few detection capabilities. It isn't unheard of for organizations to swap SIEM systems every couple of years, similar to how organizations treat antivirus software.

The problem isn't with any specific SIEM solution. Instead, it's a lack of focus on people and processes. Well-trained staff can implement a strong detection platform regardless of SIEM product. This doesn't mean that all SIEM solutions are equal but, rather, that there is too much focus on products and not enough on people. Training from SIEM vendors is based on how to use their products. This is and should be required to properly use any solution, but it isn't enough. SIEM is a tool, and the focus must also be on the individual(s) wielding the tool.

By changing the focus to individuals, the core problem can start to be addressed. For example, assume you or another staff member attended training on how to catch the bad guys using a SIEM system. The focus, rather than being on maintaining/using a SIEM product, is on things such as which data sources are important, why they're important, and how to enrich those data sources so they make more sense, add context, and are more useful. The training may also include various methods to intentionally set up events to automatically send alerts on unauthorized activity. Would this individual not be better equipped to use any SIEM platform? I would argue that people who know why to use a SIEM system and what to use it for will have a much easier time figuring out how to get a SIEM platform to do what they need it to do.

The PowerShell Problem
Consider an example to illustrate this problem: PowerShell. PowerShell is a thing of beauty, allowing users to automate tasks and do things they otherwise couldn't. However, it's an attacker favorite to use against us. Many modern attacks use PowerShell to evade antivirus systems, whitelisting products, and other security technologies. Yet with a tactical SIEM architecture and proper logging, catching unauthorized PowerShell use can be simple. A properly trained individual can quickly use a SIEM platform to identify things such as:

  • PowerShell being invoked from a command line with a long length
  • PowerShell using base64 encoding
  • PowerShell making calls to external systems
  • A system performing large amounts of PowerShell calls
  • A system invoking PowerShell outside powershell.exe by using Sysmon DLL monitoring in conjunction with the specific PowerShell DLLs

Taking this further, a trained individual may try exporting all unique PowerShell cmdlets found within SIEM logs and turn around and use the result as a detection-based whitelist, a technique that is applicable across multiple data sources. They also may use the whitelist to filter out all logs unless they use an unknown cmdlet, thus severely decreasing the number of logs being collected. This simple process can detect 99.99% or possibly even 100% of PowerShell-based malware, and yet SIEM training doesn't cover this concept.

This is not a failure on part of the SIEM vendors. Their training is on how to use their product, which is necessary. The problem is that SIEM-neutral training geared toward individuals didn't exist until recently.

Remember that SIEM is a tool. Your mileage will vary dramatically, based on the individuals using the tool. If you want a successful detection platform, make sure your team is trained on the following:

  • Key data sources, including what they are, why they're important, and how to use and collect them
  • How to enrich logs and why you need to do so
  • Intentional detection techniques such as implementing virtual tripwires
  • The difference between a bad alert (high false positives) and a good alert (low or zero false positives)

If you wish to learn more, please check out the SANS course SEC555: SIEM with Tactical Analytics or research these concepts online. The more the security community gives back, the better we'll all do.

Related Content:

Justin Henderson is a SANS Instructor and course author of SEC555: SIEM with Tactical Analytics, and CEO of H & A Security Solutions. He is a passionate security architect and researcher with over decade of experience working in the Healthcare industry. He has also had ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
7/18/2017 | 12:34:06 PM
Spot on!
This is a great write-up that speaks directly to the disconnect between organizations and the results that they expect.  Everybody is so busy throwing money into tools and technology when they should be spending more on people and processes.

These things are not magic wands, people!  Tools are only as good as the people wielding them.
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-13
The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
PUBLISHED: 2021-06-12
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.