By Augusto Melo – Information Security Analyst – Intrinium
In this two-part blog series, we will explore why simply purchasing a SIEM (Security Information and Event Management) solution is not enough: you need to be prepared for the operational work of running the SIEM and having it monitored by a Security Operations Center (SOC) so that ongoing care actually limits risk. We will walk through the initial checklist items that follow the purchase of the solution, so your team is set up for success.
Every organization will at some point experience a cybersecurity incident. To detect and respond to such incidents, organizations are encouraged to invest in a SIEM (Security Information and Event Management) solution and a SOC (Security Operations Center) to monitor and investigate suspicious network events in real time. By investigating events that could indicate a compromise, a 24/7/365 SOC operation can substantially reduce the risk of security incidents and the damage they cause.
Before it can effectively monitor network events and respond to security incidents, a SOC needs reasonable knowledge of the environment it protects. However, in the pursuit of maximum coverage and without a proper understanding of the network, many SOCs tune their SIEMs to report anything remotely suspicious. There is nothing inherently wrong with making sure suspicious events are not missed, but this strategy also guarantees that alerting becomes noisy and floods the SOC with false positives.
As a result, the SOC begins to experience alert fatigue and gradually becomes desensitized to potential incidents. The risk of false negatives rises, and the organization may suffer an incident that could have been caught simply by reducing the volume of false positives.
Even the best tuning strategies won't eliminate false positives any time soon, but they are still valuable for reducing alert fatigue and the security risk that comes with it. The following sections offer some tips to improve your network monitoring while reducing alert fatigue.
Know Your SIEM Solution
Once you understand the network, it's time to understand your SIEM solution: more specifically, what it can and cannot do and how it detects potential incidents. Although modern SIEMs have gradually added adaptive machine-learning and AI-based detection, rule-based heuristics are still heavily used as a simple, cheap and, if applied properly, effective way to detect potential incidents. This means that in most SIEMs you can tweak detection rules by manually setting the chain of events and the thresholds that constitute an alert, so they reach good accuracy without losing too much visibility. For example, if users forget or mistype their passwords, you may receive excessive authentication-failure alerts during business hours. In this scenario you may want to raise the rule's threshold so it alerts only after several failures by the same user within a short window. This won't considerably increase the risk of missing an incident and will reduce the number of false positives. Note the trade-off, though: a threshold keyed on the user tolerates typos but will not catch a password spray that tries one password against many accounts, so pair it with a rule keyed on the source address.
Know What to Expect
It may sound trivial that a SOC should have deep knowledge of the monitored environment, but tracking down every device and user connected to a network is not simple, especially in large organizations. A common strategy is therefore to focus on critical assets such as servers and network devices.
However, regular workstations are often the doorway to a network compromise because of user activity such as browsing and opening attachments. Solid asset management is therefore essential to ensure proper network coverage. With a maintained asset inventory, ideally a CMDB, you can tune and prioritize alerts by device type: servers and domain controllers should carry higher priority than workstations or personal devices.
It is equally important to have an authoritative user and identity management source, so you can prioritize events based on account privileges. User management also helps you define a baseline for common events such as authentication failures, software installations and network changes. Establishing which users are allowed to perform certain changes, and on which days and at what times, lets you alert the experts only when it is actually necessary. Likewise, establish in advance how many occurrences of a given event within a given period represent an incident, so the threshold is defined once rather than judged alert by alert.
Understanding the environment also means understanding the business. An account lockout of a non-privileged user during business hours is commonly the result of mistyped credentials and can often be tolerated a few times before any action is taken, while the same event after hours or involving a privileged account is more likely to indicate an account compromise or brute-force attempt and should be addressed on the first occurrence. It is your SOC's responsibility to know your environment and understand the particularities of your business, so it is positioned to protect your company as if it were its own.
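The threshold tuning described in the SIEM section and the context rules described here (tolerate a few failures for a non-privileged user on a workstation during business hours; alert on the first failure for a privileged account, a domain controller or an after-hours attempt) can be expressed as one correlation rule. The following is an added example, not code from the original post or from any SIEM product; the hostnames, account names, the normalized event shape, the 10-minute window and the threshold values are all assumptions chosen to illustrate the idea, and the asset table and privileged-account set stand in for a CMDB export and a directory query.

```python
"""Context-aware thresholding of failed logons (added example, not the post's code).

Each failure is scored against an asset inventory and an account directory, and
the number of failures tolerated before alerting depends on that context.
"""
from collections import defaultdict, deque
from datetime import datetime, time

# Constructed stand-ins for a CMDB export and a directory query (assumptions).
ASSETS = {"dc01": "domain_controller", "fs01": "server", "ws-1138": "workstation"}
PRIVILEGED_ACCOUNTS = {"da-admin", "svc-backup"}
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)   # Mon-Fri, local time
WINDOW_SECONDS = 600            # sliding window per (user, host) pair
TYPO_TOLERANCE = 5              # failures tolerated for the routine lockout scenario

# Constructed events, normalized the way a SIEM flattens Windows 4625 records.
# 2024-03-04 is a Monday.
EVENTS = [
    {"ts": "2024-03-04T09:12:01", "user": "jdoe", "host": "ws-1138"},
    {"ts": "2024-03-04T09:12:20", "user": "jdoe", "host": "ws-1138"},
    {"ts": "2024-03-04T09:12:45", "user": "jdoe", "host": "ws-1138"},
    {"ts": "2024-03-04T22:41:09", "user": "jdoe", "host": "ws-1138"},   # after hours
    {"ts": "2024-03-04T10:02:00", "user": "da-admin", "host": "dc01"},  # privileged
    {"ts": "2024-03-04T14:00:00", "user": "asmith", "host": "ws-1138"},
    {"ts": "2024-03-04T14:00:03", "user": "asmith", "host": "ws-1138"},
    {"ts": "2024-03-04T14:00:06", "user": "asmith", "host": "ws-1138"},
    {"ts": "2024-03-04T14:00:09", "user": "asmith", "host": "ws-1138"},
    {"ts": "2024-03-04T14:00:12", "user": "asmith", "host": "ws-1138"},
    {"ts": "2024-03-04T14:00:15", "user": "asmith", "host": "ws-1138"},
]


def in_business_hours(ts):
    """True on a weekday between BUSINESS_START and BUSINESS_END."""
    return ts.weekday() < 5 and BUSINESS_START <= ts.time() < BUSINESS_END


def classify(user, host, ts):
    """Return (threshold, severity, reason) for one failure in its context."""
    asset_class = ASSETS.get(host, "unknown")
    if user in PRIVILEGED_ACCOUNTS:
        return 1, "high", "privileged account"
    if asset_class == "domain_controller":
        return 1, "high", "domain controller"
    if asset_class == "server":
        return 2, "medium", "server"
    if not in_business_hours(ts):
        return 1, "medium", "outside business hours"
    return TYPO_TOLERANCE, "low", "routine lockout pattern"


def evaluate(events):
    """Apply the rule over time-ordered events and return the alerts it raises."""
    windows = defaultdict(deque)   # (user, host) -> timestamps inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        window = windows[(ev["user"], ev["host"])]
        window.append(ts)
        # Drop failures that have aged out of the sliding window.
        while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        threshold, severity, reason = classify(ev["user"], ev["host"], ts)
        if len(window) >= threshold:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "host": ev["host"],
                           "failures": len(window), "severity": severity,
                           "reason": reason})
            window.clear()   # one burst yields one alert, not one per extra failure
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```

Run against the constructed events, the rule stays silent on jdoe's three morning typos, fires immediately on the domain-admin failure on the domain controller and on jdoe's single attempt at 22:41, and fires once for asmith when the fifth failure lands inside the window. The same structure carries over to a real SIEM: the context lookups become enrichment against the CMDB and directory, and the thresholds and window become rule parameters that the SOC agrees with the business and revisits as the baseline shifts.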