June 17, 2019 / by Siddhant Mishra / In siem /

Improving threat detection and response with SIEM Integration

The year 2018 saw some of the largest data breaches in history. One of the victims, British Airways, had about 185,000 customer records, including personal and payment details, stolen. How did this happen? Attackers injected malicious JavaScript into a script served by the airline's website; the skimmer silently captured the personal information and payment card details customers typed into the booking pages and sent them to a server the attackers controlled.


Most organizations, however, learn of such breaches only long after they occur, often months and sometimes years later. Despite the expensive security solutions they have in place, they frequently fail to detect threats when it matters most. This is often a symptom of a problem we noted in one of our previous blog posts on security solutions in use: a SIEM is not a set-and-forget tool.

It’s high time organizations and their security teams started giving their SIEM solutions the attention and serious treatment that they deserve.

Detection strategy: from reactive to proactive

As enterprises extend their IT infrastructure beyond on-premises servers to IoT devices, cloud services, SaaS and PaaS platforms, the number of potential vulnerabilities grows with it. Software remains one of the most targeted attack surfaces, since nearly every piece of infrastructure, every public-facing portal and every interface is built on software. Have you set up logging for all of these environments? And is logging, by itself, enough?

A SIEM platform is only as good as the data you feed it. Without the right types of data in sufficient quantity, a SIEM will detect threats late or not at all. Even in an ideal scenario, can a SIEM cover every risk your organization is exposed to? Some of them, certainly, but not all of them.

With so many attack vectors out there, improving an organization’s security posture is not easy. Reactive detection and response mechanisms are no longer enough. Adaptability to new threats, durability during an attack and effective means of recovery are all essential. Detection and visibility should be at the core of any cyber resiliency plan.

Strategies to improve threat detection

As the saying goes, you cannot defend against what you cannot see.

Simply having a SIEM platform does not guarantee protection from every attack under the sun. It does, however, give you the ability to prepare for, respond to and recover from cyberattacks—provided you configure the platform properly. Here are some ways you can improve your detection process:

  • Aggregate and consolidate data from logs of interest - Don't blindly forward every event from every device on your network into your SIEM. Much of it has no detection value and only drives up ingestion and storage costs. Start with the sources that answer investigative questions: authentication logs, DNS and proxy logs, endpoint and firewall events, and the audit logs of your critical applications.
  • Use threat intelligence to add context - Correlating data from every layer of your network and application stack with third-party threat intelligence improves detection of known threats: indicators of compromise (IOCs) such as malicious domains, IP addresses and file hashes are matched against your logs. Keep in mind that IOC matching only catches what the feed already knows about; it complements behavioural detection rather than replacing it.
  • Analyze historical trends and activities - Use historical data to establish what normal usage looks like in your environment (per user, host or application). That baseline is what lets you alert on deviations and anomalies instead of on fixed thresholds that fit nobody.
  • Monitor access to and use of sensitive data - Monitor all critical infrastructure and every action performed by privileged users; these are the accounts attackers most want to compromise or abuse, and the ones whose misuse does the most damage.
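The first three strategies above come together in practice as a small detection pipeline: parse the logs you chose to keep, match destinations against an IOC feed, and compare each user's activity with a baseline built from history. The following Python is an added example, not code from the original post or from any vendor's product; the proxy log format ("ts user src dst bytes_out"), the sample log lines and the IOC feed are all constructed for the illustration.

```python
# Added example (not from the original post or any vendor's SIEM): IOC matching and
# baseline-based anomaly detection over a handful of constructed proxy log lines.
# The log format "ts user src dst bytes_out", the field names and the IOC feed are assumptions.
import re
import statistics
from collections import defaultdict

# Constructed "historical" proxy logs used to build the per-user baseline (hypothetical data).
HISTORICAL_LOGS = """\
2019-06-10T09:00:01 alice 10.0.0.5 cdn.example.net 700
2019-06-10T11:15:09 alice 10.0.0.5 mail.example.net 500
2019-06-10T10:02:33 bob 10.0.0.6 cdn.example.net 1500
2019-06-11T09:05:12 alice 10.0.0.5 cdn.example.net 1300
2019-06-11T10:40:51 bob 10.0.0.6 docs.example.net 1400
2019-06-12T09:10:45 alice 10.0.0.5 cdn.example.net 1100
2019-06-12T10:12:00 bob 10.0.0.6 cdn.example.net 1600
this line is malformed and must be skipped, not crash the pipeline
"""

# Constructed logs for the day under analysis (hypothetical data).
TODAY_LOGS = """\
2019-06-13T09:01:10 alice 10.0.0.5 cdn.example.net 1250
2019-06-13T09:30:00 bob 10.0.0.6 cdn.example.net 1500
2019-06-13T02:13:44 bob 10.0.0.6 update-check.badexample.net 900000
2019-06-13T10:00:00 carol 10.0.0.7 203.0.113.77 300
"""

# Constructed threat-intelligence feed: one domain and one IP (TEST-NET-3 range) used as IOCs.
IOC_DOMAINS = {"update-check.badexample.net"}
IOC_IPS = {"203.0.113.77"}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<bytes_out>\d+)$")


def parse_logs(text):
    """Parse log lines into dicts; malformed lines are dropped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        ev = m.groupdict()
        ev["bytes_out"] = int(ev["bytes_out"])
        events.append(ev)
    return events


def match_iocs(events):
    """Known-bad matching: flag any event whose destination appears in the IOC feed."""
    return [
        {"ts": ev["ts"], "user": ev["user"], "dst": ev["dst"], "reason": "ioc_match"}
        for ev in events
        if ev["dst"] in IOC_DOMAINS or ev["dst"] in IOC_IPS
    ]


def build_baseline(events):
    """Per-user baseline of daily bytes_out: (mean, population stdev) over the history."""
    per_user_day = defaultdict(lambda: defaultdict(int))
    for ev in events:
        per_user_day[ev["user"]][ev["ts"][:10]] += ev["bytes_out"]
    baseline = {}
    for user, days in per_user_day.items():
        totals = list(days.values())
        mean = statistics.mean(totals)
        stdev = statistics.pstdev(totals) if len(totals) > 1 else 0.0
        baseline[user] = (mean, stdev)
    return baseline


def detect_anomalies(baseline, events, z_threshold=3.0):
    """Behavioural detection: flag users whose daily bytes_out deviates from their baseline,
    and users with no baseline at all (a new account with outbound traffic is worth a look)."""
    totals = defaultdict(int)
    for ev in events:
        totals[ev["user"]] += ev["bytes_out"]
    findings = []
    for user, total in totals.items():
        if user not in baseline:
            findings.append({"user": user, "bytes_out": total, "z": None, "reason": "no_baseline"})
            continue
        mean, stdev = baseline[user]
        # A flat history gives stdev 0; use 10% of the mean as a floor so we never divide by zero.
        sigma = stdev if stdev > 0 else max(mean * 0.1, 1.0)
        z = (total - mean) / sigma
        if z > z_threshold:
            findings.append({"user": user, "bytes_out": total, "z": round(z, 1), "reason": "volume_anomaly"})
    return findings


def run_detection():
    """Run both detections over the constructed data and return the combined findings."""
    history = parse_logs(HISTORICAL_LOGS)
    today = parse_logs(TODAY_LOGS)
    baseline = build_baseline(history)
    return match_iocs(today) + detect_anomalies(baseline, today)


if __name__ == "__main__":
    for finding in run_detection():
        print(finding)
```

Two edge cases are handled deliberately: a malformed line is dropped rather than aborting the run, and a user with no history is reported as a finding in its own right instead of being silently skipped. On the constructed data, bob is caught twice (an IOC destination and a daily volume far outside his baseline) while alice's slightly higher day is left alone.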

Strategies to improve response

  • Automate threat enrichment and data contextualization - For example, automatically attach user attributes pulled from Active Directory (department, title, group membership) to proxy logs, so an analyst can see at a glance whether an alert involves a privileged account.
  • Integrate your SIEM platform with other tools - Incident response usually involves several teams working together. Without integration, time is lost as teams request approvals from one another and copy information between platforms by hand. Integrating the other tools in your environment (ticketing, endpoint, identity and network) with your SIEM removes those manual hand-offs.
  • Use playbooks to automate sequences of repetitive tasks - Security analysts can do away with daily checklists of manually executed, routine tasks. Automating those tasks in playbooks leaves them with more time for the issues that genuinely need a human's attention.
  • Set up automated response actions - For instance, SOAR plugins can automate common actions such as adding an IP address to your firewall's blocklist. Guard such actions with sanity checks (never auto-block internal or allowlisted addresses, and make the action idempotent) so that a false positive does not turn into an outage.
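The enrichment and automated-response points above (attaching Active Directory attributes to an alert, then adding an address to the firewall blocklist) can be sketched as one small playbook. The Python below is an added example, not code from the original post or from any SOAR product; the alert schema, the DIRECTORY dictionary standing in for Active Directory, the Firewall connector class and the NEVER_BLOCK list are assumptions made for the illustration.

```python
# Added example (not from the original post or any vendor's SOAR): enrich SIEM alerts with
# directory attributes, then run a small playbook that blocks the destination IP on a firewall.
# The alert schema, the DIRECTORY stand-in for Active Directory and the Firewall connector are
# assumptions; in production the lookups would go to LDAP/AD and the vendor's firewall API.
import ipaddress

# Constructed stand-in for Active Directory user attributes (hypothetical data).
DIRECTORY = {
    "alice": {"department": "Finance", "title": "Analyst", "groups": ["Finance-Users"]},
    "bob": {"department": "IT", "title": "Sysadmin", "groups": ["Domain Admins", "IT-Staff"]},
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}

# Networks the playbook must never auto-block: a bad block here is an outage, not containment.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed alerts in the shape a SIEM correlation rule might emit (hypothetical schema).
ALERTS = [
    {"id": "A1", "user": "bob", "src_ip": "10.0.0.6", "dst_ip": "203.0.113.77", "rule": "ioc_match"},
    {"id": "A2", "user": "alice", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.9", "rule": "ioc_match"},
    {"id": "A3", "user": "mallory", "src_ip": "10.0.0.9", "dst_ip": "10.0.0.1", "rule": "ioc_match"},
    {"id": "A4", "user": "alice", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.77", "rule": "ioc_match"},
]


class Firewall:
    """Hypothetical firewall connector; a real SOAR plugin would call the vendor's API here."""

    def __init__(self):
        self.blocklist = set()

    def block_ip(self, ip):
        """Idempotent: returns True only if the address was newly added to the blocklist."""
        if ip in self.blocklist:
            return False
        self.blocklist.add(ip)
        return True


def enrich(alert, directory=DIRECTORY):
    """Attach directory context to an alert; an unknown user is itself a finding, not an error."""
    enriched = dict(alert)
    attrs = directory.get(alert["user"])
    if attrs is None:
        enriched.update(user_known=False, department=None, privileged=False)
    else:
        enriched.update(user_known=True, department=attrs["department"],
                        privileged=bool(PRIVILEGED_GROUPS & set(attrs["groups"])))
    return enriched


def is_blockable(ip):
    """True only for addresses outside the internal/reserved ranges we refuse to auto-block."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NEVER_BLOCK)


def run_playbook(alert, firewall, directory=DIRECTORY):
    """Enrich, then act: block external IOC destinations, escalate everything else to a human."""
    ev = enrich(alert, directory)
    actions = []
    if not is_blockable(ev["dst_ip"]):
        actions.append("escalate_internal_destination")
    elif firewall.block_ip(ev["dst_ip"]):
        actions.append("blocked_dst_ip")
    else:
        actions.append("already_blocked")
    if ev["privileged"]:
        actions.append("open_p1_ticket")     # privileged account involved: raise severity
    if not ev["user_known"]:
        actions.append("flag_unknown_user")  # no AD record: possibly a rogue or stale account
    ev["actions"] = actions
    return ev


def run_all(alerts=ALERTS):
    """Run the playbook over a batch of alerts sharing one firewall connector."""
    firewall = Firewall()
    results = [run_playbook(a, firewall) for a in alerts]
    return results, firewall


if __name__ == "__main__":
    results, fw = run_all()
    for r in results:
        print(r["id"], r["user"], r["department"], r["actions"])
    print("firewall blocklist:", sorted(fw.blocklist))
```

The guard rails are the part worth copying into a real playbook: the firewall action is idempotent, an internal destination is escalated to a human rather than blocked, a privileged account raises the severity of the ticket, and an account missing from the directory is surfaced as a finding instead of being treated as a lookup failure.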

Next steps

There are many ways to fine-tune your SIEM beyond the strategies mentioned above. Here are some resources that will help you optimize your SOC and increase your security teams’ productivity: