How to make the most of your next gen SIEM solution
A SIEM can be an incredible asset to your security teams, but it is not a magical, set-and-forget approach to security: it assists security analysts, it can’t replace them. In this article, we’ll share some tips on how to leverage everything your SIEM solution has to offer.
Start with analytics
SIEM platforms work best when you give them plenty of data to analyze, and modern platforms make collecting and storing data easier than ever before. By leveraging big data analytical capabilities and setups like data lakes, the latest SIEM solutions are well equipped to handle large volumes and a wide variety of data from across the organization. If you’re currently using a legacy platform built on top of a relational database system (like MySQL), consider upgrading to a solution that can make the most of all your data and governance needs.
Identify weaknesses with threat modeling
Threat modeling is a way of mapping out avenues of attack in your environment. In threat modeling, SOC staff use a variety of techniques to identify weaknesses in an organization’s security posture. They can use software like port scanners and penetration testing frameworks to check networks for potential vulnerabilities and simulate cyberattacks. Analysts can then use the results of this exercise to improve security: for example, if a simulated attack goes undetected, the SIEM platform can be reconfigured to detect similar attacks and generate an alert. Security teams can also use resources like MITRE’s CAPEC classification system to understand which kinds of threats an organization is protected against or most vulnerable to.
Modern SIEM solutions let you create many kinds of detection rules to cover a range of threats. You can create simple, correlation-based rules to generate alerts for events like connection attempts to or from malicious domains. With features like user and entity behavior analytics (UEBA) and machine learning models, you can also create dynamic, threshold-based rules. For instance, you might track how often users log into and out of their accounts. Then, you can have your SIEM generate an alert if the number of logins in one day is significantly higher than the user’s average daily logins for the past month.
When managing detection rules, remember not to duplicate rules already in use in another part of your environment. If your firewall is already blocking all traffic from a certain range of IP addresses, you probably don’t need to generate alerts for traffic from those addresses.
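The threshold-based rule described above, as an added example that is not part of the original article and not taken from any particular SIEM product: it parses constructed authentication log lines, computes each user’s average daily logins over the previous 30 days, and raises an alert when today’s count exceeds that baseline by a configurable factor. The log format, the user names, the `factor` and `min_logins` parameters are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import mean


def _build_sample_log():
    """Constructed auth events for the example (not real logs):
    '<YYYY-MM-DD> <user> <action>'. Both users log in twice a day for
    30 days; on day 31 alice logs in 12 times, bob 3 times."""
    lines = []
    start = date(2024, 3, 1)
    for offset in range(30):  # 30-day baseline window
        day = start + timedelta(days=offset)
        for user, n in (("alice", 2), ("bob", 2)):
            lines += [f"{day} {user} login"] * n
            lines += [f"{day} {user} logout"] * n
    today = start + timedelta(days=30)  # 2024-03-31
    lines += [f"{today} alice login"] * 12  # 6x alice's usual volume
    lines += [f"{today} bob login"] * 3     # within bob's normal variation
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_events(lines):
    """Parse '<date> <user> <action>' lines into (date, user, action) tuples."""
    events = []
    for line in lines:
        day, user, action = line.split()
        events.append((date.fromisoformat(day), user, action))
    return events


def daily_login_counts(events):
    """Return {user: Counter{date: logins}}, counting only 'login' actions."""
    counts = defaultdict(Counter)
    for day, user, action in events:
        if action == "login":
            counts[user][day] += 1
    return counts


def baseline_daily_logins(user_counts, as_of, window_days=30):
    """Average logins per day over the window_days before as_of.
    Days with no logins count as 0 so quiet accounts keep a low baseline."""
    days = [as_of - timedelta(days=i) for i in range(1, window_days + 1)]
    return mean(user_counts.get(d, 0) for d in days)


def threshold_alerts(lines, as_of, factor=3.0, min_logins=5):
    """Alert when today's logins exceed factor x the 30-day baseline.
    min_logins suppresses noise for accounts whose baseline is near zero,
    where a handful of logins would otherwise look like a huge spike."""
    counts = daily_login_counts(parse_events(lines))
    alerts = []
    for user, per_day in counts.items():
        today = per_day.get(as_of, 0)
        base = baseline_daily_logins(per_day, as_of)
        if today >= min_logins and today > factor * base:
            alerts.append({"user": user, "today": today, "baseline": round(base, 2)})
    return alerts


if __name__ == "__main__":
    for alert in threshold_alerts(SAMPLE_LOG, date(2024, 3, 31)):
        print(alert)  # alice: 12 logins against a baseline of 2.0
```

The `min_logins` floor matters in practice: a service account that normally never logs in interactively would otherwise trigger on its first two logins, which is usually worth a different, absolute rule rather than a ratio against a zero baseline.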
Threat intelligence that matters
The latest SIEM solutions have enrichment and orchestration features built in, so it’s easy to bolster your security strategy with threat intelligence from third-party sources. Think of enrichment as automated data retrieval and ingestion. You might configure your SIEM solution to automatically fetch threat or metadata information about downloaded files from VirusTotal, or have it periodically update your detection rules using a feed of known malicious domains.
Third-party threat intelligence is also a great resource to have around for investigations. Integrating these data sources into your SIEM platform lets your security team quickly find the information they need to investigate effectively and make informed decisions.
Use your SIEM platform for threat hunting
The process of searching an environment for malicious activity and events is called threat hunting. Don’t confuse it with threat modeling — in threat modeling, you’re looking for weaknesses and ways to eliminate them; in threat hunting, you’re looking for actual attacks and ways to stop them.
There are several approaches you can take to threat hunting. Often, threat hunting is a response to an alert about a suspicious event. Other times, you may begin threat hunting simply based on a hypothesis, without an alert having first been generated. In any case, threat hunting with a SIEM platform is much more efficient than without one. You can use the software not only to find suspicious events and correlations, but also to narrow down a list of possibilities, such as when identifying the endpoints affected by an attack.
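The enrichment, correlation and hunting steps described in the last three sections, as one added example that is not part of the original article and not any vendor’s implementation: a constructed indicator feed is parsed into a lookup table (the “periodically update your detection rules” step), a correlation rule matches constructed outbound-connection log lines against it and attaches the feed metadata to each alert (enrichment), an optional list of ranges already blocked at the firewall suppresses alerts that would duplicate that control, and a hunting pivot lists which endpoints contacted a given indicator and when each was first seen. The feed format, the domains, the IP ranges and the log format are all assumptions made for the example; a real deployment would pull the feed from a third-party source instead of an inline string.

```python
import ipaddress

# Constructed threat-intel feed (placeholder content, not a real feed):
# one indicator per line as "domain,category,source"; '#' starts a comment.
FEED_TEXT = """\
# constructed feed for the example
bad-updates.example,malware-c2,vendor-feed-A
phish-login.example,phishing,vendor-feed-B
"""

# Constructed outbound-connection log lines (not real data):
# "<ISO timestamp> <endpoint> <destination domain> <destination IP>"
CONN_LOG = [
    "2024-03-31T08:02:11 ws-017 www.example.org 203.0.113.10",
    "2024-03-31T08:05:40 ws-017 bad-updates.example 198.51.100.7",
    "2024-03-31T08:06:02 ws-042 bad-updates.example 198.51.100.7",
    "2024-03-31T09:14:55 srv-db1 www.example.org 203.0.113.10",
    "2024-03-31T09:20:13 ws-042 phish-login.example 198.51.100.9",
    "2024-03-31T10:01:00 ws-017 bad-updates.example 198.51.100.7",
]

# Constructed: a range the firewall already blocks outright. Alerting on it
# again would duplicate that rule (198.51.100.8/30 covers .8 through .11).
FIREWALL_BLOCKED = [ipaddress.ip_network("198.51.100.8/30")]


def load_feed(text):
    """Parse the feed into {domain: {"category": ..., "source": ...}}.
    Run this on each feed refresh so the rule below always uses current indicators."""
    feed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, category, source = (field.strip() for field in line.split(","))
        feed[domain.lower()] = {"category": category, "source": source}
    return feed


def parse_conn(line):
    """Split one connection log line into a dict; domains are normalised to lowercase."""
    ts, host, domain, ip = line.split()
    return {"ts": ts, "host": host, "domain": domain.lower(), "ip": ip}


def correlate(conn_lines, feed, blocked_nets=()):
    """Correlation rule: one enriched alert per connection to a feed domain,
    skipping destinations in ranges another control already blocks."""
    alerts = []
    for line in conn_lines:
        ev = parse_conn(line)
        intel = feed.get(ev["domain"])
        if not intel:
            continue
        addr = ipaddress.ip_address(ev["ip"])
        if any(addr in net for net in blocked_nets):
            continue  # already blocked at the firewall; no duplicate alert
        alerts.append({**ev, **intel})  # enrichment: feed metadata rides along
    return alerts


def hunt_affected_endpoints(conn_lines, domain):
    """Hunting pivot: which endpoints contacted the indicator, ordered by first contact."""
    first_seen = {}
    for line in conn_lines:
        ev = parse_conn(line)
        if ev["domain"] == domain.lower():
            first_seen.setdefault(ev["host"], ev["ts"])
    return dict(sorted(first_seen.items(), key=lambda kv: kv[1]))


if __name__ == "__main__":
    feed = load_feed(FEED_TEXT)
    for alert in correlate(CONN_LOG, feed, FIREWALL_BLOCKED):
        print(alert)
    print(hunt_affected_endpoints(CONN_LOG, "bad-updates.example"))
```

Starting the hunt from the first alert’s domain rather than from a single host is what turns one alert into a scoped incident: the pivot returns every endpoint that touched the indicator, including ones whose own connections did not yet raise an alert.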
Practice threat modeling regularly
Lastly, it’s important to keep in mind that threat modeling is most effective when performed regularly. As new threats appear in the wild and your environment changes (e.g., when you install new software or replace hardware), you’ll need to take action to be sure that your organization’s security posture is not gradually becoming weaker. By periodically running threat modeling exercises, you can minimize the risk of an unpleasant surprise from a vulnerability you never knew existed.