Do you think your SIEM is enough?

Is Your SIEM Working Well Enough?

Many companies use Security Information and Event Management (SIEM) technology to support their cybersecurity programs. SIEM allows for the real-time collection and historical analysis of security events from a wide variety of sources, helping to detect threats and support incident response. However, it is important to ensure that your SIEM is working effectively and is part of a broader cybersecurity solution that incorporates threat intelligence and appropriate sensor placement.

Threat-Informed Security Monitoring

One effective approach to security monitoring is threat-informed security monitoring, which is built on the MITRE ATT&CK framework. ATT&CK catalogues the tactics and techniques that adversaries are known to use, and it serves as a practical guide for deciding which behaviours to look for and how to detect them. To implement threat-informed security monitoring, it is important to understand the architecture of your cybersecurity program (what you log, where it is collected, and how it is analysed) and to consider how to place sensors so that they provide visibility across the environment.

SIEM and Threat-Informed Security Monitoring

A SIEM is a core component of a cybersecurity program, and it can be used to support threat-informed security monitoring. Here are some examples of how a SIEM can be used to detect threats mapped to the MITRE ATT&CK framework:

  1. Collecting and correlating logs: A SIEM can collect logs from many sources and correlate them, matching events against indicators of compromise (IOCs) and linking related events into potential signs of a cyber attack.
  2. Establishing context: A SIEM can enrich events with threat intelligence to give security analysts context, helping them separate known malicious activity from unfamiliar activity that needs investigation.
  3. Implementing capabilities for real-time analysis: A SIEM can provide real-time analysis of security events, enabling quick response to potential threats.
  4. Implementing capabilities for historical analysis: A SIEM can provide historical analysis of security events, allowing for retrospective analysis of potential threats and identification of gaps in security monitoring.
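The four capabilities above can be shown in a small self-contained script. This is an added example, not code from the original post: it reads constructed Sysmon-style events (process creation, Event ID 1, and network connection, Event ID 3), evaluates per-event detection rules tagged with real ATT&CK technique IDs for the "real-time" step, correlates alerts on the same host and process within a time window for the "historical" step, and compares the techniques covered by rules against a constructed list of priority techniques to surface monitoring gaps. All hosts, timestamps, process GUIDs and the IOC address (taken from the TEST-NET-3 documentation range) are constructed; the rules themselves are illustrative only.

```python
"""Toy threat-informed correlation over constructed Sysmon-style events.

Added example, not part of the original post. Log lines, hosts, GUIDs,
timestamps and the IOC list are all constructed; the ATT&CK technique
IDs are real, but the detection rules are deliberately simple.
"""
import json
from datetime import datetime, timedelta

# Constructed newline-delimited JSON events, roughly the shape a SIEM
# would receive from a Sysmon forwarder (EventID 1 = process creation,
# EventID 3 = network connection). Raw string so JSON "\\" survives.
SAMPLE_LOG = r"""
{"ts": "2024-01-10T09:00:01Z", "host": "ws-17", "EventID": 1, "ProcessGuid": "p-100", "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
{"ts": "2024-01-10T09:02:15Z", "host": "ws-17", "EventID": 1, "ProcessGuid": "p-101", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc AAAA"}
{"ts": "2024-01-10T09:02:40Z", "host": "ws-17", "EventID": 3, "ProcessGuid": "p-101", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"ts": "2024-01-10T09:30:00Z", "host": "ws-22", "EventID": 1, "ProcessGuid": "p-201", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -EncodedCommand AAAA"}
{"ts": "2024-01-10T09:50:00Z", "host": "ws-22", "EventID": 3, "ProcessGuid": "p-201", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"ts": "2024-01-10T10:05:00Z", "host": "ws-22", "EventID": 3, "ProcessGuid": "p-202", "Image": "C:\\Program Files\\Browser\\browser.exe", "DestinationIp": "198.51.100.5", "DestinationPort": 443}
"""

# Constructed threat-intelligence feed: indicator -> context string.
# Context (capability 2) is attached to every alert that matches it.
IOCS = {"203.0.113.10": "placeholder C2 indicator (constructed)"}


def parse_events(raw):
    """Capability 1, collection: parse NDJSON and order events by time."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def is_encoded_powershell(event):
    """Process creation of PowerShell with an encoded command argument."""
    cmd = event.get("CommandLine", "").lower()
    return (event["EventID"] == 1
            and "powershell" in event.get("Image", "").lower()
            and ("-enc " in cmd or "-encodedcommand" in cmd))


def is_ioc_connection(event):
    """Outbound connection whose destination is in the intel feed."""
    return event["EventID"] == 3 and event.get("DestinationIp") in IOCS


# (rule name, ATT&CK technique, severity, predicate)
RULES = [
    ("encoded_powershell", "T1059.001", "medium", is_encoded_powershell),
    ("connection_to_known_ioc", "T1071.001", "high", is_ioc_connection),
]


def run_rules(events):
    """Capability 3, real-time style: judge each event on its own."""
    alerts = []
    for event in events:
        for name, technique, severity, predicate in RULES:
            if predicate(event):
                alerts.append({
                    "rule": name, "technique": technique,
                    "severity": severity, "host": event["host"],
                    "guid": event["ProcessGuid"], "ts": event["ts"],
                    "context": IOCS.get(event.get("DestinationIp")),
                })
    return alerts


def correlate(alerts, window=timedelta(minutes=10)):
    """Capability 4, historical style: chain distinct techniques seen on
    the same host and process within `window` into one higher-severity
    finding. The window is a tunable; alerts outside it stay separate."""
    groups = {}
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        groups.setdefault((alert["host"], alert["guid"]), []).append(alert)
    chains = []
    for (host, guid), group in groups.items():
        techniques = sorted({a["technique"] for a in group})
        if len(techniques) > 1 and group[-1]["ts"] - group[0]["ts"] <= window:
            chains.append({"host": host, "guid": guid,
                           "techniques": techniques, "severity": "critical"})
    return chains


def coverage_gaps(priority_techniques, rules=RULES):
    """Priority techniques (e.g. from intel on a relevant adversary) that
    no rule currently covers: the monitoring gaps capability 4 should expose."""
    covered = {technique for _, technique, _, _ in rules}
    return sorted(set(priority_techniques) - covered)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    found = run_rules(evts)
    for a in found:
        print(a["ts"], a["host"], a["rule"], a["technique"], a["context"])
    print("chains:", correlate(found))
    # Constructed priority list; T1003.001 and T1105 are real technique IDs.
    print("gaps:", coverage_gaps(["T1059.001", "T1071.001", "T1105", "T1003.001"]))
```

Running it produces four single-event alerts (two on ws-17, two on ws-22), but only ws-17 is chained, because its PowerShell launch and IOC connection sit 25 seconds apart while the ws-22 pair is 20 minutes apart and falls outside the default window. Whether that second pair should also be chained is exactly the kind of tuning decision an analyst makes against historical data, which is why the window is a parameter rather than a constant.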

In addition to using a SIEM, it is important to consider sensor placement and the deployment of other cybersecurity tools that can support threat-informed security monitoring. These may include intrusion detection and prevention systems (IDPS), endpoint detection and response (EDR) tools, network traffic analysis (NTA) tools, and more.

Open Source Tools for Threat-Informed Security Monitoring

There are a variety of open source tools that can be used to support threat-informed security monitoring, including:

  1. Sysmon: A Windows system service that logs detailed system activity, including process creation, network connections, and more, as Windows events that a SIEM can collect.
  2. Suricata: An open source intrusion detection and prevention system (IDPS) that inspects network traffic and can be used to detect known and unknown threats.
  3. Zeek (formerly Bro): A network traffic analysis (NTA) tool that turns network traffic into structured logs, which can be analysed to identify potential threats.
  4. TheHive: An open source security incident response platform that can be used to manage security incidents and coordinate response efforts.

Conclusion

SIEM technology is a core component of a cybersecurity program, but it is important to ensure that it is part of a broader solution that incorporates threat intelligence and appropriate sensor placement. By implementing threat-informed security monitoring based on the MITRE ATT&CK framework and using open source tools such as Sysmon, Suricata, Zeek, and TheHive, organizations can enhance their ability to detect and respond to potential cyber threats.
