SIEM LOG MANAGEMENT?
with Attack Simulation
Log Management is the most fundamental SOC function. It defines the perimeters and depth of SOC visibility, and Successful log management is a prerequisite for efficient detection, quick response, and meeting compliance, audit, and forensics requirements.
In today's immensely fast digital business world, the size, and versatility of logs reach massive volumes in a very short period of time, though not every log has the same importance for cybersecurity practices. As a function, log management defines those log sources and details that need to be prioritized over others, maintains log collection infrastructures, and runs a log management platform. More and more companies prefer Security Incident and Event Management (SIEM) platforms over standalone log management platforms to detect advanced threats using correlation rules, gain enhanced visibility across multiple technologies and network segments, conduct advanced data analysis, and map the log coverage to frameworks such MITRE ATT&CK, NIST, and PCI-DSS.
What Logs to Collect in a SIEM Platform?
The most fundamental aspects of log management are related with the source and content of logs. There are three critical points for SOC teams to decide:
(1) log sources that should be included in log management,
(2) type of events that should be collected from the defined log sources,
(3) attributes of the defined events that should be recorded.
Size and content of the attack surface, cybersecurity budget and maturity, business priorities, relevant cyber threats, risk factors, sectoral compliance and audit requirements and others are key decision factors.
-
What log sources should be included?
In simple terms, there are three categories of sources SIEM engineers can choose to collect logs from:
Security control technologies: Intrusion detection and prevention systems (IPS), next generation firewalls (NGFW), database security, web application firewall (WAF), email security gateways controls, web controls, endpoint protection platforms (EPP).
Network infrastructure: DNS server, DHCP server, wireless, routers.
Target end-user systems and applications: Windows security event logs, operating system logs, sysmon, PowerShell, custom-built application logs.
SOC teams decide on log sources based on the usage frequency, impact on detection effectiveness, threat coverage rate, adaptability to the log management platform, audit requirements and other infrastructural characteristics.
-
What type of events should be collected from the defined log sources?
Some events such as protocol violations, invalid application parameters, network/file/system access logs, process events, authentication success and failures,admin activities, adding or removing users, system events, malware detection files, and configuration changes can be considered apparent choices to include in logging. Also, there are many other options SOC teams need to consider if they should include them or not.
-
What attributes of the events should be recorded?
Event attributes include event date and time, name of the application, service, protocol, application, source IP, destination IP, source port, destination port, URL, source address, user ID, event type, etc. SOC teams need to decide on the level of granularity of events. If the content is defined too wide, logs can overwhelm the resources unnecessarily and delay the investigation processes. If the content is too narrow, it will not be possible to achieve effective alerting, threat hunting and incident response processes.
Additional Resources:
SANS's "Prioritizing Log Enrichment" Webcast
#SOCReload "Enhancing SIEM Outputs with Log and Alert Validation"
SIEM Log agents and collection software can malfunction due to configuration errors, software bugs, expired licenses, old APIs, and other factors. Also, the complexity, size, and load of the networks can strain the flow of data.
Decisions on data sources, types, and granularity requires significant elaboration on alternative costs. Each new log adds complexity, takes disk space, puts a load on the correlation engine, and consumes the “events per second” license pool. As a trade of, missing logs may result in some malicious events not being detected.
Changes in technology and attack surface requires tight alignment with other teams. SOC teams must be aware of architectural changes, new deployments,new applications and retiring technologies to keep log management aligned with these changes that are handled by network operations, IT security, application, devops and other.
If security controls technologies have not been made ready against new adversarial techniques, they will be blind to attacks that contain them. As security controls will not detect such attacks, they will not generate logs. Such occurrences leave SOC teams off guard.
Knowing and researching what you need for a SIEM solution is the most important step. The threat landscape is remarkably dynamic, and cybercriminals are constantly coming up with new attack techniques and new strategies to exploit vulnerabilities. So you need to define your priorities, attack surface, relevant threat categories, historical correlation needs for threat hunting. And also make a list of security and privacy regulations you have to comply with. Use these kinds of preparation lists to make decisions on the volume of logs you need to manage and store. Don’t forget to use the MITRE ATT&CK framework for that purpose also.
Do not put blind faith in your log management system. Collecting logs from multiple sources within complex network infrastructures is a challenge in its own right. There are many bumps on the road. Establish processes and use technology to build capabilities for validating consistency of log collection.
Managing SIEM needs a huge and continuous effort to get advantage of the log management values and make sure there are no blind spots on log visibility for threat detection. So starting with a good integration process can decrease possible future log management issues. Start integration with prioritized log sources and optimize the log events with what you really required during integration tests. Finally don’t forget to define log failure alarm rules by defining log collection frequency for all important log sources.
CHALLANGE & IMPROVE log visibility continuously by applying knowledge of the threat landscape
The real work is starting at that point and you need a continuous SIEM administration and monitoring process in the face of log failures, log visibility issues, blind spots, emerging threats, relevant threats, etc. Blind navigating log management can lead to increased false negatives or implementation delays at best. Best practices imply informed assessments of a log management system and data-driven implementation decisions. Continuously assess your log visibility with manual and autonomous red teaming to know & mitigate your gaps continuously also. And use automation for detecting log failures, performance issues, etc.
Log management is challenging!
New perspective to cope with this problem
Log Validation with Attack Simulation
➔ Identify logs that are not seen in the SIEM
➔ Enhance your logging to have better threat visibility
➔ Optimize endpoint logging by leveraging threats.