If you鈥檝e ever been on a cruise, you might recall looking at the ship's list of daily activities and becoming overwhelmed. You probably found everything from Star Wars trivia to competitive ballroom dancing to late-night movies. With all that was available, you were likely left wishing for an easier way to filter your options into a more manageable list of the most relevant events.聽
Security information and event management (SIEM) may not be a cruise (though sometimes we wish it was), but it does manage a large list of log data it ingests. Much like our activities scenario, it must prioritize extensive lists and notify only of the events that matter most. If it sounds daunting, that鈥檚 because it is. Fortunately, there鈥檚 a way to make SIEM smarter at this task.
If you run a quick search online for 鈥渓og-to-alert ratio,鈥 you鈥檒l quickly find funnels showing the flow of logs from raw data to parsed logs to security events to incidents and, finally, to alerts. While these can be impressive, we鈥檙e all left with one question鈥攚hy do we start with so much data in the first place?聽
The log-to-alert funnel is needlessly complex. Typically, terabytes of raw data flood in, and it all gets filtered down into a handful of alerts. Instead of sorting through all that noise, wouldn鈥檛 it make more sense to start with a cleaner, more condensed version of raw data already tuned to actionable insights?
Let's explore some ways we end up bulking up our ingested log data without even knowing it.
Let's start with one of the common ones鈥攃ompliance. A quick search on the Payment Card Industry Data Security Standards (PCI DSS) compliance reveals the following, which was taken from the .
While this may seem straightforward enough, diving a bit deeper we realize not all is as it seems. According to section 2.1.1 of the PCI Security Standards:
The PCI DSS Glossary defines a security event as 鈥渁n occurrence considered by an organization to have potential security implications to a system or its environment. In the context of PCI DSS, security events identify suspicious or anomalous activity.鈥 Examples of security events include attempted logons by nonexistent user accounts, excessive password authentication failures, or the startup or shutdown of sensitive system processes. Unfortunately, determining the specific types of events and activities that should constitute security events is largely dependent on each individual environment, the systems resident in that environment, and the business processes served by that environment. Therefore, each organization must define for itself those system events and activities that represent 鈥渟ecurity events.鈥
We immediately realize the underlying problem: specific examples of "security events" are hard to define. One of the common questions asked during most SIEM product demos is, 鈥淐an you tell or show me what I should log for compliance?鈥 All too often, the answer is 鈥渆verything.鈥 However, looking at section 10.6.1, the consensus is always collect from specific components and anything else you deem as a security event.聽
While collecting everything can seem like an ideal solution, compliance mandates don鈥檛 require this. Plus, the law of diminishing returns determines how much of the data will be useful during a possible security event. Except for a very small subset of compliance regulations, storage of all data across the board isn't required.
Debug logs can ultimately bug you. This is another overly collected type of log data. While some of the data can be valid, there鈥檚 often log bloat that may be hidden at first glance. Let鈥檚 take a VPN connection for example. When troubleshooting potential network issues with a VPN, multiple steps occur as your computer connects to the VPN server, routes out to your requested destination, and back toward you. lays it out pretty clearly, as you can see below.
Diving into this picture, there are two areas that would clearly be classified as security events:
Outside of those two events, while the rest of the debug data might be interesting, the security value quickly diminishes. That鈥檚 not to say that your friendly neighborhood networking team wouldn鈥檛 find these of value. But from a security practitioner鈥檚 perspective, the core of the investigation revolves around the two above log points. Much like our compliance example, while we can store the entire depth of the debug data in SIEM, from a security perspective, filtering out the unnecessary log data would help us identify problems more quickly.
When your endpoint or server flags its disk is full, lets you know what services are available, or informs you of the overall performance of your device, that鈥檚 IT Ops logs doing their thing. They鈥檙e useful for day-to-day operations鈥攚hether you鈥檙e upgrading your SSD for a sweet new heftier one or just monitoring the general performance of various services. But their relevance to security is a different story. Imagine wading through your SIEM alerts to protect your company, only to get bombarded with repeated pings from these logs.
Is it important to add space to your database? Sure, give that SQL database some more space as the event alert calls for. While this could be a potential security problem if caused by a space filler malware, it does not fulfill the need for detection, investigation, or compliance requirements. Knowing that, how pertinent are the full disk ops logs to store in SIEM? Probably not a high priority, especially if you鈥檙e already using service availability monitoring tools that are dedicated to giving you this information firsthand. The argument could be made to want to centralize all the data into one SIEM platform. The question then becomes, is the purpose of your SIEM simply a log repository? However, if your SIEM is needed as a security-focused platform targeting threats, then feeding it data that other tools can handle may not be the best choice.聽
With all the excess data floating around, what are the industry's common practices to address this? You may be surprised.
If you had to put away some of your belongings, you might take it to a storage company that would allow you to store your items at a set price. But let's suppose that the storage company then insists you store everything you own鈥攆urniture, refrigerator, cars鈥攊n their facilities instead of allowing you to keep it at home. Worse yet, anything you buy moving forward must also be stored with them. Seems a little excessive and maybe a bit silly, but this happens daily with SIEM vendors. The market approach to SIEM is to collect every log possible and ship that to them. Why? Because if they charge for data ingested, then the more you send the more they can charge. It鈥檚 no surprise that vendors encourage and refrain from dissecting what really should be collected and what shouldn鈥檛 be. It doesn鈥檛 make business sense to do so, and it鈥檚 one of the reasons small and mid-sized businesses (SMBs) have been priced out of the SIEM market for years.
Tuning is a common practice across SIEM vendors today. It鈥檚 all about altering detections鈥攂y deciding what stays and what goes鈥攖o reduce false positives and improve accuracy. This normally occurs right after deployment and can take anywhere from two weeks to several months. In the end, data is boiled down, analyzed, and stored or made available for search queries. But here鈥檚 the thing鈥攖his approach overlooks the idea of filtering data before it鈥檚 collected, and there鈥檚 one basic reason: cost. Big data companies need big data costs to thrive. It鈥檚 no surprise that tuning is done after the consumer has incurred the expenses.聽
Is there a better way to avoid passing costs to you while still adhering to compliance requirements and security best practices? Of course.
With all the ways to increase log data into SIEM, we set out to build a platform tailored to address excessive log data and its associated pricing. The result is 杏吧传媒 Managed SIEM.
Remember the log-to-alert ratio funnel we talked about earlier? Our Smart Filtering slims down starting at the top of the funnel, cutting down the noise before moving to hot storage. The first layer of filtering reduces the log data coming in, but this doesn鈥檛 mean we just omit anything and call it a day. We鈥檝e done our homework, analyzing the data we鈥檝e collected and reviewing event types generating the most noise. In our Early Adopter version of 杏吧传媒 Managed SIEM, we filtered out over 20 Windows event types.聽
For example, let's look at Windows Event ID 4627: Group Membership Information.
While this event allows users to see what groups a user is assigned to, logging and storing them using SIEM only adds an excess amount of data. This might matter to the network engineering team, but the overall value to security is minimal. If there鈥檚 an escalation of privileges, it would be tracked through the actual event itself instead of using a log event like the above. And since the endpoint detection and response (EDR) agent tracks primary privilege escalations of events, storing a noisy log like ID:4627 in the SIEM platform just increases the bloat on log storage and, of course, cranks up the cost.
The second layer of filtering occurs before passing on to storage using our filtering rulesets. This second pass at filtering eliminates any noise not discovered during the top-of-the-funnel phase. Using our Smart Filtering rulesets, we can eliminate non-security events, providing the SIEM with clean subsets of data to later perform threat detection.
Tuning still comes into play using Managed SIEM, but our tuning process happens as close to the data source as possible. By ensuring that we cut out excessive noise at the source, we can adjust log data for an influx of logs that would be informational at best. Tuning pre-collection keeps things smooth, so we鈥檙e not dealing with excess false positives after the fact.聽
For too long, SIEM has been unreachable for most, being too costly, too noisy, or too complex to manage. 杏吧传媒 Managed SIEM changes all that by reducing the price of entry, leveraging Smart Filtering, and providing a fully managed platform. External stakeholders鈥攚hether compliance auditors or cyber insurance providers鈥攏ow require SMBs to provide SIEM functionality to meet these requirements. 杏吧传媒 wants to help you meet these requirements head-on.聽
Get insider access to 杏吧传媒 tradecraft, killer events, and the freshest blog updates.
