By Rick M. N. H. - TheExpert SQUAD Security
In this article, we will begin by defining what SIEM (Security Information and Event Management) is and what its uses are in today's world. We will then discuss probes incorporating AI (artificial intelligence), specifically the Cognito probe from Vectra, in order to highlight its major advantages for the world of tomorrow.
Introduction - What is SIEM and what is it used for?
The main purpose of a SIEM is to manage events, more commonly known as logs. More specifically, this management consists of five main steps:
- Collection
- Standardization
- Aggregation
- Correlation
- Reporting
Logs can be collected from heterogeneous sources such as firewalls, routers, and IDS/IPS equipment, and they arrive over various protocols and in various formats, such as Syslog, SNMP traps, and others.
Once collected, these logs are stored in raw format and, in most cases, will need to undergo a normalization (or parsing) step so that they can be recognized and processed by the SIEM.
Now that these logs are in the expected format, it is possible to configure filtering and aggregation rules: repeated identical events are merged into a single event with a count, and noise is dropped, so that only logs with real intrinsic value are retained. This is known as aggregation.
Now comes the critical stage: correlation. This involves establishing rules which, if all conditions are met, will trigger security alerts that can be notified by email, text message, or even by creating a ticket if the solution is interfaced to do so.
Finally, it will also be possible to generate reports and dashboards if you want to have a summary view of these alerts.
According to Gartner's December 2018 Magic Quadrant for SIEM, IBM and Splunk are among the market leaders.


Source: Gartner (Dec. 2018)
Some examples of implementation
To put it simply, let's imagine that the expected format for a log is:
MMM DD HH:MM:SS @IP Hostname Product Version EventID Description
If we receive a log that does not comply with this format, we will be forced to go through the parsing stage in order to rewrite the log in the correct format so that it can be understood and categorized correctly by the SIEM.
NB: SIEMs are generally very demanding when it comes to expected log formats, which must be strictly adhered to. For example, if the delimiter is the pipe ( | ), the format "space pipe space" must be strictly adhered to between each parameter.
Once you have ensured that the logs are being parsed correctly by the SIEM, you can try to correlate them in order to raise security alerts.
For example, let's create a rule that will raise an alert if an administrator has three failed authentication attempts in less than 10 seconds.
- If USER belongs to ADMINGROUP
- AND IF USER has 3 failed authentication attempts in 10 seconds
There you go, it's done. If both of these conditions are met, an alert will be issued.
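To make the parsing and correlation steps above concrete, here is an added example (not code from the article, and not any vendor's implementation): a parser for the sample log format given earlier, followed by the "administrator with three failed authentications in ten seconds" rule run over constructed log lines. The ADMINGROUP membership, the AUTH_FAIL EventID, the "user=" token inside the Description field, and the sample lines are all assumptions made for this illustration.

```python
# Added example (not part of the article): parsing the sample format and
# running the "3 failed admin logins in 10 seconds" rule over constructed
# log lines. ADMINGROUP membership, the AUTH_FAIL EventID, the "user=" token
# in the description and the sample lines are all assumptions.
import re
from collections import deque
from datetime import datetime

# Expected format: MMM DD HH:MM:SS @IP Hostname Product Version EventID Description
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>\S+) (?P<product>\S+) "
    r"(?P<version>\S+) (?P<event_id>\S+) (?P<desc>.*)$"
)

ADMIN_GROUP = {"alice", "root"}   # assumed ADMINGROUP
FAILED_AUTH_EVENT = "AUTH_FAIL"    # assumed EventID for a failed login
THRESHOLD = 3
WINDOW_SECONDS = 10


def parse_line(line, year=2018):
    """Normalize one raw line into a dict, or None if it does not match the format.
    Syslog-style timestamps carry no year, so the year is supplied by the caller."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    user = re.search(r"\buser=(\S+)", m["desc"])   # assumed token in Description
    return {"ts": ts, "ip": m["ip"], "host": m["host"], "event_id": m["event_id"],
            "user": user.group(1) if user else None, "desc": m["desc"]}


def correlate(lines):
    """Apply the rule: USER in ADMINGROUP AND >= THRESHOLD failed auths within WINDOW_SECONDS.
    Returns (alerts, unparsed); alerts is a list of (user, host, timestamp of the 3rd failure)."""
    recent = {}      # (user, host) -> timestamps of failures still inside the window
    alerts, unparsed = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1            # would have to be normalized before the SIEM can use it
            continue
        if ev["event_id"] != FAILED_AUTH_EVENT or ev["user"] not in ADMIN_GROUP:
            continue                 # first condition of the rule not met
        q = recent.setdefault((ev["user"], ev["host"]), deque())
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()              # slide the window: drop failures older than 10 s
        if len(q) >= THRESHOLD:
            alerts.append((ev["user"], ev["host"], ev["ts"]))
            q.clear()                # one alert per burst, not one per extra failure
    return alerts, unparsed


# Constructed sample lines (not real logs).
SAMPLE_LINES = [
    "Mar 04 12:00:01 10.0.0.5 srv-db01 sshd 7.4 AUTH_FAIL user=alice src=192.0.2.10",
    "Mar 04 12:00:04 10.0.0.5 srv-db01 sshd 7.4 AUTH_FAIL user=alice src=192.0.2.10",
    "Mar 04 12:00:07 10.0.0.5 srv-db01 sshd 7.4 AUTH_FAIL user=alice src=192.0.2.10",  # 3 in 6 s -> alert
    "Mar 04 12:00:20 10.0.0.5 srv-db01 sshd 7.4 AUTH_FAIL user=bob src=192.0.2.11",
    "Mar 04 12:00:21 10.0.0.5 srv-db01 sshd 7.4 AUTH_FAIL user=bob src=192.0.2.11",
    "Mar 04 12:00:22 10.0.0.5 srv-db01 sshd 7.4 AUTH_FAIL user=bob src=192.0.2.11",    # bob is not an admin
    "Mar 04 12:01:00 10.0.0.5 srv-db01 sshd 7.4 AUTH_FAIL user=root src=192.0.2.12",
    "Mar 04 12:01:05 10.0.0.5 srv-db01 sshd 7.4 AUTH_FAIL user=root src=192.0.2.12",
    "Mar 04 12:01:15 10.0.0.5 srv-db01 sshd 7.4 AUTH_FAIL user=root src=192.0.2.12",   # 3 in 15 s -> outside the window
    "2018-03-04T12:02:00Z srv-db01 sshd AUTH_FAIL user=alice",                          # wrong format -> not parsed
]


def run_example():
    return correlate(SAMPLE_LINES)


if __name__ == "__main__":
    alerts, unparsed = run_example()
    for user, host, ts in alerts:
        print(f"ALERT admin brute force: {user}@{host} at {ts:%H:%M:%S}")
    print(f"{unparsed} line(s) did not match the expected format")
```

Only alice's burst fires: bob fails the ADMINGROUP condition, root's three failures are spread over 15 seconds, and the ISO-formatted line is counted as unparsed rather than silently ignored, which is the sort of count worth watching after any change to a log source. Note that the window is keyed on (user, host) rather than on source IP, so failures against the same server from several source addresses are counted together; keying on IP alone would let an attacker who rotates addresses stay under the threshold.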
NB: The list of conditions must be precise and exhaustive so as not to generate too many false positives (alerts raised without any real threat), and it is essential that all conditions are met in order to raise the alert. It is therefore a question of finding the right balance between "false positives" and "the alert will never be raised."
In summary, SIEMs are capable of collecting logs, detecting anomalies, raising security alerts in the event of a threat, and generating reports if necessary. However, they require manual configuration beforehand, an alert fires only when every condition of a rule is met, rules are generally keyed on IP addresses, and lateral movement is difficult to detect.
A brief aside: Vertical movement (privilege escalation) refers to an attacker gaining a higher level of access to the system, for example by hijacking an administrator account. Lateral movement, on the other hand, refers to an attacker spreading from one compromised host to other hosts in the network using the access they already have, typically by reusing the hijacked administrator's credentials to log in to further servers, such as those holding the sensitive files they want to read or copy.
Vectra Cognito

The Cognito probe is an AI-enabled probe. It works in conjunction with a SIEM. Its main purpose is to stop attackers before they can cause harm. It provides:
- Automatic 24/7 monitoring,
- Machine learning,
- Better detection than current conventional IDS/IPS/SIEM systems,
- Detection based on hostnames and MAC addresses rather than IP addresses,
- A history of logs based on hostnames and real-time tracking,
- Detection of virtually all attacks from day one, even lateral movement, without prior manual configuration.
It is also capable of learning the normal behavior of equipment and accounts within a company and raising alerts on any deviation from it. Typically, if an administrator logs into a particular server every day at 12 noon, it will record this pattern and raise an alert if one day that administrator logs into the server at 8 p.m.
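The behavioral detection just described differs from the static rule of the previous section in that it needs no threshold written by hand: the "normal" is learned from history. As an added example (not from the article, and not Vectra's own algorithm, which is not described on this page), here is a toy baseline of that kind: a per-(user, host) histogram of login hours learned over a period, against which new logins are scored. The users, hosts, login events and the 5 % rarity threshold are assumptions made for the illustration.

```python
# Added example (not part of the article and not Vectra's own algorithm): a
# toy behavioural baseline of the kind described above. Users, hosts and the
# login events are constructed; the 5 % threshold is an assumption.
from collections import Counter, defaultdict
from datetime import datetime


def build_baseline(events):
    """events: iterable of (user, host, datetime) successful logins observed during
    a learning period. Returns {(user, host): Counter(hour_of_day -> count)}."""
    baseline = defaultdict(Counter)
    for user, host, ts in events:
        baseline[(user, host)][ts.hour] += 1
    return baseline


def score(baseline, event, min_fraction=0.05):
    """Label one new login: 'normal' if this hour accounts for at least min_fraction
    of the pair's past logins, 'deviation' if it is rare or unseen, 'unknown' if the
    (user, host) pair has no history at all (nothing to compare against)."""
    user, host, ts = event
    hist = baseline.get((user, host))
    if not hist:
        return "unknown"
    fraction = hist[ts.hour] / sum(hist.values())   # Counter returns 0 for unseen hours
    return "normal" if fraction >= min_fraction else "deviation"


# Constructed learning data: alice logs in to srv-db01 around noon every day in March.
LEARNING = [("alice", "srv-db01", datetime(2018, 3, d, 12, d % 30)) for d in range(1, 29)]

# Constructed new events to score.
NEW_EVENTS = {
    "alice noon as usual": ("alice", "srv-db01", datetime(2018, 4, 2, 12, 3)),
    "alice at 8 p.m.": ("alice", "srv-db01", datetime(2018, 4, 2, 20, 0)),
    "alice on a new host": ("alice", "srv-web01", datetime(2018, 4, 2, 12, 0)),
}


def run_example():
    baseline = build_baseline(LEARNING)
    return {name: score(baseline, ev) for name, ev in NEW_EVENTS.items()}


if __name__ == "__main__":
    for name, label in run_example().items():
        print(f"{name}: {label}")
```

The 8 p.m. login is a single successful authentication with valid credentials, so the failed-login rule from the previous section would never see it; the baseline flags it because that hour has no history for this user on this host. The price is that a legitimate change of habit (an on-call rotation, say) produces the same "deviation", which is exactly why a confidence indicator alongside the alert, like the Certainty score discussed next, is needed.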
For each alert raised, it assigns two indicators: Threat and Certainty. The Threat indicator shows the impact that this attack will have on the company, while the Certainty indicator can be taken as a confidence rating on whether this alert is real.
To clarify, let's look at two examples:
- A brute-force attack (a very large number of authentication attempts in a very short period of time) will have a very high certainty indicator, as it is almost certain that an automated program is testing thousands of passwords. The threat indicator, however, will be low, because almost all companies already have protections against this type of attack.
- An attack in which an administrator copies sensitive files will have a moderate certainty indicator, since the probe cannot be sure that it is a real attack, whereas the threat indicator will be very high, because if the activity is malicious, an attacker has hijacked an administrator account to extract sensitive information.
In addition, it details the progression of each attack it addresses and proposes solutions, which can facilitate the development of skills among junior personnel in the field, but also help more experienced personnel resolve incidents more quickly.
In addition, via Cognito's graphical interface, you can view a dashboard with four types of criticality (Low, Medium, High, and Critical) and see how its nodes evolve in real time (increase or decrease in criticality, or even disappearance if the incident has been resolved).


Looking for an effective solution to protect yourself from cyberattacks? Choose Vectra Cognito and you're all set!
