‘SIEM Thing, Different Day’ – Roger Harris, Napatech

By Roger Harris, Senior Engineer at Napatech

The uptake of Security Information and Event Management (SIEM) technology in large enterprises is nearly ubiquitous.

Today, there are very few large companies without a SIEM tool, and in fact most find themselves with multiple SIEM implementations, acquired through mergers and acquisitions or organizational splits.

However, what is often less established is a plan to capitalize on SIEM technology, which is a shame since the SIEM solution has likely taken months to implement and has cost a fortune.

First, of course, the SIEM product is attached to an existing 24×5 or 24×7 Security Operations Center (SOC).

The difficulty: even with a large staff of 12 or more full-time employees, there may be only two or three security engineers on duty at any given time, plus some call-out escalation or Incident Response resources.

But SIEMs in large enterprises collate billions of events per day.

The SIEM solution can organize and categorize these into high- and medium-priority events, but there will almost certainly still be thousands or tens of thousands of records that need to be examined by the SOC engineering team every single day.

This is where an effective workflow from the SIEM solution becomes critical.

If a SOC engineer has only logs and metadata to work from, every high-priority event needs a long examination, often involving guesswork to get from metadata to established fact.

If there are potentially hundreds of such events per day and each is time-consuming, he will have no choice but to quickly disregard many of them.

To maximize the value of what the SIEM product has told him, he needs fast and precise forensics in two areas: hosts and network.

Host forensics primarily consists of continuous surveillance on employee workstations.

Ultimately, most security events involve an ordinary user workstation being compromised and becoming a command-and-control beachhead for the attacker.

An effective host-based surveillance system silently records all key host events like network session data, name lookups, registry changes, file executions, file writes and the like, whether or not they seem suspicious at the time.

The SOC engineer should be able to click on an event in the SIEM tool and link with context into the host solution to examine circumstances around the time of the SIEM record.

If a suspicious log event from the network proxy is seen in the SIEM solution, the SOC engineer should need no more than a minute to see the internal host's event data around that time; this will help determine whether the anomaly was a successful exploit that compromised the workstation.
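As an added illustration of that pivot (example code written for this page, not from the article or from any host-surveillance product): a SIEM proxy alert and a set of host sensor records are constructed inline, the records from the alert's source host within a window around the alert time are pulled out, and a simple evidence chain is checked: was the flagged file written to disk, was that path later executed, and did new outbound connections follow the execution? The record layout, host names, paths and addresses are all assumptions made for the example.

```python
"""Pivot from a SIEM proxy alert to host-surveillance records around the same moment.

Added example written for this page, not code from the article or from any
host-surveillance product. The record layout, field names, host names, paths
and addresses below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List


@dataclass(frozen=True)
class HostEvent:
    ts: datetime
    host: str     # workstation the sensor runs on
    kind: str     # dns | net | file_write | exec | registry
    detail: str   # name looked up, peer address, path, registry key


def ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as '2024-03-05T14:02:11Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed SIEM record: the web proxy flagged an executable download by WS-0412.
SIEM_ALERT = {
    "ts": ts("2024-03-05T14:02:11Z"),
    "src_host": "WS-0412",
    "url": "http://cdn-update.example/installer.exe",
    "rule": "Executable from uncategorised domain",
}

# Constructed host telemetry from two workstations, as a sensor would have recorded it
# regardless of whether anything looked suspicious at the time.
HOST_EVENTS = [
    HostEvent(ts("2024-03-05T13:40:00Z"), "WS-0412", "exec", r"C:\Windows\explorer.exe"),
    HostEvent(ts("2024-03-05T14:02:09Z"), "WS-0412", "dns", "cdn-update.example"),
    HostEvent(ts("2024-03-05T14:02:10Z"), "WS-0412", "net", "10.1.1.20:8080 (proxy)"),
    HostEvent(ts("2024-03-05T14:02:14Z"), "WS-0412", "file_write", r"C:\Users\jdoe\Downloads\installer.exe"),
    HostEvent(ts("2024-03-05T14:02:31Z"), "WS-0412", "exec", r"C:\Users\jdoe\Downloads\installer.exe"),
    HostEvent(ts("2024-03-05T14:02:33Z"), "WS-0412", "registry",
              r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    HostEvent(ts("2024-03-05T14:02:40Z"), "WS-0412", "net", "203.0.113.9:443"),
    HostEvent(ts("2024-03-05T14:02:12Z"), "WS-0077", "file_write", r"C:\Users\asmith\report.docx"),
    HostEvent(ts("2024-03-05T15:30:00Z"), "WS-0412", "net", "203.0.113.9:443"),
]


def pivot(alert: dict, events: Iterable[HostEvent],
          before: timedelta = timedelta(seconds=60),
          after: timedelta = timedelta(seconds=120)) -> List[HostEvent]:
    """Events from the alert's source host within [ts - before, ts + after], time-ordered."""
    lo, hi = alert["ts"] - before, alert["ts"] + after
    return sorted((e for e in events if e.host == alert["src_host"] and lo <= e.ts <= hi),
                  key=lambda e: e.ts)


def assess(alert: dict, window: List[HostEvent]) -> dict:
    """Evidence chain: flagged file written, that path executed later, and any
    outbound connections after the execution (candidate command-and-control)."""
    name = alert["url"].rsplit("/", 1)[-1].lower()
    write = next((e for e in window if e.kind == "file_write" and e.detail.lower().endswith(name)), None)
    run = None
    if write is not None:
        run = next((e for e in window if e.kind == "exec" and e.ts > write.ts
                    and e.detail.lower() == write.detail.lower()), None)
    followup = [e.detail for e in window if run is not None and e.kind == "net" and e.ts > run.ts]
    return {
        "file_written": write.detail if write else None,
        "executed": run.detail if run else None,
        "post_exec_connections": followup,
        "likely_compromised": run is not None and bool(followup),
    }


if __name__ == "__main__":
    window = pivot(SIEM_ALERT, HOST_EVENTS)
    for e in window:
        print(e.ts.isoformat(), e.kind, e.detail)
    print(assess(SIEM_ALERT, window))
```

The time-window join is the whole point: the sensor recorded the DNS lookup, the proxy connection, the file write, the execution and the follow-on connection whether or not anything looked suspicious at the time, so the engineer sees the sequence in one query instead of guessing from the proxy log alone. Widen the window if the host's clock and the proxy's clock are not tightly synchronised; a few seconds of skew is enough to push the file write out of a short window.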

Overcoming Host Surveillance Limitations

But host surveillance solutions, while certainly required, are limited for a number of reasons:

  • Too large a variety of workstations.
  • Older and very new OS releases are often unsupported, and users often insist on acquiring non-standard workstations (e.g. a Mac in a Windows shop).
  • The prevalence of personal devices like phones and tablets.
  • Servers running a wide spread of operating systems, such as various Linux flavors, where host surveillance will not work at all, cannot handle the volume, or itself adds too big a risk of an outage.
  • Flaws in the host surveillance software can cause widespread outages under some conditions, making it as much of a risk to the security team as an attacker.
  • Surveillance on compromised hosts will be found and neutered by sophisticated attackers; the host sensor depends on the very resources it is protecting.

This is where the network forensics workflow picks up.

Network data should be recorded in its entirety (at the internet boundaries at a minimum), whether it seems “interesting” (associated with a security event) at the time or not.

Every single packet must be captured so that no evidence is missing.

Nanosecond timestamping and 100 percent data capture with zero packet loss make for the precision packet capture that forensic investigation needs.

The data should be held for at least 24 hours to allow SOC engineers to obtain full network data for high-priority SIEM events.

This data complements the information from host-based surveillance, which may itself have some details on network connections but will not include the full packet information. And of course in DMZ and server areas, there may be no host surveillance at all for the reasons mentioned above.

Similar to the host workflow, a SOC engineer should be able to click an event in the SIEM product and, within a minute, get full packet information relating to the event.

He can then determine whether the session was stopped by the inline firewall/IPS/anti-malware tools or was successfully opened and delivered a payload to a vulnerable host.
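An added example of that pivot at packet level (code written for this page, not from the article or from Napatech): a small pcap containing three TCP sessions from one workstation is constructed in memory, the packets of one 5-tuple are selected within a window around the SIEM event time, and the session is classified by what came back from the server. Timestamps are kept as integer nanoseconds so that both the microsecond (0xa1b2c3d4) and nanosecond (0xa1b23c4d) pcap magic numbers can be read and the precision difference between them is visible. The addresses, ports, times and payloads are assumptions made for the example, and only Ethernet/IPv4/TCP is decoded.

```python
"""Pull one TCP session out of a full-packet capture and decide how it ended.

Added example written for this page, not code from the article or from any
Napatech product. Traffic, addresses and times are constructed; only
Ethernet/IPv4/TCP is decoded.
"""
import struct
from collections import namedtuple
from socket import inet_aton, inet_ntoa

PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC = 0xA1B2C3D4, 0xA1B23C4D
SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10
NS = 10**9                       # timestamps are integer nanoseconds throughout

Packet = namedtuple("Packet", "ts src sport dst dport flags payload_len")


def tcp_frame(src, sport, dst, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame for constructed test traffic (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     inet_aton(src), inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def pcap_bytes(frames, nanosecond=True):
    """Serialize (ts_ns, frame) pairs as a little-endian pcap file."""
    magic = PCAP_MAGIC_NSEC if nanosecond else PCAP_MAGIC_USEC
    out = [struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in frames:
        frac = ts % NS if nanosecond else (ts % NS) // 1000
        out.append(struct.pack("<IIII", ts // NS, frac, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data):
    """Yield a Packet for every TCP/IPv4 frame; other frames are skipped."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_NSEC:
        scale = 1
    elif magic == PCAP_MAGIC_USEC:
        scale = 1000             # microsecond capture: the last three digits are gone
    else:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = 24
    while off + 16 <= len(data):
        sec, frac, caplen, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        tcp = frame[14 + ihl:14 + total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        yield Packet(sec * NS + frac * scale, inet_ntoa(frame[26:30]), sport,
                     inet_ntoa(frame[30:34]), dport, tcp[13], len(tcp) - doff)


def session(packets, client, cport, server, sport, t_start, t_end):
    """Both directions of one 5-tuple within [t_start, t_end] (integer ns)."""
    fwd, rev = (client, cport, server, sport), (server, sport, client, cport)
    return [p for p in packets
            if t_start <= p.ts <= t_end and (p.src, p.sport, p.dst, p.dport) in (fwd, rev)]


def classify(pkts, client):
    """payload_delivered: server sent data. reset: RST, no data. handshake_only:
    SYN/ACK but no data. dropped: nothing came back. not_captured: no packets at all."""
    from_server = [p for p in pkts if p.src != client]
    server_bytes = sum(p.payload_len for p in from_server)
    if not pkts:
        verdict = "not_captured"
    elif server_bytes:
        verdict = "payload_delivered"
    elif any(p.flags & RST for p in pkts):
        verdict = "reset"
    elif any(p.flags & SYN and p.flags & ACK for p in from_server):
        verdict = "handshake_only"
    else:
        verdict = "dropped"
    return {"verdict": verdict, "packets": len(pkts), "server_bytes": server_bytes}


def investigate(pcap, client, cport, server, sport, t_event, before=60 * NS, after=120 * NS):
    """The SIEM pivot: every packet of the flagged session, then its verdict."""
    pkts = list(read_pcap(pcap))
    return classify(session(pkts, client, cport, server, sport, t_event - before, t_event + after), client)


# Constructed capture: three sessions from one workstation around a proxy alert.
T0 = 1_709_647_331 * NS          # 2024-03-05T14:02:11Z, the SIEM event time
CLIENT, WEB, C2 = "10.0.0.5", "198.51.100.23", "203.0.113.9"
FRAMES = [
    (T0 + 100, tcp_frame(CLIENT, 51000, WEB, 80, SYN)),                   # download completes
    (T0 + 20_000_100, tcp_frame(WEB, 80, CLIENT, 51000, SYN | ACK)),
    (T0 + 20_100_200, tcp_frame(CLIENT, 51000, WEB, 80, ACK)),
    (T0 + 20_300_000, tcp_frame(CLIENT, 51000, WEB, 80, PSH | ACK,
                                b"GET /installer.exe HTTP/1.1\r\nHost: cdn-update.example\r\n\r\n")),
    (T0 + 45_000_000, tcp_frame(WEB, 80, CLIENT, 51000, PSH | ACK,
                                b"HTTP/1.1 200 OK\r\n\r\nMZ" + b"\x90" * 1200)),
    (T0 + 30 * NS, tcp_frame(CLIENT, 51001, C2, 443, SYN)),               # RST from inline device
    (T0 + 30 * NS + 500_000, tcp_frame(C2, 443, CLIENT, 51001, RST | ACK)),
    (T0 + 31 * NS, tcp_frame(CLIENT, 51002, C2, 8443, SYN)),              # silently dropped, retried
    (T0 + 32 * NS, tcp_frame(CLIENT, 51002, C2, 8443, SYN)),
]

if __name__ == "__main__":
    cap = pcap_bytes(FRAMES)
    for cport, server, sport in ((51000, WEB, 80), (51001, C2, 443), (51002, C2, 8443)):
        print(cport, server, sport, investigate(cap, CLIENT, cport, server, sport, T0))
```

Note what the verdict can and cannot say. "payload_delivered" shows that the server's bytes reached the host; an inline IPS that resets a session on a signature match part way through a transfer still shows as payload_delivered, so the byte count is reported alongside the verdict. "dropped" (a SYN with nothing back) and "reset" are the firewall/IPS outcomes. "not_captured" means the session is not in this capture at all, which is exactly the situation the zero-packet-loss requirement above exists to prevent: an absent session can only be told apart from a dropped one when you trust that nothing was missed.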

Most enterprises target seven to 30 days for network data retention, depending on network volumes.

Often what SOC teams need is fast, simple packet data relating to events they already have, rather than additional network analysis.

A common problem: the SOC and Incident Response team, with a known incident in hand, must wait hours (or even overnight) to get network data that corroborates what they are seeing, because very often seldom-used analytics get in the way of the real issue.

The Missing Link: Acceleration

This wait time is unacceptable. To identify any suspicious activity on your network, you need full visibility at all times.

Even a marginal fraction of information lost can potentially compromise the safety of your business.

A myriad of intelligent security solutions are available to help you gain visibility – but to deliver the needed insights, they need fully reliable data. And with network speeds advancing to 100G, the challenge of attaining reliable data is growing.

This is where network acceleration comes in. It adds real-time line rate performance to your SIEM or other security application (Intrusion Detection Systems, Data Loss Prevention etc.).

Acceleration technology supplies all the information needed for effective forensic analysis in real time, even at today's increasing speeds. This means a much shorter response time, improved mitigation and, ultimately, stronger security.

Don’t leave your already over-burdened SOC teams without fast and efficient workflows to host and network data.

Instead, by bringing full packet information to bear quickly and easily, teams can focus on the job at hand – catching the perpetrator.


About the author

Roger has a degree in Electrical Engineering from the Georgia Institute of Technology.

He began his career managing a global network for worldwide air travel consortium SITA.

This operational experience formed the basis for subsequent experience in providing expert network consulting and professional services for enterprise, government and education.

He began to specialize in network packet capture solutions in 2010 and has experience in forensics, network optimization and security incident resolution using network artifacts.