Logging solutions — or, more specifically, security information and event management (SIEM) solutions — have a bad reputation. Many implementations involve large sums of money and the promise to catch unauthorized and malicious activity. Fast forward a year or two into the deployment and often you will find upset senior management, exhausted security teams, and few detection capabilities. It isn't unheard of for organizations to swap SIEM systems every couple of years, similar to how organizations treat antivirus software.
The problem isn't with any specific SIEM solution. Instead, it's a lack of focus on people and processes. Well-trained staff can implement a strong detection platform regardless of SIEM product. This doesn't mean that all SIEM solutions are equal but, rather, that there is too much focus on products and not enough on people. Training from SIEM vendors is based on how to use their products. This is and should be required to properly use any solution, but it isn't enough. SIEM is a tool, and the focus must also be on the individual(s) wielding the tool.
By changing the focus to individuals, the core problem can start to be addressed. For example, assume you or another staff member attended training on how to catch the bad guys using a SIEM system. The focus, rather than being on maintaining/using a SIEM product, is on things such as which data sources are important, why they're important, and how to enrich those data sources so they make more sense, add context, and are more useful. The training may also include various methods to intentionally set up events to automatically send alerts on unauthorized activity. Would this individual not be better equipped to use any SIEM platform? I would argue that people who know why to use a SIEM system and what to use it for will have a much easier time figuring out how to get a SIEM platform to do what they need it to do.
The PowerShell Problem
Consider an example to illustrate this problem: PowerShell. PowerShell is a thing of beauty, allowing users to automate tasks and do things they otherwise couldn't. However, it's an attacker favorite to use against us. Many modern attacks use PowerShell to evade antivirus systems, whitelisting products, and other security technologies. Yet with a tactical SIEM architecture and proper logging, catching unauthorized PowerShell use can be simple. A properly trained individual can quickly use a SIEM platform to identify things such as:
- PowerShell being invoked from a command line with a long length
- PowerShell using base64 encoding
- PowerShell making calls to external systems
- A system performing large amounts of PowerShell calls
- A system invoking PowerShell outside powershell.exe by using Sysmon DLL monitoring in conjunction with the specific PowerShell DLLs
Taking this further, a trained individual may try exporting all unique PowerShell cmdlets found within SIEM logs and turn around and use the result as a detection-based whitelist, a technique that is applicable across multiple data sources. They also may use the whitelist to filter out all logs unless they use an unknown cmdlet, thus severely decreasing the number of logs being collected. This simple process can detect 99.99% or possibly even 100% of PowerShell-based malware, and yet SIEM training doesn't cover this concept.
This is not a failure on part of the SIEM vendors. Their training is on how to use their product, which is necessary. The problem is that SIEM-neutral training geared toward individuals didn't exist until recently.
Remember that SIEM is a tool. Your mileage will vary dramatically, based on the individuals using the tool. If you want a successful detection platform, make sure your team is trained on the following:
- Key data sources, including what they are, why they're important, and how to use and collect them
- How to enrich logs and why you need to do so
- Intentional detection techniques such as implementing virtual tripwires
- The difference between a bad alert (high false positives) and a good alert (low or zero false positives)
If you wish to learn more, please check out the SANS course SEC555: SIEM with Tactical Analytics or research these concepts online. The more the security community gives back, the better we'll all do.