Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: SIEM In this Decade, Are They Better than the Last? - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
SIEM In this Decade, Are They Better than the Last?

My first exposure to a SIEM in 2001 was netForensics followed by Intellitactics (2002) which was eventually purchase by Trustwave but since then, many new products have come to market.

Security Information and Event Management (SIEM) have been around for 20+ years now, where their evolution has gone from simply collecting and centralizing as a repository of logs. Today they have become more complex with the inclusion of Security, Orchestration, Automation and Response (SOAR) [1] with a large component of threat intel information. Some of my previous articles on SIEM [2][3] are dated but I think some of it still hold true, like being swamped by huge amount of structured and unstructured data, of this data, there is still a large amount left untouched and unanalyzed.

It is obviously a good thing to centralize logs but over time, it didn't always deliver on detecting and reacting in time against modern threats. What the legacy SIEM have in common is their inability to accurately identify incidents, they drown security teams by generating an overwhelming number of alerts that "logjam" both the SIEM and analysts.

One of the main issues is that each network behaves differently and it takes time to configure the SIEM to understand the local environment, collect the right telemetry & context and configure the use cases [2] to respond and alert for the events that matters the most. Even then, it is important to review them regularly to make sure the goals haven't changed over time.

Over time, the market has changed by incorporating new features such as SOAR that include the additional context needed to make accurate assessment on each alert and include machine learning like User and Entity Behavior Analytics (UEBA) to accelerate identification of suspicious activity. This kind of automation is helping analysts to execute preconfigure automation tasks (playbooks) between various groups and tools. 

If you have identified a SIEM that meet your goals, what is it that made it better in managing incidents? 
Do you prefer storing structured or unstructured data and why?

[1] https://isc.sans.edu/forums/diary/SOAR+or+not+to+SOAR/25808/
[2] https://isc.sans.edu/forums/diary/Mapping+Use+Cases+to+Logs+Which+Logs+are+the+Most+Important+to+Collect/22526/
[3] https://isc.sans.edu/forums/diary/Business+Value+in+Big+Data/19727/
[4] https://www.sans.org/white-papers/408/ (netForensics)
[5] https://www.trustwave.com/en-us/company/newsroom/news/trustwave-acquires-intellitactics/

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Guy

523 Posts
ISC Handler
Jan 29th 2022
Only very few SIEM can deal with the generated data a company has today. "Zero Trust" systems and tools generate more events than ever before and the integration of hybrid cloud environments is often a mess. So yes, there was a positive development of SIEM products in the last 20 years, but the complexity of mixed environments grew much faster than these tools can handle.

And as an Incident Responder I can tell you, that from my *feeling* only a small amount of severe incidents are detected via SIEM. Ransom notes on the user`s desktop or ransom demands to the CEO`s mailbox happen very often- without paying a few 100k USD for a (*put in a product name here*) license before.
Anonymous
A few years ago, while working for a company that made supercomputers, I found that not only did I not have enough budget for a proper SIEM, but other security admins I spoke with (who had bigger budgets) all said SIEMs over-promised and under-delivered. And what budget I DID have I was spending on building a CyberSecurity infrastructure from scratch (NIDS, honeypots, DNS filters, a decent log server, erecting firewalls on interior networks, not just the perimeter, etc).

But when I was doing a "bake-off" between various intrusion/malware detection vendors, there was one thing that really stood out that I suspect applies to SIEM vendors too. We (a unix/linux admin and a windows admin) had detected a pivot in our network a year or so earlier. So while we evaluated the different vendors' solutions in our networks, we also re-created the events of this pivot to see who detected it and who didn't, in addition to seeing what else they did or did not detect.

The interesting thing was that NONE of the commercial solutions detected our pivot, though snort with the emerging threats ruleset flagged it at the warning level (amidst a jillion or so other things). And all the different vendors' solutions detected DIFFERENT things with a fair bit of overlap. So no single vendor has "the" solution, IMHO.

My personal take on the vendor bake-off was that no single intrusion detection system was ever gonna catch everything. I should've guessed this after more than a decade of looking at spam filtering solutions as an IT geek. And there is no replacement for a motivated, interested, and curious security geek who likes looking at logs, graphs, and statistical anomalies and saying "Huh. I wonder what caused that," and looking further to find out.

If you have the budget for a SIEM, find one that won't make your admins' lives a misery, and if you don't, at least arm your admins with decent tools for logging, visualization, and anomaly detection, and give them the time to devote to looking for "weird" in your networks/systems. Don't make it just another activity piled on the heads of already overwhelmed SysAdmins. Overwhelmed SysAdmins are just that more prone to take the sort of short-cuts that make CyberSecurity Admins pull their hair out.
Brent

133 Posts
Brent,

I like your comment "And there is no replacement for a motivated, interested, and curious security geek who likes looking at logs, graphs, and statistical anomalies and saying "Huh. I wonder what caused that," and looking further to find out." and I think you are absolutely right.
Guy

523 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!