
UNIVERSITY OF ZAGREB, CROATIA

FACULTY OF ELECTRICAL ENGINEERING AND COMPUTING

Computer Forensics course - seminar paper

Security Information and Event management

(SIEM)

Zvonimir Hartl

Zagreb, January 2019.


Contents

Introduction
1. SIEM in general
  1.1. Secured network before SIEM
  1.2. Network with SIEM
2. SIEM design and architecture
  2.1. Sending logs and events
  2.2. Writing rules
  2.3. Managing incidents
  2.4. Sending notifications
3. SIEM pros and cons
  3.1. SIEM advantages
    3.1.1. Detecting incidents that would otherwise not be detected
    3.1.2. Streamline Compliance Reporting
    3.1.3. Making incident response more efficient
    3.1.4. Single security interface
  3.2. SIEM disadvantages
    3.2.1. Misconfiguration
    3.2.2. Costly and Time-Consuming
    3.2.3. False positives
    3.2.4. Failure to monitor noise
    3.2.5. Insufficient Staffing
Conclusion
Bibliography
Summary
Abbreviations


Introduction

IT systems contain many sources of security information, such as servers, routers, firewalls and IDSs, and these sources generate a great number of logs. Such logs are hard to track and analyse in real time, which is why SIEM systems were developed. A Security Information and Event Management system collects and normalizes security logs and events and automates their analysis.

This seminar is organized as follows: chapter 1 describes SIEM in general, chapter 2 presents SIEM design and architecture, and chapter 3 lists and discusses SIEM pros and cons.


1. SIEM in general

To better understand what a SIEM is, the security configuration of a network is described as it was before SIEM was introduced and as it is with SIEM.

1.1. Secured network before SIEM

Awareness of Internet security has grown together with the growth of cyber-attacks. In response, network security systems were developed: the first firewalls were created as a simple way of blocking unwanted traffic. Once firewalls were in place, attackers found new ways to bypass them, and IDS and IPS (Intrusion Detection and Intrusion Prevention Systems) were developed in response. Attacks keep becoming more advanced, however, and many of them cannot be detected by the existing security devices on their own. Today, as seen in Figure 1, a network contains many security devices, but each of them relies only on the traffic that passes through it. With such a limited view of the network, these devices are unable to notice attacks that target multiple network entities, because no single device sees the whole attack.

Figure 1 Secured Network


1.2. Network with SIEM

With so many security systems and devices in a network, it is a real challenge to keep track of all the security logs and events and to react in real time when an attack occurs. Security Information and Event Management is a centralized solution for log and event aggregation: all security information and events are forwarded to a single system, which stores and analyses the collected data. But a SIEM goes beyond just collecting and analysing logs. Its main functionalities are [1]:

- Log aggregation and normalization
- Event tracking
- Log and event analysis
- Correlating events and logs with vulnerability data, threat intelligence feeds, network and device configuration and blacklists
- Generating and sending alerts to security administrators
- Report and graph generation
- Long-term preservation of security data

Figure 2 Secured Network with SIEM


2. SIEM design and architecture

To improve a secured network with a SIEM system, it is important to understand how a SIEM works. With the right understanding of the system and how it operates, it can be configured to suit the needs of every organization. There are four main parts in the SIEM workflow, as shown in Figure 3, and they are listed and described in this chapter.

Figure 3 SIEM workflow

2.1. Sending logs and events

To set up a SIEM in a network environment, every device in the network first has to be connected to the SIEM so that it can forward its logs and events to the SIEM (as shown in Figure 2). Afterwards the network configuration has to be entered into the SIEM: which applications are visible from the Internet, which are used only on the intranet, how the DMZ is configured, and so on. The more information the SIEM has about the network, the more effective it will be, because the same event means something different on an Internet-facing server than on an internal one.


2.2. Writing rules

Besides entering the network configuration into the SIEM, rules also have to be created and applied. The rules are applied to the incoming events and logs, which are cross-correlated with vulnerability data, threat intelligence feeds, network and device configuration, blacklists and so on. A SIEM ships with many preconfigured rules based on global security experience, but it is advisable to adjust those rules to the specific network and to write new, customized rules. The security administrator should also be aware that both the threats and the network change over time, so the rules will need to be tuned continually to follow those changes.

2.3. Managing incidents

When a rule fires, it creates an incident. Incidents are rated according to criticality settings that are also tuned for the environment. Based on its criticality, an incident may merely be logged, written to a report to be reviewed later, or flagged as requiring immediate attention. Most incidents are just informational. Some are interesting and are written to a report, which a security or forensic expert later examines to determine whether an attack has taken place. If needed, based on the findings in the reports, the rules are updated so that the same attack is stopped the next time. Finally, some incidents require immediate action, which means they must generate an immediate notification.

2.4. Sending notifications

A custom notification protocol is then followed to ensure that the right person or team receives the incident information immediately. Notifications can be delivered 24/7/365, allowing security experts to remediate issues before they escalate out of control, and they can be sent through various communication services (email, SMS, etc.). Some SIEM solutions even include remediation guidance that tells the support team what they can do to fix the issue. The support team thus gets instant notification of a problem together with the information it needs to respond quickly.
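The four workflow steps of this chapter, carried through end to end as an added example in Python. The code is written for this page and is not from the paper or from any SIEM product. It normalizes a handful of constructed sshd log lines into a common event schema, applies two correlation rules (a cross-host brute-force rule and a blacklist rule, which stand in for the preconfigured and custom rules of section 2.2), rates each incident, and routes it according to a hypothetical notification table. The asset inventory (which hosts face the Internet) and the blacklist are hypothetical values that play the role of the network configuration and threat-intelligence feed; `threshold` and `window` are the knobs that the tuning described in section 2.2 adjusts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not taken from the paper): a password-guessing
# attack from 203.0.113.7 that moves from web1 to db1 and finally succeeds, one
# ordinary failed-then-successful login by a user, and one connection from an
# address that appears on the blacklist.
SAMPLE_LOGS = [
    "2019-01-10T10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 5011",
    "2019-01-10T10:00:03 web1 sshd[1202]: Failed password for root from 203.0.113.7 port 5012",
    "2019-01-10T10:00:05 web1 sshd[1203]: Failed password for admin from 203.0.113.7 port 5013",
    "2019-01-10T10:00:09 db1 sshd[877]: Failed password for admin from 203.0.113.7 port 5020",
    "2019-01-10T10:00:12 db1 sshd[878]: Failed password for admin from 203.0.113.7 port 5021",
    "2019-01-10T10:00:20 db1 sshd[879]: Accepted password for admin from 203.0.113.7 port 5022",
    "2019-01-10T10:05:00 web1 sshd[1300]: Failed password for alice from 10.0.0.5 port 40001",
    "2019-01-10T10:05:04 web1 sshd[1301]: Accepted password for alice from 10.0.0.5 port 40002",
    "2019-01-10T10:07:00 web1 sshd[1400]: Failed password for root from 198.51.100.23 port 6000",
]

# Hypothetical network configuration (section 2.1) and threat-intelligence
# blacklist (section 2.2), both invented for this example.
ASSETS = {"web1": {"internet_facing": True}, "db1": {"internet_facing": False}}
BLACKLIST = {"198.51.100.23"}

# Hypothetical notification protocol (section 2.4): action per criticality level.
ROUTING = {"low": "log only", "medium": "add to daily report",
           "high": "email on-call analyst", "critical": "email + SMS on-call analyst"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$")


def normalize(line):
    """Parse one raw sshd line into the common event schema; None if it cannot be parsed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "user": m["user"],
            "src": m["src"],
            "event": "auth_failure" if m["result"] == "Failed" else "auth_success"}


def rule_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Fire when one source produces `threshold` failures within `window`, counted
    across all hosts; escalate to critical if a success from that source follows."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["event"] == "auth_failure"]
        for i in range(len(fails) - threshold + 1):
            first, last = fails[i], fails[i + threshold - 1]
            if last["ts"] - first["ts"] > window:
                continue
            hosts = sorted({e["host"] for e in fails[i:i + threshold]})
            success = any(e["event"] == "auth_success" and
                          last["ts"] <= e["ts"] <= last["ts"] + window for e in evs)
            incidents.append({"rule": "ssh_brute_force", "src": src, "hosts": hosts,
                              "severity": "critical" if success else "high"})
            break  # one incident per source, not one per overlapping window
    return incidents


def rule_blacklist(events):
    """Any connection from a blacklisted address; rated higher on Internet-facing hosts."""
    incidents = []
    for e in events:
        if e["src"] in BLACKLIST:
            exposed = ASSETS.get(e["host"], {}).get("internet_facing", False)
            incidents.append({"rule": "blacklisted_source", "src": e["src"],
                              "hosts": [e["host"]],
                              "severity": "high" if exposed else "medium"})
    return incidents


def run_siem(lines):
    """Whole workflow: normalize -> correlate -> rate -> route. Returns (incident, action) pairs."""
    events = [e for e in map(normalize, lines) if e]
    incidents = rule_brute_force(events) + rule_blacklist(events)
    return [(inc, ROUTING[inc["severity"]]) for inc in incidents]


if __name__ == "__main__":
    for inc, action in run_siem(SAMPLE_LOGS):
        print(f"{inc['severity']:8} {inc['rule']:20} src={inc['src']} "
              f"hosts={inc['hosts']} -> {action}")
```

Running the block prints one line per incident: the brute force is rated critical because the guessing ended in a successful login on db1, and the blacklisted address is rated high because web1 faces the Internet. Lowering `threshold` to 1 makes the same rule fire on the ordinary failed-then-successful login of `alice` as well, which is exactly the false-positive trade-off that rule tuning has to balance.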


3. SIEM pros and cons

As shown above, SIEM has brought security management to the next level: a new way of handling information and events, responding to threats and generating alerts and reports was introduced. Like every system, it has its pros and cons, and in this chapter the advantages and disadvantages of SIEM are listed [2].

3.1. SIEM advantages

SIEM has brought many advantages; the most significant ones are listed here.

3.1.1. Detecting incidents that would otherwise not be detected

A SIEM can detect incidents that would otherwise go unnoticed. Firstly, many hosts that log security events have no built-in incident detection: they can only observe events and produce audit log entries, without analysing those entries for signs of suspicious activity. Secondly, a SIEM is able to correlate events and logs across many hosts. It gathers security information from different hosts, sees the parts of an attack that were observed separately by distinct hosts, and reassembles the sequence of events to determine whether the attack has succeeded. Finally, using threat intelligence feeds, a SIEM can detect activity involving known-malicious sources and, when integrated with enforcement devices, have the host's connection terminated so that the attack is neutralized before it becomes a costly breach.

3.1.2. Streamline Compliance Reporting

This benefit is so significant that numerous organizations deploy a SIEM only to streamline their compliance reporting through a centralized logging solution. There can be many hosts in a network; the security events logged by each host are regularly transferred to a single SIEM server, which generates one report covering all the security events received from those hosts.


Without a SIEM, data has to be collected from each host manually and a separate report prepared for each host; these reports are then reassembled at a central point into a single report. Doing this by hand requires a lot of manpower to reconcile security logs from dissimilar hosts.

3.1.3. Making incident response more efficient

If a SIEM is properly configured and maintained, it can make incident handling more efficient, saving time and resources for the incident handlers. This matters because poor handling of an incident can destroy essential information, such as evidence against the malicious actors who compromised the host in question.

3.1.4. Single security interface

Another useful feature of a SIEM is that it provides a single interface for viewing the security logs of multiple hosts. Its aggregation feature also reduces the volume of event data by merging duplicate event records, so that analysts work with correlated and aggregated data in real time, and with long-term summaries, instead of with raw records.

3.2. SIEM disadvantages

In this subchapter SIEM limitations are listed. It is more appropriate to call them limitations than disadvantages, because they appear only as a result of insufficient information or resources.

3.2.1. Misconfiguration

Secure configuration is essential for the overall security of the system. Misconfiguration is a change to the secure configuration, made accidentally or by oversight, that may lead to vulnerabilities or undesirable behaviour. Sometimes malicious actors misconfigure systems deliberately, to introduce vulnerabilities or to keep their activities undetected. Because a SIEM is so large and comprehensive, a system administrator can easily overlook an error in its configuration.


3.2.2. Costly and Time-Consuming

Collecting, storing and analysing security events are simple tasks compared with running compliance reports, updating security rules and incident alerts, applying patches and so on, which can be very time-consuming and require a lot of work. A SIEM brings more maintenance and monitoring work to the network.

SIEM systems are not cheap either. Vendors bill for the use of their software (and possibly hardware) in several ways: per appliance, per year, per volume of logs generated and so on. More or less it comes to the same thing: every commercial SIEM solution is expensive. On the other hand, there are several open source solutions, which are free, but they come without vendor support and may be less polished, which can mean hiring more people to deal with those problems.

3.2.3. False positives

SIEM solutions usually rely on rules to analyse all logged data. When writing rules, the security expert tries to be as vigilant as possible; unfortunately, that approach makes the rules trigger many alerts that are false positives.

In other words, defining too few rules may mean missing real threats, while defining too many rules may trigger a huge number of false positives. These false positives not only take a lot of time to review, but they also raise the risk that a genuine alert is overlooked among them.

3.2.4. Failure to monitor noise

Out-of-the-box alerts and alarms also produce noise in an otherwise quiet, working network. A SIEM is not a general log management system; it relies on correlation rules, which in turn depend on particular events and logs to detect certain threats. If a SIEM simply collects every log, it fails to separate useful logs from useless ones and the noise goes unmonitored. That is why it is essential to collect only the logs required to detect potential threats and vulnerabilities, rather than every type of log from every host.
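One way to act on that last point, as an added example written for this page (it is not from the paper or from any SIEM product): derive the collection policy from the enabled rules, so that only the event types some rule actually uses are forwarded, and check in the other direction that every enabled rule still has the sources it needs. Silently dropping a log type that a rule depends on is the mirror image of the noise problem, so both checks belong together. The rule definitions and the event mix are constructed for the example; events are assumed to be already normalized into (host, program, event type) tuples.

```python
from collections import Counter

# Constructed, already-normalized events as (host, program, event_type). The mix is
# hypothetical: a few authentication and firewall events buried in cron and DHCP noise.
SAMPLE_EVENTS = [
    ("web1", "sshd", "auth_failure"), ("web1", "sshd", "auth_failure"),
    ("db1", "sshd", "auth_success"),
    ("fw1", "fw", "deny"), ("fw1", "fw", "deny"), ("fw1", "fw", "allow"),
    ("web1", "cron", "job_run"), ("web1", "cron", "job_run"), ("db1", "cron", "job_run"),
    ("dhcp1", "dhcpd", "lease"), ("dhcp1", "dhcpd", "lease"), ("dhcp1", "dhcpd", "lease"),
]

# Each enabled rule declares the (program, event_type) pairs it correlates on
# (hypothetical rule names and requirements).
RULES = {
    "ssh_brute_force": {("sshd", "auth_failure"), ("sshd", "auth_success")},
    "port_scan": {("fw", "deny")},
}


def required_sources(rules):
    """Union of every (program, event_type) that at least one enabled rule needs."""
    return set().union(*rules.values()) if rules else set()


def filter_collection(events, needed):
    """Keep only events some rule can use; also return how much of each unused
    source would be dropped, so the administrator can see what the policy cuts."""
    kept, dropped = [], Counter()
    for host, program, etype in events:
        if (program, etype) in needed:
            kept.append((host, program, etype))
        else:
            dropped[(program, etype)] += 1
    return kept, dropped


def uncovered_rules(rules, collected):
    """Rules that can never fire because something they need is not being collected."""
    return sorted(name for name, needs in rules.items() if not needs <= collected)


if __name__ == "__main__":
    needed = required_sources(RULES)
    kept, dropped = filter_collection(SAMPLE_EVENTS, needed)
    print(f"kept {len(kept)} of {len(SAMPLE_EVENTS)} events")
    for source, n in dropped.most_common():
        print(f"  dropping {n} x {source}")
    print("uncovered rules:", uncovered_rules(RULES, needed) or "none")
```

With the constructed mix the policy keeps 5 of 12 events and drops all cron and DHCP records plus the firewall "allow" entries, while every enabled rule remains covered. If the firewall "deny" stream were removed from collection, `uncovered_rules` would report `port_scan`, which is the check to run before turning any source off.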


3.2.5. Insufficient Staffing

To work properly, a SIEM requires around-the-clock, 24/7 monitoring of logs and alerts. Security and forensic staff must look at the logs, conduct regular reviews and pull out relevant reports. All these tasks require adequate staffing or a dedicated team, which can be a massive expense.

For this reason, vendors have lately been offering a new kind of security solution called Security as a Service (SECaaS). SECaaS lets organizations outsource security maintenance to specialized companies. This approach eases maintenance and reduces costs, but outsourcing one's security can be a security threat in itself, because it involves sending a lot of private information (logs and events) to third parties.


Conclusion

In this seminar the properties of Security Information and Event Management were presented and described. SIEM is a way to maintain security in a network better. A SIEM is a large system that provides not only a single point for log aggregation and analysis but also a better insight into what is happening in the network. Large-scale networks have many servers, network devices and security devices, and with a SIEM the logs from such a network can be processed and presented better and more easily. Automated incident handling also notifies the security maintenance team when an important event, such as a cyber-attack, occurs in the network.


Bibliography

[1] Integra Group, https://www.integragroup.hr/usluge-i-rjesenja/sigurnost/security-information-and-event-management-siem, accessed 11 January 2019.

[2] Hitachi Systems Security, https://www.hitachi-systems-security.com/blog/siem-benefits-and-limitations/, accessed 11 January 2019.

[3] Stratozen, https://stratozen.com/siem-soc/how-does-a-siem-work/ and https://stratozen.com/siem-soc/what-is-a-siem/, accessed 12 January 2019.


Summary

In this seminar the properties of Security Information and Event Management are presented and described. It answers the questions "What is a SIEM?", "How does it work?" and "What are the advantages and disadvantages of SIEM?".

Keywords: Security Information and Event Management, Security Maintenance, Cyber-attack, Secured Network, Security System


Abbreviations

BER Bit Error Ratio

IT Information Technologies

IDS Intrusion Detection System

IPS Intrusion Prevention System

NAC Network Access Control

SECaaS Security as a Service