2017/10/10 09:35:25

What is a SIEM system for, and how is it implemented? TADetails

What are SIEM systems? What problems do such solutions solve? What are the specifics of deploying and operating them? TAdviser looked into these questions together with experts from AMT Group.


What is SIEM?

Security information and event management (SIEM) grew out of two product classes: SIM (security information management) and SEM (security event management). One of the first uses of the term SIEM came from Gartner analysts in 2005.


In practice these products overlap in purpose and, with some tuning, can to a large extent perform each other's functions.

SIEM vendors sometimes split this product class into first- and second-generation SIEM (this can be regarded as a marketing device). As a rule, specialists understand by "second generation" a more multifunctional tool that can integrate with third-party products: security policy management systems, Threat Intelligence platforms, Network Behavior Analysis functions, and so on.

The AMTSOC service, in particular, is built on a second-generation SIEM with Threat Intelligence functions. This integration makes it possible to write correlation rules whose search criterion is a set of indicators that is kept up to date from TI feeds. This significantly raises the effectiveness of correlation, turning static correlation into dynamic correlation.

Functional tasks of a SIEM

Data collection and normalization: collection of data (both security events and system events) from various sources: security tools (firewalls of all types, intrusion prevention systems, antivirus, anti-spam systems, data leak prevention systems, sandboxes that execute files ahead of delivery, integrity monitoring, etc.), servers, application systems, and so on.

Data correlation: comparing and searching on attributes, grouping and indexing by particular characteristics. Correlation is in effect the key SIEM function; its output is the list of correlated events.

Alerting: checking the list of correlated events in order to identify security incidents and issue notifications about them. This can be both an indication on the SIEM management console and an automated notification for each triggered correlation rule.

Visualization panels (dashboards): charts of various types and formats, tables, lists and other visualizations of current events and incidents. Visualization strongly influences the overall perception of a product and is an important element of the incident monitoring/tracking process.

Data storage: retention of data for a set period. It is needed for retrospective analysis, incident investigation and forensic examination. Most modern SIEMs process and store both raw events (as received, before the fields of an event are recognized, i.e. parsed) and normalized events (events with recognized fields).

Search and analysis: contextual search during incident investigations and forensic examinations. Note that searching raw events and searching normalized events can differ significantly: a value the parser failed to extract into a field can only be found in the raw copy.

Reporting: generation of configurable reports to periodically inform the security team about current events, incidents and trends. As a rule, reports can be exported and used within the security team's consolidated reporting.
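The chain described above (collection, normalization, correlation, alerting), together with the indicator-driven correlation mentioned in the section on second-generation SIEM, as an added Python illustration that is not code from the article or from AMT Group. The sample syslog lines and the indicator set are constructed for the example, the field names and rule names are hypothetical, and the parser only knows the three message formats present in the sample. One rule is stateful (a sliding-window "failed logins followed by success" rule); the other takes its search criterion from an indicator set, so refreshing that set from a TI feed changes what it detects without rewriting the rule.

```python
"""Toy SIEM pipeline: normalize raw syslog -> correlate -> notify.
Added illustration only; the sample events below are constructed, not real logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw events (BSD syslog with <PRI>); not taken from any real system.
RAW_EVENTS = [
    "<38>Oct 10 09:30:01 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "<38>Oct 10 09:30:03 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "<38>Oct 10 09:30:05 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "<38>Oct 10 09:30:09 bastion sshd[2103]: Accepted password for root from 203.0.113.7 port 51030 ssh2",
    "<38>Oct 10 09:31:00 bastion sshd[2110]: Failed password for alice from 198.51.100.20 port 40000 ssh2",
    "<38>Oct 10 09:31:30 bastion sshd[2112]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2",
    "<30>Oct 10 09:32:00 proxy squid[900]: TCP_MISS/200 GET http://malicious.example/update.bin 10.0.0.5",
    "<30>Oct 10 09:32:10 proxy squid[900]: TCP_MISS/200 GET http://www.example.org/ 10.0.0.6",
    "<4>Oct 10 09:33:00 fw kernel: DROP IN=eth0 SRC=192.0.2.99 DST=10.0.0.1 PROTO=TCP DPT=3389",
]
# Hypothetical indicator set: the part a TI platform would refresh at run time.
TI_INDICATORS = {"malicious.example", "192.0.2.99"}

SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<app>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Source-specific extractors: each maps free text onto common field names.
FIELD_RES = (
    re.compile(r"^(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port"),
    re.compile(r"https?://(?P<dst_host>[^/\s:]+)"),
    re.compile(r"SRC=(?P<src_ip>\S+) DST=(?P<dst_ip>\S+)"),
)

def normalize(line, year=2017):
    """Parse one raw line into a normalized event; None if no pattern fits."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # the raw line still belongs in storage, but it cannot be correlated
    pri = int(m.group("pri"))  # syslog PRI = facility * 8 + severity
    ev = {"raw": line, "host": m.group("host"), "app": m.group("app"), "msg": m.group("msg"),
          "facility": pri >> 3, "severity": pri & 7,
          "ts": datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")}
    for rx in FIELD_RES:
        sub = rx.search(ev["msg"])
        if sub:
            ev.update(sub.groupdict())
            break
    return ev

def rule_bruteforce_then_success(events, threshold=3, window=timedelta(seconds=60)):
    """Stateful rule: at least `threshold` failed logins for one (src_ip, user) inside
    `window`, then an accepted login for the same pair while the window is still open."""
    failures, incidents = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if "outcome" not in ev:
            continue
        key = (ev["src_ip"], ev["user"])
        recent = [t for t in failures[key] if ev["ts"] - t <= window]  # slide the window
        if ev["outcome"] == "Failed":
            failures[key] = recent + [ev["ts"]]
        else:
            if len(recent) >= threshold:
                incidents.append({"rule": "brute_force_then_success", "severity": "high",
                                  "ts": ev["ts"], "src_ip": ev["src_ip"],
                                  "user": ev["user"], "failures": len(recent)})
            failures[key] = []
    return incidents

def rule_ti_match(events, indicators):
    """Stateless rule whose search criterion is the indicator set: refreshing
    `indicators` from a feed changes what it detects without editing the rule."""
    incidents = []
    for ev in events:
        hits = {f: ev[f] for f in ("src_ip", "dst_ip", "dst_host") if ev.get(f) in indicators}
        if hits:
            incidents.append({"rule": "ti_indicator_match", "severity": "medium",
                              "ts": ev["ts"], "host": ev["host"], "matched": hits})
    return incidents

def run_pipeline(raw_lines, indicators):
    """Collect -> normalize -> correlate; returns (normalized events, incidents by time)."""
    normalized = [ev for ev in map(normalize, raw_lines) if ev]
    incidents = rule_bruteforce_then_success(normalized) + rule_ti_match(normalized, indicators)
    return normalized, sorted(incidents, key=lambda i: i["ts"])

if __name__ == "__main__":
    events, incidents = run_pipeline(RAW_EVENTS, TI_INDICATORS)
    print(f"{len(events)} normalized events, {len(incidents)} incidents")
    for inc in incidents:  # notification step: console output stands in for mail or a ticket
        detail = {k: v for k, v in inc.items() if k not in ("rule", "severity", "ts")}
        print(f"[{inc['severity'].upper()}] {inc['ts']:%H:%M:%S} {inc['rule']} {detail}")
```

Run as a script it reports three incidents: root from 203.0.113.7 (three failures inside the window, then success), and two indicator matches (the proxy request to malicious.example and the firewall drop from 192.0.2.99). The single failure for alice does not reach the threshold. Lines the parser cannot map return None and are dropped from correlation; a real deployment would still write them to the raw store, which is the reason the article insists on keeping raw events alongside normalized ones.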

What components make up a SIEM?

The composition and implementation depend heavily on the solution architecture, the scale of the deployment, the geographical distribution of the system and the performance requirements.

As a rule, a SIEM needs several principal components to deliver all of its basic functions.

Collectors: responsible for gathering raw events. They can support many different protocols and services: Syslog, Windows Event Forwarding, SDEE, SNMP traps, database clients (MSSQL, Oracle, etc.) and other vendor-specific services.

Events can be collected either passively (syslog, for example) or on demand. Most often the collector sends normalized events to the correlator, while raw events go to the data store. The way the collector interacts with the other components can differ between vendors' implementations.

Data store: responsible for storing raw events. Implementations that also store normalized events exist.

Correlator: performs processing and correlation of normalized events. Contextual search over the raw events held in the data store may also be implemented here.

Management console: responsible for management, configuration and visualization. In some cases the visualization function is performed by a separate component.

The second-generation SIEM mentioned above may also contain additional components: collection of flow and SPAN traffic, BI components, a TI module, anti-fraud modules and security policy management.

As noted above, in practice the deployment architecture largely determines the number of components and how they are implemented. For example, in small deployments almost all functions can run on a single hardware appliance, whereas scaling assumes maximum separation of the components.

What are the main purposes and capabilities of modern SIEM solutions?

Today it is hard to overestimate the role of the SIEM in security. It is, in fact, the central element of any SOC infrastructure. It is safe to say that without a SIEM an end-to-end security system cannot function effectively.

Task number one of a SIEM is registering incidents in real time.

Task number two is providing a convenient and capable tool for retrospective analysis and investigation of incidents.

A modern SIEM should, in effect, already incorporate big-data technologies, processing security events as a high-rate telemetry stream. Both speed and convenience are required of the SIEM, because it is the security analyst's main tool for investigating incidents and searching for traces of targeted attacks (threat hunting).

SIEM development trends point toward adding machine learning and behavioral analysis, which allows more and more routine tasks of incident monitoring, forensics and investigation to be handed over to automation. In practice this will make it possible not only to detect manually predefined incidents, but also to move toward automating the creation of correlation rules, which is the key and most difficult task in setting up and maintaining a SIEM (especially in large deployments).

Which aspects of a SIEM deployment deserve attention first?

A correctly configured and maintained SIEM is the brain of the security system, but training this brain requires a high level of specialist expertise and well-established security processes.

Therefore the first question to ask when deciding on a SIEM is whether the qualification of the security team and the current maturity of the security processes will allow the tool to be used correctly and effectively. If it is clear that there is no way to support the SIEM in-house and it will just sit idle, then spending a large budget on it is far from optimal. In that case the option of outsourcing the monitoring and incident investigation function should be considered, for example by subscribing to the services of a commercial SOC. Sometimes, for the price of SIEM technical support, a commercial SOC provides both the tool and the expertise, and the SLA may include round-the-clock support.

The second question is scaling. It is extremely important to build an architecture that can process the event stream both at peak hours and on average. At the same time, load must be distributed across components, balanced where necessary, and routine processing performed as close to the sources as possible.

The third question is SIEM reliability. It may involve both duplicating components for fault tolerance and duplicating across regions for disaster tolerance.

The fourth question is the retention period of events and their protection, so that retrospective analysis is possible over the required time frame and the risk of compromise or loss of the data is minimized.

The fifth question is the availability of the necessary collectors and parsers out of the box. A well-maintained list of supported sources in the SIEM will avoid a great deal of routine work and customization later.

The sixth question is compliance with current legislation, regulators, and industry and corporate standards. For example, the recently adopted Federal Law No. 187-FZ "On the Security of the Critical Information Infrastructure of the Russian Federation", as well as certain regulator requirements, may mandate the use of a SIEM certified by FSTEC.

The answers to these questions make it possible to choose a suitable way of using a SIEM. At the same time, the AMTSOC service can offer a solution that combines optimal parameters on each of these questions. The service rests on three elements: a functional SIEM with a good level of maturity, the team's deep expertise in this solution, and a competitive MSSP sales model.

How are data sources for a SIEM selected?

Ideally, the more event sources there are, the lower the probability of missing an important event and failing to identify a significant incident, that is, of an error of the second kind (false negative).

But practice shows that with very large event streams the probability of errors of the first kind (false positives) rises, because processing more events makes it harder to write complex correlation rules and to filter out these errors. Not to mention that processing additional events can significantly raise the cost of the solution.

AMTSOC specialists recommend that in the early stages the list of sources focus on security tools, authentication and authorization systems, and security events from application systems. Later, as the security function and the SOC service mature, more and more system events can be connected, including to act on the results of threat hunting (for example, searching historical events for traces of attacks that were missed, and writing correlation rules to detect such attacks in real time).

Sometimes best practice recommends trimming the event volume by selecting events by importance (severity) and by specific source modules (facility), with the caveat that events filtered at the source are also unavailable for later investigation.

The same techniques are also used to preserve SIEM performance.

What are the specifics of operating SIEM solutions? Is vendor support required?

In practice any SIEM deployment needs close interaction with the vendor's tier 2 and tier 3 technical support: parsing issues, the behavior of correlation rules, nuances of visualization and reporting, stability of the components, character-encoding support, certification questions, migration and updates, and recovery after failures.

As a result, effective operation of a SIEM on a reasonably developed IT infrastructure is hard to ensure without a well-functioning relationship with the vendor's technical support.

For example, in the AMTSOC service model the task of interacting with the SIEM vendor is taken on by the operator of this expert service.

What are the advantages of the SIEM service model? What responsibility does the service provider bear?

To begin with, two elements of the service model need to be distinguished:

1. The commercial SOC operator providing the SIEM as a tool under a service model: MSSP (Managed Security Service Provider);

2. The security expertise that the commercial SOC's operators provide as an outsourced service.

As a result, the service model, combining the expertise of the commercial SOC team with an OPEX model for the SIEM tool, has the following advantages:

  • Reduction or complete elimination of CAPEX;
  • Reduction of OPEX for a number of security processes (monitoring, incident investigation, analytics);
  • Higher efficiency of the security function, because the security analysts specialize in specific security processes;
  • Freeing up the customer's resources so they can be used more effectively;
  • Greater awareness among top management of the positive results of the security function, which often brings additional support for projects and simplifies decision making.

How to choose between the classical and the service SIEM scheme? By which parameters can the benefit of one model or the other be assessed?

There are no universal rules. Practice shows that large customers with a mature security function and substantial resources prefer to keep security monitoring in-house. In that case the classical CAPEX scheme is the most common choice.

For small and medium business the cost of the solution becomes decisive; besides, as noted above, the maturity of the security function does not always allow a SIEM to be used effectively as the central element of the security service.

AMTSOC specialists often show clients illustrative diagrams comparing the costs of the OPEX and CAPEX models for identical SIEM parameters. Most often OPEX is considerably more advantageous both in cost and in feature set, since the MSSP model almost always offers the client not just the tool but also a set of security monitoring service processes.

The example shown is not an actual calculation; it reflects the approximate ratio between a CAPEX model, in which a SIEM is purchased for a small-to-medium infrastructure, and an OPEX model for a similar infrastructure, in which the SIEM is held on the books of the commercial SOC operator. The OPEX figure also includes a number of basic services of the commercial SOC.

As a result, the OPEX model clearly offers more for less money. Such an approach is rejected only because of an internal policy that requires all functions to be kept within the organization, or because of general conservatism of the security function. This comparison explains why the market for outsourced security services is growing faster than the security market as a whole.
