SANS Institute Information Security Reading Room

An Evaluator's Guide to NextGen SIEM
Barbara Filkins
Copyright SANS Institute 2019. Author Retains Full Rights.
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

A SANS Whitepaper
An Evaluator's Guide to NextGen SIEM
Written by Barbara Filkins
Advisor: Chris Crowley
Sponsored by: LogRhythm
December 2018

Introduction

A SIEM system provides a central console for viewing, monitoring and managing security-related events and log data from across the enterprise. Because it correlates data from multiple sources, a SIEM system can enable an analyst to identify and respond to suspicious behavior patterns faster and more effectively than would be possible by looking at data from individual systems. Log data represents the digital fingerprints of all activity that occurs across a networked infrastructure; it can be reviewed to detect security, operations and regulatory compliance problems.

To be effective, a SIEM must remain relevant in the face of new threats as well as changes in both the technical and support infrastructures of an organization. Yet legacy SIEMs are notorious for being difficult to configure and maintain. The average shelf life for a traditional SIEM is 18 to 24 months.1 Because a traditional SIEM often lacks the capability to produce actionable information, the security team may be unable to justify to management ongoing investment costs such as license renewal, ongoing system management, integration of additional data sources and continued training of personnel.

A modern SIEM should be viewed as a central nervous system, capturing data and generating information that security teams can use as intelligence to detect potentially malicious activity before any damage is realized, providing a safety net that can catch potential threats that might slip through traditional defenses.

1 the-mid-market-enterprises

SANS Analyst Program, 2018 SANS Institute

Because of these issues, demand arose for tools that can provide actionable information while optimizing current and future security investments and reducing risk. Next-generation SIEM augments traditional capabilities (automated log management, correlation, pattern recognition and alerting) with emerging and agile technologies (cloud-based analytics; security orchestration, automation and response [SOAR]; user and entity behavior analytics [UEBA]; machine learning and artificial intelligence). Table 1 shows a comparison of the needs of today with "next-generation" capabilities.

Table 1. Core Tenets of NextGen SIEM

Need: Manage and monitor the modern hybrid infrastructure (e.g., cloud, on premises, in the hands of users) as a single entity.
NextGen capabilities:
- Permit quick integration into an enterprise infrastructure via open architecture.

Need: Visualize related security events across disparate datasets for accurate incident identification and threat detection.
NextGen capabilities:
- Curate a standard taxonomy of activities from log and machine data.

Need: Detect, classify, escalate and respond to threats in real time.
NextGen capabilities:
- Use scenario- and behavior-based analytics to capture well-understood scenarios and indicate significant changes in behavior.
- Meet operational demands of complex, global environments, both in terms of performance and maintainability, through a scalable architecture.
- Employ real-time visualization tools that help gain insight into the most important, high-risk activities.
- Integrate with and use threat intelligence gathered from commercial, open source and custom sources.

Need: Search efficiently against massive amounts of data captured from a variety of sources, quickly honing in on the data most pertinent to forensic investigation.
NextGen capabilities:
- Provide precise and rapid access to data through high-performance and centralized searches on both structured and unstructured data.
- Rely on high-scale indexing and storage of forensic data for months or even years.
- Use a big data architecture to allow storage of source data in its historical or original form.
- Enable Elasticsearch capabilities.

Need: Manage and improve repetitive workflows, adjusting to changing organizational needs, policies and systems (e.g., guide incident response more rapidly and accurately after threat detection occurs).
NextGen capabilities:
- Support SOAR capabilities.

Need: Represent and manage business risk in terms of organizational compliance and other mandates.
NextGen capabilities:
- Measure current status against a regulatory and/or other policy-based framework for risk prioritization and management via a rules engine.
- Provide a flexible framework that allows custom workflow implementation for key organizational use cases (e.g., Secure DevOps, incident response).
- Provide standard (e.g., PCI DSS, HIPAA, SOX) rule sets that are customizable and extensible.

An Evolution of Terms

SIEM technology combines the log management capabilities of what used to be standalone security information management (SIM) systems and security event management (SEM) tools.
- Log management system (LMS): A platform that collects and stores log files from multiple hosts and systems in a single location that allows centralized access.
- Security information management (SIM): Built on LMS. A type of software that automates the collection of event log data from security devices, such as firewalls, proxy servers, intrusion detection systems and antivirus software.2
- Security event management (SEM): An LMS targeted toward security managers that addresses security events as opposed to system events. Includes aggregation, correlation and notifications for events from security systems (e.g., antivirus, firewalls, IPS/IDS).
- Security information and event management (SIEM): An application which gathers security and event data from information system components and presents that data as actionable information via a single interface.3

The goal of this guide is to help you develop an actionable procurement process that enables your organization to feel confident in its selection of next-generation SIEM as a key component in the protection and defense of its business and critical assets.

2 ecurity-information-and-event-management-SIEM
3 7298r2.pdf

Visualizing NextGen SIEM: A Reference Architecture

The term security information and event management (SIEM) was coined in 2005 by Mark Nicolett and Amrit Williams of Gartner.4 Since then, organizations have looked to SIEM solutions to help:
- Address compliance requirements, such as PCI DSS, HIPAA and SOX, by capturing and retaining system logs, automating the log review process and providing reports that meet regulatory audit requirements.
- Support operations by pulling together data from disparate systems, allowing for more efficient collaboration among various IT teams, the network operations center (NOC) and the security operations center (SOC).
- Support investigations by storing and protecting historical logs, along with the tools to quickly navigate and correlate the data.

The high-level reference architecture shown in Figure 1 displays the basic requirements needed to fully evaluate a next-generation SIEM.

Figure 1. NextGen SIEM Reference Architecture Visualization (layers, top to bottom)
- User Interaction Layer: Visualization (dashboards, guided playbooks); Reporting; Alerts (real time)
- Workflow/Automation Layer: Operation workflows (SOC, threat hunting, incident response); Compliance (PCI DSS, GDPR, HIPAA, SOX); Threat intelligence feeds; Forensic analysis
- Monitoring/Analytics Layer: Analytics; Monitoring/Auditing (user activity, file integrity, application log, system and device log, object access)
- Data Management Layer: Data collection; Data aggregation; Data correlation/analysis; Storage; Retention/Archive
- Log Data Sources: Network devices; Security devices; Apps; Endpoints (physical, virtual, cloud, mobile, IoT, other)

4 nerability-management

Table 2 explains each layer in more depth; the introductory text under each layer heading identifies the key next-generation differences.

Table 2. NextGen SIEM Capabilities

Data Management Layer
A next-generation solution is built around a big data storage architecture, a compute-and-storage architecture that collects and manages large security data sets for indexing and search, enabling real-time data analytics.
- Data collection: Gathers log data from multiple sources, including network and security devices, applications and various endpoints (e.g., mobile devices, physical servers, virtual servers)
- Data aggregation: Gathers and normalizes collected data
- Data correlation and analysis: Links events and related data to security incidents, threats or forensic findings
- Storage: Provides online access to current and archived log data, and additional artifacts such as reports and visualization snapshots
- Retention: Stores long-term historical data, used for compliance and forensic investigations

Monitoring/Analytics Layer
Next-generation advanced analytic capabilities are key to identifying hidden threats. They include both complex scenario detection and behavioral modeling to identify and prioritize [...]
- Monitoring: Provides automated means to detect anomalous behaviors such as those related to user or network activity; works with analytics tools
- Auditing: Audits various logs for compliance with standards such as PCI DSS, GDPR, HIPAA and SOX
- Analytics: Uses statistical models and machine learning to identify deeper relationships between data and behavioral elements, and presents information in context
- Threat intelligence feeds: Combines internal data with third-party data on threats, vulnerabilities and attack patterns

Workflow/Automation Layer
A next-generation SIEM can automate and prioritize actions that allow workflow and productivity improvements to organizational security. Positive impacts can be expected in any area in which actions can be orchestrated (e.g., incident response, better triage of alarms or reducing alarm fatigue).
- Operations: Automation: Integrates with other security solutions using APIs, defining automated workflows that should be executed in response to specific incidents; compatible with SOAR tools
- Operations: Threat hunting/investigation: Enables security staff to run queries on both structured and unstructured log and event data to proactively uncover threats or vulnerabilities
- Operations: Incident response: Helps security teams identify and respond to security incidents, bringing in all relevant data rapidly through case management
- Compliance: Builds on audit data to generate reports for compliance with regulations and standards such as PCI DSS, GDPR, HIPAA and SOX
- Forensic analysis: Enables exploration of log and event data to discover details of a security incident

User Interaction Layer
Next-generation tools provide real-time insight into patterns, trends and correlations that can translate directly into the timely exposure and recognition of troublesome issues or events that might otherwise have gone unnoticed.
- Alerting: Analyzes events and sends alerts to notify security staff of immediate issues
- Visualization: Creates visualizations based on real-time or historical event data to allow staff to more quickly and accurately identify patterns and anomalies
- Reporting: Generates standard and ad hoc reports to support the appropriate workflow, as well as meet specific business requirements
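The following is an added example written for this page; it is not code from the SANS paper or from any vendor's product. It sketches, in a few dozen lines of Python, the data management and analytics layers from Table 2 and two of the Table 1 tenets: collection of log lines in three different source formats, aggregation into one normalized taxonomy (the "curate standard taxonomy" capability), a scenario-based correlation rule (repeated failed logons from one source followed by a success) and a behavior-based rule (a user's failed-logon volume far above that user's own baseline). Every log line, host name, user name, IP address, baseline count and threshold is constructed for the example; the only real-world facts relied on are the sshd message wording and the Windows logon event IDs 4624 (success) and 4625 (failure).

```python
"""Toy SIEM pipeline: collect -> normalize -> correlate (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample input in three source formats: syslog-style sshd lines,
# a key=value firewall line and a CSV export of Windows logon events.
# Hosts, users and addresses are made up; the last line deliberately matches nothing.
RAW_LOGS = """\
2019-02-01T08:00:01Z srv1 sshd[2101]: Failed password for alice from 203.0.113.7 port 51122 ssh2
2019-02-01T08:00:03Z srv1 sshd[2101]: Failed password for alice from 203.0.113.7 port 51124 ssh2
2019-02-01T08:00:05Z srv1 sshd[2101]: Failed password for alice from 203.0.113.7 port 51130 ssh2
2019-02-01T08:00:09Z srv1 sshd[2101]: Accepted password for alice from 203.0.113.7 port 51133 ssh2
2019-02-01T08:00:10Z fw01 action=deny src=198.51.100.9 dst=10.0.0.5 dport=445
2019-02-01T08:01:00Z,dc01,4624,bob,10.0.0.21
2019-02-01T08:01:30Z,dc01,4625,carol,10.0.0.22
this line matches no known source format and must be counted, not dropped silently
"""

# Constructed seven-day baseline: failed logons per user per day (input to the behavioral rule).
HISTORY_FAILED_LOGONS = {
    "alice": [0, 1, 0, 0, 1, 0, 0],
    "bob":   [0, 0, 1, 0, 0, 0, 0],
    "carol": [1, 0, 1, 2, 1, 0, 1],
}

SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password "
                     r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
                   r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")
WIN_RE = re.compile(r"^(?P<ts>[^,]+),(?P<host>[^,]+),(?P<eid>\d+),(?P<user>[^,]+),(?P<ip>[^,]+)$")
WIN_LOGON_OUTCOME = {"4624": "success", "4625": "failure"}  # Windows logon event IDs

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def normalize(line):
    """Map one raw line onto the common taxonomy; return None if no parser matches."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": _ts(m["ts"]), "host": m["host"], "source": "sshd", "category": "auth",
                "outcome": "success" if m["result"] == "Accepted" else "failure",
                "user": m["user"], "src_ip": m["ip"]}
    m = FW_RE.match(line)
    if m:
        return {"ts": _ts(m["ts"]), "host": m["host"], "source": "firewall", "category": "network",
                "outcome": m["action"], "user": None, "src_ip": m["src"],
                "dst_ip": m["dst"], "dst_port": int(m["dport"])}
    m = WIN_RE.match(line)
    if m and m["eid"] in WIN_LOGON_OUTCOME:
        return {"ts": _ts(m["ts"]), "host": m["host"], "source": "windows", "category": "auth",
                "outcome": WIN_LOGON_OUTCOME[m["eid"]], "user": m["user"], "src_ip": m["ip"]}
    return None

def aggregate(raw):
    """Collection + aggregation: parse every line and keep a record of what did not parse."""
    events, unparsed = [], []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)   # a SIEM that drops these silently hides coverage gaps
        else:
            events.append(ev)
    return events, unparsed

def detect_brute_force(events, threshold=3, window=timedelta(seconds=60)):
    """Scenario rule: >= threshold failed logons for (user, src_ip) inside window, then a success."""
    alerts, failures = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["category"] != "auth":
            continue
        key = (e["user"], e["src_ip"])
        if e["outcome"] == "failure":
            failures[key].append(e["ts"])
        elif e["outcome"] == "success":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "user": e["user"],
                               "src_ip": e["src_ip"], "failures": len(recent), "ts": e["ts"]})
            failures[key].clear()   # one alert per burst, not one per later success
    return alerts

def detect_behavior_change(events, history, z_threshold=3.0, min_stdev=0.5):
    """Behavior rule: today's failed-logon count per user versus that user's own baseline (z-score)."""
    today = defaultdict(int)
    for e in events:
        if e["category"] == "auth" and e["outcome"] == "failure":
            today[e["user"]] += 1
    alerts = []
    for user, past in history.items():
        z = (today[user] - mean(past)) / max(pstdev(past), min_stdev)  # floor avoids divide-by-zero
        if z >= z_threshold:
            alerts.append({"rule": "failed_logon_volume_anomaly", "user": user,
                           "today": today[user], "z": round(z, 1)})
    return alerts

def run_pipeline(raw=RAW_LOGS, history=HISTORY_FAILED_LOGONS):
    events, unparsed = aggregate(raw)
    return {"events": events, "unparsed": unparsed,
            "scenario_alerts": detect_brute_force(events),
            "behavior_alerts": detect_behavior_change(events, history)}

if __name__ == "__main__":
    out = run_pipeline()
    print(len(out["events"]), "events,", len(out["unparsed"]), "unparsed")
    for a in out["scenario_alerts"] + out["behavior_alerts"]:
        print(a)
```

Two evaluator checks fall out of this sketch. First, every candidate SIEM should expose how many inbound lines failed normalization (the `unparsed` list here); a product that silently discards unknown formats cannot honestly claim to manage the hybrid infrastructure as a single entity. Second, the scenario rule and the behavior rule consume the same normalized events, which is why the taxonomy row in Table 1 precedes the analytics rows: without a shared field set (`user`, `src_ip`, `outcome`), correlation across sshd and Windows logons is not possible.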

Evaluation Strategy for NextGen SIEM

Acquisition and deployment of a SIEM is an enterprisewide project. The evaluation and procurement should be managed as a project in its own right, with a dedicated project manager and team, assigned resources, budget and schedule.

Step 1: Establish the Business Case

Lack of stakeholder involvement is often cited as a reason for project failure.5 SIEM can affect many workflows that require cooperation across all areas of the organization. Ensure that you include all appropriate stakeholders in the successful use of next-generation SIEM: the operational teams (IT, security and support), audit and compliance, application development, business owners and all levels of management.

Treat the evaluation process as part of the discovery and planning phase of the larger SIEM implementation project that will follow.

To focus the project and ensure continued commitment from all stakeholders, consider developing a project charter, such as the partially completed example shown in Figure 2.

Figure 2. Sample Project Charter (Partially Completed)

Project Title: XYZ Global NextGen SIEM Implementation Project: Procurement Phase
Project Sponsor: CIO of XYZ Global
Project Manager: (You)
Estimated Cost: 1,250,000 (variable)
Project Category: Strategic Business Need
Date of Request: 2/1/2019 (variable)
Target Completion Date: 10/1/2019 (variable)
Project Purpose (high level): Improved security posture for critical operation that complies with XYZ Global policies
Project Description (high level): Remediate IT audit findings to reduce risk level to comply with XYZ Global Enterprise IT Security standards.
Project Objectives (what project is meant to accomplish): Implement a SIEM that 1) meets the requirements of XYZ Global policies; 2) allows XYZ Global to identify and remediate deficiencies identified in regulatory compliance audits; and 3) brings operations in line with security best practices.
Critical Success Factors:
- Commitment from XYZ Global leadership
- Committed project resources and staff (e.g., project workforce retention)
- Confidence in selected next-generation SIEM and vendor(s)
Project Milestones (with key dates):
- Evaluate and choose SIEM solutions
- Purchase or design solution
- Negotiate final price and statement of work
- Award
High-Level Risks:
- Other internal projects consuming resources
- Lack of participation by stakeholders: 1. PMO for guidance; 2. Operational staff (IT and security staff) for evaluation, including proof of concept
- Inadequate scoping of requirements and business needs
- Not identifying all stakeholders
- Inadequate evaluation and proof of concept
Business Justification for Project: This project is being undertaken for mandatory business reasons, to meet XYZ Global minimum IT security standards. These standards have already undergone business case justification and have become mandatory after the business risks for not complying with them have been reviewed. This project represents the first step in meeting the minimum level of risk acceptance for IT security-related issues for XYZ Global and its subsidiaries.
Other Important Information (as needed):
Approval Signatures (Name, Signature, Date): Project Manager; Project Sponsor; Funding Approval

Step 2: Strategize on Requirements

A SIEM is a platform that must be configured to meet the needs of the organization. The actual requirements (and the evaluation of possible solutions) depend on three key, interrelated factors:
- Operational requirements. Understand how the platform will fit into your management processes related to operations, compliance, incident and threat response, and risk management. Consider also how easy the platform will be to manage, whether it can meet your performance demands, and if it will scale appropriately as your infrastructure expands.

5 nt-skills-tools-7981

- Technical requirements. Understand technically how the proposed SIEM solution will integrate with your enterprise infrastructure. Plan on documenting your technical infrastructure in enough depth that the vendor understands your environment and you have a solid basis on which to evaluate the vendor response.
- Business requirements. Gather the business requirements (and assumptions), such as cost versus terms of coverage, support and training, and regulatory compliance. Consider the appropriate SIEM deployment model for your organization as well as any additional vendor services you may need.

Define the Operational Requirements6

Starting with the initial business case that was presented for next-generation SIEM, evaluate your organization's current security posture and how the SIEM deployment will affect it, taking into account all tasks that must be performed to complete the initial implementation and to support ongoing maintenance and operation. These tasks can range from policy development to workflow modification to planning for increased personnel expense, such as additional training and/or support staff.

First, review and prioritize current security policies and workflows according to the following set of rules:
- Which are important to the business of the organization?
- Which are important for the organization's compliance with regulations or other mandates?
- Which are best practices for maintaining a secure environment?

Next, perform a gap assessment. Are your current workflows and controls actually performing according to plan? Use this "as-is" picture to expose any issues for two reasons: 1) to remediate any critical gaps that an effective SIEM implementation will depend upon, and 2) to identify those issues that a next-generation SIEM can most effectively address. You now have a basic picture of what the daily "to be" environment should look like with a next-generation SIEM in place.

This security policy and workflow analysis can help to target your initial deployment strategy. You know your highest priority business needs and use cases. Use this information to implement the next-generation SIEM on a representative subset of your existing infrastructure, gathering critical information to advise on making additional changes and improvements prior to a more complete rollout.

Document the Technical Infrastructure

Gather and organize information about your infrastructure, both to provide to potential vendors and for your team to evaluate vendor responses. At a minimum, you should provide:
- A detailed description of your infrastructure, including the configuration, location and business ownership of computing assets, security controls in use, and the underlying network topology. Sources for this information can include your asset management system, software inventory database, network maps and vulnerability reports.

6 This section presents only a quick overview on how to develop operational requirements. For more information on developing use cases to support SIEM deployment, see the following presentation: ummit-archive-1533050405.pdf

- Acceptable performance expectations and constraints, such as available network bandwidth and latency
- Sizing information, such as number of users and projected growth over the next one to two years
- Data sources for logs and alerts, encompassing both infrastructure assets and security controls (see Table 3)

Table 3. Potential Data Sources for Logs and Alerts7

Infrastructure Assets:
- Routers
- Switches
- Network services (e.g., email, DNS)
- Physical and virtual servers (e.g., domain controllers, application, database, web)
- User endpoints, both fixed and mobile

Security Controls:
- Firewalls, IDS/IPS
- Endpoint security
- Data loss prevention
- VPN concentrators
- Honey pots
- Web filters

Determine the Business Requirements

Selecting the organizational model can help determine your implementation budget as well as shape a draft statement of work (SoW). Table 4 outlines four organizational models that range from fully in-house to fully outsourced.

Self-hosted, self-managed is the primary deployment model for legacy SIEMs. This model can prove complex and expensive to maintain, even if [...]

Table 4. Organizational Models for NextGen SIEM Implementation and Workflow

Self-hosted, self-managed
- Your organization: Host SIEM in organization's data center (e.g., dedicated SIEM platform, maintain related hardware and storage systems, manage SIEM with trained security personnel).
- Vendor: Not applicable.

Self-hosted, hybrid-managed
- Your organization: Purchase and maintain software and hardware infrastructure.
- Vendor: Deploy and co-manage SIEM [...]
