UNIVERSITY OF ZAGREB, CROATIA
FACULTY OF ELECTRICAL ENGINEERING AND COMPUTING
Computer Forensics course - seminar paper
Security Information and Event management
(SIEM)
Zvonimir Hartl
Zagreb, January 2019.
Contents
Introduction ........................................................................................................................... 1
1. SIEM in general ............................................................................................................. 2
1.1. Secured network before SIEM .............................................................................. 2
1.2. Network with SIEM .............................................................................................. 3
2. SIEM design and architecture........................................................................................ 4
2.1. Sending logs and events ........................................................................................ 4
2.2. Writing rules .......................................................................................................... 5
2.3. Managing incidents ............................................................................................... 5
2.4. Sending notifications ............................................................................................. 5
3. SIEM pros and cons ....................................................................................................... 6
3.1. SIEM advantages ................................................................................................... 6
3.1.1. Detecting incidents that would otherwise not be detected ............................ 6
3.1.2. Streamline Compliance Reporting................................................................. 6
3.1.3. Making incident response more efficient ...................................................... 7
3.1.4. Single security interface ................................................................................ 7
3.2. SIEM disadvantages .............................................................................................. 7
3.2.1. Misconfiguration ........................................................................................... 7
3.2.2. Costly and Time-Consuming ......................................................................... 8
3.2.3. False positives ............................................................................................... 8
3.2.4. Failure to monitor noise ................................................................................. 8
3.2.5. Insufficient Staffing ....................................................................................... 9
Conclusion ........................................................................................................................... 10
Bibliography ........................................................................................................................ 11
Summary .............................................................................................................................. 12
Abbreviations ...................................................................................................................... 13
Introduction
There are many security information sources in IT systems that generate a great number of
logs, such as servers, routers, firewalls, IDSs, etc. These logs are hard to track and analyse
in real time, and SIEM systems have been developed for that reason. A Security Information and
Event Management system collects, normalizes and automates security log and event
analysis.
This seminar is organized as follows: in chapter 1 SIEM is described in general, in chapter
2 SIEM system design and architecture are presented, and finally in chapter 3 SIEM pros
and cons are listed and discussed.
1. SIEM in general
To better understand what SIEM is, the network security configuration is described before and
after SIEM was introduced.
1.1. Secured network before SIEM
Awareness of Internet security has been growing exponentially along with the growth of
cyber-attacks. In response to cyber-attacks, network security systems have been developed,
and the first firewalls were created as a simple way of blocking unwanted traffic. After the
firewalls were installed, the cyber-attackers invented new ways to attack and bypass the
firewalls. As a response to those attacks, IDS and IPS (Intrusion Prevention System) were
developed, but every day the cyber-attacks are becoming more and more advanced, and
they cannot be detected by existing security devices and systems. Today, as seen in Figure
1, there are many security devices in the network. All those devices work relying only on the
traffic that goes through them. With such a limited view of the network, these devices are
unable to notice numerous cyber-attacks that target multiple network entities.
Figure 1 Secured Network
1.2. Network with SIEM
With so many security systems and devices in the network, it can be a real challenge to keep
track of all the security logs and events, and to react in real time if an attack occurs. Security
Information and Event Management is a centralized solution for log and event aggregation.
All security information and events are forwarded to a single computer, which then stores
and analyses the collected data. But SIEM goes beyond just collecting and analysing logs.
The main functionalities of SIEM are [1]:
- Log aggregation and normalization
- Event tracking
- Log and event analysis
- Correlating events and logs with vulnerability data, threat intelligence feeds, network and
device configuration, blacklists
- Generating and sending alerts to security administrators
- Report and graph generation
- Long-term preservation of security data
Figure 2 Secured Network with SIEM
2. SIEM design and architecture
To improve a secured network with a SIEM system, it is very important to understand
how a SIEM works. With the right understanding of the system and how it operates, it
can be configured to suit the specific needs of each organization. There are four main parts in
the SIEM workflow, as shown in Figure 3, and they are listed and described in this chapter.
Figure 3 SIEM workflow
2.1. Sending logs and events
To set up a SIEM system in the network environment, all devices in the network first
have to be connected to the SIEM so that they can send their logs and events to
it (as shown in Figure 2). Afterwards the network configuration has to be entered into the
SIEM system: which applications are visible to the Internet, which applications are used only
on the intranet, how the DMZ is configured, etc. The SIEM system will be more effective the more
information it has about the network.
2.2. Writing rules
Besides entering the network configuration into the SIEM, some rules also have to be created and
applied. Those rules are applied to the events and logs that come in, and are then
cross-correlated with vulnerability data and threat intelligence feeds, network and device
configuration, blacklists, etc. There are many preconfigured rules available in a SIEM
system, based on global security experience, but it is advisable to adjust those rules for the
specific network and to write new, personalized rules. The security administrator should also be
aware that threats and the network change over time, so the rules will need to be tuned
continually according to those changes.
2.3. Managing incidents
When rules fire, they create incidents. Incidents are rated based on criticality settings that
are also custom tuned for the environment. Based on the criticality, an incident may be just
logged, it may be written to a report to be viewed later, or it may require immediate
attention. Most incidents are just informational output of the SIEM system. Some
incidents are interesting, and they are written to a report. Afterwards a security or forensic
expert examines those reports to find out whether an attack has been performed. If needed, based on
the findings in the reports, rules can be updated so that the same attack will be stopped next time.
On the other hand, there are some incidents that require immediate action, which means
they should generate an immediate notification.
2.4. Sending notifications
A custom notification protocol is then followed to ensure that the right person or team gets the
incident information immediately. Notifications can be made 24/7/365, allowing the
security experts to remediate issues before they escalate out of control. These notifications
can be sent via various communication services (email, SMS, etc.). Some SIEM solutions
even include remediation guidance, which tells the support team what they can do to
fix the issue. So the support team gets an instant notification of a problem
and the information they need to quickly respond and fix it.
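The four workflow steps of this chapter (sending and normalizing logs, applying rules, rating incidents, sending notifications), carried through end to end as an added example. This is constructed illustration code written for this seminar, not code from the paper or from any SIEM product; the host names, IP addresses, log lines, blacklist entry and zone names are invented, and the two rules, the criticality bonus table and the "notify / report / log" thresholds are assumptions chosen to make the example readable.

```python
"""Toy SIEM pipeline for the four workflow steps: normalize incoming logs,
apply correlation rules, rate incidents by criticality, send notifications.
Constructed example; hosts, IPs and the blacklist entry are invented."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style lines from a firewall and two SSH servers (hosts/IPs invented).
RAW_LOGS = [
    "Jan 11 10:00:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 DPT=22",
    "Jan 11 10:00:05 web01 sshd[2210]: Failed password for root from 203.0.113.45 port 50110 ssh2",
    "Jan 11 10:00:07 web01 sshd[2210]: Failed password for root from 203.0.113.45 port 50111 ssh2",
    "Jan 11 10:00:09 db01 sshd[991]: Failed password for admin from 203.0.113.45 port 50112 ssh2",
    "Jan 11 10:00:12 db01 sshd[991]: Failed password for admin from 203.0.113.45 port 50113 ssh2",
    "Jan 11 10:00:15 db01 sshd[993]: Accepted password for admin from 203.0.113.45 port 50114 ssh2",
    "Jan 11 10:01:00 web01 sshd[2300]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2",
]
BLACKLIST = {"203.0.113.45"}                     # stands in for a threat-intelligence feed
NETWORK_CONFIG = {"fw01": "perimeter", "web01": "dmz", "db01": "intranet"}  # section 2.1 data
CRITICALITY_BONUS = {"perimeter": 0, "dmz": 0, "intranet": 1}  # tuned per environment (2.3)

# Single-space syslog header only; real syslog pads the day ("Jan  1"), which is not handled here.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<outcome>Failed|Accepted) (?:password|publickey) for (?P<user>\S+) from (?P<src>[\d.]+)")
FW_RE = re.compile(r"^(?P<action>DROP|ACCEPT) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dport>\d+)")


def normalize(line, year=2019):
    """Step 1: parse one raw line into a common event schema; None if unparseable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = {"host": m["host"], "source": m["prog"], "raw": line,
          "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")}  # syslog omits the year
    s, f = SSH_RE.match(m["msg"]), FW_RE.match(m["msg"])
    if s:
        ev.update(category="auth", user=s["user"], src=s["src"],
                  outcome="failure" if s["outcome"] == "Failed" else "success")
    elif f:
        ev.update(category="firewall", outcome=f["action"].lower(), src=f["src"], dport=int(f["dport"]))
    else:
        ev.update(category="other")
    return ev


def rule_blacklisted_source(events):
    """Step 2a: correlate events with the blacklist; one incident per (host, source) pair."""
    seen = set()
    for ev in events:
        key = (ev["host"], ev.get("src"))
        if ev.get("src") in BLACKLIST and key not in seen:
            seen.add(key)
            yield {"rule": "blacklisted_source", "host": ev["host"], "src": ev["src"], "severity": 2}


def rule_bruteforce_then_success(events, threshold=3, window_s=60):
    """Step 2b: cross-host correlation. >= threshold failed logins from one source (on any
    hosts) followed by a successful login from that source within window_s seconds."""
    failures = defaultdict(list)
    for ev in events:                      # events must be sorted by timestamp
        if ev.get("category") != "auth":
            continue
        if ev["outcome"] == "failure":
            failures[ev["src"]].append(ev)
        else:
            recent = [x for x in failures[ev["src"]] if (ev["ts"] - x["ts"]).total_seconds() <= window_s]
            if len(recent) >= threshold:
                yield {"rule": "bruteforce_then_success", "host": ev["host"], "src": ev["src"],
                       "user": ev["user"], "failures": len(recent),
                       "hosts": sorted({x["host"] for x in recent}), "severity": 4}


def rate(incident):
    """Step 3: criticality = rule severity + bonus for the zone of the affected host."""
    score = incident["severity"] + CRITICALITY_BONUS.get(NETWORK_CONFIG.get(incident["host"]), 0)
    action = "notify" if score >= 5 else "report" if score >= 2 else "log"
    return dict(incident, score=score, action=action)


def notify(incident, channels=("email", "sms")):
    """Step 4: build the messages for the on-call channels (simulated; nothing is sent)."""
    text = f"[{incident['rule']}] src={incident['src']} host={incident['host']} score={incident['score']}"
    return [(ch, text) for ch in channels]


def run_siem(raw_lines):
    """Run all four steps; returns (normalized events, rated incidents, messages to send)."""
    events = sorted(filter(None, (normalize(l) for l in raw_lines)), key=lambda e: e["ts"])
    incidents = [rate(i) for rule in (rule_blacklisted_source, rule_bruteforce_then_success)
                 for i in rule(events)]
    messages = [msg for i in incidents if i["action"] == "notify" for msg in notify(i)]
    return events, incidents, messages


if __name__ == "__main__":
    _, incidents, messages = run_siem(RAW_LOGS)
    for i in incidents:
        print(i["action"].upper(), i["rule"], i["host"], i["src"], "score", i["score"])
    for ch, text in messages:
        print("SEND", ch, text)
```

On the sample input the blacklist rule produces three "report" incidents (one per host that saw the blacklisted source), while the cross-host rule correlates the failed logins on web01 and db01 with the later successful login on db01 and, because db01 sits in the intranet zone, reaches the "notify" level and generates an email and an SMS message. No single host could have raised that second incident on its own, which is the point made in section 3.1.1.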
3. SIEM pros and cons
As shown above, SIEM has brought security management to the next level. A new principle
of handling information and events, responding to threats, and generating alerts and reports was
introduced. To show that this system also has its pros and cons, in this chapter SIEM
advantages and disadvantages are listed [2].
3.1. SIEM advantages
Clearly, SIEM has brought many advantages, and the most significant ones are listed here.
3.1.1. Detecting incidents that would otherwise not be detected
SIEM can detect incidents that would otherwise not be detected. Firstly, various hosts that
log security events do not have a built-in incident detection feature. These hosts can only
observe events and produce audit log entries, instead of analysing the log entries to identify
the signs of suspicious activity. Moreover, SIEM is able to correlate events and logs
across many hosts. It gathers security information from different hosts, sees attacks
split into parts that are observed by distinct hosts, and then reassembles the sequence of
events to identify whether the attack has been successful or not. Finally, using threat
intelligence feeds, SIEM can detect any malicious activity and will terminate the host's
connection involved in such activity, so that the attack can be neutralized before it becomes a
costly breach.
3.1.2. Streamline Compliance Reporting
This benefit is so significant that numerous organizations deploy SIEM only for
streamlining their compliance reporting via a centralized logging solution. There can be
various hosts in a network, and the logged security events of each host are regularly transferred
to a single SIEM server, which generates one report of all logged security events received
from those hosts.
Without SIEM, data has to be collected from each host manually and a separate report has
to be prepared for each host. After that, the data and reports are reassembled at a
centralized point in order to create a single report. Performing such a task manually
requires massive manpower to customize and edit security logs from dissimilar hosts.
3.1.3. Making incident response more efficient
If SIEM is properly configured and maintained, it has the potential to enhance the
efficiency of incident handling activities, which saves resources and time for
incident handling experts. More importantly, incident handling is of paramount
importance, since poor management of an incident may cause the loss of
essential information, such as evidence against the malicious actors who compromised the host
in question.
3.1.4. Single security interface
Another useful feature of SIEM is that it provides a single interface for viewing all security
logs from multiple hosts. The SIEM aggregation feature decreases the volume of event data by
consolidating duplicate event records, so that reporting can run on the correlated and aggregated
event data in real time and compare it with long-term summaries.
3.2. SIEM disadvantages
In this subchapter SIEM limitations are listed. It is more appropriate to call them
limitations than disadvantages, because they appear only as a result of
insufficient information or resources.
3.2.1. Misconfiguration
Secure configuration is essential for the overall security of the system. Misconfiguration is
the process of changing the secure configuration, either accidentally or by oversight, and it
might lead to vulnerabilities or undesirable features. Sometimes, malicious actors
misconfigure systems deliberately to introduce vulnerabilities or to keep their suspicious
activities undetected. Because a SIEM system is so large and comprehensive, a system
administrator can easily overlook an error.
3.2.2. Costly and Time-Consuming
Collecting, storing and analysing security events are simple tasks compared to collecting,
storing and running compliance reports, updating security rules and incident alerts,
applying patches, etc., which can be quite time-consuming and can require a lot of work.
A SIEM system brings more maintenance and monitoring work to the network.
SIEM systems are not cheap either. Vendors bill the use of their software
(and possibly hardware) in several ways: per running appliance, per year, per
volume of logs generated, and so on. More or less, it is all the same thing, and every commercial
SIEM solution is expensive. On the other hand, there are several open source solutions
which are free, but the problem with open source solutions is that they have many more
bugs and no support, which can lead to having to hire more people to deal with those
problems.
3.2.3. False positives
SIEM solutions usually rely on rules to parse all logged data. When writing rules, the security
expert tries to be as vigilant as possible. Unfortunately, because of this approach those
rules trigger many alerts that are false positives.
In other words, defining too few rules might lead to missing potential threats. On the other
hand, defining too many rules may trigger a huge number of false positives. As a result,
these false positives not only take a lot of time to review, but also run the risk of being
overlooked.
3.2.4. Failure to monitor noise
Out-of-the-box alerts and alarms also produce noise in an otherwise quiet, working
network environment. A SIEM system does not have log management capabilities.
Instead, it tends to rely on correlation rules, which in turn depend on particular events
and logs to detect certain threats. As SIEM collects all logs, it fails to monitor noise because
it does not discriminate between useful and useless logs. That is why it is essential to collect only
the logs required to detect potential threats and vulnerabilities, as opposed to collecting every
type of log from every host.
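The trade-off of sections 3.2.3 and 3.2.4, shown in code as an added example: a labelled sample of normalized events is first reduced to the categories the rules actually consume, and the single rule "flag a source with at least N failed logins" is then swept over candidate thresholds so the false positives and missed attacks at each setting can be counted. This is constructed illustration code written for this seminar, not code from the paper or from any SIEM product; the IP addresses, event counts, attack labels and the required-category set are invented, and the selection policy in choose_threshold (fewest false positives among thresholds that miss no attack) is an assumption.

```python
"""Rule-threshold tuning and noise filtering for a SIEM (constructed example; IPs and
counts are invented). Shows why too low a threshold floods analysts with false
positives and too high a threshold misses attacks, and why only the log categories the
rules consume should be collected."""
from collections import Counter


def auth_failures(src, n):
    """Build n normalized failed-login events from one source (constructed data)."""
    return [{"src": src, "category": "auth", "outcome": "failure"} for _ in range(n)]


# Labelled sample: two real brute-force sources, three legitimate users who mistyped passwords,
# plus bulk firewall and DNS records that no rule below consumes.
ATTACK_SOURCES = {"203.0.113.45", "203.0.113.99"}
EVENTS = (auth_failures("203.0.113.45", 8) + auth_failures("203.0.113.99", 5)
          + auth_failures("198.51.100.7", 2) + auth_failures("198.51.100.8", 3)
          + auth_failures("198.51.100.9", 1)
          + [{"src": "192.0.2.1", "category": "firewall", "outcome": "drop"} for _ in range(50)]
          + [{"src": "192.0.2.2", "category": "dns", "outcome": "query"} for _ in range(30)])

REQUIRED_CATEGORIES = {"auth"}  # the only category any rule here needs (section 3.2.4)


def filter_noise(events):
    """Keep only events in categories that some rule actually consumes."""
    return [e for e in events if e["category"] in REQUIRED_CATEGORIES]


def failed_logins_per_source(events):
    """Count failed logins per source address."""
    return Counter(e["src"] for e in events if e["category"] == "auth" and e["outcome"] == "failure")


def evaluate_threshold(counts, threshold, attack_sources):
    """Apply the rule 'flag a source with >= threshold failures' and score it against the labels."""
    flagged = {src for src, n in counts.items() if n >= threshold}
    return {"threshold": threshold,
            "tp": len(flagged & attack_sources),      # attacks caught
            "fp": len(flagged - attack_sources),      # false positives an analyst must review
            "fn": len(attack_sources - flagged)}      # attacks missed


def sweep(counts, attack_sources, thresholds=range(1, 11)):
    """Evaluate the rule at every candidate threshold."""
    return [evaluate_threshold(counts, t, attack_sources) for t in thresholds]


def choose_threshold(results, max_fn=0):
    """Lowest threshold with the fewest false positives among those missing <= max_fn attacks."""
    acceptable = [r for r in results if r["fn"] <= max_fn]
    best = min(acceptable, key=lambda r: (r["fp"], r["threshold"]))
    return best["threshold"]


if __name__ == "__main__":
    kept = filter_noise(EVENTS)
    print(f"{len(EVENTS)} events collected, {len(kept)} kept after noise filtering")
    results = sweep(failed_logins_per_source(kept), ATTACK_SOURCES)
    for r in results:
        print(r)
    print("chosen threshold:", choose_threshold(results))
```

With this sample, a threshold of 1 catches both attackers but also flags all three legitimate users (three false positives to review), a threshold of 6 produces no false positives but misses one attacker, and the sweep settles on 4 as the lowest threshold that catches every labelled attack with no false positives. In practice the labels come from past incident reviews, and the sweep has to be repeated as the network and the threats change, as section 2.2 notes.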
3.2.5. Insufficient Staffing
In order to work properly, SIEM solutions require around-the-clock, 24/7 monitoring of
logs and alerts. Security and forensic staff must look at the logs, conduct regular reviews
and pull out relevant reports. All these tasks require adequate staffing or a
dedicated team, which can be a massive expense.
Considering this, vendors have lately been offering new security solutions called Security
as a Service (SECaaS). SECaaS allows organizations to outsource security maintenance to
specialized companies. This approach eases maintenance and reduces costs, but outsourcing
one's security can be a security threat in itself, because it involves sending a lot of private
information (logs and events) to third parties.
Conclusion
In this seminar the properties of Security Information and Event Management were
presented and described. SIEM is a way to better maintain security in a network. A SIEM
system is a huge system which provides not only a single point for log aggregation and
analysis, but also gives better insight into what is happening in the network. Large-scale
networks have many servers, network devices and security devices. With a SIEM solution,
logs from such a huge network can be processed and presented better and more easily.
Also, automated incident handling notifies the security maintenance team when an important
event occurs in the network (such as a cyber-attack).
Bibliography
[1] Integra Group, https://www.integragroup.hr/usluge-i-rjesenja/sigurnost/security-information-and-event-management-siem, Date of access: 11. 1. 2019.
[2] Hitachi Systems Security, https://www.hitachi-systems-security.com/blog/siem-benefits-and-limitations/, Date of access: 11. 1. 2019.
[3] Stratozen, https://stratozen.com/siem-soc/how-does-a-siem-work/, https://stratozen.com/siem-soc/what-is-a-siem/, Date of access: 12. 1. 2019.
Summary
In this seminar the properties of Security Information and Event Management are
presented and described; it answers these questions: "What is SIEM?", "How does it
work?" and "What are SIEM advantages and disadvantages?"
Keywords: Security Information and Event Management, Security Maintenance, Cyber-attack,
Secured Network, Security System
Abbreviations
BER Bit Error Ratio
IT Information Technologies
IDS Intrusion Detection System
IPS Intrusion Prevention System
NAC Network Access Control
SECaaS Security as a Service