Tuesday, March 25, 2014

SIEM Simplified

This was originally an email I sent to a member of my company's management team to give them an introduction to the basic SIEM concepts:

SIEM is really the business of looking for anomalies in data. Let's say we track your computer's login activity for a month and you log on to your computer daily at 8 am and 12:30 pm (when you arrive for the day and when you get back from lunch). Then suddenly and without warning we see your ID active at 3 am. That's an interesting anomaly.
Going a level higher (and more mature in most definitions), let's say we also track your email login activity. Every day when you log in to your computer you also log into email and check your messages. So every day at 8 am we see a computer login and then an email login. But at 3 am we don't see an email login. Now we're extra suspicious of the 3 am activity because it doesn't follow your normal behavior.

This is a simple example, but I'm sure you can see how we could get really creative with this and tie the behavior of different systems together. This is why the textbook version of SIEM pushes for all of the data to be in one tool. It would be very difficult for a human to watch all of these different log sources for abnormal behavior. If you have all of this data in one tool, you can automate checks for these sequences of events and then generate alarms or alerts based on what the automated process detects.

Even once this is implemented, it can still require a human. In our example, when you logged on at 3 am, you were probably just awake and wanted to get some work done that didn't require email. So when an alert is generated, it goes to a SIEM analyst, who does a quick investigation, notices that all of your web traffic looked normal (to google.com and espn.com), and that nothing else suspicious was going on. He marks it uninteresting and moves on. But if you had gone to known malicious websites, he would assume an attacker had gained access to your computer and would escalate it to the next level to be researched.

After the analyst realizes that the websites you visit can be checked automatically whenever a computer login is seen, he could add that check to the alarm process and tell the alarm not to fire if no suspicious web traffic is detected (this last part is called tuning).
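To make the whole chain concrete (baseline the normal login hours, correlate the login with an email login, then apply the web-traffic tuning rule), here is an added example that was not part of the original email. The log lines, the user name jdoe, the domain evil.example, the blocklist and the time windows are all constructed for illustration; a real SIEM would read these from its own event store.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data). One event per line:
# "<ISO timestamp> <user> <event type> [<detail>]"
BASELINE_LOGINS = """
2014-03-03T08:02 jdoe workstation_login
2014-03-03T12:31 jdoe workstation_login
2014-03-04T07:58 jdoe workstation_login
2014-03-04T12:29 jdoe workstation_login
2014-03-05T08:05 jdoe workstation_login
2014-03-05T12:33 jdoe workstation_login
"""

# Events for the day under review, from three sources (workstation,
# email, web proxy) collected into the one tool the email describes.
TODAY = """
2014-03-25T03:04 jdoe workstation_login
2014-03-25T03:06 jdoe web_request google.com
2014-03-25T03:07 jdoe web_request espn.com
2014-03-25T08:01 jdoe workstation_login
2014-03-25T08:02 jdoe email_login
2014-03-25T08:03 jdoe web_request google.com
2014-03-25T23:40 jdoe workstation_login
2014-03-25T23:41 jdoe web_request evil.example
"""

KNOWN_BAD_DOMAINS = {"evil.example"}      # hypothetical blocklist
EMAIL_WINDOW = timedelta(minutes=15)      # email login normally follows within this
WEB_WINDOW = timedelta(minutes=30)        # web traffic examined in this window


def parse(text):
    """Turn the raw lines into (timestamp, user, event_type, detail) tuples."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M")
        detail = parts[3] if len(parts) > 3 else None
        events.append((ts, parts[1], parts[2], detail))
    return events


def build_baseline(events):
    """Hours of the day in which each user's workstation logins have been seen."""
    hours = defaultdict(set)
    for ts, user, kind, _ in events:
        if kind == "workstation_login":
            hours[user].add(ts.hour)
    return hours


def analyze(baseline, events):
    """Flag logins outside the baseline hours, then correlate and tune."""
    findings = []
    for ts, user, kind, _ in events:
        if kind != "workstation_login":
            continue
        if ts.hour in baseline.get(user, set()):
            continue  # within this user's normal hours: nothing to see

        # Correlation: did the usual email login follow the workstation login?
        email_followed = any(
            u == user and k == "email_login" and ts <= t <= ts + EMAIL_WINDOW
            for t, u, k, _ in events
        )
        # Tuning: only fire if the web traffic after the login looks suspicious.
        domains = {
            d for t, u, k, d in events
            if u == user and k == "web_request" and ts <= t <= ts + WEB_WINDOW
        }
        bad_domains = domains & KNOWN_BAD_DOMAINS
        verdict = "escalate" if bad_domains else "suppressed"

        findings.append({
            "time": ts, "user": user, "email_followed": email_followed,
            "domains": domains, "bad_domains": bad_domains, "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOGINS))
    for f in analyze(baseline, parse(TODAY)):
        print(f["time"], f["user"], f["verdict"],
              "email followed:", f["email_followed"],
              "bad domains:", sorted(f["bad_domains"]))
```

Run as written, the 3 am login is caught as outside the baseline hours and has no email login after it, but its web traffic is only google.com and espn.com, so the tuning rule suppresses it, exactly the case the analyst marked uninteresting. The 23:40 login is also anomalous, but the request to evil.example makes it escalate. The 8 am login is never considered because hour 8 is in the baseline. The email_followed field is kept in the finding so the analyst still sees the correlation result when an alert does fire.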

The premise is that normal employee behavior is consistent and steady over time, while an attack will look abnormal when compared to that typical employee behavior.